Kaspersky Endpoint Security for Windows 11.6.0

Changing the security level

Changing the action to take on infected files

Generating a list of objects to scan

Selecting the type of files to scan

Selecting the run mode for the scan task

Using scan technologies

Starting a scan task under the account of a different user

Scanning removable drives when they are connected to the computer

Background scan

Checking the integrity of application

Page top

[Topic 128223]

Starting or stopping a scan task

Regardless of the selected scan task run mode, you can start or stop a scan task at any time.

To start or stop a scan task:

In the main application window, click the Tasks button.
Click the Start scan button if you want to run the scan task.

Kaspersky Endpoint Security will start scanning the computer. The application will show the scan progress, the number of scanned files, and the scan time remaining. You can stop the task at any time by clicking the Stop button.

To start or stop a scan task when the simplified application interface is displayed:

Right-click to bring up the context menu of the application icon that is in the taskbar notification area.
In the Tasks drop-down list in the context menu, do one of the following:
- select a non-running scan task to start it
- select a running scan task to stop it
- select a paused scan task to resume or restart it

Page top

[Topic 40777]

Changing the security level

Kaspersky Endpoint Security can use different groups of settings for running a scan. These groups of settings saved in the application are called security levels: High, Recommended, Low. The Recommended security level settings are considered to be optimal. They are recommended by Kaspersky experts. You can select one of the preset security levels or manually configure security level settings. If you change the security level settings, you can always revert back to the recommended security level settings.

To change a security level:

In the main application window, click the Tasks button.
In the opened window, select the scan task and click the button.
In the Security level section, do one of the following:
- If you want to apply one of the preset security levels, select it with the slider:
  - High. Kaspersky Endpoint Security scans all types of files. When scanning compound files, Kaspersky Endpoint Security also scans mail-format files.
  - Recommended. Kaspersky Endpoint Security scans only the specified file formats on all hard drives, network drives, and removable storage media of the computer, and also embedded OLE objects. Kaspersky Endpoint Security does not scan archives or installation packages.
  - Low. Kaspersky Endpoint Security scans only new or modified files with the specified extensions on all hard drives, removable drives, and network drives of the computer. Kaspersky Endpoint Security does not scan compound files.
- If you want to configure a custom security level, click the Advanced settings button and define your own component settings.
  You can restore the values of preset security levels by clicking the Restore recommended security level button in the upper part of the window.
Save your changes.

Page top

[Topic 128100]

Changing the action to take on infected files

By default, on detection of infected files, Kaspersky Endpoint Security tries to disinfect them, or deletes them if disinfection is not possible.

To change the action to take on infected files:

In the main application window, click the Tasks button.
In the opened window, select the scan task and click the button.
In the Action on threat detection block, select one of the following options:
- Disinfect; delete if disinfection fails. If this option is selected, Kaspersky Endpoint Security automatically attempts to disinfect all infected files that are detected. If disinfection fails, Kaspersky Endpoint Security deletes the files.
- Disinfect; block if disinfection fails. If this option is selected, Kaspersky Endpoint Security automatically attempts to disinfect all infected files that are detected. If disinfection is not possible, Kaspersky Endpoint Security adds the information about the infected files that are detected to the list of active threats.
- Inform. If this option is selected, Kaspersky Endpoint Security adds the information about infected files to the list of active threats on detection of these files.
Before attempting to disinfect or delete an infected file, Kaspersky Endpoint Security creates a backup copy of the file in case you need to restore the file or if it can be disinfected in the future.

On detection of infected files that are part of the Windows Store application, Kaspersky Endpoint Security attempts to delete the file.
Save your changes.

Page top

[Topic 123515]

Generating a list of objects to scan

To generate a list of objects to scan:

In the main application window, click the Tasks button.
In the opened window, select the scan task and click the button.
Click the Edit scan scope link.
In the opened window, select the objects that you want to add to the scan scope or exclude from it.
You cannot remove or edit objects that are included in the default scan scope.
If you want to add a new object to the scan scope:
1. Click the Add button.
  The folder tree opens.
2. Select the object and click Select.
You can exclude an object from scans without deleting it from the list of objects in the scan scope. To do so, clear the check box next to the object.
Save your changes.

Page top

[Topic 137012]

Selecting the type of files to scan

When selecting the type of files to scan, consider the following:

There is a low probability of introducing malicious code into files of certain formats and its subsequent activation (for example, TXT format). At the same time, there are file formats that contain executable code (such as .exe, .dll). The executable code may also be contained in files of formats that are not intended for this purpose (for example, the DOC format). The risk of intrusion and activation of malicious code in such files is high.
An intruder may send a virus or another malicious application to your computer in an executable file that has been renamed with the .txt extension. If you select scanning of files by extension, the application skips this file during scanning. If scanning of files by format is selected, Kaspersky Endpoint Security analyzes the file header regardless of its extension. If this analysis reveals that the file has the format of an executable file (for example, EXE), the application scans it.

To select the type of files to scan:

In the main application window, click the Tasks button.
In the opened window, select the scan task and click the button.
Click the Advanced settings button.
In the File types section, specify the type of files that you want to scan when the selected scan task runs:
- All files. If this setting is enabled, Kaspersky Endpoint Security checks all files without exception (all formats and extensions).
- Files scanned by format. If this setting is enabled, Kaspersky Endpoint Security scans
  infectable files only
  A file which, due to its structure or format, can be used by intruders as a "container" to store and spread malicious code. As a rule, these are executable files, with such file extensions as .com, .exe, and .dll. There is a fairly high risk that these files have been infiltrated with malicious code.
  
  A file which, due to its structure or format, can be used by intruders as a "container" to store and spread malicious code. As a rule, these are executable files, with such file extensions as .com, .exe, and .dll. There is a fairly high risk that these files have been infiltrated with malicious code.
  
  A file which, due to its structure or format, can be used by intruders as a "container" to store and spread malicious code. As a rule, these are executable files, with such file extensions as .com, .exe, and .dll. There is a fairly high risk that these files have been infiltrated with malicious code.
  
  A file which, due to its structure or format, can be used by intruders as a "container" to store and spread malicious code. As a rule, these are executable files, with such file extensions as .com, .exe, and .dll. There is a fairly high risk that these files have been infiltrated with malicious code.
  
  A file which, due to its structure or format, can be used by intruders as a "container" to store and spread malicious code. As a rule, these are executable files, with such file extensions as .com, .exe, and .dll. There is a fairly high risk that these files have been infiltrated with malicious code.
  
  A file which, due to its structure or format, can be used by intruders as a "container" to store and spread malicious code. As a rule, these are executable files, with such file extensions as .com, .exe, and .dll. There is a fairly high risk that these files have been infiltrated with malicious code.
  
  . Before scanning a file for malicious code, the internal header of the file is analyzed to determine the format of the file (for example, .txt, .doc, or .exe). The scan also looks for files with particular file extensions.
- Files scanned by extension. If this setting is enabled, Kaspersky Endpoint Security scans infectable files only. The file format is then determined based on the file's extension.
Kaspersky Endpoint Security considers files without an extension as executable ones. Kaspersky Endpoint Security always scans executable files regardless of the file types that you select for scanning.
Save your changes.

Page top

[Topic 128101]

Optimizing file scanning

You can optimize file scanning: reduce scan time and increase the operating speed of Kaspersky Endpoint Security. This can be achieved by scanning only new files and those files that have been modified since the previous scan. This mode applies both to simple and to compound files. You can also set a limit for scanning a single file. When the specified time interval expires, Kaspersky Endpoint Security excludes the file from the current scan (except archives and objects that include several files).

You can also enable use of the iChecker and iSwift technologies. The iChecker and iSwift technologies optimize the speed of scanning files, by excluding files that have not been modified since the most recent scan.

To optimize file scanning:

In the main application window, click the Tasks button.
In the opened window, select the scan task and click the button.
Click the Advanced settings button.
In the Scan optimization block, configure the scan settings:
- Scan only new and changed files. Scans only new files and those files that have been modified since the last time they were scanned. This helps reduce the duration of a scan. This mode applies both to simple and to compound files.
- Skip files that are scanned for longer than N seconds. Limits the duration for scanning a single object. After the specified amount of time, Kaspersky Endpoint Security stops scanning a file. This helps reduce the duration of a scan.
Save your changes.

Page top

[Topic 128801]

Scanning compound files

A common technique of concealing viruses and other malware is to implant them in compound files, such as archives or databases. To detect viruses and other malware that are hidden in this way, the compound file must be unpacked, which may slow down scanning. You can limit the types of compound files to be scanned and thereby speed up scanning.

To configure scanning of compound files:

In the main application window, click the Tasks button.
In the opened window, select the scan task and click the button.
Click the Advanced settings button.
In the Scan of compound files section, specify which compound files you want to scan: archives, installation packages, files in office formats, files in mail formats, and password-protected archives.
If scanning only new and modified files is disabled, configure the settings for scanning each type of compound file: scan all files of this type or only new files.
If scanning only new and modified files is enabled, Kaspersky Endpoint Security scans only new and modified files of all types of compound files.
In the Size limit block, do one of the following:
- If you do not want to unpack large compound files, select the Do not unpack large compound files check box and specify the required value in the Maximum file size field.
- If you want to unpack large compound files regardless of their size, clear the Do not unpack large compound files check box.
Kaspersky Endpoint Security scans large files that are extracted from archives, regardless of whether the Do not unpack large compound files check box is selected.
Save your changes.

Page top

[Topic 40773]

Using scan methods

Kaspersky Endpoint Security uses a scanning technique called Machine learning and signature analysis. During signature analysis, Kaspersky Endpoint Security matches the detected object with records in its database. Based on the recommendations of Kaspersky experts, machine learning and signature analysis is always enabled.

To increase the effectiveness of protection, you can use heuristic analysis. When scanning files for malicious code, the heuristic analyzer executes instructions in the executable files. The number of instructions that are executed by the heuristic analyzer depends on the level that is specified for the heuristic analyzer. The heuristic analysis level ensures a balance between the thoroughness of searching for new threats, the load on the resources of the operating system, and the duration of heuristic analysis.

To use scan methods:

In the main application window, click the Tasks button.
In the opened window, select the scan task and click the button.
Click the Advanced settings button.
If you want the application to use heuristic analysis when running the scan task, select the Heuristic analysis check box in the Scan methods block. Then use the slider to set the heuristic analysis level: Light scan, Medium scan, or Deep scan.
Save your changes.

Page top

[Topic 133792]

Using scan technologies

To use scan technologies:

In the main application window, click the Tasks button.
In the opened window, select the scan task and click the button.
Click the Advanced settings button.
In the Scan technologies block, select the check boxes next to the names of technologies that you want to use during a scan:
- iSwift technology. This technology allows increasing scan speed by excluding certain files from scanning. Files are excluded from scanning by using a special algorithm that takes into account the release date of Kaspersky Endpoint Security databases, the date that the file was last scanned on, and any modifications to the scanning settings. The iSwift technology is an advancement of the iChecker technology for the NTFS file system.
- iChecker technology. This technology allows increasing scan speed by excluding certain files from scanning. Files are excluded from scans by using a special algorithm that takes into account the release date of Kaspersky Endpoint Security databases, the date when the file was last scanned, and any modifications to the scan settings. There are limitations to iChecker Technology: it does not work with large files and applies only to files with a structure that the application recognizes (for example, EXE, DLL, LNK, TTF, INF, SYS, COM, CHM, ZIP, and RAR).
Save your changes.

Page top

[Topic 123523]

Selecting the run mode for the scan task

If it is impossible to run the scan task for any reason (for example, the computer is off at that time), you can configure the skipped task to be run automatically as soon as this becomes possible.

You can postpone the scan task start after application startup if the scan task start time matches the Kaspersky Endpoint Security startup time. The scan task can only be run after the specified time interval elapses after the startup of Kaspersky Endpoint Security.

To select the scan task run mode:

In the main application window, click the Tasks button.
In the opened window, select the scan task and click the button.
Click the Scan schedule button.
In the opened window, configure the scan task run schedule.
Depending on the selected frequency, configure advanced settings that specify the task run schedule.
1. Select the Run scheduled scan on the next day if computer is turned off if you want Kaspersky Endpoint Security to run missed scan tasks at the first opportunity.
  If Every minute, Every hour, After application startup or After every update item is selected in the Run scan drop-down list, the Run scheduled scan on the next day if computer is turned off check box is unavailable.
2. If you want Kaspersky Endpoint Security to suspend a task when computer resources are limited, select the Run only when the computer is idle check box. Kaspersky Endpoint Security starts the scan task if the computer is locked or if the screen saver is on.
  This schedule option helps to conserve computer resources.
Save your changes.

Page top

[Topic 123506]

Starting a scan task under the account of a different user

By default, a scan task is run with the permissions of the account under which the user logged in to the operating system. However, you may need to run a scan task under a different user account. You can specify a user who has the appropriate rights in the settings of the scan task and run the scan task under this user's account.

To configure the start of a scan task under a different user account:

In the main application window, click the Tasks button.
In the opened window, select the scan task and click the button.
Click Advanced settings → Run scan as.
In the opened window, select the user who requires the rights to start the scan task.
Save your changes.

Page top

[Topic 128102]

Scanning removable drives when they are connected to the computer

Kaspersky Endpoint Security scans all files that you run or copy, even if the file is located on a removable drive (File Threat Protection component). To prevent the spread of viruses and other malware, you can configure automatic scans of removable drives when they are connected to the computer. Kaspersky Endpoint Security automatically attempts to disinfect all infected files that are detected. If disinfection fails, Kaspersky Endpoint Security deletes the files. The component keeps a computer secure by running scans that implement machine learning, heuristic analysis (high level) and signature analysis. Kaspersky Endpoint Security also uses iSwift and iChecker scan optimization technologies. The technologies are always on and cannot be disabled.

To configure scanning of removable drives when they are connected:

In the main application window, click the Tasks button.
In the opened window, select the removable drive scan task and click the button.
Use the Removable drives scan toggle to enable or disable scans of removable drives upon connection to the computer.
Select the mode for scanning removable drives on connection:
- Detailed Scan If this option is selected, when a removable drive is connected Kaspersky Endpoint Security scans all files located on the removable drive, including files embedded within compound objects, archives, distribution packages, and files in office formats. Kaspersky Endpoint Security does not scan files in mail formats or password-protected archives.
- Quick Scan If this option is selected, after a removable drive is connected Kaspersky Endpoint Security scans only files of specific formats that are most vulnerable to infection, and does not unpack compound objects.
If you want Kaspersky Endpoint Security to scan only those removable drives whose size does not exceed a specified value, select the Maximum removable drive size check box and specify the value (in megabytes) in the neighboring field.
Configure how the scan progress of a removable disk will be displayed. Do one of the following:
- If you want Kaspersky Endpoint Security to display the removable drive scan progress in a separate window, select the Show scan progress check box.
  In the removable drive scan window, the user can stop the scan. To make removable drive scans mandatory and prevent the user from stopping a scan, select the Block the stopping of the scan task check box.
- If you want Kaspersky Endpoint Security to run a removable drive scan in the background, clear the Show scan progress check box.
To save changes, click the Save button.

Page top

[Topic 180811]

Background scan

After an anti-virus database update.
30 minutes after Kaspersky Endpoint Security is started.
Every six hours.
When the computer is idling for five minutes or more (the computer is locked or the screensaver is on).

Background scan when the computer is idling is interrupted when any of the following conditions are true:

The computer went into active mode.
If the background scan has not been run for more than ten days, the scan is not interrupted.
The computer (laptop) has switched to battery mode.

When performing a background scan, Kaspersky Endpoint Security does not scan files whose contents are located in OneDrive cloud storage.

To enable background scans of the computer:

In the main application window, click the Tasks button.
In the opened window, select the scan task and click the button.
Use the Background scan toggle to enable or disable background scans.
Save your changes.

Page top

[Topic 187641]

Checking the integrity of application

Kaspersky Endpoint Security checks the application files in the application installation folder for corruption or modifications. For example, if an application library has an incorrect digital signature, the library is considered corrupt. The Integrity check task is intended for scanning application files. Run the Integrity check task if Kaspersky Endpoint Security detected a malicious object but did not neutralize it.

You can create the Integrity Check task both in the Kaspersky Security Center 12 Web Console and in the Administration Console. It is not possible to create a task in the Kaspersky Security Center Cloud Console.

How to run an application integrity check through the Administration Console (MMC)

In the Administration Console, go to the folder Administration Server → Tasks.
The list of tasks opens.
Click the New task button.

The Task Wizard starts. Follow the instructions of the Wizard.

Step 1. Selecting task type

Select Kaspersky Endpoint Security for Windows (11.6.0) → Integrity check.

Step 2. Selecting the devices to which the task will be assigned

Select the computers on which the task will be performed. The following options are available:

Assign the task to an administration group. In this case, the task is assigned to computers included in a previously created administration group.
Select computers detected by the Administration Server in the network: unassigned devices. The specific devices can include devices in administration groups as well as unassigned devices.
Specify device addresses manually, or import addresses from a list. You can specify NetBIOS names, IP addresses, and IP subnets of devices to which you want to assign the task.

Step 3. Configuring a task start schedule

Configure a schedule for starting a task, for example, manually or when a virus outbreak is detected.

Step 4. Defining the task name

Enter a name for the task, for example, Integrity check after the computer was infected.

Step 5. Completing task creation

How to run an application integrity check through the Web Console

In the main window of Web Console, select Devices → Tasks.
The list of tasks opens.
Click the Add button.
The Task Wizard starts.
Configure the task settings:
1. In the Application drop-down list, select Kaspersky Endpoint Security for Windows (11.6.0).
2. In the Task type drop-down list, select Integrity check.
3. In the Task name field, enter a brief description, for example, Check the integrity of the application after a computer infection.
4. In the Select devices to which the task will be assigned section, select the task scope.
Select devices according to the selected task scope option. Click the Next button.
Finish the wizard by clicking the Finish button.
A new task will be displayed in the list of tasks.
Select the check box next to the task.

As a result, Kaspersky Endpoint Security will check the integrity of the application. You can also configure an application integrity check schedule in the task properties.

Application integrity breaches may occur in the following cases:

A malicious object modified files of Kaspersky Endpoint Security. In this case, perform the procedure for restoring Kaspersky Endpoint Security using the tools of the operating system. After restoration, run a full scan of the computer and repeat the integrity check.
The digital signature expired. In this case, update Kaspersky Endpoint Security.

Page top

[Topic 34566]

Updating databases and application software modules

Updating the databases and application modules of Kaspersky Endpoint Security ensures up-to-date protection on your computer. New viruses and other types of malware appear worldwide on a daily basis. Kaspersky Endpoint Security databases contain information about threats and ways of neutralizing them. To detect threats quickly, you are urged to regularly update the databases and application modules.

Regular updates require a license in effect. If there is no current license, you will be able to perform an update only once.

The main update source for Kaspersky Endpoint Security is Kaspersky update servers.

Your computer must be connected to the Internet to successfully download the update package from Kaspersky update servers. By default, the Internet connection settings are determined automatically. If you are using a proxy server, you need to configure the proxy server settings.

Updates are downloaded over the HTTPS protocol. They may also be downloaded over the HTTP protocol when it is impossible to download updates over the HTTPS protocol.

While performing an update, the following objects are downloaded and installed on your computer:

Kaspersky Endpoint Security databases. Computer protection is provided using databases that contain signatures of viruses and other threats and information on ways to neutralize them. Protection components use this information when searching for and neutralizing infected files on your computer. The databases are constantly updated with records of new threats and methods for counteracting them. Therefore, we recommend that you update the databases regularly.
In addition to the Kaspersky Endpoint Security databases, the network drivers that enable the application's components to intercept network traffic are updated.
Application modules. In addition to the databases of Kaspersky Endpoint Security, you can also update the application modules. Updating the application modules fixes vulnerabilities in Kaspersky Endpoint Security, adds new functions, or enhances existing functions.

While updating, the application modules and databases on your computer are compared against the up-to-date version at the update source. If your current databases and application modules differ from their respective up-to-date versions, the missing portion of the updates is installed on your computer.

Context help files can be updated together with application module updates.

If the databases are obsolete, the update package may be large, which may cause additional Internet traffic (up to several dozen MB).

Information about the current status of Kaspersky Endpoint Security databases is displayed in the Update section in the Tasks window.

Information on update results and on all events that occur during the performance of the update task is logged in the Kaspersky Endpoint Security report.

In this section

Database and application module update scenarios

Starting and stopping an update task

Starting an update task under the rights of a different user account

Selecting the update task run mode

Adding an update source

Configuring updates from a shared folder

Updating application modules

Using a proxy server for updates

Last update rollback

Page top

[Topic 176379]

Database and application module update scenarios

The following objects are updated on users' computers:

Anti-virus databases. Anti-virus databases include databases of malware signatures, description of network attacks, databases of malicious and phishing web addresses, databases of banners, spam databases, and other data.
Application modules. Module updates are intended for eliminating vulnerabilities in the application and to improve computer protection methods. Module updates may change the behavior of application components and add new capabilities.

Kaspersky Endpoint Security supports the following scenarios for updating databases and application modules:

Update from Kaspersky servers.
Kaspersky update servers are located in various countries throughout the world. This ensures high reliability of updates. If an update cannot be performed from one server, Kaspersky Endpoint Security switches over to the next server.

Update from Kaspersky servers.
Centralized update.
Centralized update reduces external Internet traffic, and provides for convenient monitoring of the update.

Centralized update consists of the following steps:
1. Download the update package to a repository within the organization's network.
  The update package is downloaded to the repository by the Administration Server task named Download updates to Administration Server repository.
2. Download the update package to a shared folder (optional).
  You can download the update package to a shared folder by using the following methods:
  - Using Kaspersky Endpoint Security Update task. The task is intended for one of the computers in the local company network.
  - Using the Kaspersky Update Utility. For detailed information about using Kaspersky Update Utility, refer to Kaspersky Knowledge Base.
3. Distribute the update package to client computers.
  The update package is distributed to client computers by the Kaspersky Endpoint Security Update task. You can create an unlimited number of update tasks for each administration group.
Updating from a server repository

Updating from a shared folder

Updating using Kaspersky Update Utility

For the Web Console, the default list of update sources contains the Kaspersky Security Center Administration Server and Kaspersky update servers. For the Kaspersky Security Center Cloud Console, the default list of update sources contains distribution points and Kaspersky update servers. For more details about distribution points, refer to Kaspersky Security Center Cloud Console Help. You can add other update sources to the list. You can specify HTTP/FTP servers and shared folders as update sources. If an update cannot be performed from an update source, Kaspersky Endpoint Security switches over to the next one.

Updates are downloaded from Kaspersky update servers or from other FTP- or HTTP servers over standard network protocols. If connection to a proxy server is required for accessing the update source, specify the proxy server settings in Kaspersky Endpoint Security policy settings.

In this section

Updating from a server repository

Updating from a shared folder

Updating using Kaspersky Update Utility

Updating in mobile mode

Page top

[Topic 176856]

Updating from a server repository

To conserve Internet traffic, you can configure updates of databases and application modules on computers of the organization's LAN from a server repository. For this purpose, Kaspersky Security Center must download an update package to the repository (FTP- or HTTP server, network or local folder) from Kaspersky update servers. Other computers on the organization's LAN will be able to receive the update package from the server repository.

Configuring database and application module updates from a server repository consists of the following steps:

Configure download of an update package to the Administration Server repository (Download updates to Administration Server repository task).
Configure database and application module updates from the specified server repository to the remaining computers on the organization's LAN (Update task).

Updating from a server repository

To configure download of an update package to the server repository:

In the main window of Web Console, select Devices → Tasks.
The list of tasks opens.
Select the Download updates to the repository Administration Server task.
The task properties window opens.

The Download updates to the repository Administration Server task is created automatically by the Initial Configuration Wizard of Kaspersky Security Center 12 Web Console, and this task may only have one single instance.
Select the Application settings tab.
In the Other settings section, click Configure.
In the Update storage folder field, specify the address of FTP- or HTTP server, network folder or local folder where Kaspersky Security Center copies the update package received from Kaspersky update servers.
The following path format is used for update source:
- For an FTP or HTTP server, enter its web address or IP address.
  For example, http://dnl-01.geo.kaspersky.com/ or 93.191.13.103.
  
  For an FTP server, you can specify the authentication settings within the address in the following format: ftp://<user name>:<password>@<node>:<port>.
- For a network folder, enter the UNC path.
  For example, \\ Server\Share\Update distribution.
- For a local folder, enter the full path to that folder.
  For example, C:\Documents and Settings\All Users\Application Data\Kaspersky Lab\AVP11\Update distribution\.
Save your changes.

To configure Kaspersky Endpoint Security update from the specified server storage:

In the main window of Web Console, select Devices → Tasks.
The list of tasks opens.
Click the Update task for Kaspersky Endpoint Security.
The task properties window opens.

The Update task is created automatically by the Initial Configuration Wizard of Kaspersky Security Center. To create the Update task, install the Kaspersky Endpoint Security for Windows web plug-in while running the Wizard.
Select the Application settings tab → Local mode.
In the list of update sources, click the Add button.
In the Source field, specify the address of the FTP- or HTTP server, network folder or local folder where Kaspersky Security Center will copy the update package received from Kaspersky servers.
The address of the update source must match the address you specified in the Folder for storing updates field when you configured download of updates to the server storage (see the instruction above).
In the Status section select Enabled.
Click OK.
Configure the priorities of update sources by using the Up and Down buttons.
Click the Save button.

If an update cannot be performed from the first update source, Kaspersky Endpoint Security automatically switches over to the next source.

Page top

[Topic 176801]

Updating from a shared folder

To conserve Internet traffic, you can configure updates of databases and application modules on computers of the organization's LAN from a shared folder. For this purpose, one of the computers on the organization's LAN must receive update packages from the Kaspersky Security Center Administration Server or from Kaspersky update servers and then copy the received update package to the shared folder. Other computers on the organization's LAN will be able to receive the update package from this shared folder.

Configuring database and application module updates from a shared folder consists of the following steps:

Configuring database and application module updates from a server repository.
Enable copying of an update package to a shared folder on one of the computers on the enterprise LAN (see the instructions below).
Configure database and application module updates from the specified shared folder to the remaining computers on the enterprise LAN (see the instructions below).

Updating from a shared folder

To enable copying of the update package to the shared folder:

In the main window of Web Console, select Devices → Tasks.
The list of tasks opens.
Click the Update task for Kaspersky Endpoint Security.
The task properties window opens.

The Update task is created automatically by the Initial Configuration Wizard of Kaspersky Security Center. To create the Update task, install the Kaspersky Endpoint Security for Windows web plug-in while running the Wizard.
Select the Application settings tab → Local mode.
Configure the sources of updates.
The sources of updates can be Kaspersky update servers, Kaspersky Security Center Administration Server, other FTP- or HTTP servers, local folders, or network folders.
Select the Copy updates to folder check box.
In the Path field, enter the UNC path to the shared folder (for example, \\Server\Share\Update distribution).
If the field is left blank, Kaspersky Endpoint Security will copy the update package to the folder C:\Documents and Settings\All Users\Application Data\Kaspersky Lab\AVP11\Update distribution\.
Click the Save button.

The Update task must be assigned for one computer that will serve as the source of updates.

To configure updates from a shared folder:

In the main window of Web Console, select Devices → Tasks.
The list of tasks opens.
Click the Add button.
The Task Wizard starts.
Configure the task settings:
1. In the Application drop-down list, select Kaspersky Endpoint Security for Windows (11.6.0).
2. In the Task type drop-down list, select Update.
3. In the Task name field, enter a brief description, for example, Update from shared folder.
4. In the Select devices to which the task will be assigned section, select the task scope.
  The Update task must be assigned to the computers of the organization's LAN, except the computer that serves as the update source.
Select devices according to the selected task scope option and click Next.
Finish the wizard by clicking the Create button.
A new task will be displayed in the table of tasks.
Click the newly created Update. task.
The task properties window opens.
Go to the Application settings section.
Select the Local mode tab.
In the Update source section, click the Add button.
In the Source field, enter the path to the shared folder.
The source address must match the address that you previously specified in the Path field when you configured copying of the update package to the shared folder (see the instructions above).
Click OK.
Configure the priorities of update sources by using the Up and Down buttons.
Click the Save button.

Page top

[Topic 176381]

Updating using Kaspersky Update Utility

To conserve Internet traffic, you can configure updates of databases and application modules on computers of the organization's LAN from a shared folder using the Kaspersky Update Utility. For this purpose, one of the computers on the organization's LAN must receive update packages from the Kaspersky Security Center Administration Server or from Kaspersky update servers and then copy the received update packages to the shared folder using the utility. Other computers on the organization's LAN will be able to receive the update package from this shared folder.

Configuring database and application module updates from a shared folder consists of the following steps:

Configuring database and application module updates from a server repository.
Install the Kaspersky Update Utility on one of the computers of the organization's LAN.
Configure copying of the update package to the shared folder in the Kaspersky Update Utility settings.
Configure database and application module updates from the specified shared folder to the remaining computers on the organization's LAN.

Updating using Kaspersky Update Utility

You can download the Kaspersky Update Utility distribution package from the Kaspersky Technical Support website. After installing the utility, select the update source (for example, the Administration Server repository) and the shared folder to which the Kaspersky Update Utility will copy update packages. For detailed information about using Kaspersky Update Utility, refer to Kaspersky Knowledge Base.

To configure updates from a shared folder:

In the main window of Web Console, select Devices → Tasks.
The list of tasks opens.
Click the Update task for Kaspersky Endpoint Security.
The task properties window opens.

The Update task is created automatically by the Initial Configuration Wizard of Kaspersky Security Center. To create the Update task, install the Kaspersky Endpoint Security for Windows web plug-in while running the Wizard.
Select the Application settings tab → Local mode.
In the list of update sources, click the Add button.
In the Source field, enter the UNC path to the shared folder (for example, \\Server\Share\Update distribution).
The source address must match the address indicated in the Kaspersky Update Utility settings.
Click OK.
Configure the priorities of update sources by using the Up and Down buttons.
Click the Save button.

Page top

[Topic 176800]

Updating in mobile mode

Mobile mode is the mode of Kaspersky Endpoint Security operation, when a computer leaves the organization network perimeter (offline computer). For more details about working with offline computers and out-of-office users, refer to Kaspersky Security Center Help.

An offline computer outside of the organization's network cannot connect to the Administration Server to update databases and application modules. By default, only Kaspersky update servers are used as update source for updating databases and application modules in mobile mode. The use of a proxy server to connect to the Internet is determined by a special out-of-office policy. The out-of-office policy must be created separately. When Kaspersky Endpoint Security is switched to mobile mode, the update task is started every two hours.

To configure the update settings for mobile mode:

In the main window of Web Console, select Devices → Tasks.
The list of tasks opens.
Click the Update task for Kaspersky Endpoint Security.
The task properties window opens.

The Update task is created automatically by the Initial Configuration Wizard of Kaspersky Security Center. To create the Update task, install the Kaspersky Endpoint Security for Windows web plug-in while running the Wizard.

Select the Application settings tab → Mobile mode.
Configure the sources of updates. The sources of updates can be Kaspersky update servers, other FTP- and HTTP servers, local folders, or network folders.
Click the Save button.

As a result, the databases and application modules will be updated on user computers when they switch to mobile mode.

Page top

[Topic 39100]

Starting and stopping an update task

Regardless of the selected update task run mode, you can start or stop a Kaspersky Endpoint Security update task at any time.

To start or stop an update task:

In the main application window, click the Database update button.
In the Update of databases and application modules block, click the Update button if you want to start the update task.

Kaspersky Endpoint Security will start updating the application modules and databases. The application will display the task progress, the size of the downloaded files, and the update source. You can click the icon_task_stop_local button to stop this task at any time.

To start or stop the update task when the simplified application interface is displayed:

Right-click to bring up the context menu of the application icon that is in the taskbar notification area.
In the Tasks drop-down list in the context menu, do one of the following:
- select a non-running update task to start it
- select a running update task to stop it
- select a paused update task to resume or restart it

Page top

[Topic 133791]

Starting an update task under the rights of a different user account

By default, the Kaspersky Endpoint Security update task is started on behalf of the user whose account you have used to log in to the operating system. However, Kaspersky Endpoint Security may be updated from an update source that the user cannot access due to a lack of required rights (for example, from a shared folder that contains an update package) or an update source for which proxy server authentication is not configured. In the Kaspersky Endpoint Security settings, you can specify a user that has such rights and start the Kaspersky Endpoint Security update task under that user account.

To start an update task under a different user account:

In the main application window, click the Database update button.
Select the Update task and click the Run mode: <mode> link.
The Update task properties open.
Click the User Account Settings button.
In the opened window, select the Run database updates with user rights option.
Enter the account credentials of a user with the necessary permissions to access the update source.
Save your changes.

Page top

[Topic 128098]

Selecting the update task run mode

If it is not possible to run the update task for any reason (for example, the computer is not on at that time), you can configure the skipped task to be start automatically as soon as this becomes possible.

You can postpone starting the update task after the application starts if you select the By schedule update task run mode, and if the start time of Kaspersky Endpoint Security matches the update task start schedule. The update task can only be run after the specified time interval elapses after the startup of Kaspersky Endpoint Security.

To select the update task run mode:

In the main application window, click the Database update button.
Select the Update task and click the Run mode: <mode> link.
The Update task properties open.
Click the Set database update mode button.
In the opened window, select the update task run mode:
- If you want Kaspersky Endpoint Security to run the update task depending on whether or not an update package is available from the update source, select Automatically. The frequency of checks by Kaspersky Endpoint Security for update packages increases during virus outbreaks and is less at other times.
- If you want to start an update task manually, select Manually.
- If you want to configure a startup schedule for the update task, select <By schedule>. Configure the advanced settings for starting the update task:
  - In the Postpone running after application startup for field, specify the time interval by which the start of the update task is postponed after the startup of Kaspersky Endpoint Security.
  - If you want Kaspersky Endpoint Security to run skipped update tasks as soon as possible, select the Run skipped tasks check box.
Save your changes.

Page top

[Topic 133787]

Adding an update source

An update source is a resource that contains updates for databases and application modules of Kaspersky Endpoint Security.

Update sources include the Kaspersky Security Center server, Kaspersky update servers, and network or local folders.

The default list of update sources includes Kaspersky Security Center and Kaspersky update servers. You can add other update sources to the list. You can specify HTTP/FTP servers and shared folders as update sources.

Kaspersky Endpoint Security does not support updates from HTTPS servers unless they are Kaspersky's update servers.

If several resources are selected as update sources, Kaspersky Endpoint Security tries to connect to them one after another, starting from the top of the list, and performs the update task by retrieving the update package from the first available source.

To add an update source:

In the main application window, click the Database update button.
Select the Update task and click the Run mode: <mode> link.
The Update task properties open.
Click the Select update sources button.
In the window, click the Add button.
In the window that opens, specify the address of the FTP or HTTP server, network folder or local folder that contains the update package.
The following path format is used for update source:
- For an FTP or HTTP server, enter its web address or IP address.
  For example, http://dnl-01.geo.kaspersky.com/ or 93.191.13.103.
  
  For an FTP server, you can specify the authentication settings within the address in the following format: ftp://<user name>:<password>@<node>:<port>.
- For a network folder, enter the UNC path.
  For example, \\ Server\Share\Update distribution.
- For a local folder, enter the full path to that folder.
  For example, C:\Documents and Settings\All Users\Application Data\Kaspersky Lab\AVP11\Update distribution\.
Click the Select button.
Configure the priorities of update sources by using the Up and Down buttons.
Save your changes.

Page top

[Topic 133789]

Configuring updates from a shared folder

Configuring database and application module updates from a shared folder consists of the following steps:

Enabling the copying of an update package to a shared folder on one of the computers on the local area network.
Configure database and application module updates from the specified shared folder to the remaining computers on the organization's LAN.

To enable copying of the update package to the shared folder:

In the main application window, click the Database update button.
Select the Update task and click the Run mode: <mode> link.
The Update task properties open.
In the Distributing updates block, select the Copy updates to folder check box.
Enter the UNC path to the shared folder (for example, \\Server\Share\Update distribution).
Save your changes.

To configure updates from a shared folder:

In the main application window, click the Database update button.
Select the Update task and click the Run mode: <mode> link.
The Update task properties open.
Click the Select update sources button.
In the window, click the Add button.
In the window that opens, enter the path to the shared folder.
The source address must match the address that you previously specified when you configured copying of the update package to the shared folder (see the instructions above).
Click the Select button.
Configure the priorities of update sources by using the Up and Down buttons.
Save your changes.

Page top

[Topic 87929]

Updating application modules

Application module updates fix errors, improve performance, and add new features. When a new application module update becomes available, you need to confirm installation of the update. You can confirm installation of an application module update either in the application interface or in Kaspersky Security Center. When an update becomes available, the application will show one of the following notifications in the main window of Kaspersky Endpoint Security: important update (), or critical update (). If application module updates require reviewing and accepting the terms of the End User License Agreement, the application installs updates after the terms of the End User License Agreement have been accepted. For details about keeping track of application module updates and confirming an update in Kaspersky Security Center, please refer to the Kaspersky Security Center Help.

After installing an application update, you may be required to restart your computer.

To configure application module updates:

In the main application window, click the Database update button.
Select the Update task and click the Run mode: <mode> link.
The Update task properties open.
In the Downloading and installing updates of application modules block, select the Download updates of application modules check box.
Select the application module updates that you want to install.
- Install critical and approved updates. If this option is selected, when application module updates are available Kaspersky Endpoint Security installs critical updates automatically and all other application module updates only after their installation is approved locally via the application interface or on the side of Kaspersky Security Center.
- Install only approved updates. If this option is selected, when application module updates are available Kaspersky Endpoint Security installs them only after their installation is approved locally via the application interface or on the side of Kaspersky Security Center. This option is selected by default.
Save your changes.

Page top

[Topic 176799]

Using a proxy server for updates

You may be required to specify proxy server settings to download database and application module updates from the update source. If there are multiple update sources, proxy server settings are applied for all sources. If a proxy server is not needed for some update sources, you can disable use of a proxy server in the policy properties. Kaspersky Endpoint Security will also use a proxy server to access Kaspersky Security Network and activation servers.

To configure a connection to update sources through a proxy server:

In the main window of Web Console, click .
The Administration Server properties window opens.
Go to the Internet access settings section.
Select the Use proxy server check box.
Configure the proxy server connection settings: proxy server address, port, and authentication settings (user name and password).
Click the Save button.

To disable use of a proxy server for a specific administration group:

In the main window of Web Console, select Devices → Policies and profiles.
Click the name of the Kaspersky Endpoint Security policy for computers on which you want to disable use of a proxy server.
The policy properties window opens.
Select the Application settings tab.
Go to the General settings → Network settings section.
In the Proxy Server Settings section, select Do not use proxy server.
Click OK.
Confirm your changes by clicking Save.

To configure the proxy server settings in the application interface:

In the lower part of the main application window, click the button.
In the application settings window, select Network settings.
In the Proxy server block, click the Proxy server settings link.
In the opened window, select one of the following options for determining the proxy server address:
- Automatically detect proxy server settings.
  This option is selected by default. Kaspersky Endpoint Security uses the proxy server settings that are defined in the operating system settings.
- Use specified proxy server settings.
  If you selected this option, configure the settings for connecting to the proxy server: proxy server address and port.
If you want to enable authentication on the proxy server, select the Use proxy server authentication check box and provide your user account credentials.
If you want to disable proxy server use when updating databases and application modules from a shared folder, select the Bypass proxy server for local addresses check box.
Save your changes.

As a result, Kaspersky Endpoint Security will use the proxy server to download application module and database updates. Kaspersky Endpoint Security will also use the proxy server to access KSN servers and Kaspersky activation servers. If authentication is required on the proxy server but the user account credentials were not provided or are incorrect, Kaspersky Endpoint Security will prompt you for the user name and password.

Page top

[Topic 34568]

Last update rollback

After the databases and application modules are updated for the first time, the function of rolling back the databases and application modules to their previous versions becomes available.

Each time that a user starts the update process, Kaspersky Endpoint Security creates a backup copy of the current databases and application modules. This lets you roll back the databases and application modules to their previous versions when necessary. Rolling back the last update is useful, for example, when the new database version contains an invalid signature that causes Kaspersky Endpoint Security to block a safe application.

To roll back the last update:

In the main application window, click the Database update button.
In the Rollback of databases to their previous version block, click the Roll back button.

Kaspersky Endpoint Security will start rolling back the last database update. The application will display the rollback progress, the size of the downloaded files, and the update source. You can click the icon_task_stop_local button to stop this task at any time.

To start or stop a rollback task when the simplified application interface is displayed:

Right-click to bring up the context menu of the application icon that is in the taskbar notification area.
In the Tasks drop-down list in the context menu, do one of the following:
- Select a non-running rollback task to start it.
- Select a running rollback task to stop it.
- Select a paused rollback task to resume or restart it.

Page top

[Topic 128103]

Working with active threats

Kaspersky Endpoint Security logs information about files that it has not processed for some reason. This information is recorded in the form of events in the list of active threats. To work with active threats, Kaspersky Endpoint Security uses the Advanced Disinfection technology. Advanced Disinfection works differently for workstations and servers. You can configure advanced disinfection technology in Virus Scan task settings and in application settings.

Disinfection of active threats on workstations

To work with active threats on workstations, enable the Advanced Disinfection technology in the application settings. Next, configure the user experience in the Virus scan task properties. There is an Enable immediate Advanced Disinfection check box in the task properties. If the flag is set, Kaspersky Endpoint Security will perform disinfection without notifying the user. When the disinfection is complete, the computer will be rebooted. If the flag is unset, Kaspersky Endpoint Security will display a notification about active threats (see the figure below). You cannot close this notification without processing the file.

Advanced Disinfection during a virus scan task on a computer is performed only if the Advanced Disinfection feature is enabled in the properties of the policy applied to this computer.

loc_screen_KES11_ActiveThreats_Notification

Notification about active threat

Disinfection of active threats on servers

To work with active threats on servers, you need to do the following:

enable the Advanced Disinfection technology in the application settings;
enable immediate Advanced Disinfection in the Virus scan task properties.

If Kaspersky Endpoint Security is installed on a computer running Windows for Servers, Kaspersky Endpoint Security does not show the notification. Therefore, the user cannot select an action to disinfect an active threat. To disinfect a threat, you need to enable the Advanced Disinfection technology in the application settings and enable immediate Advanced Disinfection in the Virus scan task properties. Then you need to start Virus Scan task.

Processing of active threats

An infected file is considered processed if Kaspersky Endpoint Security performs one of the following actions on this file according to the specified application settings while scanning the computer for viruses and other threats:

Disinfect.
Remove.
Delete if disinfection fails.

Kaspersky Endpoint Security moves the file to the list of active threats if, for any reason, Kaspersky Endpoint Security failed to perform an action on this file according to the specified application settings while scanning the computer for viruses and other threats.

This situation is possible in the following cases:

The scanned file is unavailable (for example, it is located on a network drive or on a removable drive without write privileges).
The action that is selected in the Action on threat detection section for scan tasks is Inform, and the user selects the Skip action when a notification about the infected file is displayed.

Main application window when a threat is detected

To process active threats:

In the main application window, click the Details button.
The list of active threats opens.
Select the object that you want to process.
Choose how you want to handle the threat:
- Resolve. If this option is selected, Kaspersky Endpoint Security automatically attempts to disinfect all infected files that are detected. If disinfection fails, Kaspersky Endpoint Security deletes the files.
- Ignore. If this option is selected, Kaspersky Endpoint Security deletes the entry from the list of active threats. If there are no active threats remaining on the list, the computer status will be changed to OK. If the object is detected again, Kaspersky Endpoint Security will add a new entry to the list of active threats.
- Open containing folder. If this option is selected, Kaspersky Endpoint Security opens the folder containing the object in the file manager. You can then manually delete the object or move the object to a folder that is not within the protection scope.
- Learn more. If this option is selected, Kaspersky Endpoint Security opens the Kaspersky Virus Encyclopedia website.

Page top

[Topic 196709]

Computer protection

In this Help section

File Threat Protection

Web Threat Protection

Mail Threat Protection

Network Threat Protection

Host Intrusion Prevention

BadUSB Attack Prevention

AMSI Protection

Exploit Prevention

Behavior Detection

Remediation Engine

Kaspersky Security Network

Encrypted connections scan

Page top

[Topic 34233]

File Threat Protection

The File Threat Protection component lets you prevent infection of the file system of the computer. By default, the File Threat Protection component permanently resides in the computer's RAM. The component scans files on all drives of the computer, as well as on connected drives. The component provides computer protection with the help of anti-virus databases, the Kaspersky Security Network cloud service, and heuristic analysis.

The component scans the files accessed by the user or application. If a malicious file is detected, Kaspersky Endpoint Security blocks the file operation. The application then disinfects or deletes the malicious file, depending on the settings of the File Threat Protection component.

When attempting to access a file whose contents are stored in the OneDrive cloud, Kaspersky Endpoint Security downloads and scans the file contents.

In this section

Enabling and disabling File Threat Protection

Automatic pausing of File Threat Protection

Changing the action taken on infected files by the File Threat Protection component

Forming the protection scope of the File Threat Protection component

Using scan technologies in the operation of the File Threat Protection component

Enabling and disabling Web Threat Protection

Changing the scan mode

Page top

[Topic 133730]

Enabling and disabling File Threat Protection

By default, the File Threat Protection component is enabled and runs in the mode recommended by Kaspersky experts. For File Threat Protection, Kaspersky Endpoint Security can apply different groups of settings. These groups of settings saved in the application are called security levels: High, Recommended, Low. The Recommended security level settings are considered to be the optimal settings recommended by Kaspersky experts (see the table below). You can select one of the preset security levels or manually configure security level settings. If you change the security level settings, you can always revert back to the recommended security level settings.

To enable or disable the File Threat Protection component:

In the lower part of the main application window, click the button.
In the application settings window, select Protection → Essential Threat Protection → File Threat Protection.
Use the File Threat Protection toggle to enable or disable the component.
If you enabled the component, do one of the following in the Security level section:
- If you want to apply one of the preset security levels, select it with the slider:
  - High. When this file security level is selected, the File Threat Protection component takes the strictest control of all files that are opened, saved, and started. The File Threat Protection component scans all file types on all hard drives, removable drives, and network drives of the computer. It also scans archives, installation packages, and embedded OLE objects.
  - Recommended. This file security level is recommended by Kaspersky Lab experts. The File Threat Protection component scans only the specified file formats on all hard drives, removable drives, and network drives of the computer, and embedded OLE objects. The File Threat Protection component does not scan archives or installation packages. The values of settings for the recommended security level are provided in the table below.
  - Low. The settings of this file security level ensure maximum scanning speed. The File Threat Protection component scans only files with specified extensions on all hard drives, removable drives, and network drives of the computer. The File Threat Protection component does not scan compound files.
- If you want to configure a custom security level, click the Advanced settings button and define your own component settings.
  You can restore the values of preset security levels by clicking the Restore recommended security level button in the upper part of the window.

Save your changes.

File Threat Protection settings recommended by Kaspersky experts (recommended security level)

Parameter	Value	Description
File types	Files scanned by format	If this setting is enabled, Kaspersky Endpoint Security scans infectable files only. Before scanning a file for malicious code, the internal header of the file is analyzed to determine the format of the file (for example, .txt, .doc, or .exe). The scan also looks for files with particular file extensions.
Heuristic Analysis	Light scan	The technology was developed for detecting threats that cannot be detected by using the current version of Kaspersky application databases. It detects files that may be infected with an unknown virus or a new variety of a known virus. When scanning files for malicious code, the heuristic analyzer executes instructions in the executable files. The number of instructions that are executed by the heuristic analyzer depends on the level that is specified for the heuristic analyzer. The heuristic analysis level ensures a balance between the thoroughness of searching for new threats, the load on the resources of the operating system, and the duration of heuristic analysis.
Scan only new and changed files	Enabled	Scans only new files and those files that have been modified since the last time they were scanned. This helps reduce the duration of a scan. This mode applies both to simple and to compound files.
iSwift Technology	Enabled	This technology allows increasing scan speed by excluding certain files from scanning. Files are excluded from scanning by using a special algorithm that takes into account the release date of Kaspersky Endpoint Security databases, the date that the file was last scanned on, and any modifications to the scanning settings. The iSwift technology is an advancement of the iChecker technology for the NTFS file system.
iChecker Technology	Enabled	This technology allows increasing scan speed by excluding certain files from scanning. Files are excluded from scans by using a special algorithm that takes into account the release date of Kaspersky Endpoint Security databases, the date when the file was last scanned, and any modifications to the scan settings. There are limitations to iChecker Technology: it does not work with large files and applies only to files with a structure that the application recognizes (for example, EXE, DLL, LNK, TTF, INF, SYS, COM, CHM, ZIP, and RAR).
Scan files in Microsoft Office formats	Enabled	Scans Microsoft Office files (DOC, DOCX, XLS, PPT and other Microsoft extensions). Office format files include OLE objects as well.
Scan mode	Smart mode	In this mode, File Threat Protection scans an object based on an analysis of actions taken on the object. For example, when working with a Microsoft Office document, Kaspersky Endpoint Security scans the file when it is first opened and last closed. Intermediate operations that overwrite the file do not cause it to be scanned.
Action on threat detection	Disinfect, if not possible – delete	If this option is selected, Kaspersky Endpoint Security automatically attempts to disinfect all infected files that are detected. If disinfection fails, Kaspersky Endpoint Security deletes the files.

Page top

[Topic 123514]

Automatic pausing of File Threat Protection

You can configure File Threat Protection to automatically pause at a specified time or when working with specific applications.

File Threat Protection should be paused only as a last resort when it conflicts with some applications. If any conflicts arise while a component is running, you are advised to contact Kaspersky Technical Support. The support experts will help you set up the File Threat Protection component to run simultaneously with other applications on your computer.

To configure automatic pausing of File Threat Protection:

In the lower part of the main application window, click the button.
In the application settings window, select Protection → Essential Threat Protection → File Threat Protection.
Click the Advanced settings button.
In the Pause File Threat Protection block, click the Pause File Threat Protection link.
In the opened window, configure the settings for pausing File Threat Protection:
1. Configure a schedule for automatically pausing File Threat Protection.
2. Create a list of applications whose operation should cause File Threat Protection to pause its activities.
Save your changes.

Page top

[Topic 128010]

Changing the action taken on infected files by the File Threat Protection component

By default, the File Threat Protection component automatically tries to disinfect all infected files that are detected. If disinfection fails, the File Threat Protection component deletes these files.

To change the action taken on infected files by the File Threat Protection component:

In the lower part of the main application window, click the button.
In the application settings window, select Protection → Essential Threat Protection → File Threat Protection.
In the Action on threat detection section, select the required option:
- Disinfect; delete if disinfection fails. If this option is selected, Kaspersky Endpoint Security automatically attempts to disinfect all infected files that are detected. If disinfection fails, Kaspersky Endpoint Security deletes the files.
- Disinfect; block if disinfection fails. If this option is selected, Kaspersky Endpoint Security automatically attempts to disinfect all infected files that are detected. If disinfection is not possible, Kaspersky Endpoint Security adds the information about the infected files that are detected to the list of active threats.
- Block. If this option is selected, the File Threat Protection component automatically blocks all infected files without attempting to disinfect them.
Before attempting to disinfect or delete an infected file, Kaspersky Endpoint Security creates a backup copy of the file in case you need to restore the file or if it can be disinfected in the future.
Save your changes.

Page top

[Topic 123504]

Forming the protection scope of the File Threat Protection component

The protection scope refers to the objects that the component scans when enabled. The protection scopes of different components have different properties. The location and type of files to be scanned are properties of the protection scope of the File Threat Protection component. By default, the File Threat Protection component scans only potentially infectable files that are run from hard drives, removable drives and network drives.

When selecting the type of files to scan, consider the following:

There is a low probability of introducing malicious code into files of certain formats and its subsequent activation (for example, TXT format). At the same time, there are file formats that contain executable code (such as .exe, .dll). The executable code may also be contained in files of formats that are not intended for this purpose (for example, the DOC format). The risk of intrusion and activation of malicious code in such files is high.
An intruder may send a virus or another malicious application to your computer in an executable file that has been renamed with the .txt extension. If you select scanning of files by extension, the application skips this file during scanning. If scanning of files by format is selected, Kaspersky Endpoint Security analyzes the file header regardless of its extension. If this analysis reveals that the file has the format of an executable file (for example, EXE), the application scans it.

To create the protection scope:

In the lower part of the main application window, click the button.
In the application settings window, select Protection → Essential Threat Protection → File Threat Protection.
Click the Advanced settings button.
In the File types section, specify the type of files that you want the File Threat Protection component to scan:
- All files. If this setting is enabled, Kaspersky Endpoint Security checks all files without exception (all formats and extensions).
- Files scanned by format. If this setting is enabled, Kaspersky Endpoint Security scans infectable files only. Before scanning a file for malicious code, the internal header of the file is analyzed to determine the format of the file (for example, .txt, .doc, or .exe). The scan also looks for files with particular file extensions.
- Files scanned by extension. If this setting is enabled, Kaspersky Endpoint Security scans infectable files only. The file format is then determined based on the file's extension.
Click the Edit protection scope link.
In the opened window, select the objects that you want to add to the protection scope or exclude from it.
You cannot remove or edit objects that are included in the default protection scope.
If you want to add a new object to the protection scope:
1. Click the Add button.
  The folder tree opens.
2. Select the object and click Select.
You can exclude an object from scans without deleting it from the list of objects in the scan scope. To do so, clear the check box next to the object.
Save your changes.

Page top

[Topic 133732]

Using scan methods

To configure the use of heuristic analysis in the operation of the File Threat Protection component:

In the lower part of the main application window, click the button.
In the application settings window, select Protection → Essential Threat Protection → File Threat Protection.
Click the Advanced settings button.
If you want the application to use heuristic analysis for protection against file threats, select the Heuristic analysis check box in the Scan methods block. Then use the slider to set the heuristic analysis level: Light scan, Medium scan, or Deep scan.
Save your changes.

Page top

[Topic 133733]

Using scan technologies in the operation of the File Threat Protection component

To configure the use of scan technologies in the operation of the File Threat Protection component:

In the lower part of the main application window, click the button.
In the application settings window, select Protection → Essential Threat Protection → File Threat Protection.
Click the Advanced settings button.
In the Scan technologies block, select the check boxes next to the names of technologies that you want to use for file threat protection:
- iSwift technology. This technology allows increasing scan speed by excluding certain files from scanning. Files are excluded from scanning by using a special algorithm that takes into account the release date of Kaspersky Endpoint Security databases, the date that the file was last scanned on, and any modifications to the scanning settings. The iSwift technology is an advancement of the iChecker technology for the NTFS file system.
- iChecker technology. This technology allows increasing scan speed by excluding certain files from scanning. Files are excluded from scans by using a special algorithm that takes into account the release date of Kaspersky Endpoint Security databases, the date when the file was last scanned, and any modifications to the scan settings. There are limitations to iChecker Technology: it does not work with large files and applies only to files with a structure that the application recognizes (for example, EXE, DLL, LNK, TTF, INF, SYS, COM, CHM, ZIP, and RAR).
Save your changes.

Page top

[Topic 133734]

Optimizing file scanning

You can optimize the file scanning that is performed by the File Threat Protection component by reducing the scan time and increasing the operating speed of Kaspersky Endpoint Security. This can be achieved by scanning only new files and those files that have been modified since the previous scan. This mode applies both to simple and to compound files.

You can also enable the use of the iChecker and iSwift technologies that optimize the speed of file scanning by excluding files that have not been modified since the most recent scan.

To optimize file scanning:

In the lower part of the main application window, click the button.
In the application settings window, select Protection → Essential Threat Protection → File Threat Protection.
Click the Advanced settings button.
In the Scan optimization section, select the Scan only new and changed files check box.
Save your changes.

Page top

[Topic 128011]

Scanning compound files

The method used to process an infected compound file (disinfection or deletion) depends on the type of file.

The File Threat Protection component disinfects compound files in the RAR, ARJ, ZIP, CAB, and LHA formats and deletes files in all other formats (except mail databases).

To configure scanning of compound files:

In the lower part of the main application window, click the button.
In the application settings window, select Protection → Essential Threat Protection → File Threat Protection.
Click the Advanced settings button.
In the Scan of compound files section, specify the types of compound files that you want to scan: archives, installation packages, or files in office formats.
If scanning only new and modified files is disabled, configure the settings for scanning each type of compound file: scan all files of this type or only new files.
If scanning only new and modified files is enabled, Kaspersky Endpoint Security scans only new and modified files of all types of compound files.
Configure the advanced settings for scanning compound files.
- Do not unpack large compound files.
  If this check box is selected, Kaspersky Endpoint Security does not scan compound files if their size exceeds the specified value.
  
  If this check box is cleared, Kaspersky Endpoint Security scans compound files of all sizes.
  
  Kaspersky Endpoint Security scans large files that are extracted from archives, regardless of whether the Do not unpack large compound files check box is selected.
- Unpack compound files in the background.
  If the check box is selected, Kaspersky Endpoint Security provides access to compound files that are larger than the specified value before these files are scanned. In this case, Kaspersky Endpoint Security unpacks and scans compound files in the background.
  
  Kaspersky Endpoint Security provides access to compound files that are smaller than this value only after unpacking and scanning these files.
  
  If the check box is not selected, Kaspersky Endpoint Security provides access to compound files only after unpacking and scanning files of any size.
Save your changes.

Page top

[Topic 133735]

Changing the scan mode

Scan mode refers to the condition that triggers file scanning by the File Threat Protection component. By default, Kaspersky Endpoint Security scans files in smart mode. In this file scan mode, the File Threat Protection component decides whether or not to scan files after analyzing operations that are performed with the file by the user, by an application on behalf of the user (under the account that was used to log in or a different user account), or by the operating system. For example, when working with a Microsoft Office Word document, Kaspersky Endpoint Security scans the file when it is first opened and last closed. Intermediate operations that overwrite the file do not cause it to be scanned.

To change the file scan mode:

In the lower part of the main application window, click the button.
In the application settings window, select Protection → Essential Threat Protection → File Threat Protection.
Click the Advanced settings button.
In the Scan mode section, select the required mode:
- Smart mode. In this mode, File Threat Protection scans an object based on an analysis of actions taken on the object. For example, when working with a Microsoft Office document, Kaspersky Endpoint Security scans the file when it is first opened and last closed. Intermediate operations that overwrite the file do not cause it to be scanned.
- On access and modification. In this mode, File Threat Protection scans objects whenever there is an attempt to open or modify them.
- On access. In this mode, File Threat Protection scans objects only upon an attempt to open them.
- On execution. In this mode, File Threat Protection only scans objects upon an attempt to run them.
Save your changes.

Page top

[Topic 34322]

Web Threat Protection

This component is available if Kaspersky Endpoint Security is installed on a computer that runs on Windows for workstations. This component is unavailable if Kaspersky Endpoint Security is installed on a computer that runs on Windows for servers.

The Web Threat Protection component prevents downloads of malicious files from the Internet, and also blocks malicious and phishing websites. The component provides computer protection with the help of anti-virus databases, the Kaspersky Security Network cloud service, and heuristic analysis.

Kaspersky Endpoint Security scans HTTP-, HTTPS- and FTP-traffic. Kaspersky Endpoint Security scans URLs and IP addresses. You can specify the ports that Kaspersky Endpoint Security will monitor, or select all ports.

For HTTPS traffic monitoring, you need to enable encrypted connections scan.

When a user tries to open a malicious or phishing website, Kaspersky Endpoint Security will block access and show a warning (see the figure below).

Website access denied message

In this section

Changing the action to take on malicious web traffic objects

Scanning URLs against databases of phishing and malicious web addresses

Using heuristic analysis in the operation of the Web Threat Protection component

Creating the list of trusted web addresses

Exporting and importing the list of trusted web addresses

Page top

[Topic 128209]

Enabling and disabling Web Threat Protection

By default, the Web Threat Protection component is enabled and runs in the mode recommended by Kaspersky experts. For Web Threat Protection, Kaspersky Endpoint Security can apply different groups of settings. These groups of settings saved in the application are called security levels: High, Recommended, Low. The Recommended web traffic security level settings are considered to be the optimal settings recommended by Kaspersky experts (see the table below). You can select one of the pre-installed security levels for web traffic that is received or transmitted via the HTTP and FTP protocols, or configure a custom web traffic security level. If you change the web traffic security level settings, you can always revert to the recommended web traffic security level settings.

To enable or disable the Web Threat Protection component:

In the lower part of the main application window, click the button.
In the application settings window, select Protection → Essential Threat Protection → Web Threat Protection.
Use the Web Threat Protection toggle to enable or disable the component.
If you enabled the component, do one of the following in the Security level section:
- If you want to apply one of the preset security levels, select it with the slider:
  - High. The security level under which the Web Threat Protection component performs maximum scanning of web traffic that the computer receives over the HTTP and FTP protocols. Web Threat Protection performs detailed scanning of all web traffic objects by using the full set of application databases, and performs the deepest possible
    heuristic analysis
    The technology was developed for detecting threats that cannot be detected by using the current version of Kaspersky application databases. It detects files that may be infected with an unknown virus or a new variety of a known virus.
    
    The technology was developed for detecting threats that cannot be detected by using the current version of Kaspersky application databases. It detects files that may be infected with an unknown virus or a new variety of a known virus.
    
    .
  - Recommended. The security level that provides the optimal balance between the performance of Kaspersky Endpoint Security and the security of web traffic. The Web Threat Protection component performs heuristic analysis at the medium scan level. This web traffic security level is recommended by Kaspersky specialists. The values of settings for the recommended security level are provided in the table below.
  - Low. The settings of this web traffic security level ensure the maximum web traffic scanning speed. The Web Threat Protection component performs heuristic analysis at the light scan level.
- If you want to configure a custom security level, click the Advanced settings button and define your own component settings.
  You can restore the values of preset security levels by clicking the Restore recommended security level button in the upper part of the window.

Save your changes.

Web Threat Protection settings recommended by Kaspersky experts (recommended security level)

Parameter	Value	Description
Check if links are listed in the database of malicious links	Enabled	Scanning the links to determine whether they are included in the database of malicious web addresses allows you to track websites that have been added to denylist. The database of malicious web addresses is maintained by Kaspersky, included in the application installation package, and updated during Kaspersky Endpoint Security database updates.
Check the URL against the database of phishing URLs	Enabled	The database of phishing web addresses includes the web addresses of currently known websites that are used to launch phishing attacks. Kaspersky supplements this database of phishing links with addresses obtained from the international organization known as the Anti-Phishing Working Group. The database of phishing addresses is included in the application installation package and supplemented with Kaspersky Endpoint Security database updates.
Use heuristic analysis (Web Threat Protection)	Medium scan	The technology was developed for detecting threats that cannot be detected by using the current version of Kaspersky application databases. It detects files that may be infected with an unknown virus or a new variety of a known virus. When web traffic is scanned for viruses and other applications that present a threat, the heuristic analyzer performs instructions in the executable files. The number of instructions that are executed by the heuristic analyzer depends on the level that is specified for the heuristic analyzer. The heuristic analysis level ensures a balance between the thoroughness of searching for new threats, the load on the resources of the operating system, and the duration of heuristic analysis.
Use heuristic analysis (Anti-Phishing)	Enabled	The technology was developed for detecting threats that cannot be detected by using the current version of Kaspersky application databases. It detects files that may be infected with an unknown virus or a new variety of a known virus.
Action on threat detection	Block download	If this option is selected and an infected object is detected in web traffic, the Web Threat Protection component blocks access to the object and displays a message in the browser.

Page top

[Topic 133739]

Changing the action to take on malicious web traffic objects

By default, on detection of an infected object in web traffic, the Web Threat Protection component blocks access to the object and displays a notification about the action.

To change the action to take on malicious web traffic objects:

In the lower part of the main application window, click the button.
In the application settings window, select Protection → Essential Threat Protection → Web Threat Protection.
In the Action on threat detection section, select the action that Kaspersky Endpoint Security performs on malicious web traffic objects:
- Block download. If this option is selected and an infected object is detected in web traffic, the Web Threat Protection component blocks access to the object and displays a message in the browser.
- Inform. If this option is selected and an infected object is detected in web traffic, Kaspersky Endpoint Security allows this object to be downloaded to the computer but adds information about the infected object to the list of active threats.
Save your changes.

Page top

[Topic 128018]

Scanning URLs against databases of phishing and malicious web addresses

Scanning links to see if they are included in the list of phishing web addresses allows avoiding phishing attacks. A phishing attack can be disguised, for example, as an email message supposedly from your bank with a link to the official website of the bank. By clicking the link, you go to an exact copy of the bank's website and can even see its real web address in the browser, even though you are on a counterfeit site. From this point forward, all of your actions on the site are tracked and can be used to steal your money.

Because links to phishing websites may be received not only in an email message but also from other sources such as ICQ messages, the Web Threat Protection component monitors attempts to access a phishing website at the web traffic scan level and blocks access to such websites. Lists of phishing URLs are included with the Kaspersky Endpoint Security distribution kit.

To configure the Web Threat Protection component to check links against the databases of phishing and malicious web addresses:

In the lower part of the main application window, click the button.
In the application settings window, select Protection → Essential Threat Protection → Web Threat Protection.
Click the Advanced settings button.
Do the following:
- If you want the Web Threat Protection component to check links against the databases of malicious web addresses, in the Scan methods section, select the Check the URL against the database of malicious URLs check box. Scanning the links to determine whether they are included in the database of malicious web addresses allows you to track websites that have been added to denylist. The database of malicious web addresses is maintained by Kaspersky, included in the application installation package, and updated during Kaspersky Endpoint Security database updates.
  Kaspersky Endpoint scans all links to determine if they are listed in databases of malicious web addresses. The application's secure connection scan settings do not affect the link scanning functionality. In other words, if encrypted connection scans are disabled, Kaspersky Endpoint Security checks links against databases of malicious web addresses even if network traffic is transmitted over an encrypted connection.
- If you want the Web Threat Protection component to check links against the databases of phishing web addresses, select the Check the URL against the database of phishing URLs check box in the Anti-Phishing block. The database of phishing web addresses includes the web addresses of currently known websites that are used to launch phishing attacks. Kaspersky supplements this database of phishing links with addresses obtained from the international organization known as the Anti-Phishing Working Group. The database of phishing addresses is included in the application installation package and supplemented with Kaspersky Endpoint Security database updates.
  You can also check links against the reputation databases of Kaspersky Security Network.
Save your changes.

Page top

[Topic 128019]

Using heuristic analysis in the operation of the Web Threat Protection component

To increase the effectiveness of protection, you can use heuristic analysis. During heuristic analysis, Kaspersky Endpoint Security analyzes the activity of applications in the operating system. Heuristic analysis can detect threats for which there are currently no records in the Kaspersky Endpoint Security databases.

To configure the use of heuristic analysis:

In the lower part of the main application window, click the button.
In the application settings window, select Protection → Essential Threat Protection → Web Threat Protection.
Click the Advanced settings button.
In the Scan methods block, select the Use heuristic analysis check box if you want the application to use heuristic analysis when scanning web traffic for viruses and other malware. Then use the slider to set the heuristic analysis level: Light scan, Medium scan, or Deep scan.
In the Anti-Phishing block, select the Use heuristic analysis check box if you want the application to use heuristic analysis when scanning web pages for phishing links.
Save your changes.

Page top

[Topic 128021]

Creating the list of trusted web addresses

You can create a list of URLs whose content you trust. The Web Threat Protection component does not analyze information from trusted web addresses to check them for viruses or other threats. This option may be useful, for example, if the Web Threat Protection component interferes with the downloading of a file from a known website.

A URL may be the address of a specific web page or the address of a website.

To create a list of trusted web addresses:

In the lower part of the main application window, click the button.
In the application settings window, select Protection → Essential Threat Protection → Web Threat Protection.
Click the Advanced settings button.
Select the Do not scan web traffic from trusted web addresses check box.
If the check box is selected, the Web Threat Protection component does not scan the content of web pages or websites whose addresses are included in the list of trusted web addresses. You can add both the specific address and the address mask of a web page/website to the list of trusted web addresses.
Create a list of URLs / web pages whose content you trust.
Save your changes.

Page top

[Topic 202082]

Exporting and importing the list of trusted web addresses

You can export the list of trusted web addresses to an XML file. Then you can modify the file to, for example, add a large number of web addresses of the same type. You can also use the export/import function to back up the list of trusted web addresses or to migrate the list to a different server.

How to export and import a list of trusted web addresses in the Administration Console (MMC)

Open the Kaspersky Security Center Administration Console.
In the Managed devices folder in the Administration Console tree, open the folder with the name of the administration group to which the relevant client computers belong.
In the workspace, select the Policies tab.
Select the necessary policy and double-click to open the policy properties.
In the policy window, select Essential Threat Protection → Web Threat Protection.
Click the Settings button.
In the opened window, select the Trusted web addresses tab.
To export the list of trusted web addresses:
1. Select the trusted web addresses that you want to export. To select multiple ports, use the CTRL or SHIFT keys.
  If you did not select any trusted web address, Kaspersky Endpoint Security will export all web addresses.
2. Click the Export link.
3. In the window that opens, specify the name of the XML file to which you want to export the list of trusted web addresses, and select the folder in which you want to save this file.
4. Click the Save button.
  Kaspersky Endpoint Security exports the entire list of trusted web addresses to the XML file.
To import the list of trusted addresses:
1. Click the Import link.
  In the window that opens, select the XML file from which you want to import the list of trusted addresses.
2. Click the Open button.
  If the computer already has a list of trusted addresses, Kaspersky Endpoint Security will prompt you to delete the existing list or add new entries to it from the XML file.
Save your changes.

How to export and import a list of trusted web addresses in the Web Console and Cloud Console

In the main window of Web Console, select Devices → Policies and profiles.
Click the name of the Kaspersky Endpoint Security policy for computers on which you want to export or import a list of trusted web addresses.
The policy properties window opens.
Select the Application settings tab.
Select Essential Threat Protection → Web Threat Protection.
To export the list of exclusions in the Trusted web addresses block:
1. Select the trusted web addresses that you want to export.
2. Click the Export link.
3. In the window that opens, specify the name of the XML file to which you want to export the list of trusted web addresses, and select the folder in which you want to save this file.
4. Click the Save button.
  Kaspersky Endpoint Security exports the entire list of trusted web addresses to the XML file.
To import a list of exclusions in the Trusted web addresses block:
1. Click the Import link.
  In the window that opens, select the XML file from which you want to import the list of trusted addresses.
2. Click the Open button.
  If the computer already has a list of trusted addresses, Kaspersky Endpoint Security will prompt you to delete the existing list or add new entries to it from the XML file.
Save your changes.

Page top

[Topic 34268]

Mail Threat Protection

The Mail Threat Protection component scans the attachments of incoming and outgoing email messages for viruses and other threats. The component also scans messages for malicious and phishing links. By default, the Mail Threat Protection component permanently resides in the computer's RAM and scans all messages received or sent using the POP3, SMTP, IMAP, or NNTP protocols, or the Microsoft Office Outlook mail client (MAPI). The component provides computer protection with the help of anti-virus databases, the Kaspersky Security Network cloud service, and heuristic analysis.

The Mail Threat Protection component does not scan messages if the mail client is open in a browser.

When a malicious file is detected in an attachment, Kaspersky Endpoint Security renames the message subject as follows: [Message is infected] <message subject> or [Infected object deleted] <message subject>.

This component interacts with mail clients installed on the computer. For the Microsoft Office Outlook mail client, an extension with additional parameters is provided. The Mail Threat Protection extension is embedded in the Microsoft Office Outlook mail client during installation of Kaspersky Endpoint Security.

In this section

Enabling and disabling Mail Threat Protection

Changing the action to take on infected email messages

Forming the protection scope of the Mail Threat Protection component

Scanning compound files attached to email messages

Filtering email message attachments

Exporting and importing extensions for attachment filtering

Scanning emails in Microsoft Office Outlook

Page top

[Topic 128208]

Enabling and disabling Mail Threat Protection

By default, the Mail Threat Protection component is enabled and runs in the mode recommended by Kaspersky experts. For Mail Threat Protection, Kaspersky Endpoint Security can apply different groups of settings. These groups of settings saved in the application are called security levels: High, Recommended, Low. The Recommended mail security level settings are considered to be the optimal settings recommended by Kaspersky experts (see the table below). You can select one of the pre-installed email security levels or configure a custom email security level. If you have changed the email security level settings, you can always revert to the recommended email security level settings.

To enable or disable the Mail Threat Protection component:

In the lower part of the main application window, click the button.
In the application settings window, select Protection → Essential Threat Protection → Mail Threat Protection.
Use the Mail Threat Protection toggle to enable or disable the component.
If you enabled the component, do one of the following in the Security level section:
- If you want to apply one of the preset security levels, select it with the slider:
  - High. When this email security level is selected, the Mail Threat Protection component scans email messages most thoroughly. The Mail Threat Protection component scans incoming and outgoing email messages, and performs deep heuristic analysis. The High mail security level is recommended for high-risk environments. An example of such an environment is a connection to a free email service from a home network that is not guarded by centralized email protection.
  - Recommended. The email security level that provides the optimal balance between the performance of Kaspersky Endpoint Security and email security. The Mail Threat Protection component scans incoming and outgoing email messages, and performs medium-level heuristic analysis. This mail traffic security level is recommended by Kaspersky specialists. The values of settings for the recommended security level are provided in the table below.
  - Low. When this email security level is selected, the Mail Threat Protection component only scans incoming email messages, performs light heuristic analysis, and does not scan archives that are attached to email messages. At this mail security level, the Mail Threat Protection component scans email messages at maximum speed and uses a minimum of operating system resources. The Low mail security level is recommended for use in a well-protected environment. An example of such an environment might be an enterprise LAN with centralized email security.
- If you want to configure a custom security level, click the Advanced settings button and define your own component settings.
  You can restore the values of preset security levels by clicking the Restore recommended security level button in the upper part of the window.

Save your changes.

Mail Threat Protection settings recommended by Kaspersky experts (recommended security level)

Parameter	Value	Description
Protection scope	Incoming and outgoing messages	The Protection scope includes objects that the component checks when it is run: Incoming and outgoing messages or Incoming messages only. In order to protect your computers, you need only scan incoming messages. You can turn on scanning for outgoing messages to prevent infected files from being sent in archives. You can also turn on the scanning of outgoing messages if you want to prevent files in particular formats from being sent, such as audio and video files, for example.
Connect Microsoft Outlook extension	Enabled	If the check box is selected, scanning of email messages transmitted via the POP3, SMTP, NNTP, IMAP protocols is enabled on the side of the extension integrated into Microsoft Outlook. If mail is scanned using the extension for Microsoft Outlook, it is recommended to use Cached Exchange Mode. For more detailed information about Cached Exchange Mode and recommendations on its use, refer to the Microsoft Knowledge Base.
Scan attached archives	Enabled	Scans archives in the following formats: RAR, ARJ, ZIP, CAB, LHA, JAR, and ICE.
Scan attached Office formats	Enabled	Scans Microsoft Office files (DOC, DOCX, XLS, PPT and other Microsoft extensions). Office format files include OLE objects as well.
Attachment filter	Rename attachments of selected types	If this option is selected, the Mail Threat Protection component will replace the last extension character found in the attached files of the specified types with the underscore character (for example, attachment.doc_). Thus, in order to open the file, the user must rename the file.
Heuristic Analysis	Medium scan	The technology was developed for detecting threats that cannot be detected by using the current version of Kaspersky application databases. It detects files that may be infected with an unknown virus or a new variety of a known virus. When scanning files for malicious code, the heuristic analyzer executes instructions in the executable files. The number of instructions that are executed by the heuristic analyzer depends on the level that is specified for the heuristic analyzer. The heuristic analysis level ensures a balance between the thoroughness of searching for new threats, the load on the resources of the operating system, and the duration of heuristic analysis.
Action on threat detection	Disinfect, if not possible – delete	When an infected object is detected in an inbound or outbound message, Kaspersky Endpoint Security attempts to disinfect the detected object. The user will be able to access the message with a safe attachment. If the object cannot be disinfected, Kaspersky Endpoint Security deletes the infected object. Kaspersky Endpoint Security adds information about the performed action to the message subject: `[Infected object was deleted] <message subject>`.

Page top

[Topic 129850]

Changing the action to take on infected email messages

By default, the Mail Threat Protection component automatically attempts to disinfect all infected email messages that are detected. If disinfection fails, the Mail Threat Protection component deletes the infected email messages.

To change the action to take on infected email messages:

In the lower part of the main application window, click the button.
In the application settings window, select Protection → Essential Threat Protection → Mail Threat Protection.
In the Action on threat detection section, select the action for Kaspersky Endpoint Security to perform when an infected message is detected:
- Disinfect; delete if disinfection fails. When an infected object is detected in an inbound or outbound message, Kaspersky Endpoint Security attempts to disinfect the detected object. The user will be able to access the message with a safe attachment. If the object cannot be disinfected, Kaspersky Endpoint Security deletes the infected object. Kaspersky Endpoint Security adds information about the performed action to the message subject: [Infected object was deleted] <message subject>.
- Disinfect; block if disinfection fails. When an infected object is detected in an inbound message, Kaspersky Endpoint Security attempts to disinfect the detected object. The user will be able to access the message with a safe attachment. If the object cannot be disinfected, Kaspersky Endpoint Security adds a warning to the message subject: [Message infected] <message subject>. The user will be able to access the message with the original attachment. When an infected object is detected in an outbound message, Kaspersky Endpoint Security attempts to disinfect the detected object. If the object cannot be disinfected, Kaspersky Endpoint Security blocks transmission of the message, and the mail client shows an error.
- Block. If an infected object is detected in an inbound message, Kaspersky Endpoint Security adds a warning to the message subject: [Message infected] <message subject>. The user will be able to access the message with the original attachment. If an infected object is detected in an outbound message, Kaspersky Endpoint Security blocks transmission of the message, and the mail client shows an error.
Save your changes.

Page top

[Topic 128357]

Forming the protection scope of the Mail Threat Protection component

Protection scope refers to the objects that are scanned by the component when it is active. The protection scopes of different components have different properties. The properties of the protection scope of the Mail Threat Protection component include the settings for integrating the Mail Threat Protection component into mail clients, and the type of email messages and email protocols whose traffic is scanned by the Mail Threat Protection component. By default, Kaspersky Endpoint Security scans both incoming and outgoing email messages and traffic of the POP3, SMTP, NNTP, and IMAP protocols, and is integrated into the Microsoft Office Outlook mail client.

To form the protection scope of the Mail Threat Protection component:

In the lower part of the main application window, click the button.
In the application settings window, select Protection → Essential Threat Protection → Mail Threat Protection.
Click the Advanced settings button.
In the Protection scope block, select the messages to scan:
- Incoming and outgoing messages.
- Incoming messages only.
In order to protect your computers, you need only scan incoming messages. You can turn on scanning for outgoing messages to prevent infected files from being sent in archives. You can also turn on the scanning of outgoing messages if you want to prevent files in particular formats from being sent, such as audio and video files, for example.

If you choose to scan only incoming messages, it is recommended that you perform a one-time scan of all outgoing messages because there is a chance that your computer has email worms that are being spread over email. This helps to avoid problems resulting from unmonitored mass emailing of infected messages from your computer.
In the Connectivity section, do the following:
- If you want the Mail Threat Protection component to scan messages that are transmitted via the POP3, SMTP, NNTP and IMAP protocols before they arrive on the user's computer, select the Scan POP3 / SMTP / NNTP / IMAP traffic check box.
  If you do not want the Mail Threat Protection component to scan messages that are transmitted via the POP3, SMTP, NNTP and IMAP protocols before they arrive on the user's computer, clear the Scan POP3 / SMTP / NNTP / IMAP traffic check box. In this case, messages are scanned by the Mail Threat Protection extension embedded in the Microsoft Office Outlook mail client after they are received on the user computer if the Connect Microsoft Outlook extension check box is selected.
  
  If you use a mail client other than Microsoft Office Outlook, messages that are transmitted via the POP3, SMTP, NNTP and IMAP protocols are not scanned by the Mail Threat Protection component if the Scan POP3 / SMTP / NNTP / IMAP traffic check box is cleared.
- If you want to allow access to Mail Threat Protection component settings from Microsoft Office Outlook and enable scanning of messages that are transmitted via the POP3, SMTP, NNTP, IMAP, and MAPI protocols after they arrive on the computer using the extension that is embedded into Microsoft Office Outlook, select the Connect Microsoft Outlook extension check box.
  If you want to block access to Mail Threat Protection component settings from Microsoft Office Outlook and disable scanning of messages that are transmitted via the POP3, SMTP, NNTP, IMAP, and MAPI protocols after they arrive on the computer using the extension that is embedded into Microsoft Office Outlook, clear the Connect Microsoft Outlook extension check box.
  
  The Mail Threat Protection extension is embedded in the Microsoft Office Outlook mail client during installation of Kaspersky Endpoint Security.
Save your changes.

Page top

[Topic 128886]

Scanning compound files attached to email messages

You can enable or disable scanning of message attachments, limit the maximum size of message attachments to be scanned, and limit the maximum message attachment scan duration.

To configure scanning of compound files attached to email messages:

In the lower part of the main application window, click the button.
In the application settings window, select Protection → Essential Threat Protection → Mail Threat Protection.
Click the Advanced settings button.
In the Scan of compound files section, configure the scan settings:
- Scan attached files of Microsoft Office formats. Scans Microsoft Office files (DOC, DOCX, XLS, PPT and other Microsoft extensions). Office format files include OLE objects as well.
- Scan attached archives. Scans archives in the following formats: RAR, ARJ, ZIP, CAB, LHA, JAR, and ICE.
- Do not scan archives larger than N MB. If this check box is selected, the Mail Threat Protection component excludes archives attached to email messages from scanning if their size exceeds the specified value. If the check box is cleared, the Mail Threat Protection component scans email attachment archives of any size.
- Limit archive scan time to N seconds. If the check box is selected, the time that is allocated for scanning archives attached to email messages is limited to the specified period.
Save your changes.

Page top

[Topic 128353]

Filtering email message attachments

The attachment filtering functionality is not applied to outgoing email messages.

Malicious applications can be distributed in the form of attachments in email messages. You can configure filtering based on the type of message attachments so that files of the specified types are automatically renamed or deleted. By renaming an attachment of a certain type, Kaspersky Endpoint Security can protect your computer against automatic execution of a malicious application.

To configure filtering of attachments:

In the lower part of the main application window, click the button.
In the application settings window, select Protection → Essential Threat Protection → Mail Threat Protection.
Click the Advanced settings button.
In the Attachment filter section, do one of the following:
- If you do not want the Mail Threat Protection component to filter message attachments, select the Disable filtering option.
- If you want the Mail Threat Protection component to rename message attachments of the specified types, select the Rename attachments of selected types option.
- If you want the Mail Threat Protection component to delete message attachments of the specified file types, select the Delete attachments of selected types option.
If you selected the Rename attachments of selected types option or the Delete attachments of selected types option during the previous step, select the check boxes opposite the relevant types of files.
Save your changes.

Page top

[Topic 202315]

Exporting and importing extensions for attachment filtering

You can export the list of attachment filter extensions to an XML file. You can use the export/import function to back up the list of extensions or to migrate the list to a different server.

How to export and import a list of attachment filter extensions in the Administration Console (MMC)

Open the Kaspersky Security Center Administration Console.
In the Managed devices folder in the Administration Console tree, open the folder with the name of the administration group to which the relevant client computers belong.
In the workspace, select the Policies tab.
Select the necessary policy and double-click to open the policy properties.
In the policy window, select Essential Threat Protection → Mail Threat Protection.
In the Security level section, click the Settings button.
In the opened window, select the Attachment filter tab.
To export the list of extensions:
1. Select the extensions that you want to export. To select multiple ports, use the CTRL or SHIFT keys.
2. Click the Export link.
3. In the window that opens, specify the name of the XML file to which you want to export the list of extensions, and select the folder in which you want to save this file.
4. Click the Save button.
  Kaspersky Endpoint Security exports the entire list of extensions to the XML file.
To import the list of extensions:
1. Click the Import link.
2. In the window that opens, select the XML file from which you want to import the list of extensions.
3. Click the Open button.
  If the computer already has a list of extensions, Kaspersky Endpoint Security will prompt you to delete the existing list or add new entries to it from the XML file.
Save your changes.

How to export and import a list of attachment filter extensions in the Web Console and Cloud Console

In the main window of Web Console, select Devices → Policies and profiles.
Click the name of the Kaspersky Endpoint Security policy for computers on which you want to export or import a list of exclusions.
The policy properties window opens.
Select the Application settings tab.
Select Essential Threat Protection → Mail Threat Protection.
To export the list of extensions in the Attachment filter block:
1. Select the extensions that you want to export.
2. Click the Export link.
3. In the window that opens, specify the name of the XML file to which you want to export the list of extensions, and select the folder in which you want to save this file.
4. Click the Save button.
  Kaspersky Endpoint Security exports the entire list of extensions to the XML file.
To import a list of extensions in the Attachment filter block:
1. Click the Import link.
2. In the window that opens, select the XML file from which you want to import the list of extensions.
3. Click the Open button.
  If the computer already has a list of extensions, Kaspersky Endpoint Security will prompt you to delete the existing list or add new entries to it from the XML file.
Save your changes.

Page top

[Topic 128015]

Scanning emails in Microsoft Office Outlook

During installation of Kaspersky Endpoint Security, the Mail Threat Protection extension is embedded into Microsoft Office Outlook (hereinafter also referred to as Outlook). It allows you to open the Mail Threat Protection component settings from within Outlook, and to specify when email messages are to be scanned for viruses and other threats. The Mail Threat Protection extension for Outlook can scan incoming and outgoing messages that are transmitted via the POP3, SMTP, NNTP, IMAP, and MAPI protocols. Kaspersky Endpoint Security also supports working with other email clients (including Microsoft Outlook Express, Windows Mail, and Mozilla Thunderbird).

The Mail Threat Protection extension supports operations with Outlook 2010, 2013, 2016, and 2019.

When working with the Mozilla Thunderbird mail client, the Mail Threat Protection component does not scan messages that are transmitted via the IMAP protocol for viruses and other threats if filters are used to move messages from the Inbox folder.

In Outlook, incoming messages are first scanned by the Mail Threat Protection component (if the Scan POP3, SMTP, NNTP, and IMAP traffic check box is selected in the interface of Kaspersky Endpoint Security) and then by the Mail Threat Protection extension for Outlook. If the Mail Threat Protection component detects a malicious object in a message, it notifies you about this event.

The Mail Threat Protection component settings can be configured directly in Outlook if the Microsoft Outlook extension is connected in the Kaspersky Endpoint Security interface.

Outgoing messages are first scanned by the Mail Threat Protection extension for Outlook, and are then scanned by the Mail Threat Protection component.

If mail is scanned using the Mail Threat Protection extension for Outlook, it is recommended to use Cached Exchange Mode. For more detailed information about Cached Exchange Mode and recommendations on its use, refer to the Microsoft Knowledge Base.

To configure the operating mode of the Mail Threat Protection extension for Outlook using Kaspersky Security Center:

Open the Kaspersky Security Center Administration Console.
In the Managed devices folder in the Administration Console tree, open the folder with the name of the administration group to which the relevant client computers belong.
In the workspace, select the Policies tab.
Select the necessary policy and double-click to open the policy properties.
In the policy window, select Essential Threat Protection → Mail Threat Protection.
In the Security level section, click the Settings button.
The Mail Threat Protection window opens.
In the Connectivity section, click the Settings button.
In the Email protection window:
- Select the Scan when receiving check box if you want the Mail Threat Protection extension for Outlook to scan incoming messages as they arrive to the mailbox.
- Select the Scan when reading check box if you want the Mail Threat Protection extension for Outlook to scan incoming messages when the user opens them.
- Select the Scan when sending check box if you want the Mail Threat Protection extension for Outlook to scan outgoing messages as they are sent.
Save your changes.

Page top

[Topic 34430]

Network Threat Protection

The Network Threat Protection component scans inbound network traffic for activity that is typical of network attacks. When Kaspersky Endpoint Security detects an attempted network attack on the user's computer, it blocks the network connection with the attacking computer.

Descriptions of currently known types of network attacks and ways to counteract them are provided in Kaspersky Endpoint Security databases. The list of network attacks that the Network Threat Protection component detects is updated during database and application module updates.

In this section

Enabling and disabling Network Threat Protection

Blocking an attacking computer

Configuring addresses of exclusions from blocking

Exporting and importing the list of exclusions from blocking

Configuring protection against network attacks by type

Page top

[Topic 128211]

Enabling and disabling Network Threat Protection

By default, Network Threat Protection is enabled and running in the optimal mode. You can disable Network Threat Protection if necessary.

To enable or disable Network Threat Protection:

In the lower part of the main application window, click the button.
In the application settings window, select Protection → Network Threat Protection.
Use the Network Threat Protection toggle to enable or disable the component.
Save your changes.

As a result, if Network Threat Protection is enabled, Kaspersky Endpoint Security scans inbound network traffic for activity that is typical of network attacks. When Kaspersky Endpoint Security detects an attempted network attack on the user's computer, it blocks the network connection with the attacking computer.

Page top

[Topic 133746]

Blocking an attacking computer

To block an attacking computer:

In the lower part of the main application window, click the button.
In the application settings window, select Protection → Network Threat Protection.
Select the Add the attacking computer to the list of blocked computers for N minutes check box.
If the check box is selected, the Network Threat Protection component adds the attacking computer to the blocked list. This means that the Network Threat Protection component blocks the network connection with the attacking computer after the first network attack attempt for the specified amount of time. This block automatically protects the user's computer against possible future network attacks from the same address.

You can view the block list in the Network Monitor tool window.

Kaspersky Endpoint Security clears the block list when the application is restarted and when the Network Threat Protection settings are changed.
Change the amount of time during which an attacking computer is blocked in the field next to the Add the attacking computer to the list of blocked computers for N minutes check box.
Save your changes.

As a result, when Kaspersky Endpoint Security detects an attempted network attack launched against the user's computer, it will block all connections with the attacking computer.

Page top

[Topic 130879]

Configuring addresses of exclusions from blocking

Kaspersky Endpoint Security can recognize a network attack and block an unsecured network connection that is transmitting a large number of packets (for example, from surveillance cameras). To work with trusted devices, you can add the IP addresses of these devices to the list of exclusions.

To configure addresses of exclusions from blocking:

In the lower part of the main application window, click the button.
In the application settings window, select Protection → Network Threat Protection.
Click the Manage exclusions link.
In the window, click the Add button.
Enter the IP address of the computer from which network attacks must not be blocked.
Save your changes.

As a result, Kaspersky Endpoint Security does not track the activity from devices on the list of exclusions.

Page top

[Topic 202434]

Exporting and importing the list of exclusions from blocking

You can export the list of exclusions to an XML file. Then you can modify the file to, for example, add a large number of addresses of the same type. You can also use the export/import function to back up the list of exclusions or to migrate the list to a different server.

How to export and import a list of exclusions in the Administration Console (MMC)

Open the Kaspersky Security Center Administration Console.
In the Managed devices folder in the Administration Console tree, open the folder with the name of the administration group to which the relevant client computers belong.
In the workspace, select the Policies tab.
Select the necessary policy and double-click to open the policy properties.
In the policy window, select Essential Threat Protection → Network Threat Protection.
In the Network Threat Protection settings block, click the Exclusions button.
To export the list of rules:
1. Select the exclusions that you want to export. To select multiple ports, use the CTRL or SHIFT keys.
  If you did not select any exclusion, Kaspersky Endpoint Security will export all exclusions.
2. Click the Export link.
3. In the window that opens, specify the name of the XML file to which you want to export the list of exclusions, and select the folder in which you want to save this file.
4. Click the Save button.
  Kaspersky Endpoint Security exports the entire list of exclusions to the XML file.
To import the list of exclusions:
1. Click the Import button.
2. In the window that opens, select the XML file from which you want to import the list of exclusions.
3. Click the Open button.
  If the computer already has a list of exclusions, Kaspersky Endpoint Security will prompt you to delete the existing list or add new entries to it from the XML file.
Save your changes.

How to export and import a list of exclusions in the Web Console and Cloud Console

In the main window of Web Console, select Devices → Policies and profiles.
Click the name of the Kaspersky Endpoint Security policy for computers on which you want to export or import a list of exclusions.
The policy properties window opens.
Select the Application settings tab.
Select Essential Threat Protection → Network Threat Protection.
In the Network Threat Protection settings block, click the Exclusions link.
The list of exclusions opens.
To export the list of rules:
1. Select the exclusions that you want to export.
2. Click the Export button.
3. Confirm that you want to export only the selected exclusions, or export the entire list of exclusions.
4. In the window that opens, specify the name of the XML file to which you want to export the list of exclusions, and select the folder in which you want to save this file.
5. Click the Save button.
  Kaspersky Endpoint Security exports the entire list of exclusions to the XML file.
To import the list of exclusions:
1. Click the Import button.
2. In the window that opens, select the XML file from which you want to import the list of exclusions.
3. Click the Open button.
  If the computer already has a list of exclusions, Kaspersky Endpoint Security will prompt you to delete the existing list or add new entries to it from the XML file.
Save your changes.

Page top

[Topic 174954]

Configuring protection against network attacks by type

Kaspersky Endpoint Security lets you manage protection against the following types of network attacks:

Network Flooding is an attack on network resources of an organization (such as web servers). This attack consists of sending a large number of requests to overload the bandwidth of network resources. When this happens, users are unable to access the network resources of the organization.
A Port Scanning attack consists of scanning UDP ports, TCP ports, and network services on the computer. This attack allows the attacker to identify the degree of vulnerability of the computer before conducting more dangerous types of network attacks. Port Scanning also enables the attacker to identify the operating system on the computer and select the appropriate network attacks for this operating system.
A MAC spoofing attack consists of changing the MAC address of a network device (network card). As a result, an attacker can redirect data sent to a device to another device and gain access to this data. Kaspersky Endpoint Security lets you block MAC Spoofing attacks and receive notifications about the attacks.

You can disable detection of these types of attacks in case some of your allowed applications perform operations that are typical for these types of attacks. This will help avoid false alarms.

By default, Kaspersky Endpoint Security does not monitor Network Flooding, Port Scanning, and MAC spoofing attacks.

To configure protection against network attacks by type:

In the lower part of the main application window, click the button.
In the application settings window, select Protection → Network Threat Protection.
Use the toggle Treat port scanning and network flooding as attacks to enable or disable detection of these attacks.
Use the MAC Spoofing Protection toggle.
In the Upon detection of MAC spoofing attack block, select one of the following options:
- Notify only.
- Notify and block.
Save your changes.

Page top

[Topic 43497]

Firewall

The Firewall blocks unauthorized connections to the computer while working on the Internet or local network. The Firewall also controls the network activity of applications on the computer. This allows you to protect your corporate LAN from identity theft and other attacks. The component provides computer protection with the help of anti-virus databases, the Kaspersky Security Network cloud service, and predefined network rules.

Network Agent is used for interaction with Kaspersky Security Center. Firewall automatically creates network rules required for the application and the Network Agent to work. As a result, the Firewall opens several ports on the computer. Which ports are opened depends on computer's role (for example, distribution point). To learn more about the ports that will be opened on the computer, see Kaspersky Security Center Help.

Network rules

You can configure network rules at the following levels:

Network packet rules. Network packet rules impose restrictions on network packets, regardless of the application. Such rules restrict inbound and outbound network traffic through specific ports of the selected data protocol. Kaspersky Endpoint Security has predefined network packet rules with permissions recommended by Kaspersky experts.
Application network rules. Application network rules impose restrictions on the network activity of a specific application. They factor in not only the characteristics of the network packet, but also the specific application to which this network packet is addressed or which issued this network packet.

Controlled access of applications to operating system resources, processes and personal data is provided by the Host Intrusion Prevention component by using application rights.

During the first startup of the application, the Firewall performs the following actions:

Checks the security of the application using downloaded anti-virus databases.
Checks the security of the application in Kaspersky Security Network.
You are advised to participate in Kaspersky Security Network to help the Firewall work more effectively.
Puts the application in one of the trust groups: Trusted, Low Restricted, High Restricted, Untrusted.
A trust group defines the rights that Kaspersky Endpoint Security refers to when controlling application activity. Kaspersky Endpoint Security places an application in a trust group depending on the level of danger that this application may pose to the computer.

Kaspersky Endpoint Security places an application in a trust group for the Firewall and Host Intrusion Prevention components. You cannot change the trust group only for the Firewall or Host Intrusion Prevention.

If you refused to participate in KSN or there is no network, Kaspersky Endpoint Security places the application in a trust group depending on the settings of the Host Intrusion Prevention component. After receiving the reputation of the application from KSN, the trust group can be changed automatically.
It blocks network activity of the application depending on the trust group. For example, applications in the High Restricted trust group are not allowed to use any network connections.

The next time the application is started, Kaspersky Endpoint Security checks the integrity of the application. If the application is unchanged, the component uses the current network rules for it. If the application has been modified, Kaspersky Endpoint Security analyzes the application as if it were being started for the first time.

Network Rule Priorities

Each rule has a priority. The higher a rule is on the list, the higher its priority. If network activity is added to several rules, the Firewall regulates network activity according to the rule with the highest priority.

Network packet rules have a higher priority than network rules for applications. If both network packet rules and network rules for applications are specified for the same type of network activity, the network activity is handled according to the network packet rules.

Network rules for applications work as follows: a network rule for applications includes access rules based on the network status: public, local, or trusted. For example, applications in the High Restricted trust group are not allowed any network activity in networks of all statuses by default. If a network rule is specified for an individual application (parent application), then the child processes of other applications will run according to the network rule of the parent application. If there is no network rule for the application, the child processes will run according to network access rule of the application's trust group.

For example, you have prohibited any network activity in networks of all statuses for all applications, except browser X. If you start browser Y installation (child process) from browser X (parent application), then browser Y installer will access the network and download the necessary files. After installation, browser Y will be denied any network connections according to the Firewall settings. To prohibit network activity of browser Y installer as a child process, you must add a network rule for the installer of browser Y.

Network connection statuses

The Firewall allows you to control network activity depending on the status of the network connection. Kaspersky Endpoint Security receives the network connection status from the computer's operating system. The status of the network connection in the operating system is set by the user when setting up the connection. You can change the status of the network connection in the Kaspersky Endpoint Security settings. The Firewall will monitor network activity depending on the network status in the Kaspersky Endpoint Security settings, and not in the operating system.

The network connection can have one of the following status types:

Public network. The network is not protected by antivirus applications, firewalls, or filters (such as Wi-Fi in a cafe). When the user operates a computer that is connected to such a network, Firewall blocks access to files and printers of this computer. External users are also unable to access data through shared folders and remote access to the desktop of this computer. Firewall filters the network activity of each application according to the network rules that are set for it.
Firewall assigns Public network status to the Internet by default. You cannot change the status of the Internet.
Local network. Network for users with restricted access to files and printers on this computer (such as for a corporate LAN or home network).
Trusted network. Safe network in which the computer is not exposed to attacks or unauthorized data access attempts. Firewall permits any network activity within networks with this status.

In this section

Enabling or disabling Firewall

Changing the network connection status

Managing network packet rules

Managing application network rules

Network Monitor

Page top

[Topic 128210]

Enabling or disabling Firewall

By default, Firewall is enabled and functions in the optimal mode.

To enable or disable Firewall:

In the lower part of the main application window, click the button.
In the application settings window, select Protection → Essential Threat Protection → Firewall.
Use the Firewall toggle to enable or disable the component.
Save your changes.

Page top

[Topic 133742]

Changing the network connection status

Firewall assigns Public network status to the Internet by default. You cannot change the status of the Internet.

To change the network connection status:

In the lower part of the main application window, click the button.
In the application settings window, select Protection → Essential Threat Protection → Firewall.
Click the Available networks button.
Select the network connection whose status you want to change.
In the Network type column, select the status of the network connection:
- Public network. The network is not protected by antivirus applications, firewalls, or filters (such as Wi-Fi in a cafe). When the user operates a computer that is connected to such a network, Firewall blocks access to files and printers of this computer. External users are also unable to access data through shared folders and remote access to the desktop of this computer. Firewall filters the network activity of each application according to the network rules that are set for it.
- Local network. Network for users with restricted access to files and printers on this computer (such as for a corporate LAN or home network).
- Trusted network. Safe network in which the computer is not exposed to attacks or unauthorized data access attempts. Firewall permits any network activity within networks with this status.
Save your changes.

Page top

[Topic 44428]

Managing network packet rules

You can perform the following actions while managing network packet rules:

Create a new network packet rule.
You can create a new network packet rule by creating a set of conditions and actions that is applied to network packets and data streams.
Enable or disable a network packet rule.
All network packet rules that are created by Firewall by default have Enabled status. When a network packet rule is enabled, Firewall applies this rule.

You can disable any network packet rule that is selected in the list of network packet rules. When a network packet rule is disabled, Firewall temporarily does not apply this rule.

A new custom network packet rule is added to the list of network packet rules by default with Enabled status.
Edit the settings of an existing network packet rule.
After you create a new network packet rule, you can always return to editing its settings and modify them as needed.
Change the Firewall action for a network packet rule.
In the list of network packet rules, you can edit the action that is taken by Firewall on detecting network activity that matches a specific network packet rule.
Change the priority of a network packet rule.
You can raise or lower the priority of a network packet rule that is selected in the list.
Remove a network packet rule.
You can remove a network packet rule to stop Firewall from applying this rule on detecting network activity and to stop this rule from showing in the list of network packet rules with Disabled status.

In this section

Creating a network packet rule

Enabling or disabling a network packet rule

Changing the Firewall action for a network packet rule

Changing the priority of a network packet rule

Exporting and importing network packet rules

Page top

[Topic 123451]

Creating a network packet rule

You can create a network packet rule in the following ways:

Use the Network Monitor tool.
Network Monitor is a tool designed for viewing information about the network activity of a user's computer in real time. This is convenient because you do not need to configure all the rule settings. Some Firewall settings will be inserted automatically from Network Monitor data. Network Monitor is available only in the application interface.
Configure the Firewall settings.
This lets you fine-tune the Firewall settings. You can create rules for any network activity, even if there is no network activity at the current time.

When creating network packet rules, remember that they have priority over network rules for applications.

How to use the Network Monitor tool to create a network packet rule in the application interface

In the main application window, click More Tools → Network Monitor.
Select the Network activity tab.
The Network activity tab shows all currently active network connections with the computer. Both outbound and inbound network connections are displayed.
In the context menu of a network connection, select Create packet rule.
This opens the network rule properties.
Set the Active status for the packet rule.
Manually enter the name of the network service in the Name field.
Configure the network rule settings (see the table below).
You can select a predefined rule template by clicking the Network rule template link. Rule templates describe the most frequently used network connections.

All network rule settings will be filled in automatically.
If you want the actions of the network rule to be reflected in the report, select the Log events check box.
Click the Save button.
The new network rule will be added to the list.
Use the Up / Down buttons to set the priority of the network rule.
Save your changes.

How to use Firewall settings to create a network packet rule in the application interface

In the lower part of the main application window, click the button.
In the application settings window, select Protection → Essential Threat Protection → Firewall.
Click the Packet rules button.
This opens the list of default network rules that are set by the Firewall.
Click the Add button.
This opens the network rule properties.
Set the Active status for the packet rule.
Manually enter the name of the network service in the Name field.
Configure the network rule settings (see the table below).
You can select a predefined rule template by clicking the Network rule template link. Rule templates describe the most frequently used network connections.

All network rule settings will be filled in automatically.
If you want the actions of the network rule to be reflected in the report, select the Log events check box.
Click the Save button.
The new network rule will be added to the list.
Use the Up / Down buttons to set the priority of the network rule.
Save your changes.

How to create a network packet rule in the Administration Console (MMC)

Open the Kaspersky Security Center Administration Console.
In the Managed devices folder in the Administration Console tree, open the folder with the name of the administration group to which the relevant client computers belong.
In the workspace, select the Policies tab.
Select the necessary policy and double-click to open the policy properties.
In the policy window, select Essential Threat Protection → Firewall.
In the Firewall settings block, click the Settings button.
This opens the list of network packet rules and the list of application network rules.
Select the Network packet rules tab.
This opens the list of default network rules that are set by the Firewall.
Click the Add button.
This opens the packet rule properties.
Manually enter the name of the network service in the Name field.
Configure the network rule settings (see the table below).
You can select a predefined rule template by clicking the button. Rule templates describe the most frequently used network connections.

All network rule settings will be filled in automatically.
If you want the actions of the network rule to be reflected in the report, select the Log events check box.
Click the Save button.
The new network rule will be added to the list.
Use the Up / Down buttons to set the priority of the network rule.
Save your changes.

The Firewall will control network packets according to the rule. You can disable a packet rule from Firewall operation without deleting it from the list. To do so, clear the check box next to the object.

How to create a network packet rule in the Web Console and Cloud Console

In the main window of Web Console, select Devices → Policies and profiles.
Click the name of the Kaspersky Endpoint Security policy.
The policy properties window opens.
Select the Application settings tab.
Select Essential Threat Protection → Firewall.
In the Firewall settings block, click the Network packet rules link.
This opens the list of default network rules that are set by the Firewall.
Click the Add button.
This opens the packet rule properties.
Manually enter the name of the network service in the Name field.
Configure the network rule settings (see the table below).
You can select a predefined rule template by clicking the Select template link. Rule templates describe the most frequently used network connections.

All network rule settings will be filled in automatically.
If you want the actions of the network rule to be reflected in the report, select the Log events check box.
Click the Save button.
The new network rule will be added to the list.
Use the Up / Down buttons to set the priority of the network rule.
Save your changes.

The Firewall will control network packets according to the rule. You can disable a packet rule from Firewall operation without deleting it from the list. Use the toggle in the Status column to enable or disable the packet rule.

Network packet rule settings

Parameter	Description
Action	Allow. Block. By application rules. If this option is selected, Firewall applies the application network rules to the network connection.
Protocol	Control network activity over the selected protocol: TCP, UDP, ICMP, ICMPv6, IGMP and GRE. If ICMP or ICMPv6 is selected as the protocol, you can define the ICMP packet type and code. If TCP or UDP is selected as the protocol type, you can specify the comma-delimited port numbers of the local and remote computers between which the connection is to be monitored.
Direction	Inbound (packet). Firewall applies the network rule to all inbound network packets. Inbound. Firewall applies the network rule to all network packets sent via a connection that was initiated by a remote computer. Inbound / Outbound. Firewall applies the network rule to both inbound and outbound network packets, regardless of whether the user's computer or a remote computer initiated the network connection. Outbound (packet). Firewall applies the network rule to all outbound network packets. Outbound. Firewall applies the network rule to all network packets sent via a connection that was initiated by the user's computer. The TCP protocol establishes a connection. Use the Inbound, Outbound and Inbound/Outbound directions for TCP. All other protocols do not establish connections, but they send packets. For all other protocols, use the Inbound (packet), Outbound (packets) or Inbound/Outbound directions.
Network adapters	Network adapters that can send and/or receive network packets. Specifying the settings of network adapters makes it possible to differentiate between network packets sent or received by network adapters with identical IP addresses.
Time to live (TTL)	Restrict control of network packets based on their time to live (TTL).
Remote addresses	Network addresses of remote computers that can send and receive network packets. Firewall applies the network rule to the specified range of remote network addresses. You can include all IP addresses into a network rule, create a separate list of IP addresses, or select a subnetwork (Trusted networks, Local networks, Public networks).
Local addresses	Network addresses of computers that can send and receive network packets. Firewall applies a network rule to the specified range of local network addresses. You can include all IP addresses in a network rule or create a separate list of IP addresses. Sometimes the local address cannot be obtained for applications. If this is the case, this parameter is ignored.

Page top

[Topic 133743]

Enabling or disabling a network packet rule

To enable or disable a network packet rule:

In the lower part of the main application window, click the button.
In the application settings window, select Protection → Essential Threat Protection → Firewall.
Click the Packet rules button.
This opens a list of default network packet rules that are set by Firewall.
Select the necessary network packet rule in the list.
Use the toggle in the Status column to enable or disable the rule.
Save your changes.

Page top

[Topic 133744]

Changing the Firewall action for a network packet rule

To change the Firewall action that is applied to a network packet rule:

In the lower part of the main application window, click the button.
In the application settings window, select Protection → Essential Threat Protection → Firewall.
Click the Packet rules button.
This opens a list of default network packet rules that are set by Firewall.
Select it in the list of network packet rules and click the Edit button.
In the Action drop-down list, select the action to be performed by Firewall on detecting this kind of network activity:
- Allow.
- Block.
- By application rules.
Save your changes.

Page top

[Topic 133745]

Changing the priority of a network packet rule

The priority of a network packet rule is determined by its position in the list of network packet rules. The topmost network packet rule in the list of network packet rules has the highest priority.

Every manually created network packet rule is added to the end of the list of network packet rules and is of the lowest priority.

Firewall executes rules in the order in which they appear in the list of network packet rules, from top to bottom. According to each processed network packet rule that applies to a particular network connection, Firewall either allows or blocks network access to the address and port that are specified in the settings of this network connection.

To change the network packet rule priority:

In the lower part of the main application window, click the button.
In the application settings window, select Protection → Essential Threat Protection → Firewall.
Click the Packet rules button.
This opens a list of default network packet rules that are set by Firewall.
In the list, select the network packet rule whose priority you want to change.
Use the Up and Down buttons to move the network packet rule to the desired spot in the list of network packet rules.
Save your changes.

Page top

[Topic 202615]

Exporting and importing network packet rules

You can export the list of network packet rules to an XML file. Then you can modify the file to, for example, add a large number of rules of the same type. You can use the export/import function to back up the list of network packet rules or to migrate the list to a different server.

How to export and import a list of network packet rules in the Administration Console (MMC)

Open the Kaspersky Security Center Administration Console.
In the Managed devices folder in the Administration Console tree, open the folder with the name of the administration group to which the relevant client computers belong.
In the workspace, select the Policies tab.
Select the necessary policy and double-click to open the policy properties.
In the policy window, select Essential Threat Protection → Firewall.
To export the list of network packet rules:
1. Select the rules that you want to export. To select multiple ports, use the CTRL or SHIFT keys.
  If you did not select any rule, Kaspersky Endpoint Security will export all rules.
2. Click the Export link.
3. In the window that opens, specify the name of the XML file to which you want to export the list of rules, and select the folder in which you want to save this file.
4. Click the Save button.
  Kaspersky Endpoint Security exports the list of rules to the XML file.
To import a list of network packet rules:
1. Click the Import link.
  In the window that opens, select the XML file from which you want to import the list of rules.
2. Click the Open button.
  If the computer already has a list of rules, Kaspersky Endpoint Security will prompt you to delete the existing list or add new entries to it from the XML file.
Save your changes.

How to export and import a list of network packet rules in the Web Console and Cloud Console

In the main window of Web Console, select Devices → Policies and profiles.
Click the name of the Kaspersky Endpoint Security policy for computers on which you want to export or import the list of rules.
The policy properties window opens.
Select the Application settings tab.
Select Essential Threat Protection → Firewall.
Click the Network packet rules link.
To export the list of network packet rules:
1. Select the rules that you want to export.
2. Click the Export button.
3. Confirm that you want to export only the selected rules, or export the entire list.
4. Click the Export button.
  Kaspersky Endpoint Security exports the list of rules to an XML file in the default downloads folder.
To import a list of network packet rules:
1. Click the Import link.
  In the window that opens, select the XML file from which you want to import the list of rules.
2. Click the Open button.
  If the computer already has a list of rules, Kaspersky Endpoint Security will prompt you to delete the existing list or add new entries to it from the XML file.
Save your changes.

Page top

[Topic 128236]

Managing application network rules

By default, Kaspersky Endpoint Security groups all applications that are installed on the computer by the name of the vendor of the software whose file or network activity it monitors. Application groups are in turn categorized into trust groups. All applications and application groups inherit properties from their parent group: application control rules, application network rules, and their execution priority.

Like the Host Intrusion Prevention component, by default the Firewall component applies the network rules for an application group when filtering the network activity of all applications within the group. The application group network rules define the rights of applications within the group to access different network connections.

By default, Firewall creates a set of network rules for each application group that is detected by Kaspersky Endpoint Security on the computer. You can change the Firewall action that is applied to the application group network rules that are created by default. You cannot edit, remove, disable, or change the priority of application group network rules that are created by default.

You can also create a network rule for an individual application. Such a rule will have a higher priority than the network rule of the group to which the application belongs.

In this section

Creating an application network rule

Enabling and disabling an application network rule

Changing the Firewall action for an application network rule

Changing the priority of an application network rule

Page top

[Topic 123452]

Creating an application network rule

By default, application activity is controlled by network rules that are defined for the trust group to which Kaspersky Endpoint Security assigned the application when it started the first time. If necessary, you can create network rules for an entire trust group, for an individual application, or for a group of applications that are within a trust group.

Manually defined network rules have a higher priority than network rules that were determined for a trust group. In other words, if manually defined application rules differ from the application rules determined for a trust group, Firewall controls application activity according to the manually defined rules for applications.

By default, Firewall creates the following network rules for each application:

Any network activity in Trusted networks.
Any network activity in Local networks.
Any network activity in Public networks.

Kaspersky Endpoint Security controls the network activity of applications according to predefined network rules as follows:

Trusted and Low Restricted: all network activity is allowed.
High Restricted and Untrusted: all network activity is blocked.

Predefined application rules cannot be edited or deleted.

You can create an application network rule in the following ways:

Use the Network Monitor tool.
Network Monitor is a tool designed for viewing information about the network activity of a user's computer in real time. This is convenient because you do not need to configure all the rule settings. Some Firewall settings will be inserted automatically from Network Monitor data. Network Monitor is available only in the application interface.
Configure the Firewall settings.
This lets you fine-tune the Firewall settings. You can create rules for any network activity, even if there is no network activity at the current time.

When creating network rules for applications, remember that network packet rules have priority over application network rules.

How to use the Network Monitor tool to create an application network rule in the application interface

In the main application window, click More Tools → Network Monitor.
Select the Network activity or Open ports tab.
The Network activity tab shows all currently active network connections with the computer. Both outbound and inbound network connections are displayed.

The Open ports tab lists all open network ports of the computer.
In the context menu of a network connection, select Create application rule.
The application rules and properties window opens.
Select the Network rules tab.
This opens the list of default network rules that are set by the Firewall.
Click the Add button.
This opens the network rule properties.
Manually enter the name of the network service in the Name field.
Configure the network rule settings (see the table below).
You can select a predefined rule template by clicking the Network rule template link. Rule templates describe the most frequently used network connections.

All network rule settings will be filled in automatically.
If you want the actions of the network rule to be reflected in the report, select the Log events check box.
Click the Save button.
The new network rule will be added to the list.
Use the Up / Down buttons to set the priority of the network rule.
Save your changes.

How to use Firewall settings to create an application network rule in the application interface

In the lower part of the main application window, click the button.
In the application settings window, select Protection → Essential Threat Protection → Firewall.
Click the Application rules button.
This opens the list of default network rules that are set by the Firewall.
In the list of applications, select the application or application group for which you want to create a network rule.
Right-click to open the context menu and select Details and rules.
The application rules and properties window opens.
Select the Network rules tab.
Click the Add button.
This opens the network rule properties.
Manually enter the name of the network service in the Name field.
Configure the network rule settings (see the table below).
You can select a predefined rule template by clicking the Network rule template link. Rule templates describe the most frequently used network connections.

All network rule settings will be filled in automatically.
If you want the actions of the network rule to be reflected in the report, select the Log events check box.
Click the Save button.
The new network rule will be added to the list.
Use the Up / Down buttons to set the priority of the network rule.
Save your changes.

How to create an application network rule in the Administration Console (MMC)

Open the Kaspersky Security Center Administration Console.
In the Managed devices folder in the Administration Console tree, open the folder with the name of the administration group to which the relevant client computers belong.
In the workspace, select the Policies tab.
Select the necessary policy and double-click to open the policy properties.
In the policy window, select Essential Threat Protection → Firewall.
In the Firewall settings block, click the Settings button.
This opens the list of network packet rules and the list of application network rules.
Select the Application network rules tab.
Click the Add button.
In the opened window, enter criteria to search for the application for which you want to create a network rule.
You can enter the name of the application or the name of the vendor. Kaspersky Endpoint Security supports environment variables and the * and ? characters when entering a mask.
Click the Refresh button.
Kaspersky Endpoint Security will search for the application in the consolidated list of applications installed on managed computers. Kaspersky Endpoint Security will show a list of applications that satisfy your search criteria.
Select the necessary application.
In the Add selected applications to <trust group> group drop-down list, select Default groups and click OK.
The application will be added to the default group.
Select the relevant application and then select Application rights from the context menu of the application.
The application rules and properties window opens.
Select the Network rules tab.
This opens the list of default network rules that are set by the Firewall.
Click the Add button.
This opens the network rule properties.
Manually enter the name of the network service in the Name field.
Configure the network rule settings (see the table below).
You can select a predefined rule template by clicking the button. Rule templates describe the most frequently used network connections.

All network rule settings will be filled in automatically.
If you want the actions of the network rule to be reflected in the report, select the Log events check box.
Click the Save button.
The new network rule will be added to the list.
Use the Up / Down buttons to set the priority of the network rule.
Save your changes.

How to create an application network rule in the Web Console and Cloud Console

In the main window of Web Console, select Devices → Policies and profiles.
Click the name of the Kaspersky Endpoint Security policy.
The policy properties window opens.
Select the Application settings tab.
Select Essential Threat Protection → Firewall.
In the Firewall settings block, click the Application network rules link.
This opens the application rights configuration window and the list of protected resources.
Select the Application rights tab.
You will see a list of trust groups on the left side of the window and their properties on the right side.
Click the Add button.
This starts the Wizard for adding an application to a trust group.
Click the Selected target group link to select the relevant trust group for the application.
Select the Application type. Click the Next button.
If you want to create a network rule for multiple applications, select the Group type and define a name for the application group.
In the opened list of applications, select the applications for which you want to create a network rule.
Use a filter. You can enter the name of the application or the name of the vendor. Kaspersky Endpoint Security supports environment variables and the * and ? characters when entering a mask.
Finish the Wizard by clicking OK.
The application will be added to the trust group.
In the left part of the window, select the relevant application.
In the right part of the window, select Network rules from the drop-down list.
This opens the list of default network rules that are set by the Firewall.
Click the Add button.
This opens the application rule properties.
Manually enter the name of the network service in the Name field.
Configure the network rule settings (see the table below).
You can select a predefined rule template by clicking the Select template link. Rule templates describe the most frequently used network connections.

All network rule settings will be filled in automatically.
If you want the actions of the network rule to be reflected in the report, select the Log events check box.
Click the Save button.
The new network rule will be added to the list.
Use the Up / Down buttons to set the priority of the network rule.
Save your changes.

Application network rule settings

Parameter	Description
Action	Allow. Block.
Protocol	Control network activity over the selected protocol: TCP, UDP, ICMP, ICMPv6, IGMP and GRE. If ICMP or ICMPv6 is selected as the protocol, you can define the ICMP packet type and code. If TCP or UDP is selected as the protocol type, you can specify the comma-delimited port numbers of the local and remote computers between which the connection is to be monitored.
Direction	Inbound. Inbound / Outbound. Outbound.
Remote addresses	Network addresses of remote computers that can send and receive network packets. Firewall applies the network rule to the specified range of remote network addresses. You can include all IP addresses into a network rule, create a separate list of IP addresses, or select a subnetwork (Trusted networks, Local networks, Public networks).
Local addresses	Network addresses of computers that can send and receive network packets. Firewall applies a network rule to the specified range of local network addresses. You can include all IP addresses in a network rule or create a separate list of IP addresses. Sometimes the local address cannot be obtained for applications. If this is the case, this parameter is ignored.

Page top

[Topic 133631]

Enabling and disabling an application network rule

To enable or disable an application network rule:

In the lower part of the main application window, click the button.
In the application settings window, select Protection → Essential Threat Protection → Firewall.
Click the Application rules button.
This opens the list of application rules.
In the list of applications, select the application or group of applications for which you want to create or edit a network rule.
Right-click to open the context menu and select Details and rules.
The application rules and properties window opens.
Select the Network rules tab.
In the list of network rules for an application group, select the relevant network rule.
The network rule properties window opens.
Set the Active or Inactive status for the network rule.
You cannot disable an application group network rule that is created by Firewall by default.
Save your changes.

Page top

[Topic 133632]

Changing the Firewall action for an application network rule

You can change the Firewall action that is applied to all network rules for an application or application group that were created by default, and change the Firewall action for a single custom network rule for an application or application group.

To change the Firewall action for all network rules for an application or group of applications:

In the lower part of the main application window, click the button.
In the application settings window, select Protection → Essential Threat Protection → Firewall.
Click the Application rules button.
This opens the list of application rules.
If you want to change the Firewall action that is applied to all network rules that are created by default, select an application or group of applications in the list. Manually created network rules are left unchanged.
Right-click to open the context menu, select Network rules, then select the action that you want to assign:
- Inherit.
- Allow.
- Block.
Save your changes.

To change the Firewall response for one network rule for an application or application group:

In the lower part of the main application window, click the button.
In the application settings window, select Protection → Essential Threat Protection → Firewall.
Click the Application rules button.
This opens the list of application rules.
In the list, select the application or group of applications for which you want to change the action for one network rule.
Right-click to open the context menu and select Details and rules.
The application rules and properties window opens.
Select the Network rules tab.
Select the network rule for which you want to change the Firewall action.
In the Permission column, right-click to bring up the context menu and select the action that you want to assign:
- Inherit.
- Allow.
- Block.
- Log events.
Save your changes.

Page top

[Topic 133633]

Changing the priority of an application network rule

The priority of a network rule is determined by its position in the list of network rules. Firewall executes the rules in the order in which they appear in the list of network rules, from top to bottom. According to each processed network rule that applies to a particular network connection, Firewall either allows or blocks network access to the address and port that are indicated in the settings of this network connection.

Manually created network rules have a higher priority than default network rules.

You cannot change the priority of application group network rules that are created by default.

To change the priority of a network rule:

In the lower part of the main application window, click the button.
In the application settings window, select Protection → Essential Threat Protection → Firewall.
Click the Application rules button.
This opens the list of application rules.
In the list of applications, select the application or group of applications for which you want to change the priority of a network rule.
Right-click to open the context menu and select Details and rules.
The application rules and properties window opens.
Select the Network rules tab.
Select the network rule whose priority you want to change.
Use the Up and Down buttons to move the network rule to the desired spot in the list of network rules.
Save your changes.

Page top

[Topic 49629]

Network Monitor

Network Monitor is a tool designed for viewing information about the network activity of a user's computer in real time.

To start Network Monitor:

In the main application window, click More Tools → Network Monitor.

The Network Monitor window opens. In this window, information about the network activity of the computer is shown on four tabs:

The Network activity tab shows all currently active network connections with the computer. Both outbound and inbound network connections are displayed. On this tab, you can also create network packet rules for Firewall operation.
The Open ports tab lists all open network ports of the computer. On this tab, you can also create network packet rules and application rules for Firewall operation.
The Network traffic tab shows the volume of inbound and outbound network traffic between the user's computer and other computers in the network to which the user is currently connected.
The Blocked computers tab lists the IP addresses of remote computers whose network activity has been blocked by the Network Threat Protection component after detecting network attack attempts from such IP addresses.

Page top

[Topic 97193]

BadUSB Attack Prevention

Some viruses modify the firmware of USB devices to trick the operating system into detecting the USB device as a keyboard. As a result, the virus may execute commands under your user account to download malware, for example.

The BadUSB Attack Prevention component prevents infected USB devices emulating a keyboard from connecting to the computer.

When a USB device is connected to the computer and identified as a keyboard by the operating system, the application prompts the user to enter a numerical code generated by the application from this keyboard or using On-Screen Keyboard if available (see the figure below). This procedure is known as keyboard authorization.

If the code has been entered correctly, the application saves the identification parameters – VID/PID of the keyboard and the number of the port to which it has been connected – in the list of authorized keyboards. Authorization does not need to be repeated when the keyboard is reconnected or after the operating system is restarted.

When the authorized keyboard is connected to a different USB port of the computer, the application shows a prompt for authorization of this keyboard again.

If the numerical code has been entered incorrectly, the application generates a new code. Three attempts are available for entering the numerical code. If the numerical code is entered incorrectly three times in a row or the <Keyboard name> keyboard authorization window is closed, the application blocks input from this keyboard. When the keyboard is reconnected or the operating system is restarted, the application prompts the user to perform keyboard authorization again.

The application allows use of an authorized keyboard and blocks a keyboard that has not been authorized.

The BadUSB Attack Prevention component is not installed by default. If you need the BadUSB Attack Prevention component, you can add the component in the properties of the installation package before installing the application or change the available application components after installing the application.

loc_screen_KES11_BadUSB_authorization

Keyboard authorization

In this section

Enabling and disabling BadUSB Attack Prevention

Using On-Screen Keyboard for authorization of USB devices

Page top

[Topic 138434]

Enabling and disabling BadUSB Attack Prevention

USB devices identified by the operating system as keyboards and connected to the computer before installation of the BadUSB Attack Prevention component are considered authorized after installation of the component.

To enable or disable BadUSB Attack Prevention:

In the lower part of the main application window, click the button.
In the application settings window, select Protection → Essential Threat Protection → BadUSB Attack Prevention.
Use the BadUSB Attack Prevention toggle to enable or disable the component.
Save your changes.

As a result, if BadUSB Attack Prevention is enabled, Kaspersky Endpoint Security requires authorization of a connected USB device identified as a keyboard by the operating system. The user cannot use an unauthorized keyboard until it is authorized.

Page top

[Topic 134688]

Using On-Screen Keyboard for authorization of USB devices

On-Screen Keyboard should be used only for authorization of USB devices that do not support the input of random characters (e.g. bar code scanners). It is not recommended to use On-Screen Keyboard for authorization of unknown USB devices.

To allow or prohibit the use of On-Screen Keyboard for authorization:

In the lower part of the main application window, click the button.
In the application settings window, select Protection → Essential Threat Protection → BadUSB Attack Prevention.
Use the Prohibit use of On-Screen Keyboard for authorization of USB devices check box to block or allow use of the On-Screen Keyboard for authorization.
Save your changes.

Page top

[Topic 173854]

AMSI Protection

AMSI Protection component is intended to support Antimalware Scan Interface from Microsoft. The Antimalware Scan Interface (AMSI) allows third-party applications with AMSI support to send objects (for example, PowerShell scripts) to Kaspersky Endpoint Security for an additional scan and then receive the results from scanning these objects. Third-party applications may include, for example, Microsoft Office applications (see the figure below). For details on AMSI refer to Microsoft documentation.

The AMSI Protection can only detect a threat and notify a third-party application about the detected threat. Third-party application after receiving a notification of a threat does not allow to perform malicious actions (for example, terminates).

AMSI operation example

AMSI Protection component may decline a request from a third-party application, for example, if this application exceeds maximum number of requests within a specified interval. Kaspersky Endpoint Security sends information about a rejected request from a third-party application to the Administration Server. AMSI Protection component does not reject requests from those third-party applications for which the Do not block interaction with AMSI Protection Provider check box is selected

AMSI Protection is available for the following operating systems for workstations and servers:

Windows 10 Home / Pro / Pro for Workstations / Education / Enterprise;
Windows Server 2016 Essentials / Standard / Datacenter;
Windows Server 2019 Essentials / Standard / Datacenter.

In this section

Enabling and disabling the AMSI Protection

Using AMSI Protection to scan compound files

Page top

[Topic 174820]

Enabling and disabling the AMSI Protection

By default, the AMSI Protection is enabled.

To enable or disable the AMSI Protection:

In the lower part of the main application window, click the button.
In the application settings window, select Protection → Essential Threat Protection → AMSI Protection.
Use the AMSI Protection toggle to enable or disable the component.
Save your changes.

Page top

[Topic 174821]

Using AMSI Protection to scan compound files

A common technique for concealing viruses and other malware is to embed them in compound files such as archives. To detect viruses and other malware that are hidden in this way, the compound file must be unpacked, which may slow down scanning. You can limit the types of compound files to be scanned, thus speeding up scanning.

To configure AMSI Protection scans of compound files:

In the lower part of the main application window, click the button.
In the application settings window, select Protection → Essential Threat Protection → AMSI Protection.
In the Scan of compound files section, specify the types of compound files that you want to scan: archives, distribution package, or files in office formats.
In the Size limit section, do one of the following:
- To block the AMSI Protection component from unpacking large compound files, select the Do not unpack large compound files check box and specify the required value in the Maximum file size field. The AMSI Protection component will not unpack compound files that are larger than the specified size.
- To allow the AMSI Protection component to unpack large compound files, clear the Do not unpack large compound files check box.
The AMSI Protection component scans large files that are extracted from archives, regardless of whether the Do not unpack large compound files check box is selected.
Save your changes.

Page top

[Topic 151109]

Exploit Prevention

The Exploit Prevention component detects program code that takes advantage of vulnerabilities on the computer to exploit administrator privileges or to perform malicious activities. For example, exploits can utilize a buffer overflow attack. To do so, the exploit sends a large amount of data to a vulnerable application. When processing this data, the vulnerable application executes malicious code. As a result of this attack, the exploit can start an unauthorized installation of malware.

When there is an attempt to run an executable file from a vulnerable application that was not performed by the user, Kaspersky Endpoint Security blocks this file from running or notifies the user.

In this section

Enabling and disabling Exploit Prevention

Selecting an action to take when an exploit is detected

System processes memory protection

Page top

[Topic 151128]

Enabling and disabling Exploit Prevention

By default, Exploit Prevention is enabled and runs in the mode recommended by Kaspersky experts. You can disable Exploit Prevention if necessary.

To enable or disable Exploit Prevention:

In the lower part of the main application window, click the button.
In the application settings window, select Protection → Advanced Threat Protection → Exploit Prevention.
Use the Exploit Prevention toggle to enable or disable the component.
Save your changes.

As a result, if Exploit Prevention is enabled, Kaspersky Endpoint Security will monitor executable files that are run by vulnerable applications. If Kaspersky Endpoint Security detects that an executable file from a vulnerable application was run by something other than the user, Kaspersky Endpoint Security will perform the selected action (for example, will block the operation).

Page top

[Topic 151129]

Selecting an action to take when an exploit is detected

By default, on detection of an exploit, Kaspersky Endpoint Security blocks operations attempted by the exploit.

To choose an action to be taken when an exploit is detected:

In the lower part of the main application window, click the button.
In the application settings window, select Protection → Advanced Threat Protection → Exploit Prevention.
Select the relevant action in the On detecting exploit block:
- Block operation. If this item is selected, on detecting an exploit, Kaspersky Endpoint Security blocks the operations of this exploit and makes a log entry with information about this exploit.
- Inform. If this item is selected, when Kaspersky Endpoint Security detects an exploit it logs an entry containing information about the exploit and adds information about this exploit to the list of active threats.
Save your changes.

Page top

[Topic 158231]

System processes memory protection

By default, protection of system process memory is enabled.

To enable or disable system process memory protection:

In the lower part of the main application window, click the button.
In the application settings window, select Protection → Advanced Threat Protection → Exploit Prevention.
Use the Enable system process memory protection toggle to enable or disable this feature.
Save your changes.

As a result, Kaspersky Endpoint Security will block external processes that attempt to access system processes.

Page top

[Topic 151031]

Behavior Detection

The Behavior Detection component receives data on the actions of applications on your computer and provides this information to other protection components to improve their performance.

The Behavior Detection component utilizes Behavior Stream Signatures (BSS) for applications. If application activity matches a behavior stream signature, Kaspersky Endpoint Security performs the selected responsive action. Kaspersky Endpoint Security functionality based on behavior stream signatures provides proactive defense for the computer.

In this section

Enabling and disabling Behavior Detection

Selecting the action to take on detecting malware activity

Protection of shared folders against external encryption

Page top

[Topic 151064]

Enabling and disabling Behavior Detection

By default, Behavior Detection is enabled and runs in the mode recommended by Kaspersky experts. You can disable Behavior Detection if necessary.

It is not recommended to disable Behavior Detection unless absolutely necessary because doing so would reduce the effectiveness of the protection components. The protection components may request data collected by the Behavior Detection component to detect threats.

To enable or disable Behavior Detection:

In the lower part of the main application window, click the button.
In the application settings window, select Protection → Advanced Threat Protection → Behavior Detection.
Use the Behavior Detection toggle to enable or disable the component.
Save your changes.

As a result, if Behavior Detection is enabled, Kaspersky Endpoint Security will use behavior stream signatures to analyze the activity of applications in the operating system.

Page top

[Topic 151065]

Selecting the action to take on detecting malware activity

In order to choose what to do if an application engages in malicious activity, perform the following steps:

In the lower part of the main application window, click the button.
In the application settings window, select Protection → Advanced Threat Protection → Behavior Detection.
Select the relevant action in the On detecting malware activity block:
- Delete file. If this item is selected, on detecting malicious activity Kaspersky Endpoint Security deletes the executable file of the malicious application and creates a backup copy of the file in Backup.
- Terminate the application. If this item is selected, on detecting malicious activity Kaspersky Endpoint Security terminates this application.
- Inform. If this item is selected and malware activity of an application is detected, Kaspersky Endpoint Security adds information about the malware activity of the application to the list of active threats.
Save your changes.

Page top

[Topic 151229]

Protection of shared folders against external encryption

The component monitors operations performed only with those files that are stored on mass storage devices with the NTFS file system and that are not encrypted with EFS.

Protection of shared folders against external encryption provides for analysis of activity in shared folders. If this activity matches a behavior stream signature that is typical for external encryption, Kaspersky Endpoint Security performs the selected action.

By default, protection of shared folders against external encryption is disabled.

After Kaspersky Endpoint Security is installed, the protection of shared folders against external encryption will be limited until the computer is restarted.

In this section

Enabling and disabling protection of shared folders against external encryption

Selecting the action to take on detection of external encryption of shared folders

Creating an exclusion for protection of shared folders against external encryption

Configuring addresses of exclusions from protection of shared folders against external encryption

Exporting and importing a list of exclusions from protection of shared folders against external encryption

Page top

[Topic 151230]

Enabling and disabling protection of shared folders against external encryption

After Kaspersky Endpoint Security is installed, the protection of shared folders against external encryption will be limited until the computer is restarted.

To enable or disable protection of shared folders against external encryption:

In the lower part of the main application window, click the button.
In the application settings window, select Protection → Advanced Threat Protection → Behavior Detection.
Use the Enable protection of shared folders against external encryption toggle to enable or disable detection of activity that is typical of external encryption.
Save your changes.

Page top

[Topic 151231]

Selecting the action to take on detection of external encryption of shared folders

To select the action to take on detection of external encryption of shared folders:

In the lower part of the main application window, click the button.
In the application settings window, select Protection → Advanced Threat Protection → Behavior Detection.
Select the relevant action in the Protection of shared folders against external encryption block:
- Block connection for N min. If this option is selected and Kaspersky Endpoint Security detects an attempt to modify files in shared folders, it takes the following actions:
  - Blocks network activity of the computer attempting the modification.
  - Creates backup copies of files that are being modified.
  - Adds an entry to local application interface reports.
  - Sends information about the detected malicious activity to Kaspersky Security Center.
  Also, if the Remediation Engine component is enabled, the modified files are restored from backup copies.
- Inform. If this option is selected and Kaspersky Endpoint Security detects an attempt to modify files in shared folders, it takes the following actions:
  - Adds an entry to local application interface reports.
  - Adds an entry to the list of active threats.
  - Sends information about the detected malicious activity to Kaspersky Security Center.
Save your changes.

Page top

[Topic 234668]

Creating an exclusion for protection of shared folders against external encryption

Excluding a folder can reduce the amount of false positives if your organization uses data encryption when exchanging files using shared folders. For example, Behavior Detection can raise false positives when the user works with files with the ENC extension in a shared folder. Such activity matches a behavioral pattern that is typical for external encryption. If you have encrypted files in a shared folder to protect data, add that folder to exclusions.

How to create an exclusion for protection of shared folders using the Administration Console (MMC)

Open the Kaspersky Security Center Administration Console.
In the Managed devices folder in the Administration Console tree, open the folder with the name of the administration group to which the relevant client computers belong.
In the workspace, select the Policies tab.
Select the necessary policy and double-click to open the policy properties.
In the policy window, select General settings → Exclusions.
In the Scan exclusions and trusted applications section, click the Settings button.
In the window that opens, select the Scan exclusions tab.
This opens a window containing a list of exclusions.
Select the Merge values when inheriting check box if you want to create a consolidated list of exclusions for all computers in the company. The lists of exclusions in the parent and child policies will be merged. The lists will be merged provided that merging values when inheriting is enabled. Exclusions from the parent policy are displayed in child policies in a read-only view. Changing or deleting exclusions of the parent policy is not possible.
Select the Allow use of local trusted applications check box if you want to enable the user to create a local list of exclusions. This way, a user can create their own local list of exclusions in addition to the general list of exclusions generated in the policy. An administrator can use Kaspersky Security Center to view, add, edit, or delete list items in the computer properties.
If the check box is cleared, the user can access only the general list of exclusions generated in the policy. If a local list was generated, after this functionality is disabled Kaspersky Endpoint Security continues excluding the listed files from scans.
Click the Add button.
In the Properties section, select the File or folder check box.
Click the select file or folder link in the Scan exclusion description (click underlined items to edit them) section to open the Name of file or folder window.
Click Browse and select the shared folder.
You can also manually enter the path. Kaspersky Endpoint Security supports the * and ? characters when entering a mask:
- The * (asterisk) character, which takes the place of any set of characters, except the \ and / characters (delimiters of the names of files and folders in paths to files and folders). For example, the mask C:\*\*.txt will include all paths to files with the TXT extension located in folders on the C: drive, but not in subfolders.
- Two consecutive * characters take the place of any set of characters (including an empty set) in the file or folder name, including the \ and / characters (delimiters of the names of files and folders in paths to files and folders). For example, the mask C:\Folder\**\*.txt will include all paths to files with the TXT extension located in folders nested within the Folder, except the Folder itself. The mask must include at least one nesting level. The mask C:\**\*.txt is not a valid mask.
- The ? (question mark) character, which takes the place of any single character, except the \ and / characters (delimiters of the names of files and folders in paths to files and folders). For example, the mask C:\Folder\???.txt will include paths to all files residing in the folder named Folder that have the TXT extension and a name consisting of three characters.
If necessary, in the Comment field, enter a brief comment on the scan exclusion that you are creating.
Click the any link in the Scan exclusion description (click underlined items to edit them) section to activate the select components link.
Click the select components link to open the Protection components window.
Select the check box next to the Behavior Detection component.
Save your changes.

How to create an exclusion for protection of shared folders using the Web Console and Cloud Console

In the main window of Web Console, select Devices → Policies and profiles.
Click the name of the Kaspersky Endpoint Security policy.
The policy properties window opens.
Select the Application settings tab.
Select General settings → Exclusions.
In the Scan exclusions and trusted applications block, click the Scan exclusions link.
Select the Merge values when inheriting check box if you want to create a consolidated list of exclusions for all computers in the company. The lists of exclusions in the parent and child policies will be merged. The lists will be merged provided that merging values when inheriting is enabled. Exclusions from the parent policy are displayed in child policies in a read-only view. Changing or deleting exclusions of the parent policy is not possible.
Select the Allow use of local trusted applications check box if you want to enable the user to create a local list of exclusions. This way, a user can create their own local list of exclusions in addition to the general list of exclusions generated in the policy. An administrator can use Kaspersky Security Center to view, add, edit, or delete list items in the computer properties.
If the check box is cleared, the user can access only the general list of exclusions generated in the policy. If a local list was generated, after this functionality is disabled Kaspersky Endpoint Security continues excluding the listed files from scans.
Click the Add button.
Select how you want to add the exclusion File or folder.
Click Browse and select the shared folder.
You can also manually enter the path. Kaspersky Endpoint Security supports the * and ? characters when entering a mask:
- The * (asterisk) character, which takes the place of any set of characters, except the \ and / characters (delimiters of the names of files and folders in paths to files and folders). For example, the mask C:\*\*.txt will include all paths to files with the TXT extension located in folders on the C: drive, but not in subfolders.
- Two consecutive * characters take the place of any set of characters (including an empty set) in the file or folder name, including the \ and / characters (delimiters of the names of files and folders in paths to files and folders). For example, the mask C:\Folder\**\*.txt will include all paths to files with the TXT extension located in folders nested within the Folder, except the Folder itself. The mask must include at least one nesting level. The mask C:\**\*.txt is not a valid mask.
- The ? (question mark) character, which takes the place of any single character, except the \ and / characters (delimiters of the names of files and folders in paths to files and folders). For example, the mask C:\Folder\???.txt will include paths to all files residing in the folder named Folder that have the TXT extension and a name consisting of three characters.
In the Protection components block, select the Behavior Detection component.
If necessary, in the Comment field, enter a brief comment on the scan exclusion that you are creating.
Select the Active status for the exclusion.
You can use the toggle to stop an exclusion at any time.
Save your changes.

How to create an exclusion for protection of shared folders in the application interface

In the main application window, click the button.
In the application settings window, select General settings → Threats and Exclusions.
In the Exclusions block, click the Manage exclusions link.
Click the Add button.
Click Browse and select the shared folder.
You can also manually enter the path. Kaspersky Endpoint Security supports the * and ? characters when entering a mask:
- The * (asterisk) character, which takes the place of any set of characters, except the \ and / characters (delimiters of the names of files and folders in paths to files and folders). For example, the mask C:\*\*.txt will include all paths to files with the TXT extension located in folders on the C: drive, but not in subfolders.
- Two consecutive * characters take the place of any set of characters (including an empty set) in the file or folder name, including the \ and / characters (delimiters of the names of files and folders in paths to files and folders). For example, the mask C:\Folder\**\*.txt will include all paths to files with the TXT extension located in folders nested within the Folder, except the Folder itself. The mask must include at least one nesting level. The mask C:\**\*.txt is not a valid mask.
- The ? (question mark) character, which takes the place of any single character, except the \ and / characters (delimiters of the names of files and folders in paths to files and folders). For example, the mask C:\Folder\???.txt will include paths to all files residing in the folder named Folder that have the TXT extension and a name consisting of three characters.
In the Protection components block, select the Behavior Detection component.
If necessary, in the Comment field, enter a brief comment on the scan exclusion that you are creating.
Select the Active status for the exclusion.
You can use the toggle to stop an exclusion at any time.
Save your changes.

Page top

[Topic 151232]

Configuring addresses of exclusions from protection of shared folders against external encryption

The Audit Logon service must be enabled to enable exclusions of addresses from protection of shared folders against external encryption. By default, the Audit Logon service is disabled (for detailed information about enabling the Audit Logon service, please visit the Microsoft website).

The functionality for excluding addresses from shared folder protection does not work on a remote computer if the remote computer was turned on before Kaspersky Endpoint Security was started. You can restart this remote computer after Kaspersky Endpoint Security is started to ensure that the functionality for excluding addresses from shared folder protection works on this remote computer.

To exclude remote computers that perform external encryption of shared folders:

In the lower part of the main application window, click the button.
In the application settings window, select Protection → Advanced Threat Protection → Behavior Detection.
In the Exclusions block, click the Configure addresses of exclusions link.
If you want to add an IP address or computer name to the list of exclusions, click the Add button.
Enter the IP address or name of the computer from which external encryption attempts must not be handled.
Save your changes.

Page top

[Topic 201977]

Exporting and importing a list of exclusions from protection of shared folders against external encryption

How to export and import a list of exclusions in the Administration Console (MMC)

Open the Kaspersky Security Center Administration Console.
In the Managed devices folder in the Administration Console tree, open the folder with the name of the administration group to which the relevant client computers belong.
In the workspace, select the Policies tab.
Select the necessary policy and double-click to open the policy properties.
In the policy window, select Advanced Threat Protection → Behavior Detection.
In the Protection of shared folders against external encryption section, click the Exclusions button.
To export the list of rules:
1. Select the exclusions that you want to export. To select multiple ports, use the CTRL or SHIFT keys.
  If you did not select any exclusion, Kaspersky Endpoint Security will export all exclusions.
2. Click the Export link.
3. In the window that opens, specify the name of the XML file to which you want to export the list of exclusions, and select the folder in which you want to save this file.
4. Click the Save button.
  Kaspersky Endpoint Security exports the entire list of exclusions to the XML file.
To import the list of exclusions:
1. Click the Import button.
2. In the window that opens, select the XML file from which you want to import the list of exclusions.
3. Click the Open button.
  If the computer already has a list of exclusions, Kaspersky Endpoint Security will prompt you to delete the existing list or add new entries to it from the XML file.
Save your changes.

How to export and import a list of exclusions in the Web Console and Cloud Console

In the main window of Web Console, select Devices → Policies and profiles.
Click the name of the Kaspersky Endpoint Security policy for computers on which you want to export or import a list of exclusions.
The policy properties window opens.
Select the Application settings tab.
Select Advanced Threat Protection → Behavior Detection.
To export the list of exclusions in the Exclusions block:
1. Select the exclusions that you want to export.
2. Click the Export button.
3. Confirm that you want to export only the selected exclusions, or export the entire list of exclusions.
4. In the window that opens, specify the name of the XML file to which you want to export the list of exclusions, and select the folder in which you want to save this file.
5. Click the Save button.
  Kaspersky Endpoint Security exports the entire list of exclusions to the XML file.
To import the list of exclusions in the Exclusions block:
1. Click the Import button.
2. In the window that opens, select the XML file from which you want to import the list of exclusions.
3. Click the Open button.
  If the computer already has a list of exclusions, Kaspersky Endpoint Security will prompt you to delete the existing list or add new entries to it from the XML file.
Save your changes.

Page top

[Topic 39265]

Host Intrusion Prevention

The Host Intrusion Prevention component prevents applications from performing actions that may be dangerous for the operating system, and ensures control over access to operating system resources and personal data. The component provides computer protection with the help of anti-virus databases and the Kaspersky Security Network cloud service.

The component controls the operation of applications by using application rights. Application rights include the following access parameters:

Access to operating system resources (for example, automatic startup options, registry keys)
Access to personal data (such as files and applications)

Network activity of applications is controlled by the Firewall using network rules.

During the first startup of the application, the Host Intrusion Prevention component performs the following actions:

Checks the security of the application using downloaded anti-virus databases.
Checks the security of the application in Kaspersky Security Network.
You are advised to participate in Kaspersky Security Network to help the Host Intrusion Prevention component work more effectively.
Puts the application in one of the trust groups: Trusted, Low Restricted, High Restricted, Untrusted.
A trust group defines the rights that Kaspersky Endpoint Security refers to when controlling application activity. Kaspersky Endpoint Security places an application in a trust group depending on the level of danger that this application may pose to the computer.

Kaspersky Endpoint Security places an application in a trust group for the Firewall and Host Intrusion Prevention components. You cannot change the trust group only for the Firewall or Host Intrusion Prevention.

If you refused to participate in KSN or there is no network, Kaspersky Endpoint Security places the application in a trust group depending on the settings of the Host Intrusion Prevention component. After receiving the reputation of the application from KSN, the trust group can be changed automatically.
Blocks application actions depending on the trust group. For example, applications from the High Restricted trust group are denied access to the operating system modules.

The next time the application is started, Kaspersky Endpoint Security checks the integrity of the application. If the application is unchanged, the component uses the current application rights for it. If the application has been modified, Kaspersky Endpoint Security analyzes the application as if it were being started for the first time.

In this section

Enabling and disabling Host Intrusion Prevention

Managing application trust groups

Managing application rights

Protecting operating system resources and personal data

Deleting information about unused applications

Monitoring Host Intrusion Prevention

Protecting access to audio and video

Page top

[Topic 128217]

Enabling and disabling Host Intrusion Prevention

By default, the Host Intrusion Prevention component is enabled and runs in the mode recommended by Kaspersky experts.

How to enable or disable the Host Intrusion Prevention component in the Administration Console (MMC)

Open the Kaspersky Security Center Administration Console.
In the Managed devices folder in the Administration Console tree, open the folder with the name of the administration group to which the relevant client computers belong.
In the workspace, select the Policies tab.
Select the necessary policy and double-click to open the policy properties.
In the policy window, select Advanced Threat Protection → Host Intrusion Prevention.
Use the Host Intrusion Prevention check box to enable or disable the component.
Save your changes.

How to enable or disable the Host Intrusion Prevention component in the Web Console and Cloud Console

In the main window of Web Console, select Devices → Policies and profiles.
Click the name of the Kaspersky Endpoint Security policy.
The policy properties window opens.
Select the Application settings tab.
Select Advanced Threat Protection → Host Intrusion Prevention.
Use the Host Intrusion Prevention toggle to enable or disable the component.
Save your changes.

How to enable or disable the Host Intrusion Prevention component in the application interface

In the lower part of the main application window, click the button.
In the application settings window, select Protection → Advanced Threat Protection → Host Intrusion Prevention.
Use the Host Intrusion Prevention toggle to enable or disable the component.
Save your changes.

If the Host Intrusion Prevention component is enabled, Kaspersky Endpoint Security will place an application in a trust group depending on the level of danger that this application may pose to the computer. Kaspersky Endpoint Security will then block the actions of the application depending on the trust group.

Page top

[Topic 130895]

Managing application trust groups

When each application is started for the first time, the Host Intrusion Prevention component checks the security of the application and places the application into one of the trust groups.

At the first stage of the application scan, Kaspersky Endpoint Security searches the internal database of known applications for a matching entry and at the same time sends a request to the Kaspersky Security Network database (if an Internet connection is available). Based on the results of the search in the internal database and the Kaspersky Security Network database, the application is placed into a trust group. Each time the application is subsequently started, Kaspersky Endpoint Security sends a new query to the KSN database and places the application into a different trust group if the reputation of the application in the KSN database has changed.

You can select a trust group to which Kaspersky Endpoint Security must automatically assign all unknown applications. Applications that were started before Kaspersky Endpoint Security are automatically moved to the trust group defined in the Host Intrusion Prevention component settings window.

For applications that were started before Kaspersky Endpoint Security, only network activity is controlled. Control is performed according to the network rules defined in the Firewall settings.

In this section

Changing the trust group of an application

Configuring trust group rights

Selecting a trust group for applications started before Kaspersky Endpoint Security

Selecting a trust group for unknown applications

Selecting a trust group for digitally signed applications

Page top

[Topic 123280]

Changing the trust group of an application

When each application is started for the first time, the Host Intrusion Prevention component checks the security of the application and places the application into one of the trust groups.

Kaspersky specialists do not recommend moving applications from the automatically assigned trust group to a different trust group. Instead, you can modify rights for an individual application if necessary.

How to change the trust group of an application in the Administration Console (MMC)

Open the Kaspersky Security Center Administration Console.
In the Managed devices folder in the Administration Console tree, open the folder with the name of the administration group to which the relevant client computers belong.
In the workspace, select the Policies tab.
Select the necessary policy and double-click to open the policy properties.
In the policy window, select Advanced Threat Protection → Host Intrusion Prevention.
In the Application rights block, click the Settings button.
This opens the application rights configuration window and the list of protected resources.
Select the Application rights tab.
Click the Add button.
In the opened window, enter criteria to search for the application whose trust group you want to change.
You can enter the name of the application or the name of the vendor. Kaspersky Endpoint Security supports environment variables and the * and ? characters when entering a mask.
Click the Refresh button.
Kaspersky Endpoint Security will search for the application in the consolidated list of applications installed on managed computers. Kaspersky Endpoint Security will show a list of applications that satisfy your search criteria.
Select the necessary application.
In the Add selected applications to <trust group> group drop-down list, select the necessary trust group for the application.
Save your changes.

How to change the trust group of an application in the Web Console and Cloud Console

In the main window of Web Console, select Devices → Policies and profiles.
Click the name of the Kaspersky Endpoint Security policy.
The policy properties window opens.
Select the Application settings tab.
Select Advanced Threat Protection → Host Intrusion Prevention.
In the Application rights and protected resources block, click the Application rights and protected resources link.
This opens the application rights configuration window and the list of protected resources.
Select the Application rights tab.
You will see a list of trust groups on the left side of the window and their properties on the right side.
Click the Add button.
This starts the Wizard for adding an application to a trust group.
Click the Selected target group link to select the relevant trust group for the application.
Select the Application type. Click the Next button.
If you want to change the trust group for multiple applications, select the Group type and define a name for the application group.
In the opened list of applications, select the applications whose trust group you want to change.
Use a filter. You can enter the name of the application or the name of the vendor. Kaspersky Endpoint Security supports environment variables and the * and ? characters when entering a mask.
Finish the Wizard by clicking OK.
The application will be added to the trust group.
Save your changes.

How to change the trust group of an application in the application interface

In the lower part of the main application window, click the button.
In the application settings window, select Protection → Advanced Threat Protection → Host Intrusion Prevention.
Click the Manage applications button.
This opens the list of installed applications.
Select the necessary application.
In the context menu of the application, select Restrictions → <trust group>.
Save your changes.

As a result, the application will be put into the other trust group. Kaspersky Endpoint Security will then block the actions of the application depending on the trust group. The icon_HIPS_user_choice (user-defined) status will be assigned to the application. If the reputation of the application is changed in Kaspersky Security Network, the Host Intrusion Prevention component will leave this application's trust group unchanged.

Page top

[Topic 133777]

Configuring trust group rights

The optimal application rights are created for different trust groups by default. The settings of rights for application groups that are in a trust group inherit values from the settings of the trust group rights.

How to change trust group rights in the Administration Console (MMC)

Open the Kaspersky Security Center Administration Console.
In the Managed devices folder in the Administration Console tree, open the folder with the name of the administration group to which the relevant client computers belong.
In the workspace, select the Policies tab.
Select the necessary policy and double-click to open the policy properties.
In the policy window, select Advanced Threat Protection → Host Intrusion Prevention.
In the Application rights block, click the Settings button.
This opens the application rights configuration window and the list of protected resources.
Select the Application rights tab.
Select the necessary trust group.
Select Group rights from the context menu of the trust group.
This opens the trust group properties.
Do one of the following:
- If you want to edit trust group rights that regulate operations with the operating system registry, user files, and application settings, select the Files and system registry tab.
- If you want to edit trust group rights that regulate access to operating system processes and objects, select the Rights tab.
Network activity of applications is controlled by the Firewall using network rules.
For the relevant resource, in the column of the corresponding action, right-click to open the context menu and select the necessary option: Inherit, Allow () or Forbid ().
If you want to monitor the use of computer resources, select Write to report ( / ).
Kaspersky Endpoint Security will record information about the operation of the Host Intrusion Prevention component. Reports contain information about operations with computer resources performed by the application (allowed or forbidden). Reports also contain information about the applications that utilize each resource.
Save your changes.

How to change trust group rights in the Web Console and Cloud Console

In the main window of Web Console, select Devices → Policies and profiles.
Click the name of the Kaspersky Endpoint Security policy.
The policy properties window opens.
Select the Application settings tab.
Select Advanced Threat Protection → Host Intrusion Prevention.
In the Application rights and protected resources block, click the Application rights and protected resources link.
This opens the application rights configuration window and the list of protected resources.
Select the Application rights tab.
You will see a list of trust groups on the left side of the window and their properties on the right side.
In the left part of the window, select the relevant trust group.
In the right part of the window, in the drop-down list, do one of the following:
- If you want to edit trust group rights that regulate operations with the operating system registry, user files, and application settings, select Files and system registry.
- If you want to edit trust group rights that regulate access to operating system processes and objects, select Rights.
Network activity of applications is controlled by the Firewall using network rules.
For the relevant resource, in the column of the corresponding action, select the necessary option: Inherit, Allow (), or Forbid ().
If you want to monitor the use of computer resources, select Write to report ( / ).
Kaspersky Endpoint Security will record information about the operation of the Host Intrusion Prevention component. Reports contain information about operations with computer resources performed by the application (allowed or forbidden). Reports also contain information about the applications that utilize each resource.
Save your changes.

How to change trust group rights in the application interface

In the lower part of the main application window, click the button.
In the application settings window, select Protection → Advanced Threat Protection → Host Intrusion Prevention.
Click the Manage applications button.
This opens the list of installed applications.
Select the necessary trust group.
In the context menu of the trust group, select Details and rules.
This opens the trust group properties.
Do one of the following:
- If you want to edit trust group rights that regulate operations with the operating system registry, user files, and application settings, select the Files and system registry tab.
- If you want to edit trust group rights that regulate access to operating system processes and objects, select the Rights tab.
Network activity of applications is controlled by the Firewall using network rules.
For the relevant resource, in the column of the corresponding action, right-click to open the context menu and select the necessary option: Inherit, Allow (), or Forbid ().
If you want to monitor the use of computer resources, select Write to report ().
Kaspersky Endpoint Security will record information about the operation of the Host Intrusion Prevention component. Reports contain information about operations with computer resources performed by the application (allowed or forbidden). Reports also contain information about the applications that utilize each resource.
Save your changes.

The trust group rights will be changed. Kaspersky Endpoint Security will then block the actions of the application depending on the trust group. The icon_HIPS_Settings_Edited status (User settings) will be assigned to the trust group.

Page top

[Topic 130891]

Selecting a trust group for applications started before Kaspersky Endpoint Security

For applications that were started before Kaspersky Endpoint Security, only network activity is controlled. Control is performed according to the network rules defined in the Firewall settings. To specify which network rules must be applied to network activity monitoring for such applications, you must select a trust group.

How to select a trust group for applications started before Kaspersky Endpoint Security in the Administration Console (MMC)

Open the Kaspersky Security Center Administration Console.
In the Managed devices folder in the Administration Console tree, open the folder with the name of the administration group to which the relevant client computers belong.
In the workspace, select the Policies tab.
Select the necessary policy and double-click to open the policy properties.
In the policy window, select Advanced Threat Protection → Host Intrusion Prevention.
In the Application rights block, click the Edit button.
Select the necessary trust group for the Applications launched before Kaspersky Endpoint Security for Windows are automatically moved to the <trust group> trust group setting.
Save your changes.

How to select a trust group for applications started before Kaspersky Endpoint Security in the Web Console and Cloud Console

In the main window of Web Console, select Devices → Policies and profiles.
Click the name of the Kaspersky Endpoint Security policy.
The policy properties window opens.
Select the Application settings tab.
Select Advanced Threat Protection → Host Intrusion Prevention.
Select the necessary trust group for the Applications launched before Kaspersky Endpoint Security for Windows are automatically moved to the <trust group> trust group setting.
Save your changes.

How to select a trust group for applications started before Kaspersky Endpoint Security in the application interface

In the lower part of the main application window, click the button.
In the application settings window, select Protection → Advanced Threat Protection → Host Intrusion Prevention.
Select the necessary trust group in the Applications launched before Kaspersky Endpoint Security for Windows are automatically moved to the <trust group> trust group block.
Save your changes.

As a result, an application that is started before Kaspersky Endpoint Security will be put into the other trust group. Kaspersky Endpoint Security will then block the actions of the application depending on the trust group.

Page top

[Topic 39270]

Selecting a trust group for unknown applications

During the first startup of an application, the Host Intrusion Prevention component determines the trust group for the application. If you do not have Internet access or if Kaspersky Security Network has no information about this application, Kaspersky Endpoint Security will place the application into the Low Restricted group by default. When information about a previously unknown application is detected in KSN, Kaspersky Endpoint Security will update the rights of this application. You can then manually edit the application rights.

How to select a trust group for unknown applications in the Administration Console (MMC)

Open the Kaspersky Security Center Administration Console.
In the Managed devices folder in the Administration Console tree, open the folder with the name of the administration group to which the relevant client computers belong.
In the workspace, select the Policies tab.
Select the necessary policy and double-click to open the policy properties.
In the policy window, select Advanced Threat Protection → Host Intrusion Prevention.
In the Application processing rules block, use the Trust group for applications that could not be assigned to other groups drop-down list to select the necessary trust group.
If participation in Kaspersky Security Network is enabled, Kaspersky Endpoint Security sends KSN a request for the reputation of an application each time the application is started. Based on the received response, the application may be moved to a trust group that is different from the one specified in the Host Intrusion Prevention component settings.
Use the Update rights for previously unknown applications from KSN database check box to configure automatic update of the rights of unknown applications.
Save your changes.

How to select a trust group for unknown applications in the Web Console and Cloud Console

In the main window of Web Console, select Devices → Policies and profiles.
Click the name of the Kaspersky Endpoint Security policy.
The policy properties window opens.
Select the Application settings tab.
Select Advanced Threat Protection → Host Intrusion Prevention.
In the Application processing rules block, use the Trust group for applications that could not be assigned to other groups drop-down list to select the necessary trust group.
If participation in Kaspersky Security Network is enabled, Kaspersky Endpoint Security sends KSN a request for the reputation of an application each time the application is started. Based on the received response, the application may be moved to a trust group that is different from the one specified in the Host Intrusion Prevention component settings.
Use the Update rights for previously unknown applications from KSN database check box to configure automatic update of the rights of unknown applications.
Save your changes.

How to select a trust group for unknown applications in the application interface

In the lower part of the main application window, click the button.
In the application settings window, select Protection → Advanced Threat Protection → Host Intrusion Prevention.
In the Trust group for unknown applications block, select the relevant trust group.
If participation in Kaspersky Security Network is enabled, Kaspersky Endpoint Security sends KSN a request for the reputation of an application each time the application is started. Based on the received response, the application may be moved to a trust group that is different from the one specified in the Host Intrusion Prevention component settings.
Use the Update rights for previously unknown applications from KSN database check box to configure automatic update of the rights of unknown applications.
Save your changes.

Page top

[Topic 128240]

Selecting a trust group for digitally signed applications

Kaspersky Endpoint Security always places applications signed by Microsoft certificates or Kaspersky certificates into the Trusted group.

How to select a trust group for digitally signed applications in the Administration Console (MMC)

Open the Kaspersky Security Center Administration Console.
In the Managed devices folder in the Administration Console tree, open the folder with the name of the administration group to which the relevant client computers belong.
In the workspace, select the Policies tab.
Select the necessary policy and double-click to open the policy properties.
In the policy window, select Advanced Threat Protection → Host Intrusion Prevention.
In the Application processing rules block, use the Trust applications that have a digital signature check box to enable or disable automatic assignment to the Trusted group for applications containing the digital signature of trusted vendors.
Trusted vendors are those software vendors that are included in the trusted group by Kaspersky. You can also add vendor certificate to the trusted system certificate store manually.

If this check box is cleared, the Host Intrusion Prevention component does not consider digitally signed applications to be trusted, and uses other parameters to determine their trust group.
Save your changes.

How to select a trust group for digitally signed applications in the Web Console and Cloud Console

In the main window of Web Console, select Devices → Policies and profiles.
Click the name of the Kaspersky Endpoint Security policy.
The policy properties window opens.
Select the Application settings tab.
Select Advanced Threat Protection → Host Intrusion Prevention.
In the Application processing rules block, use the Trust applications that have a digital signature check box to enable or disable automatic assignment to the Trusted group for applications containing the digital signature of trusted vendors.
Trusted vendors are those software vendors that are included in the trusted group by Kaspersky. You can also add vendor certificate to the trusted system certificate store manually.

If this check box is cleared, the Host Intrusion Prevention component does not consider digitally signed applications to be trusted, and uses other parameters to determine their trust group.
Save your changes.

How to select a trust group for digitally signed applications in the application interface

In the lower part of the main application window, click the button.
In the application settings window, select Protection → Advanced Threat Protection → Host Intrusion Prevention.
In the Application processing rules block, use the Trust applications that have a digital signature check box to enable or disable automatic assignment to the Trusted group for applications containing the digital signature of trusted vendors.
Trusted vendors are those software vendors that are included in the trusted group by Kaspersky. You can also add vendor certificate to the trusted system certificate store manually.

If this check box is cleared, the Host Intrusion Prevention component does not consider digitally signed applications to be trusted, and uses other parameters to determine their trust group.
Save your changes.

Page top

[Topic 39278]

Managing application rights

By default, application activity is controlled based on the application rights that are defined for the specific trust group that Kaspersky Endpoint Security assigned to the application when it started for the first time. If necessary, you can edit the application rights for an entire trust group, for an individual application, or for a group of applications within a trust group.

Manually defined application rights have a higher priority than application rights that were defined for a trust group. In other words, if manually defined application rights differ from the application rights defined for a trust group, the Host Intrusion Prevention component controls application activity according to the manually defined application rights.

The rules that you create for applications are inherited by child applications. For example, if you deny all network activity for cmd.exe, all network activity will also be denied for notepad.exe if it is started using cmd.exe. If an application is started indirectly by another application but is not a child of the application it runs from, rules are not inherited.

How to change application rights in the Administration Console (MMC)

Open the Kaspersky Security Center Administration Console.
In the Managed devices folder in the Administration Console tree, open the folder with the name of the administration group to which the relevant client computers belong.
In the workspace, select the Policies tab.
Select the necessary policy and double-click to open the policy properties.
In the policy window, select Advanced Threat Protection → Host Intrusion Prevention.
In the Application rights block, click the Settings button.
This opens the application rights configuration window and the list of protected resources.
Select the Application rights tab.
Click the Add button.
In the opened window, enter criteria to search for the application whose application rights you want to change.
You can enter the name of the application or the name of the vendor. Kaspersky Endpoint Security supports environment variables and the * and ? characters when entering a mask.
Click the Refresh button.
Kaspersky Endpoint Security will search for the application in the consolidated list of applications installed on managed computers. Kaspersky Endpoint Security will show a list of applications that satisfy your search criteria.
Select the necessary application.
In the Add selected applications to <trust group> group drop-down list, select Default groups and click OK.
The application will be added to the default group.
Select the relevant application and then select Application rights from the context menu of the application.
This opens the application properties.
Do one of the following:
- If you want to edit trust group rights that regulate operations with the operating system registry, user files, and application settings, select the Files and system registry tab.
- If you want to edit trust group rights that regulate access to operating system processes and objects, select the Rights tab.
Network activity of applications is controlled by the Firewall using network rules.
For the relevant resource, in the column of the corresponding action, right-click to open the context menu and select the necessary option: Inherit, Allow () or Forbid ().
If you want to monitor the use of computer resources, select Write to report ( / ).
Kaspersky Endpoint Security will record information about the operation of the Host Intrusion Prevention component. Reports contain information about operations with computer resources performed by the application (allowed or forbidden). Reports also contain information about the applications that utilize each resource.
Save your changes.

How to change application rights in the Web Console and Cloud Console

In the main window of Web Console, select Devices → Policies and profiles.
Click the name of the Kaspersky Endpoint Security policy.
The policy properties window opens.
Select the Application settings tab.
Select Advanced Threat Protection → Host Intrusion Prevention.
In the Application rights and protected resources block, click the Application rights and protected resources link.
This opens the application rights configuration window and the list of protected resources.
Select the Application rights tab.
You will see a list of trust groups on the left side of the window and their properties on the right side.
Click the Add button.
This starts the Wizard for adding an application to a trust group.
Click the Selected target group link to select the relevant trust group for the application.
Select the Application type. Click the Next button.
If you want to change the trust group for multiple applications, select the Group type and define a name for the application group.
In the opened list of applications, select the applications whose application rights you want to change.
Use a filter. You can enter the name of the application or the name of the vendor. Kaspersky Endpoint Security supports environment variables and the * and ? characters when entering a mask.
Finish the Wizard by clicking OK.
The application will be added to the trust group.
In the left part of the window, select the relevant application.
In the right part of the window, in the drop-down list, do one of the following:
- If you want to edit trust group rights that regulate operations with the operating system registry, user files, and application settings, select Files and system registry.
- If you want to edit trust group rights that regulate access to operating system processes and objects, select Rights.
Network activity of applications is controlled by the Firewall using network rules.
For the relevant resource, in the column of the corresponding action, select the necessary option: Inherit, Allow (), or Forbid ().
If you want to monitor the use of computer resources, select Write to report ( / ).
Kaspersky Endpoint Security will record information about the operation of the Host Intrusion Prevention component. Reports contain information about operations with computer resources performed by the application (allowed or forbidden). Reports also contain information about the applications that utilize each resource.
Save your changes.

How to change application rights in the application interface

In the lower part of the main application window, click the button.
In the application settings window, select Protection → Advanced Threat Protection → Host Intrusion Prevention.
Click the Manage applications button.
This opens the list of installed applications.
Select the necessary application.
In the context menu of the application, select Details and rules.
This opens the application properties.
Do one of the following:
- If you want to edit trust group rights that regulate operations with the operating system registry, user files, and application settings, select the Files and system registry tab.
- If you want to edit trust group rights that regulate access to operating system processes and objects, select the Rights tab.
For the relevant resource, in the column of the corresponding action, right-click to open the context menu and select the necessary option: Inherit, Allow (), or Forbid ().
If you want to monitor the use of computer resources, select Write to report ().
Kaspersky Endpoint Security will record information about the operation of the Host Intrusion Prevention component. Reports contain information about operations with computer resources performed by the application (allowed or forbidden). Reports also contain information about the applications that utilize each resource.
Select the Exclusions tab and configure the advanced settings of the application (see the table below).

Save your changes.

Advanced Settings of the application

Parameter	Description
Do not scan opened files	All files that are opened by the application are excluded from scans by Kaspersky Endpoint Security. For example, if you are using applications to back up files, this feature helps reduce the consumption of resources by Kaspersky Endpoint Security.
Do not monitor application activity	Kaspersky Endpoint Security will not monitor the application's file- and network activity in the operating system. Application activity is monitored by the following components: Behavior Detection, Exploit Prevention, Host Intrusion Prevention, Remediation Engine and Firewall.
Do not inherit restrictions of the parent process (application)	The restrictions configured for the parent process will not be applied by Kaspersky Endpoint Security to a child process. The parent process is started by an application for which application rights (Host Intrusion Prevention) and application network rules (Firewall) are configured.
Do not monitor the activity of child applications	Kaspersky Endpoint Security will not monitor the file activity or network activity of applications that are started by this application.
Allow interaction with Kaspersky Endpoint Security interface	Kaspersky Endpoint Security Self-Defense blocks all attempts to manage application services from a remote computer. If the check box is selected, the remote access application is allowed to manage Kaspersky Endpoint Security settings through the Kaspersky Endpoint Security interface.
Do not scan encrypted traffic / Do not scan all traffic	Network traffic initiated by the application will be excluded from scans by Kaspersky Endpoint Security. You can exclude either all traffic or only encrypted traffic from scans. You can also exclude individual IP addresses and port numbers from scans.

Page top

[Topic 39271]

Protecting operating system resources and personal data

The Host Intrusion Prevention component manages the rights of applications to take actions on various categories of operating system resources and personal data. Kaspersky specialists have established preset categories of protected resources. For example, the Operating system category has a Startup settings subcategory that lists all the registry keys associated with autorun of applications. You cannot edit or delete the preset categories of protected resources or the protected resources that are within these categories.

How to add a protected resource in the Administration Console (MMC)

Open the Kaspersky Security Center Administration Console.
In the Managed devices folder in the Administration Console tree, open the folder with the name of the administration group to which the relevant client computers belong.
In the workspace, select the Policies tab.
Select the necessary policy and double-click to open the policy properties.
In the policy window, select Advanced Threat Protection → Host Intrusion Prevention.
In the Application rights block, click the Settings button.
This opens the application rights configuration window and the list of protected resources.
Select the Protected resources tab.
You will see a list of protected resources in the left part of the window and the corresponding rights for accessing those resources depending on the specific trust group.
Select the category of protected resources to which you want to add a new protected resource.
If you want to add a subcategory, click Add → Category.
Click the Add button. In the drop-down list, select the type of resource that you want to add: File or folder or Registry key.
In the opened window, select a file, folder, or registry key.
You can view applications' rights to access the added resources. To do so, select an added resource in the left part of the window and Kaspersky Endpoint Security will show the access rights for each trust group. You can also disable control of application activity with resources by using the check box next to a new resource.
Save your changes.

How to add a protected resource in the Web Console and Cloud Console

In the main window of Web Console, select Devices → Policies and profiles.
Click the name of the Kaspersky Endpoint Security policy.
The policy properties window opens.
Select the Application settings tab.
Select Advanced Threat Protection → Host Intrusion Prevention.
In the Application rights and protected resources block, click the Application rights and protected resources link.
This opens the application rights configuration window and the list of protected resources.
Select the Protected resources tab.
You will see a list of protected resources in the left part of the window and the corresponding rights for accessing those resources depending on the specific trust group.
Click the Add button.
The New Resource Wizard starts.
Click the Group name link to select the category of protected resources to which you want to add a new protected resource.
If you want to add a subcategory, select the Category of protected resources option.
Select the type of resource that you want to add: File or folder or Registry key.
Select a file, folder, or registry key.
Finish the Wizard by clicking OK.
You can view applications' rights to access the added resources. To do so, select an added resource in the left part of the window and Kaspersky Endpoint Security will show the access rights for each trust group. You can also use the check box in the Status column to disable control of application activity with resources.
Save your changes.

How to add a protected resource in the application interface

In the lower part of the main application window, click the button.
In the application settings window, select Protection → Advanced Threat Protection → Host Intrusion Prevention.
Click the Manage resources button.
The list of protected resources opens.
Select the category of protected resources to which you want to add a new protected resource.
If you want to add a subcategory, click Add → Category.
Click the Add button. In the drop-down list, select the type of resource that you want to add: File or folder or Registry key.
In the opened window, select a file, folder, or registry key.
You can view applications' rights to access the added resources. To do so, select an added resource in the left part of the window and Kaspersky Endpoint Security will show a list of applications and the access rights for each application. You can also disable control of application activity with resources by using the Disable control button in the Status column.
Save your changes.

Kaspersky Endpoint Security will control access to the added operating system resources and to personal data. Kaspersky Endpoint Security controls an application's access to resources based on the trust group assigned to the application. You can also change the trust group of an application.

Page top

[Topic 128039]

Deleting information about unused applications

Kaspersky Endpoint Security uses application rights to control the activities of applications. Application rights are determined by their trust group. Kaspersky Endpoint Security puts an application into a trust group when the application is started for the first time. You can manually change the trust group of an application. You can also manually configure the rights of an individual application. Kaspersky Endpoint Security stores the following information about an application: trust group of the application, and rights of the application.

Kaspersky Endpoint Security automatically deletes information about unused applications to save computer resources. Kaspersky Endpoint Security deletes application information according to the following rules:

If the trust group and rights of an application were determined automatically, Kaspersky Endpoint Security deletes information about this application after 30 days. It is not possible to change the storage term for application information or turn off automatic deletion.
If you manually put an application into a trust group or configured its access rights, Kaspersky Endpoint Security deletes information about this application after 60 days (default storage term). You can change the storage term for application information, or turn off automatic deletion (see the instructions below).

When you start an application whose information has been deleted, Kaspersky Endpoint Security analyzes the application as if it were starting for the first time.

How to configure automatic deletion of information about unused applications in the Administration Console (MMC)

Open the Kaspersky Security Center Administration Console.
In the Managed devices folder in the Administration Console tree, open the folder with the name of the administration group to which the relevant client computers belong.
In the workspace, select the Policies tab.
Select the necessary policy and double-click to open the policy properties.
In the policy window, select Advanced Threat Protection → Host Intrusion Prevention.
In the Application processing rules block, do one of the following:
- If you want to configure automatic deletion, select the Delete rights for applications that are not started for more than N days check box and specify the necessary number of days.
  Information about the applications that you manually put into a trust group or whose access rights you manually configured will be deleted by Kaspersky Endpoint Security after the defined number of days. Information about applications whose trust group and application rights were automatically determined will also be deleted by Kaspersky Endpoint Security after 30 days.
- If you want to turn off automatic deletion, clear the Delete rights for applications that are not started for more than N days check box.
  Information about the applications that you manually put into a trust group or whose access rights you manually configured will be stored by Kaspersky Endpoint Security indefinitely, without any storage term limits. Kaspersky Endpoint Security will only delete information about applications whose trust group and application rights were automatically determined after 30 days.
Save your changes.

How to configure automatic deletion of information about unused applications in the Web Console and Cloud Console

In the main window of Web Console, select Devices → Policies and profiles.
Click the name of the Kaspersky Endpoint Security policy.
The policy properties window opens.
Select the Application settings tab.
Select Advanced Threat Protection → Host Intrusion Prevention.
In the Application processing rules block, do one of the following:
- If you want to configure automatic deletion, select the Delete rights for applications that are not started for more than N days check box and specify the necessary number of days.
  Information about the applications that you manually put into a trust group or whose access rights you manually configured will be deleted by Kaspersky Endpoint Security after the defined number of days. Information about applications whose trust group and application rights were automatically determined will also be deleted by Kaspersky Endpoint Security after 30 days.
- If you want to turn off automatic deletion, clear the Delete rights for applications that are not started for more than N days check box.
  Information about the applications that you manually put into a trust group or whose access rights you manually configured will be stored by Kaspersky Endpoint Security indefinitely, without any storage term limits. Kaspersky Endpoint Security will only delete information about applications whose trust group and application rights were automatically determined after 30 days.
Save your changes.

How to configure automatic deletion of information about unused applications in the application interface

In the lower part of the main application window, click the button.
In the application settings window, select Protection → Advanced Threat Protection → Host Intrusion Prevention.
In the Application processing rules block, do one of the following:
- If you want to configure automatic deletion, select the Delete rights for applications that are not started for more than N days check box and specify the necessary number of days.
  Information about the applications that you manually put into a trust group or whose access rights you manually configured will be deleted by Kaspersky Endpoint Security after the defined number of days. Information about applications whose trust group and application rights were automatically determined will also be deleted by Kaspersky Endpoint Security after 30 days.
- If you want to turn off automatic deletion, clear the Delete rights for applications that are not started for more than N days check box.
  Information about the applications that you manually put into a trust group or whose access rights you manually configured will be stored by Kaspersky Endpoint Security indefinitely, without any storage term limits. Kaspersky Endpoint Security will only delete information about applications whose trust group and application rights were automatically determined after 30 days.
Save your changes.

Page top

[Topic 133783]

Monitoring Host Intrusion Prevention

You can receive reports on the operation of the Host Intrusion Prevention component. Reports contain information about operations with computer resources performed by the application (allowed or forbidden). Reports also contain information about the applications that utilize each resource.

To monitor Host Intrusion Prevention operations, you need to enable report writing. For example, you can enable forwarding of reports for individual applications in the Host Intrusion Prevention component settings.

When configuring Host Intrusion Prevention monitoring, take into account the potential network load when forwarding events to Kaspersky Security Center. You can also enable saving of reports only in the local log of Kaspersky Endpoint Security.

Page top

[Topic 134861]

Protecting access to audio and video

Cybercriminals can use special programs to try to gain access to devices that record audio and video (such as microphones or webcams). Kaspersky Endpoint Security controls when applications receive an audio stream or video stream and protects data against unauthorized interception.

By default, Kaspersky Endpoint Security controls applications' access to the audio stream and video stream based on the application's category:

Trusted and Low Restricted applications are allowed to receive the audio stream and video stream from devices by default.
High Restricted and Untrusted applications are not allowed to receive the audio stream and video stream from devices by default.

You can manually allow applications to receive the audio stream and video stream.

Special features of audio stream protection

Audio stream protection has the following special characteristics:

The Host Intrusion Prevention component must be enabled for this functionality to work.
If the application started receiving the audio stream before the Host Intrusion Prevention component was started, Kaspersky Endpoint Security allows the application to receive the audio stream and does not show any notifications.
If you moved the application to the Untrusted group or High Restricted group after the application began receiving the audio stream, Kaspersky Endpoint Security allows the application to receive the audio stream and does not show any notifications.
After the settings for the application's access to sound recording devices have been changed (for example, if the application has been blocked from receiving the audio stream), this application must be restarted to stop it from receiving the audio stream.
Control of access to the audio stream from sound recording devices does not depend on an application's webcam access settings.
Kaspersky Endpoint Security protects access to only built-in microphones and external microphones. Other audio streaming devices are not supported.
Kaspersky Endpoint Security cannot guarantee the protection of an audio stream from such devices as DSLR cameras, portable video cameras, and action cameras.
When you run audio and video recording or playback applications for the first time since installation of Kaspersky Endpoint Security, audio and video playback or recording may be interrupted. This is necessary in order to enable the functionality that controls access to sound recording devices by applications. The system service that controls audio hardware will be restarted when Kaspersky Endpoint Security is run for the first time.

Special features of application webcam access protection

Webcam access protection functionality has the following special considerations and limitations:

The application controls video and still images derived from the processing of webcam data.
The application controls the audio stream if it is part of the video stream received from the webcam.
The application controls only webcams connected via USB or IEEE1394 that are displayed as Imaging Devices in the Windows Device Manager.
Kaspersky Endpoint Security supports the following webcams:
- Logitech HD Webcam C270
- Logitech HD Webcam C310
- Logitech Webcam C210
- Logitech Webcam Pro 9000
- Logitech HD Webcam C525
- Microsoft LifeCam VX-1000
- Microsoft LifeCam VX-2000
- Microsoft LifeCam VX-3000
- Microsoft LifeCam VX-800
- Microsoft LifeCam Cinema
Kaspersky cannot guarantee support for webcams that are not specified in this list.

Page top

[Topic 151135]

Remediation Engine

The Remediation Engine lets Kaspersky Endpoint Security roll back actions that have been performed by malware in the operating system.

When rolling back malware activity in the operating system, Kaspersky Endpoint Security handles the following types of malware activity:

File activity
Kaspersky Endpoint Security performs the following actions:
- Deletes executable files that were created by malware (on all media except network drives).
- Deletes executable files that were created by programs that have been infiltrated by malware.
- Restores files that have been modified or deleted by malware.
The file recovery feature has a number of limitations.
Registry activity
Kaspersky Endpoint Security performs the following actions:
- Deletes registry keys that were created by malware.
- Does not restore registry keys that have been modified or deleted by malware.
System activity
Kaspersky Endpoint Security performs the following actions:
- Terminates processes that have been initiated by malware.
- Terminates processes into which a malicious application has penetrated.
- Does not resume processes that have been halted by malware.
Network activity
Kaspersky Endpoint Security performs the following actions:
- Blocks the network activity of malware.
- Blocks the network activity of processes that have been infiltrated by malware.

A rollback of malware actions can be started by the File Threat Protection or Behavior Detection component, or during a virus scan.

Rolling back malware operations affects a strictly defined set of data. Rollback has no adverse effects on the operating system or on the integrity of your computer data.

How to enable or disable the Remediation Engine component in the Administration Console (MMC)

Open the Kaspersky Security Center Administration Console.
In the Managed devices folder in the Administration Console tree, open the folder with the name of the administration group to which the relevant client computers belong.
In the workspace, select the Policies tab.
Select the necessary policy and double-click to open the policy properties.
In the policy window, select Advanced Threat Protection → Remediation Engine.
Use the Remediation Engine check box to enable or disable the component.
Save your changes.

How to enable or disable the Remediation Engine component in the Web Console and Cloud Console

In the main window of Web Console, select Devices → Policies and profiles.
Click the name of the Kaspersky Endpoint Security policy.
The policy properties window opens.
Select the Application settings tab.
Select Advanced Threat Protection → Remediation Engine.
Use the Remediation Engine toggle to enable or disable the component.
Save your changes.

How to enable or disable the Remediation Engine component in the application interface

In the lower part of the main application window, click the button.
In the application settings window, select Protection → Advanced Threat Protection → Remediation Engine.
Use the Remediation Engine toggle to enable or disable the component.
Save your changes.

As a result, if Remediation Engine is enabled, Kaspersky Endpoint Security will roll back the actions taken by malicious applications in the operating system.

Page top

[Topic 177936]

Kaspersky Security Network

To protect your computer more effectively, Kaspersky Endpoint Security uses data that is received from users around the globe. Kaspersky Security Network is designed for obtaining this data.

Kaspersky Security Network (KSN) is an infrastructure of cloud services providing access to the online Kaspersky Knowledge Base that contains information about the reputation of files, web resources, and software. The use of data from Kaspersky Security Network ensures faster responses by Kaspersky Endpoint Security to new threats, improves the performance of some protection components, and reduces the likelihood of false positives. If you are participating in Kaspersky Security Network, KSN services provide Kaspersky Endpoint Security with information about the category and reputation of scanned files, as well as information about the reputation of scanned web addresses.

Use of Kaspersky Security Network is voluntary. The application prompts you to use KSN during initial configuration of the application. Users can begin or discontinue participation in KSN at any time.

For more detailed information about sending Kaspersky statistical information that is generated during participation in KSN, and about the storage and destruction of such information, please refer to the Kaspersky Security Network Statement and the Kaspersky website. The ksn_<language ID>.txt file with the text of the Kaspersky Security Network Statement is included in the application distribution kit.

To reduce the load on KSN servers, Kaspersky experts may release application updates that temporarily disable or partly restrict requests to Kaspersky Security Network. In this case, the status of the connection to KSN in the local interface of the application is Enabled with restrictions.

KSN Infrastructure

Kaspersky Endpoint Security supports the following KSN infrastructural solutions:

Global KSN is the solution that is used by most Kaspersky applications. KSN participants receive information from Kaspersky Security Network and send Kaspersky information about objects detected on the user's computer to be analyzed additionally by Kaspersky analysts and to be included in the reputation and statistical databases of Kaspersky Security Network.
Private KSN is a solution that enables users of computers hosting Kaspersky Endpoint Security or other Kaspersky applications to obtain access to reputation databases of Kaspersky Security Network, and to other statistical data without sending data to KSN from their own computers. Private KSN is designed for corporate customers who are unable to participate in Kaspersky Security Network for any of the following reasons:
- Local workstations are not connected to the Internet.
- Transmission of any data outside the country or outside the corporate LAN is prohibited by law or restricted by corporate security policies.

By default, Kaspersky Security Center uses Global KSN. You can configure the use of Private KSN in the Administration Console (MMC), in the Kaspersky Security Center 12 Web Console, and in the command line. It is not possible to configure the use of Private KSN in the Kaspersky Security Center Cloud Console.

For more details about Private KSN, please refer to the documentation on Kaspersky Private Security Network.

KSN Proxy

User computers managed by Kaspersky Security Center Administration Server can interact with KSN via the KSN Proxy service.

The KSN Proxy service provides the following capabilities:

The user's computer can query KSN and submit information to KSN even without direct access to the Internet.
The KSN Proxy service caches processed data, thereby reducing the load on the external network communication channel and speeding up receipt of the information that is requested by the user's computer.

For more details on the KSN Proxy service, please refer to the Kaspersky Security Center Help Guide.

In this section

Enabling and disabling the usage of Kaspersky Security Network

Limitations of Private KSN

Enabling and disabling cloud mode for protection components

Checking the connection to Kaspersky Security Network

Checking the reputation of a file in Kaspersky Security Network

Page top

[Topic 126799]

Enabling and disabling the usage of Kaspersky Security Network

To enable or disable the usage of Kaspersky Security Network:

In the lower part of the main application window, click the button.
In the application settings window, select Protection → Advanced Threat Protection → Kaspersky Security Network.
Use the Kaspersky Security Network toggle to enable or disable the component.
If you enabled the use of KSN, Kaspersky Endpoint Security will display the Kaspersky Security Network Statement. Please read and accept the terms of the Kaspersky Security Network (KSN) Statement if you agree to them.

By default, Kaspersky Endpoint Security uses the Extended KSN mode. Extended KSN mode is a mode in which Kaspersky Endpoint Security sends additional data to Kaspersky.
If required, flip the Enable Extended KSN mode toggle off.
Save your changes.

As a result, if use of KSN is enabled, Kaspersky Endpoint Security uses information about the reputation of files, web resources, and applications received from Kaspersky Security Network.

Page top

[Topic 203181]

Limitations of Private KSN

Private KSN (hereinafter also referred to as KPSN) lets you use your own local reputation database to check the reputation of objects (files or web addresses). The reputation of an object added to the local reputation database has a higher priority than one added to KSN/KPSN. For example, imagine that Kaspersky Endpoint Security is scanning a computer and requests the reputation of a file in KSN/KPSN. If the file has an "untrusted" reputation in the local reputation database but has a "trusted" reputation in KSN/KPSN, Kaspersky Endpoint Security will detect the file as "untrusted" and will take the action defined for detected threats.

However, in some cases Kaspersky Endpoint Security might not request the reputation of an object in KSN/KPSN. If this is the case, Kaspersky Endpoint Security will not receive data from the local reputation database of KPSN. Kaspersky Endpoint Security might not request the reputation of an object in KSN/KPSN for the following reasons:

Kaspersky applications are using offline reputation databases. Offline reputation databases are designed to optimize resources during operation of Kaspersky applications and to protect critically important objects on the computer. Offline reputation databases are created by Kaspersky experts based on data from Kaspersky Security Network. Kaspersky applications update offline reputation databases with anti-virus databases of the specific application. If offline reputation databases contain information about an object being scanned, the application does not request the reputation of this object from KSN/KPSN.
Scan exclusions (trusted zone) are configured in the application settings. If this is the case, the application does not take into account the reputation of the object in the local reputation database.
The application is using scan optimization technologies, such as iSwift or iChecker, or is caching reputation requests in
KSN/KPSN. If this is the case, the application might not request the reputation of previously scanned objects.
To optimize its workload, the application scans files of a certain format and size. The list of relevant formats and size limits are determined by Kaspersky experts. This list is updated with the application's anti-virus databases. You can also configure scan optimization settings in the application interface, for example, for the File Threat Protection component.

Page top

[Topic 155760]

Enabling and disabling cloud mode for protection components

Cloud mode refers to the application operating mode in which Kaspersky Endpoint Security uses a light version of anti-virus databases. Kaspersky Security Network supports the operation of the application when light anti-virus databases are being used. The light version of anti-virus databases lets you use approximately half of the computer RAM that would otherwise be used with the usual databases. If you do not participate in Kaspersky Security Network or if cloud mode is disabled, Kaspersky Endpoint Security downloads the full version of anti-virus databases from Kaspersky servers.

When using Kaspersky Private Security Network, cloud mode functionality is available starting with Kaspersky Private Security Network version 3.0.

To enable or disable cloud mode for protection components:

In the lower part of the main application window, click the button.
In the application settings window, select Protection → Advanced Threat Protection → Kaspersky Security Network.
Use the Enable cloud mode toggle to enable or disable the component.
Save your changes.

As a result, Kaspersky Endpoint Security downloads a light version or full version of anti-virus databases during the next update.

If the light version of anti-virus databases is not available for use, Kaspersky Endpoint Security automatically switches to the premium version of anti-virus databases.

Page top

[Topic 126800]

Checking the connection to Kaspersky Security Network

Your connection to Kaspersky Security Network may be lost for the following reasons:

You do not participate in Kaspersky Security Network.
Your computer is not connected to the Internet.
Current key status does not allow connecting to Kaspersky Security Network. For example, a connection to KSN may be unavailable due to the following reasons:
- Application is not activated.
- License or subscription has expired.
- License key issues have been identified (for example, the key has been added to the list of prohibited keys).

To check the connection to Kaspersky Security Network:

In the main application window, click More Tools → Kaspersky Security Network.

This opens the Kaspersky Security Network window, which displays information about Kaspersky Security Network activity. The application receives KSN usage statistics when the Kaspersky Security Network window is opened. The global statistics of the Kaspersky Security Network cloud service infrastructure and the synchronization time are not refreshed in real time.

The left part of the Kaspersky Security Network window displays one of the following statuses for the connection between the computer and Kaspersky Security Network:

Enabled.
This status means that Kaspersky Security Network is being used in Kaspersky Endpoint Security operations and KSN servers are available.
Enabled. Available with restrictions.
This status means that Kaspersky Security Network is being used in Kaspersky Endpoint Security operations and KSN servers are unavailable.

KSN servers may be unavailable due to the following reasons:
- The KSN Proxy service (ksnproxy) is running on the computer.
- Firewall blocks port 13111.
If the time that has elapsed since the last synchronization with KSN servers exceeds 15 minutes or shows the Unknown status, the status of the Kaspersky Endpoint Security connection to Kaspersky Security Network takes the Enabled value. Not available.
Off.
This status means that Kaspersky Security Network is not being used in Kaspersky Endpoint Security operations.

If the connection with Kaspersky Security Network servers cannot be restored, it is recommended to contact Technical Support or your service provider.

Page top

[Topic 128451]

Checking the reputation of a file in Kaspersky Security Network

If you are doubtful of the security of a file, you can check its reputation in Kaspersky Security Network.

You can check the reputation of a file if you have accepted the terms of the Kaspersky Security Network Statement.

To check the reputation of a file in Kaspersky Security Network:

Open the file context menu and select the Check reputation in KSN option (see the figure below).

File context menu

Kaspersky Endpoint Security displays the file reputation:

Trusted. Most users of Kaspersky Security Network have confirmed that the file is trusted.

Legitimate software that could be exploited to harm your computer or personal data. Although they do not have any malicious functions, such applications can be exploited by intruders. For details on legitimate software that could be used by criminals to harm the computer or personal data of a user, please visit the website of the Kaspersky IT Encyclopedia. You can add these applications to the trusted list.

Untrusted. A virus or other application that poses a threat.

Unknown. Kaspersky Security Network does not have any information about the file. You can scan a file using anti-virus databases (the Scan for viruses option in the context menu).

Kaspersky Endpoint Security displays the KSN solution that was used to determine the reputation of the file: Global KSN or Private KSN.

Kaspersky Endpoint Security also displays additional information about the file (see the figure below).

Reputation of a file in Kaspersky Security Network

Page top

[Topic 175451]

Encrypted connections scan

After installation, Kaspersky Endpoint Security adds a Kaspersky certificate to the system storage for trusted certificates (Windows certificate store). Kaspersky Endpoint Security also includes the use of system storage of trusted certificates in Firefox and Thunderbird to scan the traffic of these applications.

The Web Control, Mail Threat Protection, Web Threat Protection components can decrypt and scan network traffic transmitted over encrypted connections using the following protocols:

SSL 3.0.
TLS 1.0, TLS 1.1, TLS 1.2, TLS 1.3.

In this section

Configuring the encrypted connections scan settings

Scanning encrypted connections in Firefox and Thunderbird

Excluding encrypted connections from scanning

Page top

[Topic 175124]

Configuring the encrypted connections scan settings

To configure the encrypted connections scan settings:

In the lower part of the main application window, click the button.
In the application settings window, select Network settings.
In the Encrypted connections scan section, select the encrypted connection scanning mode:
- Do not scan encrypted connections Kaspersky Endpoint Security will not have access to the contents of websites whose addresses begin with https://.
- Scan encrypted connections upon request from protection components. Kaspersky Endpoint Security will scan encrypted traffic only when requested by the File Threat Protection, Mail Threat Protection, and Web Control components.
- Always scan encrypted connections Kaspersky Endpoint Security will scan encrypted network traffic even if protection components are disabled.
Kaspersky Endpoint Security does not scan encrypted connections that were established by trusted applications for which traffic scanning is disabled. Kaspersky Endpoint Security does not scan encrypted connections from the predefined list of trusted websites. The predefined list of trusted websites is created by Kaspersky experts. This list is updated with the application's anti-virus databases. You can view the predefined list of trusted websites only in the Kaspersky Endpoint Security interface. You cannot view the list in the Kaspersky Security Center Console.
If necessary, add scan exclusions: trusted addresses and applications.
Click the Advanced settings button.
Configure the settings for scanning encrypted connections (see the table below).

Save your changes.

Encrypted connections scan settings

Parameter	Description
When visiting a domain with an untrusted certificate	Allow. If this option is selected, when visiting a domain with an untrusted certificate, Kaspersky Endpoint Security allows the network connection. When opening a domain with an untrusted certificate in a browser, Kaspersky Endpoint Security displays an HTML page showing a warning and the reason why visiting that domain is not recommended. A user can click the link from the HTML warning page to obtain access to the requested web resource. After following this link, during the next hour Kaspersky Endpoint Security will not display warnings about an untrusted certificate when visiting other resources on this same domain. Block connection. If this option is selected, when visiting a domain with an untrusted certificate, Kaspersky Endpoint Security blocks the network connection. When opening a domain with an untrusted certificate in a browser, Kaspersky Endpoint Security displays an HTML page showing the reason why that domain is blocked.
When encrypted connection scan errors occur	Block connection. If this item is selected, when an encrypted connection scan error occurs, Kaspersky Endpoint Security blocks the network connection. Add domain to exclusions. If this item is selected, when an encrypted connection scan error occurs, Kaspersky Endpoint Security adds the domain that resulted in the error to the list of domains with scan errors and does not monitor encrypted network traffic when this domain is visited. You can view a list of domains with encrypted connections scan errors only in the local interface of the application. To clear the list contents, you need to select Block connection.
Block SSL 2.0 connections	If the check box is selected, Kaspersky Endpoint Security blocks network connections established over the SSL 2.0 protocol. If the check box is cleared, Kaspersky Endpoint Security does not block network connections established over the SSL 2.0 protocol and does not monitor network traffic transmitted over these connections.
Decrypt encrypted connections with websites that use EV certificates	EV certificates (Extended Validation Certificates) confirm the authenticity of websites and enhance the security of the connection. Browsers use a lock icon in their address bar to indicate that a website has an EV certificate. Browsers may also fully or partially color the address bar in green. If the check box is selected, Kaspersky Endpoint Security decrypts and monitors encrypted connections with websites that use an EV certificate. If the check box is cleared, Kaspersky Endpoint Security does not have access to the contents of HTTPS traffic. For this reason, the application monitors HTTPS traffic only based on the website address, for example, `https://facebook.com`. If you are opening a website with an EV certificate for the first time, the encrypted connection will be decrypted regardless of whether or not the check box is selected.

Page top

[Topic 202714]

Scanning encrypted connections in Firefox and Thunderbird

After installation, Kaspersky Endpoint Security adds a Kaspersky certificate to the system storage for trusted certificates (Windows certificate store). By default, Firefox and Thunderbird use their own proprietary Mozilla certificate store instead of the Windows certificate store. If Kaspersky Security Center is deployed in your organization and a policy is being applied to a computer, Kaspersky Endpoint Security automatically enables use of the Windows certificate store in Firefox and Thunderbird to scan the traffic of these applications. If a policy is not being applied to the computer, you can choose the certificate storage that will be used by Mozilla applications. If you selected the Mozilla certificate store, manually add a Kaspersky certificate to it. This will help avoid errors when working with HTTPS traffic.

To scan traffic in the Mozilla Firefox browser and the Thunderbird mail client, you must enable the Encrypted Connections Scan. If Encrypted Connections Scan is disabled, Kaspersky Endpoint Security does not scan traffic in the Mozilla Firefox browser and Thunderbird mail client.

Prior to adding a certificate to the Mozilla store, export the Kaspersky certificate from the Windows Control Panel (browser properties). For details about exporting the Kaspersky certificate, please refer to the Technical Support Knowledge Base. For details about adding a certificate to storage, visit the Mozilla technical support website.

You can choose the certificate store only in the local interface of the application.

To choose a certificate store for scanning encrypted connections in Firefox and Thunderbird:

In the lower part of the main application window, click the button.
In the application settings window, select Network settings.
In the Mozilla Firefox and Thunderbird block, select the Scan secure traffic in Mozilla applications check box.
Select a certificate store:
- Use Windows certificate store. The Kaspersky root certificate is added to this store during installation of Kaspersky Endpoint Security.
- Use Mozilla certificate store. Mozilla Firefox and Thunderbird use their own certificate stores. If the Mozilla certificate store is selected, you need to manually add the Kaspersky root certificate to this store through the browser properties.
Save your changes.

Page top

[Topic 175151]

Excluding encrypted connections from scanning

Most web resources use encrypted connections. Kaspersky experts recommend that you enable Encrypted connections scan. Is scanning encrypted connections interferes with work-related activity, you can add a website to exclusions referred to as trusted addresses. If a trusted application uses an encrypted connection, you can disable encrypted connections scan for this application. For example, you can disable encrypted connections scan for cloud storage applications that use two-factor authentication with their own certificate.

To exclude a web address from encrypted connection scans:

In the lower part of the main application window, click the button.
In the application settings window, select Network settings.
In the Encrypted connections scan section, click the Trusted addresses button.
Click the Add button.
Enter a domain name or an IP address if you do not want Kaspersky Endpoint Security to scan encrypted connections established when visiting that domain.

Kaspersky Endpoint Security supports the * character when entering a domain name mask.

Kaspersky Endpoint Security does not support masks for IP addresses.

Examples:

domain.com – this entry includes the following addresses: https://domain.com, https://www.domain.com, https://domain.com/page123. This entry excludes subdomains (for example, subdomain.domain.com).
subdomain.domain.com – this entry includes the following addresses: https://subdomain.domain.com, https://subdomain.domain.com/page123. The entry excludes the domain domain.com.
*.domain.com – this entry includes the following addresses: https://movies.domain.com, https://images.domain.com/page123. The entry excludes the domain domain.com.

Save your changes.

By default, Kaspersky Endpoint Security does not scan encrypted connections when errors occur and adds the website to a special list of Domains with scan errors. Kaspersky Endpoint Security compiles a separate list for each user and does not send data to Kaspersky Security Center. You can enable blocking the connection when a scan error occurs. You can view a list of domains with encrypted connections scan errors only in the local interface of the application.

Save your changes.

To view the list of domains with scan errors:

In the lower part of the main application window, click the button.
In the application settings window, select Network settings.
In the Encrypted connections scan section, click the Domains with scan errors button.

A list of domains with scan errors opens. To reset the list, enable blocking connection when scan errors occur in the policy, apply the policy, then reset the parameter to its initial value and apply the policy again.

Kaspersky specialists make a list of global exceptions — trusted websites that Kaspersky Endpoint Security does not check regardless of the application settings.

To view the global exclusions from encrypted traffic scans:

In the lower part of the main application window, click the button.
In the application settings window, select Network settings.
In the Encrypted connections scan section, click the websites link.

This opens a list of websites compiled by Kaspersky experts. Kaspersky Endpoint Security does not scan protected connections for websites on the list. The list may be updated when Kaspersky Endpoint Security databases and modules are updated.

Page top

[Topic 196711]

Computer control

In this Help section

Enabling and disabling Web Control

Network ports monitoring

Page top

[Topic 128048]

Web Control

Web Control manages users' access to web resources. This helps reduce traffic and inappropriate use of work time. When a user tries to open a website that is restricted by Web Control, Kaspersky Endpoint Security will block access or show a warning (see the figure below).

Kaspersky Endpoint Security monitors only HTTP- and HTTPS traffic.

For HTTPS traffic monitoring, you need to enable encrypted connections scan.

Methods for managing access to websites

Web Control lets you configure access to websites by using the following methods:

Website category. Websites are categorized according to the Kaspersky Security Network cloud service, heuristic analysis, and the database of known websites (included in application databases). For example, you can restrict user access to the "Social networks" category or to other categories.
Data type. You can restrict users' access to data on a website, and hide graphic images, for example. Kaspersky Endpoint Security determines the data type based on the file format and not based on its extension.
Kaspersky Endpoint Security does not scan files within archives. For example, if image files were placed in an archive, Kaspersky Endpoint Security identifies the "Archives" data type and not "Graphic files".
Individual address. You can enter a web address or use masks.

You can simultaneously use multiple methods for regulating access to websites. For example, you can restrict access to the "Office files" data type just for the "Web-based mail" website category.

Website access rules

Web Control manages users' access to websites by using access rules. You can configure the following advanced settings for a website access rule:

Users to which the rule applies.
For example, you can restrict Internet access through a browser for all users of the company except the IT department.
Rule schedule.
For example, you can restrict Internet access through a browser during working hours only.

Access rule priorities

Each rule has a priority. The higher a rule is on the list, the higher its priority. If a website has been added to multiple rules, Web Control regulates access to the website based on the rule with the highest priority. For example, Kaspersky Endpoint Security may identify a corporate portal as a social network. To restrict access to social networks and provide access to the corporate web portal, create two rules: one block rule for the "Social networks" website category and one allow rule for the corporate web portal. The access rule for the corporate web portal must have a higher priority than the access rule for social networks.

Web Control messages

In this section

Actions with web resource access rules

Exporting and importing the list of web resource addresses

Monitoring user Internet activity

Editing templates of Web Control messages

Editing masks for web resource addresses

Migrating web resource access rules from previous versions of the application

Page top

[Topic 128051]

Enabling and disabling Web Control

By default, Web Control is enabled.

To enable or disable Web Control:

In the lower part of the main application window, click the button.
In the application settings window, select Protection → Security Controls → Web Control.
Use the Web Control toggle to enable or disable the component.
Save your changes.

Page top

[Topic 124709]

Actions with web resource access rules

It is not recommended to create more than 1000 rules of access to web resources, as this can cause the system to become unstable.

A web resource access rule is a set of filters and actions that Kaspersky Endpoint Security performs when the user visits web resources that are described in the rule during the time span that is indicated in the rule schedule. Filters allow you to precisely specify a pool of web resources to which access is controlled by the Web Control component.

The following filters are available:

Filter by content. Web Control categorizes web resources by content and data type. You can control user access to web resources with content and data falling into the types defined by these categories. When the users visit web resources that belong to the selected content category and / or data type category, Kaspersky Endpoint Security performs the action that is specified in the rule.
Filter by web resource addresses. You can control user access to all web resource addresses or to individual web resource addresses and / or groups of web resource addresses.
If filtering by content and filtering by web resource addresses are specified, and the specified web resource addresses and / or groups of web resource addresses belong to the selected content categories or data type categories, Kaspersky Endpoint Security does not control access to all web resources in the selected content categories and / or data type categories. Instead, the application controls access only to the specified web resource addresses and / or groups of web resource addresses.
Filter by names of users and user groups. You can specify the names of users and / or groups of users for which access to web resources is controlled according to the rule.
Rule schedule. You can specify the rule schedule. The rule schedule determines the time span during which Kaspersky Endpoint Security monitors access to web resources covered by the rule.

After Kaspersky Endpoint Security is installed, the list of rules of the Web Control component is not blank. Two rules are preset:

Scripts and Stylesheets rule, which grants all users access at all times to web resources whose addresses contain the names of files with the CSS, JS, or VBS extensions. For example: http://www.example.com/style.css, http://www.example.com/style.css?mode=normal.
Default rule. This rule is applied to any web resources that are not covered by other rules, and allows or blocks access to these web resources for all users.

In this section

Adding a web resource access rule

Assigning priorities to web resource access rules

Enabling and disabling a web resource access rule

Exporting and importing the list of trusted web addresses

Testing web resource access rules

Page top

[Topic 123289]

Adding a web resource access rule

To add or edit a web resource access rule:

In the lower part of the main application window, click the button.
In the application settings window, select Protection → Security Controls → Web Control.
In the Settings block, click the Rules of access to web resources button.
In the window, click the Add button.
The Rule of access to web resources window opens.
In the Rule name field, enter the name of the rule.
Select the Active status for the web resource access rule.
You can use the toggle to disable the web resource access rule at any time.
In the Action block, select the relevant option:
- Allow. If this value is selected, Kaspersky Endpoint Security allows access to web resources that match the parameters of the rule.
- Block. If this value is selected, Kaspersky Endpoint Security blocks access to web resources that match the parameters of the rule.
- Warn. If this value is selected, Kaspersky Endpoint Security displays a warning that a web resource is unwanted when the user attempts to access web resources that match the rule. By using links from the warning message, the user can obtain access to the requested web resource.
In the Filter type block, select the relevant content filter:
- By content categories. You can control user access to web resources by category (for example, the Social networks category).
- By types of data. You can control user access to web resources based on the specific data type of its published data (for example, Graphic images).
To configure the content filter:
1. Click the Configure link.
2. Select the check boxes next to the names of the required categories of content and/or data types.
  Selecting the check box next to the name of a content category and/or data type means that Kaspersky Endpoint Security applies the rule to control access to web resources that belong to the selected categories of content and/or data types.
3. Return to the window for configuring the web resource access rule.
In the Addresses block, select the relevant web resource address filter:
- To all addresses. Web Control will not filter web resources by address.
- To individual addresses. Web Control will filter only web resource addresses from the list. To create a list of web resource addresses:
  1. Click the Add address or Add a group of addresses button.
  2. In the opened window, create a list of web resource addresses. You can enter a web address or use masks. You can also export a list of web resource addresses from a TXT file.
  3. Return to the window for configuring the web resource access rule.
  If Encrypted Connections Scan is disabled, for the HTTPS protocol you can only filter by the server name.
In the Users block, select the relevant filter for users:
- To all users. Web Control will not filter web resources for specific users.
- To individual users and/or groups. Web Control will filter web resources only for specific users. To create a list of users to whom you want to apply the rule:
  1. Click the Add button.
  2. In the opened window, select the users or group of users to whom you want to apply the web resource access rule.
  3. Return to the window for configuring the web resource access rule.
In the Rule schedule drop-down list, select the name of the necessary schedule or generate a new schedule based on the selected rule schedule. To do so:
1. Click the Schedule management button.
2. In the window, click the Add button.
3. In the opened window, enter the rule schedule name.
4. Configure the web resource access schedule for users.
5. Return to the window for configuring the web resource access rule.
Save your changes.

Page top

[Topic 128052]

Assigning priorities to web resource access rules

You can assign priorities to each rule from the list of rules, by arranging the rules in a certain order.

To assign a priority to a web resource access rule:

In the lower part of the main application window, click the button.
In the application settings window, select Protection → Security Controls → Web Control.
In the Settings block, click the Rules of access to web resources button.
In the opened window, select the rule whose priority you want to change.
Use the Up and Down buttons to move the rule to the relevant position in the list of web resource access rules.
Save your changes.

Page top

[Topic 128053]

Enabling and disabling a web resource access rule

To enable or disable a web resource access rule:

In the lower part of the main application window, click the button.
In the application settings window, select Protection → Security Controls → Web Control.
In the Settings block, click the Rules of access to web resources button.
In opened window, select the rule that you want to enable or disable.
In the State column, do the following:
- If you want to enable the use of the rule, select the Active value.
- If you want to disable the use of the rule, select the Inactive value.
Save your changes.

Page top

[Topic 202285]

Exporting and importing the list of trusted web addresses

You can export the list of Web Policy Management rules to an XML file. Then you can modify the file to, for example, add a large number of addresses of the same type. You can use the export/import function to back up the list of Web Policy Management rules or to migrate the list to a different server.

How to export and import a list of Web Policy Management rules in the Administration Console (MMC)

Open the Kaspersky Security Center Administration Console.
In the Managed devices folder in the Administration Console tree, open the folder with the name of the administration group to which the relevant client computers belong.
In the workspace, select the Policies tab.
Select the necessary policy and double-click to open the policy properties.
In the policy window, select Security Controls → Web Policy Management.
To export the list of Web Policy Management rules:
1. Select the rules that you want to export. To select multiple ports, use the CTRL or SHIFT keys.
  If you did not select any rule, Kaspersky Endpoint Security will export all rules.
2. Click the Export link.
3. In the window that opens, specify the name of the XML file to which you want to export the list of rules, and select the folder in which you want to save this file.
4. Click the Save button.
  Kaspersky Endpoint Security exports the list of rules to the XML file.
To import the list of Web Policy Management rules:
1. Click the Import link.
  In the window that opens, select the XML file from which you want to import the list of rules.
2. Click the Open button.
  If the computer already has a list of rules, Kaspersky Endpoint Security will prompt you to delete the existing list or add new entries to it from the XML file.
Save your changes.

How to export and import a list of Web Policy Management rules in the Web Console and Cloud Console

In the main window of Web Console, select Devices → Policies and profiles.
Click the name of the Kaspersky Endpoint Security policy for computers on which you want to export or import the list of rules.
The policy properties window opens.
Select the Application settings tab.
Go to Security Controls → Web Policy Management.
To export the list of rules, in the Rule List block:
1. Select the rules that you want to export.
2. Click the Export button.
3. Confirm that you want to export only the selected rules, or export the entire list.
4. Click the Export button.
  Kaspersky Endpoint Security exports the list of rules to an XML file in the default downloads folder.
To import the list of rules, in the Rule List block:
1. Click the Import link.
  In the window that opens, select the XML file from which you want to import the list of rules.
2. Click the Open button.
  If the computer already has a list of rules, Kaspersky Endpoint Security will prompt you to delete the existing list or add new entries to it from the XML file.
Save your changes.

Page top

[Topic 123290]

Testing web resource access rules

To check the consistency of Web Control rules, you can test them. For this purpose, the Web Control component includes a Rules Diagnostics function.

To test the web resource access rules:

In the lower part of the main application window, click the button.
In the application settings window, select Protection → Security Controls → Web Control.
In the Settings block, click the Rules diagnostics link.
The Rules diagnostics window opens.
If you want to test the rules that Kaspersky Endpoint Security uses to control access to a specific web resource, select the Specify address check box Enter the address of the web resource in the field below.
If you want to test the rules that Kaspersky Endpoint Security uses to control access to web resources for specified users and / or groups of users, specify a list of users and / or groups of users.
If you want to test the rules that Kaspersky Endpoint Security uses to control access to web resources of specified content categories and/or data type categories, select the Filter content check box and choose the relevant option from the drop-down list (By content categories, By types of data, or By content categories and types of data).
If you want to test the rules with account of the time and day of the week when an attempt is made to access the web resources that are specified in the rule diagnostics conditions, select the Include time of access attempt check box. Then specify the day of the week and the time.
Click the Test button.

Test completion is followed by a message with information about the action that is taken by Kaspersky Endpoint Security, according to the first rule that is triggered on the attempt to access the specified web resource (allow, block, or warn). The first rule to be triggered is the one with a rank on the list of Web Control rules which is higher than that of other rules meeting the diagnostics conditions. The message is displayed on the right of the Test button. The following table lists the remaining triggered rules, specifying the action taken by Kaspersky Endpoint Security. The rules are listed in the order of declining priority.

Page top

[Topic 128055]

Exporting and importing the list of web resource addresses

If you have created a list of web resource addresses in a web resource access rule, you can export it to a .txt file. You can subsequently import the list from this file to avoid creating a new list of web resource addresses manually when configuring an access rule. The option of exporting and importing the list of web resource addresses may be useful if, for example, you create access rules with similar parameters.

To import or export a list of web resource addresses to a file:

In the lower part of the main application window, click the button.
In the application settings window, select Protection → Security Controls → Web Control.
In the Settings block, click the Rules of access to web resources button.
Select the rule whose list of web resource addresses you want to export or import.
To export the list of trusted web addresses, do the following in the Addresses block:
1. Select the addresses that you want to export.
  If you did not select any address, Kaspersky Endpoint Security will export all addresses.
2. Click the Export button.
3. In the opened window, enter the name of the TXT file to which you want to export the list of web resource addresses, and select the folder in which you want to save this file.
4. Click the Save button.
  Kaspersky Endpoint Security exports the list of web resource addresses to a TXT file.
To import the list of web resources, do the following in the Addresses block:
1. Click the Import button.
  In the window that opens, select the TXT file from which you want to import the list of web resources.
2. Click the Open button.
  If the computer already has a list of addresses, Kaspersky Endpoint Security will prompt you to delete the existing list or add new entries to it from the TXT file.
Save your changes.

Page top

[Topic 187604]

Monitoring user Internet activity

Kaspersky Endpoint Security lets you log data on user visits to all websites, including allowed websites. This enables you to obtain the complete history of browser views. Kaspersky Endpoint Security sends user activity events to Kaspersky Security Center, to the local log of Kaspersky Endpoint Security, and to the Windows Event log. To receive events in Kaspersky Security Center, you need to configure the settings of events in a policy in the Administration Console or Web Console. You can also configure the transmission of Web Control events by email and the display of on-screen notifications on the user's computer.

Kaspersky Endpoint Security creates the following user Internet activity events:

Block the website (Critical events status ).
Visit to a non-recommended website (Warnings status ).
Visit to an allowed website (Informational messages status ).

Prior to enabling user Internet activity monitoring, you must do the following:

Inject a web page interaction script into web traffic (see the instructions below). The script enables registration of Web Control events.
For HTTPS traffic monitoring, you need to enable encrypted connections scan.

To inject a web page interaction script into web traffic:

In the lower part of the main application window, click the button.
In the application settings window, select Network settings.
In the Traffic processing block, select the Inject interaction script in traffic check box.
Save your changes.

As a result, Kaspersky Endpoint Security will inject a web page interaction script into web traffic. This script enables registration of Web Control events for the application event log, OS event log, and reports.

To configure logging of Web Control events on the user's computer:

In the lower part of the main application window, click the button.
In the application settings window, select the Interface section.
In the Notifications block, click the Notification rules button.
In the opened window, select the Web Control section.
This opens the table of Web Control events and notification methods.
Configure the notification method for each event: Save in local report or Save in Windows Event Log.
To log allowed website visit events, you need to also configure Web Control (see the instructions below).

In the events table, you can also enable an on-screen notification and an email notification. To send notifications by email, you need to configure the SMTP server settings. For more details about sending notifications by email, please refer to Kaspersky Security Center Help.
Save your changes.

As a result, Kaspersky Endpoint Security begins logging user Internet activity events.

Web Control sends user activity events to Kaspersky Security Center as follows:

If you are using Kaspersky Security Center, Web Control sends events for all the objects that make up the web page. For this reason, multiple events may be created when one web page is blocked. For example, when blocking the web page http://www.example.com, Kaspersky Endpoint Security may relay events for the following objects: http://www.example.com, http://www.example.com/icon.ico, http://www.example.com/file.js, etc.
If you are using the Kaspersky Security Center Cloud Console, Web Control groups events and sends only the protocol and domain of the website. For instance, if a user visits non-recommended web pages http://www.example.com/main, http://www.example.com/contact, and http://www.example.com/gallery, Kaspersky Endpoint Security will send only one event with the http://www.example.com object.

To enable logging of events for visiting allowed websites:

In the lower part of the main application window, click the button.
In the application settings window, select Protection → Security Controls → Web Control.
In the Additional block, click the Advanced settings button.
In the opened window, select the Log the opening of allowed pages check box.
Save your changes.

As a result, you will be able to view the full browser history.

Page top

[Topic 128057]

Editing templates of Web Control messages

Depending on the type of action that is specified in the properties of Web Control rules, Kaspersky Endpoint Security displays a message of one of the following types when users attempt to access Internet resources (the application substitutes an HTML page with a message for the HTTP server response):

Warning message. This message warns the user that visiting the web resource is not recommended and/or violates the corporate security policy. Kaspersky Endpoint Security displays a warning message if the Warn option is selected from the Action drop-down list in the settings of the rule that describes this web resource.
If the user believes that the warning is mistaken, the user may click the link from the warning to send a pre-generated message to the local corporate network administrator.
Message informing of blocking of a web resource. Kaspersky Endpoint Security displays a message informing that a web resource is blocked if the Block option is selected from the Action drop-down list in the settings of the rule that describes this web resource.
If the user believes that the web resource is blocked by mistake, the user may click the link in the web resource block notification message to send a pre-generated message to the local corporate network administrator.

Special templates are provided for the warning message, the message informing that a web resource is blocked, and the message sent to the LAN administrator. You can modify their content.

To change the template for Web Control messages:

In the lower part of the main application window, click the button.
In the application settings window, select Protection → Security Controls → Web Control.
In the Templates block, configure the templates for Web Control messages:
- Warnings. The entry field consists of a template of the message that is displayed if a rule for warning about attempts to access an unwanted web resource is triggered.
- Blockage. The entry field contains the template of the message that appears if a rule which blocks access to a web resource is triggered.
- Message to administrator. The entry field contains the template of the message to be sent to the LAN administrator if the user considers the block to be a mistake.
Save your changes.

Editing templates of encrypted file access messages

Page top

[Topic 128056]

Editing masks for web resource addresses

Using a web resource address mask (also referred to as "address mask") may be useful if you need to enter numerous similar web resource addresses when creating a web resource access rule. If crafted well, one address mask can replace a large number of web resource addresses.

When creating an address mask, follow these rules:

The * character replaces any sequence that contains zero or more characters.
For example, if you enter the *abc* address mask, the access rule is applied to all web resources that contain the sequence abc. Example: http://www.example.com/page_0-9abcdef.html.
A sequence of *. characters (known as a domain mask) lets you select all domains of an address. The *. domain mask represents any domain name, subdomain name, or a blank line.
Example: the *.example.com mask represents the following addresses:
- http://pictures.example.com. The domain mask *. represents pictures.
- http://user.pictures.example.com. The domain mask *. represents pictures. and user.
- http://example.com. The domain mask *. is interpreted as a blank line.
The www. character sequence at the start of the address mask is interpreted as a *. sequence.
Example: the address mask www.example.com is interpreted as *.example.com. This mask covers the addresses www2.example.com and www.pictures.example.com.
If an address mask does not start with the * character, the content of the address mask is equivalent to the same content with the *. prefix.
If an address mask ends with a character other than / or *, the content of the address mask is equivalent to the same content with the /* postfix.
Example: the address mask http://www.example.com covers such addresses as http://www.example.com/abc, where a, b, and c are any characters.
If an address mask ends with the / character, the content of the address mask is equivalent to the same content with the /*. postfix.
The character sequence /* at the end of an address mask is interpreted as /* or an empty string.
Web resource addresses are verified against an address mask, taking into account the protocol (http or https):
- If the address mask contains no network protocol, this address mask covers addresses with any network protocol.
  Example: the address mask example.com covers the addresses http://example.com and https://example.com.
- If the address mask contains a network protocol, this address mask only covers addresses with the same network protocol as that of the address mask.
  Example: the address mask http://*.example.com covers the address http://www.example.com but does not cover https://www.example.com.
An address mask that is in double quotes is treated without considering any additional replacements, except the * character if it has been initially included in the address mask. Rules 5 and 7 do not apply to address masks enclosed in double quotation marks (see examples 14 – 18 in the table below).

The user name and password, connection port, and character case are not taken into account during comparison with the address mask of a web resource.

Examples of how to use rules for creating address masks

No.	Address mask	Address of web resource to verify	Is the address covered by the address mask	Comment
1	*.example.com	http://www.123example.com	No	See rule 1.
2	*.example.com	http://www.123.example.com	Yes	See rule 2.
3	*example.com	http://www.123example.com	Yes	See rule 1.
4	*example.com	http://www.123.example.com	Yes	See rule 1.
5	http://www.*.example.com	http://www.123example.com	No	See rule 1.
6	www.example.com	http://www.example.com	Yes	See rules 3, 2, 1.
7	www.example.com	https://www.example.com	Yes	See rules 3, 2, 1.
8	http://www.*.example.com	http://123.example.com	Yes	See rules 3, 4, 1.
9	www.example.com	http://www.example.com/abc	Yes	See rules 3, 5, 1.
10	example.com	http://www.example.com	Yes	See rules 3, 1.
11	http://example.com/	http://example.com/abc	Yes	See rule 6.
12	http://example.com/*	http://example.com	Yes	See rule 7.
13	http://example.com	https://example.com	No	See rule 8.
14	"example.com"	http://www.example.com	No	See rule 9.
15	"http://www.example.com"	http://www.example.com/abc	No	See rule 9.
16	"*.example.com"	http://www.example.com	Yes	See rules 1, 9.
17	"http://www.example.com/*"	http://www.example.com/abc	Yes	See rules 1, 9.
18	"www.example.com"	http://www.example.com; https://www.example.com	Yes	See rules 9, 8.
19	www.example.com/abc/123	http://www.example.com/abc	No	An address mask contains more information than the address of a web resource.

Page top

[Topic 134448]

Migrating web resource access rules from previous versions of the application

When Kaspersky Endpoint Security 10 Service Pack 2 for Windows or an earlier version of the application is upgraded to Kaspersky Endpoint Security for Windows 11.6.0, the web resource access rules based on web resource content categories are migrated as follows:

Rules of access to web resources that are based on one or several web resource content categories from the "Chats and forums", "Web-based mail", and "Social networks" lists migrate to the "Internet communication" web resource content category.
Rules of access to web resources based on one or several web resource content categories from the "E-stores" and "Payment systems" lists migrate to the "Online stores, banks, payment systems" web resource content category.
Rules of access to web resources based on the "Gambling" web resource content category migrate to the "Gambling, lotteries, sweepstakes" content category.
Rules of access to web resources based on the "Browser games" web resource content category migrate to the "Computer games" content category.
Rules of access to web resources based on web resource content categories that are not enumerated in the list above are migrated without changes.

Page top

[Topic 34890]

Device Control

Device Control manages user access to devices that are installed on or connected to the computer (for example, hard drives, cameras, or Wi-Fi modules). This lets you protect the computer from infection when such devices are connected, and prevent loss or leaks of data.

Device access levels

Device Control controls access at the following levels:

Device type. For example, printers, removable drives, and CD/DVD drives.
You can configure device access as follows:
- Allow – .
- Block – .
- Depends on connection bus (except for Wi-Fi) – .
- Block with exceptions (Wi-Fi only) – .
Connection bus. A connection bus is an interface used for connecting devices to the computer (for example, USB or FireWire). Therefore, you can restrict the connection of all devices, for example, over USB.
You can configure device access as follows:
- Allow – .
- Block – .
Trusted devices. Trusted devices are devices to which users that are specified in the trusted device settings have full access at all times.
You can add trusted devices based on the following data:
- Devices by ID. Each device has a unique identifier (Hardware ID, or HWID). You can view the ID in the device properties by using operating system tools. Example device ID: SCSI\CDROM&VEN_NECVMWAR&PROD_VMWARE_SATA_CD00\5&354AE4D7&0&000000. Adding devices by ID is convenient if you want to add several specific devices.
- Devices by model. Each device has a vendor ID (VID) and a product ID (PID). You can view the IDs in the device properties by using operating system tools. Template for entering the VID and PID: VID_1234&PID_5678. Adding devices by model is convenient if you use devices of a certain model in your organization. This way, you can add all devices of this model.
- Devices by ID mask. If you are using multiple devices with similar IDs, you can add devices to the trusted list by using masks. The * character replaces any set of characters. Kaspersky Endpoint Security does not support the ? character when entering a mask. For example, WDC_C*.
- Devices by model mask. If you are using multiple devices with similar VIDs or PIDs (for example, devices from the same manufacturer), you can add devices to the trusted list by using masks. The * character replaces any set of characters. Kaspersky Endpoint Security does not support the ? character when entering a mask. For example, VID_05AC & PID_ *.

Device Control regulates user access to devices by using access rules. Device Control also lets you save device connection/disconnection events. To save events, you need to configure the registration of events in a policy.

If access to a device depends on the connection bus (the status), Kaspersky Endpoint Security does not save device connection/disconnection events. To enable Kaspersky Endpoint Security to save device connection/disconnection events, allow access to the corresponding type of device (the status) or add the device to the trusted list.

When a device that is blocked by Device Control is connected to the computer, Kaspersky Endpoint Security will block access and show a notification (see the figure below).

Device Control notification

Device Control operating algorithm

Kaspersky Endpoint Security makes a decision on whether to allow access to a device after the user connects the device to the computer (see the figure below).

Device Control operating algorithm

If a device is connected and access is allowed, you can edit the access rule and block access. In this case, the next time someone attempts to access the device (such as to view the folder tree, or perform read or write operations), Kaspersky Endpoint Security blocks access. A device without a file system is blocked only the next time that the device is connected.

If a user of the computer with Kaspersky Endpoint Security installed must request access to a device that the user believes was blocked by mistake, send the user the request access instructions.

In this section

Enabling and disabling Device Control

About access rules

Editing a device access rule

Editing a connection bus access rule

Adding a Wi-Fi network to the trusted list

Monitoring usage of removable drives

Changing the caching duration

Actions with trusted devices

Obtaining access to a blocked device

Adding a device to the Trusted list from the application interface

Anti-Bridging

Page top

[Topic 128043]

Enabling and disabling Device Control

By default, Device Control is enabled.

To enable or disable Device Control:

In the lower part of the main application window, click the button.
In the application settings window, select Protection → Security Controls → Device Control.
Use the Device Control toggle to enable or disable the component.
Save your changes.

As a result, if Device Control is enabled, the application relays information about connected devices to Kaspersky Security Center. You can view the list of connected devices in Kaspersky Security Center in the Hardware folder.

Page top

[Topic 38436]

About access rules

Access rules comprise a group of settings that determine which users can access devices that are installed or connected to the computer. You cannot add a device that is outside of Device Control classification. Access to such devices is allowed for all users.

Device Access Rules

The group of settings for an access rule differs depending on the type of device (see the table below).

Access rule settings

Devices	Schedule for access to a device	Assignment of users and/or a group of users	Priority	Read/write permission
Hard drives
Removable drives
Printers	–	–	–	–
Floppy disks
CD/DVD drives
Modems	–	–	–	–
Tape devices	–	–	–	–
Multifunctional devices	–	–	–	–
Smart card readers	–	–	–	–
Windows CE USB ActiveSync devices	–	–	–	–
External network adapters	–	–	–	–
Portable devices (MTP)
Bluetooth	–	–	–	–
Cameras and scanners	–	–	–	–

Mobile device access rules

Mobile devices running Android or iOS are categorized as portable devices (MTP). When a mobile device is connected to the computer, the operating system determines the device type. If Android Debug Bridge (ADB), iTunes or their equivalent applications are installed on the computer, the operating system identifies mobile devices as ADB or iTunes devices. In all other cases, the operating system may identify the mobile device type as a portable device (MTP) for file transfer, a PTP device (camera) for image transfer, or another device. The device type depends on the model of the mobile device.

Please note the following special considerations regarding access to ADB- or iTunes devices:

You cannot configure a device access schedule. If access to devices is restricted by rules (they have the status), ADB- and iTunes devices are always accessible.
You cannot configure device access for individual users, or configure access permissions (read/write). If access to devices is restricted by rules (they have the status), ADB- and iTunes devices are accessible to all users with all permissions.
You cannot configure access to trusted ADB- or iTunes devices for individual users. If the device is trusted, ADB- and iTunes devices are accessible to all users.
If you installed the ADB or iTunes applications after connecting a device to the computer, the unique ID of the device may be reset. This means that Kaspersky Endpoint Security will identify this device as a new device. If a device is trusted, add the device to the trusted list again.

By default, access rules grant all users full access to the devices at all times, if access to the connection buses for the corresponding types of devices is allowed (the status).

Access rules for Wi-Fi networks

A Wi-Fi network access rule determines whether the use of Wi-Fi networks is allowed (the status) or forbidden (the status). You can add a trusted Wi-Fi network (the status) to a rule. Use of a trusted Wi-Fi network is allowed without limitations. By default, a Wi-Fi network access rule allows access to any Wi-Fi network.

Connection bus access rules

Connection bus access rules determine whether the connection of devices is allowed (the status) or forbidden (the status). Rules that allow access to buses are created by default for all connection buses that are present in the classification of the Device Control component.

Page top

[Topic 123282]

Editing a device access rule

A device access rule is a group of settings that determine how users can access devices that are installed or connected to the computer. These settings include access to a specific device, an access schedule, and read or write permissions.

To edit a device access rule:

In the lower part of the main application window, click the button.
In the application settings window, select Protection → Security Controls → Device Control.
In the Configure access block, click the Devices and Wi-Fi networks button.
The opened window shows access rules for all devices that are included in the Device Control component classification.
In the Access to storage devices block, select the access rule that you want to edit. The block contains devices that have a file system for which you can configure additional access settings. By default, a device access rule grants all users full access to the specified type of devices at any time.
1. In the Access block, select the appropriate device access option:
  - Allow.
  - Block.
  - Depends on connection bus.
    To block or allow access to a device, configure access to the connection bus.
  - Restrict by rules.
    This option lets you configure user rights, permissions, and a schedule for device access.
2. In the Users' rights block, click the Add button.
  This opens a window for adding a new device access rule.
3. Assign a priority to the rule. A rule includes the following attributes: user account, schedule, permissions (read/write), and priority.
  A rule has a specific priority. If a user has been added to multiple groups, Kaspersky Endpoint Security regulates device access based on the rule with the highest priority. Kaspersky Endpoint Security allows to assign priority from 0 to 10,000. The higher the value, the higher the priority. In other words, an entry with the value of 0 has the lowest priority.
  
  For example, you can grant read-only permissions to the Everyone group and grant read/write permissions to the administrators group. To do so, assign a priority of 1 for the administrators group and assign a priority of 0 for the Everyone group.
  
  The priority of a block rule is higher than the priority of an allow rule. In other words, if a user has been added to multiple groups and the priority of all rules are the same, Kaspersky Endpoint Security regulates device access based on any existing block rule.
4. Set the Enabled status for the device access rule.
5. Configure users' device access permissions: read and/or write.
6. Select the users or group of users to whom you want to apply the device access rule.
7. Configure a device access schedule for users.
8. Click the Add button.
In the Access to external devices block, select the rule and configure access: Allow, Deny, or Depends on connection bus. If necessary, configure access to the connection bus.
In the Access to Wi-Fi networks block, click the Wi-Fi link and configure access: Allow, Block, or Block with exceptions. If necessary, add Wi-Fi networks to the trusted list.
Save your changes.

Page top

[Topic 38502]

Editing a connection bus access rule

To edit a connection bus access rule:

In the lower part of the main application window, click the button.
In the application settings window, select Protection → Security Controls → Device Control.
In the Settings block, click the Connection buses button.
The opened window shows access rules for all connection buses that are included in the Device Control component classification.
Select the access rule that you want to edit.
In the Access column, select whether or not to allow access to the connection bus: Allow or Deny.
Save your changes.

Page top

[Topic 131690]

Adding a Wi-Fi network to the trusted list

You can allow users connect to Wi-Fi networks that you consider to be secure, such as a corporate Wi-Fi network. To do so, you must add the network to the list of trusted Wi-Fi networks. Device Control will block access to all Wi-Fi networks except those specified in the trusted list.

To add a Wi-Fi network to the trusted list:

In the lower part of the main application window, click the button.
In the application settings window, select Protection → Security Controls → Device Control.
In the Settings block, click the Access rules for devices and Wi-Fi networks button.
The opened window shows access rules for all devices that are included in the Device Control component classification.
In the Access to Wi-Fi networks block, click the Wi-Fi link.
The opened window shows the Wi-Fi network access rules.
In the Access column, select Block with exceptions.
Click the Add button in the Trusted Wi-Fi network block.
In the opened window, do the following:
1. In the Network name field, specify the name of the Wi-Fi network that you want to add to the trusted list.
2. In the Authentication type drop-down list, select the type of authentication used when connecting to the trusted Wi-Fi network.
3. In the Encryption type drop-down list, select the type of encryption used for securing traffic of the trusted Wi-Fi network.
4. In the Comment field, you can specify any information about the added Wi-Fi network.
A Wi-Fi network is considered trusted if its settings match all settings specified in the rule.
Save your changes.

Page top

[Topic 134053]

Monitoring usage of removable drives

To enable monitoring of removable drive usage:

In the lower part of the main application window, click the button.
In the application settings window, select Protection → Security Controls → Device Control.
In the Settings block, click the Access rules for devices and Wi-Fi networks button.
The opened window shows access rules for all devices that are included in the Device Control component classification.
In the Access to storage devices block, select Removable drives.
Click the Logging link.
In the opened window, select the Logging tab.
Turn on the Logging toggle.
In the File operations block, select the operations that you want to monitor: Write, Delete.
In the Filter by file formats block, select the formats of files whose associated operations should be logged by Device Control.
Select the users or group of users whose use of removable drives you want to monitor.
Save your changes.

As a result, when users write to files located on removable drives or delete files from removable drives, Kaspersky Endpoint Security will save information about such operations to the event log and send events to Kaspersky Security Center. You can view events associated with files on removable drives in the Kaspersky Security Center Administration Console in the workspace of the Administration Server node on the Events tab. For events to be displayed in the local Kaspersky Endpoint Security event log, you must select the File operation performed check box in the notification settings for the Device Control component.

Page top

[Topic 203232]

Changing the caching duration

The Device Control component registers events related to monitored devices, such as connection and disconnection of a device, reading a file from a device, writing a file to a device, and other events. Device Control then either allows or blocks the action according to the Kaspersky Endpoint Security settings.

Device Control saves information about events for a specific period of time called the caching period. If information about an event is cached and this event is repeated, there is no need to notify Kaspersky Endpoint Security about it or to show another prompt for granting access to the corresponding action, such as connecting a device. This makes it more convenient to work with a device.

An event is considered a duplicate event if all of the following event settings match the record in the cache:

device ID
SID of the user account attempting access
Device category
Action taken with the device
Application permission verdict for this action: allowed or denied
Path to the process used to take the action
File that is being accessed

Prior to changing the caching period, disable Kaspersky Endpoint Security Self-Defense. After changing the caching period, enable Self-Defense.

To change the caching period:

Open the registry editor on the computer.
In the registry editor, go to the following section:
- For 64-bit operating systems: [HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\KasperskyLab\protected\KES\environment]
- For 32-bit operating systems: [HKEY_LOCAL_MACHINE\SOFTWARE\KasperskyLab\protected\KES\environment]
Open DeviceControlEventsCachePeriod for editing.
Define the number of minutes that Device Control must save information about an event before this information is deleted.

Page top

[Topic 38595]

Actions with trusted devices

Trusted devices are devices to which users that are specified in the trusted device settings have full access at all times.

To work with trusted devices, you can grant access to an individual user, to a group of users, or to all users of the organization.

For example, if your organization does not allow the use of removable drives but administrators use removable drives in their work, you can allow removable drives only for a group of administrators. To do so, add removable drives to the trusted list and configure user access permissions.

Kaspersky Endpoint Security allows you to add a device to the trusted list in the following ways:

If Kaspersky Security Center is not deployed in your organization, you can connect the device to the computer and add it to the trusted list in the application settings. To distribute the list of trusted devices to all computers in your organization, you can enable merging the lists of trusted devices in a policy or use the export / import procedure.
If Kaspersky Security Center is deployed in your organization, you can detect all connected devices remotely and create a list of trusted devices in the policy. The list of trusted devices will be available on all computers to which the policy is applied.

Kaspersky Endpoint Security has the following limitations when working with trusted devices:

Kaspersky Endpoint Security administration plug-in versions 11.0.0–11.2.0 cannot work with a list of trusted devices that was created in Kaspersky Endpoint Security version 11.3.0 and 11.4.0. To work with a list of trusted devices from these versions, the administration plug-in must be upgraded to version 11.3.0 and 11.4.0, respectively.
Kaspersky Endpoint Security administration plug-in version 11.3.0 and 11.4.0 cannot work with a list of trusted devices that was created in Kaspersky Endpoint Security version 11.2.0 or earlier. For these versions to work with a list of trusted devices, the application must be upgraded to version 11.3.0 and 11.4.0, respectively. You can also send a request containing a description of your situation to Technical Support through Kaspersky CompanyAccount.
To migrate a list of trusted devices from Kaspersky Endpoint Security version 11.2.0 to version 11.3.0, send a request containing a description of your situation to Technical Support through Kaspersky CompanyAccount.

In this section

Adding a device to the Trusted list from Kaspersky Security Center

Exporting and importing the list of trusted devices

Page top

[Topic 123283]

Adding a device to the Trusted list from the application interface

By default, when a device is added to the list of trusted devices, access to the device is granted to all users (the Everyone group of users).

To add a device to the Trusted list from the application interface:

In the lower part of the main application window, click the button.
In the application settings window, select Protection → Security Controls → Device Control.
In the Settings block, click the Trusted devices button.
This opens the list of trusted devices.
Click the Select button.
This opens the list of connected devices. The list of devices depends on the value that is selected in the Display connected devices drop-down list.
In the list of devices, select the device that you want to add to the trusted list.
In the Comment field, you can provide any relevant information about the trusted device.
Select the users or group of users for whom you want to allow access to trusted devices.
Save your changes.

Page top

[Topic 123284]

Adding a device to the Trusted list from Kaspersky Security Center

Kaspersky Security Center receives information about devices if Kaspersky Endpoint Security is installed on the computers and Device Control is enabled. It is not possible to add a device to the trusted list unless information about that device is available in Kaspersky Security Center.

You can add a device to the trusted list according to the following data:

Devices by ID. Each device has a unique identifier (Hardware ID, or HWID). You can view the ID in the device properties by using operating system tools. Example device ID: SCSI\CDROM&VEN_NECVMWAR&PROD_VMWARE_SATA_CD00\5&354AE4D7&0&000000. Adding devices by ID is convenient if you want to add several specific devices.
Devices by model. Each device has a vendor ID (VID) and a product ID (PID). You can view the IDs in the device properties by using operating system tools. Template for entering the VID and PID: VID_1234&PID_5678. Adding devices by model is convenient if you use devices of a certain model in your organization. This way, you can add all devices of this model.
Devices by ID mask. If you are using multiple devices with similar IDs, you can add devices to the trusted list by using masks. The * character replaces any set of characters. Kaspersky Endpoint Security does not support the ? character when entering a mask. For example, WDC_C*.
Devices by model mask. If you are using multiple devices with similar VIDs or PIDs (for example, devices from the same manufacturer), you can add devices to the trusted list by using masks. The * character replaces any set of characters. Kaspersky Endpoint Security does not support the ? character when entering a mask. For example, VID_05AC & PID_ *.

To add devices to the list of trusted devices:

Open the Kaspersky Security Center Administration Console.
In the Managed devices folder in the Administration Console tree, open the folder with the name of the administration group to which the relevant client computers belong.
In the workspace, select the Policies tab.
Select the necessary policy and double-click to open the policy properties.
In the policy window, select Security Controls → Device Control.
In the right part of the window, select the Trusted devices tab.
Select the Merge values when inheriting check box if you want to create a consolidated list of trusted devices for all computers in the company.
The lists of trusted devices in the parent and child policies will be merged. The lists will be merged provided that merging values when inheriting is enabled. Trusted devices from the parent policy are displayed in child policies in a read-only view. Changing or deleting trusted devices of the parent policy is not possible.
Click the Add button and select a method for adding a device to the trusted list.
To filter devices, select a device type from the Device type drop-down list (for example, Removable Drives).
In the Name / Model field, enter the device ID, model (VID and PID) or mask, depending on the selected addition method.
Adding devices by model mask (VID and PID) works as follows: if you enter a model mask that does not match any model, Kaspersky Endpoint Security checks if the device ID (HWID) matches the mask. Kaspersky Endpoint Security checks only the part of the device ID that determines the manufacturer and the type of the device (SCSI\CDROM&VEN_NECVMWAR&PROD_VMWARE_SATA_CD00\5&354AE4D7&0&000000). If the model mask matches this part of the device ID, the devices that match the mask will be added to the list of trusted devices on the computer. At the same time, the list of devices in Kaspersky Security Center remains empty when you click the Refresh button. To display the list of devices correctly, you can add devices by device ID mask.
To filter devices, in the Computer field, enter the computer name or a mask for the name of the computer to which the device is connected.
The * character replaces any set of characters. The ? character replaces any single character.
Click the Refresh button.
The table displays a list of devices that satisfy the defined filtering criteria.
Select the check boxes next to the names of devices that you want to add to the trusted list.
In the Comment field, enter a description of the reason for adding devices to the trusted list.
Click the Select button to the right of the Allow to users and / or groups of users field.
Select a user or a group in Active Directory and confirm your selection.
By default, access to trusted devices is allowed for the Everyone group.
Save your changes.

When a device is connected, Kaspersky Endpoint Security checks the list of trusted devices for an authorized user. If the device is trusted, Kaspersky Endpoint Security allows access to the device with all permissions, even if access to the device type or connection bus is denied. If the device is untrusted and access is denied, you can request access to the locked device.

Page top

[Topic 158502]

Exporting and importing the list of trusted devices

To distribute the list of trusted devices to all computers in your organization, you can use the export/import procedure.

For example, if you need to distribute a list of trusted removable drives, you need to do the following:

Sequentially connect removable drives to your computer.
In the Kaspersky Endpoint Security settings, add the removable drives to the trusted list. If required, configure user access permissions. For example, allow only administrators to access removable drives.
Export the list of trusted devices in the Kaspersky Endpoint Security settings (see the instructions below).
Distribute the trusted device list file to other computers in your organization. For example, place the file in a shared folder.
Import the list of trusted devices in the Kaspersky Endpoint Security settings on other computers in the organization (see the instructions below).

To import or export the list of trusted devices:

In the lower part of the main application window, click the button.
In the application settings window, select Protection → Security Controls → Device Control.
In the Settings block, click the Trusted devices button.
This opens the list of trusted devices.
To export the list of trusted devices:
1. Select the trusted devices that you want to export.
2. Click the Export button.
3. In the window that opens, specify the name of the XML file to which you want to export the list of trusted devices, and select the folder in which you want to save this file.
4. Click the Save button.
  Kaspersky Endpoint Security exports the entire list of trusted devices to the XML file.
To import the list of trusted devices:
1. In the Import drop-down list, select the relevant action: Import and add to existing or Import and replace existing.
2. In the window that opens, select the XML file from which you want to import the list of trusted devices.
3. Click the Open button.
  If the computer already has a list of trusted devices, Kaspersky Endpoint Security will prompt you to delete the existing list or add new entries to it from the XML file.
Save your changes.

Page top

[Topic 130920]

Obtaining access to a blocked device

When configuring Device Control, you can accidentally block access to a device that is necessary for work.

If Kaspersky Security Center is not deployed in your organization, you can provide access to a device in the settings of Kaspersky Endpoint Security. For example, you can add the device to the trusted list or temporarily disable Device Control.

If Kaspersky Security Center is deployed in your organization and a policy has been applied to computers, you can provide access to a device in the Administration Console.

Online mode for granting access

You can grant access to a blocked device in online mode only if Kaspersky Security Center is deployed in the organization and a policy has been applied to the computer. The computer must have the capability to establish a connection with the Administration Server.

Granting access in online mode consists of the following steps:

The user sends the administrator a message containing an access request.
The administrator adds the device to the trusted list.
You can add a trusted device in a policy for the administration group or in the local application settings for an individual computer.
The administrator updates the settings of Kaspersky Endpoint Security on the user's computer.

Schematic for granting access to a device in online mode

Offline mode for granting access

You can grant access to a blocked device in offline mode only if Kaspersky Security Center is deployed in the organization and a policy has been applied to the computer. In the policy settings, in the Device Control section, the Allow requests for temporary access check box must be selected.

If you need to grant temporary access to a blocked device but you cannot add the device to the trusted list, you can grant access to the device in offline mode. This way, you can grant access to a blocked device even if the computer does not have network access or if the computer is outside of the corporate network.

Granting access in offline mode consists of the following steps:

The user creates a request access file and sends it to the administrator.
The administrator creates an access key from the request access file and sends it to the user.
The user activates the access key.

Schematic for granting access to a device in offline mode

Page top

[Topic 128047]

Online mode for granting access

A user requests access to a blocked device as follows:

Connect the device to the computer.
Kaspersky Endpoint Security will show a notification stating that access to the device is blocked (see the figure below).
Click the Request access link.
The Administrator's message window opens. This message contains information about the blocked device.
Click the Send button.

The administrator will receive a message containing a request to provide access, for example, by email. For more details about processing the requests of users, please refer to Kaspersky Security Center Help. After adding the device to the trusted list and updating Kaspersky Endpoint Security settings on the computer, the user will receive access to the device.

Device Control notification

Page top

[Topic 186150]

Offline mode for granting access

A user requests access to a blocked device as follows:

Connect the device to the computer.
Kaspersky Endpoint Security will show a notification stating that access to the device is blocked (see the figure below).
Click the Request temporary access link.
The Request access to device window opens with a list of connected devices.
In the list of connected devices, select the device to which you want to gain access.
Click the Generate request access file button.
In the Access duration field, specify the period of time for which you want to have access to the device.
Save the file to computer memory.

As a result, a request access file with the *.akey extension will be downloaded to computer memory. Use any available method to send the device request access file to the corporate LAN administrator.

Device Control notification

The administrator creates an access key for a blocked device as follows:

Open the Kaspersky Security Center Administration Console.
In the Managed devices folder of the Administration Console tree, open the folder with the name of the administration group to which the relevant client computer belongs.
In the workspace, select the Devices tab.
In the list of client computers, select the computer whose user needs to be granted temporary access to a locked device.
In the context menu of the computer, select Grant access in offline mode.
In the opened window, select the Device Control tab.
Click the Browse button and download the request access file received from the user.
You will see information about the blocked device to which the user has requested access.
If necessary, change the value of the Access duration setting.
By default, the Access duration setting takes the value that was indicated by the user when creating the access request file.
Specify the value of the Activate by setting.
This setting defines the time period during which the user can activate access to the blocked device by using the provided access key.
Save the access key file to computer memory.

As a result, the blocked device access key will be downloaded to computer memory. An access key file has the *.acode extension. Use any available method to send the blocked device access key to the user.

The user activates the access key as follows:

In the lower part of the main application window, click the button.
In the application settings window, select Protection → Security Controls → Device Control.
In the Access request block, click the Request access to device button.
In the opened window, click the Activate access key button.
In the opened window, select the file with the device access key received from the corporate LAN administrator. Click the Open button.
This opens a window containing information about access provision.
Click OK.

As a result, the user receives access to the device for the time period set by the administrator. The user receives the full set of rights for accessing the device (read and write). When the key expires, access to the device will be blocked. If the user requires permanent access to the device, add the device to the trusted list.

Page top

[Topic 128046]

Editing templates of Device Control messages

When the user attempts to access a blocked device, Kaspersky Endpoint Security displays a message stating that access to the device is blocked or that an operation with the device contents is forbidden. If the user believes that access to the device was mistakenly blocked or that an operation with device contents was forbidden by mistake, the user can send a message to the local corporate network administrator by clicking the link in the displayed message about the blocked action.

Templates are available for messages about blocked access to devices or forbidden operations with device contents, and for the message sent to the administrator. You can modify the message templates.

To edit the templates for Device Control messages:

In the lower part of the main application window, click the button.
In the application settings window, select Protection → Security Controls → Device Control.
In the Templates block, configure the templates for Device Control messages:
- Message about blocking. Template of the message that appears when a user attempts to access a blocked device. This message also appears when a user attempts to perform an operation on the device contents that was blocked for this user.
- Message to administrator. A template of the message that is sent to the LAN administrator when the user believes that access to the device is blocked or an operation with device content is forbidden by mistake.
Save your changes.

Editing templates of encrypted file access messages

Page top

[Topic 156084]

Anti-Bridging

Anti-Bridging inhibits the creation of network bridges by preventing the simultaneous establishment of multiple network connections for a computer. This lets you protect a corporate network from attacks over unprotected, unauthorized networks.

Anti-Bridging regulates the establishment of network connections by using connection rules.

Connection rules are created for the following predefined types of devices:

Network adapters
Wi-Fi adapters
Modems

If a connection rule is enabled, Kaspersky Endpoint Security:

Blocks the active connection when establishing a new connection, if the device type specified in the rule is used for both connections.
Blocks connections that are established using the types of devices for which lower-priority rules are used.

In this section

Enabling Anti-Bridging

Changing the status of a connection rule

Change the priority of a connection rule

Page top

[Topic 156085]

Enabling Anti-Bridging

Anti-Bridging is disabled by default.

To enable Anti-Bridging:

In the lower part of the main application window, click the button.
In the application settings window, select Protection → Security Controls → Device Control.
In the Settings block, click the Anti-Bridging button.
Use the Enable Anti-Bridging toggle to enable or disable this feature.
Save your changes.

After Anti-Bridging is enabled, Kaspersky Endpoint Security blocks already established connections according to the connection rules.

Page top

[Topic 156114]

Changing the status of a connection rule

To change the status of a connection rule:

In the lower part of the main application window, click the button.
In the application settings window, select Protection → Security Controls → Device Control.
In the Settings block, click the Anti-Bridging button.
In the Rules for devices block, select the rule whose status you want to change.
Use the toggles in the Control column to enable or disable the rule.
Save your changes.

Page top

[Topic 156108]

Change the priority of a connection rule

To change the priority of a connection rule:

In the lower part of the main application window, click the button.
In the application settings window, select Protection → Security Controls → Device Control.
In the Settings block, click the Anti-Bridging button.
In the Rules for devices block, select the rule whose priority you want to change.
Use the Up / Down buttons to set the priority of the connection rule.
The higher a rule is positioned in the table of rules, the higher its priority. Anti-Bridging blocks all connections except one connection established using the type of device for which the highest-priority rule is used.
Save your changes.

Page top

[Topic 173855]

Adaptive Anomaly Control

This component is available only for Kaspersky Endpoint Security for Business Advanced and Kaspersky Total Security for Business. For more details about Kaspersky Endpoint Security for Business, please visit the Kaspersky website.

The Adaptive Anomaly Control component monitors and blocks actions that are not typical of the computers in a company's network. Adaptive Anomaly Control uses a set of rules to track uncharacteristic behavior (for example, the Start of Microsoft PowerShell from office application rule). Rules are created by Kaspersky specialists based on typical scenarios of malicious activity. You can configure how Adaptive Anomaly Control handles each rule and, for example, allow the execution of PowerShell scripts that automate certain workflow tasks. Kaspersky Endpoint Security updates the set of rules along with the application databases. Updates to the sets of rules must be confirmed manually.

Adaptive Anomaly Control settings

Configuring Adaptive anomaly control consists of the following steps:

Training Adaptive Anomaly Control.
After you enable Adaptive Anomaly Control, its rules work in training mode. During the training, Adaptive Anomaly Control monitors rule triggering and sends triggering events to Kaspersky Security Center. Each rule has its own duration of the training mode. The duration of the training mode is set by Kaspersky experts. Normally, the training mode is active for two weeks.

If a rule is not triggered at all during the training, Adaptive Anomaly Control will consider the actions associated with this rule as non-typical. Kaspersky Endpoint Security will block all actions associated with that rule.

If a rule was triggered during training, Kaspersky Endpoint Security logs events in the rule triggering report and the Triggering of rules in Smart Training mode repository.
Analyzing the rule triggering report.
The administrator analyzes the rule triggering report or the contents of the Triggering of rules in Smart Training mode repository. Then the administrator can select the behavior of Adaptive Anomaly Control when the rule is triggered: either block or allow. The administrator can also continue to monitor how the rule works and extend the duration of the training mode. If the administrator does not take any action, the application will also continue to work in training mode. The training mode term is restarted.

Adaptive Anomaly Control is configured in real time. Adaptive Anomaly Control is configured via the following channels:

Adaptive Anomaly Control automatically starts to block the actions associated with the rules that were never triggered in training mode.
Kaspersky Endpoint Security adds new rules or removes obsolete ones.
The administrator configures the operation of the Adaptive Anomaly Control after reviewing the rule triggering report and the contents of the Triggering of rules in Smart Training mode repository. It is recommended to check the rule triggering report and the contents of the Triggering of rules in Smart Training mode repository.

When a malicious application attempts to perform an action, Kaspersky Endpoint Security will block the action and display a notification (see figure below).

Adaptive Anomaly Control notification

Adaptive Anomaly Control operating algorithm

Kaspersky Endpoint Security decides whether to allow or block an action that is associated with a rule based on the following algorithm (see the figure below).

Adaptive Anomaly Control operating algorithm

In this section

Enabling and disabling Adaptive Anomaly Control

Enabling and disabling an Adaptive Anomaly Control rule

Modifying the action taken when an Adaptive Anomaly Control rule is triggered

Creating an exclusion for an Adaptive Anomaly Control rule

Exporting and importing exclusions for Adaptive Anomaly Control rules

Applying updates for Adaptive Anomaly Control rules

Viewing Adaptive Anomaly Control reports

Page top

[Topic 175467]

Enabling and disabling Adaptive Anomaly Control

Adaptive Anomaly Control is enabled by default.

To enable or disable Adaptive Anomaly Control:

In the lower part of the main application window, click the button.
In the application settings window, select Protection → Security Controls → Adaptive Anomaly Control.
Use the Adaptive Anomaly Control toggle to enable or disable the component.
Save your changes.

Page top

[Topic 175244]

Enabling and disabling an Adaptive Anomaly Control rule

To enable or disable an Adaptive Anomaly Control rule:

In the lower part of the main application window, click the button.
In the application settings window, select Protection → Security Controls → Adaptive Anomaly Control.
In the Rules block, click the Edit rules button.
The Adaptive Anomaly Control rule list opens.
In the table, select a set of rules (for example, Activity of office applications) and expand the set.
Select a rule (for example, Start Windows PowerShell from office applications).
Use the toggle in the Status column to enable or disable the Adaptive Anomaly Control rule.
Save your changes.

Page top

[Topic 175243]

Modifying the action taken when an Adaptive Anomaly Control rule is triggered

To edit the action that is taken when an Adaptive Anomaly Control rule is triggered:

In the lower part of the main application window, click the button.
In the application settings window, select Protection → Security Controls → Adaptive Anomaly Control.
In the Rules block, click the Edit rules button.
The Adaptive Anomaly Control rule list opens.
Select a rule in the table.
Click the Edit button.
The Adaptive Anomaly Control rule properties window opens.
In the Action block, select one of the following options:
- Smart. If this option is selected, the Adaptive Anomaly Control rule works in Smart training mode for a period of time defined by Kaspersky experts. In this mode, when an Adaptive Anomaly Control rule is triggered, Kaspersky Endpoint Security allows the activity covered by the rule and logs an entry in the Triggering of rules in Smart Training mode storage of the Kaspersky Security Center Administration Server. When the time period set for working in Smart Training mode ends, Kaspersky Endpoint Security blocks the activity covered by an Adaptive Anomaly Control rule and logs an entry containing information about the activity.
- Block. If this action is selected, when an Adaptive Anomaly Control rule is triggered Kaspersky Endpoint Security blocks the activity covered by the rule and logs an entry containing information about the activity.
- Inform. If this action is selected, when an Adaptive Anomaly Control rule is triggered Kaspersky Endpoint Security allows the activity covered by the rule and logs an entry containing information about the activity.
Save your changes.

Page top

[Topic 175245]

Creating an exclusion for an Adaptive Anomaly Control rule

You cannot create more than 1,000 exclusions for Adaptive Anomaly Control rules. It is not recommended to create more than 200 exclusions. To reduce the number of exclusions used, it is recommended to use masks in the settings of exclusions.

An exclusion for an Adaptive Anomaly Control rule includes a description of the source and target objects. The source object is the object performing the actions. The target object is the object on which the actions are being performed. For example, you have opened a file named file.xlsx. As a result, a library file with the DLL extension is loaded into the computer memory. This library is used by a browser (executable file named browser.exe). In this example, file.xlsx is the source object, Excel is the source process, browser.exe is the target object, and Browser is the target process.

To create an exclusion for an Adaptive Anomaly Control rule:

In the lower part of the main application window, click the button.
In the application settings window, select Protection → Security Controls → Adaptive Anomaly Control.
In the Rules block, click the Edit rules button.
The Adaptive Anomaly Control rule list opens.
Select a rule in the table.
Click the Edit button.
The Adaptive Anomaly Control rule properties window opens.
In the Exclusions block, click the Add button.
The exclusion properties window opens.
Select the user for which you want to configure an exclusion.

Adaptive Anomaly Control does not support exclusions for user groups. If you select a user group, Kaspersky Endpoint Security does not apply the exclusion.

In the Description field, enter a description of the exclusion.
Define the settings of the source object or source process started by the object:
- Source process. Path or mask of the path to the file or folder containing files (for example, С:\Dir\File.exe or Dir\*.exe).
- Source process hash. File hash code.
- Source object. Path or mask of the path to the file or folder containing files (for example, С:\Dir\File.exe or Dir\*.exe). For example, file path document.docm, which uses a script or macro to start the target processes.
  You can also specify other objects to exclude, such as a web address, macro, command in the command line, registry path, or others. Specify the object according to the following template: object://<object>, where <object> refers to the name of the object, for example, object://web.site.example.com, object://VBA, object://ipconfig, object://HKEY_USERS. You can also use masks, for example, object://*C:\Windows\temp\*.
- Source object hash. File hash code.
The Adaptive Anomaly Control rule is not applied to actions performed by the object, or to processes started by the object.
Specify the settings of the target object or target processes started on the object.
- Target process. Path or mask of the path to the file or folder containing files (for example, С:\Dir\File.exe or Dir\*.exe).
- Target process hash. File hash code.
- Target object. The command to start the target process. Specify the command using the following pattern object://<command>, for example, object://cmdline:powershell -Command "$result = 'C:\windows\temp\result_local_users_pwdage txt'". You can also use masks, for example, object://*C:\windows\temp\*.
- Target object hash. File hash code.
The Adaptive Anomaly Control rule is not applied to actions taken on the object, or to processes started on the object.
Save your changes.

Page top

[Topic 175494]

Exporting and importing exclusions for Adaptive Anomaly Control rules

To export or import the list of exclusions for selected rules:

In the lower part of the main application window, click the button.
In the application settings window, select Protection → Security Controls → Adaptive Anomaly Control.
In the Rules block, click the Edit rules button.
The Adaptive Anomaly Control rule list opens.
To export the list of rules:
1. Select the rules whose exceptions you want to export.
2. Click the Export button.
3. In the window that opens, specify the name of the XML file to which you want to export the list of exclusions, and select the folder in which you want to save this file.
4. Confirm that you want to export only the selected exclusions, or export the entire list of exclusions.
5. Click the Save button.
To import the list of rules:
1. Click the Import button.
2. In the window that opens, select the XML file from which you want to import the list of exclusions.
3. Click the Open button.
  If the computer already has a list of exclusions, Kaspersky Endpoint Security will prompt you to delete the existing list or add new entries to it from the XML file.
Save your changes.

Page top

[Topic 175466]

Applying updates for Adaptive Anomaly Control rules

New Adaptive Anomaly Control rules may be added to the table of rules and existing Adaptive Anomaly Control rules may be deleted from the table of rules when anti-virus databases are updated. Kaspersky Endpoint Security distinguishes Adaptive Anomaly Control rules that are to be deleted or added to the table, if an update for these rules has not been applied.

Until the update is applied, Kaspersky Endpoint Security displays the Adaptive Anomaly Control rules set to be deleted by the update in the table of rules and assigns the Disabled status to them. It is not possible to change the settings of these rules.

To apply updates for Adaptive Anomaly Control rules:

In the lower part of the main application window, click the button.
In the application settings window, select Protection → Security Controls → Adaptive Anomaly Control.
In the Rules block, click the Edit rules button.
The Adaptive Anomaly Control rule list opens.
In the opened window, click the Approve updates button.
The Approve updates button is available if an update for Adaptive Anomaly Control rules is available.
Save your changes.

Page top

[Topic 177163]

Editing Adaptive Anomaly Control message templates

When a user tries to do an action, blocked by Adaptive Anomaly Control rules, Kaspersky Endpoint Security displays a message that potentially harmful actions are blocked. If the user believes that an action was mistakenly blocked, the user can use the link in the message text to send a message to the local corporate network administrator.

Special templates are available for the message about blocking potentially harmful actions and for the message to be sent to the administrator. You can modify the message templates.

To edit a message template:

In the lower part of the main application window, click the button.
In the application settings window, select Protection → Security Controls → Adaptive Anomaly Control.
In the Templates block, configure the templates for Adaptive Anomaly Control messages:
- Blockage. Template of the message that is displayed to a user when an Adaptive Anomaly Control rule that blocks a non-typical action is triggered.
- Message to administrator. Template of the message that a user can be sent to the local corporate network administrator if the user considers the blocking to be a mistake.
Save your changes.

Editing templates of encrypted file access messages

Page top

[Topic 177558]

Viewing Adaptive Anomaly Control reports

To view Adaptive Anomaly Control reports:

Open the Kaspersky Security Center Administration Console.
In the Managed devices folder in the Administration Console tree, open the folder with the name of the administration group to which the relevant client computers belong.
In the workspace, select the Policies tab.
Select the necessary policy and double-click to open the policy properties.
In the Security Controls section, select the Adaptive Anomaly Control subsection.
The settings of the Adaptive Anomaly Control component are displayed in the right part of the window.
Do one of the following:
- If you want to view a report on the settings of Adaptive Anomaly Control rules, click the Rule status report button.
- If you want to view a report on the triggering of Adaptive Anomaly Control rules, click the Rule triggering report button.
The report generation process starts.

The report is displayed in a new window.

Page top

[Topic 129102]

Application Control

Application Control manages the startup of applications on users' computers. This allows you to implement a corporate security policy when using applications. Application Control also reduces the risk of computer infection by restricting access to applications.

Configuring Application Control consists of the following steps:

Creating application categories.
The administrator creates categories of applications that the administrator wants to manage. Categories of applications are intended for all computers in the corporate network, regardless of administration groups. To create a category, you can use the following criteria: KL category (for example, Browsers), file hash, application vendor, and other criteria.
Creating Application Control rules.
The administrator creates Application Control rules in the policy for the administration group. The rule includes the categories of applications and the startup status of applications from these categories: blocked or allowed.
Selecting the Application Control mode.
The administrator chooses the mode for working with applications that are not included in any of the rules (application denylist and allowlist).

When a user attempts to start a prohibited application, Kaspersky Endpoint Security will block the application from starting and will display a notification (see the figure below).

A test mode is provided to check the configuration of Application Control. In this mode, Kaspersky Endpoint Security does the following:

Allows the startup of applications, including prohibited ones.
Shows a notification about the startup of a prohibited application and adds information to the report on the user's computer.
Sends data about the startup of prohibited applications to Kaspersky Security Center.

Application Control notification

Application Control operating modes

The Application Control component operates in two modes:

Denylist. In this mode, Application Control allows users to start all applications except for applications that are prohibited in Application Control rules.
This mode of Application Control is enabled by default.
Allowlist. In this mode, Application Control blocks users from starting any applications except for applications that are allowed and not prohibited in Application Control rules.
If the allow rules of Application Control are fully configured, the component blocks the startup of all new applications that have not been verified by the LAN administrator, while allowing the operation of the operating system and of trusted applications that users rely on in their work.

You can read the recommendations on configuring Application Control rules in allowlist mode.

Application Control can be configured to operate in these modes both by using the Kaspersky Endpoint Security local interface and by using Kaspersky Security Center.

However, Kaspersky Security Center offers tools that are not available in the Kaspersky Endpoint Security local interface, such as the tools that are needed for the following tasks:

Creating application categories.
Application Control rules created in the Kaspersky Security Center Administration Console are based on your custom application categories and not on inclusion and exclusion conditions as is the case in the Kaspersky Endpoint Security local interface.
Receiving information about applications that are installed on corporate LAN computers.

This is why it is recommended to use Kaspersky Security Center to configure the operation of the Application Control component.

Application Control operating algorithm

Kaspersky Endpoint Security uses an algorithm to make a decision about starting an application (see the figure below).

Application Control operating algorithm

In this section

Application Control functionality limitations

Enabling and disabling Application Control

Selecting the Application Control mode

Working with Application Control rules in the application interface

Managing Application Control rules in Kaspersky Security Center

Testing Application Control rules

Application activity monitor

Rules for creating name masks for files or folders

Best practices for implementing a list of allowed applications

Page top

[Topic 133573]

Application Control functionality limitations

Operation of the Application Control component is limited in the following cases:

When the application version is upgraded, importing Application Control component settings is not supported.
When the application version is upgraded, importing Application Control settings is supported only if Kaspersky Endpoint Security 10 Service Pack 2 for Windows or later is upgraded to Kaspersky Endpoint Security 11.6.0 for Windows.
When application versions other than Kaspersky Endpoint Security 10 Service Pack 2 for Windows are upgraded, the Application Control settings have to be configured anew in order to restore this component to operational state.
If there is no connection with KSN servers, Kaspersky Endpoint Security receives information about the reputation of applications and their modules only from local databases.
The list of applications assigned by Kaspersky Endpoint Security to the KL category Applications trusted according to reputation in KSN when a connection to KSN servers is available may differ from the list of applications assigned by Kaspersky Endpoint Security to the KL category Applications trusted according to reputation in KSN when there is no connection to KSN.
At the Kaspersky Security Center database, information on 150,000 processed files may be stored. Once this number of records has been achieved, new files will not be processed. To resume inventory operations, you must delete the files that were previously inventoried in the Kaspersky Security Center database from the computer on which Kaspersky Endpoint Security is installed.
The component does not control the startup of scripts unless the script is sent to the interpreter via the command line.
If the startup of an interpreter is allowed by Application Control rules, the component will not block a script started from this interpreter.

If at least one of the scripts specified in the interpreter command line is blocked from start by Application control rules, the component blocks all the scripts, specified in the interpreter command line.
The component does not control the startup of scripts from interpreters that are not supported by Kaspersky Endpoint Security.
Kaspersky Endpoint Security supports the following interpreters:
- Java
- PowerShell
The following types of interpreters are supported:
- %ComSpec%;
- %SystemRoot%\\system32\\regedit.exe;
- %SystemRoot%\\regedit.exe;
- %SystemRoot%\\system32\\regedt32.exe;
- %SystemRoot%\\system32\\cscript.exe;
- %SystemRoot%\\system32\\wscript.exe;
- %SystemRoot%\\system32\\msiexec.exe;
- %SystemRoot%\\system32\\mshta.exe;
- %SystemRoot%\\system32\\rundll32.exe;
- %SystemRoot%\\system32\\wwahost.exe;
- %SystemRoot%\\syswow64\\cmd.exe;
- %SystemRoot%\\syswow64\\regedit.exe;
- %SystemRoot%\\syswow64\\regedt32.exe;
- %SystemRoot%\\syswow64\\cscript.exe;
- %SystemRoot%\\syswow64\\wscript.exe;
- %SystemRoot%\\syswow64\\msiexec.exe;
- %SystemRoot%\\syswow64\\mshta.exe;
- %SystemRoot%\\syswow64\\rundll32.exe;
- %SystemRoot%\\syswow64\\wwahost.exe.

Page top

[Topic 128212]

Enabling and disabling Application Control

By default, Application Control is disabled.

To enable or disable Application Control:

In the lower part of the main application window, click the button.
In the application settings window, select Protection → Security Controls → Application Control.
Use the Application Control toggle to enable or disable the component.
Save your changes.

As a result, if Application Control is enabled, the application forwards information about running executable files to Kaspersky Security Center. You can view the list of running executable files in Kaspersky Security Center in the Executable files folder. To receive information about all executable files instead of only running executable files, run the Inventory task.

Page top

[Topic 128036]

Selecting the Application Control mode

To select the Application Control mode:

In the lower part of the main application window, click the button.
In the application settings window, select Protection → Security Controls → Application Control.
In the Application Startup Control mode block, select one of the following options:
- Denylist. If this option is selected, Application Control allows all users to start any applications, except in cases that satisfy the conditions of Application Control block rules.
- Allowlist. If this option is selected, Application Control blocks all users from starting any applications, except in cases that satisfy the conditions of Application Control allow rules.
  The Golden Image rule and Trusted Updaters rule are initially defined for Allowlist mode. These Application Control rules correspond to KL categories. The "Golden Image" KL category includes programs that ensure normal operation of the operating system. The "Trusted Updaters" KL category includes updaters for the most reputable software vendors. You cannot delete these rules. The settings of these rules cannot be edited. By default, the Golden Image rule is enabled and the Trusted Updaters rule is disabled. All users are allowed to start applications that match the trigger conditions of these rules.
All rules created during the selected mode are saved after the mode is changed so that the rules can be used again. To revert back to using these rules, all you have to do is select the necessary mode.
In the Action at startup of blocked applications section, select the action to be performed by the component when a user attempts to start an application that is blocked by Application Control rules.
Select the Control DLL modules load check box if you want Kaspersky Endpoint Security to monitor the loading of DLL modules when applications are started by users.
Information about the module and the application that loaded the module will be saved to a report.

Kaspersky Endpoint Security monitors only the DLL modules and drivers that have been loaded since the check box was selected. Restart the computer after selecting the check box if you want Kaspersky Endpoint Security to monitor all DLL modules and drivers, including ones that are loaded before Kaspersky Endpoint Security is started.

When enabling control over the loading of DLL modules and drivers, make sure that one of the following rules is enabled in the Application Control settings: the default Golden Image rule or another rule that contains the "Trusted certificates" KL category and ensures that trusted DLL modules and drivers are loaded before Kaspersky Endpoint Security is started. Enabling control of the loading of DLL modules and drivers when the Golden Image rule is disabled may cause instability in the operating system.

We recommend turning on password protection for configuring application settings, so that it is possible to turn off the rules blocking critical DLL modules and drivers form start, without modifying Kaspersky Security Center policy settings.
Save your changes.

Page top

[Topic 128031]

Working with Application Control rules in the application interface

Kaspersky Endpoint Security controls the startup of applications by users by means of rules. An Application Control rule specifies the triggering conditions and actions performed by the Application Control component when the rule is triggered (allowing or blocking application startup by users).

Rule-triggering conditions

A rule-triggering condition has the following correlation: "condition type - condition criterion - condition value". Based on the rule-triggering conditions, Kaspersky Endpoint Security applies (or does not apply) a rule to an application.

The following types of conditions are used in rules:

Inclusion conditions. Kaspersky Endpoint Security applies the rule to the application if the application matches at least one of the inclusion conditions.
Exclusion conditions. Kaspersky Endpoint Security does not apply the rule to the application if the application matches at least one of the exclusion conditions and does not match any of the inclusion conditions.

Rule-triggering conditions are created using criteria. The following criteria are used to create rules in Kaspersky Endpoint Security:

Path to the folder containing the executable file of the application or path to the executable file of the application.
Metadata: application executable file name, application executable file version, application name, application version, application vendor.
Hash of the executable file of the application.
Certificate: issuer, subject, thumbprint.
Inclusion of the application in a KL category.
Location of the application executable file on a removable drive.

The criterion value must be specified for each criterion used in the condition. If the parameters of the application being started match the values of criteria specified in the inclusion condition, the rule is triggered. In this case, Application Control performs the action prescribed in the rule. If application parameters match the values of criteria specified in the exclusion condition, Application Control does not control startup of the application.

Decisions made by the Application Control component when a rule is triggered

When a rule is triggered, Application Control allows users (or user groups) to start applications or blocks startup according to the rule. You can select individual users or groups of users that are allowed or not allowed to start applications that trigger a rule.

If a rule does not specify those users allowed to start applications satisfying the rule, this rule is called a block rule.

If a rule that does not specify any users who are not allowed to start applications that match the rule, this rule is called an allow rule.

The priority of a block rule is higher than the priority of an allow rule. For example, if an Application Control allow rule has been assigned for a user group while an Application Control block rule has been assigned for one user in this user group, this user will be blocked from starting the application.

Operating status of a rule

Application Control rules can have one of the following operating statuses:

On. This status means that the rule is used when Application Control is in operation.
Off. This status means that the rule is ignored when Application Control is in operation.
Test. This status signifies that Kaspersky Endpoint Security allows the startup of applications to which the rules apply but logs information about the startup of such applications in the report.

In this section

Adding an Application Control rule

Adding a trigger condition for an Application Control rule

Changing the status of an Application Control rule

Page top

[Topic 123275]

Adding an Application Control rule

To add an Application Control rule:

In the lower part of the main application window, click the button.
In the application settings window, select Protection → Security Controls → Application Control.
Click the Blocked applications or Allowed applications button.
This opens the list of Application Control rules.
Click the Add button.
The Application Control rule window opens.
On the General settings tab, define the main settings of the rule:
1. In the Rule name field, enter the name of the rule.
2. In the Description field, enter a description of the rule.
3. Compile or edit a list of users and/or groups of users who are allowed or not allowed to start applications that meet the rule trigger conditions. To do this, click the Add button in the Subjects and their rights table.
  By default, the Everyone value is added to the list of users. The rule applies to all users.
  
  If there is no user specified in the table, the rule cannot be saved.
4. In the Subjects and their rights table, use the toggle to define the right of users to start applications.
5. Select the Deny for other users check box if you want all users that do not appear in the Subject column and that are not part of the group of users specified in the Subject column to be blocked from starting applications that match the rule trigger conditions.
  If the Deny for other users check box is cleared, Kaspersky Endpoint Security does not control the startup of applications by users that are not specified in the Subjects and their rights table and that do not belong to the groups of users specified in the Subjects and their rights table.
6. If you want Kaspersky Endpoint Security to consider applications matching the rule trigger conditions as trusted updaters allowed to create other executable files that will be allowed to run subsequently, select the Trusted Updaters check box.
On the Conditions tab, create or edit the list of inclusion conditions for triggering the rule.
On the Exclusions tab, create or edit the list of exclusion conditions for triggering the rule.
When Kaspersky Endpoint Security settings are migrated, the list of executable files created by trusted updaters is migrated as well.
Save your changes.

Page top

[Topic 128032]

Adding a trigger condition for an Application Control rule

To add a new trigger condition for an Application Control rule:

In the lower part of the main application window, click the button.
In the application settings window, select Protection → Security Controls → Application Control.
Click the Blocked applications or Allowed applications button.
This opens the list of Application Control rules.
Select the rule for which you want to configure a trigger condition.
The Application Control rule properties open.
Select the Conditions tab or Exclusions tab and click the Add button.
Select the trigger conditions for the Application Control rule:
- Conditions from properties of started applications. In the list of running applications, you can select the applications to which the Application Control rule will be applied. Kaspersky Endpoint Security also lists applications that were previously running on the computer. You need to select the criterion that you want to use to create one or multiple rule trigger conditions: File hash code, Certificate, KL category, Metadata or Folder path.
- Conditions "KL category". A KL category is a list of applications that have shared theme attributes. The list is maintained by Kaspersky experts. For example, the KL category of "Office applications" includes applications from the Microsoft Office suite, Adobe Acrobat, and others.
- Custom condition. You can select the application file and select one of the rule trigger conditions: File hash code, Certificate, Metadata or Path to file or folder.
- Condition by file drive (removable drive). The Application Control rule is applied only to files that are run on a removable drive.
- Conditions from properties of files in the specified folder. The Application Control rule is applied only to files that reside within the specified folder. You can also include or exclude files from subfolders. You need to select the criterion that you want to use to create one or multiple rule trigger conditions: File hash code, Certificate, KL category, Metadata or Folder path.
Save your changes.

When adding conditions, please take into account the following special considerations for Application Control:

Kaspersky Endpoint Security does not support an MD5 file hash and does not control startup of applications based on an MD5 hash. An SHA256 hash is used as a rule trigger condition.
It is not recommended to use only the Issuer and Subject criteria as rule trigger conditions. Use of these criteria is unreliable.
If you are using a symbolic link in the Path to file or folder field, you are advised to resolve the symbolic link for correct operation of the Application Control rule. To do so, click the Resolve symbolic link button.

Page top

[Topic 128033]

Changing the status of an Application Control rule

To change the status of an Application Control rule:

In the lower part of the main application window, click the button.
In the application settings window, select Protection → Security Controls → Application Control.
Click the Blocked applications or Allowed applications button.
This opens the list of Application Control rules.
In the Status column, open the context menu and select one of the following:
- On. This status means that the rule is used when the Application Control component is running.
- Off. This status means that the rule is ignored when the Application Control component is running.
- Testing. This status means that Kaspersky Endpoint Security always allows the startup of applications to which this rule applies but logs information about the startup of such applications in the report.
Save your changes.

Page top

[Topic 130535]

Managing Application Control rules in Kaspersky Security Center

Rule-triggering conditions

The following types of conditions are used in rules:

Inclusion conditions. Kaspersky Endpoint Security applies the rule to the application if the application matches at least one of the inclusion conditions.
Exclusion conditions. Kaspersky Endpoint Security does not apply the rule to the application if the application matches at least one of the exclusion conditions and does not match any of the inclusion conditions.

Rule-triggering conditions are created using criteria. The following criteria are used to create rules in Kaspersky Endpoint Security:

Path to the folder containing the executable file of the application or path to the executable file of the application.
Metadata: application executable file name, application executable file version, application name, application version, application vendor.
Hash of the executable file of the application.
Certificate: issuer, subject, thumbprint.
Inclusion of the application in a KL category.
Location of the application executable file on a removable drive.

Decisions made by the Application Control component when a rule is triggered

If a rule does not specify those users allowed to start applications satisfying the rule, this rule is called a block rule.

If a rule that does not specify any users who are not allowed to start applications that match the rule, this rule is called an allow rule.

Operating status of a rule

Application Control rules can have one of the following operating statuses:

On. This status means that the rule is used when Application Control is in operation.
Off. This status means that the rule is ignored when Application Control is in operation.

Test. This status signifies that Kaspersky Endpoint Security allows the startup of applications to which the rules apply but logs information about the startup of such applications in the report.

In this section

Receiving information about the applications that are installed on users' computers

Creating application categories

Adding executable files from the Executable files folder to the application category

Adding and modifying an Application Control rule using Kaspersky Security Center

Changing the status of an Application Control rule via Kaspersky Security Center

Exporting and importing Application Control rules

Testing Application Control rules using Kaspersky Security Center

Viewing events resulting from test operation of the Application Control component

Viewing a report on blocked applications in test mode

Viewing events resulting from operation of the Application Control component

Viewing a report on blocked applications

Page top

[Topic 130536]

Receiving information about the applications that are installed on users' computers

To create optimal Application Control rules, it is recommended to first get a picture of the applications that are used on computers on the corporate LAN. To do this, you can obtain the following information:

Vendors, versions, and localizations of applications used on the corporate LAN.
Frequency of application updates.
Application usage policies adopted in the company (this may be security policies or administrative policies).
Storage location of application distribution packages.

Information about applications that are used on corporate LAN computers is available in the Applications registry folder and in the Executable files folder. The Applications registry folder and the Executable files folder are located in the Application management folder in the Kaspersky Security Center Administration Console tree.

The Applications registry folder contains the list of applications that were detected by

Network Agent

which is installed on the client computer.

The Executable files folder contains a list of all executable files that have ever been started on client computers or that were detected during the inventory task of Kaspersky Endpoint Security.

To view general information about the application and its executable files, and the list of computers on which an application is installed, open the properties window of an application that is selected in the Applications registry folder or in the Executable files folder.

To open the application properties window in the Applications registry folder:

Open the Kaspersky Security Center Administration Console.
In the Administration Console tree, select Additional → Application management → Applications registry.
Select an application.
In the context menu of the application, select Properties.

To open the properties window for an executable file in the Executable files folder:

Open the Kaspersky Security Center Administration Console.
In the Administration Console tree, select the Additional → Application management → Executable files folder.
Select an executable file.
In the context menu of the executable file, select Properties.

Page top

[Topic 130537]

Creating application categories

For more convenience when creating Application Control rules, you can create application categories.

It is recommended to create a "Work applications" category that covers the standard set of applications that are used at the company. If different user groups use different sets of applications in their work, a separate application category can be created for each user group.

To create an application category:

Open the Kaspersky Security Center Administration Console.
In the Administration Console tree, select the Additional → Application management → Application categories folder.
Click the Create a category button in the workspace.
The user category creation wizard starts.
Follow the instructions of the user category creation wizard.

Step 1. Selecting the category type

At this step, select one of the following types of application categories:

Category with content added manually. If you selected this type of category, at the "Configuring the conditions for including applications in a category" step and the "Configuring the conditions for excluding applications from a category" step, you will be able to define the criteria whereby executable files will be included into the category.
Category which includes executable files from selected devices. If you selected this type of category, at the "Settings" step you will be able to specify a computer whose executable files will be automatically included in the category.
Category that includes executable files from a specific folder. If you selected this type of category, at the "Repository folder" step you will be able to specify a folder from which executable files will be automatically included in the category.

When creating a category with content added automatically, Kaspersky Security Center performs inventory on files with the following formats: EXE, COM, DLL, SYS, BAT, PS1, CMD, JS, VBS, REG, MSI, MSC, CPL, HTML, HTM, DRV, OCX, and SCR.

Step 2. Entering a user category name

At this step, specify a name for the application category.

Step 3. Configuring the conditions for including applications in a category

This step is available if you selected the Category with content added manually category type.

At this step, in the Add drop-down list, select the conditions for including applications into the category:

From the list of executable files. Add applications from the list of executable files on the client device to the custom category.
From file properties. Specify detailed data of executable files as a condition for adding applications to the custom category.
Metadata from files in folder. Select a folder on the client device that contains executable files. Kaspersky Security Center will indicate the metadata of these executable files as a condition for adding applications to the custom category.
Checksums of files in folder. Select a folder on the client device that contains executable files. Kaspersky Security Center will indicate the hashes of these executable files as a condition for adding applications to the custom category.
Certificates for files from folder. Select a folder on the client device that contains executable files signed with certificates. Kaspersky Security Center will indicate the certificates of these executable files as a condition for adding applications to the custom category.
It is not recommended to use conditions whose properties do not have the Certificate thumbprint parameter specified.
MSI installer files metadata. Select the MSI package. Kaspersky Security Center will indicate the metadata of executable files packed in this MSI package as a condition for adding applications to the custom category.
Checksums of files from MSI installer of the application. Select the MSI package. Kaspersky Security Center will indicate the hashes of executable files packed in this MSI package as a condition for adding applications to the custom category.
KL category. Specify a KL category as a condition for adding applications to the custom category. A KL category is a list of applications that have shared theme attributes. The list is maintained by Kaspersky experts. For example, the KL category known as "Office applications" includes applications from the Microsoft Office suite, Adobe Acrobat, and others.
You can select all KL categories to generate an extended list of trusted applications.
Path to application. Select a folder on the client device. Kaspersky Security Center will add executable files from this folder to the custom category.
Certificates from certificate repository. Select certificates that were used to sign executable files as a condition for adding applications to the custom category.
It is not recommended to use conditions whose properties do not have the Certificate thumbprint parameter specified.
Drive type. Specify the type of storage device (all hard drives and removable drives, or only removable drives) as a condition for adding applications to the custom category.

Step 4. Configuring the conditions for excluding applications from a category

This step is available if you selected the Category with content added manually category type.

Applications specified at this step are excluded from the category even if these applications were specified at the "Configuring the conditions for including applications in a category" step.

At this step, in the Add drop-down list, select conditions for excluding applications from the category:

From the list of executable files. Add applications from the list of executable files on the client device to the custom category.
From file properties. Specify detailed data of executable files as a condition for adding applications to the custom category.
Metadata from files in folder. Select a folder on the client device that contains executable files. Kaspersky Security Center will indicate the metadata of these executable files as a condition for adding applications to the custom category.
Checksums of files in folder. Select a folder on the client device that contains executable files. Kaspersky Security Center will indicate the hashes of these executable files as a condition for adding applications to the custom category.
Certificates for files from folder. Select a folder on the client device that contains executable files signed with certificates. Kaspersky Security Center will indicate the certificates of these executable files as a condition for adding applications to the custom category.
MSI installer files metadata. Select the MSI package. Kaspersky Security Center will indicate the metadata of executable files packed in this MSI package as a condition for adding applications to the custom category.
Checksums of files from MSI installer of the application. Select the MSI package. Kaspersky Security Center will indicate the hashes of executable files packed in this MSI package as a condition for adding applications to the custom category.
KL category. Specify a KL category as a condition for adding applications to the custom category. A KL category is a list of applications that have shared theme attributes. The list is maintained by Kaspersky experts. For example, the KL category known as "Office applications" includes applications from the Microsoft Office suite, Adobe Acrobat, and others.
You can select all KL categories to generate an extended list of trusted applications.
Path to application. Select a folder on the client device. Kaspersky Security Center will add executable files from this folder to the custom category.
Certificates from certificate repository. Select certificates that were used to sign executable files as a condition for adding applications to the custom category.
Drive type. Specify the type of storage device (all hard drives and removable drives, or only removable drives) as a condition for adding applications to the custom category.

Step 5. Settings

This step is available if you selected the Category which includes executable files from selected devices category type.

At this step, click the Add button and specify the computers whose executable files will be added to the application category by Kaspersky Security Center. All executable files from the specified computers presented in the Executable files folder will be added to the application category by Kaspersky Security Center.

At this step, you can also configure the following settings:

Algorithm for hash function calculation by Kaspersky Security Center. To select an algorithm, you must select at least one of the following check boxes:
- Calculate SHA-256 for files in this category (supported by Kaspersky Endpoint Security 10 Service Pack 2 for Windows and any later versions).
- Calculate MD5 for files in this category (supported by versions earlier than Kaspersky Endpoint Security 10 Service Pack 2 for Windows).
Synchronize data with the Administration Server repository check box. Select this check box if you want Kaspersky Security Center to periodically clear the application category and add to it all executable files from the specified computers presented in the Executable files folder.
If the Synchronize data with the Administration Server repository check box is cleared, Kaspersky Security Center will not make any modifications to an application category after it is created.
Scan period (h) field. In this field, you can specify the period of time (in hours) after which Kaspersky Security Center clears the application category and adds to it all executable files from the specified computers presented in the Executable files folder.
The field is available if the Synchronize data with the Administration Server repository check box is selected.

Step 6. Repository folder

This step is available if you selected the Category that includes executable files from a specific folder category type.

At this step, click the Browse button and specify the folder in which Kaspersky Security Center will search for executable files to automatically add applications to the application category.

At this step, you can also configure the following settings:

Include dynamic-link libraries (DLL) in this category check box. Select this check box if you want dynamic-link libraries (DLL files) to be included in the application category.
Including DLL files in the application category may reduce the performance of Kaspersky Security Center.
Include script data in this category check box. Select this check box if you want scripts to be included in the application category.
Including scripts in the application category may reduce the performance of Kaspersky Security Center.
Algorithm for hash function calculation by Kaspersky Security Center. To select an algorithm, you must select at least one of the following check boxes:
- Calculate SHA-256 for files in this category (supported by Kaspersky Endpoint Security 10 Service Pack 2 for Windows and any later versions).
- Calculate MD5 for files in this category (supported by versions earlier than Kaspersky Endpoint Security 10 Service Pack 2 for Windows).
Force folder scan for changes check box. Select this check box if you want Kaspersky Security Center to periodically search for executable files in the folder used for automatically adding to the application category.
If the Force folder scan for changes check box is cleared, Kaspersky Security Center searches for executable files in the folder used for automatically adding to the application category only if changes have been made in the folder, files have been added to it or deleted from it.
Scan period (h) field. In this field, you can specify the time interval (in hours) after which Kaspersky Security Center will search for executable files in the folder used for automatically adding to the application category.
This field is available if the Force folder scan for changes check box is selected.

Step 7. Creating a custom category

To exit the Application Setup Wizard, click the Finish button.

Page top

[Topic 166751]

Adding executable files from the Executable files folder to the application category

In the Executable files folder the list of executable files detected on computers is displayed. Kaspersky Endpoint Security generates a list of executable files after executing the Inventory task.

To add executable files from the Executable files folder to the application category:

Open the Kaspersky Security Center Administration Console.
In the Administration Console tree, select Additional → Application management → Executable files folder.
In the workspace, select the executable files that you want to add to the application category.
Right-click to open the context menu for the selected executable files and select Add to category.
The Select application category window opens.
In the Select application category window:
- In the upper part of the window, choose one of the following options:
  - Create category of applications. Choose this option if you want to create a new application category and add executable files to it.
  - Add rules to specified category. Choose this option if you want to select an existing application category and add executable files to it.
- In the Rule type section, choose one of the following options:
  - Add to inclusion rules. Select this option if you want to create a condition that adds executable files to the application category.
  - Add to exclusion rules. Select this option if you want to create a condition that excludes executable files from the application category.
- In the File info type section, choose one of the following options:
  - Certificate data (or SHA-256 for files without a certificate).
  - Certificate data (files without a certificate will be skipped).
  - Only SHA-256 (files without SHA-256 will be skipped).
  - MD5 (discontinued mode, only for Kaspersky Endpoint Security 10 Service Pack 1).
Click OK.

Page top

[Topic 166737]

Adding event-related executable files to the application category

To add executable files related to Application Control events to the application category:

Open the Kaspersky Security Center Administration Console.
In the Administration Server node of the Administration Console tree, select the Events tab.
Choose a selection of events related to operation of the Application Control component (Viewing events resulting from operation of the Application Control component, Viewing events resulting from test operation of the Application Control component) in the Selection events drop-down list.
Click the Run selection button.
Select the events whose associated executable files you want to add to the application category.
Right-click to open the context menu for the selected events and select Add to category.
The Select application category window opens.
In the Select application category window:
- In the upper part of the window, choose one of the following options:
  - Create category of applications. Choose this option if you want to create a new application category and add executable files to it.
  - Add rules to specified category. Choose this option if you want to select an existing application category and add executable files to it.
- In the Rule type section, choose one of the following options:
  - Add to inclusion rules. Select this option if you want to create a condition that adds executable files to the application category.
  - Add to exclusion rules. Select this option if you want to create a condition that excludes executable files from the application category.
- In the File info type section, choose one of the following options:
  - Certificate data (or SHA-256 for files without a certificate).
  - Certificate data (files without a certificate will be skipped).
  - Only SHA-256 (files without SHA-256 will be skipped).
  - MD5 (discontinued mode, only for Kaspersky Endpoint Security 10 Service Pack 1).
Click OK.

Page top

[Topic 130538]

Adding and modifying an Application Control rule using Kaspersky Security Center

To add or modify an Application Control rule using Kaspersky Security Center:

Open the Kaspersky Security Center Administration Console.
In the Managed devices folder in the Administration Console tree, open the folder with the name of the administration group to which the relevant client computers belong.
In the workspace, select the Policies tab.
Select the necessary policy and double-click to open the policy properties.
In the policy window, select Security Controls → Application Control.
In the right part of the window, the settings of the Application Control component are displayed.
Do one of the following:
- To add a rule, click the Add button.
- If you want to edit an existing rule, select it in the list of rules and click the Edit button.
The Application Control rule window opens.
Do one of the following:
- If you want to create a new category:
  1. Click the Create a category button.
    The user category creation wizard starts.
  2. Follow the instructions of the user category creation wizard.
  3. In the Category drop-down list, select the created application category.
- If you want to edit an existing category:
  1. In the Category drop-down list, select the created application category that you want to edit.
  2. Click the Properties button.
    The Properties: <Category name> window opens.
  3. Modify the settings of the selected application category.
  4. Click OK.
  5. In the Category drop-down list, select the created application category based on which you want to create a rule.
In the Subjects and their rights table, click the Add button.
The standard Microsoft Windows Select Users or Groups window opens.
In the Select Users or Groups window, specify the list of users and/or user groups for which you want to configure permission to start applications from the selected category.
In the Subjects and their rights table:
- If you want to allow users and/or groups of users to start applications that belong to the selected category, select the Allow check box in the relevant rows.
- If you want to block users and/or groups of users from starting applications that belong to the selected category, select the Deny check box in the relevant rows.
Select the Deny for other users check box if you want all users that do not appear in the Subject column and that are not part of the group of users specified in the Subject column to be blocked from starting applications that belong to the selected category.
If you want Kaspersky Endpoint Security to consider applications included in the selected application category as trusted updaters allowed to create other executable files that will be subsequently allowed to run, select the Trusted Updaters check box.
When Kaspersky Endpoint Security settings are migrated, the list of executable files created by trusted updaters is migrated as well.
Save your changes.

Page top

[Topic 123489]

Changing the status of an Application Control rule via Kaspersky Security Center

To change the status of an Application Control rule:

Open the Kaspersky Security Center Administration Console.
In the Managed devices folder in the Administration Console tree, open the folder with the name of the administration group to which the relevant client computers belong.
In the workspace, select the Policies tab.
Select the necessary policy and double-click to open the policy properties.
In the policy window, select Security Controls → Application Control.
In the right part of the window, the settings of the Application Control component are displayed.
In the Status column, left-click to display the context menu and select one of the following:
- On. This status means that the rule is used when Application Control is in operation.
- Off. This status means that the rule is ignored when Application Control is in operation.
- Test. This status means that Kaspersky Endpoint Security always allows the startup of applications to which the rule applies but logs information about the startup of such applications in the report.
  You can use the Test status to assign the action equivalent to the Test rules option for a portion of rules when the Apply rules option is selected in the Action drop-down list.
Save your changes.

Page top

[Topic 202095]

Exporting and importing Application Control rules

You can export the list of Application Control rules to an XML file. You can use the export/import function to back up the list of Application Control rules or to migrate the list to a different server.

When exporting and importing Application Control rules, please keep in mind the following special considerations:

Kaspersky Endpoint Security exports the list of rules only for the active Application Control mode. In other words, if Application Control is operating in denylist mode, Kaspersky Endpoint Security exports rules only for this mode. To export the list of rules for allowlist mode, you need to switch the mode and run the export operation again.
Kaspersky Endpoint Security uses application categories for Application Control rules to work. When migrating the list of Application Control rules to a different server, you also need to migrate the list of application categories. For more details on exporting or importing application categories, please refer to Kaspersky Security Center Help.

How to export and import a list of Application Control rules in the Administration Console (MMC)

Open the Kaspersky Security Center Administration Console.
In the Managed devices folder in the Administration Console tree, open the folder with the name of the administration group to which the relevant client computers belong.
In the workspace, select the Policies tab.
Select the necessary policy and double-click to open the policy properties.
In the policy window, select Security Controls → Application Control.
To export the list of Application Control rules:
1. Select the rules that you want to export. To select multiple ports, use the CTRL or SHIFT keys.
  If you did not select any rule, Kaspersky Endpoint Security will export all rules.
2. Click the Export link.
3. In the window that opens, specify the name of the XML file to which you want to export the list of rules, and select the folder in which you want to save this file.
4. Click the Save button.
  Kaspersky Endpoint Security exports the list of rules to the XML file.
To export a list of Application Control rules:
1. Click the Import link.
  In the window that opens, select the XML file from which you want to import the list of rules.
2. Click the Open button.
  If the computer already has a list of rules, Kaspersky Endpoint Security will prompt you to delete the existing list or add new entries to it from the XML file.
Save your changes.

How to export and import a list of Application Control rules in the Web Console and Cloud Console

In the main window of Web Console, select Devices → Policies and profiles.
Click the name of the Kaspersky Endpoint Security policy for computers on which you want to export or import the list of rules.
The policy properties window opens.
Select the Application settings tab.
Select Security Controls → Application Control.
Click the Rules lists settings link.
Select a list of rules: application denylist or allowlist.
To export the list of Application Control rules:
1. Select the rules that you want to export.
2. Click the Export button.
3. Confirm that you want to export only the selected rules, or export the entire list.
4. Click the Export button.
  Kaspersky Endpoint Security exports the list of rules to an XML file in the default downloads folder.
To export a list of Application Control rules:
1. Click the Import link.
  In the window that opens, select the XML file from which you want to import the list of rules.
2. Click the Open button.
  If the computer already has a list of rules, Kaspersky Endpoint Security will prompt you to delete the existing list or add new entries to it from the XML file.
Save your changes.

Page top

[Topic 165700]

Testing Application Control rules using Kaspersky Security Center

To ensure that Application Control rules do not block applications required for work, it is recommended to enable testing of Application Control rules and analyze their operation after creating new rules. When testing of Application Control rules is enabled, Kaspersky Endpoint Security will not block applications whose startup is forbidden by Application Control, but will instead send notifications about their startup to the Administration Server.

An analysis of the operation of Application Control rules requires a review of the resultant Application Control events that are reported to Kaspersky Security Center. If test mode results in no blocked startup events for all applications required for the work of the computer user, this means that the correct rules were created. Otherwise, you are advised to update the settings of the rules you have created, create additional rules, or delete the existing rules.

By default, Kaspersky Endpoint Security allows the startup of all applications except for applications prohibited by the rules.

To enable or disable testing of Application Control rules in Kaspersky Security Center:

Open the Kaspersky Security Center Administration Console.
In the Managed devices folder in the Administration Console tree, open the folder with the name of the administration group to which the relevant client computers belong.
In the workspace, select the Policies tab.
Select the necessary policy and double-click to open the policy properties.
In the policy window, select Security Controls → Application Control.
In the right part of the window, the settings of the Application Control component are displayed.
In the Control mode drop-down list, select one of the following items:
- Denylist. If this option is selected, Application Control allows all users to start any applications, except in cases that satisfy the conditions of Application Control block rules.
- Allowlist. If this option is selected, Application Control blocks all users from starting any applications, except in cases that satisfy the conditions of Application Control allow rules.
Do one of the following:
- If you want to enable testing of Application Control rules, select the Test rules option in the Action drop-down list.
- If you want to enable Application Control to manage the startup of applications on users' computers, select the Apply rules option in the Action drop-down list.
Save your changes.

Page top

[Topic 165757]

Viewing events resulting from test operation of the Application Control component

To view Application Control testing events received by Kaspersky Security Center:

Open the Kaspersky Security Center Administration Console.
In the Administration Server node of the Administration Console tree, select the Events tab.
Click the Create a selection button.
The Properties: <Selection name> window opens.
Open the Events section.
Click the Clear all button.
In the Events table, select the Application startup prohibited in test mode and Application startup allowed in test mode check boxes.
Click OK.
In the Selection events drop-down list, select the created selection.
Click the Run selection button.

Page top

[Topic 165775]

Viewing a report on blocked applications in test mode

To view the report on blocked applications in test mode:

Open the Kaspersky Security Center Administration Console.
In the Administration Server node of the Administration Console tree, select the Reports tab.
Click the New report template button.
The Report Template Wizard starts.
Follow the instructions of the Report Template Wizard. At the Selecting the report template type step, select Other → Report on blocked applications in test mode.
After you have finished with the New Report Template Wizard, the new report template appears in the table on the Reports tab.
Open the report by double-clicking it.

The report generation process starts. The report is displayed in a new window.

Page top

[Topic 165715]

Viewing events resulting from operation of the Application Control component

To view events resulting from the operation of the Application Control component received by Kaspersky Security Center:

Open the Kaspersky Security Center Administration Console.
In the Administration Server node of the Administration Console tree, select the Events tab.
Click the Create a selection button.
The Properties: <Selection name> window opens.
Open the Events section.
Click the Clear all button.
In the Events table, select the Application startup prohibited check box.
Click OK.
In the Selection events drop-down list, select the created selection.
Click the Run selection button.

Page top

[Topic 165714]

Viewing a report on blocked applications

To view the report on blocked applications:

Open the Kaspersky Security Center Administration Console.
In the Administration Server node of the Administration Console tree, select the Reports tab.
Click the New report template button.
The Report Template Wizard starts.
Follow the instructions of the Report Template Wizard. At the Selecting the report template type step, select Other → Report on blocked applications.
After you have finished with the New Report Template Wizard, the new report template appears in the table on the Reports tab.
Open the report by double-clicking it.

The report generation process starts. The report is displayed in a new window.

Page top

[Topic 133827]

Testing Application Control rules

To enable testing of Application Control rules or to select a blocking action for Application Control:

In the lower part of the main application window, click the button.
In the application settings window, select Protection → Security Controls → Application Control.
This opens the list of Application Control rules.
In the Status column, select Testing.
This status means that Kaspersky Endpoint Security always allows the startup of applications to which this rule applies but logs information about the startup of such applications in the report.
Save your changes.

Kaspersky Endpoint Security will not block applications whose startup is forbidden by the Application Control component, but will send notifications about their startup to the Administration Server.

Page top

[Topic 204231]

Application activity monitor

Application Activity Monitor is a tool designed for viewing information about the activity of applications on a user's computer in real time.

Using the Application Activity Monitor requires installing the Application Control and Host Intrusion Prevention components. If these components are not installed, the Application Activity Monitor section in the main application window is hidden.

To start Application Activity Monitor:

In the main application window, click More Tools → Application Activity Monitor.

The Application Activity window opens. In this window, information about the activity of applications on the user's computer is presented on three tabs:

The All applications tab displays information about all applications installed on the computer.
The Running tab displays information about the computer resource consumption by each application in real time. From this tab, you can also proceed to configure permissions for an individual application.
The Run at startup tab displays the list of applications that are started when the operating system starts.

Page top

[Topic 187478]

Rules for creating name masks for files or folders

A mask of a file or folder name is a representation of the name of a folder or name and extension of a file using common characters.

You can use the following common characters to create a file or folder name mask:

The * (asterisk) character, which takes the place of any set of characters (including an empty set). For example, the C:\*.txt mask will include all paths to files with the txt extension located in folders and subfolders on the (C:) drive.
The ? (question mark) character, which takes the place of any single character, except the \ and / characters (delimiters of the names of files and folders in paths to files and folders). For example, the mask C:\Folder\???.txt will include paths to all files residing in the folder named Folder that have the TXT extension and a name consisting of three characters.

Page top

[Topic 128034]

Editing Application Control message templates

When a user attempts to start an application that is blocked by an Application Control rule, Kaspersky Endpoint Security displays a message stating that the application is blocked from starting. If the user believes that an application was mistakenly blocked from starting, the user can use the link in the message text to send a message to the local corporate network administrator.

Special templates are available for the message that is displayed when an application is blocked from starting and for the message sent to the administrator. You can modify the message templates.

To edit a message template:

In the lower part of the main application window, click the button.
In the application settings window, select Protection → Security Controls → Application Control.
In the Templates block, configure the templates for Application Control messages:
- Blockage. Template of the message that is displayed when an Application Control rule that blocks an application from starting is triggered.
- Message to administrator. Template of the message that a user can send to the corporate LAN administrator if the user believes that an application was blocked by mistake.
Save your changes.

Editing templates of encrypted file access messages

Page top

[Topic 159634]

Best practices for implementing a list of allowed applications

When planning implementation of a list of allowed applications, it is recommended to perform the following actions:

Form the following types of groups:
- User groups. Groups of users for whom you need to allow use of various sets of applications.
- Administration groups. One or multiple groups of computers to which Kaspersky Security Center will apply the list of allowed applications. It is necessary to create multiple groups of computers if different allowlist settings are used for those groups.
Create a list of applications that must be allowed to start.
Prior to creating a list, you are advised to do the following:
1. Run the inventory task.
  Information about the creation, reconfiguration, and startup of an inventory task is available in the Task management section.
2. View the list of executable files.

In this section

Configuring allowlist mode for applications

Testing the allowlist mode

Support for allowlist mode

Page top

[Topic 165718]

Configuring allowlist mode for applications

When configuring the allowlist mode, it is recommended to perform the following actions:

Create application categories containing the applications that must be allowed to start.
You can select one of the following methods for creating application categories:
- Category with content added manually. You can manually add to this category by using the following conditions:
  - File metadata. Kaspersky Security Center adds all executable files accompanied by the specified metadata to the application category.
  - File hash code. Kaspersky Security Center adds all executable files with the specified hash to the application category.
    Use of this condition excludes the capability to automatically install updates because different versions of files will have a different hash.
  - File certificate. Kaspersky Security Center adds all executable files signed with the specified certificate to the application category.
  - KL category. Kaspersky Security Center adds all applications that are in the specified KL category to the application category.
  - Path to application. Kaspersky Security Center adds all executable files from this folder to the application category.
    Use of the Application folder condition may be unsafe because any application from the specified folder will be allowed to start. It is recommended to apply rules that use the application categories with the Application folder condition only to those users for whom the automatic installation of updates must be allowed.
- Category that includes executable files from a specific folder. You can specify a folder from which executable files will be automatically assigned to the created application category.
- Category which includes executable files from selected devices. You can specify a computer for which all executable files will be automatically assigned to the created application category.
  When using this method of creating application categories, Kaspersky Security Center receives information about applications on the computer from the Executable files folder.
Select the allowlist mode for the Application Control component.
Create Application Control rules using the created application categories.
The Golden Image rule and Trusted Updaters rule are initially defined for Allowlist mode. These Application Control rules correspond to KL categories. The "Golden Image" KL category includes programs that ensure normal operation of the operating system. The "Trusted Updaters" KL category includes updaters for the most reputable software vendors. You cannot delete these rules. The settings of these rules cannot be edited. By default, the Golden Image rule is enabled and the Trusted Updaters rule is disabled. All users are allowed to start applications that match the trigger conditions of these rules.

Golden Image
Determine the applications for which automatic installation of updates must be allowed.
You can allow automatic installation of updates in one of the following ways:
- Specify an extended list of allowed applications by allowing the startup of all applications that belong to any KL category.
- Specify an extended list of allowed applications by allowing the startup of all applications that are signed with certificates.
  To allow the startup of all applications signed with certificates, you can create a category with a certificate-based condition that uses only the Subject parameter with the value *.
- For the Application control rule, select the Trusted Updaters parameter. If this check box is selected, Kaspersky Endpoint Security considers the applications included in the rule as Trusted Updaters. Kaspersky Endpoint Security allows the startup of applications that have been installed or updated by applications included in the rule, provided that no blocking rules are applied to those applications.
  When Kaspersky Endpoint Security settings are migrated, the list of executable files created by trusted updaters is migrated as well.
- Create a folder and place within it the executable files of applications for which you want to allow automatic installation of updates. Then create an application category with the "Application folder" condition and specify the path to that folder. Then create an allow rule and select this category.
  Use of the Application folder condition may be unsafe because any application from the specified folder will be allowed to start. It is recommended to apply rules that use the application categories with the Application folder condition only to those users for whom the automatic installation of updates must be allowed.

Page top

[Topic 165699]

Testing the allowlist mode

To ensure that Application Control rules do not block applications required for work, it is recommended to enable testing of Application Control rules and analyze their operation after creating new rules. When testing is enabled, Kaspersky Endpoint Security will not block applications whose startup is forbidden by Application Control rules, but will instead send notifications about their startup to the Administration Server.

When testing the allowlist mode, it is recommended to perform the following actions:

Determine the testing period (ranging from several days to two months).
Enable testing of Application Control rules.
Examine the events resulting from testing the operation of Application Control and reports on blocked applications in test mode to analyze the testing results.
Based on the analysis results, make changes to the allowlist mode settings.
In particular, based on the test results, you can add executable files related to events to an application category.

Page top

[Topic 165710]

Support for allowlist mode

After selecting a blocking action for Application Control, it is recommended to continue supporting allowlist mode by performing the following actions:

Examine the events resulting from the operation of Application Control and reports on blocked runs to analyze the effectiveness of Application Control.
Analyze users' requests to access applications.
Analyze unfamiliar executable files by checking their reputation in Kaspersky Security Network.
Prior to installing updates for the operating system or for software, install those updates on a test group of computers to check how they will be processed by Application Control rules.
Add the necessary applications to categories used in Application Control rules.

Page top

[Topic 45659]

Network ports monitoring

During the operation of Kaspersky Endpoint Security, the Web Control, Mail Threat Protection and Web Threat Protection components monitor data streams that are transmitted via specific protocols and that pass through specific open TCP and UDP ports on user computer. For example, the Mail Threat Protection component analyzes information transmitted via SMTP, while the Web Threat Protection component analyzes information transmitted via HTTP and FTP.

Kaspersky Endpoint Security divides TCP and UDP ports of the user's computer into several groups, depending on the likelihood of their being compromised. Some network ports are reserved for vulnerable services. You are advised to monitor these ports more thoroughly because they have a greater likelihood of being targeted by a network attack. If you use non-standard services that rely on non-standard network ports, these network ports may also be targeted by an attacking computer. You can specify a list of network ports and a list of applications that request network access. These ports and applications then receive special attention from the Mail Threat Protection and Web Threat Protection components during network traffic monitoring.

In this section

Enabling monitoring of all network ports

Creating a list of monitored network ports

Creating a list of applications for which all network ports are monitored

Exporting and importing lists of monitored ports

Page top

[Topic 133786]

Enabling monitoring of all network ports

To enable monitoring of all network ports:

In the lower part of the main application window, click the button.
In the application settings window, select Network settings.
In the Monitored ports section, select the Monitor all network ports option.
Save your changes.

Page top

[Topic 123512]

Creating a list of monitored network ports

To create a list of monitored network ports:

In the lower part of the main application window, click the button.
In the application settings window, select Network settings.
In the Monitored ports section, select Monitor selected network ports only.
Click the Select button.
This opens a list of network ports that are normally used for transmission of email and network traffic. This list of network ports is included in the Kaspersky Endpoint Security package.
Use the toggle in the Status column to enable or disable network port monitoring.
If a network port is not shown in the list of network ports, add it by doing the following:
1. Click the Add button.
2. In the window that opens, enter the network port number and brief description.
3. Set the Active or Inactive status for network port monitoring.
Save your changes.

When the FTP protocol runs in passive mode, the connection can be established via a random network port that is not added to the list of monitored network ports. To protect such connections, enable monitoring of all network ports or configure control of network ports for applications that establish FTP connections.

Page top

[Topic 123454]

Creating a list of applications for which all network ports are monitored

You can create a list of applications for which Kaspersky Endpoint Security monitors all network ports.

We recommend including applications that receive or transmit data via the FTP protocol in the list of applications for which Kaspersky Endpoint Security monitors all network ports.

To create a list of applications for which all network ports are monitored:

In the lower part of the main application window, click the button.
In the application settings window, select Network settings.
In the Monitored ports section, select Monitor selected network ports only.
Select the Monitor all ports for the applications from the list recommended by Kaspersky check box.
If this check box is selected, Kaspersky Endpoint Security monitors all ports for the following applications:
- Adobe Reader.
- Apple Application Support.
- Google Chrome.
- Microsoft Edge.
- Mozilla Firefox.
- Internet Explorer.
- Java.
- mIRC.
- Opera.
- Pidgin.
- Safari.
- Mail.ru Agent.
- Yandex Browser.
Select the Monitor all ports for specified applications check box.
Click the Select button.
This opens a list of applications for which Kaspersky Endpoint Security monitors network ports.
Use the toggle in the Status column to enable or disable network port monitoring.
If an application is not included in the list of applications, add it as follows:
1. Click the Add button.
2. In the window that opens, enter the path to the executable file of the application and a brief description.
3. Set the Active or Inactive status for network port monitoring.
Save your changes.

Page top

[Topic 202192]

Exporting and importing lists of monitored ports

Kaspersky Endpoint Security uses the following lists to monitor network ports: list of network ports and list of applications whose ports are monitored by Kaspersky Endpoint Security. You can export lists of monitored ports to an XML file. Then you can modify the file to, for example, add a large number of ports with the same description. You can also use the export/import function to back up the lists of monitored ports or to migrate the lists to a different server.

How to export and import lists of monitored ports in the Administration Console (MMC)

Open the Kaspersky Security Center Administration Console.
In the Managed devices folder in the Administration Console tree, open the folder with the name of the administration group to which the relevant client computers belong.
In the workspace, select the Policies tab.
Select the necessary policy and double-click to open the policy properties.
In the policy window, select General settings → Network settings.
In the Monitored ports section, select Monitor selected network ports only.
Click the Settings button.
The Network ports window opens. The Network ports window displays a list of network ports that are normally used for transmission of email and network traffic. This list of network ports is included in the Kaspersky Endpoint Security package.
To export the list of network ports:
1. In the list of network ports, select the ports that you want to export. To select multiple ports, use the CTRL or SHIFT keys.
  If you did not select any port, Kaspersky Endpoint Security will export all ports.
2. Click the Export button.
3. In the opened window, enter the name of the XML file to which you want to export the list of network ports, and select the folder in which you want to save this file.
4. Click the Save button.
  Kaspersky Endpoint Security exports the entire list of network ports to the XML file.
To export the list of applications whose ports are monitored by Kaspersky Endpoint Security:
1. Select the Monitor all ports for specified applications check box.
2. In the list of applications, select the applications that you want to export. To select multiple ports, use the CTRL or SHIFT keys.
  If you did not select any application, Kaspersky Endpoint Security will export all applications.
3. Click the Export button.
4. In the window that opens, specify the name of the XML file to which you want to export the list of applications, and select the folder in which you want to save this file.
5. Click the Save button.
  Kaspersky Endpoint Security exports the entire list of applications to the XML file.
To import the list of network ports:
1. In the list of network ports, click the Import button.
  In the window that opens, select the XML file from which you want to import the list of network ports.
2. Click the Open button.
  If the computer already has a list of network ports, Kaspersky Endpoint Security will prompt you to delete the existing list or add new entries to it from the XML file.
To import a list of applications whose ports are monitored by Kaspersky Endpoint Security:
1. In the list of applications, click the Import button.
  In the opened window, select the XML file from which you want to import the list of applications.
2. Click the Open button.
  If the computer already has a list of applications, Kaspersky Endpoint Security will prompt you to delete the existing list or to add new entries to it from the XML file.
Save your changes.

How to export and import lists of monitored ports in the Web Console and Cloud Console

In the main window of Web Console, select Devices → Policies and profiles.
Click the name of the Kaspersky Endpoint Security policy for computers on which you want to export or import lists of monitored ports.
The policy properties window opens.
Select the Application settings tab.
Go to the General settings → Network settings section.
To export the list of network ports:
1. In the Monitored ports section, select Monitor selected network ports only.
2. Click the N ports selected link.
  The Network ports window opens. The Network ports window displays a list of network ports that are normally used for transmission of email and network traffic. This list of network ports is included in the Kaspersky Endpoint Security package.
3. In the list of network ports, select the ports that you want to export.
4. Click the Export button.
5. In the opened window, enter the name of the XML file to which you want to export the list of network ports, and select the folder in which you want to save this file.
6. Click the Save button.
  Kaspersky Endpoint Security exports the entire list of network ports to the XML file.
To export the list of applications whose ports are monitored by Kaspersky Endpoint Security:
1. In the Monitored ports block, select the Monitor all ports for specified applications check box.
2. Click the N applications selected link.
3. In the list of applications, select the applications that you want to export.
4. Click the Export button.
5. In the window that opens, specify the name of the XML file to which you want to export the list of applications, and select the folder in which you want to save this file.
6. Click the Save button.
  Kaspersky Endpoint Security exports the entire list of applications to the XML file.
To import the list of network ports:
1. In the list of network ports, click the Import button.
  In the window that opens, select the XML file from which you want to import the list of network ports.
2. Click the Open button.
  If the computer already has a list of network ports, Kaspersky Endpoint Security will prompt you to delete the existing list or add new entries to it from the XML file.
To import a list of applications whose ports are monitored by Kaspersky Endpoint Security:
1. In the list of applications, click the Import button.
  In the opened window, select the XML file from which you want to import the list of applications.
2. Click the Open button.
  If the computer already has a list of applications, Kaspersky Endpoint Security will prompt you to delete the existing list or to add new entries to it from the XML file.
Save your changes.

Page top

[Topic 207834]

Expanding Threat Protection

In this Help section

Managed Detection and Response

Kaspersky Endpoint Agent

Page top

[Topic 206310]

Managed Detection and Response

The Managed Detection and Response component was added to Kaspersky Endpoint Security version 11.6.0. This component facilitates interaction with the solution known as Kaspersky Managed Detection and Response. Kaspersky Managed Detection and Response (MDR) continuously searches for, detects, and eliminates threats aimed at your organization. For detailed information about how the solution works, please refer to the Kaspersky Managed Detection and Response Help Guide.

When interacting with Kaspersky Managed Detection and Response, the application lets you perform the following functions:

Activate Managed Detection and Response using a BLOB configuration file.
Execute commands from Kaspersky Managed Detection and Response.
Send telemetry data to Kaspersky Managed Detection and Response for threat detection.

Integration with Kaspersky Managed Detection and Response

Integration with Kaspersky Managed Detection and Response consists of the following steps:

Configuring Private Kaspersky Security Network
Skip this step if you are using Kaspersky Security Center Cloud Console. Kaspersky Security Center Cloud Console automatically configures Local Kaspersky Security Network when installing the MDR plug-in.

Private KSN supports data exchange between computers and Kaspersky Security Network dedicated servers, but not Global KSN.

Upload the Kaspersky Security Network configuration file in the Administration Server properties. The Kaspersky Security Network configuration file is located within the ZIP archive of the MDR configuration file. You can obtain the ZIP archive in the Kaspersky Managed Detection and Response Console. For details on configuring Private KSN, please refer to the Kaspersky Security Center Help Guide. You can also upload a Kaspersky Security Network configuration file to the computer from the command line (see the instructions below).

How to configure Private KSN from the command line
1. Run the command line interpreter (cmd.exe) as an administrator.
2. Go to the folder where the Kaspersky Endpoint Security distribution package is located.
3. Run the following command:
  avp.com KSN /private <file name>
  
  <file name> is the name of the configuration file containing Private KSN settings (PKCS7 or PEM file format).
  
  Example:
  
  avp.com KSN /private C:\kpsn_config.pkcs7
As a result, Kaspersky Endpoint Security will use Private KSN to determine the reputation of files, applications, and websites. The policy settings in the Kaspersky Security Network section will show the following operating status: KSN network: Private KSN.

You must enable extended KSN mode for Managed Detection and Response to work.
Activate Managed Detection and Response.
Load the BLOB configuration file in the Kaspersky Endpoint Security policy (see the instructions below). The BLOB file contains the client ID and information about the license for Kaspersky Managed Detection and Response. The BLOB file is located inside the ZIP archive of the MDR configuration file. You can obtain the ZIP archive in the Kaspersky Managed Detection and Response Console. For detailed information about a BLOB file, please refer to the Kaspersky Managed Detection and Response Help Guide.

How to activate Managed Detection and Response in the Administration Console (MMC)
1. Open the Kaspersky Security Center Administration Console.
2. In the Managed devices folder in the Administration Console tree, open the folder with the name of the administration group to which the relevant client computers belong.
3. In the workspace, select the Policies tab.
4. Select the necessary policy and double-click to open the policy properties.
5. In the policy window, select Expanding Threat Protection → Detection and Response.
6. Select the Managed Detection and Response check box.
7. In the Settings block, click Import and select the BLOB file received in the Kaspersky Managed Detection and Response Console. The file has the P7 extension.
8. Save your changes.
How to activate Managed Detection and Response in the Web Console and Cloud Console
1. In the main window of Web Console, select Devices → Policies and profiles.
2. Click the name of the Kaspersky Endpoint Security policy.
  The policy properties window opens.
3. Select the Application settings tab.
4. Select Expanding Threat Protection → Detection and Response.
5. Turn on the Managed Detection and Response toggle.
6. Click Import and select the BLOB file that was obtained in the Kaspersky Managed Detection and Response Console. The file has the P7 extension.
7. Save your changes.
How to activate Managed Detection and Response from the command line
1. Run the command line interpreter (cmd.exe) as an administrator.
2. Go to the folder where the Kaspersky Endpoint Security distribution package is located.
3. Run the following command:
  - If the application settings are not password protected:
    avp.com MDRLICENSE /ADD <file name>
    
    <file name> is the name of the BLOB configuration file for activating Managed Detection and Response (P7 file format).
  - If the application settings are password protected:
    avp.com MDRLICENSE /ADD <file name> /login=<user name> /password=<password>
As a result, Kaspersky Endpoint Security will verify the BLOB file. BLOB file verification includes checking the digital signature and the license term. If the BLOB file is successfully verified, Kaspersky Endpoint Security will upload the file and send the file to the computer during the next synchronization with Kaspersky Security Center. Check the operating status of the component by viewing the Application components status report. You can also view the operating status of a component in reports in the local interface of Kaspersky Endpoint Security. The Managed Detection and Response component will be added to the list of Kaspersky Endpoint Security components.

You must enable the following components for Managed Detection and Response to work:
- Kaspersky Security Network (extended mode).
- Behavior Detection.
Enabling these components is non-optional. Otherwise Kaspersky Managed Detection and Response cannot function because it does not receive required telemetry data.

In addition, Kaspersky Managed Detection and Response uses data received from other application components. Enabling those components is optional. Components that provide additional data include:

Migration from Kaspersky Endpoint Agent to Kaspersky Endpoint Security for Windows

Kaspersky Endpoint Security version 11 and later supports the MDR solution. Kaspersky Endpoint Security versions 11 – 11.5.0 only sends telemetry data to Kaspersky Managed Detection and Response to enable threat detection. Kaspersky Endpoint Security version 11.6.0 has all the functionality of the built-in agent (Kaspersky Endpoint Agent).

If you are using Kaspersky Endpoint Security 11 – 11.5.0, you must update databases to the latest version to work with the MDR solution. You must also install Kaspersky Endpoint Agent.

If you are using Kaspersky Endpoint Security 11.6.0 or later, to work with the MDR solution, you must select the Managed Detection and Response component when installing the application. In this case, you do not need to install Kaspersky Endpoint Agent.

To migrate from Kaspersky Endpoint Agent to Kaspersky Endpoint Security for Windows:

Configure integration with Kaspersky Managed Detection and Response in the Kaspersky Endpoint Security policy.
Disable the Managed Detection and Response component in the Kaspersky Endpoint Agent policy.

If the Kaspersky Endpoint Security policy also applies to computers that do not have Kaspersky Endpoint Security 11 – 11.5.0 installed, you must first create a separate Kaspersky Endpoint Agent policy for those computers. In the new policy, configure integration with Kaspersky Managed Detection and Response.

Page top

[Topic 190287]

Kaspersky Endpoint Agent

Kaspersky Endpoint Agent supports interaction between the application and other Kaspersky solutions for detecting advanced threats (e.g. Kaspersky Sandbox). Kaspersky solutions are compatible with specific versions of Kaspersky Endpoint Agent.

For complete information about the Kaspersky Endpoint Agent for Windows included in the software solution you are using, and for complete information about the standalone solution, please refer to the Help Guide of the relevant product:

Kaspersky Anti Targeted Attack Platform Help Guide
Kaspersky Sandbox Help Guide
Kaspersky Endpoint Detection and Response Optimum Help Guide
Kaspersky Managed Detection and Response Help Guide

Kaspersky Endpoint Agent is included in the Kaspersky Endpoint Security distribution kit. You can install Kaspersky Endpoint Agent during installation of Kaspersky Endpoint Security. To do so, you must select the Endpoint Agent component during installation of the application (for example, in the installation package). After installing the application with Endpoint Agent, Kaspersky Endpoint Security and Kaspersky Endpoint Agent will be added to the list of installed applications. After uninstalling Kaspersky Endpoint Security, Kaspersky Endpoint Agent will also be uninstalled automatically.

Page top

[Topic 187503]

Wipe Data

Kaspersky Endpoint Security lets you use a task to remotely delete data from users' computers.

Kaspersky Endpoint Security deletes data as follows:

In silent mode;
On hard drives and removable drives;
For all user accounts on the computer.

Kaspersky Endpoint Security performs the Wipe data task no matter which licensing type is being used, even after the license has expired.

Data Wipe modes

This task enables you to delete data in the following modes:

Immediate data deletion.
In this mode, you can, for example, delete outdated data to free up disk space.
Postponed data deletion.
This mode is intended, for example, to protect data on a laptop in case it is lost or stolen. You can configure automatic data deletion if the laptop goes outside the boundaries of the corporate network and has not been synchronized with Kaspersky Security Center in a long time.

It is not possible to set a schedule for deleting data in task properties. You can only delete data immediately after starting the task manually, or configure delayed data deletion if there is no connection with Kaspersky Security Center.

Limitations

Data Wipe has the following limitations:

Only a Kaspersky Security Center administrator can manage the Wipe data task. You cannot configure or start a task in the local interface of Kaspersky Endpoint Security.
For the NTFS file system, Kaspersky Endpoint Security deletes only the names of the main data streams. Alternate data stream names cannot be deleted.
When you delete a symbolic link file, Kaspersky Endpoint Security also deletes the files whose paths are specified in the symbolic link.

Creating a Wipe data task

To delete data on users' computers:

In the main window of Web Console, select Devices → Tasks.
The list of tasks opens.
Click the Add button.
The Task Wizard starts.
Configure the task settings:
1. In the Application drop-down list, select Kaspersky Endpoint Security for Windows (11.6.0).
2. In the Task type drop-down list, select Wipe data.
3. In the Task name field, enter a brief description, for example, Wipe data (Anti-Theft).
4. In the Select devices to which the task will be assigned section, select the task scope.
Select devices according to the selected task scope option. Click the Next button.
If new computers are added to an administration group within the task scope, the immediate data deletion task is run on the new computers only if the task is completed within 5 minutes of the addition of the new computers.
Finish the wizard by clicking the Finish button.
A new task will be displayed in the list of tasks.
Click the Wipe data task of Kaspersky Endpoint Security.
The task properties window opens.
Select the Application settings tab.
Select the data deletion method:
- Delete by means of the operating system. Kaspersky Endpoint Security uses the operating system resources to delete files without sending them to the recycle bin.
- Delete completely, no recovery possible. Kaspersky Endpoint Security overwrites files with random data. It is practically impossible to restore data after it is deleted.
If you want to postpone data deletion, select the Automatically delete data if there is no connection to Kaspersky Security Center for more than N days check box. Define the number of days.
The postponed data deletion task will be performed each time that a connection with Kaspersky Security Center is absent for the defined period of time.

When configuring postponed data deletion, bear in mind that employees may turn off their computer before going on vacation. In this case, the absent connection term may be exceeded and data will be deleted. Also consider the work schedule of offline users. For more details about working with offline computers and out-of-office users, refer to Kaspersky Security Center Help.

If the check box is cleared, the task will be performed immediately after synchronization with Kaspersky Security Center.
Create a list of objects to delete:
- Folders. Kaspersky Endpoint Security deletes all files in the folder, and its subfolders. Kaspersky Endpoint Security does not support masks and environment variables for entering a folder path.
- Files by extension. Kaspersky Endpoint Security searches for files with the specified extensions on all computer drives, including removable drives. Use the ";" or "," characters to specify multiple extensions.
- Predefined folders. Kaspersky Endpoint Security will delete files from the following areas:
  - Documents. Files in the standard Documents folder of the operating system, and its subfolders.
  - Cookies. Files in which the browser saves data from the websites visited by the user (such as user authorization data).
  - Desktop. Files in the standard Desktop folder of the operating system, and its subfolders.
  - Temporary Internet Explorer files. Temporary files related to the operation of Internet Explorer, such as copies of web pages, images, and media files.
  - Temporary files. Temporary files related to the operation of applications installed on the computer. For example, Microsoft Office applications create temporary files containing backup copies of documents.
  - Outlook files. Files related to the operation of the Outlook mail client: data files (PST), offline data files (OST), offline address book files (OAB), and personal address book files (PAB).
  - User profile. Set of files and folders that store operating system settings for the local user account.
You can create a list of objects to delete on each tab. Kaspersky Endpoint Security will create a consolidated list and delete files from this list when a task is complete.

You cannot delete files that are required for operation of Kaspersky Endpoint Security.
Click the Save button.
Select the check box next to the task.
Click the Run button.

As a result, data on users' computers will be deleted according to the selected mode: immediate or when a connection is absent. If Kaspersky Endpoint Security cannot delete a file, such as when a user is currently using a file, the application does not attempt to delete it again. To complete data deletion, run the task again.

Page top

[Topic 41045]

Password protection

Multiple users with different levels of computer literacy can share a computer. If users have unrestricted access to Kaspersky Endpoint Security and its settings, the overall level of computer protection may be reduced. Password protection lets you restrict users' access to Kaspersky Endpoint Security according to the permissions granted to them (for example, permission to exit the application).

If the user that started the Windows session (session user) has the permission to perform the action, Kaspersky Endpoint Security does not request the user name and password or a temporary password. The user receives access to Kaspersky Endpoint Security in accordance with the granted permissions.

If a session user does not have the permission to perform an action, the user can obtain access to the application in the following ways:

Enter a user name and password.
This method is suitable for day-to-day operations. To perform a password-protected action, you must enter the domain account credentials of the user with the required permission. In this case, the computer must be in that domain. If the computer is not in the domain, you can use the KLAdmin account.
Enter a temporary password.
This method is suitable for granting temporary permissions to perform blocked actions (for example, exiting the application) to users outside the corporate network. When a temporary password expires or a session ends, Kaspersky Endpoint Security reverts its settings to their previous state.

When a user attempts to perform a password-protected action, Kaspersky Endpoint Security prompts the user for the user name and password or temporary password (see the figure below).

Kaspersky Endpoint Security access password prompt

User name and password

To access Kaspersky Endpoint Security, you must enter your domain account credentials. Password protection supports the following accounts:

KLAdmin. An Administrator account with unrestricted access to Kaspersky Endpoint Security. The KLAdmin account has the right to perform any action that is password-protected. The permissions for the KLAdmin account cannot be revoked. When you enable password protection, Kaspersky Endpoint Security prompts you to set a password for the KLAdmin account.
The Everyone group. A built-in Windows group that includes all users within the corporate network. Users in the Everyone group can access the application according to the permissions that are granted to them.
Individual users or groups. User accounts for which you can configure individual permissions. For example, if an action is blocked for the Everyone group, you can allow this action for an individual user or a group.
Session user. Account of the user who started the Windows session. You can switch to another session user when prompted for a password (the Save password for current session check box). In this case, Kaspersky Endpoint Security regards the user whose account credentials were entered as the session user instead of the user who started the Windows session.

Temporary password

A temporary password can be used to grant temporary access to Kaspersky Endpoint Security for an individual computer outside of the corporate network. The Administrator generates a temporary password for an individual computer in the computer properties in Kaspersky Security Center. The Administrator selects the actions that will be protected with the temporary password, and specifies the temporary password's validity period.

Password protection operating algorithm

Kaspersky Endpoint Security decides whether to allow or block a password-protected action based on the following algorithm (see the figure below).

Password protection operating algorithm

In this section

Enabling Password protection

Granting permissions to individual users or groups

Using a temporary password to grant permissions

Special aspects of Password protection permissions

Page top

[Topic 123303]

Enabling Password protection

Password protection lets you restrict users' access to Kaspersky Endpoint Security according to the permissions granted to them (for example, permission to exit the application).

To enable password protection:

In the lower part of the main application window, click the button.
In the application settings window, select the Interface section.
Use the Password protection toggle to enable or disable the component.
Specify the password for the KLAdmin account and confirm it.
The KLAdmin account has the right to perform any action that is password-protected.

If a computer is running under a policy, the Administrator can reset the password for the KLAdmin account in the policy properties. If the computer is not connected to Kaspersky Security Center and you have forgotten the password for the KLAdmin account, it is not possible to recover the password.
Set permissions for all users within the corporate network:
1. In the Permissions table, click the Edit button to open the list of permissions for the Everyone group.
  The Everyone group is a built-in Windows group that includes all users within the corporate network.
2. Select the check boxes next to the actions that users will be allowed to perform without entering the password.
  If a check box is cleared, the users are blocked from performing the action. For example, if the check box next to the Exit the application permission is cleared, you can exit the application only if you are logged in as KLAdmin, or as an individual user who has the required permission, or if you enter a temporary password.
  
  Password protection permissions have some important aspects to consider. Make sure that all conditions for accessing Kaspersky Endpoint Security are fulfilled.
3. Click the OK button.
Save your changes.

When password protection is enabled, the application will restrict users' access to Kaspersky Endpoint Security according to the permissions granted to the Everyone group. You can perform the actions that are blocked for the Everyone group only if you use the KLAdmin account, another account that is granted the required permissions, or if you enter a temporary password.

You can disable Password protection only if you are logged in as KLAdmin. It is not possible to disable password protection if you are using any other user account or a temporary password.

During the password check, you can select the Save password for current session check box. In this case, Kaspersky Endpoint Security will not prompt for a password when a user attempts to perform another password-protected action for the duration of the session.

Page top

[Topic 177503]

Granting permissions to individual users or groups

You can grant access to Kaspersky Endpoint Security to individual users or groups. For example, if exiting the application is blocked for the Everyone group, you can grant the Exit the application permission to an individual user. As a result, you can exit the application only if you are logged in as that user or as KLAdmin.

You can use account credentials to access the application only if the computer is in the domain. If the computer is not in the domain, you can use the KLAdmin account or a temporary password.

To grant permissions to individual users or groups:

In the lower part of the main application window, click the button.
In the application settings window, select the Interface section.
In the Password protection table, click the Add button.
In the opened window, click the Select user button.
The standard Select Users or Groups dialog opens.
Select a user or a group in Active Directory and confirm your selection.
In the Permissions list, select the check boxes next to the actions that the selected user or group will be allowed to perform without being prompted for a password.
If a check box is cleared, the users are blocked from performing the action. For example, if the check box next to the Exit the application permission is cleared, you can exit the application only if you are logged in as KLAdmin, or as an individual user who has the required permission, or if you enter a temporary password.

Password protection permissions have some important aspects to consider. Make sure that all conditions for accessing Kaspersky Endpoint Security are fulfilled.
Save your changes.

As a result, if access to the application is restricted for the Everyone group, users will be granted permissions to access Kaspersky Endpoint Security according to the users' individual permissions.

Page top

[Topic 131217]

Using a temporary password to grant permissions

A temporary password can be used to grant temporary access to Kaspersky Endpoint Security for an individual computer outside of the corporate network. This is necessary to allow the user to perform a blocked action without obtaining the KLAdmin account credentials. To use a temporary password, the computer must be added to Kaspersky Security Center.

To allow a user to perform a blocked action using a temporary password:

Open the Kaspersky Security Center Administration Console.
In the Managed devices folder in the Administration Console tree, open the folder with the name of the administration group to which the relevant client computers belong.
In the workspace, select the Devices tab.
Double-click to open the computer properties window.
In the computer properties window, select the Applications section.
In the list of Kaspersky applications installed on the computer, select Kaspersky Endpoint Security for Windows and double-click to open the application properties.
In the application settings window, select General settings → Interface.
In the Password protection section, click the Settings button.
The Password protection window opens.
In the Temporary password section, click the Settings button.
The Create temporary password window opens.
In the Expiration date field, specify the expiration date when the temporary password will expire.
In the Temporary password scope table, select the check boxes next to the actions that will be available to the user after entering the temporary password.
Click the Create button.
A window containing the temporary password opens (see the figure below).
Copy the password and provide it to the user.

Temporary password

Page top

[Topic 177506]

Special aspects of Password protection permissions

Password protection permissions have some important aspects and limitations to consider.

Configure application settings

If a user's computer is running under a policy, make sure that all the required settings in the policy are available for editing (the attributes are open).

Exit the application

There are no special considerations or limitations.

Disable protection components

It is not possible to grant the permission to disable protection components for the Everyone group. To allow users other than KLAdmin to disable protection components, add a user or group that has the Disable protection components permission in the Password Protection settings.
If a user's computer is running under a policy, make sure that all the required settings in the policy are available for editing (the attributes are open).
To disable protection components in the application settings, a user must have the Configure application settings permission.
To disable protection components from the context menu (by using the Pause protection menu item), a user must have the Disable control components permission in addition to the Disable protection components permission.

Disable control components

It is not possible to grant the permission to disable control components for the Everyone group. To allow users other than KLAdmin to disable control components, add a user or group that has the Disable control components permission in the Password Protection settings.
If a user's computer is running under a policy, make sure that all the required settings in the policy are available for editing (the attributes are open).
To disable control components in the application settings, a user must have the Configure application settings permission.
To disable control components from the context menu (by using the Pause protection menu item), a user must have the Disable protection components permission in addition to the Disable control components permission.

Disable Kaspersky Security Center policy

You cannot grant the "Everyone" group the permission to disable the Kaspersky Security Center policy. To allow users other than KLAdmin to disable the policy, add a user or a group that has the Disable Kaspersky Security Center policy permission in the Password Protection settings.

Remove key

There are no special considerations or limitations.

Remove / modify / restore the application

If you have allowed removing, modifying, and restoring the application for the "All" group, Kaspersky Endpoint Security does not request a password when the user attempts to carry out these operations. Therefore, any user including users from outside the domain, can install, modify, or restore the application.

Restore access to data on encrypted drives

You can restore access to data on encrypted drives only if you are logged in as KLAdmin. Permission to perform this action cannot be granted to any other user.

View reports

There are no special considerations or limitations.

Restore from Backup

There are no special considerations or limitations.

Page top

[Topic 128135]

Trusted zone

A trusted zone is a system administrator-configured list of objects and applications that Kaspersky Endpoint Security does not monitor when active.

The administrator forms the trusted zone independently, taking into account the features of the objects that are handled and the applications that are installed on the computer. It may be necessary to include objects and applications in the trusted zone when Kaspersky Endpoint Security blocks access to a certain object or application, if you are sure that the object or application is harmless. An administrator can also allow a user to create their own local trusted zone for a specific computer. This way, users can create their own local lists of exclusions and trusted applications in addition to the general trusted zone in a policy.

In this section

Creating a scan exclusion

Enabling and disabling a scan exclusion

Editing the list of trusted applications

Enabling and disabling trusted zone rules for an application in the list of trusted applications

Using trusted system certificate storage

Page top

[Topic 128138]

Creating a scan exclusion

A scan exclusion is a set of conditions that must be fulfilled so that Kaspersky Endpoint Security will not scan a particular object for viruses and other threats.

Scan exclusions make it possible to safely use legitimate software that can be exploited by criminals to damage the computer or user data. Although they do not have any malicious functions, such applications can be exploited by intruders. For details on legitimate software that could be used by criminals to harm the computer or personal data of a user, please visit the website of the Kaspersky IT Encyclopedia.

Such applications may be blocked by Kaspersky Endpoint Security. To prevent them from being blocked, you can configure scan exclusions for the applications in use. To do so, add the name or name mask that is listed in the Kaspersky IT Encyclopedia to the trusted zone. For example, you often use the Radmin application for remote administration of computers. Kaspersky Endpoint Security regards this activity as suspicious and may block it. To prevent the application from being blocked, create a scan exclusion with the name or name mask that is listed in the Kaspersky IT Encyclopedia.

If an application that collects information and sends it to be processed is installed on your computer, Kaspersky Endpoint Security may classify this application as malware. To avoid this, you can exclude the application from scanning by configuring Kaspersky Endpoint Security as described in this document.

Scan exclusions can be used by the following application components and tasks that are configured by the system administrator:

Behavior Detection.
Exploit Prevention.
Host Intrusion Prevention.
File Threat Protection.
Web Threat Protection.
Mail Threat Protection.
Scan tasks.

Kaspersky Endpoint Security does not scan an object if the drive or folder containing this object is included in the scan scope at the start of one of the scan tasks. However, the scan exclusion is not applied when a custom scan task is started for this particular object.

How to create a scan exclusion in the Administration Console (MMC)

Open the Kaspersky Security Center Administration Console.
In the Managed devices folder in the Administration Console tree, open the folder with the name of the administration group to which the relevant client computers belong.
In the workspace, select the Policies tab.
Select the necessary policy and double-click to open the policy properties.
In the policy window, select General settings → Exclusions.
In the Scan exclusions and trusted applications section, click the Settings button.
In the Trusted zone window, select the Scan exclusions tab.
This opens a window containing a list of exclusions.
Select the Merge values when inheriting check box if you want to create a consolidated list of exclusions for all computers in the company. The lists of exclusions in the parent and child policies will be merged. The lists will be merged provided that merging values when inheriting is enabled. Exclusions from the parent policy are displayed in child policies in a read-only view. Changing or deleting exclusions of the parent policy is not possible.
Select the Allow use of local exclusions check box if you want to enable the user to create a local list of exclusions. This way, a user can create their own local list of exclusions in addition to the general list of exclusions generated in the policy. An administrator can use Kaspersky Security Center to view, add, edit, or delete list items in the computer properties.
If the check box is cleared, the user can access only the general list of exclusions generated in the policy. If a local list was generated, after this functionality is disabled Kaspersky Endpoint Security continues excluding the listed files from scans.
Click the Add button.
To exclude a file or folder from scanning:
1. In the Properties section, select the File or folder check box.
2. Click the select file or folder link in the Scan exclusion description section to open the Name of file or folder window.
3. Enter the file or folder name or the mask of the file or folder name, or select the file or folder in the folder tree by clicking Browse.
  Use masks:
  - The * (asterisk) character, which takes the place of any set of characters, except the \ and / characters (delimiters of the names of files and folders in paths to files and folders). For example, the mask C:\*\*.txt will include all paths to files with the TXT extension located in folders on the C: drive, but not in subfolders.
  - Two consecutive * characters take the place of any set of characters (including an empty set) in the file or folder name, including the \ and / characters (delimiters of the names of files and folders in paths to files and folders). For example, the mask C:\Folder\**\*.txt will include all paths to files with the TXT extension located in the folder named Folder and its subfolders. The mask must include at least one nesting level. The mask C:\**\*.txt is not a valid mask.
  - The ? (question mark) character, which takes the place of any single character, except the \ and / characters (delimiters of the names of files and folders in paths to files and folders). For example, the mask C:\Folder\???.txt will include paths to all files residing in the folder named Folder that have the TXT extension and a name consisting of three characters.
4. In the Name of file or folder window, click OK.
  A link to the added file or folder appears in the Scan exclusion description section of the Scan exclusion window.
To exclude objects with a specific name from scanning:
1. In the Properties section, select the Object name check box.
2. Click the enter object name link in the Scan exclusion description section to open the Object name window.
3. Enter the name of the object type according to the classification of the Kaspersky Encyclopedia (for example, Email-Worm, Rootkit or RemoteAdmin).
  You can use masks with the ? character (replaces any single character) and the * character (replaces any number of characters). For example, if the Client* mask is specified, Kaspersky Endpoint Security excludes Client-IRC, Client-P2P and Client-SMTP objects from scans.
4. Click OK in the Object name window.
  A link to the added object name appears in the Scan exclusion description section of the Scan exclusion window.
If you want to exclude an individual file from scans:
1. In the Properties section, select the Object hash check box.
2. Click the object hash entry link to open the Object hash window.
3. Enter the file hash or select the file by clicking the Browse button.
  If the file is modified, the file hash will also be modified. If this happens, the modified file will not be added to exclusions.
4. Click OK in the Object hash window.
  A link to the added object appears in the Scan exclusion description block of the Scan exclusion window.
If necessary, in the Comment field, enter a brief comment on the scan exclusion that you are creating.
Specify the Kaspersky Endpoint Security components that should use the scan exclusion:
1. Click the any link in the Scan exclusion description section to activate the select components link.
2. Click the select components link to open the Protection components window.
3. Select the check boxes opposite the components to which the scan exclusion must be applied.
4. In the Protection components window, click OK.
If the components are specified in the settings of the scan exclusion, this exclusion is applied only during scanning by these components of Kaspersky Endpoint Security.

If the components are not specified in the settings of the scan exclusion, this exclusion is applied during scanning by all components of Kaspersky Endpoint Security.
You can use the check box to stop an exclusion at any time.
Save your changes.

How to create a scan exclusion in the Web Console and Cloud Console

In the main window of Web Console, select Devices → Policies and profiles.
Click the name of the Kaspersky Endpoint Security policy for the computers on which you want to add an exclusion.
The policy properties window opens.
Select the Application settings tab.
Select General settings → Exclusions.
In the Scan exclusions and trusted applications block, click the Scan exclusions link.
Select the Merge values when inheriting check box if you want to create a consolidated list of exclusions for all computers in the company. The lists of exclusions in the parent and child policies will be merged. The lists will be merged provided that merging values when inheriting is enabled. Exclusions from the parent policy are displayed in child policies in a read-only view. Changing or deleting exclusions of the parent policy is not possible.
Select the Allow use of local exclusions check box if you want to enable the user to create a local list of exclusions. This way, a user can create their own local list of exclusions in addition to the general list of exclusions generated in the policy. An administrator can use Kaspersky Security Center to view, add, edit, or delete list items in the computer properties.
If the check box is cleared, the user can access only the general list of exclusions generated in the policy. If a local list was generated, after this functionality is disabled Kaspersky Endpoint Security continues excluding the listed files from scans.
Click the Add button.
Select how you want to add the exclusion: File or folder, Object name or Object hash.
If you want to exclude a file or folder from scans, select the file or folder by clicking the Browse button.
You can also manually enter the path. Kaspersky Endpoint Security supports the * and ? characters when entering a mask:
- The * (asterisk) character, which takes the place of any set of characters, except the \ and / characters (delimiters of the names of files and folders in paths to files and folders). For example, the mask C:\*\*.txt will include all paths to files with the TXT extension located in folders on the C: drive, but not in subfolders.
- Two consecutive * characters take the place of any set of characters (including an empty set) in the file or folder name, including the \ and / characters (delimiters of the names of files and folders in paths to files and folders). For example, the mask C:\Folder\**\*.txt will include all paths to files with the TXT extension located in the folder named Folder and its subfolders. The mask must include at least one nesting level. The mask C:\**\*.txt is not a valid mask.
- The ? (question mark) character, which takes the place of any single character, except the \ and / characters (delimiters of the names of files and folders in paths to files and folders). For example, the mask C:\Folder\???.txt will include paths to all files residing in the folder named Folder that have the TXT extension and a name consisting of three characters.
If you want to exclude a specific type of object from scans, in the Object field enter the name of the object type according to the classification of the Kaspersky Encyclopedia (for example, Email-Worm, Rootkit or RemoteAdmin).
You can use masks with the ? character (replaces any single character) and the * character (replaces any number of characters). For example, if the Client* mask is specified, Kaspersky Endpoint Security excludes Client-IRC, Client-P2P and Client-SMTP objects from scans.
If you want to exclude an individual file from scans, enter the file hash in the File hash field.
If the file is modified, the file hash will also be modified. If this happens, the modified file will not be added to exclusions.
In the Protection components block, select the components that you want the scan exclusion to apply to.
If necessary, in the Comment field, enter a brief comment on the scan exclusion that you are creating.
You can use the toggle to stop an exclusion at any time.
Save your changes.

How to create a scan exclusion in the application interface

In the lower part of the main application window, click the button.
In the application settings window, select Threats and exclusions.
In the Exclusions block, click the Manage exclusions link.
Click the Add button.
If you want to exclude a file or folder from scans, select the file or folder by clicking the Browse button.
You can also manually enter the path. Kaspersky Endpoint Security supports the * and ? characters when entering a mask:
- The * (asterisk) character, which takes the place of any set of characters, except the \ and / characters (delimiters of the names of files and folders in paths to files and folders). For example, the mask C:\*\*.txt will include all paths to files with the TXT extension located in folders on the C: drive, but not in subfolders.
- Two consecutive * characters take the place of any set of characters (including an empty set) in the file or folder name, including the \ and / characters (delimiters of the names of files and folders in paths to files and folders). For example, the mask C:\Folder\**\*.txt will include all paths to files with the TXT extension located in the folder named Folder and its subfolders. The mask must include at least one nesting level. The mask C:\**\*.txt is not a valid mask.
- The ? (question mark) character, which takes the place of any single character, except the \ and / characters (delimiters of the names of files and folders in paths to files and folders). For example, the mask C:\Folder\???.txt will include paths to all files residing in the folder named Folder that have the TXT extension and a name consisting of three characters.
If you want to exclude a specific type of object from scans, in the Object field enter the name of the object type according to the classification of the Kaspersky Encyclopedia (for example, Email-Worm, Rootkit or RemoteAdmin).
You can use masks with the ? character (replaces any single character) and the * character (replaces any number of characters). For example, if the Client* mask is specified, Kaspersky Endpoint Security excludes Client-IRC, Client-P2P and Client-SMTP objects from scans.
If you want to exclude an individual file from scans, enter the file hash in the File hash field.
If the file is modified, the file hash will also be modified. If this happens, the modified file will not be added to exclusions.
In the Protection components block, select the components that you want the scan exclusion to apply to.
If necessary, in the Comment field, enter a brief comment on the scan exclusion that you are creating.
Select the Active status for the exclusion.
You can use the toggle to stop an exclusion at any time.
Save your changes.

Path mask examples:

Paths to files located in any folder:

The mask *.exe will include all paths to files that have the exe extension.
The mask example* will include all paths to files named EXAMPLE.

Paths to files located in a specified folder:

The C:\dir\*.* mask will include all paths to files located in the C:\dir\ folder, but not in the subfolders of C:\dir\.
The mask C:\dir\* will include all paths to files located in the C:\dir\ folder, but not in the subfolders of C:\dir\.
The mask C:\dir\ will include all paths to files located in the C:\dir\ folder, but not in the subfolders of C:\dir\.
The mask C:\dir\*.exe will include all paths to files with the EXE extension located in the C:\dir\ folder, but not in the subfolders of C:\dir\.
The mask C:\dir\test will include all paths to files named "test" located in the C:\dir\ folder, but not in the subfolders of C:\dir\.
The mask C:\dir\*\test will include all paths to files named "test" located in the C:\dir\ folder and in the subfolders of C:\dir\.

Paths to files located in all folders with a specified name:

The mask dir\*.* will include all paths to files in folders named "dir", but not in the subfolders of those folders.
The mask dir\* will include all paths to files in folders named "dir", but not in the subfolders of those folders.
The mask dir\ will include all paths to files in folders named "dir", but not in the subfolders of those folders.
The mask dir\*.exe will include all paths to files with the EXE extension in folders named "dir", but not in the subfolders of those folders.
The mask dir\test will include all paths to files named "test" in folders named "dir", but not in the subfolders of those folders.

Page top

[Topic 128141]

Enabling and disabling a scan exclusion

To enable or disable a scan exclusion:

In the lower part of the main application window, click the button.
In the application settings window, select Threats and exclusions.
In the Exclusions block, click the Manage exclusions link.
Select the exclusion that you need in the list of scan exclusions.
Use the toggle next to an object to include this object in the scan scope or exclude it.
Save your changes.

Page top

[Topic 123510]

Editing the list of trusted applications

The list of trusted applications is a list of applications whose file and network activity (including malicious activity) and access to the system registry are not monitored by Kaspersky Endpoint Security. By default, Kaspersky Endpoint Security scans objects that are opened, executed, or saved by any application process and controls the activity of all applications and network traffic that is generated by them. However, an application that has been added to the list of trusted applications is excluded from scans by Kaspersky Endpoint Security.

For example, if you consider objects that are used by the standard Microsoft Windows Notepad application to be safe without scanning, meaning that you trust this application, you can add Microsoft Windows Notepad to the list of trusted applications. Scanning then skips objects that are used by this application.

In addition, certain actions that are classified by Kaspersky Endpoint Security as suspicious may be safe within the context of the functionality of a number of applications. For example, the interception of text that is typed from the keyboard is a routine process for automatic keyboard layout switchers (such as Punto Switcher). To take account of the specifics of such applications and exclude their activity from monitoring, we recommend that you add such applications to the trusted applications list.

Excluding trusted applications from scanning allows avoiding compatibility conflicts between Kaspersky Endpoint Security and other programs (for example, the problem of double-scanning of the network traffic of a third-party computer by Kaspersky Endpoint Security and by another anti-virus application), and also increases the computer's performance, which is critical when using server applications.

At the same time, the executable file and process of the trusted application are still scanned for viruses and other malware. An application can be fully excluded from Kaspersky Endpoint Security scanning by means of scan exclusions.

How to add an application to the trusted list in the Administration Console (MMC)

Open the Kaspersky Security Center Administration Console.
In the Managed devices folder in the Administration Console tree, open the folder with the name of the administration group to which the relevant client computers belong.
In the workspace, select the Policies tab.
Select the necessary policy and double-click to open the policy properties.
In the policy window, select General settings → Exclusions.
In the Scan exclusions and trusted applications section, click the Settings button.
In the Trusted zone window, select the Trusted applications tab.
This opens a window containing a list of trusted applications.
Select the Merge values when inheriting check box if you want to create a consolidated list of trusted applications for all computers in the company. The lists of trusted applications in the parent and child policies will be merged. The lists will be merged provided that merging values when inheriting is enabled. Trusted applications from the parent policy are displayed in child policies in a read-only view. Changing or deleting trusted applications of the parent policy is not possible.
Select the Allow use of local trusted applications check box if you want to enable the user to create a local list of trusted applications. This way, a user can create their own local list of trusted applications in addition to the general list of trusted applications generated in the policy. An administrator can use Kaspersky Security Center to view, add, edit, or delete list items in the computer properties.
If the check box is cleared, the user can access only the general list of trusted applications generated in the policy. If a local list was generated, after this functionality is disabled Kaspersky Endpoint Security continues excluding the listed trusted applications from scans.
Click the Add button.
In the opened window, enter the path to the executable file of the trusted application.
Kaspersky Endpoint Security supports environment variables and the * and ? characters when entering a mask.

Kaspersky Endpoint Security does not support the %userprofile% environment variable when generating a list of trusted applications on the Kaspersky Security Center console. To apply the entry to all user accounts, you can use the * character (for example, C:\Users\*\Documents\File.exe).

Whenever you add a new environment variable, you need to restart the application.
Configure the advanced settings for the trusted application (see the table below).
You can use the check box to exclude an application from the trusted zone at any time.
Save your changes.

How to add an application to the trusted list in the Web Console and Cloud Console

In the main window of Web Console, select Devices → Policies and profiles.
Click the name of the Kaspersky Endpoint Security policy for computers on which you want to add the application to the trusted list.
The policy properties window opens.
Select the Application settings tab.
Select General settings → Exclusions.
In the Scan exclusions and trusted applications block, click the Trusted applications link.
This opens a window containing a list of trusted applications.
Select the Merge values when inheriting check box if you want to create a consolidated list of trusted applications for all computers in the company. The lists of trusted applications in the parent and child policies will be merged. The lists will be merged provided that merging values when inheriting is enabled. Trusted applications from the parent policy are displayed in child policies in a read-only view. Changing or deleting trusted applications of the parent policy is not possible.
Select the Allow use of local trusted applications check box if you want to enable the user to create a local list of trusted applications. This way, a user can create their own local list of trusted applications in addition to the general list of trusted applications generated in the policy. An administrator can use Kaspersky Security Center to view, add, edit, or delete list items in the computer properties.
If the check box is cleared, the user can access only the general list of trusted applications generated in the policy. If a local list was generated, after this functionality is disabled Kaspersky Endpoint Security continues excluding the listed trusted applications from scans.
Click the Add button.
In the opened window, enter the path to the executable file of the trusted application.
Kaspersky Endpoint Security supports environment variables and the * and ? characters when entering a mask.

Kaspersky Endpoint Security does not support the %userprofile% environment variable when generating a list of trusted applications on the Kaspersky Security Center console. To apply the entry to all user accounts, you can use the * character (for example, C:\Users\*\Documents\File.exe).

Whenever you add a new environment variable, you need to restart the application.
Configure the advanced settings for the trusted application (see the table below).
You can use the check box to exclude an application from the trusted zone at any time.
Save your changes.

How to add an application to the trusted list in the application interface

In the lower part of the main application window, click the button.
In the application settings window, select Threats and exclusions.
In the Exclusions block, click the Specify trusted applications link.
In the window, click the Add button.
Select the executable file of the trusted application.
You can also manually enter the path. Kaspersky Endpoint Security supports environment variables and the * and ? characters when entering a mask.

Kaspersky Endpoint Security supports environment variables and converts the path in the local interface of the application. In other words, if you enter the file path %userprofile%\Documents\File.exe, a C:\Users\Fred123\Documents\File.exe record is added in local interface of the application for user Fred123. Accordingly, Kaspersky Endpoint Security ignores the File.exe trusted program for other users. To apply the entry to all user accounts, you can use the * character (for example, C:\Users\*\Documents\File.exe).

Whenever you add a new environment variable, you need to restart the application.
In the trusted application properties window, configure the advanced settings (see the table below).
You can use the toggle to exclude an application from the trusted zone at any time.
Save your changes.

Trusted application settings

Parameter	Description
Do not scan opened files	All files that are opened by the application are excluded from scans by Kaspersky Endpoint Security. For example, if you are using applications to back up files, this feature helps reduce the consumption of resources by Kaspersky Endpoint Security.
Do not monitor application activity	Kaspersky Endpoint Security will not monitor the application's file- and network activity in the operating system. Application activity is monitored by the following components: Behavior Detection, Exploit Prevention, Host Intrusion Prevention, Remediation Engine and Firewall.
Do not inherit restrictions of the parent process (application)	The restrictions configured for the parent process will not be applied by Kaspersky Endpoint Security to a child process. The parent process is started by an application for which application rights (Host Intrusion Prevention) and application network rules (Firewall) are configured.
Do not monitor the activity of child applications	Kaspersky Endpoint Security will not monitor the file activity or network activity of applications that are started by this application.
Allow interaction with Kaspersky Endpoint Security interface	Kaspersky Endpoint Security Self-Defense blocks all attempts to manage application services from a remote computer. If the check box is selected, the remote access application is allowed to manage Kaspersky Endpoint Security settings through the Kaspersky Endpoint Security interface.
Do not block interaction with AMSI Protection component (available only in the Kaspersky Security Center Console)	Kaspersky Endpoint Security will not monitor the trusted application's requests for objects to be scanned by the AMSI Protection component.
Do not scan encrypted traffic / Do not scan all traffic	Network traffic initiated by the application will be excluded from scans by Kaspersky Endpoint Security. You can exclude either all traffic or only encrypted traffic from scans. You can also exclude individual IP addresses and port numbers from scans.
Comment	If necessary, you can provide a brief comment for the trusted application. Comments help simplify searches and sorting of trusted applications.
Status	Status of the trusted application: Active status means that the application is in the trusted zone. Inactive status means that the application is excluded from the trusted zone.

Page top

[Topic 128356]

Enabling and disabling trusted zone rules for an application in the list of trusted applications

To enable or disable the action of trusted zone rules applied to an application from the list of trusted applications:

In the lower part of the main application window, click the button.
In the application settings window, select Threats and exclusions.
In the Exclusions block, click the Specify trusted applications link.
In the list of trusted applications, select the necessary trusted application.
Use the toggle in the Status column to include a trusted application in the scan scope or exclude it.
Save your changes.

Page top

[Topic 131348]

Using trusted system certificate storage

Use of system certificate storage lets you exclude applications signed by a trusted digital signature from virus scans. Kaspersky Endpoint Security automatically assigns such applications to the Trusted group.

To begin using trusted system certificate storage:

In the lower part of the main application window, click the button.
In the application settings window, select Threats and exclusions.
In the Trusted system certificate store drop-down list, select which system store must be considered as trusted by Kaspersky Endpoint Security.
Save your changes.

Page top

[Topic 34558]

Managing Backup

Backup stores backup copies of files that were deleted or modified during disinfection. A backup copy is a file copy created before the file was disinfected or deleted. Backup copies of files are stored in a special format and do not pose a threat.

Backup copies of files are stored in the folder C:\ProgramData\Kaspersky Lab\KES\QB.

Users in the Administrators group are granted full permission to access this folder. Limited access rights to this folder are granted to the user whose account was used to install Kaspersky Endpoint Security.

Kaspersky Endpoint Security does not provide the capability to configure user access permissions to backup copies of files.

Sometimes it is not possible to maintain the integrity of files during disinfection. If you partially or completely lose access to important information in a disinfected file after disinfection, you can attempt to restore the file from its backup copy to its original folder.

If Kaspersky Endpoint Security is running under the management of Kaspersky Security Center, backup copies of files may be transmitted to the Kaspersky Security Center Administration Server. For more details about managing backup copies of files in Kaspersky Security Center, please refer to the Kaspersky Security Center Help system.

In this section

Configuring the maximum storage period for files in Backup

Configuring the maximum size of Backup

Restoring files from Backup

Deleting backup copies of files from Backup

Page top

[Topic 128123]

Configuring the maximum storage period for files in Backup

The default maximum storage period for copies of files in Backup is 30 days. After expiration of the maximum storage term, Kaspersky Endpoint Security deletes the oldest files from Backup.

To configure the maximum storage period for files in Backup:

In the lower part of the main application window, click the button.
In the application settings window, select the Reports and Storage section.
If you want to limit the storage period for copies of files in Backup, select the Store objects no longer than N days check box in the Backup block. In the field on the right of the Store objects no longer than N days check box, specify the maximum storage period for copies of files in Backup.
Save your changes.

Page top

[Topic 128124]

Configuring the maximum size of Backup

You can specify the maximum size of Backup. The size of Backup is unlimited by default. After the maximum size is reached, Kaspersky Endpoint Security automatically deletes the oldest files from Backup so that the maximum size is not exceeded.

To configure the maximum size of Backup:

In the lower part of the main application window, click the button.
In the application settings window, select the Reports and Storage section.
If you want to limit the size of Backup, select the Limit the size of Backup to N MB check box in the Backup block. Specify the maximum size of Backup.
Save your changes.

Page top

[Topic 128133]

Restoring files from Backup

If malicious code is detected in a file, Kaspersky Endpoint Security blocks the file, assigns the Infected status to it, places a copy of it in Backup, and attempts to disinfect it. If file disinfection succeeds, the status of the backup copy of the file changes to Disinfected. The file becomes available in its original folder. If a file cannot be disinfected, Kaspersky Endpoint Security deletes it from its original folder. You can restore the file from its backup copy to its original folder.

Files with the Will be disinfected on computer restart status cannot be restored. Restart the computer, and the file status will change to Disinfected or Deleted. You can also restore the file from its backup copy to its original folder.

Upon detecting malicious code in a file that is part of the Windows Store application, Kaspersky Endpoint Security immediately deletes the file without moving a copy of the file to Backup. You can restore the integrity of the Windows Store application by using the appropriate tools of the Microsoft Windows 8 operating system (see the Microsoft Windows 8 help files for details on restoring a Windows Store application).

The set of backup copies of files is presented as a table. For a backup copy of a file, the path to the original folder of the file is displayed. The path to the original folder of the file may contain personal data.

If several files with identical names and different content located in the same folder are moved to Backup, only the file that was last placed in Backup can be restored.

To restore files from Backup:

In the main application window, click More Tools → Storage.
The Backup window opens.
In the table in the Backup window, select one or multiple Backup files.
Click the Restore button.

Kaspersky Endpoint Security restores files from the selected backup copies to their original folders.

Page top

[Topic 128134]

Deleting backup copies of files from Backup

Kaspersky Endpoint Security automatically deletes backup copies of files with any status from Backup after the storage term configured in application settings has elapsed. You can also manually delete any copy of a file from Backup.

To delete backup copies of files from Backup:

In the main application window, click More Tools → Storage.
The Backup window opens.
Select the backup copies of files that you want to delete from Backup and click the Delete button. You can also delete all files from Backup by clicking the Delete all button.

Kaspersky Endpoint Security deletes the selected backup copies of files from Backup.

Page top

[Topic 126005]

Notification service

All sorts of events occur during the operation of Kaspersky Endpoint Security. Notifications of these events can be either be purely informational or contain critical information. For example, notifications may inform of a successful database and application modules update or log component errors that need remedying.

Kaspersky Endpoint Security supports the logging of information about events in the operation of the Microsoft Windows application log and / or the Kaspersky Endpoint Security event log.

Kaspersky Endpoint Security delivers notifications in the following ways:

using pop-up notifications in the Microsoft Windows taskbar notification area;
by email.

You can configure the delivery of event notifications. The method of notification delivery is configured for each type of event.

When using the table of events to configure the notification service, you can perform the following actions:

Filter notification service events by column values or by custom filter conditions.
Use the search function for notification service events.
Sort notification service events.
Change the order and set of columns that are displayed in the list of notification service events.

In this section

Configuring event log settings

Configuring the display and delivery of notifications

Configuring the display of warnings about the application status in the notification area

Page top

[Topic 128354]

Configuring event log settings

To configure event log settings:

In the lower part of the main application window, click the button.
In the application settings window, select the Interface section.
In the Notifications section, click the Set up notifications button.
Kaspersky Endpoint Security components and tasks are shown in the left part of the window. The right part of the window lists the events generated for the selected component or task.

Events may contain the following user data:
- Paths to files scanned by Kaspersky Endpoint Security.
- Paths to registry keys modified during the operation of Kaspersky Endpoint Security.
- Microsoft Windows user name.
- Addresses of web pages opened by the user.
In the left part of the window, select the component or task for which you want to configure the event log settings.
Select check boxes opposite the relevant events in the Save in local report and Save in Windows Event Log columns.
Events whose check boxes are selected in the Save in local report column are displayed in Applications and Services Logs in the Kaspersky Event Log section. Events whose check boxes are selected in the Save in Windows Event Log column are displayed in Windows logs in the Application section. To open the event logs, select Start → Control Panel → Administration → Event Viewer.
Save your changes.

Page top

[Topic 130890]

Configuring the display and delivery of notifications

To configure the display and delivery of notifications:

In the lower part of the main application window, click the button.
In the application settings window, select the Interface section.
In the Notifications section, click the Set up notifications button.
Kaspersky Endpoint Security components and tasks are shown in the left part of the window. The right part of the window lists events generated for the selected component or the selected task.

Events may contain the following user data:
- Paths to files scanned by Kaspersky Endpoint Security.
- Paths to registry keys modified during the operation of Kaspersky Endpoint Security.
- Microsoft Windows user name.
- Addresses of web pages opened by the user.
In the left part of the window, select the component or task for which you want to configure the delivery of notifications.
In the Notify on screen column, select the check boxes next to the required events.
Information about the selected events is displayed on the screen as pop-up messages in the Microsoft Windows taskbar notification area.
In the Notify by email column, select the check boxes next to the required events.
Information about the selected events is delivered by email if the mail notification delivery settings are configured.
Click OK.
If you enabled email notifications, configure the settings for email delivery:
1. Click the Email notification settings button.
2. Select the Notify about events check box to enable delivery of information about Kaspersky Endpoint Security events selected in the Notify by email column.
3. Specify the email notification delivery settings.
4. Click OK.
Save your changes.

Page top

[Topic 131802]

Configuring the display of warnings about the application status in the notification area

To configure the display of application status warnings in the notification area:

In the lower part of the main application window, click the button.
In the application settings window, select the Interface section.
In the Show application's status in notifications area section, select the check boxes opposite those categories of events about which you want to see notifications in the notification area of Microsoft Windows.
Save your changes.

When events associated with the selected categories occur, the application icon in the notification area will change to icon_tray_critical or depending on the severity of the warning.

Page top

[Topic 34585]

Managing reports

Information about the operation of each Kaspersky Endpoint Security component, data encryption events, the performance of each scan task, the update task and integrity check task, and the overall operation of the application is recorded in reports.

Reports are stored in the folder C:\ProgramData\Kaspersky Lab\KES\Report.

Reports may contain the following user data:

Paths to files scanned by Kaspersky Endpoint Security.
Paths to registry keys modified during the operation of Kaspersky Endpoint Security.
Microsoft Windows user name.
Addresses of web pages opened by the user.

The data in the report is presented in tabular form. Each table row contains information on a separate event. Event attributes are located in the table columns. Certain columns are compound ones which contain nested columns with additional attributes. To view additional attributes, click the button next to the name of the column. Events that are logged during the operation of various components or during the performance of various tasks have different sets of attributes.

The following reports are available:

System Audit report. Contains information about events occurring during the interaction between the user and the application and in the course of application operation in general, which are unrelated to any particular Kaspersky Endpoint Security components or tasks.
Reports on the operation of Kaspersky Endpoint Security components.
Kaspersky Endpoint Security task reports.
Data encryption report. Contains information about events occurring during data encryption and decryption.

Reports use the following event importance levels:

Informational messages. Reference events that normally do not contain important information.

Warnings. Events that need attention because they reflect important situations in the operation of Kaspersky Endpoint Security.

Critical events. Events of critical importance that indicate problems in the operation of Kaspersky Endpoint Security or vulnerabilities in the protection of the user's computer.

For convenient processing of reports, you can modify the presentation of data on the screen in the following ways:

Filter the event list by various criteria.
Use the search function to find a specific event.
View the selected event in a separate section.
Sort the list of events by each report column.
Display and hide events grouped by the event filter using the button.
Change the order and arrangement of columns that are shown in the report.

You can save a generated report to a text file, if necessary. You can also delete report information on Kaspersky Endpoint Security components and tasks that are combined into groups.

If Kaspersky Endpoint Security is running under the management of Kaspersky Security Center, information about events may be relayed to the Kaspersky Security Center Administration Server (for more details, please refer to the Kaspersky Security Center Help Guide).

In this section

Viewing reports

Configuring the maximum report storage term

Configuring the maximum size of the report file

Saving a report to file

Clearing reports

Page top

[Topic 128116]

View reports

If a user can view reports, the user can also view all events reflected in the reports.

To view reports:

In the main application window, click More Tools → Reports.
In the left part of the Reports window, in the list of components and tasks, select a component or task.
The right part of the window displays a report containing a list of events resulting from the operation of the selected component or selected task of Kaspersky Endpoint Security. You can sort events in the report based on the values in cells of one of the columns. By default, report events are sorted in ascending order of the values in cells of the Event date column.
To view detailed information about an event, select the event in the report.
A section with the event summary is displayed in the lower part of the window.

Page top

[Topic 133795]

Configuring the maximum report storage term

The default maximum storage term for reports on events that are logged by Kaspersky Endpoint Security is 30 days. After that period of time, Kaspersky Endpoint Security automatically deletes the oldest entries from the report file.

To modify the report maximum storage term:

In the lower part of the main application window, click the button.
In the application settings window, select the Reports and Storage section.
If you want to limit the report storage term, select the Store reports no longer than N days check box in the Reports block. Define the maximum report storage term.
Save your changes.

Page top

[Topic 133796]

Configuring the maximum size of the report file

You can specify the maximum size of the file that contains the report. By default, the maximum report file size is 1024 MB. To avoid exceeding the maximum report file size, Kaspersky Endpoint Security automatically deletes the oldest entries from the report file when the maximum report file size is reached.

To configure the maximum report file size:

In the lower part of the main application window, click the button.
In the application settings window, select the Reports and Storage section.
In the Reports block, select the Limit the size of report file to N MB check box if you want to limit the size of a report file. Define the maximum size of the report file.
Save your changes.

Page top

[Topic 128118]

Saving a report to file

The user is personally responsible for ensuring the security of information from a report saved to file, and particularly for controlling and restricting access to this information.

You can save the report that you generate to a file in text format (TXT) or a CSV file.

Kaspersky Endpoint Security logs events in the report in the same way as they are displayed on the screen: in other words, with the same set and sequence of event attributes.

To save a report to file:

In the main application window, click More Tools → Reports.
In the opened window, select the component or task.
A report is displayed in the right part of the window, which contains a list of events in the operation of the selected Kaspersky Endpoint Security component or task.
If necessary, you can modify data presentation in the report by:
- Filtering events
- Running an event search
- Rearranging columns
- Sorting events
Click the Save report button in the upper right part of the window.
In the window that opens, specify the destination folder for the report file.
In the File name field, type the report file name.
In the File type field, select the necessary report file format: TXT or CSV.
Save your changes.

Page top

[Topic 128119]

Clearing reports

To remove information from reports:

In the lower part of the main application window, click the button.
In the application settings window, select the Reports and Storage section.
In the Reports block, click the Clear button.
If Password Protection is enabled, Kaspersky Endpoint Security may prompt you for user account credentials. The application prompts for account credentials if the user does not have the required permissions.

Kaspersky Endpoint Security will delete all reports for all application components and tasks.

Page top

[Topic 34598]

Kaspersky Endpoint Security Self-Defense

Kaspersky Endpoint Security protects the computer from malicious applications, that attempt to block the operation of Kaspersky Endpoint Security or even remove it from the computer. The set of available Self-Defense technologies for Kaspersky Endpoint Security depends on whether the operating system is 32-bit or 64-bit (refer to the table below).

Kaspersky Endpoint Security Self-Defense technologies

Technology

Description

х86 computer

x64 computer

Self-Defense mechanism

The technology blocks access to the following application components:

Files in the Kaspersky Endpoint Security installation folder
Registry keys with records belonging to the application
Processes that the application runs

AM-PPL (Antimalware Protected Process Light)

The technology protects Kaspersky Endpoint Security processes against malicious actions. For more details about AM-PPL technology, please visit the Microsoft website.

AM-PPL technology is available for Windows 10 version 1703 (RS2) or later, and Windows Server 2019 operating systems.

–

External management defense mechanism

The technology restricts the management of Kaspersky Endpoint Security using special remote administration applications (such as TeamViewer or RemotelyAnywhere).

–
(except for Windows 7)

In this section

Enabling and disabling Self-Defense

Enabling and disabling AM-PPL support

Enabling and disabling external management defense

Supporting remote administration applications

Page top

[Topic 133797]

Enabling and disabling Self-Defense

The Self-Defense mechanism of Kaspersky Endpoint Security is enabled by default.

To enable or disable Self-Defense:

In the lower part of the main application window, click the button.
In the application settings window, select the General section.
Use the Enable Self-Defense check box to enable or disable the Self-Defense mechanism.
Save your changes.

Page top

[Topic 189943]

Enabling and disabling AM-PPL support

Kaspersky Endpoint Security supports Antimalware Protected Process Light technology (hereinafter referred to as "AM-PPL") from Microsoft. AM-PPL protects Kaspersky Endpoint Security processes against malicious actions (for example, terminating the application). AM-PPL allows only trusted processes to run. Kaspersky Endpoint Security processes are signed in accordance with Windows security requirements, and therefore they are trusted. For more details about AM-PPL technology, please visit the Microsoft website. AM-PPL technology is enabled by default.

Kaspersky Endpoint Security also has built-in mechanisms for protecting application processes. AM-PPL support lets you delegate process security functions to the operating system. You can thereby increase the speed of the application and reduce the consumption of computer resources.

The AM-PPL service is available for Windows 10 version 1703 (RS2) or later, and Windows Server 2019 operating systems.

To enable or disable AM-PPL technology:

Turn off the application's Self-Defense mechanism.
The Self-Defense mechanism prevents modification and deletion of application processes in the computer memory, including changing the AM-PPL status.
Run the command line interpreter (cmd.exe) as an administrator.
Go to the folder where the Kaspersky Endpoint Security executable file is located.
Type the following in the command line:
- klpsm.exe enable – enable support for AM-PPL technology (see the figure below).
- klpsm.exe disable – disable support for AM-PPL technology.
Restart Kaspersky Endpoint Security.
Resume the application's Self-Defense mechanism.

Enabling support for AM-PPL technology

Page top

[Topic 133798]

Enabling and disabling external management defense

Protection against external management allows you to prohibit Kaspersky Endpoint Security managing using remote administration applications (such as TeamViewer or RemotelyAnywhere). The technology serves the following purposes:

Protection against modification of Kaspersky Endpoint Security settings.
Protection against management of Kaspersky Endpoint Security services (such as the AVP service).
Protection against stopping application processes.

Protection against external management is available only for computers running 32-bit operating systems. Technology is not available for computers running 64-bit operating systems.

To enable or disable protection against external management:

In the main application window, click the button .
In the application settings window, select Advanced settings → General.
Use the Allow managing Kaspersky Endpoint Security settings via remote control applications check box to enable or disable protection against modifications of Kaspersky Endpoint Security settings. If you use remote administration applications, you should allow management of Kaspersky Endpoint Security settings and add the applications to the trusted list. Untrusted remote administration applications are not allowed to modify Kaspersky Endpoint Security settings even when the Allow managing Kaspersky Endpoint Security settings via remote control applications check box is selected. This check box is unavailable when the Enable Self-Defense check box is selected.
Use the Enable external service control check box to enable or disable the protection of Kaspersky Endpoint Security services against external management.
To quit the application from the command line, disable the protection of Kaspersky Endpoint Security services against external management.
Save your changes.

As a result, when external management defense mechanisms are enabled, Kaspersky Endpoint Security prevents the mouse pointer from getting pointed at the application icon. When a remote user attempts to shut down an application service, a system window with an error message appears.

Page top

[Topic 128342]

Supporting remote administration applications

You may occasionally need to use a remote administration application while external management defense is enabled.

To enable the operation of remote administration applications:

In the lower part of the main application window, click the button.
In the application settings window, select Threats and exclusions.
In the Exclusions block, click the Specify trusted applications link.
In the window, click the Add button.
Select the executable file of the remote administration application.
You can also manually enter the path. Kaspersky Endpoint Security supports environment variables and the * and ? characters when entering a mask.
Select the Do not monitor application activity check box.
Save your changes.

Page top

[Topic 128143]

Kaspersky Endpoint Security performance and compatibility with other applications

Performance of Kaspersky Endpoint Security

The performance of Kaspersky Endpoint Security refers to the number of types of objects that can harm the computer that are detectable, as well as energy consumption and use of computer resources.

Selecting types of detectable objects

Kaspersky Endpoint Security lets you fine-tune the protection of your computer and select the types of objects that the application detects during operation. Kaspersky Endpoint Security always scans the operating system for viruses, worms, and Trojans. You cannot disable scanning of these types of objects. Such malware can cause significant harm to the computer. For greater security on your computer, you can expand the range of detectable object types by enabling monitoring of legal software that can be used by criminals to damage your computer or personal data.

Using energy-saving mode

Energy consumption by applications is a key consideration for portable computers. Kaspersky Endpoint Security scheduled tasks usually use up considerable resources. When the computer is running on battery power, you can use energy-saving mode to consume power more sparingly.

In energy-saving mode, the following scheduled tasks are postponed automatically:

Update task
Full Scan task
Critical Areas Scan task
Custom Scan task
Integrity Check task

Whether or not energy saving mode is enabled, Kaspersky Endpoint Security pauses encryption tasks when a portable computer switches to battery power. The application resumes encryption tasks when the portable computer switches from battery power to mains power.

Conceding computer resources to other applications

Use of computer resources by Kaspersky Endpoint Security may impact the performance of other applications. To resolve the problem of simultaneous operation during increased load on the CPU and hard drive subsystems, Kaspersky Endpoint Security can pause scheduled tasks and concede resources to other applications.

However, a number of applications start immediately when CPU resources become available, proceeding to work in background mode. To prevent scanning from depending on the performance of other applications, it is better to not concede operating system resources to them.

You can start such tasks manually, if necessary.

Using advanced disinfection technology

Today's malicious applications can penetrate the lowest levels of an operating system, which makes them virtually impossible to eliminate. After detecting malicious activity in the operating system, Kaspersky Endpoint Security performs an extensive disinfection procedure that uses special advanced disinfection technology. Advanced disinfection technology is aimed at purging the operating system of malicious applications that have already started their processes in RAM and that prevent Kaspersky Endpoint Security from removing them by using other methods. The threat is neutralized as a result. While Advanced Disinfection is in progress, you are advised to refrain from starting new processes or editing the operating system registry. The advanced disinfection technology uses considerable operating system resources, which may slow down other applications.

After the Advanced Disinfection process has been completed on a computer running Microsoft Windows for workstations, Kaspersky Endpoint Security requests the user's permission to reboot the computer. After system reboot, Kaspersky Endpoint Security deletes malware files and starts a "lite" full scan of the computer.

A reboot prompt is impossible on a computer running Microsoft Windows for servers due to the specifics of Kaspersky Endpoint Security. An unplanned reboot of a file server can lead to problems involving temporary unavailability of file server data or loss of unsaved data. It is recommended to reboot a file server strictly according to schedule. This is why Advanced Disinfection technology is disabled by default for file servers.

If active infection is detected on a file server, an event is relayed to Kaspersky Security Center with information that Active Disinfection is required. To disinfect an active infection of a server, enable Active Disinfection technology for servers and start a Virus scan group task at a time convenient for server users.

In this section

Selecting types of detectable objects

Enabling or disabling Advanced Disinfection technology

Enabling or disabling energy-saving mode

Enabling or disabling conceding of resources to other applications

Page top

[Topic 128145]

Selecting types of detectable objects

To select types of detectable objects:

In the lower part of the main application window, click the button.
In the application settings window, select Threats and exclusions.

In the Types of detected objects section, select check boxes opposite the types of objects that you want Kaspersky Endpoint Security to detect:

Viruses and worms

Subcategory: viruses and worms (Viruses_and_Worms)

Threat level: high

Classic viruses and worms perform actions that are not authorized by the user. They can create copies of themselves which are able to self-replicate.

Classic virus

When a classic virus infiltrates a computer, it infects a file, activates, performs malicious actions, and adds copies of itself to other files.

A classic virus multiplies only on local resources of the computer; it cannot penetrate other computers on its own. It can be passed to another computer only if it adds a copy of itself to a file that is stored in a shared folder or on an inserted CD, or if the user forwards an email message with an attached infected file.

Classic virus code can penetrate various areas of computers, operating systems, and applications. Depending on the environment, viruses are divided into file viruses, boot viruses, script viruses, and macro viruses.

Viruses can infect files by using a variety of techniques. Overwriting viruses write their code over the code of the file that is infected, thus erasing the file's content. The infected file stops functioning and cannot be restored. Parasitic viruses modify files, leaving them fully or partially functional. Companion viruses do not modify files, but instead create duplicates. When an infected file is opened, a duplicate of it (what is actually a virus) is started. The following types of viruses are also encountered: link viruses, OBJ viruses, LIB viruses, source code viruses, and many others.

Worm

As with a classic virus, the code of a worm is activated and performs malicious actions after it infiltrates a computer. Worms are so named because of their ability to "crawl" from one computer to another and to spread copies via numerous data channels without the user's permission.

The main feature that allows differentiating between various types of worms is the way they spread. The following table provides an overview of various types of worms, which are classified by the way in which they spread.

Ways in which worms spread

Type	Name	Description
Email-Worm	Email-Worm	They spread via email. An infected email message contains an attached file with a copy of a worm, or a link to a file that is uploaded to a website which may have been hacked or created exclusively for that purpose. When you open the attached file, the worm is activated. When you click the link, download, and then open the file, the worm also starts performing its malicious actions. After that, it goes on spreading copies of itself, searching for other email addresses and sending infected messages to them.
IM-Worm	IM clients	They spread through IM clients. Usually, such worms send messages that contain a link to a file with a copy of the worm on a website, making use of the user's contact lists. When the user downloads and opens the file, the worm activates.
IRC-Worm	Internet chat worms	They spread via Internet Relay Chats, service systems which allow communicating with other people over the Internet in real time. These worms publish a file with a copy of themselves or a link to the file in an Internet chat. When the user downloads and opens the file, the worm activates.
Net-Worm	Network worms	These worms spread over computer networks. Unlike other types of worms, a typical network worm spreads without the user's participation. It scans the local network for computers that contain programs with vulnerabilities. To do this, it sends a specially formed network packet (exploit) which contains the worm code or a part of it. If a "vulnerable" computer is on the network, it receives such a network packet. When the worm completely penetrates the computer, it activates.
P2P-Worm	File sharing network worms	They spread over peer-to-peer file sharing networks. To infiltrate a P2P network, the worm copies itself into a file sharing folder which is usually located on the user's computer. The P2P network displays information about this file so that the user may "find" the infected file on the network like any other file, and then download and open it. More sophisticated worms emulate the network protocol of a specific P2P network: they return positive responses to search queries and offer copies of themselves for download.
Worm	Other types of worms	Other types of worms include: Worms that spread copies of themselves over network resources. By using the functions of the operating system, they scan available network folders, connect to computers on the Internet, and attempt to obtain full access to their disk drives. Unlike the previously described types of worms, other types of worms activate not on their own, but when the user opens a file that contains a copy of the worm. Worms that do not use any of the methods described in the previous table to spread (for example, those that spread over cell phones).

Trojans

Subcategory: Trojans

Threat level: high

Unlike worms and viruses, Trojans do not self-replicate. For example, they penetrate a computer via email or a browser when the user visits an infected web page. Trojans are started with the user's participation. They begin performing their malicious actions right after they are started.

Different Trojans behave differently on infected computers. The main functions of Trojans consist in blocking, modifying, or destroying information, and disabling computers or networks. Trojans can also receive or send files, run them, display messages on the screen, request web pages, download and install programs, and restart the computer.

Hackers often use "sets" of various Trojans.

Types of Trojan behavior are described in the following table.

Types of Trojan behavior on an infected computer

Type	Name	Description
Trojan-ArcBomb	Trojans – "archive bombs"	When unpacked, these archives grow in size to such an extent that the computer's operation is impacted. When the user attempts to unpack such an archive, the computer may slow down or freeze; the hard disk may become filled with "empty" data. "Archive bombs" are especially dangerous to file and mail servers. If the server uses an automatic system to process incoming information, an "archive bomb" may halt the server.
Backdoor	Trojans for remote administration	They are considered the most dangerous type of Trojan. In their functions, they are similar to remote administration applications that are installed on computers. These programs install themselves on the computer without being noticed by the user, allowing the intruder to manage the computer remotely.
Trojan	Trojans	They include the following malicious applications: Classic Trojans. These programs perform only the main functions of Trojans: blocking, modifying or destroying information, and disabling computers or networks. They do not have any advanced features, unlike the other types of Trojans that are described in the table. Versatile Trojans. These programs have advanced features typical of several types of Trojans.
Trojan-Ransom	Ransom Trojans	They take the user's information "hostage", modifying or blocking it, or impact the computer's operation so that the user loses the ability to use information. The intruder demands a ransom from the user, promising to send an application to restore the computer's performance and the data that had been stored on it.
Trojan-Clicker	Trojan clickers	They access web pages from the user's computer, either by sending commands to a browser on their own or by changing the web addresses that are specified in operating system files. By using these programs, intruders perpetrate network attacks and increase website visits, increasing the number of displays of banner ads.
Trojan-Downloader	Trojan downloaders	They access the intruder's web page, download other malicious applications from it, and install them on the user's computer. They can contain the file name of the malicious application to download, or receive it from the web page that is accessed.
Trojan-Dropper	Trojan droppers	They contain other Trojans which they install on the hard drive and then install. Intruders may use Trojan Dropper–type programs for the following goals: Install a malicious application without being noticed by the user: Trojan Dropper–type programs display no messages, or display fake messages which inform, for example, of an error in an archive or an incompatible version of the operating system. Protect another known malicious application from detection: not all anti-virus software can detect a malicious application within a Trojan Dropper–type application.
Trojan-Notifier	Trojan notifiers	They inform an intruder that the infected computer is accessible, sending the intruder information about the computer: IP address, number of opened port, or email address. They connect with the intruder via email, FTP, accessing the intruder's web page, or in another way. Trojan Notifier–type programs are often used in sets that are made of several Trojans. They notify the intruder that other Trojans have been successfully installed on the user's computer.
Trojan-Proxy	Trojan proxies	They allow the intruder to anonymously access web pages by using the user's computer; they are often used for sending spam.
Trojan-PSW	Password-stealing-ware	Password-stealing-ware is a kind of Trojan that steals user accounts, such as software registration data. These Trojans find confidential data in system files and in the registry and send it to the "master" by email, via FTP, by accessing the intruder's web page, or in another way. Some of these Trojans are categorized into separate types that are described in this table. These are Trojans that steal bank accounts (Trojan-Banker), steal data from users of IM clients (Trojan-IM), and steal information from users of online games (Trojan-GameThief).
Trojan-Spy	Trojan spies	They spy on the user, collecting information about the actions that the user makes while working at the computer. They may intercept the data that the user enters at the keyboard, take screenshots, or collect lists of active applications. After they receive the information, they transfer it to the intruder by email, via FTP, by accessing the intruder's web page, or in another way.
Trojan-DDoS	Trojan network attackers	They send numerous requests from the user's computer to a remote server. The server lacks resources to process all requests, so it stops functioning (Denial of Service, or simply DoS). Hackers often infect many computers with these programs so that they can use the computers to attack a single server simultaneously. DoS programs perpetrate an attack from a single computer with the user's knowledge. DDoS (Distributed DoS) programs perpetrate distributed attacks from several computers without being noticed by the user of the infected computer.
Trojan-IM	Trojans that steal information from users of IM clients	They steal account numbers and passwords of IM client users. They transfer the data to the intruder by email, via FTP, by accessing the intruder's web page, or in another way.
Rootkit	Rootkits	They mask other malicious applications and their activity, thus prolonging the applications' persistence in the operating system. They can also conceal files, processes in an infected computer's memory, or registry keys which run malicious applications. The rootkits can mask data exchange between applications on the user's computer and other computers on the network.
Trojan-SMS	Trojans in the form of SMS messages	They infect cell phones, sending SMS messages to premium-rate phone numbers.
Trojan-GameThief	Trojans that steal information from users of online games	They steal account credentials from users of online games, after which they send the data to the intruder by email, via FTP, by accessing the intruder's web page, or in another way.
Trojan-Banker	Trojans that steal bank accounts	They steal bank account data or e-money system data; send the data to the hacker by email, via FTP, by accessing the hacker's web page, or by using another method.
Trojan-Mailfinder	Trojans that collect email addresses	They collect email addresses that stored on a computer and send them to the intruder by email, via FTP, by accessing the intruder's web page, or in another way. Intruders may send spam to the addresses they have collected.

Malicious tools

Subcategory: Malicious tools

Danger level: medium

Unlike other types of malware, malicious tools do not perform their actions right after they are started. They can be safely stored and started on the user's computer. Intruders often use the features of these programs to create viruses, worms, and Trojans, perpetrate network attacks on remote servers, hack computers, or perform other malicious actions.

Various features of malicious tools are grouped by the types that are described in the following table.

Features of malicious tools

Type	Name	Description
Constructor	Constructors	They allow creating new viruses, worms, and Trojans. Some constructors boast a standard window-based interface in which the user can select the type of malicious application to create, the way of counteracting debuggers, and other features.
Dos	Network attacks	They send numerous requests from the user's computer to a remote server. The server lacks resources to process all requests, so it stops functioning (Denial of Service, or simply DoS).
Exploit	Exploits	An exploit is a set of data or a program code that uses vulnerabilities of the application in which it is processed, performing a malicious action on a computer. For example, an exploit can write or read files, or request "infected" web pages. Different exploits use vulnerabilities in different applications or network services. Disguised as a network packet, an exploit is transmitted over the network to numerous computers, searching for computers with vulnerable network services. An exploit in a DOC file uses the vulnerabilities of a text editor. It may start performing the actions that are preprogrammed by the hacker when the user opens the infected file. An exploit that is embedded in an email message searches for vulnerabilities in any email client. It may start performing a malicious action as soon as the user opens the infected message in this email client. Net-Worms spread over networks by using exploits. Nuker exploits are network packets that disable computers.
FileCryptor	Encryptors	They encrypt other malicious applications to conceal them from the anti-virus application.
Flooder	Programs for "contaminating" networks	They send numerous messages over network channels. This type of tools includes, for example, programs that contaminate Internet Relay Chats. Flooder-type tools do not include programs that "contaminate" channels that are used by email, IM clients, and mobile communication systems. These programs are distinguished as separate types that are described in the table (Email-Flooder, IM-Flooder, and SMS-Flooder).
HackTool	Hacking tools	They make it possible to hack the computer on which they are installed or attack another computer (for example, by adding new system accounts without the user's permission or by erasing system logs to conceal traces of their presence in the operating system). This type of tools includes some sniffers which feature malicious functions, such as password interception. Sniffers are programs that allow viewing network traffic.
Hoax	Hoaxes	They alarm the user with virus-like messages: they may "detect a virus" in an uninfected file or notify the user that the disk has been formatted, although this has not happened in reality.
Spoofer	Spoofing tools	They send messages and network requests with a fake address of the sender. Intruders use Spoofer-type tools to pass themselves off as the true senders of messages, for example.
VirTool	Tools that modify malicious applications	They allow modifying other malware programs, concealing them from anti-virus applications.
Email-Flooder	Programs that "contaminate" email addresses	They send numerous messages to various email addresses, thus "contaminating" them. A large volume of incoming messages prevents users from viewing useful messages in their inboxes.
IM-Flooder	Programs that "contaminate" traffic of IM clients	They flood users of IM clients with messages. A large volume of messages prevents users from viewing useful incoming messages.
SMS-Flooder	Programs that "contaminate" traffic with SMS messages	They send numerous SMS messages to cell phones.

Adware
Subcategory: advertising software (Adware);

Threat level: medium

Adware displays advertising information to the user. Adware programs display banner ads in the interfaces of other programs and redirect search queries to advertising web pages. Some of them collect marketing information about the user and send it to the developer: this information may include the names of the websites that are visited by the user or the content of the user's search queries. Unlike Trojan-Spy–type programs, adware sends this information to the developer with the user's permission.

Auto-dialers

Subcategory: legal software that may be used by criminals to damage your computer or personal data.

Danger level: medium

Most of these applications are useful, so many users run them. These applications include IRC clients, auto-dialers, file download programs, computer system activity monitors, password utilities, and Internet servers for FTP, HTTP, and Telnet.

However, if intruders gain access to these programs, or if they plant them on the user's computer, some of the application's features may be used to violate security.

These applications differ by function; their types are described in the following table.

Type	Name	Description
Client-IRC	Internet chat clients	Users install these programs to talk to people in Internet Relay Chats. Intruders use them to spread malware.
Dialer	Auto-dialers	They can establish phone connections over a modem in hidden mode.
Downloader	Programs for downloading	They can download files from web pages in hidden mode.
Monitor	Programs for monitoring	They allow monitoring activity on the computer on which they are installed (seeing which applications are active and how they exchange data with applications that are installed on other computers).
PSWTool	Password restorers	They allow viewing and restoring forgotten passwords. Intruders secretly implant them on users' computers with the same purpose.
RemoteAdmin	Remote administration programs	They are widely used by system administrators. These programs allow obtaining access to the interface of a remote computer to monitor and manage it. Intruders secretly implant them on users' computers with the same purpose: to monitor and manage remote computers. Legal remote administration programs differ from Backdoor-type Trojans for remote administration. Trojans have the ability to penetrate the operating system independently and install themselves; legal programs are unable to do so.
Server-FTP	FTP servers	They function as FTP servers. Intruders implant them on the user's computer to open remote access to it via FTP.
Server-Proxy	Proxy servers	They function as proxy servers. Intruders implant them on the user's computer to send spam under the user's name.
Server-Telnet	Telnet servers	They function as Telnet servers. Intruders implant them on the user's computer to open remote access to it via Telnet.
Server-Web	Web servers	They function as web servers. Intruders implant them on the user's computer to open remote access to it via HTTP.
RiskTool	Tools for working at a local computer	They provide the user with additional options when working at the user's own computer. The tools allow the user to hide files or windows of active applications and terminate active processes.
NetTool	Network tools	They provide the user with additional options when working with other computers on the network. These tools allow restarting them, detecting open ports, and starting applications that are installed on the computers.
Client-P2P	P2P network clients	They allow working on peer-to-peer networks. They can be used by intruders for spreading malware.
Client-SMTP	SMTP clients	They send email messages without the user's knowledge. Intruders implant them on the user's computer to send spam under the user's name.
WebToolbar	Web toolbars	They add toolbars to the interfaces of other applications to use search engines.
FraudTool	Pseudo-programs	They pass themselves off as other programs. For example, there are pseudo-anti-virus programs which display messages about malware detection. However, in reality, they do not find or disinfect anything.

Other software that can be used by criminals to damage your computer or personal data

Subcategory: legal software that may be used by criminals to damage your computer or personal data.

Danger level: medium

However, if intruders gain access to these programs, or if they plant them on the user's computer, some of the application's features may be used to violate security.

These applications differ by function; their types are described in the following table.

Type	Name	Description
Client-IRC	Internet chat clients	Users install these programs to talk to people in Internet Relay Chats. Intruders use them to spread malware.
Dialer	Auto-dialers	They can establish phone connections over a modem in hidden mode.
Downloader	Programs for downloading	They can download files from web pages in hidden mode.
Monitor	Programs for monitoring	They allow monitoring activity on the computer on which they are installed (seeing which applications are active and how they exchange data with applications that are installed on other computers).
PSWTool	Password restorers	They allow viewing and restoring forgotten passwords. Intruders secretly implant them on users' computers with the same purpose.
RemoteAdmin	Remote administration programs	They are widely used by system administrators. These programs allow obtaining access to the interface of a remote computer to monitor and manage it. Intruders secretly implant them on users' computers with the same purpose: to monitor and manage remote computers. Legal remote administration programs differ from Backdoor-type Trojans for remote administration. Trojans have the ability to penetrate the operating system independently and install themselves; legal programs are unable to do so.
Server-FTP	FTP servers	They function as FTP servers. Intruders implant them on the user's computer to open remote access to it via FTP.
Server-Proxy	Proxy servers	They function as proxy servers. Intruders implant them on the user's computer to send spam under the user's name.
Server-Telnet	Telnet servers	They function as Telnet servers. Intruders implant them on the user's computer to open remote access to it via Telnet.
Server-Web	Web servers	They function as web servers. Intruders implant them on the user's computer to open remote access to it via HTTP.
RiskTool	Tools for working at a local computer	They provide the user with additional options when working at the user's own computer. The tools allow the user to hide files or windows of active applications and terminate active processes.
NetTool	Network tools	They provide the user with additional options when working with other computers on the network. These tools allow restarting them, detecting open ports, and starting applications that are installed on the computers.
Client-P2P	P2P network clients	They allow working on peer-to-peer networks. They can be used by intruders for spreading malware.
Client-SMTP	SMTP clients	They send email messages without the user's knowledge. Intruders implant them on the user's computer to send spam under the user's name.
WebToolbar	Web toolbars	They add toolbars to the interfaces of other applications to use search engines.
FraudTool	Pseudo-programs	They pass themselves off as other programs. For example, there are pseudo-anti-virus programs which display messages about malware detection. However, in reality, they do not find or disinfect anything.

Packed objects whose packing may be used to protect malicious code
Kaspersky Endpoint Security scans compressed objects and the unpacker module within SFX (self-extracting) archives.

To hide dangerous programs from anti-virus applications, intruders archive them by using special packers or create multi-packed files.

Kaspersky virus analysts have identified packers that are the most popular amongst hackers.

If Kaspersky Endpoint Security detects such a packer in a file, the file most likely contains a malicious application or an application that can be used by criminals to cause harm to your computer or personal data.

Kaspersky Endpoint Security singles out the following types of programs:
- Packed files that may cause harm – used for packing malware, such as viruses, worms, and Trojans.
- Multi-packed files (medium threat level) – the object has been packed three times by one or more packers.
Multi-packed files
Kaspersky Endpoint Security scans compressed objects and the unpacker module within SFX (self-extracting) archives.

To hide dangerous programs from anti-virus applications, intruders archive them by using special packers or create multi-packed files.

Kaspersky virus analysts have identified packers that are the most popular amongst hackers.

If Kaspersky Endpoint Security detects such a packer in a file, the file most likely contains a malicious application or an application that can be used by criminals to cause harm to your computer or personal data.

Kaspersky Endpoint Security singles out the following types of programs:
- Packed files that may cause harm – used for packing malware, such as viruses, worms, and Trojans.
- Multi-packed files (medium threat level) – the object has been packed three times by one or more packers.

Save your changes.

Page top

[Topic 128147]

Enabling or disabling Advanced Disinfection technology

If Kaspersky Endpoint Security cannot halt the execution of a piece of malware, you can use the Advanced Disinfection technology. By default, Advanced Disinfection is disabled because this technology uses a significant amount of computing resources. Therefore, you can enable Advanced Disinfection only when working with active threats.

Advanced Disinfection works differently for workstations and servers. To use the technology on servers, you must enable immediate advanced disinfection in the properties of the Anti-Virus Scan task. This prerequisite is not necessary to use the technology on workstations.

To enable or disable the Advanced Disinfection technology:

In the lower part of the main application window, click the button.
In the application settings window, select the General section.
In the Protection mode section, select or clear the Enable Advanced Disinfection technology check box to enable or disable Advanced Disinfection technology.
Save your changes.

As a result, the user cannot use most operating system features while Active Disinfection is in progress. When the disinfection is complete, the computer is rebooted.

Page top

[Topic 128351]

Enabling or disabling energy-saving mode

To enable or disable energy conservation mode:

In the lower part of the main application window, click the button.
In the application settings window, select Threats and exclusions.
In the Performance section, use the Postpone scheduled tasks while running on battery power check box to enable or disable power saving mode.
When energy conservation mode is enabled and the computer is running on battery power, the following tasks are not run even if scheduled:
- Update task
- Full Scan task
- Critical Areas Scan task
- Custom Scan task
- Integrity Check task
Save your changes.

Page top

[Topic 123511]

Enabling or disabling conceding of resources to other applications

To enable or disable conceding of resources to other applications:

In the lower part of the main application window, click the button.
In the application settings window, select the General section.
In the Performance section, use the Concede resources to other applications check box to enable or disable conceding of resources to other applications.
When configured to concede resources to other applications, Kaspersky Endpoint Security postpones scheduled tasks that slow down other applications:
- Update task
- Full Scan task
- Critical Areas Scan task
- Custom Scan task
- Integrity Check task
By default, the application is configured to concede resources to other applications.
Save your changes.

Page top

[Topic 134486]

Creating and using a configuration file

A configuration file with Kaspersky Endpoint Security settings lets you accomplish the following tasks:

Perform local installation of Kaspersky Endpoint Security via the command line with predefined settings.
To do so, you must save the configuration file in the same folder where the distribution kit is located.
Perform remote installation of Kaspersky Endpoint Security via Kaspersky Security Center with predefined settings.
Migrate Kaspersky Endpoint Security settings from one computer to another.

To create a configuration file:

In the lower part of the main application window, click the button.
In the application settings window, select Manage settings.
Click the Export button.
In the window that opens, specify the path to where you want to save the configuration file, and enter its name.
To use the configuration file for local or remote installation of Kaspersky Endpoint Security, you must name it install.cfg.
Click the Save button.

To import Kaspersky Endpoint Security settings from a configuration file:

In the lower part of the main application window, click the button.
In the application settings window, select Manage settings.
Click the Import button.
In the window that opens, enter the path to the configuration file.
Click the Open button.

All values of Kaspersky Endpoint Security settings will be set according to the selected configuration file.

Page top

[Topic 201017]

Restoring the default application settings

You can restore the settings recommended by Kaspersky for Endpoint Security at any time. When the settings are restored, the Recommended security level is set for all protection components.

To restore the default application settings:

In the lower part of the main application window, click the button.
In the application settings window, select Manage settings.
Click the Restore button.
Click the Save button.

Page top

[Topic 132089]

Messaging between users and the administrator

The Application Control, Device Control, Web Control and Adaptive Anomaly Control components enable LAN users whose computers have Kaspersky Endpoint Security installed to send messages to the administrator.

A user may need to send a message to the local corporate network administrator in the following cases:

Device Control blocked access to the device.
The message template for a request to access a blocked device is available in the Kaspersky Endpoint Security interface in the Device Control section.
Application Control blocked the startup of an application.
The message template for a request to allow the startup of a blocked application is available in the Kaspersky Endpoint Security interface in the Application Control section.
Web Control blocked access to a web resource.
The message template for a request to access a blocked web resource is available in the Kaspersky Endpoint Security interface in the Web Control section.

The method used to send messages and the utilized template depends on whether or not there is an active Kaspersky Security Center policy running on the computer that has Kaspersky Endpoint Security installed, and whether or not there is a connection with the Kaspersky Security Center Administration Server. The following scenarios are possible:

If a Kaspersky Security Center policy is not running on the computer that has Kaspersky Endpoint Security installed, a user's message is sent to the local area network administrator by email.
The message fields are populated with the values of fields from the template defined in the local interface of Kaspersky Endpoint Security.
If a Kaspersky Security Center policy is running on the computer that has Kaspersky Endpoint Security installed, the standard message is sent to the Kaspersky Security Center Administration Server.
In this case, user messages are available for viewing in the Kaspersky Security Center event storage (see instruction below). The message fields are populated with the values of fields from the template defined in the Kaspersky Security Center policy.
If a Kaspersky Security Center out-of-office policy is running on the computer with Kaspersky Endpoint Security installed, the method used to send messages depends on whether or not there is a connection with Kaspersky Security Center.
- If a connection with Kaspersky Security Center is established, Kaspersky Endpoint Security sends the standard message to the Kaspersky Security Center Administration Server.
- If a connection with Kaspersky Security Center is absent, a user's message is sent to the local area network administrator by email.
In both cases, the message fields are populated with the values of fields from the template defined in the Kaspersky Security Center policy.

To view a user message in the Kaspersky Security Center event storage:

Open the Kaspersky Security Center Administration Console.
In the Administration Server node of the Administration Console tree, select the Events tab.
The Kaspersky Security Center workspace displays all events occurring during the operation of Kaspersky Endpoint Security, including messages to the administrator that are received from LAN users.
To configure the event filter, in the Selection events drop-down list, select User requests.
Select the message sent to the administrator.
Click the Open event properties window button in the right part of the Administration Console workspace.

Page top

[Topic 128080]

Data Encryption

Kaspersky Endpoint Security lets you encrypt files and folders that are stored on local and removable drives, or entire removable drives and hard drives. Data encryption minimizes the risk of information leaks that may occur when a portable computer, removable drive or hard drive is lost or stolen, or when data is accessed by unauthorized users or applications. Kaspersky Endpoint Security uses the Advanced Encryption Standard (AES) encryption algorithm.

If the license has expired, the application does not encrypt new data, and old encrypted data remains encrypted and available for use. In this event, encrypting new data requires the application be activated with a new license that permits the use of encryption.

If your license has expired, or the End User License Agreement has been violated, the license key, Kaspersky Endpoint Security, or encryption components has been removed, the encrypted status of previously encrypted files is not guaranteed. This is because some applications, such as Microsoft Office Word, create a temporary copy of files during editing. When the original file is saved, the temporary copy replaces the original file. As a result, on a computer that has no or inaccessible encryption functionality, the file remains unencrypted.

Kaspersky Endpoint Security offers the following aspects of data protection:

File Level Encryption on local computer drives. You can compile lists of files by extension or group of extensions and lists of folders stored on local computer drives, and create rules for encrypting files that are created by specific applications. After a policy is applied, Kaspersky Endpoint Security encrypts and decrypts the following files:
- files individually added to lists for encryption and decryption;
- files stored in folders added to lists for encryption and decryption;
- files created by separate applications.
Encryption of removable drives. You can specify a default encryption rule, according to which the application applies the same action to all removable drives, or specify encryption rules for individual removable drives.
The default encryption rule has a lower priority than encryption rules created for individual removable drives. Encryption rules created for removable drives of the specified device model have a lower priority than encryption rules created for removable drives with the specified device ID.

To select an encryption rule for files on a removable drive, Kaspersky Endpoint Security checks whether or not the device model and ID are known. The application then performs one of the following operations:
- If only the device model is known, the application uses the encryption rule (if any) created for removable drives of the specific device model.
- If only the device ID is known, the application uses the encryption rule (if any) created for removable drives with the specific device ID.
- If the device model and ID are known, the application applies the encryption rule (if any) created for removable drives with the specific device ID. If no such rule exists, but there is an encryption rule created for removable drives with the specific device model, the application applies this rule. If no encryption rule is specified for the specific device ID nor for the specific device model, the application applies the default encryption rule.
- If neither the device model nor device ID is known, the application uses the default encryption rule.
The application lets you prepare a removable drive for using encrypted data stored on it in portable mode. After enabling portable mode, you can access encrypted files on removable drives connected to a computer without encryption functionality.
Managing rules of application access to encrypted files. For any application, you can create an encrypted file access rule that blocks access to encrypted files or allows access to encrypted files only as ciphertext, which is a sequence of characters obtained when encryption is applied.
Creating encrypted packages. You can create encrypted archives and protect access to such archives with a password. The contents of encrypted archives can be accessed only by entering the passwords with which you protected access to those archives. Such archives can be securely transmitted over networks or on removable drives.
Full Disk Encryption. You can select an encryption technology: Kaspersky Disk Encryption or BitLocker Drive Encryption (hereinafter also referred to as simply "BitLocker").
BitLocker is a technology that is part of the Windows operating system. If a computer is equipped with a Trusted Platform Module (TPM), BitLocker uses it to store recovery keys that provide access to an encrypted hard drive. When the computer starts, BitLocker requests the hard drive recovery keys from the Trusted Platform Module and unlocks the drive. You can configure the use of a password and/or PIN code for accessing recovery keys.

You can specify the default full disk encryption rule and create a list of hard drives to be excluded from encryption. Kaspersky Endpoint Security performs full disk encryption by sector after the Kaspersky Security Center policy is applied. The application encrypts all logical partitions of hard drives simultaneously.

After the system hard drives have been encrypted, at the next computer startup the user must complete authentication using the
Authentication Agent
Interface that lets you complete authentication to access encrypted hard drives and load the operating system after the bootable hard drive has been encrypted.

Interface that lets you complete authentication to access encrypted hard drives and load the operating system after the bootable hard drive has been encrypted.

before the hard drives can be accessed and the operating system is loaded. This requires entering the password of the token or smart card connected to the computer, or the user name and password of the Authentication Agent account created by the local area network administrator using the Manage Authentication Agent accounts task. These accounts are based on Microsoft Windows accounts under which users log into the operating system. You can also use Single Sign-On (SSO) technology, which lets you automatically log in to the operating system using the user name and password of the Authentication Agent account.

If you back up a computer and then encrypt the computer data, after which you restore the backup copy of the computer and encrypt the computer data again, Kaspersky Endpoint Security creates duplicates of Authentication Agent accounts. To remove the duplicate accounts, you must use the klmover utility with the dupfix key. The klmover utility is included in the Kaspersky Security Center build. You can read more about its operation in the Kaspersky Security Center Help.

Access to encrypted hard drives is possible only from computers on which Kaspersky Endpoint Security with full disk encryption functionality is installed. This precaution minimizes the risk of data leaks from an encrypted hard drive when an attempt to access it is made outside of the local area network of the company.

To encrypt hard drives and removable drives, you can use the Encrypt used disk space only function. It is recommended you only use this function for new devices that have not been previously used. If you are applying encryption to a device that is already in use, it is recommended you encrypt the entire device. This ensures that all data is protected – even deleted data that might still contain retrievable information.

Before beginning encryption, Kaspersky Endpoint Security obtains the map of file system sectors. The first wave of encryption includes sectors that are occupied by files at the moment when encryption is started. The second wave of encryption includes sectors that were written to after encryption began. After encryption is complete, all sectors containing data are encrypted.

After encryption is complete and a user deletes a file, the sectors that stored the deleted file become available for storing new information at the file system level but remain encrypted. Thus, as files are written to a new device and the device is regularly encrypted with the Encrypt used disk space only function enabled, all sectors will be encrypted after some time.

The data needed to decrypt files is provided by the Kaspersky Security Center Administration Server that controlled the computer at the time of encryption. If the computer with encrypted objects was managed by a different Administration Server for some reason, you can obtain access to the encrypted data in one of the following ways:

Administration Servers in the same hierarchy:
- You do not need to take any additional actions. The user will retain access to the encrypted objects. Encryption keys are distributed to all Administration Servers.
Separated Administration Servers:
- Request access to encrypted objects from the LAN administrator.
- Restore data on encrypted devices using the Restore Utility.
- Restore the configuration of the Kaspersky Security Center Administration Server that controlled the computer at the time of encryption from a backup copy and use this configuration on the Administration Server that now controls the computer with encrypted objects.

If there is no access to encrypted data, follow the special instructions for working with encrypted data (Restoring access to encrypted files, Working with encrypted devices when there is no access to them).

In this section

Encryption functionality limitations

Changing the length of the encryption key (AES56 / AES256)

Kaspersky Disk Encryption

BitLocker Management

File Level Encryption on local computer drives

Encryption of removable drives

Viewing data encryption details

Working with encrypted devices when there is no access to them

Page top

[Topic 130984]

Encryption functionality limitations

Data Encryption has the following limitations:

The application creates service files during encryption. Around 0.5% of non-fragmented free space on the hard drive is required to store them. If there is not enough non-fragmented free space on the hard drive, encryption will not start until enough space is freed up.
You can manage all data encryption components in the Kaspersky Security Center Administration Console and in the Kaspersky Security Center 12 Web Console. In the Kaspersky Security Center Cloud Console, you can only manage Bitlocker.
Data encryption is available only when using Kaspersky Endpoint Security with the Kaspersky Security Center administration system or the Kaspersky Security Center Cloud Console (BitLocker only). Data Encryption when using Kaspersky Endpoint Security in offline mode is not possible because Kaspersky Endpoint Security stores encryption keys in Kaspersky Security Center.
If Kaspersky Endpoint Security is installed on a computer running Microsoft Windows for Servers, only full disk encryption using BitLocker Drive Encryption technology is available. If Kaspersky Endpoint Security is installed on a computer running Windows for Workstations, data encryption functionality is fully available.

Full disk encryption using Kaspersky Disk Encryption technology is unavailable for hard drives that do not meet the hardware and software requirements.

Compatibility between the full disk encryption functionality of Kaspersky Endpoint Security and Kaspersky Anti-Virus for UEFI is not supported. Kaspersky Anti-Virus for UEFI starts before the operating system loads. When using full disk encryption, the application will detect the absence of an installed operating system on the computer. As a result, the operation of Kaspersky Anti-Virus for UEFI will end with an error. File Level Encryption (FLE) does not affect the operation of Kaspersky Anti-Virus for UEFI.

Kaspersky Endpoint Security supports the following configurations:

HDD, SSD, and USB drives.
Kaspersky Disk Encryption (FDE) technology supports working with SSD while preserving the performance and service life of SSD drives.
Drives connected via bus: SCSI, ATA, IEEE1934, USB, RAID, SAS, SATA, NVME.
Non-removable drives connected via SD or MMC bus.
Drives with 512-byte sectors.
Drives with 4096-byte sectors that emulate 512 bytes.
Drives with the following type of partitions: GPT, MBR, and VBR (removable drives).
Embedded software of the UEFI 64 and Legacy BIOS standard.
Embedded software of the UEFI standard with Secure Boot support.
Secure Boot is a technology designed to verify digital signatures for UEFI loader applications and drivers. Secure Boot blocks the startup of UEFI applications and drivers that are unsigned or signed by unknown publishers. Kaspersky Disk Encryption (FDE) fully supports Secure Boot. Authentication Agent is signed by a Microsoft Windows UEFI Driver Publisher certificate.

On some devices (for example, Microsoft Surface Pro and Microsoft Surface Pro 2), an out-of-date list of digital signature verification certificates may be installed by default. Prior to encrypting the drive, you need to update the list of certificates.
Embedded software of the UEFI standard with Fast Boot support.
Fast Boot is a technology that helps the computer start up faster. When Fast Boot technology is enabled, normally the computer loads only the minimum set of UEFI drivers required for starting the operating system. When Fast Boot technology is enabled, USB keyboards, mice, USB tokens, touchpads and touchscreens may not work while Authentication Agent is running.

To use Kaspersky Disk Encryption (FDE), it is recommended to disable Fast Boot technology. You can use the FDE Test Utility to test the operation of Kaspersky Disk Encryption (FDE).

Kaspersky Endpoint Security does not support the following configurations:

The boot loader is located on one drive while the operating system is on a different drive.
The system contains embedded software of the UEFI 32 standard.
The system has Intel Rapid Start Technology and drives that have a hibernation partition even when Intel Rapid Start Technology is disabled.
Drives in MBR format with more than 10 extended partitions.
The system has a swap file located on a non-system drive.
Multiboot system with multiple simultaneously installed operating systems.
Dynamic partitions (only primary partitions are supported).
Drives with less than 0.5% free unfragmented disk space.
Drives with a sector size different from 512 bytes or 4096 bytes that emulate 512 bytes.
Hybrid drives.
The system has third-party loaders.
Drives with compressed NTFS directories.
Kaspersky Disk Encryption (FDE) technology is incompatible with other full disk encryption technologies (such as BitLocker, McAfee Drive Encryption, and WinMagic SecureDoc).
Kaspersky Disk Encryption (FDE) technology is incompatible with Express Cache technology.
Creating, deleting, and modifying partitions on an encrypted drive is not supported. You could lose data.
File system formatting is not supported. You could lose data.
If you need to format a drive that was encrypted with Kaspersky Disk Encryption (FDE) technology, format the drive on a computer that does not have Kaspersky Endpoint Security for Windows and use only full disk encryption.

An encrypted drive that is formatted with the quick format option may be mistakenly identified as encrypted the next time it is connected to a computer that has Kaspersky Endpoint Security for Windows installed. User data will be unavailable.
Authentication Agent supports no more than 100 accounts.
Single Sign-On technology is incompatible with other technologies of third-party developers.
Kaspersky Disk Encryption (FDE) technology is not supported on the following models of devices:
- Dell Latitude E6410 (UEFI mode)
- HP Compaq nc8430 (Legacy BIOS mode)
- Lenovo Think Center 8811 (Legacy BIOS mode)
Authentication Agent does not support working with USB tokens when Legacy USB Support is enabled. Only password-based authentication will be possible on the computer.
When encrypting a drive in Legacy BIOS mode, you are advised to enable Legacy USB Support on the following models of devices:
- Acer Aspire 5560G
- Acer Aspire 6930
- Acer TravelMate 8572T
- Dell Inspiron 1420
- Dell Inspiron 1545
- Dell Inspiron 1750
- Dell Inspiron N4110
- Dell Latitude E4300
- Dell Studio 1537
- Dell Studio 1569
- Dell Vostro 1310
- Dell Vostro 1320
- Dell Vostro 1510
- Dell Vostro 1720
- Dell Vostro V13
- Dell XPS L502x
- Fujitsu Celsius W370
- Fujitsu LifeBook A555
- HP Compaq dx2450 Microtower PC
- Lenovo G550
- Lenovo ThinkPad L530
- Lenovo ThinkPad T510
- Lenovo ThinkPad W540
- Lenovo ThinkPad X121e
- Lenovo ThinkPad X200s (74665YG)
- Samsung R530
- Toshiba Satellite A350
- Toshiba Satellite U400 10O
- MSI 760GM-E51 (motherboard)

Page top

[Topic 130874]

Changing the length of the encryption key (AES56 / AES256)

Kaspersky Endpoint Security uses the Advanced Encryption Standard (AES) encryption algorithm. Kaspersky Endpoint Security supports the AES encryption algorithm with an effective key length of 256 or 56 bits. The data encryption algorithm depends on the AES encryption library that is included in the distribution package: Strong encryption (AES256) or Lite encryption (AES56). The AES encryption library is installed together with the application.

Changing the length of the encryption key is available only for Kaspersky Endpoint Security 11.2.0 or later.

Changing the encryption key length consists of the following steps:

Decrypt objects that Kaspersky Endpoint Security encrypted before you begin changing the encryption key length:
After the encryption key length is changed, objects that were previously encrypted become unavailable.
Remove Kaspersky Endpoint Security.
Install Kaspersky Endpoint Security from the Kaspersky Endpoint Security distribution package containing a different encryption library.

You can also change the encryption key length by upgrading the application. The key length can be changed through an application upgrade only if the following conditions are met:

Kaspersky Endpoint Security version 10 Service Pack 2 or later is installed on the computer.
Data encryption components (File Level Encryption, Full Disk Encryption) are not installed on the computer.
By default, data encryption components are not included in Kaspersky Endpoint Security. The BitLocker Management component does not affect the change in the length of the encryption key.

To change the encryption key length, run the kes_win.msi or setup_kes.exe file from the distribution package containing the necessary encryption library. You can also remotely upgrade the application by using the installation package.

It is impossible to change the length of the encryption key using the distribution package of the same version of the application that is installed on your computer without first uninstalling the application.

Page top

[Topic 137268]

Kaspersky Disk Encryption

Kaspersky Disk Encryption is available only for computers running a Windows operating system for workstations. For computers running a Windows operating system for servers, use BitLocker Drive Encryption technology.

Kaspersky Endpoint Security supports full disk encryption in FAT32, NTFS and exFat file systems.

Before starting full disk encryption, the application runs a series of checks to determine if the device can be encrypted, which includes checking the system hard drive for compatibility with Authentication Agent or with BitLocker encryption components. To check for compatibility, the computer must be restarted. After the computer has been rebooted, the application performs all the necessary checks automatically. If the compatibility check is successful, full disk encryption starts after the operating system has loaded and the application has started. If the system hard drive is found to be incompatible with Authentication Agent or with BitLocker encryption components, the computer must be restarted by pressing the Reset hardware button. Kaspersky Endpoint Security logs information about the incompatibility. Based on this information, the application does not start full disk encryption at operating system startup. Information about this event is logged in Kaspersky Security Center reports.

If the hardware configuration of the computer has changed, the incompatibility information logged by the application during the previous check should be deleted in order to check the system hard drive for compatibility with Authentication Agent and BitLocker encryption components. To do so, prior to full disk encryption, type avp pbatestreset in the command line. If the operating system fails to load after the system hard drive has been checked for compatibility with Authentication Agent, you must remove the objects and data remaining after test operation of Authentication Agent by using the Restore Utility and then start Kaspersky Endpoint Security and execute the avp pbatestreset command again.

After full disk encryption has started, Kaspersky Endpoint Security encrypts all data that is written to hard drives.

If the user shuts down or restarts the computer during full disk encryption, Authentication Agent is loaded before the next startup of the operating system. Kaspersky Endpoint Security resumes full disk encryption after successful authentication in Authentication Agent and operating system startup.

If the operating system switches to hibernation mode during full disk encryption, Authentication Agent is loaded when the operating system switches back from hibernation mode. Kaspersky Endpoint Security resumes full disk encryption after successful authentication in Authentication Agent and operating system startup.

If the operating system goes into sleep mode during full disk encryption, Kaspersky Endpoint Security resumes full disk encryption when the operating system comes out of sleep mode without loading Authentication Agent.

User authentication in the Authentication Agent can be performed in two ways:

Enter the name and password of the Authentication Agent account created by the LAN administrator using Kaspersky Security Center tools.
Enter the password of a token or smart card connected to the computer.
Use of a token or smart card is available only if the computer hard drives were encrypted using the AES256 encryption algorithm. If the computer hard drives were encrypted using the AES56 encryption algorithm, addition of the electronic certificate file to the command will be denied.

The authentication agent supports keyboard layouts for the following languages:

English (UK)
English (USA)
Arabic (Algeria, Morocco, Tunis; AZERTY layout)
Spanish (Latin America)
Italian
German (Germany and Austria)
German (Switzerland)
Portuguese (Brazil, ABNT2 layout)
Russian (for 105-key IBM / Windows keyboards with the QWERTY layout)
Turkish (QWERTY layout)
French (France)
French (Switzerland)
French (Belgium, AZERTY layout)
Japanese (for 106-key keyboards with the QWERTY layout)

A keyboard layout becomes available in the Authentication Agent if this layout has been added in the language and regional standards settings of the operating system and has become available on the welcome screen of Microsoft Windows.

If the Authentication Agent account name contains symbols that cannot be entered using keyboard layouts available in the Authentication Agent, encrypted hard drives can be accessed only after they are restored using the Restore Utility or after the Authentication Agent account name and password are restored.

In this section

Special features of SSD drive encryption

Full disk encryption using Kaspersky Disk Encryption technology

Creating a list of hard drives excluded from encryption

Exporting and importing a list of hard drives excluded from encryption

Enabling Single Sign-On (SSO) technology

Managing Authentication Agent accounts

Using a token and smart card with Authentication Agent

Hard drive decryption

Restoring access to a drive protected by Kaspersky Disk Encryption technology

Updating the operating system

Eliminating errors of encryption functionality update

Selecting the Authentication Agent tracing level

Editing Authentication Agent help texts

Removing leftover objects and data after testing the operation of Authentication Agent

Page top

[Topic 202601]

Special features of SSD drive encryption

The application supports encryption of SSD drives, hybrid SSHD drives, and drives with the Intel Smart Response feature. The application does not support encryption of drives with the Intel Rapid Start feature. Disable the Intel Rapid Start feature prior to encrypting such a drive.

Encryption of SSD drives has the following special features:

If an SSD drive is new and contains no confidential data, enable encryption of only occupied space. This lets you overwrite the relevant drive sectors.
If an SSD drive is in use and it has confidential data, select one of the following options:
- Fully wipe the SSD drive (Secure Erase), install the operating system and run encryption of the SSD drive with the option to encrypt only occupied space enabled.
- Run encryption of the SSD drive with the option to encrypt only occupied space disabled.

Encryption of an SSD drive requires 5-10 GB of free space. The free space requirements for storing encryption administration data are provided in the table below.

Free space requirements for storing encryption administration data

SSD drive size (GB)	Free space on primary partition of SSD drive (MB)	Free space on secondary partition of SSD drive (MB)
128	250	64
256	250	640
512	300	128

Page top

[Topic 123502]

Full disk encryption using Kaspersky Disk Encryption technology

Prior to starting full disk encryption, you are advised to make sure that the computer is not infected. To do so, start the Full Scan or Critical Areas Scan task. Performing full disk encryption on a computer that is infected by a rootkit may cause the computer to become inoperable.

To perform full disk encryption using Kaspersky Disk Encryption technology:

Open the Kaspersky Security Center Administration Console.
In the Managed devices folder in the Administration Console tree, open the folder with the name of the administration group to which the relevant client computers belong.
In the workspace, select the Policies tab.
Select the necessary policy and double-click to open the policy properties.
In the policy window, select Data Encryption → Full Disk Encryption.
In the Encryption technology drop-down list, select Kaspersky Disk Encryption.
Kaspersky Disk Encryption technology cannot be used if the computer has hard drives that were encrypted by BitLocker.
In the Encryption mode drop-down list, select Encrypt all hard drives.
If the computer has several operating systems installed, after encrypting all hard drives you will be able to load only the operating system that has the application installed.

If you need to exclude some of the hard drives from encryption, create a list of such hard drives.
Configure rules for adding Authentication Agent accounts during disk encryption. The Agent allows a user to complete authentication for access to encrypted drives and to load the operating system. To automatically add Authentication Agent accounts, configure the following settings:
- During encryption, automatically create Authentication Agent accounts for Windows users. If this check box is selected, the application creates Authentication Agent accounts based on the list of Windows user accounts on the computer. By default, Kaspersky Endpoint Security uses all local and domain accounts with which the user logged in to the operating system over the past 30 days.
- Automatically create Authentication Agent accounts for all users of this computer upon sign-in. If this check box is selected, the application checks information about Windows user accounts on the computer before starting Authentication Agent. If Kaspersky Endpoint Security detects a Windows user account that has no Authentication Agent account, the application will create a new account for accessing encrypted drives. The new Authentication Agent account will have the following default settings: password-protected sign-on only, and password change on first authentication. Therefore, you do not need to manually add Authentication Agent accounts using the Manage Authentication Agent accounts task for computers with already encrypted drives.
If you disabled automatic creation of Authentication Agent accounts, you can manually add Authentication Agent accounts by using the Manage accounts task. You can also use this task to change the settings of Authentication Agent accounts that were created automatically.
For user convenience, you can save the user name to Authentication Agent memory so that the user only has to enter a password the next time they sign in to the system. To do so, select the Save user name entered in Authentication Agent check box.
Select one of the following encryption methods:
- If you want to apply encryption only to those hard drive sectors that are occupied by files, select the Encrypt used disk space only check box.
  If you are applying encryption on a drive that is already in use, it is recommended to encrypt the entire drive. This ensures that all data is protected – even deleted data that might still contain retrievable information. The Encrypt used disk space only function is recommended for new drives that have not been previously used.
- If you want to apply encryption to the entire hard drive, clear the Encrypt used disk space only check box.
  If a device was previously encrypted using the Encrypt used disk space only function, after applying a policy in Encrypt all hard drives mode, sectors that are not occupied by files will still not be encrypted.
If a hardware incompatibility problem occurs during computer encryption, you can select the Use Legacy USB Support check box.
Legacy USB Support is a BIOS/UEFI function that allows you to use USB devices (such as a security token) during the computer's boot phase before starting the operating system (BIOS mode). Legacy USB Support does not affect support for USB devices after the operating system is started.

When the Legacy USB Support function is enabled, the Authentication Agent in BIOS mode does not support working with tokens via USB. It is recommended to use this option only when there is a hardware compatibility issue and only for those computers on which the problem occurred.
Save your changes.

You can use the Encryption Monitor tool to control the disk encryption or decryption process on a user's computer. You can run the Encryption Monitor tool from the main application window.

If system hard drives are encrypted, the Authentication Agent loads before startup of the operating system. Use the Authentication Agent to complete authentication for obtaining access to encrypted system hard drives and load the operating system. After successful completion of the authentication procedure, the operating system loads. The authentication process is repeated every time the operating system restarts.

Page top

[Topic 123501]

Creating a list of hard drives excluded from encryption

You can create a list of exclusions from encryption only for Kaspersky Disk Encryption technology.

To form a list of hard drives excluded from encryption:

Open the Kaspersky Security Center Administration Console.
In the Managed devices folder in the Administration Console tree, open the folder with the name of the administration group to which the relevant client computers belong.
In the workspace, select the Policies tab.
Select the necessary policy and double-click to open the policy properties.
In the policy window, select Data Encryption → Full Disk Encryption.
In the Encryption technology drop-down list, select the Kaspersky Disk Encryption option.
Entries corresponding to hard drives excluded from encryption appear in the Do not encrypt the following hard drives table. This table is empty if you have not previously formed a list of hard drives excluded from encryption.
To add hard drives to the list of hard drives excluded from encryption:
1. Click the Add button.
  The Add devices from Kaspersky Security Center list window opens.
2. In the Add devices from Kaspersky Security Center list window, specify the values of the following parameters: Name, Computer, Disk type, and Kaspersky Disk Encryption.
3. Click the Refresh button.
4. In the Name column, select the check boxes in the table rows corresponding to those hard drives that you want to add to the list of hard drives excluded from encryption.
5. Click OK.
The selected hard drives appear in the Do not encrypt the following hard drives table.
If you want to remove hard drives from the table of exclusions, select one or several rows in the Do not encrypt the following hard drives table and click the Delete button.
To select multiple rows in the table, select them while holding down the CTRL key.
Save your changes.

Page top

[Topic 202258]

Exporting and importing a list of hard drives excluded from encryption

You can export the list of hard drive encryption exclusions to an XML file. Then you can modify the file to, for example, add a large number of exclusions of the same type. You can also use the export/import function to back up the list of exclusions or to migrate the exclusions to a different server.

How to export and import a list of hard drive encryption exclusions in the Administration Console (MMC)

Open the Kaspersky Security Center Administration Console.
In the Managed devices folder in the Administration Console tree, open the folder with the name of the administration group to which the relevant client computers belong.
In the workspace, select the Policies tab.
Select the necessary policy and double-click to open the policy properties.
In the policy window, select Data Encryption → Full Disk Encryption.
In the Encryption technology drop-down list, select the Kaspersky Disk Encryption option.
Entries corresponding to hard drives excluded from encryption appear in the Do not encrypt the following hard drives table.
To export the list of exclusions:
1. Select the exclusions that you want to export. To select multiple ports, use the CTRL or SHIFT keys.
  If you did not select any exclusion, Kaspersky Endpoint Security will export all exclusions.
2. Click the Export link.
3. In the window that opens, specify the name of the XML file to which you want to export the list of exclusions, and select the folder in which you want to save this file.
4. Click the Save button.
  Kaspersky Endpoint Security exports the entire list of exclusions to the XML file.
To import the list of rules:
1. Click the Import button.
2. In the window that opens, select the XML file from which you want to import the list of exclusions.
3. Click the Open button.
  If the computer already has a list of exclusions, Kaspersky Endpoint Security will prompt you to delete the existing list or add new entries to it from the XML file.
Save your changes.

How to export and import a list of hard drive encryption exclusions in the Web Console

In the main window of Web Console, select Devices → Policies and profiles.
Click the name of the Kaspersky Endpoint Security policy for computers on which you want to export or import a list of exclusions.
The policy properties window opens.
Select the Application settings tab.
Select Data Encryption → Full Disk Encryption.
Select the Kaspersky Disk Encryption technology and follow the link to configure the settings.
The encryption settings open.
Click the Exclusions link.
To export the list of rules:
1. Select the exclusions that you want to export.
2. Click the Export button.
3. Confirm that you want to export only the selected exclusions, or export the entire list of exclusions.
4. In the window that opens, specify the name of the XML file to which you want to export the list of exclusions, and select the folder in which you want to save this file.
5. Click the Save button.
  Kaspersky Endpoint Security exports the entire list of exclusions to the XML file.
To import the list of rules:
1. Click the Import button.
2. In the window that opens, select the XML file from which you want to import the list of exclusions.
3. Click the Open button.
  If the computer already has a list of exclusions, Kaspersky Endpoint Security will prompt you to delete the existing list or add new entries to it from the XML file.
Save your changes.

Page top

[Topic 128315]

Enabling Single Sign-On (SSO) technology

Single Sign-On (SSO) technology allows you to automatically log into the operating system using the credentials of the Authentication Agent.

When using Single Sign-on technology, the Authentication Agent ignores the password strength requirements specified in Kaspersky Security Center. You can set the password strength requirements in the operating system settings.

Single Sign-On technology is incompatible with third-party providers of account credentials.

How to enable the use of Single Sign-On technology in the Administration Console (MMC)

Open the Kaspersky Security Center Administration Console.
In the Managed devices folder in the Administration Console tree, open the folder with the name of the administration group to which the relevant client computers belong.
In the workspace, select the Policies tab.
Select the necessary policy and double-click to open the policy properties.
In the policy window, select Data Encryption → Common Encryption Settings.
In the Password settings block, click the Settings button.
In the window that opens, on the Authentication Agent tab, select the Use Single Sign-On (SSO) technology check box.
Save your changes.

As a result, the user needs to complete the authentication procedure only once with the Agent. The authentication procedure is not required for loading the operating system. The operating system loads automatically.

How to enable use of Single Sign-On in the Web Console

In the main window of Web Console, select Devices → Policies and profiles.
Click the name of the Kaspersky Endpoint Security policy for computers on which you want to enable use of Single Sign-On.
The policy properties window opens.
Select the Application settings tab.
Go to Data Encryption → Full Disk Encryption.
Select the Kaspersky Disk Encryption technology and follow the link to configure the settings.
The encryption settings open.
In the Password settings section, select the Use Single Sign-On (SSO) technology check box.
Click OK.

For Single Sign-On to work, the Windows account password and the password for the Authentication Agent account must match. If the passwords do not match, the user needs to perform the authentication procedure twice: in the interface of the Authentication Agent and before loading the operating system. After that, Kaspersky Endpoint Security replaces the password of the Authentication Agent account with the password of the Windows account.

Page top

[Topic 194443]

Managing Authentication Agent accounts

Authentication Agent is needed for working with drives that are protected using Kaspersky Disk Encryption (FDE) technology. Before the operating system is loaded, the user needs to complete authentication with the Agent. The Manage Authentication Agent accounts task is designed for configuring user authentication settings. You can use local tasks for individual computers as well as group tasks for computers from separate administration groups or a selection of computers.

You cannot configure a schedule for starting the Manage Authentication Agent accounts task. It is also impossible to forcibly stop a task.

How to create the Manage Authentication Agent accounts task in the Administration Console (MMC)

In the Administration Console, go to the folder Administration Server → Tasks.
The list of tasks opens.
Click the New task button.

The Task Wizard starts. Follow the instructions of the Wizard.

Step 1. Selecting task type

Select Kaspersky Endpoint Security for Windows (11.6.0) → Manage Authentication Agent accounts.

Step 2. Selecting an Authentication Agent account management command

Generate a list of Authentication Agent account management commands. Management commands allow you to add, modify, and delete Authentication Agent accounts (see instructions below). Only users who have an Authentication Agent account can complete the authentication procedure, load the operating system, and gain access to the encrypted drive.

Step 3. Selecting the devices to which the task will be assigned

Select the computers on which the task will be performed. The following options are available:

Assign the task to an administration group. In this case, the task is assigned to computers included in a previously created administration group.
Select computers detected by the Administration Server in the network: unassigned devices. The specific devices can include devices in administration groups as well as unassigned devices.
Specify device addresses manually, or import addresses from a list. You can specify NetBIOS names, IP addresses, and IP subnets of devices to which you want to assign the task.

Step 4. Defining the task name

Enter a name for the task, for example, Administrator Accounts.

Step 5. Completing task creation

Exit the Wizard. If necessary, select the Run task after Wizard finishes check box. You can monitor the progress of the task in the task properties.

As a result, after the task is completed at the next computer startup, the new user can complete the authentication procedure, load the operating system, and gain access to the encrypted drive.

How to create the Manage Authentication Agent accounts task in the Web Console

In the main window of Web Console, select Devices → Tasks.
The list of tasks opens.
Click the Add button.

The Task Wizard starts. Follow the instructions of the Wizard.

Step 1. Configuring general task settings

Configure the general task settings:

In the Application drop-down list, select Kaspersky Endpoint Security for Windows (11.6.0).
In the Task type drop-down list, select Manage Authentication Agent accounts.
In the Task name field, enter a brief description, such as Administrator accounts.
In the Select devices to which the task will be assigned section, select the task scope.

Step 2. Managing Authentication Agent accounts

Step 3. Completing task creation

Finish the wizard by clicking the Finish button. A new task will be displayed in the list of tasks.

To run a task, select the check box opposite the task and click the Start button.

As a result, after the task is completed at the next computer startup, the new user can complete the authentication procedure, load the operating system, and gain access to the encrypted drive.

To add an Authentication Agent account, you need to add a special command to the Manage Authentication Agent accounts task. It is convenient to use a group task, for example, to add an administrator account to all computers.

Kaspersky Endpoint Security allows you to automatically create Authentication Agent accounts before encrypting a drive. You can enable automatic creation of Authentication Agent accounts in the Full Disk Encryption policy settings. You can also use Single Sign-On (SSO) technology.

How to add an Authentication Agent account through the Administration Console (MMC)

Open the properties of the Manage Authentication Agent accounts task.
In the task properties, select the Options section.
Click Add → Account adding command.
In the window that opens, in the Windows account field, specify the name of the Microsoft Windows account that will be used to create the Authentication Agent account.
If you manually entered the Windows account name, click the Allow button to define the account security identifier (SID).
If you choose not to determine the security identifier (SID) by clicking the Allow button, it will be determined when the task is performed on the computer.

Defining a Windows account security identifier is necessary to verify that the Windows account name was entered correctly. If the Windows account does not exist on the computer or in the trusted domain, the Manage Authentication Agent accounts task will end with an error.
Select the Replace existing account check box if you want the existing account previously created for the Authentication Agent to be replaced with the account being created.
This step is available when you are adding an Authentication Agent account creation command in the properties of a group task for managing Authentication Agent accounts. This step is not available if you add a command for creating Authentication Agent account in the properties of the Full Disk Encryption, account management local task.
In the User name field, type the name of the Authentication Agent account that must be entered during authentication for access to encrypted hard drives.
Select the Allow password-based authentication check box if you want the application to prompt the user to enter the Authentication Agent account password during authentication for accessing encrypted hard drives. Set a password for the Authentication Agent account. If necessary, you can request a new password from the user after the first authentication.
Select the Allow certificate-based authentication check box if you want the application to prompt the user to connect a token or smart card to the computer during authentication for accessing encrypted hard drives. Select a certificate file for authentication with a smart card or token.
If required, in the Command description field, enter the Authentication Agent account details that you need for managing the command.
Do one of the following:
- Select the Allow authentication option if you want the application to allow the user working under the account specified in the command to access the authentication dialog in Authentication Agent.
- Select the Block authentication option if you want the application to block the user working under the account specified in the command from accessing the authentication dialog in Authentication Agent.
Save your changes.

How to add an Authentication Agent account through the Web Console

In the main window of Web Console, select Devices → Tasks.
The list of tasks opens.
Click the Manage Authentication Agent accounts task of Kaspersky Endpoint Security.
The task properties window opens.
Select the Application settings tab.
In the list of Authentication Agent accounts, click the Add button.
This starts the Authentication Agent Account Management Wizard.
Select the Add account command type.
Select a user account. You can select an account from the list of domain accounts or manually enter the account name. Click the Next button.
Kaspersky Endpoint Security determines the account security identifier (SID). This is necessary to verify the account. If you entered the user name incorrectly, Kaspersky Endpoint Security will end the task with an error.
Configure the Authentication Agent account settings.
- Create a new Authentication Agent account to replace the existing account. Kaspersky Endpoint Security scans existing accounts on the computer. If the user security ID on the computer and in the task match, Kaspersky Endpoint Security will change the user account settings in accordance with the task.
- User name. The default user name of the Authentication Agent account corresponds to the domain name of the user.
- Allow password-based authentication. Set a password for the Authentication Agent account. If necessary, you can request a new password from the user after the first authentication. This way, each user will have their own unique password. You can also set password strength requirements for the Authentication Agent account in the policy.
- Allow certificate-based authentication. Select a certificate file for authentication with a smart card or token. This way, the user will need to enter the password for the smart card or token.
- Account access to encrypted data. Configure user access to the encrypted drive. You can, for example, temporarily disable user authentication instead of deleting the Authentication Agent account.
- Comment. Enter an account description, if necessary.
Save your changes.
Select the check box next to the task and click the Start button.

As a result, after the task is completed at the next computer startup, the new user can complete the authentication procedure, load the operating system, and gain access to the encrypted drive.

To change the password and other settings of the Authentication Agent account, you need to add a special command to the Manage Authentication Agent accounts task. It is convenient to use a group task, for example, to replace the administrator token certificate on all computers.

How to change the Authentication Agent account through the Administration Console (MMC)

Open the properties of the Manage Authentication Agent accounts task.
In the task properties, select the Options section.
Click Add → Account editing command.
In the window that opens, in the Windows account field, specify the name of the Microsoft Windows user account that you want to change.
If you manually entered the Windows account name, click the Allow button to define the account security identifier (SID).
If you choose not to determine the security identifier (SID) by clicking the Allow button, it will be determined when the task is performed on the computer.

Defining a Windows account security identifier is necessary to verify that the Windows account name was entered correctly. If the Windows account does not exist on the computer or in the trusted domain, the Manage Authentication Agent accounts task will end with an error.
Select the Change user name check box and enter a new name for the Authentication Agent account if you want Kaspersky Endpoint Security to change the user name for all Authentication Agent accounts created using the Microsoft Windows account with the name indicated in the Windows account field to the name typed in the field below.
Select the Modify password-based authentication settings check box to make password-based authentication settings editable.
Select the Allow password-based authentication check box if you want the application to prompt the user to enter the Authentication Agent account password during authentication for accessing encrypted hard drives. Set a password for the Authentication Agent account.
Select the Edit the rule of password change upon authentication in Authentication Agent check box if you want Kaspersky Endpoint Security to change the value of the password change setting for all Authentication Agent accounts created using the Microsoft Windows account with the name indicated in the Windows account field to the setting value specified below.
Specify the value of the password change setting upon authentication in Authentication Agent.
Select the Modify certificate-based authentication settings check box to make settings of authentication based on the electronic certificate of a token or smart card editable.
Select the Allow certificate-based authentication check box if you want the application to prompt the user to enter the password to the token or smart card connected to the computer during the authentication process in order to access encrypted hard drives. Select a certificate file for authentication with a smart card or token.
Select the Edit command description check box and edit the command description if you want Kaspersky Endpoint Security to change the command description for all Authentication Agent accounts created using the Microsoft Windows account with the name indicated in the Windows account field.
Select the Edit the rule of access to authentication in Authentication Agent check box if you want Kaspersky Endpoint Security to change the rule for user access to the authentication dialog in Authentication Agent to the value specified below for all Authentication Agent accounts created using the Microsoft Windows account with the name indicated in the Windows account field.
Specify the rule for accessing the authentication dialog in Authentication Agent.
Save your changes.

How to change the Authentication Agent account through the Web Console

In the main window of Web Console, select Devices → Tasks.
The list of tasks opens.
Click the Manage Authentication Agent accounts task of Kaspersky Endpoint Security.
The task properties window opens.
Select the Application settings tab.
In the list of Authentication Agent accounts, click the Add button.
This starts the Authentication Agent Account Management Wizard.
Select the Edit account command type.
Select a user account. You can select an account from the list of domain accounts or manually enter the account name. Click the Next button.
Kaspersky Endpoint Security determines the account security identifier (SID). This is necessary to verify the account. If you entered the user name incorrectly, Kaspersky Endpoint Security will end the task with an error.
Select the check boxes next to the settings that you want to edit.
Configure the Authentication Agent account settings.
- Create a new Authentication Agent account to replace the existing account. Kaspersky Endpoint Security scans existing accounts on the computer. If the user security ID on the computer and in the task match, Kaspersky Endpoint Security will change the user account settings in accordance with the task.
- User name. The default user name of the Authentication Agent account corresponds to the domain name of the user.
- Allow password-based authentication. Set a password for the Authentication Agent account. If necessary, you can request a new password from the user after the first authentication. This way, each user will have their own unique password. You can also set password strength requirements for the Authentication Agent account in the policy.
- Allow certificate-based authentication. Select a certificate file for authentication with a smart card or token. This way, the user will need to enter the password for the smart card or token.
- Account access to encrypted data. Configure user access to the encrypted drive. You can, for example, temporarily disable user authentication instead of deleting the Authentication Agent account.
- Comment. Enter an account description, if necessary.
Save your changes.
Select the check box next to the task and click the Start button.

To delete an Authentication Agent account, you need to add a special command to the Manage Authentication Agent accounts task. It is convenient to use a group task, for example, to delete the account of a dismissed employee.

How to delete an Authentication Agent account through the Administration Console (MMC)

Open the properties of the Manage Authentication Agent accounts task.
In the task properties, select the Options section.
Click Add → Account deletion command.
In the window that opens, in the Windows account field, specify the name of the Windows user account that was used to create the Authentication Agent account that you want to delete.
If you manually entered the Windows account name, click the Allow button to define the account security identifier (SID).
If you choose not to determine the security identifier (SID) by clicking the Allow button, it will be determined when the task is performed on the computer.

Defining a Windows account security identifier is necessary to verify that the Windows account name was entered correctly. If the Windows account does not exist on the computer or in the trusted domain, the Manage Authentication Agent accounts task will end with an error.
Save your changes.

How to delete an Authentication Agent account through the Web Console

In the main window of Web Console, select Devices → Tasks.
The list of tasks opens.
Click the Manage Authentication Agent accounts task of Kaspersky Endpoint Security.
The task properties window opens.
Select the Application settings tab.
In the list of Authentication Agent accounts, click the Add button.
This starts the Authentication Agent Account Management Wizard.
Select the Remove account command type.
Select a user account. You can select an account from the list of domain accounts or manually enter the account name.
Save your changes.
Select the check box next to the task and click the Start button.

As a result, after the task is completed at the next computer startup, the user will not be able to complete the authentication procedure and load the operating system. Kaspersky Endpoint Security will deny access to encrypted data.

To view the list of users who can complete authentication with the Agent and load the operating system, you need to go to the properties of the managed computer.

How to view the list of Authentication Agent accounts through the Administration Console (MMC)

Open the Kaspersky Security Center Administration Console.
In the Managed devices folder in the Administration Console tree, open the folder with the name of the administration group to which the relevant client computers belong.
In the workspace, select the Devices tab.
Double-click to open the computer properties window.
In the computer properties window, select the Tasks section.
The list of local tasks opens.
Select the Manage Authentication Agent accounts task.
In the task properties, select the Options section.

As a result, you will be able to access a list of Authentication Agent accounts on this computer. Only users from the list can complete authentication with the Agent and load the operating system.

How to view a list of Authentication Agent accounts through the Web Console

In the main window of Web Console, select Devices → Managed devices.
Click the name of the computer on which you want to view the list of Authentication Agent accounts.
This opens the computer properties.
In the computer properties window, select the Tasks section.
The list of local tasks opens.
Select the Manage Authentication Agent accounts task.
In the task properties, select the Application Settings tab.

As a result, you will be able to access a list of Authentication Agent accounts on this computer. Only users from the list can complete authentication with the Agent and load the operating system.

Page top

[Topic 133615]

Using a token and smart card with Authentication Agent

A token or smart card can be used for authentication when accessing encrypted hard drives. To do so, you must add the electronic certificate file of a token or smart card to the Manage Authentication Agent accounts task.

Use of a token or smart card is available only if the computer hard drives were encrypted using the AES256 encryption algorithm. If the computer hard drives were encrypted using the AES56 encryption algorithm, addition of the electronic certificate file to the command will be denied.

Kaspersky Endpoint Security supports the following tokens, smart card readers, and smart cards:

SafeNet eToken PRO 64K (4.2b)
SafeNet eToken PRO 72K Java
SafeNet eToken 4100-72K (Java)
SafeNet eToken 5100
SafeNet eToken 5105
SafeNet eToken 7300
EMC RSA SID 800
Gemalto IDPrime.NET 510
Gemalto IDPrime.NET 511
Rutoken ECP
Rutoken ECP Flash
Aladdin-RD JaCarta PKI
Athena IDProtect Laser
SafeNet eToken PRO 72K Java
Aladdin-RD JaCarta PKI

To add the file of a token or smart card electronic certificate to the command for creating an Authentication Agent account, you must first save the file using third-party software for managing certificates.

The token or smart-card certificate must have the following properties:

The certificate must be compliant with the X.509 standard, and the certificate file must have DER encoding.
The certificate contains an RSA key with a length of at least 1024 bits.

If the electronic certificate of the token or smart card does not meet these requirements, you cannot load the certificate file into the command for creating an Authentication Agent account.

The KeyUsage parameter of the certificate must have the value keyEncipherment or dataEncipherment. The KeyUsage parameter determines the purpose of the certificate. If the parameter has a different value, Kaspersky Security Center will download the certificate file but will display a warning.

If a user has lost a token or smart card, the administrator must add the file of a token or smart card electronic certificate to the command for creating an Authentication Agent account. Then the user must complete the procedure for receiving access to encrypted devices or restoring data on encrypted devices.

Page top

[Topic 123498]

Hard drive decryption

You can decrypt hard drives even if there is no active license permitting data encryption.

To decrypt hard drives:

Open the Kaspersky Security Center Administration Console.
In the Managed devices folder in the Administration Console tree, open the folder with the name of the administration group to which the relevant client computers belong.
In the workspace, select the Policies tab.
Select the necessary policy and double-click to open the policy properties.
In the policy window, select Data Encryption → Full Disk Encryption.
In the Encryption technology drop-down list, select the technology with which the hard drives were encrypted.
Do one of the following:
- In the Encryption mode drop-down list, select the Decrypt all hard drives option if you want to decrypt all encrypted hard drives.
- Add the encrypted hard drives that you want to decrypt to the Do not encrypt the following hard drives table.
  This option is available only for Kaspersky Disk Encryption technology.
Save your changes.

You can use the Encryption Monitor tool to control the disk encryption or decryption process on a user's computer. You can run the Encryption Monitor tool from the main application window.

If the user shuts down or restarts the computer during decryption of hard drives that were encrypted using Kaspersky Disk Encryption technology, the Authentication Agent loads before the next startup of the operating system. Kaspersky Endpoint Security resumes hard drive decryption after successful authentication in the authentication agent and operating system startup.

If the operating system switches to hibernation mode during decryption of hard drives that were encrypted using Kaspersky Disk Encryption technology, Authentication Agent loads when the operating system comes out of hibernation mode. Kaspersky Endpoint Security resumes hard drive decryption after successful authentication in the authentication agent and operating system startup. After hard drive decryption, hibernation mode is unavailable until the first reboot of the operating system.

If the operating system goes into sleep mode during hard drive decryption, Kaspersky Endpoint Security resumes hard drive decryption when the operating system comes out of sleep mode without loading the Authentication Agent.

Page top

[Topic 128090]

Restoring access to a drive protected by Kaspersky Disk Encryption technology

If a user has forgotten the password for accessing a hard drive protected by Kaspersky Disk Encryption technology, you need to start the recovery procedure (Request-Response).

Restoring access to the system hard drive

Restoring access to a system hard drive protected by Kaspersky Disk Encryption technology consists of the following steps:

The user reports the request blocks to the administrator (see the figure below).
The administrator enters the request blocks into Kaspersky Security Center, receives the response blocks and reports the response blocks to the user.
The user enters the response blocks in the Authentication Agent interface and obtains access to the hard drive.

Restoring access to a system hard drive protected by Kaspersky Disk Encryption technology

To start the recovery procedure, the user needs to click the Forgot your password button in the Authentication Agent interface.

How to obtain response blocks for a system hard drive protected by Kaspersky Disk Encryption technology in the Administration Console (MMC)

Open the Kaspersky Security Center Administration Console.
In the Managed devices folder in the Administration Console tree, open the folder with the name of the administration group to which the relevant client computers belong.
In the workspace, select the Devices tab.
On the Devices tab, select the computer of the user requesting access to encrypted data and right-click to open the context menu.
In the context menu, select Grant access in offline mode.
In the window that opens, select the Authentication Agent tab.
In the Encryption algorithm in use section, select an encryption algorithm: AES56 or AES256.
The data encryption algorithm depends on the AES encryption library that is included in the distribution package: Strong encryption (AES256) or Lite encryption (AES56). The AES encryption library is installed together with the application.
In the Account drop-down list, select the name of the Authentication Agent account of the user who requested recovery of access to the drive.
In the Hard drive drop-down list, select the encrypted hard drive for which you need to recover access.
In the User request section enter the blocks of request dictated by the user.

As a result, the contents of the blocks of the response to the user's request for recovery of the user name and password of an Authentication Agent account will be displayed in the Access key field. Convey the contents of the response blocks to the user.

How to obtain response blocks for a system hard drive protected by Kaspersky Disk Encryption technology in the Web Console

In the main window of Web Console, select Devices → Managed devices.
Select the check box next to the name of the computer whose drive you want to restore access to.
Click the Share this device offline button.
In the window that opens, select the Authentication Agent section.
In the Account drop-down list, select the name of the Authentication Agent account created for the user who is requesting recovery of the Authentication Agent account name and password.
Enter the request blocks conveyed by the user.

The contents of the blocks of the response to the user's request for recovery of the user name and password of the Authentication Agent account will be displayed at the bottom of the window. Convey the contents of the response blocks to the user.

After completing the recovery procedure, the Authentication Agent will prompt the user to change the password.

Restoring access to a non-system hard drive

Restoring access to a non-system hard drive protected by Kaspersky Disk Encryption technology consists of the following steps:

The user sends a request access file to the administrator.
The administrator adds the request access file to Kaspersky Security Center, creates an access key file and sends the file to the user.
The user adds the access key file to Kaspersky Endpoint Security and obtains access to the hard drive.

To start the recovery procedure, the user needs to attempt to access a hard drive. As a result, Kaspersky Endpoint Security will create a request access file (a file with the KESDC extension), which the user needs to send to the administrator, for example, by email.

How to obtain an access key file for an encrypted non-system hard drive in the Administration Console (MMC)

Open the Kaspersky Security Center Administration Console.
In the Managed devices folder in the Administration Console tree, open the folder with the name of the administration group to which the relevant client computers belong.
In the workspace, select the Devices tab.
On the Devices tab, select the computer of the user requesting access to encrypted data and right-click to open the context menu.
In the context menu, select Grant access in offline mode.
In the window that opens, select the Data Encryption tab.
On the Data Encryption tab, click the Browse button.
In the window for selecting a request access file, specify the path to the file received from the user.

You will see information about the user's request. Kaspersky Security Center generates a key file. Email the generated encrypted data access key file to the user. Or save the access file and use any available method to transfer the file.

How to obtain an encrypted non-system hard drive access key file in the Web Console

In the main window of Web Console, select Devices → Managed devices.
Select the check box next to the name of the computer whose data you want to restore access to.
Click the Share this device offline button.
Select the Data Encryption section.
Click the Select file button and select the request access file that you received from the user (a file with the KESDC extension).
The Web Console will display information about the request. This will include the name of the computer on which the user is requesting access to the file.
Click the Save key button and select a folder to save the encrypted data access key file (a file with the KESDR extension).

As a result, you will be able to obtain the encrypted data access key, which you will need to transfer to the user.

Page top

[Topic 188902]

Updating the operating system

There are a number of special considerations for updating the operating system of a computer that is protected by Full Disk Encryption (FDE). Update the operating system as follows: first update the OS on one computer, then update the OS on a small portion of the computers, then update the OS on all computers of the network.

If you are using Kaspersky Disk Encryption technology, Authentication Agent is loaded before the operating system is started. Using Authentication Agent, the user can sign in to the system and receive access to encrypted drives. Then the operating system begins loading.

If you start an update of the operating system on a computer that is protected using Kaspersky Disk Encryption technology, the OS Update Wizard will remove Authentication Agent. As a result, the computer can be locked because the OS loader will not be able to access the encrypted drive.

For details about safely updating the operating system, please refer to the Technical Support Knowledge Base.

Automatic updating of the operating system is available under the following conditions:

The operating system is updated through WSUS (Windows Server Update Services).
Windows 10 version 1607 (RS1) or later is installed on the computer.
Kaspersky Endpoint Security version 11.2.0 or later is installed on the computer.

If all the conditions are met, you can update the operating system in the usual way.

If you are using Kaspersky Disk Encryption (FDE) technology and Kaspersky Endpoint Security for Windows version 11.1.0 or 11.1.1 is installed on the computer, you do not need to decrypt the hard drives to update Windows 10.

To update the operating system, you need to do the following:

Prior to updating the system, copy the drivers named cm_km.inf, cm_km.sys, klfde.cat, klfde.inf, klfde.sys, klfdefsf.cat, klfdefsf.inf, and klfdefsf.sys to a local folder. For example, C:\fde_drivers.
Run the system update installation with the /ReflectDrivers switch and specify the folder containing the saved drivers:
setup.exe /ReflectDrivers C:\fde_drivers

If you are using BitLocker Drive Encryption technology, you do not need to decrypt the hard drives to update Windows 10. For more details on BitLocker, please visit the Microsoft website.

Page top

[Topic 179327]

Eliminating errors of encryption functionality update

Full Disk Encryption is updated when a previous version of the application is upgraded to Kaspersky Endpoint Security for Windows 11.6.0.

When starting update of the Full Disk Encryption functionality the following errors may occur:

Unable to initialize update.
Device is incompatible with Authentication Agent.

To eliminate errors that occurred when you start update process of the Full Disk Encryption functionality in the new application version:

Decrypt hard drives.
Encrypt hard drives once again.

During update of the Full Disk Encryption functionality the following errors may occur:

Unable to complete the update.
Full Disk Encryption upgrade rollback completed with an error.

To eliminate errors that occurred during update process of the Full Disk Encryption functionality,

restore access to encrypted devices using Restore Utility.

Page top

[Topic 128771]

Selecting the Authentication Agent tracing level

The application logs service information about the operation of the Authentication Agent and information about the user's operations with the Authentication Agent in the trace file.

To select the Authentication Agent tracing level:

As soon as a computer with encrypted hard drives starts, press the F3 button to call up a window for configuring Authentication Agent settings.
Select the tracing level in the Authentication Agent settings window:
- Disable debug logging (default). If this option is selected, the application does not log information about Authentication Agent events in the trace file.
- Enable debug logging. If this option is selected, the application logs information about the operation of the Authentication Agent and the user operations performed with the Authentication Agent in the trace file.
- Enable verbose logging. If this option is selected, the application logs detailed information about the operation of the Authentication Agent and the user operations performed with the Authentication Agent in the trace file.
  The level of detail of entries under this option is higher compared to the level of the Enable debug logging option. A high level of detail of entries can slow down the startup of the Authentication Agent and the operating system.
- Enable debug logging and select serial port. If this option is selected, the application logs information about the operation of the Authentication Agent and the user operations performed with the Authentication Agent in the trace file, and relays it via the COM port.
  If a computer with encrypted hard drives is connected to another computer via the COM port, Authentication Agent events can be examined from this other computer.
- Enable verbose debug logging and select serial port. If this option is selected, the application logs detailed information about the operation of the Authentication Agent and the user operations performed with the Authentication Agent in the trace file, and relays it via the COM port.
  The level of detail of entries under this option is higher compared to the level of the Enable debug logging and select serial port option. A high level of detail of entries can slow down the startup of the Authentication Agent and the operating system.

Data is recorded in the Authentication Agent trace file if there are encrypted hard drives on the computer or during full disk encryption.

The Authentication Agent trace file is not sent to Kaspersky, unlike other trace files of the application. If necessary, you can manually send the Authentication Agent trace file to Kaspersky for analysis.

Page top

[Topic 123495]

Editing Authentication Agent help texts

Before editing help messages of the Authentication Agent, please review the list of supported characters in a preboot environment (see below).

To edit Authentication Agent help messages:

Open the Kaspersky Security Center Administration Console.
In the Managed devices folder in the Administration Console tree, open the folder with the name of the administration group to which the relevant client computers belong.
In the workspace, select the Policies tab.
Select the necessary policy and double-click to open the policy properties.
In the policy window, select Data Encryption → Common Encryption Settings.
In the Templates section, click the Help button.
This opens the Authentication Agent help messages window.
Do the following:
- Select the Authentication tab to edit the help text shown in the Authentication Agent window when account credentials are being entered.
- Select the Change password tab to edit the help text shown in the Authentication Agent window when the password for the Authentication Agent account is being changed.
- Select the Recover password tab to edit the help text shown in the Authentication Agent window when the password for the Authentication Agent account is being recovered.
Edit help messages.
If you want to restore the original text, click the By default button.

You can enter help text containing 16 lines or less. The maximum length of a line is 64 characters.
Save your changes.

Limited support for characters in Authentication Agent help messages

In a preboot environment, the following Unicode characters are supported:

Basic Latin alphabet (0000 - 007F)
Additional Latin-1 characters (0080 - 00FF)
Extended Latin-A (0100 - 017F)
Extended Latin-B (0180 - 024F)
Uncombined extended ID characters (02B0 - 02FF)
Combined diacritical marks (0300 - 036F)
Greek and Coptic alphabets (0370 - 03FF)
Cyrillic (0400 - 04FF)
Hebrew (0590 - 05FF)
Arabic script (0600 - 06FF)
Additional extended Latin (1E00 - 1EFF)
Punctuation marks (2000 - 206F)
Currency symbols (20A0 - 20CF)
Letter-like symbols (2100 - 214F)
Geometric figures (25A0 - 25FF)
Presentation forms of Arabic script-B (FE70 - FEFF)

Characters that are not specified in this list are not supported in a preboot environment. It is not recommended to use such characters in Authentication Agent help messages.

Page top

[Topic 128199]

Removing leftover objects and data after testing the operation of Authentication Agent

During application uninstallation, if Kaspersky Endpoint Security detects objects and data that remained on the system hard drive after test operation of Authentication Agent, application uninstallation is interrupted and becomes impossible until such objects and data are removed.

Objects and data may remain on the system hard drive after test operation of Authentication Agent only in exceptional cases. For example, this can happen if the computer has not been restarted after a Kaspersky Security Center policy with encryption settings was applied, or if the application fails to start after test operation of Authentication Agent.

You can remove objects and data that remained on the system hard drive after test operation of Authentication Agent in the following ways:

Using the Kaspersky Security Center policy.
using Restore Utility.

To use a Kaspersky Security Center policy to remove objects and data that remained after test operation of Authentication Agent:

Apply to the computer a Kaspersky Security Center policy with settings configured to decrypt all computer hard drives.
Start Kaspersky Endpoint Security.

To remove information about application incompatibility with Authentication Agent,

type the avp pbatestreset command in the command line.

Page top

[Topic 196002]

BitLocker Management

BitLocker is an encryption technology built into Windows operating systems. Kaspersky Endpoint Security allows you to control and manage Bitlocker using Kaspersky Security Center. BitLocker encrypts logical volumes. BitLocker cannot be used for encryption of removable drives. For more details on BitLocker, refer to Microsoft documentation.

BitLocker provides secure storage of access keys using a trusted platform module. A Trusted Platform Module (TPM) is a microchip developed to provide basic functions related to security (for example, to store encryption keys). A Trusted Platform Module is usually installed on the computer motherboard and interacts with all other system components via the hardware bus. Using TPM is the safest way to store BitLocker access keys, since TPM provides pre-startup system integrity verification. You can still encrypt drives on a computer without a TPM. In this case, the access key will be encrypted with a password. BitLocker uses the following authentication methods:

TPM.
TPM and PIN.
Password.

After encrypting a drive, BitLocker creates a master key. Kaspersky Endpoint Security sends the master key to Kaspersky Security Center so that you can restore access to the disk, for example, if a user has forgotten the password.

If a user encrypts a disk using BitLocker, Kaspersky Endpoint Security will send information about disk encryption to Kaspersky Security Center. However, Kaspersky Endpoint Security will not send the master key to Kaspersky Security Center, so it will be impossible to restore access to the disk using Kaspersky Security Center. For BitLocker to work correctly with Kaspersky Security Center, decrypt the drive and re-encrypt the drive using a policy. You can decrypt a drive locally or using a policy.

After encrypting the system hard drive, the user needs to go through BitLocker authentication to boot the operating system. After the authentication procedure, BitLocker will allow for users to log in. BitLocker does not support single sign-on technology (SSO).

If you are using Windows group policies, turn off BitLocker management in the policy settings. Windows policy settings may conflict with Kaspersky Endpoint Security policy settings. When encrypting a drive, errors may occur.

In this section

Starting BitLocker Drive Encryption

Decrypting a hard drive protected by BitLocker

Restoring access to a drive protected by BitLocker

Pausing BitLocker protection to update software

Page top

[Topic 130689]

Starting BitLocker Drive Encryption

To use BitLocker Drive Encryption on computers running Windows operating systems for servers, installing the BitLocker Drive Encryption component may be required. Install the component using the operating system tools (Add Roles and Components Wizard). For more information about installing BitLocker Drive Encryption, refer to the Microsoft documentation.

How to run BitLocker Drive Encryption through the Administration Console (MMC)

Open the Kaspersky Security Center Administration Console.
In the Managed devices folder in the Administration Console tree, open the folder with the name of the administration group to which the relevant client computers belong.
In the workspace, select the Policies tab.
Select the necessary policy and double-click to open the policy properties.
In the policy window, select Data Encryption → Full Disk Encryption.
In the Encryption technology drop-down list, select BitLocker Drive Encryption.
In the Encryption mode drop-down list, select Encrypt all hard drives.
If the computer has several operating systems installed, after encryption you will be able to load only the operating system in which the encryption was performed.
Configure advanced BitLocker Drive Encryption options (see table below).
Save your changes.

How to run BitLocker Drive Encryption through the Web Console and Cloud Console

In the main window of Web Console, select Devices → Policies and profiles.
Click the name of Kaspersky Endpoint Security policy for the computers for which you want to start BitLocker Drive Encryption.
The policy properties window opens.
Select the Application settings tab.
Go to Data Encryption → Full Disk Encryption.
In the Manage encryption section, select BitLocker Drive Encryption.
Click the BitLocker Drive Encryption link.
This opens the Bitlocker Drive Encryption settings window.
In the Encryption mode drop-down list, select Encrypt all hard drives.
If the computer has several operating systems installed, after encryption you will be able to load only the operating system in which the encryption was performed.
Configure advanced BitLocker Drive Encryption options (see table below).
Click OK.

You can use the Encryption Monitor tool to control the disk encryption or decryption process on a user's computer. You can run the Encryption Monitor tool from the main application window.

After the policy is applied, the application will display the following queries, depending on the authentication settings:

TPM only. No user input required. The disk will be encrypted when the computer restarts.
TPM + PIN / Password. If a TPM module is available, a PIN code prompt window appears. If a TPM module is not available, you will see a password prompt window for preboot authentication.
Password only. You will see a password prompt window for preboot authentication.

If the Federal Information Processing standard compatibility mode is enabled for computer operating system, then in Windows 8 and earlier versions of operating system, a request for connecting a storage device is displayed to save the recovery key file. You can save multiple recovery key files on a single storage device.

After setting a password or a PIN, BitLocker will ask you to restart your computer to complete the encryption. Next, the user needs to go through the BitLocker authentication procedure. After the authentication procedure, the user must log on to the system. After the operating system has loaded, BitLocker will complete the encryption.

If there is no access to encryption keys, the user may request the local network administrator to provide a recovery key (if the recovery key was not saved earlier on the storage device or was lost).

BitLocker Drive Encryption component settings

Parameter	Description
Enable use of BitLocker authentication requiring preboot keyboard input on slates	This check box enables / disables the use of authentication requiring data input in a preboot environment, even if the platform does not have the capability for preboot input (for example, with touchscreen keyboards on tablets). The touchscreen of tablet computers is not available in the preboot environment. To complete BitLocker authentication on tablet computers, the user must connect a USB keyboard, for example. If the check box is selected, use of authentication requiring preboot input is allowed. It is recommended to use this setting only for devices that have alternative data input tools in a preboot environment, such as a USB keyboard in addition to touchscreen keyboards. If the check box is cleared, BitLocker Drive Encryption is not possible on tablets.
Use hardware encryption (Windows 8 and later versions)	If the check box is selected, the application applies hardware encryption. This lets you increase the speed of encryption and use less computer resources.
Encrypt used disk space only (Windows 8 and later versions)	This check box enables / disables the option that limits the encryption area to only occupied hard drive sectors. This limit lets you reduce encryption time. Enabling or disabling the Encrypt used disk space only (reduces encryption time) feature after starting encryption does not modify this setting until the hard drives are decrypted. You must select or clear the check box before starting encryption. If the check box is selected, only portions of the hard drive that are occupied by files are encrypted. Kaspersky Endpoint Security automatically encrypts new data as it is added. If the check box is cleared, the entire hard drive is encrypted, including residual fragments of previously deleted and modified files. This option is recommended for new hard drives whose data has not been modified or deleted. If you are applying encryption on a hard drive that is already in use, it is recommended to encrypt the entire hard drive. This ensures protection of all data, even deleted data that is potentially recoverable. This check box is cleared by default.
Authentication settings	Use password (Windows 8 and later versions) If this option is selected, Kaspersky Endpoint Security prompts the user for a password when the user attempts to access an encrypted drive. This option can be selected when a Trusted Platform Module (TPM) is not being used. Use Trusted Platform Module (TPM) If this option is selected, BitLocker uses a Trusted Platform Module (TPM). A Trusted Platform Module (TPM) is a microchip developed to provide basic functions related to security (for example, to store encryption keys). A Trusted Platform Module is usually installed on the computer motherboard and interacts with all other system components via the hardware bus. For computers running Windows 7 or Windows Server 2008 R2, only encryption using a TPM module is available. If a TPM module is not installed, BitLocker encryption is not possible. Use of a password on these computers is not supported. A device equipped with a Trusted Platform Module can create encryption keys that can be decrypted only with the device. A Trusted Platform Module encrypts encryption keys with its own root storage key. The root storage key is stored within the Trusted Platform Module. This provides an additional level of protection against attempts to hack encryption keys. This action is selected by default. You can set an additional layer of protection for access to the encryption key, and encrypt the key with a password or a PIN: Use PIN for TPM. If this check box is selected, a user can use of a PIN code to obtain access to an encryption key that is stored in a Trusted Platform Module (TPM). If this check box is cleared, users are prohibited from using PIN codes. To access the encryption key, a user must enter the password. You can allow the user to use enhanced PIN. Enhanced PIN allows using other characters in addition to numerical characters: uppercase and lowercase Latin letters, special characters, and spaces. Use Trusted Platform Module (TPM); if it is unavailable - use password. If the check box is selected, the user can use a password to obtain access to encryption keys when a Trusted Platform Module (TPM) is not available. If the check box is cleared and the TPM is not available, full disk encryption will not start.

Page top

[Topic 196150]

Decrypting a hard drive protected by BitLocker

Users can decrypt a disk using the operating system (the Turn Off BitLocker function). After that, Kaspersky Endpoint Security will prompt the user to encrypt the disk again. Kaspersky Endpoint Security will be prompting to encrypt the disk unless you enable disk decryption in the policy.

How to decrypt a hard drive protected by BitLocker through the Administration Console (MMC)

Open the Kaspersky Security Center Administration Console.
In the Managed devices folder in the Administration Console tree, open the folder with the name of the administration group to which the relevant client computers belong.
In the workspace, select the Policies tab.
Select the necessary policy and double-click to open the policy properties.
In the policy window, select Data Encryption → Full Disk Encryption.
In the Encryption technology drop-down list, select BitLocker Drive Encryption.
In the Encryption mode drop-down list, select Decrypt all hard drives.
Save your changes.

How to decrypt a BitLocker-encrypted hard drive through the Web Console and Cloud Console

In the main window of Web Console, select the Devices → Policies and profiles tab.
Click the name of Kaspersky Endpoint Security policy for the computers for which you want to decrypt hard drives.
The policy properties window opens.
Select the Application settings tab.
Go to Data Encryption → Full Disk Encryption.
Select the BitLocker Drive Encryption technology and follow the link to configure the settings.
The encryption settings open.
In the Encryption mode drop-down list, select Decrypt all hard drives.
Click OK.

You can use the Encryption Monitor tool to control the disk encryption or decryption process on a user's computer. You can run the Encryption Monitor tool from the main application window.

Page top

[Topic 130939]

Restoring access to a drive protected by BitLocker

If a user has forgotten the password for accessing a hard drive encrypted by BitLocker, you need to start the recovery procedure (Request-Response).

If the computer's operating system has Federal Information Processing standard (FIPS) compatibility mode enabled, then in Windows 8 and older the recovery key file is saved to the removable drive before encryption. To restore access to the drive, insert the removable drive and follow the on-screen instructions.

Restoring access to a hard drive encrypted by BitLocker consists of the following steps:

The user tells the administrator the recovery key ID (see the figure below).
The administrator verifies the ID of the recovery key in the computer properties in Kaspersky Security Center. The ID that the user provided must match the ID that is displayed in the computer properties.
If the recovery key IDs match, the administrator provides the user with the recovery key or sends a recovery key file.
A recovery key file is used for computers running the following operating systems:
- Windows 7
- Windows 8
- Windows Server 2008
- Windows Server 2011
- Windows Server 2012
For all other operating systems, a recovery key is used.
The user enters the recovery key and gains access to the hard drive.

Restoring access to a hard drive encrypted by BitLocker

Restoring access to a system drive

To start the recovery procedure, the user needs to press the Esc key at the pre-boot authentication stage.

How to view the recovery key for a system drive encrypted by BitLocker in the Administration Console (MMC)

Open the Kaspersky Security Center Administration Console.
In the Managed devices folder in the Administration Console tree, open the folder with the name of the administration group to which the relevant client computers belong.
In the workspace, select the Devices tab.
On the Devices tab, select the computer of the user requesting access to encrypted data and right-click to open the context menu.
In the context menu, select Grant access in offline mode.
In the window that opens, select the Access to a BitLocker-protected system drive tab.
Prompt the user for the recovery key ID indicated in the BitLocker password input window, and compare it with the ID in the Recovery key ID field.
If the IDs do not match, this key is not valid for restoring access to the specified system drive. Make sure that the name of the selected computer matches the name of the user's computer.

As a result, you will have access to the recovery key or file of the recovery key, which will need to be transferred to the user.

How to view the recovery key for a BitLocker-encrypted system drive in the Web Console and Cloud Console

In the main window of Web Console, select Devices → Managed devices.
Select the check box next to the name of the computer whose drive you want to restore access to.
Click the Share this device offline button.
In the window that opens, select the BitLocker section.
Verify the recovery key ID. The ID provided by the user must match the ID that is displayed in the computer settings.
If the IDs do not match, this key is not valid for restoring access to the specified system drive. Make sure that the name of the selected computer matches the name of the user's computer.
Click the Receive key button.

As a result, you will have access to the recovery key or file of the recovery key, which will need to be transferred to the user.

After the operating system is loaded, Kaspersky Endpoint Security prompts the user to change the password or PIN code. After you set a new password or PIN code, BitLocker will create a new master key and send the key to Kaspersky Security Center. As a result, the recovery key and recovery key file will be updated. If the user has not changed the password, you can use the old recovery key the next time the operating system loads.

Windows 7 computers don't allow changing the password or PIN code. After the recovery key is entered and the operating system is loaded, Kaspersky Endpoint Security won't prompt the user to change the password or PIN code. Thus, it is impossible to set a new password or a PIN code. This issue stems from the peculiarities of the operating system. To continue, you need to re-encrypt the hard drive.

Restoring access to a non-system drive

To start the recovery procedure, the user needs to click the Forgot your password link in the window providing access to the drive. After gaining access to the encrypted drive, the user can enable automatic unlocking of the drive during Windows authentication in the BitLocker settings.

How to view the recovery key for a non-system drive encrypted by BitLocker in the Administration Console (MMC)

Open the Kaspersky Security Center Administration Console.
In the Administration Console tree, select the Additional → Data encryption and protection → Encrypted devices folder.
In the workspace, select the encrypted device for which you want to create an access key file, and select Get access to the device in Kaspersky Endpoint Security for Windows (11.6.0) in the device context menu.
Prompt the user for the recovery key ID indicated in the BitLocker password input window, and compare it with the ID in the Recovery key ID field.
If the IDs do not match, this key is not valid for restoring access to the specified drive. Make sure that the name of the selected computer matches the name of the user's computer.
Send the user the key that is indicated in the Recovery key field.

How to view the recovery key for a BitLocker-encrypted non-system drive in the Web Console and Cloud Console

In the main window of the Web Console, select Operations → Data encryption and protection → Encrypted devices.
Select the check box next to the name of the computer whose drive you want to restore access to.
Click the Share this device offline button.
This starts the Wizard for granting access to a device.
Follow the instructions of the Wizard for granting access to a device:
1. Select the Kaspersky Endpoint Security for Windows plug-in.
2. Verify the recovery key ID. The ID provided by the user must match the ID that is displayed in the computer settings.
  If the IDs do not match, this key is not valid for restoring access to the specified system drive. Make sure that the name of the selected computer matches the name of the user's computer.
3. Click the Receive key button.

As a result, you will have access to the recovery key or file of the recovery key, which will need to be transferred to the user.

Page top

[Topic 57604]

File Level Encryption on local computer drives

File encryption has the following special features:

Kaspersky Endpoint Security encrypts / decrypts files in predefined folders only for local user profiles of the operating system. Kaspersky Endpoint Security does not encrypt or decrypt files in predefined folders of roaming user profiles, mandatory user profiles, temporary user profiles, or redirected folders.
Kaspersky Endpoint Security does not encrypt files whose modification could harm the operating system and installed applications. For example, the following files and folders with all nested folders are on the list of encryption exclusions:
- %WINDIR%;
- %PROGRAMFILES% and %PROGRAMFILES(X86)%;
- Windows registry files.
The list of encryption exclusions cannot be viewed or edited. While files and folders on the list of encryption exclusions can be added to the encryption list, they will not be encrypted during file encryption.

In this section

Encrypting files on local computer drives

Forming encrypted file access rules for applications

Encrypting files that are created or modified by specific applications

Generating a decryption rule

Decrypting files on local computer drives

Creating encrypted packages

Restoring access to encrypted files

Restoring access to encrypted data after operating system failure

Editing templates of encrypted file access messages

Page top

[Topic 123292]

Encrypting files on local computer drives

Kaspersky Endpoint Security does not encrypt files whose contents are located in OneDrive cloud storage, and blocks the encrypted files from copying to OneDrive cloud storage, if these files are not added to decryption rule.

To encrypt files on local drives:

Open the Kaspersky Security Center Administration Console.
In the Managed devices folder in the Administration Console tree, open the folder with the name of the administration group to which the relevant client computers belong.
In the workspace, select the Policies tab.
Select the necessary policy and double-click to open the policy properties.
In the policy window, select Data Encryption → File Level Encryption.
In the right part of the window, select the Encryption tab.
In the Encryption mode drop-down list, select the According to rules item.
On the Encryption tab, click the Add button, and in the drop-down list select one of the following items:
1. Select the Predefined folders item to add files from folders of local user profiles suggested by Kaspersky experts to an encryption rule.
  - Documents. Files in the standard Documents folder of the operating system, and its subfolders.
  - Favorites. Files in the standard Favorites folder of the operating system, and its subfolders.
  - Desktop. Files in the standard Desktop folder of the operating system, and its subfolders.
  - Temporary files. Temporary files related to the operation of applications installed on the computer. For example, Microsoft Office applications create temporary files containing backup copies of documents.
  - Outlook files. Files related to the operation of the Outlook mail client: data files (PST), offline data files (OST), offline address book files (OAB), and personal address book files (PAB).
2. Select the Custom folder item to add a manually entered folder path to an encryption rule.
  When adding a folder path, adhere to the following rules:
  - Use an environment variable (for example, %FOLDER%\UserFolder\). You can use an environment variable only once and only at the beginning of the path.
  - Do not use relative paths. You can use the set \..\ (e.g. C:\Users\..\UserFolder\). The set \..\ denotes the transition to the parent folder.
  - Do not use the * and ? characters.
  - Do not use UNC paths.
  - Use ; or , as a separator character.
3. Select the Files by extension item to add individual file extensions to an encryption rule. Kaspersky Endpoint Security encrypts files with the specified extensions on all local drives of the computer.
4. Select the Files by groups of extensions item to add groups of file extensions to an encryption rule (for example, Microsoft Office Documents). Kaspersky Endpoint Security encrypts files that have the extensions listed in the groups of extensions on all local drives of the computer.
Save your changes.

As soon as the policy is applied, Kaspersky Endpoint Security encrypts the files that are included in the encryption rule and not included in the decryption rule.

File encryption has the following special features:

If the same file is added to both an encryption rule and a decryption rule, then Kaspersky Endpoint Security performs the following actions:
- If the file is not encrypted, Kaspersky Endpoint Security does not encrypt this file.
- If the file is encrypted, Kaspersky Endpoint Security decrypts this file.
Kaspersky Endpoint Security continues to encrypt new files if these files meet the criteria of the encryption rule. For example, when you change the properties of an unencrypted file (path or extension), the file then meets the criteria of the encryption rule. Kaspersky Endpoint Security encrypts this file.
When the user creates a new file whose properties meet the encryption rule criteria, Kaspersky Endpoint Security encrypts the file as soon as it is opened.
Kaspersky Endpoint Security postpones the encryption of open files until they are closed.
If you move an encrypted file to another folder on the local drive, the file remains encrypted regardless of whether or not this folder is included in the encryption rule.
If you decrypt a file and copy it to another local folder that is not included in the decryption rule, a copy of the file may be encrypted. To prevent the copied file from being encrypted, create a decryption rule for the target folder.

Page top

[Topic 123296]

Forming encrypted file access rules for applications

To form encrypted file access rules for applications:

Open the Kaspersky Security Center Administration Console.
In the Managed devices folder in the Administration Console tree, open the folder with the name of the administration group to which the relevant client computers belong.
In the workspace, select the Policies tab.
Select the necessary policy and double-click to open the policy properties.
In the policy window, select Data Encryption → File Level Encryption.
In the Encryption mode drop-down list, select the According to rules item.
Access rules are applied only when in the According to rules mode. After applying access rules in According to rules mode, if you switch to Leave unchanged, mode, Kaspersky Endpoint Security will ignore all access rules. All applications will have access to all encrypted files.
In the right part of the window, select the Rules for applications tab.
If you want to select applications exclusively from the Kaspersky Security Center list, click the Add button and in the drop-down list select the Applications from Kaspersky Security Center list item.
1. Specify the filters to narrow down the list of applications in the table. To do so, specify the values of the Application, Vendor, and Period added parameters, and all check boxes from the Group section.
2. Click the Refresh button.
3. The table lists applications that match the applied filters.
4. In the Applications column, select check boxes opposite the applications for which you want to form encrypted file access rules.
5. In the Rule for applications drop-down list, select the rule that will determine the access of applications to encrypted files.
6. In the Actions for applications that were selected earlier drop-down list, select the action to be taken by Kaspersky Endpoint Security on encrypted file access rules that were previously formed for such applications.
7. Click OK.
The details of an encrypted file access rule for applications appear in the table on the Rules for applications tab.
If you want to manually select applications, click the Add button and in the drop-down list select the Custom applications item.
1. In the entry field, type the name or list of names of executable application files, including their extensions.
  You can also add the names of executable files of applications from the Kaspersky Security Center list by clicking the Add from Kaspersky Security Center list button.
2. If required, in the Description field, enter a description of the list of applications.
3. In the Rule for applications drop-down list, select the rule that will determine the access of applications to encrypted files.
4. Click OK.
The details of an encrypted file access rule for applications appear in the table on the Rules for applications tab.
Save your changes.

Page top

[Topic 134863]

Encrypting files that are created or modified by specific applications

You can create a rule by which Kaspersky Endpoint Security will encrypt all files created or modified by the applications specified in the rule.

Files that were created or modified by the specified applications before the encryption rule was applied will not be encrypted.

To configure encryption of files that are created or modified by specific applications:

Open the Kaspersky Security Center Administration Console.
In the Managed devices folder in the Administration Console tree, open the folder with the name of the administration group to which the relevant client computers belong.
In the workspace, select the Policies tab.
Select the necessary policy and double-click to open the policy properties.
In the policy window, select Data Encryption → File Level Encryption.
In the Encryption mode drop-down list, select the According to rules item.
Encryption rules are applied only in According to rules mode. After applying encryption rules in According to rules mode, if you switch to Leave unchanged, mode, Kaspersky Endpoint Security will ignore all encryption rules. Files that were previously encrypted will remain encrypted.
In the right part of the window, select the Rules for applications tab.
If you want to select applications exclusively from the Kaspersky Security Center list, click the Add button and in the drop-down list select the Applications from Kaspersky Security Center list item.
The Add applications from Kaspersky Security Center list window opens.

Do the following:
1. Specify the filters to narrow down the list of applications in the table. To do so, specify the values of the Application, Vendor, and Period added parameters, and all check boxes from the Group section.
2. Click the Refresh button.
  The table lists applications that match the applied filters.
3. In the Applications column, select the check boxes next to the applications whose created files you want to encrypt.
4. In the Rule for applications drop-down list, select Encrypt all created files.
5. In the Actions for applications that were selected earlier drop-down list, select the action to be taken by Kaspersky Endpoint Security on file encryption rules that were previously formed for such applications.
6. Click OK.
Information about the encryption rule for files created or modified by the selected applications appears in the table on the Rules for applications tab.
If you want to manually select applications, click the Add button and in the drop-down list select the Custom applications item.
The Add / edit names of the executable files of applications window opens.

Do the following:
1. In the entry field, type the name or list of names of executable application files, including their extensions.
  You can also add the names of executable files of applications from the Kaspersky Security Center list by clicking the Add from Kaspersky Security Center list button.
2. If required, in the Description field, enter a description of the list of applications.
3. In the Rule for applications drop-down list, select Encrypt all created files.
4. Click OK.
Information about the encryption rule for files created or modified by the selected applications appears in the table on the Rules for applications tab.
Save your changes.

Page top

[Topic 123295]

Generating a decryption rule

To generate a decryption rule:

Open the Kaspersky Security Center Administration Console.
In the Managed devices folder in the Administration Console tree, open the folder with the name of the administration group to which the relevant client computers belong.
In the workspace, select the Policies tab.
Select the necessary policy and double-click to open the policy properties.
In the policy window, select Data Encryption → File Level Encryption.
In the right part of the window, select the Decryption tab.
In the Encryption mode drop-down list, select the According to rules item.
On the Decryption tab, click the Add button, and in the drop-down list select one of the following items:
1. Select the Predefined folders item to add files from folders of local user profiles suggested by Kaspersky experts to a decryption rule.
2. Select the Custom folder item to add a manually entered folder path to a decryption rule.
3. Select the Files by extension item to add individual file extensions to a decryption rule. Kaspersky Endpoint Security does not encrypt files with the specified extensions on all local drives of the computer.
4. Select the Files by groups of extensions item to add groups of file extensions to a decryption rule (for example, Microsoft Office Documents). Kaspersky Endpoint Security does not encrypt files that have the extensions listed in the groups of extensions on all local drives of the computer.
Save your changes.

If the same file has been added to the encryption rule and the decryption rule, Kaspersky Endpoint Security does not encrypt this file if it is not encrypted, and decrypts the file if it is encrypted.

Page top

[Topic 123294]

Decrypting files on local computer drives

To decrypt files on local drives:

Open the Kaspersky Security Center Administration Console.
In the Managed devices folder in the Administration Console tree, open the folder with the name of the administration group to which the relevant client computers belong.
In the workspace, select the Policies tab.
Select the necessary policy and double-click to open the policy properties.
In the policy window, select Data Encryption → File Level Encryption.
In the right part of the window, select the Encryption tab.
Remove files and folders that you want to decrypt from the encryption list. To do so, select files and select the Delete rule and decrypt files item in the context menu of the Remove button.
You can delete several items from the encryption list at once. To do so, while holding down the CTRL key, select the files you need by left-clicking them and select the Delete rule and decrypt files item in the context menu of the Remove button.

Files and folders removed from the encryption list are automatically added to the decryption list.
Form a file decryption list.
Save your changes.

As soon as the policy is applied, Kaspersky Endpoint Security decrypts encrypted files that are added to the decryption list.

Kaspersky Endpoint Security decrypts encrypted files if their parameters (file path / file name / file extension) change to match the parameters of objects added to the decryption list.

Kaspersky Endpoint Security postpones the decryption of open files until they are closed.

Page top

[Topic 57617]

Creating encrypted packages

To protect your data when sending files to users outside the corporate network, you can use encrypted packages. Encrypted packages can be convenient for transferring large files on removable drives, as email clients have file size restrictions.

Before creating encrypted packages, Kaspersky Endpoint Security will prompt the user for a password. To reliably protect the data, you can enable password strength check and specify password strength requirements. This will prevent users from using short and simple passwords, for example, 1234.

How to enable password strength check when creating encrypted archives in the Administration Console (MMC)

Open the Kaspersky Security Center Administration Console.
In the Managed devices folder in the Administration Console tree, open the folder with the name of the administration group to which the relevant client computers belong.
In the workspace, select the Policies tab.
Select the necessary policy and double-click to open the policy properties.
In the policy window, select Data Encryption → Common Encryption Settings.
In the Password settings block, click the Settings button.
In the window that opens, select the Encrypted packages tab.
Configure password complexity settings when creating encrypted packages.

How to enable password strength check when creating encrypted archives in the Web Console

In the main window of Web Console, select Devices → Policies and profiles.
Click the name of the Kaspersky Endpoint Security policy for the computers on which you want to enable password strength check.
The policy properties window opens.
Select the Application settings tab.
Go to Data Encryption → File Level Encryption.
In the Encrypted package password settings block, configure the password strength criteria required when creating encrypted packages.

You can create encrypted packages on computers with Kaspersky Endpoint Security installed with File Level Encryption available.

When adding a file to the encrypted package whose contents reside in OneDrive cloud storage, Kaspersky Endpoint Security downloads the contents of the file and performs encryption.

To create an encrypted package:

In any file manager, select the files or folders that you want to add to the encrypted package. Right-click to open their context menu.
In the context menu, select New encrypted package (see figure below).
In the window that opens, select a location on a removable drive to save the encrypted package → specify the package name and click the Save button.
In the window that opens, specify the password and confirm it.
The password must meet the complexity criteria specified in the policy.
Click the Create button.

The encrypted package creation process starts. Kaspersky Endpoint Security does not perform file compression when it creates an encrypted package. When the process finishes, a self-extracting password-protected encrypted package (an executable file with .exe extension – ) is created in the selected destination folder.

Creating an encrypted package

To access files in an encrypted package, double-click it to start the Unpacking Wizard, then enter the password. If you forgot or lost your password, it is not possible to recover it and access the files in the encrypted package. You can recreate the encrypted package.

Page top

[Topic 128083]

Restoring access to encrypted files

When files are encrypted, Kaspersky Endpoint Security receives an encryption key required for directly accessing the encrypted files. Using this encryption key, a user working under any Windows user account that was active during file encryption can directly access the encrypted files. Users working under Windows accounts that were inactive during file encryption must connect to Kaspersky Security Center in order to access the encrypted files.

Encrypted files may be inaccessible under the following circumstances:

The user's computer stores encryption keys, but there is no connection with Kaspersky Security Center for managing them. In this case, the user must request access to encrypted files from the LAN administrator.
If access to Kaspersky Security Center does not exist, you must:
- request an access key for access to encrypted files on computer hard drives;
- to access encrypted files that are stored on removable drives, request separate access keys for encrypted files on each removable drive.
Encryption components are deleted from the user's computer. In this event, the user may open encrypted files on local and removable disks but the contents of those files will appear encrypted.
The user may work with encrypted files under the following circumstances:
- Files are placed inside encrypted packages created on a computer with Kaspersky Endpoint Security installed.
- Files are stored on removable drives on which portable mode has been allowed.

To gain access to encrypted files, the user needs to start the recovery procedure (Request-Response).

Recovering access to encrypted files consists of the following steps:

The user sends a request access file to the administrator (see the figure below).
The administrator adds the request access file to Kaspersky Security Center, creates an access key file and sends the file to the user.
The user adds the access key file to Kaspersky Endpoint Security and gains access to the files.

Restoring access to encrypted files

To start the recovery procedure, the user needs to attempt to access a file. As a result, Kaspersky Endpoint Security will create a request access file (a file with the KESDC extension), which the user needs to send to the administrator, for example, by email.

Kaspersky Endpoint Security generates a request access file for access to all encrypted files stored on the computer's drive (local drive or removable drive).

How to obtain an encrypted data access key file in the Administration Console (MMC)

Open the Kaspersky Security Center Administration Console.
In the Managed devices folder in the Administration Console tree, open the folder with the name of the administration group to which the relevant client computers belong.
In the workspace, select the Devices tab.
On the Devices tab, select the computer of the user requesting access to encrypted data and right-click to open the context menu.
In the context menu, select Grant access in offline mode.
In the window that opens, select the Data Encryption tab.
On the Data Encryption tab, click the Browse button.
In the window for selecting a request access file, specify the path to the file received from the user.

How to obtain an encrypted data access key file in the Web Console

In the main window of Web Console, select Devices → Managed devices.
Select the check box next to the name of the computer whose data you want to restore access to.
Click the Share this device offline button.
Select the Data Encryption section.
Click the Select file button and select the request access file that you received from the user (a file with the KESDC extension).
The Web Console will display information about the request. This will include the name of the computer on which the user is requesting access to the file.
Click the Save key button and select a folder to save the encrypted data access key file (a file with the KESDR extension).

As a result, you will be able to obtain the encrypted data access key, which you will need to transfer to the user.

After receiving the encrypted data access key file, the user needs to run the file by double-clicking it. As a result, Kaspersky Endpoint Security will grant access to all encrypted files stored on the drive. To access encrypted files that are stored on other drives, you must obtain a separate access key file for each drive.

Page top

[Topic 128094]

Restoring access to encrypted data after operating system failure

You can restore access to data after operating system failure only for file level encryption (FLE). You cannot restore access to data if full disk encryption (FDE) is used.

To restore access to encrypted data after operating system failure:

Reinstall the operating system without formatting the hard drive.
Install Kaspersky Endpoint Security.
Establish a connection between the computer and the Kaspersky Security Center Administration Server that controlled the computer when the data was encrypted.

Access to encrypted data will be granted under the same conditions that applied before operating system failure.

Page top

[Topic 123497]

Editing templates of encrypted file access messages

To edit templates of encrypted file access messages:

Open the Kaspersky Security Center Administration Console.
In the Managed devices folder in the Administration Console tree, open the folder with the name of the administration group to which the relevant client computers belong.
In the workspace, select the Policies tab.
Select the necessary policy and double-click to open the policy properties.
In the policy window, select Data Encryption → Common Encryption Settings.
In the Templates section, click the Templates button.
The Templates window opens.
Do the following:
- If you want to edit the user message template, select the User's message tab. The Access to data is blocked window opens when the user attempts to access an encrypted file while there is no key available on the computer for access to encrypted files. Clicking the Send by email button in the Access to data is blocked window automatically creates a user message. This message is sent to the corporate LAN administrator along with the file requesting access to encrypted files.
- If you want to edit the administrator message template, select the Administrator's message tab. This message is created automatically when you click the Send by email button in the Request access to encrypted files window and is sent to the user after the user is granted access to encrypted files.
Edit the message templates.
You can use the By default button and the Variable drop-down list.
Save your changes.

Starting encryption of removable drives

Page top

[Topic 128082]

Encryption of removable drives

Kaspersky Endpoint Security supports encryption of files in FAT32 and NTFS file systems. If a removable drive with an unsupported file system is connected to the computer, the encryption task for this removable drive ends with an error and Kaspersky Endpoint Security assigns the read-only status to the removable drive.

To protect data on removable drives, you can use the following types of encryption:

Full Disk Encryption (FDE).
Encryption of the entire removable drive, including the file system.

It is not possible to access encrypted data outside the corporate network. It is also impossible to access encrypted data inside the corporate network if the computer is not connected to Kaspersky Security Center (e.g. on a guest computer).
File Level Encryption (FLE).
Encryption of only files on a removable drive. The file system remains unchanged.

Encryption of files on removable drives provides the capability to access data outside the corporate network using a special mode called portable mode.

During encryption, Kaspersky Endpoint Security creates a master key. Kaspersky Endpoint Security saves the master key in the following repositories:

Kaspersky Security Center.
User's computer.
The master key is encrypted with the user's secret key.
Removable drive.
The master key is encrypted with the public key of Kaspersky Security Center.

After encryption is complete, the data on the removable drive can be accessed within the corporate network as if was on an ordinary unencrypted removable drive.

Accessing encrypted data

When a removable drive with encrypted data is connected, Kaspersky Endpoint Security performs the following actions:

Checks for a master key in the local storage on the user's computer.
If the master key is found, the user gains access to the data on the removable drive.

If the master key is not found, Kaspersky Endpoint Security performs the following actions:
1. Sends a request to Kaspersky Security Center.
  After receiving the request, Kaspersky Security Center sends a response that contains the master key.
2. Kaspersky Endpoint Security saves the master key in the local storage on the user's computer for subsequent operations with the encrypted removable drive.
Decrypts the data.

Special features of removable drive encryption

Encryption of removable drives has the following special features:

The policy with preset settings for removable drive encryption is formed for a specific group of managed computers. Therefore, the result of applying the Kaspersky Security Center policy configured for encryption / decryption of removable drives depends on the computer to which the removable drive is connected.
Kaspersky Endpoint Security does not encrypt / decrypt read-only files that are stored on removable drives.
The following device types are supported as removable drives:
- Data media connected via the USB bus
- hard drives connected via USB and FireWire buses
- SSD drives connected via USB and FireWire buses

In this section

Adding an encryption rule for removable drives

Exporting and importing a list of encryption rules for removable drives

Portable mode for accessing encrypted files on removable drives

Decryption of removable drives

Page top

[Topic 123503]

Starting encryption of removable drives

You can use a policy to decrypt a removable drive. A policy with defined settings for removable drive encryption is generated for a specific administration group. Therefore, the result of data decryption on removable drives depends on the computer to which the removable drive is connected.

Kaspersky Endpoint Security supports encryption in FAT32 and NTFS file systems. If a removable drive with an unsupported file system is connected to the computer, removable drive encryption ends with an error and Kaspersky Endpoint Security assigns read-only access for the removable drive.

To encrypt removable drives:

Open the Kaspersky Security Center Administration Console.
In the Managed devices folder in the Administration Console tree, open the folder with the name of the administration group to which the relevant client computers belong.
In the workspace, select the Policies tab.
Select the necessary policy and double-click to open the policy properties.
In the policy window, select Data Encryption → Encryption of removable drives.
In the Encryption mode drop-down list, select the default action that you want Kaspersky Endpoint Security to perform on removable drives:
- Encrypt entire removable drive (FDE). Kaspersky Endpoint Security encrypts the contents of a removable drive sector by sector. As a result, the application encrypts not only the files stored on the removable drive but also its file systems, including the file names and folder structures on the removable drive.
- Encrypt all files (FLE). Kaspersky Endpoint Security encrypts all files that are stored on removable drives. The application does not encrypt the file systems of removable drives, including the names of files and folder structures.
- Encrypt new files only (FLE). Kaspersky Endpoint Security encrypts only those files that have been added to removable drives or that were stored on removable drives and have been modified after the Kaspersky Security Center policy was last applied.
Kaspersky Endpoint Security does not encrypt a removable drive that is already encrypted.
If you want to use portable mode for encryption of removable drives, select the Portable mode check box.
Portable mode is a mode of file encryption (FLE) on removable drives that provides the ability to access data outside of a corporate network. Portable mode also lets you work with encrypted data on computers that do not have Kaspersky Endpoint Security installed.
If you want to encrypt a new removable drive, it is recommended to select the Encrypt used disk space only check box. If the check box is cleared, Kaspersky Endpoint Security will encrypt all files, including the residual fragments of deleted or modified files.
If you want to configure encryption for individual removable drives, define encryption rules.
If you want to use full disk encryption of removable drives in offline mode, select the Allow removable drive encryption in offline mode check box.
Offline encryption mode refers to encryption of removable drives (FDE) when there is no connection to Kaspersky Security Center. During encryption, Kaspersky Endpoint Security saves the master key only on the user's computer. Kaspersky Endpoint Security will send the master key to Kaspersky Security Center during the next synchronization.

If the computer on which the master key is saved is corrupted and data is not sent to Kaspersky Security Center, it is not possible to obtain access to the removable drive.

If the Allow removable drive encryption in offline mode check box is cleared and there is no connection to Kaspersky Security Center, removable drive encryption is not possible.
Save your changes.

After the policy is applied, when the user connects a removable drive or if a removable drive is already connected, Kaspersky Endpoint Security prompts the user for confirmation to perform the encryption operation (see the figure below).

The application lets you perform the following actions:

If the user confirms the encryption request, Kaspersky Endpoint Security encrypts the data.
If the user declines the encryption request, Kaspersky Endpoint Security leaves the data unchanged and assigns read-only access for this removable drive.
If the user does not respond to the encryption request, Kaspersky Endpoint Security leaves the data unchanged and assigns read-only access for this removable drive. The application prompts for confirmation again when subsequently applying a policy or the next time this removable drive is connected.

If the user initiates safe removal of a removable drive during data encryption, Kaspersky Endpoint Security interrupts the data encryption process and allows removal of the removable drive before the encryption process has finished. Data encryption will be continued the next time the removable drive is connected to this computer.

If encryption of a removable drive failed, view the Data encryption report in the Kaspersky Endpoint Security interface. Access to files may be blocked by another application. In this case, try unplugging the removable drive from the computer and connecting it again.

Removable drive encryption request

Page top

[Topic 123493]

Adding an encryption rule for removable drives

To add an encryption rule for removable drives:

Open the Kaspersky Security Center Administration Console.
In the Managed devices folder in the Administration Console tree, open the folder with the name of the administration group to which the relevant client computers belong.
In the workspace, select the Policies tab.
Select the necessary policy and double-click to open the policy properties.
In the policy window, select Data Encryption → Encryption of removable drives.
Click the Add button, and in the drop-down list select one of the following items:
- If you want to add encryption rules for removable drives that are in the list of trusted devices of the Device Control component, select From list of trusted devices of this policy.
- If you want to add encryption rules for removable drives that are in the Kaspersky Security Center list, select From Kaspersky Security Center list of devices.
In the Encryption mode for selected devices drop-down list, select the action to be performed by Kaspersky Endpoint Security on files stored on the selected removable drives.
Select the Portable mode check box if you want Kaspersky Endpoint Security to prepare removable drives before encryption, making it possible to use encrypted files stored on them in portable mode.
Portable mode lets you use encrypted files stored on removable drives that are connected to computers without encryption functionality.
Select the Encrypt used disk space only check box if you want Kaspersky Endpoint Security to encrypt only those disk sectors that are occupied by files.
If you are applying encryption on a drive that is already in use, it is recommended to encrypt the entire drive. This ensures that all data is protected - even deleted data that might still contain retrievable information. The Encrypt used disk space only function is recommended for new drives that have not been previously used.

If a device was previously encrypted using the Encrypt used disk space only function, after applying a policy in Encrypt entire removable drive mode, sectors that are not occupied by files will still not be encrypted.
In the Actions for devices that were selected earlier drop-down list, select the action to be performed by Kaspersky Endpoint Security according to encryption rules that had been previously defined for removable drives:
- If you want the previously created encryption rule for the removable drive to remain unchanged, select Skip.
- If you want the previously created encryption rule for the removable drive to be replaced by the new rule, select Update.
Save your changes.

The added encryption rules for removable drives will be applied to removable drives connected to any computers in the organization.

Page top

[Topic 202233]

Exporting and importing a list of encryption rules for removable drives

You can export the list of removable drive encryption rules to an XML file. Then you can modify the file to, for example, add a large number of rules for the same type of removable drives. You can also use the export/import function to back up the list of rules or to migrate the rules to a different server.

How to export and import a list of removable drive encryption rules in the Administration Console (MMC)

Open the Kaspersky Security Center Administration Console.
In the Managed devices folder in the Administration Console tree, open the folder with the name of the administration group to which the relevant client computers belong.
In the workspace, select the Policies tab.
Select the necessary policy and double-click to open the policy properties.
In the policy window, select Data Encryption → Encryption of removable drives.
To export the list of encryption rules for removable drives:
1. Select the rules that you want to export. To select multiple ports, use the CTRL or SHIFT keys.
  If you did not select any rule, Kaspersky Endpoint Security will export all rules.
2. Click the Export link.
3. In the window that opens, specify the name of the XML file to which you want to export the list of rules, and select the folder in which you want to save this file.
4. Click the Save button.
  Kaspersky Endpoint Security exports the list of rules to the XML file.
To import a list of encryption rules for removable drives:
1. Click the Import link.
  In the window that opens, select the XML file from which you want to import the list of rules.
2. Click the Open button.
  If the computer already has a list of rules, Kaspersky Endpoint Security will prompt you to delete the existing list or add new entries to it from the XML file.
Save your changes.

How to export and import a list of removable drive encryption rules in the Web Console

In the main window of Web Console, select Devices → Policies and profiles.
Click the name of the Kaspersky Endpoint Security policy for computers on which you want to export or import a list of removable drive encryption rules.
The policy properties window opens.
Select the Application settings tab.
Go to Data Encryption → Encryption of Removable Drives.
In the Encryption rules for selected devices block, click the Encryption rules link.
This opens a list of encryption rules for removable drives.
To export the list of encryption rules for removable drives:
1. Select the rules that you want to export.
2. Click the Export button.
3. Confirm that you want to export only the selected rules, or export the entire list.
4. Click the Export button.
  Kaspersky Endpoint Security exports the list of rules to an XML file in the default downloads folder.
To import the list of rules:
1. Click the Import link.
  In the window that opens, select the XML file from which you want to import the list of rules.
2. Click the Open button.
  If the computer already has a list of rules, Kaspersky Endpoint Security will prompt you to delete the existing list or add new entries to it from the XML file.
Save your changes.

Page top

[Topic 123492]

Portable mode for accessing encrypted files on removable drives

Portable mode is a mode of file encryption (FLE) on removable drives that provides the ability to access data outside of a corporate network. Portable mode also lets you work with encrypted data on computers that do not have Kaspersky Endpoint Security installed.

Portable mode is convenient to use in the following cases:

There is no connection between the computer and the Kaspersky Security Center Administration Server.
The infrastructure has changed with the change of the Kaspersky Security Center Administration Server.
Kaspersky Endpoint Security is not installed on the computer.

Portable File Manager

To work in portable mode, Kaspersky Endpoint Security installs a special encryption module named Portable File Manager on a removable drive. The Portable File Manager provides an interface for working with encrypted data if Kaspersky Endpoint Security is not installed on the computer (see the figure below). If Kaspersky Endpoint Security is installed on your computer, you can work with encrypted removable drives using your usual file manager (for example, Explorer).

The Portable File Manager stores a key to encrypt files on a removable drive. The key is encrypted with the user password. The user sets a password before encrypting files on a removable drive.

The Portable File Manager starts automatically when a removable drive is connected to a computer on which Kaspersky Endpoint Security is not installed. If automatic startup of applications is disabled on the computer, manually start the Portable File Manager. To do so, run the file named pmv.exe that is stored on the removable drive.

Portable File Manager

Support for portable mode for working with encrypted files

How to enable portable mode support for working with encrypted files on removable drives in the Administration Console (MMC)

Open the Kaspersky Security Center Administration Console.
In the Managed devices folder in the Administration Console tree, open the folder with the name of the administration group to which the relevant client computers belong.
In the workspace, select the Policies tab.
Select the necessary policy and double-click to open the policy properties.
In the policy window, select Data Encryption → Encryption of removable drives.
In the Encryption mode for selected devices drop-down list, select Encrypt all files or Encrypt new files only.
Portable mode is available only with File Level Encryption (FLE). It is not possible to enable portable mode support for Full Disk Encryption (FDE).
Select the Portable mode check box.
If necessary, add encryption rules for individual removable drives.
Save your changes.
After applying the policy, connect the removable drive to the computer.
Confirm the removable drive encryption operation.
This opens a window in which you can create a password for Portable File Manager.
Specify a password that meets the strength requirements and confirm it.
Click OK.

Kaspersky Endpoint Security will encrypt files on the removable drive. The Portable File Manager used for working with encrypted files will also be added to the removable drive. If there are already encrypted files on the removable drive, Kaspersky Endpoint Security will encrypt them again using its own key. This allows the user to access all files on the removable drive in portable mode.

How to enable portable mode support for working with encrypted files on removable drives in the Web Console

In the main window of Web Console, select Devices → Policies and profiles.
Click the name of the Kaspersky Endpoint Security policy for computers on which you want to enable support for portable mode.
The policy properties window opens.
Select the Application settings tab.
Go to Data Encryption → Encryption of Removable Drives.
In the Manage encryption section, select Encrypt all files or Encrypt new files only.
Portable mode is available only with File Level Encryption (FLE). It is not possible to enable portable mode support for Full Disk Encryption (FDE).
Select the Portable mode check box.
If necessary, add encryption rules for individual removable drives.
Save your changes.
After applying the policy, connect the removable drive to the computer.
Confirm the removable drive encryption operation.
This opens a window in which you can create a password for Portable File Manager.
Specify a password that meets the strength requirements and confirm it.
Click OK.

Accessing encrypted files on a removable drive

After encrypting files on a removable drive with portable mode support, the following file access methods are available:

If Kaspersky Endpoint Security is not installed on the computer, the Portable File Manager will prompt you to enter a password. You will need to enter the password each time you restart the computer or reconnect the removable drive.
If the computer is located outside the corporate network and Kaspersky Endpoint Security is installed on the computer, the application will prompt you to enter the password or send the administrator a request to access the files. After gaining access to files on a removable drive, Kaspersky Endpoint Security will save the secret key in the computer's key storage. This will allow access to files in the future without entering a password or asking the administrator.
If the computer is located inside the corporate network and Kaspersky Endpoint Security is installed on the computer, you will get access to the device without entering a password. Kaspersky Endpoint Security will receive the secret key from the Kaspersky Security Center Administration Server to which the computer is connected.

Recovering the password for working in portable mode

If you have forgotten the password for working in portable mode, you need to connect the removable drive to a computer with Kaspersky Endpoint Security installed inside the corporate network. You will get access to the files because the secret key is stored in the computer's key storage or on the Administration Server. Decrypt and re-encrypt files with a new password.

Features of portable mode when connecting a removable drive to a computer from another network

If the computer is located outside the corporate network and Kaspersky Endpoint Security is installed on the computer, you can access the files in the following ways:

Password-based access
After entering the password, you will be able to view, modify, and save files on the removable drive (transparent access). Kaspersky Endpoint Security can set a read-only access right for a removable drive if the following parameters are configured in the policy settings for encryption of removable drives:
- Portable mode support is disabled.
- The Encrypt all files or Encrypt new files only mode is selected.
In all other cases, you will get full access to the removable drive (read/write permission). You will be able to add and delete files.

You can change the removable drive access permissions even while the removable drive is connected to the computer. If the removable drive access permissions are changed, Kaspersky Endpoint Security will block access to the files and prompt you for the password again.

After entering the password, you cannot apply encryption policy settings for the removable drive. In this case, it is impossible to decrypt or re-encrypt files on the removable drive.
Ask the administrator for access to files
If you have forgotten the password for working in portable mode, ask the administrator for access to files. To access the files, the user needs to send the administrator a request access file (a file with the KESDC extension). The user can send the request access file by email, for example. The administrator will send an encrypted data access file (a file with the KESDR extension).

After you complete the Request-Response password recovery procedure, you will receive transparent access to files on the removable drive, and full access to the removable drive (read/write permission).

You can apply a removable drive encryption policy, and decrypt files, for example. After recovering the password or when the policy is updated, Kaspersky Endpoint Security will prompt you to confirm the changes.

How to obtain an encrypted data access file in the Administration Console (MMC)
1. Open the Kaspersky Security Center Administration Console.
2. In the Managed devices folder in the Administration Console tree, open the folder with the name of the administration group to which the relevant client computers belong.
3. In the workspace, select the Devices tab.
4. On the Devices tab, select the computer of the user requesting access to encrypted data and right-click to open the context menu.
5. In the context menu, select Grant access in offline mode.
6. In the window that opens, select the Data Encryption tab.
7. On the Data Encryption tab, click the Browse button.
8. In the window for selecting a request access file, specify the path to the file received from the user.
You will see information about the user's request. Kaspersky Security Center generates a key file. Email the generated encrypted data access key file to the user. Or save the access file and use any available method to transfer the file.
How to obtain an encrypted data access file in the Web Console
1. In the main window of Web Console, select Devices → Managed devices.
2. Select the check box next to the name of the computer whose data you want to restore access to.
3. Click the Share this device offline button.
4. Select the Data Encryption section.
5. Click the Select file button and select the request access file that you received from the user (a file with the KESDC extension).
  The Web Console will display information about the request. This will include the name of the computer on which the user is requesting access to the file.
6. Click the Save key button and select a folder to save the encrypted data access key file (a file with the KESDR extension).
As a result, you will be able to obtain the encrypted data access key, which you will need to transfer to the user.

Page top

[Topic 123500]

Decryption of removable drives

To decrypt removable drives:

Open the Kaspersky Security Center Administration Console.
In the Managed devices folder in the Administration Console tree, open the folder with the name of the administration group to which the relevant client computers belong.
In the workspace, select the Policies tab.
Select the necessary policy and double-click to open the policy properties.
In the policy window, select Data Encryption → Encryption of removable drives.
If you want to decrypt all encrypted files that are stored on removable drives, in the Encryption mode drop-down list select Decrypt entire removable drive.
To decrypt data that is stored on individual removable drives, edit the encryption rules for removable drives whose data you want to decrypt. To do so:
1. In the list of removable drives for which encryption rules have been configured, select an entry corresponding to the removable drive you need.
2. Click the Set a rule button to edit the encryption rule for the selected removable drive.
  The context menu of the Set a rule button opens.
3. Select the Decrypt all files item in the context menu of the Set a rule button.
Save your changes.

As a result, if a user connects a removable drive or if it is already connected, Kaspersky Endpoint Security decrypts the removable drive. The application warns the user that the decryption process may take some time. If the user initiates safe removal of a removable drive during data decryption, Kaspersky Endpoint Security interrupts the data decryption process and allows removal of the removable drive before the decryption operation has finished. Data decryption will be continued the next time the removable drive is connected to the computer.

If decryption of a removable drive failed, view the Data encryption report in the Kaspersky Endpoint Security interface. Access to files may be blocked by another application. In this case, try unplugging the removable drive from the computer and connecting it again.

Page top

[Topic 65058]

Viewing data encryption details

While encryption or decryption in progress, Kaspersky Endpoint Security relays information about the status of encryption parameters applied to client computers to Kaspersky Security Center.

The following encryption status values are possible:

Encryption policy not defined. A Kaspersky Security Center encryption policy has not been defined for the computer.
Applying policy. Data encryption and / or decryption is in progress on the computer.
Error. An error occurred during data encryption and / or decryption on the computer.
Reboot required. The operating system has to be rebooted in order to start or finish data encryption or decryption on the computer.
Compliant with policy. Data encryption on the computer has been completed using the encryption settings specified in the Kaspersky Security Center policy applied to the computer.
Cancelled by user. The user has declined to confirm the file encryption operation on the removable drive.

In this section

Viewing the encryption status

Viewing encryption statistics on Kaspersky Security Center dashboards

Viewing file encryption errors on local computer drives

Viewing the data encryption report

Page top

[Topic 128095]

Viewing the encryption status

To view the encryption status of computer data:

Open the Kaspersky Security Center Administration Console.
In the Managed devices folder in the Administration Console tree, open the folder with the name of the administration group to which the relevant client computers belong.
In the workspace, select the Devices tab.
The Devices tab in the workspace shows the properties of computers in the selected administration group.
On the Devices tab in the workspace, slide the scroll bar all the way to the right.
If the Encryption status column is not displayed:
1. Right-click to open the context menu for the table header.
2. In the context menu, in the View drop-down list, select Add/Remove columns.
  The Add/Remove columns window opens.
3. In the Add/Remove columns window, select the Encryption status check box.
4. Click OK.

The Encryption status column shows the encryption status of data on computers in the selected administration group. This status is formed based on information about file encryption on local drives of the computer, and about full disk encryption.

Page top

[Topic 128096]

Viewing encryption statistics on Kaspersky Security Center dashboards

To view the encryption status on Kaspersky Security Center dashboards:

Open the Kaspersky Security Center Administration Console.
In the console tree, select the Administration Server – <Computer name> node.
In the workspace to the right of the Administration Console tree, select the Statistics tab.
Create a new page with details panes containing data encryption statistics. To do so:
1. On the Statistics tab, click the Customize view button.
  The Properties: Statistics window opens.
2. In the Properties: Statistics window, click Add.
  The Properties: New page window opens.
3. In the General section of the Properties: New page window, type the page name.
4. In the Details panes section, click the Add button.
  The New details pane window opens.
5. In the New details panel window in the Protection status group, select the Encryption of devices item.
6. Click OK.
  The Properties: Encryption Control window opens.
7. If necessary, edit the details pane settings. To do so, use the View and Devices sections of the Properties: Encryption of devices window.
8. Click OK.
9. Repeat steps d – h of the instructions, selecting the Encryption of removable drives item in the Protection status section of the New details pane window.
  The details panes added appear in the Details panes list in the Properties: New page window.
10. In the Properties: New page window, click OK.
  The name of the page with details panes created at the previous steps appears in the Pages list of the Properties: Statistics window.
11. In the Properties: Statistics window, click Close.
On the Statistics tab, open the page that was created during the previous steps of the instructions.

The details panes appear, showing the encryption status of computers and removable drives.

Page top

[Topic 128786]

Viewing file encryption errors on local computer drives

To view the file encryption errors on local computer drives:

Open the Kaspersky Security Center Administration Console.
In the Managed devices folder of the Administration Console tree, open the folder with the name of the administration group that includes the client computer whose list of file encryption errors you want to view.
In the workspace, select the Devices tab.
On the Devices tab, select the name of the computer in the list and right-click it to open the context menu.
In the context menu of the computer, select the Properties item. In the Properties: <computer name> window, select the Protection section.
In the Protection section of the Properties: <computer name> window, click the View list of data encryption errors link to open the Data encryption errors window.

This window shows the details of file encryption errors on local computer drives. When an error is corrected, Kaspersky Security Center removes the error details from the Data encryption errors window.

Page top

[Topic 128372]

Viewing the data encryption report

To view the data encryption report:

Open the Kaspersky Security Center Administration Console.
In the Administration Server node of the Administration Console tree, select the Reports tab.
Click the New report template button.
The Report Template Wizard starts.
Follow the instructions of the Report Template Wizard. In the Select report template type window in the Other section, select one of the following items:
- Managed device encryption status report.
- Mass storage device encryption status report.
- File encryption errors report.
- Report on blocked access to encrypted files.
After you have finished with the New Report Template Wizard, the new report template appears in the table on the Reports tab.
Select the report template that was created at the previous steps of the instructions.
In the context menu of the template, select Show report.

The report generation process starts. The report is displayed in a new window.

Page top

[Topic 128089]

Working with encrypted devices when there is no access to them

Obtaining access to encrypted devices

A user may be required to request access to encrypted devices in the following cases:

The hard drive was encrypted on a different computer.
The encryption key for a device is not on the computer (for example, upon the first attempt to access the encrypted removable drive on the computer), and the computer is not connected to Kaspersky Security Center.
After the user has applied the access key to the encrypted device, Kaspersky Endpoint Security saves the encryption key on the user's computer and allows access to this device upon subsequent access attempts even if there is no connection to Kaspersky Security Center.

Access to encrypted devices can be obtained as follows:

The user uses the Kaspersky Endpoint Security application interface to create a request access file with the kesdc extension and sends it to the corporate LAN administrator.
The administrator uses the Kaspersky Security Center Administration Console to create an access key file with the kesdr extension and sends it to the user.
The user applies the access key.

Restoring data on encrypted devices

A user can use the Encrypted Device Restore Utility (hereinafter referred to as the Restore Utility) to work with encrypted devices. This may be required in the following cases:

The procedure for using an access key to obtain access was unsuccessful.
Encryption components have not been installed on the computer with the encrypted device.

The data needed to restore access to encrypted devices using the Restore Utility resides in the memory of the user's computer in unencrypted form for some time. To reduce the risk of unauthorized access to such data, you are advised to restore access to encrypted devices on trusted computers.

Data on encrypted devices can be restored as follows:

The user uses the Restore Utility to create a request access file with the fdertc extension and sends it to the corporate LAN administrator.
The administrator uses the Kaspersky Security Center Administration Console to create an access key file with the fdertr extension and sends it to the user.
The user applies the access key.

To restore data on encrypted system hard drives, the user can also specify the Authentication Agent account credentials in the Restore Utility. If the metadata of the Authentication Agent account has been corrupted, the user must complete the restoration procedure using a request access file.

Before restoring data on encrypted devices, it is recommended to cancel the Kaspersky Security Center policy or disable encryption in the Kaspersky Security Center policy settings on the computer where the procedure will be performed. This prevents the device from being encrypted again.

In this section

Recovering data by using the FDERT Restore Utility

Creating an operating system rescue disk

Page top

[Topic 130941]

Recovering data by using the FDERT Restore Utility

If the hard drive fails, the file system may be corrupt. If this is the case, data protected by Kaspersky Disk Encryption technology will be unavailable. You can decrypt the data and copy the data to a new drive.

Data recovery on a drive protected by Kaspersky Disk Encryption technology consists of the following steps:

Create a stand-alone Restore Utility (see the figure below).
Connect a drive to a computer that does not have Kaspersky Endpoint Security encryption components installed.
Run the Restore Utility and diagnose the hard drive.
Access data on the drive. To do so, enter the credentials of the Authentication Agent or start the recovery procedure (Request-Response).

FDERT Restore Utility

Creating a standalone restore utility

To create the executable file of Restore Utility:

In the main application window, click the Support button.
In the window that opens, click the Restore encrypted device button.
Encrypted device Restore Utility starts.
Click the Create Stand-alone Restore Utility button in the window of Restore Utility.
Save the stand-alone Restore Utility to computer memory.

As a result, the executable file of the Restore Utility (fdert.exe) will be saved in the specified folder. Copy the Restore Utility to a computer that does not have Kaspersky Endpoint Security encryption components. This prevents the drive from being encrypted again.

Recovering data on a hard drive

To restore access to an encrypted device using the Restore Utility:

Run the file named fdert.exe, which is the executable file of the Restore Utility. This file is created by Kaspersky Endpoint Security.
In the Restore Utility window, from the Select device drop-down list select an encrypted device to which you want to restore access.
Click the Scan button to allow the utility to define which of the actions should be taken on the device: whether it should be unlocked or decrypted.
If the computer has access to Kaspersky Endpoint Security encryption functionality, the Restore Utility prompts you to unlock the device. While unlocking the device does not decrypt it, the device becomes directly accessible as a result of being unlocked. If the computer does not have access to Kaspersky Endpoint Security encryption functionality, the Restore Utility prompts you to decrypt the device.
If you want to import diagnostic information, click the Save diagnostics button.
The utility will save an archive with files containing diagnostic information.
Click the Fix MBR button if diagnostics of the encrypted system hard drive has returned a message about problems involving the master boot record (MBR) of the device.
Fixing the master boot record of the device can speed up the process of obtaining information that is needed for unlocking or decrypting the device.
Click the Unlock or Decrypt button depending on the results of diagnostics.
If you want to restore data using an Authentication Agent account, select the Use Authentication Agent account settings option and enter the credentials of the Authentication Agent.
This method is possible only when restoring data on a system hard drive. If the system hard drive was corrupted and Authentication Agent account data has been lost, you must obtain an access key from the corporate LAN administrator to restore data on an encrypted device.
If you want to start the recovery procedure, do the following:
1. Select the Specify device access key manually option.
2. Click the Receive access key button and save the request access file to computer memory (a file with the FDERTC extension).
3. Send the request access file to the corporate LAN administrator.
  Do not close the Receive device access key window until you have received the access key. When this window is opened again, you will not be able to apply the access key that was previously created by the administrator.
4. Receive and save the access file (a file with the FDERTR extension) created and sent to you by the corporate LAN administrator (see the instructions below).
5. Download the access file in the Receive device access key window.
If you are decrypting a device, you must configure additional decryption settings:
- Specify area to decrypt:
  - If you want to decrypt the entire device, select the Decrypt entire device option.
  - If you want to decrypt a portion of the data on a device, select the Decrypt individual device areas option and specify the decryption area boundaries.
- Select the location for writing the decrypted data:
  - If you want the data on the original device to be rewritten with the decrypted data, clear the Decrypt to a disk image file check box.
  - If you want to save decrypted data separately from the original encrypted data, select the Decrypt to a disk image file check box and use the Browse button to specify the path where to save the VHD file.
Click OK.

The device unlocking / decryption process starts.

How to create an encrypted data access file in the Administration Console (MMC)

Open the Kaspersky Security Center Administration Console.
In the Administration Console tree, select the Additional → Data encryption and protection → Encrypted devices folder.
In the workspace, select the encrypted device for which you want to create an access key file, and select Get access to the device in Kaspersky Endpoint Security for Windows (11.6.0) in the device context menu.
If you are not sure for which computer the request access file was generated, in the Administration Console tree select the Additional → Data encryption and protection folder and click the Get device encryption key in Kaspersky Endpoint Security for Windows (11.6.0) link in the workspace.
In the window that opens, select the encryption algorithm to use: AES256 or AES56.
The data encryption algorithm depends on the AES encryption library that is included in the distribution package: Strong encryption (AES256) or Lite encryption (AES56). The AES encryption library is installed together with the application.
Click the Browse button. In the window that opens, specify the path to the request access file (with the FDERTC extension) received from the user.
Click the Open button.

How to create an encrypted data access file in the Web Console

In the main window of the Web Console, select Operations → Data encryption and protection → Encrypted devices.
Select the check box next to the name of the computer on which you want to recover data.
Click the Share this device offline button.
This starts the Wizard for granting access to a device.
Follow the instructions of the Wizard for granting access to a device:
1. Select the Kaspersky Endpoint Security for Windows plug-in.
2. Select the encryption algorithm to use: AES256 or AES56.
  The data encryption algorithm depends on the AES encryption library that is included in the distribution package: Strong encryption (AES256) or Lite encryption (AES56). The AES encryption library is installed together with the application.
3. Click the Select file button and select the request access file received from the user (a file with the FDERTC extension).
4. Click the Save key button and select a folder to save the key file for accessing encrypted data (a file with the FDERTR extension).

As a result, you will be able to obtain the encrypted data access key, which you will need to transfer to the user.

Page top

[Topic 64998]

Creating an operating system rescue disk

The operating system rescue disk can be useful when an encrypted hard drive cannot be accessed for some reason and the operating system cannot load.

You can load an image of the Windows operating system using the rescue disk and restore access to the encrypted hard drive using Restore Utility included in the operating system image.

To create an operating system rescue disk:

Create an executable file for the Encrypted Device Restore Utility.
Create a custom image of the Windows pre-boot environment. While creating the custom image of the Windows pre-boot environment, add the executable file of Restore Utility to the image.
Save the custom image of the Windows pre-installation environment to bootable media such as a CD or removable drive.
Refer to Microsoft help files for instructions on creating a custom image of the Windows pre-boot environment (for example, in the Microsoft TechNet resource).

Page top

[Topic 184545]

Managing the application from the command line

You can manage Kaspersky Endpoint Security from the command line. You can view the list of commands for managing the application by executing the HELP command. To read about the syntax of a specific command, enter HELP <command>.

Special characters in the command must be escaped. To escape &, |, (, ), <, >, ^, use the ^ character (for example, to use the & character, enter ^&). To escape the % character, enter %%.

In this Help section

Commands

Error codes

Appendix. Application profiles

Page top

[Topic 141652]

AVP commands

To manage Kaspersky Endpoint Security from the command line:

Run the command line interpreter (cmd.exe) as an administrator.
Go to the folder where the Kaspersky Endpoint Security executable file is located.
To execute a command, enter:
avp.com <command> [options]

As a result, Kaspersky Endpoint Security will execute the command (see figure below.)

Managing the application from the command line

In this section

SCAN. Virus Scan

UPDATE. Updating databases and application software modules

ROLLBACK. Rolling back the last update

TRACES. Traces

START. Start the profile

STOP. Stopping a profile

STATUS. Profile status

STATISTICS. Profile operation statistics

RESTORE. Restoring files

EXPORT. Exporting application settings

IMPORT. Importing application settings

ADDKEY. Applying a key file

LICENSE. Licensing

RENEW. Purchasing a license

PBATESTRESET. Reset the disk check results before encrypting the disk

EXIT. Exit the application

EXITPOLICY. Disabling policy

STARTPOLICY. Enabling policy

DISABLE. Disabling protection

SPYWARE. Spyware detection

MDRLICENSE. MDR activation

KSN. Global/Private KSN transition

Page top

[Topic 181236]

SCAN. Virus Scan

Run the virus scan task.

Command syntax

SCAN [<scan scope>] [<action on threat detection>] [<file types>] [<scan exclusions>] [/R[A]:<report file>] [<scan technologies>] [/C:<file with virus scan settings>]

Scan scope
`<files to scan>`	A space-separated list of files and folders. Long paths must be enclosed in quotation marks. Short paths (MS-DOS format) do not need to be enclosed in quotation marks. For example: `"C:\Program Files (x86)\Example Folder"` – long path. `C:\PROGRA~2\EXAMPL~1` – short path.
`/ALL`	Run the Full Scan task. Kaspersky Endpoint Security scans the following objects: Kernel memory Objects that are loaded at startup of the operating system Boot sectors Operating system backup All hard and removable drives
`/MEMORY`	Scan the Kernel memory
`/STARTUP`	Scan the Objects that are loaded at startup of the operating system
`/MAIL`	Scan Outlook mailbox
`/REMDRIVES`	Scan removable drives.
`/FIXDRIVES`	Scan hard drives.
`/NETDRIVES`	Scan network drives.
`/QUARANTINE`	Scan the files in the Kaspersky Endpoint Security Backup.
`/@:<file list.lst>`	Scan the files and folders from a list. Each file in the list must be on a new row. Long paths must be enclosed in quotation marks. Short paths (MS-DOS format) do not need to be enclosed in quotation marks. For example: `"C:\Program Files (x86)\Example Folder"` – long path. `C:\PROGRA~2\EXAMPL~1` – short path.

Action on threat detection
`/i0`	Inform. If this option is selected, Kaspersky Endpoint Security adds the information about infected files to the list of active threats on detection of these files.
`/i1`	Disinfect; block if disinfection fails. If this option is selected, Kaspersky Endpoint Security automatically attempts to disinfect all infected files that are detected. If disinfection is not possible, Kaspersky Endpoint Security adds the information about the infected files that are detected to the list of active threats.
`/i2`	Disinfect; delete if disinfection fails. If this option is selected, Kaspersky Endpoint Security automatically attempts to disinfect all infected files that are detected. If disinfection fails, Kaspersky Endpoint Security deletes the files. This action is selected by default.
`/i3`	Disinfect the infected files that are detected. If disinfection fails, delete the infected files. Also delete compound files (for example, archives) if the infected file cannot be disinfected or deleted.
`/i4`	Delete infected files. Also delete compound files (for example, archives) if the infected file cannot be deleted.
`/i8`	Prompt the user for action as soon as a threat is detected.
`/i9`	Prompt the user for action after the scan is completed.

File types
`/fe`	Files scanned by extension. If this setting is enabled, Kaspersky Endpoint Security scans infectable files only. The file format is then determined based on the file's extension.
`/fi`	Files scanned by format. If this setting is enabled, Kaspersky Endpoint Security scans infectable files only. Before scanning a file for malicious code, the internal header of the file is analyzed to determine the format of the file (for example, .txt, .doc, or .exe). The scan also looks for files with particular file extensions.
`/fa`	All files. If this setting is enabled, Kaspersky Endpoint Security checks all files without exception (all formats and extensions). This is the default setting.

Scan exclusions
`-e:a`	RAR, ARJ, ZIP, CAB, LHA, JAR, and ICE archives are excluded from the scan scope.
`-e:b`	Mail databases, incoming and outgoing e-mails are excluded from the scan scope.
`-E:<file mask>`	Files that match the file mask are excluded from the scan scope. For example: The mask `.exe` will include all paths to files that have the exe extension. The mask `example` will include all paths to files named EXAMPLE.
`-e:<seconds>`	Files that take longer to scan than the specified time limit (in seconds) are excluded from the scan scope.
`-es:<megabytes>`	Files that are larger than the specified size limit (in megabytes) are excluded from the scan scope.

Saving events to a report file mode
`/R:<report file>`	Save only critical events to the report file.
`/RA:<report file>`	Save all events to a report file.

Scan technologies
`/iChecker=on\|off`	This technology allows increasing scan speed by excluding certain files from scanning. Files are excluded from scans by using a special algorithm that takes into account the release date of Kaspersky Endpoint Security databases, the date when the file was last scanned, and any modifications to the scan settings. There are limitations to iChecker Technology: it does not work with large files and applies only to files with a structure that the application recognizes (for example, EXE, DLL, LNK, TTF, INF, SYS, COM, CHM, ZIP, and RAR).
`/iSwift=on\|off`	This technology allows increasing scan speed by excluding certain files from scanning. Files are excluded from scanning by using a special algorithm that takes into account the release date of Kaspersky Endpoint Security databases, the date that the file was last scanned on, and any modifications to the scanning settings. The iSwift technology is an advancement of the iChecker technology for the NTFS file system.

Advanced settings
`/C:<file with virus scan settings>`	File with Virus scan task settings. The file must be created manually and saved in TXT format. The file can have the following contents: `[<scan scope>] [<action on threat detection>] [<file types>] [<scan exclusions>] [/R[A]:<report file>] [<scan technologies>]`.

Example:

avp.com SCAN /R:log.txt /MEMORY /STARTUP /MAIL "C:\Documents and Settings\All Users\My Documents" "C:\Program Files"

See also:

Working with active threats

Page top

[Topic 181286]

UPDATE. Updating databases and application software modules

Run the Update task.

Command syntax

UPDATE [local] ["<update source>"] [/R[A]:<report file>] [/C:<file with update settings >]

Update task settings

local

Start of the Update task that was created automatically after the application was installed. You can change the settings of the Update task in the local application interface or in the console of Kaspersky Security Center. If this setting is not configured, Kaspersky Endpoint Security starts the Update task with the default settings or with the settings specified in the command. You can configure Update task settings as follows:

UPDATE starts the Update task with the default settings: the update source is Kaspersky update servers, the account is System, and other default settings.
UPDATE local starts the Update task that was created automatically after installation (predefined task).
UPDATE <update settings> starts the Update task with manually defined settings (see below).

Update source
`"<update source>"`	Address of a HTTP or FTP server, or of a shared folder with the update package. You can specify only one update source. If the update source is not specified, Kaspersky Endpoint Security uses the default source: Kaspersky update servers.

Saving events to a report file mode
`/R:<report file>`	Save only critical events to the report file.
`/RA:<report file>`	Save all events to a report file.

Advanced settings
`/C:<file with update settings>`	File with the Update task settings. The file must be created manually and saved in TXT format. The file can have the following contents: `["<update source>"] [/R[A]:<report file>]`.

Example:

avp.com UPDATE local

avp.com UPDATE "ftp://my_server/kav updates" /RA:avbases_upd.txt

See also:

Starting and stopping an update task

Page top

[Topic 181289]

ROLLBACK. Rolling back the last update

Roll back the last anti-virus database update. This lets you roll back the databases and application modules to their previous version when necessary, for example, when the new database version contains an invalid signature that causes Kaspersky Endpoint Security to block a safe application.

Command syntax

ROLLBACK [/R[A]:<report file>]

Saving events to a report file mode
`/R:<report file>`	Save only critical events to the report file.
`/RA:<report file>`	Save all events to a report file.

Example:

avp.com ROLLBACK /RA:rollback.txt

Page top

[Topic 181290]

TRACES. Traces

Enable / disable tracing. Trace files are stored on the computer as long as the application is in use, and are deleted permanently when the application is removed. Trace files, except trace files of Authentication Agent, are stored in the folder %ProgramData%\Kaspersky Lab\KES\Traces. By default, tracing is disabled.

Command syntax

TRACES on|off [<tracing level>] [<advanced settings>]

Tracing level

<tracing level>

Level of detail of traces. Available values:

100 (critical). Only messages about fatal errors.
200 (high). Messages about all errors, including fatal errors.
300 (diagnostic). Messages about all errors, as well as warnings.
400 (important). All error messages, warnings, and additional information.
500 (normal). Messages about all errors and warnings, as well as detailed information about the operation of the application in normal mode (default).
600 (low). All messages.

Advanced settings
`all`	Run a command with the `dbg`, `file` and `mem` parameters.
`dbg`	Use the OutputDebugString function and save the trace file. The OutputDebugString function sends a character string to the application debugger to display on screen. For details, visit the MSDN website.
`file`	Save one trace file (no size limit).
`rot`	Save traces to a limited number of files of limited size and overwrite the older files when the maximum size is reached.
`mem`	Save traces to dump files.

Examples:

avp.com TRACES on 500
avp.com TRACES on 500 dbg
avp.com TRACES off
avp.com TRACES on 500 dbg mem
avp.com TRACES off file

See also:

Application operation traces

Application performance traces

Contents and storage of trace files

Dump writing

Protecting dump files and trace files

Page top

[Topic 181291]

START. Start the profile

Start the profile (for example, to update databases or to enable a protection component).

Command syntax

START <profile> [/R[A]:<report file>]

Profile
`<profile>`	Profile name. A Profile is a Kaspersky Endpoint Security component, task or feature. You can view the list of available profiles by executing the `HELP START` command.

Saving events to a report file mode
`/R:<report file>`	Save only critical events to the report file.
`/RA:<report file>`	Save all events to a report file.

Example:

avp.com START Scan_Objects

Page top

[Topic 181292]

STOP. Stopping a profile

Stop the running profile (for example, stop scanning, stop removable drives scan, or disable a protection component).

To execute this command, Password protection must be enabled. The user must have the Disable protection components and Disable control components permissions.

Command syntax

STOP <profile> /login=<user name> /password=<password>

Profile
`<profile>`	Profile name. A Profile is a Kaspersky Endpoint Security component, task or feature. You can view the list of available profiles by executing the `HELP STOP` command.

Authentication
`/login=<user name> /password=<password>`	User account credentials with the required Password protection permissions.

Page top

[Topic 181295]

STATUS. Profile status

Show status information for application profiles (for example, running or completed). You can view the list of available profiles by executing the HELP STATUS command.

Kaspersky Endpoint Security also displays information about the status of service profiles. Information about the status of service profiles may be required when you are contacting Kaspersky Technical Support.

Command syntax

STATUS [<profile>]

Page top

[Topic 181297]

STATISTICS. Profile operation statistics

View statistical information about an application profile (for example, scan duration or the number of threats detected.) You can view the list of available profiles by running the HELP STATISTICS command.

Command syntax

STATISTICS <profile>

Page top

[Topic 181298]

RESTORE. Restoring files

You can restore a file from Backup to its original folder. If a file with the same name already exists at the specified path, the suffix "-copy"is appended to the file name. The file that is being restored is copied keeping its original name.

To execute this command, Password protection must be enabled. The user must have the Restore from Backup permission.

Backup copies of files are stored in the folder C:\ProgramData\Kaspersky Lab\KES\QB.

Kaspersky Endpoint Security does not provide the capability to configure user access permissions to backup copies of files.

Command syntax

RESTORE [/REPLACE] <file name> /login=<user name> /password=<password>

Advanced settings
`/REPLACE`	Overwrite an existing file.
`<file name>`	The name of the file to be restored.

Authentication
`/login=<user name> /password=<password>`	User account credentials with the required Password protection permissions.

Example:

avp.com RESTORE /REPLACE true_file.txt /login=KLAdmin /password=!Password1

Page top

[Topic 181299]

EXPORT. Exporting application settings

Export Kaspersky Endpoint Security settings to a file. The file will be located in the C:\Windows\SysWOW64 folder.

Command syntax

EXPORT <profile> <file name>

Profile
`<profile>`	Profile name. A Profile is a Kaspersky Endpoint Security component, task or feature. You can view the list of available profiles by executing the `HELP EXPORT` command`.`

File to export
`<file name>`	The name of the file to which the application settings will be exported. You can export Kaspersky Endpoint Security settings to a DAT or CFG configuration file, to a TXT text file, or to an XML document.

Examples:

avp.com EXPORT ids ids_config.dat
avp.com EXPORT fm fm_config.txt

See also:

Creating and using a configuration file

Page top

[Topic 181300]

IMPORT. Importing application settings

Imports settings for Kaspersky Endpoint Security from a file that was created with the EXPORT command.

To execute this command, Password protection must be enabled. The user must have the Configure application settings permission.

Command syntax

IMPORT <file name> /login=<username> /password=<password>

File to import
`<file name>`	The name of the file from which the application settings will be imported. You can import Kaspersky Endpoint Security settings from a DAT or CFG configuration file, a TXT text file, or an XML document.

Authentication
`/login=<user name> /password=<password>`	User account credentials with the required Password protection permissions.

Example:

avp.com IMPORT config.dat /login=KLAdmin /password=!Password1

See also:

Creating and using a configuration file

Page top

[Topic 181301]

ADDKEY. Applying a key file

Apply the key file to activate Kaspersky Endpoint Security. If the application is already activated, the key will be added as a reserve one.

Command syntax

ADDKEY <file name> /login=<user name> /password=<password>

Key file
`<file name>`	Key file name.

Authentication
`/login=<user name> /password=<password>`	User account credentials. These credentials need to be entered only if Password protection is enabled.

Example:

avp.com ADDKEY file.key

See also:

About the key file

Using the Activation Wizard to activate the application

Page top

[Topic 181302]

LICENSE. Licensing

Perform actions with Kaspersky Endpoint Security license keys.

To execute this command and remove a license key, Password protection must be enabled. The user must have the Remove key permission.

Command syntax

LICENSE <operation> [/login=<user name> /password=<password>]

Operation
`/ADD <file name>`	Apply the key file to activate Kaspersky Endpoint Security. If the application is already activated, the key will be added as a reserve one.
`/ADD <activation code>`	Activate Kaspersky Endpoint Security using an activation code. If the application is already activated, the key will be added as a reserve one.
`/REFRESH <file name>`	Renew your license with a key file. A reserve key is added as a result. It becomes active upon license expiration. It is not possible to add an active key by executing this command.
`/REFRESH <activation code>`	Renew your license with an activation code. A reserve key is added as a result. It becomes active upon license expiration. It is not possible to add an active key by executing this command.
`/DEL /login=<user name> /password=<password>`	Remove a license key. Reserve key will also be removed.

Authentication
`/login=<user name> /password=<password>`	User account credentials with the required Password protection permissions.

Example:

avp.com LICENSE /ADD file.key
avp.com LICENSE /ADD AAAAA-BBBBB-CCCCC-DDDDD
avp.com LICENSE /DEL /login=KLAdmin /password=!Password1

See also:

About activation code

About the key file

About license key

Using the Activation Wizard to activate the application

Page top

[Topic 184351]

RENEW. Purchasing a license

Open the Kaspersky website to purchase or renew your license.

Page top

[Topic 184342]

PBATESTRESET. Reset the disk check results before encrypting the disk

Reset the compatibility check results for Full Disk Encryption(FDE), including both the Kaspersky Disk Encryption and BitLocker Drive Encryption technologies.

Before running Full Disk Encryption, the application performs a number of checks to verify that the computer can be encrypted. If the computer does not support Full Disk Encryption, Kaspersky Endpoint Security logs information about the incompatibility. The next time you try to encrypt, the application does not perform this check and warns you that encryption is not possible. If the hardware configuration of the computer has changed, the compatibility check results previously logged by the application must be reset to re-check the system hard drive for compatibility with Kaspersky Disk Encryption or BitLocker drive encryption technologies.

See also:

Starting BitLocker Drive Encryption

Page top

[Topic 184347]

EXIT. Exit the application

Exits Kaspersky Endpoint Security. The application will be unloaded from the computer's RAM.

To execute this command, Password protection must be enabled. The user must have the Exit the application permission.

Command syntax

EXIT /login=<user name> /password=<password>

Page top

[Topic 184348]

EXITPOLICY. Disabling policy

Disables a Kaspersky Security Center policy on the computer. All Kaspersky Endpoint Security settings are available for configuration, including settings that have a closed lock in the policy ().

To execute this command, Password protection must be enabled. The user must have the Disable Kaspersky Security Center policy permission.

Command syntax

EXITPOLICY /login=<user name> /password=<password>

Page top

[Topic 184350]

STARTPOLICY. Enabling policy

Enables a Kaspersky Security Center policy on the computer. The application settings will be configured according to the policy.

Page top

[Topic 184352]

DISABLE. Disabling protection

Disables File Threat Protection on a computer with an expired Kaspersky Endpoint Security license. It is not possible to run this command on a computer that has the application that is not activated or has a valid license.

Page top

[Topic 184354]

SPYWARE. Spyware detection

Enable / disable spyware detection. By default, spyware detection is enabled.

Command syntax

SPYWARE on|off

Page top

[Topic 207836]

MDRLICENSE. MDR activation

Perform operations with the BLOB configuration file to activate Managed Detection and Response. The BLOB file contains the client ID and information about the license for Kaspersky Managed Detection and Response. The BLOB file is located inside the ZIP archive of the MDR configuration file. You can obtain the ZIP archive in the Kaspersky Managed Detection and Response Console. For detailed information about a BLOB file, please refer to the Kaspersky Managed Detection and Response Help Guide.

Administrator privileges are required for performing operations with a BLOB file. Managed Detection and Response settings in the policy must also be available for editing ().

Command syntax

MDRLICENSE <operation> [/login=<user name> /password=<password>]

Operation
`/ADD <file name>`	Apply the BLOB configuration file for integration with Kaspersky Managed Detection and Response (P7 file format). You can apply only one BLOB file. If a BLOB file was already added to the computer, the file will be replaced.
`/DEL`	Delete the BLOB configuration file.

Authentication
`/login=<user name> /password=<password>`	User account credentials with the required Password protection permissions.

Example:

avp.com MDRLICENSE /ADD file.key
avp.com MDRLICENSE /DEL /login=KLAdmin /password=!Password1

Page top

[Topic 207430]

KSN. Global/Private KSN transition

Selecting a Kaspersky Security Network solution for determining the reputation of files or websites. Kaspersky Endpoint Security supports the following KSN infrastructural solutions:

Global KSN is the solution that is used by most Kaspersky applications. KSN participants receive information from Kaspersky Security Network and send Kaspersky information about objects detected on the user's computer to be analyzed additionally by Kaspersky analysts and to be included in the reputation and statistical databases of Kaspersky Security Network.
Private KSN is a solution that enables users of computers hosting Kaspersky Endpoint Security or other Kaspersky applications to obtain access to reputation databases of Kaspersky Security Network, and to other statistical data without sending data to KSN from their own computers. Private KSN is designed for corporate customers who are unable to participate in Kaspersky Security Network for any of the following reasons:
- Local workstations are not connected to the Internet.
- Transmission of any data outside the country or outside the corporate LAN is prohibited by law or restricted by corporate security policies.

Command syntax

KSN /global | /private <file name>


Private KSN configuration file
`<file name>`	Name of the configuration file containing the KSN proxy server settings This file has the PKCS7 or PEM extension.
Example: `avp.com KSN /global` `avp.com KSN /private C:\ksn_config.pkcs7`

Limitations of Private KSN

Enabling and disabling cloud mode for protection components

Checking the connection to Kaspersky Security Network

Checking the reputation of a file in Kaspersky Security Network

Page top

[Topic 213488]

KESCLI commands

KESCLI commands let you receive information about the state of computer protection using the OPSWAT component, and let you perform standard tasks such as virus scans and database updates.

You can view the list of KESCLI commands by using the --help command or by using the abbreviated command -h.

To manage Kaspersky Endpoint Security from the command line:

Run the command line interpreter (cmd.exe) as an administrator.
Go to the folder where the Kaspersky Endpoint Security executable file is located.
To execute a command, enter:
kescli <command> [options]

As a result, Kaspersky Endpoint Security will execute the command (see figure below.)

unlock_kes11_cmd_getthreats

Managing the application from the command line

In this section

Scan. Virus Scan

GetScanState. Scan completion status

GetLastScanTime. Determining the scan completion time

GetThreats. Obtaining data on detected threats

UpdateDefinitions. Updating databases and application software modules

GetDefinitionState. Determining the update completion time

EnableRTP. Enabling protection

GetRealTimeProtectionState. File Threat Protection status

Version. Identifying the application version

Page top

[Topic 213709]

Scan. Virus Scan

Run the virus scan task.

Command syntax

--opswat Scan <scan scope> <action on threat detection>

You can check the status of Full Scan task completion by using the GetScanState command and view the date and time when the scan was last completed by using the GetLastScanTime command.

Scan scope
`<files to scan>`	`;`-separated list of files and folders. E.g.: `C:\Program Files (x86)\Example Folder`.

Action on threat detection

0

Inform. If this option is selected, Kaspersky Endpoint Security adds the information about infected files to the list of active threats on detection of these files.

1

Disinfect; delete if disinfection fails. If this option is selected, Kaspersky Endpoint Security automatically attempts to disinfect all infected files that are detected. If disinfection fails, Kaspersky Endpoint Security deletes the files.

This action is selected by default.

Example:

kescli --opswat Scan C:\Documents and Settings\All Users\My Documents;C:\Program Files 1

See also:

Scanning the computer

Editing the scan scope

SCAN. Virus Scan

Working with active threats

Page top

[Topic 213715]

GetScanState. Scan completion status

Receive information about the status of Full Scan task completion:

1 – the scan is in progress.
0 – the scan is not running.

Command syntax

--opswat GetScanState

Example:

kescli --opswat GetScanState

Page top

[Topic 213723]

GetLastScanTime. Determining the scan completion time

Receive information about the date and time of the last Full Scan task completion.

Command syntax

--opswat GetLastScanTime

Example:

kescli --opswat GetLastScanTime

Page top

[Topic 213725]

GetThreats. Obtaining data on detected threats

Receive a list of detected threats (Threats report). This report contains information about threats and virus activity during the last 30 days prior to creating the report.

Command syntax

--opswat GetThreats

When this command is executed, Kaspersky Endpoint Security will send a response in the following format:

<name of detected object> <type of object> <detection date and time> <path to file> <action on threat detection> <threat danger level>

unlock_kes11_cmd_getthreats

Managing the application from the command line

Object type
`0`	Not known (`Unknown`).
`1`	Viruses (`Virware`).
`2`	Trojan programs (`Trojware`).
`3`	Malicious programs (`Malware`).
`4`	Advertisement programs (`Adware`).
`5`	Auto-dialer programs (`Pornware`).
`6`	Applications that could be used by a cybercriminal to harm the user's computer or data (`Riskware`).
`7`	Packed objects whose packing method may be used to protect malicious code (`Packed`).
`20`	Unknown objects (`Xfiles`).
`21`	Known applications (`Software`).
`22`	Concealed files (`Hidden`).
`23`	Application requiring attention (`Pupware`).
`24`	Anomalous behavior (`Anomaly`).
`30`	Not determined (`Undetect`).
`40`	Ad banners (`Banner`).
`50`	Network attack (`Attack`).
`51`	Registry access (`Registry`).
`52`	Suspicious activity (`Suspicion`).
`60`	Vulnerabilities (`Vulnerability`).
`70`	`Phishing`.
`80`	Unwanted email attachment (`Attachment`).
`90`	Malware detected by Kaspersky Security Network (`Urgent`).
`100`	Unknown link (`Suspic URL`).
`110`	Other malware (`Behavioral`).

Action on threat detection
`0`	Not known (`unknown`).
`1`	Threat was remediated (`ok`).
`2`	Object was infected and has not been disinfected (`infected`).
`5`	Object is in an archive and has not been disinfected (`archive`).
`9`	Object has been disinfected (`disinfected`).
`10`	Object has not been disinfected (`not disinfected`).
`11`	Object was deleted (`deleted`).
`13`	A backup copy of the object was created (`backupped`).
`15`	Object was moved to Backup (`quarantined`).
`23`	Object was deleted on computer restart (`delete on reboot`).
`25`	Object was disinfected on computer restart (`disinfect on reboot`).
`29`	Object was moved to Backup by a user (`added by user`).
`30`	Object was added to exclusions (`added to exclude`).
`31`	Object was moved to Backup on computer restart (`quarantine on reboot`).
`36`	False positive (`false alarm`).
`38`	Process was terminated (`terminated`).
`40`	Object was not detected (`not found`).
`41`	Cannot resolve the threat (`untreatable`).
`42`	Object was restored (`rolled back`).
`43`	Object was created as a result of threat activity (`produced by threat`).
`44`	Object was restored on computer restart (`roll back on reboot`).
`0xffffffff`	Object was not processed (`discarded`).

Threat danger level
`0`	Unknown
`1`	High
`2`	Medium scan
`4`	Low
`8`	Info (less than Low)

Page top

[Topic 213710]

UpdateDefinitions. Updating databases and application software modules

Run the Update task. Kaspersky Endpoint Security uses the default source: Kaspersky update servers.

Command syntax

--opswat UpdateDefinitions

You can view the date and time of the last completed Update task by using the GetDefinitionsetState command.

Example:

kescli --opswat UpdateDefinitions

Page top

[Topic 213724]

GetDefinitionState. Determining the update completion time

Receive information about the date and time of the last Update task completion.

Command syntax

--opswat GetDefinitionState

Example:

kescli --opswat GetDefinitionState

Page top

[Topic 213713]

EnableRTP. Enabling protection

Enable Kaspersky Endpoint Security protection components on the computer: File Threat Protection, Web Threat Protection, Mail Threat Protection, Network Threat Protection, Host Intrusion Prevention.

Command syntax

--opswat EnableRTP

You can check the operating status of File Threat Protection by using the GetRealTimeProtectionState command.

Example:

kescli --opswat EnableRTP

Page top

[Topic 213719]

GetRealTimeProtectionState. File Threat Protection status

Receive information about the operating status of the File Threat Protection component:

1 – the component is enabled.
0 – the component is disabled.

Command syntax

--opswat GetRealTimeProtectionState

Example:

kescli --opswat GetRealTimeProtectionState

Page top

[Topic 213708]

Version. Identifying the application version

Identify the version of Kaspersky Endpoint Security for Windows.

Command syntax

--Version

You can also use the abbreviated command -v.

Example:

kescli -v

Page top

[Topic 184247]

Error codes

Errors may occur when working with the application through the command line. When errors occur, Kaspersky Endpoint Security shows an error message, for example, Error: Cannot start task 'EntAppControl'. Kaspersky Endpoint Security can also show additional information in the form of a code, for example, error=8947906D (see the table below).

Error codes

Error code	Description
`09479001`	License key for Kaspersky Endpoint Security is already in use on this computer.
`0947901D`	License expired. Database update is not available.
`89479002`	Key not found.
`89479003`	Digital signature missing or corrupted.
`89479004`	Data corrupted.
`89479005`	Key file corrupted.
`89479006`	License expired or license key expired.
`89479007`	Key file not specified.
`89479008`	Cannot apply key file.
`89479009`	Failed to save data.
`8947900A`	Failed to read data.
`8947900B`	I/O error.
`8947900C`	Databases not found.
`8947900E`	Licensing library not loaded.
`8947900F`	Databases corrupted or updated manually.
`89479010`	Databases are corrupted.
`89479011`	Cannot use invalid key file to add a reserve key.
`89479012`	System error.
`89479013`	Denylist of keys corrupted.
`89479014`	Digital signature of file does not match the digital signature of Kaspersky.
`89479015`	Cannot use a key for non-commercial license as a key for commercial license.
`89479016`	The beta license is required to use the beta version of the application.
`89479017`	Key file not compatible with this application.
`89479018`	Key blocked by Kaspersky.
`89479019`	Application has already been used under a trial license. Cannot add trial key again.
`8947901A`	Key file corrupted.
`8947901B`	Digital signature missing, corrupted, or does not match the digital signature of Kaspersky.
`8947901C`	Cannot add a key if the corresponding non-commercial license has expired.
`8947901E`	The date the key file was created or used is invalid. Check the system date.
`8947901F`	Cannot add a key for trial license: another key for trial license is already active.
`89479020`	Denylist of keys corrupted or missing.
`89479021`	Update description missing or corrupted.
`89479022`	Error in license key service data.
`89479023`	Cannot use invalid key file to add a reserve key.
`89479025`	Error sending request to activation server. Possible reasons: Internet connection error or temporary problems on the activation server. Try to activate the application with the activation code later. If this error persists, contact your Internet provider.
`89479026`	Error in response from activation server.
`89479027`	Cannot obtain response status.
`89479028`	Error occurred when saving temporary file.
`89479029`	Activation code has been entered incorrectly or system date is incorrect. Check the system date on the computer.
`8947902A`	Key file not compatible with this application, or license expired. You cannot activate Kaspersky Endpoint Security by using a key file for a different application.
`8947902B`	Failed to receive key file. Incorrect activation code was entered.
`8947902C`	Activation server has returned error 400.
`8947902D`	Activation server has returned error 401.
`8947902E`	Activation server has returned error 403.
`8947902F`	Activation server has returned error 404.
`89479030`	Activation server has returned error 405.
`89479031`	Activation server has returned error 406.
`89479032`	Authentication on proxy server required. Check the network settings.
`89479033`	Request timeout expired.
`89479034`	Activation server has returned error 409.
`89479035`	Activation server has returned error 410.
`89479036`	Activation server has returned error 411.
`89479037`	Activation server has returned error 412.
`89479038`	Activation server has returned error 413.
`89479039`	Activation server has returned error 414.
`8947903A`	Activation server has returned error 415.
`8947903C`	Internal server error.
`8947903D`	Functionality not supported.
`8947903E`	Invalid response from gateway. Check the network settings.
`8947903F`	Service unavailable (HTTP Error 503).
`89479040`	Gateway response timeout has expired. Check the network settings.
`89479041`	The protocol is not supported by the server.
`89479043`	Unknown HTTP error.
`89479044`	Invalid resource ID.
`89479046`	Invalid URL.
`89479047`	Invalid destination folder.
`89479048`	Memory allocation error.
`89479049`	Error converting parameters to ANSI string (URL, folder, agent).
`8947904A`	Error creating worker thread.
`8947904B`	Worker thread already running.
`8947904C`	Worker thread not running.
`8947904D`	Key file not found on activation server.
`8947904E`	Key is blocked.
`8947904F`	Internal error of activation server.
`89479050`	Not enough data in activation request.
`89479053`	License key expired.
`89479054`	Incorrect system date is set on the computer.
`89479055`	Trial license has expired.
`89479056`	License expired.
`89479057`	The limit of application activations has been exceeded for the specified code.
`89479058`	Activation procedure ended with a system error.
`89479059`	Cannot use a key for non-commercial license as a key for commercial license.
`8947905C`	Activation code is required.
`89479062`	Cannot connect to activation server.
`89479064`	Activation server is unavailable. Please check your Internet connection settings and retry activation.
`89479065`	Application database release date exceeds the license expiration date.
`89479066`	Cannot replace the active key with an expired key.
`89479067`	Cannot add a reserve key if it expires before the current license.
`89479068`	Updated subscription key missing.
`8947906A`	Incorrect activation code (checksum does not match).
`8947906B`	Key already active.
`8947906C`	License types that correspond to active and reserve keys do not match.
`8947906D`	Component not supported by license.
`8947906E`	Unable to add subscription key as a reserve key.
`89479213`	Transport layer general error.
`89479214`	Failed to connect to activation server.
`89479215`	Invalid URL format.
`89479216`	Failed to convert proxy server address.
`89479217`	Failed to convert server address. Check the Internet connection settings.
`89479218`	Failed to connect to activation server or proxy server.
`89479219`	Remote access denied.
`8947921A`	Response timeout has expired.
`8947921B`	Error sending HTTP request.
`8947921C`	SSL connection error.
`8947921D`	Operation interrupted by callback.
`8947921E`	Too many forward attempts.
`8947921F`	Recipient check failed.
`89479220`	Empty response from activation server.
`89479221`	Error sending data.
`89479222`	Error receiving data.
`89479223`	Local SSL certificate error.
`89479224`	SSL encryption error.
`89479225`	Server SSL certificate error.
`89479226`	Invalid contents of network packet.
`89479227`	User access denied.
`89479228`	Invalid SSL certificate file.
`89479229`	Failed to establish SSL connection.
`8947922A`	Failed to send or receive network packet. Please try again later.
`8947922B`	Invalid file with revoked certificates.
`8947922C`	SSL certificate request error.
`89479401`	Unknown server error.
`89479402`	Internal server error.
`89479403`	No license key available for the activation code entered.
`89479404`	Active key blocked.
`89479405`	Required parameters of application activation request are missing.
`89479406`	Incorrect user name or password.
`89479407`	Incorrect activation code sent to server.
`89479408`	Activation code is invalid for Kaspersky Endpoint Security. You cannot activate Kaspersky Endpoint Security by using a key file for an unknown application.
`89479409`	Request is missing an activation code.
`8947940B`	License expired (according to data from the activation server).
`8947940C`	Number of activations with this code has been exceeded.
`8947940D`	Invalid format of request ID.
`8947940E`	Activation code is invalid for Kaspersky Endpoint Security. Activation code is intended for a different Kaspersky application.
`8947940F`	Cannot update license key.
`89479410`	Activation code is invalid for this region.
`89479411`	Activation code is invalid for the Kaspersky Endpoint Security language version.
`89479412`	Additional access to the activation server is required.
`89479413`	Activation server has returned error 643.
`89479414`	Activation server has returned error 644.
`89479415`	Activation server has returned error 645.
`89479416`	Activation server has returned error 646.
`89479417`	Activation code format not supported by activation server.
`89479418`	Invalid activation code format.
`89479419`	Incorrect system time is set on the computer.
`8947941A`	Activation code is invalid for the Kaspersky Endpoint Security version.
`8947941B`	Subscription expired.
`8947941C`	Number of activations exceeded for this license key.
`8947941D`	Invalid digital signature of license key.
`8947941E`	Additional data is needed.
`8947941F`	User data verification failed.
`89479420`	Subscription inactive.
`89479421`	Activation server is under maintenance.
`89479501`	Unknown error of Kaspersky Endpoint Security.
`89479502`	Invalid parameter transferred (for example, an empty list of activation server addresses).
`89479503`	Incorrect activation code.
`89479504`	Invalid user name.
`89479505`	Invalid user password.
`89479506`	Invalid response from activation server.
`89479507`	Activation request interrupted.
`89479509`	Activation server returned an empty forwarding list.

Page top

[Topic 181294]

Appendix. Application profiles

A Profile is a Kaspersky Endpoint Security component, task or feature. Profiles are used to manage the application from the command line. You can use profiles to execute START, STOP, STATUS, STATISTICS, EXPORT, and IMPORT commands. Using profiles, you can configure application settings (for example, STOP DeviceControl) or run tasks (for example, START Scan_My_Computer).

The following profiles are available:

AdaptiveAnomaliesControl – Adaptive Anomaly Control.
AMSI – AMSI Protection.
BehaviorDetection – Behavior Detection.
DeviceControl – Device control.
EntAppControl – Application Control.
File_Monitoring or FM – File Threat Protection.
Firewall or FW – Firewall.
HIPS – Host Intrusion prevention.
IDS – Network Threat Protection.
IntegrityCheck – Integrity check.
Mail_Monitoring or EM – Mail Threat Protection.
Rollback – update rollback.
Scan_ContextScan – Scan from context menu.
Scan_IdleScan – Background scan.
Scan_Memory – Kernel memory scan.
Scan_My_Computer – Full scan.
Scan_Objects – Custom scan.
Scan_Qscan – Scan objects that are loaded at operation system startup.
Scan_Removable_Drive – Removable drives scan.
Scan_Startup or STARTUP – Critical Areas Scan.
Updater – Update.
Web_Monitoring or WM – Web Threat Protection.
WebControl – Web Control.

Kaspersky Endpoint Security also supports service profiles. Service profiles may be required when you are contacting Kaspersky Technical Support.

Page top

[Topic 189442]

Managing the application through the REST API

Kaspersky Endpoint Security lets you configure application settings, run a scan, update the anti-virus databases, and perform other tasks using third-party solutions. Kaspersky Endpoint Security provides an API for this purpose. The Kaspersky Endpoint Security REST API operates over HTTP and consists of a set of request/response methods. In other words, you can manage Kaspersky Endpoint Security through a third-party solution, and not the local application interface or the Kaspersky Security Center Administration Console.

To start using REST API, you need to install Kaspersky Endpoint Security with support for the REST API. The REST client and Kaspersky Endpoint Security must be installed on the same computer.

To ensure safe interaction between Kaspersky Endpoint Security and the REST client:

Configure REST client's protection from unauthorized access according the recommendations of the REST client developer. Configure REST client folder protection from writing with the help of Discretionary Access Control List – DACL.
To run REST client, use a separate account with administrator rights. Deny interactive sign-in into the system for this account.

The application is managed through the REST API at http://127.0.0.1 or http://localhost. It is not possible to remotely manage Kaspersky Endpoint Security through the REST API.

OPEN THE REST API DOCUMENTATION

In this Help section

Installing the application with the REST API

Working with the API

Page top

[Topic 189530]

Installing the application with the REST API

To manage the application through the REST API, you need to install Kaspersky Endpoint Security with support for the REST API. If you manage Kaspersky Endpoint Security through the REST API, you cannot manage the application using Kaspersky Security Center.

To install Kaspersky Endpoint Security with REST API support:

Run the command line interpreter (cmd.exe) as an administrator.
Go to the folder that contains the distribution package for Kaspersky Endpoint Security version 11.2.0 or later.
Install Kaspersky Endpoint Security with the following settings:
- RESTAPI=1
- RESTAPI_User=<User name>
  User name for managing the application through the REST API. Enter the user name in the format <DOMAIN>\<UserName> (for example, RESTAPI_User=COMPANY\Administrator). You can manage the application through the REST API only under this account. You can select only one user to work with the REST API.
- RESTAPI_Port=<Port>
  Port used for data exchange. Optional parameter. Port 6782 is selected by default.
- AdminKitConnector=1
  Application management using administration systems. Management is allowed by default.
You can also use the setup.ini file to define the settings for working with the REST API.

You can define the settings for working with the RESТ API only during application installation. It is not possible to change the settings after the application is installed. If you want to change the settings, uninstall Kaspersky Endpoint Security and reinstall it with the new settings for working with the REST API.

Example:

setup_kes.exe /pEULA=1 /pPRIVACYPOLICY=1 /pKSN=1 /pALLOWREBOOT=1 /pAdminKitConnector=1 /pRESTAPI=1 /pRESTAPI_User=COMPANY\Administrator /s

As a result, you will be able to manage the application through the REST API. To verify its operation, open the REST API documentation using a GET request.

Example:

GET http://localhost:6782/kes/v1/api-docs

Page top

[Topic 189531]

Working with the API

It is not possible to restrict access to the application through the REST API using Password Protection. For example, it is not possible to block a user from disabling protection through the REST API. You can configure Password Protection through the REST API and restrict user access to the application through the local interface.

To manage the application through the REST API, you need to run the REST client under the account that you specified when installing the application with REST API support. You can select only one user to work with the REST API.

OPEN THE REST API DOCUMENTATION

Managing the application through the REST API consists of the following steps:

Get the current values of the application settings. To do so, send a GET request.

Example:

GET http://localhost:6782/kes/v1/settings/ExploitPrevention
The application will send a response with the structure and values of settings. Kaspersky Endpoint Security supports XML- and JSON formats.

Example:

{

"action": 0,

"enableSystemProcessesMemoryProtection": true,

"enabled": true

}
Edit the application settings. To do so, send a POST request. Use the settings structure received in response to the GET request.

Example:

POST http://localhost:6782/kes/v1/settings/ExploitPrevention

{

"action": 0,

"enableSystemProcessesMemoryProtection": false,

"enabled": true

}
The application will apply the changes in the settings and send a response containing the application configuration results.

Page top

[Topic 80831]

Sources of information about the application

Kaspersky Endpoint Security page on the Kaspersky website

On the Kaspersky Endpoint Security page, you can view general information about the application and its functions and features.

The Kaspersky Endpoint Security page contains a link to the online store. There you can purchase or renew the application.

Kaspersky Endpoint Security page in the Knowledge Base

Knowledge Base is a section on the Technical Support website.

On the Kaspersky Endpoint Security page in the Knowledge Base, you can read articles that provide useful information, recommendations, and answers to frequently asked questions on how to purchase, install, and use the application.

Knowledge Base articles can answer questions relating to not only Kaspersky Endpoint Security but also to other Kaspersky applications. Articles in the Knowledge Base may also contain news from Technical Support.

Discussion of Kaspersky applications in user community

If your question does not require an urgent answer, you can discuss it with Kaspersky experts and other users in our Community.

In the Community, you can view existing topics, post your own comments, and create new discussion topics.

Page top

[Topic 128165]

Contacting Technical Support

If you cannot find a solution to your problem in the documentation or in other sources of information about Kaspersky Endpoint Security, we recommend that you contact Technical Support. Technical Support will answer your questions about installing and using Kaspersky Endpoint Security.

Kaspersky provides support for Kaspersky Endpoint Security during the application's life cycle (refer to the application life cycle page). Before contacting Technical Support, please read the support rules.

You can contact Technical Support in one of the following ways:

By visiting the Technical Support website
By sending a request to Kaspersky Technical Support through the Kaspersky CompanyAccount portal

After you inform Kaspersky Technical Support specialists about your issue, they may ask you to create a trace file. The trace file allows you to trace the process of performing application commands step by step and determine the stage of application operation at which an error occurs.

Technical Support specialists may also require additional information about the operating system, processes that are running on the computer, detailed reports on the operation of application components.

While running diagnostics, Technical Support experts may ask you to change application settings by:

Activating the functionality for receiving extended diagnostic information.
Fine-tuning the settings of individual application components, which are not available via standard user interface elements.
Changing the settings for storage of diagnostic information.
Configuring the interception and logging of network traffic.

Technical Support experts will provide all the information needed to perform these operations (description of the sequence of steps, settings to be modified, configuration files, scripts, additional command line functionality, debugging modules, special-purpose utilities, etc.) and inform you about the scope of data used for purposes of debugging. The extended diagnostic information is saved on the user's computer. The data is not automatically transmitted to Kaspersky.

The operations listed above should be performed only under the supervision of Technical Support specialists by following their instructions. Unsupervised changes to application settings performed in ways other than those described in the Administrator's Guide or instructions of Technical Support specialists can slow down or crash the operating system, affect computer security, or compromise the availability and integrity of data being processed.

In this Help section

Contents and storage of trace files

Application operation traces

Application performance traces

Dump writing

Protecting dump files and trace files

Page top

[Topic 124710]

Contents and storage of trace files

You are personally responsible for the security of the data that is stored on your computer, particularly for monitoring and restricting access to the data until it is submitted to Kaspersky.

Trace files are stored on the computer as long as the application is in use, and are deleted permanently when the application is removed.

Trace files, except trace files of Authentication Agent, are stored in the folder %ProgramData%\Kaspersky Lab\KES\Traces.

Trace files are named as follows: KES<service version number_dateXX.XX_timeXX.XX_pidXXX.><trace file type>.log.

You can view data saved in trace files.

All trace files contain the following common data:

Event time.
Number of the thread of execution.
The Authentication Agent trace file does not contain this information.
Application component that caused the event.
Degree of event severity (informational event, warning, critical event, error).
A description of the event involving command execution by a component of the application and the result of execution of this command.

Kaspersky Endpoint Security saves user passwords to a trace file only in encrypted form.

Contents of SRV.log, GUI.log, and ALL.log trace files

SRV.log, GUI.log, and ALL.log trace files may store the following information in addition to general data:

Personal data, including the last name, first name, and middle name, if such data is included in the path to files on the local computer.
Data on the hardware installed on the computer (such as BIOS/UEFI firmware data). This data is written to trace files when performing Kaspersky Disk Encryption.
The user name and password if they were transmitted openly. This data can be recorded in trace files during Internet traffic scanning.
The user name and password if they are contained in HTTP headers.
The name of the Microsoft Windows account if the account name is included in a file name.
Your email address or a web address containing the name of your account and password if they are contained in the name of the object detected.
Websites that you visit and redirects from these websites. This data is written to trace files when the application scans websites.
Proxy server address, computer name, port, IP address, and user name used to sign in to the proxy server. This data is written to trace files if the application uses a proxy server.
Remote IP addresses to which your computer established connections.
Message subject, ID, sender's name and address of the message sender's web page on a social network. This data is written to trace files if the Web Control component is enabled.
Network traffic data. This data is written to trace files if traffic monitoring components are enabled (such as Web Control).
Data received from Kaspersky servers (such as the version of anti-virus databases).
Statuses of Kaspersky Endpoint Security components and their operating data.
Data on user activity in the application.
Operating system events.

Contents of HST.log, BL.log, Dumpwriter.log, WD.log, AVPCon.dll.log trace files

In addition to general data, the HST.log trace file contains information about the execution of a database and application module update task.

In addition to general data, the BL.log trace file contains information about events occurring during operation of the application, as well as data required to troubleshoot application errors. This file is created if the application is started with the avp.exe –bl parameter.

In addition to general data, the Dumpwriter.log trace file contains service information required for troubleshooting errors that occur when the application dump file is written.

In addition to general data, the WD.log trace file contains information about events occurring during operation of the avpsus service, including application module update events.

In addition to general data, the AVPCon.dll.log trace file contains information about events occurring during the operation of the Kaspersky Security Center connectivity module.

Contents of performance trace files

Performance trace files are named as follows: KES<version number_dateXX.XX_timeXX.XX_pidXXX.>PERF.HAND.etl.

In addition to general data, performance trace files contain information about the load on the processor, information about the loading time of the operating system and applications, and information about running processes.

Contents of the AMSI Protection component trace file

In addition to general data, the AMSI.log trace file contains information about the results of scans performed on requests from third-party applications.

Contents of trace files of the Mail Threat Protection component

The trace file mcou.OUTLOOK.EXE.log may contain parts of email messages, including email addresses, in addition to general data.

Contents of trace files of the Scan from Context Menu component

The shellex.dll.log trace file contains information about completion of the scan task and data required to debug the application, in addition to general information.

Contents of trace files of the application web plug-in

Trace files of the application web plug-in are stored on the computer on which Kaspersky Security Center 12 Web Console is deployed, in the folder Program Files\Kaspersky Lab\Kaspersky Security Center Web Console 12\logs.

Trace files of the application web plug-in are named as follows: logs-kes_windows-<type of trace file>.DESKTOP-<date of file update>.log. Web Console begins writing data after installation and deletes the trace files after Web Console is removed.

Trace files of the application web plug-in contain the following information in addition to general data:

KLAdmin user password for unlocking the Kaspersky Endpoint Security interface (Password protection).
Temporary password for unlocking the Kaspersky Endpoint Security interface (Password protection).
User name and password for the SMTP mail server (Email notifications).
User name and password for the Internet proxy server (Proxy server).
User name and password for the Change application components task.
Account credentials and paths specified in Kaspersky Endpoint Security tasks and policy properties.

Contents of the Authentication Agent trace file

The Authentication Agent trace file is stored in the System Volume Information folder and is named as follows: KLFDE.{EB2A5993-DFC8-41a1-B050-F0824113A33A}.PBELOG.bin.

In addition to general data, the Authentication Agent trace file contains information about the operation of Authentication Agent and the actions performed by the user with Authentication Agent.

Page top

[Topic 128166]

Application traces

Application traces are detailed records of the actions performed by the application, and of messages about events that occurred during operation of the application.

Application traces should be performed under the supervision of Kaspersky Technical Support.

To create an application trace file:

In the main application window, click the button .
The Support window opens.
In the Support window, click the Support Tools button.
Use the Enable application traces toggle to enable or disable tracing of application operation.
In the Traces drop-down list, select an application tracing mode:
- with rotation. Save traces to a limited number of files of limited size and overwrite the older files when the maximum size is reached. If this mode is selected, you can define the maximum number of files for rotation and the maximum size for each file.
- Write to a single file. Save one trace file (no size limit).
In the Level drop-down list, select the tracing level.
You are advised to clarify the required tracing level with a Technical Support specialist. In the absence of guidance from Technical Support, set the tracing level to Normal (500).
Restart Kaspersky Endpoint Security.
To stop the tracing process, return to the Support window and disable tracing.

You can also create trace files when installing the application from the command line, including by using the setup.ini file.

Trace files are stored on the computer as long as the application is in use, and are deleted permanently when the application is removed. Trace files, except trace files of Authentication Agent, are stored in the folder %ProgramData%\Kaspersky Lab\KES\Traces. By default, tracing is disabled.

Page top

[Topic 177255]

Application performance traces

Kaspersky Endpoint Security lets you receive information about computer operating issues during use of the application. For example, you can receive information about delays in operating system loading after the application is installed. To do so, Kaspersky Endpoint Security creates performance trace files. Performance traces refer to the logging of actions performed by the application for the purpose of diagnosing performance issues of Kaspersky Endpoint Security. To receive information, Kaspersky Endpoint Security uses the Event Tracing for Windows service (ETW). Kaspersky Technical Support is responsible for diagnosing issues of Kaspersky Endpoint Security and establishing the reasons for those issues.

Application traces should be performed under the supervision of Kaspersky Technical Support.

To create a performance trace file:

In the main application window, click the button .
The Support window opens.
In the Support window, click the Support Tools button.
Use the Enable performance traces toggle to enable or disable tracing of application performance.
In the Traces drop-down list, select an application tracing mode:
- with rotation. Save traces to a limited number of files of limited size and overwrite the older files when the maximum size is reached. If this mode is selected, you can define the maximum size for each file.
- Write to a single file. Save one trace file (no size limit).
In the Level drop-down list, select the tracing level:
- Light. Kaspersky Endpoint Security analyzes the main operating system processes related to performance.
- Detailed. Kaspersky Endpoint Security analyzes all operating system processes related to performance.
In the Tracing type drop-down list, select the tracing type:
- Basic information. Kaspersky Endpoint Security analyzes processes while the operating system is running. Use this tracing type if a problem persists after the operating system is loaded, such as a problem accessing the Internet in the browser.
- On restart. Kaspersky Endpoint Security analyzes processes only while the operating system is loading. After the operating system is loaded, Kaspersky Endpoint Security stops tracing. Use this tracing type if the problem is related to delayed loading of the operating system.
Restart the computer and try to reproduce the problem.
To stop the tracing process, return to the Support window and disable tracing.

As a result, a performance trace file will be created in the folder %ProgramData%\Kaspersky Lab\KES\Traces. After the trace file is created, send the file to Kaspersky Technical Support.

Page top

[Topic 158644]

Dump writing

A dump file contains all information about the working memory of Kaspersky Endpoint Security processes at the moment when the dump file was created.

Saved dump files may contain confidential data. To control access to data, you must independently ensure the security of dump files.

Dump files are stored on the computer as long as the application is in use, and are deleted permanently when the application is removed. Dump files are stored in the folder %ProgramData%\Kaspersky Lab\KES\Traces.

To enable or disable dump writing:

In the lower part of the main application window, click the button.
In the application settings window, select the General section.
In the Debug information block, use the Enable dump writing check box to enable or disable application dump writing.
Save your changes.

Page top

[Topic 131264]

Protecting dump files and trace files

Dump files and trace files contain information about the operating system, and may also contain user data. To prevent unauthorized access to such data, you can enable protection of dump files and trace files.

If protection of dump files and trace files is enabled, the files can be accessed by the following users:

Dump files can be accessed by the system administrator and local administrator, and by the user that enabled the writing of dump files and trace files.
Trace files can be accessed only by the system administrator and local administrator.

To enable or disable protection of dump files and trace files:

In the lower part of the main application window, click the button.
In the application settings window, select the General section.
In the Debug information block, use the Enable dump and trace files protection check box to enable or disable file protection.
Save your changes.

Dump files and trace files that were written while protection was active remain protected even after this function is disabled.

Page top

[Topic 201943]

Limitations and warnings

Expand all | Collapse all

Kaspersky Endpoint Security has a number of limitations that are not critical to operation of the application.

Installing the application

For details about support for the Microsoft Windows 10, Microsoft Windows Server 2016 and Microsoft Windows Server 2019 operating systems, please refer to the Technical Support Knowledge Base.
After being installed to an infected computer, the application does not inform the user about the need to run a computer scan. You may experience problems activating the application. To resolve these problems, start a Critical Areas Scan.
If non-ASCII characters (for example, Russian letters) are used in the setup.ini and setup.reg files, you are advised to edit the file using notepad.exe and to save the file in UTF-16LE encoding. Other encodings are not supported.
The application does not support the use of non-ASCII characters when specifying the application installation path in the installation package settings.
When application settings are imported from a CFG file, the value of the setting that defines participation in Kaspersky Security Network is not applied. After importing the settings, please read the text of the Kaspersky Security Network Statement and confirm your consent to participate in Kaspersky Security Network. You can read the text of the Statement in the application interface or in the ksn_*.txt file located in the folder containing the application distribution kit.
When upgrading from Kaspersky Endpoint Security 10 Service Pack 2 for Windows (build 10.3.0.6294), the Host Intrusion Prevention component is turned on.
When updating Kaspersky Endpoint Security 10 for Windows Service Pack 2 (build 10.3.0.6294), the files that were placed in Backup or Quarantine in the previous version of the application will be transferred to Backup in the new version of the application. These files are not transferred for versions earlier than Kaspersky Endpoint Security 10 for Windows Service Pack 2 (build 10.3.0.6294). To save them, you must restore the files from Quarantine and Backup before upgrading the application. After the upgrade is complete, re-scan the restored files.
If you want to remove and then re-install encryption (FLE or FDE) or the Device Control component, you must restart the system before reinstallation.
When using the Microsoft Windows 10 operating system, you must restart the system after removing the File Level Encryption (FLE) component.
When attempting to install any version of the AES Encryption Module on a computer that has Kaspersky Endpoint Security for Windows 11.6.0 but no encryption components installed, installation of the Encryption Module will end with an error message stating that a newer version of the application is installed. Starting with Kaspersky Endpoint Security 10 for Windows Service Pack 2 (version 10.3.0.6294), there is no separate installation file for the Encryption Module. Encryption libraries are included in the application distribution package. Kaspersky Endpoint Security 11.6.0 is incompatible with AES encryption modules. The libraries required for encryption are installed automatically when the Full Disk Encryption (FDE) or File Level Encryption (FLE) component is selected.
Installation of the application may end with an error stating An application whose name is missing or unreadable is installed on your computer. This means that incompatible applications or fragments of them remain on your computer. To remove artifacts of incompatible applications, send a request with a detailed description of the situation to Kaspersky Technical Support via Kaspersky CompanyAccount.
Starting from 11.0.0 application version, you can install Kaspersky Endpoint Security for Windows MMC plugin on top of the previous plugin version. To return to a previous plugin version, delete the current plugin and install a previous version of the plugin.
When upgrading Kaspersky Endpoint Security 11.0.0 or 11.0.1 for Windows, the local task schedule settings for the Update, Critical Areas Scan, Custom Scan, and Integrity Check tasks are not saved.
If you canceled removal of the application, start its recovery after the computer restarts.
On computers running Windows 10 version 1903 and 1909, upgrades from Kaspersky Endpoint Security 10 for Windows Service Pack 2 Maintenance Release 3 (build 10.3.3.275), Service Pack 2 Maintenance Release 4 (build 10.3.3.304), 11.0.0 and 11.0.1 with the File Level Encryption (FLE) component installed may end with an error. This is because file encryption is not supported for these versions of Kaspersky Endpoint Security for Windows in Windows 10 version 1903 and 1909. Prior to installing this upgrade, you are advised to remove the file encryption component.
If you are upgrading a previous version of the application to version 11.6.0, to install Kaspersky Endpoint Agent, restart the computer and sign in to the system using an account with local administrator rights. Otherwise, Kaspersky Endpoint Agent will not be installed during the upgrade procedure.
If the application is unsuccessfully installed with the Kaspersky Endpoint Agent component selected in a server operating system and the Windows Installer Coordinator Error window appears, refer to the instructions on the Microsoft support website.
If the application was installed locally in non-interactive mode, use the provided setup.ini file to replace the installed components.
If you are upgrading Kaspersky Endpoint Security 10 for Windows Service Pack 2 Maintenance Release 4 with the File Level Encryption (FLE) component installed on computers running Windows 10 version 1809, 1903 and 1909, FDE drivers will not be installed to the WinRE image.
After Kaspersky Endpoint Security for Windows is installed in some configurations of Windows 7, Windows Defender continues to operate. You are advised to manually disable Windows Defender to prevent degraded system performance.
After the application is upgraded from versions earlier than Kaspersky Endpoint Security 11 for Windows, the computer must be restarted.

Support for server platforms

The ReFS file system is supported with limitations:
- After server anti-virus check is started, scan exclusions added with iChecker are reset when the server is rebooted.
- Kaspersky Endpoint Security does not detect eicar.com and susp-eicar.com files if meicar.exe file existed on the computer before Kaspersky Endpoint Security was installed.
The Server Core and Cluster Mode configurations are not supported.
File Level Encryption (FLE) and Kaspersky Disk Encryption (FDE) technologies are not supported on server platforms.
Device Control is not supported on server platforms.
Microsoft Windows Server 2008 was excluded from support. - Installing the application on a computer running the Microsoft Windows Server 2008 operating system is not supported.
If you started several working sessions on the terminal server, Kaspersky Endpoint Security notifications may not work correctly. Example: user of session #1 runs a file reputation check in KSN. Kaspersky Endpoint Security will display a notification with the check results to the user of session #2.

Support for virtual platforms

Full disk encryption (FDE) on Hyper-V virtual machines is not supported.
Full disk encryption (FDE) on Citrix virtual platforms is not supported.
Windows 10 Enterprise multi-session is supported with limitations:
- Kaspersky Endpoint Security considers Windows 10 Enterprise multi-session as a server operating system. Therefore, Windows 10 Enterprise multi-session is supported with server platform-specific limitations. For example, servers cannot use some Kaspersky Endpoint Security components. The application also uses a server license key instead of a workstation license key.
- Full disk encryption (FDE) is not supported.
- Managing BitLocker is not supported.
- Using Kaspersky Endpoint Security with removable drives is not supported. The Microsoft Azure infrastructure defines removable drives as network drives.
Installation and use of file level encryption (FLE) on Citrix virtual platforms is not supported.
To support compatibility of Kaspersky Endpoint Security for Windows with Citrix PVS, perform installation with the Ensure compatibility with Citrix PVS option enabled. This option can be enabled in the Setup Wizard or by using the command line parameter /pCITRIXCOMPATIBILITY=1. In case of remote installation, the KUD file must be edited by adding the following parameter to it: /pCITRIXCOMPATIBILITY=1.
Citrix XenDesktop. Before starting cloning, you must disable Self-Defense to clone virtual machines that use vDisk.
When preparing a template machine for the Citrix XenDesktop master image with pre-installed Kaspersky Endpoint Security for Windows and Kaspersky Security Center Network Agent, add the following types of exclusions to the configuration file:
[Rule-Begin]

Type=File-Catalog-Construction

Action=Catalog-Location-Guest-Modifiable

name="%ALLUSERSPROFILE%\Kaspersky\**\*"

name="%ALLUSERSPROFILE%\KasperskyLab\**\*"

[Rule-End]

For details about Citrix XenDesktop, visit the Citrix Support website.
In some cases, an attempt to safely disconnect a removable drive may be unsuccessful on a virtual machine that is deployed on a VMware ESXi hypervisor. Attempt to safely disconnect the device once again.

Compatibility with Kaspersky Security Center

You can manage the Adaptive Anomaly Control component only in Kaspersky Security Center version 11 or later.
The Kaspersky Security Center 11 threat report might not display information about the action taken on threats that were detected by the AMSI Protection.
The operating status of the AMSI Protection and Adaptive Anomaly Control components is available only in Kaspersky Security Center version 11 or later. You can view the operating status in the Kaspersky Security Center Console within the computer properties in the Tasks section. Reports for these components are also available only in Kaspersky Security Center version 11 or later.

Licensing

If the Error receiving data system message is displayed, verify that the computer on which you are performing activation has network access, or configure the activation settings via Kaspersky Security Center Activation Proxy.
The application cannot be activated by subscription via the Kaspersky Security Center if the license has expired or if a trial license is active on the computer. To replace a trial license or a soon-to-be expired license with a subscription license, use the license distribution task.
In the application interface, the license expiration date is displayed in the local time of the computer.
Installation of the application with an embedded key file on a computer that has unstable Internet access may result in the temporary display of events stating that the application is not activated or that the license does not permit component operation. This is because the application first installs and attempts to activate the embedded trial license, which requires Internet access for activation during the installation procedure.
During the trial period, installation of any application upgrade or patch on a computer that has unstable Internet access may result in the temporary display of events stating that the application is not activated. This is because the application once again installs and attempts to activate the embedded trial license, which requires Internet access for activation when installing an upgrade.
If the trial license was automatically activated during application installation and then the application was removed without saving the license information, the application will not be automatically activated with the trial license when re-installed. In this case, manually activate the application.
If you are using Kaspersky Security Center version 11 and Kaspersky Endpoint Security version 11.6.0, component performance reports may work incorrectly. If you installed Kaspersky Endpoint Security components that are not included in your license, Network Agent may send component status errors to the Windows Event Log. To avoid errors, remove the components that are not included in your license.

Remediation Engine

The application restores files only on devices that have the NTFS or FAT32 file system.
The application can restore files with the following extensions: odt, ods, odp, odm, odc, odb, doc, docx, docm, wps, xls, xlsx, xlsm, xlsb, xlk, ppt, pptx, pptm, mdb, accdb, pst, dwg, dxf, dxg, wpd, rtf, wb2, pdf, mdf, dbf, psd, pdd, eps, ai, indd, cdr, jpg, jpe, dng, 3fr, arw, srf, sr2, bay, crw, cr2, dcr, kdc, erf, mef, mrw, nef, nrw, orf, raf, raw, rwl, rw2, r3d, ptx, pef, srw, x3f, der, cer, crt, pem, pfx, p12, p7b, p7c, 1cd.
It is not possible to restore files residing on network drives or on rewritable CD/DVD discs.
It is not possible to restore files that were encrypted with the Encryption File System (EFS). For more details on EFS operation, please visit the Microsoft website.
The application does not monitor modifications to files performed by processes at the level of the operating system kernel.
The application does not monitor modifications made to files over a network interface (for example, if a file is stored in a shared folder and a process is started remotely from another computer).

Filtration of packets or connections by local address, physical interface, and packet time to live (TTL) is supported in the following cases:
- By local address for outbound packets or connections in application rules for TCP and UDP and packet rules.
- By local address for inbound packets or connections (except UDP) in block application rules and packet rules.
- By packet time to live (TTL) in block packet rules for inbound or outbound packets.
- By network interface for inbound and outbound packets or connections in packet rules.
In application versions 11.0.0 and 11.0.1, defined MAC addresses are incorrectly applied. The MAC address settings for versions 11.0.0, 11.0.1 and 11.1.0 or later are not compatible. After upgrading the application or plug-in from these versions to version 11.1.0 or later, you must verify and reconfigure the defined MAC addresses in Firewall rules.
When upgrading the application from versions 11.1.1 and 11.2.0 to version 11.6.0, the statuses of permissions for the following Firewall rules are not migrated:
- Requests to DNS server over TCP.
- Requests to DNS server over UDP.
- Any network activity.
- ICMP Destination Unreachable incoming responses.
- Incoming ICMP stream.
If you configured a network adapter or packet time to live (TTL) for an allowing packet rule, the priority of this rule is lower than a blocking application rule. In other words, if network activity is blocked for an application (for example, the application is in the High Restricted trust group), you cannot allow network activity of the application by using a packet rule with these settings. In all other cases, the priority of a packet rule is higher than an application network rule.
An error may occur in Kaspersky Endpoint Security for Windows 11.5.0–11.6.0 when importing a list of Firewall packet rules. This may result in the deletion of user-defined local or remote addresses from a rule. To fix the error, please contact Technical Support. Technical Support will provide you with a patched update for the plug-in. Or you can upgrade the application to the next version after its release.
When importing a list of Firewall packet rules, Kaspersky Endpoint Security may change the names of rules. The application identifies rules that have the same set of main parameters, such as protocol, direction, remote and local ports, and packet time to live (TTL). If this set of main parameters is identical for multiple rules, the application assigns the same name to these rules or adds a parameter tag to the name. This means that Kaspersky Endpoint Security imports all packet rules, but the name of rules that have identical main parameters may be changed.
When a network packet rule is triggered in Kaspersky Endpoint Security 11.6.0 or earlier, the Application name column in the Firewall report will always display the Kaspersky Endpoint Security value. In addition, the Firewall will block the connection at packet level for all applications. This behavior has been modified for Kaspersky Endpoint Security 11.7.0 or later. The Rule type column has been added to the Firewall report. When a network packet rule is triggered, the value in the Application name column remains empty.

When working in Microsoft Windows 10 in application denylist mode, block rules may be incorrectly applied, which could cause blocking of applications that are not specified in rules.
When progressive web apps (PWA) are blocked by the Application Control component, appManifest.xml is indicated as the blocked app in the report.

Access to Printer devices that were added to the trusted list is blocked by device and bus blocking rules.
For MTP devices, control of Read, Write, and Connect operations is supported if you are using the built-in Microsoft drivers of the operating system. If a user installs a custom driver for working with a device (for example, as part of iTunes or Android Debug Bridge), control of Read and Write operations may not work.
When working with MTP devices, access rules are changed after reconnecting the device.
If you are adding a device to the trusted list based on a model mask and use characters that are included in the ID but not in the model name, these devices are not added. On a workstation, these devices will be added to the trusted list based on an ID mask.

The OGV and WEBM formats are not supported.
The RTMP protocol is not supported.

File Level Encryption (FLE)

It is recommended to create exclusions automatically based on the event. When manually adding an exclusion, add the * character to the beginning of the path when specifying the target object.
An Adaptive Anomaly Control Rules report cannot be generated if the sample includes even one event whose name contains more than 260 characters.
Adding exclusions from Adaptive Anomaly Control Triggering of Rules repository is not supported if the properties of an object or a process have a value consisting of more than 256 characters (for example, path to target object). You can add an exclusion manually in the Policy settings. You can also add an exclusion in the Report on triggered Adaptive Anomaly Control rules.

Drive Encryption (FDE)

After installing the application, you must restart the operating system for hard drive encryption to work properly.
The Authentication Agent does not support hieroglyphics or the special characters | and \.
For optimal computer performance after encryption, it is required that the processor supports AES-NI instruction set (Intel Advanced Encryption Standard New Instructions). If the processor does not support AES-NI, computer performance might decrease.
When there are processes that attempt to access encrypted devices before the application has granted access to such devices, the application shows a warning stating that such processes must be terminated. If the processes cannot be terminated, re-connect the encrypted devices.
The unique IDs of hard drives are displayed in the device encryption statistics in inverted format.
It is not recommended to format devices while they are being encrypted.
When multiple removable drives are simultaneously connected to a computer, the encryption policy can be applied to only one removable drive. When the removable devices are reconnected, the encryption policy is applied correctly.
Encryption may fail to start on a heavily fragmented hard drive. Defragment the hard drive.
When hard drives are encrypted, hibernation is blocked from the time when the encryption task starts until the first restart of a computer running Microsoft Windows 7/8/8.1/10, and after installation of hard drive encryption until the first restart of Microsoft Windows 8/8.1/10 operating systems. When hard drives are decrypted, hibernation is blocked from the time when the boot drive is fully decrypted until the first restart of the operating system. When the Quick Start option is enabled in Microsoft Windows 8/8.1/10, blocking of hibernation prevents you from shutting down the operating system.
Windows 7 computers don't allow to change password during recovery when the disk is encrypted with BitLocker technology. After the recovery key is entered and the operating system is loaded, Kaspersky Endpoint Security won't prompt the user to change the password or PIN code. Thus, it is impossible to set a new password or a PIN code. This issue stems from the peculiarities of the operating system. To continue, you need to re-encrypt the hard drive.
It is not recommended to use the xbootmgr.exe tool with additional providers enabled. For example, Dispatcher, Network, or Drivers.
Formatting an encrypted removable drive is not supported on a computer that has Kaspersky Endpoint Security for Windows installed.
Formatting an encrypted removable drive with the FAT32 file system is not supported (the drive is displayed as encrypted). To format a drive, reformat it to the NTFS file system.
For details on restoring an operating system from a backup copy to an encrypted GPT device, visit the Technical Support Knowledge Base.
Multiple download agents cannot co-exist on one encrypted computer.
It is impossible to access a removable drive that was previously encrypted on a different computer when all of the following conditions are simultaneously met:
- There is no connection to the Kaspersky Security Center server.
- The user is attempting authorization with a new token or password.
If a similar situation occurs, restart the computer. After the computer has been restarted, access to the encrypted removable drive will be granted.
Discovery of USB devices by the Authentication Agent may not be supported when xHCI mode for USB is enabled in BIOS settings.
Kaspersky Disk Encryption (FDE) for the SSD part of a device that is used for caching the most frequently used data is not supported for SSHD devices.
Encryption of hard drives in 32-bit Microsoft Windows 8/8.1/10 operating systems running in UEFI mode is not supported.
Restart the computer before encrypting a decrypted hard drive again.
Hard drive encryption is not compatible with Kaspersky Anti-Virus for UEFI. It is not recommended to use hard drive encryption on computers that have Kaspersky Anti-Virus for UEFI installed.
Creating Authentication Agent accounts based on Microsoft accounts is supported with the following limitations:
- Single Sign-On technology is not supported.
- Automatic creation of Authentication Agent accounts is not supported if the option to create accounts for users who log in to the system in the last N days is selected.
If the name of an Authentication Agent account has the format <domain>/<Windows account name>, after changing the computer name you need to also change the names of accounts that were created for local users of this computer. For example, imagine that there is a local user Ivanov on the Ivanov computer, and an Authentication Agent account with the name Ivanov/Ivanov has been created for this user. If the computer name Ivanov has been changed to Ivanov-PC, you need to change the name of the Authentication Agent account for the user Ivanov from Ivanov/Ivanov to Ivanov-PC/Ivanov. You can change the account name using the local account management task of the Authentication Agent. Before the name of the account has been changed, authentication in the preboot environment is possible using the old name (for example, Ivanov/Ivanov).
If a user is allowed to access a computer that was encrypted using Kaspersky Disk Encryption technology only by using a token and this user needs to complete the access recovery procedure, make sure that this user is granted password-based access to this computer after access to the encrypted computer has been restored. The password that the user set when restoring access might not be saved. In this case, the user will have to complete the procedure for restoring access to the encrypted computer again the next time the computer is restarted.
When decrypting a hard drive using the FDE Recovery Tool, the decryption process may end with an error if data on the source device is overwritten with the decrypted data. Part of the data on the hard drive will remain encrypted. It is recommended to choose the option to save decrypted data to a file in the device decryption settings when using the FDE Recovery Tool.
If the Authentication Agent password has been changed, a message containing the text Your password has been changed successfully. Click OK appears and the user restarts the computer, the new password is not saved. The old password must be used for subsequent authentication in the preboot environment.
Disk encryption is incompatible with Intel Rapid Start technology.
Disk encryption is incompatible with ExpressCache technology.
In some cases, when attempting to decrypt an encrypted drive using the FDE Recovery Tool, the tool mistakenly detects the device status as "unencrypted" after the "Request-Response" procedure is completed. The tool's log shows an event stating that the device was successfully decrypted. In this case, you must restart the data recovery procedure to decrypt the device.
After the Kaspersky Endpoint Security for Windows plug-in is updated in the Web Console, the client computer properties do not show the BitLocker recovery key until the Web Console service is restarted.
To see the other limitations of full disk encryption support and a list of devices for which encryption of hard drives is supported with restrictions, please refer to the Technical Support Knowledge Base.

File and folder encryption is not supported in operating systems of the Microsoft Windows Embedded family.
Once you have installed the application, you must restart the operating system for file and folder encryption to work properly.
If an encrypted file is stored on a computer that has available encryption functionality and you access the file from a computer where encryption is not available, direct access to this file will be provided. An encrypted file that is stored in a network folder on a computer that has available encryption functionality is copied in decrypted form to a computer that does not have available encryption functionality.
You are advised to decrypt files that were encrypted with Encrypting File System before encrypting files with Kaspersky Endpoint Security for Windows.
After a file is encrypted, its size increases by 4 kB.
After a file is encrypted, the Archive attribute is set in the file properties.
If an unpacked file from an encrypted archive has the same name as an already existing file on your computer, the latter will be overwritten by the new file that is unpacked from an encrypted archive. The user is not notified about the overwrite operation.
The Portable File Manager interface does not display messages about errors that occur during its operation.
Kaspersky Endpoint Security for Windows does not start the Portable File Manager on a computer that has the File Level Encryption component installed.
The Portable File Manager cannot be used to gain access to a removable drive if the following conditions are simultaneously met:
- There is no connection to Kaspersky Security Center;
- Kaspersky Endpoint Security for Windows is installed on the computer;
- Data encryption (FDE or FLE) was not performed on the computer.
In this case, access is not possible even if you know the password for the Portable File Manager.
When file encryption is used, the application is incompatible with the Sylpheed mail client.
Kaspersky Endpoint Security for Windows does not support the rules of restriction of access to encrypted files for some applications. This is due to the fact that some file operations are performed by a third-party application. For example, file copying is performed by the file manager, not by the application itself. In this way, if access to encrypted files is denied to the Outlook mail client, Kaspersky Endpoint Security will allow the mail client to access the encrypted file, if the user has copied files to the email message via the clipboard or using the drag-and-drop function. The copy operation was performed by a file manager, for which the rules of restriction of access to encrypted files are not specified, i.e. the access is allowed.
Changing the page file settings is not supported. The operating system uses the default values instead of the specified parameter values.
Use safe removal when working with encrypted removable drives. We cannot guarantee data integrity if the removable drive is not safely removed.
After files are encrypted, their non-encrypted originals are securely deleted.
Synchronization of offline files using Client-Side Caching (CSC) is not supported. It is recommended to prohibit offline management of shared resources at the group policy level. Files that are in offline mode can be edited. After synchronization, changes made to an offline file may be lost. For details regarding support for Client-Side Caching (CSC) when using encryption, please refer to the Technical Support Knowledge Base.
Creation of an encrypted archive in the root of the system hard drive is not supported.
You may experience problems when accessing encrypted files over the network. You are advised to move the files to a different source or make sure that the computer being used as a file server is managed by the same Kaspersky Security Center Administration Server.
Changing the keyboard layout may cause the password entry window for an encrypted self-extracting archive to hang. To solve this problem, close the password entry window, switch the keyboard layout in your operating system, and re-enter the password for the encrypted archive.
When file encryption is used on systems that have multiple partitions on one disk, you are advised to use the option that automatically determines the size of the pagefile.sys file. After the computer restarts, the pagefile.sys file may move between disk partitions.
After applying file encryption rules, including files in the My Documents folder, make sure that users for whom encryption has been applied can successfully access encrypted files. To do so, have each user sign in to the system when a connection to Kaspersky Security Center is available. If a user attempts to access encrypted files without a connection to Kaspersky Security Center, the system may hang.
If system files are somehow included in the scope of file level encryption, events regarding errors when encrypting these files may appear in reports. The files specified in these events are not actually encrypted.
Pico processes are not supported.
Case-sensitive paths are not supported. When encryption rules or decryption rules are applied, the paths in product events are displayed in lowercase.
It is not recommended to encrypt files that are used by the system on startup. If these files are encrypted, an attempt to access encrypted files without a connection to Kaspersky Security Center may cause the system to hang or result in prompts for access to unencrypted files.
When removable drives are encrypted with portable mode support, password age control cannot be disabled.
If users jointly work with a file over the network under FLE rules via applications that use the file-to-memory mapping method (such as WordPad or FAR) and applications designed for working with large files (such as Notepad ++ ), the file in unencrypted form may be blocked indefinitely without the capability to access it from the computer on which it resides.
File encryption in OneDrive sync folders is not supported. Adding folders with already encrypted files to the OneDrive sync list may result in loss of data in the encrypted files.
When the file level encryption component is installed, management of users and groups does not work in WSL mode (Windows Subsystem for Linux).
When the file level encryption component is installed, POSIX (Portable Operating System Interface) for renaming and deleting files is not supported.
After updating Kaspersky Endpoint Security for Windows version 11.0.1 or earlier, to access encrypted files after restarting the computer, make sure that the Network Agent is running. Network Agent has a delayed startup, so you cannot access the encrypted files immediately after the operating system loads. There is no need to wait for the Network Agent to start after the next computer startup.

Other limitations

In server operating systems, no warning is displayed regarding the need for advanced disinfection.
Web addresses that are added to the trusted list may be incorrectly processed.
Kaspersky Endpoint Security monitors HTTP traffic that complies with the RFC 2616, RFC 7540, RFC 7541, RFC 7301 standards. If Kaspersky Endpoint Security detects another data exchange format in HTTP traffic, the application blocks this connection to prevent downloading malicious files from the Internet.
Kaspersky Endpoint Security does not support RFC9218 standard for the HTTP/2 protocol. If Kaspersky Endpoint Security detects this data exchange format in traffic, the application blocks this connection and the browser displays the error ERR_HTTP2_PROTOCOL_ERROR. If you need to access this web resource, you can exclude the web resource from encrypted connection scans or contact Technical Support for a patch.
System Watcher. Complete information about processes is not displayed.
When Kaspersky Endpoint Security for Windows is started for the first time, a digitally signed application may be temporarily placed into the wrong group. The digitally signed application will later be put into the correct group.
When scanning mail with the Mail Threat Protection extension for Microsoft Outlook, you are advised to use Cached Exchange Mode (the Use Cached Exchange Mode option).
Virus Scan task does not support 64-bit Microsoft Outlook version. This means that Kaspersky Endpoint Security does not check Outlook x64 files (PST and OST files) even if mail is included in scan scope.
In Kaspersky Security Center 10, when switching from using the global Kaspersky Security Network to using a private Kaspersky Security Network, or vice versa, the option to participate in Kaspersky Security Network is disabled in the policy of the specific product. After switching, carefully read the text of the Kaspersky Security Network Statement and confirm your consent to participate in KSN. You can read the text of the Statement in the application interface or when editing the product policy.
During a rescan of a malicious object that was blocked by third-party software, the user is not notified when the threat is detected again. The threat re-detection event is displayed in the product report and in the Kaspersky Security Center 10 report.
The Endpoint Sensor component cannot be installed in Microsoft Windows Server 2008.
The Kaspersky Security Center 10 report on device encryption will not include information about devices that were encrypted using Microsoft BitLocker on server platforms or on workstations on which the Device Control component is not installed.
When using a policy hierarchy, the settings of the Encryption of Removable Drives section in a child policy are accessible for editing if the parent policy prohibits modification of those settings.
You must enable Audit Logon in the operating system settings to ensure proper functioning of exclusions for the protection of shared folders against external encryption.
If shared folder protection is enabled, Kaspersky Endpoint Security for Windows monitors attempts to encrypt shared folders for each remote access session that was started before the startup of Kaspersky Endpoint Security for Windows, including if the computer from which the remote access session was started has been added to exclusions. If you do not want Kaspersky Endpoint Security for Windows to monitor attempts to encrypt shared folders for remote access sessions that were started from a computer that was added to exclusions and that were started before the startup of Kaspersky Endpoint Security for Windows, terminate and re-establish the remote access session or restart the computer on which Kaspersky Endpoint Security for Windows is installed.
If the update task is run with the permissions of a specific user account, product patches will not be downloaded when updating from a source that requires authorization.
The application may fail to start due to insufficient system performance. To resolve this problem, use the Ready Boot option or increase the operating system timeout for starting services.
The application cannot work in Safe Mode.
To ensure that Kaspersky Endpoint Security for Windows versions 11.5.0 and 11.6.0 can work correctly with Cisco AnyConnect software, you must install Compliance Module version 4.3.183.2048 or later. Learn more about compatibility with Cisco Identity Services Engine in Cisco documentation.
We cannot guarantee that Audio Control will work until after the first restart after installing the application.
When rotated trace files are enabled, no traces are created for the AMSI component and the Outlook plug-in.
Performance traces cannot be manually collected in Windows Server 2008.
Performance traces for the "Restart" trace type are not supported.
The KSN availability check task is no longer supported.
Turning off the "Disable external management of the system services" option will not allow you to stop the service of the application that was installed with the AMPPL=1 parameter (by default, the parameter value is set to 1 starting with the Windows 10RS2 operating system version). The AMPPL parameter with a value of 1 enables the use of Protection Processes technology for the product service.
To run a custom scan of a folder, the user that starts the custom scan must have the permissions to read the attributes of this folder. Otherwise the custom folder scan will be impossible and will end with an error.
When a scan rule defined in a policy includes a path without the \ character at the end, for example, С:\folder1\folder2, the scan will be run for the path С:\folder1\.
When upgrading the application from version 11.1.0 to 11.6.0, the AMSI Protection settings will be reset to their default values.
If you are using software restriction policies (SRP), the computer may fail to load (black screen). You are advised to change the SRP settings as follows: set the All software files except libraries (such as DLL) value for the Apply software restriction policies to the following objects parameter, and add rules with the Unrestricted security level for paths to files of the application (C:\Program Files\Common Files\Kaspersky Lab and C:\Program Files\Kaspersky Lab). For details on using SRP, refer to Microsoft documentation.
Management of Outlook plug-in settings via Rest API is not supported.
Task run settings for a specific user cannot be transferred between devices via a configuration file. After settings are applied from a configuration file, manually specify the user name and password.
After installing an update, the integrity check task does not work until the system is restarted to apply the update.
When the rotated trace level is changed through the remote diagnostics utility, Kaspersky Endpoint Security for Windows incorrectly displays a blank value for the trace level. However, trace files are written according to the correct trace level. When the rotated trace level is changed through the local interface of the application, the trace level is correctly modified but the remote diagnostics utility incorrectly displays the trace level that was last defined by the utility. This may cause the administrator to not have up-to-date information about the current trace level, and relevant information may be absent from traces if a user manually changes the trace level in the local interface of the application.
In the local interface, Password protection settings don't allow changing the name of the administrator account (KLAdmin by default). To change the name of the administrator account, you need to disable Password protection, then enable Password protection and specify a new name of the administrator account.
Kaspersky Endpoint Security monitors HTTP traffic that complies with the RFC 2616, RFC 7540, RFC 7541, RFC 7301 standards. If Kaspersky Endpoint Security detects another data exchange format in HTTP traffic, the application blocks this connection to prevent downloading malicious files from the Internet.
When scanning an encrypted connection, Kaspersky Endpoint Security forces HTTP/1.
The Kaspersky Endpoint Security application when installed on a Windows Server 2019 server is incompatible with Docker. Deploying Docker containers on a computer with Kaspersky Endpoint Security causes a crash (BSOD).

Page top

[Topic 90]

Glossary

Active key

A key that is currently used by the application.

Additional key

A key that certifies the right to use the application but is not currently being used.

Administration group

A set of devices that share common functions and a set of Kaspersky applications installed on them. Devices are grouped so that they can be managed conveniently as a single unit. A group may include other groups. It is possible to create group policies and group tasks for each installed application in the group.

Anti-virus databases

Databases that contain information about computer security threats known to Kaspersky as of the anti-virus database release date. Anti-virus database signatures help to detect malicious code in scanned objects. Anti-virus databases are created by Kaspersky specialists and updated hourly.

Authentication Agent

Interface that lets you complete authentication to access encrypted hard drives and load the operating system after the bootable hard drive has been encrypted.

Certificate issuer

Certification center that issued the certificate.

Database of malicious web addresses

A list of web addresses whose content may be considered to be dangerous. The list is created by Kaspersky specialists. It is regularly updated and is included in the Kaspersky application distribution kit.

Database of phishing web addresses

A list of web addresses which Kaspersky specialists have determined to be phishing-related. The database is regularly updated and is part of the Kaspersky application distribution kit.

Disinfection

A method of processing infected objects that results in complete or partial recovery of data. Not all infected objects can be disinfected.

False alarm

A false alarm occurs when the Kaspersky application reports an uninfected file as infected because the signature of the file is similar to that of a virus.

Infectable file

A file which, due to its structure or format, can be used by intruders as a "container" to store and spread malicious code. As a rule, these are executable files, with such file extensions as .com, .exe, and .dll. There is a fairly high risk of intrusion of malicious code in such files.

Infected file

A file which contains malicious code (code of known malware has been detected when scanning the file). Kaspersky does not recommend using such files, because they may infect your computer.

License certificate

A document that Kaspersky transfers to the user together with the key file or activation code. It contains information about the license granted to the user.

Mask

Representation of a file name and extension by using wildcards.

File masks can contain any characters that are allowed in file names, including wildcards:

The * (asterisk) character, which takes the place of any set of characters, except the \ and / characters (delimiters of the names of files and folders in paths to files and folders). For example, the mask C:\*\*.txt will include all paths to files with the TXT extension located in folders on the C: drive, but not in subfolders.
Two consecutive * characters take the place of any set of characters (including an empty set) in the file or folder name, including the \ and / characters (delimiters of the names of files and folders in paths to files and folders). For example, the mask C:\Folder\**\*.txt will include all paths to files with the TXT extension located in the folder named Folder and its subfolders. The mask must include at least one nesting level. The mask C:\**\*.txt is not a valid mask. The ** mask is available only for creating scan exclusions.
The ? (question mark) character, which takes the place of any single character, except the \ and / characters (delimiters of the names of files and folders in paths to files and folders). For example, the mask C:\Folder\???.txt will include paths to all files residing in the folder named Folder that have the TXT extension and a name consisting of three characters.

Network Agent

A Kaspersky Security Center component that enables interaction between the Administration Server and Kaspersky applications that are installed on a specific network node (workstation or server). This component is common for all Kaspersky applications running under Windows. Dedicated versions of Network Agent are intended for applications running under other operating systems.

Normalized form of the address of a web resource

The normalized form of the address of a web resource is a textual representation of a web resource address that is obtained through normalization. Normalization is a process whereby the textual representation of a web resource address changes according to specific rules (for example, exclusion of the user login, password, and connection port from the text representation of the web resource address; additionally, the web resource address is changed from uppercase to lowercase characters).

Regarding the operation of protection components, the purpose of normalization of web resource addresses is to avoid scanning website addresses, which may differ in syntax while being physically equivalent, more than once.

Example:

Non-normalized form of an address: www.Example.com\.

Normalized form of an address: www.example.com.

OLE object

An attached file or a file that is embedded in another file. Kaspersky applications allow scanning OLE objects for viruses. For example, if you insert a Microsoft Office Excel table into a Microsoft Office Word document, the table is scanned as an OLE object.

Portable File Manager

This is an application that provides an interface for working with encrypted files on removable drives when encryption functionality is not available on the computer.

Protection scope

Objects that are constantly being scanned by the Essential Threat Protection component when it is running. The protection scopes of different components have different properties.

Scan scope

Objects that Kaspersky Endpoint Security scans while performing a scan task.

Task

Functions performed by the Kaspersky application as tasks, for example: Real-time File Protection, Full Device Scan, Database Update.

Trusted Platform Module

A microchip developed to provide basic functions related to security (for example, for storing encryption keys). A Trusted Platform Module is usually installed on the computer motherboard and interacts with all other system components via the hardware bus.

Page top

[Topic 36215]

Appendices

This section contains information that supplements the body of the document.

In this Help section

Appendix 1. Application settings

Appendix 2. Application trust groups

Appendix 3. File extensions for quick removable drives scan

Appendix 4. File Types for the Mail Threat Protection attachment filter

Appendix 5. Network settings for interaction with external services

Appendix 6. Application events in the Windows Event Log

Page top

[Topic 176382]

Appendix 1. Application settings

You can use a policy, tasks, or the application interface to configure Kaspersky Endpoint Security. Detailed information about application components is provided in the corresponding sections.

In this section

File Threat Protection

Web Threat Protection

Mail Threat Protection

Network Threat Protection

Host Intrusion Prevention

BadUSB Attack Prevention

AMSI Protection

Exploit Prevention

Behavior Detection

Remediation Engine

Kaspersky Security Network

Encryption of removable drives

Endpoint Sensor

Full Disk Encryption

File Level Encryption

Templates (data encryption)

Scanning the computer

Background scan

Scan from context menu

Removable drives scan

Integrity check

Updating databases and application software modules

Page top

[Topic 176733]

File Threat Protection

When attempting to access a file whose contents are stored in the OneDrive cloud, Kaspersky Endpoint Security downloads and scans the file contents.

File Threat Protection component settings

Parameter	Description
Security level (available only in the Administration Console (MMC) and in the Kaspersky Endpoint Security interface)	For File Threat Protection, Kaspersky Endpoint Security can apply different groups of settings. These groups of settings that are stored in the application are called security levels: High. When this file security level is selected, the File Threat Protection component takes the strictest control of all files that are opened, saved, and started. The File Threat Protection component scans all file types on all hard drives, removable drives, and network drives of the computer. It also scans archives, installation packages, and embedded OLE objects. Recommended. This file security level is recommended by Kaspersky Lab experts. The File Threat Protection component scans only the specified file formats on all hard drives, removable drives, and network drives of the computer, and embedded OLE objects. The File Threat Protection component does not scan archives or installation packages. Low. The settings of this file security level ensure maximum scanning speed. The File Threat Protection component scans only files with specified extensions on all hard drives, removable drives, and network drives of the computer. The File Threat Protection component does not scan compound files.
File types (available only in the Administration Console (MMC) and in the Kaspersky Endpoint Security interface)	All files. If this setting is enabled, Kaspersky Endpoint Security checks all files without exception (all formats and extensions). Files scanned by format. If this setting is enabled, Kaspersky Endpoint Security scans infectable files only. Before scanning a file for malicious code, the internal header of the file is analyzed to determine the format of the file (for example, .txt, .doc, or .exe). The scan also looks for files with particular file extensions. Files scanned by extension. If this setting is enabled, Kaspersky Endpoint Security scans infectable files only. The file format is then determined based on the file's extension.
Protection scope	Contains objects that are scanned by the File Threat Protection component. A scan object may be a hard drive, removable drive, network drive, folder, file, or multiple files defined by a mask. By default, the File Threat Protection component scans files that are started on any hard drives, removable drives, or network drives. The protection scope for these objects cannot be changed or deleted. You can also exclude an object (such as removable drives) from scans.
Machine learning and signature analysis (available only in the Administration Console (MMC) and in the Kaspersky Endpoint Security interface)	The machine learning and signature analysis method uses the Kaspersky Endpoint Security databases that contain descriptions of known threats and ways to neutralize them. Protection that uses this method provides the minimum acceptable security level. Based on the recommendations of Kaspersky experts, machine learning and signature analysis is always enabled.
Heuristic Analysis (available only in the Administration Console (MMC) and in the Kaspersky Endpoint Security interface)	The technology was developed for detecting threats that cannot be detected by using the current version of Kaspersky application databases. It detects files that may be infected with an unknown virus or a new variety of a known virus. When scanning files for malicious code, the heuristic analyzer executes instructions in the executable files. The number of instructions that are executed by the heuristic analyzer depends on the level that is specified for the heuristic analyzer. The heuristic analysis level ensures a balance between the thoroughness of searching for new threats, the load on the resources of the operating system, and the duration of heuristic analysis.
Action on threat detection	Disinfect; delete if disinfection fails. If this option is selected, Kaspersky Endpoint Security automatically attempts to disinfect all infected files that are detected. If disinfection fails, Kaspersky Endpoint Security deletes the files. Disinfect; block if disinfection fails. If this option is selected, Kaspersky Endpoint Security automatically attempts to disinfect all infected files that are detected. If disinfection is not possible, Kaspersky Endpoint Security adds the information about the infected files that are detected to the list of active threats. Block. If this option is selected, the File Threat Protection component automatically blocks all infected files without attempting to disinfect them. Before attempting to disinfect or delete an infected file, Kaspersky Endpoint Security creates a backup copy of the file in case you need to restore the file or if it can be disinfected in the future.
Scan only new and changed files	Scans only new files and those files that have been modified since the last time they were scanned. This helps reduce the duration of a scan. This mode applies both to simple and to compound files.
Scan archives	Scans archives in the following formats: RAR, ARJ, ZIP, CAB, LHA, JAR, and ICE.
Scan distribution packages	This check box enables/disables scanning of third-party distribution packages.
Scan files in Microsoft Office formats	Scans Microsoft Office files (DOC, DOCX, XLS, PPT and other Microsoft extensions). Office format files include OLE objects as well.
Do not unpack large compound files	If this check box is selected, Kaspersky Endpoint Security does not scan compound files if their size exceeds the specified value. If this check box is cleared, Kaspersky Endpoint Security scans compound files of all sizes. Kaspersky Endpoint Security scans large files that are extracted from archives regardless of whether the check box is ticked or not.
Unpack compound files in the background	If the check box is selected, Kaspersky Endpoint Security provides access to compound files that are larger than the specified value before these files are scanned. In this case, Kaspersky Endpoint Security unpacks and scans compound files in the background. Kaspersky Endpoint Security provides access to compound files that are smaller than this value only after unpacking and scanning these files. If the check box is not selected, Kaspersky Endpoint Security provides access to compound files only after unpacking and scanning files of any size.
Scan mode (available only in the Administration Console (MMC) and in the Kaspersky Endpoint Security interface)	Kaspersky Endpoint Security scans files accessed by the user, operating system, or an application running under the user's account. Smart mode. In this mode, File Threat Protection scans an object based on an analysis of actions taken on the object. For example, when working with a Microsoft Office document, Kaspersky Endpoint Security scans the file when it is first opened and last closed. Intermediate operations that overwrite the file do not cause it to be scanned. On access and modification. In this mode, File Threat Protection scans objects whenever there is an attempt to open or modify them. On access. In this mode, File Threat Protection scans objects only upon an attempt to open them. On execution. In this mode, File Threat Protection only scans objects upon an attempt to run them.
iSwift Technology (available only in the Administration Console (MMC) and in the Kaspersky Endpoint Security interface)	This technology allows increasing scan speed by excluding certain files from scanning. Files are excluded from scanning by using a special algorithm that takes into account the release date of Kaspersky Endpoint Security databases, the date that the file was last scanned on, and any modifications to the scanning settings. The iSwift technology is an advancement of the iChecker technology for the NTFS file system.
iChecker Technology (available only in the Administration Console (MMC) and in the Kaspersky Endpoint Security interface)	This technology allows increasing scan speed by excluding certain files from scanning. Files are excluded from scans by using a special algorithm that takes into account the release date of Kaspersky Endpoint Security databases, the date when the file was last scanned, and any modifications to the scan settings. There are limitations to iChecker Technology: it does not work with large files and applies only to files with a structure that the application recognizes (for example, EXE, DLL, LNK, TTF, INF, SYS, COM, CHM, ZIP, and RAR).
Pause File Threat Protection (available only in the Administration Console (MMC) and in the Kaspersky Endpoint Security interface)	This temporarily and automatically pauses operation of File Threat Protection at the specified time or when working with the specified applications.

See also: Managing the application via the local interface

Enabling and disabling File Threat Protection

Automatic pausing of File Threat Protection

Changing the action taken on infected files by the File Threat Protection component

Forming the protection scope of the File Threat Protection component

Using scan technologies in the operation of the File Threat Protection component

Enabling and disabling Web Threat Protection

Changing the scan mode

Page top

[Topic 176735]

Web Threat Protection

For HTTPS traffic monitoring, you need to enable encrypted connections scan.

When a user tries to open a malicious or phishing website, Kaspersky Endpoint Security will block access and show a warning (see the figure below).

Website access denied message

Web Threat Protection component settings

Parameter	Description
Security level (available only in the Administration Console (MMC) and in the Kaspersky Endpoint Security interface)	For Web Threat Protection, Kaspersky Endpoint Security can apply different groups of settings. These groups of settings that are stored in the application are called security levels: High. The security level under which the Web Threat Protection component performs maximum scanning of web traffic that the computer receives over the HTTP and FTP protocols. Web Threat Protection performs detailed scanning of all web traffic objects by using the full set of application databases, and performs the deepest possible heuristic analysis. Recommended. The security level that provides the optimal balance between the performance of Kaspersky Endpoint Security and the security of web traffic. The Web Threat Protection component performs heuristic analysis at the medium scan level. This web traffic security level is recommended by Kaspersky specialists. Low. The settings of this web traffic security level ensure the maximum web traffic scanning speed. The Web Threat Protection component performs heuristic analysis at the light scan level.
Action on threat detection	Block download. If this option is selected and an infected object is detected in web traffic, the Web Threat Protection component blocks access to the object and displays a message in the browser. Inform. If this option is selected and an infected object is detected in web traffic, Kaspersky Endpoint Security allows this object to be downloaded to the computer but adds information about the infected object to the list of active threats.
Check the URL against the database of malicious URLs (available only in the Administration Console (MMC) and in the Kaspersky Endpoint Security interface)	Scanning the links to determine whether they are included in the database of malicious web addresses allows you to track websites that have been added to denylist. The database of malicious web addresses is maintained by Kaspersky, included in the application installation package, and updated during Kaspersky Endpoint Security database updates.
Use Heuristic Analysis (available only in the Administration Console (MMC) and in the Kaspersky Endpoint Security interface)	The technology was developed for detecting threats that cannot be detected by using the current version of Kaspersky application databases. It detects files that may be infected with an unknown virus or a new variety of a known virus. When web traffic is scanned for viruses and other applications that present a threat, the heuristic analyzer performs instructions in the executable files. The number of instructions that are executed by the heuristic analyzer depends on the level that is specified for the heuristic analyzer. The heuristic analysis level ensures a balance between the thoroughness of searching for new threats, the load on the resources of the operating system, and the duration of heuristic analysis.
Check the URL against the database of phishing URLs (available only in the Administration Console (MMC) and in the Kaspersky Endpoint Security interface)	The database of phishing web addresses includes the web addresses of currently known websites that are used to launch phishing attacks. Kaspersky supplements this database of phishing links with addresses obtained from the international organization known as the Anti-Phishing Working Group. The database of phishing addresses is included in the application installation package and supplemented with Kaspersky Endpoint Security database updates.
Do not scan web traffic from trusted web addresses	If the check box is selected, the Web Threat Protection component does not scan the content of web pages or websites whose addresses are included in the list of trusted web addresses. You can add both the specific address and the address mask of a web page/website to the list of trusted web addresses.

See also: Managing the application via the local interface

Changing the action to take on malicious web traffic objects

Scanning URLs against databases of phishing and malicious web addresses

Using heuristic analysis in the operation of the Web Threat Protection component

Creating the list of trusted web addresses

Page top

[Topic 176736]

Mail Threat Protection

The Mail Threat Protection component does not scan messages if the mail client is open in a browser.

Mail Threat Protection component settings

Parameter	Description
Security level (available only in the Administration Console (MMC) and in the Kaspersky Endpoint Security interface)	For Mail Threat Protection, Kaspersky Endpoint Security can apply different groups of settings. These groups of settings that are stored in the application are called security levels: High. When this email security level is selected, the Mail Threat Protection component scans email messages most thoroughly. The Mail Threat Protection component scans incoming and outgoing email messages, and performs deep heuristic analysis. The High mail security level is recommended for high-risk environments. An example of such an environment is a connection to a free email service from a home network that is not guarded by centralized email protection. Recommended. The email security level that provides the optimal balance between the performance of Kaspersky Endpoint Security and email security. The Mail Threat Protection component scans incoming and outgoing email messages, and performs medium-level heuristic analysis. This mail traffic security level is recommended by Kaspersky specialists. Low. When this email security level is selected, the Mail Threat Protection component only scans incoming email messages, performs light heuristic analysis, and does not scan archives that are attached to email messages. At this mail security level, the Mail Threat Protection component scans email messages at maximum speed and uses a minimum of operating system resources. The Low mail security level is recommended for use in a well-protected environment. An example of such an environment might be an enterprise LAN with centralized email security.
Action on threat detection	Disinfect; delete if disinfection fails. When an infected object is detected in an inbound or outbound message, Kaspersky Endpoint Security attempts to disinfect the detected object. The user will be able to access the message with a safe attachment. If the object cannot be disinfected, Kaspersky Endpoint Security deletes the infected object. Kaspersky Endpoint Security adds information about the performed action to the message subject: `[Infected object was deleted] <message subject>`. Disinfect; block if disinfection fails. When an infected object is detected in an inbound message, Kaspersky Endpoint Security attempts to disinfect the detected object. The user will be able to access the message with a safe attachment. If the object cannot be disinfected, Kaspersky Endpoint Security adds a warning to the message subject: `[Message infected] <message subject>`. The user will be able to access the message with the original attachment. When an infected object is detected in an outbound message, Kaspersky Endpoint Security attempts to disinfect the detected object. If the object cannot be disinfected, Kaspersky Endpoint Security blocks transmission of the message, and the mail client shows an error. Block. If an infected object is detected in an inbound message, Kaspersky Endpoint Security adds a warning to the message subject: `[Message infected] <message subject>`. The user will be able to access the message with the original attachment. If an infected object is detected in an outbound message, Kaspersky Endpoint Security blocks transmission of the message, and the mail client shows an error.
Protection scope (available only in the Administration Console (MMC) and in the Kaspersky Endpoint Security interface)	The Protection scope includes objects that the component checks when it is run: Incoming and outgoing messages or Incoming messages only. In order to protect your computers, you need only scan incoming messages. You can turn on scanning for outgoing messages to prevent infected files from being sent in archives. You can also turn on the scanning of outgoing messages if you want to prevent files in particular formats from being sent, such as audio and video files, for example.
Scan POP3 / SMTP / NNTP / IMAP traffic	The check box enables / disables scanning by the Mail Threat Protection component of traffic that is transferred via the POP3, SMTP, NNTP, and IMAP protocols.
Connect Microsoft Outlook extension	If the check box is selected, scanning of email messages transmitted via the POP3, SMTP, NNTP, IMAP protocols is enabled on the side of the extension integrated into Microsoft Outlook. If mail is scanned using the extension for Microsoft Outlook, it is recommended to use Cached Exchange Mode. For more detailed information about Cached Exchange Mode and recommendations on its use, refer to the Microsoft Knowledge Base.
Heuristic Analysis (available only in the Administration Console (MMC) and in the Kaspersky Endpoint Security interface)	The technology was developed for detecting threats that cannot be detected by using the current version of Kaspersky application databases. It detects files that may be infected with an unknown virus or a new variety of a known virus. When scanning files for malicious code, the heuristic analyzer executes instructions in the executable files. The number of instructions that are executed by the heuristic analyzer depends on the level that is specified for the heuristic analyzer. The heuristic analysis level ensures a balance between the thoroughness of searching for new threats, the load on the resources of the operating system, and the duration of heuristic analysis.
Scan attached archives	Scans archives in the following formats: RAR, ARJ, ZIP, CAB, LHA, JAR, and ICE. If during the scan, Kaspersky Endpoint Security detects a password for an archive in the text of the message, this password will be used to scan the content of the archive for malicious applications. In this case, the password is not saved. An archive is unpacked during scan. If an application error occurs during the unpacking process, you can manually delete the unpacked files that are saved to the following path: %systemroot%\temp. The files have the PR prefix.
Scan attached Office formats	Scans Microsoft Office files (DOC, DOCX, XLS, PPT and other Microsoft extensions). Office format files include OLE objects as well.
Do not scan archives larger than N MB	If this check box is selected, the Mail Threat Protection component excludes archives attached to email messages from scanning if their size exceeds the specified value. If the check box is cleared, the Mail Threat Protection component scans email attachment archives of any size.
Do not scan archives for more than N sec	If the check box is selected, the time that is allocated for scanning archives attached to email messages is limited to the specified period.
Attachment filter	The attachment filter is not applied to outgoing email messages. Disable filtering. If this option is selected, the Mail Threat Protection component does not filter files that are attached to email messages. Rename attachments of selected types. If this option is selected, the Mail Threat Protection component will replace the last extension character found in the attached files of the specified types with the underscore character (for example, attachment.doc_). Thus, in order to open the file, the user must rename the file. Delete attachments of selected types. If this option is selected, the Mail Threat Protection component deletes attached files of the specified types from email messages. In the list of file masks, you can specify the types of attached files to rename or delete from email messages.

See also: Managing the application via the local interface

Enabling and disabling Mail Threat Protection

Changing the action to take on infected email messages

Forming the protection scope of the Mail Threat Protection component

Scanning compound files attached to email messages

Filtering email message attachments

Scanning emails in Microsoft Office Outlook

Page top

[Topic 176737]

Network Threat Protection

Network Threat Protection component settings

Parameter	Description
Detect Port Scanning and Network Flooding attacks	Network Flooding is an attack on network resources of an organization (such as web servers). This attack consists of sending a large number of requests to overload the bandwidth of network resources. When this happens, users are unable to access the network resources of the organization. A Port Scanning attack consists of scanning UDP ports, TCP ports, and network services on the computer. This attack allows the attacker to identify the degree of vulnerability of the computer before conducting more dangerous types of network attacks. Port Scanning also enables the attacker to identify the operating system on the computer and select the appropriate network attacks for this operating system. If this check box is selected, Kaspersky Endpoint Security monitors network traffic to detect these attacks. When an attack is detected, the application filters and blocks the traffic associated with the attack. This way, if a Network Flooding attack is launched against the computer, the application reduces the load on the resource being attacked. If a Port Scanning attack is launched against the computer, Kaspersky Endpoint Security prevents data leaks on the computer. You can disable detection of these types of attacks in case some of your allowed applications perform operations that are typical for these types of attacks. This will help avoid false alarms.
Add the attacking computer to the list of blocked computers for N minutes	If the check box is selected, the Network Threat Protection component adds the attacking computer to the blocked list. This means that the Network Threat Protection component blocks the network connection with the attacking computer after the first network attack attempt for the specified amount of time. This block automatically protects the user's computer against possible future network attacks from the same address. You can view the block list in the Network Monitor tool window. Kaspersky Endpoint Security clears the block list when the application is restarted and when the Network Threat Protection settings are changed.
Exclusions	The list contains IP addresses from which Network Threat Protection does not block network attacks. Kaspersky Endpoint Security does not log information on network attacks from the IP addresses that are in the list of exclusions.
Protection against MAC spoofing	A MAC spoofing attack consists of changing the MAC address of a network device (network card). As a result, an attacker can redirect data sent to a device to another device and gain access to this data. Kaspersky Endpoint Security lets you block MAC Spoofing attacks and receive notifications about the attacks.

See also: Managing the application via the local interface

Enabling and disabling Network Threat Protection

Blocking an attacking computer

Configuring addresses of exclusions from blocking

Configuring protection against network attacks by type

Page top

[Topic 176738]

Firewall

Network rules

You can configure network rules at the following levels:

Network packet rules. Network packet rules impose restrictions on network packets, regardless of the application. Such rules restrict inbound and outbound network traffic through specific ports of the selected data protocol. Kaspersky Endpoint Security has predefined network packet rules with permissions recommended by Kaspersky experts.
Application network rules. Application network rules impose restrictions on the network activity of a specific application. They factor in not only the characteristics of the network packet, but also the specific application to which this network packet is addressed or which issued this network packet.

Controlled access of applications to operating system resources, processes and personal data is provided by the Host Intrusion Prevention component by using application rights.

During the first startup of the application, the Firewall performs the following actions:

Checks the security of the application using downloaded anti-virus databases.
Checks the security of the application in Kaspersky Security Network.
You are advised to participate in Kaspersky Security Network to help the Firewall work more effectively.
Puts the application in one of the trust groups: Trusted, Low Restricted, High Restricted, Untrusted.
A trust group defines the rights that Kaspersky Endpoint Security refers to when controlling application activity. Kaspersky Endpoint Security places an application in a trust group depending on the level of danger that this application may pose to the computer.

Kaspersky Endpoint Security places an application in a trust group for the Firewall and Host Intrusion Prevention components. You cannot change the trust group only for the Firewall or Host Intrusion Prevention.

If you refused to participate in KSN or there is no network, Kaspersky Endpoint Security places the application in a trust group depending on the settings of the Host Intrusion Prevention component. After receiving the reputation of the application from KSN, the trust group can be changed automatically.
It blocks network activity of the application depending on the trust group. For example, applications in the High Restricted trust group are not allowed to use any network connections.

Network Rule Priorities

Network connection statuses

The network connection can have one of the following status types:

Public network. The network is not protected by antivirus applications, firewalls, or filters (such as Wi-Fi in a cafe). When the user operates a computer that is connected to such a network, Firewall blocks access to files and printers of this computer. External users are also unable to access data through shared folders and remote access to the desktop of this computer. Firewall filters the network activity of each application according to the network rules that are set for it.
Firewall assigns Public network status to the Internet by default. You cannot change the status of the Internet.
Local network. Network for users with restricted access to files and printers on this computer (such as for a corporate LAN or home network).

Trusted network. Safe network in which the computer is not exposed to attacks or unauthorized data access attempts. Firewall permits any network activity within networks with this status.

Firewall component settings

Parameter

Description

Network packet rules

Table with a list of network packet rules. Network packet rules serve to impose restrictions on network packets, regardless of the application. Such rules restrict inbound and outbound network traffic through specific ports of the selected data protocol.

The table lists pre-configured network packet rules that are recommended by Kaspersky for optimum protection of the network traffic of computers that run on Microsoft Windows operating systems.

Firewall sets the execution priority of each network packet rule. Firewall processes network packet rules in the order in which they appear in the list of network packet rules, from top to bottom. Firewall locates the topmost network packet rule that is suitable for the network connection and applies it by either allowing or blocking network activity. Firewall then ignores all subsequent network packet rules for the specific network connection.

Network packet rules have higher priority than network rules for applications.

Network connections

This table contains information about network connections that Firewall detects on the computer.

The Public network status is assigned to the Internet by default. You cannot change the status of the Internet.

Network rules

Appendices

Table of applications that are controlled by the Firewall component. Applications are assigned to trust groups. A trust group defines the rights used by Kaspersky Endpoint Security when controlling network activity of applications.

You can select an application from a single list of all applications installed on computers under the influence of a policy and add the application to a trust group.

Network rules

Table of network rules for applications that are part of a trust group. In accordance with these rules, Firewall regulates the network activity of an application.

The table displays the predefined network rules that are recommended by Kaspersky experts. These network rules have been added to optimally protect the network traffic of computers running Windows operating systems. It is not possible to delete the predefined network rules.

See also: Managing the application via the local interface

Enabling or disabling Firewall

Changing the network connection status

Managing network packet rules

Managing application network rules

Network Monitor

Page top

[Topic 176739]

BadUSB Attack Prevention

The BadUSB Attack Prevention component prevents infected USB devices emulating a keyboard from connecting to the computer.

When the authorized keyboard is connected to a different USB port of the computer, the application shows a prompt for authorization of this keyboard again.

The application allows use of an authorized keyboard and blocks a keyboard that has not been authorized.

loc_screen_KES11_BadUSB_authorization

Keyboard authorization

BadUSB Attack Prevention component settings

Parameter	Description
Prohibit use of On-Screen Keyboard for authorization of USB devices	If the check box is selected, the application blocks use of On-Screen Keyboard for authorization of a USB device from which an authorization code cannot be entered.

See also: Managing the application via the local interface

Enabling and disabling BadUSB Attack Prevention

Using On-Screen Keyboard for authorization of USB devices

Page top

[Topic 176740]

AMSI Protection

AMSI operation example

AMSI Protection is available for the following operating systems for workstations and servers:

Windows 10 Home / Pro / Pro for Workstations / Education / Enterprise;
Windows Server 2016 Essentials / Standard / Datacenter;

Windows Server 2019 Essentials / Standard / Datacenter.

AMSI Protection Provider component settings

Parameter	Description
Scan archives	Scans archives in the following formats: RAR, ARJ, ZIP, CAB, LHA, JAR, and ICE.
Scan distribution packages	This check box enables/disables scanning of third-party distribution packages.
Scan files in Microsoft Office formats	Scans Microsoft Office files (DOC, DOCX, XLS, PPT and other Microsoft extensions). Office format files include OLE objects as well.
Do not unpack large compound files	If this check box is selected, Kaspersky Endpoint Security does not scan compound files if their size exceeds the specified value. If this check box is cleared, Kaspersky Endpoint Security scans compound files of all sizes. Kaspersky Endpoint Security scans large files that are extracted from archives regardless of whether the check box is ticked or not.

See also: Managing the application via the local interface

Enabling and disabling the AMSI Protection

Using AMSI Protection to scan compound files

Page top

[Topic 176730]

Exploit Prevention

When there is an attempt to run an executable file from a vulnerable application that was not performed by the user, Kaspersky Endpoint Security blocks this file from running or notifies the user.

Exploit Prevention component settings

Parameter	Description
On detecting exploit	Block operation. If this option is selected, on detection of an exploit Kaspersky Endpoint Security blocks the actions attempted by the exploit. Inform. If this option is selected and an exploit is detected, Kaspersky Endpoint Security does not block the actions of the exploit but adds information about this exploit to the list of active threats.
Enable system process memory protection	If this toggle button is switched on, Kaspersky Endpoint Security blocks external processes that attempt to access system process memory.

See also: Managing the application via the local interface

Enabling and disabling Exploit Prevention

Selecting an action to take when an exploit is detected

System processes memory protection

Page top

[Topic 176728]

Behavior Detection

The Behavior Detection component receives data on the actions of applications on your computer and provides this information to other protection components to improve their performance.

Behavior Detection component settings

Parameter	Description
On detecting malware activity	Delete file. If this option is selected, on detecting malicious activity Kaspersky Endpoint Security deletes the executable file of the malicious application and creates a backup copy of the file in Backup. Terminate the application. If this option is selected, on detecting malicious activity Kaspersky Endpoint Security terminates this application. Inform. If this option is selected and malicious activity of an application is detected, Kaspersky Endpoint Security does not terminate this application but adds information about the malicious activity of this application to the list of active threats.
Enable protection of shared folders against external encryption	If the toggle button is switched on, Kaspersky Endpoint Security analyzes activity in shared folders. If this activity matches a behavior stream signature that is typical for external encryption, Kaspersky Endpoint Security performs the selected action. Kaspersky Endpoint Security prevents external encryption of only those files that are located on media that have the NTFS file system and are not encrypted by the EFS system. Inform. If this option is selected, on detecting an attempt to modify files in shared folders, Kaspersky Endpoint Security adds information about this attempt to modify files in shared folders to the list of active threats. Block connection. If this option is selected, on detecting an attempt to modify files in shared folders, Kaspersky Endpoint Security blocks network activity originating from the computer attempting to modify files and creates backup copies of modified files. If the Remediation Engine component is enabled and the Block connection option is selected, Kaspersky Endpoint Security restores modified files from backup copies.
Block connection for N minutes	The time for which Kaspersky Endpoint Security blocks the network activity of the remote computer performing encryption of shared folders.
Exclusions	List of computers from which attempts to encrypt shared folders will not be monitored. To apply the list of exclusions of computers from protection of shared folders against external encryption, you must enable Audit Logon in the Windows security audit policy. Audit Logon is disabled by default. For more details about a Windows security audit policy, please visit the Microsoft website.

See also: Managing the application via the local interface

Enabling and disabling Behavior Detection

Selecting the action to take on detecting malware activity

Protection of shared folders against external encryption

Page top

[Topic 176731]

Host Intrusion Prevention

The component controls the operation of applications by using application rights. Application rights include the following access parameters:

Access to operating system resources (for example, automatic startup options, registry keys)
Access to personal data (such as files and applications)

Network activity of applications is controlled by the Firewall using network rules.

During the first startup of the application, the Host Intrusion Prevention component performs the following actions:

Checks the security of the application using downloaded anti-virus databases.
Checks the security of the application in Kaspersky Security Network.
You are advised to participate in Kaspersky Security Network to help the Host Intrusion Prevention component work more effectively.
Puts the application in one of the trust groups: Trusted, Low Restricted, High Restricted, Untrusted.
A trust group defines the rights that Kaspersky Endpoint Security refers to when controlling application activity. Kaspersky Endpoint Security places an application in a trust group depending on the level of danger that this application may pose to the computer.

Kaspersky Endpoint Security places an application in a trust group for the Firewall and Host Intrusion Prevention components. You cannot change the trust group only for the Firewall or Host Intrusion Prevention.

If you refused to participate in KSN or there is no network, Kaspersky Endpoint Security places the application in a trust group depending on the settings of the Host Intrusion Prevention component. After receiving the reputation of the application from KSN, the trust group can be changed automatically.
Blocks application actions depending on the trust group. For example, applications from the High Restricted trust group are denied access to the operating system modules.

Host Intrusion Prevention component settings

Parameter	Description
Application rights	Applications Table of applications that are monitored by the Host Intrusion Prevention component. Applications are assigned to trust groups. A trust group defines the rights that Kaspersky Endpoint Security refers to when controlling application activity. You can select an application from a single list of all applications installed on computers under the influence of a policy and add the application to a trust group. Application access rights are presented in the following tables: Files and system registry. This table contains the rights of applications within a trust group to access operating system resources and personal data. Rights. This table contains the rights of applications in a trust group to access processes and resources of the operating system. Network rules. Table of network rules for applications that are part of a trust group. In accordance with these rules, Firewall regulates the network activity of applications. The table displays the predefined network rules that are recommended by Kaspersky experts. These network rules have been added to optimally protect the network traffic of computers running Windows operating systems. It is not possible to delete the predefined network rules.
Protected resources	Name The table contains categorized computer resources. The Host Intrusion Prevention component monitors attempts by other applications to access resources in the table. A resource can be a registry category, file or folder, or registry key. Applications Table of applications monitored by the Host Intrusion Prevention component for the selected resource. Applications are assigned to trust groups. A trust group defines the rights that Kaspersky Endpoint Security refers to when controlling application activity.
Trust group for applications started before startup of Kaspersky Endpoint Security	A trust group in which Kaspersky Endpoint Security will place applications that are started before Kaspersky Endpoint Security.
Update rights for previously unknown applications from KSN database	If the check box is selected, the Host Intrusion Prevention component updates rights for previously unknown applications by using the Kaspersky Security Network database.
Trust applications that have a digital signature	If this check box is selected, the Host Intrusion Prevention component places the applications with the digital signature of trusted vendors in the Trusted group. Trusted vendors are those software vendors that are trusted by Kaspersky. You can also add vendor certificate to the trusted certificate store manually. If this check box is cleared, the Host Intrusion Prevention component does not consider such applications to be trusted, and uses other parameters to determine their trust group.
Delete rights for applications that are not started for more than N days	If the check box is selected, Kaspersky Endpoint Security automatically deletes information about the application (trust group and access rights) if the following conditions are met: You manually put the application into a trust group or configured its access rights. The application has not started within the defined period of time. If the trust group and rights of an application were determined automatically, Kaspersky Endpoint Security deletes information about this application after 30 days. It is not possible to change the storage term for application information or turn off automatic deletion. The next time you start this application, Kaspersky Endpoint Security analyzes the application as if it were starting for the first time.
Trust group for applications that could not be assigned to other groups	Items in this drop-down list determine to which trust group Kaspersky Endpoint Security will assign an unknown application. You can choose one of the following items: Low Restricted. High Restricted. Untrusted.

See also: Managing the application via the local interface

Protecting access to audio and video

Enabling and disabling Host Intrusion Prevention

Managing application trust groups

Managing application rights

Protecting operating system resources and personal data

Page top

[Topic 176732]

Remediation Engine

The Remediation Engine lets Kaspersky Endpoint Security roll back actions that have been performed by malware in the operating system.

When rolling back malware activity in the operating system, Kaspersky Endpoint Security handles the following types of malware activity:

File activity
Kaspersky Endpoint Security performs the following actions:
- Deletes executable files that were created by malware (on all media except network drives).
- Deletes executable files that were created by programs that have been infiltrated by malware.
- Restores files that have been modified or deleted by malware.
The file recovery feature has a number of limitations.
Registry activity
Kaspersky Endpoint Security performs the following actions:
- Deletes registry keys that were created by malware.
- Does not restore registry keys that have been modified or deleted by malware.
System activity
Kaspersky Endpoint Security performs the following actions:
- Terminates processes that have been initiated by malware.
- Terminates processes into which a malicious application has penetrated.
- Does not resume processes that have been halted by malware.
Network activity
Kaspersky Endpoint Security performs the following actions:
- Blocks the network activity of malware.
- Blocks the network activity of processes that have been infiltrated by malware.

A rollback of malware actions can be started by the File Threat Protection or Behavior Detection component, or during a virus scan.

Rolling back malware operations affects a strictly defined set of data. Rollback has no adverse effects on the operating system or on the integrity of your computer data.

Page top

[Topic 176440]

Kaspersky Security Network

To protect your computer more effectively, Kaspersky Endpoint Security uses data that is received from users around the globe. Kaspersky Security Network is designed for obtaining this data.

KSN Infrastructure

Kaspersky Endpoint Security supports the following KSN infrastructural solutions:

Global KSN is the solution that is used by most Kaspersky applications. KSN participants receive information from Kaspersky Security Network and send Kaspersky information about objects detected on the user's computer to be analyzed additionally by Kaspersky analysts and to be included in the reputation and statistical databases of Kaspersky Security Network.
Private KSN is a solution that enables users of computers hosting Kaspersky Endpoint Security or other Kaspersky applications to obtain access to reputation databases of Kaspersky Security Network, and to other statistical data without sending data to KSN from their own computers. Private KSN is designed for corporate customers who are unable to participate in Kaspersky Security Network for any of the following reasons:
- Local workstations are not connected to the Internet.
- Transmission of any data outside the country or outside the corporate LAN is prohibited by law or restricted by corporate security policies.

For more details about Private KSN, please refer to the documentation on Kaspersky Private Security Network.

KSN Proxy

User computers managed by Kaspersky Security Center Administration Server can interact with KSN via the KSN Proxy service.

The KSN Proxy service provides the following capabilities:

The user's computer can query KSN and submit information to KSN even without direct access to the Internet.
The KSN Proxy service caches processed data, thereby reducing the load on the external network communication channel and speeding up receipt of the information that is requested by the user's computer.

For more details on the KSN Proxy service, please refer to the Kaspersky Security Center Help Guide.

Kaspersky Security Network settings

Parameter	Description
Enable extended KSN mode	Extended KSN mode is a mode in which Kaspersky Endpoint Security sends additional data to Kaspersky. Kaspersky Endpoint Security uses KSN to detect threats regardless of the toggle position.
Enable Cloud mode	Cloud mode refers to the application operating mode in which Kaspersky Endpoint Security uses a light version of anti-virus databases. Kaspersky Security Network supports the operation of the application when light anti-virus databases are being used. The light version of anti-virus databases lets you use approximately half of the computer RAM that would otherwise be used with the usual databases. If you do not participate in Kaspersky Security Network or if cloud mode is disabled, Kaspersky Endpoint Security downloads the full version of anti-virus databases from Kaspersky servers. If the toggle button is switched on, Kaspersky Endpoint Security uses the light version of anti-virus databases, which reduces the load on operating system resources. Kaspersky Endpoint Security downloads the light version of anti-virus databases during the next update after the check box was selected. If the toggle button is switched off, Kaspersky Endpoint Security uses the full version of anti-virus databases. Kaspersky Endpoint Security downloads the full version of anti-virus databases during the next update after the check box was cleared.
Computer status when KSN servers are unavailable (available only in the Kaspersky Security Center Console)	The items in this drop-down list determine the status of a computer in Kaspersky Security Center when KSN servers are unavailable.
Use KSN Proxy (available only in the Kaspersky Security Center Console)	If the check box is selected, Kaspersky Endpoint Security uses the KSN Proxy service. You can configure the KSN Proxy service settings in the Administration Server properties.
Use KSN servers when KSN Proxy is not available (available only in the Kaspersky Security Center Console)	If the check box is selected, Kaspersky Endpoint Security uses KSN servers when the KSN Proxy service is unavailable. KSN servers may be located both on the side of Kaspersky (when Global KSN is used) and on the side of third parties (when Private KSN is used).

See also: Managing the application via the local interface

Data provision when using Kaspersky Security Network

Enabling and disabling the usage of Kaspersky Security Network

Enabling and disabling cloud mode for protection components

Checking the connection to Kaspersky Security Network

Checking the reputation of a file in Kaspersky Security Network

Page top

[Topic 176743]

Web Control

Kaspersky Endpoint Security monitors only HTTP- and HTTPS traffic.

For HTTPS traffic monitoring, you need to enable encrypted connections scan.

Methods for managing access to websites

Web Control lets you configure access to websites by using the following methods:

Website category. Websites are categorized according to the Kaspersky Security Network cloud service, heuristic analysis, and the database of known websites (included in application databases). For example, you can restrict user access to the "Social networks" category or to other categories.
Data type. You can restrict users' access to data on a website, and hide graphic images, for example. Kaspersky Endpoint Security determines the data type based on the file format and not based on its extension.
Kaspersky Endpoint Security does not scan files within archives. For example, if image files were placed in an archive, Kaspersky Endpoint Security identifies the "Archives" data type and not "Graphic files".
Individual address. You can enter a web address or use masks.

You can simultaneously use multiple methods for regulating access to websites. For example, you can restrict access to the "Office files" data type just for the "Web-based mail" website category.

Website access rules

Web Control manages users' access to websites by using access rules. You can configure the following advanced settings for a website access rule:

Users to which the rule applies.
For example, you can restrict Internet access through a browser for all users of the company except the IT department.
Rule schedule.
For example, you can restrict Internet access through a browser during working hours only.

Access rule priorities

Web Control messages

Web Control component settings

Parameter	Description
Rules of access to web resources	List containing web resource access rules. Each rule has a priority. The higher a rule is on the list, the higher its priority. If a website has been added to multiple rules, Web Control regulates access to the website based on the rule with the highest priority.
Default rule	The Default rule is a rule for accessing web resources that are not covered by any other rule. The following options are available: Allow all except the rules list, also known as denylist mode for prohibited websites. Deny everything except the rules list, also known as allowlist mode for allowed websites.
Message templates	Warning. The entry field consists of a template of the message that is displayed if a rule for warning about attempts to access an unwanted web resource is triggered. Message about blocking. The entry field contains the template of the message that appears if a rule which blocks access to a web resource is triggered. Message to administrator. The entry field contains the template of the message to be sent to the LAN administrator if the user considers the block to be a mistake.
Log the opening of allowed pages	Kaspersky Endpoint Security logs data on visits to all websites, including allowed websites. Kaspersky Endpoint Security sends events to Kaspersky Security Center, to the local log of Kaspersky Endpoint Security, and to the Windows Event log. To monitor user Internet activity, you need to configure the settings for saving events. Monitoring user Internet activity may require more computer resources when decrypting HTTPS traffic.

See also: Managing the application via the local interface

Enabling and disabling Web Control

Actions with web resource access rules

Migrating web resource access rules from previous versions of the application

Exporting and importing the list of web resource addresses

Monitoring user Internet activity

Editing masks for web resource addresses

Editing templates of Web Control messages

Page top

[Topic 176741]

Device Control

Device access levels

Device Control controls access at the following levels:

Device type. For example, printers, removable drives, and CD/DVD drives.
You can configure device access as follows:
- Allow – .
- Block – .
- Depends on connection bus (except for Wi-Fi) – .
- Block with exceptions (Wi-Fi only) – .
Connection bus. A connection bus is an interface used for connecting devices to the computer (for example, USB or FireWire). Therefore, you can restrict the connection of all devices, for example, over USB.
You can configure device access as follows:
- Allow – .
- Block – .
Trusted devices. Trusted devices are devices to which users that are specified in the trusted device settings have full access at all times.
You can add trusted devices based on the following data:
- Devices by ID. Each device has a unique identifier (Hardware ID, or HWID). You can view the ID in the device properties by using operating system tools. Example device ID: SCSI\CDROM&VEN_NECVMWAR&PROD_VMWARE_SATA_CD00\5&354AE4D7&0&000000. Adding devices by ID is convenient if you want to add several specific devices.
- Devices by model. Each device has a vendor ID (VID) and a product ID (PID). You can view the IDs in the device properties by using operating system tools. Template for entering the VID and PID: VID_1234&PID_5678. Adding devices by model is convenient if you use devices of a certain model in your organization. This way, you can add all devices of this model.
- Devices by ID mask. If you are using multiple devices with similar IDs, you can add devices to the trusted list by using masks. The * character replaces any set of characters. Kaspersky Endpoint Security does not support the ? character when entering a mask. For example, WDC_C*.
- Devices by model mask. If you are using multiple devices with similar VIDs or PIDs (for example, devices from the same manufacturer), you can add devices to the trusted list by using masks. The * character replaces any set of characters. Kaspersky Endpoint Security does not support the ? character when entering a mask. For example, VID_05AC & PID_ *.

When a device that is blocked by Device Control is connected to the computer, Kaspersky Endpoint Security will block access and show a notification (see the figure below).

Device Control notification

Device Control operating algorithm

Kaspersky Endpoint Security makes a decision on whether to allow access to a device after the user connects the device to the computer (see the figure below).

Device Control operating algorithm

If a user of the computer with Kaspersky Endpoint Security installed must request access to a device that the user believes was blocked by mistake, send the user the request access instructions.

Device Control component settings

Parameter	Description
Allow requests for temporary access (available only in the Kaspersky Security Center Console)	If the check box is selected, the Request access button is available through the local interface of Kaspersky Endpoint Security. Clicking this button opens the Request access to device window. In this window, the user can request temporary access to a blocked device.
Devices and Wi-Fi networks	This table contains all possible types of devices according to the classification of the Device Control component, including their respective access statuses.
Connection buses	A list of all available connection buses according to the Device Control component's classification, including their respective access statuses.
Trusted devices	List of trusted devices and users who are granted access to these devices.
Anti-Bridging	Anti-Bridging inhibits the creation of network bridges by preventing the simultaneous establishment of multiple network connections for a computer. This lets you protect a corporate network from attacks over unprotected, unauthorized networks. Anti-Bridging blocks the establishment of multiple connections according to the priorities of devices. The higher a device is on the list, the higher its priority. If an active connection and a new connection are both of the same type (for example, Wi-Fi), Kaspersky Endpoint Security blocks the active connection and allows establishment of the new connection. If an active connection and a new connection are of different types (for example, a network adapter and Wi-Fi), Kaspersky Endpoint Security blocks the connection with the lower priority and allows the connection with the higher priority. Anti-Bridging supports operation with the following types of devices: network adapter, Wi-Fi, and modem.
Message templates	Message about blocking. Template of the message that appears when a user attempts to access a blocked device. This message also appears when a user attempts to perform an operation on the device contents that was blocked for this user. Message to administrator. A template of the message that is sent to the LAN administrator when the user believes that access to the device is blocked or an operation with device content is forbidden by mistake.

See also: Managing the application via the local interface

Enabling and disabling Device Control

About access rules

Editing a device access rule

Monitoring usage of removable drives

Adding a Wi-Fi network to the trusted list

Editing a connection bus access rule

Actions with trusted devices

Obtaining access to a blocked device

Application Control functionality limitations

Anti-Bridging

Page top

[Topic 176742]

Application Control

Configuring Application Control consists of the following steps:

Creating application categories.
The administrator creates categories of applications that the administrator wants to manage. Categories of applications are intended for all computers in the corporate network, regardless of administration groups. To create a category, you can use the following criteria: KL category (for example, Browsers), file hash, application vendor, and other criteria.
Creating Application Control rules.
The administrator creates Application Control rules in the policy for the administration group. The rule includes the categories of applications and the startup status of applications from these categories: blocked or allowed.
Selecting the Application Control mode.
The administrator chooses the mode for working with applications that are not included in any of the rules (application denylist and allowlist).

When a user attempts to start a prohibited application, Kaspersky Endpoint Security will block the application from starting and will display a notification (see the figure below).

A test mode is provided to check the configuration of Application Control. In this mode, Kaspersky Endpoint Security does the following:

Allows the startup of applications, including prohibited ones.
Shows a notification about the startup of a prohibited application and adds information to the report on the user's computer.
Sends data about the startup of prohibited applications to Kaspersky Security Center.

Application Control notification

Application Control operating modes

The Application Control component operates in two modes:

Denylist. In this mode, Application Control allows users to start all applications except for applications that are prohibited in Application Control rules.
This mode of Application Control is enabled by default.
Allowlist. In this mode, Application Control blocks users from starting any applications except for applications that are allowed and not prohibited in Application Control rules.
If the allow rules of Application Control are fully configured, the component blocks the startup of all new applications that have not been verified by the LAN administrator, while allowing the operation of the operating system and of trusted applications that users rely on in their work.

You can read the recommendations on configuring Application Control rules in allowlist mode.

Application Control can be configured to operate in these modes both by using the Kaspersky Endpoint Security local interface and by using Kaspersky Security Center.

However, Kaspersky Security Center offers tools that are not available in the Kaspersky Endpoint Security local interface, such as the tools that are needed for the following tasks:

Creating application categories.
Application Control rules created in the Kaspersky Security Center Administration Console are based on your custom application categories and not on inclusion and exclusion conditions as is the case in the Kaspersky Endpoint Security local interface.
Receiving information about applications that are installed on corporate LAN computers.

This is why it is recommended to use Kaspersky Security Center to configure the operation of the Application Control component.

Application Control operating algorithm

Kaspersky Endpoint Security uses an algorithm to make a decision about starting an application (see the figure below).

Application Control operating algorithm

Application Control component settings

Parameter	Description
Test mode	If the toggle button is switched on, Kaspersky Endpoint Security allows the startup of an application that is blocked in the current Application Control mode, but logs information about its startup in the report.
Application Control mode	You can choose one of the following options: Denylist. If this option is selected, Application Control allows all users to start any applications, except in cases that satisfy the conditions of Application Control block rules. Allowlist. If this option is selected, Application Control blocks all users from starting any applications, except in cases that satisfy the conditions of Application Control allow rules. When Allowlist mode is selected, two Application Control rules are automatically created: Golden Image. Trusted Updaters. You cannot edit the settings of or delete automatically created rules. You can enable or disable these rules.
Control DLL	If the check box is selected, Kaspersky Endpoint Security controls the loading of DLL modules when users attempt to start applications. Information about the DLL module and the application that loaded this DLL module is logged in the report. When enabling control over the loading of DLL modules and drivers, make sure that one of the following rules is enabled in the Application Control settings: the default Golden Image rule or another rule that contains the "Trusted certificates" KL category and ensures that trusted DLL modules and drivers are loaded before Kaspersky Endpoint Security is started. Enabling control of the loading of DLL modules and drivers when the Golden Image rule is disabled may cause instability in the operating system. Kaspersky Endpoint Security monitors only the DLL modules and drivers that have been loaded since the check box was selected. After selecting the check box, it is recommended to restart the computer to ensure that the application monitors all DLL modules and drivers, including those loaded before Kaspersky Endpoint Security starts.
Message templates	Message about blocking. Template of the message that is displayed when an Application Control rule that blocks an application from starting is triggered. Message to administrator. Template of the message that a user can send to the corporate LAN administrator if the user believes that an application was blocked by mistake.

See also: Managing the application via the local interface

Enabling and disabling Application Control

Managing Application Control rules in Kaspersky Security Center

Working with Application Control rules in the application interface

Testing Application Control rules

Selecting the Application Control mode

Rules for creating name masks for files or folders

Enabling and disabling Adaptive Anomaly Control

Page top

[Topic 176744]

Adaptive Anomaly Control

Adaptive Anomaly Control settings

Configuring Adaptive anomaly control consists of the following steps:

Training Adaptive Anomaly Control.
After you enable Adaptive Anomaly Control, its rules work in training mode. During the training, Adaptive Anomaly Control monitors rule triggering and sends triggering events to Kaspersky Security Center. Each rule has its own duration of the training mode. The duration of the training mode is set by Kaspersky experts. Normally, the training mode is active for two weeks.

If a rule is not triggered at all during the training, Adaptive Anomaly Control will consider the actions associated with this rule as non-typical. Kaspersky Endpoint Security will block all actions associated with that rule.

If a rule was triggered during training, Kaspersky Endpoint Security logs events in the rule triggering report and the Triggering of rules in Smart Training mode repository.
Analyzing the rule triggering report.
The administrator analyzes the rule triggering report or the contents of the Triggering of rules in Smart Training mode repository. Then the administrator can select the behavior of Adaptive Anomaly Control when the rule is triggered: either block or allow. The administrator can also continue to monitor how the rule works and extend the duration of the training mode. If the administrator does not take any action, the application will also continue to work in training mode. The training mode term is restarted.

Adaptive Anomaly Control is configured in real time. Adaptive Anomaly Control is configured via the following channels:

Adaptive Anomaly Control automatically starts to block the actions associated with the rules that were never triggered in training mode.
Kaspersky Endpoint Security adds new rules or removes obsolete ones.
The administrator configures the operation of the Adaptive Anomaly Control after reviewing the rule triggering report and the contents of the Triggering of rules in Smart Training mode repository. It is recommended to check the rule triggering report and the contents of the Triggering of rules in Smart Training mode repository.

When a malicious application attempts to perform an action, Kaspersky Endpoint Security will block the action and display a notification (see figure below).

Adaptive Anomaly Control notification

Adaptive Anomaly Control operating algorithm

Kaspersky Endpoint Security decides whether to allow or block an action that is associated with a rule based on the following algorithm (see the figure below).

Adaptive Anomaly Control operating algorithm

Adaptive Anomaly Control component settings

Parameter	Description
Rule status report (available only in the Kaspersky Security Center Console)	This report contains information about the status of Adaptive Anomaly Control detection rules (for example, the Off or Block). The report is generated for all administration groups.
Rule triggering report (available only in the Kaspersky Security Center Console)	This report contains information about non-typical actions detected using Adaptive Anomaly Control. The report is generated for all administration groups.
Rules	Adaptive Anomaly Control table of rules. Rules are created by Kaspersky specialists based on typical scenarios of potentially malicious activity.
Templates	Message about blocking. Template of the message that is displayed to a user when an Adaptive Anomaly Control rule that blocks a non-typical action is triggered. Message to administrator. Template of the message that a user can be sent to the local corporate network administrator if the user considers the blocking to be a mistake.

See also: Managing the application via the local interface

Enabling and disabling an Adaptive Anomaly Control rule

Modifying the action taken when an Adaptive Anomaly Control rule is triggered

Creating an exclusion for an Adaptive Anomaly Control rule

Exporting and importing exclusions for Adaptive Anomaly Control rules

Applying updates for Adaptive Anomaly Control rules

Viewing Adaptive Anomaly Control reports

Page top

[Topic 176745]

Endpoint Sensor

Endpoint Sensor is not included in Kaspersky Endpoint Security 11.4.0.

You can manage the Endpoint Sensor in the Kaspersky Security Center 12 Web Console and in the Kaspersky Security Center Administration Console. It is not possible to manage Endpoint Sensor in the Kaspersky Security Center Cloud Console.

Endpoint Sensor is designed to interact with Kaspersky Anti Targeted Attack Platform. Kaspersky Anti Targeted Attack Platform is a solution designed for timely detection of sophisticated threats such as targeted attacks, advanced persistent threats (APT), zero-day attacks, and others. Kaspersky Anti Targeted Attack Platform includes two functional blocks: Kaspersky Anti Targeted Attack (hereinafter also referred to as "KATA") and Kaspersky Endpoint Detection and Response (hereinafter also referred to as "KEDR"). You can purchase KEDR separately. For detailed information on the solution. refer to the Kaspersky Anti Targeted Attack Platform Help.

Managing Endpoint Sensor has the following limitations:

You can configure Endpoint Sensor settings in a policy provided that Kaspersky Endpoint Security version 11.0.0 to 11.3.0 is installed on the computer. For more information about configuring Endpoint Sensor settings using the policy, refer to the help articles for the previous versions of Kaspersky Endpoint Security.
If Kaspersky Endpoint Security version 11.4.0 and later is installed on the computer, you cannot configure Endpoint Sensor settings in the policy.

Endpoint Sensor is installed on client computers. On these computers, the component constantly monitors processes, active network connections, and files that are modified. Endpoint Sensor relays information to the KATA server.

The component functionality is available under the following operating systems:

Windows 7 Service Pack 1 Home / Professional / Enterprise;
Windows 8.1.1 Professional / Enterprise;
Windows 10 RS3 Home / Professional / Education / Enterprise;
Windows 10 RS4 Home / Professional / Education / Enterprise;
Windows 10 RS5 Home / Professional / Education / Enterprise;
Windows 10 RS6 Home / Professional / Education / Enterprise;
Windows Server 2008 R2 Foundation / Standard / Enterprise (64-bit);
Windows Server 2012 Foundation / Standard / Enterprise (64-bit);
Windows Server 2012 R2 Foundation / Standard / Enterprise (64-bit);
Windows Server 2016 Essentials / Standard (64-bit).

For detailed information on KATA operation, please refer to the Kaspersky Anti Targeted Attack Platform Help Guide.

Page top

[Topic 193687]

Full Disk Encryption

You can select an encryption technology: Kaspersky Disk Encryption or BitLocker Drive Encryption (hereinafter also referred to as simply "BitLocker").

Kaspersky Disk Encryption

After the system hard drives have been encrypted, at the next computer startup the user must complete authentication using the Authentication Agent before the hard drives can be accessed and the operating system is loaded. This requires entering the password of the token or smart card connected to the computer, or the user name and password of the Authentication Agent account created by the local area network administrator using the Manage Authentication Agent accounts task. These accounts are based on Microsoft Windows accounts under which users log into the operating system. You can also use Single Sign-On (SSO) technology, which lets you automatically log in to the operating system using the user name and password of the Authentication Agent account.

User authentication in the Authentication Agent can be performed in two ways:

Enter the name and password of the Authentication Agent account created by the LAN administrator using Kaspersky Security Center tools.
Enter the password of a token or smart card connected to the computer.
Use of a token or smart card is available only if the computer hard drives were encrypted using the AES256 encryption algorithm. If the computer hard drives were encrypted using the AES56 encryption algorithm, addition of the electronic certificate file to the command will be denied.

BitLocker Drive Encryption

TPM.
TPM and PIN.
Password.

Kaspersky Disk Encryption component settings

Parameter	Description
Encryption mode	Encrypt all hard drives. If this item is selected, the application encrypts all hard drives when the policy is applied. If the computer has several operating systems installed, after encryption you will be able to load only the operating system that has the application installed. Decrypt all hard drives. If this item is selected, the application decrypts all previously encrypted hard drives when the policy is applied. Leave unchanged. If this item is selected, the application leaves drives in their previous state when the policy is applied. If the drive was encrypted, it remains encrypted. If the drive was decrypted, it remains decrypted. This item is selected by default.
During encryption, automatically create Authentication Agent accounts for Windows users	If this check box is selected, the application creates Authentication Agent accounts based on the list of Windows user accounts on the computer. By default, Kaspersky Endpoint Security uses all local and domain accounts with which the user logged in to the operating system over the past 30 days.
Authentication Agent account creation settings	All accounts on the computer. If this check box is selected, when running the full disk encryption task Kaspersky Endpoint Security creates Authentication Agent accounts for all computer accounts that have ever been active. All domain accounts on the computer. If this check box is selected, when running the full disk encryption task Kaspersky Endpoint Security creates Authentication Agent accounts for all computer accounts belonging to a certain domain that have ever been active. All local accounts on the computer. If this check box is selected, when running the full disk encryption task Kaspersky Endpoint Security creates Authentication Agent accounts for all local computer accounts that have ever been active. Local administrator. If this check box is selected, when running the full disk encryption task Kaspersky Endpoint Security creates a local administrator account. Computer manager. If this check box is selected, when running the full disk encryption task Kaspersky Endpoint Security creates an Authentication Agent account for the account whose properties in Active Directory show that it is a management account. Active account. If this check box is selected, when running the full disk encryption task Kaspersky Endpoint Security automatically creates an Authentication Agent account for the computer account that is active during the task.
Automatically create Authentication Agent accounts for all users of this computer upon sign-in	If this check box is selected, the application checks information about Windows user accounts on the computer before starting Authentication Agent. If Kaspersky Endpoint Security detects a Windows user account that has no Authentication Agent account, the application will create a new account for accessing encrypted drives. The new Authentication Agent account will have the following default settings: password-protected sign-on only, and password change on first authentication. Therefore, you do not need to manually add Authentication Agent accounts using the Manage Authentication Agent accounts task for computers with already encrypted drives.
Save user name entered in Authentication Agent	If the check box is selected, the application saves the name of the Authentication Agent account. You will not be required to enter the account name the next time you attempt to complete authorization in the Authentication Agent under the same account.
Encrypt used disk space only	This check box enables / disables the option that limits the encryption area to only occupied hard drive sectors. This limit lets you reduce encryption time. Enabling or disabling the Encrypt used disk space only (reduces encryption time) feature after starting encryption does not modify this setting until the hard drives are decrypted. You must select or clear the check box before starting encryption. If the check box is selected, only portions of the hard drive that are occupied by files are encrypted. Kaspersky Endpoint Security automatically encrypts new data as it is added. If the check box is cleared, the entire hard drive is encrypted, including residual fragments of previously deleted and modified files. This option is recommended for new hard drives whose data has not been modified or deleted. If you are applying encryption on a hard drive that is already in use, it is recommended to encrypt the entire hard drive. This ensures protection of all data, even deleted data that is potentially recoverable. This check box is cleared by default.
Use Legacy USB Support	This check box enables/disables the Legacy USB Support function. Legacy USB Support is a BIOS/UEFI function that allows you to use USB devices (such as a security token) during the computer's boot phase before starting the operating system (BIOS mode). Legacy USB Support does not affect support for USB devices after the operating system is started. If the check box is selected, support for USB devices during initial startup of the computer will be enabled. When the Legacy USB Support function is enabled, the Authentication Agent in BIOS mode does not support working with tokens via USB. It is recommended to use this option only when there is a hardware compatibility issue and only for those computers on which the problem occurred.
Password settings	Authentication Agent account password strength settings. You can also enable the use of Single Sign-On (SSO) technology. SSO technology makes it possible to use the same account credentials to access encrypted hard drives and to sign in to the operating system. If the check box is selected, you must enter the account credentials for accessing encrypted hard drives and then automatically logging in to the operating system. If the check box is cleared, to access encrypted hard drives and subsequently log into the operating system you must separately enter the credentials for accessing encrypted hard drives and the operating system user account credentials.
Help texts	Authentication. Help text that appears in the Authentication Agent window when entering account credentials. Change password. Help text that appears in the Authentication Agent window when changing the password for the Authentication Agent account. Recover password. Help text that appears in the Authentication Agent window when recovering the password for the Authentication Agent account.

BitLocker Drive Encryption component settings

Parameter	Description
Encryption mode	Encrypt all hard drives. If this item is selected, the application encrypts all hard drives when the policy is applied. If the computer has several operating systems installed, after encryption you will be able to load only the operating system that has the application installed. Decrypt all hard drives. If this item is selected, the application decrypts all previously encrypted hard drives when the policy is applied. Leave unchanged. If this item is selected, the application leaves drives in their previous state when the policy is applied. If the drive was encrypted, it remains encrypted. If the drive was decrypted, it remains decrypted. This item is selected by default.
Enable use of BitLocker authentication requiring preboot keyboard input on slates	This check box enables / disables the use of authentication requiring data input in a preboot environment, even if the platform does not have the capability for preboot input (for example, with touchscreen keyboards on tablets). The touchscreen of tablet computers is not available in the preboot environment. To complete BitLocker authentication on tablet computers, the user must connect a USB keyboard, for example. If the check box is selected, use of authentication requiring preboot input is allowed. It is recommended to use this setting only for devices that have alternative data input tools in a preboot environment, such as a USB keyboard in addition to touchscreen keyboards. If the check box is cleared, BitLocker Drive Encryption is not possible on tablets.
Use hardware encryption	If the check box is selected, the application applies hardware encryption. This lets you increase the speed of encryption and use less computer resources.
Encrypt used disk space only (Windows 8 and later versions)	This check box enables / disables the option that limits the encryption area to only occupied hard drive sectors. This limit lets you reduce encryption time. Enabling or disabling the Encrypt used disk space only (reduces encryption time) feature after starting encryption does not modify this setting until the hard drives are decrypted. You must select or clear the check box before starting encryption. If the check box is selected, only portions of the hard drive that are occupied by files are encrypted. Kaspersky Endpoint Security automatically encrypts new data as it is added. If the check box is cleared, the entire hard drive is encrypted, including residual fragments of previously deleted and modified files. This option is recommended for new hard drives whose data has not been modified or deleted. If you are applying encryption on a hard drive that is already in use, it is recommended to encrypt the entire hard drive. This ensures protection of all data, even deleted data that is potentially recoverable. This check box is cleared by default.
Authentication settings	Use password (Windows 8 and later versions) If this option is selected, Kaspersky Endpoint Security prompts the user for a password when the user attempts to access an encrypted drive. This option can be selected when a Trusted Platform Module (TPM) is not being used. Use Trusted Platform Module (TPM) If this option is selected, BitLocker uses a Trusted Platform Module (TPM). A Trusted Platform Module (TPM) is a microchip developed to provide basic functions related to security (for example, to store encryption keys). A Trusted Platform Module is usually installed on the computer motherboard and interacts with all other system components via the hardware bus. For computers running Windows 7 or Windows Server 2008 R2, only encryption using a TPM module is available. If a TPM module is not installed, BitLocker encryption is not possible. Use of a password on these computers is not supported. A device equipped with a Trusted Platform Module can create encryption keys that can be decrypted only with the device. A Trusted Platform Module encrypts encryption keys with its own root storage key. The root storage key is stored within the Trusted Platform Module. This provides an additional level of protection against attempts to hack encryption keys. This action is selected by default. You can set an additional layer of protection for access to the encryption key, and encrypt the key with a password or a PIN: Use PIN for TPM. If this check box is selected, a user can use of a PIN code to obtain access to an encryption key that is stored in a Trusted Platform Module (TPM). If this check box is cleared, users are prohibited from using PIN codes. To access the encryption key, a user must enter the password. You can allow the user to use enhanced PIN. Enhanced PIN allows using other characters in addition to numerical characters: uppercase and lowercase Latin letters, special characters, and spaces. Use Trusted Platform Module (TPM); if it is unavailable - use password. If the check box is selected, the user can use a password to obtain access to encryption keys when a Trusted Platform Module (TPM) is not available. If the check box is cleared and the TPM is not available, full disk encryption will not start.

See also: About managing the application via the Kaspersky Security Center Administration Console

Full disk encryption using Kaspersky Disk Encryption technology

Starting BitLocker Drive Encryption

Creating a list of hard drives excluded from encryption

Hard drive decryption

Updating the operating system

Eliminating errors of encryption functionality update

Page top

[Topic 193688]

File Level Encryption

You can compile lists of files by extension or group of extensions and lists of folders stored on local computer drives, and create rules for encrypting files that are created by specific applications. After a policy is applied, Kaspersky Endpoint Security encrypts and decrypts the following files:

files individually added to lists for encryption and decryption;
files stored in folders added to lists for encryption and decryption;
files created by separate applications.

File encryption has the following special features:

Kaspersky Endpoint Security encrypts / decrypts files in predefined folders only for local user profiles of the operating system. Kaspersky Endpoint Security does not encrypt or decrypt files in predefined folders of roaming user profiles, mandatory user profiles, temporary user profiles, or redirected folders.

Kaspersky Endpoint Security does not encrypt files whose modification could harm the operating system and installed applications. For example, the following files and folders with all nested folders are on the list of encryption exclusions:

%WINDIR%;
%PROGRAMFILES% and %PROGRAMFILES(X86)%;
Windows registry files.

The list of encryption exclusions cannot be viewed or edited. While files and folders on the list of encryption exclusions can be added to the encryption list, they will not be encrypted during file encryption.

File Level Encryption component settings

Parameter	Description
Manage encryption	Leave unchanged. If this item is selected, Kaspersky Endpoint Security leaves the files and folders unchanged without encrypting or decrypting them. Encrypt according to rules. If this item is selected, Kaspersky Endpoint Security encrypts the files and folders according to encryption rules, decrypts the files and folders according to decryption rules, and regulates the access of applications to encrypted files according to application rules. Decrypt all. If this item is selected, Kaspersky Endpoint Security decrypts all encrypted files and folders.
Encryption rules	This tab shows encryption rules for files stored on local drives. You can add files as follows: Predefined folders. Kaspersky Endpoint Security allows you to add the following areas: Documents. Files in the standard Documents folder of the operating system, and its subfolders. Favorites. Files in the standard Favorites folder of the operating system, and its subfolders. Desktop. Files in the standard Desktop folder of the operating system, and its subfolders. Temporary files. Temporary files related to the operation of applications installed on the computer. For example, Microsoft Office applications create temporary files containing backup copies of documents. Outlook files. Files related to the operation of the Outlook mail client: data files (PST), offline data files (OST), offline address book files (OAB), and personal address book files (PAB). Folders. You can type the path to the folder. When adding a folder path, adhere to the following rules: Use an environment variable (for example, `%FOLDER%\UserFolder\`). You can use an environment variable only once and only at the beginning of the path. Do not use relative paths. You can use the set `\..\` (e.g. `C:\Users\..\UserFolder\`). The set `\..\` denotes the transition to the parent folder. Do not use the `` and `?` characters. Do not use UNC paths. Use `;` or `,` as a separator character. Files by extension. You can select extension groups from the list, such as the extension group Archives*. You can also manually add the file extension.
Decryption rules	This tab shows decryption rules for files stored on local drives.
Rules for applications	The tab displays a table containing encrypted file access rules for applications and encryption rules for files that are created or modified by individual applications.
Encrypted package password settings	Password strength requirements to meet when creating encrypted packages.

See also: About managing the application via the Kaspersky Security Center Administration Console

Encrypting files on local computer drives

Forming encrypted file access rules for applications

Encrypting files that are created or modified by specific applications

Generating a decryption rule

Decrypting files on local computer drives

Creating encrypted packages

Restoring access to encrypted data after operating system failure

Page top

[Topic 193689]

Encryption of removable drives

To protect data on removable drives, you can use the following types of encryption:

Full Disk Encryption (FDE).
Encryption of the entire removable drive, including the file system.

It is not possible to access encrypted data outside the corporate network. It is also impossible to access encrypted data inside the corporate network if the computer is not connected to Kaspersky Security Center (e.g. on a guest computer).
File Level Encryption (FLE).
Encryption of only files on a removable drive. The file system remains unchanged.

Encryption of files on removable drives provides the capability to access data outside the corporate network using a special mode called portable mode.

During encryption, Kaspersky Endpoint Security creates a master key. Kaspersky Endpoint Security saves the master key in the following repositories:

Kaspersky Security Center.
User's computer.
The master key is encrypted with the user's secret key.
Removable drive.
The master key is encrypted with the public key of Kaspersky Security Center.

After encryption is complete, the data on the removable drive can be accessed within the corporate network as if was on an ordinary unencrypted removable drive.

Accessing encrypted data

When a removable drive with encrypted data is connected, Kaspersky Endpoint Security performs the following actions:

Checks for a master key in the local storage on the user's computer.
If the master key is found, the user gains access to the data on the removable drive.

If the master key is not found, Kaspersky Endpoint Security performs the following actions:
1. Sends a request to Kaspersky Security Center.
  After receiving the request, Kaspersky Security Center sends a response that contains the master key.
2. Kaspersky Endpoint Security saves the master key in the local storage on the user's computer for subsequent operations with the encrypted removable drive.
Decrypts the data.

Special features of removable drive encryption

Encryption of removable drives has the following special features:

The policy with preset settings for removable drive encryption is formed for a specific group of managed computers. Therefore, the result of applying the Kaspersky Security Center policy configured for encryption / decryption of removable drives depends on the computer to which the removable drive is connected.
Kaspersky Endpoint Security does not encrypt / decrypt read-only files that are stored on removable drives.

The following device types are supported as removable drives:

Data media connected via the USB bus
hard drives connected via USB and FireWire buses
SSD drives connected via USB and FireWire buses

Encryption of removable drives component settings

Parameter	Description
Manage encryption	Encrypt entire removable drive. If this item is selected, when applying the policy with the specified encryption settings for removable drives, Kaspersky Endpoint Security encrypts removable drives sector by sector, including their file systems. Encrypt all files. If this item is selected, when applying the policy with the specified encryption settings for removable drives, Kaspersky Endpoint Security encrypts all files that are stored on removable drives. Kaspersky Endpoint Security does not re-encrypt files that are already encrypted. The contents of the file system of a removable drive, including the folder structure and names of encrypted files, are not encrypted and remain accessible. Encrypt new files only. If this item is selected, when applying the policy with the specified encryption settings for removable drives, Kaspersky Endpoint Security encrypts only those files that were added or modified on removable drives after the Kaspersky Security Center policy was last applied. This encryption mode is convenient when a removable drive is used for both personal and work purposes. This encryption mode lets you leave all old files unchanged and encrypt only those files that the user creates on a work computer that has Kaspersky Endpoint Security installed and encryption functionality enabled. As a result, access to personal files is always available, regardless of whether or not Kaspersky Endpoint Security is installed on the computer with encryption functionality enabled. Decrypt entire removable drive. If this item is selected, when applying the policy with the specified encryption settings for removable drives, Kaspersky Endpoint Security decrypts all encrypted files stored on removable drives as well as the file systems of the removable drives if they were previously encrypted. Leave unchanged. If this item is selected, the application leaves drives in their previous state when the policy is applied. If the drive was encrypted, it remains encrypted. If the drive was decrypted, it remains decrypted. This item is selected by default.
Portable mode	This check box enables / disables the preparation of a removable drive that makes it possible to access files stored on this removable drive on computers outside of the corporate network. If this check box is selected, Kaspersky Endpoint Security prompts the user to specify a password before encrypting files on a removable drive upon the application of the policy. The password is needed to access files encrypted on a removable drive on computers outside of the corporate network. You can configure the password strength. Portable mode is available for the Encrypt all files or Encrypt new files only modes.
Encrypt used disk space only	This check box enables / disables the encryption mode in which only occupied disk sectors are encrypted. This mode is recommended for new drives whose data has not been modified or deleted. If the check box is selected, only portions of the drive that are occupied by files are encrypted. Kaspersky Endpoint Security automatically encrypts new data as it is added. If the check box is cleared, the entire drive is encrypted, including residual fragments of previously deleted and modified files. The ability to encrypt only occupied space is available only for the Encrypt entire removable drive mode. After encryption started, enabling / disabling the Encrypt used disk space only function will not change this setting. You must select or clear the check box before starting encryption.
Encryption rules for selected devices	This table contains devices for which custom encryption rules are defined. You can create encryption rules for individual removable drives in the following ways: Add a removable drive from the list of trusted devices for Device Control. Manually add a removable drive: By device ID (Hardware ID, or HWID) By device model: vendor ID (VID) and product ID (PID)
Allow removable drive encryption in offline mode	If this check box is selected, Kaspersky Endpoint Security encrypts removable drives even when there is no connection to Kaspersky Security Center. In this case, the data required for decrypting removable drives is stored on the hard drive of the computer to which the removable drive is connected, and is not transmitted to Kaspersky Security Center. If the check box is cleared, Kaspersky Endpoint Security does not encrypt removable drives without a connection to Kaspersky Security Center.
Portable mode password settings	Password strength settings for the Portable File Manager.

See also: About managing the application via the Kaspersky Security Center Administration Console

Starting encryption of removable drives

Adding an encryption rule for removable drives

Portable mode for accessing encrypted files on removable drives

Decryption of removable drives

Page top

[Topic 193690]

Templates (data encryption)

After data encryption, Kaspersky Endpoint Security may restrict access to data, for example, due to a change in the organization's infrastructure and a change in the Kaspersky Security Center Administration Server. If a user does not have access to encrypted data, the user can ask the administrator for access to the data. In other words, the user needs to send a request access file to the administrator. The user then needs to upload the response file received from the administrator to Kaspersky Endpoint Security. Kaspersky Endpoint Security allows you to request access to data from the administrator via email (see the figure below).

Requesting access to encrypted data

A template is provided for reporting a lack of access to encrypted data. For user convenience, you can fill out the following fields:

To. Enter the email address of the administrator group with rights to the data encryption features.
Subject. Enter the subject of the email with your request for access to encrypted files. You can, for example, add tags to filter messages.
Message. If necessary, change the contents of the message. You can use variables to get the necessary data (for example, %USER_NAME% variable).

See also: About managing the application via the Kaspersky Security Center Administration Console

Editing templates of encrypted file access messages

Page top

[Topic 178487]

Exclusions

A trusted zone is a system administrator-configured list of objects and applications that Kaspersky Endpoint Security does not monitor when active.

Scan exclusions

A scan exclusion is a set of conditions that must be fulfilled so that Kaspersky Endpoint Security will not scan a particular object for viruses and other threats.

Scan exclusions can be used by the following application components and tasks that are configured by the system administrator:

Behavior Detection.
Exploit Prevention.
Host Intrusion Prevention.
File Threat Protection.
Web Threat Protection.
Mail Threat Protection.
Scan tasks.

List of trusted applications

Settings of exclusions

Parameter

Description

Types of detected objects

Regardless of the configured application settings, Kaspersky Endpoint Security always detects and blocks viruses, worms, and Trojans. They can cause significant harm to the computer.

Viruses and worms

Subcategory: viruses and worms (Viruses_and_Worms)

Threat level: high

Classic viruses and worms perform actions that are not authorized by the user. They can create copies of themselves which are able to self-replicate.

Classic virus

When a classic virus infiltrates a computer, it infects a file, activates, performs malicious actions, and adds copies of itself to other files.

Worm

Ways in which worms spread

Type	Name	Description
Email-Worm	Email-Worm	They spread via email. An infected email message contains an attached file with a copy of a worm, or a link to a file that is uploaded to a website which may have been hacked or created exclusively for that purpose. When you open the attached file, the worm is activated. When you click the link, download, and then open the file, the worm also starts performing its malicious actions. After that, it goes on spreading copies of itself, searching for other email addresses and sending infected messages to them.
IM-Worm	IM clients	They spread through IM clients. Usually, such worms send messages that contain a link to a file with a copy of the worm on a website, making use of the user's contact lists. When the user downloads and opens the file, the worm activates.
IRC-Worm	Internet chat worms	They spread via Internet Relay Chats, service systems which allow communicating with other people over the Internet in real time. These worms publish a file with a copy of themselves or a link to the file in an Internet chat. When the user downloads and opens the file, the worm activates.
Net-Worm	Network worms	These worms spread over computer networks. Unlike other types of worms, a typical network worm spreads without the user's participation. It scans the local network for computers that contain programs with vulnerabilities. To do this, it sends a specially formed network packet (exploit) which contains the worm code or a part of it. If a "vulnerable" computer is on the network, it receives such a network packet. When the worm completely penetrates the computer, it activates.
P2P-Worm	File sharing network worms	They spread over peer-to-peer file sharing networks. To infiltrate a P2P network, the worm copies itself into a file sharing folder which is usually located on the user's computer. The P2P network displays information about this file so that the user may "find" the infected file on the network like any other file, and then download and open it. More sophisticated worms emulate the network protocol of a specific P2P network: they return positive responses to search queries and offer copies of themselves for download.
Worm	Other types of worms	Other types of worms include: Worms that spread copies of themselves over network resources. By using the functions of the operating system, they scan available network folders, connect to computers on the Internet, and attempt to obtain full access to their disk drives. Unlike the previously described types of worms, other types of worms activate not on their own, but when the user opens a file that contains a copy of the worm. Worms that do not use any of the methods described in the previous table to spread (for example, those that spread over cell phones).

Trojans

Subcategory: Trojans

Threat level: high

Hackers often use "sets" of various Trojans.

Types of Trojan behavior are described in the following table.

Types of Trojan behavior on an infected computer

Type	Name	Description
Trojan-ArcBomb	Trojans – "archive bombs"	When unpacked, these archives grow in size to such an extent that the computer's operation is impacted. When the user attempts to unpack such an archive, the computer may slow down or freeze; the hard disk may become filled with "empty" data. "Archive bombs" are especially dangerous to file and mail servers. If the server uses an automatic system to process incoming information, an "archive bomb" may halt the server.
Backdoor	Trojans for remote administration	They are considered the most dangerous type of Trojan. In their functions, they are similar to remote administration applications that are installed on computers. These programs install themselves on the computer without being noticed by the user, allowing the intruder to manage the computer remotely.
Trojan	Trojans	They include the following malicious applications: Classic Trojans. These programs perform only the main functions of Trojans: blocking, modifying or destroying information, and disabling computers or networks. They do not have any advanced features, unlike the other types of Trojans that are described in the table. Versatile Trojans. These programs have advanced features typical of several types of Trojans.
Trojan-Ransom	Ransom Trojans	They take the user's information "hostage", modifying or blocking it, or impact the computer's operation so that the user loses the ability to use information. The intruder demands a ransom from the user, promising to send an application to restore the computer's performance and the data that had been stored on it.
Trojan-Clicker	Trojan clickers	They access web pages from the user's computer, either by sending commands to a browser on their own or by changing the web addresses that are specified in operating system files. By using these programs, intruders perpetrate network attacks and increase website visits, increasing the number of displays of banner ads.
Trojan-Downloader	Trojan downloaders	They access the intruder's web page, download other malicious applications from it, and install them on the user's computer. They can contain the file name of the malicious application to download, or receive it from the web page that is accessed.
Trojan-Dropper	Trojan droppers	They contain other Trojans which they install on the hard drive and then install. Intruders may use Trojan Dropper–type programs for the following goals: Install a malicious application without being noticed by the user: Trojan Dropper–type programs display no messages, or display fake messages which inform, for example, of an error in an archive or an incompatible version of the operating system. Protect another known malicious application from detection: not all anti-virus software can detect a malicious application within a Trojan Dropper–type application.
Trojan-Notifier	Trojan notifiers	They inform an intruder that the infected computer is accessible, sending the intruder information about the computer: IP address, number of opened port, or email address. They connect with the intruder via email, FTP, accessing the intruder's web page, or in another way. Trojan Notifier–type programs are often used in sets that are made of several Trojans. They notify the intruder that other Trojans have been successfully installed on the user's computer.
Trojan-Proxy	Trojan proxies	They allow the intruder to anonymously access web pages by using the user's computer; they are often used for sending spam.
Trojan-PSW	Password-stealing-ware	Password-stealing-ware is a kind of Trojan that steals user accounts, such as software registration data. These Trojans find confidential data in system files and in the registry and send it to the "master" by email, via FTP, by accessing the intruder's web page, or in another way. Some of these Trojans are categorized into separate types that are described in this table. These are Trojans that steal bank accounts (Trojan-Banker), steal data from users of IM clients (Trojan-IM), and steal information from users of online games (Trojan-GameThief).
Trojan-Spy	Trojan spies	They spy on the user, collecting information about the actions that the user makes while working at the computer. They may intercept the data that the user enters at the keyboard, take screenshots, or collect lists of active applications. After they receive the information, they transfer it to the intruder by email, via FTP, by accessing the intruder's web page, or in another way.
Trojan-DDoS	Trojan network attackers	They send numerous requests from the user's computer to a remote server. The server lacks resources to process all requests, so it stops functioning (Denial of Service, or simply DoS). Hackers often infect many computers with these programs so that they can use the computers to attack a single server simultaneously. DoS programs perpetrate an attack from a single computer with the user's knowledge. DDoS (Distributed DoS) programs perpetrate distributed attacks from several computers without being noticed by the user of the infected computer.
Trojan-IM	Trojans that steal information from users of IM clients	They steal account numbers and passwords of IM client users. They transfer the data to the intruder by email, via FTP, by accessing the intruder's web page, or in another way.
Rootkit	Rootkits	They mask other malicious applications and their activity, thus prolonging the applications' persistence in the operating system. They can also conceal files, processes in an infected computer's memory, or registry keys which run malicious applications. The rootkits can mask data exchange between applications on the user's computer and other computers on the network.
Trojan-SMS	Trojans in the form of SMS messages	They infect cell phones, sending SMS messages to premium-rate phone numbers.
Trojan-GameThief	Trojans that steal information from users of online games	They steal account credentials from users of online games, after which they send the data to the intruder by email, via FTP, by accessing the intruder's web page, or in another way.
Trojan-Banker	Trojans that steal bank accounts	They steal bank account data or e-money system data; send the data to the hacker by email, via FTP, by accessing the hacker's web page, or by using another method.
Trojan-Mailfinder	Trojans that collect email addresses	They collect email addresses that stored on a computer and send them to the intruder by email, via FTP, by accessing the intruder's web page, or in another way. Intruders may send spam to the addresses they have collected.

Malicious tools

Subcategory: Malicious tools

Danger level: medium

Various features of malicious tools are grouped by the types that are described in the following table.

Features of malicious tools

Type	Name	Description
Constructor	Constructors	They allow creating new viruses, worms, and Trojans. Some constructors boast a standard window-based interface in which the user can select the type of malicious application to create, the way of counteracting debuggers, and other features.
Dos	Network attacks	They send numerous requests from the user's computer to a remote server. The server lacks resources to process all requests, so it stops functioning (Denial of Service, or simply DoS).
Exploit	Exploits	An exploit is a set of data or a program code that uses vulnerabilities of the application in which it is processed, performing a malicious action on a computer. For example, an exploit can write or read files, or request "infected" web pages. Different exploits use vulnerabilities in different applications or network services. Disguised as a network packet, an exploit is transmitted over the network to numerous computers, searching for computers with vulnerable network services. An exploit in a DOC file uses the vulnerabilities of a text editor. It may start performing the actions that are preprogrammed by the hacker when the user opens the infected file. An exploit that is embedded in an email message searches for vulnerabilities in any email client. It may start performing a malicious action as soon as the user opens the infected message in this email client. Net-Worms spread over networks by using exploits. Nuker exploits are network packets that disable computers.
FileCryptor	Encryptors	They encrypt other malicious applications to conceal them from the anti-virus application.
Flooder	Programs for "contaminating" networks	They send numerous messages over network channels. This type of tools includes, for example, programs that contaminate Internet Relay Chats. Flooder-type tools do not include programs that "contaminate" channels that are used by email, IM clients, and mobile communication systems. These programs are distinguished as separate types that are described in the table (Email-Flooder, IM-Flooder, and SMS-Flooder).
HackTool	Hacking tools	They make it possible to hack the computer on which they are installed or attack another computer (for example, by adding new system accounts without the user's permission or by erasing system logs to conceal traces of their presence in the operating system). This type of tools includes some sniffers which feature malicious functions, such as password interception. Sniffers are programs that allow viewing network traffic.
Hoax	Hoaxes	They alarm the user with virus-like messages: they may "detect a virus" in an uninfected file or notify the user that the disk has been formatted, although this has not happened in reality.
Spoofer	Spoofing tools	They send messages and network requests with a fake address of the sender. Intruders use Spoofer-type tools to pass themselves off as the true senders of messages, for example.
VirTool	Tools that modify malicious applications	They allow modifying other malware programs, concealing them from anti-virus applications.
Email-Flooder	Programs that "contaminate" email addresses	They send numerous messages to various email addresses, thus "contaminating" them. A large volume of incoming messages prevents users from viewing useful messages in their inboxes.
IM-Flooder	Programs that "contaminate" traffic of IM clients	They flood users of IM clients with messages. A large volume of messages prevents users from viewing useful incoming messages.
SMS-Flooder	Programs that "contaminate" traffic with SMS messages	They send numerous SMS messages to cell phones.

Adware
Subcategory: advertising software (Adware);

Threat level: medium

Adware displays advertising information to the user. Adware programs display banner ads in the interfaces of other programs and redirect search queries to advertising web pages. Some of them collect marketing information about the user and send it to the developer: this information may include the names of the websites that are visited by the user or the content of the user's search queries. Unlike Trojan-Spy–type programs, adware sends this information to the developer with the user's permission.

Auto-dialers

Subcategory: legal software that may be used by criminals to damage your computer or personal data.

Danger level: medium

However, if intruders gain access to these programs, or if they plant them on the user's computer, some of the application's features may be used to violate security.

These applications differ by function; their types are described in the following table.

Type	Name	Description
Client-IRC	Internet chat clients	Users install these programs to talk to people in Internet Relay Chats. Intruders use them to spread malware.
Dialer	Auto-dialers	They can establish phone connections over a modem in hidden mode.
Downloader	Programs for downloading	They can download files from web pages in hidden mode.
Monitor	Programs for monitoring	They allow monitoring activity on the computer on which they are installed (seeing which applications are active and how they exchange data with applications that are installed on other computers).
PSWTool	Password restorers	They allow viewing and restoring forgotten passwords. Intruders secretly implant them on users' computers with the same purpose.
RemoteAdmin	Remote administration programs	They are widely used by system administrators. These programs allow obtaining access to the interface of a remote computer to monitor and manage it. Intruders secretly implant them on users' computers with the same purpose: to monitor and manage remote computers. Legal remote administration programs differ from Backdoor-type Trojans for remote administration. Trojans have the ability to penetrate the operating system independently and install themselves; legal programs are unable to do so.
Server-FTP	FTP servers	They function as FTP servers. Intruders implant them on the user's computer to open remote access to it via FTP.
Server-Proxy	Proxy servers	They function as proxy servers. Intruders implant them on the user's computer to send spam under the user's name.
Server-Telnet	Telnet servers	They function as Telnet servers. Intruders implant them on the user's computer to open remote access to it via Telnet.
Server-Web	Web servers	They function as web servers. Intruders implant them on the user's computer to open remote access to it via HTTP.
RiskTool	Tools for working at a local computer	They provide the user with additional options when working at the user's own computer. The tools allow the user to hide files or windows of active applications and terminate active processes.
NetTool	Network tools	They provide the user with additional options when working with other computers on the network. These tools allow restarting them, detecting open ports, and starting applications that are installed on the computers.
Client-P2P	P2P network clients	They allow working on peer-to-peer networks. They can be used by intruders for spreading malware.
Client-SMTP	SMTP clients	They send email messages without the user's knowledge. Intruders implant them on the user's computer to send spam under the user's name.
WebToolbar	Web toolbars	They add toolbars to the interfaces of other applications to use search engines.
FraudTool	Pseudo-programs	They pass themselves off as other programs. For example, there are pseudo-anti-virus programs which display messages about malware detection. However, in reality, they do not find or disinfect anything.

Detect other software that can be used by criminals to damage your computer or personal data

Subcategory: legal software that may be used by criminals to damage your computer or personal data.

Danger level: medium

However, if intruders gain access to these programs, or if they plant them on the user's computer, some of the application's features may be used to violate security.

These applications differ by function; their types are described in the following table.

Type	Name	Description
Client-IRC	Internet chat clients	Users install these programs to talk to people in Internet Relay Chats. Intruders use them to spread malware.
Dialer	Auto-dialers	They can establish phone connections over a modem in hidden mode.
Downloader	Programs for downloading	They can download files from web pages in hidden mode.
Monitor	Programs for monitoring	They allow monitoring activity on the computer on which they are installed (seeing which applications are active and how they exchange data with applications that are installed on other computers).
PSWTool	Password restorers	They allow viewing and restoring forgotten passwords. Intruders secretly implant them on users' computers with the same purpose.
RemoteAdmin	Remote administration programs	They are widely used by system administrators. These programs allow obtaining access to the interface of a remote computer to monitor and manage it. Intruders secretly implant them on users' computers with the same purpose: to monitor and manage remote computers. Legal remote administration programs differ from Backdoor-type Trojans for remote administration. Trojans have the ability to penetrate the operating system independently and install themselves; legal programs are unable to do so.
Server-FTP	FTP servers	They function as FTP servers. Intruders implant them on the user's computer to open remote access to it via FTP.
Server-Proxy	Proxy servers	They function as proxy servers. Intruders implant them on the user's computer to send spam under the user's name.
Server-Telnet	Telnet servers	They function as Telnet servers. Intruders implant them on the user's computer to open remote access to it via Telnet.
Server-Web	Web servers	They function as web servers. Intruders implant them on the user's computer to open remote access to it via HTTP.
RiskTool	Tools for working at a local computer	They provide the user with additional options when working at the user's own computer. The tools allow the user to hide files or windows of active applications and terminate active processes.
NetTool	Network tools	They provide the user with additional options when working with other computers on the network. These tools allow restarting them, detecting open ports, and starting applications that are installed on the computers.
Client-P2P	P2P network clients	They allow working on peer-to-peer networks. They can be used by intruders for spreading malware.
Client-SMTP	SMTP clients	They send email messages without the user's knowledge. Intruders implant them on the user's computer to send spam under the user's name.
WebToolbar	Web toolbars	They add toolbars to the interfaces of other applications to use search engines.
FraudTool	Pseudo-programs	They pass themselves off as other programs. For example, there are pseudo-anti-virus programs which display messages about malware detection. However, in reality, they do not find or disinfect anything.

Packed objects whose packing may be used to protect malicious code
Kaspersky Endpoint Security scans compressed objects and the unpacker module within SFX (self-extracting) archives.

To hide dangerous programs from anti-virus applications, intruders archive them by using special packers or create multi-packed files.

Kaspersky virus analysts have identified packers that are the most popular amongst hackers.

If Kaspersky Endpoint Security detects such a packer in a file, the file most likely contains a malicious application or an application that can be used by criminals to cause harm to your computer or personal data.

Kaspersky Endpoint Security singles out the following types of programs:
- Packed files that may cause harm – used for packing malware, such as viruses, worms, and Trojans.
- Multi-packed files (medium threat level) – the object has been packed three times by one or more packers.
Multi-packed files
Kaspersky Endpoint Security scans compressed objects and the unpacker module within SFX (self-extracting) archives.

To hide dangerous programs from anti-virus applications, intruders archive them by using special packers or create multi-packed files.

Kaspersky virus analysts have identified packers that are the most popular amongst hackers.

If Kaspersky Endpoint Security detects such a packer in a file, the file most likely contains a malicious application or an application that can be used by criminals to cause harm to your computer or personal data.

Kaspersky Endpoint Security singles out the following types of programs:
- Packed files that may cause harm – used for packing malware, such as viruses, worms, and Trojans.
- Multi-packed files (medium threat level) – the object has been packed three times by one or more packers.

Exclusions

This table contains information about scan exclusions.

You can exclude objects from scans by using the following methods:

Specify the path to the file or folder.
Enter the object hash.
Use masks:
- The * (asterisk) character, which takes the place of any set of characters, except the \ and / characters (delimiters of the names of files and folders in paths to files and folders). For example, the mask C:\*\*.txt will include all paths to files with the TXT extension located in folders on the C: drive, but not in subfolders.
- Two consecutive * characters take the place of any set of characters (including an empty set) in the file or folder name, including the \ and / characters (delimiters of the names of files and folders in paths to files and folders). For example, the mask C:\Folder\**\*.txt will include all paths to files with the TXT extension located in the folder named Folder and its subfolders. The mask must include at least one nesting level. The mask C:\**\*.txt is not a valid mask.
- The ? (question mark) character, which takes the place of any single character, except the \ and / characters (delimiters of the names of files and folders in paths to files and folders). For example, the mask C:\Folder\???.txt will include paths to all files residing in the folder named Folder that have the TXT extension and a name consisting of three characters.
Enter the name of the object type according to the classification of the Kaspersky Encyclopedia (for example, Email-Worm, Rootkit or RemoteAdmin). You can use masks with the ? character (replaces any single character) and the * character (replaces any number of characters). For example, if the Client* mask is specified, Kaspersky Endpoint Security excludes Client-IRC, Client-P2P and Client-SMTP objects from scans.

Trusted applications

This table lists trusted applications whose activity is not monitored by Kaspersky Endpoint Security during its operation.

The Application Control component regulates the startup of each of the applications regardless of whether or not the application is included in the table of trusted applications.

Merge values when inheriting

(available only in the Kaspersky Security Center Console)

This merges the list of scan exclusions and trusted applications in the parent and child policies of Kaspersky Security Center. To merge lists, the child policy must be configured to inherit the settings of the parent policy of Kaspersky Security Center.

If the check box is selected, list items from the Kaspersky Security Center parent policy are displayed in child policies. This way you can, for example, create a consolidated list of trusted applications for the entire organization.

Inherited list items in a child policy cannot be deleted or edited. Items on the list of scan exclusions and the list of trusted applications that are merged during inheritance can be deleted and edited only in the parent policy. You can add, edit or delete list items in lower-level policies.

If items on lists of the child and parent policy match, these items are displayed as the same item of the parent policy.

If the check box is not selected, list items are not merged when inheriting the settings of Kaspersky Security Center policies.

Allow use of local exclusions / Allow use of local trusted applications

(available only in the Kaspersky Security Center Console)

Local exclusions and local trusted applications (local trusted zone) – user-defined list of objects and applications in Kaspersky Endpoint Security for a specific computer. Kaspersky Endpoint Security does not monitor objects and applications from the local trusted zone. This way, users can create their own local lists of exclusions and trusted applications in addition to the general trusted zone in a policy.

If the check box is selected, a user can create a local list of scan exclusions and a local list of trusted applications. An administrator can use Kaspersky Security Center to view, add, edit, or delete list items in the computer properties.

If the check box is cleared, a user can access only the general lists of scan exclusions and trusted applications generated in the policy. If local lists were generated, after this functionality is disabled Kaspersky Endpoint Security continues excluding the listed objects from scans.

Trusted system certificate store

If one of the trusted system certificate stores is selected, Kaspersky Endpoint Security excludes applications signed with a trusted digital signature from scans. Kaspersky Endpoint Security automatically assigns such applications to the Trusted group.

If Do not use is selected, Kaspersky Endpoint Security scans applications regardless of whether or not they have a digital signature. Kaspersky Endpoint Security places an application in a trust group depending on the level of danger that this application may pose to the computer.

See also: Managing the application via the local interface

Creating a scan exclusion

Enabling and disabling a scan exclusion

Editing the list of trusted applications

Enabling and disabling trusted zone rules for an application in the list of trusted applications

Using trusted system certificate storage

Page top

[Topic 178481]

Application settings

You can configure the following general settings of the application:

Operating mode
Self-Defense
Performance
Debug information

Computer status when settings are applied

Application settings

Parameter	Description
Start Kaspersky Endpoint Security at computer startup	When the check box is selected, Kaspersky Endpoint Security is started after the operating system loads, protecting the computer during the entire session. When the check box is cleared, Kaspersky Endpoint Security is not started after the operating system loads, until the user starts it manually. Computer protection is disabled and user data may be exposed to threats.
Enable Advanced Disinfection technology	If the check box is selected, a pop-up notification appears on the screen when malicious activity is detected in the operating system. In its notification, Kaspersky Endpoint Security offers the user to perform Advanced Disinfection of the computer. After the user approves this procedure, Kaspersky Endpoint Security neutralizes the threat. After completing the advanced disinfection procedure, Kaspersky Endpoint Security restarts the computer. The advanced disinfection technology uses considerable computing resources, which may slow down other applications. If Kaspersky Endpoint Security is installed on a computer running Windows for Servers, Kaspersky Endpoint Security does not show the notification. Therefore, the user cannot select an action to disinfect an active threat. To disinfect a threat, you need to enable advanced disinfection technology in application settings and run advanced disinfection immediately in Virus Scan task settings. Then you need to start Virus Scan task.
Use Kaspersky Security Center as proxy server for activation (available only in the Kaspersky Security Center Console)	If this check box is selected, the Kaspersky Security Center Administration Server is used as a proxy server when activating the application.
Enable Self-Defense	When this check box is selected, Kaspersky Endpoint Security prevents alteration or deletion of application files on the hard drive, memory processes, and entries in the system registry.
Allow managing Kaspersky Endpoint Security settings via remote control applications	If the check box is selected, trusted remote administration applications (such as TeamViewer, LogMeIn Pro, and Remotely Anywhere) can modify Kaspersky Endpoint Security settings. Untrusted remote administration applications are prohibited from modifying Kaspersky Endpoint Security settings even when the check box is selected.
Enable external service control	If the check box is selected, Kaspersky Endpoint Security allows management of application services from a remote computer. When an attempt is made to manage application services remotely, a notification is displayed in the Microsoft Windows taskbar, above the application icon (unless the notification service has been disabled by the user).
Postpone scheduled tasks while running on battery power	If the check box is selected, energy conservation mode is enabled. Kaspersky Endpoint Security postpones scheduled tasks. You can start scan and update tasks manually, if necessary.
Concede resources to other applications	When Kaspersky Endpoint Security runs scheduled tasks, this may result in increased workload on the CPU and disk subsystems, which slows down the performance of other applications. When the check box is selected, Kaspersky Endpoint Security suspends scheduled tasks when it detects an increased load and frees up operating system resources for user applications.
Enable dump writing	If the check box is selected, Kaspersky Endpoint Security writes dumps when it crashes. If the check box is cleared, Kaspersky Endpoint Security does not write dumps. The application also deletes existing dump files from the computer hard drive.
Enable dump and trace files protection	If the check box is selected, access to dump files is granted to the system administrator and local administrator as well as to the user who enabled dump writing. Only system and local administrators can access trace files. If the check box is cleared, any user can access dump files and trace files.
Computer status when settings are applied (available only in the Kaspersky Security Center Console)	Settings for displaying the statuses of client computers with Kaspersky Endpoint Security installed in the Web Console when errors occur while applying a policy or executing a task. The OK, Warning, and Critical statuses are available.

See also: Managing the application via the local interface

Enabling or disabling Advanced Disinfection technology

Kaspersky Endpoint Security Self-Defense

Enabling or disabling energy-saving mode

Enabling or disabling conceding of resources to other applications

Dump writing

Protecting dump files and trace files

Page top

[Topic 178491]

Reports and storage

Reports

Reports are stored in the folder C:\ProgramData\Kaspersky Lab\KES\Report.

Backup

Backup copies of files are stored in the folder C:\ProgramData\Kaspersky Lab\KES\QB.

Kaspersky Endpoint Security does not provide the capability to configure user access permissions to backup copies of files.

Settings of reports and storage

Parameter	Description
Store reports no longer than N days	If the check box is selected, the maximum report storage term is limited to the defined time interval. The default maximum storage term for reports is 30 days. After that period of time, Kaspersky Endpoint Security automatically deletes the oldest entries from the report file.
Limit the size of report file to N MB	If the check box is selected, the maximum report file size is limited to the defined value. By default, the maximum file size is 1024 MB. To avoid exceeding the maximum report file size, Kaspersky Endpoint Security automatically deletes the oldest entries from the report file when the maximum report file size is reached.
Store objects no longer than N days	If the check box is selected, the maximum file storage term is limited to the defined time interval. The default maximum storage term for files is 30 days. After expiration of the maximum storage term, Kaspersky Endpoint Security deletes the oldest files from Backup.
Limit the size of Backup to N MB	If the check box is selected, the maximum storage size is limited to the defined value. By default, the maximum size is 100 MB. To avoid exceeding the maximum storage size, Kaspersky Endpoint Security automatically deletes the oldest files from storage when the maximum storage size is reached.
Data transfer to Administration Server (available only in Kaspersky Security Center)	Categories of events on client computers whose information must be relayed to the Administration Server.

See also: Managing the application via the local interface

View reports

Saving a report to file

Clearing reports

Page top

[Topic 178483]

Network settings

You can configure the proxy server used for connecting to the Internet and updating anti-virus databases, select the network port monitoring mode, and configure encrypted connections scan.

Network options

Parameter	Description
Limit traffic on metered connections	If this check box is selected, the application limits its own network traffic when the Internet connection is limited. Kaspersky Endpoint Security identifies a high-speed mobile Internet connection as a limited connection and identifies a Wi-Fi connection as an unlimited connection. Cost-Aware Networking works on computers running Windows 8 or later.
Inject script into web traffic to interact with web pages	If the check box is selected, Kaspersky Endpoint Security injects a web page interaction script into web traffic. This script ensures that the Web Control component can work correctly. The script enables registration of Web Control events. Without this script, you cannot enable user Internet activity monitoring. Kaspersky experts recommend injecting this web page interaction script into traffic to ensure correct operation of Web Control.
Proxy server	Settings of the proxy server used for Internet access of users of client computers. Kaspersky Endpoint Security uses these settings for certain protection components, including for updating databases and application modules. For automatic configuration of a proxy server, Kaspersky Endpoint Security uses the WPAD protocol (Web Proxy Auto-Discovery Protocol). If the IP address of the proxy server cannot be determined by using this protocol, Kaspersky Endpoint Security uses the proxy server address that is specified in the Microsoft Internet Explorer browser settings.
Bypass proxy server for local addresses	If the check box is selected, Kaspersky Endpoint Security does not use a proxy server when performing an update from a shared folder.
Monitored ports	Monitor all network ports. In this network port monitoring mode, the protection components (File Threat Protection, Web Threat Protection, Mail Threat Protection) monitor data streams that are transmitted via any open network ports of the computer. Monitor selected network ports only. In this network port monitoring mode, the protection components monitor the selected ports of the computer and the network activity of the selected applications. The list of network ports that are normally used for transmission of email and network traffic is configured according to the recommendations of Kaspersky experts. Monitor all ports for the applications from the list recommended by Kaspersky. This uses a predefined list of applications whose network ports are monitored by Kaspersky Endpoint Security. For example, this list includes Google Chrome, Adobe Reader, Java, and other applications. Monitor all ports for specified applications. This uses a list of applications whose network ports are monitored by Kaspersky Endpoint Security.
Encrypted connections scan	Kaspersky Endpoint Security scans encrypted network traffic transmitted over the following protocols: SSL 3.0. TLS 1.0, TLS 1.1, TLS 1.2, TLS 1.3. Kaspersky Endpoint Security supports the following encrypted connection scanning modes: Do not scan encrypted connections Kaspersky Endpoint Security will not have access to the contents of websites whose addresses begin with `https://`. Scan encrypted connections upon request from protection components. Kaspersky Endpoint Security will scan encrypted traffic only when requested by the File Threat Protection, Mail Threat Protection, and Web Control components. Always scan encrypted connections Kaspersky Endpoint Security will scan encrypted network traffic even if protection components are disabled. Kaspersky Endpoint Security does not scan encrypted connections that were established by trusted applications for which traffic scanning is disabled. Kaspersky Endpoint Security does not scan encrypted connections from the predefined list of trusted websites. The predefined list of trusted websites is created by Kaspersky experts. This list is updated with the application's anti-virus databases. You can view the predefined list of trusted websites only in the Kaspersky Endpoint Security interface. You cannot view the list in the Kaspersky Security Center Console.
When visiting a domain with an untrusted certificate	Allow. If this option is selected, when visiting a domain with an untrusted certificate, Kaspersky Endpoint Security allows the network connection. When opening a domain with an untrusted certificate in a browser, Kaspersky Endpoint Security displays an HTML page showing a warning and the reason why visiting that domain is not recommended. A user can click the link from the HTML warning page to obtain access to the requested web resource. After following this link, during the next hour Kaspersky Endpoint Security will not display warnings about an untrusted certificate when visiting other resources on this same domain. Block connection. If this option is selected, when visiting a domain with an untrusted certificate, Kaspersky Endpoint Security blocks the network connection. When opening a domain with an untrusted certificate in a browser, Kaspersky Endpoint Security displays an HTML page showing the reason why that domain is blocked.
When encrypted connection scan errors occur	Block connection. If this item is selected, when an encrypted connection scan error occurs, Kaspersky Endpoint Security blocks the network connection. Add domain to exclusions. If this item is selected, when an encrypted connection scan error occurs, Kaspersky Endpoint Security adds the domain that resulted in the error to the list of domains with scan errors and does not monitor encrypted network traffic when this domain is visited. You can view a list of domains with encrypted connections scan errors only in the local interface of the application. To clear the list contents, you need to select Block connection.
Block SSL 2.0 connections	If the check box is selected, Kaspersky Endpoint Security blocks network connections established over the SSL 2.0 protocol. If the check box is cleared, Kaspersky Endpoint Security does not block network connections established over the SSL 2.0 protocol and does not monitor network traffic transmitted over these connections.
Decrypt encrypted connections with websites that use EV certificates	EV certificates (Extended Validation Certificates) confirm the authenticity of websites and enhance the security of the connection. Browsers use a lock icon in their address bar to indicate that a website has an EV certificate. Browsers may also fully or partially color the address bar in green. If the check box is selected, Kaspersky Endpoint Security decrypts and monitors encrypted connections with websites that use an EV certificate. If the check box is cleared, Kaspersky Endpoint Security does not have access to the contents of HTTPS traffic. For this reason, the application monitors HTTPS traffic only based on the website address, for example, `https://facebook.com`. If you are opening a website with an EV certificate for the first time, the encrypted connection will be decrypted regardless of whether or not the check box is selected.
Trusted addresses	This uses a list of web addresses for which Kaspersky Endpoint Security does not scan network connections. You can enter a domain name or IP address. Kaspersky Endpoint Security supports the `` character when entering a domain name mask. Kaspersky Endpoint Security does not support masks for IP addresses. Examples: `domain.com` – this entry includes the following addresses: `https://domain.com`, `https://www.domain.com`, `https://domain.com/page123`. This entry excludes subdomains (for example, `subdomain.domain.com`). `subdomain.domain.com` – this entry includes the following addresses: `https://subdomain.domain.com`, `https://subdomain.domain.com/page123`. The entry excludes the domain `domain.com`. `.domain.com` – this entry includes the following addresses: `https://movies.domain.com`, `https://images.domain.com/page123`. The entry excludes the domain `domain.com`.
Trusted applications	List of applications whose activity is not monitored by Kaspersky Endpoint Security during its operation. You can select the types of application activity that Kaspersky Endpoint Security will not monitor (for example, do not scan network traffic). Kaspersky Endpoint Security supports environment variables and the `*` and `?` characters when entering a mask.
Scan secure traffic in Mozilla applications (available only in the Kaspersky Endpoint Security interface)	If this check box is selected, Kaspersky Endpoint Security scans encrypted traffic in the Mozilla Firefox browser and Thunderbird mail client. Access to some websites via the HTTPS protocol may be blocked. To scan traffic in the Mozilla Firefox browser and the Thunderbird mail client, you must enable the Encrypted Connections Scan. If Encrypted Connections Scan is disabled, Kaspersky Endpoint Security does not scan traffic in the Mozilla Firefox browser and Thunderbird mail client. Kaspersky Endpoint Security uses the Kaspersky root certificate to decrypt and analyze encrypted traffic. You can select the certificate store that will contain the Kaspersky root certificate. Use Windows certificate store. The Kaspersky root certificate is added to this store during installation of Kaspersky Endpoint Security. Use Mozilla certificate store. Mozilla Firefox and Thunderbird use their own certificate stores. If the Mozilla certificate store is selected, you need to manually add the Kaspersky root certificate to this store through the browser properties.

See also: Managing the application via the local interface

Monitoring user Internet activity

Using a proxy server for updates

Network ports monitoring

Creating a list of monitored network ports

Encrypted connections scan

Configuring the encrypted connections scan settings

Creating the list of trusted web addresses

Editing the list of trusted applications

Scanning encrypted connections in Firefox and Thunderbird

Page top

[Topic 178492]

Interface

You can configure the settings of the application interface.

Interface settings

Parameter	Description
Interaction with user (available only in the Kaspersky Security Center Console)	With simplified interface. On a client computer, the main application window is inaccessible, and only the icon in the Windows notification area is available. In the context menu of the icon, the user can perform a limited number of operations with Kaspersky Endpoint Security. Kaspersky Endpoint Security also displays notifications above the application icon. With full interface. On a client computer, the main window of Kaspersky Endpoint Security and the icon in the Windows notification area are available. In the context menu of the icon, the user can perform operations with Kaspersky Endpoint Security. Kaspersky Endpoint Security also displays notifications above the application icon. No interface. On a client computer, no signs of Kaspersky Endpoint Security operation are displayed. The icon in the Windows notification area and notifications are not available.
Notification settings	A table with the settings of notifications about events of different importance levels that may occur during the operation of a component, task, or the entire application. Kaspersky Endpoint Security shows notifications about these events on the screen, sends them by email, or logs them.
Email notification settings	SMTP server settings for delivery of notifications about events registered during operation of the application.
Show application's status in notifications area	Categories of application events that cause the Kaspersky Endpoint Security icon to change in the Microsoft Windows taskbar notification area ( or ) and result in a pop-up notification.
Local anti-virus database status notifications	Settings of notifications about outdated anti-virus databases used by the application.
Password protection	If the toggle button is switched on, Kaspersky Endpoint Security prompts the user for a password when the user attempts to perform an operation that is within the scope of Password Protection. The Password Protection scope includes forbidden operations (such as disabling protection components) and the user accounts to which the Password Protection scope is applied. After Password Protection is enabled, Kaspersky Endpoint Security prompts you to set a password for performing operations.
Technical Support web resources (available only in the Kaspersky Security Center Console)	List of links to web resources containing information about technical support for Kaspersky Endpoint Security. Added links are displayed in the Support window of the Kaspersky Endpoint Security local interface instead of standard links.
Message to user (available only in the Kaspersky Security Center Console)	Message that is displayed in the Support window of the local interface of Kaspersky Endpoint Security.

See also: Managing the application via the local interface

Simplified application interface

Password protection

Page top

[Topic 201016]

Manage Settings

You can save the current Kaspersky Endpoint Security settings to a file and use them to quickly configure the application on a different computer. You can also use a configuration file when deploying the application through Kaspersky Security Center 12 with an installation package. You can restore the default settings at any time.

Application configuration management settings are available only in the Kaspersky Endpoint Security interface.

Application configuration management settings

Settings	Description
Import	Extract application settings from a file in CFG format and apply them.
Export	Save the current application settings to a file in CFG format.
Restore	You can restore the settings recommended by Kaspersky for Endpoint Security at any time. When the settings are restored, the Recommended security level is set for all protection components.

See also: Managing the application via the local interface

Creating and using a configuration file

Restoring the default application settings

Creating an installation package

Page top

[Topic 178441]

Task management

You can create the following types of tasks to administer Kaspersky Endpoint Security through Kaspersky Security Center:

Local tasks that are configured for an individual client computer.
Group tasks that are configured for client computers within administration groups.
Tasks for a selection of computers.

Task management settings

Parameter

Description

Allow use of local tasks

Allow group tasks to be displayed

If the check box is selected, group tasks are displayed in the Kaspersky Endpoint Security local interface. The user can view the list of all tasks in the application interface.

If the check box is cleared, Kaspersky Endpoint Security displays an empty task list.

Allow management of group tasks

If the check box is cleared, Kaspersky Endpoint Security starts scheduled tasks automatically, or the administrator starts tasks manually in Kaspersky Security Center.

Page top

[Topic 199173]

Scanning the computer

Kaspersky Endpoint Security does not scan files whose contents are located in OneDrive cloud storage, and creates log entries stating that these files have not been scanned.

Full Scan

A thorough scan of the entire computer. Kaspersky Endpoint Security scans the following objects:

Kernel memory
Objects that are loaded at startup of the operating system
Boot sectors
Operating system backup
All hard and removable drives

Kaspersky experts recommend that you do not change the scan scope of the Full Scan task.

To conserve computer resources, it is recommended to run a background scan task instead of a full scan task. This will not affect the security level of the computer.

Critical Areas Scan

By default, Kaspersky Endpoint Security scans the kernel memory, running processes, and disk boot sectors.

Kaspersky experts recommend that you do not change the scan scope of the Critical Areas Scan task.

Custom Scan

Kaspersky Endpoint Security scans the objects that are selected by the user. You can scan any object from the following list:

Kernel memory
Objects that are loaded at startup of the operating system
Operating system backup
Microsoft Outlook mailbox
Hard, removable, and network drives
Any selected file

Background scan

Integrity check

Kaspersky Endpoint Security checks the application modules for corruption or modifications.

Scan settings

Parameter	Description
Security level	Kaspersky Endpoint Security can use different groups of settings for running a scan. These groups of settings that are stored in the application are called security levels: High. Kaspersky Endpoint Security scans all types of files. When scanning compound files, Kaspersky Endpoint Security also scans mail-format files. Recommended. Kaspersky Endpoint Security scans only the specified file formats on all hard drives, network drives, and removable storage media of the computer, and also embedded OLE objects. Kaspersky Endpoint Security does not scan archives or installation packages. Low. Kaspersky Endpoint Security scans only new or modified files with the specified extensions on all hard drives, removable drives, and network drives of the computer. Kaspersky Endpoint Security does not scan compound files.
Action on threat detection	Disinfect; delete if disinfection fails. If this option is selected, Kaspersky Endpoint Security automatically attempts to disinfect all infected files that are detected. If disinfection fails, Kaspersky Endpoint Security deletes the files. Disinfect; block if disinfection fails. If this option is selected, Kaspersky Endpoint Security automatically attempts to disinfect all infected files that are detected. If disinfection is not possible, Kaspersky Endpoint Security adds the information about the infected files that are detected to the list of active threats. Inform. If this option is selected, Kaspersky Endpoint Security adds the information about infected files to the list of active threats on detection of these files. Before attempting to disinfect or delete an infected file, Kaspersky Endpoint Security creates a backup copy of the file in case you need to restore the file or if it can be disinfected in the future.
Protection scope	List of objects that Kaspersky Endpoint Security scans while performing a scan task. Objects within the scan scope can include the kernel memory, running processes, boot sectors, system backup storage, mail databases, hard drive, removable drive or network drive, folder or file.
Scan schedule	Manually. Run mode in which you can start scan manually at a time when it is convenient for you. Scheduled. In this scan task run mode, Kaspersky Endpoint Security starts the scan task in accordance with the schedule that you create. If this scan task run mode is selected, you can also start the scan task manually.
Run skipped tasks (available only in the Kaspersky Security Center Console)	If the check box is selected, Kaspersky Endpoint Security starts the skipped scan task as soon as it becomes possible. The scan task may be skipped, for example, if the computer was off at the scheduled scan task start time. If the check box is cleared, Kaspersky Endpoint Security does not run skipped scan tasks. Instead, it carries out the next scan task in accordance with the current schedule.
Run only when the computer is idling	Postponed start of the scan task when computer resources are busy. Kaspersky Endpoint Security starts the scan task if the computer is locked or if the screen saver is on.
Run scan as	By default the scan task is run in the name of the user with whose rights you are registered in the operating system. The protection scope may include network drives or other objects that require special rights to access. You can specify a user that has the required rights in the Kaspersky Endpoint Security settings and run the scan task under this user's account.
File types	Kaspersky Endpoint Security considers files without an extension as executable ones. Kaspersky Endpoint Security always scans executable files regardless of the file types that you select for scanning. All files. If this setting is enabled, Kaspersky Endpoint Security checks all files without exception (all formats and extensions). Files scanned by format. If this setting is enabled, Kaspersky Endpoint Security scans infectable files only. Before scanning a file for malicious code, the internal header of the file is analyzed to determine the format of the file (for example, .txt, .doc, or .exe). The scan also looks for files with particular file extensions. Files scanned by extension. If this setting is enabled, Kaspersky Endpoint Security scans infectable files only. The file format is then determined based on the file's extension.
Scan only new and changed files	Scans only new files and those files that have been modified since the last time they were scanned. This helps reduce the duration of a scan. This mode applies both to simple and to compound files.
Skip files that are scanned for longer than N seconds	Limits the duration for scanning a single object. After the specified amount of time, Kaspersky Endpoint Security stops scanning a file. This helps reduce the duration of a scan.
Scan archives	Scans archives in the following formats: RAR, ARJ, ZIP, CAB, LHA, JAR, and ICE.
Scan distribution packages	This check box enables/disables scanning of third-party distribution packages.
Scan files in Microsoft Office formats	Scans Microsoft Office files (DOC, DOCX, XLS, PPT and other Microsoft extensions). Office format files include OLE objects as well.
Scan email formats	This check box enables / disables the option for Kaspersky Endpoint Security to scan files in email formats and mail databases. The application only fully scans MS Outlook, Windows Mail/Outlook Express and EML mail file formats and only if the computer has the MS Outlook x86 mail client. If the check box is selected, Kaspersky Endpoint Security splits the mail-format file into its components (header, body, attachments) and scans them for threats. If this check box is cleared, Kaspersky Endpoint Security scans the mail-format file as a single file.
Scan password-protected archives	If the check box is selected, Kaspersky Endpoint Security scans password-protected archives. Before files in an archive can be scanned, you are prompted to enter the password. If the check box is cleared, Kaspersky Endpoint Security skips scanning of password-protected archives.
Do not unpack large compound files	If this check box is selected, Kaspersky Endpoint Security does not scan compound files if their size exceeds the specified value. If this check box is cleared, Kaspersky Endpoint Security scans compound files of all sizes. Kaspersky Endpoint Security scans large files that are extracted from archives regardless of whether the check box is ticked or not.
Machine learning and signature analysis	The machine learning and signature analysis method uses the Kaspersky Endpoint Security databases that contain descriptions of known threats and ways to neutralize them. Protection that uses this method provides the minimum acceptable security level. Based on the recommendations of Kaspersky experts, machine learning and signature analysis is always enabled.
Heuristic Analysis	The technology was developed for detecting threats that cannot be detected by using the current version of Kaspersky application databases. It detects files that may be infected with an unknown virus or a new variety of a known virus. When scanning files for malicious code, the heuristic analyzer executes instructions in the executable files. The number of instructions that are executed by the heuristic analyzer depends on the level that is specified for the heuristic analyzer. The heuristic analysis level ensures a balance between the thoroughness of searching for new threats, the load on the resources of the operating system, and the duration of heuristic analysis.
iSwift Technology	This technology allows increasing scan speed by excluding certain files from scanning. Files are excluded from scanning by using a special algorithm that takes into account the release date of Kaspersky Endpoint Security databases, the date that the file was last scanned on, and any modifications to the scanning settings. The iSwift technology is an advancement of the iChecker technology for the NTFS file system.
iChecker Technology	This technology allows increasing scan speed by excluding certain files from scanning. Files are excluded from scans by using a special algorithm that takes into account the release date of Kaspersky Endpoint Security databases, the date when the file was last scanned, and any modifications to the scan settings. There are limitations to iChecker Technology: it does not work with large files and applies only to files with a structure that the application recognizes (for example, EXE, DLL, LNK, TTF, INF, SYS, COM, CHM, ZIP, and RAR).

Page top

[Topic 178480]

Background scan

After an anti-virus database update.
30 minutes after Kaspersky Endpoint Security is started.
Every six hours.
When the computer is idling for five minutes or more (the computer is locked or the screensaver is on).

Background scan when the computer is idling is interrupted when any of the following conditions are true:

The computer went into active mode.
If the background scan has not been run for more than ten days, the scan is not interrupted.
The computer (laptop) has switched to battery mode.

When performing a background scan, Kaspersky Endpoint Security does not scan files whose contents are located in OneDrive cloud storage.

See also: Managing the application via the local interface

Enabling and disabling File Threat Protection

Automatic pausing of File Threat Protection

Page top

[Topic 178476]

Scan from context menu

Kaspersky Endpoint Security lets you run a scan of individual files for viruses and other malware from the context menu (see the figure below).

When performing a scan from the context menu, Kaspersky Endpoint Security does not scan files whose contents are located in OneDrive cloud storage.

Scan from context menu

Scan from Context Menu task settings

Parameter	Description
Action on threat detection	Disinfect; delete if disinfection fails. If this option is selected, Kaspersky Endpoint Security automatically attempts to disinfect all infected files that are detected. If disinfection fails, Kaspersky Endpoint Security deletes the files. Disinfect; block if disinfection fails. If this option is selected, Kaspersky Endpoint Security automatically attempts to disinfect all infected files that are detected. If disinfection is not possible, Kaspersky Endpoint Security adds the information about the infected files that are detected to the list of active threats. Inform. If this option is selected, Kaspersky Endpoint Security adds the information about infected files to the list of active threats on detection of these files.
Scan only new and changed files	Scans only new files and those files that have been modified since the last time they were scanned. This helps reduce the duration of a scan. This mode applies both to simple and to compound files.
Skip files that are scanned for longer than N sec	Limits the duration for scanning a single object. After the specified amount of time, Kaspersky Endpoint Security stops scanning a file. This helps reduce the duration of a scan.
Scan archives	Scans archives in the following formats: RAR, ARJ, ZIP, CAB, LHA, JAR, and ICE.
Scan distribution packages	The check box enables or disables scanning of distribution packages.
Scan files in Microsoft Office formats	Scans Microsoft Office files (DOC, DOCX, XLS, PPT and other Microsoft extensions). Office format files include OLE objects as well.
Do not unpack large compound files	If this check box is selected, Kaspersky Endpoint Security does not scan compound files if their size exceeds the specified value.
Machine learning and signature analysis	The machine learning and signature analysis method uses the Kaspersky Endpoint Security databases that contain descriptions of known threats and ways to neutralize them. Protection that uses this method provides the minimum acceptable security level. Based on the recommendations of Kaspersky experts, machine learning and signature analysis is always enabled.
Heuristic Analysis	The technology was developed for detecting threats that cannot be detected by using the current version of Kaspersky application databases. It detects files that may be infected with an unknown virus or a new variety of a known virus. When scanning files for malicious code, the heuristic analyzer executes instructions in the executable files. The number of instructions that are executed by the heuristic analyzer depends on the level that is specified for the heuristic analyzer. The heuristic analysis level ensures a balance between the thoroughness of searching for new threats, the load on the resources of the operating system, and the duration of heuristic analysis.
iSwift Technology	This technology allows increasing scan speed by excluding certain files from scanning. Files are excluded from scanning by using a special algorithm that takes into account the release date of Kaspersky Endpoint Security databases, the date that the file was last scanned on, and any modifications to the scanning settings. The iSwift technology is an advancement of the iChecker technology for the NTFS file system.
iChecker Technology	This technology allows increasing scan speed by excluding certain files from scanning. Files are excluded from scans by using a special algorithm that takes into account the release date of Kaspersky Endpoint Security databases, the date when the file was last scanned, and any modifications to the scan settings. There are limitations to iChecker Technology: it does not work with large files and applies only to files with a structure that the application recognizes (for example, EXE, DLL, LNK, TTF, INF, SYS, COM, CHM, ZIP, and RAR).

See also: Managing the application via the local interface

Changing the action to take on infected files

Generating a list of objects to scan

Selecting the type of files to scan

Using scan technologies

Page top

[Topic 178477]

Removable drives scan

Kaspersky Endpoint Security allows you to scan removable drives that are connected to your computer for viruses and other malware.

Removable drives scan task settings

Parameter	Description
Action on connection of a removable drive	Do not scan. Detailed Scan If this option is selected, after a removable drive is connected Kaspersky Endpoint Security scans all files located on the removable drive, including files within compound objects. Quick Scan If this option is selected, after a removable drive is connected Kaspersky Endpoint Security scans only files of specific formats that are most vulnerable to infection, and does not unpack compound objects.
Maximum removable drive size	If this check box is selected, Kaspersky Endpoint Security performs the action that is selected in the Action on connection of a removable drive drop-down list on removable drives with a size not more than the specified maximum drive size. If the check box is cleared, Kaspersky Endpoint Security performs the action that is selected in the Action on connection of a removable drive drop-down list on removable drives of any size.
Show scan progress	If the check box is selected, Kaspersky Endpoint Security displays the progress of removable drives scan in a separate window and in the Tasks window. If the check box is cleared, Kaspersky Endpoint Security performs removable drives scan in the background.
Block the stopping of the scan task	If the check box is selected, the Stop button in the Tasks window and the Stop button in the Virus Scan window are not available in the local interface of Kaspersky Endpoint Security.

See also: Managing the application via the local interface

Scanning removable drives when they are connected to the computer

Page top

[Topic 201526]

Integrity check

Application integrity breaches may occur in the following cases:

A malicious object modified files of Kaspersky Endpoint Security. In this case, perform the procedure for restoring Kaspersky Endpoint Security using the tools of the operating system. After restoration, run a full scan of the computer and repeat the integrity check.

The digital signature expired. In this case, update Kaspersky Endpoint Security.

Integrity check task settings

Parameter	Description
Scan schedule	Manually. Run mode in which you can start scan manually at a time when it is convenient for you. Scheduled. In this scan task run mode, Kaspersky Endpoint Security starts the scan task in accordance with the schedule that you create. If this scan task run mode is selected, you can also start the scan task manually.
Run skipped tasks	If the check box is selected, Kaspersky Endpoint Security starts the skipped scan task as soon as it becomes possible. The scan task may be skipped, for example, if the computer was off at the scheduled scan task start time. If the check box is cleared, Kaspersky Endpoint Security does not run skipped scan tasks. Instead, it carries out the next scan task in accordance with the current schedule.
Run only when the computer is idling	Postponed start of the scan task when computer resources are busy. Kaspersky Endpoint Security starts the scan task if the computer is locked or if the screen saver is on.
Run as (available only in the Kaspersky Security Center Console)	By default the scan task is run in the name of the user with whose rights you are registered in the operating system. Special permissions may be required for accessing the application installation folder. You can specify a user that has the required rights in the Kaspersky Endpoint Security settings and run the scan task under this user's account.

Page top

[Topic 199174]

Updating databases and application software modules

Regular updates require a license in effect. If there is no current license, you will be able to perform an update only once.

The main update source for Kaspersky Endpoint Security is Kaspersky update servers.

Updates are downloaded over the HTTPS protocol. They may also be downloaded over the HTTP protocol when it is impossible to download updates over the HTTPS protocol.

While performing an update, the following objects are downloaded and installed on your computer:

Kaspersky Endpoint Security databases. Computer protection is provided using databases that contain signatures of viruses and other threats and information on ways to neutralize them. Protection components use this information when searching for and neutralizing infected files on your computer. The databases are constantly updated with records of new threats and methods for counteracting them. Therefore, we recommend that you update the databases regularly.
In addition to the Kaspersky Endpoint Security databases, the network drivers that enable the application's components to intercept network traffic are updated.
Application modules. In addition to the databases of Kaspersky Endpoint Security, you can also update the application modules. Updating the application modules fixes vulnerabilities in Kaspersky Endpoint Security, adds new functions, or enhances existing functions.

Context help files can be updated together with application module updates.

If the databases are obsolete, the update package may be large, which may cause additional Internet traffic (up to several dozen MB).

Information about the current status of Kaspersky Endpoint Security databases is displayed in the Update section in the Tasks window.

Information on update results and on all events that occur during the performance of the update task is logged in the Kaspersky Endpoint Security report.

Application module and database update settings

Parameter	Description
Run mode	Automatically. In this mode, Kaspersky Endpoint Security checks the update source for availability of new update packages with a certain frequency. The frequency of checking for the update package increases during virus outbreaks and decreases when there are none. After detecting a fresh update package, Kaspersky Endpoint Security downloads it and installs updates on your computer. Manually. This update task run mode allows you to manually start the update task. Scheduled. In this update task run mode, Kaspersky Endpoint Security runs the update task in accordance with the schedule that you have specified. If this update task run mode is selected, you can also start the Kaspersky Endpoint Security update task manually.
Run skipped tasks	If the check box is selected, Kaspersky Endpoint Security starts the skipped update task as soon as this becomes possible. The update task can be skipped, for example, if the computer was turned off at the update task start time. If the check box is cleared, Kaspersky Endpoint Security does not start missed update tasks. Instead, it runs the next update task in accordance with the current schedule.
Update source	An update source is a resource that contains updates for databases and application modules of Kaspersky Endpoint Security. Update sources include the Kaspersky Security Center server, Kaspersky update servers, and network or local folders. The default list of update sources includes Kaspersky Security Center and Kaspersky update servers. You can add other update sources to the list. You can specify HTTP/FTP servers and shared folders as update sources. Kaspersky Endpoint Security does not support updates from HTTPS servers unless they are Kaspersky's update servers. If several resources are selected as update sources, Kaspersky Endpoint Security tries to connect to them one after another, starting from the top of the list, and performs the update task by retrieving the update package from the first available source.
Run task as	By default, the Kaspersky Endpoint Security update task is started on behalf of the user whose account you have used to log in to the operating system. However, Kaspersky Endpoint Security may be updated from an update source that the user cannot access due to a lack of required rights (for example, from a shared folder that contains an update package) or an update source for which proxy server authentication is not configured. In the Kaspersky Endpoint Security settings, you can specify a user that has such rights and start the Kaspersky Endpoint Security update task under that user account.
Download updates of application modules	This check box enables / disables downloads of application module updates along with anti-virus database updates. If the check box is selected, Kaspersky Endpoint Security notifies the user about available application module updates and includes application module updates in the update package while running the update task. The way application module updates are applied is determined by the following settings: Install critical and approved updates. If this option is selected, when application module updates are available Kaspersky Endpoint Security installs critical updates automatically and all other application module updates only after their installation is approved locally via the application interface or on the side of Kaspersky Security Center. Install only approved updates. If this option is selected, when application module updates are available Kaspersky Endpoint Security installs them only after their installation is approved locally via the application interface or on the side of Kaspersky Security Center. This option is selected by default. If the check box is cleared, Kaspersky Endpoint Security does not notify the user about available application module updates and does not include application module updates in the update package while running the update task. If application module updates require reviewing and accepting the terms of the End User License Agreement, the application installs updates after the terms of the End User License Agreement have been accepted. This check box is selected by default.
Copy updates to folder	If this check box is selected, Kaspersky Endpoint Security copies the update package to the shared folder specified under the check box. After that, other computers on your LAN are able to receive the update package from this shared folder. This reduces Internet traffic because the update package is downloaded only once. The following folder is specified by default: `C:\ProgramData\Kaspersky Lab\KES\Update distribution\`.
Proxy server for updates (available only in the Kaspersky Endpoint Security interface)	Proxy server settings for Internet access of users of client computers to update application modules and databases. For automatic configuration of a proxy server, Kaspersky Endpoint Security uses the WPAD protocol (Web Proxy Auto-Discovery Protocol). If the IP address of the proxy server cannot be determined by using this protocol, Kaspersky Endpoint Security uses the proxy server address that is specified in the Microsoft Internet Explorer browser settings.
Bypass proxy server for local addresses (available only in the Kaspersky Endpoint Security interface)	If the check box is selected, Kaspersky Endpoint Security does not use a proxy server when performing an update from a shared folder.

Page top

[Topic 193496]

Appendix 2. Application trust groups

Kaspersky Endpoint Security categorizes all applications that are started on the computer into trust groups. Applications are categorized into trust groups depending on the level of threat that the applications pose to the operating system.

The trust groups are as follows:

Trusted. This group includes applications for which one or more of the following conditions are met:
- Applications are digitally signed by trusted vendors.
- Applications are recorded in the trusted applications database of Kaspersky Security Network.
- The user has placed applications in the Trusted group.
No operations are prohibited for these applications.
Low Restricted. This group includes applications for which the following conditions are met:
- Applications are not digitally signed by trusted vendors.
- Applications are not recorded in the trusted applications database of Kaspersky Security Network.
- The user has placed applications in the "Low Restricted" group.
Such applications are subject to minimal restrictions on access to operating system resources.
High Restricted. This group includes applications for which the following conditions are met:
- Applications are not digitally signed by trusted vendors.
- Applications are not recorded in the trusted applications database of Kaspersky Security Network.
- The user has placed applications in the High Restricted group.
Such applications are subject to high restrictions on access to operating system resources.
Untrusted. This group includes applications for which the following conditions are met:
- Applications are not digitally signed by trusted vendors.
- Applications are not recorded in the trusted applications database of Kaspersky Security Network.
- The user has placed applications in the Untrusted group.
For these applications, all operations are blocked.

Page top

[Topic 39925]

Appendix 3. File extensions for quick removable drives scan

com – executable file of an application no larger than 64 KB

exe – executable file or self-extracting archive

sys – Microsoft Windows system file

prg – program text for dBase, Clipper or Microsoft Visual FoxPro, or a WAVmaker program

bin – binary file

bat – batch file

cmd – command file for Microsoft Windows NT (similar to a bat file for DOS), OS/2

dpl – compressed Borland Delphi library

dll – dynamic link library

scr – Microsoft Windows splash screen

cpl – Microsoft Windows control panel module

ocx – Microsoft OLE (Object Linking and Embedding) object

tsp – program running in split-time mode

drv – device driver

vxd – Microsoft Windows virtual device driver

pif – program information file

lnk – Microsoft Windows link file

reg – Microsoft Windows system registry key file

ini – configuration file which contains configuration data for Microsoft Windows, Windows NT, and some applications

cla – Java class

vbs – Visual Basic script

vbe – BIOS video extension

js, jse – JavaScript source text

htm – hypertext document

htt – Microsoft Windows hypertext header

hta – hypertext program for Microsoft Internet Explorer

asp – Active Server Pages script

chm – compiled HTML file

pht – HTML file with integrated PHP scripts

php – script that is integrated into HTML files

wsh – Microsoft Windows Script Host file

wsf – Microsoft Windows script

the – Microsoft Windows 95 desktop wallpaper file

hlp – Win Help file

eml – Microsoft Outlook Express email message

nws – new Microsoft Outlook Express email message

msg – Microsoft Mail email message

plg – email message

mbx – saved Microsoft Office Outlook email message

doc* – Microsoft Office Word documents, such as: doc for Microsoft Office Word documents, docx for Microsoft Office Word 2007 documents with XML support, and docm for Microsoft Office Word 2007 documents with macro support

dot* – Microsoft Office Word document templates, such as: dot for Microsoft Office Word document templates, dotx for Microsoft Office Word 2007 document templates, dotm for Microsoft Office Word 2007 document templates with macro support

fpm – database program, Microsoft Visual FoxPro start file

rtf – Rich Text Format document

shs – Windows Shell Scrap Object Handler fragment

dwg – AutoCAD drawing database

msi – Microsoft Windows Installer package

otm – VBA project for Microsoft Office Outlook

pdf – Adobe Acrobat document

swf – Shockwave Flash package object

jpg, jpeg – compressed image graphics format

emf – Enhanced Metafile format file;

ico – object icon file

ov? – Microsoft Office Word executable files

xl* – Microsoft Office Excel documents and files, such as: xla, the extension for Microsoft Office Excel, xlc for diagrams, xlt for document templates, xlsx for Microsoft Office Excel 2007 workbooks, xltm for Microsoft Office Excel 2007 workbooks with macro support, xlsb for Microsoft Office Excel 2007 workbooks in binary (non-XML) format, xltx for Microsoft Office Excel 2007 templates, xlsm for Microsoft Office Excel 2007 templates with macro support, and xlam for Microsoft Office Excel 2007 plug-ins with macro support

pp* – Microsoft Office PowerPoint documents and files, such as: pps for Microsoft Office PowerPoint slides, ppt for presentations, pptx for Microsoft Office PowerPoint 2007 presentations, pptm for Microsoft Office PowerPoint 2007 presentations with macros support, potx for Microsoft Office PowerPoint 2007 presentation templates, potm for Microsoft Office PowerPoint 2007 presentation templates with macro support, ppsx for Microsoft Office PowerPoint 2007 slide shows, ppsm for Microsoft Office PowerPoint 2007 slide shows with macro support, and ppam for Microsoft Office PowerPoint 2007 plug-ins with macro support

md* – Microsoft Office Access documents and files, such as: mda for Microsoft Office Access workgroups and mdb for databases

sldx – a Microsoft PowerPoint 2007 slide

sldm – a Microsoft PowerPoint 2007 slide with macro support

thmx – a Microsoft Office 2007 theme

Page top

[Topic 39921]

Appendix 4. File Types for the Mail Threat Protection attachment filter

Note that the actual format of a file may not match its file name extension.

If you enabled filtering of email attachments, the Mail Threat Protection component may rename or delete files with the following extensions:

com – executable file of an application no larger than 64 KB

exe – executable file or self-extracting archive

sys – Microsoft Windows system file

prg – program text for dBase, Clipper or Microsoft Visual FoxPro, or a WAVmaker program

bin – binary file

bat – batch file

cmd – command file for Microsoft Windows NT (similar to a bat file for DOS), OS/2

dpl – compressed Borland Delphi library

dll – dynamic link library

scr – Microsoft Windows splash screen

cpl – Microsoft Windows control panel module

ocx – Microsoft OLE (Object Linking and Embedding) object

tsp – program running in split-time mode

drv – device driver

vxd – Microsoft Windows virtual device driver

pif – program information file

lnk – Microsoft Windows link file

reg – Microsoft Windows system registry key file

ini – configuration file which contains configuration data for Microsoft Windows, Windows NT, and some applications

cla – Java class

vbs – Visual Basic script

vbe – BIOS video extension

js, jse – JavaScript source text

htm – hypertext document

htt – Microsoft Windows hypertext header

hta – hypertext program for Microsoft Internet Explorer

asp – Active Server Pages script

chm – compiled HTML file

pht – HTML file with integrated PHP scripts

php – script that is integrated into HTML files

wsh – Microsoft Windows Script Host file

wsf – Microsoft Windows script

the – Microsoft Windows 95 desktop wallpaper file

hlp – Win Help file

eml – Microsoft Outlook Express email message

nws – new Microsoft Outlook Express email message

msg – Microsoft Mail email message

plg – email message

mbx – saved Microsoft Office Outlook email message

fpm – database program, Microsoft Visual FoxPro start file

rtf – Rich Text Format document

shs – Windows Shell Scrap Object Handler fragment

dwg – AutoCAD drawing database

msi – Microsoft Windows Installer package

otm – VBA project for Microsoft Office Outlook

pdf – Adobe Acrobat document

swf – Shockwave Flash package object

jpg, jpeg – compressed image graphics format

emf – Enhanced Metafile format file;

ico – object icon file

ov? – Microsoft Office Word executable files

md* – Microsoft Office Access documents and files, such as: mda for Microsoft Office Access workgroups and mdb for databases

sldx – a Microsoft PowerPoint 2007 slide

sldm – a Microsoft PowerPoint 2007 slide with macro support

thmx – a Microsoft Office 2007 theme

Page top

[Topic 202507]

Appendix 5. Network settings for interaction with external services

Kaspersky Endpoint Security uses the following network settings for interacting with external services.

Network settings

Address	Description
`activation-v2.kaspersky.com/activationservice/activationservice.svc` Protocol: `HTTPS` Port: `443`	Activating the application
`s00.upd.kaspersky.com` `s01.upd.kaspersky.com` `s02.upd.kaspersky.com` `s03.upd.kaspersky.com` `s04.upd.kaspersky.com` `s05.upd.kaspersky.com` `s06.upd.kaspersky.com` `s07.upd.kaspersky.com` `s08.upd.kaspersky.com` `s09.upd.kaspersky.com` `s10.upd.kaspersky.com` `s11.upd.kaspersky.com` `s12.upd.kaspersky.com` `s13.upd.kaspersky.com` `s14.upd.kaspersky.com` `s15.upd.kaspersky.com` `s16.upd.kaspersky.com` `s17.upd.kaspersky.com` `s18.upd.kaspersky.com` `s19.upd.kaspersky.com` `cm.k.kaspersky-labs.com` Protocol: `HTTPS` Port: `443`	Updating databases and application modules
`downloads.upd.kaspersky.com` Protocol: `HTTPS` Port: `443`	Updating databases and application modules Checking if Kaspersky servers are accessible. If access to the servers using system DNS is not possible, the application uses public DNS. This is necessary to make sure anti-virus databases are updated and the level of security is maintained for the computer. Kaspersky Endpoint Security uses the following list of public DNS servers in the following order: Google Public DNS (8.8.8.8). Cloudflare DNS (1.1.1.1). Alibaba Cloud DNS (223.6.6.6). Quad9 DNS (9.9.9.9). CleanBrowsing (185.228.168.168). Requests emitted by the application may contain addresses of domains and the public IP address of the user because the application establishes a TCP/UDP connection with the DNS server. This information is needed, for example, to validate the certificate of a web resource when using HTTPS. If Kaspersky Endpoint Security is using a public DNS server, data processing is governed by the privacy policy of the relevant service. If you want to prevent Kaspersky Endpoint Security from using a public DNS server, contact Technical Support for a private patch.
`touch.kaspersky.com` Protocol: `HTTP`	Receiving the trusted time for checking the validity period of the certificate (TLS connection). Warning about access denial to a web resource in the browser (Web Threat Protection and Web Control)
`p00.upd.kaspersky.com` `p01.upd.kaspersky.com` `p02.upd.kaspersky.com` `p03.upd.kaspersky.com` `p04.upd.kaspersky.com` `p05.upd.kaspersky.com` `p06.upd.kaspersky.com` `p07.upd.kaspersky.com` `p08.upd.kaspersky.com` `p09.upd.kaspersky.com` `p10.upd.kaspersky.com` `p11.upd.kaspersky.com` `p12.upd.kaspersky.com` `p13.upd.kaspersky.com` `p14.upd.kaspersky.com` `p15.upd.kaspersky.com` `p16.upd.kaspersky.com` `p17.upd.kaspersky.com` `p18.upd.kaspersky.com` `p19.upd.kaspersky.com` `downloads.kaspersky-labs.com` `cm.k.kaspersky-labs.com` Protocol: `HTTP` Port: `80`	Updating databases and application modules
`ds.kaspersky.com` Protocol: `HTTPS` Port: `443`	Using Kaspersky Security Network
`ksn-a-stat-geo.kaspersky-labs.com` `ksn-file-geo.kaspersky-labs.com` `ksn-verdict-geo.kaspersky-labs.com` `ksn-url-geo.kaspersky-labs.com` `ksn-a-p2p-geo.kaspersky-labs.com` `ksn-info-geo.kaspersky-labs.com` `ksn-cinfo-geo.kaspersky-labs.com` Protocol: `Any` Port: `443`, `1443`	Using Kaspersky Security Network
`click.kaspersky.com` `redirect.kaspersky.com` Protocol: `HTTPS`	Follow links from the interface
`crl.kaspersky.com` `ocsp.kaspersky.com` Protocol: `HTTP` Port: `80`	Public Key Infrastructure (PKI)

Page top

[Topic 209858]

Appendix 6. Application events in the Windows Event Log

Expand all | Collapse all

System audit

Codes of events

Event ID	Description	Enabled by default
`201`	End User License Agreement violated
`203`	License has almost expired	–
`204`	License expires soon	–
`206`	Databases are missing or corrupted	–
`207`	Databases are extremely out of date	–
`208`	Databases are out of date	–
`209`	Application autorun is disabled	–
`210`	Automatic updates are disabled	–
`211`	Self-Defense is disabled	–
`212`	Task cannot run	–
`213`	The operation with application resources is blocked by Self-Defense	–
`214`	Protection components are disabled	–
`215`	Computer is running in safe mode	–
`216`	There are unprocessed files	–
`217`	Report cleared
`218`	Application settings changed
`219`	Group policy applied
`220`	Group policy disabled	–
`221`	Task started	–
`222`	Task stopped	–
`223`	Task completed	–
`224`	Restart the application to complete the update	–
`225`	Computer restart required
`226`	The license allows the use of components that have not been installed	–
`227`	Installed components match the license	–
`229`	Activation error
`230`	Incorrect reserve activation code	–
`231`	Active threat detected Advanced Disinfection must be started	–
`232`	Advanced Disinfection started	–
`233`	Advanced Disinfection completed	–
`235`	Application started
`236`	Application stopped
`237`	Application crashed during previous session
`240`	License expires soon
`238`	Subscription settings have changed
`239`	Subscription has been renewed
`335`	Object restored from Backup
`336`	Cannot restore object from Backup
`245`	Processing of some OS functions is disabled
`250`	Encrypted connection terminated
`708`	Task settings applied successfully	–
`335`	Object restored from Backup
`2000`	Enter a user name and password	–
`2001`	Suspicious network activity detected	–
`2020`	Participation in KSN is enabled	–
`2021`	Participation in KSN is disabled	–
`2022`	KSN servers available	–
`2023`	KSN servers unavailable	–
`2024`	The application works and processes data under relevant laws and uses the appropriate infrastructure
`227`	All application components that are defined by the license have been installed and run in normal mode	–

Behavior Detection

Codes of events

Event ID	Description	Enabled by default
`303`	Detected legitimate software that can be used by intruders to damage your computer or personal data	–
`307`	Object deleted	–
`308`	A backup copy of the object was created	–
`311`	Cannot create a backup copy	–
`313`	Cannot be deleted	–
`323`	Object will be deleted on restart	–
`329`	Object renamed	–
`331`	Blocked	–
`452`	Process terminated	–
`453`	Cannot terminate the process	–
`455`	Rollback completed	–
`458`	Registry value restored	–
`459`	Registry value deleted	–
`453`	File/code execution blocked	–

Exploit Prevention

Codes of events

Event ID	Description	Enabled by default
`302`	Malicious object detected	–
`331`	Blocked	–
`455`	Rollback completed	–
`323`	Object will be deleted on restart	–
`307`	Object deleted	–
`329`	Object renamed	–
`457`	File restored	–
`458`	Registry value restored	–
`459`	Registry value deleted	–

Host Intrusion Prevention

Codes of events

Event ID	Description	Enabled by default
`301`	Object processed	–
`302`	Malicious object detected	–
`303`	Detected legitimate software that can be used by intruders to damage your computer or personal data	–
`306`	Object disinfected	–
`307`	Object deleted	–
`308`	A backup copy of the object was created	–
`310`	Cannot create a backup copy	–
`312`	Disinfection not possible	–
`313`	Cannot be deleted	–
`314`	Object not processed	–
`315`	Object skipped	–
`317`	Processing error
`318`	Archive detected	–
`319`	Packed object detected	–
`320`	Object encrypted	–
`321`	Object corrupted	–
`322`	Password-protected archive detected	–
`323`	Object will be deleted on restart	–
`324`	Object will be disinfected on restart	–
`327`	Overwritten by a copy that was disinfected earlier	–
`332`	Information about detected object	–
`335`	Object restored from Backup	–
`336`	Cannot restore object from Backup
`340`	Object is on the Private KSN allowlist
`401`	Application placed in the trusted group	–
`402`	Application placed in restricted group	–
`403`	Host Intrusion Prevention was triggered	–
`452`	Process terminated	–
`453`	Cannot terminate the process	–

File Threat Protection

Codes of events

Event ID	Description	Enabled by default
`302`	Malicious object detected
`317`	Processing error
`336`	Cannot restore object from Backup
`340`	Object is on the Private KSN allowlist
`301`	Object processed	–
`306`	Object disinfected	–
`307`	Object deleted	–
`308`	A backup copy of the object was created	–
`310`	Cannot create a backup copy	–
`312`	Disinfection not possible	–
`313`	Cannot be deleted	–
`314`	Object not processed	–
`315`	Object skipped	–
`318`	Archive detected	–
`319`	Packed object detected	–
`320`	Object encrypted	–
`321`	Object corrupted	–
`322`	Password-protected archive detected	–
`323`	Object will be deleted on restart	–
`324`	Object will be disinfected on restart	–
`325`	Overwritten by a copy that was disinfected earlier	–
`303`	Detected legitimate software that can be used by intruders to damage your computer or personal data	–
`329`	Object renamed	–
`335`	Object restored from Backup	–
`452`	Process terminated	–
`453`	Cannot terminate the process	–
`332`	Information about detected object	–

Web Threat Protection

Codes of events

Event ID	Description	Enabled by default
`301`	Object processed	–
`302`	Malicious object detected
`303`	Detected legitimate software that can be used by intruders to damage your computer or personal data	–
`317`	Processing error
`318`	Archive detected	–
`319`	Packed object detected	–
`321`	Object corrupted	–
`322`	Password-protected archive detected	–
`329`	Object renamed	–
`362`	Dangerous link blocked
`1201`	Previously opened dangerous link detected
`1211`	Previously opened malicious link detected
`363`	Dangerous link opened
`341`	Object download was blocked	–
`370`	Link is on the Private KSN allowlist
`370`	Object is on the Private KSN allowlist
`332`	Information about detected object	–

Mail Threat Protection

Codes of events

Event ID	Description	Enabled by default
`301`	Object processed	–
`306`	Object disinfected	–
`302`	Malicious object detected
`317`	Processing error
`340`	Object is on the Private KSN allowlist
`307`	Object deleted	–
`308`	A backup copy of the object was created	–
`312`	Disinfection not possible	–
`314`	Object not processed	–
`318`	Archive detected	–
`319`	Packed object detected	–
`321`	Object corrupted	–
`322`	Password-protected archive detected	–
`329`	Object renamed	–
`303`	Detected legitimate software that can be used by intruders to damage your computer	–
`332`	Information about detected object	–

Network Threat Protection

Codes of events

Event ID	Description	Enabled by default
`601`	Network activity allowed	–
`602`	Network activity blocked	–

Codes of events

Event ID	Description	Enabled by default
`651`	Network attack detected	–

BadUSB Attack Prevention

Codes of events

Event ID	Description	Enabled by default
`2050`	Keyboard authorized	–
`2051`	Keyboard not authorized
`2052`	Keyboard authorization error

AMSI Protection

Codes of events

Event ID	Description	Enabled by default
`301`	Object processed	–
`302`	Malicious object detected
`303`	Detected legitimate software that can be used by intruders to damage your computer or personal data	–
`314`	Object not processed	–
`315`	Object skipped	–
`317`	Processing error
`318`	Archive detected	–
`319`	Packed object detected	–
`320`	Object encrypted	–
`321`	Object corrupted	–
`322`	Password-protected archive detected	–
`1512`	The object scan result has been sent to a third-party application	–
`329`	Object renamed	–
`332`	Information about detected object	–
`340`	Object is on the Private KSN allowlist
`2200`	AMSI request blocked

Codes of events

Event ID	Description	Enabled by default
`701`	Application startup allowed	–
`702`	Application startup prohibited	–
`703`	Application startup prohibited in test mode	–
`704`	Application startup allowed in test mode	–
`707`	Error in task settings. Task settings not applied	–
`710`	Prohibited process was started before Kaspersky Endpoint Security for Windows was started	–
`708`	Task settings applied successfully	–

Codes of events

Event ID	Description	Enabled by default
`801`	Operation with the device allowed	–
`802`	Operation with the device prohibited	–
`803`	Temporary access to device activated
`808`	File operation performed	–
`809`	Network connection blocked	–

Codes of events

Event ID	Description	Enabled by default
`751`	Access allowed	–
`752`	Access blocked	–
`753`	Warning about undesirable content	–
`754`	Undesirable content was accessed after a warning	–
`751`	Allowed page opened	–