[Topic 127968]

About Kaspersky Endpoint Security for Windows

This section describes the functions, components, and distribution kit of Kaspersky Endpoint Security 11 for Windows (hereinafter referred to as Kaspersky Endpoint Security), and provides a list of hardware and software requirements of Kaspersky Endpoint Security.

[Topic 127969]

What's new

Kaspersky Endpoint Security for Windows offers the following features and improvements:

1. Integration of Endpoint Sensor, which is a component of Kaspersky Anti Targeted Attack Platform:
   • IoC scanner (Indicators of Compromise)
   • Incident response tools
   • Incident investigation capabilities
2. Support for server operating systems as part of the Behavior Detection, Remediation Engine, and Exploit Prevention components.
3. Protection of shared folders against remote encryption as part of the Behavior Detection component.
4. User interface improvements:
   • Grouping of protection components into the following sections:
     • Advanced Threat Protection.
     • Essential Threat Protection.
   • Naming of components in accordance with the current state of information security:
     • The File Anti-Virus component has been renamed to File Threat Protection.
     • The Mail Anti-Virus component has been renamed to Mail Threat Protection.
     • The Web Anti-Virus component has been renamed to Web Threat Protection.
     • The Network Attack Blocker component has been renamed to Network Threat Protection.
     • The System Watcher component has been split into the following components: Behavior Detection, Remediation Engine, Exploit Prevention.
     • The Application Privilege Control component has been renamed to Host Intrusion Prevention.
     • The Application Startup Control component has been renamed to Application Control.
5. Cloud mode for Threat Protection: condensed anti-virus databases when using Kaspersky Security Network require less RAM and hard drive space.
6. Device Control:
   • New Anti-Bridging feature (blocks unauthorized commuting between networks)
   • New capability to import/export a list of trusted devices (in XML format, which is convenient for manually reading and editing)
7. Application Control:
   • Enable test mode for individual rules
   • New KL category included in the Golden Image category: Trusted certificates.
8. You can use a simplified interface for Kaspersky Endpoint Security: you can bring up the context menu of the application icon in the taskbar. However, the main application window is unavailable from here.
9. The checksum (hash) of a detected file is sent to the Kaspersky Security Center Administration Server, is indicated in reports, and can be used for configuring exclusions (Trusted Zone).
10. Masks (*,?, **) are supported in Trusted zone settings.
11. Protection level indicator for a Kaspersky Security Center policy that notifies in case critically important protection components are disabled.
12. Various usability improvements:
    • Simplified Initial Configuration Wizard
    • Optimized license management

In Kaspersky Endpoint Security 11 for Windows, the following features are no longer supported: Quarantine, IM Anti-Virus, Vulnerability Scan.

[Topic 127970]

Distribution kit

The Kaspersky Endpoint Security distribution kit contains the following files:

• Files that are required for installing the application using any of the available methods:
• Update package files used during installation of the application.
• The klcfginst.msi file for installing the Kaspersky Endpoint Security administration plug-in via Kaspersky Security Center.
• The ksn_<language ID>.txt file, with which you can view the terms of participation in Kaspersky Security Network.
• The license.txt file, which you can use to view the End User License Agreement and the Privacy Policy.
• The incompatible.txt file that contains a list of incompatible software.
• The installer.ini file that contains the internal settings of the distribution kit.

  It is not recommended to change the values of these settings. If you want to change installation options, use the setup.ini file.

You must unpack the distribution kit to access the files.

[Topic 127971]

Organizing computer protection

Kaspersky Endpoint Security provides comprehensive computer protection against various types of threats, network and phishing attacks.

Each type of threat is handled by a dedicated component. Components can be enabled or disabled independently of one another, and their settings can be configured.

In addition to the real-time protection that the application components provide, we recommend that you regularly scan the computer for viruses and other threats. This helps to rule out the possibility of spreading malware that is undetected by protection components due to a low security level setting or for other reasons.

To keep Kaspersky Endpoint Security up to date, you must update the databases and modules that the application uses. The application is updated automatically by default, but if necessary, you can update the databases and application modules manually.

The following application components are control components:

• Application Control. This component keeps track of user attempts to start applications and regulates the startup of applications.
• Device Control. This component lets you set flexible restrictions on access to data storage devices (such as hard drives, removable drives, tape drives, and CD/DVD disks), data transmission equipment (such as modems), equipment that converts information into hard copies (such as printers), or interfaces for connecting devices to computers (such as USB, Bluetooth, and Infrared).
• Web Control. This component lets you set flexible restrictions on access to web resources for different user groups.

The operation of control components is based on the following rules:

• Application Control uses Application Control rules.
• Host Intrusion Prevention uses application privilege control rules.
• Device Control uses device access rules and connection bus access rules.
• Web Control uses web resource access rules.

The following application components are protection components:

• Behavior Detection. This component collects information about the actions of applications on your computer and provides this information to other components for more effective protection.
• Exploit Prevention. This component tracks executable files that are run by vulnerable applications. When there is an attempt to run an executable file from a vulnerable application that was not initiated by the user, Kaspersky Endpoint Security blocks this file from running.
• Host Intrusion Prevention. This component registers the actions of applications in the operating system and regulates application activity depending on the trust group of a particular application. A set of rules is specified for each group of applications. These rules regulate the access of applications to user data and to resources of the operating system. Such data includes user files (My Documents folder, cookies, user activity information) and files, folders, and registry keys that contain settings and important information from the most frequently used applications.
• Remediation Engine. This component lets Kaspersky Endpoint Security roll back actions that have been performed by malware in the operating system.
• File Threat Protection. This component protects the file system of the computer from infection. File Anti-Virus starts together with Kaspersky Endpoint Security, continuously remains active in computer memory, and scans all files that are opened, saved, or started on the computer and on all connected drives. This component intercepts every attempt to access a file and scans the file for viruses and other threats.
• Web Threat Protection. This component scans traffic that arrives on the user's computer via the HTTP and FTP protocols, and checks whether URLs are listed as malicious or phishing web addresses.
• Mail Threat Protection. This component scans incoming and outgoing email messages for viruses and other threats.
• Network Threat Protection. This component inspects inbound network traffic for activity that is typical of network attacks. Upon detecting an attempted network attack that targets your computer, Kaspersky Endpoint Security blocks network activity from the attacking computer.
• Firewall. This component protects data that is stored on the computer and blocks most possible threats to the operating system while the computer is connected to the Internet or to a local area network. The component filters all network activity according to rules of two kinds: network rules for applications and network packet rules.
• BadUSB Attack Prevention. This component prevents infected USB devices emulating a keyboard from connecting to the computer.
• Network Monitor. This component lets you view network activity of the computer in real time.

The following tasks are provided in Kaspersky Endpoint Security:

• Integrity Check. Kaspersky Endpoint Security checks the application modules in the application installation folder for corruption or modifications. If an application module has an incorrect digital signature, the module is considered corrupt.
• Full Scan. Kaspersky Endpoint Security scans the operating system, including RAM, objects that are loaded at startup, backup storage of the operating system, and all hard drives and removable drives.
• Custom Scan. Kaspersky Endpoint Security scans the objects that are selected by the user.
• Critical Areas Scan. Kaspersky Endpoint Security scans objects that are loaded at operating system startup, RAM, and objects that are targeted by rootkits.
• Rollback. Kaspersky Endpoint Security rolls back the last update of databases and modules.
• Update. Kaspersky Endpoint Security downloads updated databases and application modules. Updating keeps the computer protected against the latest viruses and other threats.

File encryption functionality lets you encrypt files and folders that are stored on local computer drives. The full disk encryption functionality allows encryption of hard drives and removable drives.

Remote administration through Kaspersky Security Center

Kaspersky Security Center makes it possible to remotely start and stop Kaspersky Endpoint Security on a client computer, and to remotely manage and configure application settings.

Service functions of the application

Kaspersky Endpoint Security includes a number of service functions. Service functions are meant to keep the application up to date, expand its functionality, and assist the user with operating the application.

• Reports. In the course of its operation, the application keeps a report on each application component and task. The report contains a list of Kaspersky Endpoint Security events and all operations that the application performs. In case of an incident, you can send reports to Kaspersky, where Technical Support specialists can look into the issue in more detail.
• Data storage. If the application detects infected files while scanning the computer for viruses and other threats, it blocks those files. Kaspersky Endpoint Security stores copies of disinfected and deleted files in Backup. Kaspersky Endpoint Security moves files that are not processed for any reason to the list of active threats. You can scan files, restore files to their original folders, and empty the data storage.
• Notification service. The notification service keeps the user informed about the current protection status of the computer and about the operation of Kaspersky Endpoint Security. Notifications can be displayed on the screen or sent by email.
• Kaspersky Security Network. User participation in Kaspersky Security Network enhances the effectiveness of computer protection through real-time collection of information on the reputation of files, web resources, and software from users worldwide.
• License. Purchasing a license unlocks full application functionality, provides access to application database and module updates, and support by phone or via email on issues related to installation, configuration, and use of the application.
• Support. All registered users of Kaspersky Endpoint Security can contact Technical Support specialists for assistance. You can send a request from My Kaspersky Account on the Technical Support website or receive assistance from support personnel over the phone.

If the application returns an error or hangs up during operation, it may be restarted automatically.

If the application encounters recurring errors that cause the application to crash, the application performs the following operations:

1. Disables control and protection functions (encryption functionality remains enabled).
2. Notifies the user that the functions have been disabled.
3. Attempts to restore the application to a functional state after updating anti-virus databases or applying application module updates.

The application receives information on recurring errors and system hangs using special-purpose algorithms defined by Kaspersky experts.

[Topic 127972]

Hardware and software requirements

To ensure proper operation of Kaspersky Endpoint Security, your computer must meet the following requirements:

Minimum general requirements:

• 2 GB of free disk space on the hard drive
• Processor with a clock speed of 1 GHz (that supports the SSE2 instruction set)
• RAM:
  • 1 GB for a 32-bit operating system
  • 2 GB for a 64-bit operating system.

Supported operating systems for personal computers:

• Windows 7 Home / Professional / Ultimate / Enterprise Service Pack 1 or later;
• Windows 8 Professional / Enterprise;
• Windows 8.1 Professional / Enterprise;
• Windows 10 Home / Pro / Education / Enterprise.

For details about support for the Microsoft Windows 10 operating system, please refer to the Technical Support Knowledge Base.

Supported operating systems for file servers:

• Windows Small Business Server 2008 Standard / Premium (64-bit);
• Windows Small Business Server 2011 Essentials / Standard (64-bit);

Microsoft Small Business Server 2011 Standard (64-bit) is supported only if Service Pack 1 for Microsoft Windows Server 2008 R2 is installed

• Windows MultiPoint Server 2011 (64-bit);
• Windows Server 2008 Standard / Enterprise / Datacenter Service Pack 2 or later;
• Windows Server 2008 R2 Foundation / Standard / Enterprise / Datacenter Service Pack 1 or later;
• Windows Server 2012 Foundation / Essentials / Standard / Datacenter;
• Windows Server 2012 R2 Foundation / Essentials / Standard / Datacenter;
• Windows Server 2016 Essentials / Standard / Datacenter;
• Windows Server 2019 Essentials / Standard / Datacenter.

For details about support for the Microsoft Windows Server 2016 and Microsoft Windows Server 2019 operating systems, please refer to the Technical Support Knowledge Base.

Supported virtual platforms:

• VMware Workstation 12.
• VMware ESXi 6.5.
• Microsoft Hyper-V 2016 Server.
• Citrix XenServer 7.2
• Citrix XenDesktop 7.14.
• Citrix Provisioning Services 7.14.

[Topic 167529]

Special considerations

You can view the list of known limitations and errors in the current version of Kaspersky Endpoint Security in Article 14210 of the Technical Support Knowledge Base: http://support.kaspersky.com/kes11.

[Topic 44831]

Installing and removing the application

This section guides you through installing Kaspersky Endpoint Security on your computer, completing initial configuration, upgrading from a previous version of the application, and removing the application from the computer.

[Topic 50360]

Installing the application

This section describes how to install Kaspersky Endpoint Security on your computer and complete initial configuration of the application.

[Topic 127973]

About ways to install the application

Kaspersky Endpoint Security for Windows can be installed locally (directly on the user's computer) or remotely from the administrator's workstation.

Local installation of Kaspersky Endpoint Security for Windows can be performed in one of the following modes:

• In interactive mode by using the Application Setup Wizard.

  The interactive mode requires your input in the setup process.

• In silent mode from the command line.

  After installation is started in silent mode, your involvement in the installation process is not required.

The application can be installed remotely on network computers using the following:

• Kaspersky Security Center software suite (for more detailed information, please refer to the Kaspersky Security Center Help Guide).
• Group Policy Editor of Microsoft Windows (see the operating system help files).
• System Center Configuration Manager.

We recommend closing all running applications before starting the installation of Kaspersky Endpoint Security (including remote installation).

[Topic 141289]

Installing the application by using the Setup Wizard

The interface of the application Setup Wizard consists of a sequence of windows corresponding to the application installation steps. You can navigate between the Setup Wizard pages by using the Back and Next buttons. To close the Setup Wizard after it completes its task, click the Terminate button. To stop the Setup Wizard at any stage, click the Cancel button.

To install the application or upgrade the application from a previous version by using the Setup Wizard:

1. Run the setup_kes.exe file included in the distribution kit.

   The Setup Wizard starts.

2. Follow the instructions of the Setup Wizard.

When the setup.exe file is launched, Kaspersky Endpoint Security checks the computer for any incompatible software. By default, upon detection of incompatible software the installation process is aborted and the list of applications incompatible with Kaspersky Endpoint Security appears on the screen. To continue installation, remove these applications from the computer.

[Topic 127974]

Step 1. Making sure that the computer meets installation requirements

Before installing Kaspersky Endpoint Security for Windows on a computer or upgrading a previous version of the application, the following conditions are checked:

• Whether or not the operating system and service pack meet the software requirements for product installation.
• Whether or not the hardware and software requirements are met.
• Whether or not the user has the rights to install the software product.

If any one of the previous requirements is not met, a relevant notification is displayed on the screen.

If the computer meets the listed requirements, the Setup Wizard searches for Kaspersky applications that could lead to conflicts when running at the same time as the application being installed. If such applications are found, you are prompted to remove them manually.

If the detected applications include previous versions of Kaspersky Endpoint Security, all data that can be migrated (such as activation data and application settings) is retained and used during the installation of Kaspersky Endpoint Security 11 for Windows, and the previous version of the application is automatically removed. This applies to the following application versions:

• Kaspersky Endpoint Security 10 Service Pack 1 for Windows (build 10.2.2.10535)
• Kaspersky Endpoint Security 10 Service Pack 1 Maintenance Release 1 for Windows (build 10.2.2.10535(MR1))
• Kaspersky Endpoint Security 10 Service Pack 1 Maintenance Release 2 for Windows (build 10.2.4.674)
• Kaspersky Endpoint Security 10 Service Pack 1 Maintenance Release 3 for Windows (build 10.2.5.3201)
• Kaspersky Endpoint Security 10 Service Pack 1 Maintenance Release 4 for Windows (build 10.2.6.3733)
• Kaspersky Endpoint Security 10 Service Pack 2 for Windows (build 10.3.0.6294)

[Topic 127976]

Step 2. Welcome page of the installation procedure

If all requirements for application installation are met, a welcome page appears after you start the installation package. The welcome page announces the beginning of installation of Kaspersky Endpoint Security on the computer.

To proceed with the Setup Wizard, click the Next button.

[Topic 44837]

Step 3. Viewing the License Agreement and Privacy Policy

At this step of the Setup Wizard, you must read the End User License Agreement that is to be concluded between you and Kaspersky, as well as the Privacy Policy.

Please carefully read the End User License Agreement and the Privacy Policy. If you agree with all the terms of the End User License Agreement and the Privacy Policy, in the I confirm I have fully read, understood, and accept the following section select the following check boxes:

• the terms and conditions of this EULA
• Privacy Policy describing the handling of data

Installation of the application on your device will continue after you select both check boxes.

If you do not accept the End User License Agreement and the Privacy Policy, cancel installation by clicking the Cancel button.

[Topic 127978]

Step 4. Selecting the installation type

At this step, you can select the most suitable type of Kaspersky Endpoint Security installation:

• Basic installation. If you choose this type of installation, all protection components, except for the BadUSB Attack Prevention component, are installed on the computer with settings recommended by Kaspersky experts.
• Standard installation. If you choose this type of installation, all protection and control components, except for the BadUSB Attack Prevention component, are installed on the computer with settings recommended by Kaspersky experts.
• Custom installation. If you select this type of installation, you are prompted to select the components to install and to specify the destination folder for the application.

  This type of installation lets you install the components that are not included in the basic and standard installations.

Standard installation is selected by default.

To return to the previous step of the Setup Wizard, click the Back button. To proceed with the Setup Wizard, click the Next button. To stop the Setup Wizard, click the Cancel button.

[Topic 127980]

Step 5. Selecting application components to install

This step is performed if you select Custom installation of the application.

At this step, you can select the components of Kaspersky Endpoint Security that you want to install. The File Threat Protection component is a mandatory component that must be installed. You cannot cancel its installation.

By default, all application components are selected for installation except the following components:

• BadUSB Attack Prevention.
• File Encryption.
• Full Disk Encryption.
• BitLocker Management.
• Endpoint Sensor.

BitLocker Management performs the following functions:

• Manages BitLocker encryption built in to the Windows operating system.
• Configures encryption in Kaspersky Security Center policy settings and checks their applicability for the managed computer.
• Starts encryption and decryption processes.
• Monitors the encryption status on the managed computer.
• Centrally stores recovery keys on the Kaspersky Security Center Administration Server.

Endpoint Sensor is a component of Kaspersky Anti Targeted Attack Platform. This solution is intended for rapid detection of threats such as targeted attacks. The component continually monitors processes, active network connections, and files that are modified, and relays this information to Kaspersky Anti Targeted Attack Platform.

To select a component to install, click the icon next to the component name to bring up the context menu and select Feature will be installed on the local hard drive. For more details on what tasks are performed by the selected component and how much disk space is required to install the component, refer to the lower part of the current Setup Wizard page.

To view detailed information about the available space on local hard drives, click the Volume button. Information will be displayed in the Disk Space Requirements window that opens.

To cancel installation of the component, select the Feature will be unavailable option in the context menu.

To return to the list of components installed by default, click the Reset button.

To return to the previous step of the Setup Wizard, click the Back button. To proceed with the Setup Wizard, click the Next button. To stop the Setup Wizard, click the Cancel button.

[Topic 131447]

Step 6. Selecting the destination folder

This step is available if you select Custom installation of the application.

During this step, you can specify the path to the destination folder where the application will be installed. To select the destination folder for the application, click the Browse button.

To view information about available space on local hard drives, click the Volume button. Information is shown in the Disk Space Requirements window that opens.

To return to the previous step of the Setup Wizard, click the Back button. To proceed with the Setup Wizard, click the Next button. To stop the Setup Wizard, click the Cancel button.

[Topic 123466]

Step 7. Adding scan exclusions

This step is available if you select Custom installation of the application.

At this step, you can specify which scan exclusions you want to add to the application settings.

The Exclude areas that are recommended by Microsoft from scan scope / Exclude areas that are recommended by Kaspersky from scan scope check boxes include / exclude areas that are recommended by Microsoft or Kaspersky in / from the trusted zone.

If one of these check boxes is selected, Kaspersky Endpoint Security includes, respectively, the areas that Microsoft or Kaspersky recommends in the trusted zone. Kaspersky Endpoint Security does not scan such areas for viruses and other threats.

The Exclude areas that are recommended by Microsoft from scan scope check box is available when Kaspersky Endpoint Security is installed on a computer running Microsoft Windows for file servers.

To return to the previous step of the Setup Wizard, click the Back button. To proceed with the Setup Wizard, click the Next button. To stop the Setup Wizard, click the Cancel button.

[Topic 123467]

Step 8. Preparing for application installation

It is recommended to protect the installation process because your computer may be infected with malicious programs that could interfere with installation of Kaspersky Endpoint Security for Windows.

Installation process protection is enabled by default.

However, if the application cannot be installed (for example, when performing remote installation with the help of Windows Remote Desktop), you are advised to disable protection of the installation process. If this is the case, abort the installation and start the Application Setup Wizard again. At the "Preparing for application installation" step, clear the Protect the installation process check box.

The Ensure compatibility with Citrix PVS check box enables / disables the function that installs drivers in Citrix PVS compatibility mode.

Select this check box only if you are working with Citrix Provisioning Services.

The Add the path to the file avp.com to the system variable %PATH% check box enables / disables an option that adds the path to the avp.com file to the %PATH% system variable.

If the check box is selected, starting Kaspersky Endpoint Security or any of its tasks from the command line does not require entering the path to the executable file. It is sufficient to enter the name of the executable file and the command to start the particular task.

To return to the previous step of the Setup Wizard, click the Back button. To install the program, click the Install button. To stop the Setup Wizard, click the Cancel button.

Current network connections may be terminated while the application is being installed on the computer. Most terminated network connections are restored after application installation is completed.

[Topic 127981]

Step 9. Application installation

Installation of the application can take some time. Wait for it to complete.

If you are updating a previous version of the application, this step also includes settings migration and removal of the previous version of the application.

After Kaspersky Endpoint Security installation finishes, the Initial Configuration Wizard starts.

[Topic 123468]

Installing the application from the command line

Kaspersky Endpoint Security can be installed from the command line in one of the following modes:

• In interactive mode by using the Application Setup Wizard.
• In silent mode. After installation is started in silent mode, your involvement in the installation process is not required. To install the application in silent mode, use the /s and /qn keys.

To install the application or upgrade the application version:

1. Run the command line interpreter (cmd.exe) as an administrator.
2. Go to the folder where the Kaspersky Endpoint Security distribution package is located.
3. Run the following command:

   setup_kes.exe /pEULA=1 /pPRIVACYPOLICY=1 [/pKSN=1|0] [/pALLOWREBOOT=1|0] [/pADDLOCAL=<component>] [/pSKIPPRODUCTCHECK=1|0] [/pSKIPPRODUCTUNINSTALL=1|0] [/pKLLOGIN=<user name> /pKLPASSWD=<password> /pKLPASSWDAREA=<password scope>] [/pENABLETRACES=1|0 /pTRACESLEVEL=<tracing level>] /s

   or

   msiexec /i <distribution kit name> EULA=1 PRIVACYPOLICY=1 [KSN=1|0] [ALLOWREBOOT=1|0] [ADDLOCAL=<component>] [SKIPPRODUCTCHECK=1|0] [SKIPPRODUCTUNINSTALL=1|0] [KLLOGIN=<user name> KLPASSWD=<password> KLPASSWDAREA=<password scope>] [ENABLETRACES=1|0 TRACESLEVEL=<tracing level>] /qn

   EULA	Acceptance or rejection of the terms of the End User License Agreement. Available values: 1 – acceptance of the terms of the End User License Agreement. 0 – rejection of the terms of the End User License Agreement. The text of the License Agreement is included in the distribution kit of Kaspersky Endpoint Security. Accepting the terms of the End User License Agreement is necessary for installing the application or upgrading the application version.
   PRIVACYPOLICY	Acceptance or rejection of the Privacy Policy. Available values: 1 – acceptance of the Privacy Policy. 0 – rejection of the Privacy Policy. The text of the Privacy Policy is included in the Kaspersky Endpoint Security distribution kit. To install the application or upgrade the application version, you must accept the Privacy Policy.
   KSN	Agreement or refusal to participate in Kaspersky Security Network (KSN). If no value is set for this parameter, Kaspersky Endpoint Security will prompt to confirm your consent or refusal to participate in KSN when Kaspersky Endpoint Security is first started. Available values: 1 – agreement to participate in KSN. 0 – refusal to participate in KSN (default value). The Kaspersky Endpoint Security distribution package is optimized for use with Kaspersky Security Network. If you opted not to participate in Kaspersky Security Network, you should update Kaspersky Endpoint Security immediately after the installation is complete.
   ALLOWREBOOT=1	Automatic restart of the computer, if required after installation or upgrade of the application. If no value is set for this parameter, automatic computer restart is blocked. Restart is not required when installing Kaspersky Endpoint Security. Restart is required only if you have to remove incompatible applications prior to installation. Restart may also be required when updating the application version.
   ADDLOCAL	Selection of additional application components to be installed. By default, all application components are selected for installation except the following components: BadUSB Attack Prevention, File Level Encryption, Full Disk Encryption, BitLocker Management, and Endpoint Sensor. Available values: MSBitLockerFeature. Installation of the BitLocker Management component. AntiAPTFeature. The Endpoint Sensor component is installed.
   SKIPPRODUCTCHECK=1	Disabling checking for incompatible software. The list of incompatible software is available in the incompatible.txt file that is included in the distribution kit. If no value is set for this parameter and incompatible software is detected, the installation of Kaspersky Endpoint Security will be terminated.
   SKIPPRODUCTUNINSTALL=1	Disable automatic removal of detected incompatible software. If no value is set for this parameter, Kaspersky Endpoint Security attempts to remove incompatible software.
   KLLOGIN	Set the user name for accessing the features and settings of Kaspersky Endpoint Security (the Password protection component). The user name is set together with the KLPASSWD and KLPASSWDAREA parameters. The user name KLAdmin is used by default.
   KLPASSWD	Specify a password for accessing Kaspersky Endpoint Security features and settings (the password is specified together with the KLLOGIN and KLPASSWDAREA parameters). If you specified a password but did not specify a user name with the KLLOGIN parameter, the KLAdmin user name is used by default.
   KLPASSWDAREA	Specify the scope of the password for accessing Kaspersky Endpoint Security. When a user attempts to perform an action that is included in this scope, Kaspersky Endpoint Security prompts for the user’s account credentials (KLLOGIN and KLPASSWD parameters). Use the ";" character to specify multiple values. Available values: SET – modifying application settings. EXIT – exiting the application. DISPROTECT – disabling protection components and stopping scan tasks. DISPOLICY – disabling Kaspersky Security Center policy. UNINST – removing the application from the computer. DISCTRL – disabling control components. REMOVELIC – removing the key. REPORTS – viewing reports.
   ENABLETRACES	Enabling or disabling application traces. After Kaspersky Endpoint Security starts, it saves trace files in the folder %ProgramData%/Kaspersky Lab. Available values: 1 – traces are enabled. 0 – traces are disabled (default value).
   TRACESLEVEL	Level of detail of traces. Available values: 100 (critical). Only messages about fatal errors. 200 (high). Messages about all errors, including fatal errors. 300 (diagnostic). Messages about all errors, and a selection of messages containing warnings. 400 (important). All warnings and messages about ordinary and critical errors, and a selection of messages that contain additional information. 500 (normal). All warnings and messages about normal and fatal errors, and also messages containing detailed information about normal operation (default value). 600 (low). All possible messages.
   Example: setup.exe /pEULA=1 /pPRIVACYPOLICY=1 /pKSN=1 /pALLOWREBOOT=1 /s msiexec /i kes_win.msi EULA=1 PRIVACYPOLICY=1 KSN=1 KLLOGIN=Admin KLPASSWD=Password KLPASSWDAREA=EXIT;DISPOLICY;UNINST /qn setup.exe /pEULA=1 /pPRIVACYPOLICY=1 /pKSN=1 /pENABLETRACES=1 /pTRACESLEVEL=600 /s

After the application is installed, Kaspersky Endpoint Security activates the trial license unless you indicated an activation code in the setup.ini file. A trial license usually has a short term. When the trial license expires, all Kaspersky Endpoint Security features become disabled. To continue using the application, you must activate a commercial license.

When installing the application or upgrading the application version in silent mode, use of the following files is supported:

• setup.ini – general settings for application installation
• install.cfg – settings of Kaspersky Endpoint Security operation
• setup.reg – registry keys

  Registry keys from the setup.reg file are written to the registry only if the setup.reg value is set for the SetupReg parameter in the setup.ini file. The setup.reg file is generated by Kaspersky experts. It is not recommended to modify the contents of this file.

To apply settings from the setup.ini, install.cfg, and setup.reg files, place these files into the folder containing the Kaspersky Endpoint Security distribution package.

[Topic 132945]

Remotely installing the application using System Center Configuration Manager

These instructions apply to System Center Configuration Manager 2012 R2.

To remotely install an application using System Center Configuration Manager:

1. Open the Configuration Manager console.
2. In the right part of the console, in the App management section, select Packages.
3. In the upper part of the console in the control panel, click the Create package button.

   This starts the New Package and Application Wizard.

4. In the New Package and Application Wizard:
   1. In the Package section:
      • In the Name field, enter the name of the installation package.
      • In the Source folder field, specify the path to the folder containing the distribution kit of Kaspersky Endpoint Security.
   2. In the Application type section, select the Standard application option.
   3. In the Standard application section:
      • In the Name field, enter the unique name for the installation package (for example, the application name including the version).
      • In the Command line field, specify the Kaspersky Endpoint Security installation options from the command line.
      • Click the Browse button to specify the path to the executable file of the application.
      • Make sure that the Execution mode list has the Run with administrator rights item selected.
   4. In the Requirements section:
      • Select the Start another application first check box if you want a different application to be started before installing Kaspersky Endpoint Security.

        Select the application from the Application drop-down list or specify the path to the executable file of this application by clicking the Browse button.

      • Select the This application can be started only on the specified platforms option in the Platform requirements section if you want the application to be installed only in the specified operating systems.

        In the list below, select the check boxes opposite the operating systems in which Kaspersky Endpoint Security will be installed.

      This step is optional.

   5. In the Summary section, check all entered values of the settings and click Next.

   The created installation package will appear in the Packages section in the list of available installation packages.

5. In the context menu of the installation package, select Deploy.

   This starts the Deployment Wizard.

6. In the Deployment Wizard:
   1. In the General section:
      • In the Software field, enter the unique name of the installation package or select the installation package from the list by clicking the Browse button.
      • In the Collection field, enter the name of the collection of computers on which the application will be installed, or select the collection by clicking the Browse button.
   2. In the Contains section, add distribution points (for more detailed information, please refer to the help documentation for System Center Configuration Manager).
   3. If required, specify the values of other settings in the Deployment Wizard. These settings are optional for remote installation of Kaspersky Endpoint Security.
   4. In the Summary section, check all entered values of the settings and click Next.

   After the Deployment Wizard finishes, a task will be created for remote installation of Kaspersky Endpoint Security.

[Topic 127982]

Description of setup.ini file installation settings

The setup.ini file is used when installing the application from the command line or when using the Group Policy Editor of Microsoft Windows. To apply settings from the setup.ini file, place this file into the folder containing the Kaspersky Endpoint Security distribution package.

The setup.ini file consists of the following sections:

• [Setup] – general settings of application installation.
• [Components] – selection of application components to be installed. If none of the components are specified, all components that are available for the operating system are installed. File Threat Protection is a mandatory component and is installed on the computer regardless of which settings are indicated in this section.
• [Tasks] – selection of tasks to be included in the list of Kaspersky Endpoint Security tasks. If no task is specified, all tasks are included in the task list of Kaspersky Endpoint Security.

The alternatives to the value 1 are the values yes, on, enable, and enabled.

The alternatives to the value 0 are the values no, off, disable, and disabled.

Settings of the setup.ini file

[Topic 44850]

Initial Configuration Wizard

The Initial Configuration Wizard of Kaspersky Endpoint Security starts at the end of the application setup procedure. The Initial Configuration Wizard lets you activate the application and gathers information about the applications that are included in the operating system. These applications are added to the list of trusted applications whose actions within the operating system are not subject to any restrictions.

The interface of the Initial Configuration Wizard consists of a sequence of pages (steps). You can navigate between the Initial Configuration Wizard pages by using the Back and Next buttons. To complete the Initial Configuration Wizard procedure, click the Terminate button. To stop the Initial Configuration Wizard procedure at any stage, click Cancel.

If the Initial Configuration Wizard is interrupted for some reason, the already specified settings are not saved. The next time you attempt to use the application, the Initial Configuration Wizard will start again, and you will have to configure the settings from scratch.

[Topic 124699]

Step 1. Application activation

The application must be activated on a computer with the current system date and time. If the system date and time are changed after activation of the application, the key becomes inoperable. The application switches to a mode of operation without updates, and Kaspersky Security Network is not available. The key can be made operable again only by reinstalling the operating system.

At this step, select one of the following Kaspersky Endpoint Security activation options:

• Activate with an activation code. To activate the application with an activation code, select this option and enter an activation code.
• Activate with a key file. Select this option to activate the application with a key file.
• Activate trial version. To activate the trial version of the application, select this option. The user can use the fully-functional version of the application for the duration of the term that is limited by the license for the trial version of the application. After the license expires, the application functionality is blocked and you cannot activate the trial version again.
• Activate later. Select this option if you want to skip the stage of Kaspersky Endpoint Security activation. The user will be able to work with only the File Threat Protection and Firewall components. The user will be able to update anti-virus databases and modules of Kaspersky Endpoint Security only once after installation. The Activate later option is available only at the first start of the Initial Configuration Wizard, immediately after installing the application.

An Internet connection is required to activate the trial version of the application, or to activate the application with an activation code.

To proceed with the Initial Configuration Wizard, select an activation option and click the Next button. To stop the Initial Configuration Wizard, click the Cancel button.

[Topic 44962]

Step 2. Activating with an activation code

This step is available only when you activate the application with an activation code. This step is skipped when you activate the trial version of the application or when you activate the application with a key file.

During this step, Kaspersky Endpoint Security sends data to the activation server to verify the entered activation code:

• If the activation code verification is successful, the Initial Configuration Wizard automatically proceeds to the next window.
• If the activation code verification fails, a corresponding message appears. In this case, you should seek advice from the software vendor that sold you the license to Kaspersky Endpoint Security.
• If the number of activations with the activation code is exceeded, a corresponding notification appears. The Initial Configuration Wizard is interrupted, and the application suggests that you contact Kaspersky Technical Support.

To return to the previous step of the Initial Configuration Wizard, click the Back button. To stop the Initial Configuration Wizard, click the Cancel button.

[Topic 128182]

Step 3. Activating with a key file

This step is available only when you activate the application with a key file.

At this step, specify the path to the key file. To do so, click the Browse button and select a key file of the form <File ID>.key.

After you select a key file, the following information is displayed in the lower part of the window:

• key;
• License type (commercial or trial) and the number of computers that are covered by this license
• date of application activation on the computer;
• license expiration date;
• application functionality available under the license;
• Notifications about key problems, if any. For example, Black list of keys corrupted.

To return to the previous step of the Initial Configuration Wizard, click the Back button. To proceed with the Initial Configuration Wizard, click the Next button. To stop the Initial Configuration Wizard, click the Cancel button.

[Topic 128184]

Step 4. Selecting the functions to activate

This step is available only when you activate the trial version of the application.

At this step, you can select the functionality that will become available after activation of the application:

• Basic installation. If this option is selected, only the protection components and the Host Intrusion Prevention component will be available after activation of the application.
• Standard installation. If this option is selected, only protection and control components of the application will be available after activation.
• Full installation. If this option is selected, all installed application components, including data encryption functionality, will be available after activation of the application.

If you selected more components than the acquired license permits during installation, after activation of the application the components that are unavailable under the license will be installed but will not be operational. If the license purchased allows using more components than are currently installed, after the application is activated the components that have not been installed are listed in the Licensing section.

Standard installation is selected by default.

To return to the previous step of the Initial Configuration Wizard, click the Back button. To proceed with the Initial Configuration Wizard, click the Next button. To stop the Initial Configuration Wizard, click the Cancel button.

[Topic 123446]

Step 5. Completing activation

During this step, the Initial Configuration Wizard informs you about successful activation of Kaspersky Endpoint Security. The following information about the license is provided:

• License type (commercial or trial) and the number of computers that are covered by this license
• license expiration date;
• application functionality available under the license.

To proceed with the Initial Configuration Wizard, click the Next button. To stop the Initial Configuration Wizard, click the Cancel button.

[Topic 127984]

Step 6. Finishing the initial configuration of the application

The Initial Configuration Wizard completion window contains information about the completion of the Kaspersky Endpoint Security installation process.

If you want to start Kaspersky Endpoint Security, click the Finish button.

If you want to exit the Initial Configuration Wizard without starting Kaspersky Endpoint Security, clear the Start Kaspersky Endpoint Security for Windows check box and click Finish.

[Topic 44961]

Step 7. Analyzing the operating system

During this step, information is collected about applications that are included in the operating system. These applications are added to the list of trusted applications whose actions within the operating system are not subject to any restrictions.

Other applications are analyzed after they are started for the first time following Kaspersky Endpoint Security installation.

To stop the Initial Configuration Wizard, click the Cancel button.

[Topic 127977]

Step 8. Kaspersky Security Network Statement

At this step, you are invited to accept participation in Kaspersky Security Network by performing the following actions:

1. Review the Kaspersky Security Network Statement.
2. Select one of the following options:
   • If you accept all of its terms, select the I agree to use Kaspersky Security Network option.
   • If you do not accept the terms of participation in Kaspersky Security Network, select the I do not agree to use Kaspersky Security Network option.

     The Kaspersky Endpoint Security distribution kit is optimized for use with Kaspersky Security Network. If you opted not to participate in Kaspersky Security Network, you should update Kaspersky Endpoint Security immediately after the installation is complete.

3. To confirm your selection, click OK.

[Topic 123470]

Updating to the new version of the application

When you update a previous version of the application to a newer version, consider the following:

• When updating a previous version to Kaspersky Endpoint Security for Windows 11.0.0, there is no need to remove the previous version of the application.
• We recommend quitting all active applications before starting the update.
• To update Kaspersky Endpoint Security from version 10 to version 11, you need to decrypt all encrypted hard drives.

Before updating, Kaspersky Endpoint Security blocks the Full Disk Encryption functionality. If Full Disk Encryption could not be blocked, the update installation will not start. After updating the application, the Full Disk Encryption functionality will be restored.

You can update the following applications to Kaspersky Endpoint Security 11.0.0 for Windows:

• Kaspersky Endpoint Security 10 Service Pack 1 for Windows (build 10.2.2.10535)
• Kaspersky Endpoint Security 10 Service Pack 1 Maintenance Release 2 for Windows (build 10.2.4.674)
• Kaspersky Endpoint Security 10 Service Pack 1 Maintenance Release 3 for Windows (build 10.2.5.3201)
• Kaspersky Endpoint Security 10 Service Pack 1 Maintenance Release 4 for Windows (build 10.2.6.3733)
• Kaspersky Endpoint Security 10 Service Pack 2 for Windows (build 10.3.0.6294)
• Kaspersky Endpoint Security 10 Service Pack 2 Maintenance Release 1 for Windows (build 10.3.0.6294)
• Kaspersky Endpoint Security 10 Service Pack 2 Maintenance Release 2 for Windows (build 10.3.0.6294)
• Kaspersky Endpoint Security 10 Service Pack 2 Maintenance Release 3 for Windows (build 10.3.3.275).
.

When updating Kaspersky Endpoint Security 10 Service Pack 2 for Windows to Kaspersky Endpoint Security 11.0.0 for Windows, the files that were placed in Backup or Quarantine in the previous version of the application will be transferred to Backup in the new version of the application. For versions earlier than Kaspersky Endpoint Security 10 Service Pack 2 for Windows, files that were placed in Backup and Quarantine in a previous version of the application are not migrated to the newer version.

Kaspersky Endpoint Security can be updated on the computer in the following ways:

• locally, by using the Setup Wizard.
• locally from the command line.
• remotely, by using the Kaspersky Security Center software suite (refer to the Kaspersky Security Center Help for more information).
• remotely through the Microsoft Windows Group Policy Management Editor (for more details, see Microsoft Technical Support website).
• remotely, by using the System Center Configuration Manager.

[Topic 50362]

Removing the application

This section describes how you can remove Kaspersky Endpoint Security from your computer.

[Topic 127986]

About ways to remove the application

Removing Kaspersky Endpoint Security leaves the computer and user data unprotected against threats.

Kaspersky Endpoint Security can be removed from the computer in several ways:

• Locally in interactive mode, by using the Setup Wizard
• Locally in non-interactive mode, from the command line
• Remotely using the Kaspersky Security Center software suite (please refer to the Kaspersky Security Center Help Guide for more information)
• Remotely via the Group Policy Editor of Microsoft Windows (see the operating system help files)

[Topic 127987]

Removing the application by using the Setup Wizard

To remove Kaspersky Endpoint Security by using the Setup Wizard:

1. Open the Control Panel window in one of the following ways:
   • If you are using Windows 7, select Control Panel in the Start menu.
   • If you are using Windows 8 or Windows 8.1, press the Win+I key combination and select Control Panel.
   • If you are using Windows 10, press the Win+X key combination and select Control Panel.
2. In the Control Panel window, select Apps and Features.
3. In the list of installed applications, select Kaspersky Endpoint Security for Windows.
4. Click the Modify/Uninstall button.

   This opens the Custom installation window of the Application Setup Wizard.

5. In the Modify, Repair or Remove application window of the Setup Wizard, click the Remove button.
6. Follow the instructions of the Setup Wizard.

[Topic 128449]

Step 1. Saving application data for future use

During this step, you can specify which of the data used by the application you want to keep for further use during the next installation of the application (for example, when installing a newer version). If you do not specify any data, the application will be completely removed.

To save application data for future use,

select the check boxes next to the data types that you want to save:

• Activation data - data that eliminates the need to activate the application you install in the future. It is activated automatically under the current license, as long as the license has not expired by the time of installation.
• Backup files are files that are scanned by the application and placed in Backup.

  Backup files that are saved after removal of the application can be accessed only from the same version of the application that was used to save those files.

  If you plan to use Backup objects after removal of the application, you must restore those objects from storage before removing the application. However, Kaspersky experts do not recommend restoring objects from Backup because this may harm the computer.

• Operational settings of the application - values of application settings that are selected during application configuration.
• Local storage of encryption keys - data that provides direct access to files and devices that were encrypted before removal of the application. Encrypted files and drives can be accessed directly after the application is reinstalled with encryption functionality.

  This check box is selected by default.

To proceed with the Setup Wizard, click the Next button. To stop the Setup Wizard, click the Cancel button.

[Topic 44856]

Step 2. Confirming application removal

Because removing the application jeopardizes the security of your computer, you are asked to confirm that you want to remove the application. To do so, click the Delete button.

To stop removal of the application at any time, you can cancel this operation by clicking the Cancel button.

[Topic 44858]

Step 3. Application removal. Completing removal

During this step, the Setup Wizard removes the application from the computer. Wait until application removal is complete.

When removing the application, your operating system may require a restart. If you decide to not restart immediately, completion of the application removal procedure is postponed until the operating system is restarted, or until the computer is turned off and then turned on again.

[Topic 123471]

Removing the application from the command line

You can start the application uninstallation process from the command line executing the command from the folder containing the distribution kit. Uninstallation is performed in interactive or silent mode (without starting the Application Setup Wizard).

To start the application uninstallation process in interactive mode,

in the command line type setup_kes.exe /x or msiexec.exe /x {E7012AFE-DB97-4B8B-9513-E98C0C3AACE3}.

The Setup Wizard starts. Follow the instructions of the Setup Wizard.

To start the application uninstallation process in silent mode,

in the command line type setup_kes.exe /s /x or msiexec.exe /x {E7012AFE-DB97-4B8B-9513-E98C0C3AACE3} /qn.

This starts the application uninstallation process in silent mode (without starting the Setup Wizard).

If the application uninstallation operation is password protected, the user name and its corresponding password must be entered in the command line.

To remove the application from the command line in interactive mode when the user name and password for authentication of Kaspersky Endpoint Security removal, modification, or repair are set:

In the command line, type setup_kes.exe /pKLLOGIN=<User name> /pKLPASSWD=***** /x or

msiexec.exe KLLOGIN=<User name> KLPASSWD=***** /x {E7012AFE-DB97-4B8B-9513-E98C0C3AACE3}.

The Setup Wizard starts. Follow the instructions of the Setup Wizard.

To remove the application from the command line in silent mode when the user name and password for authentication of Kaspersky Endpoint Security removal, modification, or repair are set:

In the command line, type setup_kes.exe /pKLLOGIN=<User name> /pKLPASSWD=***** /s /x or

msiexec.exe /x {E7012AFE-DB97-4B8B-9513-E98C0C3AACE3} KLLOGIN=<User name> KLPASSWD=***** /qn.

[Topic 128199]

Removing objects and data that remained after test operation of Authentication Agent

During application uninstallation, if Kaspersky Endpoint Security detects objects and data that remained on the system hard drive after test operation of Authentication Agent, application uninstallation is interrupted and becomes impossible until such objects and data are removed.

Objects and data may remain on the system hard drive after test operation of Authentication Agent only in exceptional cases. For example, this can happen if the computer has not been restarted after a Kaspersky Security Center policy with encryption settings was applied, or if the application fails to start after test operation of Authentication Agent.

You can remove objects and data that remained on the system hard drive after test operation of Authentication Agent in two ways:

• Using the Kaspersky Security Center policy.
• Using Restore Utility.

To use a Kaspersky Security Center policy to remove objects and data that remained after test operation of Authentication Agent:

1. Apply to the computer a Kaspersky Security Center policy with settings configured to decrypt all computer hard drives.
2. Start Kaspersky Endpoint Security.

    

To remove information about application incompatibility with Authentication Agent,

type the avp pbatestreset command in the command line.

Encryption components must be installed for the avp pbatestreset command to be executed.

[Topic 127988]

Application interface

This section describes the primary elements of the application interface.

[Topic 127989]

Application icon in the taskbar notification area

Immediately after installation of Kaspersky Endpoint Security, the application icon appears in the Microsoft Windows taskbar notification area.

The icon serves the following purposes:

• It indicates application activity.
• It acts as a shortcut to the context menu and main window of the application.

Indication of application activity

The application icon serves as an indicator of application activity:

• The  icon signifies that all protection components of the application are enabled.
• The  icon signifies that important events that require your attention have occurred in the operation of Kaspersky Endpoint Security. For example, the File Threat Protection component is disabled and the application databases are out of date.
• The  icon signifies that critical events have occurred in the operation of Kaspersky Endpoint Security. For example, a failure in the operation of a component, or corruption of the application databases.

[Topic 127990]

Application icon context menu

The context menu of the application icon contains the following items:

• Kaspersky Endpoint Security for Windows. Opens the main application window. In this window, you can adjust the operation of application components and tasks, and view the statistics of processed files and detected threats.
• Settings. Opens the Settings window. The Settings tab lets you change the default application settings.
• Pause protection and control / Resume protection and control. Temporarily pauses / resumes the operation of protection and control components. This context menu item does not affect the update task and scan tasks, being only available when the Kaspersky Security Center policy is disabled.

  Kaspersky Security Network is used by Kaspersky Endpoint Security regardless of whether the operation of protection and control components is paused / resumed.

• Disable policy / Enable policy. Disables / enables the Kaspersky Security Center policy. This context menu item is available if a policy has been applied to a computer on which Kaspersky Endpoint Security is installed, and a password for disabling the Kaspersky Security Center policy has been set.
• About. This item opens an information window with application details.
• Exit. This item quits Kaspersky Endpoint Security. Clicking this context menu item causes the application to be unloaded from the computer RAM.

  

  Application icon context menu

You can open the context menu of the application icon by resting the pointer on the application icon in the taskbar notification area of Microsoft Windows and right-clicking.

[Topic 127991]

Main application window

The main window of Kaspersky Endpoint Security contains interface elements that provide access to the main functions of the application.

The main application window contains the following items:

• Link to Kaspersky Endpoint Security for Windows. Clicking this link opens the About window containing information about the application version.
• Button . Clicking this button takes you to the help system of Kaspersky Endpoint Security.
• Threat detection technologies section. The section contains the following information:
  • The left part of the section displays a list of threat detection technologies. The number of threats that were detected using the specific technology appears to the right of the name of each threat detection technology.
  • Depending on the presence of active threats, the center of the section displays one of the following captions:
    • No threats. If this caption is displayed, clicking the Threat detection technologies section opens the Threat detection technologies window, which provides a brief description of the threat detection technologies as well as the status and global statistics of the Kaspersky Security Network cloud service infrastructure.
    • N active threats. If this caption is displayed, clicking the Threat detection technologies section opens the Active threats window, which displays a list of events associated with infected files that were not processed for some reason.
• Protection components section. Clicking this section opens the Protection components window. In this window, you can view the operating status of installed components. From this window, you can also open a subsection in the Settings window containing the settings of any installed component except encryption components.
• Tasks section. Clicking this section opens the Tasks window. In this window, you can manage the operation of Kaspersky Endpoint Security tasks that are used to update application modules and databases, scan files for viruses and other malware, and run an integrity check.
• Reports button. Clicking this button opens the Reports window containing information about events that have occurred during operation of the application in general or its separate components, or during the performance of tasks.
• Repositories button. Clicking this button opens the Backup window. In this window, you can view a list of copies of infected files that the application has deleted.
• Support button. Clicking this button opens the Support window, which contains information on the operating system, the current version of Kaspersky Endpoint Security, and links to Kaspersky information resources.
• Settings button. Clicking this button opens the Settings window in which you can modify the default settings of the application.
• Button / / . Clicking this button opens the Events window that contains information about available updates as well as requests to access encrypted files and devices.
• License link. Clicking this link opens the Licensing window containing information about the current license.

  

  Main application window

To open the main window of Kaspersky Endpoint Security, perform one of the following actions:

• Click the application icon in the Microsoft Windows taskbar notification area.
• Select Kaspersky Endpoint Security for Windows in the context menu of the application icon.

[Topic 128000]

Renewing a license

When your license approaches expiration, you can renew it. This ensures that your computer remains protected after expiration of the current license and until you activate the application under a new license.

To renew a license:

1. Receive a new application activation code or key file.
2. Add an additional key with the activation code or the key file that you have received.

An

It may take some time for the key to be updated from additional to active due to load distribution across activation servers of Kaspersky.

[Topic 127992]

Application settings window

The Kaspersky Endpoint Security settings window lets you configure overall application settings, individual components, reports and storages, scan tasks and update tasks, and communication with Kaspersky Security Network servers.

The application settings window consists of two parts (see the following figure):

• The left part contains application components, tasks, and an advanced settings section consisting of several subsections.
• The right part contains control elements that you can use to configure the settings of the component or task selected in the left part of the window, as well as advanced settings.

  

  Application settings window

To open the application settings window, perform one of the following actions:

• In the main application window, select the Settings tab.
• In the context menu of the application icon, select Settings.

[Topic 158640]

Simplified application interface

If a Kaspersky Security Center policy configured to display the simplified application interface is applied to a client computer on which Kaspersky Endpoint Security is installed, the main application window is not available on this client computer. Right-click to open the context menu of the Kaspersky Endpoint Security icon (see the figure below) containing the following items:

• Disable policy. Disables the Kaspersky Security Center policy on the client computer that has Kaspersky Endpoint Security installed. This context menu item is available if a policy has been applied to the computer and a password for disabling the Kaspersky Security Center policy has been set.
• Tasks. Drop-down list containing the following items:
  • Update.
  • Rollback.
  • Full Scan.
  • Custom Scan.
  • Critical Areas Scan.
  • Integrity Check.
• Support. This opens the Support window containing information necessary for contacting Kaspersky Technical Support.
• Exit. Exit Kaspersky Endpoint Security.

Context menu of the application icon when displaying the simplified interface

[Topic 69238]

Application licensing

This section provides information about general concepts related to the application licensing.

[Topic 127993]

About the End User License Agreement

The End User License Agreement is a binding agreement between you and AO Kaspersky Lab stipulating the terms on which you may use the application.

We recommend carefully reading the terms of the License Agreement before using the application.

You can view the terms of the License Agreement in the following ways:

• When installing Kaspersky Endpoint Security in interactive mode.
• By reading the license.txt file. This document is included in the application distribution kit.

By confirming that you agree with the End User License Agreement when installing the application, you signify your acceptance of the terms of the End User License Agreement. If you do not accept the terms of the End User License Agreement, you must abort the installation.

[Topic 123473]

About the license

A license is a time-limited right to use the application, granted under the End User License Agreement.

A valid license entitles you to the following kinds of services:

• Use of the application in accordance with the terms of the End User License Agreement
• Technical Support

The scope of services and application usage term depend on the type of license under which the application was activated.

The following license types are provided:

• Trial – a free license intended for trying out the application.

  A trial license usually has a short term. When the trial license expires, all Kaspersky Endpoint Security features become disabled. To continue using the application, you must purchase a commercial license.

  You can activate the application under a trial license only once.

• Commercial – a paid license that is provided when you purchase Kaspersky Endpoint Security.

  Application functionality available under the commercial license depends on the choice of product. The selected product is indicated in the License Certificate. Information on available products may be found on the Kaspersky website.

  When the commercial license expires, key features of the application become disabled. To continue using the application, you must renew your commercial license. If you are not planning to renew your license, you must remove the application from your computer.

[Topic 73976]

About the license certificate

A license certificate is a document transferred to the user together with a key file or activation code.

The license certificate contains the following license information:

• Order number
• Details of the user to whom the license is granted
• Details of the application that can be activated using the license
• Limitation on the number of licensed units (for example, the number of devices on which the application can be used under the license)
• License term start date
• License expiration date or license term
• License type

[Topic 135439]

About subscription

A subscription for Kaspersky Endpoint Security is a purchase order for the application with specific parameters (such as the subscription expiry date and number of devices protected). You can order a subscription for Kaspersky Endpoint Security from your service provider (such as your ISP). A subscription can be renewed manually or automatically, or you may cancel your subscription. You can manage your subscription on the website of the service provider.

Subscription can be limited (for one year, for example) or unlimited (without an expiry date). To keep Kaspersky Endpoint Security working after expiry of the limited subscription term, you have to renew your subscription. Unlimited subscription is renewed automatically if the vendor's services have been prepaid on time.

When a limited subscription expires, you may be provided a subscription renewal grace period during which the application continues to function. The availability and duration of such a grace period is decided by the service provider.

To use Kaspersky Endpoint Security under subscription, you have to apply the activation code received from the service provider. After the activation code is applied, the active key is installed. The active key defines the license for using the application under subscription. An additional key can be installed only using an activation code and cannot be installed using a key file or under subscription.

The possible subscription management options may vary with each service provider. The service provider may not offer a grace period for renewing subscription, during which time the application will retain its functionality.

Activation codes purchased under subscription may not be used to activate previous versions of Kaspersky Endpoint Security.

[Topic 127994]

About activation code

An activation code is a unique alphanumeric sequence of twenty Latin letters and numerals that you receive when purchasing a commercial license for Kaspersky Endpoint Security.

To activate the application with an activation code, Internet access is required to connect to Kaspersky activation servers.

When the application is activated using an activation code, the active key is installed. An additional key can be installed only using an activation code and cannot be installed using a key file or under subscription.

If an activation code is lost after activating the application, you can restore the activation code. You may need an activation code, for example, to register a Kaspersky CompanyAccount. To restore an activation code, you must contact Kaspersky Technical Support.

[Topic 124700]

About the key

A key is a unique alphanumeric sequence. A key makes it possible to use the application on the terms indicated in the License Certificate (type of license, license validity period, license restrictions).

A license certificate is not provided for a key installed under subscription.

A key can be added to the application using an activation code or a key file.

You can add, edit, or delete keys. The key can be blocked by Kaspersky if the terms of the End User License Agreement are violated. If the key has been blocked, you have to add a different key to continue using the application.

If a key for an expired license has been deleted, application functionality is not available. You cannot add such a key again after it has been deleted.

There are two types of keys: active and additional.

An active key is a key that is currently used by the application. A trial or commercial license key can be added as the active key. The application cannot have more than one active key.

An additional key is a key that entitles the user to use the application, but is not currently in use. At the expiry of the active key, an additional key automatically becomes active. An additional key can be added only if the active key is available.

A key for a trial license can be added only as an active key. It cannot be added as the additional key. A trial license key cannot replace the active key to a commercial license.

If a key gets blacklisted, the application functionality defined by the license under which the application has been activated remains available for eight days. Kaspersky Security Network and database and application module updates are available with no restrictions. The application notifies that user that the key has been blacklisted. After eight days, application functionality becomes limited to the functionality level that is available after the license term expires: the application operates without updates and Kaspersky Security Network is not available.

[Topic 127995]

About the key file

A key file is a file with the .key extension that you receive from Kaspersky after purchasing Kaspersky Endpoint Security. The purpose of a key file is to add a key that activates the application.

You do not need to connect to Kaspersky activation servers in order to activate the application with a key file.

You can recover a key file if it has been accidentally deleted. You may need a key file to register a Kaspersky CompanyAccount, for example.

To recover a key file, do one of the following:

• Contact the license vendor.
• Obtain a key file on the Kaspersky website based on your existing activation code.

When the application is activated using a key file, an active key is added. A reserve license key can be added only by using a key file and cannot be added using an activation code.

[Topic 127996]

About data provision

If an activation code is applied to activate Kaspersky Endpoint Security, you agree to periodically transmit the following information automatically for the purposes of verifying correct use of the application:

• Type, version, and localization of Kaspersky Endpoint Security
• Versions of installed updates for Kaspersky Endpoint Security
• ID of the computer and ID of the specific Kaspersky Endpoint Security installation on the computer
• Activation code and unique ID of the specific activation of the current license
• Type, version and bit rate of the operating system, and name of the virtual environment (if Kaspersky Endpoint Security is installed in a virtual environment)
• IDs of Kaspersky Endpoint Security components that are active when the information is transmitted

Kaspersky may also use this information to generate statistics on the dissemination and use of Kaspersky software.

By using an activation code, you agree to automatically transmit the data listed above. If you do not agree to transmit this information to Kaspersky, you should use a key file to activate Kaspersky Endpoint Security.

By accepting the terms of the End User License Agreement, you agree to automatically transmit the following information:

• When upgrading Kaspersky Endpoint Security:
  • Version of Kaspersky Endpoint Security
  • ID of the active license
  • ID of Kaspersky Endpoint Security
  • Serial number of the active license
  • Unique ID of the upgrade task start
  • Unique ID of the Kaspersky Endpoint Security installation
• When following links from the Kaspersky Endpoint Security interface:
  • Version of Kaspersky Endpoint Security
  • Version of the operating system
  • Kaspersky Endpoint Security activation date
  • License expiration date
  • Key creation date
  • Kaspersky Endpoint Security installation date
  • ID of Kaspersky Endpoint Security
  • ID of the active license
  • ID of the detected vulnerability in the operating system
  • ID of the last update installed for Kaspersky Endpoint Security
  • ID of the vulnerability found when scanning for vulnerable applications
  • Hash of the detected threat, and the name of this threat according to the Kaspersky classification
  • Kaspersky Endpoint Security activation error category
  • Error code
  • Kaspersky Endpoint Security activation error code
  • Number of days until key expiration
  • Number of days that have elapsed since the key was added
  • Number of days that have elapsed since the license expired
  • Number of computers on which the active license is applied
  • Serial number of the active license
  • Kaspersky Endpoint Security license term
  • Current status of the license
  • Type of active license
  • Application type
  • Unique ID of the upgrade task start
  • Unique ID of the Kaspersky Endpoint Security installation
  • Unique software installation ID on the computer
  • Kaspersky Endpoint Security interface language
• About participation in Kaspersky Security Network:
  • Whether the Kaspersky Security Network Statement was accepted or declined
  • Date and time when the Kaspersky Security Network Statement was accepted or rejected
  • ID of the Kaspersky Security Network Statement and the version of the Kaspersky Security Network Statement that was accepted or rejected by the user
  • Information about whether the Enable Kaspersky Security Network check box is selected or cleared
  • Information about whether the Enable extended KSN mode check box is selected or cleared
  • Unique IDs of the personal computer and user
  • Full version of the application and application type

  If Kaspersky Security Network is fully disabled, these statistics will be transmitted every 4 hours during the 24-hour period after it is disabled. If you decline participation in Kaspersky Security Network during installation of Kaspersky Endpoint Security, these statistics will also be transmitted every 4 hours during the 24-hour period after Kaspersky Security Network is disabled on the computer.

Received information is protected by Kaspersky in accordance with the law and the requirements and applicable regulations of Kaspersky.

Read the End User License Agreement and visit the Kaspersky website to learn more about how we collect, process, store, and destroy information about application usage after you accept the End User License Agreement and consent to the Kaspersky Security Network Statement. The license.txt and ksn_<language ID>.txt files contain the text of the End User License Agreement and Kaspersky Security Network Statement and are included in the application distribution kit.

[Topic 128001]

Viewing license information

To view license information:

1. Open the main application window.
2. Click the / button in the lower part of the main application window.

The Licensing window opens. Information about the license is displayed in the section that is located in the upper part of the Licensing window.

[Topic 127999]

Purchasing a license

You may purchase a license after installing the application. On purchasing a license, you receive an activation code or a key file for activating the application.

To purchase a license:

1. Open the main application window.
2. Click the / button in the lower part of the main application window.

   The Licensing window opens.

3. In the Licensing window, do one of the following:
   • If no keys have been added or a key for trial license has been added, click the Purchase license button.
   • If the key for a commercial license is added, click the Renew license button.

   A window will open with the website of the Kaspersky online store, where you can purchase a license.

[Topic 124701]

Renewing subscription

When you use the application under subscription, Kaspersky Endpoint Security automatically contacts the activation server at specific intervals until your subscription expires.

If you use the application under unlimited subscription, Kaspersky Endpoint Security automatically checks the activation server for renewed keys in background mode. If a key is available on the activation server, the application adds it by replacing the previous key. In this way, unlimited subscription for Kaspersky Endpoint Security is renewed without user involvement.

If you are using the application under a limited subscription, on the expiration date of the subscription (or on the expiration date of the subscription renewal grace period), Kaspersky Endpoint Security notifies you about this and stops attempting to renew the subscription automatically. In this case, Kaspersky Endpoint Security behaves in the same way as it does when a commercial license for the application expires: the application operates without updates and the Kaspersky Security Network is unavailable.

You can renew subscription on the website of the service provider.

You can update subscription status manually in the Licensing window. This may be required if the subscription has been renewed after the grace period and the application has not updated the subscription status automatically.

[Topic 128204]

Visiting the website of the service provider

To visit the website of the service provider from the application interface:

1. Open the main application window.
2. Click the / button in the lower part of the main application window.

   The Licensing window opens.

3. In the Licensing window, click Contact your subscription provider.

[Topic 127997]

About application activation methods

Activation is the process of activating a license that allows you to use a fully functional version of the application until the license expires. The application activation process involves adding a key.

You can activate the application in one of the following ways:

• When installing the application, with the help of the Initial Configuration Wizard. You can add the active key in this way.
• Locally from the application interface, by using the Activation Wizard You can add both the active key and the additional key in this way.
• Remotely with the Kaspersky Security Center software suite by creating and then starting an add key task. You can add both the active key and the additional key in this way.
• Remotely by distributing keys and activation codes stored in the Kaspersky Security Center Administration Server key storage to client computers (please refer to the Kaspersky Security Center Help Guide for more information about this). You can add both the active key and the additional key in this way.

  The activation code purchased under subscription is distributed in the first place.

• Using the command line.

It may take some time for the application to be activated with an activation code (during either remote or non-interactive installation) due to load distribution across activation servers of Kaspersky. If you need to activate the application right away, you may interrupt the ongoing activation process and start activation using the Activation Wizard.

[Topic 127998]

Using the Activation Wizard to activate the application

To activate Kaspersky Endpoint Security by using the Activation Wizard:

1. Click the / button in the lower part of the main application window.

   The Licensing window opens.

2. In the Licensing window, click the Activate the application under a new license button.

   The Application Activation Wizard starts.

3. Follow the instructions of the Activation Wizard.

For more detailed information on the application activation procedure, please refer to the section on the Initial Configuration Wizard.

[Topic 123476]

Activating the application from the command line

To activate the application from the command line,

type avp.com license /add <activation code or key file> /password=<password> in the command line.

[Topic 34213]

Starting and stopping the application

This section describes how you can configure automatic startup of the application, start or stop the application manually, and pause or resume protection and control components.

[Topic 128004]

Enabling and disabling automatic startup of the application

Automatic startup means that Kaspersky Endpoint Security starts immediately after operating system startup, without user intervention. This application startup option is enabled by default.

After installation, Kaspersky Endpoint Security starts automatically for the first time.

Downloading Kaspersky Endpoint Security anti-virus databases after startup of the operating system can take up to two minutes depending on the capabilities of the computer. During this time, the level of computer protection is reduced. Downloading anti-virus databases when Kaspersky Endpoint Security is started on an already loaded operating system does not cause a reduction in the level of computer protection.

To enable or disable automatic startup of the application:

1. Open the application settings window.
2. In the left part of the window, in the General Settings section, select Application Settings.
3. Do one of the following:
   • If you want to enable autorun of the application, select the Start Kaspersky Endpoint Security for Windows at computer startup check box.
   • If you want to disable autorun of the application, clear the Start Kaspersky Endpoint Security for Windows at computer startup check box.
4. To save changes, click the Save button.

[Topic 128005]

Starting and stopping the application manually

Kaspersky experts recommend against manually stopping Kaspersky Endpoint Security because doing so exposes the computer and your personal data to threats. If necessary, you can pause computer protection for as long as you need to, without stopping the application.

Kaspersky Endpoint Security needs to be started manually if you have previously disabled automatic startup of the application.

To start the application manually,

In the Start menu, select Applications Kaspersky Endpoint Security for Windows.

To stop the application manually:

1. Right-click to bring up the context menu of the application icon that is in the taskbar notification area.
2. In the context menu, select Exit.

[Topic 128006]

Pausing and resuming computer protection and control

Pausing computer protection and control means disabling all protection and control components of Kaspersky Endpoint Security for some time.

The application status is displayed using the application icon in the taskbar notification area.

• The icon signifies that computer protection and control are paused.
• The icon signifies that computer protection and control are disabled.

Pausing or resuming computer protection and control does not affect scan or update tasks.

If any network connections are already established when you pause or resume computer protection and control, a notification about the termination of these network connections is displayed.

To pause computer protection and control:

1. Right-click to bring up the context menu of the application icon that is in the taskbar notification area.
2. In the context menu, select Pause protection and control.

   The Pause protection window opens.

3. Select one of the following options:
   • Pause for the specified time - Computer protection and control resume after the amount of time that is specified in the drop-down list below.
   • Pause until restart - Computer protection and control resume after you quit and reopen the application or restart the operating system. Automatic startup of the application must be enabled to use this option.
   • Pause - Computer protection and control resume when you decide to re-enable them.
4. If you selected the Pause for the specified time option during the previous step, select the necessary interval in the drop-down list.

To resume computer protection and control:

1. Right-click to bring up the context menu of the application icon that is in the taskbar notification area.
2. In the context menu, select Resume protection and control.

You can resume computer protection and control at any time, regardless of the computer protection and control pause option that you selected previously.

[Topic 34491]

Participation in Kaspersky Security Network

This section contains information about participation in Kaspersky Security Network and instructions on how to enable or disable use of Kaspersky Security Network.

[Topic 128164]

About participation in Kaspersky Security Network

To protect your computer more effectively, Kaspersky Endpoint Security uses data that is received from users around the globe. Kaspersky Security Network is designed to collect such data.

Kaspersky Security Network (KSN) is an infrastructure of cloud services providing access to the online Kaspersky Knowledge Base that contains information about the reputation of files, web resources, and software. The use of data from Kaspersky Security Network ensures faster responses by Kaspersky Endpoint Security to new threats, improves the performance of some protection components, and reduces the likelihood of false positives.

Depending on the location of the infrastructure, there is a Global KSN service (the infrastructure is hosted by Kaspersky servers) and a Private KSN service.

After changing the license, submit the details of the new key to the service provider in order to be able to use Private KSN. Otherwise, data exchange with Private KSN will not be possible.

Thanks to users who participate in KSN, Kaspersky is able to promptly receive information about types and sources of threats, develop solutions for neutralizing them, and minimize the number of false alarms displayed by application components.

When using extended KSN mode, the application automatically sends its resultant operating statistics to KSN. The application can also send certain files (or parts of files) that hackers could use to harm the computer or data to Kaspersky for additional scanning.

For more detailed information about sending Kaspersky statistical information that is generated during participation in KSN, and about the storage and destruction of such information, please refer to the Kaspersky Security Network Statement and the Kaspersky website. The ksn_<language ID>.txt file containing the text of the Kaspersky Security Network Statement is included in the application distribution kit.

To reduce the load on KSN servers, Kaspersky may release application anti-virus databases that temporarily disable or partly restrict requests to Kaspersky Security Network. In this case, the status of the connection to KSN appears as Enabled with restrictions.

User computers managed by Kaspersky Security Center Administration Server can interact with KSN via the KSN Proxy service.

The KSN Proxy service provides the following capabilities:

• The user's computer can query KSN and submit information to KSN even without direct access to the Internet.
• KSN Proxy caches processed data, thereby reducing the load on the external network connection and speeding up receipt of the information that is requested by the user's computer.

More details about the KSN Proxy service can be found in the Kaspersky Security Center Help Guide.

KSN Proxy service settings can be configured in the properties of the Kaspersky Security Center policy.

Use of Kaspersky Security Network is voluntary. The application prompts you to use KSN during initial configuration of the application. Users can begin or discontinue participation in KSN at any time.

[Topic 126799]

Enabling and disabling use of Kaspersky Security Network

To enable or disable use of Kaspersky Security Network:

1. In the main application window, click the Settings button.
2. In the application settings window, select Advanced Threat Protection → Kaspersky Security Network.
3. Select the Kaspersky Security Network check box if you want Kaspersky Endpoint Security to use information about the reputation of files, web resources, and applications received from Kaspersky Security Network databases.

   Kaspersky Endpoint Security will display the Kaspersky Security Network Statement. Please read and accept the terms of the Kaspersky Security Network (KSN) Statement if you agree to them.

   By default, Kaspersky Endpoint Security uses the Extended KSN mode. Extended KSN mode is a mode in which Kaspersky Endpoint Security sends additional data to Kaspersky.

4. If required, clear the Enable Extended KSN mode check box.
5. Save your changes.

[Topic 165983]

About data provision when using Kaspersky Security Network

By accepting the Kaspersky Security Network Statement, you agree to automatically transmit the following information:

• If the Enable Kaspersky Security Network check box is selected and the Enable extended KSN mode check box is cleared, the following information is transmitted:
  • Web address of the page from which the user was directed to the scanned web address
  • Web address whose reputation is requested
  • Version of the protocol used to connect to Kaspersky services
  • ID of the anti-virus databases
  • ID of the scan task that detected the threat
  • ID of the subsystem that initiated the request
  • ID of the connection protocol and the utilized port number
  • IDs of installed updates
  • Name and ID of the detected threat according to the Kaspersky classification
  • Public certificate key
  • Type and full version of Kaspersky Endpoint Security
  • Hash (SHA256) of the certificate with which the scanned object was signed
  • Hash of the scanned file (MD5, SHA2-256 and SHA1) and file templates (MD5)
• If the Enable extended KSN mode check box is selected in addition to the Enable Kaspersky Security Network check box, the following information is also transmitted in addition to the information listed above:
  • Trusted executable files and non-executable files, or parts thereof, transmitted for the purpose of preventing false positives.
  • The following information included in application activity reports is transmitted:
    • Web addresses and IP addresses called by the application
    • Web addresses and IP addresses from which the started file was received
    • Certificate term start and expiration date and time, if the transmitted file has a digital signature - the date and time of the signature, name of the certificate issuer, information about the certificate owner, thumbprint and public certificate key and their computation algorithms, and the serial number of the certificate
    • Headers of process windows
    • ID of anti-virus databases, name of the detected threat according to the classification of the Rightholder
    • Names and paths to files that were accessed by the process
    • Names of registry keys and their values that were accessed by the process
    • Account name used to start the process
    • Name, size, and version of the transmitted file, its description and checksums (MD5, SHA2-256, SHA1), format ID, name of its developer, name of the product to which the file belongs, full path to the file on the computer and the path template code, and the date and time of file creation and modification
    • Information about the license installed in the software, license ID, and its type and expiration date
    • checksums (MD5, SHA2-256, SHA1) of the name of the computer on which the process was started
    • Local time of the computer when the information was transmitted
  • The following additional information is transmitted:
    • Web addresses and IP addresses of the requested web resource, information about the file and web client accessing the web resource, the name, size and checksums (MD5, SHA2-256, SHA1) of the file, full path to the file and path template code, the result of checking its digital signature, and its status in KSN
    • If a potentially malicious object is detected, the following information about process memory data is provided: elements of the system object hierarchy (ObjectManager), UEFI BIOS memory data, and the names and values of registry keys.
    • Web pages and emails containing suspicious and malicious objects.
    • Version of the software update component, the number of software update component crashes when running update tasks during component operation, ID of the update task type, the number of unsuccessful update task terminations of the software update component.
    • Data on errors that occurred in the operation of the software component: ID of the software status, error code and type, as well as the time it occurred, IDs of the component, module and process of the product in which the error occurred, ID of the task or category of the update during which the error occurred, logs of drivers used by the software (error code, module name, name of the source file and string where the error occurred), ID of the method for identifying the error that occurred in software operation, and the name of the process that initiated the interception or exchange of traffic that led to the error in software operation.
    • Data on a system dump (BSOD): indicator of a BSOD occurring on the computer, name of the driver that caused the BSOD, memory stack and address in the driver, indicator of the duration of the OS session prior to the BSOD, memory stack of the driver crash, type of saved memory dump, indicator that the OS session lasted more than 10 minutes prior to the BSOD, unique ID of the dump, and the date and time of the BSOD.
    • Data on updates of anti-virus databases and components of the software: names, dates, and time of index files loaded as a result of the last update and loaded in the current update, as well as the date and time when the last update finished, and the names of the updated categories of files and their checksums (MD5, SHA2-256, SHA1).
    • ID of the scan task that detected the threat.
    • Information for authenticating certificates with which files were signed: certificate thumbprint, checksum computation algorithm, public key and serial number of the certificate, name of the certificate issuer, result of checking the certificate, and the ID of the certificate database.
    • Information about the version of the operating system (OS) installed on the computer and installed update packages, bit rate, revision and settings of the OS operating mode, and the version and checksums (MD5, SHA2-256, SHA1) of the OS kernel file.
    • Information about rollback of malware actions: data on the file whose activity was rolled back (name of the file, full path to the file, its size and checksums (MD5, SHA2-256, SHA1)), data on successful and unsuccessful actions to delete, rename and copy files and restore the values in the registry (names of registry keys and their values), and information about system files modified by malware, before and after rollback.
    • Information about executable file emulation: size of the file and its checksums (MD5, SHA2-256, SHA1), version of the emulation component, depth of emulation, vector of characteristics of logical blocks and functions within logical blocks obtained during emulation, and data from the executable file PE-header structure.
    • Information about the date of installation and activation of the software on the computer: the type of license installed and its validity period, the ID of the partner from whom the license was purchased, the license serial number, the type of software installation on the computer (new installation, upgrade, etc.), the indicator of successful installation or the number of the installation error, the unique ID of the software installation on the computer, the type and ID of the application with which the update is performed, and the ID of the update task.
    • Information about loaded software modules: name, size and checksums (MD5, SHA2-256, SHA1) of the module file, full path to it and the path template code, digital signature settings of the module file, data and time of signature creation, name of the subject and organization that signed the module file, ID of the process in which the module was loaded, name of the module supplier, and the sequence number of the module in the loading queue.
    • Information about files downloaded by the user: URLs and IP addresses from which the files were downloaded and the download pages, ID of the download protocol and connection port number, indicator of malicious activity of addresses, attributes and size of the file and its checksums (MD5, SHA2-256, SHA1), information about the process that downloaded the file (checksums (MD5, SHA2-256, SHA1), date and time of creation and linking, autorun indicator, attributes, names of packers, information about the signature, executable file indicator, format ID, entropy), file name, file path on the computer, digital signature of the file and information about the signature, URL on which the detection occurred, number of the script on the page that turned out to be suspicious or malicious, information about completed http requests and responses to them.
    • Information about running applications and their modules: data on processes running in the system (process ID (PID), process name, details of the account under which the process was started and the application and command that started the process, as well as an indicator of whether the application or process is trusted, the full path to process files and the command line, level of integrity of the process, description of the product to which the process belongs (the product name and publisher details), as well as information about currently used digital certificates and information required to verify them or indication of the absence of a digital signature of the file), as well as information about modules loaded into processes (name, size, type, creation date, attributes, check sums (MD5, SHA2-256, SHA1), and path), PE file header information, and the name of the packer (if the file was packed).
    • Information about the set of all installed updates and about the set of the most recently installed updates and/or remote updates, type of event that caused update information to be sent, amount of time that elapsed after installation of the last update, and information about the anti-virus databases that were loaded when the information was transmitted.
    • Information about an unsuccessful last restart of the operating system: the number of unsuccessful restarts since the OS was installed, system dump data (error code and parameters, name, version and checksum (CRC32) of the module that caused the error in OS operation, error address as an offset in the module, and checksums (MD5, SHA2-256, SHA1) of the system dump).
    • Information about the Rightholder's software: full version, type, localization and operating status of the utilized software, versions of installed software components and their operating status, data on installed software updates, the TARGET filter value, and the version of the protocol utilized to connect to the Rightholder's services.
    • Information about scanned objects: the assigned trust group to which or from which the file was moved, the reason for moving the file to the given category, the category ID, information about the source of categories and the category database versions, indicator of whether the file has a trusted certificate, name of the file developer, file version, and the name and version of the application to which the file belongs.
    • Information about scanned files and URLs: checksums of the scanned file (MD5, SHA2-256, SHA1) and file patterns (MD5), size of the pattern, type of detected threat and its name according to the Rightholder's classification, ID of anti-virus databases, URL whose reputation was queried, as well as the URL of the page from which the user was directed to the scanned URL, the ID of the connection protocol, and the utilized port number.
    • Information about the process that launched the attack on the software's self-defense: name and size of the process file, its checksums (MD5, SHA2-256, SHA1), full path to the file and the path template code, dates and time of creation and linking of the process file, executable file indicator, attributes of the process file, information about the certificate with which the process file was signed, code of the account used to start the process, ID of the operations that were performed for access to the process, type of resource with which the operation is performed (process, file, registry object, window search using the FindWindow function), name of the resource with which the operation is performed, indicator of operation success, the status of the process file and its signature in KSN.
    • Information about the operation of protection components: full versions of components, code of the event that overflowed the event queue, and the number of such events, the total number of event queue overflows, information about the process file that initiated the event (name of the file and path to it on the computer, path template code, checksums (MD5, SHA2-256, SHA1) of the process associated with the file, file version), ID of the completed event capture, full version of the capture filter, ID of the captured event type, size of the event queue and the number of events between the first event in queue and the current event, the number of overdue events in queue, information about the process that initiated the current event (name of the process file and path to it on the computer, path template code, checksums (MD5, SHA2-256, SHA1) of the process), event processing time, maximum permissible event processing time, and the data transmission probability value.
    • Information about software operation on the computer: data on CPU usage, data on memory usage (Private Bytes, Non-Paged Pool, Paged Pool), number of active threads in the software process and pending threads, and the duration of software operation prior to the error.
    • Information about the results of categorizing requested web resources containing the scanned URL and IP address of the host, version of the software component that performed the categorization, categorization method, and the set of categories determined for the web resource.
    • Information about network attacks: IP addresses of the attacking computer (IPv4 and IPv6), computer port number targeted by the network attack, ID of the protocol of the IP packet in which the attack was registered, target of the attack (company name, website), attack response flag, weighted level of the attack, and the trust level value.
    • Information about network connections: version and check sums (MD5, SHA2-256, SHA1) of the file of a process that opened the port, path to the process file and its digital signature, local and remote IP addresses, numbers of the local and remote connection ports, connection status, and port opening time.
    • Information about events in system logs: event time, name of the log in which the event was detected, event type and category, and the name of the event source and its description.
    • Information about the computer's anti-virus protection status: versions, dates and time of release of the anti-virus databases being used, statistical data on updates and connections with the Rightholder's services, and the ID of the task and ID of the software component that performed the scan.
    • Information about third-party applications that caused an error: their name, version and localization, error code and information about it from the system log of applications, address of error occurrence and memory stack of the third-party application, indicator of the error in the software component, amount of time the third-party application operated prior to the error, checksums (MD5, SHA2-256, SHA1) of the application process image in which the error occurred, path to this application process image and the path template code, information from the OS system log with a description of the error associated with the application, information about the application module in which the error occurred (error ID, error address as an offset in the module, name and version of the module, ID of the application crash in the Rightholder's plug-in and memory stack of the crash, and the amount of time the application operated prior to the malfunction).
    • Information about software crashes: date and time of dump creation, its type, name of the process associated with the dump, version and time when statistics were sent with the dump, type of event that caused the software crash (unexpected power outage, crash of a third-party Rightholder's application, intercept processing errors), and the date and time of the unexpected power outage.
    • Information about attacks related to spoofing network resources, and DNS- and IP addresses (IPv4 or IPv6) of visited websites.
    • Information about utilized digital certificates required for verifying their authenticity: checksums (SHA256) of the certificate with which the scanned object was signed, and the public certificate key.
    • Information about detected vulnerabilities: the vulnerability ID in the vulnerabilities database, the vulnerability danger class, and the status of detection.
    • Information about the hardware installed on the computer: the type, name, model, and version of the firmware, specifications of embedded and connected devices, and the unique ID of the computer on which the software is installed.
    • Information about software installed on the computer: name of the software and its developers, utilized registry keys and their values, information about files of the installed software (checksums (MD5, SHA2-256, SHA1), name, path to the file on the computer, size, version and digital signature), information about kernel objects, drivers, services, Microsoft Internet Explorer extensions, printing system extensions, Windows Explorer extensions, Active Setup elements, control panel applets, entries of the hosts file and system registry, and the versions of browsers and mail clients.
    • Information about all potentially malicious objects and activities: name of the detected object and full path to the object on the computer, checksums of processed files (MD5, SHA2-256, SHA1), detection date and time, names and sizes of infected files and paths to them, path template code, indicator of whether the object is a container, names of the packer (if the file was packed), file type code, file format ID, list of actions performed by malware and the decision made by the software and user in response to them, ID of the anti-virus databases that were used to make the decision, the name of the detected threat according to the Rightholder's classification, the level of danger, the detection status and detection method, reason for inclusion into the analyzed context and sequence number of the file in the context, checksums (MD5, SHA2-256, SHA1), the name and attributes of the executable file of the application through which the infected message or link was transmitted, depersonalized IP addresses (IPv4 and IPv6) of the host of the blocked object, file entropy, file autorun indicator, time when the file was first detected in the system, the number of times the file has been run since the last statistics were sent, information about the name, checksums (MD5, SHA2-256, SHA1) and size of the mail client through which the malicious object was received, ID of the software task that performed the scan, indicator of whether the file reputation or signature was checked, file processing result, checksum (MD5) of the pattern collected for the object, the size of the pattern in bytes, and the technical specifications of the applied detection technologies.
    • Executable files and non-executable files, wholly or partially.
    • Number of software dumps and system dumps (BSOD) since the software was installed and since the last update, ID and version of the software module in which the malfunction occurred, the memory stack in the software process, and information about the anti-virus databases when the malfunction occurred.
    • Description of WMI repository classes and class instances.
    • Reports on activities of applications.
    • Network traffic data packages.
    • Sectors participating in the OS loading process.
    • Service information about software operation: version of the compiler, indicator of malicious activity of the scanned object, version of the set of transmitted statistics, information about the availability and validity of statistical data, ID of the condition for generating the transmitted statistics, and indicator of whether the software is operating in interactive mode.
    • Computer RAM segments.

[Topic 155760]

Enabling and disabling cloud mode for protection components

When using Kaspersky Private Security Network, cloud mode functionality is available starting with Kaspersky Private Security Network version 3.0.

To enable or disable cloud mode for protection components:

1. Open the application settings window.
2. In the left part of the window, in the Advanced Threat Protection section, select Kaspersky Security Network.

   Kaspersky Security Network settings are displayed in the right part of the window.

3. Do one of the following:
   • Select the Enable cloud mode for protection components check box.

     If the check box is selected, Kaspersky Endpoint Security uses the light version of anti-virus databases, which reduces the load on operating system resources.

     Kaspersky Endpoint Security downloads the light version of anti-virus databases during the next update after the check box was selected.

     If the light version of anti-virus databases is not available for use, Kaspersky Endpoint Security automatically switches to the premium version of anti-virus databases.

   • Clear the Enable cloud mode for protection components check box.

     If the check box is cleared, Kaspersky Endpoint Security uses the full version of anti-virus databases.

     Kaspersky Endpoint Security downloads the full version of anti-virus databases during the next update after the check box was cleared.

   This check box is available if the Enable Kaspersky Security Network check box is selected.

4. To save changes, click the Save button.

[Topic 126800]

Checking the connection to Kaspersky Security Network

To check the connection to Kaspersky Security Network:

1. Open the main application window.
2. In the upper part of the window, click the Threat detection technologies section.

   The Threat detection technologies window opens.

   The following information about Kaspersky Security Network performance appears in the lower part of the Threat detection technologies window:

   • One of the following status values of Kaspersky Endpoint Security connection to Kaspersky Security Network appears under the KASPERSKY SECURITY NETWORK (KSN) line:
     • Enabled. Available.

       This status means that Kaspersky Security Network is being used in Kaspersky Endpoint Security operations and KSN servers are available.

     • Enabled. Not available.

       This status means that Kaspersky Security Network is being used in Kaspersky Endpoint Security operations and KSN servers are unavailable.

     • Disabled.

       This status means that Kaspersky Security Network is not being used in Kaspersky Endpoint Security operations.

   • The lines Whitelisted objects, Blacklisted objects, and Threats neutralized in the last 24 hours display global statistics of the infrastructure of Kaspersky Security Network cloud services.
   • The Last synchronization line shows the date and time of the most recent synchronization of Kaspersky Endpoint Security with KSN servers.

     The application gathers KSN usage statistics when the Threat detection technologies window is opened. The global statistics of the Kaspersky Security Network cloud service infrastructure and the Last synchronization line are not refreshed in real time.

     If the time that has elapsed since the last synchronization with KSN servers exceeds 15 minutes or shows the Unknown status, the status of the Kaspersky Endpoint Security connection to Kaspersky Security Network takes the Enabled value. Not available.

     A connection to Kaspersky Security Network servers may be absent due to the following reasons:

     • The computer is not connected to the Internet.
     • Application is not activated.
     • License expired.
     • Key-related problems have been detected (for example, the key has been blacklisted).

     If the connection with Kaspersky Security Network servers cannot be restored, it is recommended to contact Technical Support or your service provider.

[Topic 128451]

Checking the reputation of a file in Kaspersky Security Network

The KSN service lets you retrieve information about applications that are included in Kaspersky reputation databases. This enables flexible management of application startup policies at the company level, thereby preventing the startup of adware and other programs that can be used by criminals to damage your computer or personal data.

To check the reputation of a file in Kaspersky Security Network:

1. Right-click to bring up the context menu of the file whose reputation you want to check.
2. Select the Check reputation in KSN option.

   This option is available if you have accepted the terms of the Kaspersky Security Network Statement.

   This opens the <File name> - Reputation in KSN window. The <File name> - Reputation in KSN window displays the following information about the file being checked:

   • Path. Path in which the file is saved to disk.
   • Product version. Application version (information is displayed only for executable files).
   • Digital signature. Presence of a digital signature with the file.
   • Signed. Date on which the certificate was signed with a digital signature.
   • Created. File creation date.
   • Modified. Date of last modification of the file.
   • Size. Disk space occupied by the file.
   • Information about how many users trust the file or block the file.

[Topic 74345]

Enhanced protection with Kaspersky Security Network

Kaspersky offers an extra layer of protection to users through the Kaspersky Security Network. This protection method is designed to combat advanced persistent threats and zero-day attacks. Integrated cloud technologies and the expertise of Kaspersky virus analysts make Kaspersky Endpoint Security the unsurpassed choice for protection against the most sophisticated network threats.

Details on enhanced protection in Kaspersky Endpoint Security are available on the Kaspersky website.

[Topic 151031]

Application Behavior Detection

This section contains information about application Behavior Detection and instructions on how to configure the component settings.

[Topic 151039]

About Behavior Detection

The application Behavior Detection component collects data on the actions of applications on your computer and provides this information to other protection components to improve their performance.

The application Behavior Detection component utilizes Behavior Stream Signatures (BSS). These signatures contain sequences of actions that Kaspersky Endpoint Security classifies as dangerous. If application activity matches a behavior stream signature, Kaspersky Endpoint Security performs the selected responsive action. Kaspersky Endpoint Security functionality based on behavior stream signatures provides proactive defense for the computer.

[Topic 151064]

Enabling and disabling Behavior Detection

By default, Behavior Detection is enabled and runs in the mode recommended by Kaspersky experts. You can disable Behavior Detection if necessary.

It is not recommended to disable Behavior Detection unless absolutely necessary because doing so would reduce the effectiveness of the protection components. The protection components may request data collected by the Behavior Detection component to detect threats.

To enable or disable Behavior Detection:

1. Open the application settings window.
2. In the left part of the window, in the Advanced Threat Protection section, select the Behavior Detection subsection.

   In the right part of the window, the settings of the Behavior Detection component are displayed.

3. Do one of the following:
   • Select the Enable Behavior Detection check box if you want Kaspersky Endpoint Security to use behavior stream signatures to analyze application activity in the operating system.
   • Clear the Enable Behavior Detection check box if you do not want Kaspersky Endpoint Security to use behavior stream signatures to analyze application activity in the operating system.
4. To save changes, click the Save button.

[Topic 151065]

Choose action in the event malicious activity is detected in a program

When Kaspersky Endpoint Security detects malicious activity, it logs an entry containing information about the detected application activity.

In order to choose what to do if a program engages in malicious activity, perform the following steps:

1. Open the application settings window.
2. In the left part of the window, in the Advanced Threat Protection section, select the Behavior Detection subsection.

   In the right part of the window, the settings of the Behavior Detection component are displayed.

3. Select the necessary action in the On detecting malware activity drop-down list:
   • Delete file.

     If this item is selected, on detecting malicious activity Kaspersky Endpoint Security deletes the executable file of the malicious application and creates a backup copy of the file in Backup.

   • Terminate the program.

     If this item is selected, on detecting malicious activity Kaspersky Endpoint Security terminates this application.

   • Inform.

     If this item is selected and malware activity of an application is detected, Kaspersky Endpoint Security adds information about the malware activity of the application to the list of active threats.

4. To save changes, click the Save button.

[Topic 151229]

Configuring protection of shared folders against external encryption

The component monitors operations performed only with those files that are stored on mass storage devices with the NTFS file system and that are not encrypted with EFS.

Protection of shared folders against external encryption analyzes activity in shared folders analyzes activity in shared folders. If this activity matches a behavior stream signature that is typical for external encryption, Kaspersky Endpoint Security performs the selected action.

You can configure protection of shared folders against external encryption as follows:

• Select the action to take on detection of external encryption of shared folders.
• Configure addresses of exclusions from protection of shared folders against external encryption.

[Topic 151230]

Enabling and disabling protection of shared folders against external encryption

By default, protection of shared folders against external encryption is disabled.

After Kaspersky Endpoint Security is installed, protection of shared folders against external encryption will be limited until the computer is restarted.

To enable or disable protection of shared folders against external encryption:

1. Open the application settings window.
2. In the left part of the window, in the Advanced Threat Protection section, select the Behavior Detection subsection.

   In the right part of the window, the settings of the Behavior Detection component are displayed.

3. Do one of the following:
   • In the Protection of shared folders against external encryption section, select the Enable protection of shared folders against external encryption check box if you want Kaspersky Endpoint Security to analyze the activity that is typical for external encryption.
   • In the Protection of shared folders against external encryption section, clear the Enable protection of shared folders against external encryption check box if you do not want Kaspersky Endpoint Security to analyze the activity that is typical for external encryption.
4. To save changes, click the Save button.

[Topic 151231]

Selecting the action to take on detection of external encryption of shared folders

When it detects an attempt to modify files in shared folders, Kaspersky Endpoint Security logs an entry containing information about the detected attempt to modify files in shared folders.

To select the action to take on detection of external encryption of shared folders:

1. Open the application settings window.
2. In the left part of the window, in the Advanced Threat Protection section, select the Behavior Detection subsection.

   In the right part of the window, the settings of the Behavior Detection component are displayed.

3. In the Protection of shared folders against external encryption section, in the On detection of external encryption of shared folders drop-down list, select the necessary action:
   • Block connection.

     If this item is selected, on detecting an attempt to modify files in shared folders, Kaspersky Endpoint Security blocks network activity originating from the computer attempting to modify files, creates backup copies of modified files, and logs an entry containing information about this attempt to modify files in shared folders. Also, if the Remediation Engine component is enabled, Kaspersky Endpoint Security restores modified files from backup copies.

     If you selected Block connection, you can specify the duration (in minutes) that the network connection will be blocked in the Block connection for field.

   • Inform.

     If this item is selected, on detecting an attempt to modify files in shared folders, Kaspersky Endpoint Security adds information about this attempt to modify files in shared folders to the list of active threats.

4. To save changes, click the Save button.

[Topic 151232]

Configuring addresses of exclusions from protection of shared folders against external encryption

The Audit Logon service must be enabled to enable exclusions of addresses from protection of shared folders against external encryption. By default, the Audit Logon service is disabled (for detailed information about enabling the Audit Logon service, please visit the Microsoft website).

The functionality for excluding addresses from shared folder protection does not work on a remote computer if the remote computer was turned on before Kaspersky Endpoint Security was started. You can restart this remote computer after Kaspersky Endpoint Security is started to ensure that the functionality for excluding addresses from shared folder protection works on this remote computer.

To exclude remote computers that perform external encryption of shared folders:

1. Open the application settings window.
2. In the left part of the window, in the Advanced Threat Protection section, select the Behavior Detection subsection.

   In the right part of the window, the settings of the Behavior Detection component are displayed.

3. In the Protection of shared folders against external encryption section, click the Exclusions button.

   The Exclusions window opens.

4. Do one of the following:
   • If you want to add an IP address or computer name to the list of exclusions, click the Add button.
   • If you want to edit an IP address or computer name, select it in the list of exclusions and click the Edit button.

   The Computers window opens.

5. Enter the IP address or name of the computer from which external encryption attempts must not be handled.
6. In the Computers window, click OK.
7. In the Exclusions window, click OK.
8. To save changes, click the Save button.

[Topic 151109]

Exploit Prevention

This section contains information about Exploit Prevention and instructions on how to configure the component settings.

[Topic 151127]

About Exploit Prevention

The

[Topic 151128]

Enabling and disabling Exploit Prevention

By default, Exploit Prevention is enabled and runs in the mode recommended by Kaspersky experts. You can disable Exploit Prevention if necessary.

To enable or disable Exploit Prevention:

1. Open the application settings window.
2. In the left part of the window, in the Advanced Threat Protection section, select the Exploit Prevention subsection.

   The settings of the Exploit Prevention component are displayed in the right part of the window.

3. Do one of the following:
   • Select the Enable Exploit Prevention check box if you want Kaspersky Endpoint Security to monitor executable files that are run by vulnerable applications.

     If Kaspersky Endpoint Security detects that an executable file from a vulnerable application was run by something other than the user, Kaspersky Endpoint Security will perform the action that is selected in the On detecting exploit drop-down list.

   • Clear the Enable Exploit Prevention check box if you do not want Kaspersky Endpoint Security to monitor executable files that are run by vulnerable applications.
4. To save changes, click the Save button.

[Topic 158232]

Configuring Exploit Prevention

You can perform the following actions for configuring the Exploit Prevention component:

• Select an action to take when an exploit is detected
• Enable or disable system process memory protection.

[Topic 151129]

Selecting an action to take when an exploit is detected

By default, on detection of an exploit, Kaspersky Endpoint Security blocks operations attempted by the exploit.

To choose an action to be taken when an exploit is detected:

1. Open the application settings window.
2. In the left part of the window, in the Advanced Threat Protection section, select the Exploit Prevention subsection.

   The settings of the Exploit Prevention component are displayed in the right part of the window.

3. Select the necessary action in the On detecting exploit drop-down list:
   • Block operation.

     If this item is selected, on detecting an exploit, Kaspersky Endpoint Security blocks the operations of this exploit and makes a log entry with information about this exploit.

   • Inform.

     If this item is selected, when Kaspersky Endpoint Security detects an exploit it logs an entry containing information about the exploit and adds information about this exploit to the list of active threats.

4. To save changes, click the Save button.

[Topic 158231]

Enabling and disabling system processes memory protection

By default, protection of system process memory is enabled.

To enable or disable system process memory protection:

1. Open the application settings window.
2. In the left part of the window, in the Advanced Threat Protection section, select the Exploit Prevention subsection.

   The settings of the Exploit Prevention component are displayed in the right part of the window.

3. Do one of the following:
   • In the System processes memory protection section, select the Enable system process memory protection check box if you want Kaspersky Endpoint Security to block external processes that attempt to access system processes.
   • In the System processes memory protection section, clear the Enable system process memory protection check box if you do not want Kaspersky Endpoint Security to block external processes that attempt to access system processes.
4. To save changes, click the Save button.

[Topic 39265]

Host Intrusion Prevention

This component is available if Kaspersky Endpoint Security is installed on a computer that runs on Microsoft Windows for workstations. This component is unavailable if Kaspersky Endpoint Security is installed on a computer that runs on Microsoft Windows for file servers.

This section contains information about Host Intrusion Prevention and instructions on how to configure the component settings.

[Topic 45193]

About Host Intrusion Prevention

The Host Intrusion Prevention component prevents applications from performing actions that may be dangerous for the operating system, and ensures control over access to operating system resources and personal data.

This component controls the activity of applications, including their access to protected resources (such as files and folders, registry keys) by using application control rules. Application privilege control rules are a set of restrictions that apply to various actions of applications in the operating system and to rights to access computer resources.

The network activity of applications is monitored by the Firewall component.

When an application is started for the first time, the Host Intrusion Prevention component checks the security of the application and places it into one of the trust groups. A trust group defines the rules that Kaspersky Endpoint Security applies when controlling application activity.

You are advised to participate in Kaspersky Security Network to help the Host Intrusion Prevention component work more effectively. Data that is obtained through Kaspersky Security Network allows you to sort applications into groups with more accuracy and to apply optimum application privilege control rules.

The next time the application starts, Host Intrusion Prevention verifies the integrity of the application. If the application is unchanged, the component applies the current application privilege control rules to it. If the application has been modified, Host Intrusion Prevention analyzes the application as if it were being started for the first time.

[Topic 134861]

Limitations of audio and video device control

About audio stream protection

Audio stream protection has the following special considerations:

• The Host Intrusion Prevention component must be enabled for this functionality to work.
• If the application started receiving the audio stream before the Host Intrusion Prevention component was started, Kaspersky Endpoint Security allows the application to receive the audio stream and does not show any notifications.
• If you moved the application to the Untrusted group or High Restricted group after the application began receiving the audio stream, Kaspersky Endpoint Security allows the application to receive the audio stream and does not show any notifications.
• After the settings for the application's access to sound recording devices have been changed (for example, if the application has been blocked from receiving the audio stream in the Host Intrusion Prevention settings window), this application must be restarted to stop it from receiving the audio stream.
• Control of access to the audio stream from sound recording devices does not depend on an application's webcam access settings.
• Kaspersky Endpoint Security protects access to only built-in microphones and external microphones. Other audio streaming devices are not supported.
• Kaspersky Endpoint Security cannot guarantee the protection of an audio stream from such devices as DSLR cameras, portable video cameras, and action cameras.

Special considerations for the operation of audio and video devices during installation and upgrade of Kaspersky Endpoint Security

When you run audio and video recording or playback applications for the first time since installation of Kaspersky Endpoint Security, audio and video playback or recording may be interrupted. This is necessary in order to enable the functionality that controls access to sound recording devices by applications. The system service that controls audio hardware will be restarted when Kaspersky Endpoint Security is run for the first time.

About access to webcams by applications

Webcam access protection functionality has the following special considerations and limitations:

• The application controls video and still images derived from the processing of webcam data.
• The application controls the audio stream if it is part of the video stream received from the webcam.
• The application controls only webcams connected via USB or IEEE1394 that are displayed as Imaging Devices in the Windows Device Manager.

Supported webcams

Kaspersky Endpoint Security supports the following webcams:

• Logitech HD Webcam C270
• Logitech HD Webcam C310
• Logitech Webcam C210
• Logitech Webcam Pro 9000
• Logitech HD Webcam C525
• Microsoft LifeCam VX-1000
• Microsoft LifeCam VX-2000
• Microsoft LifeCam VX-3000
• Microsoft LifeCam VX-800
• Microsoft LifeCam Cinema

Kaspersky cannot guarantee support for webcams that are not specified in this list.

[Topic 128217]

Enabling and disabling Host Intrusion Prevention

By default, the Host Intrusion Prevention component is enabled and runs in the mode recommended by Kaspersky experts. You can disable the Host Intrusion Prevention component if necessary.

To enable or disable the Host Intrusion Prevention component:

1. Open the application settings window.
2. In the left part of the window, in the Advanced Threat Protection section, select Host Intrusion Prevention.

   In the right part of the window, the settings of the Host Intrusion Prevention component are displayed.

3. In the right part of the window, do one of the following:
   • Select the Enable Host Intrusion Prevention check box if you want to enable the Host Intrusion Prevention component.
   • Clear the Enable Host Intrusion Prevention check box if you want to disable the Host Intrusion Prevention component.
4. To save changes, click the Save button.

[Topic 130895]

Managing application trust groups

When each application is started for the first time, the Host Intrusion Prevention component checks the security of the application and places the application into one of the

trust groups

You can select a trust group to which Kaspersky Endpoint Security automatically assigns all unknown applications. Applications that were started before Kaspersky Endpoint Security are automatically moved to the trust group specified in the Select trust group window.

The trust groups are as follows:

• Trusted. This group includes applications for which one or more of the following conditions are met:
  • applications are digitally signed by trusted vendors;
  • applications are recorded in the trusted applications database of Kaspersky Security Network;
  • the user has placed applications in the Trusted group.

  No operations are prohibited for these applications.

• Low Restricted. This group includes applications for which the following conditions are met:
  • applications are not digitally signed by trusted vendors;
  • applications are not recorded in the trusted applications database of Kaspersky Security Network;
  • the user has placed applications in the "Low Restricted" group.

  Such applications are subject to minimal restrictions on access to operating system resources.

• High Restricted. This group includes applications for which the following conditions are met:
  • applications are not digitally signed by trusted vendors;
  • applications are not recorded in the trusted applications database of Kaspersky Security Network;
  • the user has placed applications in the High Restricted group.

  Such applications are subject to high restrictions on access to operating system resources.

• Untrusted. This group includes applications for which the following conditions are met:
  • applications are not digitally signed by trusted vendors;
  • applications are not recorded in the trusted applications database of Kaspersky Security Network;
  • the user has placed applications in the Untrusted group.

  Such applications are subject to high restrictions on access to operating system resources.

   

You can select a trust group to which Kaspersky Endpoint Security automatically assigns all unknown applications. Applications that were started before Kaspersky Endpoint Security are automatically moved to the trust group specified in the Select trust group window.

The trust groups are as follows:

• Trusted. This group includes applications for which one or more of the following conditions are met:
  • applications are digitally signed by trusted vendors;
  • applications are recorded in the trusted applications database of Kaspersky Security Network;
  • the user has placed applications in the Trusted group.

  No operations are prohibited for these applications.

• Low Restricted. This group includes applications for which the following conditions are met:
  • applications are not digitally signed by trusted vendors;
  • applications are not recorded in the trusted applications database of Kaspersky Security Network;
  • the user has placed applications in the "Low Restricted" group.

  Such applications are subject to minimal restrictions on access to operating system resources.

• High Restricted. This group includes applications for which the following conditions are met:
  • applications are not digitally signed by trusted vendors;
  • applications are not recorded in the trusted applications database of Kaspersky Security Network;
  • the user has placed applications in the High Restricted group.

  Such applications are subject to high restrictions on access to operating system resources.

• Untrusted. This group includes applications for which the following conditions are met:
  • applications are not digitally signed by trusted vendors;
  • applications are not recorded in the trusted applications database of Kaspersky Security Network;
  • the user has placed applications in the Untrusted group.

  Such applications are subject to high restrictions on access to operating system resources.

   

At the first stage of the application scan, Kaspersky Endpoint Security searches the internal database of known applications for a matching entry and simultaneously sends a request to the Kaspersky Security Network database (if an Internet connection is available). Based on the results of the search in the internal database and the Kaspersky Security Network database, the application is placed into a trust group. Each time the application is subsequently started, Kaspersky Endpoint Security sends a new query to the KSN database and places the application into a different trust group if the reputation of the application in the KSN database has changed.

You can select a trust group to which Kaspersky Endpoint Security automatically assigns all unknown applications. Applications that were started before Kaspersky Endpoint Security are automatically moved to the trust group specified in the Select trust group window.

For applications that were started before Kaspersky Endpoint Security, only network activity is controlled. Control is performed according to the network rules specified in the Firewall settings.

[Topic 128240]

Configuring the settings for assigning applications to trust groups

If participation in Kaspersky Security Network is enabled, Kaspersky Endpoint Security sends KSN a query about the reputation of an application each time the application is started. Based on the received response, the application may be moved to a trust group that is different from the one specified in the Host Intrusion Prevention component settings.

Kaspersky Endpoint Security always places applications signed by Microsoft certificates or Kaspersky certificates into the Trusted group.

To configure the settings for placement of applications in trust groups:

1. Open the application settings window.
2. In the left part of the window, in the Advanced Threat Protection section, select Host Intrusion Prevention.

   In the right part of the window, the settings of the Host Intrusion Prevention component are displayed.

3. If you want to automatically place digitally signed applications from trusted vendors in the Trusted group, select the Trust applications that have a digital signature check box.

Trusted vendors are those software vendors that are included in the trusted group by Kaspersky. You can also add vendor certificate to the trusted system certificate store manually.

4. To move all unknown applications to a specified trust group, select the required trust group from the If trust group cannot be defined, automatically move applications to drop-down list.

   For security reasons, the Trusted group is not included in the values of the If trust group cannot be defined, automatically move applications to setting.

5. To save changes, click the Save button.

[Topic 123280]

Modifying a trust group

When an application is first started, Kaspersky Endpoint Security automatically places the application in a trust group. You can move the application to another trust group manually, if necessary.

Kaspersky specialists do not recommend moving applications from the automatically assigned trust group to a different trust group. Instead, you can edit the activity control rules for an individual application if necessary.

To change the trust group to which an application has been automatically assigned by Kaspersky Endpoint Security when first started:

1. Open the application settings window.
2. In the left part of the window, in the Advanced Threat Protection section, select Host Intrusion Prevention.

   In the right part of the window, the settings of the Host Intrusion Prevention component are displayed.

3. Click the Applications button.

   The Applications window opens, with the Application Privilege Control tab displayed.

4. Select the relevant application on the Application Privilege Control tab.
5. Do one of the following:
   • Right-click to display the context menu of the application. In the context menu of the application, select Move to group  <group name>.
   • To open the context menu, click the Trusted / Low Restricted / High Restricted / Untrusted link. In the context menu, select the required trust group.
6. Click OK.
7. To save changes, click the Save button.

[Topic 130891]

Selecting a trust group for applications started before Kaspersky Endpoint Security

For applications that were started before Kaspersky Endpoint Security, only network activity is controlled. Control is performed according to the network rules specified in the Firewall settings. To specify which network rules must be applied to network activity monitoring for such applications, you must select a trust group.

To select the trust group for applications started before Kaspersky Endpoint Security:

1. Open the application settings window.
2. In the left part of the window, in the Advanced Threat Protection section, select Host Intrusion Prevention.

   In the right part of the window, the settings of the Host Intrusion Prevention component are displayed.

3. Click the Edit button.

   This opens the Select trust group window.

4. Select the necessary trust group.
5. Click OK.
6. To save changes, click the Save button.

[Topic 39278]

Managing Application control rules

By default, application activity is controlled by application privilege control rules that are defined for the trust group to which Kaspersky Endpoint Security assigned the application on first launch. If necessary, you can edit the application privilege control rules for an entire trust group, for an individual application, or a group of applications that are within a trust group.

Application privilege control rules that are defined for individual applications or groups of applications within a trust group have a higher priority than application control rules that are defined for a trust group. In other words, if the settings of the application control rules for an individual application or a group of applications within a trust group differ from the settings of application control rules for the trust group, the Host Intrusion Prevention component controls the activity of the application or the group of applications within the trust group according to the application control rules that are defined for the application or the group of applications.

[Topic 133777]

Changing application control rules for trust groups and groups of applications

The optimal application privilege control rules for different trust groups are created by default. The settings of rules for application group control inherit values from the settings of trust group control rules. You can edit the preset trust group control rules and the rules for application group control.

To edit the trust group control rules or the rules for application group control:

1. Open the application settings window.
2. In the left part of the window, in the Advanced Threat Protection section, select Host Intrusion Prevention.

   In the right part of the window, the settings of the Host Intrusion Prevention component are displayed.

3. Click the Applications button.

   This opens the Application Privilege Control tab in the Host Intrusion Prevention window.

4. Select the necessary trust group or application group.
5. From the context menu of a trust group or of a group of applications, select Group rules.

   The Application group control rules window opens.

6. In the Application group control rules window, do one of the following:
   • To edit trust group control rules or application group control rules that govern the rights of the trust group or application group to access the operating system registry, user files, and application settings, select the Files and system registry tab.
   • To edit trust group control rules or application group control rules that govern the rights of the trust group or application group to access operating system processes and objects, select the Rights tab.
7. For the required resource, in the column of the corresponding action, right-click to open the context menu.
8. From the context menu, select the required item.
   • Inherit
   • Allow
   • Block
   • Log events

   If you are editing trust group control rules, the Inherit item is not available.

9. Click OK.
10. In the Applications window, click OK.
11. To save changes, click the Save button.

[Topic 133778]

Editing an application control rule

By default, the settings of application control rules of applications that belong to an application group or trust group inherit the values of settings of trust group control rules. You can edit the settings of application control rules.

To change an application control rule:

1. Open the application settings window.
2. In the left part of the window, in the Advanced Threat Protection section, select Host Intrusion Prevention.

   In the right part of the window, the settings of the Host Intrusion Prevention component are displayed.

3. Click the Applications button.

   This opens the Application Privilege Control tab in the Host Intrusion Prevention window.

4. Select the necessary application.
5. Do one of the following:
   • From the context menu of the application, select Application rules.
   • Click the Additional button in the lower-right corner of the Application Privilege Control tab.

   The Application control rules window opens.

6. In the Application control rules window, do one of the following:
   • To edit application control rules that govern the rights of the application to access the operating system registry, user files, and application settings, select the Files and system registry tab.
   • To edit application control rules that govern the rights of the application to access operating system processes and objects, select the Rights tab.
7. For the required resource, in the column of the corresponding action, right-click to open the context menu.
8. From the context menu, select the required item.
   • Inherit
   • Allow
   • Block
   • Log events
9. Click OK.
10. In the Applications window, click OK.
11. To save changes, click the Save button.

[Topic 39270]

Disabling downloads and updates of application control rules from the Kaspersky Security Network database

By default, when new information about an application is detected in the Kaspersky Security Network database, Kaspersky Endpoint Security applies the control rules downloaded from the KSN database for this application. You can then manually edit the control rules for the application.

If an application was not in the Kaspersky Security Network database when started for the first time, but information about it was added to the database later, by default Kaspersky Endpoint Security automatically updates the control rules for this application.

You can disable downloads of application control rules from the Kaspersky Security Network database and automatic updates of control rules for previously unknown applications.

To disable downloads and updates of application control rules from the Kaspersky Security Network database:

1. Open the application settings window.
2. In the left part of the window, in the Advanced Threat Protection section, select Host Intrusion Prevention.

   In the right part of the window, the settings of the Host Intrusion Prevention component are displayed.

3. Clear the Update control rules for previously unknown applications from KSN databases check box.
4. To save changes, click the Save button.

[Topic 133779]

Disabling the inheritance of restrictions from the parent process

Application startup may be initiated either by the user or by another running application. When application startup is initiated by another application, a startup sequence is created, which consists of parent and child processes.

When an application attempts to obtain access to a protected resource, the Host Intrusion Prevention analyzes all parent processes of the application to determine whether these processes have rights to access the protected resource. The minimum priority rule is then observed: when comparing the access rights of the application to those of the parent process, the access rights with a minimum priority are applied to the application's activity.

The priority of access rights is as follows:

1. Allow This access right has the highest priority.
2. Block This access right has the lowest priority.

This mechanism prevents a non-trusted application or an application with restricted rights from using a trusted application to perform actions that require certain privileges.

If the activity of an application is blocked due to the lack of rights that are granted to a parent process, you can edit these rights or disable the inheritance of restrictions from the parent process.

To disable the inheritance of restrictions from the parent process:

1. Open the application settings window.
2. In the left part of the window, in the Advanced Threat Protection section, select Host Intrusion Prevention.

   In the right part of the window, the settings of the Host Intrusion Prevention component are displayed.

3. Click the Applications button.

   This opens the Application control rules tab in the Host Intrusion Prevention window.

4. Select the necessary application.
5. From the context menu of the application, select Application rules.

   The Application control rules window opens.

6. In the Application control rules window, select the Exclusions tab.
7. Select the Do not inherit restrictions of the parent process (application) check box.
8. Click OK.
9. In the Applications window, click OK.
10. To save changes, click the Save button.

[Topic 133780]

Excluding specific application actions from application control rules

To exclude specific application actions from application control rules:

1. Open the application settings window.
2. In the left part of the window, in the Advanced Threat Protection section, select Host Intrusion Prevention.

   In the right part of the window, the settings of the Host Intrusion Prevention component are displayed.

3. Click the Applications button.

   This opens the Application control rules tab in the Host Intrusion Prevention window.

4. Select the necessary application.
5. From the context menu of the application, select Application rules.

   The Application control rules window opens.

6. Select the Exclusions tab.
7. Select check boxes next to application actions that do not need to be monitored.
8. Click OK.
9. In the Applications window, click OK.
10. To save changes, click the Save button.

[Topic 128039]

Removing outdated application control rules

By default, control rules for applications that have not been started in 60 days are deleted automatically. You can change the storage duration for control rules for unused applications or disable the automatic deletion of rules.

To delete outdated application control rules:

1. Open the application settings window.
2. In the left part of the window, in the Advanced Threat Protection section, select Host Intrusion Prevention.

   In the right part of the window, the settings of the Host Intrusion Prevention component are displayed.

3. Do one of the following:
   • If you want Kaspersky Endpoint Security to delete control rules of unused applications, select the Delete control rules for applications that are not started for more than check box and specify the relevant number of days.
   • To disable the automatic deletion of control rules of unused applications, clear the Delete control rules for applications that are not started for more than check box.
4. To save changes, click the Save button.

    

[Topic 39271]

Protecting operating system resources and identity data

The Host Intrusion Prevention component manages the rights of applications to take actions on various categories of operating system resources and personal data.

Kaspersky specialists have established preset categories of protected resources. You cannot edit or delete the preset categories of protected resources or the protected resources that are within these categories.

You can perform the following actions:

• Add a new category of protected resources.
• Add a new protected resource.
• Disable protection of a resource.

[Topic 133781]

Adding a category of protected resources

To add a new category of protected resources:

1. Open the application settings window.
2. In the left part of the window, in the Advanced Threat Protection section, select Host Intrusion Prevention.

   In the right part of the window, the settings of the Host Intrusion Prevention component are displayed.

3. Click the Resources button.

   This opens the Protected resources tab in the Host Intrusion Prevention window.

4. In the left part of the Protected resources tab, select a section or category of protected resources to which you want to add a new category of protected resources.
5. Click the Add button and in the drop-down list select Category.

   The Category of protected resources window opens.

6. In the Category of protected resources window that opens, enter a name for the new category of protected resources.
7. Click OK.

   A new item appears in the list of categories of protected resources.

8. In the Host Intrusion Prevention window, click OK.
9. To save changes, click the Save button.

After you add a category of protected resources, you can edit or remove it by clicking the Edit or Remove buttons in the upper-left part of the Protected resources tab.

[Topic 133782]

Adding a protected resource

To add a protected resource:

1. Open the application settings window.
2. In the left part of the window, in the Advanced Threat Protection section, select Host Intrusion Prevention.

   In the right part of the window, the settings of the Host Intrusion Prevention component are displayed.

3. Click the Resources button.

   This opens the Protected resources tab in the Host Intrusion Prevention window.

4. In the left part of the Protected resources tab, select a category of protected resources to which you want to add a new protected resource.
5. Click the Add button and in the drop-down list select the type of resource that you want to add:
   • File or folder.
   • Registry key.

   The Protected resource window opens.

6. In the Protected resource window, enter the name of the protected resource in the Name field.
7. Click the Browse button.
8. In the window that opens, specify the necessary settings depending on the type of protected resource that you want to add. Click OK.
9. In the Protected resource window, click OK.

   A new item appears in the list of protected resources of the selected category on the Protected resources tab.

10. In the Host Intrusion Prevention window, click OK.
11. To save changes, click the Save button.

After you add a protected resource, you can edit or remove it by clicking the Edit or Remove buttons in the upper-left part of the Protected resources tab.

[Topic 133783]

Disabling resource protection

To disable resource protection:

1. Open the application settings window.
2. In the left part of the window, in the Advanced Threat Protection section, select Host Intrusion Prevention.

   In the right part of the window, the settings of the Host Intrusion Prevention component are displayed.

3. In the right part of the window, click the Resources button.

   This opens the Protected resources tab in the Host Intrusion Prevention window.

4. Do one of the following:
   • In the left part of the tab, in the list of protected resources, select the resource for which you want to disable protection and clear the check box next to its name.
   • Click Exclusions and do the following:
     1. In the Exclusions window, click the Add button. In the drop-down list, select the type of resource that you want to add to the list of exclusions from protection by the Host Intrusion Prevention component: File or folder or Registry key.

        The Protected resource window opens.

     2. In the Protected resource window, enter the name of the protected resource in the Name field.
     3. Click the Browse button.
     4. In the window that opens, specify the necessary settings depending on the type of protected resource that you want to add to the list of exclusions from protection by the Host Intrusion Prevention component.
     5. Click OK.
     6. In the Protected resource window, click OK.

        A new item appears in the list of resources that are excluded from protection by the Host Intrusion Prevention component.

        After adding a resource to the list of exclusions from protection by the Host Intrusion Prevention component, you can edit or remove it by clicking the Edit or Remove buttons in the upper part of the Exclusions window.

     7. In the Exclusions window, click OK.
5. In the Host Intrusion Prevention window, click OK.
6. To save changes, click the Save button.

[Topic 151135]

Remediation Engine

This section contains information about Remediation Engine and instructions on enabling or disabling the component.

[Topic 151136]

About Remediation Engine

The Remediation Engine lets Kaspersky Endpoint Security roll back actions that have been performed by malware in the operating system.

When rolling back malware activity in the operating system, Kaspersky Endpoint Security handles the following types of malware activity:

• File activity.

  Kaspersky Endpoint Security deletes executable files that have been created by a malicious program and are located on any media, except for network ones.

  Kaspersky Endpoint Security deletes executable files that were created by programs that have been infiltrated by malware.

  Kaspersky Endpoint Security does not restore changed or deleted files.

• Registry activity.

  Kaspersky Endpoint Security deletes partitions and registry keys that have been created by malware.

  Kaspersky Endpoint Security does not restore modified or deleted partitions and registry keys.

• System activity.

  Kaspersky Endpoint Security terminates processes that have been initiated by a malicious program.

  Kaspersky Endpoint Security terminates processes into which a malicious program has penetrated.

  Kaspersky Endpoint Security does not resume processes that have been halted by a malicious program.

• Network activity.

  Kaspersky Endpoint Security blocks the network activity of malicious programs.

  Kaspersky Endpoint Security blocks network activity of processes into which a malicious program has penetrated.

A rollback of malware actions can be started by the File Threat Protection component or during a virus scan.

Rolling back malware operations affects a strictly defined set of data. Rollback has no adverse effects on the operating system or on the integrity of your computer data.

[Topic 151137]

Enabling and disabling Remediation Engine

To enable or disable Remediation Engine:

1. Open the application settings window.
2. In the left part of the window, in the Advanced Threat Protection section, select the Remediation Engine subsection.
3. Do one of the following:
   • If you want Kaspersky Endpoint Security to roll back actions that were performed by malware in the operating system when it detects such malware, select the Enable Remediation Engine check box in the right part of the window.
   • If you do not want Kaspersky Endpoint Security to roll back actions that were performed by malware in the operating system when it detects such malware, clear the Enable Remediation Engine check box in the right part of the window.
4. To save changes, click the Save button.

[Topic 34233]

File Threat Protection

This section contains information about the File Threat Protection component and instructions on how to configure the component settings.

[Topic 128007]

About File Threat Protection

The File Threat Protection component lets you prevent infection of the file system of the computer. By default, the File Threat Protection component starts together with Kaspersky Endpoint Security, continuously resides in the computer's RAM, and scans files that are opened or run on the computer and on its attached drives to find viruses and other potential threats. The scan is performed according to the application settings.

On detecting a threat in a file, Kaspersky Endpoint Security performs the following:

1. Detects the type of object detected in the file (such as a virus or Trojan).
2. The application displays a notification about the malicious object detected in the file (if notifications are configured), and processes the file by taking the action specified in the File Threat Protection component settings.

[Topic 133730]

Enabling and disabling File Threat Protection

By default, the File Threat Protection component is enabled and runs in the mode recommended by Kaspersky experts. You can disable File Threat Protection if necessary.

To enable or disable File Threat Protection:

1. Open the application settings window.
2. In the left part of the window, in the Essential Threat Protection section, select File Threat Protection.

   The settings of the File Threat Protection component are displayed in the right part of the window.

3. Do one of the following:
   • If you want to enable File Threat Protection, select the Enable File Threat Protection check box.
   • If you want to disable File Threat Protection, clear the Enable File Threat Protection check box.
4. To save changes, click the Save button.

[Topic 123514]

Automatic pausing of File Threat Protection

You can configure File Threat Protection to automatically pause at a specified time or when working with specific applications.

File Threat Protection should be paused only as a last resort when it conflicts with some applications. In case of any conflicts during the operation of a component, we recommend contacting Kaspersky Technical Support (https://companyaccount.kaspersky.com). The support experts will help you set up the File Threat Protection component to run simultaneously with other applications on your computer.

To configure automatic pausing of File Threat Protection:

1. Open the application settings window.
2. In the left part of the window, in the Essential Threat Protection section, select File Threat Protection.

   The settings of the File Threat Protection component are displayed in the right part of the window.

3. In the Security level section, click the Settings button.

   The File Threat Protection window opens.

4. In the File Threat Protection window, select the Additional tab.
5. In the Pause task section:
   • If you want to configure automatic pausing of File Threat Protection at a specified time, select the By schedule check box and click the Schedule button.

     The Pause task window opens.

   • If you want to configure automatic pausing of File Threat Protection at startup of specified applications, select the At application startup check box and click the Select button.

     The Applications window opens.

6. Do one of the following:
   • If you are configuring automatic pausing of File Threat Protection at a specified time, in the Pause task window, use the Pause task at and Resume task at fields to specify the time period (in HH:MM format) during which File Threat Protection should be paused. Click OK.
   • If you are configuring automatic pausing of File Threat Protection at startup of the specified applications, use the Add, Edit, and Remove buttons in the Applications window to create a list of applications during whose operation File Threat Protection should be paused. Click OK.
7. In the File Threat Protection window, click OK.
8. To save changes, click the Save button.

    

[Topic 128009]

File Threat Protection settings

You can perform the following actions for configuring the File Threat Protection component:

• Change the security level.

  You can select one of the preset security levels or manually configure security level settings. If you change the security level settings, you can always revert back to the recommended security level settings.

• Change the action that is performed by the File Threat Protection component when it detects an infected file.
• Form the protection scope of the File Threat Protection component.

  You can expand or restrict the protection scope by adding or removing scan objects, or by changing the type of files to be scanned.

• Configure Heuristic Analyzer.

  The File Threat Protection component uses a scanning technique called Machine learning and signature analysis. During signature analysis, the File Threat Protection component compares the detected object with records in the application anti-virus databases. Based on the recommendations of Kaspersky experts, machine learning and signature analysis is always enabled.

  To increase the effectiveness of protection, you can use heuristic analysis. During heuristic analysis, the File Threat Protection component analyzes the activity of objects in the operating system. Heuristic analysis enables detection of malicious objects for which no records are currently available in the antivirus databases of the application.

• Optimize scanning.

  You can optimize the file scanning that is performed by the File Threat Protection component by reducing the scan time and increasing the operating speed of Kaspersky Endpoint Security. This can be achieved by scanning only new files and those files that have been modified since the previous scan. This mode applies both to simple and to compound files.

  You can also enable the use of the iChecker and iSwift technologies that optimize the speed of file scanning by excluding files that have not been modified since the most recent scan.

• Configure scanning of compound files.
• Change the file scan mode.

[Topic 133731]

Changing the security level

To protect the computer's file system, the File Threat Protection component applies various groups of settings. These groups of settings are called security levels. There are three preset security levels: High, Recommended, and Low. The Recommended security level settings are considered to be the optimal settings recommended by Kaspersky experts.

To change a security level:

1. Open the application settings window.
2. In the left part of the window, in the Essential Threat Protection section, select File Threat Protection.

   The settings of the File Threat Protection component are displayed in the right part of the window.

3. In the Security level section, do one of the following:
   • If you want to set one of the preset security levels (High, Recommended, or Low), select it with the slider.
   • If you want to configure a custom security level, click the Settings button and enter your custom settings in the File Threat Protection window that opens.

     After you configure a custom security level, the name of the security level in the Security level section changes to Custom.

   • If you want to change the security level to Recommended, click the Default button.
4. To save changes, click the Save button.

[Topic 128010]

Changing the action taken on infected files by the File Threat Protection component

By default, the File Threat Protection component automatically tries to disinfect all infected files that are detected. If disinfection fails, the File Threat Protection component deletes these files.

To change the action taken on infected files by the File Threat Protection component:

1. Open the application settings window.
2. In the left part of the window, in the Essential Threat Protection section, select File Threat Protection.

   The settings of the File Threat Protection component are displayed in the right part of the window.

3. In the Action on threat detection section, select the required option:
   • Disinfect, delete if disinfection fails.

     If this option is selected, the File Threat Protection component automatically attempts to disinfect all infected files that are detected. If disinfection fails, the File Threat Protection component deletes these files.

   • Disinfect, block if disinfection fails.

     If this option is selected, the File Threat Protection component automatically attempts to disinfect all infected files that are detected. If disinfection fails, the File Threat Protection component blocks these files.

   • Block.

     If this option is selected, the File Threat Protection component automatically blocks all infected files without attempting to disinfect them.

4. To save changes, click the Save button.

    

[Topic 123504]

Forming the protection scope of the File Threat Protection component

The protection scope refers to the objects that the component scans when enabled. The protection scopes of different components have different properties. The location and type of files to be scanned are properties of the protection scope of the File Threat Protection component. By default, the File Threat Protection component scans only

To create the protection scope:

1. Open the application settings window.
2. In the left part of the window, in the Essential Threat Protection section, select File Threat Protection.

   The settings of the File Threat Protection component are displayed in the right part of the window.

3. In the Security level section, click the Settings button.

   The File Threat Protection window opens.

4. In the File Threat Protection window, select the General tab.
5. In the File types section, specify the type of files that you want the File Threat Protection component to scan:
   • If you want to scan all files, select All files.
   • If you want to scan files of formats which are the most vulnerable to infection, select Files scanned by format.
   • If you want to scan files with extensions that are the most vulnerable to infection, select Files scanned by extension.

   When selecting the type of files to scan, remember the following information:

   • There are some file formats (such as .txt) for which the probability of intrusion of malicious code and its subsequent activation is quite low. At the same time, there are file formats that contain or may contain executable code (such as .exe, .dll, and .doc). The risk of intrusion and activation of malicious code in such files is quite high.
   • An intruder may send a virus or another malicious program to your computer in an executable file that has been renamed with the .txt extension. If you select scanning of files by extension, such a file is skipped by the scan. If scanning of files by format is selected, the File Threat Protection component analyzes the file header regardless of the extension. This analysis may reveal that the file is in EXE format. Such a file is thoroughly scanned for viruses and other malware.
6. In the Protection scope list, do one of the following:
   • If you want to add a new object to the scan scope, click the Add button.
   • If you want to change the location of an object, select the object from the scan scope and click the Edit button.

   The Select scan scope window opens.

   • If you want to remove an object from the list of objects to be scanned, select one from the list of objects to be scanned and click the Delete button.

     A window for confirming deletion opens.

7. Do one of the following:
   • If you want to add a new object or change the location of an object from the list of objects to be scanned, select the object in the Select scan scope window and click the Add button.

     All objects that are selected in the Select scan scope window are displayed in the Protection scope list in the File Threat Protection window.

     Click OK.

   • If you want to remove an object, click the Yes button in the window for confirming removal.
8. If necessary, repeat steps 6-7 for adding, moving, or removing objects from the list of objects to be scanned.
9. To exclude an object from the list of objects to be scanned, clear the check box next to the object in the Protection scope list. However, the object remains on the list of objects to be scanned, though it is excluded from scanning by the File Threat Protection component.
10. In the File Threat Protection window, click OK.
11. To save changes, click the Save button.

     

[Topic 133732]

Using heuristic analysis in the operation of the File Threat Protection component

To configure the use of heuristic analysis in the operation of the File Threat Protection component:

1. Open the application settings window.
2. In the left part of the window, in the Essential Threat Protection section, select File Threat Protection.

   The settings of the File Threat Protection component are displayed in the right part of the window.

3. In the Security level section, click the Settings button.

   The File Threat Protection window opens.

4. In the File Threat Protection window, select the Performance tab.
5. In the Scan methods section:
   • If you want the File Threat Protection component to use heuristic analysis, select the Heuristic analysis check box and use the slider to set the heuristic analysis level: Light scan, Medium scan, or Deep scan.
   • If you do not want the File Threat Protection component to use heuristic analysis, clear the Heuristic analysis check box.
6. Click OK.
7. To save changes, click the Save button.

    

[Topic 133733]

Using scan technologies in the operation of the File Threat Protection component

To configure the use of scan technologies in the operation of the File Threat Protection component:

1. Open the application settings window.
2. In the left part of the window, in the Essential Threat Protection section, select File Threat Protection.

   The settings of the File Threat Protection component are displayed in the right part of the window.

3. In the Security level section, click the Settings button.

   The File Threat Protection window opens.

4. In the File Threat Protection window, select the Additional tab.
5. In the Scan technologies section:
   • Select the check boxes next to the names of the technologies that you want to use in the operation of the File Threat Protection component.
   • Clear the check boxes next to the names of the technologies that you do not want to use in the operation of the File Threat Protection component.
6. Click OK.
7. To save changes, click the Save button.

[Topic 133734]

Optimizing file scanning

To optimize file scanning:

1. Open the application settings window.
2. In the left part of the window, in the Essential Threat Protection section, select File Threat Protection.

   The settings of the File Threat Protection component are displayed in the right part of the window.

3. Click the Settings button.

   The File Threat Protection window opens.

4. In the File Threat Protection window, select the Performance tab.
5. In the Scan optimization section, select the Scan only new and changed files check box.
6. Click OK.
7. To save changes, click the Save button.

    

[Topic 128011]

Scanning compound files

A common technique for concealing viruses and other malware is to embed them in compound files such as archives or email databases. To detect viruses and other malware that are hidden in this way, the compound file must be unpacked, which may slow down scanning. You can limit the set of compound files to be scanned, thus speeding up scanning.

The method used to process an infected compound file (disinfection or deletion) depends on the type of file.

The File Threat Protection component disinfects compound files in the RAR, ARJ, ZIP, CAB, and LHA formats and deletes files in all other formats (except mail databases).

To configure scanning of compound files:

1. Open the application settings window.
2. In the left part of the window, in the Essential Threat Protection section, select File Threat Protection.

   The settings of the File Threat Protection component are displayed in the right part of the window.

3. In the Security level section, click the Settings button.

   The File Threat Protection window opens.

4. In the File Threat Protection window, select the Performance tab.
5. In the Scan of compound files section, specify the types of compound files that you want to scan: archives, installation packages, or files in office formats.
6. To scan only new and changed compound files, select the Scan only new and changed files check box.

   The File Threat Protection component will scan only new and changed compound files of all types.

7. Click the Additional button.

   The Compound files window opens.

8. In the Background scan section, do one of the following:
   • To block the File Threat Protection component from unpacking compound files in the background, clear the Unpack compound files in the background check box.
   • To allow the File Threat Protection component to unpack compound files when scanning in the background, select the Unpack compound files in the background check box and specify the required value in the Minimum file size field.
9. In the Size limit section, do one of the following:
   • To block the File Threat Protection component from unpacking large compound files, select the Do not unpack large compound files check box and specify the required value in the Maximum file size field. The File Threat Protection component will not unpack compound files that are larger than the specified size.
   • To allow the File Threat Protection component to unpack large compound files, clear the Do not unpack large compound files check box.

     A file is considered large if its size exceeds the value in the Maximum file size field.

   The File Threat Protection component scans large-sized files that are extracted from archives, regardless of whether the Do not unpack large compound files check box is selected.

10. Click OK.
11. In the File Threat Protection window, click OK.
12. To save changes, click the Save button.

[Topic 133735]

Changing the scan mode

Scan mode refers to the condition that triggers file scanning by the File Threat Protection component. By default, Kaspersky Endpoint Security scans files in smart mode. In this file scan mode, the File Threat Protection component decides whether or not to scan files after analyzing operations that are performed with the file by the user, by an application on behalf of the user (under the account that was used to log in or a different user account), or by the operating system. For example, when working with a Microsoft Office Word document, Kaspersky Endpoint Security scans the file when it is first opened and last closed. Intermediate operations that overwrite the file do not cause it to be scanned.

To change the file scan mode:

1. Open the application settings window.
2. In the left part of the window, in the Essential Threat Protection section, select File Threat Protection.

   The settings of the File Threat Protection component are displayed in the right part of the window.

3. In the Security level section, click the Settings button.

   The File Threat Protection window opens.

4. In the File Threat Protection window, select the Additional tab.
5. In the Scan mode section, select the required mode:
   • Smart mode.
   • On access and modification.
   • On access.
   • On execution.
6. Click OK.
7. To save changes, click the Save button.

[Topic 34322]

Web Threat Protection

This component is available if Kaspersky Endpoint Security is installed on a computer that runs on Microsoft Windows for workstations. This component is unavailable if Kaspersky Endpoint Security is installed on a computer that runs on Microsoft Windows for file servers.

This section contains information about the Web Threat Protection component and instructions on how to configure the component settings.

[Topic 128016]

About Web Threat Protection

Every time you go online, you expose information that is stored on your computer to viruses and other malware. They can infiltrate the computer while the user is downloading free software or browsing websites that are compromised by criminals. Network worms can find a way onto your computer as soon as you establish an Internet connection, even before you open a web page or download a file.

The Web Threat Protection component protects incoming and outgoing data that is sent to and from the computer over the HTTP and FTP protocols and checks URLs against the list of malicious or phishing web addresses.

The Web Threat Protection component intercepts every web page or file that is accessed by the user or an application via the HTTP or FTP protocol and analyzes them for viruses and other threats. The following happens next:

• If the page or file is found not to contain malicious code, the user gains immediate access to them.
• If a user accesses a web page or file that contains malicious code, the application performs the action that is specified in the Web Threat Protection component settings.

[Topic 128209]

Enabling and disabling Web Threat Protection

By default, the Web Threat Protection component is enabled and runs in the mode recommended by Kaspersky experts. You can disable the Web Threat Protection component if necessary.

To enable or disable the Web Threat Protection component:

1. Open the application settings window.
2. In the left part of the window, in the Essential Threat Protection section, select Web Threat Protection.

   The settings of the Web Threat Protection component are displayed in the right part of the window.

3. Do one of the following:
   • If you want to enable the Web Threat Protection component, select the Enable Web Threat Protection check box.
   • If you want to disable the Web Threat Protection component, clear the Enable Web Threat Protection check box.
4. To save changes, click the Save button.

[Topic 128017]

Web Threat Protection settings

You can perform the following actions for configuration of the Web Threat Protection component:

• Change web traffic security level.

  You can select one of the pre-installed security levels for web traffic that is received or transmitted via the HTTP and FTP protocols, or configure a custom web traffic security level.

  If you change the web traffic security level settings, you can always revert to the recommended web traffic security level settings.

• Change the action that Kaspersky Endpoint Security performs on malicious web traffic objects.

  If web traffic scanning of an object by the Web Threat Protection component shows that the object contains malicious code, the response by the Web Threat Protection component against this object depends on the action that you have specified.

• Configure link scanning by the Web Threat Protection component to check them against databases of phishing and malicious web addresses.
• Configure use of heuristic analysis when scanning web traffic for viruses and other malicious programs.

  To increase the effectiveness of protection, you can use heuristic analysis. During heuristic analysis, Kaspersky Endpoint Security analyzes the activity of applications in the operating system. Heuristic analysis can detect threats for which there are currently no records in the Kaspersky Endpoint Security databases.

• Configure use of heuristic analysis when scanning web pages for phishing links.
• Optimize Web Threat Protection scanning of web traffic that is sent and received over the HTTP and FTP protocols.
• Create a list of trusted web addresses.

  You can create a list of URLs whose content you trust. The Web Threat Protection component does not analyze information from trusted web addresses to check them for viruses or other threats. This option may be useful, for example, if the Web Threat Protection component interferes with the downloading of a file from a known website.

  A URL may be the address of a specific web page or the address of a website.

[Topic 133738]

Changing the web traffic security level

To protect data that is received and transmitted via the HTTP and FTP protocols, the Web Threat Protection component applies various groups of settings. Such groups of settings are called web traffic security levels. There are three pre-installed web traffic security levels: High, Recommended, and Low. The Recommended web traffic security level is considered the optimal setting, and is recommended by Kaspersky.

To change the web traffic security level:

1. Open the application settings window.
2. In the left part of the window, in the Essential Threat Protection section, select Web Threat Protection.

   The settings of the Web Threat Protection component are displayed in the right part of the window.

3. In the Security level section, do one of the following:
   • If you want to install one of the pre-installed web traffic security levels (High, Recommended, or Low), use the slider to select one.
   • If you want to configure a custom web traffic security level, click the Settings button and specify settings in the Web Threat Protection window that opens.

     When you have configured a custom web traffic security level, the name of the security level in the Security level section changes to Custom.

   • If you want to change the web traffic security level to Recommended, click the Default button.
4. To save changes, click the Save button.

    

[Topic 133739]

Changing the action to take on malicious web traffic objects

By default, on detection of an infected object in web traffic, the Web Threat Protection component blocks access to the object and displays a notification about the action.

To change the action to take on malicious web traffic objects:

1. Open the application settings window.
2. In the left part of the window, in the Essential Threat Protection section, select Web Threat Protection.

   The settings of the Web Threat Protection component are displayed in the right part of the window.

3. In the Action on threat detection section, select the action that Kaspersky Endpoint Security performs on malicious web traffic objects:
   • Block download.

     If this option is selected, on detecting an infected object in web traffic, the Web Threat Protection component blocks access to the object, displays a notification about the blocked access attempt, and makes a log entry with information about the infected object.

   • Inform.

     If this option is selected and an infected object is detected in the web traffic, the Web Threat Protection component allows this object to be downloaded to the computer; Kaspersky Endpoint Security logs an event containing information about the infected object and adds information about the infected object to the list of active threats.

4. To save changes, click the Save button.

    

[Topic 128018]

Web Threat Protection scanning of links to check them against databases of phishing and malicious web addresses

Scanning links to see if they are included in the list of phishing web addresses allows avoiding phishing attacks. A phishing attack can be disguised, for example, as an email message supposedly from your bank with a link to the official website of the bank. By clicking the link, you go to an exact copy of the bank's website and can even see its real web address in the browser, even though you are on a counterfeit site. From this point forward, all of your actions on the site are tracked and can be used to steal your money.

Because links to phishing websites may be received not only in an email message but also from other sources such as ICQ messages, the Web Threat Protection component monitors attempts to access a phishing website at the web traffic scan level and blocks access to such websites. Lists of phishing URLs are included with the Kaspersky Endpoint Security distribution kit.

To configure the Web Threat Protection component to check links against the databases of phishing and malicious web addresses:

1. Open the application settings window.
2. In the left part of the window, in the Essential Threat Protection section, select Web Threat Protection.

   The settings of the Web Threat Protection component are displayed in the right part of the window.

3. Click the Settings button.

   The Web Threat Protection window opens.

4. In the Web Threat Protection window, select the General tab.
5. Do the following:
   • If you want the Web Threat Protection component to check links against the databases of malicious web addresses, in the Scan methods section, select the Check if links are listed in the database of malicious links check box.
   • If you want the Web Threat Protection component to check links against the databases of phishing web addresses, in the Anti-Phishing Settings section, select the Check if links are listed in the database of phishing links check box.

   You can also check links against the reputation databases of Kaspersky Security Network.

6. Click OK.
7. To save changes, click the Save button.

[Topic 128019]

Using heuristic analysis in the operation of the Web Threat Protection component

To configure the use of heuristic analysis:

1. Open the application settings window.
2. In the left part of the window, in the Essential Threat Protection section, select Web Threat Protection.

   The settings of the Web Threat Protection component are displayed in the right part of the window.

3. In the Security level section, click the Settings button.

   The Web Threat Protection window opens.

4. Select the General tab.
5. If you want the Web Threat Protection component to use heuristic analysis to scan web traffic for viruses and other malware, in the Scan methods section, select the Heuristic analysis for detecting viruses check box and use the slider to set the heuristic analysis level: Light scan, Medium scan, or Deep scan.
6. If you want the Web Threat Protection component to use heuristic analysis to scan web pages for phishing links, in the Anti-Phishing Settings section, select the Heuristic analysis for detecting phishing links check box.
7. Click OK.
8. To save changes, click the Save button.

    

[Topic 128021]

Editing the list of trusted web addresses

To create a list of trusted web addresses:

1. Open the application settings window.
2. In the left part of the window, in the Essential Threat Protection section, select Web Threat Protection.

   The settings of the Web Threat Protection component are displayed in the right part of the window.

3. Click the Settings button.

   The Web Threat Protection window opens.

4. Select the Trusted web addresses tab.
5. Select the Do not scan web traffic from trusted web addresses check box.
6. Create a list of URLs / web pages whose content you trust. To create a list:
   1. Click the Add button.

      The Web address / Web address mask window opens.

   2. Enter the address of the website / web page or the address mask of the website / web page.
   3. Click OK.

      A new record appears in the list of trusted web addresses.

7. Click OK.
8. To save changes, click the Save button.

[Topic 34268]

Mail Threat Protection

This component is available if Kaspersky Endpoint Security is installed on a computer that runs on Microsoft Windows for workstations. This component is unavailable if Kaspersky Endpoint Security is installed on a computer that runs on Microsoft Windows for file servers.

This section contains information about the Mail Threat Protection component and instructions on how to configure the component settings.

[Topic 128014]

About Mail Threat Protection

The Mail Threat Protection component scans incoming and outgoing email messages for viruses and other threats. It starts together with Kaspersky Endpoint Security, continuously remains active in computer memory, and scans all messages that are sent or received via the POP3, SMTP, IMAP, MAPI, and NNTP protocols. If no threats are detected in the email message, it becomes available and/or is processed.

When a threat is detected in an email message, the Mail Threat Protection component performs the following actions:

1. Assigns the Infected status to the email message.

   This status is assigned to the email message in the following cases:

   • A scan of the email message finds a section of code of a known virus that is included in the anti-virus databases of Kaspersky Endpoint Security.
   • The email message contains a section of code that is typical of viruses or other malware, or the modified code of a known virus.
2. Identifies the type of object detected in the email message (such as a Trojan).
3. Blocks the email message.
4. Displays a notification about the detected object (if configured to do so in the notification settings).
5. Performs the action defined in the Mail Threat Protection component settings.

This component interacts with mail clients installed on the computer. An embeddable extension is available for the Microsoft Office Outlook mail client that lets you fine-tune the message scan settings. The Mail Threat Protection extension is embedded in the Microsoft Office Outlook mail client during installation of Kaspersky Endpoint Security.

[Topic 128208]

Enabling and disabling Mail Threat Protection

By default, the Mail Threat Protection component is enabled and runs in the mode recommended by Kaspersky experts. You can disable the Mail Threat Protection component if necessary.

To enable or disable the Mail Threat Protection component:

1. Open the Configure application settings window.
2. In the left part of the window, in the Essential Threat Protection section, select Mail Threat Protection.

   The settings of the Mail Threat Protection component are displayed in the right part of the window.

3. Do one of the following:
   • If you want to enable the Mail Threat Protection component, select the Enable Mail Threat Protection check box.
   • If you want to disable the Mail Threat Protection component, clear the Enable Mail Threat Protection check box.
4. To save changes, click the Save button.

    

[Topic 128358]

Mail Threat Protection settings

You can perform the following actions for configuring the Mail Threat Protection component:

• Change the mail security level.

  You can select one of the pre-installed email security levels or configure a custom email security level.

  If you have changed the email security level settings, you can always revert to the recommended email security level settings.

• Change the action that Kaspersky Endpoint Security performs on infected messages.
• Form the protection scope of the Mail Threat Protection component.
• Configure scanning of compound files attached to email messages.

  You can enable or disable scanning of message attachments, limit the maximum size of message attachments to be scanned, and limit the maximum message attachment scan duration.

• Configure filtering by the type of email message attachments.

  Filtering of message attachments by type allows for automatic renaming or deletion of files of the specified types.

• Configure Heuristic Analyzer.

  To increase the effectiveness of protection, you can use

  heuristic analysis

  The technology was developed for detecting threats that cannot be detected by using the current version of Kaspersky application databases. It detects files that may be infected with an unknown virus or a new variety of a known virus.

  . During heuristic analysis, Kaspersky Endpoint Security analyzes the activity of applications in the operating system. Heuristic analysis can detect threats in messages for which there are currently no records in the Kaspersky Endpoint Security databases.

• Configure email scanning in Microsoft Office Outlook.

  An embeddable extension is available for the Microsoft Office Outlook mail client that allows convenient configuration of mail scan settings.

  When working with other mail clients, including Microsoft Outlook Express, Windows Mail, and Mozilla Thunderbird, the Mail Threat Protection component scans traffic of the SMTP, POP3, IMAP, and NNTP mail protocols.

  When working with the Mozilla Thunderbird mail client, the Mail Threat Protection component does not scan messages that are transmitted via the IMAP protocol for viruses and other threats if filters are used to move messages from the Inbox folder.

[Topic 133737]

Changing the mail security level

The Mail Threat Protection component applies various groups of settings to protect mail. The settings groups are called email security levels. There are three email security levels: High, Recommended, and Low. The Recommended file security level is considered the optimal setting, and is recommended by Kaspersky.

To change the email security level:

1. Open the application settings window.
2. In the left part of the window, in the Essential Threat Protection section, select Mail Threat Protection.

   The settings of the Mail Threat Protection component are displayed in the right part of the window.

3. In the Security level section, do one of the following:
   • If you want to install one of the pre-installed email security levels (High, Recommended, or Low), use the slider to select one.
   • If you want to configure a custom security level, click the Settings button and enter your custom settings in the Mail Threat Protection window that opens.

     After you configure a custom email security level, the name of the security level in the Security level section changes to Custom.

   • If you want to change the email security level to Recommended, click the Default button.
4. To save changes, click the Save button.

[Topic 129850]

Changing the action to take on infected email messages

By default, the Mail Threat Protection component automatically attempts to disinfect all infected email messages that are detected. If disinfection fails, the Mail Threat Protection component deletes the infected email messages.

To change the action to take on infected email messages:

1. Open the application settings window.
2. In the left part of the window, in the Essential Threat Protection section, select Mail Threat Protection.

   The settings of the Mail Threat Protection component are displayed in the right part of the window.

3. In the Action on threat detection section, select the action for Kaspersky Endpoint Security to perform when an infected message is detected:
   • Disinfect, delete if disinfection fails.

     If this option is selected, the Mail Threat Protection component automatically attempts to disinfect all infected email messages that are detected. If disinfection fails, the Mail Threat Protection component deletes the infected email messages.

   • Disinfect, block if disinfection fails.

     If this option is selected, the Mail Threat Protection component automatically attempts to disinfect all infected email messages that are detected. If disinfection fails, the Mail Threat Protection component blocks the infected email messages.

   • Block.

     If this option is selected, the Mail Threat Protection component automatically blocks all infected email messages without attempting to disinfect them.

4. To save changes, click the Save button.

    

[Topic 128357]

Forming the protection scope of the Mail Threat Protection component

The protection scope refers to the objects that are scanned by the component when it is active. The protection scopes of different components have different properties. The properties of the protection scope of the Mail Threat Protection component include the settings for integrating the Mail Threat Protection component into mail clients, and the type of email messages and email protocols whose traffic is scanned by the Mail Threat Protection component. By default, Kaspersky Endpoint Security scans both incoming and outgoing email messages and traffic of the POP3, SMTP, NNTP, and IMAP protocols, and is integrated into the Microsoft Office Outlook mail client.

To form the protection scope of the Mail Threat Protection component:

1. Open the application settings window.
2. In the left part of the window, in the Essential Threat Protection section, select Mail Threat Protection.

   The settings of the Mail Threat Protection component are displayed in the right part of the window.

3. Click the Settings button.

   The Mail Threat Protection window opens.

4. Select the General tab.
5. In the Protection scope section, do one of the following:
   • If you want the Mail Threat Protection component to scan all incoming and outgoing messages on your computer, select the Incoming and outgoing messages option.
   • If you want the Mail Threat Protection component to scan only incoming messages on your computer, select the Incoming messages only option.

     If you choose to scan only incoming messages, it is recommended that you perform a one-time scan of all outgoing messages because there is a chance that your computer has email worms that are being spread over email. This helps to avoid problems resulting from unmonitored mass emailing of infected messages from your computer.

6. In the Connectivity section, do the following:
   • If you want the Mail Threat Protection component to scan messages that are transmitted via the POP3, SMTP, NNTP and IMAP protocols before they arrive on your computer, select the POP3 / SMTP / NNTP / IMAP traffic check box.

     If you do not want the Mail Threat Protection component to scan messages that are transmitted via the POP3, SMTP, NNTP and IMAP protocols before they arrive on your computer, clear the POP3 / SMTP / NNTP / IMAP traffic check box. In this case, messages are scanned by the Mail Threat Protection extension embedded in the Microsoft Office Outlook mail client after they are received on the user computer if the Additional: Microsoft Office Outlook extension check box is selected.

     If you use a mail client other than Microsoft Office Outlook, messages that are transmitted via the POP3, SMTP, NNTP and IMAP protocols are not scanned by the Mail Threat Protection component when the POP3 / SMTP / NNTP / IMAP traffic check box is cleared.

   • If you want to allow access to Mail Threat Protection component settings from Microsoft Office Outlook and enable scanning of messages that are transmitted via the POP3, SMTP, NNTP, IMAP, and MAPI protocols after they arrive on the computer using the extension that is embedded into Microsoft Office Outlook, select the Additional: Microsoft Office Outlook extension check box.

     If you want to block access to Mail Threat Protection component settings from Microsoft Office Outlook and disable scanning of messages that are transmitted via the POP3, SMTP, NNTP, IMAP, and MAPI protocols after they arrive on the computer using the extension that is embedded into Microsoft Office Outlook, clear the Additional: Microsoft Office Outlook extension check box.

     The Mail Threat Protection extension is embedded in the Microsoft Office Outlook mail client during installation of Kaspersky Endpoint Security.

7. Click OK.
8. To save changes, click the Save button.

[Topic 128886]

Scanning compound files attached to email messages

To configure scanning of compound files attached to email messages:

1. Open the application settings window.
2. In the left part of the window, in the Essential Threat Protection section, select Mail Threat Protection.

   The settings of the Mail Threat Protection component are displayed in the right part of the window.

3. Click the Settings button.

   The Mail Threat Protection window opens.

4. Select the General tab.
5. Perform the following in the Scan of compound files section:
   • If you want the Mail Threat Protection component to skip archives that are attached to messages, clear the Scan attached archives check box.
   • If you want the Mail Threat Protection component to skip Office format files that are attached to messages, clear the Scan attached Office formats check box.
   • If you want the Mail Threat Protection to skip message attachments that are larger than N megabytes in size, select the Do not scan archives larger than N MB check box. If you select this check box, specify the maximum archive size in the field that is opposite the name of the check box.
   • If you want the Mail Threat Protection component to scan message attachments that take more than N seconds to scan, clear the Do not scan archives for more than N sec check box.
6. Click OK.
7. To save changes, click the Save button.

    

[Topic 128353]

Filtering email message attachments

The attachment filtering functionality is not applied to outgoing email messages.

Malicious programs can be distributed in the form of attachments in email messages. You can configure filtering based on the type of message attachments so that files of the specified types are automatically renamed or deleted. By renaming an attachment of a certain type, Kaspersky Endpoint Security can protect your computer against automatic execution of a malicious program.

To configure filtering of attachments:

1. Open the application settings window.
2. In the left part of the window, in the Essential Threat Protection section, select Mail Threat Protection.

   The settings of the Mail Threat Protection component are displayed in the right part of the window.

3. In the Security level section, click the Settings button.

   The Mail Threat Protection window opens.

4. In the Mail Threat Protection window, select the Attachment filter tab.
5. Do one of the following:
   • If you do not want the Mail Threat Protection component to filter message attachments, select the Disable filtering option.
   • If you want the Mail Threat Protection component to rename message attachments of the specified types, select the Rename attachments of selected types option.

     Note that the actual format of a file may not match its file name extension.

     If you enabled filtering of email attachments, the Mail Threat Protection component may rename or delete files with the following extensions:

     com – executable file of an application no larger than 64 KB

     exe – executable file or self-extracting archive

     sys – Microsoft Windows system file

     prg – program text for dBase, Clipper or Microsoft Visual FoxPro, or a WAVmaker program

     bin – binary file

     bat – batch file

     cmd – command file for Microsoft Windows NT (similar to a bat file for DOS), OS/2

     dpl – compressed Borland Delphi library

     dll – dynamic link library

     scr – Microsoft Windows splash screen

     cpl – Microsoft Windows control panel module

     ocx – Microsoft OLE (Object Linking and Embedding) object

     tsp – program running in split-time mode

     drv – device driver

     vxd – Microsoft Windows virtual device driver

     pif – program information file

     lnk – Microsoft Windows link file

     reg – Microsoft Windows system registry key file

     ini – configuration file which contains configuration data for Microsoft Windows, Windows NT, and some applications

     cla – Java class

     vbs – Visual Basic script

     vbe – BIOS video extension

     js, jse – JavaScript source text

     htm – hypertext document

     htt – Microsoft Windows hypertext header

     hta – hypertext program for Microsoft Internet Explorer

     asp – Active Server Pages script

     chm – compiled HTML file

     pht – HTML file with integrated PHP scripts

     php – script that is integrated into HTML files

     wsh – Microsoft Windows Script Host file

     wsf – Microsoft Windows script

     the – Microsoft Windows 95 desktop wallpaper file

     hlp – Win Help file

     eml – Microsoft Outlook Express email message

     nws – new Microsoft Outlook Express email message

     msg – Microsoft Mail email message

     plg – email message

     mbx – saved Microsoft Office Outlook email message

     doc* – Microsoft Office Word documents, such as: doc for Microsoft Office Word documents, docx for Microsoft Office Word 2007 documents with XML support, and docm for Microsoft Office Word 2007 documents with macro support

     dot* – Microsoft Office Word document templates, such as: dot for Microsoft Office Word document templates, dotx for Microsoft Office Word 2007 document templates, dotm for Microsoft Office Word 2007 document templates with macro support

     fpm – database program, Microsoft Visual FoxPro start file

     rtf – Rich Text Format document

     shs – Windows Shell Scrap Object Handler fragment

     dwg – AutoCAD drawing database

     msi – Microsoft Windows Installer package

     otm – VBA project for Microsoft Office Outlook

     pdf – Adobe Acrobat document

     swf – Shockwave Flash package object

     jpg, jpeg – compressed image graphics format

     emf – Enhanced Metafile format file. Next generation of Microsoft Windows OS metafiles. EMF files are not supported by 16-bit Microsoft Windows.

     ico – object icon file

     ov? – Microsoft Office Word executable files

     xl* – Microsoft Office Excel documents and files, such as: xla, the extension for Microsoft Office Excel, xlc for diagrams, xlt for document templates, xlsx for Microsoft Office Excel 2007 workbooks, xltm for Microsoft Office Excel 2007 workbooks with macro support, xlsb for Microsoft Office Excel 2007 workbooks in binary (non-XML) format, xltx for Microsoft Office Excel 2007 templates, xlsm for Microsoft Office Excel 2007 templates with macro support, and xlam for Microsoft Office Excel 2007 plug-ins with macro support

     pp* – Microsoft Office PowerPoint documents and files, such as: pps for Microsoft Office PowerPoint slides, ppt for presentations, pptx for Microsoft Office PowerPoint 2007 presentations, pptm for Microsoft Office PowerPoint 2007 presentations with macros support, potx for Microsoft Office PowerPoint 2007 presentation templates, potm for Microsoft Office PowerPoint 2007 presentation templates with macro support, ppsx for Microsoft Office PowerPoint 2007 slide shows, ppsm for Microsoft Office PowerPoint 2007 slide shows with macro support, and ppam for Microsoft Office PowerPoint 2007 plug-ins with macro support

     md* – Microsoft Office Access documents and files, such as: mda for Microsoft Office Access workgroups and mdb for databases

     sldx – a Microsoft PowerPoint 2007 slide

     sldm – a Microsoft PowerPoint 2007 slide with macro support

     thmx – a Microsoft Office 2007 theme

      

   • If you want the Mail Threat Protection component to delete message attachments of the specified types, select the Delete attachments of selected types option.
6. If you selected the Rename attachments of selected types option or the Delete attachments of selected types option during the previous step, select the check boxes opposite the relevant types of files.

   You can change the list of file types by using the Add, Edit, and Remove buttons.

7. Click OK.
8. To save changes, click the Save button.

    

[Topic 128015]

Scanning emails in Microsoft Office Outlook

During installation of Kaspersky Endpoint Security, the Mail Threat Protection extension is embedded into Microsoft Office Outlook (hereinafter also referred to as Outlook). It allows you to open the Mail Threat Protection component settings from within Outlook, and to specify when email messages are to be scanned for viruses and other threats. The Mail Threat Protection extension for Outlook can scan incoming and outgoing messages that are transmitted via the POP3, SMTP, NNTP, IMAP, and MAPI protocols.

The Mail Threat Protection extension supports operations with Outlook 2010, 2013, 2016.

The Mail Threat Protection component settings can be configured directly in Outlook if the Additional: Microsoft Office Outlook extension check box is selected in the interface of Kaspersky Endpoint Security.

In Outlook, incoming messages are first scanned by the Mail Threat Protection component (if the POP3 / SMTP / NNTP / IMAP traffic check box is selected in the interface of Kaspersky Endpoint Security) and then by the Mail Threat Protection extension for Outlook. If the Mail Threat Protection component detects a malicious object in a message, it notifies you about this event.

Outgoing messages are first scanned by the Mail Threat Protection extension for Outlook, and are then scanned by the Mail Threat Protection component.

Page top

[Topic 134239]

Configuring mail scanning in Outlook

To configure mail scanning in Outlook 2007:

1. Open the main window of Outlook 2007.
2. Select Service → Settings from the menu bar.

   The Options window opens.

3. In the Options window, select the Email protection tab.

To configure mail scanning in Outlook 2010 / 2013 / 2016:

1. Open the main Outlook window.

   Select the File tab in the upper left corner.

2. Click the Options button.

   The Outlook Options window opens.

3. Select the Add-Ins section.

   Settings of plug-ins embedded into Outlook are displayed in the right part of the window.

4. Click the Add-In Options button.

    

[Topic 134240]

Configuring mail scan using Kaspersky Security Center

If mail is scanned using the Mail Threat Protection extension for Outlook, it is recommended to use Cached Exchange Mode. For more detailed information about the Exchange caching mode and recommendations on its use, please refer to the Microsoft Knowledge Base: https://technet.microsoft.com/en-us/library/cc179175.aspx

To configure the operating mode of the Mail Threat Protection extension for Outlook using Kaspersky Security Center:

1. Open the Kaspersky Security Center Administration Console.
2. In the Managed devices folder in the Administration Console tree, open the folder with the name of the administration group for which you want to configure mail scanning.
3. In the workspace, select the Policies tab.
4. Select the necessary policy.
5. Open the Properties: <Policy name> window by using one of the following methods:
   • In the context menu of the policy, select Properties.
   • Click the Configure policy link located in the right part of the Administration Console workspace.
6. In the Essential Threat Protection section, select Mail Threat Protection.
7. In the Security level section, click the Settings button.

   The Mail Threat Protection window opens.

8. In the Connectivity section, click the Settings button.

   The Email protection window opens.

9. In the Email protection window:
   • Select the Scan when receiving check box if you want the Mail Threat Protection extension for Outlook to scan incoming messages as they arrive to the mailbox.
   • Select the Scan when reading check box if you want the Mail Threat Protection extension for Outlook to scan incoming messages when the user opens them.
   • Select the Scan when sending check box if you want the Mail Threat Protection extension for Outlook to scan outgoing messages as they are sent.
10. In the Email protection window, click OK.
11. In the Mail Threat Protection window, click OK.
12. Apply the policy.

    For details on applying a Kaspersky Security Center policy, please refer to the Kaspersky Security Center Help Guide.

[Topic 34430]

Network Threat Protection

This section contains information about Network Threat Protection and instructions on how to configure the component settings.

[Topic 135511]

About Network Threat Protection

The Network Threat Protection component scans inbound network traffic for activity that is typical of network attacks. Upon detecting an attempted network attack that targets your computer, Kaspersky Endpoint Security blocks network activity from the attacking computer. Your screen then displays a warning stating that a network attack was attempted, and shows information about the attacking computer.

Network traffic from the attacking computer is blocked for one hour. You can edit the settings for blocking an attacking computer.

Descriptions of currently known types of network attacks and ways to fight them are provided in Kaspersky Endpoint Security databases. The list of network attacks that the Network Threat Protection component detects is updated during database and application module updates.

[Topic 128211]

Enabling and disabling Network Threat Protection

By default, Network Threat Protection is enabled and running in the optimal mode. You can disable Network Threat Protection if necessary.

To enable or disable Network Threat Protection:

1. Open the application settings window.
2. In the left part of the window, in the Essential Threat Protection section, select Network Threat Protection.

   The Network Threat Protection component settings are displayed in the right part of the window.

3. Do the following:
   • If you want to enable Network Threat Protection, select the Enable Network Threat Protection check box.
   • If you want to disable Network Threat Protection, clear the Enable Network Threat Protection check box.
4. To save changes, click the Save button.

[Topic 133639]

Network Threat Protection settings

You can perform the following actions for configuring Network Threat Protection settings:

• Configure the settings used for blocking an attacking computer.
• Generate a list of addresses for exclusions from blocking.

[Topic 133746]

Editing the settings used in blocking an attacking computer

To edit the settings for blocking an attacking computer:

1. Open the application settings window.
2. In the left part of the window, in the Essential Threat Protection section, select Network Threat Protection.

   The Network Threat Protection component settings are displayed in the right part of the window.

3. Select the Add the attacking computer to the list of blocked computers for check box.

   If this check box is selected, on detecting a network attack attempt, the Network Threat Protection component blocks network activity from the attacking computer for the specified amount of time. This automatically protects the computer against possible future network attacks from the same address.

   If this check box is cleared, on detecting a network attack attempt, the Network Threat Protection component does not enable automatic protection against possible future network attacks from the same address.

4. Change the amount of time during which an attacking computer is blocked in the field next to the Add the attacking computer to the list of blocked computers for check box.
5. To save changes, click the Save button.

[Topic 130879]

Configuring addresses of exclusions from blocking

To configure addresses of exclusions from blocking:

1. Open the application settings window.
2. In the left part of the window, in the Essential Threat Protection section, select Network Threat Protection.

   The Network Threat Protection component settings are displayed in the right part of the window.

3. Click the Exclusions button.

   The Exclusions window opens.

4. Do one of the following:
   • If you want to add a new IP address, click the Add button.
   • If you want to edit a previously added IP address, select it in the list of addresses and click the Edit button.

   The IP address window opens.

5. Enter the IP address of the computer from which network attacks must not be blocked.
6. In the IP address window, click OK.
7. In the Exclusions window, click OK.
8. To save changes, click the Save button.

[Topic 43497]

Firewall

This section contains information about Firewall and instructions on how to configure the component settings.

[Topic 139899]

About Firewall

During use on LANs and the Internet, a computer is exposed to viruses, other malware, and a variety of attacks that exploit vulnerabilities in operating systems and software.

The firewall protects personal data that is stored on the user's computer, blocking most possible threats to the operating system while the computer is connected to the Internet or a local area network. Firewall detects all network connections of the user's computer and provides a list of IP addresses, with an indication of the status of the default network connection.

The Firewall component filters all network activity according to network rules. Configuring network rules lets you specify the desired level of computer protection, from blocking Internet access for all applications to allowing unlimited access.

[Topic 128210]

Enabling or disabling Firewall

By default, Firewall is enabled and functions in the optimal mode. If needed, you can disable Firewall.

To enable or disable Firewall:

1. Open the application settings window.
2. In the left part of the window, in the Essential Threat Protection section, select Firewall.

   In the right part of the window, the settings of the Firewall component are displayed.

3. Do one of the following:
   • To enable Firewall, select the Enable Firewall check box.
   • To disable Firewall, deselect the Enable Firewall check box.
4. To save changes, click the Save button.

[Topic 136337]

About network rules

Network rules are allowed or blocked actions that are performed by Firewall on detecting a network connection attempt.

Firewall provides protection against network attacks of different kinds at two levels: the network level and the program level. Protection at the network level is provided by applying network packet rules. Protection at the program level is provided by applying rules by which installed applications can access network resources.

Based on the two levels of Firewall protection, you can create:

• Network packet rules. Network packet rules impose restrictions on network packets, regardless of the program. Such rules restrict inbound and outbound network traffic through specific ports of the selected data protocol. Firewall specifies certain network packet rules by default.
• Application network rules. Application network rules impose restrictions on the network activity of a specific application. They factor in not only the characteristics of the network packet, but also the specific application to which this network packet is addressed or which issued this network packet. Such rules make it possible to fine-tune network activity filtering: for example, when a certain type of network connection is blocked for some applications but is allowed for others.

Network packet rules have a higher priority than network rules for applications. If both network packet rules and network rules for applications are specified for the same type of network activity, the network activity is handled according to the network packet rules.

You can specify an execution priority for each network packet rule and each network rule for applications.

Network packet rules have a higher priority than network rules for applications. If both network packet rules and network rules for applications are specified for the same type of network activity, the network activity is handled according to the network packet rules.

Network rules for applications work as follows: a network rule for applications includes access rules based on the network status: public, local, or trusted. For example, applications in the High Restricted trust group are not allowed any network activity in networks of all statuses by default. If a network rule is specified for an individual application (parent application), then the child processes of other applications will run according to the network rule of the parent application. If there is no network rule for the application, the child processes will run according to network access rule of the application’s trust group.

For example, you have prohibited any network activity in networks of all statuses for all applications, except browser X. If you start browser Y installation (child process) from browser X (parent application), then browser Y installer will access the network and download the necessary files. After installation, browser Y will be denied any network connections according to the Firewall settings. To prohibit network activity of browser Y installer as a child process, you must add a network rule for the installer of browser Y.

[Topic 44427]

About the network connection status

Firewall controls all network connections on the user's computer and automatically assigns a status to each detected network connection.

The network connection can have one of the following status types:

• Public network. This status is for networks that are not protected by any anti-virus applications, firewalls, or filters (for example, for Internet cafe networks). When the user operates a computer that is connected to such a network, Firewall blocks access to files and printers of this computer. External users are also unable to access data through shared folders and remote access to the desktop of this computer. Firewall filters the network activity of each application according to the network rules that are set for it.

  Firewall assigns Public network status to the Internet by default. You cannot change the status of the Internet.

• Local network. This status is assigned to networks whose users are trusted to access files and printers on this computer (for example, a LAN or home network).
• Trusted network. This status is intended for a safe network in which the computer is not exposed to attacks or unauthorized data access attempts. Firewall permits any network activity within networks with this status.

[Topic 133742]

Changing the network connection status

To change the network connection status:

1. Open the application settings window.
2. In the left part of the window, in the Essential Threat Protection section, select Firewall.

   In the right part of the window, the settings of the Firewall component are displayed.

3. Click the Available networks button.

   The Firewall window opens.

4. Select the network connection whose status you want to change.
5. In the context menu, select the network connection status:
   • Public network.
   • Local network.
   • Trusted network.
6. In the Firewall window, click OK.
7. To save changes, click the Save button.

[Topic 44428]

Managing network packet rules

You can perform the following actions while managing network packet rules:

• Create a new network packet rule.

  You can create a new network packet rule by creating a set of conditions and actions that is applied to network packets and data streams.

• Enable or disable a network packet rule.

  All network packet rules that are created by Firewall by default have Enabled status. When a network packet rule is enabled, Firewall applies this rule.

  You can disable any network packet rule that is selected in the list of network packet rules. When a network packet rule is disabled, Firewall temporarily does not apply this rule.

  A new custom network packet rule is added to the list of network packet rules by default with Enabled status.

• Edit the settings of an existing network packet rule.

  After you create a new network packet rule, you can always return to editing its settings and modify them as needed.

• Change the Firewall action for a network packet rule.

  In the list of network packet rules, you can edit the action that is taken by Firewall on detecting network activity that matches a specific network packet rule. 

• Change the priority of a network packet rule.

  You can raise or lower the priority of a network packet rule that is selected in the list.

• Remove a network packet rule.

  You can remove a network packet rule to stop Firewall from applying this rule on detecting network activity and to stop this rule from showing in the list of network packet rules with Disabled status.

   

[Topic 123451]

Creating and editing a network packet rule

When creating network packet rules, remember that they have priority over network rules for applications.

To create or edit a network packet rule:

1. Open the application settings window.
2. In the left part of the window, in the Essential Threat Protection section, select Firewall.
3. Click the Network packet rules button.
4. The Firewall window opens to the Network packet rules tab.

   This tab shows a list of default network packet rules that are set by Firewall.

5. Do one of the following:
   • To create a new network packet rule, click the Add button.
   • To edit a network packet rule, select it in the list of network packet rules and click the Edit button.

   The Network rule window opens.

6. In the Action drop-down list, select the action to be performed by Firewall on detecting this kind of network activity:
   • Allow
   • Block
   • By application rules.
7. In the Name field, specify the name of the network service in one of the following ways:
   • Click the icon to the right of the Name field and select the name of the network service in the drop-down list.

     The drop-down list includes network services that define the most frequently used network connections.

   • Manually enter the name of the network service in the Name field.
8. Specify the data transfer protocol:
   1. Select the Protocol check box.
   2. In the drop-down list, select the type of protocol for which network activity is to be monitored.

      Firewall monitors network connections that use the TCP, UDP, ICMP, ICMPv6, IGMP, and GRE protocols.

      If you select a network service from the Name drop-down list, the Protocol check box is selected automatically and the drop-down list next to the check box contains the protocol type that corresponds to the selected network service. By default, the Protocol check box is cleared.

9. In the Direction drop-down list, select the direction of the monitored network activity.

   Firewall monitors network connections with the following directions:

   • Inbound (packet).
   • Inbound.
   • Inbound / Outbound
   • Outbound (packet).
   • Outbound.
10. If ICMP or ICMPv6 is selected as the protocol, you can specify the ICMP packet type and code:
    1. Select the ICMP type check box and select the ICMP packet type in the drop-down list.
    2. Select the ICMP code check box and select the ICMP packet code in the drop-down list.
11. If TCP or UDP is selected as the protocol type, you can specify the comma-delimited port numbers of the local and remote computers between which the connection is to be monitored:
    1. Type the ports of the remote computer in the Remote ports field.
    2. Type the ports of the local computer in the Local ports field.
12. In the Network adapters table, specify the settings of network adapters from which network packets can be sent or which can receive network packets. To do so, use the Add, Edit, and Delete buttons.
13. If you want to restrict control of network packets based on their time to live (TTL), select the TTL check box and in the field next to it, specify the range of values of the time to live for inbound and/or outbound network packets.

    A network rule will control the transmission of network packets whose time to live does not exceed the specified value.

    Otherwise, clear the TTL check box.

14. Specify the network addresses of remote computers that can send and/or receive network packets. To do so, select one of the following values in the Remote addresses drop-down list:
    • Any address. The network rule controls network packets sent and/or received by remote computers with any IP address.
    • Subnet addresses. The network rule controls network packets sent and/or received by remote computers with IP addresses associated with the selected network type: Trusted networks, Local networks, or Public networks.
    • Addresses from the list. The network rule controls network packets sent and/or received by remote computers with IP addresses that can be specified in the list below using the Add, Edit, and Delete buttons.
15. Specify the network addresses of computers that have Kaspersky Endpoint Security installed and can send and/or receive network packets. To do so, select one of the following values in the Local addresses drop-down list:
    • Any address. The network rule controls network packets sent and/or received by computers with Kaspersky Endpoint Security installed and with any IP address.
    • Addresses from the list. The network rule controls network packets sent and/or received by computers with Kaspersky Endpoint Security installed and with IP addresses that can be specified in the list below using the Add, Edit, and Delete buttons.

    Sometimes a local address cannot be obtained for applications that work with network packets. If this is the case, the value of the Local addresses setting is ignored.

16. If you want the actions of the network rule to be reflected in the report, select the Log events check box.
17. In the Network rule window, click OK.

    If you create a new network rule, the rule is displayed on the Network packet rules tab of the Firewall window. By default, the new network rule is placed at the end of the list of network packet rules.

18. In the Firewall window, click OK.
19. To save changes, click the Save button.

[Topic 133743]

Enabling or disabling a network packet rule

To enable or disable a network packet rule:

1. Open the application settings window.
2. In the left part of the window, in the Essential Threat Protection section, select Firewall.

   In the right part of the window, the settings of the Firewall component are displayed.

3. Click the Network packet rules button.

   The Firewall window opens to the Network packet rules tab.

4. Select the necessary network packet rule in the list.
5. Do one of the following:
   • To enable the rule, select the check box next to the name of the network packet rule.
   • To disable the rule, clear the check box next to the name of the network packet rule.
6. Click OK.
7. To save changes, click the Save button.

[Topic 133744]

Changing the Firewall action for a network packet rule

To change the Firewall action that is applied to a network packet rule:

1. Open the application settings window.
2. In the left part of the window, in the Essential Threat Protection section, select Firewall.

   In the right part of the window, the settings of the Firewall component are displayed.

3. Click the Network packet rules button.

   The Firewall window opens to the Network packet rules tab.

4. In the list, select the network packet rule whose action you want to change.
5. In the Permission column, right-click to bring up the context menu and select the action that you want to assign:
   • Allow
   • Block
   • According to the application rule
   • Log events
6. In the Firewall window, click OK.
7. To save changes, click the Save button.

[Topic 133745]

Changing the priority of a network packet rule

The priority of a network packet rule is determined by its position in the list of network packet rules. The topmost network packet rule in the list of network packet rules has the highest priority.

Every manually created network packet rule is added to the end of the list of network packet rules and is of the lowest priority.

Firewall executes rules in the order in which they appear in the list of network packet rules, from top to bottom. According to each processed network packet rule that applies to a particular network connection, Firewall either allows or blocks network access to the address and port that are specified in the settings of this network connection.

To change the network packet rule priority:

1. Open the application settings window.
2. In the left part of the window, in the Essential Threat Protection section, select Firewall.

   In the right part of the window, the settings of the Firewall component are displayed.

3. Click the Network packet rules button.

   The Firewall window opens to the Network packet rules tab.

4. In the list, select the network packet rule whose priority you want to change.
5. Use the Move up and Move down buttons to move the network packet rule to the desired spot in the list of network packet rules.
6. Click OK.
7. To save changes, click the Save button.

[Topic 128236]

Managing application network rules

By default, Kaspersky Endpoint Security groups all applications that are installed on the computer by the name of the vendor of the software whose file or network activity it monitors. Application groups are in turn categorized into trust groups. All applications and application groups inherit properties from their parent group: application control rules, application network rules, and their execution priority.

Like the Host Intrusion Prevention component, by default the Firewall component applies the network rules for an application group when filtering the network activity of all applications within the group. The application group network rules define the rights of applications within the group to access different network connections.

By default, Firewall creates a set of network rules for each application group that is detected by Kaspersky Endpoint Security on the computer. You can change the Firewall action that is applied to the application group network rules that are created by default. You cannot edit, remove, disable, or change the priority of application group network rules that are created by default.

You can also create a network rule for an individual application. Such a rule will have a higher priority than the network rule of the group to which the application belongs.

You can perform the following actions while managing network rules of applications:

• Create a new network rule.

  You can create a new network rule by which the Firewall must regulate the network activity of the application or applications that belong to the selected group of applications.

• Enable or disable a network rule.

  All network rules are added to the list of network rules of applications with Enabled status. If a network rule is enabled, Firewall applies this rule.

  You can disable a network rule that was manually created. If a network rule is disabled, Firewall temporarily does not apply this rule.

• Change the settings of a network rule.

  After you create a new network rule, you can always return to its settings and modify them as needed.

• Change the Firewall action for a network rule.

  In the list of network rules, you can edit the action that the Firewall applies for the network rule upon detecting network activity in this application or application group.

• Change the priority of a network rule.

  You can raise or lower the priority of a custom network rule.

• Delete a network rule.

  You can delete a custom network rule to stop the Firewall from applying this network rule to the selected application or application group upon detecting network activity, and to stop this rule from being displayed in the list of application network rules.

   

[Topic 123452]

Creating and editing an application network rule

To create or edit a network rule for an application group:

1. Open the application settings window.
2. In the left part of the window, in the Essential Threat Protection section, select Firewall.
3. Click the Application rules button.

   The Firewall window opens to the Application network rules tab.

4. In the list of applications, select the application or group of applications for which you want to create or edit a network rule.
5. Right-click to bring up the context menu and select Application rules or Group rules depending on what you need to do.

   This opens the Application control rules or Application group control rules window.

6. Select the Network rules tab in the Application control rules or Application group control rules window.
7. Do one of the following:
   • To create a new network rule, click the Add button.
   • To edit a network rule, select it in the list of network rules and click the Edit button.

   The Network rule window opens.

8. In the Action drop-down list, select the action to be performed by Firewall on detecting this kind of network activity:
   • Allow
   • Block
9. In the Name field, specify the name of the
   network service

   Set of parameters that define network activity. For this network activity, you can create a network rule that regulates the operation of Firewall.

   in one of the following ways:
   • Click the icon to the right of the Name field and select the name of the network service in the drop-down list.

     The drop-down list includes network services that define the most frequently used network connections.

   • Manually enter the name of the network service in the Name field.
10. Specify the data transfer protocol:
    1. Select the Protocol check box.
    2. In the drop-down list, select the type of protocol on which to monitor network activity.

       Firewall monitors network connections that use the TCP, UDP, ICMP, ICMPv6, IGMP, and GRE protocols. If you select a network service from the Name drop-down list, the Protocol check box is selected automatically and the drop-down list next to the check box contains the protocol type that corresponds to the selected network service. By default, the Protocol check box is cleared.

11. In the Direction drop-down list, select the direction of the monitored network activity.

    Firewall monitors network connections with the following directions:

    • Inbound.
    • Inbound / Outbound.
    • Outbound.
12. If ICMP or ICMPv6 is selected as the protocol, you can specify the ICMP packet type and code:
    1. Select the ICMP type check box and select the ICMP packet type in the drop-down list.
    2. Select the ICMP code check box and select the ICMP packet code in the drop-down list.
13. If TCP or UDP is selected as the protocol type, you can specify the comma-delimited port numbers of the local and remote computers between which the connection is to be monitored:
    1. Type the ports of the remote computer in the Remote ports field.
    2. Type the ports of the local computer in the Local ports field.
14. Specify the network addresses of remote computers that can send and/or receive network packets. To do so, select one of the following values in the Remote addresses drop-down list:
    • Any address. The network rule controls network packets sent and/or received by remote computers with any IP address.
    • Subnet addresses. The network rule controls network packets sent and/or received by remote computers with IP addresses associated with the selected network type: Trusted networks, Local networks, or Public networks.
    • Addresses from the list. The network rule controls network packets sent and/or received by remote computers with IP addresses that can be specified in the list below using the Add, Edit, and Delete buttons.
15. Specify the network addresses of computers that have Kaspersky Endpoint Security installed and can send and/or receive network packets. To do so, select one of the following values in the Local addresses drop-down list:
    • Any address. The network rule controls network packets sent and/or received by computers with Kaspersky Endpoint Security installed and with any IP address.
    • Addresses from the list. The network rule controls network packets sent and/or received by computers with Kaspersky Endpoint Security installed and with IP addresses that can be specified in the list below using the Add, Edit, and Delete buttons.

    Sometimes a local address cannot be obtained for applications that work with network packets. If this is the case, the value of the Local addresses setting is ignored.

16. If you want the actions of the network rule to be reflected in the report, select the Log events check box.
17. In the Network rule window, click OK.

    If you created a new network rule, the rule is displayed on the Network rules tab.

18. Click OK in the Application group control rules window if the rule is intended for a group of applications, or in the Application control rules window if the rule is intended for an application.
19. In the Firewall window, click OK.
20. To save changes, click the Save button.

[Topic 133631]

Enabling and disabling an application network rule

To enable or disable an application network rule:

1. Open the application settings window.
2. In the left part of the window, in the Essential Threat Protection section, select Firewall.

   In the right part of the window, the settings of the Firewall component are displayed.

3. Click the Application rules button.

   The Firewall window opens to the Application network rules tab.

4. In the list, select the application or group of applications for which you want to enable or disable a network rule.
5. Right-click to bring up the context menu and select Application rules or Group rules depending on what you need to do.

   This opens the Application control rules or Application group control rules window.

6. In the window that opens, select the Network rules tab.
7. In the list of network rules for an application group, select the relevant network rule.
8. Do one of the following:
   • If you want to enable the rule, select the check box next to the name of the network rule.
   • If you want to disable the rule, clear the check box next to the name of the network rule.

     You cannot disable an application group network rule that is created by Firewall by default.

9. Click OK in the Application group control rules window if the rule is intended for a group of applications, or in the Application control rules window if the rule is intended for an application.
10. In the Firewall window, click OK.
11. To save changes, click the Save button.

[Topic 133632]

Changing the Firewall action for an application network rule

You can change the Firewall action that is applied to all network rules for an application or application group that were created by default, and change the Firewall action for a single custom network rule for an application or application group.

To change the Firewall action for all network rules for an application or group of applications:

1. Open the application settings window.
2. In the left part of the window, in the Essential Threat Protection section, select Firewall.

   In the right part of the window, the settings of the Firewall component are displayed.

3. Click the Application rules button.

   The Firewall window opens to the Application network rules tab.

4. If you want to change the Firewall action that is applied to all network rules that are created by default, select an application or group of applications in the list. Manually created network rules are left unchanged.
5. In the Network column, click to display the context menu and select the action that you want to assign:
   • Inherit
   • Allow
   • Block
6. Click OK.
7. To save changes, click the Save button.