Kaspersky Endpoint Security for Windows

Kaspersky Endpoint Security for Windows (hereinafter also referred to as Kaspersky Endpoint Security) provides comprehensive computer protection against various types of threats, including network and phishing attacks.

The application is not intended to be used in technological processes that involve automated control systems. To protect devices in such systems, it is recommended to use the Kaspersky Industrial CyberSecurity for Nodes application.

Threat detection technologies

Machine learning

Kaspersky Endpoint Security uses a model based on machine learning. The model is developed by Kaspersky experts. Subsequently, the model is continuously fed with threat data from KSN (model training).

Cloud analysis

Kaspersky Endpoint Security receives threat data from the Kaspersky Security Network. Kaspersky Security Network (KSN) is an infrastructure of cloud services providing access to the online Kaspersky Knowledge Base that contains information about the reputation of files, web resources, and software.

Expert analysis

Kaspersky Endpoint Security uses threat data added by Kaspersky virus analysts. Virus analysts evaluate objects if the reputation of an object cannot be determined automatically.

Behavior analysis

Kaspersky Endpoint Security analyzes the activity of an object in real time.

Automatic analysis

Kaspersky Endpoint Security receives data from the automatic object analysis system. The system processes all objects that are sent to Kaspersky. The system then determines the reputation of the object and adds the data to anti-virus databases. If the system cannot determine the reputation of the object, the system queries Kaspersky virus analysts.

Sandbox

Kaspersky Endpoint Security processes the object in a virtual machine. Kaspersky Sandbox analyzes the behavior of the object and decides on its reputation. This technology is available only if you are using the Kaspersky Sandbox solution.

Cloud Sandbox

Kaspersky Endpoint Security scans objects in an isolated environment provided by Kaspersky. Cloud Sandbox technology is permanently enabled and is available to all Kaspersky Security Network users regardless of the type of license they are using. If you have already deployed an Endpoint Detection and Response solution, you can enable a separate counter for threats detected by Cloud Sandbox.

Selection tree

Each type of threat is handled by a dedicated component. Components can be enabled or disabled independently, and their settings can be configured.


Essential Threat Protection

File Threat Protection

The File Threat Protection component lets you prevent infection of the file system of the computer. By default, the File Threat Protection component permanently resides in the computer's RAM. The component scans files on all drives of the computer, as well as on connected drives. The component provides computer protection with the help of anti-virus databases, the Kaspersky Security Network cloud service, and heuristic analysis.

Web Threat Protection

The Web Threat Protection component prevents downloads of malicious files from the Internet, and also blocks malicious and phishing websites. The component provides computer protection with the help of anti-virus databases, the Kaspersky Security Network cloud service, and heuristic analysis.

Mail Threat Protection

The Mail Threat Protection component scans the attachments of incoming and outgoing email messages for viruses and other threats. The component provides computer protection with the help of anti-virus databases, the Kaspersky Security Network cloud service, and heuristic analysis.

Mail Threat Protection can scan both incoming and outgoing messages. The application supports POP3, SMTP, IMAP, and NNTP in the following mail clients:

  • Microsoft Office Outlook
  • Mozilla Thunderbird
  • Windows Mail
  • MyOffice Mail
  • R7-Office Organizer

To scan traffic in the Mozilla Thunderbird, MyOffice Mail and R7-Office Organizer mail clients, you need to add the Kaspersky certificate to the certificate store and select the option to use the client's own certificate store.

Mail Threat Protection does not support other protocols and mail clients.

Mail Threat Protection may not always be able to gain protocol-level access to messages (for example, when using the Microsoft Exchange solution). For this reason, Mail Threat Protection includes an extension for Microsoft Office Outlook. The extension allows scanning messages at the level of the mail client. The Mail Threat Protection extension supports operations with Outlook 2010, 2013, 2016, 2019 and 2021.

Network Threat Protection

The Network Threat Protection component (also called Intrusion Detection System) monitors inbound network traffic for activity characteristic of network attacks. When Kaspersky Endpoint Security detects an attempted network attack on the user's computer, it blocks the network connection with the attacking computer. Descriptions of currently known types of network attacks and ways to counteract them are provided in Kaspersky Endpoint Security databases. The list of network attacks that the Network Threat Protection component detects is updated during database and application module updates.

Firewall

The Firewall blocks unauthorized connections to the computer while working on the Internet or local network. The Firewall also controls the network activity of applications on the computer. This allows you to protect your corporate LAN from identity theft and other attacks. The component provides computer protection with the help of anti-virus databases, the Kaspersky Security Network cloud service, and predefined network rules.

BadUSB Attack Prevention

The BadUSB Attack Prevention component prevents infected USB devices emulating a keyboard from connecting to the computer.

AMSI Protection

The AMSI Protection component is intended to support the Antimalware Scan Interface from Microsoft. The Antimalware Scan Interface (AMSI) allows third-party applications with AMSI support to send objects (for example, PowerShell scripts) to Kaspersky Endpoint Security for an additional scan and then receive the results of scanning these objects.

Advanced Threat Protection

Kaspersky Security Network

Kaspersky Security Network (KSN) is an infrastructure of cloud services providing access to the online Kaspersky Knowledge Base that contains information about the reputation of files, web resources, and software. The use of data from Kaspersky Security Network ensures faster responses by Kaspersky Endpoint Security to new threats, improves the performance of some protection components, and reduces the likelihood of false positives. If you are participating in Kaspersky Security Network, KSN services provide Kaspersky Endpoint Security with information about the category and reputation of scanned files, as well as information about the reputation of scanned web addresses.

Behavior Detection

The Behavior Detection component receives data on the actions of applications on your computer and provides this information to other protection components to improve their performance. The Behavior Detection component utilizes Behavior Stream Signatures (BSS) for applications. If application activity matches a behavior stream signature, Kaspersky Endpoint Security performs the selected responsive action. Kaspersky Endpoint Security functionality based on behavior stream signatures provides proactive defense for the computer.

Exploit Prevention

The Exploit Prevention component detects program code that takes advantage of vulnerabilities on the computer to obtain administrator privileges or to perform malicious activities. For example, exploits can utilize a buffer overflow attack. To do so, the exploit sends a large amount of data to a vulnerable application. When processing this data, the vulnerable application executes malicious code. As a result of this attack, the exploit can start an unauthorized installation of malware. When a vulnerable application attempts to run an executable file without the user having initiated it, Kaspersky Endpoint Security blocks this file from running or notifies the user.

Host Intrusion Prevention

The Host Intrusion Prevention component prevents applications from performing actions that may be dangerous for the operating system, and ensures control over access to operating system resources and personal data. The component provides computer protection with the help of anti-virus databases and the Kaspersky Security Network cloud service.

Remediation Engine

The Remediation Engine lets Kaspersky Endpoint Security roll back actions that have been performed by malware in the operating system.

Security Controls

Application Control

Application Control manages the startup of applications on users' computers. This allows you to implement a corporate security policy when using applications. Application Control also reduces the risk of computer infection by restricting access to applications.

Device Control

Device Control manages user access to devices that are installed on or connected to the computer (for example, hard drives, cameras, or Wi-Fi modules). This lets you protect the computer from infection when such devices are connected, and prevent loss or leaks of data.

Web Control

Web Control manages users' access to web resources. This helps reduce traffic and inappropriate use of work time. When a user tries to open a website that is restricted by Web Control, Kaspersky Endpoint Security blocks access or shows a warning.

Adaptive Anomaly Control

The Adaptive Anomaly Control component monitors and blocks actions that are not typical of the computers in a company's network. Adaptive Anomaly Control uses a set of rules to track non-typical behavior (for example, the Start of Microsoft PowerShell from office application rule). Rules are created by Kaspersky specialists based on typical scenarios of malicious activity. You can configure how Adaptive Anomaly Control handles each rule and, for example, allow the execution of PowerShell scripts that automate certain workflow tasks. Kaspersky Endpoint Security updates the set of rules along with the application databases.
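As an added illustration of the rule named above (not Kaspersky code), the following toy detector applies the "PowerShell started from an Office application" pattern to constructed Windows Security event 4688 (process creation) records and honours a per-rule exclusion for approved automation scripts. The field names follow event 4688; the Office and PowerShell image names, the approved script path, and the sample records are all assumptions made for the example.

```python
"""Toy detector for the "Start of Microsoft PowerShell from office application"
pattern over constructed Windows Security event 4688 (process creation) records."""
import ntpath
from dataclasses import dataclass

OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
POWERSHELL_HOSTS = {"powershell.exe", "pwsh.exe", "powershell_ise.exe"}

@dataclass(frozen=True)
class ProcessEvent:
    creator_process_name: str  # 4688 "Creator Process Name": parent image path
    new_process_name: str      # 4688 "New Process Name": child image path
    command_line: str          # 4688 "Process Command Line" (requires that audit policy)

def image_name(path: str) -> str:
    """Case-insensitive basename of a Windows image path (works on any host OS)."""
    return ntpath.basename(path).lower()

def matches_rule(ev: ProcessEvent, allowed_scripts=frozenset()) -> bool:
    """True when an Office process starts a PowerShell host and the command line
    does not reference an administrator-approved script (the per-rule exclusion)."""
    if image_name(ev.new_process_name) not in POWERSHELL_HOSTS:
        return False
    if image_name(ev.creator_process_name) not in OFFICE_PARENTS:
        return False
    cmd = ev.command_line.lower()
    return not any(script.lower() in cmd for script in allowed_scripts)

def detect(events, allowed_scripts=frozenset()):
    """Return the events that trip the rule, in input order."""
    return [ev for ev in events if matches_rule(ev, allowed_scripts)]

OFFICE16 = r"C:\Program Files\Microsoft Office\root\Office16"
PS_V1 = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
SAMPLE_EVENTS = [  # constructed records, not real telemetry
    ProcessEvent(OFFICE16 + r"\WINWORD.EXE", PS_V1,
                 "powershell.exe -nop -w hidden -enc <base64 placeholder>"),
    ProcessEvent(OFFICE16 + r"\WINWORD.EXE", PS_V1,
                 r"powershell.exe -File C:\Scripts\export-report.ps1"),
    ProcessEvent(r"C:\Windows\explorer.exe", PS_V1, "powershell.exe"),
    ProcessEvent(OFFICE16 + r"\EXCEL.EXE", r"C:\Program Files\PowerShell\7\pwsh.exe",
                 "pwsh.exe -Command Get-Date"),
]
APPROVED = frozenset({r"C:\Scripts\export-report.ps1"})  # assumed exclusion

if __name__ == "__main__":
    for ev in detect(SAMPLE_EVENTS, APPROVED):
        print("RULE HIT:", image_name(ev.creator_process_name), "->", ev.command_line)
```

Without the exclusion all three Office-spawned PowerShell events match; with the approved script excluded, only the hidden encoded command and the Excel-spawned pwsh remain.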

Log Inspection

Log Inspection monitors the integrity of the protected environment based on analysis of the Windows event log. When the application detects signs of atypical behavior in the system, it informs the administrator, as this behavior may indicate an attempted cyber attack.

System Integrity Monitoring

The System Integrity Monitoring component monitors changes in the operating system that may indicate computer security breaches. When such changes are detected, Kaspersky Endpoint Security generates corresponding events and alerts the administrator.

Tasks

Malware Scan

Kaspersky Endpoint Security scans the computer for viruses and other threats. Malware Scan helps to rule out the possibility of spreading malware that was not detected by protection components, for example, due to a low security level.

Update of databases and application modules

Kaspersky Endpoint Security downloads updated databases and application modules. Updating keeps the computer protected against the latest viruses and other threats. The application is updated automatically by default, but if necessary, you can update the databases and application modules manually.

Last update rollback

Kaspersky Endpoint Security rolls back the last update of databases and modules. This lets you roll back the databases and application modules to their previous versions when necessary, for example, when the new database version contains an invalid signature that causes Kaspersky Endpoint Security to block a safe application.

Application Integrity Check

Kaspersky Endpoint Security checks the application modules in the application installation folder for corruption or modifications. If an application module has an incorrect digital signature, the module is considered corrupt.

Data Encryption

File Level Encryption

The component allows creating file encryption rules. You can select predefined folders for encryption, select a folder manually, or select individual files by extension.

Full Disk Encryption

The component allows encrypting the hard disk using Kaspersky Disk Encryption or BitLocker Drive Encryption.

Encryption of removable drives

The component allows protecting data on removable drives. You can use Full Disk Encryption (FDE) or File Level Encryption (FLE).

Detection and Response

Endpoint Detection and Response Optimum

Built-in agent for the Kaspersky Endpoint Detection and Response Optimum solution (hereinafter also "EDR Optimum"). Kaspersky Endpoint Detection and Response is a solution for protecting the corporate IT infrastructure from advanced cyber threats. The functionality of the solution combines automatic detection of threats with the ability to react to these threats to counteract advanced attacks including new exploits, ransomware, fileless attacks, as well as methods using legitimate system tools. For more information about the solution, refer to the Kaspersky Endpoint Detection and Response Optimum Help.

Endpoint Detection and Response Expert

Built-in agent for the Kaspersky Endpoint Detection and Response Expert solution (hereinafter also "EDR Expert"). EDR Expert offers more threat monitoring and response functionality than EDR Optimum. For more information about the solution, refer to the Kaspersky Endpoint Detection and Response Expert Help.

Endpoint Detection and Response (KATA) and Network Detection and Response (KATA)

Built-in agents for managing the Endpoint Detection and Response and Network Detection and Response components that are part of the Kaspersky Anti Targeted Attack Platform solution. Kaspersky Anti Targeted Attack Platform is a solution designed for timely detection of sophisticated threats such as targeted attacks, advanced persistent threats (APT), zero-day attacks, and others. Kaspersky Anti Targeted Attack Platform includes three functional units:

  • Kaspersky Anti Targeted Attack Platform (KATA)
  • Kaspersky Endpoint Detection and Response (EDR (KATA))
  • Network Detection and Response (NDR (KATA))

You can purchase all functional units or individual functional units separately. For details about the solution, please refer to the Kaspersky Anti Targeted Attack Platform Help.

Sandbox

Built-in agent for Sandbox. The Sandbox component detects and automatically blocks advanced threats on computers. Sandbox analyzes object behavior to detect malicious activity and activity characteristic of targeted attacks on the IT infrastructure of the organization. Sandbox analyzes and scans objects on special servers with deployed virtual images of Microsoft Windows operating systems (the Sandbox servers). For details about the solution, please refer to the Kaspersky Sandbox Help and Kaspersky Anti Targeted Attack Platform Help.

Managed Detection and Response

Built-in agent to support the operation of the Kaspersky Managed Detection and Response solution. The Kaspersky Managed Detection and Response (MDR) solution automatically detects and analyzes security incidents in your infrastructure. To do so, MDR uses telemetry data received from endpoints and machine learning. MDR sends incident data to Kaspersky experts. The experts can then process the incident and, for example, add a new entry to the anti-virus databases. Alternatively, the experts can issue recommendations on processing the incident and, for example, suggest isolating the computer from the network. For detailed information about how the solution works, please refer to the Kaspersky Managed Detection and Response Help.
