This section provides a scenario for regular updating of Kaspersky databases, software modules, and applications. After you complete the Configuring network protection scenario, you must maintain the reliability of the protection system to make sure that the Administration Servers and managed devices are kept protected against various threats, including viruses, network attacks, and phishing attacks.
Network protection is kept up-to-date by regular updates of the following:
When you complete this scenario, you can be sure of the following:
The managed devices must have a connection to the Administration Server. If they do not have a connection, consider updating Kaspersky databases, software modules, and applications manually or directly from the Kaspersky update servers.
Administration Server must have a connection to the internet.
Before you start, make sure that you have done the following:
Updating Kaspersky databases and applications proceeds in stages:
There are several schemes that you can use to install updates to Kaspersky Security Center components and security applications. Choose the scheme or several schemes that meet the requirements of your network best.
This task is created automatically by Kaspersky Security Center Quick Start Wizard. If you did not run the Wizard, create the task now.
This task is required to download updates from Kaspersky update servers to the repository of the Administration Server, as well as to update Kaspersky databases and software modules for Kaspersky Security Center. After the updates are downloaded, they can be propagated to the managed devices.
If your network has assigned distribution points, the updates are automatically downloaded from the Administration Server repository to the repositories of the distribution points. In this case the managed devices included in the scope of a distribution point download the updates from the repository of the distribution point instead of the Administration Server repository.
By default, the updates are downloaded to the distribution points from the Administration server. You can configure Kaspersky Security Center to download the updates to the distribution points directly from Kaspersky update servers. Download to the repositories of distribution points is preferable if the traffic between the Administration Server and the distribution points is more expensive than the traffic between the distribution points and Kaspersky update servers, or if your Administration Server does not have internet access.
When your network has assigned distribution points and the Download updates to the repositories of distribution points task is created, the distribution points download updates from Kaspersky update servers, and not from the Administration Server repository.
When your network has assigned distribution points, make sure that the Deploy updates option is enabled in the properties of all required distribution points. When this option is disabled for a distribution point, the devices included in the scope of the distribution point download updates from the repository of the Administration Server.
If you want the managed devices to receive updates only from the distribution points, enable the Distribute files through distribution points only option in the Network Agent policy.
You can optimize the update process by using the offline model of update download (enabled by default) or by using diff files. For each network segment, you have to choose which of these two features to enable, because they cannot work simultaneously.
When the offline model of update download is enabled, Network Agent downloads the required updates to the managed device once the updates are downloaded to the Administration Server repository, before the security application requests the updates. This enhances the reliability of the update process. To use this feature, enable the Download updates and anti-virus databases from the Administration Server in advance option in the Network Agent policy.
If you do not use the offline model of update download, you can optimize traffic between the Administration Server and the managed devices by using diff files. When this feature is enabled, the Administration Server or a distribution point downloads diff files instead of entire files of Kaspersky databases or software modules. A diff file describes the differences between two versions of a file of a database or software module. Therefore, a diff file occupies less space than an entire file. This results in decrease in the traffic between the Administration Server or distribution points and the managed devices. To use this feature, enable the Download diff files option in the properties of the Download updates to the Administration Server repository task and/or the Download updates to the repositories of distribution points task.
How-to instructions: Using diff files for updating Kaspersky databases and software modules
Before installing the downloaded updates, you can verify the updates through the Update verification task. This task sequentially runs the device update tasks and virus scan tasks configured through settings for the specified collection of test devices. Upon obtaining the task results, the Administration Server starts or blocks the update propagation to the remaining devices.
The Update verification task can be performed as part of the Download updates to the repository of the Administration Server task. In the properties of the Download updates to the repository of the Administration Server task, enable the Verify updates before distributing option in the Administration Console or the Run update verification option in Kaspersky Security Center 13 Web Console.
By default, the downloaded software updates have the Undefined status. You can change the status to Approved or Declined. The approved updates are always installed. If an update requires reviewing and accepting the terms of the End User License Agreement, then you first need to accept the terms. After that the update can be propagated to the managed devices. The undefined updates can only be installed on Network Agent and other Kaspersky Security Center components in accordance with the Network Agent policy settings. The updates for which you set Declined status will not be installed on devices. If a declined update for a security application was previously installed, Kaspersky Security Center will try to uninstall the update from all devices. Updates for Kaspersky Security Center components cannot be uninstalled.
Starting from version 10 Service Pack 2, the downloaded updates and patches for Network Agent and other Kaspersky Security Center components are installed automatically. If you have left the Automatically install applicable updates and patches for components that have the Undefined status option enabled in the Network Agent properties, then all updates will be installed automatically after they are downloaded to the repository (or several repositories). If this option is disabled, Kaspersky patches that have been downloaded and tagged with the Undefined status will be installed only after you change their status to Approved.
For Network Agent versions earlier than 10 Service Pack 2, make sure that the Update Network Agent modules option is enabled in the properties of the Download updates to the repository of the Administration Server task or the Download updates to the repositories of distribution points task.
Software updates for the Administration Server do not depend on the update statuses. They are not installed automatically and must be preliminarily approved by the administrator on the Monitoring tab in the Administration Console (Administration Server <server name> → Monitoring) or on the NOTIFICATIONS section in Kaspersky Security Center 13 Web Console (MONITORING & REPORTING → NOTIFICATIONS). After that, the administrator must explicitly run installation of the updates.
Create the Update tasks for the managed applications to provide timely updates to the applications, software modules and Kaspersky databases, including anti-virus databases. To ensure timely updates, we recommend that you select the When new updates are downloaded to the repository option when configuring the task schedule.
By default, updates for Kaspersky Endpoint Security for Windows and Kaspersky Endpoint Security for Linux are installed only after you change the update status to Approved. You can change the update settings in the Update task.
If an update requires reviewing and accepting the terms of the End User License Agreement, then you first need to accept the terms. After that the update can be propagated to the managed devices.
Upon completion of the scenario, Kaspersky Security Center is configured to update Kaspersky databases and installed Kaspersky applications after the updates are downloaded to the repository of the Administration Server or to the repositories of distribution points. You can then proceed to monitoring the network status.