Network Agent policy settings

Expand all | Collapse all

To configure the Network Agent policy:

1. In the console tree, select the Policies folder.
2. In the workspace of the folder, select the Network Agent policy.
3. In the context menu of the policy, select Properties.

The properties window of the Network Agent policy opens.

General

In the General section, you can modify the policy status and specify the inheritance of policy settings:

• In the Policy status block, you can select one of the policy modes:
  • Active policy

    If this option is selected, the policy becomes active.

    By default, this option is selected.

  • Out-of-office policy

    If this option is selected, the policy becomes active when the device leaves the corporate network.

  • Inactive policy

    If this option is selected, the policy becomes inactive, but it is still stored in the Policies folder. If required, the policy can be activated.

• In the Settings inheritance settings group, you can configure the policy inheritance:
  • Inherit settings from parent policy

    If this option is enabled, the policy setting values are inherited from the upper-level group policy and, therefore, are locked.

    By default, this option is enabled.

  • Force inheritance of settings in child policies

    If this option is enabled, after policy changes are applied, the following actions will be performed:

    • The values of the policy settings will be propagated to the policies of administration subgroups, that is, to the child policies.
    • In the Settings inheritance block of the General section in the properties window of each child policy, the Inherit settings from parent policy option will be automatically enabled.

    If this option is enabled, the child policies settings are locked.

    By default, this option is disabled.

Event configuration

The Event configuration section allows you to configure event logging and event notification. Events are distributed by importance level on the following tabs:

• Critical

  The Critical tab is not displayed in the Network Agent policy properties.

• Functional failure
• Warning
• Info

On each tab, the list shows the types of events and the default event storage term on the Administration Server (in days). Clicking the Properties button lets you specify the settings of event logging and notifications about events selected in the list. By default, common notification settings specified for the entire Administration Server are used for all event types. However, you can change specific settings for the required event types.

For example, on the Warning tab, you can configure the Security issue has occurred event type. Such events may happen, for instance, when the free disk space of a distribution point is less than 2 GB (at least 4 GB are required to install applications and download updates remotely). To configure the Security issue has occurred event, select it and click the Properties button. After that, you can specify where to store the occurred events and how to notify about them.

If Network Agent detected a security issue, you can manage this issue by using the settings of a managed device.

To select multiple event types, use the Shift or Ctrl key; to select all types, use the Select all button.

Settings

In the Settings section, you can configure the Network Agent policy:

• Distribute files through distribution points only

  If this option is enabled, Network Agents on managed devices retrieve updates from distribution points only.

  If this option is disabled, Network Agents on managed devices retrieve updates from distribution points or from Administration Server.

  Note that the security applications on managed devices retrieve updates from the source set in the update task for each security application. If you enable the Distribute files through distribution points only option, make sure that Kaspersky Security Center is set as an update source in the update tasks.

  By default, this option is disabled.

• Maximum size of event queue, in MB

  In this field you can specify the maximum space on the drive that an event queue can occupy.

  The default value is 2 megabytes (MB).

• Application is allowed to retrieve policy's extended data on device

  Network Agent installed on a managed device transfers information about the applied security application policy to the security application (for example, Kaspersky Endpoint Security for Windows). You can view the transferred information in the security application interface.

  Network Agent transfers the following information:

  • Time of the policy delivery to the managed device
  • Name of the active or out-of-office policy at the moment of the policy delivery to the managed device
  • Name and full path to the administration group that contained the managed device at the moment of the policy delivery to the managed device
  • List of active policy profiles

    You can use the information to ensure the correct policy is applied to the device and for troubleshooting purposes. By default, this option is disabled.

• Protect Network Agent service against unauthorized removal or termination, and prevent changes to the settings

  When this option is enabled, after Network Agent is installed on a managed device, the component cannot be removed or reconfigured without required privileges. The Network Agent service cannot be stopped. This option has no effect on domain controllers.

  Enable this option to protect Network Agent on workstations operated with local administrator rights.

  By default, this option is disabled.

• Use uninstallation password

  If this option is enabled, by clicking the Modify button you can specify the password for the klmover utility and Network Agent remote uninstallation.

  By default, this option is disabled.

Repositories

In the Repositories section, you can select the types of objects whose details will be sent from Network Agent to Administration Server. If modification of some settings in this section is prohibited by the Network Agent policy, you cannot modify these settings. The settings in the Repositories section are available only on devices running Windows:

• Details of Windows Update updates

  If this option is enabled, information about Microsoft Windows Update updates that must be installed on client devices is sent to the Administration Server.

  Sometimes, even if the option is disabled, updates are displayed in the device properties in the Available updates section. This might happen if, for example, the devices of the organization had vulnerabilities that could be fixed by these updates.

  By default, this option is enabled. It is available only for Windows.

• Details of software vulnerabilities and corresponding updates

  If this option is enabled, information about vulnerabilities in third-party software (including Microsoft software), detected on managed devices, and about software updates to fix third-party vulnerabilities (not including Microsoft software) is sent to the Administration Server.

  Selecting this option (Details of software vulnerabilities and corresponding updates) increases the network load, Administration Server disk load, and Network Agent resource consumption.

  By default, this option is enabled. It is available only for Windows.

  To manage software updates of Microsoft software, use the Details of Windows Update updates option.

• Hardware registry details

  Network Agent installed on a device sends information about the device hardware to the Administration Server. You can view the hardware details in the device properties.

  Ensure that the lshw utility is installed on Linux devices from which you want to fetch hardware details. Hardware details fetched from virtual machines may be incomplete depending on the hypervisor used.

• Details of installed applications

  If this option is enabled, information about applications installed on client devices is sent to the Administration Server.

  By default, this option is enabled.

• Include information about patches

  Information about patches of applications installed on client devices is sent to the Administration Server. Enabling this option may increase the load on the Administration Server and DBMS, as well as cause increased volume of the database.

  By default, this option is enabled. It is available only for Windows.

Software updates and vulnerabilities

In the Software updates and vulnerabilities section, you can configure search and distribution of Windows updates, as well as enable scanning of executable files for vulnerabilities. The settings in the Software updates and vulnerabilities section are available only on devices running Windows:

• Use Administration Server as a WSUS server

  If this option is enabled, Windows updates are downloaded to the Administration Server. The Administration Server provides downloaded updates to Windows Update on client devices in centralized mode through Network Agents.

  If this option is disabled, the Administration Server is not used for downloading Windows updates. In this case, client devices receive Windows updates on their own.

  By default, this option is disabled.

• Under Allow users to manage installation of Windows Update updates, you can limit Windows updates that users can install on their devices manually by using Windows Update.

  On devices running Windows 10, if Windows Update has already found updates for the device, the new option that you select under Allow users to manage installation of Windows Update updates will be applied only after the updates found are installed.

  Select an item in the drop-down list:

  • Allow users to install all applicable Windows Update updates

    Users can install all of the Microsoft Windows Update updates that are applicable to their devices.

    Select this option if you do not want to interfere in the installation of updates.

    When the user installs Microsoft Windows Update updates manually, the updates may be downloaded from Microsoft servers rather than from Administration Server. This is possible if Administration Server has not yet downloaded these updates. Downloading updates from Microsoft servers results in extra traffic.

  • Allow users to install only approved Windows Update updates

    Users can install all of the Microsoft Windows Update updates that are applicable to their devices and that are approved by you.

    For example, you may want to first check the installation of updates in a test environment and make sure that they do not interfere with the operation of devices, and only then allow the installation of these approved updates on client devices.

    When the user installs Microsoft Windows Update updates manually, the updates may be downloaded from Microsoft servers rather than from Administration Server. This is possible if Administration Server has not yet downloaded these updates. Downloading updates from Microsoft servers results in extra traffic.

  • Do not allow users to install Windows Update updates

    Users cannot install Microsoft Windows Update updates on their devices manually. All of the applicable updates are installed as configured by you.

    Select this option if you want to manage the installation of updates centrally.

    For example, you may want to optimize the update schedule so that the network does not become overloaded. You can schedule after-hours updates, so that they do not interfere with user productivity.

• In the Windows Update search mode settings group, you can select the update search mode:
  • Active

    If this option is selected, Administration Server with support from Network Agent initiates a request from Windows Update Agent on the client device to the update source: Windows Update Servers or WSUS. Next, Network Agent passes information received from Windows Update Agent to Administration Server.

    The option takes effect only if Connect to the update server to update data option of the Find vulnerabilities and required updates task is selected.

    By default, this option is selected.

  • Passive

    If you select this option, Network Agent periodically passes Administration Server information about updates retrieved at the last synchronization of Windows Update Agent with the update source. If no synchronization of Windows Update Agent with an update source is performed, information about updates on Administration Server becomes out-of-date.

    Select this option if you want to get updates from the memory cache of the update source.

  • Disabled

    If this option is selected, Administration Server does not request any information about updates.

    Select this option if, for example, you want to test the updates on your local device first.

• Scan executable files for vulnerabilities when running them

  If this option is enabled, executable files are scanned for vulnerabilities when they are run.

  By default, this option is enabled.

Restart management

In the Restart management section, you can specify the action to be performed if the operating system of a managed device has to be restarted for correct use, installation, or uninstallation of an application. The settings in the Restart management section are available only on devices running Windows:

• Do not restart the operating system

  The operating system will not be restarted.

• Restart the operating system automatically if necessary

  If necessary, the operating system is restarted automatically.

• Prompt user for action

  The application prompts the user to allow restarting the operating system.

  By default, this option is selected.

  • Repeat the prompt every (min)

    If this option is enabled, the application prompts the user to allow restarting the operating system with the frequency specified in the field next to the check box. By default, the prompting frequency is 5 minutes.

    If this option is disabled, the application does not prompt the user to allow restarting repeatedly.

    By default, this option is enabled.

  • Force restart after (min)

    If this option is enabled, after prompting the user, the application forces restart of the operating system upon expiration of the time interval specified in the field next to the check box.

    If this option is disabled, the application does not force restart.

    By default, this option is enabled.

  • Wait time before forced closure of applications in blocked sessions (min)

    Applications are forced to close when the user's device goes locked (automatically after a specified interval of inactivity, or manually).

    If this option is enabled, applications are forced to close on the locked device upon expiration of the time interval specified in the entry field.

    If this option is disabled, applications do not close on the locked device.

    By default, this option is disabled.

Windows Desktop sharing

In the Windows Desktop Sharing section, you can enable and configure the audit of the administrator's actions performed on a remote device when desktop access is shared. The settings in the Windows Desktop Sharing section are available only on devices running Windows:

• Enable audit

  If this option is enabled, audit of the administrator's actions is enabled on the remote device. Records of the administrator's actions on the remote device are logged:

  • In the event log on the remote device
  • In a file with the syslog extension located in the Network Agent installation folder on the remote device
  • In the event database of Kaspersky Security Center

  Audit of the administrator's actions is available when the following conditions are met:

  • The Vulnerability and patch management license is in use
  • The administrator has the right to start shared access to the desktop of the remote device

  If this option is disabled, the audit of the administrator's actions is disabled on the remote device.

  By default, this option is disabled.

• Masks of files to monitor when read

  The list contains file masks. When the audit is enabled, the application monitors the administrator's reading files that match the masks and saves information about files read. The list is available if the Enable audit check box is selected. You can edit file masks and add new ones to the list. Each new file mask should be specified in the list on a new line.

  By default, the following file masks are specified:*.txt, *.rtf, *.doc, *.xls, *.docx, *.xlsx, *.odt, *.pdf.

• Masks of files to monitor when modified

  The list contains masks of files on the remote device. When audit is enabled, the application monitors changes made by the administrator in files that match masks, and saves information about those modifications. The list is available if the Enable audit check box is selected. You can edit file masks and add new ones to the list. Each new file mask should be specified in the list on a new line.

  By default, the following file masks are specified:*.txt, *.rtf, *.doc, *.xls, *.docx, *.xlsx, *.odt, *.pdf.

Manage patches and updates

In the Manage patches and updates section, you can configure download and distribution of updates, as well as installation of patches, on managed devices:

• Automatically install applicable updates and patches for components that have the Undefined status

  If this option is enabled, Kaspersky patches that have the Undefined approval status are automatically installed on managed devices immediately after they are downloaded from update servers.

  If this option is disabled, Kaspersky patches that have been downloaded and tagged with the Undefined status will be installed only after you change their status to Approved.

  By default, this option is enabled.

• Download updates and anti-virus databases from Administration Server in advance (recommended)

  If this option is enabled, the offline model of update download is used. When the Administration Server receives updates, it notifies Network Agent (on devices where it is installed) of the updates that will be required for managed applications. When Network Agent receives information about these updates, it downloads the relevant files from the Administration Server in advance. At the first connection with Network Agent, the Administration Server initiates an update download. After Network Agent downloads all the updates to a client device, the updates become available for applications on that device.

  When a managed application on a client device attempts to access Network Agent for updates, Network Agent checks whether it has all required updates. If the updates are received from the Administration Server not more than 25 hours before they were requested by the managed application, Network Agent does not connect to the Administration Server but supplies the managed application with updates from the local cache instead. Connection with the Administration Server may not be established when Network Agent provides updates to applications on client devices, but connection is not required for updating.

  If this option is disabled, the offline model of update download is not used. Updates are distributed according to the schedule of the update download task.

  By default, this option is enabled.

Connectivity

The Connectivity section includes three nested subsections:

• Network
• Connection profiles (only for Windows and macOS)
• Connection schedule

In the Network subsection, you can configure the connection to Administration Server, enable the use of a UDP port, and specify its number. The following options are available:

• In the Connection to Administration Server settings group, you can configure connection to the Administration Server and specify the time interval for synchronization between client devices and the Administration Server:
  • Compress network traffic

    If this option is enabled, the speed of data transfer by Network Agent is increased by means of a decrease in the amount of information being transferred and a consequent decreased load on the Administration Server.

    The workload on the CPU of the client computer may increase.

    By default, this check box is enabled.

  • Open Network Agent ports in Microsoft Windows Firewall

    If this option is enabled, the ports, necessary for the work of Network Agent, are added to the Microsoft Windows Firewall exclusion list.

    By default, this option is enabled.

  • Use SSL

    If this option is enabled, connection to the Administration Server is established through a secure port via SSL.

    By default, this option is enabled.

  • Use connection gateway on distribution point (if available) under default connection settings

    If this option is enabled, the connection gateway on the distribution point is used under the settings specified in the administration group properties.

    By default, this option is enabled.

• Use UDP port

  If you need Network Agent to connect to Administration Server through a UDP port, enable the Use UDP port option and specify a UDP port number. By default, this option is enabled. The default UDP port to connect to Administration Server is 15000.

• UDP port number

  In this field you can enter the UDP port number. The default port number is 15000.

  The decimal system is used for records.

  If the client device runs Windows XP Service Pack 2, the integrated firewall blocks UDP port 15000. This port should be opened manually.

• Use distribution point to force connection to the Administration Server

  Select this option if you selected the Use this distribution point as a push server option in the distribution point settings window. Otherwise, the distribution point will not act as a push server.

In the Connection profiles subsection, you can specify the network location settings, configure connection profiles for Administration Server, and enable out-of-office mode when Administration Server is not available. The settings in the Connection profiles section are available only on devices running Windows and macOS:

• Network location settings

  Network location settings define the characteristics of the network to which the client device is connected and specify rules for Network Agent switching from one Administration Server connection profile to another when those network characteristics are altered.

• Administration Server connection profiles

  In this section, you can view and add profiles for Network Agent connection to the Administration Server. In this section, you can also create rules for switching Network Agent to different Administration Servers when the following events occur:

  • When the client device connects to a different local network
  • When the device loses connection with the local network of the organization
  • When the connection gateway address is changed or the DNS server address is modified

  Connection profiles are supported only for devices running Windows and macOS.

• Enable out-of-office mode when Administration Server is not available

  If this option is enabled, in case of connection through this profile, applications installed on the client device use policy profiles for devices in out-of-office mode, as well as out-of-office policies. If no out-of-office policy has been defined for the application, the active policy will be used.

  If this option is disabled, applications will use active policies.

  By default, this option is disabled.

In the Connection schedule subsection, you can specify the time intervals during which Network Agent sends data to the Administration Server:

• Connect when necessary

  If this option is selected, the connection is established when Network Agent has to send data to the Administration Server.

  By default, this option is selected.

• Connect at specified time intervals

  If this option is selected, Network Agent connects to the Administration Server at a specified time. You can add several connection time periods.

Distribution points

The Distribution points section includes four nested subsections:

• Network polling
• Internet connection settings
• KSN Proxy
• Updates

In the Network polling subsection, you can configure automatic polling of the network. You can enable three types of polling, that is, network polling, IP range polling, and Active Directory polling:

• Enable network polling

  If the option is enabled, the Administration Server automatically polls the network according to the schedule that you configured by clicking the Set quick polling schedule and Set full polling schedule links.

  If this option is disabled, the Administration Server polls the network with the interval specified in the Frequency of network polls (min) field.

  The device discovery interval for Network Agent versions prior to 10.2 can be configured in the Frequency of polls from Windows domains (min) (for quick Windows network poll) and Frequency of network polls (min) (for full Windows network poll) fields.

  By default, this option is disabled.

• Enable IP range polling

  If the option is enabled, the distribution point automatically polls IP ranges according to the schedule that you configured by clicking the Set polling schedule button.

  If this option is disabled, the distribution point does not poll IP ranges.

  The frequency of IP range polling for Network Agent versions prior to 10.2 can be configured in the Poll interval (min) field. The field is available if the option is enabled.

  By default, this option is disabled.

• Use Zeroconf polling (on Linux platforms only; manually specified IP ranges will be ignored)

  If this option is enabled, the distribution point automatically polls the network with IPv6 devices by using zero-configuration networking (also referred to as Zeroconf). In this case, the enabled IP range polling is ignored, because the distribution point polls the whole network.

  To start to use Zeroconf, the following conditions must be fulfilled:

  • The distribution point must run Linux.
  • You must install the avahi-browse utility on the distribution point.

  If this option is disabled, the distribution point does not poll networks with IPv6 devices.

  By default, this option is disabled.

• Enable Active Directory polling

  If the option is enabled, the distribution point automatically polls Active Directory according to the schedule that you configured by clicking the Set polling schedule link.

  If this option is disabled, the Administration Server does not poll Active Directory.

  The frequency of Active Directory polling for Network Agent versions prior to 10.2 can be configured in the Poll interval (min) field. The field is available if this option is enabled.

  By default, this option is disabled.

In the Internet connection settings subsection, you can specify the internet access settings:

• Use proxy server

  If this check box is selected, in the entry fields you can configure the proxy server connection.

  By default, this check box is cleared.

• Proxy server address

  Address of the proxy server.

• Port number

  Port number that is used for connection.

• Bypass proxy server for local addresses

  If this option is enabled, no proxy server is used to connect to devices on the local network.

  By default, this option is disabled.

• Proxy server authentication

  If this check box is selected, in the entry fields you can specify the credentials for proxy server authentication.

  By default, this check box is cleared.

• User name

  User account under which connection to the proxy server is established.

• Password

  Password of the account under which the task will be run.

In the KSN Proxy subsection, you can configure the application to use the distribution point to forward KSN requests from the managed devices:

• Enable KSN Proxy on the distribution point side

  The KSN proxy service is run on the device that is used as a distribution point. Use this feature to redistribute and optimize traffic on the network.

  The distribution point sends the KSN statistics, which are listed in the Kaspersky Security Network statement, to Kaspersky. By default, the KSN statement is located in %ProgramFiles%\Kaspersky Lab\Kaspersky Security Center\ksneula.

  By default, this option is disabled. Enabling this option takes effect only if the Use Administration Server as a proxy server and I agree to use Kaspersky Security Network options are enabled in the Administration Server properties window.

  You can assign a node of an active-passive cluster to a distribution point and enable KSN proxy server on this node.

• Forward KSN requests to Administration Server

  The distribution point forwards KSN requests from the managed devices to the Administration Server.

  By default, this option is enabled.

• Access KSN Cloud/KPSN directly over the internet

  The distribution point forwards KSN requests from managed devices to the KSN Cloud or KPSN. The KSN requests generated on the distribution point itself are also sent directly to the KSN Cloud or KPSN.

  The distribution points that have Network Agent version 11 (or earlier) installed cannot access KPSN directly. If you want to reconfigure the distribution points to send KSN requests to KPSN, enable the Forward KSN requests to Administration Server option for each distribution point.

  The distribution points that have Network Agent version 12 (or later) installed can access KPSN directly.

• TCP port

  The number of the TCP port that the managed devices will use to connect to KSN proxy server. The default port number is 13111.

• Use UDP port

  If you need Network Agent to connect to Administration Server through a UDP port, enable the Use UDP port option and specify a UDP port number. By default, this option is enabled. The default UDP port to connect to Administration Server is 15000.

In the Updates subsection, you can specify whether Network Agent should download diff files by enabling or disabling the Download diff files option. (By default, this option is enabled.)

Revision history

On the Revision history tab, you can view the history of Network Agent policy revisions. You can compare revisions, view revisions, and perform advanced operations, such as save revisions to a file, roll back to a revision, and add and edit revision descriptions.

Feature comparison by the Network Agent operating systems

The table below shows which Network Agent policy settings you can use to configure Network Agent with a specific operating system.

Network Agent policy settings: comparison by operating systems

Policy section	Windows	Mac	Linux
General
Event configuration
Settings			The following options are available: Distribute files through distribution points only Maximum size of event queue, in MB Application is allowed to retrieve policy's extended data on device
Repositories			The following options are available: Details of installed applications Hardware registry details
Software updates and vulnerabilities
Restart management
Windows Desktop Sharing
Manage patches and updates
Connectivity → Network			Except the Open Network Agent ports in Microsoft Windows Firewall option.
Connectivity → Connection profiles
Connectivity → Connection schedule
Distribution points → Network polling			The following options are available: Zeroconf IP ranges
Distribution points → Internet connection settings
Distribution points → KSN Proxy
Distribution points → Updates
Revision history

See also: Scenario: Regular updating Kaspersky databases and applications Installing third-party software updates

Page top