Network Agent policy settings
To configure the Network Agent policy:
- In the main menu, go to Assets (Devices) → Policies & profiles.
- Click the name of the Network Agent policy.
The properties window of the Network Agent policy opens.
Note that the set of available settings differs for devices running Windows, macOS, and Linux.
General tab
On this tab you can modify the policy status and specify the inheritance of policy settings:
- In the Policy status block, you can select one of the policy modes:
- Active
- Inactive
If this option is selected, the policy becomes inactive, but it is still stored in the Policies folder. If required, the policy can be activated.
- In the Settings inheritance settings group, you can configure the policy inheritance:
- Inherit settings from parent policy
If this option is enabled, the policy setting values are inherited from the upper-level group policy and, therefore, are locked.
By default, this option is enabled.
- Force inheritance of settings in child policies
If this option is enabled, after policy changes are applied, the following actions will be performed:
- The values of the policy settings will be propagated to the policies of administration subgroups, that is, to the child policies.
- In the Settings inheritance block of the General section in the properties window of each child policy, the Inherit settings from parent policy option will be automatically enabled.
If this option is enabled, the child policies settings are locked.
By default, this option is disabled.
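The two inheritance options above interact: a child that inherits takes its parent's values and loses the ability to edit them, and a parent that forces inheritance switches that flag on in its children. The following is an added example that models those rules over a small group tree; it is not code from Kaspersky Security Center, and the Policy class, its field names and the sample groups are assumptions made for illustration.

```python
"""Resolve effective Network Agent policy settings down a group tree.

Added example, not code from Kaspersky Security Center: the Policy class,
its field names and the sample group tree below are assumptions made for
illustration. Only the inheritance rules stated in the General tab are modelled.
"""
from __future__ import annotations

from dataclasses import dataclass, field


@dataclass
class Policy:
    name: str
    settings: dict[str, object]
    inherit_from_parent: bool = True    # "Inherit settings from parent policy" (default: enabled)
    force_inheritance: bool = False     # "Force inheritance of settings in child policies" (default: disabled)
    children: list[Policy] = field(default_factory=list)


def resolve(policy: Policy,
            parent_effective: dict[str, tuple[object, bool]] | None = None,
            parent_forces: bool = False) -> dict[str, dict[str, tuple[object, bool]]]:
    """Return {policy name: {setting: (effective value, locked)}} for the whole subtree.

    - A policy that inherits takes every value from its parent's effective
      settings, and those values are locked in the child.
    - A parent with "Force inheritance" switches "Inherit settings from parent
      policy" on in each direct child, so the child is locked even if an
      administrator had cleared the flag. (Assumption: the child's own force
      flag is left as it was, so propagation stops there unless the child
      also forces.)
    """
    if parent_forces:
        policy.inherit_from_parent = True
    if parent_effective is not None and policy.inherit_from_parent:
        effective = {k: (v, True) for k, (v, _) in parent_effective.items()}
    else:
        effective = {k: (v, False) for k, v in policy.settings.items()}
    result = {policy.name: effective}
    for child in policy.children:
        result.update(resolve(child, effective, policy.force_inheritance))
    return result


def build_sample_tree() -> Policy:
    # Constructed sample: a top-level group, a subgroup whose administrator
    # switched inheritance off to harden the agent, and a sub-subgroup.
    laptops = Policy("Laptops", settings={})  # inherits everything (default)
    workstations = Policy("Workstations",
                          settings={"protect_agent": True, "use_udp_port": True, "udp_port": 15000},
                          inherit_from_parent=False,
                          children=[laptops])
    return Policy("Managed devices",
                  settings={"protect_agent": False, "use_udp_port": True, "udp_port": 15000},
                  children=[workstations])


def demo() -> dict[str, dict[str, dict[str, tuple[object, bool]]]]:
    """Resolve the tree before and after the top-level policy forces inheritance."""
    root = build_sample_tree()
    before = resolve(root)
    root.force_inheritance = True
    after = resolve(root)
    return {"before": before, "after": after}


if __name__ == "__main__":
    for phase, tree in demo().items():
        print(phase)
        for name, effective in tree.items():
            print(f"  {name}: {effective}")
```

Running it shows the practical consequence: before the top-level policy forces inheritance, the Workstations administrator's hardening (protect_agent set to True) stands and is passed, locked, to Laptops; after forcing, both subgroups silently revert to the top-level value and can no longer be edited locally. Check child policies for such local overrides before enabling the force option.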
Event configuration tab
This tab allows you to configure event logging and event notification. Events are distributed according to importance level in the following sections on the Event configuration tab:
- Functional failure
- Warning
- Info
In each section, the event type list shows the types of events and the default event storage term on the Administration Server (in days). Clicking the Properties button lets you specify the settings of event logging and notifications about events selected in the list. By default, common notification settings specified for the entire Administration Server are used for all event types. However, you can change specific settings for required event types.
Application settings tab
Settings
In the Settings section, you can configure the Network Agent policy:
- Distribute files through distribution points only
If this option is enabled, client devices receive updates through distribution points only, not directly from update servers.
If this option is disabled, client devices can receive updates from various sources: directly from update servers and from a local or network folder.
By default, this option is disabled.
- Maximum size of event queue, in MB
- Application is allowed to retrieve policy's extended data on device
Network Agent installed on a managed device transfers information about the applied security application policy to the security application (for example, Kaspersky Endpoint Security for Windows). You can view the transferred information in the security application interface.
Network Agent transfers the following information:
- Protect Network Agent service against unauthorized removal or termination, and prevent changes to the settings
When this option is enabled, after Network Agent is installed on a managed device, the component cannot be removed or reconfigured without required privileges. The Network Agent service cannot be stopped. This option has no effect on domain controllers.
Enable this option to protect Network Agent on workstations operated with local administrator rights.
By default, this option is disabled.
- Use uninstallation password
If this option is enabled, by clicking the Modify button you can specify the password for the klmover utility and Network Agent remote uninstallation.
Note that the klmover utility is used only for moving managed devices under management of a virtual Administration Server.
By default, this option is disabled.
Repositories
In the Repositories section, you can select the types of objects whose details will be sent from Network Agent to Administration Server. If modification of some settings in this section is prohibited by the Network Agent policy, you cannot modify these settings:
- Details of installed applications
- Include information about patches
Information about patches of applications installed on client devices is sent to the Administration Server. Enabling this option may increase the load on the Administration Server and DBMS, and increase the size of the database.
By default, this option is enabled. It is available only for Windows.
- Details of Windows Update updates
If this option is enabled, information about Microsoft Windows Update updates that must be installed on client devices is sent to the Administration Server.
Sometimes, even if the option is disabled, updates are displayed in the device properties in the Available updates section. This might happen if, for example, the devices of the organization had vulnerabilities that could be fixed by these updates.
By default, this option is enabled. It is available only for Windows.
- Details of software vulnerabilities and corresponding updates
If this option is enabled, information about vulnerabilities in third-party software (including Microsoft software), detected on managed devices, and about software updates to fix third-party vulnerabilities (not including Microsoft software) is sent to the Administration Server.
Selecting this option (Details of software vulnerabilities and corresponding updates) increases the network load, Administration Server disk load, and Network Agent resource consumption.
By default, this option is enabled. It is available only for Windows.
To manage software updates of Microsoft software, use the Details of Windows Update updates option.
- Hardware registry details
Software updates and vulnerabilities
In the Software updates and vulnerabilities section, you can configure the search for Windows updates and enable scanning of executable files for vulnerabilities. The settings in this section are available only on devices running Windows:
- In the Windows Update search mode settings group, you can select the update search mode:
- Active
If this option is selected, Administration Server with support from Network Agent initiates a request from Windows Update Agent on the client device to the update source: Windows Update Servers or WSUS. Next, Network Agent passes information received from Windows Update Agent to Administration Server.
The option takes effect only if Connect to the update server to update data option of the Find vulnerabilities and required updates task is selected.
By default, this option is selected.
- Passive
If you select this option, Network Agent periodically passes to Administration Server information about updates retrieved at the last synchronization of Windows Update Agent with the update source. If Windows Update Agent has not synchronized with an update source, the update information on Administration Server becomes out of date.
Select this option if you want to get updates from the memory cache of the update source.
- Disabled
If this option is selected, Administration Server does not request any information about updates.
Select this option if, for example, you want to test the updates on your local device first.
- Scan executable files for vulnerabilities when running them
If this option is enabled, executable files are scanned for vulnerabilities when they are run.
By default, this option is disabled.
Restart management
In the Restart management section, you can specify the action to be performed if the operating system of a managed device has to be restarted for correct use, installation, or uninstallation of an application. The settings in the Restart management section are available only on devices running Windows:
- Do not restart the operating system
Client devices are not restarted automatically after the operation. To complete the operation, you must restart the device (for example, manually or through a device management task). Information about the required restart is saved in the task results and in the device status. This option is suitable for tasks on servers and other devices where continuous operation is critical.
- Restart the operating system automatically if necessary
Client devices are always restarted automatically if a restart is required for completion of the operation. This option is useful for tasks on devices that provide for regular pauses in their operation (shutdown or restart).
- Prompt user for action
The restart reminder is displayed on the screen of the client device, prompting the user to restart it manually. Some advanced settings can be defined for this option: text of the message for the user, the message display frequency, and the time interval after which a restart will be forced (without the user's confirmation). This option is most suitable for workstations where users must be able to select the most convenient time for a restart.
By default, this option is selected.
- Repeat the prompt every (min)
If this option is enabled, the application prompts the user to restart the operating system with the specified frequency.
By default, this option is enabled. The default interval is 5 minutes. Available values are between 1 and 1440 minutes.
If this option is disabled, the prompt is displayed only once.
- Force restart after (min)
After prompting the user, the application forces restart of the operating system upon expiration of the specified time interval.
By default, this option is enabled. The default delay is 30 minutes. Available values are between 1 and 1440 minutes.
- Force closure of applications in blocked sessions
Running applications may prevent a restart of the client device. For example, if a document is being edited in a word processing application and is not saved, the application does not allow the device to restart.
If this option is enabled, such applications on a locked device are forced to close before the device restart. As a result, users may lose their unsaved changes.
If this option is disabled, a locked device is not restarted. The task status on this device states that a device restart is required. Users have to manually close all applications running on locked devices and restart these devices.
By default, this option is disabled.
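The restart options combine into a small timeline: reminders at a fixed interval, a forced restart when the delay expires, and a special case for locked sessions with running applications. The following is an added example that simulates that timeline for the settings described above; it is not code from Kaspersky Security Center, and the class and function names, the minute-based timeline and the sample scenarios are assumptions made for illustration.

```python
"""Simulate the Restart management settings against a pending restart.

Added example, not code from Kaspersky Security Center. The class and
function names, the minute-based timeline and the sample scenarios are
assumptions made to illustrate the behaviour described above; they are not
the product's implementation.
"""
from __future__ import annotations

from dataclasses import dataclass
from enum import Enum


class RestartMode(Enum):
    DO_NOT_RESTART = "Do not restart the operating system"
    AUTOMATIC = "Restart the operating system automatically if necessary"
    PROMPT_USER = "Prompt user for action"          # default


@dataclass
class RestartSettings:
    mode: RestartMode = RestartMode.PROMPT_USER
    repeat_prompt_every: int | None = 5    # minutes; None = "Repeat the prompt" disabled (shown once)
    force_restart_after: int | None = 30   # minutes; None = "Force restart after" disabled
    force_close_apps_in_locked_sessions: bool = False

    def __post_init__(self) -> None:
        for value in (self.repeat_prompt_every, self.force_restart_after):
            if value is not None and not 1 <= value <= 1440:
                raise ValueError("intervals must be between 1 and 1440 minutes")


def plan_restart(settings: RestartSettings, restart_required: bool,
                 locked_with_open_apps: bool = False,
                 user_accepts_at: int | None = None,
                 horizon: int = 1440) -> tuple[list[tuple[int, str]], str]:
    """Return (timeline, final status).

    timeline: (minute, action) pairs, minute 0 being the end of the task.
    status:   'restarted' | 'restart required' | 'no restart needed'
    """
    if not restart_required:
        return [], "no restart needed"
    if settings.mode is RestartMode.DO_NOT_RESTART:
        # Only recorded in the task results and the device status.
        return [], "restart required"

    def unattended_restart(minute: int) -> tuple[list[tuple[int, str]], str]:
        # Assumption: "Force closure of applications in blocked sessions" governs
        # every restart the user did not confirm (automatic and forced-after-timeout).
        if locked_with_open_apps and not settings.force_close_apps_in_locked_sessions:
            return [(minute, "not restarted: locked session with running applications")], "restart required"
        events: list[tuple[int, str]] = []
        if locked_with_open_apps:
            events.append((minute, "force-close applications (unsaved changes lost)"))
        events.append((minute, "restart"))
        return events, "restarted"

    if settings.mode is RestartMode.AUTOMATIC:
        return unattended_restart(0)

    # PROMPT_USER: remind until the user confirms, the force delay expires, or the horizon ends.
    deadline = settings.force_restart_after
    stop = min(t for t in (deadline, user_accepts_at, horizon) if t is not None)
    prompts = [0]
    if settings.repeat_prompt_every is not None:
        t = settings.repeat_prompt_every
        while t < stop:
            prompts.append(t)
            t += settings.repeat_prompt_every
    timeline = [(t, "prompt user to restart") for t in prompts]

    if (user_accepts_at is not None and user_accepts_at <= horizon
            and (deadline is None or user_accepts_at < deadline)):
        timeline.append((user_accepts_at, "restart (confirmed by user)"))
        return timeline, "restarted"
    if deadline is None:
        return timeline, "restart required"   # reminders only; nobody confirmed within the horizon
    forced, status = unattended_restart(deadline)
    return timeline + forced, status


if __name__ == "__main__":
    for label, kwargs in [("defaults", {}), ("locked session", {"locked_with_open_apps": True}),
                          ("user confirms at 12 min", {"user_accepts_at": 12})]:
        print(label, plan_restart(RestartSettings(), True, **kwargs))
```

With the defaults, a workstation sees reminders at 0, 5, 10, 15, 20 and 25 minutes and is forced to restart at minute 30; the same device with a locked session and open applications is left running and reported as requiring a restart unless the force-closure option is on, which is the trade-off between finishing a patch rollout and losing a user's unsaved work.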
Windows Desktop Sharing
In the Windows Desktop Sharing section, you can enable and configure the audit of the administrator's actions performed on a remote device when desktop access is shared. The settings in the Windows Desktop Sharing section are available only on devices running Windows:
- Enable audit
If this option is enabled, audit of the administrator's actions is enabled on the remote device. Records of the administrator's actions on the remote device are logged:
- In the event log on the remote device
- In a file with the syslog extension located in the Network Agent installation folder on the remote device
- In the event database of Kaspersky Security Center Cloud Console
Audit of the administrator's actions is available when the following conditions are met:
- The Vulnerability and patch management license is in use
- The administrator has the right to start shared access to the desktop of the remote device
If this option is disabled, the audit of the administrator's actions is disabled on the remote device.
By default, this option is disabled.
- Masks of files to monitor when read
The list contains file masks. When audit is enabled, the application monitors the administrator reading files that match the masks and saves information about the files read. The list is available if the Enable audit check box is selected. You can edit file masks and add new ones to the list. Specify each new file mask in the list on a new line.
By default, the following file masks are specified: *.txt, *.rtf, *.doc, *.xls, *.docx, *.xlsx, *.odt, *.pdf.
- Masks of files to monitor when modified
The list contains masks of files on the remote device. When audit is enabled, the application monitors changes made by the administrator in files that match masks, and saves information about those modifications. The list is available if the Enable audit check box is selected. You can edit file masks and add new ones to the list. Each new file mask should be specified in the list on a new line.
By default, the following file masks are specified: *.txt, *.rtf, *.doc, *.xls, *.docx, *.xlsx, *.odt, *.pdf.
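The default masks cover office documents only, so an administrator who reads a downloaded executable or edits a system file during a shared session leaves no audit record unless the lists are extended. The following is an added example that applies mask lists of this form to a constructed set of file events; it is not code from Kaspersky Security Center, and the function names, the (action, path) event format, the sample events and the assumption that masks are matched against the file name only are made for illustration.

```python
"""Apply Windows Desktop Sharing audit masks to file events seen during a session.

Added example, not code from Kaspersky Security Center: the function names,
the (action, path) event format and the sample events are constructed for
illustration. The default mask lists are the ones quoted above.
"""
from __future__ import annotations

import fnmatch
import ntpath

# Defaults quoted above: one mask per line, as entered in the policy.
DEFAULT_READ_MASKS = "*.txt\n*.rtf\n*.doc\n*.xls\n*.docx\n*.xlsx\n*.odt\n*.pdf"
DEFAULT_MODIFY_MASKS = DEFAULT_READ_MASKS


def parse_masks(text: str) -> list[str]:
    """One mask per line; blank lines and surrounding whitespace are ignored.
    Masks are lower-cased because Windows file names are case-insensitive."""
    return [line.strip().lower() for line in text.splitlines() if line.strip()]


def matches(path: str, masks: list[str]) -> bool:
    """Assumption: masks are matched against the file name, not the full path.
    Note that *.doc does not match .docx files, which is why both are listed."""
    name = ntpath.basename(path).lower()
    return any(fnmatch.fnmatchcase(name, mask) for mask in masks)


def audit(events, read_masks: list[str], modify_masks: list[str],
          audit_enabled: bool = True) -> list[tuple[str, str]]:
    """Return the (action, path) pairs that would be written to the audit log.

    events: iterable of (action, path) with action 'read' or 'modify'.
    With "Enable audit" cleared nothing is recorded at all.
    """
    if not audit_enabled:
        return []
    records = []
    for action, path in events:
        masks = read_masks if action == "read" else modify_masks
        if matches(path, masks):
            records.append((action, path))
    return records


# Constructed sample of what an administrator did during a shared session.
SAMPLE_EVENTS = [
    ("read", r"C:\Users\alice\Documents\salaries.xlsx"),
    ("read", r"C:\Users\alice\Downloads\tool.exe"),
    ("modify", r"C:\Windows\System32\drivers\etc\hosts"),
    ("modify", r"C:\Users\alice\Desktop\notes.TXT"),
]


def demo() -> dict[str, list[tuple[str, str]]]:
    default = audit(SAMPLE_EVENTS, parse_masks(DEFAULT_READ_MASKS), parse_masks(DEFAULT_MODIFY_MASKS))
    # Extend the lists so that executables read and system files edited are
    # logged too; with the defaults the hosts change and the tool download are not.
    extended = audit(SAMPLE_EVENTS,
                     parse_masks(DEFAULT_READ_MASKS + "\n*.exe"),
                     parse_masks(DEFAULT_MODIFY_MASKS + "\nhosts\n*.ini"))
    disabled = audit(SAMPLE_EVENTS, [], [], audit_enabled=False)
    return {"default": default, "extended": extended, "disabled": disabled}


if __name__ == "__main__":
    for name, records in demo().items():
        print(name, records)
```

With the defaults only the spreadsheet read and the notes.TXT edit are recorded (matching is case-insensitive); after adding *.exe to the read masks and hosts and *.ini to the modify masks, all four events are logged.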
Manage patches and updates
In the Manage patches and updates section, you can configure download and distribution of updates, as well as installation of patches, on managed devices: enable or disable the Automatically install applicable updates and patches for components that have the Undefined status option.
Connectivity
The Connectivity section includes three subsections:
- Network
- Connection profiles
- Connection schedule
In the Network subsection, you can configure the connection to Administration Server, enable the use of a UDP port, and specify the UDP port number.
- In the Connection to Administration Server settings group, you can specify the following settings:
- Use UDP port
If you need Network Agent to connect to Administration Server through a UDP port, enable the Use UDP port option and specify a UDP port number. By default, this option is enabled. The default UDP port to connect to Administration Server is 15000.
- UDP port number
In this field you can enter the UDP port number. The default port number is 15000.
Enter the port number as a decimal value.
If the client device runs Windows XP Service Pack 2, the integrated firewall blocks UDP port 15000. This port should be opened manually.
- Use the distribution point to force a connection to Administration Server
Select this option if you selected the Run push server option in the distribution point settings window. Otherwise, the distribution point will not act as a push server.
In the Connection profiles subsection, no new items can be added to the Administration Server connection profiles list so the Add button is inactive. The preset connection profiles cannot be modified, either.
In the Connection schedule subsection, you can specify the time intervals during which Network Agent sends data to the Administration Server:
- Connect when necessary
If this option is selected, the connection is established when Network Agent has to send data to the Administration Server.
By default, this option is selected.
- Connect at specified time intervals
If this option is selected, Network Agent connects to the Administration Server at a specified time. You can add several connection time periods.
Network polling by distribution points
In the Network polling by distribution points section, you can configure automatic polling of the network. The polling settings are available only on devices running Windows. You can use the following options to enable the polling and set its frequency:
- Windows network
If this option is enabled, the distribution point automatically polls the network according to the schedule configured by clicking the Set quick polling schedule and Set full polling schedule links.
If this option is disabled, the distribution point does not poll the Windows network.
By default, this option is enabled.
- IP ranges
If this option is enabled, the distribution point automatically polls IP ranges according to the schedule configured by clicking the Set polling schedule link.
If this option is disabled, the distribution point does not poll IP ranges.
By default, this option is disabled.
- Domain controllers
If the option is enabled, the distribution point automatically polls domain controllers according to the schedule that you configured by clicking the Set polling schedule button.
If this option is disabled, the distribution point does not poll domain controllers.
The frequency of domain controller polling for Network Agent versions prior to 10.2 can be configured in the Poll interval (min) field. The field is available if this option is enabled.
By default, this option is disabled.
Network settings for distribution points
In the Network settings for distribution points section, you can specify the proxy server settings that distribution points use for internet access:
- Use proxy server
- Address
- Port number
- Bypass proxy server for local addresses
If this option is enabled, no proxy server is used to connect to devices on the local network.
By default, this option is disabled.
- Proxy server authentication
If this check box is selected, in the entry fields you can specify the credentials for proxy server authentication.
By default, this check box is cleared.
- User name
- Password
KSN Proxy (distribution points)
In the KSN Proxy (distribution points) section, you can configure the application to use the distribution point to forward KSN requests from the managed devices:
- Enable KSN Proxy on the distribution point side
The KSN proxy service is run on the device that is used as a distribution point. Use this feature to redistribute and optimize traffic on the network.
This feature is not supported by distribution point devices running Linux or macOS.
The distribution point sends the KSN statistics, which are listed in the Kaspersky Security Network statement, to Kaspersky. By default, the KSN statement is located in %ProgramFiles%\Kaspersky Lab\Kaspersky Security Center\ksneula.
By default, this option is disabled. Enabling this option takes effect only if the I agree to use Kaspersky Security Network option is enabled in the Administration Server properties window.
You can assign a node of an active-passive cluster as a distribution point and enable KSN proxy server on this node.
- Port
The number of the TCP port that the managed devices will use to connect to KSN proxy server. The default port number is 13111.
- UDP port
The number of the UDP port that the managed devices use to connect to the KSN proxy server when a UDP port is used. This is separate from the UDP port that Network Agent uses to connect to Administration Server, which is configured in the Connectivity section.