Registering the Kaspersky Security Service as a protected service
October 25, 2023
Protected Process Light ("PPL") technology ensures that the operating system only loads trusted services and processes. To start a service as a protected service, the Early Launch Antimalware driver must be installed on the protected device.
An Early Launch Antimalware (also referred to as "ELAM") driver provides protection for the devices in your network when they start and before third-party drivers are initialized.
An ELAM driver is automatically installed during Kaspersky Embedded Systems Security for Windows installation and is used for registering the Kaspersky Security Service as a PPL when the operating system starts. When the Kaspersky Security Service (KAVFS) is started as a system protected process, other non-protected processes on the system are not able to inject threads, write into the virtual memory of the protected process, or stop the service.
When a process is started as a PPL, it cannot be managed by a user regardless of the assigned user permissions. The Kaspersky Security Service registration as PPL using the ELAM driver is supported on the Microsoft Windows 10 and higher operating systems. If you install Kaspersky Embedded Systems Security for Windows on a server running an operating system that supports PPL, permission management will not be available for the Kaspersky Security Service (KAVFS).
To install Kaspersky Embedded Systems Security for Windows as a PPL, run the following command:
msiexec /i ess
_x64.msi NOPPL=0 EULA=1 PRIVACYPOLICY=1 /qn