Protected Process Light ("PPL") technology ensures that the operating system only loads trusted services and processes. To start a service as a protected service, the Early Launch Antimalware driver must be installed on the device.
An Early Launch Antimalware ("ELAM") driver provides protection for devices in your network when they start and when third-party drivers are initialized.
An ELAM driver is automatically installed during Kaspersky Industrial CyberSecurity for Nodes installation and is used for registering the Kaspersky Security service as a protected process when the operating system starts. When the Kaspersky Security Service (KAVFS) is started as a system protected process, other non-protected processes on the system are not able to inject threads, write into the virtual memory of the protected process, or stop the service.
When a process starts as a protected process, it cannot be managed by a user regardless of the assigned user permissions. The Kaspersky Security service can be registered as a protected process using the ELAM driver on Microsoft Windows Server 2016 RS3 build 16299 and later operating systems. If you install Kaspersky Industrial CyberSecurity for Nodes on a protected device running an operating system that supports PPL, permission management will not be available for the Kaspersky Security Service (KAVFS).
To install Kaspersky Industrial CyberSecurity for Nodes as a protected process, run:
msiexec /i kics_x64.msi NOPPL=0 EULA=1 PRIVACYPOLICY=1 /qn
Where the NOPPL option indicates registering the Kaspersky Security service as a protected process. Possible option values:
0: Kaspersky Security service is registered in the operating system as a protected process.1: Kaspersky Security service is not registered in the operating system as a protected process.