Kaspersky Security 10.1.1 for Windows Server (version 10.1.1.746)
Kaspersky Security 10.1.1 for Windows Server was released on November 13, 2018. The full version number is 10.1.1.746.
Kaspersky Security 10.1.1 for Windows Server (previously called Kaspersky Anti-Virus for Windows Servers Enterprise Edition) is a solution for protecting corporate servers and data storage systems. The protection scope and set of functional components depend on the type of license purchased.
What’s new
- Support for new versions of Microsoft Windows operating systems.
- Self-defense mechanisms based on ELAM and PPL technologies: now when the application is installed, it automatically registers an ELAM driver that makes it possible to start the Kaspersky Security service (kavfs.exe) with the Protected Process Light attribute. This makes it possible to bolster the application's self-defense and prevent a broad range of attacks. The functionality is available when the application is installed on computers running Microsoft Windows Server 2016 and higher.
- Support for checking and processing cloud files stored in Microsoft OneDrive.
- Improved capabilities of the installation package control subsystem. Now you can indicate which installation files can pass the trusted installation package attribute for the entire chain of files extracted from them. This makes it possible to increase the stability of the software installation processes on a server with enabled Applications Launch Control, but it also increases the scope for a potential attack by increasing the number of authorized application launches. We recommend using the parameter during complex software deployments, including when the server must be restarted during the software distribution process.
- Integration with WMI infrastructure. Now when the application is installed, a Kaspersky Security namespace is automatically created in the WMI root namespace on the local computer. You can use client solutions that support WMI queries to obtain information about the application and its components.
- Support for AMSI interfaces. Use of AMSI technology, which is integrated in Microsoft Windows, has enabled the improvement of the mechanism for intercepting script launches on the server. The stability of the Script Monitoring task is improved, the application’s influence on the environment is reduced when intercepting scripts and blocking them if threats are detected, and the task scope is significantly expanded – now the Script Monitoring component works not only with scripts in JS and VBS files, but also PS1 files. The functionality is available when the Script Monitoring component is installed on servers running Microsoft Windows Server 2016 or newer.
- The format for displaying information about the application and its components has been expanded for the KAVSHELL OMSINFO command. Now you can get information about the status of the Applications Launch Control task as well as information about installed critical updates of application modules.
- The mechanisms for detecting and isolating active viruses have been improved:
  - Now the application detects fileless threats: viruses that have been started in the RAM and don’t have file bodies on the disk.
  - The mechanisms for processing active viruses when they are detected have been fixed. The application now correctly terminates the infected processes.
  - It is now possible to configure a list of processes to be considered critical for the operating system. The application will not kill these processes when an active infection is detected. For details, see this article.
- A feature has been implemented for configuring parameters for using the AccessTime attribute for files scanned by the On-Demand Scan task. By default, the application restores the last access time of a file (the AccessTime attribute) after it has been scanned. Now you can use the Microsoft Windows Registry to disable restoration of the AccessTime attribute if this mechanism is causing false positives for backup systems. For details, see this article.
- Improved capabilities for managing and monitoring application state using the Compact Diagnostic Interface.
  - Now you can review the statistics counters for installed components on the Statistics tab of the Compact Diagnostic Interface.
  - A password is not required to access the Compact Diagnostic Interface, even if the password-protection feature is on: the application limits access to the information and control elements available in the Compact Diagnostic Interface based only on the user permissions specified for application management.
Known limitations
Traffic Security
- Protecting the VPN traffic is not recommended (port 1723).
- The Opera Presto Engine web browser reports an attempt to connect using an untrusted certificate if Kaspersky Security for Windows Server is used to protect HTTPS traffic.
- IPv6 traffic is not scanned.
- The Traffic Security component is available only on Microsoft Windows Server 2008 R2 and newer.
- The application only works with TCP traffic.
On-Demand Scan, File Protection, Anti-Cryptor, Exploit Prevention
- Upon connection, anti-virus scanning of MTP devices is unavailable.
- Scanning of archive objects is not available without scanning SFX archives. When archive scanning mode is enabled in the Kaspersky Security for Windows Server security settings, the application automatically scans both objects in archives and objects in SFX archives. It is still possible to scan SFX archives without scanning all other archives.
- Exclusions from the Trusted Zone are not applied when scanning in Windows Server 2016 containers.
- iSwift technology is not applied when scanning in Windows Server 2016 containers.
- The Exploit Prevention component does not protect applications installed through the Microsoft Store on Windows Server 2012 and Windows Server 2012 R2.
- Exploit Prevention functionality is not available if the apphelp.dll library is absent in the current environment configuration.
- The Exploit Prevention component is incompatible with the EMET application (Microsoft solution) if used on computers running Windows Server 2016.
Computer control and diagnostics
- The Log Inspection task detects potential Kerberos (MS14-068) attack patterns only on computers running Windows Server 2008 and higher in the role of a domain controller with installed updates.
- The Device Control task blocks any connections with MTP devices when in Active mode.
- The Log Inspection task can detect a total clearing of the Windows Event Log only on servers running Windows Server 2008 or higher operating system.
Firewall management
- When the Firewall rule scope consists of only one IP address, the IPv6 format is not supported.
- When the Firewall Management task starts, the following rule types are automatically erased from the Windows Firewall rules list:
  - deny rules
  - outbound rules
- Predefined rules for the Firewall Management policy ensure basic interaction between local computers and the Administration Server. To use the full functionality of Kaspersky Security Center, you must manually set rules to allow ports. For more information about port numbers, protocols, and their functions, see this article.
- When requests are made by the Firewall Management task at minute intervals, the application does not control changes to Windows Firewall rules and groups of rules that were added when installing the Firewall Management component. To update the status and presence of such rules, you must restart the Firewall Management task.
- For the proper functioning of the Firewall Management component on computers running a Microsoft Windows Server 2008 operating system or higher, you need to start the Windows Firewall Service (launched by default).
- On the Microsoft Windows Server 2003 family of operating systems the SharedAccess service must be started for Windows Firewall to work. By default, the service is suspended and the service is started only with Administrator privileges. If the Firewall Management component is started when the SharedAccess service is suspended, the component state displayed by the application is out of date. Visually, the task is active and running, but Windows Firewall is not started and the network rules are not applied.
- The application does not receive Windows Firewall events for the Firewall Management task log when working on servers running a Microsoft Windows Server 2003 operating system. To record task statistics it is necessary to turn on the processes tracking function in the security settings of the Microsoft Windows local policy.
Installation and migration to the new version
- During installation of the application, a warning occurs about the path being too long if the full path to the installation folder for Kaspersky Security for Windows Server contains more than 150 characters. The warning does not affect the installation process.
- Installation of the SNMP Protocol Support component requires the SNMP service on the protected server.
- To install the SNMP Protocol Support component, you must restart the SNMP service if this service is protected.
- Kaspersky Security for Windows Server Administration Tools cannot be installed through Microsoft Active Directory group policies.
- When installing the application on computers running operating systems that are no longer supported and are unable to receive regular updates, you must check for the following root certificates:
  - DigiCert Assured ID Root CA
  - DigiCert_High_Assurance_EV_Root_CA
  - DigiCertAssuredIDRootCA

  The absence of these certificates may prevent the application from working properly. To find out how to download and apply up-to-date certificates, see this article.
- Automatic addition of read permissions for the NETWORK SERVICE user is not supported when migrating to a new version. By default, this permission is assigned in the application management access permissions settings during the installation of Kaspersky Security 10.1.1 for Windows Server. To avoid errors in the functioning of the WMI Provider after the update, you need to manually allow reading for the NETWORK SERVICE user in the application settings or apply the updated Kaspersky Security Center policy.
- The operating system uses an incorrect directory if the CaseSensitive attribute is used for the Kaspersky Security installation directory. The services.exe process detects the Kaspersky Security for Windows Server installation directory incorrectly and cannot execute services that are critical for the application core functions. This behavior can only be fixed with Microsoft Windows updates. To avoid errors, we recommend installing Kaspersky Security for Windows Server in a directory without the CaseSensitive attribute.
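The root certificate check from the list above can be scripted. The following is an added example, not Kaspersky code: it assumes the three names on this page refer to certificate subject names in the LocalMachine Root store and compares them after stripping spaces and underscores. The function and variable names are hypothetical.

```powershell
# Added example (not Kaspersky code). Names are copied from the list above.
$RequiredRoots = @(
    'DigiCert Assured ID Root CA',
    'DigiCert_High_Assurance_EV_Root_CA',
    'DigiCertAssuredIDRootCA'
)

function ConvertTo-NameKey {
    param([string]$Name)
    # Assumption: the page's spellings differ only in spaces and underscores,
    # so compare on letters and digits only, ignoring case.
    return ($Name -replace '[^A-Za-z0-9]', '').ToLowerInvariant()
}

function Test-RequiredRootCertificate {
    param(
        [string[]]$RequiredName,
        [string]$StorePath = 'Cert:\LocalMachine\Root'
    )
    $simple = [System.Security.Cryptography.X509Certificates.X509NameType]::SimpleName
    $now    = Get-Date
    $store  = @(Get-ChildItem -Path $StorePath)

    foreach ($name in $RequiredName) {
        $key  = ConvertTo-NameKey -Name $name
        # Match on the subject's simple name (the CN for these roots).
        $hits = @($store | Where-Object {
            (ConvertTo-NameKey -Name $_.GetNameInfo($simple, $false)) -eq $key
        })
        # Also flag roots that are present but outside their validity period.
        $valid = @($hits | Where-Object { $_.NotBefore -le $now -and $_.NotAfter -gt $now })

        # New-Object PSObject is used instead of [pscustomobject] so the
        # script also runs on Windows PowerShell 2.0.
        New-Object PSObject -Property @{
            Name        = $name
            Present     = ($hits.Count -gt 0)
            TimeValid   = ($valid.Count -gt 0)
            Thumbprints = (($hits | ForEach-Object { $_.Thumbprint }) -join ', ')
        }
    }
}

$report = Test-RequiredRootCertificate -RequiredName $RequiredRoots
$report | Select-Object Name, Present, TimeValid, Thumbprints | Format-Table -AutoSize
$missing = @($report | Where-Object { -not $_.Present -or -not $_.TimeValid })
if ($missing.Count -gt 0) { Write-Warning "$($missing.Count) listed name(s) missing or outside validity" }
```

The first and third names normalise to the same key, so they report the same store entry.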
Licensing
The application cannot be activated using a key from the installation wizard if the key file is located on a disk created using the SUBST command or the specified path to the key file is a network path.
Updates
After installation of critical updates of Kaspersky Security for Windows Server modules, the Kaspersky Security for Windows Server icon is hidden by default.
User Interface
- In the Kaspersky Security for Windows Server Console, filters in the Quarantine, Backup, System Audit Log, and Task Logs nodes are case sensitive.
- When configuring the protection and scan scope in Kaspersky Security Console, you can use only one mask in a path and only at the end of the path. Correct mask examples:
  - "C:\Temp\Temp*"
  - "C:\Temp\Temp???.doc"
  - "C:\Temp\Temp*.doc"

  This limitation does not apply to Trusted Zone settings.
Kaspersky Security Center integration
- Kaspersky Security Center Administration Server checks the application database updates before its distribution on the computer network. The application module updates are not verified by the Administration Server.
- When working with components that transfer dynamic, changing data to Kaspersky Security Center using network lists (such as Quarantine or Backup), make sure that the appropriate check boxes are ticked in the settings for Administration Server interaction.
Other functions
- The application partially supports CaseSensitive directories. Known scenarios in which CaseSensitive directories are not supported by the application include:
  - Exclusions specified in the settings of protection and scan tasks
  - Trusted Zone exclusions
  - Applications Launch Control rules. When processing application launches in the scope of rules applied by path, the application converts path values to upper case. This broadens the scope of allowing and denying rules for CaseSensitive directories. To lower the risk of starting blocked applications due to the expanded scope of allowing rules, it is recommended to set allowing rules with strict criteria (checksum or digital certificate).
- When using a command line utility, special characters may be displayed if the operating system’s regional settings match the localization of Kaspersky Security for Windows Server.
- When basic authentication is used on a proxy server, authentication errors may occur when the user name or password are set using multi-byte encoding.
- When a file is restored from Quarantine or Backup, the Encrypted value in the file attributes is not restored.
- The mirror server cannot be used if the application is connected to syslog-server via the UDP protocol.
- The device type may not be recognized when a USB connection event is generated. In this case only the device’s GUID will be displayed.
- Insufficient rights for managing root WMI namespaces on a computer can lead to errors creating application namespaces. If the Kaspersky Security namespace is absent from the root namespace of the computer after the WMI Provider component is installed, please send a request to Kaspersky Lab technical support via Kaspersky Lab CompanyAccount for recommendations on configuring WMI security settings on the computer.
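
The Applications Launch Control limitation above means that, in a CaseSensitive directory, files whose paths differ only in letter case fall under the same path-based rule. The following added example (not Kaspersky code) audits a file listing for such groups; `ToUpperInvariant()` is an assumed stand-in for the product's upper-casing, and the function name and sample paths are hypothetical.

```powershell
# Added example (not Kaspersky code). ToUpperInvariant() stands in for the
# product's upper-casing of paths, whose exact rules the page does not give.
function Get-CaseFoldCollision {
    param([string[]]$Path)

    $byKey = @{}
    foreach ($p in $Path) {
        $key = $p.ToUpperInvariant()
        if (-not $byKey.ContainsKey($key)) {
            # HashSet[string] compares ordinally, so 'a.exe' and 'A.exe' stay distinct.
            $byKey[$key] = New-Object 'System.Collections.Generic.HashSet[string]'
        }
        [void]$byKey[$key].Add($p)
    }

    # Report only the keys that more than one distinct path maps to.
    foreach ($key in ($byKey.Keys | Sort-Object)) {
        if ($byKey[$key].Count -gt 1) {
            [pscustomobject]@{
                RuleKey = $key
                Count   = $byKey[$key].Count
                Paths   = @($byKey[$key]) -join '; '
            }
        }
    }
}

# Constructed sample: file listing of a hypothetical CaseSensitive directory.
$sample = @(
    'D:\Apps\Tools\backup.exe',
    'D:\Apps\Tools\Backup.exe',
    'D:\Apps\Tools\report.exe',
    'D:\Apps\tools\report.exe'
)
Get-CaseFoldCollision -Path $sample | Format-List

# On a live server, pass the real listing instead (hypothetical path):
# Get-CaseFoldCollision -Path (Get-ChildItem -LiteralPath 'D:\Apps' -Recurse -File |
#     ForEach-Object { $_.FullName })
```

Each group reported is a set of distinct files covered by one path-based rule, which is where the recommendation to use checksum or digital certificate criteria applies.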