Kaspersky Embedded Systems Security 2.0 release notes
Kaspersky Embedded Systems Security 2.0 was released on June 7, 2017. Full version number is 2.0.0.385.
Kaspersky Embedded Systems Security protects a variety of embedded systems running Microsoft Windows, including ATMs (automated teller machines) and POS (point-of-sale) terminals, against viruses and other computer threats.
Kaspersky Embedded Systems Security protects devices with limited RAM (256 MB or more) and limited hard disk space (100 MB or more).
Product description
Kaspersky Embedded Systems Security uses the following protection technologies:
- Real-time file protection (implemented in the Real-Time File Protection task). The application scans files and alternate data streams of the file system (NTFS streams) when the protected computer accesses them. If a file is recognized as infected, the protected computer’s access to that file is blocked.
- On-demand anti-virus scan (implemented in the On-Demand Scan tasks). One-time scan of specified areas for viruses and other computer security threats. The application scans the protected computer’s files, autorun objects and RAM.
- Kaspersky Security Network services integration (implemented in the KSN Usage task). Use of data from Kaspersky Security Network ensures a faster response time by Kaspersky Embedded Systems Security when encountering new types of threats.
- With the user’s consent, the application can send checksums (MD5) of the analyzed files when executing the KSN Usage task. The Kaspersky Security Network integration receives file scan requests from the following tasks: Real-Time File Protection, On-Demand Scan, and Applications Launch Control.
- Application launch control (implemented in the Applications Launch Control task). The application allows or denies the launch of executable files, scripts and MSI packages, and the loading of drivers and DLL modules, according to specified applications launch control rules, KSN conclusions, or the Default Deny principle.
- You can create applications launch control rules both manually and automatically, for a single computer (based on the events of a local Applications Launch Control task) or for a group of computers (via the Kaspersky Security Center denied launches report).
- Control of external devices connected via USB (implemented in the Device Control task). Kaspersky Embedded Systems Security allows or restricts the use of storage devices connected to a protected computer via USB. External device control is based on allow rules and the Default Deny principle.
- Rules for the Device Control task are generated automatically, either from system data about registered storage devices or by the Rule Generator for Device Control task.
- Windows Firewall Management (implemented in the Firewall Management task). The application provides a reliable and ergonomic way to protect network connections by taking over management of the OS firewall settings with priority.
- Protected system integrity inspection (implemented in the File Integrity Monitor task and the Log Inspection task). Kaspersky Embedded Systems Security checks the integrity of the protected environment based on file operations detected in critical areas and on the results of Windows Event Log analysis.
- Kaspersky Embedded Systems Security alerts the administrator if it detects patterns of abnormal activity within a protected system that might indicate an abuse attempt.
- Memory protection against vulnerability exploitation (implemented in the Exploit Prevention component). Kaspersky Embedded Systems Security monitors the integrity of protected processes and takes the specified actions to reduce the potential risks and side effects of vulnerability exploitation.
What's new
Kaspersky Embedded Systems Security 2.0 offers the following features:
- An added Exploit Prevention component. You can now configure the memory protection settings using common mitigation techniques.
- An added File Integrity Monitor task. You can now specify objects, as well as entire areas, whose integrity you want to monitor.
- An added Log Inspection task. You can now create custom rules for analyzing Windows Event Log, as well as configure settings for the heuristic analyzer to analyze the Windows Event Log.
- An added SIEM Integration feature. You can now configure settings for exporting application logs to external security information and event management systems via the syslog protocol.
- An added USB connections monitoring functionality. Now you can configure notifications about all connections to a protected computer via USB ports for a range of device types.
- A Security Log has been implemented. You can now observe all the events that indicate a possible compromise of a protected system in a single log.
The following features have been improved in Kaspersky Embedded Systems Security 2.0:
- The Applications Launch Control component. The algorithm for determining the type of a launched application has been improved. The application now reads the file header, which enables a more precise selection of the rule type (Script or Binary) for the subsequent processing of such file launches. The component has also been made easier to use by adding predefined applications launch control rules to the rules list.
- The Device Control component. You can now add mass storage devices to the trusted list based on data about devices that are currently connected to a protected computer.
- The Trusted Zone. You can now use more flexible criteria when configuring the trusted list. The following trust criteria can be defined: full path, hash sum, or both the full path and the hash sum.
- Configuration of the protection scope and the scan scope. You can now configure how a parent container object is processed when an embedded threat is detected. If the container cannot be modified by the application because its format is read-only, the application deletes the entire parent container object.
- The Windows 10 Redstone 2 operating system is now supported.
Limitations and known issues
On-demand scan, real-time file protection and memory protection
- Scan on connection is unavailable for the MTP devices.
- Archive scanning also covers SFX archives. When archive scan mode is enabled in the Kaspersky Embedded Systems Security security settings, objects are scanned both in archives and in SFX archives. It is still possible to scan SFX archives without scanning all other archives.
- The exploit prevention functionality is unavailable if a protected computer does not have access to the apphelp.dll library.
- The Exploit Protection component is incompatible with the EMET application (Microsoft solution) if used on computers running Windows 10. Kaspersky Embedded Systems Security blocks EMET functions if the installation or removal of the Exploit Protection component is performed on a computer with the EMET application installed.
Computer control and diagnostics
- The Device Control task scope includes MTP-connected storage devices if the protected computer runs Microsoft Windows 7 or later. On a protected computer running Microsoft Windows XP, Kaspersky Embedded Systems Security controls MTP-connected storage devices only if the driver sets the GUID class for external devices to the same value as the standard Windows driver GUID.
- IP address exclusions for the Log Inspection heuristic analyzer are not available on computers running an operating system from the Windows XP family. The restriction does not apply to computers running Windows Vista or later, or one of the Windows Server operating systems.
- The Log Inspection task does not detect Windows Event Log event ID 602 on computers running an operating system from the Windows XP family. The restriction does not apply to computers running Windows Vista or later, or one of the Windows Server operating systems.
- The Log Inspection task detects entire Windows Event Log clearing only on computers running Windows Vista or higher.
- The Log Inspection task detects patterns of a possible Kerberos (MS14-068) attack only on computers running Windows Server 2008 or higher in the domain controller role and with the patches applied.
Firewall management
- When the Firewall rule scope consists of one IP-address only, the IPv6 format support is unavailable.
- When the Firewall Management task starts, the following rule types are automatically deleted from the Windows Firewall rules list:
  - deny rules
  - outbound rules
- The application is unable to receive Windows Firewall events for the Firewall Management task log if it is installed on a computer running Microsoft Windows XP. Audit process tracking must be enabled in the Microsoft Windows local policy settings for the task log to be written.
- Predefined rules for the Windows Firewall Management policy ensure basic interaction between local computers and the Kaspersky Security Center Administration Server. To use advanced functions, you need to configure rules for the ports manually. A full list of ports, protocols and their descriptions is available in the Kaspersky Security Knowledge Base.
- Although the Firewall Management task polls at one-minute intervals, the application does not control changes to Windows Firewall rules and rule groups that were added when the Firewall Management component was installed. To refresh the state and availability of such rules, restart the task.
- For the Firewall Management component to function properly on computers running Windows Vista or later, the Windows Firewall service must be running (it is started by default).
Installation
- The Application Setup Wizard warns that an excessively long path has been specified if the full path to the Kaspersky Embedded Systems Security installation folder contains more than 150 characters. This warning does not affect the installation, and the application operates normally afterwards.
- Installing the SNMP Protocol Support component requires restarting the SNMP service if this service is running.
- Windows Installer 3.1 is required for Kaspersky Embedded Systems Security to install and work properly on a computer running Microsoft Windows XP SP2. By default, this component is not included in the Microsoft Windows XP SP2 distribution kit. You can download and install the Windows Installer 3.1 component manually.
- The Filter Manager component is required for Kaspersky Embedded Systems Security to install and work properly on a computer running an embedded operating system.
- Installation of the Kaspersky Embedded Systems Security Administration Tools using Microsoft Active Directory group policies is not supported.
- When installing the application on computers running an outdated OS that cannot receive updates, check that the following root certificates are present in the system: DigiCert Assured ID Root CA, DigiCert_High_Assurance_EV_Root_CA, DigiCertAssuredIDRootCA. The absence of these certificates may prevent the application from working properly. It is recommended to install these certificates by any means available.
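The root certificate check described in the last item above, written out as a PowerShell script. This is an added example and not part of Kaspersky's documentation or installer; it assumes that the two distinct CAs named above correspond to the subject names "DigiCert Assured ID Root CA" and "DigiCert High Assurance EV Root CA" (the third name on the page, DigiCertAssuredIDRootCA, is taken to be the file-name form of the first), and that the machine-wide Trusted Root store at Cert:\LocalMachine\Root is the store that matters on the target computer.

```powershell
# Added example (not Kaspersky's code): report whether the DigiCert root
# certificates named in the release notes are present and currently valid in
# the machine-wide Trusted Root store of a computer that cannot receive updates.
# Assumption: the two CAs listed on the page have the subject CNs below.
$RequiredRoots = @(
    'DigiCert Assured ID Root CA',
    'DigiCert High Assurance EV Root CA'
)

function Test-RequiredRootCertificates {
    param(
        [string[]]$Names = $RequiredRoots,
        [string]$StorePath = 'Cert:\LocalMachine\Root'
    )
    $installed = Get-ChildItem -Path $StorePath
    $now = Get-Date
    foreach ($name in $Names) {
        # Match on the Subject CN only; the store may contain several
        # certificates with the same CN (e.g. reissued roots), so all are listed.
        $pattern = 'CN=' + [regex]::Escape($name) + '(,|$)'
        $found = $installed | Where-Object { $_.Subject -match $pattern }
        if (-not $found) {
            [pscustomobject]@{ Name = $name; Present = $false; Valid = $false; Thumbprint = $null; NotAfter = $null }
            continue
        }
        foreach ($cert in $found) {
            [pscustomobject]@{
                Name       = $name
                Present    = $true
                Valid      = ($cert.NotBefore -le $now -and $cert.NotAfter -ge $now)
                Thumbprint = $cert.Thumbprint
                NotAfter   = $cert.NotAfter
            }
        }
    }
}

$report = Test-RequiredRootCertificates
$report | Format-Table -AutoSize

# Exit non-zero when any required root is missing or outside its validity
# period, so the script can gate an unattended deployment.
$problems = $report | Where-Object { -not $_.Present -or -not $_.Valid }
if ($problems) {
    $names = ($problems | Select-Object -ExpandProperty Name -Unique) -join ', '
    Write-Warning "Missing or invalid root certificates: $names"
    exit 1
}
```

Run the script in an elevated PowerShell session before starting the Application Setup Wizard. If it reports a missing root, import the corresponding .crt file obtained from a trusted source into the Trusted Root store (for example with certutil -addstore Root <file.crt>) and run the check again; the script deliberately does not download or install anything itself, because on an isolated ATM or POS image the certificate files should come through the same controlled channel as the rest of the deployment.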
Licensing
Kaspersky Embedded Systems Security cannot be activated with a key via the Application Setup Wizard if the key file is located on a drive created using the SUBST command, or if a network path to the key file is specified.
Updates
After critical software module updates are installed, the Kaspersky Embedded Systems Security icon is hidden by default.
User Interface
- In Kaspersky Embedded Systems Security Console, the filter is case-sensitive for the following nodes: Quarantine, Backup, System Audit Log, Task Logs.
- Remote connection to the Kaspersky Embedded Systems Security Console is unavailable if the application is installed on a computer that runs Microsoft Windows XP SP2 with the default network access configuration and is not joined to a domain. By default, Windows XP applies the Guest only security model to local accounts.
- To enable remote application management via the Console, configure the local security policy manually on the computer with Kaspersky Embedded Systems Security installed by setting the sharing and security model for local accounts to the Classic value.
- When protection and scan scopes are configured using the Kaspersky Embedded Systems Security Console, only one mask can be used in each path, and only at the end of the path (for example: C:\Temp\Temp*, C:\Temp\Temp???.doc, or C:\Temp\Temp*.doc). This limitation does not apply to the Trusted Zone component.
Security
- If User Account Control is enabled in the operating system, the user account must be a member of the ESS Administrators group for the Kaspersky Embedded Systems Security Console to open when the application icon in the taskbar notification area is double-clicked. Otherwise, the About window opens.
- The application cannot be removed via the Programs and Features window of the operating system if User Account Control is enabled.
Kaspersky Security Center integration
- The Kaspersky Security Center Administration Server verifies the application’s database updates before distributing them on the computer network. Application module updates are not verified by the Administration Server.
- When working with components that transfer dynamic, changing data to Kaspersky Security Center using network lists (such as Quarantine or Backup), make sure that the corresponding check boxes are selected in the Administration Server interaction settings.
Other functions
- When the command line tool is applied, special characters are only displayed if the regional settings of the operating system match the current Kaspersky Embedded Systems Security localization.
- When basic authentication is used on a proxy server, authentication errors may occur if the user name or password is set using a multi-byte encoding.
- When a file is restored from Quarantine or Backup, the Encrypted value in the file attributes is not restored.
- A mirror server cannot be used if the application connects to the syslog server via the UDP protocol.
- When connecting a USB device, there is a likelihood that the application will not recognize the device type. In this case only the device’s GUID will be displayed.
- The Device Instance Path values are specified in different formats for the Device Control component and the USB connections monitor functionality.