Installation and uninstallation settings and command line options for the Windows Installer service

This section contains descriptions of the settings for installing and uninstalling Kaspersky Embedded Systems Security for Windows, their default values, keys for changing the installation settings, and their possible values. These keys can be used in conjunction with standard keys for the Windows Installer service's msiexec command when installing Kaspersky Embedded Systems Security for Windows from the command line.

Installation settings and command line options in Windows Installer

• Acceptance of the terms of the End User License Agreement: you must accept the terms to install Kaspersky Embedded Systems Security for Windows.

  The possible values for EULA=<value> command line option are as follows:

  • 0 – you reject the terms of the End User License Agreement (default value).
  • 1 – you accept the terms of the End User License Agreement.
• Acceptance of the terms of the Privacy Policy: you must accept the terms to install Kaspersky Embedded Systems Security for Windows.

  The possible values for PRIVACYPOLICY=<value> command line option are as follows:

  • 0 – you reject the terms of the Privacy Policy (default value).
  • 1 – you accept the terms of the Privacy Policy.
• Allow installation of Kaspersky Embedded Systems Security for Windows if the KB4528760 update not installed. For detailed information about the KB4528760 update please visit Microsoft website.

  The possible values for SKIPCVEWINDOWS10=<value> command line option are as follows:

  • 0 – cancel the installation of Kaspersky Embedded Systems Security for Windows if the KB4528760 update is not installed (default value).
  • 1 – allow the installation of Kaspersky Embedded Systems Security for Windows if the KB4528760 update is not installed.

  The KB4528760 update fixes the CVE-2020-0601 security vulnerability. For detailed information about the CVE-2020-0601 security vulnerability please visit the Microsoft website.

• Installation of Kaspersky Embedded Systems Security for Windows with preservation of the settings of the previous version during the upgrade.

  The possible values for RESTOREDEFSETTINGS=<value> command line option are as follows:

  • 0 – All data from the previous version is migrated to the new version during the upgrade (default value).
  • 1 – Only the file with activation data and private keys is migrated to the new version during the upgrade ([drive]:\ProgramData\Kaspersky Lab\<product>\<version>\Data\product.dat). All other data from the previous version, such as settings, anti-virus databases, reports, quarantine and backup objects, are deleted.
• Installation of Kaspersky Embedded Systems Security for Windows with preservation of the reports from previous versions during the upgrade.

  The possible values for KEEP_REPORTS=<value> command line option are as follows:

  • 0 – all data from the previous version, except for reports ([drive]:\ProgramData\Kaspersky Lab\<product>\<version>\Reports), is migrated to the new version during the upgrade. The reports are deleted.
  • 1 – all data from the previous version, such as settings, anti-virus databases, reports, quarantine and backup objects, are migrated to the new version during the upgrade (default value).
• Installation of Kaspersky Embedded Systems Security for Windows with a preliminary scan of active processes and the boot sectors of local disks.

  The possible values for PRESCAN=<value> command line option are as follows:

  • 0 – do not perform a preliminary scan of active processes and the boot sectors of local disks during the installation (default value).
  • 1 – perform a preliminary scan of active processes and the boot sectors of local disks during the installation.
• Destination folder where Kaspersky Embedded Systems Security for Windows files will be saved during installation. A different folder can be specified.

  The default values for INSTALLDIR=<full path to the folder> command line option are as follows:

  • Kaspersky Embedded Systems Security for Windows: %ProgramFiles%\Kaspersky Lab\Kaspersky Embedded Systems Security
  • Administration tools: %ProgramFiles%\Kaspersky Lab\Kaspersky Embedded Systems Security Admins Tools
  • On the x64-bit version of Microsoft Windows: %ProgramFiles(x86)%
• Start of the Real-Time File Protection task immediately after Kaspersky Embedded Systems Security for Windows starts.

  The possible values for the RUNRTP=<value> command line option are:

  • 1 – start (default value).
  • 0 – do not start.
• Run mode for the Real-Time File Protection task.

  The possible values for the RUNRTP=<value> command line option are:

  • 1 – Recommended (default value).
  • 0 – Notify only.
• Objects excluded from the protection scope according to Microsoft Corporation recommendations. In the Real-Time File Protection task exclude from the protection scope objects on the device that Microsoft Corporation recommends to exclude. Some applications on the protected device may become unstable when an anti-virus application intercepts or modifies the files they use. For example, Microsoft Corporation includes some domain controller applications in the list of such objects.

  The possible values for ADDMSEXCLUSION=<value> command line option are as follows:

  • 1 – exclude (default value).
  • 0 – do not exclude.
• Objects excluded from the protection scope according to Kaspersky recommendations. In the Real-Time File Protection task exclude from the protection scope objects on the device that Kaspersky recommends to exclude.

  The possible values for ADDKLEXCLUSION=<value> command line option are as follows:

  • 1 – exclude (default value).
  • 0 – do not exclude.
• Allow remote connection to the Application Console. By default, remote connection to the Application Console installed on the protected device is not allowed. During the installation, you can allow connection. Kaspersky Embedded Systems Security for Windows creates allowing rules for the process kavfsgt.exe using the TCP protocol for all ports.

  The possible values for ALLOWREMOTECON=<value> command line option are as follows:

  • 1 – allow.
  • 0 – deny (default value).
• Path to the key file (LICENSEKEYPATH). By default, the Windows Installer attempts to find the file with .key extension in the \exec folder of the distribution kit. If the \exec folder contains several key files, the Windows Installer will select the key file whose expiration date is the farthest into the future. A key file can be saved beforehand in the \exec folder or by specifying another path to the key file using the Add key setting. You can add a key after Kaspersky Embedded Systems Security for Windows is installed using an administrative tool of your choice: for example, the Application Console. If you do not add a key during installation of the application, Kaspersky Embedded Systems Security for Windows will not function.
• Path to the configuration file. Kaspersky Embedded Systems Security for Windows imports settings from the specified configuration file created in the application. Kaspersky Embedded Systems Security for Windows does not import passwords from the configuration file, for example, account passwords for starting tasks, or passwords for connecting to a proxy server. Once the settings are imported, you will have to enter all passwords manually. If the configuration file is not specified, the application will start to work with the default settings after setup.

  The default value for CONFIGPATH=<configuration file name> is not specified.

• Mode of the Scan at Operating System Startup task (SCANSTARTUP_BLOCKING). If you install Kaspersky Embedded Systems Security for Windows in the install mode without the SCANSTARTUP_BLOCKING key, the Scan at Operating System Startup task has the following parameters assigned to the Scan scope setting:
  • Action to perform on infected and other objects: Notify only
  • Action to perform on probably infected objects: Notify only

  If you install Kaspersky Embedded Systems Security for Windows in the install mode using the SCANSTARTUP_BLOCKING key, the Scan at Operating System Startup task has the following parameters assigned to the Scan scope setting:

  • Action to perform on infected and other objects: Perform recommended action
  • Action to perform on probably infected objects: Perform recommended action

  The Scan at Operating System Startup task is created automatically. By default, the Notify only mode is applied. In this case, after you deploy Kaspersky Embedded Systems Security for Windows on the devices, you can enable the Scan at Operating System Startup task if no issues with system services were discovered during scanning. If the application detects critical system services as infected or probably infected objects, the Notify only mode gives you time to figure out the reason and solve the issue. If the application applies the Perform recommended action mode, which calls the Disinfect. Remove, if disinfection fails action. Disinfection or removal of the system files may result in critical issues with operating system startup.

• Enabling network connections for the Application Console option is used to install Kaspersky Embedded Systems Security for Windows Console on another device. You can remotely manage device protection from another device with the Kaspersky Embedded Systems Security for Windows Console installed. Port 135 (TCP) is opened in Microsoft Windows Firewall, network connections are allowed for the executable file kavfsrcn.exe for remote management of Kaspersky Embedded Systems Security for Windows, and access is granted to DCOM applications. When installation is complete, add users to the ESS Administrators group to let them remotely manage the application, and allow network connections to the Kaspersky Security Management Service (kavfsgt.exe file) on the protected device. You can read more about additional configuration when the Kaspersky Embedded Systems Security for Windows Console is installed on another device.

  The possible values for ADDWFEXCLUSION=<value> command line option are as follows:

  • 1 – allow.
  • 0 – deny (default value).
• Disabling the check for incompatible software. Use this setting to enable or disable the check for incompatible software during background installation of the application on the protected device. Regardless of the value of this setting, during installation of Kaspersky Embedded Systems Security for Windows, the application always warns about other versions of the application installed on the protected device.

  The possible values for SKIPINCOMPATIBLESW=<value> command line option are as follows:

  • 0 – The check for incompatible software is performed (default value).
  • 1 – The check for incompatible software is not performed.

Uninstallation settings and command line options in Windows Installer

• Restoring quarantined objects.

  The possible values for RESTOREQTN=<value> command line option are as follows:

  • 0 – Remove quarantined content (default value).
  • 1 – Restore quarantined content to the folder specified by the RESTOREPATH parameter into the \Quarantine subfolder.
• Restoring the content of backup.

  The possible values for RESTOREBCK=<value> command line option are as follows:

  • 0 – Remove backup content (default value).
  • 1 – Restore backup contents to the folder specified by the RESTOREPATH parameter into the \Backup subfolder.
• Enter the current password to confirm the uninstallation (if password protection is enabled).

  The default value for UNLOCK_PASSWORD=<specified password> is not specified.

• Folder for restored objects. Restored objects will be saved to the specified folder.

  The default value for the RESTOREPATH=<full path to the folder> command line option is %ALLUSERSPROFILE%\Application Data\Kaspersky Lab\Kaspersky Embedded Systems Security\3.3\Restored