kl 002.11.6 en unit4 v1.0.3

002.11.6: Kaspersky Endpoint Security and Management.
Unit IV. Maintenance
1. How to maintain protection
2. What to do daily
2.1 How to create a custom dashboard
    How to answer all questions at a glance
    How to fill the dashboard with statistics
    How to understand that important protection components are disabled in the policy
2.2 How to email reports
    Which reports to email
    How to create a custom report
2.3 How to email notifications
    Where to enable notifications
    Where to modify the addressee and the mail server
    About which events you need to know
3. What to do if something has happened
3.1 What to do with malware
    Where to learn about threats
    How to find computers with threats
    How to understand what has happened to the threats
    How to find computers with non-disinfected threats
    How to scan critical areas
    How to isolate a computer and eliminate an active infection
    How to reset the virus counter
3.2 What to do if Kaspersky Endpoint Security does not work
    Where to find out that Kaspersky Endpoint Security does not work
    How to start protection remotely
3.3 What to do if databases are outdated
    Where to find out that databases are out of date
    How to find out whether a computer has an update task
    How to find out whether the Server has an update task
    Where to specify proxy server parameters
    How to disable automatic assignment of distribution points
    How to check whether KSN is used
3.4 How to check the client-server connection
    How to distinguish powered off computers
    What to do if a computer has not connected for a long time
    How to make a computer connect to the Server
    How to reconnect a computer to the Server
3.5 How to contact technical support
    When and how to contact technical support
    How to remotely collect Windows and GetSystemInfo logs
    How to remotely collect trace logs
    How to collect logs locally
    How to send a request to technical support
4.1 How to install program updates
    Program update types
    Where to find out that an update has been issued
    How to install only approved updates
    How to find out that a new version has been released
4.2 How to renew a license
    When to renew a license
    How to find out that the license expires
    How to find out that the number of activations is exceeded
    How to switch over to a new license
    How to replace the active license
4.3 How to configure backup
    Why back up?
    How to configure backup
    How to restore from a backup
4.4 How and why maintain the database
Maintenance: Summary
1. How to maintain protection

After you have installed Kaspersky Endpoint Security and Network Agent on the computers, created the
necessary policies and tasks, and configured them as necessary, you need to monitor the system to
make sure protection works, and react to incidents.

To keep protection working, you have to perform routine maintenance; some things have to be done
often, and some infrequently. Most of the actions are obvious, but we describe them nevertheless,
just in case.

Check the most important things.

What to check: There are no unprocessed threats on the computers
Why so often: You install protection to repel threats. Kaspersky Endpoint Security blocks most of them automatically. But if protection cannot handle a threat, you should be informed about it as soon as possible and neutralize it manually. The longer a threat is active, the more damage it can do.

What to check: Protection is installed and works on the computers
Why so often: This is obvious enough. If protection does not work, you do not know whether there is malware on the computer. And the longer protection does not work, the greater the chance that malware infects the computer.
Solve issues that affect protection. If time permits, do it daily; otherwise, solve secondary issues weekly.

What to check: Computers have the latest signature databases
Why so often: Almost all protection components use signatures to detect malware. If signatures are old, Kaspersky Endpoint Security will not be able to detect new viruses. The older the signatures, the greater the risk. If signatures are two days old, it is bad, but not critical. If they are two months old, it is almost as dangerous as if protection was not running at all.

What to check: Protection uses Kaspersky Security Network
Why so often: Kaspersky Security Network informs about known malicious files and helps to detect them even if signatures are obsolete. Moreover, Kaspersky Security Network reports new malicious files before signatures are issued for them. Without Kaspersky Security Network, protection works less well, but it still works and protects against most threats.
Perform preventive maintenance on the Administration Server.

What to check: Make sure that you can recover the Server from a backup copy
Why so often: You spent quite a lot of time installing protection. If you lose the Administration Server because of a hardware failure, you will have to spend almost as much time installing and configuring protection again. Backups can prevent this. The crucial point about backups is that making a copy is not enough: you must verify that you will be able to restore the configuration from it. Spend half an hour per month on maintenance to make sure that you do not find yourself in a critical situation with a misconfigured backup from which you cannot restore data.

What to check: Optimize the Administration Server database
Why so often: If the database is not optimized, it eventually grows in size and becomes fragmented. Generating reports or displaying a computer selection will take longer, especially in a large network or if resources are scarce on the Administration Server (to be more precise, on the database server, but it is often the same computer).
Install updates and patches.

What to check: Whether there are any updates or patches for Kaspersky products
Why so often: Kaspersky Security Center patches and Kaspersky Endpoint Security maintenance releases are issued approximately once every quarter or two. They correct errors, improve performance and sometimes add new functions that are important for protection. Installing patches does not take much effort, but do not forget to test them beforehand.
Renew the license and install new versions.

What to check: The license has not expired and the node limitation has not been exceeded
Why so often: Commercial licenses are typically issued for 1 year. Without a license, protection keeps working, but the update task stops downloading signatures and Kaspersky Endpoint Security stops using KSN. Eventually, protection will be affected.

What to check: Whether there are any new versions of Kaspersky products
Why so often: New versions or service packs are issued once every year or two. They correct errors, improve performance, and also change settings and the products' operation logic. New technologies, components, interception methods, etc. appear in new versions or service packs. If an old version is not updated for too long, it will not be able to fight the latest threats even with up-to-date signatures and KSN. A few years after release, a version's support ends.
2. What to do daily
During a daily inspection:
1. Find out which threats Kaspersky Endpoint Security has detected since your last inspection. If you perform inspections daily, you can focus on detections in the last 24 hours.
2. Check whether Kaspersky Endpoint Security has neutralized all threats. If there are unprocessed threats, remediate them immediately.
3. Check whether protection works on all computers. If protection is not running or is not installed, run or install it. Find out why it has happened.

To save time, configure the console to be able to quickly learn what you need about threats and
protection.
Kaspersky Security Center console provides a lot of information:
— Reports
— Events
— Computer statuses
— Computer properties
— Statistics of installed applications in computer properties
— Repositories
— Task logs

However, these sources are either insufficiently clear (for example, lists of events) or cannot be reviewed all together (for example, reports).
To get a general idea of the overall protection status, open the Monitoring & Reporting | Dashboard
page of the Web Console. The administrator selects which charts to show, which chart types to use and
how to organize them.
To save time, customize the Dashboard and add web widgets that inform about:
— Protection status
— Types of detected viruses and disinfection results
— New devices
— Network attacks
— History of network attacks
— Other important data of your choice, for example, signature versions

Types of web widgets are hardcoded, but abundant, and can answer most of your questions.

By default, the Dashboard includes 7 web widgets devoted to various network status aspects, including Protection status, New devices, Threat activity, Most frequent threats, Most heavily infected devices and Threat detection.

Usually, a web widget contains a chart with a legend or a table. By default, they represent events from all managed computers over the last 24 hours. The administrator can narrow the scope or change the period in the Properties window, which opens with the corresponding button. The dashboard consists of several web widgets.
The administrator can add, delete and move web widgets on the dashboard, and modify their settings and representation.

Overall, there are more than 25 types of web widgets, grouped into categories, for the administrator to choose from.
To modify dashboard contents, click Add or restore widget.
In the web widget settings, depending on its type, you can modify the time interval for the displayed data
and select the computers whose data will be shown. There are only two options for the computers: either
an administration group or computers from a specified selection.
You can also modify chart type and appearance in the web widget settings.
The web widgets' capability to display the history of changes over the specified period can be useful. For example, you can view how many viruses were detected during each hour of the last day. This data may help to select the threshold for the Virus outbreak event. Reports lack this capability.
Starting with Kaspersky Endpoint Security version 11, there is a protection level indicator in the policy
interface, which helps the administrator to evaluate the level of threat prevention, and provides a hint
which components should be enabled to improve it.
For example, suppose the administrator enables all Essential Threat Protection and Advanced Threat Protection components in the policy, but (by mistake or intentionally) disables the critically important component Behavior Detection, which pinpoints threats by analyzing software activity (in particular, it can detect complex threats such as ransomware). As soon as the Behavior Detection component is disabled, the Protection level indicator turns red and shows the status Low protection level. After the settings are saved, the following information appears to the right of the Protection level indicator: Some of the recommended protection components are disabled, with a Learn more link. If you click it, the Recommended protection components window opens, which allows you to enable the recommended components to maximize threat counteraction. If the administrator ignores the caution and clicks Save in the policy window, Kaspersky Security Center displays an information window and suggests that you fix the settings.
Protection level indicator can have one of the following values:
— High protection level. The indicator turns green if the following components are enabled:
  Critical:
  — File Threat Protection;
  — Behavior Detection;
  — Exploit Prevention;
  — Remediation Engine.
  Important:
  — Kaspersky Security Network;
  — Web Threat Protection;
  — Mail Threat Protection;
  — Host Intrusion Prevention.
— Medium protection level. The indicator turns yellow if an important component is disabled.
— Low protection level. The indicator turns red if:
  — One or several critical components are disabled;
  — Two or more important components are disabled.
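The rule above is easy to apply by hand to one policy but tedious across many. The following added Python example (not Kaspersky's code) encodes the three thresholds and audits a set of policies, reporting the ones whose indicator would be yellow or red. The sample policies, the audit_policies helper and the two extra component names in the Workstations policy (Firewall, Network Threat Protection, which are outside the indicator's scope and are ignored) are constructed for illustration.

```python
"""Evaluate the Protection level indicator for one or more policies.

Added example, not Kaspersky's own code. The two component lists and the
thresholds follow the text above. Components outside the indicator's scope
are ignored. The sample policies below are constructed for illustration.
"""

CRITICAL = frozenset({
    "File Threat Protection",
    "Behavior Detection",
    "Exploit Prevention",
    "Remediation Engine",
})
IMPORTANT = frozenset({
    "Kaspersky Security Network",
    "Web Threat Protection",
    "Mail Threat Protection",
    "Host Intrusion Prevention",
})
ALL_RECOMMENDED = CRITICAL | IMPORTANT


def protection_level(enabled_components):
    """Return (level, disabled critical, disabled important) for one policy.

    Low:    any critical component off, or two or more important ones off
    Medium: exactly one important component off
    High:   all eight recommended components on
    """
    enabled = set(enabled_components)
    off_critical = sorted(CRITICAL - enabled)
    off_important = sorted(IMPORTANT - enabled)
    if off_critical or len(off_important) >= 2:
        level = "Low"
    elif off_important:
        level = "Medium"
    else:
        level = "High"
    return level, off_critical, off_important


def audit_policies(policies):
    """Evaluate every policy; return (name, level, components to enable),
    worst level first so the red indicators are at the top of the list."""
    rank = {"Low": 0, "Medium": 1, "High": 2}
    findings = []
    for name, enabled in policies.items():
        level, off_critical, off_important = protection_level(enabled)
        findings.append((name, level, off_critical + off_important))
    return sorted(findings, key=lambda f: (rank[f[1]], f[0]))


# Constructed policies: the component sets an administrator might export from KSC.
SAMPLE_POLICIES = {
    "Workstations": ALL_RECOMMENDED | {"Firewall", "Network Threat Protection"},
    "File servers": ALL_RECOMMENDED - {"Mail Threat Protection"},
    "Kiosks": ALL_RECOMMENDED - {"Kaspersky Security Network", "Web Threat Protection"},
    "Legacy apps": ALL_RECOMMENDED - {"Behavior Detection"},
}

if __name__ == "__main__":
    for name, level, to_enable in audit_policies(SAMPLE_POLICIES):
        print(f"{name:14} {level:7} enable: {', '.join(to_enable) or '-'}")
```

Run against the constructed policies, Kiosks and Legacy apps come out Low (two important components off, and one critical component off, respectively), File servers Medium, Workstations High. The third element of each finding is exactly the list the Recommended protection components window would offer to enable.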
Some administrators open the Console only when they need to find out or configure something, and prefer to be informed about issues by email. This way they use a single tool, the mailbox, to learn about issues in various subsystems instead of opening a dozen different consoles.
Kaspersky Security Center can email notifications and reports. Reports that show what is happening in
the network better fit daily inspections. Notifications inform about specific threats that need immediate
attention.
To receive reports by email, use the corresponding task:
1. Go to Monitoring & Reporting | Reports and click New report delivery task.
2. If a task of this type has already been created, the Web Console will inform you about it. To edit its parameters, open the properties of the Deliver reports task and switch to the Application settings tab.
3. If there is no task of this type yet, the Console will start the report delivery task creation wizard.
4. Select the types of reports that you want to receive. The task shows all report templates available on the Reports tab. However, those are not all of the report types that Kaspersky Security Center can create. If some reports are missing, create them beforehand on the Monitoring & Reporting | Reports page.
5. Select the format (html, xls or pdf) in the task parameters.
6. Select the action to be applied to reports: reports can be emailed and/or saved to a folder.
7. Switch to the Schedule tab and select when to receive reports.
To select where to email reports, in the task properties, open the Application Settings tab, and in the
Action to apply to reports area, select the checkbox Send report by email; then click the Settings button.
Specify the recipient’s address and message subject. Check the sender’s address and mail server
parameters in the Administration Server properties.
Note: Unlike its MMC counterpart, the Quick Start Wizard of the Web Console does not create a report
delivery task automatically even if you specify the mail server in it.
For daily inspections, you will need reports that show threats and protection status:
— Threats:
  — Viruses (over the last day)
  — Network attacks (over the last day)
  — Phishing attempts (over the last day)
  — Host Intrusion Prevention rule triggered (over the last day)
— Protection:
  — Protection status
  — Anti-virus database usage
  — Errors (over the last day)
All pre-configured reports available on the Reports page either do not have any period or show events
over the last 30 days by default. 30-day reports are not very useful for daily inspections. It is difficult to
understand what has changed since yesterday.
You need to create one-day reports manually. Delete all the reports you are not going to use. For
example, reports about encryption errors if you do not have an encryption license.
Formally, the Reports page contains report templates, which describe report type and parameters, rather
than reports themselves. The Administration Server generates reports from templates when emailing
them, or when the administrator clicks a report name.
To create a report (report template):
1. On the Reports page, click the Add button.
2. Name the report comprehensibly, for example Threats report over the last day.
3. Select the report type. There are more than 50 types of reports in Kaspersky Security Center.
4. Select a scope for the report. A report can cover a group, individual computers (a list) or a computer selection. Most reports should cover the whole network; for this purpose, select the All networked devices scope.
5. Select the reporting period. For daily reports, specify one day.
Template settings also include the list of information fields that make up the report tables. Some fields contain insignificant information and can be removed so as not to overload the report. For example, the Virtual server field makes little sense in a report if virtual Administration Servers are not used in the network (1).

(1) The terms 'Virtual Administration Server' or 'Virtual server' that may be encountered in the reports should not be confused with Administration Servers running inside a virtual machine. These two usages of the word "virtual" have almost nothing in common. If your Administration Server runs in a virtual machine, it is still an ordinary Administration Server, not a virtual server. Virtual servers in the reports and other parts of the Console are something else entirely. Virtual Administration Servers are described in course 302.

Event storage parameters are specified in the policies of Kaspersky Endpoint Security and Network Agent, and also in the Administration Server properties, on the Event configuration tab. Events are grouped by four severity levels: Critical, Functional failure, Warning, and Info. The severity level is a permanent attribute of an event; it cannot be modified. Each program has its own events with their own default settings.

An event has three storage settings:
— On the Administration Server, meaning in the Server database. This storage method is enabled for most critical and error events, as well as for many warning and some info events. The default lifetime of Kaspersky Endpoint Security and Network Agent events is 30 days for all events (except, naturally, events whose storage is disabled). The default lifetime of Administration Server events is also 30 days for all severity levels.
  You can export events of the Administration Server and of other Kaspersky applications installed on managed devices to a SIEM system. For this purpose, select the checkbox Export to SIEM via Syslog (standard RFC 5424).
— In the OS event log on the device. This makes sense only for Network Agent events; Kaspersky Endpoint Security already has this capability in its local event processing settings.
— In the OS event log on the Administration Server, similarly to local Kaspersky Endpoint Security events. If the Administration Server becomes inaccessible, the administrator will still be able to find the information in the Windows log.

When the specified lifetime is over, events are automatically deleted from the Administration Server database (but not from Windows logs, which have their own settings). Increasing the lifetime increases the number of events stored in the database, which affects the time required to process operations on events. On the other hand, when the administrator decreases the event lifetime, the maximum reporting period also decreases.
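The Export to SIEM via Syslog option mentioned above emits events in RFC 5424 format. The following added Python example (not Kaspersky code) parses such lines and picks out the critical ones for the daily inspection. The RFC 5424 framing (PRI, version, timestamp, hostname, app-name, procid, msgid, structured data, message) is standard; the structured-data element id event@0, its parameter names and the four sample lines are constructed for illustration and do not reproduce Kaspersky Security Center's actual export schema.

```python
"""Parse RFC 5424 syslog lines from a SIEM feed and select critical events.

Added example, not Kaspersky code. The SD-ID `event@0`, its parameters and
SAMPLE_LINES are constructed; only the RFC 5424 framing is standard.
"""
import re

SEVERITY_NAMES = ("emerg", "alert", "crit", "err", "warning", "notice", "info", "debug")

# HEADER = PRI VERSION SP TIMESTAMP SP HOSTNAME SP APP-NAME SP PROCID SP MSGID SP ...
HEADER = re.compile(
    r"^<(?P<pri>\d{1,3})>(?P<version>\d+) (?P<ts>\S+) (?P<host>\S+) "
    r"(?P<app>\S+) (?P<procid>\S+) (?P<msgid>\S+) (?P<rest>.*)$",
    re.DOTALL,
)
# One SD-ELEMENT: [SD-ID PARAM="VALUE" ...]; values may escape ", \ and ] with a backslash.
SD_ELEMENT = re.compile(r'\[([^\s\]=]+)((?:\s+[^\s=\]]+="(?:[^"\\]|\\.)*")*)\]')
SD_PARAM = re.compile(r'([^\s=\]]+)="((?:[^"\\]|\\.)*)"')


def _unescape(value):
    """Undo the three escapes RFC 5424 allows inside a PARAM-VALUE."""
    return re.sub(r'\\([\\"\]])', r"\1", value)


def parse_rfc5424(line):
    """Return the header fields, structured data and message of one line.
    Raises ValueError on anything that is not well-formed RFC 5424."""
    m = HEADER.match(line)
    if not m:
        raise ValueError(f"not an RFC 5424 line: {line[:40]!r}")
    pri = int(m.group("pri"))
    rest = m.group("rest")
    sd, pos = {}, 0
    if rest.startswith("-"):          # NILVALUE: no structured data
        pos = 1
    else:                             # one or more consecutive SD-ELEMENTs
        while pos < len(rest) and rest[pos] == "[":
            e = SD_ELEMENT.match(rest, pos)
            if not e:
                raise ValueError("malformed structured data")
            sd[e.group(1)] = {k: _unescape(v) for k, v in SD_PARAM.findall(e.group(2))}
            pos = e.end()
    msg = rest[pos:]
    if msg.startswith(" "):           # the single SP separating SD from MSG
        msg = msg[1:]
    return {
        "facility": pri // 8,
        "severity": pri % 8,
        "severity_name": SEVERITY_NAMES[pri % 8],
        "timestamp": m.group("ts"),
        "host": m.group("host"),
        "app": m.group("app"),
        "sd": sd,
        "msg": msg,
    }


def critical_events(lines):
    """Events at syslog severity crit (2) or worse: the ones to act on today."""
    return [ev for ev in map(parse_rfc5424, lines) if ev["severity"] <= 2]


# Constructed sample feed (PRI 10 = user.crit, 12 = user.warning, 14 = user.info).
SAMPLE_LINES = [
    r'<10>1 2024-03-12T08:15:02Z ksc-srv01 KSC - - [event@0 product="KES" type="Threats have been detected" host="WS-017"] Malicious object detected: C:\Users\jdoe\Downloads\invoice.exe',
    r'<12>1 2024-03-12T08:20:11Z ksc-srv01 KSC - - [event@0 product="NAgent" type="Databases are out of date" host="WS-031"] Databases last updated 2024-03-09',
    r'<10>1 2024-03-12T08:41:57Z ksc-srv01 KSC - - [event@0 product="KES" type="Active threat detected. Advanced Disinfection should be started" host="WS-022"] Process cannot be terminated: C:\ProgramData\svchost32.exe',
    r'<14>1 2024-03-12T09:00:00Z ksc-srv01 KSC - - - Scheduled synchronization completed',
]

if __name__ == "__main__":
    for ev in critical_events(SAMPLE_LINES):
        print(ev["timestamp"], ev["sd"]["event@0"]["host"], ev["sd"]["event@0"]["type"])
```

Feed the parser the lines your SIEM receives on the syslog port; anything whose PRI severity is 2 (crit) or lower is what the daily inspection should look at first. Malformed lines raise ValueError rather than being silently dropped, so a truncated or non-RFC 5424 feed shows up immediately instead of producing an empty, reassuring report.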
To be informed about important events, configure notifications. This is configured in the properties of every particular event type that you want to be notified about. Kaspersky Security Center supports four notification channels:
— Email
— SMS
— Running an executable file or script
— SNMP

Notifications help to draw the administrator's attention to the most important events.

By default, notifications are not sent. To start receiving notifications, open the event properties and select notification methods.
By default, all events are delivered with the same parameters, which are specified in the Administration
Server properties. To send different notifications to different addresses or with different text, open the
event properties and disable the option Use Administration Server settings. After that, change the
recipients’ addresses, text template and other notification parameters.
At first, email notification delivery parameters are specified in the Quick Start wizard. You can also modify
them later, in the Notification section of the General tab in the Administration Server properties.
Email notification delivery parameters include:
— Recipients: email addresses separated by semicolons
— SMTP server: name or IP address
— SMTP server port
— Use DNS MX lookup
— Text of the notification message

These parameters are sufficient if the selected SMTP server does not require authorization. The recipient address is also used as the sender address, and the subject of the sent notifications is made of the event severity level and its type, for example, Critical event: Threats have been detected.

Additionally, you can configure the following:
— Message template subject
— Authorization username and password
— Sender address
— Specify a certificate for SMTP server authentication

When configuring the notification subject and text, you can use macros, which will be replaced by the corresponding event attributes in the notifications:
— %SEVERITY%: event severity level
— %COMPUTER%: the sender computer
— %DOMAIN%: Windows domain
— %EVENT%: event
— %DESCR%: event description
— %RISE_TIME%: event time
— %KLCSAK_EVENT_TASK_DISPLAY_NAME%: task name
— %KL_PRODUCT%: program
— %KL_VERSION%: version number
— %HOST_IP%: IP address
— %HOST_CONN_IP%: connection IP address
It is up to the administrator to decide which events to receive notifications about. However, prime candidates are events about active threats and potentially successful attacks:

Event: Active threat detected. Advanced Disinfection should be started
What does it mean? The malicious file is running on the computer, but Kaspersky Endpoint Security cannot terminate it. The user or the administrator must confirm starting the Advanced Disinfection procedure.

Event: Malicious object detected (KSN)
What does it mean? A malicious object was detected using a request sent to KSN rather than signatures. This means that it is a new threat, and the administrator should carefully monitor what is happening in the network, and maybe even switch to a policy with stricter protection settings.

Event: Previously opened dangerous link detected
What does it mean? Information that the link is dangerous appeared only after a user had opened it (data about previous actions is stored in the KSN cache and Remediation Engine's logs). The user could have downloaded and started new malware.

Event: Process terminated
What does it mean? Malware was running on a computer. Although Kaspersky Endpoint Security terminated it, it could have done harm.

Event: Network attack detected
What does it mean? If the attacking computer is located within the network, it may mean that it is infected with unknown malware, or that protection does not work there.

Event: Host Intrusion Prevention rule triggered
What does it mean? If you have configured Host Intrusion Prevention to protect documents against ransomware, these events inform you when unknown programs try to edit or delete the user's documents.
All these events pertain to Kaspersky Endpoint Security. Configure the respective notification settings in
the Kaspersky Endpoint Security policy, on the Event configuration tab. The last event is an Info event.
The others are Critical events.
Some events (including important) may occur too frequently to send a notification for each of them. For
example, the Threats have been detected event during a virus outbreak may invoke tens and hundreds
of notifications.
To make each notification draw your attention, limit the number of notifications. For this purpose, in the
Administration Server properties, open the Notification section and click the link Configure numeric limit
of notifications.
Set the limit as the maximum number of notifications over a time span. As soon as the limit is reached,
notifications are suppressed until the specified period is over. If new events are received afterwards,
the limit is counted anew. The same limit is used for all notification types, but applies individually to each
event type. E.g., if notifications for the Threats have been detected event hit the limit, notifications for
other event types will not be affected.
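The macro-based message template described earlier and the per-event-type notification limit described here, as one added Python example (not Kaspersky Security Center code): the limiter keeps one counter per event type, allows at most a given number of notifications within a span, suppresses the rest of that type until the span is over, and starts counting anew on the next event, while other event types are unaffected. The events, hosts, version string and the assumption that a span begins with the first event of its type are constructed for illustration; the product may anchor the period differently.

```python
"""Notification limit per event type, plus macro rendering of the
notification subject and body.

Added example, not Kaspersky Security Center code. Event records are dicts
keyed by the macro names from the text (SEVERITY, COMPUTER, EVENT, DESCR,
RISE_TIME, KL_PRODUCT, HOST_IP, ...); the sample events are constructed.
Assumption: a span starts with the first event of a type and the count is
reset by the first event that arrives after the span has ended.
"""
from datetime import datetime, timedelta

MACROS = ("SEVERITY", "COMPUTER", "DOMAIN", "EVENT", "DESCR", "RISE_TIME",
          "KLCSAK_EVENT_TASK_DISPLAY_NAME", "KL_PRODUCT", "KL_VERSION",
          "HOST_IP", "HOST_CONN_IP")

SUBJECT = "%SEVERITY% event: %EVENT% on %COMPUTER%"
BODY = "%DESCR% (%KL_PRODUCT% %KL_VERSION%, %HOST_IP%) at %RISE_TIME%"


def render(template, event):
    """Replace every known %MACRO% with the event attribute of the same name.
    Attributes the event lacks become empty strings; unknown %...% text stays."""
    for name in MACROS:
        template = template.replace(f"%{name}%", str(event.get(name, "")))
    return template


class NotificationLimiter:
    """At most `limit` notifications per event type within `period`."""

    def __init__(self, limit, period):
        self.limit = limit
        self.period = period
        self._spans = {}  # event type -> (span start, notifications sent)

    def allow(self, event):
        kind, now = event["EVENT"], event["RISE_TIME"]
        start, sent = self._spans.get(kind, (None, 0))
        if start is None or now - start >= self.period:
            start, sent = now, 0          # previous span is over: count anew
        if sent >= self.limit:
            return False                  # limit reached: suppress until span ends
        self._spans[kind] = (start, sent + 1)
        return True


def deliver(events, limit, period, subject=SUBJECT, body=BODY):
    """Run events (in time order) through the limiter; return the rendered
    notifications that would be sent and how many were suppressed."""
    limiter = NotificationLimiter(limit, period)
    sent, suppressed = [], 0
    for ev in events:
        if limiter.allow(ev):
            sent.append((render(subject, ev), render(body, ev)))
        else:
            suppressed += 1
    return sent, suppressed


def _event(minute, kind, host, ip, descr, severity="Critical"):
    """Constructed Kaspersky Endpoint Security event at 08:00 + `minute` on 2024-03-12."""
    return {
        "SEVERITY": severity, "COMPUTER": host, "DOMAIN": "CORP", "EVENT": kind,
        "DESCR": descr, "RISE_TIME": datetime(2024, 3, 12, 8, 0) + timedelta(minutes=minute),
        "KL_PRODUCT": "Kaspersky Endpoint Security for Windows", "KL_VERSION": "11.6.0",
        "HOST_IP": ip,
    }


THREAT = "Threats have been detected"
# A small outbreak: six detections in 25 minutes, one network attack, one late detection.
SAMPLE_EVENTS = [
    _event(0, THREAT, "WS-017", "10.0.5.17", "Malicious object detected: invoice.exe"),
    _event(5, THREAT, "WS-018", "10.0.5.18", "Malicious object detected: invoice.exe"),
    _event(10, THREAT, "WS-019", "10.0.5.19", "Malicious object detected: invoice.exe"),
    _event(12, "Network attack detected", "WS-004", "10.0.5.4", "Attack from 10.0.5.19"),
    _event(15, THREAT, "WS-020", "10.0.5.20", "Malicious object detected: invoice.exe"),
    _event(20, THREAT, "WS-021", "10.0.5.21", "Malicious object detected: invoice.exe"),
    _event(25, THREAT, "WS-022", "10.0.5.22", "Malicious object detected: invoice.exe"),
    _event(120, THREAT, "WS-030", "10.0.5.30", "Malicious object detected: macro.docm"),
]

if __name__ == "__main__":
    sent, suppressed = deliver(SAMPLE_EVENTS, limit=3, period=timedelta(hours=1))
    for subject, body in sent:
        print(subject, "|", body)
    print(f"{suppressed} notifications suppressed")
```

With a limit of 3 per hour, the first three detections and the network attack are delivered, the next three detections are suppressed, and the detection two hours later opens a new span and is delivered again. The suppressed ones are still in the Administration Server database and in the daily report; only the emails are throttled, which is why the limit is safe to set low.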
3. What to do if something has happened
If no new events about threats have appeared on the computers over the last day, you do not need to do
anything. But what to do if there are some events?
First of all, find out what has happened to the detected threats. If Kaspersky Endpoint Security deleted,
disinfected or blocked a threat, you do not need to do anything. Just reset the virus counter on the
computer to be able to see when new threats appear.
If malware is not treated or removed, act according to a plan. Prepare the plan beforehand.
co
A typical plan may include the following steps:
1. Run the critical areas scan task to understand whether the computer is infected
2.
If a computer is infected or you suspect that it may be infected with unknown malware:
be
2.1. Isolate the computer from other computers in the network
2.2. Disable the policy using the password
2.3. Raise the heuristics level and enable Advanced Disinfection technology
2.4. Check integrity of Kaspersky Endpoint Security by a local task
2.5. Perform full scan on the computer
If this does not help, restore the computer from an image. If all computers are installed from images at the
company, and the users’ data are stored in the network rather than on the computers, restoring from an
image may be the first step of your plan to save time.
If you find suspicious files during an investigation, send them to Kaspersky for analysis via the portal
companyaccount.kaspersky.com. Also, invite internal or external experts if you suspect a targeted attack
against your organization.
You can find out that viruses have been found from events, reports, statistics and computers' statuses.
After the statistics, it is the statuses that draw your attention first.
Threat detection and their processing results define the computer status in the Administration Console:
OK, Warning or Critical. This allows the administrator to easily notice problematic computers when
looking through the groups.
The Many viruses detected status tells that viruses were found on the computers. This status is related
to the virus counter parameter. Every time malware is detected on the computer, the counter increases its
value by 1. The counter value is transferred to the Administration Server during the synchronization.
The status is activated if the virus counter value exceeds the specified threshold. By default, the Many
viruses detected status is disabled.
To enable the status to show the computers where malware was found, go to the Devices | Hierarchy of
groups page and open the properties of the Managed devices group. Switch to the Device status tab
and activate the status Too many viruses detected. To make computers receive the Warning status and
be displayed yellow, activate the status in the Warning section. To make computers receive the Critical
status and be displayed red, activate the status in the Critical section. To paint computers yellow when
there are a few viruses on them, and red when the number of viruses exceeds, say, 5, configure different
thresholds for the status Many viruses detected (select the status and click the Edit button).
If at least one of the managed computers receives either There are active threats or Many viruses
detected status, the global Protection status also changes on the Dashboard.
The statuses OK, Warning, and Critical are links. If you click the Critical status, the selection of
devices that have the corresponding status will open. All statuses behave this way on the Dashboard
page. In the selection, you can find out why the device has received the corresponding status.
A selection is a dynamic set of computers selected by an attribute. There are standard selections on the
Administration Server, which show computers with various statuses, for example, There are active
threats and Many viruses detected.
You can take group actions on the computers joined into a selection, for example, start update and
search tasks, move into a group, etc. So, selections are very useful when dealing with the computers that
have a problem status.
The Threats report shows statistics of processing the malware detected on the managed computers: How
many objects were treated, how many blocked (by Web Threat Protection), how many deleted and how
many still remain unprocessed. It also shows the number of dangerous objects whose processing results
are unknown. These statistics are available for each type of malware.
The Threats report can show which malware KES detected, and using which technology. To be able to
see this information, add the By KSN verdict column to the Details table. You can also add the
Detection technology that pinpointed the malicious code and SHA-256. For this purpose, in the
properties of Threats report, open the Fields tab, click the Add button, and select the necessary data in
the Field name list.
Report on most heavily infected devices and Report on users of infected devices may also come in
handy. If some computers have been infected considerably more than others, it might be worthwhile to
find the reason and take appropriate measures.
Network attacks are not included in the Viruses report. To see the big picture of all attacks, consult the
Network attack report. It shows which attack types were detected, and more importantly, the IP addresses
of the attacking computers. Knowing the address, the administrator can investigate the incidents and
better solve the problem.
The Network attack report is not created by default. To view it, create a new template on the Monitoring
& Reporting | Reports page.
In addition to reports, check computer events to understand how Kaspersky Endpoint Security copes with
threats. Events show what was happening simultaneously with threat detection, whether there were other
threats or errors in components’ operation. To understand where a threat ended, always check the last
event about it. It is normal for Kaspersky Endpoint Security to first inform that it cannot disinfect a file, and
in a second, report that the file was deleted successfully.
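The "always check the last event" rule is easy to get wrong when reading an exported event list by hand. The following Python script is an added example (not part of the course and not Kaspersky code): it parses a constructed tab-separated export, groups the events by host and object, and judges each object only by its final event, so a "not disinfected" that is followed by "deleted" one second later counts as processed, while an object on a network share that could not be deleted stays an active threat. The event texts and the log format are assumptions made for the example:

```python
from dataclasses import dataclass
from datetime import datetime


@dataclass
class ThreatEvent:
    time: datetime
    host: str
    event: str      # processing result reported by Kaspersky Endpoint Security
    obj: str        # path or URL of the detected object


# Event texts are assumptions for this example; they map to an outcome.
PROCESSED = {"Object deleted", "Object disinfected", "Object blocked", "Object quarantined"}
UNPROCESSED = {"Object not disinfected", "Object not deleted", "Object not processed"}

# Constructed export: <ISO time> TAB <host> TAB <event> TAB <object>
SAMPLE_EVENTS = """\
2023-03-01T09:12:03\tws1\tMalicious object detected\tC:\\Users\\alice\\Downloads\\setup.exe
2023-03-01T09:12:04\tws1\tObject not disinfected\tC:\\Users\\alice\\Downloads\\setup.exe
2023-03-01T09:12:05\tws1\tObject deleted\tC:\\Users\\alice\\Downloads\\setup.exe
2023-03-01T10:40:11\tws2\tMalicious object detected\t\\\\fs1\\share\\invoice.exe
2023-03-01T10:40:11\tws2\tObject not deleted\t\\\\fs1\\share\\invoice.exe
2023-03-01T11:02:50\tws3\tObject blocked\thttp://malware.example/payload.js
"""


def parse(text: str):
    """Turn the export into ThreatEvent records; blank lines are skipped."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, host, event, obj = line.split("\t", 3)
        events.append(ThreatEvent(datetime.fromisoformat(ts), host, event, obj))
    return events


def outcomes(events):
    """Judge every (host, object) pair by its LAST event in time order.
    sorted() is stable, so events with an identical timestamp keep their
    export order."""
    last = {}
    for e in sorted(events, key=lambda e: e.time):
        last[(e.host, e.obj)] = e
    result = {}
    for key, e in last.items():
        if e.event in PROCESSED:
            result[key] = "processed"
        elif e.event in UNPROCESSED:
            result[key] = "active threat"
        else:
            result[key] = "unknown"      # detection without a final result
    return result


def active_threats(text: str = SAMPLE_EVENTS):
    """(host, object) pairs whose last event says the object was not handled."""
    return sorted(k for k, v in outcomes(parse(text)).items() if v == "active threat")
```

Run against the constructed export, only the ws2 object on the file share comes back as an active threat; the ws1 object, whose first result was "not disinfected", ends as processed.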
You do not have to study reports and events to be able to understand whether any computers are
infected.
Usually, if Kaspersky Endpoint Security cannot neutralize a malicious file, it informs the server about this
using the status There are active threats. This status is enabled by default and is displayed on the web
widget Types of detected viruses and disinfection results. It gives computers the Warning status, and
is displayed on the Dashboard page.
This status is assigned to computers where malware programs were detected and were not cured.
The Active threats category can be comprised of widely different objects. It can be a virus in memory,
which actively counters the attempts to delete it. Or it can be an infected object on a network drive where
Kaspersky Endpoint Security has no Write permission to disinfect or delete the file.
When a user accesses a malicious file in a shared folder on a file server, the protection solution installed
on the server may block access and delete the file. Meanwhile, the protection software installed on the
user’s computer detects the threat at the same time, but cannot delete the file from the folder and informs
that there is an unprocessed threat, although in reality it has been processed on the server. This is a
reason for paying attention anyway, since malicious files must not appear in shared folders, and you need
to find out how it got there.
To reset computer status, neutralize the detected objects. If an object cannot be neutralized, as in the
described situation with malware in a shared folder, delete the record about the unprocessed object from
the list of unprocessed objects:
1. In the Web Console, open Operations | Repositories | Active threats
2. Find the file in the shared folder and carry out the Delete command on it
If many viruses or a previously opened malicious link have been detected on a computer, or a malicious
process has been terminated, it may mean that the computer can still be infected. To scan a computer for
known threats, run critical areas scan there.
There are a few ways to achieve this. The one which is always available is as follows:
1. Open the computer properties
2. Open the Tasks tab
3. Find the task Critical Areas Scan and run it
Critical Areas Scan is a local task, which is available in each installation of Kaspersky Endpoint Security.
Local means that it is displayed only in the computer properties, but is not shown in groups or in the
Tasks node. This makes it less useful. To start it on several computers, you have to open their properties
one by one.
You can also use the group Virus Scan task, which has to be created manually. However, it will scan all
computers, and why slow down the computers where there are no threats?
To quickly scan critical areas on those computers where threats have been detected, make a virus scan
task for specific computers or the corresponding computer selection.
Usually, even if malware is running, Kaspersky Endpoint Security can terminate it. Host Intrusion
Prevention, Behavior Detection, and Exploit Prevention components are responsible for this. File Threat
Protection does not scan programs in the memory.
If a computer is infected and Kaspersky Endpoint Security cannot stop malware, use the Advanced
Disinfection technology.
This technology is disabled by default, because it blocks start of all programs and restarts the computer,
which would hamper the users. The user can agree to perform the Advanced Disinfection procedure and
take the risk of losing data, or refuse to start the procedure and leave the computer infected. Anyway, it
should be the administrator who makes the decision rather than the user.
If you suspect that a computer is infected, it is best to reinstall it from the image. If it is unacceptable or
impossible, try to disinfect the computer:
1. Disconnect the computer from the corporate network
2. Disable the policy using the command Disable policy on the shortcut menu of the KES icon. To use
this command, enable password protection in the Kaspersky Endpoint Security policy
3. Open the Kaspersky Endpoint Security window and click Protection components
4. Go to General and select the checkbox Use Advanced Disinfection technology
5. Run a Virus scan task: Return to the main window of Kaspersky Endpoint Security and click the
Tasks area
6. If Kaspersky Endpoint Security finds a threat and prompts you to perform a special disinfection
procedure, agree. With Advanced Disinfection technology enabled, Kaspersky Endpoint Security does
not permit new programs to start, scans memory, takes more aggressive methods when terminating
processes, and tries to delete malicious files at restart
7. Restart the computer, connect it to the internet and update the signatures
8. Scan the whole computer once again
After all threats have been neutralized, reset the virus counters on the computer.
The virus counter can only increase without interference from outside, and the only method of changing
this status is to manually reset the counter. For this purpose, open the computer properties: On the
General tab, in the Protection section, there is the button Reset virus counter.
If protection does not work, there may be various reasons. Before contacting technical support,
make sure that:
— Kaspersky Endpoint Security is installed on the computer. The user may have uninstalled Kaspersky
Endpoint Security. Reinstall it and protect it from the user: set a password
— The Network Agent is installed on the computer. The user could have uninstalled Network Agent;
then the Console would show the last data which the Agent had sent to the Server. Reinstall the
Agent and protect it from the user: set an uninstallation password
— A policy is applied to the computer. A computer may belong to a group without a policy, or a
Kaspersky Endpoint Security version for which there is no policy on the server may be installed on
the computer. Create policies in all groups and for all used versions of Kaspersky Endpoint Security
— Policy settings are locked. If the locks are open, the user can modify parameter values and
potentially disable components or even the start of Kaspersky Endpoint Security. Close the locks for
all important parameters in the policy
— Password protection is enabled. If password protection is not enabled, the user can exit Kaspersky
Endpoint Security even without administrative permissions
After you have checked for trivial causes, look at the errors. If Kaspersky Endpoint Security does not run
because of failures, collect diagnostic logs and contact Kaspersky technical support.
The following computer statuses may mean that protection does not work:
— Security application is not installed. This condition is enabled by default for the Warning and
Critical statuses
— Real-time protection level differs from the level set by the administrator. It is disabled by default.
You can set one of the following values: Starting; Running; Running (maximum speed); Running
(recommended settings); Running (custom settings); Stopped; Paused; Failed to start
— Security application is not running. This condition is enabled by default for the Critical status
— Protection is disabled. It is enabled by default for the Critical status
The status Real-time protection level differs from the level set by the administrator, although disabled by
default, is more useful than the status Protection is disabled. The status ‘Protection is disabled’ does not
show what is wrong: The application is malfunctioning or the user has exited it. The status Real-time
protection level differs from the level set by the administrator shows this difference.
We recommend that you enable the condition Real-time protection level differs from the level set by
the administrator for the Critical status and select the Running value for it.
There are standard computer selections for the statuses Protection is disabled and Security application is
not installed. The administrator can create custom selections for other statuses.
The status Security application is not running is always accompanied by the status Protection is disabled,
but not the other way around. If Kaspersky Endpoint Security works, but all protection components are
disabled, the computer’s status will be Protection is disabled without the status Security application is not
running.
Protection is considered to be running in Kaspersky Endpoint Security if at least one of the protection
components works, even if it is only Mail Threat Protection.
To understand that components have not started on the computer because of a failure, consult the Errors
report or an event selection. To check all errors:
1. Go to Monitoring & Reporting | Event Selections
2. Click the Functional failures selection
To understand which components are running on a computer, open the Tasks tab in the computer
properties. Components are listed among other tasks and the list shows which ones are running and
which are not.
The Protection is disabled status is one of the most critical protection statuses. To solve this problem,
carry out the command for the Network Agent to start Kaspersky Endpoint Security on the Applications
tab of the computer properties.
If individual components are not running, you can start them on the Tasks tab.
Another method of starting Kaspersky Endpoint Security—the Start or stop application task. This task is
an advanced task of Kaspersky Security Center that can be created for groups or specific computers.
A group task is convenient if the Virus outbreak event is registered—it can start protection on all network
computers, in case the protection is stopped somewhere.
A task for specific computers can better serve the purpose of rectifying the Protection is disabled status.
To create a task that starts Kaspersky Endpoint Security:
1. Run the task creation wizard on the Devices | Tasks page
2. Select Kaspersky Security Center and task type Start or stop application
3. Specify the devices to which the task is to be assigned—Selection
4. Specify the computer selection Protection is disabled
5. Select the Kaspersky Endpoint Security versions that need to be run and the command Start
application
If protection does not work, it is very bad. However, if it works with old signatures, it is not any better. Pay
attention to computers that have old signatures, update them and find out why the signatures have not
been updated.
First, solve trivial issues. Check the following:
— The computers have an update task. This task is created by default. However, when groups and
tasks become numerous, it may turn out that some computers do not have an update task for the
necessary version of Kaspersky Endpoint Security
— Task schedule. If the administrator created update tasks manually, he or she might have failed to
set a schedule for them by mistake
— Task source. Within the network, the Kaspersky Security Center source must be specified
— The Administration Server has a "Download updates to the repository" task. It is created by
default, but may have been deleted by mistake
— Schedule and source of the "Download updates to the repository" task. The task is created by
default, but may have been deleted accidentally, or its schedule may be misconfigured
— The Administration Server can access the selected source. Probably, the internet is accessible only
through a proxy server, but its address and authentication data (username and password) are not
specified or need to be updated
After that, check for update task errors. If errors result from Kaspersky Endpoint Security failures, collect
logs and contact the technical support.
Specifically consider whether you need distribution points. They are not of much help in a small network,
and complicate diagnostics. The Administration Server automatically assigns distribution points by
default. You can disable this.
The web widget Distribution of antivirus databases on the Dashboard page provides the most
important information about the databases in use. If everything is fine, the web widget will display a green
pie chart and the time when the latest updates were downloaded to the server repository. If there is an
issue, a part of the chart will become yellow or red and the value of the corresponding counter will
increase.
Database statuses displayed in the web widget are links that open the respective device selections:
— Devices with up-to-date databases
— Devices with databases updated in the last 24 hours
— Devices with databases updated in the last 3 days
— Devices with databases updated in the last 7 days
— Devices with databases that have not been updated for more than 7 days
More detailed information about the databases in use and computers with issues is available within the
appropriate reports. The Database usage report shows the number of computers where databases are 1-day old, 3-day old, 7-day old, and older.
If the databases became obsolete on the computer not because it was off, but because of update task
errors, the administrator would need to view update task events to find out the reason. The events sent to
the Administration Server are often insufficient for thorough analysis of the situation. The local update
report of Kaspersky Endpoint Security usually contains more events.
Computer statuses inform about old signature databases.
be
Computers with old databases receive a Warning or Critical status depending on how old their
databases are. The status criteria are configured in the group properties. By default, the Warning status
is given to the computers whose databases are 7 or more days old, and Critical is assigned after 14
days.
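The status rules above (database age thresholds here, and the There are active threats and Many viruses detected conditions described earlier in this section) combine on each device, with the worst matching condition deciding the colour. The following Python model is an added example, not course material and not Kaspersky code: it evaluates a constructed fleet against the defaults the text gives (Warning at 7 days, Critical at 14, Many viruses detected disabled) and shows what enabling Many viruses detected with assumed thresholds of 1 (Warning) and 5 (Critical) changes. The device names, the virus-counter thresholds and the reason texts are assumptions:

```python
from dataclasses import dataclass

OK, WARNING, CRITICAL = 0, 1, 2
LEVEL_NAME = {OK: "OK", WARNING: "Warning", CRITICAL: "Critical"}


@dataclass
class Device:
    name: str
    kes_installed: bool = True
    kes_running: bool = True
    protection_enabled: bool = True   # at least one protection component works
    active_threats: bool = False      # malware detected but not neutralized
    virus_counter: int = 0            # grows on every detection, reset only manually
    db_age_days: int = 0              # age of the anti-virus databases


@dataclass
class StatusRules:
    """Device status settings of a group. Database ages follow the defaults
    given in the text; the Many viruses detected thresholds are assumed values
    for a group where the administrator has enabled that condition."""
    db_warning_days: int = 7
    db_critical_days: int = 14
    many_viruses_enabled: bool = False   # disabled by default
    many_viruses_warning: int = 1        # counter above this -> Warning (assumed)
    many_viruses_critical: int = 5       # counter above this -> Critical (assumed)


def evaluate(dev: Device, rules: StatusRules = StatusRules()):
    """Return (status name, reasons), in the spirit of the Status description
    column: every matching condition is listed, the worst one sets the colour."""
    reasons = []
    if not dev.kes_installed:
        reasons.append((CRITICAL, "Security application is not installed"))
    else:
        if not dev.kes_running:
            reasons.append((CRITICAL, "Security application is not running"))
        if not dev.kes_running or not dev.protection_enabled:
            # 'not running' always implies 'Protection is disabled', not vice versa
            reasons.append((CRITICAL, "Protection is disabled"))
    if dev.db_age_days >= rules.db_critical_days:
        reasons.append((CRITICAL, f"Databases are {dev.db_age_days} days old"))
    elif dev.db_age_days >= rules.db_warning_days:
        reasons.append((WARNING, f"Databases are {dev.db_age_days} days old"))
    if dev.active_threats:
        reasons.append((WARNING, "There are active threats"))
    if rules.many_viruses_enabled and dev.virus_counter > rules.many_viruses_warning:
        level = CRITICAL if dev.virus_counter > rules.many_viruses_critical else WARNING
        reasons.append((level, f"Many viruses detected ({dev.virus_counter})"))
    worst = max((lvl for lvl, _ in reasons), default=OK)
    return LEVEL_NAME[worst], [text for _, text in reasons]


def selection(devices, status: str, rules: StatusRules = StatusRules()):
    """Dynamic selection: names of the devices currently in the given status."""
    return sorted(d.name for d in devices if evaluate(d, rules)[0] == status)


def demo():
    """Constructed fleet mirroring the situations described in the text."""
    fleet = [
        Device("ws-ok"),
        Device("ws-share", active_threats=True),          # undeletable file on a share
        Device("ws-stale", db_age_days=8),
        Device("ws-dead", db_age_days=15, kes_running=False),
        Device("ws-noav", kes_installed=False),
        Device("ws-burst", virus_counter=6),
    ]
    strict = StatusRules(many_viruses_enabled=True)
    return {s: selection(fleet, s, strict) for s in ("OK", "Warning", "Critical")}
```

With the default rules the device ws-burst stays OK despite six detections, because Many viruses detected is disabled; the same device turns Critical once the condition is enabled with the assumed thresholds.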
To understand why the computer status is not OK, consult the Status description column of the Devices
| Managed devices page or the Protection section of computer properties. To view detailed information
about the signatures and, specifically, the last update date, open the properties of the Kaspersky
Endpoint Security program on the Applications tab of computer properties.
Updates from the Administration Server repository are distributed to the client computers by group update
tasks.
To ensure coverage of all managed computers, the update task must be created as a group task within
the Managed devices group. The Quick Start wizard creates this type of task: Install update. If
computers are combined into groups and the optimal updating procedure is different for various groups,
you can create a customized update task for each group.
If both parent and child groups have tasks of the same type, the computers of the child group will run both
tasks. This will most likely result in errors, since if an update task is already running, another one cannot
start. To avoid that, either delete the task in the parent group or disable its scheduled start or exclude the
subgroups that have their own tasks from the parent group task scope.
Note: If earlier or other Kaspersky Endpoint Security versions (for example, Kaspersky Endpoint Security
for Mac or Kaspersky Security for Windows Servers) are used in your network, they need separate
update tasks.
If there are many groups in the Web console, and different versions of Kaspersky Endpoint Security are
installed on the computers, it is hard to immediately understand whether all computers have update tasks.
If signatures are outdated on a computer, to understand whether it has an update task:
1. Open computer properties and switch to the Applications tab
2. Memorize the complete name of Kaspersky Endpoint Security, including the Service Pack version
3. Go to the computer's group
4. Switch to the Tasks tab
5. Look for a task that has the Update type and whose Kaspersky Endpoint Security version coincides
with that displayed in the computer properties
If there is no such task, create it in this group or in a parent group. Try to create as few tasks as
possible. One update task per version of Kaspersky Endpoint Security, created in the root group
Managed devices, is often sufficient.
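The manual check above (find the product version, walk up the group tree, look for a matching Update task) and the parent/child task conflict described earlier in this section can both be automated over an inventory export. The following Python script is an added example, not course material and not Kaspersky code: it models groups, update tasks with their scope exclusions, and computers with their product version, then reports computers that have no update task and computers that would run two. The group names, task names and product names are assumptions:

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional


@dataclass
class Group:
    name: str
    parent: Optional[str] = None          # None for the root group Managed devices


@dataclass
class UpdateTask:
    name: str
    group: str                            # group the task was created in
    app_version: str                      # full product name, incl. version
    scheduled: bool = True                # False: schedule disabled or set to Manually
    excluded_subgroups: List[str] = field(default_factory=list)


@dataclass
class Computer:
    name: str
    group: str
    app_version: str


def chain(groups: Dict[str, Group], name: str) -> List[str]:
    """The computer's group followed by its ancestors up to the root."""
    path = []
    while name is not None:
        path.append(name)
        name = groups[name].parent
    return path


def covers(groups: Dict[str, Group], task: UpdateTask, comp: Computer) -> bool:
    """A task runs on a computer when it matches the product version, has an
    active schedule, lives in the computer's group or an ancestor, and does
    not exclude the subtree the computer sits in."""
    if task.app_version != comp.app_version or not task.scheduled:
        return False
    path = chain(groups, comp.group)
    if task.group not in path:
        return False
    return not any(ex in path for ex in task.excluded_subgroups)


def audit(groups, tasks, computers):
    """Return {'missing': [computer names], 'conflict': {computer: [task names]}}."""
    missing, conflict = [], {}
    for comp in computers:
        hits = [t.name for t in tasks if covers(groups, t, comp)]
        if not hits:
            missing.append(comp.name)
        elif len(hits) > 1:
            conflict[comp.name] = hits
    return {"missing": sorted(missing), "conflict": conflict}


# Constructed inventory (names and versions are assumptions for the example)
KES_WS = "Kaspersky Endpoint Security 11.6.0 for Windows"
KES_MAC = "Kaspersky Endpoint Security 11 for Mac"
KSWS = "Kaspersky Security 11 for Windows Server"

GROUPS = {g.name: g for g in [
    Group("Managed devices"),
    Group("Workstations", "Managed devices"),
    Group("Sales", "Workstations"),
    Group("Servers", "Managed devices"),
]}
TASKS = [
    UpdateTask("Update KES (root)", "Managed devices", KES_WS),
    UpdateTask("Update KES (Sales, off-hours)", "Sales", KES_WS),
    UpdateTask("Update KSWS", "Servers", KSWS, scheduled=False),   # schedule forgotten
]
COMPUTERS = [
    Computer("ws1", "Workstations", KES_WS),
    Computer("sales1", "Sales", KES_WS),
    Computer("srv1", "Servers", KSWS),
    Computer("mac1", "Workstations", KES_MAC),
]


def before_and_after():
    """Show the audit result, then apply the remedy from the text: exclude the
    subgroup that has its own task from the parent task's scope."""
    before = audit(GROUPS, TASKS, COMPUTERS)
    TASKS[0].excluded_subgroups = ["Sales"]
    after = audit(GROUPS, TASKS, COMPUTERS)
    TASKS[0].excluded_subgroups = []      # restore so the call is repeatable
    return before, after
```

In the constructed inventory, sales1 would run both the root task and the Sales task until the Sales subgroup is excluded from the root task; srv1 and mac1 stay without an update task (an unscheduled task and a product version with no task at all) and need their own tasks.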
Each product update task has a specific schedule and settings, including:
— The list of update sources
— Update parameters
— The settings used to copy updates to a specified folder
— The list of subgroups on whose computers the task will not run
The standard schedule for the Kaspersky Endpoint Security update tasks is When new updates are
downloaded to the repository. Unlike a periodical schedule when Kaspersky Endpoint Security defines
the start time and starts the task regardless of whether the Administration Server can be reached or not,
the When new updates are downloaded to the repository schedule means that the task is always
started by the Administration Server command.
The Administration Server sends a ‘wake up’ call to UDP port 15000 of all affected client computers that
there are new settings for them. The port is listened to by the Network Agents, and upon receiving the call
the Agents connect to the Administration Server and download whatever new settings are available. Upon
connection to the Server, the Agent receives the command to start the task and transfers it to Kaspersky
Endpoint Security, which carries it out. If the ‘wake up’ call doesn’t reach some computers, they will
receive the command during a planned synchronization performed every 15 minutes by default (the
period is defined in the Network Agent policy).
The schedule When new updates are downloaded to the repository guarantees that the client
computers will receive updates as soon as possible and without calling the server every now and then.
Alternatively, a simple periodical schedule can be used (for example, once an hour).
To prevent serious peak loads on the update source and the network at the moment of task start,
randomization of the task launch within a certain interval is used. E.g., if the 5-minute interval is selected,
the computer will begin the next scheduled update after a random delay ranging from 0 to 5 minutes.
By default, the Administration Server automatically defines the randomization interval depending on the
number of computers the task pertains to. The administrator can also specify it manually.
If signatures are outdated on the computers, check the update task schedule. If the schedule is set to
Manually, weekly or monthly, change it to When new updates are downloaded to the repository or Once
every N hours.
To specify the list of sources, open the task properties and switch to the Application Settings | Local
mode tab. Updates can be retrieved from the following sources:
— Kaspersky Security Center—the recommended source for all managed computers. Moreover,
the most natural source for the When new updates are downloaded to the repository
schedule
— Kaspersky update servers—the recommended source for the computers outside the corporate
perimeter or a backup source if the specified Administration Server is not accessible. However,
the administrators often prefer the computers to wait for the Administration Server connection
rather than create extra internet traffic
— Local or network update folder—another option for backup update sources. You can specify an
HTTP or FTP address instead of a shared folder. For example, if there are several Administration
Servers in the network (this case is described in course KL 302 Kaspersky Endpoint Security and
Management: Advanced Skills), HTTP addresses of update folders located on other servers can
be used as backup sources
A task can have several different sources organized in a list. If the first source turns out to be
inaccessible, the task will attempt to download updates from the next.
Updates are retrieved from the Administration Server by the Network Agents. With the Kaspersky update
servers or other FTP or HTTP locations, updates are downloaded by Kaspersky Endpoint Security
without the Agent.
If signatures are outdated on the computers, check the update task source. Select the Kaspersky Security
Center source. If you want to use a folder or FTP server, make sure that updates are accessible at this
address, and that the computers can access the files.
In the update task properties, you can configure copying updates into a separate folder. This mode can
be used for creating an update source in small networks or subnets without their own Administration
Server. In larger networks, Distribution Points are used to create intermediate update sources. The
Administration Server assigns distribution points automatically (for more details, refer to course KL 302
Kaspersky Endpoint Security and Management: Advanced Skills.)
The task that updates the Administration Server repository is named Download updates to the
repository. The Quick Start wizard automatically creates this task. You can find it in the console, on the
Devices | Tasks tab of the <Administration Server name> group.
If databases are outdated on the computers, check whether the Administration Server has an update
task. Open the Devices | Tasks page of the Administration Server node and look for the Download
updates to the repository task.
You can have only one task of this type. If it is present already, the task creation wizard doesn’t permit
creating another one. However, it is possible to delete the automatically created Download updates to
the repository task and create a new one for troubleshooting.
The settings of that task include the schedule, the update sources, connection parameters, the list of
updates to be downloaded and a few additional options.
Since there can only be one such task, it is recommended to schedule it to run regularly at small intervals
ranging from 15-20 minutes to several hours. The default value is 1 hour.
The following update sources are possible:
— Kaspersky update servers—a list of FTP and HTTP servers officially maintained by Kaspersky.
These servers are located in various countries worldwide to ensure high reliability of the update
procedure. If the task cannot connect to a server, it will try contacting the next one in the list. The
list of servers is downloaded together with the other updates
— Master Administration Server—this option is used if there are several Administration Servers and
they are connected in a hierarchy (described in detail in course KL 302 Kaspersky Endpoint
Security and Management. Advanced Skills)
— Local or network folder—an update source created by administrators. You may specify not only a
network folder, but also an FTP or HTTP address
The task can have several different sources organized in a list. If the first source turns out to be
inaccessible (the Kaspersky update servers source is considered inaccessible only if none of the known
servers are available), the task will attempt to download updates from the next.
You may need to specify the proxy server parameters for the Administration Server update source. All
sources would share the same proxy server. If some sources are accessible without it, enable the Do not
use proxy server option in their properties.
The proxy server is not specified by default. The Quick Start wizard prompts for the proxy server
parameters. To specify a proxy server later:
1. In the Administration Server properties, open General | Configuring internet access
2. Specify the proxy server address, port and authentication parameters: Username and password
These settings will be used for downloading updates and for KSN requests.
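The source list semantics are the same for the computers' update task and for the Download updates to the repository task: sources are tried in order, the Kaspersky update servers entry counts as inaccessible only when every server in it fails, and the proxy applies to every source except those with Do not use proxy server set. The following Python model is an added example, not course material and not Kaspersky code, that walks such a list against a constructed environment in which the proxy credentials have expired; the proxy address, server hostnames and folder URL are assumptions:

```python
from typing import Callable, List, Optional, Tuple


class UpdateSource:
    """One entry of a task's update source list. 'Kaspersky update servers'
    is a set of servers; a folder or HTTP/FTP address is a single location."""

    def __init__(self, name: str, urls: List[str], use_proxy: bool = True):
        self.name = name
        self.urls = list(urls)
        self.use_proxy = use_proxy       # False = 'Do not use proxy server'


Probe = Callable[[str, Optional[str]], bool]


def fetch_updates(sources: List[UpdateSource], probe: Probe, proxy: Optional[str] = None):
    """Walk the list in order. A source is inaccessible only when every address
    inside it fails; only then is the next source tried. probe(url, proxy)
    stands in for the real download attempt and returns True on success.
    Returns ((source name, url), attempts) or (None, attempts)."""
    attempts: List[Tuple[str, str, Optional[str], bool]] = []
    for src in sources:
        via = proxy if src.use_proxy else None
        for url in src.urls:
            ok = probe(url, via)
            attempts.append((src.name, url, via, ok))
            if ok:
                return (src.name, url), attempts
    return None, attempts


# Constructed environment: the proxy account has expired, so every request
# through the proxy fails, while a second Administration Server in the same
# network serves its update folder over plain HTTP without a proxy.
PROXY = "http://proxy.corp.example:3128"
KL_SERVERS = ["http://kl-update-1.example/", "http://kl-update-2.example/"]
KSC2_FOLDER = "http://ksc2.corp.example/Updates/"
REACHABLE = {(KSC2_FOLDER, None)}        # (url, proxy) pairs that succeed


def probe_constructed(url: str, proxy: Optional[str]) -> bool:
    return (url, proxy) in REACHABLE


def default_chain() -> List[UpdateSource]:
    return [
        UpdateSource("Kaspersky update servers", KL_SERVERS),
        UpdateSource("Local or network folder", [KSC2_FOLDER], use_proxy=False),
    ]


def demo():
    return fetch_updates(default_chain(), probe_constructed, proxy=PROXY)
```

The attempts log is what you want in a troubleshooting session: it shows both Kaspersky servers failing through the proxy before the backup folder served the update, which points at the proxy settings rather than at the update servers.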
If an FTP or HTTP server address is selected in a computers’ update task and it is accessible via a proxy
server, specify the proxy server parameters in the Kaspersky Endpoint Security policy. Open the
properties of policy on the Application Settings tab, select the General Settings section and click the link
Network settings.
By default, an automatically detected proxy server is used. This means that Kaspersky Endpoint Security
will take the proxy server settings specified in the internet options in Windows Control Panel. The
administrator can explicitly specify the address, port and account for authentication.
Distribution points are additional update sources in a network. Any computer where the Network Agent is
installed can act as a distribution point. The Administration Server automatically selects the computers to
which it assigns the distribution point role. The administrator can disable automatic allocation and assign
distribution points manually.
Automatically selected distribution points multicast update files and you cannot disable multicasting.
Network administrators often do not like uncontrollable traffic in the network. Also, in a small network of a
few hundred machines, the Administration Server can cope with updates alone, without distribution
points.
To disable automatic assignment of distribution points:
1. Open the Distribution points section in the Administration Server properties
2. Select Manually assign distribution points
With this option selected, the administrator can manually specify the computers to be assigned
distribution points.
For more details about distribution points, please refer to course KL 302. Scaling.
Kaspersky Security Network learns about new malicious files quicker than update tasks. If computers
have no access to KSN, they are more likely to get infected.
If Kaspersky Endpoint Security has no access to KSN, it informs the Administration Server about this via
the event KSN servers unavailable. To quickly find all computers that have no access to KSN, create a
custom computer selection.
By default, Kaspersky Endpoint Security accesses KSN via the Administration Server service named
Kaspersky Security Network proxy server. The service accepts connections on TCP port 13111. If
computers cannot access KSN, make sure that:
— The service Proxy server Kaspersky Security Network is running on the Administration Server
— Port 13111 is not closed by a firewall
In a large network, computers are almost never turned on simultaneously. Some are off at any moment in
time.
They differ by the icon in the console: powered off computers have a red triangle icon with an
exclamation mark in the Visible in the network column. Also, check the columns Network Agent is
installed, Network Agent is running, and Last connected to the Administration Server. If the Agent is not
running and the last connection was established long ago, do not rely on the computer's protection
status; it can be inaccurate.
If a computer remains powered off for a long time, Administration Server assigns one of the following two
statuses to it:
Network Agent has been inactive for a long time: the Network Agent has not connected to the Server all
this time, and the Server was not able to connect to the computer during the full network poll either. By
default, computers receive this status in 14 days. You can change this in the status settings, in the
properties of the Managed devices node.
Device has become unmanaged: the Network Agent has not connected to the Server, but the Server
connected to the computer during the full network poll.
If a computer has the status ’Network Agent has been inactive for a long time’, investigate what has
happened. If the computer does not exist anymore, delete it from the group and then once again from the
Discovery & deployment | Unassigned devices page. If its owner is on vacation, do nothing.
If employees may not connect to the network for a long time (months), increase the period after which the
Administration Server automatically deletes computers from groups (60 days by default). Open the
properties of the Managed devices group, switch to the Settings tab, and in the Device activity section,
change the value of the parameter Remove the device from the group if it has been inactive for
longer than (days). Or disable this parameter at all, if employees may work out of office for an
indefinitely long time.
To enable computers to connect to the Administration Server, receive settings and inform about
threats when outside the office, configure access to the Administration Server ports from the internet.
How to do it is described in course KL 302 Kaspersky Endpoint Security and Management: Advanced
Skills.
If a computer has the status Not connected in a long time, make sure that:
— Network Agent is installed
— Network Agent is running
If the user has uninstalled the Network Agent, configure password protection in the Network Agent policy.
If the Agent is installed and running, check its settings. Use the utility klnagchk.exe from the Network
Agent’s folder %ProgramFiles(x86)%\Kaspersky Lab\NetworkAgent:
— Run the command line interface (cmd.exe) as an administrator
— Go to the Network Agent’s folder
— Start the klnagchk.exe utility
When run without parameters, the utility outputs the Network Agent settings, tries to connect to the
Administration Server with these settings, publishes the result, and finally outputs the connection
statistics.
During the test connection, the Agent neither checks whether new settings are available on the server nor
sends its data to the server.
To make the Agent synchronize with the Server, run the command klnagchk.exe -sendhb
This command must be executed locally on the client computer.
The Web Console also has commands for checking connection to a computer:
Force synchronization (Device properties, the General tab, section General): Sends a signal to UDP
port 15000 of the computer.
Check device accessibility (This command is available only in the MMC Administration Console):
Verifies the computer status Visible in the network against the Administration Server database. Does
not try to connect to the computer, and therefore adds nothing to what the computer icon shows.
If the Network Agent has incorrect Server connection parameters, modify them using the utility
klmover.exe that is located in the same folder of Network Agent:
— Run the command line interface (cmd.exe) as an administrator
— Go to the Network Agent’s folder
— Run the utility klmover.exe with the parameter -address and the Server address:
klmover.exe -address 10.28.0.20
If the Server's port is non-standard, add the parameter -ps and the port number.
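The klnagchk.exe and klmover.exe procedures above, wrapped in an elevated PowerShell script as an added example (not part of the course). It assumes the Network Agent folder named in the text and the Windows service name klnagent for the Network Agent; both are assumptions, adjust them if your installation differs.

```powershell
# Added example, not part of the course: run the Network Agent connection checks
# described above (klnagchk.exe, klnagchk.exe -sendhb, klmover.exe -address / -ps)
# locally on the client computer, as an administrator.
# Assumptions: the Network Agent folder from the text and the service name 'klnagent'.
# Usage (hypothetical file name): .\Check-NetworkAgent.ps1 -ServerAddress 10.28.0.20 -SendHeartbeat
#Requires -RunAsAdministrator
param(
    [string]$ServerAddress,   # new Administration Server address for klmover.exe
    [int]$ServerPort,         # non-standard Server port for klmover.exe -ps
    [switch]$SendHeartbeat    # force a synchronization with klnagchk.exe -sendhb
)

$agentDir = Join-Path ${env:ProgramFiles(x86)} 'Kaspersky Lab\NetworkAgent'
$klnagchk = Join-Path $agentDir 'klnagchk.exe'
$klmover  = Join-Path $agentDir 'klmover.exe'

# 1. Is the Network Agent installed? A missing folder usually means it was uninstalled.
if (-not (Test-Path $klnagchk)) {
    Write-Warning "klnagchk.exe not found in $agentDir; Network Agent is not installed"
    exit 1
}

# 2. Is the Network Agent service running? (Service name 'klnagent' is an assumption.)
$svc = Get-Service -Name 'klnagent' -ErrorAction SilentlyContinue
if ($null -eq $svc) {
    Write-Warning "Service 'klnagent' is not registered"
} elseif ($svc.Status -ne 'Running') {
    Write-Warning "Service 'klnagent' is $($svc.Status); starting it"
    Start-Service -Name 'klnagent'
}

# 3. Optionally rewrite the Server connection parameters, as the text describes
if ($ServerAddress) {
    $moverArgs = @('-address', $ServerAddress)
    if ($ServerPort) { $moverArgs += @('-ps', "$ServerPort") }
    Write-Host "Running: klmover.exe $($moverArgs -join ' ')"
    & $klmover @moverArgs
}

# 4. Print the Agent settings and test the connection (klnagchk.exe without parameters),
#    keeping a copy of the output to attach to a support request
Push-Location $agentDir
try {
    $logPath = Join-Path $env:TEMP 'klnagchk.log'
    & $klnagchk 2>&1 | Tee-Object -FilePath $logPath
    Write-Host "Connection check output saved to $logPath"

    # 5. The plain check exchanges no data with the Server; -sendhb forces a synchronization
    if ($SendHeartbeat) { & $klnagchk -sendhb }
} finally {
    Pop-Location
}
```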
To fix incorrect connection parameters remotely, reinstall the Network Agent. Before that, check the
settings of the Network Agent package. If an Agent has incorrect parameters, they may also be incorrect
in the package.
If Kaspersky Endpoint Security does not work or works differently from what the administrator has
configured, and simple measures do not help, contact technical support.
To receive an answer quicker, collect all logs and attach them to your request:
— Kaspersky Endpoint Security logs
— Trace logs of Kaspersky Endpoint Security around the moment when the issue arises
— Windows logs
— GetSystemInfo log (information about the computer)
To contact the technical support:
1. Create a request at https://companyaccount.kaspersky.com
2. Select the product and functional area
3. Describe the steps that result in the issue
4. Attach the logs
You can collect logs locally on the computer, remotely using the Kaspersky Security Center remote
diagnostics utility or via the MMC Kaspersky Security Center console.
To collect logs remotely, connect to the computer using the remote diagnostics utility:
1. Start the utility from the Kaspersky Security Center folder in the Start menu
2. Specify the target Device and the Administration Server address
3. Click the Sign In button
4. To receive information about the computer, click the link Load system information in the upper-left
corner of the window
5. To receive Windows logs, select the log and click the link Download event log… in the upper-left
corner of the window. Download Kaspersky Event Log and any other logs that contain events
concerning the issue
The diagnostics utility saves the files in a folder on the desktop. Open it using the link Download folder in
the lower-left corner of the window.
To collect trace logs using the diagnostics utility:
1. Select Kaspersky Endpoint Security in the tree
2. Click the link Enable tracing on the left, do not change the trace level, and click OK
3. Reproduce the steps that demonstrate the issue
4. Click the link Disable tracing in the diagnostics utility
5. Expand the folder Trace files under Kaspersky Endpoint Security
6. Select files one by one and download them using the link Download file on the left
If the problem does not pertain to Kaspersky Endpoint Security, or not only to it, collect trace logs of the
Network Agent, Administration Server and Updater components in a similar manner.
When you close the diagnostics utility, it will ask whether to delete the download folder. Do not delete the
folder until you have sent the logs to technical support.
Sometimes, an issue is easier to reproduce locally on the computer. In this case, collect the logs
locally, too.
To collect information about the system, download the GetSystemInfo utility from the getsysteminfo.com
website. Run it and save the log in a folder. The utility also collects information about the system and
Windows logs, and you will not have to add them manually.
To collect the trace logs:
1. In the Kaspersky Endpoint Security window, click the button Support
2. In the Support window, click Support tools
3. Select the checkbox Enable application traces, select the level Normal (500) and click Save
(You can select traces with rotation. In this case, you will be able to limit the maximum number
of trace files and the maximum size of a trace file. If the number of trace files reaches the limit,
the oldest file will be deleted to free space for a new one.)
4. Reproduce the issue
5. Disable tracing
6. Collect the trace logs from the folder %ProgramData%\Kaspersky Lab\
The file name includes the creation date and time; select the latest logs
How to locally enable trace logs for Kaspersky Security Center components is explained in the article
http://support.kaspersky.com/9323
When you have all logs at hand, contact the technical support:
1. Log on to the website companyaccount.kaspersky.com
If you have no account, sign up: Specify your email and license for Kaspersky products (the
activation code or key file)
2. Click the button New request and select Make a request for Tech Support
3. Select the protection scope, product, version, operating system, request type and subtype
4. Type the request subject: Define the problem briefly
5. Describe the issue: The steps that result in it, which result you expect, and which you get instead
6. Attach the archive with all logs
4. What to do from time to time
Besides signature updates, which are issued continually, there are program updates, which are
released much less often:
New versions: Are released once every few years, introduce new capabilities, components, settings,
etc. Are installed by the Kaspersky Endpoint Security installation task and the installation wizard of
Kaspersky Security Center
Service Packs: Are released approximately yearly, sometimes less often. Upgrade components and
drivers, may add new settings and capabilities, but the changes are not as significant as in a new
version. Are installed by the Kaspersky Endpoint Security installation task and the installation wizard of
Kaspersky Security Center
Maintenance Releases: For Kaspersky Endpoint Security, MRs are released once every quarter or two,
fix errors, may slightly change settings, and are installed by the update task. For Kaspersky Security
Center, a Maintenance Release is almost the same as a Service Pack: they are released about a year
after a new version or Service Pack, and are installed by the installation wizard of Kaspersky Security
Center
Patches: Are not released for Kaspersky Endpoint Security. For Kaspersky Security Center, patches are
released quarterly, fix errors, slightly alter operation, and are installed automatically on Network Agents
Private fixes: Are released by request and correct specific issues for individual customers, usually
customers with a Maintenance Service Agreement
You can learn that a minor update (Maintenance Release for Kaspersky Endpoint Security or patch for
Kaspersky Security Center) has been released in Operations | Kaspersky applications | Kaspersky
software updates and patches. Also, consult messages on the Monitoring & Reporting | Notifications
page, in the Updates section.
Minor updates are installed automatically, but only after the administrator approves them. Usually, to
install an update, you need to accept the license agreement. The status You need to accept the
License Agreements for updates informs about this.
To be able to install updates by other manufacturers, you need a Vulnerability and Patch Management
license, for example, KESB Advanced. This is described in course KL 009 Vulnerability and Patch
Management. The current version of Web console only partly supports the Vulnerability and Patch
Management functionality.
Kaspersky Endpoint Security can do without application updates. If there are no critical issues that
impede work, you can use Kaspersky Endpoint Security until a new version or Service Pack is released.
Still, module updates can be useful. They can improve computer performance, increase protection
efficiency and add new functionality to the product. Often benefits outweigh the risks. And the risks can
be mitigated by testing the updates and installing only approved ones. As far as module updates are
concerned, the administrator has the following option in the update task of Kaspersky Endpoint Security:
— Install approved application module updates—enabled by default. Can be disabled in the
groups where computers are extremely sensitive to changes, e.g., groups with important servers
— Automatically install critical application module updates—installs the updates marked as
approved by the administrator and the updates marked as critical by Kaspersky without
the administrator’s approval. Installing unapproved updates may be risky because unforeseen
issues might arise
To approve an update:
1. Select the update on the tab Operations | Kaspersky applications | Kaspersky software
updates and patches
2. Click the Approve button above the list of updates
3. If the update has a license agreement, the respective window will open. Accept the license
agreement
If you approve a wrong update by mistake, open its properties and change the value of the Update
approval field to Undefined or Declined.
Prior to approving an update, install it on test computers and make sure that it is not causing any issues.
After a program update is installed, a restart may be required.
Approved updates of Network Agent are installed automatically without tasks. After the administrator
approves an update, Agents will start downloading it during planned synchronizations and install locally.
By default, the Administration Server installs all Network Agent updates rather than only approved ones.
To install only approved updates:
1. On the Devices | Policies and profiles page, open the Network Agent policy
2. Switch to the Application Settings tab and go to the Manage patches and updates section
3. Disable the option Automatically install applicable updates and patches for components
that have Undefined status
To test Network Agent updates, create a group for test computers and enable installing unapproved
updates in the policy of this group.
The administrator can always select not to install some update, even if automatic update is configured in
the policy. For this purpose, open the update properties and for the parameter Update approval, select
Declined.
To prevent distributing Network Agent updates of older versions (up to version 10 SP1 inclusive), disable
the respective parameter in the task Download updates to the repository:
1. On the Devices | Tasks tab, open the properties of the Download updates to the repository
task
2. Switch to the Application Settings tab and in the Other settings area, click Configure
3. Clear the checkbox Update Network Agent modules (for Network Agent versions earlier
than 10 Service Pack 2)
Since only one task of this type exists, module updates of Network Agents up to version 10 SP1
inclusive will or will not be installed in the whole network. You cannot enable installation of these
updates in some groups and disable in others.
The Monitoring & Reporting | Notifications | Updates page also informs about new product versions and
Service Packs. Monitor the messages:
— Updates are available for Kaspersky Security Center components
— Updates are available for Kaspersky applications
— There are <N> new version(s) of Kaspersky applications available for download
All of them lead to the Installation packages window.
To open this window in another way, go to Operations | Kaspersky applications | Current application
versions.
The window shows the list of available product versions by Kaspersky, which are manageable via
Kaspersky Security Center. You can download them from Kaspersky servers through this window.
Program versions include:
— Distributions that can be downloaded to the Administration Server
— Distributions that cannot be transformed into a package, but can just be downloaded
— Management plug-ins, which can be downloaded and installed in the console
The list includes numerous programs, a few versions of each program and several localizations of each
version, and it’s easy to get lost.
To find what you need, for example, the latest version of Kaspersky Endpoint Security in English,
configure a filter:
— Components:
Workstations: Kaspersky Endpoint Security for various platforms (Windows, Mac)
File Servers and Storages: Distributions and plug-ins of Kaspersky Anti-Virus for Windows File
Servers, Kaspersky Anti-Virus for Windows Servers and Kaspersky Security for Windows Server
Controls: Distributions and patches of Kaspersky Security Center and Network Agent components
for various platforms
Virtualization: Distributions and plug-ins of Kaspersky Security for Virtualization Light Agent
Mobile devices: Distributions and plug-ins of Kaspersky Security for Mobile (Android)
Embedded Systems (ATM and POS): Kaspersky Embedded Systems Security distributions and plug-ins
— Update type: full distribution package, patch, plug-in or web plug-in
— Specify the necessary program version
— Specify the program interface language
Initially, a license is purchased together with the product to entitle its use. Later, another license can be
purchased to overcome one of the following license limitations:
— Prolong—the most typical situation, when the company is satisfied with the product and it is
necessary to renew the license to keep using it
— Increase the number of computers—if the company grows and the number of computers is about to
exceed the license limit
— Extend functionality—if the necessity to use additional product functions has appeared at the
company, for example, Encryption or automatic installation of Windows updates
Also, a license may be denylisted if it is exposed to the internet. Kaspersky blocks these licenses, and
they stop working. Products receive denylists of licenses together with signature updates.
Without a license, Kaspersky Endpoint Security works with limitations:
Before the first license is installed: Only File Threat Protection and Firewall work.
If a commercial license has expired: All components keep working, but update tasks will not start
and KSN servers are inaccessible. Protection level gradually decreases.
If a trial license has expired or a commercial license has been denylisted: Only File Threat Protection
and Firewall will keep working. Protection will be resumed after you activate the product with a valid
commercial license.
If the license is about to expire or has expired on a computer, the administrator should pay attention.
The license expiration date is displayed in the license properties in Operations | Licensing | Kaspersky
licenses.
The computer statuses configured in the administration group properties may also attract the
administrator’s attention. Two status conditions relate to licenses:
— License term expired—sets the computer status to Critical. By default, the condition is triggered in
0 days, meaning, right after the license expires. It can be configured to trigger several days after
the license expiration so that the license could update automatically rather than waste the
administrator’s time
— License term expires soon—sets the computer status to Warning. By default, it is displayed 7 days
before the expiration, but this parameter is adjustable
Most of the information about the keys that the administrator would ever need is available on
the Operations | Licensing | Kaspersky licenses page, including node restriction and use percentage.
The Administration Server shows how many of the managed computers are using the license. It does not
receive data from Kaspersky activation servers, which may have different statistics if the license is also
used on computers without the Network Agent.
Administration Server events inform about exceeding the node limitation:
— License restriction has been exceeded—there are two events with this name, critical and
warning. A critical event is generated when the number of installations constitutes 110% of
the license limit. A warning informs of reaching the limit (100%);
— Over 90% of this key is used up—an information message
The Administration Server does not impose any technical limitations if the license limit reaches either
100% or 110%. If keys are used for activation, the administrator can distribute them with a key installation
task to any number of computers. From the viewpoint of the license agreement, a license entitles you to
use software on the number of devices specified in the license certificate. However, if the Deploy key
automatically option is enabled in the key properties, the Administration Server will not only distribute it to
computers, but also remove the key from excessive computers if the license limit is surpassed.
If activation codes are used, Kaspersky activation servers may impose technical limitations. For each
instance of Kaspersky Endpoint Security that needs to be activated, the Activation Servers issue a
ticket for using the product. If the number of simultaneously issued tickets greatly exceeds the license
limit (1.5 to 2 times), the activation server will stop issuing tickets.
When a license is soon to expire, the company can purchase a new license. The problem is how to switch
from one license to another without a time gap and without reducing the effective license period of either
of the licenses. You would rather not replace the old license when there are still several days left of the
licensing period. However, you want to activate the new license before the old one expires.
To avoid losing the validity period of either the old or the new license, use one of the following approaches:
1. Distribute the new key to the computers using a key installation task beforehand. In the task
settings, specify that it is an additional (backup) key
Additional keys and codes can be added in almost all Kaspersky products. Once the active key
expires, the product is automatically activated with the additional key or code.
2. Add the new license to the Administration Server and enable the option Deploy key automatically
in its properties
When the previous key expires on the computers, they will receive the new automatically
distributed key from the Administration Server.
Automatically deployed license keys are sent to all computers. If a computer does not have an active
license, the automatically distributed key will be activated on it. If an active license is already available,
the automatically distributed key will be deployed as an additional one. If a computer has both an active
and an additional license, the automatically distributed key will not be installed.
The key or code to be distributed can be added in the Quick Start wizard. To add keys later, on the
Operations | Licensing | Kaspersky licenses page, click the button Add.
Registered keys and codes can be imported from the storage as key files or text files with the code. (This
functionality is available only in the MMC Administration Console.) These can be used for local activation
if necessary, or for backup purposes.
Only the extended functions of Kaspersky Security Center Administration Server available in KESB Select
and KESB Advanced licenses require activation.
The operations described in this course do not require activating the Administration Server.
To replace the active key or add another one to the Administration Server, open the Keys section in the
Server properties. You can specify the active and additional license in this section. You can also replace
or delete licenses as necessary.
You can select a license for the Administration Server from among those added to the Kaspersky
licenses storage.
To add a key to the Administration Server, select a key specifically designed for Kaspersky Security
Center. Check what is written in the key table in the Application name column. There is usually a
descriptor there, Security Center or Kaspersky Endpoint Security, that indicates the key purpose.
If you are adding a code, you do not need to check the name, the same code activates all products
covered by the license: Kaspersky Endpoint Security and Kaspersky Security Center.
Sometimes you need to install a specific key on a specific computer or a group of computers. Automatic
distribution would not serve this purpose. Instead, you can create an Add key task.
This task can be created using the typical task creation wizard on the Devices | Tasks page.
If two products require different Console plug-ins to be managed, they would require different Add key
tasks as well. For example, Kaspersky Endpoint Security 10 Service Pack 2 and Kaspersky Endpoint
Security 10 Service Pack 1 have independent plug-ins. Therefore, a task to add key to Kaspersky
Endpoint Security 10 SP2 wouldn’t run on Kaspersky Endpoint Security 10 SP1 and vice versa.
In the task creation wizard or later in the task properties, you can select a license from the list of keys and
codes (those available on the Operations | Licensing | Kaspersky licenses page). There is an option in
the task that permits installing the selected key or code as an additional key. This option is enabled by
default, because the main license is supposed to be installed through the automatic installation feature
(an option in the key or code properties).
Creating backup copies is a good practice that can save you a lot of trouble. The administrator will be
able to restore the entire management system from a backup copy within about an hour. To ensure a
quick recovery, it is important to store backups in a reliable location.
A backup copy of the Kaspersky Security Center data includes all visible and invisible configuration
settings. This includes the event database (which contains more than just the events), administration
group structure, tasks and policies, report templates, installation packages³, selections of computers and
events, the Administration Server certificate, and more. Updates are not included, because they quickly
become outdated, and there is no reason to keep an old copy.
Since the Encryption functionality has appeared in Kaspersky Endpoint Security, backups have become
even more important. The Administration Server configuration now includes the encryption key store that
contains master keys for all computers where encryption is used. These keys are necessary for
recovering access to encrypted data in case of failures. If the master keys stored on the Administration
Server are lost, encrypted data may also be lost irretrievably. Encryption and the risks involved are
described in course KL 008 Encryption.
³ Including stand-alone, but excluding operating system image packages. (These packages are described in detail in course KL 009
Vulnerability and Patch Management.)
However, even if we leave encryption out of consideration, losing Administration Server data can result in
many hours or days or even weeks spent on system recovery. In a large network, even creating
a structure of groups can be difficult and may consume much time and effort. If the server is reinstalled,
its certificate changes, which means that Network Agents, even if they use the correct address, will not be
able to establish a connection to the new Administration Server. Generally, to recover connection to
the computers, all Network Agents will have to be reinstalled.
A backup copy relieves the administrators from these issues, because a copy includes the server
certificate, all the settings, and the encryption key store.
Backup copies can be used as an alternative method of upgrading the Kaspersky Security Center
version. A standard upgrade procedure implies installing a new version over the old one. In this case, the
installer detects a previous version and upgrades its components, saving old settings if possible. Using
the backup mechanism, you can create a backup copy of your old system, uninstall it, then install the new
version of the Administration Server, and restore its configuration from the backup. You can use this
method when it is necessary to upgrade not only the software components of the Administration Server,
but also its hardware configuration.
In a similar manner, you can use backups to move the Administration Server to a different computer. First
create a backup copy, and then install the Administration Server on another system. Restore the
Administration Server settings from the backup copy. In this case, it is important to ensure that the same
SQL server type (Microsoft SQL or MySQL) is installed for both new and old instances of the
Administration Server.
If you move the Administration Server to another system and want to change the Server’s name, you
must make this change before the migration. For details, refer to course KL 302 Kaspersky Endpoint
Security and Management. Scaling.
The most important thing about backups is to regularly make sure that you can actually restore the system
from a backup copy.
Spend half an hour once a month, or at least once a quarter, restoring the Administration Server data on
a test computer. This confirms that the backup copies are not corrupted and keeps your skills sharp, so
that in a real failure you can restore the system quickly and confidently.
To create backup copies, Kaspersky Security Center has a special task called Backup of Administration
Server data. Only one instance of this task can exist on the Administration Server, and the default one is
created by the Quick Start wizard. If necessary, you can delete and recreate it as a troubleshooting
measure.
The actual job of creating backup copies is performed by klbackup.exe, a utility for backup and recovery
of the Administration Server. The task launches the utility with the specified options, which then creates
a backup copy.
Starting with Kaspersky Security Center version 10 SP3, when creating a backup copy, the klbackup.exe
utility does not stop any services; it copies the Server settings and data, then instructs the SQL server to
back up the database.
Only one parameter is required for the backup task: the location of backup copies. This folder will contain
subfolders for each backup copy. The names of the subfolders consist of the date and time of creation.
The default location of backup copies is the SC_Backup folder in the Administration Server data directory
(%ProgramData%\KasperskySC\SC_Backup).
It is risky to store backup copies on the disk where the Administration Server is installed, because in the
event of a hardware failure, both the current system and its backup copy will suffer. We strongly
recommend that you store backup copies in another location. The administrator can either specify a
network location or use an additional process to move backup copies to a safer place for storage.
It is important to realize that backup copies of the Administration Server data are created under
the Administration Server account, whereas backups of the database are created under the database
server account. If you specify a network path as the target location for backup copies, both the
Administration Server and SQL server must have access to this folder. Also, the specified drive must
have enough free space.
Since a backup copy can be up to several gigabytes in size (depending on the network and the amount of
stored data), it makes sense to limit the number of stored backup copies. By default, the maximum
number of backup copies is three.
The Administration Server certificate is stored in encrypted form for security reasons, because an intruder
who obtains the certificate could use it to gain control over the client systems. To enable certificate
encryption, you need to provide a password. By default, the password is empty, which means the certificate
in the backup copy is not protected at all; set a password, and protect the backup location as carefully as
the Server itself.
By default, the Backup of Administration Server data task is scheduled to start every two days at 2 AM;
with three copies retained, the stored backups cover the last six days.
There is no task in Kaspersky Security Center that would restore data from a backup copy. This is done
by design, because an accidental launch of such a task would result in the loss of newly added settings
and data.
In order to restore the Administration Server data, the klbackup.exe utility is used again, which can be
run from the Start menu. When started without command line options, this utility works as a wizard that
prompts you to choose the restore option and enter the path to the backup copy and the password for
decrypting the Administration Server certificate. You need to specify the full path to the subfolder that
contains the backup copy. For example, if you specified c:\backups as the path in the backup task, to
restore the system you enter something like c:\backups\klbackup2018-12-27#02-00-02.
The utility can not only restore data from backup copies but also create them: at the Choose Action step,
select Backup of Administration Server data.
Also, you can enable the mode for only backing up or restoring the Administration Server certificate. This
mode can be used, for example, when you only need to restore connection between the Network Agents
and the Server, but want to create the structure and settings from scratch. This limited backup is not
available in the backup task.
The klbackup.exe utility can be launched from the command line with the following parameters:
— -path: the destination folder for the backup copy, or the source folder during a recovery
— -restore: instructs the utility to restore data; without it, the utility creates a backup copy
— -use_ts: creates a subfolder named with the date and time of creation; without it, the utility writes
the backup copy directly into the folder specified by -path
— -password: the password for encrypting (or, on restore, decrypting) the Administration Server
certificate
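The script below is an added example written for this section; it is not part of the course or of Kaspersky Security Center. It drives klbackup.exe with the four options above to write a backup copy to an off-box share, trims the share to the task's default of three copies, and runs the restore drill recommended earlier against the newest copy. The klbackup.exe location, the share name and the subfolder name pattern (inferred from the klbackup2018-12-27#02-00-02 example) are assumptions.

```powershell
# Added example for this section; not part of the course or of Kaspersky Security Center.
# Assumptions (not stated in the text): the klbackup.exe location, the backup share, and the
# subfolder name pattern, which is inferred from the klbackup2018-12-27#02-00-02 example.
param(
    [string]$KlBackup   = 'C:\Program Files (x86)\Kaspersky Lab\Kaspersky Security Center\klbackup.exe',
    [string]$BackupRoot = '\\backupsrv\ksc-backups',   # off-box location, as the text recommends
    [int]$KeepCopies    = 3,                            # the task's default maximum number of copies
    [switch]$RestoreDrill,                              # run ONLY on a test Administration Server
    [securestring]$Password = (Read-Host -AsSecureString 'Certificate password')
)

# klbackup.exe takes the password in clear text on its command line, so convert it only here.
$plain = (New-Object System.Net.NetworkCredential('', $Password)).Password
if ([string]::IsNullOrEmpty($plain)) {
    throw 'Empty password: the Server certificate would be stored unprotected in the backup copy.'
}

function New-KscBackup {
    # -use_ts makes klbackup.exe create the klbackup<date>#<time> subfolder, like the Backup task does.
    & $KlBackup -path $BackupRoot -use_ts -password $plain
    if ($LASTEXITCODE -ne 0) { throw "klbackup.exe failed with exit code $LASTEXITCODE" }
}

function Get-KscBackupFolders {
    # Newest first; the timestamp in the folder name sorts correctly as plain text.
    Get-ChildItem -Path $BackupRoot -Directory |
        Where-Object Name -match '^klbackup\d{4}-\d{2}-\d{2}#\d{2}-\d{2}-\d{2}$' |
        Sort-Object Name -Descending
}

function Remove-OldKscBackups {
    # Emulate the task's copy limit when running klbackup.exe outside the task.
    Get-KscBackupFolders | Select-Object -Skip $KeepCopies |
        ForEach-Object { Remove-Item -Path $_.FullName -Recurse -Force }
}

function Test-KscRestore {
    # The monthly (at least quarterly) drill: restore the newest copy on a throwaway Server.
    # The drill machine must run the same SQL server type (Microsoft SQL or MySQL) as the original.
    $latest = Get-KscBackupFolders | Select-Object -First 1
    if (-not $latest) { throw "No backup copies found under $BackupRoot" }
    # -restore needs the full path of the copy's own subfolder, not the parent folder.
    & $KlBackup -path $latest.FullName -restore -password $plain
    if ($LASTEXITCODE -ne 0) { throw "Restore of $($latest.Name) failed with exit code $LASTEXITCODE" }
    "Restore drill from $($latest.Name) succeeded"
}

if ($RestoreDrill) { Test-KscRestore } else { New-KscBackup; Remove-OldKscBackups }
```

Run it without -RestoreDrill on the production Server (for example from a scheduled job that passes -Password), and with -RestoreDrill only on the test computer. Either way the password ends up on the klbackup.exe command line, because that is the interface the utility offers, so protect the environment the script runs in as carefully as the backup folder itself.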
With time, the Administration Server database may slow down. In particular, the reports may be
generated slowly, and lists of events or computers may be displayed only after a noticeable pause.
To speed up the console's work with the events stored in the database, the database needs to be optimized.
Before Kaspersky Security Center 10 SP2, this could only be done with the database server's own tools.
Kaspersky Security Center 10 SP2 introduced a special task named Database maintenance, which optimizes
a Microsoft SQL database of the Administration Server. The task does not support MySQL databases; if you
use MySQL, optimize the database with the database server tools.
To speed up the Administration Server database, the Database maintenance task performs the following:
— Looks for errors in the database and fixes them
— Rebuilds indexes
— Updates the database statistics
— Optionally shrinks the database
The task has few parameters. In addition to the schedule, there is only the Shrink database option,
which decreases the database size. It is recommended to optimize the database once a week.
If the Administration Server works slowly because its resources are scarce, the Database maintenance task
will not help.
There can be only one Database maintenance task. It is created by the Quick Start wizard. By default,
the task starts every Saturday at 1 AM.
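The following script is an added example, not part of the course or of Kaspersky Security Center: it runs the four steps of the Database maintenance task by hand with sqlcmd.exe against a Microsoft SQL database of the Administration Server, for example when you want them outside the Saturday schedule or want to see what the task does. The instance and database names are placeholders (assumptions about your installation), and the script assumes sqlcmd.exe is installed and the account running it has Windows-authenticated access to the instance.

```powershell
# Added example; not part of the course or of Kaspersky Security Center.
# Runs the four steps of the Database maintenance task manually against a Microsoft SQL
# Administration Server database. Assumptions: sqlcmd.exe is installed, the current account
# can log on to the instance with Windows authentication, and the names below are yours.
param(
    [string]$SqlInstance = 'KSC-SRV\KAV_CS_ADMIN_KIT',   # assumption: your Administration Server instance
    [string]$Database    = 'KAV',                        # assumption: your Administration Server database
    [switch]$Shrink                                      # the task's optional "Shrink database" step
)

$batch = @"
-- 1. Look for errors. Unlike the task, this only reports them: repairing needs single-user mode,
--    and sqlcmd -b makes the script stop here for manual investigation if corruption is found.
DBCC CHECKDB WITH NO_INFOMSGS, ALL_ERRORMSGS;

-- 2. Rebuild every index of every user table (sys.tables lists only user tables).
DECLARE @sql nvarchar(max) = N'';
SELECT @sql += N'ALTER INDEX ALL ON ' + QUOTENAME(s.name) + N'.' + QUOTENAME(t.name)
             + N' REBUILD;' + CHAR(10)
FROM sys.tables AS t JOIN sys.schemas AS s ON s.schema_id = t.schema_id;
EXEC sys.sp_executesql @sql;

-- 3. Update statistics so the query optimizer sees the current data distribution.
EXEC sys.sp_updatestats;
"@

if ($Shrink) {
    # 4. Optional, as in the task. Shrinking re-fragments the indexes just rebuilt, so use it
    #    only when disk space matters more than query speed. 0 means "the current database".
    $batch += "`n-- 4. Return free space to the file system.`nDBCC SHRINKDATABASE (0);`n"
}

$file = Join-Path $env:TEMP 'ksc-db-maintenance.sql'
Set-Content -Path $file -Value $batch -Encoding ASCII

# -E: Windows authentication; -b: exit with a non-zero code as soon as any statement fails.
& sqlcmd.exe -S $SqlInstance -d $Database -E -b -i $file
$exit = $LASTEXITCODE
Remove-Item -Path $file -Force
if ($exit -ne 0) { throw "Database maintenance failed (sqlcmd exit code $exit); inspect the output above." }
"Database maintenance of $Database on $SqlInstance completed"
```

As with the task, run this weekly, outside business hours: the index rebuild holds locks and the console will be slow while it runs. If the Server is slow because the machine lacks CPU, memory or disk throughput, neither the task nor this script will change that.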
To keep protection working on the computers, monitor important events:
— Configure notifications about possibly infected computers
— Configure reports to be emailed
— Organize daily inspections of the protection status: Customize the Dashboard
Investigate grave incidents, such as an infection, immediately. Deal with less important issues once a week.
Do not let them pile up; otherwise it will soon be difficult to notice something important among them.
If you cannot solve an issue, contact technical support. To get a precise answer sooner, collect logs and
attach them to your request.
Install updates and new versions. They correct errors and improve performance and protection.
Back up the Administration Server data. Regularly make sure that you can restore data from a backup.
Do not forget to renew the license. Configure statuses and notifications to be informed of its expiration
beforehand.
v1.0.3