002.11.6: Kaspersky Endpoint Security and Management. Unit IV. Maintenance

Contents

2.1 How to create a custom dashboard (p. 6)
  How to answer all questions at a glance (p. 6)
  How to fill the dashboard with statistics (p. 7)
  How to understand that important protection components are disabled in the policy (p. 8)
2.2 How to email reports (p. 9)
  Which reports to email (p. 11)
  How to create a custom report (p. 11)
2.3 How to email notifications (p. 13)
  Where to enable notifications (p. 13)
  Where to modify the addressee and the mail server (p. 14)
  About which events you need to know (p. 16)
3.1 What to do with malware (p. 18)
  Where to learn about threats (p. 19)
  How to find computers with threats (p. 19)
  How to understand what has happened to the threats (p. 20)
  How to find computers with non-disinfected threats (p. 21)
  How to scan critical areas (p. 22)
  How to isolate a computer and eliminate an active infection (p. 23)
  How to reset the virus counter (p. 24)
3.2 What to do if Kaspersky Endpoint Security does not work (p. 25)
  Where to find out that Kaspersky Endpoint Security does not work (p. 26)
  How to start protection remotely (p. 27)
3.3 What to do if databases are outdated (p. 28)
  Where to find out that databases are out of date (p. 29)
  How to find out whether a computer has an update task (p. 30)
  How to find out whether the Server has an update task (p. 33)
  Where to specify proxy server parameters (p. 34)
  How to disable automatic assignment of distribution points (p. 35)
  How to check whether KSN is used (p. 36)
3.4 How to check the client-server connection (p. 37)
  How to distinguish powered off computers (p. 37)
  What to do if a computer has not connected for a long time (p. 37)
  How to make a computer connect to the Server (p. 38)
  How to reconnect a computer to the Server (p. 40)
3.5 How to contact technical support (p. 40)
  When and how to contact technical support (p. 40)
  How to remotely collect Windows and GetSystemInfo logs (p. 41)
  How to remotely collect trace logs (p. 42)
  How to collect logs locally (p. 43)
  How to send a request to technical support (p. 44)
4.1 How to install program updates (p. 45)
  Program update types (p. 45)
  Where to find out that an update has been issued (p. 46)
  How to install only approved updates (p. 46)
  How to find out that a new version has been released (p. 48)
4.2 How to renew a license (p. 50)
  When to renew a license (p. 50)
  How to find out that the license expires (p. 51)
  How to find out that the number of activations is exceeded (p. 52)
  How to switch over to a new license (p. 52)
  How to replace the active license (p. 54)
4.3 How to configure backup (p. 55)
  Why back up? (p. 55)
  How to configure backup (p. 56)
  How to restore from a backup (p. 57)
4.4 How and why to maintain the database (p. 58)
Maintenance: Summary (p. 60)

1. How to maintain protection

After you have installed Kaspersky Endpoint Security and Network Agent on the computers, created the necessary policies and tasks, and configured them as necessary, you need to monitor the system to make sure protection works, and react to incidents.

To keep protection working, you have to perform routine maintenance; some things have to be done often, and some infrequently. Most of the actions are obvious, but we will describe them nevertheless, just in case.

Check the most important things.

What to check: There are no unprocessed threats on the computers
Why so often: You install protection to repel threats. Kaspersky Endpoint Security blocks most of them automatically. But if protection cannot handle a threat, you should be informed about this as soon as possible and neutralize it manually. The longer a threat is active, the more damage it can do.

What to check: Protection is installed and works on the computers
Why so often: This is obvious enough. If protection does not work, you do not know whether there is malware on the computer. And the longer protection does not work, the more chances there are that malware infects the computer.
Solve issues that affect protection. If time permits, do it daily; otherwise, solve secondary issues weekly.

What to check: Computers have the latest signature databases
Why so often: Almost all protection components use signatures to detect malware. If signatures are old, Kaspersky Endpoint Security will not be able to detect new viruses. The older the signatures, the greater the risk. If signatures are two days old, it is bad, but not critical. If they are two months old, it is almost as dangerous as if protection were not running at all.

What to check: Protection uses Kaspersky Security Network
Why so often: Kaspersky Security Network informs about known malicious files and helps to detect them even if signatures are obsolete. Moreover, Kaspersky Security Network informs about new malicious files earlier than signatures are issued for them. Without Kaspersky Security Network, protection does not work as well, but it still works and protects against most threats.

Perform preventive maintenance on the Administration Server.

What to check: Make sure that you can recover the Server from a backup copy
Why so often: You spent quite a lot of time installing protection. If you lose the Administration Server because of a hardware failure, you will have to spend almost as much time installing and configuring protection once again. Backup copying can prevent this. The crucial point about backup copying is that making a copy is not enough. You must verify that you will be able to restore the configuration. Spend half an hour per month on maintenance to make sure that you do not find yourself in a critical situation with a misconfigured backup from which you cannot restore data.

What to check: Optimize the Administration Server database
Why so often: If the database is not optimized, it eventually grows in size and becomes fragmented. You will have to spend more time generating reports or displaying a computer selection, especially in a large network or if resources are scarce on the Administration Server (to be more precise, on the database server, but it is often the same computer).

Install updates and patches.

What to check: Whether there are any updates or patches for Kaspersky products
Why so often: Kaspersky Security Center patches and Kaspersky Endpoint Security maintenance releases are issued approximately once every quarter or two. They correct errors, improve performance and sometimes add new functions that are important for protection. You do not need to put much effort into installing patches, but do not forget to test them beforehand.

Renew the license and install new versions.

What to check: The license has not expired and the node limitation has not been exceeded
Why so often: Commercial licenses are typically issued for 1 year. Without a license, protection keeps working, but the update task stops downloading signatures and Kaspersky Endpoint Security stops using KSN. Eventually, protection will be affected.

What to check: Whether there are any new versions of Kaspersky products
Why so often: New versions or service packs are issued once every year or two. They correct errors, improve performance, and also change settings and the products' operation logic. New technologies, components, interception methods, etc. appear in new versions or service packs. If an old version is not updated for too long, it will not be able to fight the latest threats even with up-to-date signatures and KSN. A few years after release, a version's support ends.

2. What to do daily
During a daily inspection:

1. Find out which threats Kaspersky Endpoint Security has detected since your last inspection. If you perform the inspection daily, you can focus on detections in the last 24 hours.
2. Check whether Kaspersky Endpoint Security has neutralized all threats. If there are unprocessed threats, remediate them immediately.
3. Check whether protection works on all computers. If protection is not running or is not installed, run or install it. Find out why this has happened.

To save time, configure the console so that you can quickly learn what you need about threats and protection. The Kaspersky Security Center console provides a lot of information:
— Reports
— Events
— Computer statuses
— Computer properties
— Statistics of installed applications in computer properties
— Repositories
— Task logs

However, these sources are either insufficiently clear (for example, lists of events) or cannot be reviewed all together (for example, reports).

2.1 How to create a custom dashboard

To get a general idea of the overall protection status, open the Monitoring & Reporting | Dashboard page of the Web Console. The administrator selects which charts to show, which chart types to use and how to organize them.

To save time, customize the Dashboard and add to it web widgets that inform about:
— Protection status
— Types of detected viruses and disinfection results
— New devices
— Network attacks
— History of network attacks
— And other important data of your choice, for example, signature versions

Types of web widgets are hardcoded, but abundant, and can answer most of your questions. By default, the Dashboard includes 7 web widgets devoted to various network status aspects: Protection status, New devices, Threat activity, Most frequent threats, Most heavily infected devices, Threat detection.
Usually, a web widget contains a chart with a legend or a table. By default, widgets represent events from all managed computers over the last 24 hours. The administrator can narrow the scope or change the period in the Properties window, which opens with the corresponding button.

The dashboard consists of several web widgets. The administrator can add, delete and move web widgets on the dashboard, and modify their settings and representation. Overall, there are more than 25 types of web widgets, grouped into categories, for the administrator to choose from.

To modify dashboard contents, click Add or restore widget. In the web widget settings, depending on its type, you can modify the time interval for the displayed data and select the computers whose data will be shown. There are only two options for the computers: either an administration group or computers from a specified selection. You can also modify the chart type and appearance in the web widget settings.

The web widgets' capability to display the history of changes over the specified period can be useful. For example, you can view how many viruses were detected during each hour of the last day. These data may help to select the threshold for the Virus outbreak event. Reports lack this capability.

How to understand that important protection components are disabled in the policy

Starting with Kaspersky Endpoint Security version 11, there is a protection level indicator in the policy interface, which helps the administrator evaluate the level of threat prevention and provides a hint about which components should be enabled to improve it.
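The rules the indicator applies are described in the following paragraphs. As an added illustration (my own Python, not Kaspersky code), the model below encodes those rules, returns the level for a set of enabled components, and lists the components the Recommended protection components hint would offer to switch on; the component names and their critical/important grouping are taken from the course text, while the function names are my own assumptions.

```python
# Added example (not Kaspersky's code): a model of the KES 11 policy
# protection level indicator as the course describes it. Component names
# and the critical/important split come from the course; everything else
# (function names, the review dictionary) is my own construction.
CRITICAL = {
    "File Threat Protection",
    "Behavior Detection",
    "Exploit Prevention",
    "Remediation Engine",
}
IMPORTANT = {
    "Kaspersky Security Network",
    "Web Threat Protection",
    "Mail Threat Protection",
    "Host Intrusion Prevention",
}
RECOMMENDED = CRITICAL | IMPORTANT


def protection_level(enabled):
    """Return 'High', 'Medium' or 'Low' for a set of enabled component names.

    Rules from the course:
      High   - every critical and important component is enabled
      Medium - exactly one important component is disabled
      Low    - at least one critical component is disabled, or
               two or more important components are disabled
    Components outside the recommended set (e.g. Firewall) do not
    influence the indicator and are simply ignored here.
    """
    enabled = set(enabled)
    critical_off = CRITICAL - enabled
    important_off = IMPORTANT - enabled
    if critical_off or len(important_off) >= 2:
        return "Low"
    if important_off:
        return "Medium"
    return "High"


def recommended_to_enable(enabled):
    """Components the 'Recommended protection components' window would offer
    to enable: every recommended component that is off, critical ones first
    so the most severe gap is listed first."""
    enabled = set(enabled)
    return sorted(CRITICAL - enabled) + sorted(IMPORTANT - enabled)


def review_policy(enabled):
    """Summarise a policy the way the indicator and its hint text do."""
    missing = recommended_to_enable(enabled)
    hint = ("Some of the recommended protection components are disabled"
            if missing else "All recommended protection components are enabled")
    return {"level": protection_level(enabled), "hint": hint, "enable": missing}


if __name__ == "__main__":
    # Constructed policy from the course example: everything on except
    # Behavior Detection, a critical component, so the level is Low.
    print(review_policy(RECOMMENDED - {"Behavior Detection"}))
```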
For example, suppose the administrator enables all Essential Threat Protection and Advanced Threat Protection components in the policy, but (by mistake or intentionally) disables a critically important component, Behavior Detection, which pinpoints threats by analyzing software activities (in particular, it can detect complex threats such as ransomware). Once the Behavior Detection component is disabled, the Protection level indicator will immediately turn red and show the status Low protection level. The following information will appear to the right of the Protection level indicator after the settings are saved: Some of the recommended protection components are disabled, and a link Learn more. If you click it, the Recommended protection components window will open, which allows you to enable the recommended components to maximize threat counteraction. If the administrator ignores the caution and clicks Save in the policy window, Kaspersky Security Center will display an information window and suggest that you fix the settings.

The Protection level indicator can have one of the following values:
— High protection level. The indicator turns green if the following components are enabled:
  Critical: File Threat Protection; Behavior Detection; Exploit Prevention; Remediation Engine.
  Important: Kaspersky Security Network; Web Threat Protection; Mail Threat Protection; Host Intrusion Prevention.
— Medium protection level. The indicator turns yellow if an important component is disabled.
— Low protection level. The indicator turns red if one or several critical components are disabled, or if two or more important components are disabled.

2.2 How to email reports

Some administrators open the Console only when they need to find out or configure something, and prefer to be informed about issues by email.
This way they use a single tool, the mailbox, to learn about issues of various subsystems instead of opening a dozen different consoles.

Kaspersky Security Center can email notifications and reports. Reports that show what is happening in the network better fit daily inspections. Notifications inform about specific threats that need immediate attention.

To receive reports by email, use the corresponding task:
1. Go to Monitoring & Reporting | Reports and click New report delivery task.
2. If a task of this type has already been created, the Web Console will inform you about it. To edit its parameters, open the properties of the Deliver reports task and switch to the Application settings tab.
3. If there is no task of this type yet, the Console will start the report delivery task creation wizard.
4. Select the types of reports that you want to receive. The task shows all report templates available on the Reports tab. However, those are not all of the report types that Kaspersky Security Center can create. If some reports are missing, create them beforehand on the Monitoring & Reporting | Reports page.
5. Select the format (html, xls or pdf) in the task parameters.
6. Select the action to be applied to reports: reports can be emailed and/or saved to a folder.
7. Switch to the Schedule tab and select when to receive reports.

To select where to email reports, open the Application Settings tab in the task properties, and in the Action to apply to reports area select the Send report by email checkbox; then click the Settings button. Specify the recipient's address and message subject. Check the sender's address and mail server parameters in the Administration Server properties.
Note: Unlike its MMC counterpart, the Quick Start Wizard of the Web Console does not create a report delivery task automatically even if you specify the mail server in it.

Which reports to email

For daily inspections, you will need reports that show threats and protection status:
— Threats:
  — Viruses (over the last day)
  — Network attacks (over the last day)
  — Phishing attempts (over the last day)
  — Host Intrusion Prevention rule triggered (over the last day)
— Protection:
  — Protection status
  — Anti-virus database usage
  — Errors (over the last day)

All pre-configured reports available on the Reports page either do not have any period or show events over the last 30 days by default. 30-day reports are not very useful for daily inspections: it is difficult to understand what has changed since yesterday. You need to create one-day reports manually. Delete all the reports you are not going to use, for example, reports about encryption errors if you do not have an encryption license.

Formally, the Reports page contains report templates, which describe the report type and parameters, rather than reports themselves. The Administration Server generates reports from templates when emailing them, or when the administrator clicks a report name.

How to create a custom report

To create a report (report template):
1. On the Reports page, click the Add button.
2. Name the report comprehensibly, for example, Threats report over the last day.
3. Select the report type. There are more than 50 types of reports in Kaspersky Security Center.
4. Select a scope for the report. A report can cover a group, individual computers (a list) or a computer selection. Most reports should cover the whole network; for this purpose, select the All networked devices scope.
5. Select the reporting period. For daily reports, specify one day.

Template settings also include the list of information fields that constitute the report tables. Some fields contain insignificant information and can be deleted so as not to overload the report. For example, the Virtual server field makes little sense in a report if virtual Administration Servers are not used in the network [1].

[1] The 'Virtual Administration Server' or 'Virtual server' terms that may be encountered in the reports should not be confused with Administration Servers running inside a virtual machine. These two usages of the word "virtual" have almost nothing in common. If your Administration Server runs in a virtual machine, it is still an ordinary Administration Server, not a virtual server. Virtual servers in the reports and other parts of the Console are something else entirely. Virtual Administration Servers are described in course 302.

2.3 How to email notifications

Where to enable notifications

Event storing parameters are specified in the policies of Kaspersky Endpoint Security and Network Agent, and also in the Administration Server properties, on the Event configuration tab. The events are grouped by four severity levels: Critical, Functional failure, Warning, and Info. The severity level is a permanent attribute of an event; it cannot be modified. Each program has its own events with their default settings.

An event has three storage settings:
— On the Administration Server, meaning in the server database. This storing method is enabled for most critical and error events, as well as for many warning and some info events. The default lifetime of Kaspersky Endpoint Security and Network Agent events is 30 days for all events (naturally, except for the events whose storage is disabled). The Administration Server events' default lifetime is the same for all severity levels: 30 days. You can export events of the Administration Server and other Kaspersky applications installed on the managed devices to a SIEM system. For this purpose, select the checkbox Export to SIEM via Syslog (standard RFC 5424).
— In the OS event log on device. This makes sense only for the Network Agent events; Kaspersky Endpoint Security already has this capability in the settings of local event processing.
— In the OS event log on Administration Server, similarly to local Kaspersky Endpoint Security events. If the Administration Server becomes inaccessible, the administrator will be able to find information in the Windows log.

When the specified lifetime is over, events are automatically deleted from the Administration Server database (but not from Windows logs, which have their own settings). Increasing the lifetime will also increase the number of events stored in the database, and this will affect the time required to process operations on events. On the other hand, when the administrator decreases the event lifetime, the maximum reporting period also decreases.

To be informed about important events, configure notifications. This is configured in the properties of every particular event type that you want to be notified about. Kaspersky Security Center supports four notification channels:
— Email
— SMS
— Running an executable file or script
— SNMP

Notifications help to draw the administrator's attention to the most important events. By default, notifications are not sent. To start receiving notifications, open the event properties and select notification methods.

By default, all events are delivered with the same parameters, which are specified in the Administration Server properties. To send different notifications to different addresses or with different text, open the event properties and disable the option Use Administration Server settings.
After that, change the recipients' addresses, text template and other notification parameters.

Where to modify the addressee and the mail server

At first, email notification delivery parameters are specified in the Quick Start wizard. You can also modify them later, in the Notification section of the General tab in the Administration Server properties.

Email notification delivery parameters include:
— Recipients: email addresses separated by semicolons
— SMTP server: name or IP address
— SMTP server port
— Use DNS MX lookup
— Text of the notification message

These parameters are sufficient if the selected SMTP server does not require authorization. The recipient address is also used as the sender address, and the subject of the sent notifications is made of the event severity level and its type, for example, Critical event: Threats have been detected.

Additionally, you can configure the following:
— Message template subject
— Authorization username and password
— Sender address
— A certificate for SMTP server authentication

When configuring the notification subject and text, you can use macros, which will be replaced by the corresponding event attributes in the notifications:
— %SEVERITY%: event severity level
— %COMPUTER%: the sender computer
— %DOMAIN%: Windows domain
— %EVENT%: event
— %DESCR%: event description
— %RISE_TIME%: event time
— %KLCSAK_EVENT_TASK_DISPLAY_NAME%: task name
— %KL_PRODUCT%: program
— %KL_VERSION%: version number
— %HOST_IP%: IP address
— %HOST_CONN_IP%: connection IP address

About which events you need to know

It is up to the administrator to decide about which events to receive notifications. However, prime candidates are events about active threats and potentially successful attacks:

Event: Active threat detected. Advanced Disinfection should be started
What does it mean: The malicious file is not running on the computer, but Kaspersky Endpoint Security cannot terminate it. The user or the administrator must confirm starting the Advanced Disinfection procedure.

Event: Malicious object detected (KSN)
What does it mean: A malicious object was detected using a request sent to KSN rather than signatures. This means that it is a new threat, and the administrator should carefully monitor what is happening in the network, and maybe even switch to a policy with stricter protection settings.

Event: Previously opened dangerous link detected
What does it mean: Information that the link is dangerous appeared only after a user opened it (data about previous actions is stored in the KSN cache and Remediation Engine's logs). The user could have downloaded and started new malware.

Event: Process terminated
What does it mean: Malware was running on a computer. Although Kaspersky Endpoint Security terminated it, it could have done harm.

Event: Network attack detected
What does it mean: If the attacking computer is located within the network, it may mean that it is infected with unknown malware, or that protection does not work there.

Event: Host Intrusion Prevention rule triggered
What does it mean: If you have configured Host Intrusion Prevention to protect documents against ransomware, these events will inform you when unknown programs try to edit or delete the user's documents.

All these events pertain to Kaspersky Endpoint Security. Configure the respective notification settings in the Kaspersky Endpoint Security policy, on the Event configuration tab. The last event is an Info event. The others are Critical events.

Some events (including important ones) may occur too frequently to send a notification for each of them. For example, the Threats have been detected event during a virus outbreak may invoke tens or hundreds of notifications. To make each notification draw your attention, limit the number of notifications.
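As an added illustration (my own Python, not Kaspersky code) of the macro expansion described under Where to modify the addressee and the mail server, and of the numeric limit of notifications described next: the model renders the subject and text from a template and, per event type, drops every notification beyond a maximum within a time span. The macro names, the default subject form and the limit semantics come from the course; the event dictionary fields, the class and function names, and the sample events are my own constructions.

```python
# Added example (not Kaspersky's code): macro expansion in notification
# templates plus the per-event-type numeric limit, modelled on the course
# text. Event fields, class/function names and sample data are my own.
import re
from datetime import datetime, timedelta

MACRO_RE = re.compile(r"%([A-Z_]+)%")

# Each macro from the course and the event attribute it is replaced with.
MACROS = {
    "SEVERITY": "severity",
    "COMPUTER": "computer",
    "DOMAIN": "domain",
    "EVENT": "event",
    "DESCR": "description",
    "RISE_TIME": "rise_time",
    "KLCSAK_EVENT_TASK_DISPLAY_NAME": "task_name",
    "KL_PRODUCT": "product",
    "KL_VERSION": "version",
    "HOST_IP": "host_ip",
    "HOST_CONN_IP": "host_conn_ip",
}


def render(template, event):
    """Replace %MACRO% placeholders with event attributes. Unknown macros and
    missing attributes are left in place so a template typo stays visible."""
    def substitute(match):
        field = MACROS.get(match.group(1))
        if field is None or field not in event:
            return match.group(0)
        return str(event[field])
    return MACRO_RE.sub(substitute, template)


def default_subject(event):
    """Without a subject template the subject is severity plus event type,
    e.g. 'Critical event: Threats have been detected'."""
    return f"{event['severity']} event: {event['event']}"


class NotificationLimiter:
    """Numeric limit of notifications: at most `limit` per event type within
    `span`. Once reached, that type is suppressed until the span is over and
    the next event starts a new count; other event types count separately."""

    def __init__(self, limit, span):
        self.limit = limit
        self.span = span
        self._windows = {}  # event type -> (window start time, count)

    def allow(self, event):
        kind, now = event["event"], event["rise_time"]
        start, count = self._windows.get(kind, (None, 0))
        if start is None or now - start >= self.span:
            start, count = now, 0  # first event, or span over: count anew
        allowed = count < self.limit
        self._windows[kind] = (start, count + 1 if allowed else count)
        return allowed


def deliver(events, limiter, subject_template=None,
            text_template="%COMPUTER% (%HOST_IP%): %DESCR%"):
    """Return the (subject, text) pairs that would actually be emailed."""
    sent = []
    for event in events:
        if not limiter.allow(event):
            continue  # suppressed by the numeric limit
        subject = (render(subject_template, event) if subject_template
                   else default_subject(event))
        sent.append((subject, render(text_template, event)))
    return sent


def sample_events():
    """Constructed events: five detections on one host within a minute, one
    event of another type in the same minute, one detection ten minutes later."""
    t0 = datetime(2024, 1, 15, 9, 0, 0)
    base = {"severity": "Critical", "computer": "WS-042", "domain": "CORP",
            "product": "Kaspersky Endpoint Security", "version": "11.6",
            "host_ip": "10.0.0.42", "host_conn_ip": "10.0.0.42", "task_name": ""}
    events = [dict(base, event="Threats have been detected",
                   description=f"EICAR test file no. {i}",
                   rise_time=t0 + timedelta(seconds=10 * i)) for i in range(5)]
    events.append(dict(base, event="Network attack detected",
                       description="Network attack blocked",
                       rise_time=t0 + timedelta(seconds=30)))
    events.append(dict(base, event="Threats have been detected",
                       description="Late detection",
                       rise_time=t0 + timedelta(minutes=10)))
    return events


def run_demo(limit=3, span_minutes=5):
    """Run the constructed events through a limiter and return what is sent:
    three of the five detections, the network attack, and the late detection
    (the span had passed, so its count started anew)."""
    limiter = NotificationLimiter(limit, timedelta(minutes=span_minutes))
    return deliver(sample_events(), limiter)
```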
To configure the limit, in the Administration Server properties, open the Notification section and click the link Configure numeric limit of notifications. Set the limit as the maximum number of notifications over a time span. As soon as the limit is reached, notifications are suppressed until the specified period is over. If new events are received afterwards, the limit is counted anew. The same limit is used for all notification types, but it applies individually to each event type. For example, if notifications for the Threats have been detected event hit the limit, notifications for other event types will not be affected.

3. What to do if something has happened

3.1 What to do with malware

If no new events about threats have appeared on the computers over the last day, you do not need to do anything. But what to do if there are some events?

First of all, find out what has happened to the detected threats. If Kaspersky Endpoint Security deleted, disinfected or blocked a threat, you do not need to do anything. Just reset the virus counter on the computer to be able to see when new threats appear. If malware is not treated or removed, act according to a plan. Prepare the plan beforehand.

A typical plan may include the following steps:
1. Run the critical areas scan task to understand whether the computer is infected.
2. If a computer is infected or you suspect that it may be infected with unknown malware:
  2.1. Isolate the computer from other computers in the network.
  2.2. Disable the policy using the password.
  2.3. Raise the heuristics level and enable the Advanced Disinfection technology.
  2.4. Check the integrity of Kaspersky Endpoint Security with a local task.
  2.5. Perform a full scan on the computer.

If this does not help, restore the computer from an image.
If all computers in the company are installed from images, and users' data is stored on the network rather than on the computers, restoring from an image may be the first step of your plan, to save time.

If you find suspicious files during an investigation, send them to Kaspersky for analysis via the portal companyaccount.kaspersky.com. Also, involve internal or external experts if you suspect a targeted attack against your organization.

Where to learn about threats

You can find out that viruses have been found from events, reports, statistics and computer statuses. Next to statistics, statuses are what draws attention first.

Threat detections and their processing results define the computer status in the Administration Console: OK, Warning or Critical. This allows the administrator to easily notice problematic computers when looking through the groups.

How to find computers with threats

The Many viruses detected status tells that viruses were found on the computer. This status is related to the virus counter. Every time malware is detected on the computer, the counter increases by 1. The counter value is transferred to the Administration Server during synchronization. The status is activated when the virus counter exceeds the specified threshold. By default, the Many viruses detected status is disabled.

To enable the status so that it shows the computers where malware was found, go to the Devices | Hierarchy of groups page and open the properties of the Managed devices group. Switch to the Device status tab and activate the Many viruses detected status. To make computers receive the Warning status and be displayed in yellow, activate the status in the Warning section; to make them receive the Critical status and be displayed in red, activate it in the Critical section.
To paint computers yellow when there are a few viruses on them, and red when the number of viruses exceeds, say, 5, configure different thresholds for the Many viruses detected status in the two sections (select the status and click the Edit button).

If at least one managed computer receives the There are active threats or the Many viruses detected status, the global Protection status on the Dashboard also changes.

The statuses OK, Warning and Critical are links. If you click the Critical status, a selection of the devices that have this status opens. All statuses on the Dashboard page behave this way. In the selection, you can find out why a device has received its status.

A selection is a dynamic set of computers selected by an attribute. There are standard selections on the Administration Server that show computers with various statuses, for example, There are active threats and Many viruses detected.

You can take group actions on the computers in a selection, for example, start update and scan tasks, move them into a group, etc. So selections are very useful when dealing with computers that have a problem status.

How to understand what has happened to the threats

The Threats report shows statistics on the processing of the malware detected on the managed computers: how many objects were disinfected, how many were blocked (by Web Threat Protection), how many were deleted and how many still remain unprocessed. It also shows the number of dangerous objects whose processing result is unknown. These statistics are available for each type of malware.

The Threats report can also show which malware Kaspersky Endpoint Security detected and with which technology. To see this information, add the By KSN verdict column to the Details table. You can also add the Detection technology column, which names the component that pinpointed the malicious code, and the SHA-256 column.
For this purpose, in the properties of the Threats report, open the Fields tab, click the Add button, and select the necessary data in the Field name list.

The Report on most heavily infected devices and the Report on users of infected devices may also come in handy. If some computers have been infected considerably more often than others, it is worthwhile to find the reason and take appropriate measures.

Network attacks are not included in the Threats report. To see the big picture of all attacks, consult the Network attack report. It shows which attack types were detected and, more importantly, the IP addresses of the attacking computers. Knowing the address, the administrator can investigate the incident and fix the problem at its source. The Network attack report is not created by default. To view it, create a new template on the Monitoring & Reporting | Reports page.

In addition to reports, check computer events to understand how Kaspersky Endpoint Security copes with threats. Events show what was happening at the moment of threat detection: whether there were other threats, or errors in the operation of components. To understand how a threat ended up, always check the last event about it. It is normal for Kaspersky Endpoint Security to first report that it cannot disinfect a file and, a second later, to report that the file was deleted successfully.

How to find computers with non-disinfected threats

You do not have to study reports and events to understand whether any computers are infected. Usually, if Kaspersky Endpoint Security cannot neutralize a malicious file, it informs the Server about this via the There are active threats status. This status is enabled by default and is displayed on the Types of detected viruses and disinfection results web widget. It gives computers the Warning status and is displayed on the Dashboard page.
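The rule just stated, that the last event about an object decides its state, is easy to get wrong when reading a feed of events by hand. The following Python script is an added example (not part of the course or of Kaspersky Security Center) that applies it to a constructed event feed: it keeps the last event per host and object, lists the hosts that would carry the There are active threats status, and lists the hosts where the text recommends a critical areas scan. The event names, the pipe-separated format and the sample lines are assumptions made for illustration; KSC's real event names and export format differ.

```python
"""Resolve each detected object to its final state from an event feed.

Added example for this section, not part of the Kaspersky course or of Kaspersky
Security Center itself. The "timestamp|host|object|event" format and the event
names below are constructed for illustration.
"""
from collections import OrderedDict
from dataclasses import dataclass

# Constructed sample feed. Note ws-017: "cannot be disinfected" is followed a second
# later by "deleted", which is the normal sequence the text describes.
SAMPLE_EVENTS = """\
2024-05-02T09:00:01|ws-017|C:\\Users\\ann\\Downloads\\inv.exe|Object cannot be disinfected
2024-05-02T09:00:02|ws-017|C:\\Users\\ann\\Downloads\\inv.exe|Object deleted
2024-05-02T09:03:10|ws-042|\\\\fs01\\share\\doc.js|Object cannot be disinfected
2024-05-02T09:05:00|ws-042|C:\\Temp\\x.dll|Process terminated
2024-05-02T09:06:30|ws-103|http://example.test/bad|Object blocked
"""

# Last events after which nothing remains on the computer to deal with.
NEUTRALIZED = {"Object deleted", "Object disinfected", "Object blocked", "Process terminated"}
# Last events that still warrant a critical areas scan even though the object is gone
# (a terminated process or a previously opened link may have left something behind).
SCAN_TRIGGERS = {"Process terminated", "Previously opened dangerous link detected"}


@dataclass
class Verdict:
    host: str
    obj: str
    last_event: str
    neutralized: bool


def parse_events(text):
    """Split the feed into (timestamp, host, object, event) tuples, oldest first."""
    rows = []
    for line in text.splitlines():
        if line.strip():
            ts, host, obj, event = line.split("|", 3)
            rows.append((ts, host, obj, event))
    return sorted(rows)  # ISO-8601 timestamps sort correctly as strings


def final_verdicts(text):
    """Keep only the LAST event per (host, object): that one decides the state."""
    last = OrderedDict()
    for _ts, host, obj, event in parse_events(text):
        last[(host, obj)] = event
    return [Verdict(h, o, ev, ev in NEUTRALIZED) for (h, o), ev in last.items()]


def hosts_with_active_threats(text):
    """Hosts that would carry the 'There are active threats' status."""
    return sorted({v.host for v in final_verdicts(text) if not v.neutralized})


def hosts_to_scan(text):
    """Hosts where a critical areas scan is advisable: unprocessed objects or scan triggers."""
    verdicts = final_verdicts(text)
    hosts = {v.host for v in verdicts if not v.neutralized or v.last_event in SCAN_TRIGGERS}
    return sorted(hosts)


if __name__ == "__main__":
    for v in final_verdicts(SAMPLE_EVENTS):
        print(f"{v.host:8} {'OK ' if v.neutralized else 'BAD'} {v.last_event:30} {v.obj}")
    print("active threats on:", hosts_with_active_threats(SAMPLE_EVENTS))
    print("run critical areas scan on:", hosts_to_scan(SAMPLE_EVENTS))
```

On the constructed feed, ws-017 ends up clean (the deletion supersedes the earlier failure), ws-042 keeps an unprocessed object in the shared folder and also had a process terminated, so it is the only host both carrying active threats and needing a scan.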
The There are active threats status is assigned to computers where malware was detected and not cured.

The Active threats category can comprise widely different objects. It can be a virus in memory that actively counters attempts to delete it. Or it can be an infected object on a network drive where Kaspersky Endpoint Security has no Write permission to disinfect or delete the file. When a user accesses a malicious file in a shared folder on a file server, the protection solution installed on the server may block access and delete the file. Meanwhile, the protection software on the user's computer detects the threat at the same time, cannot delete the file from the folder, and reports an unprocessed threat, although in reality it has been processed on the server. This still deserves attention, since malicious files must not appear in shared folders, and you need to find out how the file got there.

To reset the computer status, neutralize the detected objects. If an object cannot be neutralized, as in the described situation with malware in a shared folder, delete the record about the unprocessed object from the list of unprocessed objects:
1. In the Web Console, open Operations | Repositories | Active threats.
2. Find the file in the shared folder and carry out the Delete command on it.

How to scan critical areas

If many viruses or a previously opened malicious link have been detected on a computer, or a malicious process has been terminated, the computer may still be infected. To scan the computer for known threats, run a critical areas scan on it. There are a few ways to achieve this. The one that is always available is as follows:
1. Open the computer properties.
2. Open the Tasks tab.
3. Find the Critical Areas Scan task and run it.

Critical Areas Scan is a local task, which is available in each installation of Kaspersky Endpoint Security. Local means that it is displayed only in the computer properties, and not in groups or in the Tasks node. This makes it less convenient: to start it on several computers, you have to open their properties one by one.

You can also use the group Virus Scan task, which has to be created manually. However, it will scan all computers, and why slow down the computers where there are no threats? To quickly scan critical areas only on the computers where threats have been detected, create a virus scan task for specific computers or for the corresponding computer selection.

How to isolate a computer and eliminate an active infection

Usually, even if malware is running, Kaspersky Endpoint Security can terminate it. The Host Intrusion Prevention, Behavior Detection and Exploit Prevention components are responsible for this. File Threat Protection does not scan programs in memory.

If a computer is infected and Kaspersky Endpoint Security cannot stop the malware, use the Advanced Disinfection technology. This technology is disabled by default, because it blocks the start of all programs and restarts the computer, which would hamper the users. The user can agree to perform the Advanced Disinfection procedure and take the risk of losing unsaved data, or refuse to start the procedure and leave the computer infected. In any case, it should be the administrator who makes the decision rather than the user.

If you suspect that a computer is infected, it is best to reinstall it from an image. If that is unacceptable or impossible, try to disinfect the computer:
1. Disconnect the computer from the corporate network.
2. Disable the policy using the Disable policy command on the shortcut menu of the Kaspersky Endpoint Security icon. To be able to use this command, password protection must be enabled in the Kaspersky Endpoint Security policy.
3. Open the Kaspersky Endpoint Security window and click Protection components.
4. Go to General and select the Use Advanced Disinfection technology checkbox.
5. Run a Virus scan task: return to the main window of Kaspersky Endpoint Security and click the Tasks area.
6. If Kaspersky Endpoint Security finds a threat and prompts you to perform a special disinfection procedure, agree. With Advanced Disinfection technology enabled, Kaspersky Endpoint Security does not permit new programs to start, scans memory, uses more aggressive methods when terminating processes, and tries to delete malicious files at restart.
7. Restart the computer, connect it to the internet and update the signatures.
8. Scan the whole computer once again.

How to reset virus counter

After all threats have been neutralized, reset the virus counter on the computer. The virus counter can only increase by itself, and the only way to clear this status is to reset the counter manually. For this purpose, open the computer properties: on the General tab, in the Protection section, click the Reset virus counter button.

What to do if Kaspersky Endpoint Security does not work

If protection does not work, there may be various reasons. Before contacting technical support, make sure that:
— Kaspersky Endpoint Security is installed on the computer. The user may have uninstalled it. Reinstall it and protect it from the user: set a password.
— The Network Agent is installed on the computer. The user could have uninstalled the Network Agent; in that case the Console shows the last data the Agent sent to the Server. Reinstall the Agent and protect it from the user: set an uninstallation password.
— A policy is applied to the computer. A computer may belong to a group without a policy, or a version of Kaspersky Endpoint Security for which there is no policy on the Server may be installed on the computer. Create policies in all groups and for all used versions of Kaspersky Endpoint Security.
— Policy settings are locked. If the locks are open, the user can modify parameter values and may disable components or even the start of Kaspersky Endpoint Security. Close the locks for all important parameters in the policy.
— Password protection is enabled. If it is not, the user can exit Kaspersky Endpoint Security even without administrative permissions.

After you have checked for trivial causes, look at the errors. If Kaspersky Endpoint Security does not run because of failures, collect diagnostic logs and contact Kaspersky technical support.

Where to find out that Kaspersky Endpoint Security does not work

The following computer statuses may mean that protection does not work:
— Security application is not installed. This condition is enabled by default for the Warning and Critical statuses.
— Security application is not running. Enabled by default for the Critical status.
— Protection is disabled. Enabled by default for the Critical status.
— Real-time protection level differs from the level set by the administrator. Disabled by default. You can set one of the following values for it: Starting; Running; Running (maximum speed); Running (recommended settings); Running (custom settings); Paused; Stopped; Failed to start.

The Real-time protection level differs from the level set by the administrator status, although disabled by default, is more useful than the Protection is disabled status. Protection is disabled does not show what is wrong: whether the application is malfunctioning or the user has exited it. Real-time protection level differs from the level set by the administrator shows this difference. We recommend that you enable this condition for the Critical status and select the Running value for it.

There are standard computer selections for the Protection is disabled and Security application is not installed statuses. The administrator can create custom selections for the other statuses.

The Security application is not running status is always accompanied by the Protection is disabled status, but not the other way around. If Kaspersky Endpoint Security works but all protection components are disabled, the computer's status is Protection is disabled without Security application is not running. Protection is considered to be running in Kaspersky Endpoint Security if at least one protection component works, even if it is only Mail Threat Protection.

To understand that components have not started on a computer because of a failure, consult the Errors report or an event selection. To check all errors:
1. Go to Monitoring & Reporting | Event Selections.
2. Click the Functional failures selection.

To understand which components are running on a computer, open the Tasks tab in the computer properties. Components are listed among the other tasks, and the list shows which ones are running and which are not.

How to start protection remotely

The Protection is disabled status is one of the most critical protection statuses. To solve this problem, carry out the Network Agent command to start Kaspersky Endpoint Security on the Applications tab of the computer properties. If individual components are not running, you can start them on the Tasks tab.

Another method of starting Kaspersky Endpoint Security is the Start or stop application task. This is an advanced Kaspersky Security Center task that can be created for groups or for specific computers. A group task is convenient if the Virus outbreak event is registered: it can start protection on all network computers, in case protection is stopped somewhere. A task for specific computers better serves the purpose of rectifying the Protection is disabled status.

To create a task that starts Kaspersky Endpoint Security:
1. Run the task creation wizard on the Devices | Tasks page.
2. Select Kaspersky Security Center and the task type Start or stop application.
3. Specify the devices to which the task is to be assigned: Selection.
4. Specify the computer selection Protection is disabled.
5. Select the Kaspersky Endpoint Security versions that need to be run and the command Start application.

What to do if databases are outdated

If protection does not work, it is very bad. However, if it works with old signatures, it is not much better. Pay attention to computers that have old signatures, update them and find out why the signatures have not been updated.
First, solve the trivial issues. Check the following:
— The computers have an update task. This task is created by default. However, when groups and tasks become numerous, it may turn out that some computers do not have an update task for the necessary version of Kaspersky Endpoint Security.
— Task schedule. If the administrator created update tasks manually, he or she might have forgotten to set a schedule for them.
— Task source. Within the network, the Kaspersky Security Center source must be specified.
— The Administration Server has a Download updates to the repository task. It is created by default, but may have been deleted by mistake.
— Schedule and source of the Download updates to the repository task. Its schedule may have been misconfigured.
— The Administration Server can access the selected source. Probably, the internet is accessible only through a proxy server, but its address and authentication data (username and password) are not specified or need to be updated.

After that, check for update task errors. If the errors result from Kaspersky Endpoint Security failures, collect logs and contact technical support.

Specifically, consider whether you need distribution points. They are not of much help in a small network, and they complicate diagnostics. The Administration Server automatically assigns distribution points by default; you can disable this.

Where to find out that databases are out of date

The Distribution of anti-virus databases web widget on the Dashboard page provides the most important information about the databases in use. If everything is fine, the web widget displays a green pie chart and the time when the latest updates were downloaded to the Server repository. If there is an issue, a part of the chart turns yellow or red and the value of the corresponding counter increases. The database statuses displayed in the web widget are links that open the respective device selections:
— Devices with up-to-date databases
— Devices with databases updated in the last 24 hours
— Devices with databases updated in the last 3 days
— Devices with databases updated in the last 7 days
— Devices with databases that have not been updated for more than 7 days

More detailed information about the databases in use and the computers with issues is available in the appropriate reports. The Database usage report shows the number of computers where the databases are 1 day old, 3 days old, 7 days old, and older.

If the databases became obsolete on a computer not because it was off, but because of update task errors, the administrator needs to view the update task events to find out the reason. The events sent to the Administration Server are often insufficient for a thorough analysis of the situation. The local update report of Kaspersky Endpoint Security usually contains more events.

Computer statuses also inform about old signature databases. Computers with old databases receive the Warning or Critical status depending on how old their databases are. The status criteria are configured in the group properties. By default, the Warning status is given to computers whose databases are 7 or more days old, and Critical is assigned after 14 days.

To understand why a computer's status is not OK, consult the Status description column on the Devices | Managed devices page or the Protection section of the computer properties. To view detailed information about the databases and, specifically, the last update date, open the properties of the Kaspersky Endpoint Security application on the Applications tab of the computer properties.
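As an added example, not from the course or from Kaspersky Security Center, the Python script below reproduces the classification that the widget and the device statuses apply, using the buckets and default thresholds named above, and adds the distinction the text draws between a computer that was simply off and one that connects to the Server but fails to update. The device inventory and the one-day "recently connected" cut-off are constructed assumptions.

```python
"""Triage managed devices by anti-virus database age.

Added example for this section, not part of the course or of Kaspersky Security
Center. The widget buckets (24 h, 3 d, 7 d, >7 d) and the default status
thresholds (Warning at 7 days, Critical at 14) come from the text; the device
inventory and the one-day "recently connected" cut-off are constructed assumptions.
"""
from datetime import datetime, timedelta

NOW = datetime(2024, 5, 9, 12, 0)  # fixed clock so the example is reproducible

# Constructed inventory: (device, last database update, last connection to the Server)
DEVICES = [
    ("ws-001", NOW - timedelta(hours=2), NOW - timedelta(minutes=10)),
    ("ws-002", NOW - timedelta(days=2), NOW - timedelta(minutes=12)),
    ("ws-003", NOW - timedelta(days=9), NOW - timedelta(minutes=9)),    # online, not updating
    ("ws-004", NOW - timedelta(days=20), NOW - timedelta(days=20)),     # switched off 20 days ago
    ("ws-005", NOW - timedelta(days=15), NOW - timedelta(minutes=5)),   # online, not updating
]


def widget_bucket(age):
    """Slice of the 'Distribution of anti-virus databases' pie a device falls into."""
    if age <= timedelta(hours=24):
        return "updated in the last 24 hours"
    if age <= timedelta(days=3):
        return "updated in the last 3 days"
    if age <= timedelta(days=7):
        return "updated in the last 7 days"
    return "not updated for more than 7 days"


def db_status(age, warning_days=7, critical_days=14):
    """Device status from database age; thresholds are the group-properties defaults."""
    if age >= timedelta(days=critical_days):
        return "Critical"
    if age >= timedelta(days=warning_days):
        return "Warning"
    return "OK"


def triage(devices, now=NOW, recent=timedelta(days=1)):
    """Return (device, bucket, status, hint) rows.

    The hint separates the two causes the text distinguishes: a device that has not
    connected since its databases went stale was probably just off (the Server only
    holds the data it last received), whereas a device that keeps connecting but has
    old databases has a failing update task, so its task events need reading.
    """
    rows = []
    for name, db_time, last_seen in devices:
        age = now - db_time
        status = db_status(age)
        if status == "OK":
            hint = "none"
        elif now - last_seen > recent:
            hint = "offline: Server data is stale, check the computer itself"
        else:
            hint = "connected but not updating: read the update task events"
        rows.append((name, widget_bucket(age), status, hint))
    return rows


if __name__ == "__main__":
    for row in triage(DEVICES):
        print(" | ".join(row))
```

In the sample, ws-003 and ws-005 are the computers worth opening the local update report for; ws-004 only needs to be switched on and synchronized before its status means anything.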
How to find out whether a computer has an update task

Updates from the Administration Server repository are distributed to the client computers by group update tasks. To ensure coverage of all managed computers, the update task must be created as a group task in the Managed devices group. The Quick Start wizard creates this type of task: Install update. If computers are combined into groups and the optimal updating procedure differs between groups, you can create a customized update task for each group.

If both a parent and a child group have tasks of the same type, the computers of the child group run both tasks. This will most likely result in errors, since if an update task is already running, another one cannot start. To avoid this, either delete the task in the parent group, or disable its scheduled start, or exclude the subgroups that have their own tasks from the scope of the parent group task.

Note: If other Kaspersky products or other versions of Kaspersky Endpoint Security (for example, Kaspersky Endpoint Security for Mac or Kaspersky Security for Windows Server) are used in your network, they need separate update tasks.

If there are many groups in the Web Console and different versions of Kaspersky Endpoint Security are installed on the computers, it is hard to immediately understand whether all computers have update tasks. If the signatures are outdated on a computer, to understand whether it has an update task:
1. Open the computer properties and switch to the Applications tab.
2. Note the complete name of Kaspersky Endpoint Security, including the Service Pack version.
3. Go to the computer's group.
4. Switch to the Tasks tab.
5. Look for a task that has the Update type and whose Kaspersky Endpoint Security version coincides with the one displayed in the computer properties.

If there is no such task, create it in this group or in a parent group. Try to create as few tasks as possible. One update task per version of Kaspersky Endpoint Security, created in the root Managed devices group, is often sufficient.

Each product update task has a specific schedule and settings, including:
— The list of update sources
— Update parameters
— The settings used to copy updates to a specified folder
— The list of subgroups on whose computers the task will not run

The standard schedule for Kaspersky Endpoint Security update tasks is When new updates are downloaded to the repository. Unlike a periodic schedule, where Kaspersky Endpoint Security itself determines the start time and starts the task regardless of whether the Administration Server can be reached, the When new updates are downloaded to the repository schedule means that the task is always started by an Administration Server command.

The Administration Server sends a 'wake-up' call to UDP port 15000 of all affected client computers to tell them that there are new settings for them. The Network Agents listen on this port, and upon receiving the call they connect to the Administration Server and download whatever new settings are available. Upon connection to the Server, the Agent receives the command to start the task and passes it to Kaspersky Endpoint Security, which carries it out. If the 'wake-up' call does not reach some computers, they receive the command during the planned synchronization, performed every 15 minutes by default (the period is defined in the Network Agent policy).

The When new updates are downloaded to the repository schedule guarantees that the client computers receive updates as soon as possible, without polling the Server every now and then.
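The scope rules above (a task created in a group reaches the computers of its subgroups unless a subgroup is excluded, and a computer whose group and parent group both carry a task of the same type runs both) can be modelled to find such overlaps before they produce "task already running" errors. The Python script below is an added example, not part of the course or of Kaspersky Security Center; the group tree, devices and tasks in it are constructed, and the exclusion function only models the "exclude the subgroup from the parent task's scope" remedy described above.

```python
"""Detect computers that would run two update tasks because their group and one of
its parents both have one, and apply the remedy the text recommends (exclude the
subgroup from the parent task's scope).

Added example for this section, not part of the course or of Kaspersky Security
Center. The group tree, devices and tasks are constructed; this only models the
scope rules the text describes.
"""

# Constructed group tree: group -> parent group (the root has none).
PARENT = {
    "Managed devices": None,
    "Workstations": "Managed devices",
    "Laptops": "Workstations",
    "Servers": "Managed devices",
}

# Constructed devices: device -> (its group, installed product version).
DEVICES = {
    "ws-01": ("Workstations", "KES 12"),
    "lt-01": ("Laptops", "KES 12"),
    "srv-01": ("Servers", "KES 11"),
}

# Constructed update tasks: name -> (group the task is created in, product version
# it targets, subgroups excluded from its scope).
TASKS = {
    "Update KES 12 (root)": ("Managed devices", "KES 12", frozenset()),
    "Update KES 12 (laptops)": ("Laptops", "KES 12", frozenset()),
    "Update KES 11 (servers)": ("Servers", "KES 11", frozenset()),
}


def group_chain(group):
    """The device's group followed by its ancestors up to the root."""
    chain = []
    while group is not None:
        chain.append(group)
        group = PARENT[group]
    return chain


def effective_tasks(device, tasks):
    """Update tasks that reach the device: created in its group or a parent group,
    matching its product version, with no excluded subgroup between the task's group
    and the device."""
    group, version = DEVICES[device]
    chain = group_chain(group)
    reached = []
    for name, (task_group, task_version, excluded) in tasks.items():
        if task_version != version or task_group not in chain:
            continue
        below_task = chain[: chain.index(task_group)]  # groups between device and task
        if any(g in excluded for g in below_task):
            continue
        reached.append(name)
    return sorted(reached)


def conflicts(tasks):
    """Devices that would start more than one update task, with the task names."""
    result = {}
    for device in DEVICES:
        reached = effective_tasks(device, tasks)
        if len(reached) > 1:
            result[device] = reached
    return result


def exclude_subgroup(tasks, task_name, subgroup):
    """Return a copy of the task set with `subgroup` excluded from `task_name`'s scope."""
    group, version, excluded = tasks[task_name]
    fixed = dict(tasks)
    fixed[task_name] = (group, version, excluded | {subgroup})
    return fixed


if __name__ == "__main__":
    print("conflicts before:", conflicts(TASKS))
    fixed = exclude_subgroup(TASKS, "Update KES 12 (root)", "Laptops")
    print("conflicts after excluding Laptops from the root task:", conflicts(fixed))
```

Only lt-01 conflicts in the sample: the root task reaches it through Workstations, and Laptops has its own task. Excluding Laptops from the root task leaves each computer with exactly one update task, which is the state the text recommends.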
Alternatively, a simple periodic schedule can be used (for example, once an hour). To prevent peak loads on the update source and the network at the moment of task start, the task launch is randomized within a certain interval. For example, if a 5-minute interval is selected, the computer begins the next scheduled update after a random delay of 0 to 5 minutes. By default, the Administration Server defines the randomization interval automatically depending on the number of computers the task pertains to. The administrator can also specify it manually.

If signatures are outdated on the computers, check the update task schedule. If the schedule is set to Manually, Weekly or Monthly, change it to When new updates are downloaded to the repository or to Once every N hours.

To specify the list of sources, open the task properties and switch to the Application Settings | Local mode tab. Updates can be retrieved from the following sources:
— Kaspersky Security Center: the recommended source for all managed computers, and the natural source for the When new updates are downloaded to the repository schedule.
— Kaspersky update servers: the recommended source for computers outside the corporate perimeter, or a backup source if the specified Administration Server is not accessible. However, administrators often prefer that computers wait for the Administration Server connection rather than generate extra internet traffic.
— Local or network update folder: another option for backup update sources. You can specify an HTTP or FTP address instead of a shared folder. For example, if there are several Administration Servers in the network (this case is described in course KL 302 Kaspersky Endpoint Security and Management: Advanced Skills), HTTP addresses of update folders located on other Servers can be used as backup sources.

A task can have several different sources organized in a list. If the first source turns out to be inaccessible, the task attempts to download updates from the next one.

Updates are retrieved from the Administration Server by the Network Agents. With Kaspersky update servers or other FTP or HTTP locations, updates are downloaded by Kaspersky Endpoint Security itself, without the Agent.

If signatures are outdated on the computers, check the update task source. Select the Kaspersky Security Center source. If you want to use a folder or an FTP server, make sure that updates are accessible at that address and that the computers can access the files.

In the update task properties, you can configure copying updates to a separate folder. This mode can be used to create an update source in small networks or subnets without their own Administration Server. In larger networks, distribution points are used to create intermediate update sources. The Administration Server assigns distribution points automatically (for more details, refer to course KL 302 Kaspersky Endpoint Security and Management: Advanced Skills).

How to find out whether the Server has an update task

The task that updates the Administration Server repository is named Download updates to the repository. The Quick Start wizard creates this task automatically. You can find it in the console on the Devices | Tasks tab of the <Administration Server name> group. If databases are outdated on the computers, check whether the Administration Server has an update task.
Open the Devices | Tasks page of the Administration Server node and look for the Download updates to the repository task. re di st r ib You can have only one task of this type. If it is present already, the task creation wizard doesn’t permit creating another one. However, it is possible to delete the automatically created Download updates to the repository task and create a new one for troubleshooting. The settings of that task include the schedule, the update sources, connection parameters, the list of updates to be downloaded and a few additional options. Since there can only be one such task, it is recommended to schedule it to run regularly at small intervals ranging from 15-20 minutes to several hours. The default value is 1 hour. The following update sources are possible: — Kaspersky update servers—a list of FTP and HTTP servers officially maintained by Kaspersky. These servers are located in various countries worldwide to ensure high reliability of the update procedure. If the task cannot connect to a server, it will try contacting the next one in the list. The list of servers is downloaded together with the other updates or — Master Administration Server—this option is used if there are several Administration Servers and they are connected in a hierarchy (described in detail in course KL 302 Kaspersky Endpoint Security and Management. Advanced Skills) d — Local or network folder—an update source created by administrators. You may specify not only a network folder, but also an FTP or HTTP address co pi e The task can have several different sources organized in a list. If the first source turns out to be inaccessible2, the task will attempt to download updates from the next. be You may need to specify the proxy server parameters for the Administration Server update source. All sources would share the same proxy server. If some sources are accessible without it, enable the Do not use proxy server option in their properties. 
The proxy server is not specified by default. The Quick Start wizard prompts for the proxy server parameters. To specify a proxy server later: 1. In the Administration Server properties, open General | Configuring internet access Specify the proxy server address, port and authentication parameters: Username and password to 2. No t These settings will be used for downloading updates and for KSN requests. 2 The Kaspersky update servers source is considered to be inaccessible if none of known servers are available. 3. What to do if something has happened co pi e d or re di st r ib ut ed 002.11.6: Kaspersky Endpoint Security and Management. Unit IV. Maintenance be If an FTP or HTTP server address is selected in a computers’ update task and it is accessible via a proxy server, specify the proxy server parameters in the Kaspersky Endpoint Security policy. Open the properties of policy on the Application Settings tab, select the General Settings section and click the link Network settings. No t to By default, an automatically detected proxy server is used. This means that Kaspersky Endpoint Security will take the proxy server settings specified in the internet options in Windows Control Panel. The administrator can explicitly specify the address, port and account for authentication. Distribution points are additional update sources in a network. Any computer where the Network Agent is installed can act as a distribution point. The Administration Server automatically selects the computers to which it assigns the distribution point role. The administrator can disable automatic allocation and assign distribution points manually. 002.11.6: Kaspersky Endpoint Security and Management. Unit IV. Maintenance 3. What to do if something has happened To disable automatic assignment of distribution points: ut ed Automatically selected distribution points multicast update files and you cannot disable multicasting. 
Network administrators often do not like uncontrollable traffic in the network. Also, in a small network of a few hundred machines, the Administration Server can cope with updates alone, without distribution points.

To disable automatic assignment of distribution points:
1. Open the Distribution points section in the Administration Server properties
2. Select Manually assign distribution points

With this option selected, the administrator can manually specify the computers to be assigned distribution points. For more details about distribution points, please refer to course KL 302. Scaling.

Kaspersky Security Network learns about new malicious files quicker than update tasks. If computers have no access to KSN, they are more likely to get infected. If Kaspersky Endpoint Security has no access to KSN, it informs the Administration Server about this via the event KSN servers unavailable. To quickly find all computers that have no access to KSN, create a custom computer selection.

By default, Kaspersky Endpoint Security accesses KSN via the Administration Server service named Kaspersky Security Network proxy server. The service accepts connections on TCP port 13111. If computers cannot access KSN, make sure that:
— The service Kaspersky Security Network proxy server is running on the Administration Server
— Port 13111 is not closed by a firewall

In a large network, computers are almost never turned on simultaneously. Some are off at any moment in time. They differ by the icon in the console: powered off computers have a red triangle icon with an exclamation mark in the Visible in the network column. Also, check the columns Network Agent is installed, Network Agent is running, and Last connected to the Administration Server.
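The two KSN conditions listed above (the KSN proxy service running on the Administration Server, TCP port 13111 not blocked between the clients and the Server) can be checked from a PowerShell prompt. The script below is an added example and is not part of the course or of any Kaspersky tool; it assumes the service can be found by a display name containing "Kaspersky Security Network", and it uses a placeholder Server name, ksc-server.example.local, which you replace with your own.

```powershell
# Added example, not part of the course: checks the conditions the course lists for KSN access.
# Assumptions: the KSN proxy service has "Kaspersky Security Network" in its display name;
# the Administration Server name below is a placeholder.
param(
    [string]$AdminServer  = 'ksc-server.example.local',  # placeholder: your Administration Server
    [int]   $KsnProxyPort = 13111                        # port named in the course
)

function Test-KsnProxyService {
    # Meaningful on the Administration Server: is the KSN proxy service present and running?
    $services = @(Get-Service | Where-Object { $_.DisplayName -like '*Kaspersky Security Network*' })
    if ($services.Count -eq 0) {
        return [pscustomobject]@{ Check = 'KSN proxy service'; Result = 'NOT FOUND'; Detail = 'no matching service on this host' }
    }
    foreach ($s in $services) {
        [pscustomobject]@{ Check = 'KSN proxy service'; Result = $s.Status; Detail = "$($s.Name): $($s.DisplayName)" }
    }
}

function Test-KsnProxyListener {
    param([int]$Port)
    # Also on the Server: is anything actually listening on the port?
    $listen = Get-NetTCPConnection -State Listen -LocalPort $Port -ErrorAction SilentlyContinue
    [pscustomobject]@{
        Check  = "listener on TCP $Port"
        Result = if ($listen) { 'LISTENING' } else { 'NOT LISTENING' }
        Detail = if ($listen) { 'process id ' + (($listen.OwningProcess | Sort-Object -Unique) -join ',') } else { '' }
    }
}

function Test-KsnProxyReachable {
    param([string]$Server, [int]$Port)
    # On a client that reports "KSN servers unavailable": can it reach the Server's port at all?
    # A failure here with the Server side LISTENING points at a firewall in between.
    $r = Test-NetConnection -ComputerName $Server -Port $Port -WarningAction SilentlyContinue
    [pscustomobject]@{
        Check  = "TCP $Port on $Server"
        Result = if ($r.TcpTestSucceeded) { 'REACHABLE' } else { 'BLOCKED or not listening' }
        Detail = "remote address $($r.RemoteAddress); ICMP ping $($r.PingSucceeded)"
    }
}

$results = @()
$results += Test-KsnProxyService
$results += Test-KsnProxyListener -Port $KsnProxyPort
$results += Test-KsnProxyReachable -Server $AdminServer -Port $KsnProxyPort
$results | Format-Table -AutoSize
```

Run it on the Administration Server to see the service state and the listening socket, and on a client that reports KSN servers unavailable to see whether the port is reachable through the firewall (on a client, the service and listener checks report NOT FOUND and NOT LISTENING, which is expected there).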
If the Agent is not running, and the last connection was established long ago, do not pay attention to the computer protection status; it can be inaccurate.

If a computer remains powered off for a long time, the Administration Server assigns one of the following two statuses to it:
— Network Agent has been inactive for a long time: the Network Agent has not connected to the Server all this time, and the Server was not able to connect to the computer during the full network poll either. By default, computers receive this status in 14 days. You can change this in the status settings, in the properties of the Managed devices node
— Device has become unmanaged: the Network Agent has not connected to the Server, but the Server connected to the computer during the full network poll

If a computer has the status 'Network Agent has been inactive for a long time', investigate what has happened. If the computer does not exist anymore, delete it from the group and then once again from the Discovery & deployment | Unassigned devices page. If its owner is on vacation, do nothing.

If employees may not connect to the network for a long time (months), increase the period after which the Administration Server automatically deletes computers from groups (60 days by default). Open the properties of the Managed devices group, switch to the Settings tab, and in the Device activity section, change the value of the parameter Remove the device from the group if it has been inactive for longer than (days). Or disable this parameter altogether, if employees may work out of office for an indefinitely long time.
To enable computers to connect to the Administration Server, receive settings and inform about threats when outside the office, configure access to the Administration Server ports from the internet. How to do it is described in course KL 302 Kaspersky Endpoint Security and Management: Advanced Skills.

If a computer has the status Not connected in a long time, make sure that:
— Network Agent is installed
— Network Agent is running

If the user has uninstalled the Network Agent, configure password protection in the Network Agent policy.

If the Agent is installed and running, check its settings. Use the utility klnagchk.exe from the Network Agent's folder %ProgramFiles(x86)%\Kaspersky Lab\NetworkAgent:
— Run the command line interface (cmd.exe) as an administrator
— Go to the Network Agent's folder
— Start the klnagchk.exe utility

When run without parameters, the utility outputs the Network Agent settings, tries to connect to the Administration Server with these settings, publishes the result, and finally outputs the connection statistics. During the test connection, the Agent neither checks whether new settings are available on the server nor sends its data to the server.

To make the Agent synchronize with the Server, run the command klnagchk.exe -sendhb. This command must be executed locally on the client computer.

The Web Console also has commands for checking connection to a computer:
— Force synchronization (Device properties, the General tab, section General): sends a signal to UDP port 15000 of the computer
— Check device accessibility (this command is available only in the MMC Administration Console): verifies the computer status Visible in the network against the Administration Server database. Does not try to connect to the computer, and therefore adds nothing to what the computer icon shows
If the Network Agent has incorrect Server connection parameters, modify them using the utility klmover.exe that is located in the same Network Agent folder:
— Run the command line interface (cmd.exe) as an administrator
— Go to the Network Agent's folder
— Run the utility klmover.exe with the parameter -address and the Server address:
klmover.exe -address 10.28.0.20
If the Server's port is non-standard, add the parameter -ps and the port number.

To fix incorrect connection parameters remotely, reinstall the Network Agent. Before that, check the settings of the Network Agent package. If an Agent has incorrect parameters, they may also be incorrect in the package.

If Kaspersky Endpoint Security does not work or works differently from what the administrator has configured, and simple measures cannot help, contact the tech support. To receive an answer quicker, collect all logs and attach them to your request:
— Kaspersky Endpoint Security logs
— Trace logs of Kaspersky Endpoint Security around the moment when the issue arises
— Windows logs
— GetSystemInfo log—information about the computer

To contact the technical support:
1. Create a request at https://companyaccount.kaspersky.com
2. Select the product and functional area
3. Describe the steps that result in the issue
4. Attach the logs

You can collect logs locally on the computer, remotely using the Kaspersky Security Center remote diagnostics utility or via the MMC Kaspersky Security Center console.
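The klnagchk.exe and klmover.exe procedures described above can be wrapped in a script that keeps the utilities' output for a support request. The script below is an added example; it is not part of the course or of Network Agent. It uses only the switches the course names (-sendhb for klnagchk.exe, -address and -ps for klmover.exe), assumes the default Network Agent folder given in the course, and writes its logs to an assumed folder, %ProgramData%\NetworkAgentCheck. The course does not document the utilities' exit codes, so the script records them without interpreting them; read the saved output.

```powershell
# Added example, not part of the course: runs the local Network Agent checks the course
# describes (klnagchk.exe), optionally repoints the Agent (klmover.exe) and forces a
# synchronization (klnagchk.exe -sendhb). Run from an elevated PowerShell on the client.
# Assumptions: default Network Agent folder from the course; $LogDir is an assumed location.
param(
    [string]$NewServerAddress,    # e.g. 10.28.0.20, the address used in the course; omit to check only
    [int]   $NewServerPort,       # only when the Server uses a non-standard port (klmover -ps)
    [switch]$SendHeartbeat,       # run klnagchk.exe -sendhb afterwards to force synchronization
    [string]$LogDir = "$env:ProgramData\NetworkAgentCheck"   # assumed folder for saved output
)

$agentDir = Join-Path ${env:ProgramFiles(x86)} 'Kaspersky Lab\NetworkAgent'
$klnagchk = Join-Path $agentDir 'klnagchk.exe'
$klmover  = Join-Path $agentDir 'klmover.exe'

function Invoke-AgentTool {
    param([string]$Exe, [string[]]$Arguments = @(), [string]$Label)
    if (-not (Test-Path $Exe)) { throw "$Exe not found: is Network Agent installed?" }
    New-Item -ItemType Directory -Path $LogDir -Force | Out-Null
    $log = Join-Path $LogDir ("{0}-{1:yyyyMMdd-HHmmss}.txt" -f $Label, (Get-Date))
    # Capture stdout and stderr to a file; that text is what you attach to a support request.
    $output = & $Exe @Arguments 2>&1 | Tee-Object -FilePath $log
    [pscustomobject]@{
        Tool     = Split-Path $Exe -Leaf
        Args     = ($Arguments -join ' ')
        ExitCode = $LASTEXITCODE      # recorded only; its meaning is not documented in the course
        LogFile  = $log
        Lines    = @($output).Count
    }
}

# The course says to run cmd.exe as an administrator; enforce the same for this script.
$identity = [Security.Principal.WindowsIdentity]::GetCurrent()
$isAdmin  = ([Security.Principal.WindowsPrincipal]$identity).IsInRole(
                [Security.Principal.WindowsBuiltInRole]::Administrator)
if (-not $isAdmin) { throw 'Run this script from an elevated PowerShell session.' }

$results = @()

# 1. Plain check: prints the Agent settings, tries to connect, prints connection statistics.
$results += Invoke-AgentTool -Exe $klnagchk -Label 'klnagchk'

# 2. Optionally repoint the Agent at another Server, then check again.
if ($NewServerAddress) {
    $moverArgs = @('-address', $NewServerAddress)
    if ($NewServerPort) { $moverArgs += @('-ps', "$NewServerPort") }
    $results += Invoke-AgentTool -Exe $klmover  -Arguments $moverArgs -Label 'klmover'
    $results += Invoke-AgentTool -Exe $klnagchk -Label 'klnagchk-after-klmover'
}

# 3. Optionally force a real synchronization: the plain check neither fetches new settings
#    nor sends the Agent's data to the Server.
if ($SendHeartbeat) {
    $results += Invoke-AgentTool -Exe $klnagchk -Arguments @('-sendhb') -Label 'klnagchk-sendhb'
}

$results | Format-Table -AutoSize
```

With no parameters the script only runs the check; -NewServerAddress 10.28.0.20 (plus -NewServerPort for a non-standard port) repoints the Agent and checks again; -SendHeartbeat makes the Agent synchronize afterwards. Each run leaves a timestamped text file in the log folder.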
To collect logs remotely, connect to the computer using the remote diagnostics utility:
1. Start the utility from the Kaspersky Security Center folder in the Start menu
2. Specify the target Device and the Administration Server address
3. Click the Sign In button
4. To receive information about the computer, click the link Load system information in the upper-left corner of the window
5. To receive Windows logs, select the log and click the link Download event log… in the upper-left corner of the window. Download Kaspersky Event Log and any other logs that contain events concerning the issue

The diagnostics utility saves the files in a folder on the desktop. Open it using the link Download folder in the lower-left corner of the window.

To collect trace logs using the diagnostics utility:
1. Select Kaspersky Endpoint Security in the tree
2. Click the link Enable tracing on the left, do not change the trace level, and click OK
3. Reproduce the steps that demonstrate the issue
4. Click the link Disable tracing in the diagnostics utility
5. Expand the folder Trace files under Kaspersky Endpoint Security
6. Select files one by one and download them using the link Download file on the left

If the problem does not pertain to Kaspersky Endpoint Security, or not only to it, collect trace logs of Network Agent, Administration Server and the Updater component in a similar manner.

When you close the diagnostics utility, it will ask whether to delete the download folder. Do not delete the folder until you have sent the logs to the technical support.

Sometimes, an issue is easier to reproduce locally on the computer. In this case, collect the logs locally, too.

To collect information about the system, download the GetSystemInfo utility from the getsysteminfo.com website.
Run it and save the log in a folder. The utility also collects information about the system and Windows logs, and you will not have to add them manually.

To collect the trace logs:
1. In the Kaspersky Endpoint Security window, click the Support button
2. In the Support window, click Support tools
3. Select the checkbox Enable application traces, select level Normal (500) and click Save
(You can select traces with rotation. In this case, you will be able to limit the maximum number of trace files and the maximum size of a trace file. If the number of trace files reaches the limit, the oldest file will be deleted to free space for a new one.)
4. Reproduce the issue
5. Disable tracing
6. Collect the trace logs from the folder %ProgramData%\Kaspersky Lab\ (the file name includes the creation date and time; select the latest logs)

How to locally enable trace logs for Kaspersky Security Center components is explained in the article http://support.kaspersky.com/9323

When you have all logs at hand, contact the technical support:
1. Log on to the website companyaccount.kaspersky.com. If you have no account, sign up: specify your email and license for Kaspersky products (the activation code or key file)
2. Click the button New request and select Make a request for Tech Support
3. Select the protection scope, product, version, operating system, request type and subtype
4. Type the request subject: define the problem briefly
5. Describe the issue: the steps that result in it, which result you expect, and which you get instead
6. Attach the archive with all logs
Except for signature updates, which are issued continually, there are program updates, which are released much more rarely:
— New versions: are released once every few years, introduce new capabilities, components, settings, etc. Are installed by the Kaspersky Endpoint Security installation task and the installation wizard of Kaspersky Security Center
— Service Packs: are released approximately yearly, sometimes more rarely. Upgrade components and drivers, may add new settings and capabilities, but the changes are not as significant as in a new version. Are installed by the Kaspersky Endpoint Security installation task and the installation wizard of Kaspersky Security Center
— Maintenance Releases: for Kaspersky Endpoint Security, MRs are released once every quarter or two, fix errors, may slightly change settings, are installed by the update task. For Kaspersky Security Center, a Maintenance Release is almost the same as a Service Pack: they are released in a year after a new version or Service Pack, and are installed by the installation wizard of Kaspersky Security Center
— Patches: are not released for Kaspersky Endpoint Security. For Kaspersky Security Center, patches are released quarterly, fix errors, slightly alter operation, are installed automatically on Network Agents
— Private fixes: are released by request, correct specific issues for individual customers. Usually, for customers with a Maintenance Service Agreement

You can learn that a minor update (Maintenance Release for Kaspersky Endpoint Security or patch for Kaspersky Security Center) has been released in Operations | Kaspersky applications | Kaspersky software updates and patches. Also, consult messages on the Monitoring & Reporting | Notifications page, in the Updates section.

Minor updates are installed automatically, but only after the administrator approves them.
Usually, to install an update, you need to accept the license agreement. The status You need to accept the License Agreements for updates informs about this.

To be able to install updates by other manufacturers, you need a Vulnerability and Patch Management license, for example, KESB Advanced. This is described in course KL 009 Vulnerability and Patch Management. The current version of Web Console only partly supports the Vulnerability and Patch Management functionality.

Kaspersky Endpoint Security can do without application updates. If there are no critical issues that impede work, you can use Kaspersky Endpoint Security until a new version or Service Pack is released.

Still, module updates can be useful. They can improve computer performance, increase protection efficiency and add new functionality to the product. Often the benefits outweigh the risks, and the risks can be mitigated by testing the updates and installing only approved ones.

As far as module updates are concerned, the administrator has the following options in the update task of Kaspersky Endpoint Security:
— Install approved application module updates—enabled by default. Can be disabled in the groups where computers are extremely sensitive to changes, e.g., groups with important servers
— Automatically install critical application module updates—installs the updates marked as approved by the administrator and the updates marked as critical by Kaspersky without the administrator's approval. Installing unapproved updates may be risky because unforeseen issues might arise

To approve an update:
1. Select the update on the tab Operations | Kaspersky applications | Kaspersky software updates and patches
2. Click the Approve button above the list of updates
3. If the update has a license agreement, the respective window will open.
Accept the license agreement.

If you approve a wrong update by mistake, open its properties and change the value of the Update approval field to Undefined or Declined.

Prior to approving an update, install it on test computers and make sure that it is not causing any issues.

After a program update is installed, a restart may be required.

Approved updates of Network Agent are installed automatically without tasks. After the administrator approves an update, Agents will start downloading it during planned synchronizations and install it locally.

By default, the Administration Server installs all Network Agent updates rather than only approved ones. To install only approved updates:
1. On the Devices | Policies and profiles page, open the Network Agent policy
2. Switch to the Application Settings tab and go to the Manage patches and updates section
3. Disable the option Automatically install applicable updates and patches for components that have Undefined status

To test Network Agent updates, create a group for test computers and enable installing unapproved updates in the policy of this group.

The administrator can always select not to install some update, even if automatic update is configured in the policy. For this purpose, open the update properties and for the parameter Update approval, select Declined.

To prevent distributing Network Agent updates of older versions (up to version 10 SP1 inclusive), disable the respective parameter in the task Download updates to the repository:
1. On the Devices | Tasks tab, open the properties of the Download updates to the repository task
2. Switch to the Application Settings tab and in the Other settings area, click Configure
3.
Clear the checkbox Update Network Agent modules (for Network Agent versions earlier than 10 Service Pack 2)

Since only one task of this type exists, module updates of Network Agents up to version 10 SP1 inclusive will or will not be installed in the whole network. You cannot enable installation of these updates in some groups and disable it in others.

The Monitoring & Reporting | Notifications | Updates page also informs about new product versions and Service Packs. Monitor the messages:
— Updates are available for Kaspersky Security Center components
— Updates are available for Kaspersky applications
— There are <N> new version(s) of Kaspersky applications available for download

All of them lead to the Installation packages window. To open this window in another way, go to Operations | Kaspersky applications | Current application versions.

The window shows the list of available product versions by Kaspersky, which are manageable via Kaspersky Security Center. You can download them from Kaspersky servers through this window. Program versions include:
— Distributions that can be downloaded to the Administration Server
— Distributions that cannot be transformed into a package, but can just be downloaded
— Management plug-ins, which can be downloaded and installed in the console

The list includes numerous programs, a few versions of each program and several localizations of each version, and it's easy to get lost.
To find what you need, for example, the latest version of Kaspersky Endpoint Security in English, configure a filter:
— Components:
  Workstations: Kaspersky Endpoint Security for various platforms (Windows, Mac)
  File Servers and Storages: distributions and plug-ins of Kaspersky Anti-Virus for Windows File Servers, Kaspersky Anti-Virus for Windows Servers and Kaspersky Security for Windows Server
  Controls: distributions and patches of Kaspersky Security Center and Network Agent components for various platforms
  Virtualization: distributions and plug-ins of Kaspersky Security for Virtualization Light Agent
  Mobile devices: distributions and plug-ins of Kaspersky Security for Mobile (Android)
  Embedded Systems (ATM and POS): Kaspersky Embedded Systems Security distributions and plug-ins
— Update type: full distribution package, patch, plug-in or web plug-in
— Specify the necessary program version
— Specify the program interface language

Initially, a license is purchased together with the product to entitle its use. Later, another license can be purchased to overcome one of the following license limitations:
— Prolong—the most typical situation, when the company is satisfied with the product and it is necessary to renew the license to keep using it
— Increase the number of computers—if the company grows and the number of computers is about to exceed the license limit
— Extend functionality—if the necessity to use additional product functions has appeared at the company, for example, Encryption or automatic installation of Windows updates

Also, a license may be denylisted if it is exposed to the internet. Kaspersky blocks these licenses, and they stop working. Products receive denylists of licenses together with signature updates.
Without a license, Kaspersky Endpoint Security works with limitations:
— Before the first license is installed: only File Threat Protection and Firewall work
— If a commercial license has expired: all components keep working, but update tasks will not start and KSN servers are inaccessible. Protection level gradually decreases
— If a trial license has expired or a commercial license has been denylisted: only File Threat Protection and Firewall will keep working. Protection will be resumed after you activate the product with a valid commercial license

If the license is about to expire or has expired on a computer, the administrator should pay attention.

The license expiration date is displayed in the license properties in Operations | Licensing | Kaspersky licenses. The computer statuses configured in the administration group properties may also attract the administrator's attention. Two status conditions relate to licenses:
— License term expired—sets the computer status to Critical. By default, the condition is triggered in 0 days, meaning right after the license expires. It can be configured to trigger several days after the license expiration so that the license could update automatically rather than waste the administrator's time
— License term expires soon—sets the computer status to Warning. By default, it is displayed 7 days before the expiration, but this parameter is adjustable

Most of the information about the keys that the administrator would ever need is available on the Operations | Licensing | Kaspersky licenses page, including node restriction and use percentage.

The Administration Server shows how many of the managed computers are using the license.
It does not receive data from Kaspersky activation servers, which may have different statistics if the license is also used on computers without the Network Agent.

Administration Server events inform about exceeding the node limitation:
— License restriction has been exceeded—there are two events with this name, critical and warning. A critical event is generated when the number of installations constitutes 110% of the license limit. A warning informs of reaching the limit (100%)
— Over 90% of this key is used up—an information message

The Administration Server does not impose any technical limitations if the license limit reaches either 100% or 110%. If keys are used for activation, the administrator can distribute them with a key installation task to any number of computers. From the viewpoint of the license agreement, a license entitles you to use the software on the number of devices specified in the license certificate. However, if the Deploy key automatically option is enabled in the key properties, the Administration Server will not only distribute it to computers, but also remove the key from excessive computers if the license limit is surpassed.

If activation codes are used, Kaspersky activation servers may impose technical limitations. For each instance of Kaspersky Endpoint Security that needs to be activated, the Activation Servers issue a ticket for using the product. If the number of simultaneously issued tickets greatly exceeds the license limit (1.5 to 2 times), the activation server will stop issuing tickets.

When a license is soon to expire, the company can purchase a new license. The problem is how to switch from one license to another without a time gap and without reducing the effective license period of any of the licenses.
You would rather not replace the old license when there are still several days left of the licensing period. However, you want to activate the new license before the old one expires.

To avoid losing the validity period of either the old or the new license, use one of the following approaches:
1. Distribute a new key to the computers using a key installation task beforehand. In the task settings, specify that it is an additional (backup) key. Additional keys and codes can be added in almost all Kaspersky products. Once the active key expires, the product is automatically activated with the additional key or code.
2. Add the new license to the Administration Server and enable the option Deploy key automatically in its properties. When the previous key expires on the computers, they will receive the new automatically distributed key from the Administration Server.

Automatically deployed license keys are sent to all computers. If a computer does not have an active license, the automatically distributed key will be activated on it. If an active license is already available, the automatically distributed key will be deployed as an additional one. If a computer has both an active and an additional license, the automatically distributed key will not be installed.

The key or code to be distributed can be added in the Quick Start wizard. To add keys later, on the Operations | Licensing | Kaspersky licenses page, click the Add button.

Registered keys and codes can be imported from the storage as key files or text files with the code. (This functionality is available only in the MMC Administration Console.) These can be used for local activation if necessary, or for backup purposes.

Only the extended functions of the Kaspersky Security Center Administration Server available in KESB Select and KESB Advanced licenses require activation. The operations described in this course do not require activating the Administration Server.
To replace the active key or add another one to the Administration Server, open the Keys section in the Server properties. You can specify the active and additional license in this section. You can also replace or delete licenses as necessary. You can select a license for the Administration Server from among those added to the Kaspersky licenses storage.

To add a key to the Administration Server, select a key specifically designed for Kaspersky Security Center. Check what is written in the key table in the Application name column. There is usually a descriptor there, Security Center or Kaspersky Endpoint Security, that indicates the key purpose.

If you are adding a code, you do not need to check the name: the same code activates all products covered by the license, Kaspersky Endpoint Security and Kaspersky Security Center.

Sometimes you need to install a specific key on a specific computer or a group of computers. Automatic distribution would not serve this purpose. Instead, you can create an Add key task. This task can be created using the typical task creation wizard on the Devices | Tasks page.

If two products require different Console plug-ins to be managed, they would require different Add key tasks as well. For example, Kaspersky Endpoint Security 10 Service Pack 2 and Kaspersky Endpoint Security 10 Service Pack 1 have independent plug-ins. Therefore, a task to add a key to Kaspersky Endpoint Security 10 SP2 wouldn't run on Kaspersky Endpoint Security 10 SP1 and vice versa.

In the task creation wizard or later in the task properties, you can select a license from the list of keys and codes (those available on the Operations | Licensing | Kaspersky licenses page).
There is an option in the task that permits installing the selected key or code as an additional key. This option is enabled by default, because the main license is supposed to be installed through the automatic installation feature (an option in the key or code properties).

Creating backup copies is a good practice that can save you a lot of trouble. The administrator will be able to restore the entire management system from a backup copy within about an hour. To ensure a quick recovery, it is important to store backups in a reliable location.

A backup copy of the Kaspersky Security Center data includes all visible and invisible configuration settings. This includes the event database (which contains more than just the events), administration group structure, tasks and policies, report templates, installation packages (3), selections of computers and events, the Administration Server certificate, and more. Updates are not included, because they quickly become outdated, and there is no reason to keep an old copy.

Since the Encryption functionality has appeared in Kaspersky Endpoint Security, backups have become even more important. The Administration Server configuration now includes the encryption key store that contains master keys for all computers where encryption is used. These keys are necessary for recovering access to encrypted data in case of failures. If the master keys stored on the Administration Server are lost, encrypted data may also be lost irretrievably. Encryption and the risks involved are described in course KL 008 Encryption.

(3) Including stand-alone, but excluding operating system image packages. (These packages are described in detail in course KL 009 Vulnerability and Patch Management.)
However, even if we leave encryption out of consideration, losing Administration Server data can result in many hours, days or even weeks spent on system recovery. In a large network, even creating a structure of groups can be difficult and may consume much time and effort. If the server is reinstalled, its certificate changes, which means that Network Agents, even if they use the correct address, will not be able to establish a connection to the new Administration Server. Generally, to recover connection to the computers, all Network Agents will have to be reinstalled.

A backup copy relieves the administrators of these issues, because a copy includes the server certificate, all the settings, and the encryption key store.

Backup copies can be used as an alternative method of upgrading the Kaspersky Security Center version. A standard upgrade procedure implies installing a new version over the old one. In this case, the installer detects the previous version and upgrades its components, saving old settings if possible. Using the backup mechanism, you can create a backup copy of your old system, uninstall it, then install the new version of the Administration Server, and restore its configuration from the backup. You can use this method when it is necessary to upgrade not only the software components of the Administration Server, but also its hardware configuration.

In a similar manner, you can use backups to move the Administration Server to a different computer. First create a backup copy, and then install the Administration Server on another system. Restore the Administration Server settings from the backup copy. In this case, it is important to ensure that the same SQL server type (Microsoft SQL or MySQL) is installed for both the new and the old instances of the Administration Server.

If you move the Administration Server to another system and want to change the Server's name, you must make this change before the migration.
For details, refer to course KL 302 Kaspersky Endpoint Security and Management. Scaling.

The most important thing about backup copying is to regularly make sure that you can restore the system from a backup copy. Spend half an hour once a month, or at least once a quarter, to restore Administration Server data on a test computer. This way, you will make sure that the backup copies are not corrupted and sharpen your skills. In case of a real failure, you will be able to restore systems quickly and easily.

To create backup copies, Kaspersky Security Center has a special task called Backup of Administration Server data. Only one instance of this task can exist on the Administration Server, and the default one is created by the Quick Start wizard. If necessary, you can delete and recreate it as a troubleshooting measure.

The actual job of creating backup copies is performed by klbackup.exe, a utility for backup and recovery of the Administration Server. The task launches the utility with the specified options, and the utility then creates a backup copy. Starting with Kaspersky Security Center version 10 SP3, when creating a backup copy, the klbackup.exe utility does not stop any services; it copies the Server settings and data, then instructs the SQL server to back up the database.

Only one parameter is required for the backup task: the location of backup copies. This folder will contain subfolders for each backup copy. The names of the subfolders consist of the date and time of creation. The default location of backup copies is the SC_Backup folder in the Administration Server data directory (%ProgramData%\KasperskySC\SC_Backup).

It is risky to store backup copies on the disk where the Administration Server is installed, because in the event of a hardware failure, both the current system and its backup copy will suffer.
We strongly recommend that you store backup copies in another location. The administrator can either specify a network location or use an additional process to move backup copies to a safer place for storage.

It is important to realize that backup copies of the Administration Server data are created under the Administration Server account, whereas backups of the database are created under the database server account. If you specify a network path as the target location for backup copies, both the Administration Server and the SQL server must have access to this folder. Also, the specified drive must have enough free space.

Since a backup copy can be up to several gigabytes in size (depending on the network and the amount of stored data), it makes sense to limit the number of stored backup copies. By default, the maximum number of backup copies is three.

The Administration Server certificate is stored in an encrypted form for security reasons. This security measure prevents intruders from using the certificate to gain control over the client systems. To enable certificate encryption, you need to provide a password. By default, the password is empty.

The backup task is scheduled to start every two days at 2 AM by default; therefore, only three backup copies covering the last six days are stored.

There is no task in Kaspersky Security Center that would restore data from a backup copy. This is by design, because an accidental launch of such a task would result in the loss of newly added settings and data.

In order to restore the Administration Server data, the klbackup.exe utility is used again; it can be run from the Start menu. When started without command line options, this utility works as a wizard that prompts you to choose the restore option and to enter the path to the backup copy and the password for decrypting the Administration Server certificate. You need to specify the full path to the subfolder that contains the backup copy.
For example, if you specified the c:\backups path for the backup task, then to restore the system you need to enter something similar to c:\backups\klbackup2018-12-27#02-00-02.

The backup utility can not only restore the data from backup copies, but it can also create backup copies. To do so, at the Choose Action step, select Backup of Administration Server data.

Also, you can enable the mode for only backing up or restoring the Administration Server certificate. This mode can be used, for example, when you only need to restore the connection between the Network Agents and the Server, but want to create the structure and settings from scratch. This limited backup is not available in the backup task.

The klbackup.exe utility can be launched from the command line with the following parameters:
— -path: the backup copy destination folder, or the source folder during a recovery
— -restore: instructs the utility to restore data; without it, the utility will create a backup copy
— -use_ts: creates a subfolder with a name consisting of the date and time of creation; without it, the utility will create the backup copy right in the folder specified by the -path option
— -password: specifies the password for encrypting the Administration Server certificate

With time, the Administration Server database may slow down. In particular, reports may be generated slowly, and lists of events or computers may be displayed only after a noticeable pause.

To speed up the console's work with the events stored in the database, the database needs to be optimized. Before Kaspersky Security Center 10 SP2, this could only be done using the database server tools.
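As an added example (not part of the course material or of Kaspersky's own tooling), the following Python helper builds the klbackup.exe command line from the four parameters listed above and checks a listing of the backup folder for stale copies, which is the check behind the advice to regularly verify that backups exist and can be restored. The klbackup.exe path, the three-day staleness threshold (derived from the default every-two-days schedule) and the folder names used for testing are assumptions.

```python
import re
from datetime import datetime, timedelta
from typing import List, Optional

# Assumed location of klbackup.exe: it sits in the Administration Server
# installation folder, so adjust the path to your installation.
KLBACKUP = r"C:\Program Files (x86)\Kaspersky Lab\Kaspersky Security Center\klbackup.exe"

# Subfolder names created with -use_ts look like klbackup2018-12-27#02-00-02
_NAME_RE = re.compile(r"^klbackup(\d{4})-(\d{2})-(\d{2})#(\d{2})-(\d{2})-(\d{2})$")


def klbackup_args(path: str, password: str = "", restore: bool = False,
                  use_ts: bool = True) -> List[str]:
    """Build the klbackup.exe command line from the four documented options.
    For a backup, path is the destination folder and -use_ts adds a timestamped
    subfolder; for a restore, path must be that subfolder's full path."""
    args = [KLBACKUP, "-path", path]
    if restore:
        args.append("-restore")
    elif use_ts:
        args.append("-use_ts")
    if password:  # the default is an empty password, i.e. no certificate encryption
        args += ["-password", password]
    return args


def parse_backup_name(name: str) -> Optional[datetime]:
    """Return the creation time encoded in a backup subfolder name, or None."""
    m = _NAME_RE.match(name)
    return datetime(*(int(g) for g in m.groups())) if m else None


def newest_backup(names: List[str]) -> Optional[str]:
    """Pick the most recent backup subfolder out of a directory listing,
    ignoring anything that does not follow the klbackup naming scheme."""
    dated = [(parse_backup_name(n), n) for n in names]
    dated = [(d, n) for d, n in dated if d is not None]
    return max(dated)[1] if dated else None


def backup_is_stale(names: List[str], now: datetime,
                    max_age: timedelta = timedelta(days=3)) -> bool:
    """True when no backup exists or the newest one is older than max_age.
    With the default schedule (every two days at 2 AM), a newest copy older
    than three days means a scheduled run failed or the task was disabled."""
    newest = newest_backup(names)
    return newest is None or now - parse_backup_name(newest) > max_age
```

Feed newest_backup and backup_is_stale the result of os.listdir on the backup location; the klbackup_args list can be passed straight to subprocess.run on the Administration Server.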
Kaspersky Security Center 10 SP2 features a special task named Database maintenance, which can optimize a Microsoft SQL database of the Administration Server. The task does not support MySQL databases. If you use MySQL, optimize the database using the database server tools.

To speed up the Administration Server database, the Database maintenance task performs the following:
— Looks for errors in the database and fixes them
— Rebuilds indexes
— Updates the database statistics
— Optionally shrinks the database

The task has few parameters. In addition to the schedule, there is only the Shrink database option, which decreases the database size. It is recommended to optimize the database once a week.

If the Administration Server works slowly because its resources are scarce, the Database maintenance task will not help.

There can be only one Database maintenance task. It is created by the Quick Start wizard. By default, the task starts every Saturday at 1 AM.

To keep protection working on the computers, monitor important events:
— Configure notifications about possibly infected computers
— Configure reports to be emailed
— Organize daily inspections of the protection status: customize the Dashboard

Investigate grave incidents, such as an infection, immediately. Solve less important issues once a week. Do not allow them to pile up; otherwise, it will soon be difficult to notice something important among them.

If you cannot solve an issue, contact technical support. To receive a precise answer sooner, collect logs and attach them to your request.

Install updates and new versions. They correct errors and improve performance and protection.

Back up the Administration Server data.
Regularly make sure that you can restore data from a backup.

Do not forget to renew the license. Configure statuses and notifications to be informed of its expiration beforehand.

v1.0.3