Kaspersky Security Center 14 Windows-English


Kaspersky Security Center 14

Windows

© 2023 AO Kaspersky Lab

1
Contents
Kaspersky Security Center 14 Help
What's new
Kaspersky Security Center 14
Basic concepts
Administration Server
Hierarchy of Administration Servers
Virtual Administration Server
Mobile Device Server
Web Server
Network Agent
Administration groups
Managed device
Unassigned device
Administrator's workstation
Management plug-in
Management web plug-in
Policies
Policy profiles
Tasks
Task scope
How local application settings relate to policies
Distribution point
Connection gateway
About Kaspersky Security Center
Hardware and software requirements
Unsupported operating systems and platforms
List of supported Kaspersky applications and solutions
Licenses and features of Kaspersky Security Center 14
About compatibility of Administration Server and Kaspersky Security Center Web Console
Comparison of Kaspersky Security Center: Windows-based vs. Linux-based
About Kaspersky Security Center Cloud Console
Architecture
Main installation scenario
Ports used by Kaspersky Security Center
Certificates for work with Kaspersky Security Center
About Kaspersky Security Center certificates
About Administration Server certificate
Requirements for custom certificates used in Kaspersky Security Center
Scenario: Specifying the custom Administration Server certificate
Replacing the Administration Server certificate by using the klsetsrvcert utility
Connecting Network Agents to Administration Server by using the klmover utility
Reissuing the Web Server certificate
Schemas for data traffic and port usage
Administration Server and managed devices on LAN
Primary Administration Server on LAN and two secondary Administration Servers
Administration Server on LAN, managed devices on internet, TMG in use
Administration Server on LAN, managed devices on internet, connection gateway in use
Administration Server in DMZ, managed devices on internet
Interaction of Kaspersky Security Center components and security applications: more information
Conventions used in interaction schemas
Administration Server and DBMS
Administration Server and Administration Console
Administration Server and client device: Managing the security application
Upgrading software on a client device through a distribution point
Hierarchy of Administration Servers: primary Administration Server and secondary Administration Server
Hierarchy of Administration Servers with a secondary Administration Server in DMZ
Administration Server, a connection gateway in a network segment, and a client device
Administration Server and two devices in DMZ: a connection gateway and a client device
Administration Server and Kaspersky Security Center Web Console
Activating and managing the security application on a mobile device
Deployment best practices
Preparation for deployment
Planning Kaspersky Security Center deployment
Typical schemes of protection system deployment
About planning Kaspersky Security Center deployment in an organization's network
Selecting a structure for protection of an enterprise
Standard configurations of Kaspersky Security Center
Standard configuration: Single office
Standard configuration: A few large-scale offices run by their own administrators
Standard configuration: Multiple small remote offices
How to select a DBMS for Administration Server
Selecting a DBMS
Managing mobile devices with Kaspersky Endpoint Security for Android
Providing internet access to Administration Server
Internet access: Administration Server on a local network
Internet access: Administration Server in DMZ
Internet access: Network Agent as connection gateway in DMZ
About distribution points
Calculating the number and configuration of distribution points
Hierarchy of Administration Servers
Virtual Administration Servers
Information about limitations of Kaspersky Security Center
Network load
Initial deployment of anti-virus protection
Initial update of anti-virus databases
Synchronizing a client with the Administration Server
Additional update of anti-virus databases
Processing of events from clients by Administration Server
Traffic per 24 hours
Preparing for mobile device management
Exchange Mobile Device Server
How to deploy an Exchange Mobile Device Server
Rights required for deployment of Exchange Mobile Device Server
Account for Exchange ActiveSync service

iOS MDM Server
Standard configuration: Kaspersky Device Management for iOS in DMZ
Standard configuration: iOS MDM Server on the local network of an organization
Managing mobile devices with Kaspersky Endpoint Security for Android
Information about Administration Server performance
Limitations on connection to an Administration Server
Results of Administration Server performance testing
Results of KSN proxy server performance testing
Deploying Network Agent and the security application
Initial deployment
Configuring installers
Installation packages
MSI properties and transform files
Deployment with third-party tools for remote installation of applications
About remote installation tasks in Kaspersky Security Center
Deployment by capturing and copying the hard drive image of a device
Incorrect copying of a hard drive image
Deployment using group policies of Microsoft Windows
Forced deployment through the remote installation task of Kaspersky Security Center
Running stand-alone packages created by Kaspersky Security Center
Options for manual installation of applications
Remote installation of applications on devices with Network Agent installed
Managing device restarts in the remote installation task
Suitability of databases updating in an installation package of a security application
Using tools for remote installation of applications in Kaspersky Security Center for running relevant executable files on managed devices
Monitoring the deployment
Configuring installers
General information
Installation in silent mode (with a response file)
Installation of Network Agent in silent mode (without a response file)
Partial installation configuration through setup.exe
Administration Server installation parameters
Network Agent installation parameters
Virtual infrastructure
Tips on reducing the load on virtual machines
Support of dynamic virtual machines
Support of virtual machines copying
Support of file system rollback for devices with Network Agent
Local installation of applications
Local installation of Network Agent
Installing Network Agent in silent mode
Installing Network Agent for Linux in silent mode (with an answer file)
Installing Network Agent on Astra Linux in the closed software environment mode
Local installation of the application management plug-in
Installing applications in silent mode
Installing applications by using stand-alone packages
Network Agent installation package settings

Viewing the Privacy Policy
Deploying mobile device management systems
Deploying a system for management via Exchange ActiveSync protocol
Installing Mobile Device Server for Exchange ActiveSync
Connecting mobile devices to an Exchange Mobile Device Server
Configuring the Internet Information Services web server
Local installation of an Exchange Mobile Device Server
Remote installation of an Exchange Mobile Device Server
Deploying a system for management using iOS MDM protocol
Installing iOS MDM Server
Installing iOS MDM Server in silent mode
iOS MDM Server deployment scenarios
Simplified deployment scheme
Deployment scheme involving Kerberos constrained delegation (KCD)
Use of iOS MDM Server by multiple virtual Servers
Receiving an APNs certificate
Renewing an APNs certificate
Configuring a reserve iOS MDM Server certificate
Installing an APNs certificate on an iOS MDM Server
Configuring access to Apple Push Notification service
Issuing and installing a shared certificate on a mobile device
Adding a KES device to the list of managed devices
Connecting KES devices to the Administration Server
Direct connection of devices to the Administration Server
Scheme for connecting KES devices to the Server involving Kerberos constrained delegation (KCD)
Using Google Firebase Cloud Messaging
Integration with Public Key Infrastructure
Kaspersky Security Center Web Server
Installation of Kaspersky Security Center
Preparing for installation
Accounts for working with the DBMS
Configuring accounts for work with SQL Server (Windows authentication)
Configuring accounts for work with SQL Server (SQL Server authentication)
Configuring accounts for work with MySQL and MariaDB
Scenario: Authenticating Microsoft SQL Server
Recommendations on Administration Server installation
Creating accounts for the Administration Server services on a failover cluster
Defining a shared folder
Remote installation with Administration Server tools through Active Directory group policies
Remote installation through delivery of the UNC path to a stand-alone package
Updating from the Administration Server shared folder
Installing images of operating systems
Specifying the address of the Administration Server
Standard installation
Step 1. Reviewing the License Agreement and Privacy Policy
Step 2. Selecting an installation method
Step 3. Installing Kaspersky Security Center Web Console
Step 4. Selecting network size

Step 5. Selecting a database
Step 6. Configuring the SQL Server
Step 7. Selecting an authentication mode
Step 8. Unpacking and installing files on the hard drive
Custom installation
Step 1. Reviewing the License Agreement and Privacy Policy
Step 2. Selecting an installation method
Step 3. Selecting the components to be installed
Step 4. Installing Kaspersky Security Center Web Console
Step 5. Selecting network size
Step 6. Selecting a database
Step 7. Configuring the SQL Server
Step 8. Selecting an authentication mode
Step 9. Selecting the account to start Administration Server
Step 10. Selecting the account for running the Kaspersky Security Center services
Step 11. Selecting a shared folder
Step 12. Configuring the connection to Administration Server
Step 13. Defining the Administration Server address
Step 14. Administration Server address for connection of mobile devices
Step 15. Selecting application management plug-ins
Step 16. Unpacking and installing files on the hard drive
Deployment of the Kaspersky failover cluster
Scenario: Deployment of a Kaspersky failover cluster
About the Kaspersky failover cluster
Preparing a file server for a Kaspersky failover cluster
Preparing nodes for a Kaspersky failover cluster
Installing Kaspersky Security Center on the Kaspersky failover cluster nodes
Starting and stopping cluster nodes manually
Installing Administration Server on a Microsoft failover cluster
Step 1. Reviewing the License Agreement and Privacy Policy
Step 2. Selecting the type of installation on a cluster
Step 3. Specifying the name of the virtual Administration Server
Step 4. Specifying the network details of the virtual Administration Server
Step 5. Specifying a cluster group
Step 6. Selecting a cluster data storage
Step 7. Specifying an account for remote installation
Step 8. Selecting the components to be installed
Step 9. Selecting network size
Step 10. Selecting a database
Step 11. Configuring the SQL Server
Step 12. Selecting an authentication mode
Step 13. Selecting the account to start Administration Server
Step 14. Selecting the account for running the Kaspersky Security Center services
Step 15. Selecting a shared folder
Step 16. Configuring the connection to Administration Server
Step 17. Defining the Administration Server address
Step 18. Administration Server address for connection of mobile devices
Step 19. Unpacking and installing files on the hard drive

Installing Administration Server in silent mode
Installing Administration Console on the administrator's workstation
Changes in the system after Kaspersky Security Center installation
Removing the application
About upgrading Kaspersky Security Center
Upgrading Kaspersky Security Center from a previous version
Upgrading Kaspersky Security Center on the Kaspersky failover cluster nodes
Initial setup of Kaspersky Security Center
Administration Server Quick Start Wizard
About Quick Start Wizard
Starting Administration Server Quick Start Wizard
Step 1. Configuring a proxy server
Step 2. Selecting the application activation method
Step 3. Selecting the protection scopes and platforms
Step 4. Selecting plug-ins for managed applications
Step 5. Downloading distribution packages and creating installation packages
Step 6. Configuring Kaspersky Security Network usage
Step 7. Configuring email notifications
Step 8. Configuring update management
Step 9. Creating an initial protection configuration
Step 10. Connecting mobile devices
Step 11. Downloading updates
Step 12. Device discovery
Step 13. Closing the Quick Start Wizard
Configuring the connection of Administration Console to Administration Server
Connecting out-of-office devices
Scenario: Connecting out-of-office devices through a connection gateway
Scenario: Connecting out-of-office devices through a secondary Administration Server in DMZ
About connecting out-of-office devices
Connecting external desktop computers to Administration Server
About connection profiles for out-of-office users
Creating a connection profile for out-of-office users
About switching Network Agent to other Administration Servers
Creating a Network Agent switching rule by network location
Encrypt communication with TLS
Notifications of events
Configuring event notification
Testing notifications
Event notifications displayed by running an executable file
Configuring the interface
Discovering networked devices
Scenario: Discovering networked devices
Unassigned devices
Device discovery
Windows network polling
Active Directory polling
IP range polling
Zeroconf polling

Working with Windows domains. Viewing and changing the domain settings
Configuring retention rules for unassigned devices
Working with IP ranges
Creating an IP range
Viewing and changing the IP range settings
Working with the Active Directory groups. Viewing and modifying group settings
Creating rules for moving devices to administration groups automatically
Using VDI dynamic mode on client devices
Enabling VDI dynamic mode in the properties of an installation package for Network Agent
Searching for devices that are part of VDI
Moving devices from VDI to an administration group
Equipment inventory
Adding information about new devices
Configuring criteria used to define enterprise devices
Configuring custom fields
Licensing
Events of the licensing limit exceeded
About licensing
About the license
About the End User License Agreement
About the license certificate
About the license key
About the key file
About the subscription
About the activation code
Revoking consent with an End User License Agreement
About data provision
Kaspersky Security Center licensing options
Licensing features of Kaspersky Security Center and managed applications
Kaspersky applications. Centralized deployment
Replacing third-party security applications
Installing applications using a remote installation task
Installing an application on selected devices
Installing an application on client devices in an administration group
Installing an application through Active Directory group policies
Installing applications on secondary Administration Servers
Installing applications using Remote Installation Wizard
Viewing a protection deployment report
Remote removal of applications
Remote removal of an application from client devices of the administration group
Remote removal of an application from selected devices
Working with installation packages
Creating an installation package
Creating stand-alone installation packages
Creating custom installation packages
Viewing and editing properties of custom installation packages
Obtaining the Network Agent installation package from the Kaspersky Security Center distribution kit
Distributing installation packages to secondary Administration Servers

Distributing installation packages through distribution points
Transferring application installation results to Kaspersky Security Center
Defining the KSN proxy server address for installation packages
Receiving up-to-date versions of applications
Preparing a Windows device for remote installation. Riprep utility
Preparing a Windows device for remote installation in interactive mode
Preparing a Windows device for remote installation in silent mode
Preparing a Linux device for remote installation of Network Agent
Preparing a device running SUSE Linux Enterprise Server 15 for installation of Network Agent
Preparing a macOS device for remote installation of Network Agent
Kaspersky applications: licensing and activation
Licensing of managed applications
Viewing information about license keys in use
Adding a license key to the Administration Server repository
Deleting an Administration Server license key
Deploying a license key to client devices
Automatic distribution of a license key
Creating and viewing a license key usage report
Viewing information about the application license keys
Configuring network protection
Scenario: Configuring network protection
Policy setup and propagation: Device-centric approach
About device-centric and user-centric security management approaches
Manual setup of Kaspersky Endpoint Security policy
Configuring the policy in the Advanced Threat Protection section
Configuring the policy in the Essential Threat Protection section
Configuring the policy in the General Settings section
Configuring the policy in the Event configuration section
Manual setup of the group update task for Kaspersky Endpoint Security
Manual setup of the group task for scanning a device with Kaspersky Endpoint Security
Scheduling the Find vulnerabilities and required updates task
Manual setup of the group task for updates installation and vulnerabilities fix
Setting the maximum number of events in the event repository
Setting the maximum storage period for the information about fixed vulnerabilities
Managing tasks
Creating a task
Creating the Administration Server task
Creating a task for specific devices
Creating a local task
Displaying an inherited group task in the workspace of a nested group
Automatically turning on devices before starting a task
Automatically turning off a device after a task is completed
Limiting task run time
Exporting a task
Importing a task
Converting tasks
Starting and stopping a task manually
Pausing and resuming a task manually

Monitoring task execution
Viewing task run results stored on the Administration Server
Configuring filtering of information about task run results
Modifying a task. Rolling back changes
Comparing tasks
Accounts to start tasks
Change Tasks Password Wizard
Step 1. Specifying credentials
Step 2. Selecting an action to take
Step 3. Viewing the results
Creating a hierarchy of administration groups subordinate to a virtual Administration Server
Policies and policy profiles
Hierarchy of policies, using policy profiles
Hierarchy of policies
Policy profiles
Inheritance of policy settings
Managing policies
Creating a policy
Displaying inherited policy in a subgroup
Activating a policy
Activating a policy automatically at the Virus outbreak event
Applying an out-of-office policy
Modifying a policy. Rolling back changes
Comparing policies
Deleting a policy
Copying a policy
Exporting a policy
Importing a policy
Converting policies
Managing policy profiles
About the policy profile
Creating a policy profile
Modifying a policy profile
Deleting a policy profile
Creating a policy profile activation rule
Device moving rules
Cloning device moving rules
Software categorization
Prerequisites for installing applications on devices of a client organization
Viewing and editing local application settings
Updating Kaspersky Security Center and managed applications
Scenario: Regular updating Kaspersky databases and applications
About updating Kaspersky databases, software modules, and applications
About using diff files for updating Kaspersky databases and software modules
Enabling the Downloading diff files feature: scenario
Creating the task for downloading updates to the repository of the Administration Server
Creating the Download updates to the repositories of distribution points task
Configuring the Download updates to the repository of the Administration Server task

Verifying downloaded updates
Configuring test policies and auxiliary tasks
Viewing downloaded updates
Automatic installation of Kaspersky Endpoint Security updates on devices
Offline model of update download
Enabling and disabling the offline model of update download
Automatic updating and patching for Kaspersky Security Center components
Enabling and disabling automatic updating and patching for Kaspersky Security Center components
Automatic distribution of updates
Distributing updates to client devices automatically
Distributing updates to secondary Administration Servers automatically
Assigning distribution points automatically
Assigning a device a distribution point manually
Removing a device from the list of distribution points
Downloading updates by distribution points
Deleting software updates from the repository
Patch installation for a Kaspersky application in cluster mode
Managing third-party applications on client devices
Installing third-party software updates
Scenario: Updating third-party software
Viewing information about available updates for third-party applications
Approving and declining software updates
Synchronizing updates from Windows Update with Administration Server
Step 1. Defining whether to reduce traffic
Step 2. Applications
Step 3. Update categories
Step 4. Updates languages
Step 5. Selecting the account to start the task
Step 6. Configuring a task start schedule
Step 7. Defining the task name
Step 8. Completing creation of the task
Installing updates on devices manually
Configuring Windows updates in a Network Agent policy
Fixing third-party software vulnerabilities
Scenario: Finding and fixing third-party software vulnerabilities
About finding and fixing software vulnerabilities
Viewing information about software vulnerabilities
Viewing statistics of vulnerabilities on managed devices
Scanning applications for vulnerabilities
Fixing vulnerabilities in applications
Fixing vulnerabilities in an isolated network
Scenario: Fixing third-party software vulnerabilities in an isolated network
About fixing third-party software vulnerabilities in an isolated network
Configuring the Administration Server with internet access to fix vulnerabilities in an isolated network
Configuring isolated Administration Servers to fix vulnerabilities in an isolated network
Transmitting patches and installing updates in an isolated network
Disabling the option to transmit patches and install updates in an isolated network
Ignoring software vulnerabilities

Selecting user fixes for vulnerabilities in third-party software
Rules for update installation
Groups of applications
Scenario: Application Management
Creating application categories for Kaspersky Endpoint Security for Windows policies
Creating an application category with content added manually
Creating an application category that includes executable files from selected devices
Creating an application category that includes executable files from a specific folder
Adding event-related executable files to the application category
Configuring application startup management on client devices
Viewing the results of static analysis of startup rules applied to executable files
Viewing the applications registry
Changing the software inventory start time
About license key management of third-party applications
Creating licensed applications groups
Managing license keys for licensed applications groups
Inventory of executable files
Viewing information about executable files
Monitoring and reporting
Scenario: Monitoring and reporting
Monitoring traffic lights and logged events in Administration Console
Working with reports, statistics, and notifications
Working with reports
Creating a report template
Viewing and editing report template properties
Extended filter format in report templates
Converting the filter into the extended format
Configuring the extended filter
Creating and viewing a report
Saving a report
Creating a report delivery task
Step 1. Selecting the task type
Step 2. Selecting the report type
Step 3. Actions on a report
Step 4. Selecting the account to start the task
Step 5. Configuring a task schedule
Step 6. Defining the task name
Step 7. Completing creation of the task
Managing statistics
Configuring event notification
Creating a certificate for an SMTP server
Event selections
Viewing an event selection
Customizing an event selection
Creating an event selection
Exporting an event selection to a text file
Deleting events from a selection
Adding applications to exclusions by user requests

Device selections
Viewing a device selection
Configuring a device selection
Exporting the settings of a device selection to a file
Creating a device selection
Creating a device selection according to imported settings
Removing devices from administration groups in a selection
Monitoring of applications installation and uninstallation
Event types
Data structure of event type description
Administration Server events
Administration Server critical events
Administration Server functional failure events
Administration Server warning events
Administration Server informational events
Network Agent events
Network Agent functional failure events
Network Agent warning events
Network Agent informational events
iOS MDM Server events
iOS MDM Server functional failure events
iOS MDM Server warning events
iOS MDM Server informational events
Exchange Mobile Device Server events
Exchange Mobile Device Server functional failure events
Exchange Mobile Device Server informational events
Blocking frequent events
About blocking frequent events
Managing frequent events blocking
Removing blocking of frequent events
Exporting a list of frequent events to a file
Controlling changes in the status of virtual machines
Monitoring the anti-virus protection status using information from the system registry
Viewing and configuring the actions when devices show inactivity
Disabling Kaspersky announcements
Adjustment of distribution points and connection gateways
Standard configuration of distribution points: Single office
Standard configuration of distribution points: Multiple small remote offices
Assigning a managed device to act as a distribution point
Connecting a Linux device as a gateway in the demilitarized zone
Connecting a Linux device to the Administration Server via a connection gateway
Adding a connection gateway in the DMZ as a distribution point
Assigning distribution points automatically
About local installation of Network Agent on a device selected as distribution point
About using a distribution point as connection gateway
Adding IP ranges to the scanned ranges list of a distribution point
Using a distribution point as a push server
Other routine work

Managing Administration Servers
Creating a hierarchy of Administration Servers: adding a secondary Administration Server
Connecting to an Administration Server and switching between Administration Servers
Access rights to Administration Server and its objects
Conditions of connection to an Administration Server over the internet
Encrypted connection to an Administration Server
Authenticating Administration Server when a device is connected
Administration Server authentication during Administration Console connection
Configuring an allowlist of IP addresses to connect to Administration Server
Using the klscflag utility to close port 13291
Disconnecting from an Administration Server
Adding an Administration Server to the console tree
Removing an Administration Server from the console tree
Adding a virtual Administration Server to the console tree
Changing an Administration Server service account. Utility tool klsrvswch
Changing DBMS credentials
Resolving issues with Administration Server nodes
Viewing and modifying the settings of an Administration Server
Adjusting the general settings of Administration Server
Administration Console interface settings
Event processing and storage on the Administration Server
Viewing log of connections to the Administration Server
Control of virus outbreaks
Limiting traffic
Configuring Web Server
Working with internal users
Backup and restoration of Administration Server settings
Using a file system snapshot to reduce the backup duration
A device with Administration Server is inoperable
The settings of Administration Server or the database are corrupted
Backup copying and restoration of Administration Server data
Creating a data backup task
Data backup and recovery utility (klbackup)
Data backup and recovery in interactive mode
Data backup and recovery in silent mode
Moving Administration Server and a database server to another device
Avoiding conflicts between multiple Administration Servers
Two-step verification
About two-step verification
Scenario: configuring two-step verification for all users
Enabling two-step verification for your own account
Enabling two-step verification for all users
Disabling two-step verification for a user account
Disabling two-step verification for all users
Excluding accounts from two-step verification
Editing the name of a security code issuer
Changing the Administration Server shared folder
Managing administration groups

Creating administration groups
Moving administration groups
Deleting administration groups
Automatic creation of a structure of administration groups
Automatic installation of applications on devices in an administration group
Managing client devices
Connecting client devices to the Administration Server
Manually connecting a client device to the Administration Server. Klmover utility
Tunneling the connection between a client device and the Administration Server
Remotely connecting to the desktop of a client device
Connecting to Windows client devices
Connecting to macOS client devices
Connecting to devices through Windows Desktop Sharing
Con guring the restart of a client device
Auditing actions on a remote client device
Checking the connection between a client device and the Administration Server
Automatically checking the connection between a client device and the Administration Server
Manually checking the connection between a client device and the Administration Server. Klnagchk utility
About checking the time of connection between a device and the Administration Server
Identifying client devices on the Administration Server
Moving devices to an administration group
Changing the Administration Server for client devices
Clusters and server arrays
Turning on, turning off, and restarting client devices remotely
About the usage of the continuous connection between a managed device and the Administration Server
About forced synchronization
About connection schedule
Sending messages to device users
Managing Kaspersky Security for Virtualization
Configuring the switching of device statuses
Tagging devices and viewing assigned tags
Automatic device tagging
Viewing and configuring tags assigned to a device
Remote diagnostics of client devices. Kaspersky Security Center remote diagnostics utility
Connecting the remote diagnostics utility to a client device
Enabling and disabling tracing, downloading the trace file
Downloading application settings
Downloading event logs
Downloading multiple diagnostic information items
Starting diagnostics and downloading the results
Starting, stopping, and restarting applications
UEFI protection devices
Settings of a managed device
General policy settings
Network Agent policy settings
Managing user accounts
Working with user accounts
Adding an account of an internal user

Editing an account of an internal user
Changing the number of allowed password entry attempts
Configuring the check of the name of an internal user for uniqueness
Adding a security group
Adding a user to a group
Configuring access rights to application features. Role-based access control
Access rights to application features
Prede ned user roles
Adding a user role
Assigning a role to a user or a user group
Assigning permissions to users and groups
Propagating user roles to secondary Administration Servers
Assigning the user as a device owner
Delivering messages to users
Viewing the list of user mobile devices
Installing a certificate for a user
Viewing the list of certificates issued to a user
About the administrator of a virtual Administration Server
Remote installation of operating systems and applications
Creating images of operating systems
Installing images of operating systems
Configuring the KSN proxy server address
Adding drivers for Windows Preinstallation Environment (WinPE)
Adding drivers to an installation package with an operating system image
Configuring sysprep.exe utility
Deploying operating systems on new networked devices
Deploying operating systems on client devices
Creating installation packages of applications
Issuing a certificate for installation packages of applications
Installing applications on client devices
Managing object revisions
About object revisions
Viewing the Revision history section
Comparing object revisions
Setting storage term for object revisions and for deleted object information
Viewing an object revision
Saving an object revision to a file
Rolling back changes
Adding a revision description
Deletion of objects
Deleting an object
Viewing information about deleted objects
Deleting objects permanently from the list of deleted objects
Mobile Device Management
Scenario: Mobile Device Management deployment
About group policy for managing EAS and iOS MDM devices
Enabling Mobile Device Management
Modifying the Mobile Device Management settings
Disabling Mobile Device Management
Working with commands for mobile devices
Commands for mobile device management
Using Google Firebase Cloud Messaging
Sending commands
Viewing the statuses of commands in the command log
Working with certificates of mobile devices
Starting the Certificate Installation Wizard
Step 1. Selecting certificate type
Step 2. Selecting device type
Step 3. Selecting a user
Step 4. Selecting certificate source
Step 5. Assigning a tag to the certificate
Step 6. Specifying certificate publishing settings
Step 7. Selecting user notification method
Step 8. Generating the certificate
Configuring certificate issuance rules
Integration with public key infrastructure
Enabling support of Kerberos Constrained Delegation
Adding iOS mobile devices to the list of managed devices
Adding Android mobile devices to the list of managed devices
Managing Exchange ActiveSync mobile devices
Adding a management profile
Removing a management profile
Handling Exchange ActiveSync policies
Configuring the scan scope
Working with EAS devices
Viewing information about an EAS device
Disconnecting an EAS device from management
User's rights to manage Exchange ActiveSync mobile devices
Managing iOS MDM devices
Signing an iOS MDM profile by a certificate
Adding a configuration profile
Installing a configuration profile on a device
Removing the configuration profile from a device
Adding a new device by publishing a link to a profile
Adding a new device through profile installation by the administrator
Adding a provisioning profile
Installing a provisioning profile to a device
Removing a provisioning profile from a device
Adding a managed application
Installing an app on a mobile device
Removing an app from a device
Configuring roaming on an iOS MDM mobile device
Viewing information about an iOS MDM device
Disconnecting an iOS MDM device from management
Sending commands to a device
Checking the execution status of commands sent
Managing KES devices
Creating a mobile applications package for KES devices
Enabling certificate-based authentication of KES devices
Viewing information about a KES device
Disconnecting a KES device from management
Data encryption and protection
Viewing the list of encrypted devices
Viewing the list of encryption events
Exporting the list of encryption events to a text file
Creating and viewing encryption reports
Transmitting encryption keys between Administration Servers
Data repositories
Exporting a list of repository objects to a text file
Installation packages
Main statuses of files in the repository
Triggering of rules in Smart Training mode
Viewing the list of detections performed using Adaptive Anomaly Control rules
Adding exclusions from the Adaptive Anomaly Control rules
Step 1. Selecting the application
Step 2. Selecting the policy (policies)
Step 3. Processing of the policy (policies)
Quarantine and Backup
Enabling remote management for files in the repositories
Viewing properties of a file placed in repository
Deleting files from repositories
Restoring files from repositories
Saving a file from repositories to disk
Scanning files in Quarantine
Active threats
Disinfecting an unprocessed file
Saving an unprocessed file to disk
Deleting files from the "Active threats" folder
Kaspersky Security Network (KSN)
About KSN
Setting up access to Kaspersky Security Network
Enabling and disabling KSN
Viewing the accepted KSN Statement
Viewing the KSN proxy server statistics
Accepting an updated KSN Statement
Enhanced protection with Kaspersky Security Network
Checking whether the distribution point works as KSN proxy server
Switching between Online Help and Offline Help
Export of events to SIEM systems
Scenario: configuring event export to SIEM systems
Before you begin
About events in Kaspersky Security Center
About event export
About configuring event export in a SIEM system
Marking of events for export to SIEM systems in Syslog format
About marking events for export to SIEM system in the Syslog format
Marking events of a Kaspersky application for export in Syslog format
Marking general events for export in Syslog format
About exporting events using Syslog format
About exporting events using CEF and LEEF formats
Configuring Kaspersky Security Center for export of events to a SIEM system
Exporting events directly from the database
Creating an SQL query using the klsql2 utility
Example of an SQL query in the klsql2 utility
Viewing the Kaspersky Security Center database name
Viewing export results
Using SNMP for sending statistics to third-party applications
SNMP agent and object identifiers
Getting a string counter name from an object identifier
Values of object identifiers for SNMP
Troubleshooting
Working in a cloud environment
About work in a cloud environment
Scenario: Deployment for cloud environment
Prerequisites for deploying Kaspersky Security Center in a cloud environment
Hardware requirements for the Administration Server in a cloud environment
Licensing options in a cloud environment
Database options for work in a cloud environment
Working in Amazon Web Services cloud environment
About work in Amazon Web Services cloud environment
Creating IAM roles and IAM user accounts for Amazon EC2 instances
Ensuring that the Kaspersky Security Center Administration Server has the permissions to work with AWS
Creating an IAM role for the Administration Server
Creating an IAM user account for work with Kaspersky Security Center
Creating an IAM role for installation of applications on Amazon EC2 instances
Working with Amazon RDS
Creating an Amazon RDS instance
Creating option group for Amazon RDS instance
Modifying the option group
Modifying permissions for IAM role for Amazon RDS database instance
Preparing Amazon S3 bucket for database
Migrating the database to Amazon RDS
Working in Microsoft Azure cloud environment
About work in Microsoft Azure
Creating a subscription, Application ID, and password
Assigning a role to the Azure Application ID
Deploying Administration Server in Microsoft Azure and selecting database
Working with Azure SQL
Creating Azure storage account
Creating Azure SQL database and SQL Server
Migrating the database to Azure SQL
Working in Google Cloud
Creating client email, project ID, and private key
Working with Google Cloud SQL for MySQL instance
Prerequisites for client devices in a cloud environment necessary for work with Kaspersky Security Center
Creating installation packages required for Cloud Environment Configuration Wizard
Cloud Environment Configuration Wizard
About the Cloud Environment Configuration Wizard
Step 1. Selecting the application activation method
Step 2. Selecting the cloud environment
Step 3. Authorization in the cloud environment
Step 4. Configuring synchronization with Cloud and choosing further actions
Step 5. Configuring Kaspersky Security Network in the cloud environment
Step 6. Configuring email notifications in the cloud environment
Step 7. Creating an initial configuration of the protection of the cloud environment
Step 8. Selecting the action when the operating system must be restarted during installation (for the cloud environment)
Step 9. Receiving updates by the Administration Server
Checking configuration
Cloud device group
Network segment polling
Adding connections for cloud segment polling
Deleting connections for cloud segment polling
Configuring the polling schedule
Installing applications on devices in a cloud environment
Viewing the properties of cloud devices
Synchronization with cloud
Using deployment scripts for deploying security applications
Deployment of Kaspersky Security Center in Yandex.Cloud
Appendices
Advanced features
Kaspersky Security Center operation automation. klakaut utility
Custom tools
Network Agent disk cloning mode
Preparing a reference device with Network Agent installed for creating an image of operating system
Configuring receipt of messages from File Integrity Monitor
Administration Server maintenance
User notification method window
General section
Device selection window
Define the name of the new object window
Application categories section
Features of using the management interface
Console tree
How to update data in the workspace
How to navigate the console tree
How to open the object properties window in the workspace
How to select a group of objects in the workspace
How to change the set of columns in the workspace
Reference information
Context menu commands
List of managed devices. Description of columns
Statuses of devices, tasks, and policies
File status icons in Administration Console
Searching and exporting data
Finding devices
Device search settings
Using masks in string variables
Using regular expressions in the search field
Exporting lists from dialog boxes
Settings of tasks
General task settings
Download updates to the Administration Server repository task settings
Download updates to the repositories of distribution points task settings
Find vulnerabilities and required updates task settings
Install required updates and fix vulnerabilities task settings
Global list of subnets
Adding subnets to the global list of subnets
Viewing and modifying subnet properties in the global list of subnets
Usage of Network Agent for Windows, for macOS and for Linux: comparison
Kaspersky Security Center Web Console
About Kaspersky Security Center Web Console
Hardware and software requirements for Kaspersky Security Center Web Console
Deployment diagram of Kaspersky Security Center Administration Server and Kaspersky Security Center Web Console
Ports used by Kaspersky Security Center Web Console
Scenario: Installation and initial setup of Kaspersky Security Center Web Console
Installation
Installing a database management system
Configuring the MariaDB x64 server for working with Kaspersky Security Center 14
Configuring the MySQL x64 server for working with Kaspersky Security Center 14
Installing Kaspersky Security Center Web Console
Installation of Kaspersky Security Center Web Console on Linux platforms
Installing Kaspersky Security Center Web Console on Linux platforms
Kaspersky Security Center Web Console installation parameters
Installing Kaspersky Security Center Web Console connected to Administration Server installed on failover cluster nodes
Upgrading Kaspersky Security Center Web Console
Certificates for work with Kaspersky Security Center Web Console
Reissuing the certificate for Kaspersky Security Center Web Console
Replacing certificate for Kaspersky Security Center Web Console
Specifying certificates for trusted Administration Servers in Kaspersky Security Center Web Console
Converting a PFX certificate to the PEM format
About migration to Kaspersky Security Center Cloud Console
Signing in to Kaspersky Security Center Web Console and signing out
Identity and Access Manager in Kaspersky Security Center Web Console
About Identity and Access Manager
Enabling Identity and Access Manager: scenario
Configuring Identity and Access Manager in Kaspersky Security Center Web Console
Registering Kaspersky Industrial CyberSecurity for Networks application in Kaspersky Security Center Web Console
Lifetime of tokens and authorization timeout for Identity and Access Manager
Downloading and distributing the IAM certificates
Disabling Identity and Access Manager
Configuring domain authentication by using the NTLM and Kerberos protocols
Initial setup of Kaspersky Security Center Web Console
Quick Start Wizard (Kaspersky Security Center Web Console)
Step 1. Specifying the internet connection settings
Step 2. Downloading required updates
Step 3. Selecting the assets to secure
Step 4. Selecting encryption in solutions
Step 5. Configuring installation of plug-ins for managed applications
Step 6. Downloading distribution packages and creating installation packages
Step 7. Configuring Kaspersky Security Network
Step 8. Selecting the application activation method
Step 9. Specifying the third-party update management settings
Step 10. Creating a basic network protection configuration
Step 11. Configuring email notifications
Step 12. Performing a network poll
Step 13. Closing the Quick Start Wizard
Connecting out-of-office devices
Scenario: Connecting out-of-office devices through a connection gateway
Scenario: Connecting out-of-office devices through a secondary Administration Server in DMZ
About connecting out-of-office devices
Connecting external desktop computers to Administration Server
About connection profiles for out-of-office users
Creating a connection profile for out-of-office users
About switching Network Agent to other Administration Servers
Creating a Network Agent switching rule by network location
Protection Deployment Wizard
Starting Protection Deployment Wizard
Step 1. Selecting the installation package
Step 2. Selecting a method for distribution of key file or activation code
Step 3. Selecting Network Agent version
Step 4. Selecting devices
Step 5. Specifying the remote installation task settings
Step 6. Restart management
Step 7. Removing incompatible applications before installation
Step 8. Moving devices to Managed devices
Step 9. Selecting accounts to access devices
Step 10. Starting installation
Configuring Administration Server
Configuring the connection of Kaspersky Security Center Web Console to Administration Server
Viewing log of connections to the Administration Server
Setting the maximum number of events in the event repository
Connection settings of UEFI protection devices
Creating a hierarchy of Administration Servers: adding a secondary Administration Server
Viewing the list of secondary Administration Servers
Deleting a hierarchy of Administration Servers
Administration Server maintenance
Configuring the interface
Managing virtual Administration Servers
Creating a virtual Administration Server
Enabling and disabling a virtual Administration Server
Deleting a virtual Administration Server
Changing the Administration Server for client devices
Enabling account protection from unauthorized modification
Two-step verification
About two-step verification
Scenario: Configuring two-step verification for all users
Enabling two-step verification for your own account
Enabling two-step verification for all users
Disabling two-step verification for a user account
Disabling two-step verification for all users
Excluding accounts from two-step verification
Generating a new secret key
Editing the name of a security code issuer
Backup copying and restoration of Administration Server data
Creating a data backup task
Moving Administration Server to another device
Kaspersky applications deployment through Kaspersky Security Center Web Console
Scenario: Kaspersky applications deployment through Kaspersky Security Center Web Console
Getting plug-ins for Kaspersky applications
Updating plug-ins for Kaspersky applications
Downloading and creating installation packages for Kaspersky applications
Changing the limit on the size of custom installation package data
Downloading distribution packages for Kaspersky applications
Checking that Kaspersky Endpoint Security is deployed successfully
Creating stand-alone installation packages
Viewing the list of stand-alone installation packages
Creating custom installation packages
Distributing installation packages to secondary Administration Servers
Installing applications using a remote installation task
Installing an application on specific devices
Installing an application through Active Directory group policies
Installing applications on secondary Administration Servers
Specifying settings for remote installation on Unix devices
Mobile Device Management
Replacing third-party security applications
Discovering networked devices
Scenario: Discovering networked devices
Device discovery
Windows network polling
Active Directory polling
IP range polling
Adding and modifying an IP range
Zeroconf polling
Configuring retention rules for unassigned devices
Kaspersky applications: licensing and activation
Licensing of managed applications
Adding a license key to the Administration Server repository
Deploying a license key to client devices
Automatic distribution of a license key
Viewing information about license keys in use
Deleting a license key from the repository
Revoking consent with an End User License Agreement
Renewing licenses for Kaspersky applications
Using Kaspersky Marketplace to choose Kaspersky business solutions
Configuring network protection
Scenario: Configuring network protection
About device-centric and user-centric security management approaches
Policy setup and propagation: Device-centric approach
Policy setup and propagation: User-centric approach
Network Agent policy settings
Manual setup of Kaspersky Endpoint Security policy
Configuring Kaspersky Security Network
Checking the list of the networks protected by Firewall
Excluding software details from the Administration Server memory
Saving important policy events in the Administration Server database
Manual setup of the group update task for Kaspersky Endpoint Security
Granting offline access to the external device blocked by Device Control
Removing applications or software updates remotely
Rolling back an object to a previous revision
Tasks
About tasks
About task scope
Creating a task
Starting a task manually
Viewing the task list
General task settings
Starting the Change Tasks Password Wizard
Step 1. Specifying credentials
Step 2. Selecting an action to take
Step 3. Viewing the results
Managing client devices
Settings of a managed device
Creating administration groups
Adding devices to an administration group manually
Moving devices to an administration group manually
Creating device moving rules
Copying device moving rules
Conditions for a device moving rule
Viewing and configuring the actions when devices show inactivity
About device statuses
Configuring the switching of device statuses
Remotely connecting to the desktop of a client device
Connecting to devices through Windows Desktop Sharing
Device selections
Viewing the device list from a device selection
Creating a device selection
Configuring a device selection
Exporting the device list from a device selection
Removing devices from administration groups in a selection
Device tags
About device tags
Creating a device tag
Renaming a device tag
Deleting a device tag
Viewing devices to which a tag is assigned
Viewing tags assigned to a device
Tagging a device manually
Removing an assigned tag from a device
Viewing rules for tagging devices automatically
Editing a rule for tagging devices automatically
Creating a rule for tagging devices automatically
Running rules for auto-tagging devices
Deleting a rule for tagging devices automatically
Managing device tags by using the klscflag utility
Assigning a device tag
Removing a device tag
Policies and policy profiles
About policies and policy profiles
About lock and locked settings
Inheritance of policies and policy profiles
Hierarchy of policies
Policy profiles in a hierarchy of policies
How settings are implemented on a managed device
Managing policies
Viewing the list of policies
Creating a policy
Modifying a policy
General policy settings
Enabling and disabling a policy inheritance option
Copying a policy
Moving a policy
Viewing the policy distribution status chart
Activating a policy automatically at the Virus outbreak event
Deleting a policy
Managing policy profiles
Viewing the profiles of a policy
Changing a policy profile priority
Creating a policy profile
Modifying a policy profile
Copying a policy profile
Creating a policy profile activation rule
Deleting a policy profile
Data encryption and protection
Viewing the list of encrypted drives
Viewing the list of encryption events
Creating and viewing encryption reports
Granting access to an encrypted drive in offline mode
Users and user roles
About user roles
Configuring access rights to application features. Role-based access control
Access rights to application features
Predefined user roles
Adding an account of an internal user
Creating a user group
Editing an account of an internal user
Editing a user group
Adding user accounts to an internal group
Assigning a user as a device owner
Deleting a user or a security group
Creating a user role
Editing a user role
Editing the scope of a user role
Deleting a user role
Associating policy profiles with roles
Managing objects in Kaspersky Security Center Web Console
Adding a revision description
Deleting an object
Kaspersky Security Network (KSN)
About KSN
Setting up access to KSN
Enabling and disabling KSN
Viewing the accepted KSN Statement
Accepting an updated KSN Statement
Checking whether the distribution point works as KSN proxy server
Scenario: Upgrading Kaspersky Security Center and managed security applications
Updating Kaspersky databases and applications
Scenario: Regular updating Kaspersky databases and applications
About updating Kaspersky databases, software modules, and applications
Creating the Download updates to the Administration Server repository task
Viewing downloaded updates
Verifying downloaded updates
Creating the task for downloading updates to the repositories of distribution points
Enabling and disabling automatic updating and patching for Kaspersky Security Center components
Automatic installation of updates for Kaspersky Endpoint Security for Windows
Approving and declining software updates
Updating Administration Server
Enabling and disabling the offline model of update download
Updating Kaspersky databases and software modules on offline devices
Backing up and restoring web plug-ins
Adjustment of distribution points and connection gateways
Standard configuration of distribution points: Single office
Standard configuration of distribution points: Multiple small remote offices
About assigning distribution points
Assigning distribution points automatically
Assigning distribution points manually
Modifying the list of distribution points for an administration group
Forced synchronization
Enabling a push server
Managing third-party applications on client devices
About third-party applications
Installing third-party software updates
Scenario: Updating third-party software
About third-party software updates
Installing third-party software updates
Creating the Find vulnerabilities and required updates task
Find vulnerabilities and required updates task settings
Creating the Install required updates and fix vulnerabilities task
Adding rules for update installation
Creating the Install Windows Update updates task
Viewing information about available third-party software updates
Exporting the list of available software updates to a le
Approving and declining third-party software updates
Creating the Perform Windows Update synchronization task
Updating third-party applications automatically
Fixing third-party software vulnerabilities
Scenario: Finding and fixing third-party software vulnerabilities
About finding and fixing software vulnerabilities
Fixing third-party software vulnerabilities
Creating the Fix vulnerabilities task
Creating the Install required updates and fix vulnerabilities task
Adding rules for update installation
Selecting user fixes for vulnerabilities in third-party software
Viewing information about software vulnerabilities detected on all managed devices
Viewing information about software vulnerabilities detected on the selected managed device
Viewing statistics of vulnerabilities on managed devices
Exporting the list of software vulnerabilities to a file
Ignoring software vulnerabilities
Managing applications run on client devices
Scenario: Application Management
About Application Control
Obtaining and viewing a list of applications installed on client devices
Obtaining and viewing a list of executable files stored on client devices
Creating application category with content added manually
Creating application category that includes executable files from selected devices
Creating application category that includes executable files from selected folder
Viewing the list of application categories
Configuring Application Control in the Kaspersky Endpoint Security for Windows policy
Adding event-related executable files to the application category
Creating an installation package of a third-party application from the Kaspersky database
Viewing and modifying the settings of an installation package of a third-party application from the Kaspersky database
Settings of an installation package of a third-party application from the Kaspersky database
Application tags
About application tags
Creating an application tag
Renaming an application tag
Assigning tags to an application
Removing assigned tags from an application
Deleting an application tag
Monitoring and reporting
Scenario: Monitoring and reporting
About types of monitoring and reporting
Dashboard and widgets
Using the dashboard
Adding widgets to the dashboard
Hiding a widget from the dashboard
Moving a widget on the dashboard
Changing the widget size or appearance
Changing widget settings
About the Dashboard-only mode
Configuring the Dashboard-only mode
Reports
Using reports
Creating a report template
Viewing and editing report template properties
Exporting a report to a file
Generating and viewing a report
Creating a report delivery task
Deleting report templates
Events and event selections
Using event selections
Creating an event selection
Editing an event selection
Viewing a list of an event selection
Viewing details of an event
Exporting events to a file
Viewing an object history from an event
Deleting events
Deleting event selections
Setting the storage term for an event
Event types
Data structure of event type description
Administration Server events
Administration Server critical events
Administration Server functional failure events
Administration Server warning events
Administration Server informational events
Network Agent events
Network Agent functional failure events
Network Agent warning events
Network Agent informational events
iOS MDM Server events
iOS MDM Server functional failure events
iOS MDM Server warning events
iOS MDM Server informational events
Exchange Mobile Device Server events
Exchange Mobile Device Server functional failure events
Exchange Mobile Device Server informational events
Blocking frequent events
About blocking frequent events
Managing frequent events blocking
Removing blocking of frequent events
Receiving events from Kaspersky Security for Microsoft Exchange Servers
Noti cations and device statuses
Using noti cations
Viewing onscreen noti cations
About device statuses
Configuring the switching of device statuses
Configuring notification delivery
Event notifications displayed by running an executable file
Kaspersky announcements
About Kaspersky announcements
Specifying Kaspersky announcements settings
Disabling Kaspersky announcements
Viewing information about the detects of threats
Downloading and deleting files from Quarantine and Backup
Downloading files from Quarantine and Backup
About removing objects from the Quarantine, Backup, or Active threats repositories
Kaspersky Security Center Web Console activity logging
Integration between Kaspersky Security Center and other solutions
Configuring access to KATA/KEDR Web Console
Establishing a background connection
Exporting events to SIEM systems
Scenario: configuring event export to SIEM systems
Before you begin
About events in Kaspersky Security Center
About event export
About configuring event export in a SIEM system
Marking of events for export to SIEM systems in Syslog format
About marking events for export to SIEM system in the Syslog format
Marking events of a Kaspersky application for export in the Syslog format
Marking general events for export in Syslog format
About exporting events using CEF and LEEF formats
About exporting events using Syslog format
Configuring Kaspersky Security Center for export of events to a SIEM system
Exporting events directly from the database
Creating an SQL query using the klsql2 utility
Example of an SQL query in the klsql2 utility
Viewing the Kaspersky Security Center database name
Viewing export results
Working with Kaspersky Security Center Web Console in a cloud environment
Cloud Environment Configuration Wizard in Kaspersky Security Center Web Console
Step 1. Licensing the application
Step 2. Selecting the cloud environment and authorization
Step 3. Segment polling, configuring synchronization with Cloud and choosing further actions
Step 4. Configuring Kaspersky Security Network for Kaspersky Security Center
Step 5. Creating an initial configuration of protection
Network segment polling via Kaspersky Security Center Web Console
Adding connections for cloud segment polling
Deleting a connection for cloud segment polling
Configuring the polling schedule via Kaspersky Security Center Web Console
Viewing the results of cloud segment polling via Kaspersky Security Center Web Console
Viewing the properties of cloud devices via Kaspersky Security Center Web Console
Synchronization with Cloud: configuring the moving rule
Creating Backup of the Administration Server data task by using a cloud DBMS
Remote diagnostics of client devices
Opening the remote diagnostics window
Enabling and disabling tracing for applications
Downloading trace files of an application
Deleting trace files
Downloading application settings
Downloading event logs
Starting, stopping, restarting the application
Running the remote diagnostics of an application and downloading the results
Running an application on a client device
Generating a dump file for an application
Changing the language of the Kaspersky Security Center Web Console interface
API Reference Guide
Best Practices for Service Providers
Planning Kaspersky Security Center deployment
Providing internet access to Administration Server
Kaspersky Security Center standard con guration
About distribution points
Hierarchy of Administration Servers
Virtual Administration Servers
Managing mobile devices with Kaspersky Endpoint Security for Android
Deployment and initial setup
Recommendations on Administration Server installation
Creating accounts for the Administration Server services on a failover cluster
Selecting a DBMS
Specifying the address of the Administration Server
Configuring protection on a client organization's network
Manual setup of Kaspersky Endpoint Security policy
Configuring the policy in the Advanced Threat Protection section
Configuring the policy in the Essential Threat Protection section
Configuring the policy in the General Settings section
Configuring the policy in the Event configuration section
Manual setup of the group update task for Kaspersky Endpoint Security
Manual setup of the group task for scanning a device with Kaspersky Endpoint Security
Scheduling the Find vulnerabilities and required updates task
Manual setup of the group task for updates installation and vulnerabilities x
Building a structure of administration groups and assigning distribution points
Standard MSP client con guration: Single o ice
Standard MSP client con guration: Multiple small remote o ices
Hierarchy of policies, using policy pro les
Hierarchy of policies
Policy pro les
Tasks
Device moving rules
Software categorization
About multi-tenant applications
Backup and restoration of Administration Server settings
A device with Administration Server is inoperable
The settings of Administration Server or the database are corrupted
Deploying Network Agent and the security application
Initial deployment
Con guring installers
Installation packages
MSI properties and transform les
Deployment with third-party tools for remote installation of applications
General information about the remote installation tasks in Kaspersky Security Center
Deployment using group policies of Microsoft Windows
Forced deployment through the remote installation task of Kaspersky Security Center
Running stand-alone packages created by Kaspersky Security Center
Options for manual installation of applications
Remote installation of applications on devices with Network Agent installed
Managing device restarts in the remote installation task
Suitability of databases updating in an installation package of an anti-virus application
Removing incompatible third-party security applications
Using tools for remote installation of applications in Kaspersky Security Center for running relevant executable les on
managed devices
Monitoring the deployment
Con guring installers
General information
Installation in silent mode (with a response le)
Installation of Network Agent in silent mode (without a response le)
Partial installation con guration through setup.exe
Administration Server installation parameters
Network Agent installation parameters
Virtual infrastructure
Tips on reducing the load on virtual machines
Support of dynamic virtual machines
Support of virtual machines copying
Support of file system rollback for devices with Network Agent
About connection profiles for out-of-office users
Deploying the Mobile Device Management feature
Connecting KES devices to the Administration Server
Direct connection of devices to the Administration Server
Scheme for connecting KES devices to the Server involving Kerberos constrained delegation (KCD)
Using Google Firebase Cloud Messaging
Integration with Public Key Infrastructure
Kaspersky Security Center Web Server
Other routine work
Monitoring traffic lights and logged events in Administration Console
Remote access to managed devices
Using the "Do not disconnect from the Administration Server" option to provide continuous connectivity between a managed device and the Administration Server
About checking the time of connection between a device and the Administration Server
About forced synchronization
About tunneling
Sizing Guide
About this Guide
Information about limitations of Kaspersky Security Center
Calculations for Administration Servers
Calculation of hardware resources for the Administration Server
Hardware requirements for the DBMS and the Administration Server
Calculation of database space
Calculation of disk space (with and without the use of the Vulnerability and patch management feature)
Calculation of the number and configuration of Administration Servers
Recommendations for connecting dynamic virtual machines to Kaspersky Security Center
Calculations for distribution points and connection gateways
Requirements for a distribution point
Calculating the number and configuration of distribution points
Calculation of the number of connection gateways
Logging of information about events for tasks and policies
Specific considerations and optimal settings of certain tasks
Device discovery frequency
Administration Server data backup task and database maintenance task
Group tasks for updating Kaspersky Endpoint Security
Software inventory task
Details of network load spread among Administration Server and protected devices
Traffic consumption under various scenarios
Average traffic usage per 24 hours
Contact Technical Support
How to get technical support
Technical support via Kaspersky CompanyAccount
Sources of information about the application
Glossary
Active key
Additional subscription key
Administration Console
Administration group
Administration Server
Administration Server certificate
Administration Server client (Client device)
Administration Server data backup
Administrator rights
Administrator's workstation
Amazon EC2 instance
Amazon Machine Image (AMI)
Anti-virus databases
Anti-virus protection service provider
Application Shop
Authentication Agent
Available update
AWS Application Program Interface (AWS API)
AWS IAM access key
AWS Management Console
Backup folder
Broadcast domain
Centralized application management
Client administrator
Cloud environment
Configuration profile
Connection gateway
Demilitarized zone (DMZ)
Device owner
Direct application management
Distribution point
EAS device
Event repository
Event severity
Exchange Mobile Device Server
Forced installation
Group task
Home Administration Server
HTTPS
IAM role
IAM user
Identity and Access Management (IAM)
Incompatible application
Installation package
Internal users
iOS MDM device
iOS MDM profile
iOS MDM Server
JavaScript
Kaspersky Private Security Network (KPSN)
Kaspersky Security Center Administrator
Kaspersky Security Center Operator
Kaspersky Security Center System Health Validator (SHV)
Kaspersky Security Center Web Server
Kaspersky Security Network (KSN)
Kaspersky update servers
KES device
Key file
License term
Licensed applications group
Local installation
Local task
Managed devices
Management plug-in
Manual installation
MITM attack
Mobile Device Server
Network Agent
Network anti-virus protection
Network protection status
Patch importance level
Policy
Profile
Program settings
Protection status
Provisioning profile
Remote installation
Restoration
Restoration of Administration Server data
Role group
Service provider's administrator
Shared certi cate
SSL
Task
Task for specific devices
Task settings
UEFI protection device
Update
Virtual Administration Server
Virus activity threshold
Virus outbreak
Vulnerability
Windows Server Update Services (WSUS)
Information about third-party code
Trademark notices
Known issues

Kaspersky Security Center 14 Help

What's new
Find out what's new in the latest application release.

Hardware and software requirements
Check which operating systems and application versions are supported.

Deployment and initial setup
Plan the use of resources, install the Administration Server, install Network Agent and security applications on client devices, and consolidate devices into administration groups.

Discovering networked devices
Discover existing and new devices on your organization's network.

Kaspersky applications. Centralized deployment
Deploy Kaspersky applications.

Upgrading Kaspersky Security Center from a previous version
Upgrade Kaspersky Security Center 14 from a previous version.

Kaspersky applications. Licensing and activation
Activate Kaspersky applications in a few steps.

Exporting events to SIEM systems
Configure exporting events to SIEM systems for analysis.

Working in a cloud environment
Deploy Kaspersky Security Center in cloud environments: Amazon Web Services™, Microsoft Azure™, Google™ Cloud Platform.

Kaspersky Endpoint Security for Business Quick Start Guide
Get started with Kaspersky Endpoint Security for Business: install and configure this solution. You can also examine the feature comparison of Kaspersky Security Center, to choose the most appropriate way of managing the network security.

Configuring network protection
Manage the security of the organization.

Kaspersky applications. Updating databases and software modules
Maintain the reliability of the protection system.

Monitoring and reporting
View your infrastructure, protection statuses, and statistics.

Replacing third-party security applications
Learn methods for uninstalling incompatible applications.

Adjustment of distribution points and connection gateways
Configure distribution points.

Best Practices for Service Providers (Online Help only)
Learn recommendations on how to deploy, configure, and use the application, as well as ways to resolve typical issues in the application operation.

Sizing Guide (Online Help only)
For optimal performance under varying conditions, take into account the number of networked devices, network topology, and set of Kaspersky Security Center features that you require.

Vulnerability and Patch Management
Find and fix vulnerabilities in third-party software.

Frequently Asked Questions
Find instructions on how to resolve common issues.
What's new

Kaspersky Security Center 14

Kaspersky Security Center 14 has several new features and improvements:

You can install updates and fix vulnerabilities of third-party software (excluding Microsoft software) in an
isolated network. Such networks include Administration Servers and managed devices that have no internet
access. To fix vulnerabilities in this kind of network, you need to download required updates by using an
Administration Server with internet access, and then transmit the patches to the isolated Administration
Servers.

Connection profiles for out-of-office users have been added for macOS devices. By using connection profiles,
you can configure the rules for Network Agents on macOS devices to connect to the same or different
Administration Servers, depending on the device location.

Network Agent can now be installed on devices running Microsoft Windows 10 IoT Enterprise.

In the Report on threats, you can now filter the threat list to view only those threats that were detected by
Cloud Sandbox.

Kaspersky Security Center now supports Kaspersky Industrial CyberSecurity for Linux Nodes 1.3.

Kaspersky Security Center Web Console has several new features and improvements:

You can configure the Dashboard-only mode for employees who do not manage the network but who want to
view the network protection statistics in Kaspersky Security Center (for example, a top manager). When a user
has this mode enabled, only a dashboard with a predefined set of widgets is displayed to the user. Thus, he or
she can monitor the statistics specified in the widgets, for example, the protection status of all managed
devices, the number of recently detected threats, or the list of the most frequent threats in the network.

Kaspersky Security Center Web Console now supports Kaspersky Security for iOS as a security application.

In the task properties, you can specify whether or not you want to apply the task to subgroups and secondary
Administration Servers (including virtual ones).

Kaspersky Security Center Web Console now supports Kaspersky Industrial CyberSecurity for Linux Nodes 1.3.

Kaspersky Security Center 13.2

Kaspersky Security Center 13.2 has several new features and improvements:

You can now install Administration Server, Administration Console, Kaspersky Security Center 13.2 Web
Console, and Network Agent on the following new operating systems (see the software requirements for
details):

Microsoft Windows 11

Microsoft Windows 10 21H2 (October 2021 Update)

Windows Server 2022

You can use MySQL 8.0 as the database.

You can deploy Kaspersky Security Center on a Kaspersky failover cluster to provide high availability of
Kaspersky Security Center.

Kaspersky Security Center now works with IPv6 addresses as well as IPv4 addresses. Administration Server can
poll networks that have devices with IPv6 addresses.

Kaspersky Security Center 13.2 Web Console has several new features and improvements:

You can now manage mobile devices running Android via Kaspersky Security Center 13.2 Web Console.

Kaspersky marketplace is available as a new menu section: you can search for a Kaspersky application via
Kaspersky Security Center 13.2 Web Console.

Kaspersky Security Center now supports the following Kaspersky applications:

Kaspersky Endpoint Detection and Response Optimum 2.0

Kaspersky Sandbox 2.0

Kaspersky Industrial CyberSecurity for Networks 3.1

Kaspersky Security Center 13.1

Kaspersky Security Center 13.1 has several new features and improvements:

The integration with SIEM systems has been improved. You can now export events to SIEM systems via the
encrypted channel (TLS). The feature is available for Kaspersky Security Center Web Console and MMC-based
Administration Console.

You can now receive patches for the Administration Server as a distribution package, which you can use for
future updates to later versions.

A new section, Alerts, has been added for Kaspersky Endpoint Detection and Response Optimum to Kaspersky
Security Center 13.1 Web Console. Several new widgets are also added for working with the threats detected by
Kaspersky Endpoint Detection and Response Optimum.

In Kaspersky Security Center 13.1 Web Console, you can now receive notifications about expiring licenses for
Kaspersky applications.

The response time for Kaspersky Security Center 13.1 Web Console has been decreased.

Kaspersky Security Center 13

The following features are added to Kaspersky Security Center 13 Web Console:

Implemented two-step verification. You can enable two-step verification to reduce the risk of unauthorized
access to Kaspersky Security Center 13 Web Console.

Implemented domain authentication by using the NTLM and Kerberos protocols (single sign-on). The single
sign-on feature allows a Windows user to enable secure authentication in Kaspersky Security Center 13 Web
Console without having to re-enter the password on the corporate network.

You can now con gure a plug-in to work with Kaspersky Managed Detection and Response. You can use this
integration to view incidents and manage workstations.

You can now specify settings for Kaspersky Security Center 13 Web Console in the installation wizard of
Administration Server.

Notifications are displayed about new releases of updates and patches. You can install an update immediately
or later at any time. You can now install patches for Administration Server via Kaspersky Security Center 13
Web Console.

When working with tables, you can now specify the order and the width of columns, sort data, and specify the
page size.

You can now open any report by clicking its name.

Kaspersky Security Center 13 Web Console is now available in the Korean language.

A new section, Kaspersky announcements, is available in the MONITORING & REPORTING menu. This section
keeps you informed by providing information related to your version of Kaspersky Security Center and the
managed applications installed on the managed devices. Kaspersky Security Center periodically updates the
information in this section by removing outdated announcements and adding new information. However, you
can disable Kaspersky announcements if you want.

Implemented additional authentication after changing the settings of a user account. You can enable
protecting a user account from unauthorized modification. If this option is enabled, modifying user account
settings requires authorization by a user with modification rights.

The following features are added to Kaspersky Security Center 13:

Implemented two-step verification. You can enable two-step verification to reduce the risk of unauthorized
access to the Administration Console. If this option is enabled, modifying user account settings requires
authorization of the user with the rights for modification. You can now enable or disable two-step verification
for KES devices.

You can send messages to Administration Server over the HTTP protocol. A reference guide and a Python
library for working with the OpenAPI of Administration Server are now available.

You can issue a reserve certificate for use in iOS MDM profiles, to ensure seamless switching of managed iOS
devices after the iOS MDM Server certi cate expires.

The multi-tenancy applications folder is no longer displayed in Administration Console.

Kaspersky Security Center 14
This section provides information about using Kaspersky Security Center 14.

Information provided in Online Help may differ from information provided in documents shipped with the
application; in this case, Online Help is considered up-to-date. You can proceed to Online Help by clicking links
in the application interface, or by clicking the Online Help link in documents. Online Help can be updated
without prior notice. You can switch between Online Help and Offline Help if necessary.

Basic concepts
This section explains basic concepts related to Kaspersky Security Center.

Administration Server
Kaspersky Security Center components enable remote management of Kaspersky applications installed on client
devices.

Devices with the Administration Server component installed will be referred to as Administration Servers (also
referred to as Servers). Administration Servers must be protected, including physical protection, against any
unauthorized access.

Administration Server is installed on a device as a service with the following set of attributes:

With the name "Kaspersky Security Center Administration Server"

Set to start automatically when the operating system starts

With the LocalSystem account or the user account selected during the installation of Administration Server

Administration Server performs the following functions:

Storage of the administration groups' structure

Storage of information about the configuration of client devices

Organization of repositories for application distribution packages

Remote installation of applications to client devices and removal of applications

Updating application databases and software modules of Kaspersky applications

Management of policies and tasks on client devices

Storage of information about events that have occurred on client devices

Generation of reports on the operation of Kaspersky applications

Deployment of license keys to client devices and storing information about the license keys

Forwarding notifications about the progress of tasks (such as detection of viruses on a client device)

Naming Administration Servers in the application interface

In the interface of the MMC-based Administration Console and Kaspersky Security Center Web Console,
Administration Servers can have the following names:

Name of the Administration Server device, for example: "device_name" or "Administration Server: device_name".

IP address of the Administration Server device, for example: "IP_address" or "Administration Server: IP_address".

Secondary Administration Servers and virtual Administration Servers have custom names that you specify
when you connect a virtual or a secondary Administration Server to the primary Administration Server.

If you use Kaspersky Security Center Web Console installed on a Linux device, the application displays the
names of the Administration Servers that you specified as trusted in the response file.

You can connect to Administration Server by using Administration Console or Kaspersky Security Center Web
Console.

Hierarchy of Administration Servers


Administration Servers can be arranged in a hierarchy. Each Administration Server can have several secondary
Administration Servers (referred to as secondary Servers) on different nesting levels of the hierarchy. The nesting
level for secondary Servers is unrestricted. The administration groups of the primary Administration Server will
then include the client devices of all secondary Administration Servers. Thus, isolated and independent sections of
networks can be managed by different Administration Servers which are in turn managed by the primary Server.

Virtual Administration Servers are a particular case of secondary Administration Servers.

The hierarchy of Administration Servers can be used to do the following:

Decrease the load on Administration Server (compared to a single installed Administration Server for an entire
network).

Decrease intranet traffic and simplify work with remote offices. You do not have to establish connections
between the primary Administration Server and all networked devices, which may be located, for example, in
different regions. It is sufficient to install a secondary Administration Server in each network segment, distribute
devices among administration groups of secondary Servers, and establish connections between the secondary
Servers and the primary Server over fast communication channels.

Distribute responsibilities among the anti-virus security administrators. All capabilities for centralized
management and monitoring of the anti-virus security status in corporate networks remain available.

How service providers use Kaspersky Security Center. The service provider only needs to install Kaspersky
Security Center and Kaspersky Security Center Web Console. To manage a large number of client devices of
various organizations, a service provider can add virtual Administration Servers to the hierarchy of
Administration Servers.

Each device included in the hierarchy of administration groups can be connected to one Administration Server
only. You must independently monitor the connection of devices to Administration Servers. Use the feature
for device search in administration groups of different Servers based on network attributes.

Virtual Administration Server
Virtual Administration Server (also referred to as virtual Server) is a component of Kaspersky Security Center
intended for managing anti-virus protection of the network of a client organization.

Virtual Administration Server is a particular case of a secondary Administration Server and has the following
restrictions as compared with a physical Administration Server:

Virtual Administration Server can be created only on a primary Administration Server.

Virtual Administration Server uses the primary Administration Server database in its operation. Data backup
and restoration tasks, as well as update scan and download tasks, are not supported on a virtual Administration
Server.

Virtual Server does not support creation of secondary Administration Servers (including virtual Servers).

In addition, virtual Administration Server has the following restrictions:

In the virtual Administration Server properties window, the number of sections is limited.

To install Kaspersky applications remotely on client devices managed by the virtual Administration Server, you
must make sure that Network Agent is installed on one of the client devices, in order to ensure communication
with the virtual Administration Server. Upon first connection to the virtual Administration Server, the device is
automatically assigned as a distribution point, thus functioning as a connection gateway between the client
devices and the virtual Administration Server.

A virtual Server can poll the network only through distribution points.

To restart a malfunctioning virtual Server, Kaspersky Security Center restarts the primary Administration
Server and all virtual Administration Servers.

The administrator of a virtual Administration Server has all privileges on this particular virtual Server.

Mobile Device Server


Mobile Device Server is a component of Kaspersky Security Center that provides access to mobile devices and
allows managing them through Administration Console. Mobile Device Server receives information about mobile
devices and stores their profiles.

There are two types of Mobile Device Server:

Exchange Mobile Device Server. This is installed on a device where a Microsoft Exchange server has been
installed, allowing data retrieval from the Microsoft Exchange server and data transmission to Administration
Server. This Mobile Device Server is used for managing mobile devices that support Exchange ActiveSync
protocol.

iOS MDM Server. This Mobile Device Server is used for managing mobile devices that support Apple® Push
Notification service (APNs).

Mobile Device Servers of Kaspersky Security Center allow you to manage the following objects:
An individual mobile device.

Several mobile devices.

Several mobile devices connected to a cluster of servers simultaneously. After connecting to a cluster of
servers, the mobile devices server installed in this cluster is displayed in Administration Console as a single
server.

Web Server
Kaspersky Security Center Web Server (hereinafter also referred to as Web Server) is a component of Kaspersky
Security Center that is installed together with Administration Server. Web Server is designed for transmission,
over a network, of stand-alone installation packages, iOS MDM profiles, and files from a shared folder.

When you create a stand-alone installation package, it is automatically published on Web Server. The link for
downloading the stand-alone package is displayed in the list of created stand-alone installation packages. If
necessary, you can cancel publication of the stand-alone package or you can publish it on Web Server again.

When you create an iOS MDM profile for a user's mobile device, it is also automatically published on Web Server.
The published profile is automatically deleted from Web Server as soon as it is successfully installed on the user's
mobile device.

The shared folder is used for storage of information that is available to all users whose devices are managed
through the Administration Server. If a user has no direct access to the shared folder, he or she can be given
information from that folder by means of Web Server.

To provide users with information from a shared folder by means of Web Server, the administrator must create a
subfolder named "public" in the shared folder and paste the relevant information into it.

The syntax of the information transfer link is as follows:

https://<Web Server name>:<HTTPS port>/public/<object>

where:

<Web Server name> is the name of Kaspersky Security Center Web Server.

<HTTPS port> is an HTTPS port of Web Server that has been defined by the Administrator. The HTTPS port
can be set in the Web Server section of the properties window of Administration Server. The default port
number is 8061.

<object> is the subfolder or file to which the user has access.

The administrator can send the new link to the user in any convenient way, such as by email.

By using this link, the user can download the required information to a local device.
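As an added example (not Kaspersky's code or API), the following Python helper builds links in the syntax above from a path relative to the "public" subfolder and parses incoming links, refusing anything that is not an HTTPS link into that subfolder; the server name, port values and file names it uses are constructed for the example.

```python
# Added example, not part of Kaspersky Security Center: build and check
# Web Server links of the form https://<Web Server name>:<HTTPS port>/public/<object>.
# Server names, ports and file names used with these functions are constructed.
from pathlib import PurePosixPath
from urllib.parse import quote, unquote, urlsplit

DEFAULT_HTTPS_PORT = 8061  # default Web Server HTTPS port named in the Help text


def _check_object_parts(parts) -> None:
    """Reject object paths that could resolve outside the 'public' subfolder."""
    if not parts:
        raise ValueError("object must name a subfolder or file inside 'public'")
    for part in parts:
        # '.'/'..' components and separators hidden inside a component are refused
        if part in ("", ".", "..") or "/" in part or "\\" in part:
            raise ValueError(f"unsafe path component: {part!r}")


def build_public_link(web_server_name: str, object_path: str,
                      https_port: int = DEFAULT_HTTPS_PORT) -> str:
    """Return the download link for object_path, given relative to the
    'public' subfolder of the shared folder (Windows or POSIX separators)."""
    if not web_server_name or any(c in web_server_name for c in ":/\\ "):
        raise ValueError("invalid Web Server name")
    if not 1 <= https_port <= 65535:
        raise ValueError("invalid HTTPS port")
    normalized = object_path.replace("\\", "/")
    if normalized.startswith("/"):
        raise ValueError("object must be a relative path")
    parts = PurePosixPath(normalized).parts  # collapses '//' and leading './'
    _check_object_parts(parts)
    # Percent-encode each component separately so '/' keeps its meaning
    encoded = "/".join(quote(part, safe="") for part in parts)
    return f"https://{web_server_name}:{https_port}/public/{encoded}"


def parse_public_link(link: str) -> dict:
    """Split a link into its Web Server name, HTTPS port and object, refusing
    anything that is not an HTTPS link into the 'public' subfolder."""
    url = urlsplit(link)
    if url.scheme != "https":
        raise ValueError("Web Server links must use HTTPS")
    if not url.hostname or url.port is None:  # url.port raises on a bad port
        raise ValueError("link must carry both the Web Server name and the HTTPS port")
    if url.query or url.fragment:
        raise ValueError("query strings and fragments are not part of the link syntax")
    if not url.path.startswith("/public/"):
        raise ValueError("only objects under /public/ are published by Web Server")
    parts = tuple(unquote(p) for p in url.path[len("/public/"):].split("/"))
    _check_object_parts(parts)  # re-checked after decoding, e.g. %2e%2e
    return {
        "web_server_name": url.hostname,
        "https_port": url.port,
        "object": "/".join(parts),
    }
```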

Network Agent
Interaction between Administration Server and devices is performed by the Network Agent component of
Kaspersky Security Center. Network Agent must be installed on all devices on which Kaspersky Security Center is
used to manage Kaspersky applications.

Network Agent is installed on a device as a service, with the following set of attributes:

With the name "Kaspersky Security Center 14 Network Agent"

Set to start automatically when the operating system starts

Using the LocalSystem account

A device that has Network Agent installed is called a managed device or device.

You can install Network Agent on a Windows, Linux, or Mac device. You can get the component from one of the
following sources:

Installation package in Administration Server storage (you must have Administration Server installed)

Installation package located at Kaspersky web servers

You do not have to install Network Agent on the device where you install Administration Server, because the server
version of Network Agent is automatically installed together with Administration Server.

The name of the process that Network Agent starts is klnagent.exe.

Network Agent synchronizes the managed device with the Administration Server. We recommend that you set the
synchronization interval (also referred to as the heartbeat) to 15 minutes per 10,000 managed devices.

Administration groups
An administration group (hereinafter also referred to as group) is a logical set of managed devices combined on
the basis of a specific trait for the purpose of managing the grouped devices as a single unit within Kaspersky
Security Center.

All managed devices within an administration group are configured to do the following:

Use the same application settings (which you can specify in group policies).

Use a common operating mode for all applications through the creation of group tasks with specified settings.
Examples of group tasks include creating and installing a common installation package, updating the application
databases and modules, scanning the device on demand, and enabling real-time protection.

A managed device can belong to only one administration group.

You can create hierarchies that have any degree of nesting for Administration Servers and groups. A single
hierarchy level can include secondary and virtual Administration Servers, groups, and managed devices. You can
move devices from one group to another without physically moving them. For example, if a worker's position in the
enterprise changes from that of accountant to developer, you can move this worker's computer from the
Accountants administration group to the Developers administration group. Thereafter, the computer will
automatically receive the application settings required for developers.

Managed device

A managed device is a computer running Windows, Linux, or macOS on which Network Agent is installed, or a
mobile device on which a Kaspersky security application is installed. You can manage such devices by creating
tasks and policies for applications installed on these devices. You can also receive reports from managed devices.

You can make a non-mobile managed device function as a distribution point and as a connection gateway.

A device can be managed by only one Administration Server. One Administration Server can manage up to 100,000
devices, including mobile devices.

Unassigned device
An unassigned device is a device on the network that has not been included in any administration group. You can
perform some actions on unassigned devices, for example, move them to administration groups or install
applications on them.

When a new device is discovered on your network, this device goes to the Unassigned devices administration
group. You can configure rules for devices to be moved automatically to other administration groups after the
devices are discovered.

Administrator's workstation
Administrator's workstation is a device on which Administration Console is installed or that you use to open
Kaspersky Security Center Web Console. Administrators can use these devices for centralized remote
management of Kaspersky applications installed on client devices.

After Administration Console is installed on your device, its icon appears, allowing you to start Administration
Console. Find it in the Start → Programs → Kaspersky Security Center menu.

There are no restrictions on the number of administrator's workstations. From any administrator's workstation you
can manage administration groups of several Administration Servers on the network at once. You can connect an
administrator's workstation to an Administration Server (physical or virtual) of any level of the hierarchy.

You can include an administrator's workstation in an administration group as a client device.

Within the administration groups of any Administration Server, the same device can function as an Administration
Server client, an Administration Server, or an administrator's workstation.

Management plug-in
Kaspersky applications are managed through Administration Console by using a dedicated component
named management plug-in. Each Kaspersky application that can be managed through Kaspersky Security Center
includes a management plug-in.

Using the application management plug-in, you can perform the following actions in Administration Console:

Creating and editing application policies and settings, as well as the settings of application tasks.

Obtaining information about application tasks, application events, as well as application operation statistics
received from client devices.

You can download management plug-ins from the Kaspersky Technical Support webpage.

Management web plug-in
A special component—the management web plug-in—is used for remote administration of Kaspersky software by
means of Kaspersky Security Center Web Console. Hereinafter, a management web plug-in is also referred to as a
management plug-in. A management plug-in is an interface between Kaspersky Security Center Web Console and
a specific Kaspersky application. With a management plug-in, you can configure tasks and policies for the
application.

You can download management web plug-ins from the Kaspersky Technical Support webpage.

The management plug-in provides the following:

Interface for creating and editing application tasks and settings

Interface for creating and editing policies and policy profiles for remote and centralized configuration of
Kaspersky applications and devices

Transmission of events generated by the application

Kaspersky Security Center Web Console functions for displaying operational data and events of the
application, and statistics relayed from client devices

Policies
A policy is a set of Kaspersky application settings that are applied to an administration group and its subgroups.
You can install several Kaspersky applications on the devices of an administration group. Kaspersky Security
Center provides a single policy for each Kaspersky application in an administration group. A policy has one of the
following statuses (see the table below):

The status of the policy

Status          Description

Active          The current policy that is applied to the device. Only one policy may be active for a Kaspersky
                application in each administration group. Devices apply the settings values of an active policy for
                a Kaspersky application.

Inactive        A policy that is not currently applied to a device.

Out-of-office   If this option is selected, the policy becomes active when the device leaves the corporate
                network.

Policies function according to the following rules:

Multiple policies with different values can be configured for a single application.

Only one policy can be active for the current application.

You can activate an inactive policy when a specific event occurs. For example, you can enforce stricter anti-
virus protection settings during virus outbreaks.

A policy can have child policies.

Generally, you can use policies as preparations for emergency situations, such as a virus attack. For example, if
there is an attack via flash drives, you can activate a policy that blocks access to flash drives. In this case, the
current active policy automatically becomes inactive.

To avoid maintaining multiple policies, for example, when different occasions require changing only a few
settings, you can use policy profiles.

A policy profile is a named subset of policy settings values that replaces the settings values of a policy. A policy
profile affects the effective settings formation on a managed device. Effective settings are a set of policy
settings, policy profile settings, and local application settings that are currently applied for the device.

Policy pro les function according to the following rules:

A policy profile takes effect when a specific activation condition occurs.

Policy profiles contain values of settings that differ from the policy settings.

Activation of a policy profile changes the effective settings of the managed device.

A policy can include a maximum of 100 policy profiles.

Policy profiles
Sometimes it may be necessary to create several instances of a single policy for different administration groups;
you might also want to modify the settings of those policies centrally. These instances might differ by only one or
two settings. For example, all the accountants in an enterprise work under the same policy—but senior
accountants are allowed to use flash drives, while junior accountants are not. In this case, applying policies to
devices only through the hierarchy of administration groups can be inconvenient.

To help you avoid creating several instances of a single policy, Kaspersky Security Center enables you to create
policy profiles. Policy profiles are necessary if you want devices within a single administration group to run under
different policy settings.

A policy profile is a named subset of policy settings. This subset is distributed on target devices together with the
policy, supplementing it under a specific condition called the profile activation condition. Profiles only contain
settings that differ from the "basic" policy, which is active on the managed device. Activation of a profile modifies
the settings of the "basic" policy that were initially active on the device. The modified settings take values that
have been specified in the profile.

Tasks
Kaspersky Security Center manages Kaspersky security applications installed on devices by creating and running
tasks. Tasks are required for installing, launching, and stopping applications, scanning files, updating databases and
software modules, and performing other actions on applications.

Tasks for a specific application can be created only if the management plug-in for that application is installed.

Tasks can be performed on the Administration Server and on devices.

The following tasks are performed on the Administration Server:

Automatic distribution of reports

Downloading of updates to the repository of the Administration Server

Backup of Administration Server data

Maintenance of the database

Windows Update synchronization

Creation of an installation package based on the operating system (OS) image of a reference device

The following types of tasks are performed on devices:

Local tasks—Tasks that are performed on a specific device

Local tasks can be modified either by the administrator, by using Administration Console tools, or by the user of
a remote device (for example, through the security application interface). If a local task has been modified
simultaneously by the administrator and the user of a managed device, the changes made by the administrator
will take effect because they have a higher priority.

Group tasks—Tasks that are performed on all devices of a specific group

Unless otherwise specified in the task properties, a group task also affects all subgroups of the selected group.
A group task also affects (optionally) devices that have been connected to secondary and virtual
Administration Servers deployed in the group or any of its subgroups.

Global tasks—Tasks that are performed on a set of devices, regardless of whether they are included in any
group

For each application, you can create any number of group tasks, global tasks, or local tasks.

You can make changes to the settings of tasks, view the progress of tasks, and copy, export, import, and delete
tasks.

A task is started on a device only if the application for which the task was created is running.

Results of tasks are saved in the Microsoft Windows event log and the Kaspersky Security Center event log, both
centrally on the Administration Server and locally on each device.

Do not include private data in task settings. For example, avoid specifying the domain administrator password.

Task scope
The scope of a task is the set of devices on which the task is performed. The types of scope are as follows:

For a local task, the scope is the device itself.

For an Administration Server task, the scope is the Administration Server.

For a group task, the scope is the list of devices included in the group.

When creating a global task, you can use the following methods to specify its scope:

Specifying certain devices manually.


You can use an IP address (or IP range), NetBIOS name, or DNS name as the device address.

Importing a list of devices from a TXT file with the device addresses to be added (each address must be placed
on an individual line).
If you import a list of devices from a file or create a list manually, and if devices are identified by their names, the
list can only contain devices for which information has already been entered into the Administration Server
database. Moreover, the information must have been entered when those devices were connected or during
device discovery.

Specifying a device selection.

Over time, the scope of a task changes as the set of devices included in the selection changes. A selection of
devices can be made on the basis of device attributes, including software installed on a device, and on the basis
of tags assigned to devices. Device selection is the most flexible way to specify the scope of a task.
Tasks for device selections are always run on a schedule by the Administration Server. These tasks cannot be
run on devices that lack connection to the Administration Server. Tasks whose scope is specified by using other
methods are run directly on devices and therefore do not depend on the device connection to the
Administration Server.
Tasks for device selections are not run on the local time of a device; instead, they are run on the local time of
the Administration Server. Tasks whose scope is specified by using other methods are run on the local time of a
device.
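The address list that a global task scope can be imported from (one address per line: an IP address, an IP range, a NetBIOS name, or a DNS name) can be validated before it is handed to the Administration Server. The following Python script is an added example and is not part of Kaspersky Security Center; the range syntax "first-last", the NetBIOS and DNS name rules, the sample file contents, and the function names are assumptions of the example. It cannot check the other condition stated above, that devices named in the list must already be present in the Administration Server database.

```python
import ipaddress
import re
from dataclasses import dataclass
from typing import List, Tuple

# Name rules assumed for this example (not taken from the help text).
NETBIOS_RE = re.compile(r"^[A-Za-z0-9][A-Za-z0-9_\-]{0,14}$")        # up to 15 characters, no dots
DNS_LABEL_RE = re.compile(r"^[A-Za-z0-9]([A-Za-z0-9\-]{0,61}[A-Za-z0-9])?$")

# Constructed sample of an import file; the last two lines are deliberately malformed.
SAMPLE_TXT = """192.168.10.15
192.168.10.0-192.168.10.255
FIN-WS-042
fileserver01.corp.example
192.168.10.300
bad name!
"""


@dataclass(frozen=True)
class DeviceAddress:
    kind: str    # "ip", "ip_range", "netbios" or "dns"
    value: str


def classify(line: str) -> DeviceAddress:
    """Classify one address line, raising ValueError if it matches none of the four forms."""
    try:
        ipaddress.ip_address(line)
        return DeviceAddress("ip", line)
    except ValueError:
        pass

    parts = line.split("-")
    if len(parts) == 2:
        try:
            start = ipaddress.ip_address(parts[0])
            end = ipaddress.ip_address(parts[1])
        except ValueError:
            start = None
        if start is not None:
            if start.version != end.version or start > end:
                raise ValueError(f"invalid IP range: {line}")
            return DeviceAddress("ip_range", line)

    labels = line.split(".")
    if all(label.isdigit() for label in labels):
        # dotted digits that did not parse as an address: a malformed IP, not a host name
        raise ValueError(f"malformed IP address: {line}")
    if len(labels) == 1 and NETBIOS_RE.match(line):
        return DeviceAddress("netbios", line)
    if len(line) <= 253 and all(DNS_LABEL_RE.match(label) for label in labels):
        return DeviceAddress("dns", line)
    raise ValueError(f"unrecognised device address: {line}")


def parse_device_list(text: str) -> Tuple[List[DeviceAddress], List[Tuple[int, str]]]:
    """Parse the whole file, one address per line. Returns (accepted, rejected with reason)."""
    accepted: List[DeviceAddress] = []
    rejected: List[Tuple[int, str]] = []
    for line_no, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip()
        if not line:          # blank lines are skipped (assumption of this example)
            continue
        try:
            accepted.append(classify(line))
        except ValueError as err:
            rejected.append((line_no, str(err)))
    return accepted, rejected


if __name__ == "__main__":
    ok, bad = parse_device_list(SAMPLE_TXT)
    for address in ok:
        print(f"{address.kind:9} {address.value}")
    for line_no, reason in bad:
        print(f"line {line_no}: {reason}")
```

Rejecting malformed lines before import matters because a mistyped address silently narrows or widens the set of devices a task runs on; the all-digits check exists so that a broken IP such as 192.168.10.300 is not accepted as a DNS name.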

How local application settings relate to policies
You can use policies to set identical values of the application settings for all devices in a group.

The values of the settings that a policy specifies can be redefined for individual devices in a group by using local
application settings. You can set only the values of settings that the policy allows to be modified, that is, the
unlocked settings.

The value of a setting that the application uses on a client device is defined by the lock position for that setting
in the policy:

If a setting modification is locked, the same value (defined in the policy) is used on all client devices.

If a setting modification is unlocked, the application uses a local setting value on each client device instead of
the value specified in the policy. The setting can then be changed in the local application settings.

This means that, when a task is run on a client device, the application applies settings that have been defined in
two different ways:

By task settings and local application settings, if the setting is not locked against changes in the policy.

By the group policy, if the setting is locked against changes.

Local application settings are changed after the policy is first applied in accordance with the policy settings.
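The layering described in this section and in the policy profile sections before it (a basic policy whose settings are locked or unlocked, policy profiles that override a subset of settings while their activation condition holds, and local application settings that apply only where a setting is unlocked) can be checked against a small model. The following Python script is an added illustration and is not part of Kaspersky Security Center or its API; the Setting, Policy, PolicyProfile and Device classes, the accountants' sample policy, and the precedence order (policy value, then the overrides of each active profile, then the local value for unlocked settings only) are assumptions of the example.

```python
from dataclasses import dataclass, field
from typing import Any, Callable, Dict, List, Set

MAX_PROFILES_PER_POLICY = 100  # limit stated in the help text


@dataclass
class Setting:
    """One policy setting: its value and the lock position."""
    value: Any
    locked: bool = True   # True: policy value enforced; False: a local value may replace it


@dataclass
class Device:
    """A managed device with its tags and local application settings."""
    name: str
    tags: Set[str] = field(default_factory=set)
    local_settings: Dict[str, Any] = field(default_factory=dict)


@dataclass
class PolicyProfile:
    """Named subset of policy settings that applies only while its condition holds."""
    name: str
    overrides: Dict[str, Any]                  # only settings that differ from the basic policy
    condition: Callable[[Device], bool]        # profile activation condition


@dataclass
class Policy:
    settings: Dict[str, Setting]
    profiles: List[PolicyProfile] = field(default_factory=list)

    def add_profile(self, profile: PolicyProfile) -> None:
        if len(self.profiles) >= MAX_PROFILES_PER_POLICY:
            raise ValueError("a policy can include at most 100 policy profiles")
        unknown = set(profile.overrides) - set(self.settings)
        if unknown:
            raise KeyError(f"profile overrides settings the policy does not define: {sorted(unknown)}")
        self.profiles.append(profile)


def effective_settings(policy: Policy, device: Device) -> Dict[str, Any]:
    """Settings the application actually uses on the device.

    Precedence in this model (an assumption; the help text lists the three layers without
    spelling out the order): basic policy value, then the overrides of every active profile
    (later profiles win), then, for unlocked settings only, the device's local value.
    """
    result = {key: s.value for key, s in policy.settings.items()}
    for profile in policy.profiles:
        if profile.condition(device):
            result.update(profile.overrides)
    for key, s in policy.settings.items():
        if not s.locked and key in device.local_settings:
            result[key] = device.local_settings[key]
    return result


def build_accountant_policy() -> Policy:
    """Constructed example: the accountants' policy from the text, with a 'senior' profile."""
    policy = Policy({
        "block_removable_drives": Setting(True, locked=True),
        "real_time_protection": Setting(True, locked=True),
        "scan_schedule": Setting("daily", locked=False),   # users may pick their own schedule
    })
    policy.add_profile(PolicyProfile(
        "Senior accountants",
        {"block_removable_drives": False},
        condition=lambda d: "senior" in d.tags,
    ))
    return policy


if __name__ == "__main__":
    policy = build_accountant_policy()
    junior = Device("acct-01", {"accountant"}, {"real_time_protection": False, "scan_schedule": "weekly"})
    senior = Device("acct-02", {"accountant", "senior"})
    print("junior:", effective_settings(policy, junior))
    print("senior:", effective_settings(policy, senior))
```

The junior device's local attempt to switch real-time protection off is ignored because that setting is locked, while its local scan schedule is honoured because that setting is unlocked; the senior device gets removable drives unblocked by the profile without a second policy existing.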

Distribution point
Distribution point (previously known as update agent) is a device with Network Agent installed that is used for
distribution of updates, remote installation of applications, and retrieval of information about networked devices. A
distribution point can perform the following functions:

Distribute updates and installation packages received from the Administration Server to client devices within
the group (including distribution through multicasting using UDP). Updates can be received either from the
Administration Server or from Kaspersky update servers. In the latter case, an update task must be created for
the distribution point.
Distribution point devices running macOS cannot download updates from Kaspersky update servers.

If one or more devices running macOS are within the scope of the Download updates to the repositories of
distribution points task, the task completes with the Failed status, even if it has successfully completed on
all Windows devices.

Distribution points accelerate update distribution and free up Administration Server resources.

Distribute policies and group tasks through multicasting using UDP.

Act as a gateway for connection to the Administration Server for devices in an administration group.
If a direct connection between managed devices within the group and the Administration Server cannot be
established, you can use the distribution point as connection gateway to the Administration Server for this
group. In this case, managed devices connect to the connection gateway, which in turn connects to the
Administration Server.
The presence of a distribution point that functions as connection gateway does not block the option of a
direct connection between managed devices and the Administration Server. If the connection gateway is not
available, but direct connection with the Administration Server is technically possible, managed devices are
connected to the Administration Server directly.

Poll the network to detect new devices and update information about existing ones. A distribution point can
apply the same device discovery methods as the Administration Server.

Perform remote installation of third-party software and Kaspersky applications by using tools of the
distribution point operating system. Note that the distribution point can perform installation on client devices
without Network Agent.
This feature allows you to remotely transfer Network Agent installation packages to client devices located on
networks to which the Administration Server has no direct access.

Act as a proxy server participating in Kaspersky Security Network (KSN).


You can enable KSN proxy server on distribution point side to make the device act as a KSN proxy server. In this
case, the KSN proxy service (ksnproxy) is run on the device.

Files are transmitted from the Administration Server to a distribution point over HTTP or, if SSL connection is
enabled, over HTTPS. Using HTTP or HTTPS results in a higher level of performance, compared to SOAP, through
cutting traffic.

Devices with Network Agent installed can be assigned distribution points either manually (by the administrator), or
automatically (by the Administration Server). The full list of distribution points for specified administration groups
is displayed in the report about the list of distribution points.

The scope of a distribution point is the administration group to which it has been assigned by the administrator, as
well as its subgroups of all levels of embedding. If multiple distribution points have been assigned in the hierarchy of
administration groups, Network Agent on the managed device connects to the nearest distribution point in the
hierarchy.

A network location can also be the scope of distribution points. The network location is used for manual creation
of a set of devices to which the distribution point will distribute updates. Network location can be determined only
for devices running a Windows operating system.

If distribution points are assigned automatically by the Administration Server, it assigns them by broadcast
domains, not by administration groups. This occurs when all broadcast domains are known. Network Agent
exchanges messages with other Network Agents in the same subnet and then sends Administration Server
information about itself and other Network Agents. Administration Server can use that information to group
Network Agents by broadcast domains. Broadcast domains are known to Administration Server after more than
70% Network Agents in administration groups are polled. Administration Server polls broadcast domains every two
hours. After distribution points are assigned by broadcast domains, they cannot be re-assigned by administration
groups.

If the administrator manually assigns distribution points, they can be assigned to administration groups or network
locations.

Network Agents with the active connection pro le do not participate in broadcast domain detection.

Kaspersky Security Center assigns each Network Agent a unique IP multicast address that differs from every
other address. This allows you to avoid network overload that might occur due to IP overlaps.

If two or more distribution points are assigned to a single network area or to a single administration group, one of
them becomes the active distribution point, and the rest become standby distribution points. The active
distribution point downloads updates and installation packages directly from the Administration Server, while
standby distribution points receive updates from the active distribution point only. In this case, files are
downloaded once from the Administration Server and then are distributed among distribution points. If the active
distribution point becomes unavailable for any reason, one of the standby distribution points becomes active. The
Administration Server automatically assigns a distribution point to act as standby.

The distribution point status (Active/Standby) is displayed with a check box in the klnagchk report.

A distribution point requires at least 4 GB of free disk space. If the free disk space of the distribution point is less
than 2 GB, Kaspersky Security Center creates an incident with the Warning importance level. The incident will be
published in the device properties, in the Incidents section.

Running remote installation tasks on a device assigned as a distribution point requires additional free disk space.
The volume of free disk space must exceed the total size of all installation packages to be installed.

Running any updating (patching) tasks and vulnerability fix tasks on a device assigned as a distribution point
requires additional free disk space. The volume of free disk space must be at least twice the total size of all
patches to be installed.

Devices functioning as distribution points must be protected, including physical protection, against any
unauthorized access.
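The scope rules, the active/standby arrangement and the free-disk-space thresholds described in this section can be checked with a small model before a device is assigned as a distribution point. The following Python script is an added example and is not part of Kaspersky Security Center; the group hierarchy, the device names, the preference order among candidate distribution points (the first in the list is the active one), and the function names are assumptions of the example, while the 4 GB, 2 GB, package-size and twice-the-patch-size figures are those stated above.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional

GB = 1024 ** 3

# Constructed administration-group hierarchy: group -> parent group (None for the root).
GROUP_PARENT: Dict[str, Optional[str]] = {
    "Managed devices": None,
    "HQ": "Managed devices",
    "HQ/Finance": "HQ",
    "Branch": "Managed devices",
}


@dataclass
class DistributionPoint:
    device: str
    group: str            # administration group the administrator assigned it to
    online: bool = True


def is_within(group: str, ancestor: str) -> bool:
    """True if `group` is `ancestor` itself or one of its subgroups at any depth."""
    g: Optional[str] = group
    while g is not None:
        if g == ancestor:
            return True
        g = GROUP_PARENT[g]
    return False


def scope(dp: DistributionPoint) -> List[str]:
    """Groups the distribution point serves: its own group plus all of its subgroups."""
    return [g for g in GROUP_PARENT if is_within(g, dp.group)]


def nearest_distribution_points(device_group: str, dps: List[DistributionPoint]) -> List[DistributionPoint]:
    """Walk up from the device's group and return the distribution points at the nearest level that has any."""
    g: Optional[str] = device_group
    while g is not None:
        here = [dp for dp in dps if dp.group == g]
        if here:
            return here
        g = GROUP_PARENT[g]
    return []   # no distribution point covers this device


def select_active(candidates: List[DistributionPoint]) -> Optional[DistributionPoint]:
    """One distribution point in a shared scope is active and the rest are standby; an online
    standby takes over when the active one is unavailable. List order is the preference (assumption)."""
    for dp in candidates:
        if dp.online:
            return dp
    return None


def disk_space_findings(free_bytes: int, install_packages_bytes: int = 0, patches_bytes: int = 0) -> List[str]:
    """Apply the free-disk-space rules from the help text to a candidate distribution point."""
    findings: List[str] = []
    if free_bytes < 4 * GB:
        findings.append("below the 4 GB minimum required for a distribution point")
    if free_bytes < 2 * GB:
        findings.append("Warning incident: free disk space below 2 GB")
    if install_packages_bytes and free_bytes <= install_packages_bytes:
        findings.append("remote installation needs free space exceeding the total size of all packages")
    if patches_bytes and free_bytes < 2 * patches_bytes:
        findings.append("patching needs free space of at least twice the total size of all patches")
    return findings


if __name__ == "__main__":
    dps = [DistributionPoint("dp-hq-1", "HQ"), DistributionPoint("dp-hq-2", "HQ"),
           DistributionPoint("dp-root", "Managed devices")]
    finance = nearest_distribution_points("HQ/Finance", dps)
    print("HQ/Finance uses:", [d.device for d in finance], "active:", select_active(finance).device)
    dps[0].online = False
    print("after failover, active:", select_active(finance).device)
    print("dp-hq-1 scope:", scope(dps[0]))
    print("findings for 10 GB free, 6 GB of patches:", disk_space_findings(10 * GB, patches_bytes=6 * GB))
```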

Connection gateway

A connection gateway is a Network Agent acting in a special mode. A connection gateway accepts connections
from other Network Agents and tunnels them to the Administration Server through its own connection with the
Server. Unlike an ordinary Network Agent, a connection gateway waits for connections from the Administration
Server rather than establishes connections to the Administration Server.

A connection gateway can receive connections from up to 10,000 devices.

You have two options for using connection gateways:

We recommend that you install a connection gateway in a demilitarized zone (DMZ). For other Network Agents
installed on out-of-office devices, you need to specially configure a connection to Administration Server
through the connection gateway.
A connection gateway does not in any way modify or process data that is transmitted from Network Agents to
Administration Server. Moreover, it does not write this data into any buffer and therefore cannot accept data
from a Network Agent and later forward it to Administration Server. If Network Agent attempts to connect to
Administration Server through the connection gateway, but the connection gateway cannot connect to
Administration Server, Network Agent perceives this as if Administration Server is inaccessible. All data remains
on Network Agent (not on the connection gateway).
A connection gateway cannot connect to Administration Server through another connection gateway. It means
that Network Agent cannot simultaneously be a connection gateway and use a connection gateway to connect
to Administration Server.
All connection gateways are included in the list of distribution points in the Administration Server properties.

You can also use connection gateways within the network. For example, automatically assigned distribution
points also become connection gateways in their own scope. However, within an internal network, connection
gateways do not provide considerable benefit. They reduce the number of network connections received by
Administration Server, but do not reduce the volume of incoming data. Even without connection gateways, all
devices could still connect to Administration Server.

About Kaspersky Security Center
The section contains information about the purpose of Kaspersky Security Center, its main features and
components, and ways to purchase Kaspersky Security Center.

Information provided in Online Help may differ from information provided in documents shipped with the
application; in this case, Online Help is considered up-to-date. You can proceed to Online Help by clicking links
in the application interface, or by clicking the Online Help link in documents. Online Help can be updated
without prior notice. You can switch between Online Help and Offline Help if necessary.

Kaspersky Security Center is designed for centralized execution of basic administration and maintenance tasks on
an organization's network. The application provides the administrator access to detailed information about the
organization's network security level; it allows configuring all the components of protection built using Kaspersky
applications.

Kaspersky Security Center is an application aimed at corporate network administrators and employees responsible
for protection of devices in a wide range of organizations.

Using Kaspersky Security Center, you can do the following:

Create a hierarchy of Administration Servers to manage the organization's network, as well as networks at
remote offices or client organizations.
The client organization is an organization whose anti-virus protection is ensured by the service provider.

Create a hierarchy of administration groups to manage a selection of client devices as a whole.

Manage an anti-virus protection system built based on Kaspersky applications.

Create images of operating systems and deploy them on client devices over the network, as well as perform
remote installation of applications by Kaspersky and other software vendors.

Remotely manage applications by Kaspersky and other vendors installed on client devices. Install updates, find
and fix vulnerabilities.

Perform centralized deployment of license keys for Kaspersky applications to client devices, monitor their use,
and renew licenses.

Receive statistics and reports about the operation of applications and devices.

Receive notifications about critical events during the operation of Kaspersky applications.

Manage mobile devices.

Manage encryption of information stored on the hard drives of devices and removable drives and users' access
to encrypted data.

Perform inventory of hardware connected to the organization's network.

Centrally manage files moved to Quarantine or Backup by security applications, as well as manage files for
which processing by security applications has been postponed.

You can purchase Kaspersky Security Center through Kaspersky (for example, at https://www.kaspersky.com) or
through partner companies.

If you purchase Kaspersky Security Center through Kaspersky, you can copy the application from our website.
Information that is required for application activation is sent to you by email after your payment is processed.

Hardware and software requirements

Administration Server

Minimum hardware requirements:

CPU with an operating frequency of 1 GHz or higher. For a 64-bit operating system, the minimum CPU
frequency is 1.4 GHz.

RAM: 4 GB.

Available disk space: 10 GB. When Vulnerability and Patch Management is used, at least 100 GB of free disk
space must be available.

For deployment in cloud environments, the requirements for Administration Server and database server are the
same as the requirements for physical Administration Server (depending on how many devices you want to
manage).

Software requirements:

Microsoft® Data Access Components (MDAC) 2.8

Microsoft Windows® DAC 6.0

Microsoft Windows Installer 4.5

The following operating systems are supported:

Microsoft Windows 10 Enterprise 2015 LTSB 32-bit/64-bit

Microsoft Windows 10 Enterprise 2016 LTSB 32-bit/64-bit

Microsoft Windows 10 Enterprise 2019 LTSC 32-bit/64-bit

Microsoft Windows 10 Pro RS5 (October 2018 Update, 1809) 32-bit/64-bit

Microsoft Windows 10 Pro for Workstations RS5 (October 2018 Update, 1809) 32-bit/64-bit

Microsoft Windows 10 Enterprise RS5 (October 2018 Update, 1809) 32-bit/64-bit

Microsoft Windows 10 Education RS5 (October 2018 Update, 1809) 32-bit/64-bit

Microsoft Windows 10 Pro 19H1 32-bit/64-bit

Microsoft Windows 10 Pro for Workstations 19H1 32-bit/64-bit

Microsoft Windows 10 Enterprise 19H1 32-bit/64-bit

Microsoft Windows 10 Education 19H1 32-bit/64-bit

Microsoft Windows 10 Pro 19H2 32-bit/64-bit

Microsoft Windows 10 Pro for Workstations 19H2 32-bit/64-bit

Microsoft Windows 10 Enterprise 19H2 32-bit/64-bit

Microsoft Windows 10 Education 19H2 32-bit/64-bit

Microsoft Windows 10 Home 20H1 (May 2020 Update) 32-bit/64-bit

Microsoft Windows 10 Pro 20H1 (May 2020 Update) 32-bit/64-bit

Microsoft Windows 10 Enterprise 20H1 (May 2020 Update) 32-bit/64-bit

Microsoft Windows 10 Education 20H1 (May 2020 Update) 32-bit/64-bit

Microsoft Windows 10 Home 20H2 (October 2020 Update) 32-bit/64-bit

Microsoft Windows 10 Pro 20H2 (October 2020 Update) 32-bit/64-bit

Microsoft Windows 10 Enterprise 20H2 (October 2020 Update) 32-bit/64-bit

Microsoft Windows 10 Education 20H2 (October 2020 Update) 32-bit/64-bit

Microsoft Windows 10 Home 21H1 (May 2021 Update) 32-bit/64-bit

Microsoft Windows 10 Pro 21H1 (May 2021 Update) 32-bit/64-bit

Microsoft Windows 10 Enterprise 21H1 (May 2021 Update) 32-bit/64-bit

Microsoft Windows 10 Education 21H1 (May 2021 Update) 32-bit/64-bit

Microsoft Windows 10 Home 21H2 (October 2021 Update) 32-bit/64-bit

Microsoft Windows 10 Pro 21H2 (October 2021 Update) 32-bit/64-bit

Microsoft Windows 10 Enterprise 21H2 (October 2021 Update) 32-bit/64-bit

Microsoft Windows 10 Education 21H2 (October 2021 Update) 32-bit/64-bit

Microsoft Windows 11 Home 64-bit

Microsoft Windows 11 Pro 64-bit

Microsoft Windows 11 Enterprise 64-bit

Microsoft Windows 11 Education 64-bit

Microsoft Windows 8.1 Pro 32-bit/64-bit

Microsoft Windows 8.1 Enterprise 32-bit/64-bit

Microsoft Windows 8 Pro 32-bit/64-bit

Microsoft Windows 8 Enterprise 32-bit/64-bit

Microsoft Windows 7 Professional with Service Pack 1 and later 32-bit/64-bit

Microsoft Windows 7 Enterprise/Ultimate with Service Pack 1 and later 32-bit/64-bit

Windows Server 2012 Server Core 64-bit

Windows Server 2012 Datacenter 64-bit

Windows Server 2012 Essentials 64-bit

Windows Server 2012 Foundation 64-bit

Windows Server 2012 Standard 64-bit

Windows Server 2012 R2 Server Core 64-bit

Windows Server 2012 R2 Datacenter 64-bit

Windows Server 2012 R2 Essentials 64-bit

Windows Server 2012 R2 Foundation 64-bit

Windows Server 2012 R2 Standard 64-bit

Windows Server 2016 Datacenter (LTSB) 64-bit

Windows Server 2016 Standard (LTSB) 64-bit

Windows Server 2016 Server Core (Installation Option) (LTSB) 64-bit

Windows Server 2019 Standard 64-bit

Windows Server 2019 Datacenter 64-bit

Windows Server 2019 Core 64-bit

Windows Server 2022 Standard 64-bit

Windows Server 2022 Datacenter 64-bit

Windows Server 2022 Core 64-bit

Windows Storage Server 2012 64-bit

Windows Storage Server 2012 R2 64-bit

Windows Storage Server 2016 64-bit

Windows Storage Server 2019 64-bit

The following virtualization platforms are supported:

VMware vSphere 6.7

VMware vSphere 7.0

VMware Workstation 16 Pro

Microsoft Hyper-V Server 2012 64-bit

Microsoft Hyper-V Server 2012 R2 64-bit

Microsoft Hyper-V Server 2016 64-bit

Microsoft Hyper-V Server 2019 64-bit

Microsoft Hyper-V Server 2022 64-bit

Citrix XenServer 7.1 LTSR

Citrix XenServer 8.x

Parallels Desktop 17

Oracle VM VirtualBox 6.x

The following database servers are supported (can be installed on a different device):

Microsoft SQL Server 2012 Express 64-bit

Microsoft SQL Server 2014 Express 64-bit

Microsoft SQL Server 2016 Express 64-bit

Microsoft SQL Server 2017 Express 64-bit

Microsoft SQL Server 2019 Express 64-bit

Microsoft SQL Server 2014 (all editions) 64-bit

Microsoft SQL Server 2016 (all editions) 64-bit

Microsoft SQL Server 2017 (all editions) on Windows 64-bit

Microsoft SQL Server 2017 (all editions) on Linux 64-bit

Microsoft SQL Server 2019 (all editions) on Windows 64-bit (requires additional actions)

Microsoft SQL Server 2019 (all editions) on Linux 64-bit (requires additional actions)

Microsoft Azure SQL Database

All supported SQL Server editions in Amazon RDS and Microsoft Azure cloud platforms

MySQL 5.7 Community 32-bit/64-bit

MySQL Standard Edition 8.0 (release 8.0.20 and later) 32-bit/64-bit

MySQL Enterprise Edition 8.0 (release 8.0.20 and later) 32-bit/64-bit

MariaDB 10.3 (build 10.3.22 and later) 32-bit/64-bit

MariaDB Server 10.3 32-bit/64-bit with InnoDB storage engine

MariaDB Galera Cluster 10.3 32-bit/64-bit with InnoDB storage engine

It is recommended to use MariaDB 10.3.22; if you use an earlier version, the Perform Windows update task
might take more than one day to work.

SIEM and other information management systems:

HP (Micro Focus) ArcSight ESM 7.0

IBM QRadar 7.3

Splunk 7.1

Kaspersky Security Center 14 Web Console

Kaspersky Security Center Web Console Server

Minimum hardware requirements:

CPU: 4 cores, operating frequency of 2.5 GHz

RAM: 8 GB

Available disk space: 40 GB

The following operating systems are supported:

Microsoft Windows (64-bit versions only):

Microsoft Windows 10 Enterprise 2015 LTSB

Microsoft Windows 10 Enterprise 2016 LTSB

Microsoft Windows 10 Enterprise 2019 LTSC

Microsoft Windows 10 Pro RS5 (October 2018 Update, 1809)

Microsoft Windows 10 Pro for Workstations RS5 (October 2018 Update, 1809)

Microsoft Windows 10 Enterprise RS5 (October 2018 Update, 1809)

Microsoft Windows 10 Education RS5 (October 2018 Update, 1809)

Microsoft Windows 10 Pro 19H1

Microsoft Windows 10 Pro for Workstations 19H1

Microsoft Windows 10 Enterprise 19H1

Microsoft Windows 10 Education 19H1

Microsoft Windows 10 Pro 19H2

Microsoft Windows 10 Pro for Workstations 19H2

Microsoft Windows 10 Enterprise 19H2

Microsoft Windows 10 Education 19H2

Microsoft Windows 10 Home 20H1 (May 2020 Update)

Microsoft Windows 10 Pro 20H1 (May 2020 Update)

Microsoft Windows 10 Enterprise 20H1 (May 2020 Update)

Microsoft Windows 10 Education 20H1 (May 2020 Update)

Microsoft Windows 10 Home 20H2 (October 2020 Update)

Microsoft Windows 10 Pro 20H2 (October 2020 Update)

Microsoft Windows 10 Enterprise 20H2 (October 2020 Update)

Microsoft Windows 10 Education 20H2 (October 2020 Update)

Microsoft Windows 10 Home 21H1 (May 2021 Update) 32-bit/64-bit

Microsoft Windows 10 Pro 21H1 (May 2021 Update) 32-bit/64-bit

Microsoft Windows 10 Enterprise 21H1 (May 2021 Update) 32-bit/64-bit

Microsoft Windows 10 Education 21H1 (May 2021 Update) 32-bit/64-bit

Microsoft Windows 10 Home 21H2 (October 2021 Update) 32-bit/64-bit

Microsoft Windows 10 Pro 21H2 (October 2021 Update) 32-bit/64-bit

Microsoft Windows 10 Enterprise 21H2 (October 2021 Update) 32-bit/64-bit

Microsoft Windows 10 Education 21H2 (October 2021 Update) 32-bit/64-bit

Microsoft Windows 11 Home

Microsoft Windows 11 Pro

Microsoft Windows 11 Enterprise

Microsoft Windows 11 Education

Windows Server 2012 Server Core

Windows Server 2012 Datacenter

Windows Server 2012 Essentials

Windows Server 2012 Foundation

Windows Server 2012 Standard

Windows Server 2012 R2 Server Core

Windows Server 2012 R2 Datacenter

Windows Server 2012 R2 Essentials

Windows Server 2012 R2 Foundation

Windows Server 2012 R2 Standard

Windows Server 2016 Datacenter (LTSB)

Windows Server 2016 Standard (LTSB)

Windows Server 2016 Server Core (Installation Option) (LTSB)

Windows Server 2019 Standard 64-bit

Windows Server 2019 Datacenter 64-bit

Windows Server 2019 Core 64-bit

Windows Server 2022 Standard 64-bit

Windows Server 2022 Datacenter 64-bit

Windows Server 2022 Core 64-bit

Windows Storage Server 2012 64-bit

Windows Storage Server 2012 R2 64-bit

Windows Storage Server 2016 64-bit

Windows Storage Server 2019 64-bit

Linux (64-bit versions only):

Debian GNU/Linux 11.x (Bullseye)

Debian GNU/Linux 10.x (Buster)

Debian GNU/Linux 9.x (Stretch)

Ubuntu Server 20.04 LTS (Focal Fossa)

Ubuntu Server 18.04 LTS (Bionic Beaver)

CentOS 7.x

Red Hat Enterprise Linux Server 8.x

Red Hat Enterprise Linux Server 7.x

SUSE Linux Enterprise Server 12 (all Service Packs)

SUSE Linux Enterprise Server 15 (all Service Packs)

SUSE Linux Enterprise Desktop 15 (Service Pack 3) ARM

Astra Linux Special Edition RUSB.10015-01 (operational update 1.7)

Astra Linux Special Edition RUSB.10015-01 (operational update 1.6)

Astra Linux Common Edition (operational update 2.12)

ALT Server 10

ALT Server 9.2

ALT 8 SP Server (LKNV.11100-01)

ALT 8 SP Server (LKNV.11100-02)

ALT 8 SP Server (LKNV.11100-03)

Oracle Linux 8

Oracle Linux 7

RED OS 7.3 Server

RED OS 7.3 Certified Edition

Among virtualization platforms, Kernel-based Virtual Machine is supported for the following operating systems:

ALT 8 SP Server (LKNV.11100-01) 64-bit

ALT Server 10 64-bit

Astra Linux Special Edition RUSB.10015-01 (operational update 1.7) 64-bit

Debian GNU/Linux 11.x (Bullseye) 32-bit/64-bit

Ubuntu Server 20.04 LTS (Focal Fossa) 64-bit

RED OS 7.3 Server 64-bit

RED OS 7.3 Certified Edition 64-bit

Client devices

For a client device, use of Kaspersky Security Center Web Console requires only a browser.

The hardware and software requirements for the device are identical to the requirements of the browser that is
used with Kaspersky Security Center Web Console.

Browsers:

Mozilla Firefox Extended Support Release 91.8.0 or later (91.8.0 released on April 5, 2022)

Mozilla Firefox Release 99.0 or later (99.0 released on April 5, 2022)

Google Chrome 100.0.4896.88 or later (official build)

Microsoft Edge 100 or later

Safari 15 on macOS

iOS Mobile Device Management (iOS MDM) Server

Hardware requirements:

CPU with an operating frequency of 1 GHz or higher. For a 64-bit operating system, the minimum CPU
frequency is 1.4 GHz.

RAM: 2 GB.

Available disk space: 2 GB.

Software requirements: Microsoft Windows (the supported version of the operating system is defined by the
Administration Server requirements).

Exchange Mobile Device Server

All software and hardware requirements for Exchange Mobile Device Server are included in the requirements for
Microsoft Exchange Server.

Microsoft Exchange Server 2007, Microsoft Exchange Server 2010, and Microsoft Exchange Server 2013 are supported.

Administration Console

Hardware requirements:

CPU with an operating frequency of 1 GHz or higher. For a 64-bit operating system, the minimum CPU
frequency is 1.4 GHz.

RAM: 512 MB.

Available disk space: 1 GB.

Software requirements:

Microsoft Windows operating system (supported version of the operating system is determined by the
requirements of Administration Server), except for the following operating systems:

Windows Server 2012 Server Core 64-bit

Windows Server 2012 R2 Server Core 64-bit

Windows Server 2016 Server Core (Installation Option) (LTSB) 64-bit

Windows Server 2019 Core 64-bit

Windows Server 2022 Core 64-bit

Microsoft Management Console 2.0

Microsoft Windows Installer 4.5

Microsoft Internet Explorer 10.0 running on:

Microsoft Windows Server 2008 R2 Service Pack 1

Microsoft Windows Server 2012

Microsoft Windows Server 2012 R2

Microsoft Windows 7 Service Pack 1

Microsoft Windows 8

Microsoft Windows 8.1

Microsoft Windows 10

Microsoft Internet Explorer 11.0 running on:

Microsoft Windows Server 2012 R2

Microsoft Windows Server 2012 R2 Service Pack 1

Microsoft Windows Server 2016

Microsoft Windows Server 2019

Microsoft Windows 7 Service Pack 1

Microsoft Windows 8.1

Microsoft Windows 10

Microsoft Edge running on Microsoft Windows 10

Network Agent

Minimum hardware requirements:

CPU with an operating frequency of 1 GHz or higher. For a 64-bit operating system, the minimum CPU
frequency is 1.4 GHz.

RAM: 512 MB.

Available disk space: 1 GB.

Software requirement for Linux-based devices: the Perl language interpreter version 5.10 or later must be installed.
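Before pushing Network Agent to a Linux host, the three requirements above (Perl 5.10 or later, 512 MB of RAM, 1 GB of free disk space) can be verified with a short pre-flight script. The script below is an added example written for this page; it is not Kaspersky's own tooling. The file name ksc-agent-preflight.sh and the choice to measure free space under /opt are assumptions. The point worth noting is the version comparison: it compares dotted components as integers, because a string or floating-point comparison ranks Perl 5.8 above 5.10 and would pass a host that does not meet the requirement.

```shell
#!/bin/sh
# Pre-flight check before installing Network Agent on a Linux host.
# Thresholds are the ones listed above: Perl 5.10 or later, 512 MB RAM,
# 1 GB free disk. Everything else (the script name, checking free space
# under /opt) is an assumption made for this example, not a KSC requirement.

# version_ge A B: true when dotted version A >= B, comparing component by
# component as integers. "5.8.9" < "5.10" here, although a string or
# floating-point comparison would wrongly rank 5.8 above 5.10.
version_ge() {
    awk -v a="$1" -v b="$2" 'BEGIN {
        n = split(a, x, "."); m = split(b, y, ".")
        len = (n > m) ? n : m
        for (i = 1; i <= len; i++) {
            p = (i <= n) ? x[i] + 0 : 0   # "+ 0" drops suffixes such as "0-7"
            q = (i <= m) ? y[i] + 0 : 0
            if (p > q) exit 0
            if (p < q) exit 1
        }
        exit 0
    }'
}

# Pure threshold checks on kilobyte counts, so they can be tested with
# constructed numbers instead of the live machine.
mem_ok()  { [ "${1:-0}" -ge $((512 * 1024)) ]; }
disk_ok() { [ "${1:-0}" -ge $((1024 * 1024)) ]; }

# Prints the interpreter's own version as "5.34.0" (empty if perl is absent).
perl_version() {
    perl -e 'printf "%vd", $^V' 2>/dev/null
}

report() { printf '%-4s %s\n' "$1" "$2"; }

# Runs all checks, prints one line per check, returns 1 if any check failed.
preflight() {
    failed=0

    pv=$(perl_version)
    if [ -z "$pv" ]; then
        report FAIL "perl not found (5.10 or later is required)"; failed=1
    elif version_ge "$pv" 5.10; then
        report OK "perl $pv"
    else
        report FAIL "perl $pv is older than 5.10"; failed=1
    fi

    mem_kb=$(awk '/^MemTotal:/ { print $2 }' /proc/meminfo 2>/dev/null)
    if mem_ok "$mem_kb"; then
        report OK "RAM $((mem_kb / 1024)) MB"
    else
        report FAIL "RAM ${mem_kb:-unknown} kB, need 512 MB"; failed=1
    fi

    dir=/opt; [ -d "$dir" ] || dir=/
    free_kb=$(df -Pk "$dir" 2>/dev/null | awk 'NR == 2 { print $4 }')
    if disk_ok "$free_kb"; then
        report OK "free disk under $dir: $((free_kb / 1024)) MB"
    else
        report FAIL "free disk under $dir: ${free_kb:-unknown} kB, need 1 GB"; failed=1
    fi

    # Informational only: the supported-OS list that follows says which
    # distributions accept a 32-bit agent; most require x86_64 or aarch64.
    report INFO "architecture $(uname -m), kernel $(uname -r)"
    return $failed
}

# Run the report only when executed under this file name; sourcing the file
# just defines the functions for reuse.
case "$0" in
    *ksc-agent-preflight.sh) preflight; exit $? ;;
esac
```

Save it as ksc-agent-preflight.sh and run `sh ksc-agent-preflight.sh`; a non-zero exit status means at least one requirement is not met, and the per-line report says which one.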

The following operating systems are supported:

Microsoft Windows Embedded POSReady 2009 with latest Service Pack 32-bit

Microsoft Windows Embedded POSReady 7 32-bit/64-bit

Microsoft Windows Embedded 7 Standard with Service Pack 1 32-bit/64-bit

Microsoft Windows Embedded 8 Standard 32-bit/64-bit

Microsoft Windows Embedded 8.1 Industry Pro 32-bit/64-bit

Microsoft Windows Embedded 8.1 Industry Enterprise 32-bit/64-bit

Microsoft Windows Embedded 8.1 Industry Update 32-bit/64-bit

Microsoft Windows 10 Enterprise 2015 LTSB 32-bit/64-bit

Microsoft Windows 10 Enterprise 2016 LTSB 32-bit/64-bit

Microsoft Windows 10 IoT Enterprise 2015 LTSB 32-bit/64-bit

Microsoft Windows 10 IoT Enterprise 2016 LTSB 32-bit/64-bit

Microsoft Windows 10 Enterprise 2019 LTSC 32-bit/64-bit

Microsoft Windows 10 IoT Enterprise version 1703 32-bit/64-bit

Microsoft Windows 10 IoT Enterprise version 1709 32-bit/64-bit

Microsoft Windows 10 IoT Enterprise version 1803 32-bit/64-bit

Microsoft Windows 10 IoT Enterprise version 1809 32-bit/64-bit

Microsoft Windows 10 20H2 IoT Enterprise 32-bit/64-bit

Microsoft Windows 10 21H2 IoT Enterprise 32-bit/64-bit

Microsoft Windows 10 IoT Enterprise 32-bit/64-bit

Microsoft Windows 10 IoT Enterprise version 1909 32-bit/64-bit

Microsoft Windows 10 IoT Enterprise LTSC 2021 32-bit/64-bit

Microsoft Windows 10 IoT Enterprise version 1607 32-bit/64-bit

Microsoft Windows 10 Home RS3 (Fall Creators Update, v1709) 32-bit/64-bit

Microsoft Windows 10 Pro RS3 (Fall Creators Update, v1709) 32-bit/64-bit

Microsoft Windows 10 Pro for Workstations RS3 (Fall Creators Update, v1709) 32-bit/64-bit

Microsoft Windows 10 Enterprise RS3 (Fall Creators Update, v1709) 32-bit/64-bit

Microsoft Windows 10 Education RS3 (Fall Creators Update, v1709) 32-bit/64-bit

Microsoft Windows 10 Home RS4 (April 2018 Update, 17134) 32-bit/64-bit

Microsoft Windows 10 Pro RS4 (April 2018 Update, 17134) 32-bit/64-bit

Microsoft Windows 10 Pro for Workstations RS4 (April 2018 Update, 17134) 32-bit/64-bit

Microsoft Windows 10 Enterprise RS4 (April 2018 Update, 17134) 32-bit/64-bit

Microsoft Windows 10 Education RS4 (April 2018 Update, 17134) 32-bit/64-bit

Microsoft Windows 10 Home RS5 (October 2018) 32-bit/64-bit

Microsoft Windows 10 Pro RS5 (October 2018) 32-bit/64-bit

Microsoft Windows 10 Pro for Workstations RS5 (October 2018) 32-bit/64-bit

Microsoft Windows 10 Enterprise RS5 (October 2018) 32-bit/64-bit

Microsoft Windows 10 Education RS5 (October 2018) 32-bit/64-bit

Microsoft Windows 10 Home 19H1 32-bit/64-bit

Microsoft Windows 10 Pro 19H1 32-bit/64-bit

Microsoft Windows 10 Pro for Workstations 19H1 32-bit/64-bit

Microsoft Windows 10 Enterprise 19H1 32-bit/64-bit

Microsoft Windows 10 Education 19H1 32-bit/64-bit

Microsoft Windows 10 Home 19H2 32-bit/64-bit

Microsoft Windows 10 Pro 19H2 32-bit/64-bit

Microsoft Windows 10 Pro for Workstations 19H2 32-bit/64-bit

Microsoft Windows 10 Enterprise 19H2 32-bit/64-bit

Microsoft Windows 10 Education 19H2 32-bit/64-bit

Microsoft Windows 10 Home 20H1 (May 2020 Update) 32-bit/64-bit

Microsoft Windows 10 Pro 20H1 (May 2020 Update) 32-bit/64-bit

Microsoft Windows 10 Enterprise 20H1 (May 2020 Update) 32-bit/64-bit

Microsoft Windows 10 Education 20H1 (May 2020 Update) 32-bit/64-bit

Microsoft Windows 10 Home 20H2 (October 2020 Update) 32-bit/64-bit

Microsoft Windows 10 Pro 20H2 (October 2020 Update) 32-bit/64-bit

Microsoft Windows 10 Enterprise 20H2 (October 2020 Update) 32-bit/64-bit

Microsoft Windows 10 Education 20H2 (October 2020 Update) 32-bit/64-bit

Microsoft Windows 10 Home 21H1 (May 2021 Update) 32-bit/64-bit

Microsoft Windows 10 Pro 21H1 (May 2021 Update) 32-bit/64-bit

Microsoft Windows 10 Enterprise 21H1 (May 2021 Update) 32-bit/64-bit

Microsoft Windows 10 Education 21H1 (May 2021 Update) 32-bit/64-bit

Microsoft Windows 10 Home 21H2 (October 2021 Update) 32-bit/64-bit

Microsoft Windows 10 Pro 21H2 (October 2021 Update) 32-bit/64-bit

Microsoft Windows 10 Enterprise 21H2 (October 2021 Update) 32-bit/64-bit

Microsoft Windows 10 Education 21H2 (October 2021 Update) 32-bit/64-bit

Microsoft Windows 11 Home 64-bit

Microsoft Windows 11 Pro 64-bit

Microsoft Windows 11 Enterprise 64-bit

Microsoft Windows 11 Education 64-bit

Microsoft Windows 8.1 Pro 32-bit/64-bit

Microsoft Windows 8.1 Enterprise 32-bit/64-bit

Microsoft Windows 8 Pro 32-bit/64-bit

Microsoft Windows 8 Enterprise 32-bit/64-bit

Microsoft Windows 7 Professional with Service Pack 1 and later 32-bit/64-bit

Microsoft Windows 7 Enterprise/Ultimate with Service Pack 1 and later 32-bit/64-bit

Microsoft Windows 7 Home Basic/Premium with Service Pack 1 and later 32-bit/64-bit

Microsoft Windows XP Professional Service Pack 3 and later 32-bit

Microsoft Windows XP Professional for Embedded Systems Service Pack 3 32-bit

Windows Small Business Server 2011 Essentials 64-bit

Windows Small Business Server 2011 Premium Add-on 64-bit

Windows Small Business Server 2011 Standard 64-bit

Windows MultiPoint Server 2011 Standard/Premium 64-bit

Windows MultiPoint Server 2012 Standard/Premium 64-bit

Windows Server 2008 Foundation with Service Pack 2 32-bit/64-bit

Windows Server 2008 Service Pack 2 (all editions) 32-bit/64-bit

Windows Server 2008 R2 Datacenter Service Pack 1 and later 64-bit

Windows Server 2008 R2 Enterprise Service Pack 1 and later 64-bit

Windows Server 2008 R2 Foundation with Service Pack 1 and later 64-bit

Windows Server 2008 R2 Core Mode Service Pack 1 and later 64-bit

Windows Server 2008 R2 Standard Service Pack 1 and later 64-bit

Windows Server 2008 R2 Service Pack 1 (all editions) 64-bit

Windows Server 2012 Server Core 64-bit

Windows Server 2012 Datacenter 64-bit

Windows Server 2012 Essentials 64-bit

Windows Server 2012 Foundation 64-bit

Windows Server 2012 Standard 64-bit

Windows Server 2012 R2 Server Core 64-bit

Windows Server 2012 R2 Datacenter 64-bit

Windows Server 2012 R2 Essentials 64-bit

Windows Server 2012 R2 Foundation 64-bit

Windows Server 2012 R2 Standard 64-bit

Windows Server 2016 Datacenter (LTSB) 64-bit

Windows Server 2016 Standard (LTSB) 64-bit

Windows Server 2016 Server Core (Installation Option) (LTSB) 64-bit

Windows Server 2019 Standard 64-bit

Windows Server 2019 Datacenter 64-bit

Windows Server 2019 Core 64-bit

Windows Server 2022 Standard 64-bit

Windows Server 2022 Datacenter 64-bit

Windows Server 2022 Core 64-bit

Windows Storage Server 2012 64-bit

Windows Storage Server 2012 R2 64-bit

Windows Storage Server 2016 64-bit

Windows Storage Server 2019 64-bit

Debian GNU/Linux 11.x (Bullseye) 32-bit/64-bit

Debian GNU/Linux 10.x (Buster) 32-bit/64-bit

Debian GNU/Linux 9.x (Stretch) 32-bit/64-bit

Ubuntu Server 20.04 LTS (Focal Fossa) 32-bit/64-bit

Ubuntu Server 20.04.04 LTS (Focal Fossa) ARM 64-bit

Ubuntu Server 18.04 LTS (Bionic Beaver) 32-bit/64-bit

Ubuntu Desktop 20.04 LTS (Focal Fossa) 32-bit/64-bit

Ubuntu Desktop 18.04 LTS (Bionic Beaver) 32-bit/64-bit

CentOS 8.x 64-bit

CentOS 7.x 64-bit

CentOS 7.x ARM 64-bit

Red Hat Enterprise Linux Server 8.x 64-bit

Red Hat Enterprise Linux Server 7.x 64-bit

Red Hat Enterprise Linux Server 6.x 32-bit/64-bit

SUSE Linux Enterprise Server 12 (all Service Packs) 64-bit

SUSE Linux Enterprise Server 15 (all Service Packs) 64-bit

SUSE Linux Enterprise Desktop 15 (all Service Packs) 64-bit

SUSE Linux Enterprise Desktop 15 (Service Pack 3) ARM 64-bit

openSUSE 15 64-bit

EulerOS 2.0 SP8 ARM

Pardus OS 19.1 64-bit

Astra Linux Special Edition RUSB.10015-01 (operational update 1.7) 64-bit

Astra Linux Special Edition RUSB.10015-01 (operational update 1.6) 64-bit

Astra Linux Common Edition (operational update 2.12) 64-bit

Astra Linux Special Edition RUSB.10152-02 (operational update 4.7) ARM 64-bit

ALT Server 10 64-bit

ALT Server 9.2 64-bit

ALT Workstation 10 32-bit/64-bit

ALT Workstation 9.2 32-bit/64-bit

ALT 8 SP Server (LKNV.11100-01) 64-bit

ALT 8 SP Server (LKNV.11100-02) 64-bit

ALT 8 SP Server (LKNV.11100-03) 64-bit

ALT 8 SP Workstation (LKNV.11100-01) 32-bit/64-bit

ALT 8 SP Workstation (LKNV.11100-02) 32-bit/64-bit

ALT 8 SP Workstation (LKNV.11100-03) 32-bit/64-bit

Mageia 4 32-bit

Oracle Linux 7 64-bit

Oracle Linux 8 64-bit

Linux Mint 19.x 32-bit

Linux Mint 20.x 64-bit

AlterOS 7.5 and later 64-bit

GosLinux IC6 64-bit

RED OS 7.3 64-bit

RED OS 7.3 Server 64-bit

RED OS 7.3 Certified Edition 64-bit

ROSA Enterprise Linux Server 7.3 64-bit

ROSA Enterprise Linux Desktop 7.3 64-bit

ROSA COBALT Workstation 7.3 64-bit

ROSA COBALT Server 7.3 64-bit

Lotos (Linux kernel 4.19.50, MATE desktop) 64-bit

macOS Sierra (10.12)

macOS High Sierra (10.13)

macOS Mojave (10.14)

macOS Catalina (10.15)

macOS Big Sur (11.x)

macOS Monterey (12.x)

Network Agent for macOS supports both Intel and Apple silicon (M1) processors.

The following virtualization platforms are supported:

VMware vSphere 6.7

VMware vSphere 7.0

VMware Workstation 16 Pro

Microsoft Hyper-V Server 2012 64-bit

Microsoft Hyper-V Server 2012 R2 64-bit

Microsoft Hyper-V Server 2016 64-bit

Microsoft Hyper-V Server 2019 64-bit

Microsoft Hyper-V Server 2022 64-bit

Citrix XenServer 7.1 LTSR

Citrix XenServer 8.x

Kernel-based Virtual Machine (KVM), for the following operating systems:

ALT 8 SP Server (LKNV.11100-01) 64-bit

ALT Server 10 64-bit

Astra Linux Special Edition RUSB.10015-01 (operational update 1.7) 64-bit

Debian GNU/Linux 11.x (Bullseye) 32-bit/64-bit

Ubuntu Server 20.04 LTS (Focal Fossa) 64-bit

RED OS 7.3 64-bit

RED OS 7.3 Server 64-bit

RED OS 7.3 Certified Edition 64-bit

On devices running Windows 10 RS4 or RS5, Kaspersky Security Center might be unable to detect some
vulnerabilities in folders where per-directory case sensitivity is enabled.

In Microsoft Windows XP, Network Agent might not perform some operations correctly.

We recommend installing the same version of Network Agent for Linux as the version of Kaspersky Security
Center.

Network Agent for macOS is provided together with the Kaspersky security application for that operating system.

Unsupported operating systems and platforms

Administration Server

Administration Server is not compatible with the following operating systems:

Microsoft Windows Embedded POSReady 2009 with latest Service Pack 32-bit

Microsoft Windows Embedded POSReady 7 32-bit/64-bit

Microsoft Windows Embedded Standard 7 with Service Pack 1 32-bit/64-bit

Microsoft Windows Embedded 8 Standard 32-bit/64-bit

Microsoft Windows Embedded 8 Industry Pro 32-bit/64-bit

Microsoft Windows Embedded 8 Industry Enterprise 32-bit/64-bit

Microsoft Windows Embedded 8.1 Industry Pro 32-bit/64-bit

Microsoft Windows Embedded 8.1 Industry Enterprise 32-bit/64-bit

Microsoft Windows Embedded 8.1 Industry Update 32-bit/64-bit

Microsoft Windows 10 IoT Enterprise 2015 LTSB 32-bit/ARM

Microsoft Windows 10 IoT Enterprise 2016 LTSB 32-bit/ARM

Microsoft Windows 10 IoT Enterprise version 1703 32-bit/64-bit

Microsoft Windows 10 IoT Enterprise version 1709 32-bit/64-bit

Microsoft Windows 10 IoT Enterprise version 1803 32-bit/64-bit

Microsoft Windows 10 IoT Enterprise version 1809 32-bit/64-bit

Microsoft Windows 10 20H2 IoT Enterprise 32-bit/64-bit

Microsoft Windows 10 21H2 IoT Enterprise 32-bit/64-bit

Microsoft Windows 10 IoT Enterprise 32-bit/64-bit

Microsoft Windows 10 IoT Enterprise version 1909 32-bit/64-bit

Microsoft Windows 10 IoT Enterprise LTSC 2021 32-bit/64-bit

Microsoft Windows 10 IoT Enterprise version 1607 32-bit/64-bit

Microsoft Windows 10 Home (Threshold 1, 1507) 32-bit/64-bit

Microsoft Windows 10 Pro (Threshold 1, 1507) 32-bit/64-bit

Microsoft Windows 10 Enterprise (Threshold 1, 1507) 32-bit/64-bit

Microsoft Windows 10 Education (Threshold 1, 1507) 32-bit/64-bit

Microsoft Windows 10 Mobile (Threshold 1, 1507) 32-bit

Microsoft Windows 10 Mobile Enterprise (Threshold 1, 1507) 32-bit

Microsoft Windows 10 Home Threshold 2 (November 2015 Update, 1511) 32-bit/64-bit

Microsoft Windows 10 Pro Threshold 2 (November 2015 Update, 1511) 32-bit/64-bit

Microsoft Windows 10 Enterprise Threshold 2 (November 2015 Update, 1511) 32-bit/64-bit

Microsoft Windows 10 Education Threshold 2 (November 2015 Update, 1511) 32-bit/64-bit

Microsoft Windows 10 Mobile Threshold 2 (November 2015 Update, 1511) 32-bit

Microsoft Windows 10 Mobile Enterprise Threshold 2 (November 2015 Update, 1511) 32-bit

Microsoft Windows 10 Home RS1 (Anniversary Update, 1607) 32-bit/64-bit

Microsoft Windows 10 Pro RS1 (Anniversary Update, 1607) 32-bit/64-bit

Microsoft Windows 10 Enterprise RS1 (Anniversary Update, 1607) 32-bit/64-bit

Microsoft Windows 10 Education RS1 (Anniversary Update, 1607) 32-bit/64-bit

Microsoft Windows 10 Mobile RS1 (Anniversary Update, 1607) 32-bit

Microsoft Windows 10 Mobile Enterprise RS1 (Anniversary Update, 1607) 32-bit

Microsoft Windows 10 Home RS2 (Creators Update, 1703) 32-bit/64-bit

Microsoft Windows 10 Pro RS2 (Creators Update, 1703) 32-bit/64-bit

Microsoft Windows 10 Enterprise RS2 (Creators Update, 1703) 32-bit/64-bit

Microsoft Windows 10 Education RS2 (Creators Update, 1703) 32-bit/64-bit

Microsoft Windows 10 Mobile RS2 (Creators Update, 1703) 32-bit

Microsoft Windows 10 Mobile Enterprise RS2 (Creators Update, 1703) 32-bit

Microsoft Windows 10 Home RS3 (Fall Creators Update, 1709) 32-bit/64-bit

Microsoft Windows 10 Pro RS3 (Fall Creators Update, 1709) 32-bit/64-bit

Microsoft Windows 10 Pro for Workstations RS3 (Fall Creators Update, 1709) 32-bit/64-bit

Microsoft Windows 10 Enterprise RS3 (Fall Creators Update, 1709) 32-bit/64-bit

Microsoft Windows 10 Education RS3 (Fall Creators Update, 1709) 32-bit/64-bit

Microsoft Windows 10 Mobile RS3 32-bit

Microsoft Windows 10 Mobile Enterprise RS3 32-bit

Microsoft Windows 10 Home RS4 (April 2018 Update, 17134) 32-bit/64-bit

Microsoft Windows 10 Pro RS4 (April 2018 Update, 17134) 32-bit/64-bit

Microsoft Windows 10 Pro for Workstations RS4 (April 2018 Update, 17134) 32-bit/64-bit

Microsoft Windows 10 Enterprise RS4 (April 2018 Update, 17134) 32-bit/64-bit

Microsoft Windows 10 Education RS4 (April 2018 Update, 17134) 32-bit/64-bit

Microsoft Windows 10 Mobile RS4 32-bit

Microsoft Windows 10 Mobile Enterprise RS4 32-bit

Microsoft Windows 10 Home RS5 (October 2018 Update, 1809) 32-bit/64-bit

Microsoft Windows 10 Mobile RS5 32-bit

Microsoft Windows 10 Mobile Enterprise RS5 32-bit

Microsoft Windows 10 Home 19H1 32-bit/64-bit

Microsoft Windows 10 Home 19H2 32-bit/64-bit

Microsoft Windows 11 22H2

Microsoft Windows 8 (Core) 32-bit/64-bit

Microsoft Windows 7 Professional 32-bit/64-bit

Microsoft Windows 7 Enterprise/Ultimate 32-bit/64-bit

Microsoft Windows 7 Home Basic/Premium 32-bit/64-bit

Microsoft Windows 7 Home Basic/Premium with Service Pack 1 and later 32-bit/64-bit

Microsoft Windows Vista Business with Service Pack 1 32-bit/64-bit

Microsoft Windows Vista Enterprise with Service Pack 1 32-bit/64-bit

Microsoft Windows Vista Ultimate with Service Pack 1 32-bit/64-bit

Microsoft Windows Vista Business with Service Pack 2 and later 32-bit/64-bit

Microsoft Windows Vista Enterprise with Service Pack 2 and later 32-bit/64-bit

Microsoft Windows Vista Ultimate with Service Pack 2 and later 32-bit/64-bit

Microsoft Windows XP Professional with Service Pack 3 and later 32-bit

Microsoft Windows XP Professional with Service Pack 2 32-bit/64-bit

Microsoft Windows XP Home Service Pack 3 and later 32-bit

Microsoft Windows XP Professional for Embedded Systems Service Pack 3 32-bit

Windows Essential Business Server 2008 Standard 64-bit

Windows Essential Business Server 2008 Premium 64-bit

Windows Small Business Server 2003 Standard with Service Pack 1 32-bit

Windows Small Business Server 2003 Premium with Service Pack 1 32-bit

Windows Small Business Server 2008 Standard 64-bit

Windows Small Business Server 2008 Premium 64-bit

Windows Small Business Server 2011 Essentials 64-bit

Windows Small Business Server 2011 Premium Add-on 64-bit

Windows Small Business Server 2011 Standard 64-bit

Windows Home Server 2011 64-bit

Windows MultiPoint Server 2010 Standard 64-bit

Windows MultiPoint Server 2010 Premium 64-bit

Windows MultiPoint Server 2011 Standard 64-bit

Windows MultiPoint Server 2011 Premium 64-bit

Windows MultiPoint Server 2012 Standard 64-bit

Windows MultiPoint Server 2012 Premium 64-bit

Microsoft Windows 2000 Server 32-bit

Windows Server 2003 Enterprise with Service Pack 2 32-bit/64-bit

Windows Server 2003 Standard with Service Pack 2 32-bit/64-bit

Windows Server 2003 R2 Enterprise with Service Pack 2 32-bit/64-bit

Windows Server 2003 R2 Standard with Service Pack 2 32-bit/64-bit

Windows Server 2008 Datacenter Service Pack 1 32-bit/64-bit

Windows Server 2008 Enterprise Service Pack 1 32-bit/64-bit

Windows Server 2008 Foundation with Service Pack 2 32-bit/64-bit

Windows Server 2008 Service Pack 1 Server Core 32-bit/64-bit

Windows Server 2008 Standard Service Pack 1 32-bit/64-bit

Windows Server 2008 Standard 32-bit/64-bit

Windows Server 2008 Enterprise 32-bit/64-bit

Windows Server 2008 Datacenter 32-bit/64-bit

Windows Server 2008 R2 Standard with Service Pack 1 and later 64-bit

Windows Server 2008 R2 with Service Pack 1 (all editions) 64-bit

Windows Server 2008 Service Pack 2 (all editions) 32-bit/64-bit

Windows Server 2008 R2 Server Core 64-bit

Windows Server 2008 R2 Datacenter 64-bit

Windows Server 2008 R2 Datacenter Service Pack 1 and later 64-bit

Windows Server 2008 R2 Enterprise 64-bit

Windows Server 2008 R2 Enterprise Service Pack 1 and later 64-bit

Windows Server 2008 R2 Foundation 64-bit

Windows Server 2008 R2 Foundation with Service Pack 1 and later 64-bit

Windows Server 2008 R2 Core Mode Service Pack 1 and later 64-bit

Windows Server 2008 R2 Standard 64-bit

Windows Server 2016 Nano (Installation option) (CBB) 64-bit

Windows Server 2016 Server Datacenter RS3 (1709) (LTSB/CBB) 64-bit

Windows Server 2016 Server Standard RS3 (1709) (LTSB/CBB) 64-bit

Windows Server 2016 Server Core RS3 (1709) (Installation Option) (LTSB/CBB) 64-bit

Windows Server 2016 Nano RS3 (1709) (Installation Option) (CBB) 64-bit

Windows Storage Server 2008 32-bit/64-bit

Windows Storage Server 2008 Service Pack 2 64-bit

Windows Storage Server 2008 R2 64-bit

Database server:

PostgreSQL 13 64-bit

PostgreSQL 14 64-bit

Postgres Pro 13 64-bit

Postgres Pro 14 64-bit

PostgreSQL 15 64-bit

PostgreSQL Pangolin 64-bit

Microsoft SQL Server 2005 Express 32-bit

Microsoft SQL Server 2005 (all editions) 32-bit/64-bit

Microsoft SQL Server 2008 Express 32-bit

Microsoft SQL Server 2008 (all editions) 32-bit/64-bit

Microsoft SQL Server 2008 R2 (all editions) 64-bit

Microsoft SQL Server 2008 R2 Service Pack 2 (all editions) 64-bit

Microsoft SQL Server 2012 (all editions except Express) 64-bit

MySQL 5.0 32-bit/64-bit

MySQL Enterprise 5.0 32-bit/64-bit

MySQL Standard Edition 5.5 32-bit/64-bit

MySQL Enterprise Edition 5.5 32-bit/64-bit

MySQL Standard Edition 5.6 32-bit/64-bit

MySQL Enterprise Edition 5.6 32-bit/64-bit

MySQL Standard Edition 5.7 32-bit/64-bit

MySQL Enterprise Edition 5.7 32-bit/64-bit

MySQL 5.6 Community 32-bit/64-bit

MariaDB 10.1 (build 10.1.30 and later) 32-bit/64-bit

MariaDB 10.4 (build 10.4.26 and later) 32-bit/64-bit

MariaDB 10.5 (build 10.5.17 and later) 32-bit/64-bit

MariaDB Server 10.3 32-bit/64-bit with InnoDB storage engine

MariaDB Galera Cluster 10.3 32-bit/64-bit with InnoDB storage engine

MariaDB Galera Cluster 10.4 32-bit/64-bit

The following virtualization platforms are not supported:

VMware vSphere 4.1

VMware vSphere 5.0

VMware vSphere 5.1

VMware vSphere 5.5

VMware vSphere 6

VMware vSphere 6.5

VMware Workstation 9.x

VMware Workstation 10.x

VMware Workstation 11.x

VMware Workstation 12.x Pro

VMware Workstation Pro 14

VMware Workstation Pro 15

Microsoft Hyper-V Server 2008 64-bit

Microsoft Hyper-V Server 2008 R2 64-bit

Microsoft Hyper-V Server 2008 R2 Service Pack 1 and later 64-bit

Microsoft Virtual PC 2007 (6.0.156.0) 32-bit/64-bit

Citrix XenServer 5.6

Citrix XenServer 6.0

Citrix XenServer 6.1

Citrix XenServer 6.2

Citrix XenServer 6.5

Citrix XenServer 7

Parallels Desktop 7

Parallels Desktop 11

Parallels Desktop 14

Parallels Desktop 16

Oracle VM VirtualBox 4.0.4-70112

Oracle VM VirtualBox 5.x

Kaspersky Security Center Web Console

Kaspersky Security Center Web Console Server

Kaspersky Security Center Web Console Server is not compatible with the following operating systems:

Microsoft Windows:

Microsoft Windows Embedded POSReady 2009 with latest Service Pack 32-bit

Microsoft Windows Embedded POSReady 7 32-bit/64-bit

Microsoft Windows Embedded Standard 7 with Service Pack 1 32-bit/64-bit

Microsoft Windows Embedded 8 Standard 32-bit/64-bit

Microsoft Windows Embedded 8 Industry Pro 32-bit/64-bit

Microsoft Windows Embedded 8 Industry Enterprise 32-bit/64-bit

Microsoft Windows Embedded 8.1 Industry Pro 32-bit/64-bit

Microsoft Windows Embedded 8.1 Industry Enterprise 32-bit/64-bit

Microsoft Windows Embedded 8.1 Industry Update 32-bit/64-bit

Microsoft Windows 10 IoT Enterprise 2015 LTSB 32-bit/ARM

Microsoft Windows 10 IoT Enterprise 2016 LTSB 32-bit/ARM

Microsoft Windows 10 IoT Enterprise version 1703 32-bit/64-bit

Microsoft Windows 10 IoT Enterprise version 1709 32-bit/64-bit

Microsoft Windows 10 IoT Enterprise version 1803 32-bit/64-bit

Microsoft Windows 10 IoT Enterprise version 1809 32-bit/64-bit

Microsoft Windows 10 20H2 IoT Enterprise 32-bit/64-bit

Microsoft Windows 10 21H2 IoT Enterprise 32-bit/64-bit

Microsoft Windows 10 IoT Enterprise 32-bit/64-bit

Microsoft Windows 10 IoT Enterprise version 1909 32-bit/64-bit

Microsoft Windows 10 IoT Enterprise LTSC 2021 32-bit/64-bit

Microsoft Windows 10 IoT Enterprise version 1607 32-bit/64-bit

Microsoft Windows 10 Home (Threshold 1, 1507) 32-bit/64-bit

Microsoft Windows 10 Pro (Threshold 1, 1507) 32-bit/64-bit

Microsoft Windows 10 Enterprise (Threshold 1, 1507) 32-bit/64-bit

Microsoft Windows 10 Education (Threshold 1, 1507) 32-bit/64-bit

Microsoft Windows 10 Mobile (Threshold 1, 1507) 32-bit

Microsoft Windows 10 Mobile Enterprise (Threshold 1, 1507) 32-bit

Microsoft Windows 10 Home Threshold 2 (November 2015 Update, 1511) 32-bit/64-bit

Microsoft Windows 10 Pro Threshold 2 (November 2015 Update, 1511) 32-bit/64-bit

Microsoft Windows 10 Enterprise Threshold 2 (November 2015 Update, 1511) 32-bit/64-bit

Microsoft Windows 10 Education Threshold 2 (November 2015 Update, 1511) 32-bit/64-bit

Microsoft Windows 10 Mobile Threshold 2 (November 2015 Update, 1511) 32-bit

Microsoft Windows 10 Mobile Enterprise Threshold 2 (November 2015 Update, 1511) 32-bit

Microsoft Windows 10 Home RS1 (Anniversary Update, 1607) 32-bit/64-bit

Microsoft Windows 10 Pro RS1 (Anniversary Update, 1607) 32-bit/64-bit

Microsoft Windows 10 Enterprise RS1 (Anniversary Update, 1607) 32-bit/64-bit

Microsoft Windows 10 Education RS1 (Anniversary Update, 1607) 32-bit/64-bit

Microsoft Windows 10 Mobile RS1 (Anniversary Update, 1607) 32-bit

Microsoft Windows 10 Mobile Enterprise RS1 (Anniversary Update, 1607) 32-bit

Microsoft Windows 10 Home RS2 (Creators Update, 1703) 32-bit/64-bit

Microsoft Windows 10 Pro RS2 (Creators Update, 1703) 32-bit/64-bit

Microsoft Windows 10 Enterprise RS2 (Creators Update, 1703) 32-bit/64-bit

Microsoft Windows 10 Education RS2 (Creators Update, 1703) 32-bit/64-bit

Microsoft Windows 10 Mobile RS2 (Creators Update, 1703) 32-bit

Microsoft Windows 10 Mobile Enterprise RS2 (Creators Update, 1703) 32-bit

Microsoft Windows 10 Home RS3 (Fall Creators Update, 1709) 32-bit/64-bit

Microsoft Windows 10 Pro RS3 (Fall Creators Update, 1709) 32-bit/64-bit

Microsoft Windows 10 Pro for Workstations RS3 (Fall Creators Update, 1709) 32-bit/64-bit

Microsoft Windows 10 Enterprise RS3 (Fall Creators Update, 1709) 32-bit/64-bit

Microsoft Windows 10 Education RS3 (Fall Creators Update, 1709) 32-bit/64-bit

Microsoft Windows 10 Mobile RS3 32-bit

Microsoft Windows 10 Mobile Enterprise RS3 32-bit

Microsoft Windows 10 Home RS4 (April 2018 Update, 17134) 32-bit/64-bit

Microsoft Windows 10 Pro RS4 (April 2018 Update, 17134) 32-bit/64-bit

Microsoft Windows 10 Pro for Workstations RS4 (April 2018 Update, 17134) 32-bit/64-bit

Microsoft Windows 10 Enterprise RS4 (April 2018 Update, 17134) 32-bit/64-bit

Microsoft Windows 10 Education RS4 (April 2018 Update, 17134) 32-bit/64-bit

Microsoft Windows 10 Mobile RS4 32-bit

Microsoft Windows 10 Mobile Enterprise RS4 32-bit

Microsoft Windows 10 Home RS5 (October 2018 Update, 1809) 32-bit/64-bit

Microsoft Windows 10 Mobile RS5 32-bit

Microsoft Windows 10 Mobile Enterprise RS5 32-bit

Microsoft Windows 10 Home 19H1 32-bit/64-bit

Microsoft Windows 10 Home 19H2 32-bit/64-bit

Microsoft Windows 11 22H2

Microsoft Windows 8.1 Pro 32-bit/64-bit

Microsoft Windows 8.1 Enterprise 32-bit/64-bit

Microsoft Windows 8 (Core) 32-bit/64-bit

Microsoft Windows 8 Pro 32-bit/64-bit

Microsoft Windows 8 Enterprise 32-bit/64-bit

Microsoft Windows 7 Professional with Service Pack 1 and later 32-bit/64-bit

Microsoft Windows 7 Enterprise/Ultimate with Service Pack 1 and later 32-bit/64-bit

Microsoft Windows 7 Professional 32-bit/64-bit

Microsoft Windows 7 Enterprise/Ultimate 32-bit/64-bit

Microsoft Windows 7 Home Basic/Premium 32-bit/64-bit

Microsoft Windows 7 Home Basic/Premium with Service Pack 1 and later 32-bit/64-bit

Microsoft Windows Vista Business with Service Pack 1 32-bit/64-bit

Microsoft Windows Vista Enterprise with Service Pack 1 32-bit/64-bit

Microsoft Windows Vista Ultimate with Service Pack 1 32-bit/64-bit

Microsoft Windows Vista Business with Service Pack 2 and later 32-bit/64-bit

Microsoft Windows Vista Enterprise with Service Pack 2 and later 32-bit/64-bit

Microsoft Windows Vista Ultimate with Service Pack 2 and later 32-bit/64-bit

Microsoft Windows XP Professional with Service Pack 3 and later 32-bit

Microsoft Windows XP Professional with Service Pack 2 32-bit/64-bit

Microsoft Windows XP Home Service Pack 3 and later 32-bit

Microsoft Windows XP Professional for Embedded Systems Service Pack 3 32-bit

Windows Essential Business Server 2008 Standard 64-bit

Windows Essential Business Server 2008 Premium 64-bit

Windows Small Business Server 2003 Standard with Service Pack 1 32-bit

Windows Small Business Server 2003 Premium with Service Pack 1 32-bit

Windows Small Business Server 2008 Standard 64-bit

Windows Small Business Server 2008 Premium 64-bit

Windows Small Business Server 2011 Essentials 64-bit

Windows Small Business Server 2011 Premium Add-on 64-bit

Windows Small Business Server 2011 Standard 64-bit

Windows Home Server 2011 64-bit

Windows MultiPoint Server 2010 Standard 64-bit

Windows MultiPoint Server 2010 Premium 64-bit

Windows MultiPoint Server 2011 Standard 64-bit

Windows MultiPoint Server 2011 Premium 64-bit

Windows MultiPoint Server 2012 Standard 64-bit

Windows MultiPoint Server 2012 Premium 64-bit

Microsoft Windows 2000 Server 32-bit

Windows Server 2003 Enterprise with Service Pack 2 32-bit/64-bit

Windows Server 2003 Standard with Service Pack 2 32-bit/64-bit

Windows Server 2003 R2 Enterprise with Service Pack 2 32-bit/64-bit

Windows Server 2003 R2 Standard with Service Pack 2 32-bit/64-bit

Windows Server 2008 Datacenter Service Pack 1 32-bit/64-bit

Windows Server 2008 Enterprise Service Pack 1 32-bit/64-bit

Windows Server 2008 Foundation with Service Pack 2 32-bit/64-bit

Windows Server 2008 Service Pack 1 Server Core 32-bit/64-bit

Windows Server 2008 Standard Service Pack 1 32-bit/64-bit

Windows Server 2008 Standard 32-bit/64-bit

Windows Server 2008 Enterprise 32-bit/64-bit

Windows Server 2008 Datacenter 32-bit/64-bit

Windows Server 2008 Service Pack 2 (all editions) 32-bit/64-bit

Windows Server 2008 R2 Server Core 64-bit

Windows Server 2008 R2 Datacenter 64-bit

Windows Server 2008 R2 Datacenter Service Pack 1 and later 64-bit

Windows Server 2008 R2 Enterprise 64-bit

Windows Server 2008 R2 Enterprise Service Pack 1 and later 64-bit

Windows Server 2008 R2 Foundation 64-bit

Windows Server 2008 R2 Foundation with Service Pack 1 and later 64-bit

Windows Server 2008 R2 Core Mode Service Pack 1 and later 64-bit

Windows Server 2008 R2 Standard 64-bit

Windows Server 2008 R2 Standard Service Pack 1 and later 64-bit

Windows Server 2008 R2 Service Pack 1 (all editions) 64-bit

Windows Server 2016 Nano (Installation option) (CBB) 64-bit

Windows Server 2016 Server Datacenter RS3 (1709) (LTSB/CBB) 64-bit

Windows Server 2016 Server Standard RS3 (1709) (LTSB/CBB) 64-bit

Windows Server 2016 Server Core RS3 (1709) (Installation Option) (LTSB/CBB) 64-bit

Windows Server 2016 Nano RS3 (1709) (Installation Option) (CBB) 64-bit

Windows Storage Server 2008 32-bit/64-bit

Windows Storage Server 2008 Service Pack 2 64-bit

Windows Storage Server 2008 R2 64-bit

Linux:

Debian GNU/Linux 7.x (up to 7.8) 32-bit/64-bit

Debian GNU/Linux 8.x (Jessie) 32-bit/64-bit

Ubuntu Server 14.04 LTS (Trusty Tahr) 32-bit/64-bit

Ubuntu Server 16.04 LTS (Xenial Xerus) 32-bit/64-bit

Ubuntu Server 20.04.04 LTS (Focal Fossa) ARM 64-bit

Ubuntu Server 22.04 LTS (Jammy Jellyfish) 64-bit

Ubuntu Desktop 14.04 LTS (Trusty Tahr) 32-bit/64-bit

Ubuntu Desktop 16.04 LTS (Xenial Xerus) 32-bit/64-bit

Ubuntu Desktop 18.04 LTS (Bionic Beaver) 32-bit/64-bit

Ubuntu Desktop 20.04 LTS (Focal Fossa) 32-bit/64-bit

CentOS 6.x (up to 6.6) 64-bit

CentOS 7.x ARM 64-bit

CentOS 8.x 64-bit

Red Hat Enterprise Linux Server 6.x 32-bit/64-bit

Red Hat Enterprise Linux Server 9.x 64-bit

SUSE Linux Enterprise Desktop 12 (all Service Packs) 64-bit

SUSE Linux Enterprise Desktop 15 (all Service Packs) 64-bit

SUSE Linux Enterprise Desktop 15 (Service Pack 3) ARM 64-bit

openSUSE 15 64-bit

EulerOS 2.0 SP8 ARM

Pardus OS 19.1 64-bit

Astra Linux Special Edition RUSB.10152-02 (operational update 4.7) ARM 64-bit

ALT Workstation 10 32-bit/64-bit

ALT 8 SP Server (LKNV.11100-02) 64-bit

ALT 8 SP Server (LKNV.11100-03) 64-bit

ALT 8 SP Workstation (LKNV.11100-01) 32-bit/64-bit

ALT 8 SP Workstation (LKNV.11100-02) 32-bit/64-bit

ALT 8 SP Workstation (LKNV.11100-03) 32-bit/64-bit

ALT Workstation 9.2 32-bit/64-bit

Mageia 4 32-bit

Oracle Linux 9 64-bit

Linux Mint 19.x 32-bit

Linux Mint 20.x 64-bit

AlterOS 7.5 and later 64-bit

RED OS 7.3 64-bit

GosLinux IC6 64-bit

ROSA Enterprise Linux Server 7.3 64-bit

ROSA Enterprise Linux Desktop 7.3 64-bit

ROSA COBALT Workstation 7.3 64-bit

ROSA COBALT Server 7.3 64-bit

ROSA COBALT 7.9 64-bit

ROSA CHROME 12 64-bit

Lotos (Linux core version 4.19.50, DE: MATE) 64-bit

Administration Console

Administration Console is not compatible with the following operating systems:

Microsoft Windows Embedded POSReady 2009 with latest Service Pack 32-bit

Microsoft Windows Embedded POSReady 7 32-bit/64-bit

Microsoft Windows Embedded Standard 7 with Service Pack 1 32-bit/64-bit

Microsoft Windows Embedded 8 Standard 32-bit/64-bit

Microsoft Windows Embedded 8 Industry Pro 32-bit/64-bit

Microsoft Windows Embedded 8 Industry Enterprise 32-bit/64-bit

Microsoft Windows Embedded 8.1 Industry Pro 32-bit/64-bit

Microsoft Windows Embedded 8.1 Industry Enterprise 32-bit/64-bit

Microsoft Windows Embedded 8.1 Industry Update 32-bit/64-bit

Microsoft Windows 10 IoT Enterprise 2015 LTSB 32-bit/ARM

Microsoft Windows 10 IoT Enterprise 2016 LTSB 32-bit/ARM

Microsoft Windows 10 IoT Enterprise version 1703 32-bit/64-bit

Microsoft Windows 10 IoT Enterprise version 1709 32-bit/64-bit

Microsoft Windows 10 IoT Enterprise version 1803 32-bit/64-bit

Microsoft Windows 10 IoT Enterprise version 1809 32-bit/64-bit

Microsoft Windows 10 20H2 IoT Enterprise 32-bit/64-bit

Microsoft Windows 10 21H2 IoT Enterprise 32-bit/64-bit

Microsoft Windows 10 IoT Enterprise 32-bit/64-bit

Microsoft Windows 10 IoT Enterprise version 1909 32-bit/64-bit

Microsoft Windows 10 IoT Enterprise LTSC 2021 32-bit/64-bit

Microsoft Windows 10 IoT Enterprise version 1607 32-bit/64-bit

Microsoft Windows 10 Home (Threshold 1, 1507) 32-bit/64-bit

Microsoft Windows 10 Pro (Threshold 1, 1507) 32-bit/64-bit

Microsoft Windows 10 Enterprise (Threshold 1, 1507) 32-bit/64-bit


Microsoft Windows 10 Education (Threshold 1, 1507) 32-bit/64-bit

Microsoft Windows 10 Mobile (Threshold 1, 1507) 32-bit

Microsoft Windows 10 Mobile Enterprise (Threshold 1, 1507) 32-bit

Microsoft Windows 10 Home Threshold 2 (November 2015 Update, 1511) 32-bit/64-bit

Microsoft Windows 10 Pro Threshold 2 (November 2015 Update, 1511) 32-bit/64-bit

Microsoft Windows 10 Enterprise Threshold 2 (November 2015 Update, 1511) 32-bit/64-bit

Microsoft Windows 10 Education Threshold 2 (November 2015 Update, 1511) 32-bit/64-bit

Microsoft Windows 10 Mobile Threshold 2 (November 2015 Update, 1511) 32-bit

Microsoft Windows 10 Mobile Enterprise Threshold 2 (November 2015 Update, 1511) 32-bit

Microsoft Windows 10 Home RS1 (Anniversary Update, 1607) 32-bit/64-bit

Microsoft Windows 10 Pro RS1 (Anniversary Update, 1607) 32-bit/64-bit

Microsoft Windows 10 Enterprise RS1 (Anniversary Update, 1607) 32-bit/64-bit

Microsoft Windows 10 Education RS1 (Anniversary Update, 1607) 32-bit/64-bit

Microsoft Windows 10 Mobile RS1 (Anniversary Update, 1607) 32-bit

Microsoft Windows 10 Mobile Enterprise RS1 (Anniversary Update, 1607) 32-bit

Microsoft Windows 10 Home RS2 (Creators Update, 1703) 32-bit/64-bit

Microsoft Windows 10 Pro RS2 (Creators Update, 1703) 32-bit/64-bit

Microsoft Windows 10 Enterprise RS2 (Creators Update, 1703) 32-bit/64-bit

Microsoft Windows 10 Education RS2 (Creators Update, 1703) 32-bit/64-bit

Microsoft Windows 10 Mobile RS2 (Creators Update, 1703) 32-bit

Microsoft Windows 10 Mobile Enterprise RS2 (Creators Update, 1703) 32-bit

Microsoft Windows 10 Home RS3 (Fall Creators Update, 1709) 32-bit/64-bit

Microsoft Windows 10 Pro RS3 (Fall Creators Update, 1709) 32-bit/64-bit

Microsoft Windows 10 Pro for Workstations RS3 (Fall Creators Update, 1709) 32-bit/64-bit

Microsoft Windows 10 Enterprise RS3 (Fall Creators Update, 1709) 32-bit/64-bit

Microsoft Windows 10 Education RS3 (Fall Creators Update, 1709) 32-bit/64-bit

Microsoft Windows 10 Mobile RS3 32-bit

Microsoft Windows 10 Mobile Enterprise RS3 32-bit

Microsoft Windows 10 Home RS4 (April 2018 Update, 17134) 32-bit/64-bit

Microsoft Windows 10 Pro RS4 (April 2018 Update, 17134) 32-bit/64-bit

Microsoft Windows 10 Pro for Workstations RS4 (April 2018 Update, 17134) 32-bit/64-bit

Microsoft Windows 10 Enterprise RS4 (April 2018 Update, 17134) 32-bit/64-bit

Microsoft Windows 10 Education RS4 (April 2018 Update, 17134) 32-bit/64-bit

Microsoft Windows 10 Mobile RS4 32-bit

Microsoft Windows 10 Mobile Enterprise RS4 32-bit

Microsoft Windows 10 Home RS5 (October 2018 Update, 1809) 32-bit/64-bit

Microsoft Windows 10 Mobile RS5 32-bit

Microsoft Windows 10 Mobile Enterprise RS5 32-bit

Microsoft Windows 10 Home 19H1 32-bit/64-bit

Microsoft Windows 10 Home 19H2 32-bit/64-bit

Microsoft Windows 11 22H2

Microsoft Windows 8 (Core) 32-bit/64-bit

Microsoft Windows 7 Professional 32-bit/64-bit

Microsoft Windows 7 Enterprise/Ultimate 32-bit/64-bit

Microsoft Windows 7 Home Basic/Premium 32-bit/64-bit

Microsoft Windows 7 Home Basic/Premium with Service Pack 1 and later 32-bit/64-bit

Microsoft Windows Vista Business with Service Pack 1 32-bit/64-bit

Microsoft Windows Vista Enterprise with Service Pack 1 32-bit/64-bit

Microsoft Windows Vista Ultimate with Service Pack 1 32-bit/64-bit

Microsoft Windows Vista Business with Service Pack 2 and later 32-bit/64-bit

Microsoft Windows Vista Enterprise with Service Pack 2 and later 32-bit/64-bit

Microsoft Windows Vista Ultimate with Service Pack 2 and later 32-bit/64-bit

Microsoft Windows XP Professional with Service Pack 3 and later 32-bit

Microsoft Windows XP Professional with Service Pack 2 32-bit/64-bit

Microsoft Windows XP Home Service Pack 3 and later 32-bit

Microsoft Windows XP Professional for Embedded Systems Service Pack 3 32-bit

Windows Essential Business Server 2008 Standard 64-bit

Windows Essential Business Server 2008 Premium 64-bit

Windows Small Business Server 2003 Standard with Service Pack 1 32-bit

Windows Small Business Server 2003 Premium with Service Pack 1 32-bit

Windows Small Business Server 2008 Standard 64-bit

Windows Small Business Server 2008 Premium 64-bit

Windows Small Business Server 2011 Essentials 64-bit

Windows Small Business Server 2011 Premium Add-on 64-bit

Windows Small Business Server 2011 Standard 64-bit

Windows Home Server 2011 64-bit

Windows MultiPoint Server 2010 Standard 64-bit

Windows MultiPoint Server 2010 Premium 64-bit

Windows MultiPoint Server 2011 Standard 64-bit

Windows MultiPoint Server 2011 Premium 64-bit

Windows MultiPoint Server 2012 Standard 64-bit

Windows MultiPoint Server 2012 Premium 64-bit

Microsoft Windows 2000 Server 32-bit

Windows Server 2003 Enterprise with Service Pack 2 32-bit/64-bit

Windows Server 2003 Standard with Service Pack 2 32-bit/64-bit

Windows Server 2003 R2 Enterprise with Service Pack 2 32-bit/64-bit

Windows Server 2003 R2 Standard with Service Pack 2 32-bit/64-bit

Windows Server 2008 Datacenter Service Pack 1 32-bit/64-bit

Windows Server 2008 Enterprise Service Pack 1 32-bit/64-bit

Windows Server 2008 Foundation with Service Pack 2 32-bit/64-bit

Windows Server 2008 Service Pack 1 Server Core 32-bit/64-bit

Windows Server 2008 Standard Service Pack 1 32-bit/64-bit

Windows Server 2008 Standard 32-bit/64-bit

Windows Server 2008 Enterprise 32-bit/64-bit

Windows Server 2008 Datacenter 32-bit/64-bit

Windows Server 2008 Service Pack 2 (all editions) 32-bit/64-bit

Windows Server 2008 R2 Server Core 64-bit

Windows Server 2008 R2 Datacenter 64-bit

Windows Server 2008 R2 Datacenter Service Pack 1 and later 64-bit

Windows Server 2008 R2 Enterprise 64-bit

Windows Server 2008 R2 Enterprise Service Pack 1 and later 64-bit

Windows Server 2008 R2 Foundation 64-bit

Windows Server 2008 R2 Foundation with Service Pack 1 and later 64-bit

Windows Server 2008 R2 Core Mode Service Pack 1 and later 64-bit

Windows Server 2008 R2 Standard 64-bit

Windows Server 2012 Server Core 64-bit

Windows Server 2012 R2 Server Core 64-bit

Windows Server 2016 Server Core (Installation Option) (LTSB) 64-bit

Windows Server 2016 Nano (Installation Option) (CBB) 64-bit

Windows Server 2016 Server Datacenter RS3 (1709) (LTSB/CBB) 64-bit

Windows Server 2016 Server Standard RS3 (1709) (LTSB/CBB) 64-bit

Windows Server 2016 Server Core RS3 (1709) (Installation Option) (LTSB/CBB) 64-bit

Windows Server 2016 Nano RS3 (1709) (Installation Option) (CBB) 64-bit

Windows Server 2019 Core 64-bit

Windows Server 2022 Core 64-bit

Windows Storage Server 2008 32-bit/64-bit

Windows Storage Server 2008 Service Pack 2 64-bit

Windows Storage Server 2008 R2 64-bit

Network Agent

The following operating systems are not supported:

Microsoft Windows Embedded 8 Industry Pro 32-bit/64-bit

Microsoft Windows Embedded 8 Industry Enterprise 32-bit/64-bit


Microsoft Windows 10 Home (Threshold 1, 1507) 32-bit/64-bit

Microsoft Windows 10 Pro (Threshold 1, 1507) 32-bit/64-bit

Microsoft Windows 10 Enterprise (Threshold 1, 1507) 32-bit/64-bit

Microsoft Windows 10 Education (Threshold 1, 1507) 32-bit/64-bit

Microsoft Windows 10 Mobile (Threshold 1, 1507) 32-bit

Microsoft Windows 10 Mobile Enterprise (Threshold 1, 1507) 32-bit

Microsoft Windows 10 Home Threshold 2 (November 2015 Update, 1511) 32-bit/64-bit

Microsoft Windows 10 Pro Threshold 2 (November 2015 Update, 1511) 32-bit/64-bit

Microsoft Windows 10 Enterprise Threshold 2 (November 2015 Update, 1511) 32-bit/64-bit

Microsoft Windows 10 Education Threshold 2 (November 2015 Update, 1511) 32-bit/64-bit

Microsoft Windows 10 Mobile Threshold 2 (November 2015 Update, 1511) 32-bit

Microsoft Windows 10 Mobile Enterprise Threshold 2 (November 2015 Update, 1511) 32-bit

Microsoft Windows 10 Home RS1 (Anniversary Update, 1607) 32-bit/64-bit

Microsoft Windows 10 Pro RS1 (Anniversary Update, 1607) 32-bit/64-bit

Microsoft Windows 10 Enterprise RS1 (Anniversary Update, 1607) 32-bit/64-bit

Microsoft Windows 10 Education RS1 (Anniversary Update, 1607) 32-bit/64-bit

Microsoft Windows 10 Mobile RS1 (Anniversary Update, 1607) 32-bit

Microsoft Windows 10 Mobile Enterprise RS1 (Anniversary Update, 1607) 32-bit

Microsoft Windows 10 Home RS2 (Creators Update, 1703) 32-bit/64-bit

Microsoft Windows 10 Pro RS2 (Creators Update, 1703) 32-bit/64-bit

Microsoft Windows 10 Enterprise RS2 (Creators Update, 1703) 32-bit/64-bit

Microsoft Windows 10 Education RS2 (Creators Update, 1703) 32-bit/64-bit

Microsoft Windows 10 Mobile RS2 (Creators Update, 1703) 32-bit

Microsoft Windows 10 Mobile Enterprise RS2 (Creators Update, 1703) 32-bit

Microsoft Windows 10 Mobile RS3 32-bit

Microsoft Windows 10 Mobile Enterprise RS3 32-bit

Microsoft Windows 10 Mobile RS4 32-bit

Microsoft Windows 10 Mobile Enterprise RS4 32-bit

Microsoft Windows 10 Mobile RS5 32-bit

Microsoft Windows 10 Mobile Enterprise RS5 32-bit

Microsoft Windows 11 22H2

Microsoft Windows 8 (Core) 32-bit/64-bit

Microsoft Windows 7 Professional 32-bit/64-bit

Microsoft Windows 7 Enterprise/Ultimate 32-bit/64-bit

Microsoft Windows 7 Home Basic/Premium 32-bit/64-bit

Microsoft Windows Vista Business with Service Pack 1 32-bit/64-bit

Microsoft Windows Vista Enterprise with Service Pack 1 32-bit/64-bit

Microsoft Windows Vista Ultimate with Service Pack 1 32-bit/64-bit

Microsoft Windows Vista Business with Service Pack 2 and later 32-bit/64-bit

Microsoft Windows Vista Enterprise with Service Pack 2 and later 32-bit/64-bit

Microsoft Windows Vista Ultimate with Service Pack 2 and later 32-bit/64-bit

Microsoft Windows XP Professional with Service Pack 2 32-bit/64-bit

Microsoft Windows XP Home Service Pack 3 and later 32-bit

Windows Essential Business Server 2008 Standard 64-bit

Windows Essential Business Server 2008 Premium 64-bit

Windows Small Business Server 2003 Standard with Service Pack 1 32-bit

Windows Small Business Server 2003 Premium with Service Pack 1 32-bit

Windows Small Business Server 2008 Standard 64-bit

Windows Small Business Server 2008 Premium 64-bit

Windows Home Server 2011 64-bit

Windows MultiPoint Server 2010 Standard 64-bit

Windows MultiPoint Server 2010 Premium 64-bit

Microsoft Windows 2000 Server 32-bit

Windows Server 2003 Enterprise with Service Pack 2 32-bit/64-bit

Windows Server 2003 Standard with Service Pack 2 32-bit/64-bit

Windows Server 2003 R2 Enterprise with Service Pack 2 32-bit/64-bit

Windows Server 2003 R2 Standard with Service Pack 2 32-bit/64-bit

Windows Server 2008 Datacenter Service Pack 1 32-bit/64-bit

Windows Server 2008 Enterprise Service Pack 1 32-bit/64-bit

Windows Server 2008 Service Pack 1 Server Core 32-bit/64-bit

Windows Server 2008 Standard Service Pack 1 32-bit/64-bit

Windows Server 2008 Standard 32-bit/64-bit

Windows Server 2008 Enterprise 32-bit/64-bit

Windows Server 2008 Datacenter 32-bit/64-bit

Windows Server 2008 R2 Server Core 64-bit

Windows Server 2008 R2 Datacenter 64-bit

Windows Server 2008 R2 Enterprise 64-bit

Windows Server 2008 R2 Foundation 64-bit

Windows Server 2008 R2 Standard 64-bit

Windows Server 2016 Nano (Installation Option) (CBB)

Windows Storage Server 2008 32-bit/64-bit

Windows Storage Server 2008 Service Pack 2 64-bit

Windows Storage Server 2008 R2 64-bit

Debian GNU/Linux 7.x (up to 7.8) 32-bit/64-bit

Debian GNU/Linux 8.x (Jessie) 32-bit/64-bit

Ubuntu Server 14.04 LTS (Trusty Tahr) 32-bit/64-bit

Ubuntu Server 16.04 LTS (Xenial Xerus) 32-bit/64-bit

Ubuntu Desktop 14.04 LTS (Trusty Tahr) 32-bit/64-bit

Ubuntu Desktop 16.04 LTS (Xenial Xerus) 32-bit/64-bit

CentOS 6.x (up to 6.6) 64-bit

SUSE Linux Enterprise Desktop 12 (all Service Packs) 64-bit

Astra Linux Special Edition 1.5

Oracle Linux 9 64-bit

ROSA COBALT 7.9 64-bit

ROSA CHROME 12 64-bit

OS X 10.10 (Yosemite)

OS X 10.11 (El Capitan)

The following virtualization platforms are not supported:

VMware vSphere 4.1

VMware vSphere 5.0

VMware vSphere 5.1

VMware vSphere 5.5

VMware vSphere 6

VMware vSphere 6.5

VMware Workstation 9.x

VMware Workstation 10.x

VMware Workstation 11.x

VMware Workstation 12.x Pro

VMware Workstation Pro 14

VMware Workstation Pro 15

Microsoft Hyper-V Server 2008 64-bit

Microsoft Hyper-V Server 2008 R2 64-bit

Microsoft Hyper-V Server 2008 R2 Service Pack 1 and later 64-bit

Citrix XenServer 6.0

Citrix XenServer 6.1

Citrix XenServer 6.2

Citrix XenServer 6.5

Citrix XenServer 7

List of supported Kaspersky applications and solutions

Kaspersky Security Center supports centralized deployment and management of all Kaspersky applications and
solutions that are currently supported. The table below shows which Kaspersky applications and solutions are
supported by the MMC-based Administration Console and by Kaspersky Security Center Web Console. To find out
which versions of the applications and solutions are supported, refer to the Product Support Lifecycle webpage.

List of Kaspersky applications and solutions supported by Kaspersky Security Center

Name of Kaspersky application or solution | Supported by MMC-based Administration Console | Supported by Kaspersky Security Center Web Console

For workstations

Kaspersky Endpoint Security for Windows

Kaspersky Endpoint Security for Linux

Kaspersky Endpoint Security for Linux Elbrus Edition

Kaspersky Endpoint Security for Linux ARM Edition

Kaspersky Endpoint Security for Mac

Kaspersky Endpoint Agent

Kaspersky Embedded Systems Security for Windows

For industrial solutions

Kaspersky Industrial CyberSecurity for Nodes

Kaspersky Industrial CyberSecurity for Linux Nodes

Kaspersky Industrial CyberSecurity for Networks (centralized deployment is not supported)

For mobile devices

Kaspersky Endpoint Security for Android

Kaspersky Security for iOS

For file servers

Kaspersky Security for Windows Server

Kaspersky Endpoint Security for Windows

Kaspersky Endpoint Security for Linux

For virtual environments

Kaspersky Security for Virtualization Light Agent

Kaspersky Security for Virtualization Agentless

For mail and collaboration servers

Kaspersky Security for Linux Mail Server

Kaspersky Secure Mail Gateway

Kaspersky Security for Microsoft Exchange Servers

For detection of targeted attacks

Kaspersky Sandbox Server

Kaspersky Endpoint Detection and Response Optimum

Kaspersky Managed Detection and Response

For KasperskyOS devices

Kaspersky IoT Secure Gateway

KasperskyOS Thin Client

Licenses and features of Kaspersky Security Center 14


Kaspersky Security Center requires a license for some of its features.

The table below shows which license covers what features of Kaspersky Security Center.

Licenses and Kaspersky Security Center features

Features of Kaspersky Security Center | Kaspersky Vulnerability and Patch Management | Kaspersky Endpoint Security for Business Select | Kaspersky Endpoint Security for Business Advanced | Kaspersky Total Security for Business | Kaspersky Hybrid Cloud Security Standard | Kaspersky Hybrid Cloud Security Enterprise | Kaspersky EDR Optimum

Vulnerability assessment

Patch management

Role-based access control

Installation of operating systems and applications

Mobile device management (that is, management of users' iOS and Android devices)

Cloud Environment Configuration Wizard for work in cloud environments such as AWS, Microsoft Azure, or Google Cloud

Exporting events to SIEM systems: Syslog

Exporting events to SIEM systems: QRadar by IBM and ArcSight by Micro Focus

About compatibility of Administration Server and Kaspersky Security Center Web Console

We recommend that you use the latest version of both Kaspersky Security Center Administration Server and
Kaspersky Security Center Web Console; otherwise, the functionality of Kaspersky Security Center may be
limited.

You can install and upgrade Kaspersky Security Center Administration Server and Kaspersky Security Center Web
Console independently. In this case you should ensure that the version of the installed Kaspersky Security Center
Web Console is compatible with the version of Administration Server to which you connect:

Kaspersky Security Center Web Console 14 supports Kaspersky Security Center Administration Server of the
following versions: 14, 13.2, and 13.1.

Kaspersky Security Center 14 Administration Server supports Kaspersky Security Center Web Console of the
following versions: 14, 13.2, and 13.1.

Comparison of Kaspersky Security Center: Windows-based vs. Linux-based


Kaspersky provides Kaspersky Security Center as an on-premises solution for two platforms—Windows and Linux.
In the Windows-based solution, you install Administration Server on a Windows device, and the Linux-based
solution has the Administration Server version that is designed to be installed on a Linux device. This Online Help
contains information about Kaspersky Security Center Windows. For detailed information about the Linux-based
solution, refer to the Kaspersky Security Center Linux Online Help.

The table below lets you compare the main features of Kaspersky Security Center as a Windows-based solution
and as a Linux-based solution.

Feature comparison of Kaspersky Security Center working as a Windows-based solution and Linux-based solution

Feature or property | Kaspersky Security Center 14 Windows-based solution | Kaspersky Security Center 14 Linux-based solution

Administration Server location | On-premises | On-premises

Database management system (DBMS) location | On-premises | On-premises

Operating system to install Administration Server on | Windows | Linux

Administration console type | On-premises and web-based | Web-based

Operating system to install the web-based administration console on | Windows or Linux | Windows or Linux

Hierarchy of Administration Servers

Administration group hierarchy

Network polling (by IP ranges only)

Maximum number of managed devices | 100,000 | 20,000

Protection of Windows, macOS, and Linux-managed devices (protection of Linux devices only)

Protection of mobile devices

Protection of virtual machines

Protection of public cloud infrastructure

Device-centric security management

User-centric security management

Application policies

Tasks for Kaspersky applications

Kaspersky Security Network

KSN Proxy

Kaspersky Private Security Network

Centralized deployment of license keys for Kaspersky applications

Support for virtual Administration Servers

Installing third-party software updates and fixing third-party software vulnerabilities (by using a remote installation task only)

Notifications about events that occurred on managed devices

Creating and managing user accounts

Monitoring the policies and tasks status

Deployment of the Kaspersky failover cluster

About Kaspersky Security Center Cloud Console


Using Kaspersky Security Center as an on-premises application means that you install Kaspersky Security Center,
including Administration Server, on a local device and manage the network security system through the Microsoft
Management Console-based Administration Console or Kaspersky Security Center Web Console.

However, you can use Kaspersky Security Center as a cloud service instead. In this case Kaspersky Security
Center is installed and maintained for you by Kaspersky experts in the cloud environment, and Kaspersky gives you
access to the Administration Server as a service. You manage the network security system through the cloud-
based Administration Console named Kaspersky Security Center Cloud Console. This console has an interface
similar to the interface of Kaspersky Security Center Web Console.

The interface and documentation of Kaspersky Security Center Cloud Console are available in the following
languages:

English

French

German

Italian

Japanese

Portuguese (Brazil)

Russian

Spanish

Spanish (LATAM)

More information about Kaspersky Security Center Cloud Console and its features is available in the Kaspersky
Security Center Cloud Console documentation and in the Kaspersky Endpoint Security for Business
documentation.

Architecture
This section provides a description of the components of Kaspersky Security Center and their interaction.

Kaspersky Security Center architecture

Kaspersky Security Center comprises the following main components:

Administration Console (also referred to as Console). Provides a user interface to the administration services
of Administration Server and Network Agent. Administration Console is implemented as a snap-in for Microsoft
Management Console (MMC). Administration Console allows remote connection to Administration Server over
the internet.

Kaspersky Security Center Web Console. Provides a web interface for creating and maintaining the protection
system of a client organization's network that is managed by Kaspersky Security Center.

Kaspersky Security Center Administration Server (also referred to as Server). Centralizes storage of
information about applications installed on the organization's network and about how to manage them.

Kaspersky update servers. HTTP(S) servers at Kaspersky from which Kaspersky applications download
database and application module updates.

KSN servers. Servers that contain a Kaspersky database with constantly updated information about the
reputation of files, web resources, and software. Kaspersky Security Network ensures faster responses by
Kaspersky applications to threats, improves the performance of some protection components, and reduces
the likelihood of false positives.

Client devices. Client company's devices protected by Kaspersky Security Center. Each device that has to be
protected must have one of the Kaspersky security applications installed.

Main installation scenario
Following this scenario, you can deploy Administration Server, as well as install Network Agent and security
applications on networked devices. You can use this scenario both to take a closer look at the application and to
install the application for ongoing use.

Installation of Kaspersky Security Center consists of the following steps:

1. Preparation work

2. Installation of Kaspersky Security Center and a Kaspersky security application on the Administration Server
device

3. Centralized deployment of Kaspersky security applications on client devices

Deployment of Kaspersky Security Center in cloud environments and deployment of Kaspersky Security Center
for service providers are described in other Help sections.

We recommend that you assign a minimum of one hour for Administration Server installation and a minimum of one
working day for completion of the scenario. We also recommend that you install a security application, such as
Kaspersky Security for Windows Server or Kaspersky Endpoint Security, on the computer that will act as
Kaspersky Security Center Administration Server.

Upon completion of the scenario, protection will be deployed in the organization's network in the following way:

The DBMS will be installed for the Administration Server.

Kaspersky Security Center Administration Server will be installed.

All required policies and tasks will be created; the default settings of policies and tasks will be specified.

Security applications (for example, Kaspersky Endpoint Security for Windows) and Network Agent will be
installed on managed devices.

Administration groups will be created (possibly combined into a hierarchy).

Mobile device protection will be deployed, if necessary.

Distribution points will be assigned, if necessary.

Kaspersky Security Center installation proceeds in stages:

Preparation work

1 Getting the necessary files

Make sure that you have a license key (activation code) for Kaspersky Security Center or license keys (activation
codes) for Kaspersky security applications.

Unpack the archive that you received from your vendor. This archive contains the license keys (KEY files),
activation codes, and the list of Kaspersky applications that can be activated by each license key.

If you first want to try out Kaspersky Security Center, you can get a free 30-day trial at the Kaspersky website.

For detailed information about the licensing of the Kaspersky security applications that are not included in
Kaspersky Security Center, you can refer to the documentation of those applications.

2 Selecting a structure for protection of an organization

Find out more about the Kaspersky Security Center components. Select the protection structure and the
network configuration which suit your organization best. Based on the network configuration and throughput of
communication channels, define the number of Administration Servers to use and how they must be distributed
among your offices (if you run a distributed network).

To obtain and maintain optimum performance under varying operational conditions, please take into account the
number of networked devices, network topology, and set of Kaspersky Security Center features that you require
(for more details, refer to the Kaspersky Security Center Sizing Guide).

Define whether a hierarchy of Administration Servers will be used in your organization. To do this, you must
evaluate whether it is possible and expedient to cover all client devices with a single Administration Server, or
whether it is necessary to build a hierarchy of Administration Servers. You may also have to build a hierarchy of
Administration Servers that mirrors the organizational structure of the organization whose network you want to protect.

If you have to ensure protection of mobile devices, perform all prerequisite actions required for configuration of
an Exchange Mobile Device Server and iOS MDM Server.

Make sure that the devices that you selected as Administration Servers, as well as those for Administration
Console installation, meet all the hardware and software requirements.

3 Preparation for the use of custom certificates

If your organization's Public Key Infrastructure (PKI) requires that you use custom certificates issued by a
specific certification authority (CA), prepare those certificates and make sure that they meet all the
requirements.

4 Preparation for Kaspersky Security Center licensing

If you plan to use a Kaspersky Security Center version with Mobile Device Management, Integration with SIEM
systems, and/or with Vulnerability and Patch Management support, make sure that you have a key file or
activation code for the application licensing.

5 Preparation for licensing of managed security applications

During protection deployment, you have to provide Kaspersky with the active license keys for the applications
that you intend to manage through Kaspersky Security Center (see the list of manageable security applications).
For detailed information about the licensing of any security application, you can refer to the documentation of
this application.

6 Selecting the hardware configuration of the Administration Server and DBMS

Plan the hardware configuration for the DBMS and the Administration Server, taking into account the number of
devices on your network.

7 Selecting a DBMS

When selecting a DBMS, take into account the number of managed devices to be covered by this Administration
Server. If your network includes fewer than 10 000 devices and you do not plan to increase this number, you can
choose a free-of-charge DBMS, such as SQL Express or MySQL, and install it on the same device as
Administration Server. Alternatively, you can choose the MariaDB DBMS, which allows you to manage up to 20 000
devices. If your network includes more than 10 000 devices (or if you plan to expand your network up to that
number of devices), we recommend that you choose a paid-for SQL DBMS and install it on a dedicated device. A
paid DBMS can work with multiple Administration Servers, but a DBMS that is free of charge can work with only
one.

If you select SQL Server DBMS, note that you can migrate the data stored in the database to MySQL, MariaDB,
or Azure SQL DBMS. To perform the migration, back up your data and restore it into the new DBMS.

8 Installing the DBMS and creating the database

Find out more about the accounts for working with the DBMS, and then install your DBMS. Write down and save the
DBMS settings, because you will need them during Administration Server installation. These settings include the
SQL Server name, the number of the port used for connecting to SQL Server, and the account name and password for
accessing SQL Server.

By default, the Kaspersky Security Center Installer creates the database for storing Administration Server
information, but you can opt out of creating this database and use a different, existing database instead. In
this case, make sure that the database has been created, that you know its name, and that the account under which
Administration Server will access this database has the db_owner role for it.

If necessary, contact your DBMS administrator for more information.

9 Configuring ports

Make sure that all the necessary ports are open for interaction between components in accordance with your
selected security structure.

If you have to provide Internet access to the Administration Server, configure the ports and specify the
connection settings, depending on the network configuration.

10 Checking accounts

Make sure that you have all local administrator rights required for successful installation of Kaspersky Security
Center Administration Server and further protection deployment on the devices. Local administrator rights on
client devices are required for Network Agent installation on these devices. After Network Agent is installed, you
can use it to install applications on devices remotely, without using an account with device administrator
rights.

By default, on the device selected for Administration Server installation, the Kaspersky Security Center Installer
creates three local accounts under which Administration Server and the Kaspersky Security Center services will
be run:

KL-AK-*: Administration Server service account

NT Service/KSC*: Account for other services from the Administration Server pool

KlPxeUser: Account for deployment of operating systems

You can opt out of creating accounts for the Administration Server service and the other services, and use your
existing accounts instead, such as domain accounts, if you plan to install Administration Server on a failover
cluster or want to use domain accounts rather than local accounts for any other reason. In this case, make sure
that the accounts intended for running Administration Server and the Kaspersky Security Center services have
been created, are non-privileged, and have all the permissions required for access to the DBMS. (If you plan to
later deploy operating systems on devices through Kaspersky Security Center, do not opt out of creating the
accounts.)

Installation of Kaspersky Security Center and a Kaspersky security application on the Administration Server device

1 Installing the Administration Server, Administration Console, Kaspersky Security Center Web Console, and
management plug-ins for security applications

Download Kaspersky Security Center from the Kaspersky website. You can download the full package, Web
Console only, or Administration Console only.

Install Administration Server on the device that you selected (or multiple devices, if you plan to use multiple
Administration Servers). You can select standard or custom installation of Administration Server. Administration
Console will be installed together with Administration Server. It is recommended to install the Administration
Server on a dedicated server instead of a domain controller.

Standard installation is recommended if you want to try out Kaspersky Security Center by, for example, testing
its operation on a small part of your network. During standard installation, you configure only the database.
You can also install only the default set of management plug-ins for Kaspersky applications. You can also use
standard installation if you already have some experience working with Kaspersky Security Center and are able
to specify all relevant settings after standard installation.

Custom installation is recommended if you plan to modify the Kaspersky Security Center settings, such as a
path to the shared folder, accounts and ports for connection to the Administration Server, and database
settings. Custom installation enables you to specify which Kaspersky management plug-ins to install. If
necessary, you can start custom installation in silent mode.

Administration Console and the server version of Network Agent are installed together with Administration
Server. You can also choose to install Kaspersky Security Center Web Console during the installation.

If you want, install Administration Console and/or Kaspersky Security Center Web Console on the
administrator's workstation separately to manage Administration Server over the network.

2 Initial setup and licensing

When Administration Server installation is complete, the Quick Start Wizard starts automatically at the first
connection to the Administration Server. Perform the initial configuration of Administration Server according to
your requirements. During the initial configuration stage, the Wizard uses the default settings to create the
policies and tasks that are required for protection deployment. However, the default settings may be less than
optimal for the needs of your organization. If necessary, you can edit the settings of policies and tasks (Scenario:
Configuring network protection, Configuring protection on a client organization's network).

If you plan to use the features that are outside the basic functionality, license the application. You can do this at
one of the steps of the Quick Start Wizard.

3 Checking Administration Server installation for success

When all the previous steps are complete, Administration Server is installed and ready for further use.

Make sure that Administration Console is running and you can connect to the Administration Server through
Administration Console. Also, make sure that the Download updates to the repository of the Administration
Server task is available in Administration Server (in the Tasks folder of the console tree), as well as the policy for
Kaspersky Endpoint Security (in the Policies folder of the console tree).

When the check is complete, proceed to the steps below.

Centralized deployment of Kaspersky security applications on client devices

1 Discovering networked devices

This step is part of the Quick Start Wizard. You can also start the device discovery manually. Kaspersky Security
Center receives the addresses and names of all devices detected in the network. You can then use Kaspersky
Security Center to install Kaspersky applications and software from other vendors on the detected devices.
Kaspersky Security Center regularly starts device discovery, which means that if any new instances appear in
the network, they will be detected automatically.

2 Installing Network Agent and security applications on networked devices

Deployment of protection (Scenario: Configuring network protection, Configuring protection on a client
organization's network) on an organization's network entails installation of Network Agent and security
applications (for example, Kaspersky Endpoint Security) on devices that have been detected by Administration
Server during device discovery.

Security applications protect devices against viruses and other programs posing a threat. Network Agent
ensures communication between the device and Administration Server. Network Agent settings are configured
automatically by default.

If you want, you can install Network Agent in silent mode with a response le or without a response le.

Before you start installing Network Agent and the security applications on networked devices, make sure that these
devices are accessible (that is, turned on). You can install Network Agent on virtual machines as well as on
physical devices.

Security applications and Network Agent can be installed remotely or locally.

Remote installation—Using the Protection Deployment Wizard, you can remotely install the security application
(for example, Kaspersky Endpoint Security for Windows) and Network Agent on devices that have been
detected by Administration Server in the organization's network. Normally, the Remote installation task
successfully deploys protection to most networked devices. However, it may return an error on some devices if,
for example, a device is turned off or cannot be accessed for any other reason. In this case, we recommend that
you connect to the device manually and use local installation.

Local installation—Used on network devices on which protection could not be deployed using the remote
installation task. To install protection on such devices, create a stand-alone installation package that you can run
locally on those devices.

Network Agent installation on devices running Linux and macOS operating systems is described in the
documentation for Kaspersky Endpoint Security for Linux and Kaspersky Endpoint Security for Mac,
respectively. Although devices running Linux and macOS operating systems are often considered less exposed than
devices running Windows, we recommend that you install security applications on such devices as well.

After installation, make sure that the security application is installed on managed devices. Run a Kaspersky
software version report and view its results.

3 Deploying license keys to client devices

Deploy license keys to client devices to activate managed security applications on those devices.

4 Configuring mobile device protection

This step is part of the Quick Start Wizard.

If you want to manage enterprise mobile devices, take the necessary preparation steps and deploy Mobile
Device Management.

5 Creating an administration group structure

In some cases, deploying protection on networked devices in the most convenient way may require you to divide
the entire pool of devices into administration groups that reflect the structure of the organization. You
can create moving rules to distribute devices among groups, or you can distribute devices manually. You can
assign group tasks to administration groups, define the scope of policies, and assign distribution points.

Make sure that all managed devices have been correctly assigned to the appropriate administration groups, and
that there are no longer any unassigned devices on the network.

6 Assigning distribution points

Kaspersky Security Center assigns distribution points to administration groups automatically, but you can assign
them manually if necessary. We recommend that you use distribution points on large-scale networks to reduce
the load on the Administration Server, and on networks with a distributed structure to give the
Administration Server access to devices (or device groups) that are reached over low-throughput channels. You
can use devices running Linux as distribution points, as well as devices running Windows.

Ports used by Kaspersky Security Center


The tables below show the default ports that must be open on Administration Servers and on client devices. If you
want, you can change the default port numbers.

The first table shows the default ports that must be open on Administration Server. However, if you install the
Administration Server and the database on different devices, you must also open the necessary ports on the
device where the database is located (for example, port 3306 for MySQL Server and MariaDB Server, or port 1433
for Microsoft SQL Server). Refer to the DBMS documentation for the relevant information.

Ports that must be open on Administration Server

Port 8060, TCP, opened by klcsweb
Port purpose: Transmitting published installation packages to client devices.
Scope: Publishing installation packages. You can change the default port number in the Web Server section of the
Administration Server properties window in the Administration Console or in Kaspersky Security Center Web Console.

Port 8061, TCP (TLS), opened by klcsweb
Port purpose: Transmitting published installation packages to client devices.
Scope: Publishing installation packages. You can change the default port number in the Web Server section of the
Administration Server properties window in the Administration Console or in Kaspersky Security Center Web Console.

Port 13000, TCP (TLS), opened by klserver
Port purpose: Receiving connections from Network Agents and secondary Administration Servers; also used on
secondary Administration Servers for receiving connections from the primary Administration Server (for example, if
the secondary Administration Server is in a DMZ).
Scope: Managing client devices and secondary Administration Servers. You can change the default port for
receiving connections from Network Agents when configuring connection ports; you can change the default port for
receiving connections from secondary Administration Servers when creating a hierarchy of Administration Servers in
the Administration Console or in Kaspersky Security Center Web Console.

Port 13000, UDP, opened by klserver
Port purpose: Receiving information from Network Agents about devices that were turned off.
Scope: Managing client devices. You can change the default port number in the Network Agent policy settings in
the Administration Console or in Kaspersky Security Center Web Console.

Port 13291, TCP (TLS), opened by klserver
Port purpose: Receiving connections from Administration Console to Administration Server.
Scope: Managing Administration Server. You can change the default port number in the Administration Server
properties window in the Administration Console.

Port 13299, TCP (TLS), opened by klserver
Port purpose: Receiving connections from Kaspersky Security Center Web Console to the Administration Server;
receiving connections to the Administration Server over OpenAPI.
Scope: Kaspersky Security Center Web Console, OpenAPI. You can change the default port number in the
Administration Server properties window (in the Connection ports subsection of the General section) in the
Administration Console, or when creating a hierarchy of Administration Servers in the Administration Console or in
Kaspersky Security Center Web Console.

Port 14000, TCP, opened by klserver
Port purpose: Receiving connections from Network Agents.
Scope: Managing client devices. You can change the default port number when configuring connection ports during
the installation of Kaspersky Security Center, or when manually connecting a client device to the Administration
Server.

Port 13111 (only if the KSN proxy service is run on the device), TCP, opened by ksnproxy
Port purpose: Receiving requests from managed devices to KSN proxy server.
Scope: KSN proxy server. You can change the default port number in the Administration Server properties window.

Port 15111 (only if the KSN proxy service is run on the device), UDP, opened by ksnproxy
Port purpose: Receiving requests from managed devices to KSN proxy server.
Scope: KSN proxy server. You can change the default port number in the Administration Server properties window.

Port 17000, TCP (TLS), opened by klactprx
Port purpose: Receiving connections for application activation from managed devices (except for mobile devices).
Scope: Activation proxy server used by non-mobile devices to activate Kaspersky applications with activation
codes. You can change the default port number in the Administration Server properties window.

Port 17100 (only if you manage mobile devices), TCP (TLS), opened by klactprx
Port purpose: Receiving connections for application activation from mobile devices.
Scope: Activation proxy server for mobile devices. You can change the default port number in the Administration
Server properties window.

Port 19170, HTTPS (TLS), opened by klserver
Port purpose: Tunneling connections to managed devices by using the klsctunnel utility.
Scope: Remotely connecting to managed devices by using Kaspersky Security Center Web Console. You can change the
default port number in the Administration Server properties window (in the Additional ports subsection of the
General section) in the Administration Console only.

Port 13292 (only if you manage mobile devices), TCP (TLS), opened by klserver
Port purpose: Receiving connections from mobile devices.
Scope: Mobile Device Management. You can change the default port number in the Administration Server properties
window in the Administration Console or in Kaspersky Security Center Web Console.

Port 13294 (only if you manage mobile devices), TCP (TLS), opened by klserver
Port purpose: Receiving connections from UEFI protection devices.
Scope: Managing UEFI protection client devices. You can change the default port number when connecting mobile
devices, or later in the Administration Server properties window (in the Additional ports subsection of the
General section) in the Administration Console or in Kaspersky Security Center Web Console.
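The following script is an added example, not part of Kaspersky Security Center or its documentation. It encodes the default Administration Server ports listed above that client-side components connect to, and probes them over TCP from a client device, so that a port blocked by a firewall shows up before a remote installation task fails on that device. The host name ksc.example.internal is a placeholder for your own Administration Server. UDP 13000 is listed but not probed, because a UDP port cannot be confirmed open without the real service answering, and a completed TCP handshake only proves reachability, not that the peer is your Administration Server; that is what the certificate confirmation in the console is for.

```python
"""Probe the default Administration Server ports from a client device.

Added example, not Kaspersky code. The port list reproduces the defaults from
the table above; HOST is a placeholder for your own Administration Server.
"""
import socket
from dataclasses import dataclass


@dataclass(frozen=True)
class PortCheck:
    port: int
    proto: str      # "tcp" or "udp"
    purpose: str


# Default Administration Server ports that client-side components connect to.
ADMIN_SERVER_PORTS = (
    PortCheck(13000, "tcp", "Network Agent and secondary Administration Server connections (TLS)"),
    PortCheck(13000, "udp", "Shutdown notifications from Network Agents"),
    PortCheck(13291, "tcp", "Administration Console connections (TLS)"),
    PortCheck(13299, "tcp", "Web Console and OpenAPI connections (TLS)"),
    PortCheck(14000, "tcp", "Network Agent connections"),
    PortCheck(17000, "tcp", "Activation proxy for non-mobile devices (TLS)"),
)

HOST = "ksc.example.internal"   # placeholder: replace with your Administration Server


def tcp_reachable(host: str, port: int, timeout: float = 2.0) -> bool:
    """True if a TCP handshake completes. This shows the port is open and not
    filtered; it does not prove the peer is the expected Administration Server."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:       # refused, timed out, unreachable, or name lookup failure
        return False


def probe(host: str, checks=ADMIN_SERVER_PORTS, timeout: float = 2.0) -> dict:
    """Map (port, proto) -> True/False for TCP ports, None for UDP ports, which
    have no handshake and cannot be confirmed without the real service replying."""
    results = {}
    for check in checks:
        if check.proto == "tcp":
            results[(check.port, check.proto)] = tcp_reachable(host, check.port, timeout)
        else:
            results[(check.port, check.proto)] = None
    return results


def blocked_ports(results: dict) -> list:
    """TCP ports that did not answer, sorted, ready for a firewall change request."""
    return sorted(port for (port, proto), ok in results.items() if proto == "tcp" and not ok)


if __name__ == "__main__":
    report = probe(HOST)
    for check in ADMIN_SERVER_PORTS:
        state = report[(check.port, check.proto)]
        label = {True: "open", False: "BLOCKED", None: "udp, not probed"}[state]
        print(f"{check.port:>5}/{check.proto}  {label:<16} {check.purpose}")
```

Run it on a device that fails remote installation; the ports it reports as BLOCKED are the ones to raise with the firewall owner, and a host that reports 13000 and 14000 closed but 13291 open usually points at a rule written for console traffic only.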

The table below shows the port that must be open on the iOS MDM Server (only if you manage mobile devices).

Port used by Kaspersky Security Center iOS MDM Server

Port 443, TCP (TLS), opened by kliosmdmservicesrv
Port purpose: Receiving connections from iOS mobile devices.
Scope: Mobile Device Management. You can change the default port number when installing iOS MDM Server.

The table below shows the port that must be open on Kaspersky Security Center Web Console Server. It can be
the same device where Administration Server is installed or a different device.

Port used by Kaspersky Security Center Web Console Server

Port 8080, TCP (TLS), opened by Node.js (server-side JavaScript)
Port purpose: Receiving connections from a browser to Kaspersky Security Center Web Console.
Scope: Kaspersky Security Center Web Console. You can change the default port number when installing Kaspersky
Security Center Web Console on a device running Windows or on a Linux platform. If you install Kaspersky Security
Center Web Console on the Linux ALT operating system, you must specify a port number other than 8080, because
port 8080 is used by the operating system.

The table below shows the ports that must be open on managed devices where Network Agent is installed.

Ports used by Network Agent

Port 15000, UDP, opened by klnagent
Port purpose: Management signals from Administration Server or a distribution point to Network Agents.
Scope: Managing client devices. You can change the default port number in the Network Agent policy settings in
the Administration Console or in Kaspersky Security Center Web Console.

Port 15000 (broadcast), UDP, opened by klnagent
Port purpose: Getting data about other Network Agents within the same broadcast domain (the data is then sent to
the Administration Server).
Scope: Delivering updates and installation packages.

Port 15001, UDP, opened by klnagent
Port purpose: Receiving multicast requests from a distribution point (if in use).
Scope: Receiving updates and installation packages from a distribution point. You can change the default port
number in the distribution point properties window in the Administration Console or in Kaspersky Security Center
Web Console.

Please note that the klnagent process can also request free ports from the dynamic port range of the endpoint
operating system. These ports are allocated to the klnagent process automatically by the operating system, so the
klnagent process can end up using ports that other software also relies on. If the klnagent process interferes
with that software, change the port settings in that software, or change the default dynamic port range in your
operating system so that it excludes the port used by the affected software.

Also take into account that recommendations on the compatibility of Kaspersky Security Center with third-party
software are described for reference only and may not be applicable to new versions of third-party software. The
described recommendations for con guring ports are based on the experiences of Technical Support and our
best practices.

The table below shows the ports that must be open on a managed device with Network Agent installed acting as a
distribution point. The listed ports must be open on the distribution point devices in addition to the ports used by
Network Agents (see table above).

Ports used by Network Agent functioning as distribution point

Port 13000, TCP (TLS), opened by klnagent
Port purpose: Receiving connections from Network Agents and from Kaspersky Security Center when the distribution
point acts as a connection gateway in a DMZ. If a device with Administration Server installed is specified as a
distribution point, port 13001 is used for the SSL connection by default instead of 13000.
Scope: Managing client devices, delivering updates and installation packages. See the following topic for details:
Administration Server, a connection gateway in a network segment, and a client device. You can change the default
port number in the distribution point properties window in the Administration Console or in Kaspersky Security
Center Web Console.

Port 13111 (only if the KSN proxy service is run on the device), TCP, opened by ksnproxy
Port purpose: Receiving requests from managed devices to KSN proxy server.
Scope: KSN proxy server. You can change the default port number in the distribution point properties window in
the Administration Console or in Kaspersky Security Center Web Console.

Port 15111 (only if the KSN proxy service is run on the device), UDP, opened by ksnproxy
Port purpose: Receiving requests from managed devices to KSN proxy server.
Scope: KSN proxy server. You can change the default port number in the distribution point properties window in
the Administration Console or in Kaspersky Security Center Web Console.

Port 13295 (only if you use the distribution point as a push server), TCP (TLS), opened by klnagent
Port purpose: Receiving connections from client devices.
Scope: Push server. You can change the default port number in the distribution point properties window in the
Administration Console or in Kaspersky Security Center Web Console.

Certificates for work with Kaspersky Security Center


This section contains information about Kaspersky Security Center certificates and describes how to issue a
custom certificate for Administration Server.

About Kaspersky Security Center certificates


Kaspersky Security Center uses the following types of certificates to enable secure interaction between the
application components:

Administration Server certificate

Mobile certificate

iOS MDM Server certificate

Kaspersky Security Center Web Server certificate

Kaspersky Security Center Web Console certificate

By default, Kaspersky Security Center uses self-signed certificates (that is, certificates issued by Kaspersky
Security Center itself), but you can replace them with custom certificates to better meet the requirements of your
organization's network and comply with security standards. After Administration Server verifies that a custom
certificate meets all applicable requirements, this certificate assumes the same functional scope as a self-signed
certificate. The only difference is that a custom certificate is not reissued automatically upon expiration, so
you must track its expiration date yourself. You replace certificates with custom ones by means of the
klsetsrvcert utility or through the Administration Server properties section in Administration Console, depending
on the certificate type. When you use the klsetsrvcert utility, you specify the certificate type by using one of
the following values:

C—Common certificate for ports 13000 and 13291.

CR—Common reserve certificate for ports 13000 and 13291.

M—Mobile certificate for port 13292.

MR—Mobile reserve certificate for port 13292.

MCA—Mobile certification authority for auto-generated user certificates.

You do not need to download the klsetsrvcert utility. It is included in the Kaspersky Security Center
distribution kit. The utility is not compatible with previous Kaspersky Security Center versions.

The maximum validity period for any of the Administration Server certificates must be 397 days or less.

Administration Server certificates

An Administration Server certificate is required for authentication of Administration Server, as well as for secure
interaction between Administration Server and Network Agent on managed devices. When you connect
Administration Console to Administration Server for the first time, you are prompted to confirm the use of the
current Administration Server certificate. Such confirmation is also required every time the Administration Server
certificate is replaced, after every reinstallation of Administration Server, and when connecting a secondary
Administration Server to the primary Administration Server. Before confirming, compare the certificate shown in
the prompt with the one stored on the Administration Server, because this confirmation is what establishes the
console's trust in that server. This certificate is called common ("C").

Also, a common reserve ("CR") certificate exists. Kaspersky Security Center automatically generates this
certificate 90 days before the expiration of the common certificate. The common reserve certificate is
subsequently used for seamless replacement of the Administration Server certificate. When the common
certificate is about to expire, the common reserve certificate is used to maintain the connection with Network
Agent instances installed on managed devices. For this purpose, the common reserve certificate automatically
becomes the new common certificate 24 hours before the old common certificate expires.

You can also back up the Administration Server certificate separately from other Administration Server settings in
order to move Administration Server from one device to another without data loss.

Mobile certificates

A mobile certificate ("M") is required for authentication of the Administration Server on mobile devices. You
configure the use of the mobile certificate at the dedicated step of the Quick Start Wizard.

Also, a mobile reserve ("MR") certificate exists: it is used for seamless replacement of the mobile certificate. When
the mobile certificate is about to expire, the mobile reserve certificate is used to maintain the connection with
Network Agent instances installed on managed mobile devices. For this purpose, the mobile reserve certificate
automatically becomes the new mobile certificate 24 hours before the old mobile certificate expires.

Automatic reissuing of mobile certificates is not supported. We recommend that you specify a new mobile
certificate when the existing one is about to expire. If the mobile certificate expires and the mobile reserve
certificate is not specified, the connection between Administration Server and Network Agent instances
installed on managed mobile devices will be lost. In this case, to reconnect managed mobile devices, you must
specify a new mobile certificate and reinstall Kaspersky Security for Mobile on each managed mobile device.

If the connection scenario requires the use of a client certificate on mobile devices (a connection involving
two-way SSL authentication), you generate those certificates by means of the certification authority for
auto-generated user certificates ("MCA"). Also, the Quick Start Wizard enables you to start using custom client
certificates issued by a different certification authority, while integration with the domain Public Key
Infrastructure (PKI) of your organization enables you to issue client certificates by means of your domain
certification authority.

iOS MDM Server certificate

An iOS MDM Server certificate is required for authentication of Administration Server on mobile devices running
the iOS operating system. Interaction with these devices is performed via the Apple mobile device
management (MDM) protocol, which involves no Network Agent. Instead, you install a special iOS MDM profile,
containing a client certificate, on each device, to ensure two-way SSL authentication.

Also, the Quick Start Wizard enables you to start using custom client certificates issued by a different
certification authority, while integration with the domain Public Key Infrastructure (PKI) of your organization
enables you to issue client certificates by means of your domain certification authority.

Client certificates are transmitted to iOS devices when you download those iOS MDM profiles. Each iOS MDM
Server client certificate is unique. You generate all iOS MDM Server client certificates by means of the
certification authority for auto-generated user certificates ("MCA").

Kaspersky Security Center Web Server certificate

A special type of certificate is used by Kaspersky Security Center Web Server (hereinafter referred to as Web
Server), a component of Kaspersky Security Center Administration Server. This certificate is required for
publishing Network Agent installation packages that you subsequently download to managed devices, as well as
for publishing iOS MDM profiles, iOS apps, and Kaspersky Security for Mobile installation packages. For this
purpose, Web Server can use various certificates.

If mobile device support is disabled, Web Server uses one of the following certificates, in order of priority:

1. Custom Web Server certificate that you specified manually by means of Administration Console

2. Common Administration Server certificate ("C")

If mobile device support is enabled, Web Server uses one of the following certificates, in order of priority:

1. Custom Web Server certificate that you specified manually by means of Administration Console

2. Custom mobile certificate

3. Self-signed mobile certificate ("M")

4. Common Administration Server certificate ("C")

Kaspersky Security Center Web Console certificate

The Server of Kaspersky Security Center Web Console (hereinafter referred to as Web Console) has its own
certificate. When you open a website, the browser verifies whether the connection is trusted. The Web Console
certificate allows the browser to authenticate the Web Console and is used to encrypt traffic between the browser
and the Web Console.

When you open the Web Console, the browser may inform you that the connection to the Web Console is not
private and the Web Console certificate is invalid. This warning appears because the Web Console certificate is
self-signed and automatically generated by Kaspersky Security Center. To remove this warning, do one of
the following:

Replace the Web Console certificate with a custom one (recommended option). Create a certificate that is
trusted in your infrastructure and that meets the requirements for custom certificates.

Add the Web Console certificate to the list of trusted browser certificates. We recommend that you use this
option only if you cannot create a custom certificate.

About Administration Server certificate


Two operations rely on the Administration Server certificate: authentication of Administration Server when
Administration Console connects to it, and data exchange with devices. The certificate is also used for
authentication when primary Administration Servers connect to secondary Administration Servers.

Certificate issued by Kaspersky

The Administration Server certificate is created automatically during installation of the Administration Server
component and is stored in the %ALLUSERSPROFILE%\Application Data\KasperskyLab\adminkit\1093\cert
folder.

The Administration Server certificate is valid for five years if it was issued before September 1, 2020.
Otherwise, the certificate validity term is limited to 397 days. A new certificate is generated by the Administration
Server as the reserve certificate 90 days before the expiration date of the current certificate. Subsequently, the
new certificate automatically replaces the current certificate one day before the expiration date. All Network
Agents on the client devices are automatically reconfigured to authenticate the Administration Server with the
new certificate.

Custom certificates

If necessary, you can assign a custom certificate for the Administration Server. For example, this may be necessary
for better integration with the existing PKI of your enterprise or for custom configuration of the certificate fields.

The maximum validity period for any of the Administration Server certificates must be 397 days or less.

When you replace the certificate, all Network Agents that were previously connected to Administration Server
through SSL lose their connection and return the "Administration Server authentication error" message. To
eliminate this error, you have to restore the connection after the certificate replacement.

If the Administration Server certificate is lost, you must reinstall the Administration Server component and then
restore the data in order to recover it.
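The following script is an added example, not part of Kaspersky Security Center or its documentation, and it does not call klsetsrvcert. It checks a certificate against the requirements this guide lists for the common ("C") certificate in Requirements for custom certificates used in Kaspersky Security Center (RSA key of at least 2048 bits, Basic Constraints CA:true with no path length constraint, Key Usage covering digital signature, certificate signing, key encipherment and CRL signing, validity of at most 397 days), and it computes the dates at which the reserve certificate would be generated (90 days before expiry) and would take over (one day before expiry). For a custom certificate, which is not reissued automatically, those are the dates by which you must act. It needs the third-party cryptography package; build_common_cert is a stand-in for your own PKI and exists only to give the checker input.

```python
"""Check a certificate against the guide's requirements for the common ("C")
certificate and work out its rotation dates.

Added example, not Kaspersky code. Requires the third-party `cryptography`
package. build_common_cert() only produces test input; your real certificate
comes from your PKI and is installed with klsetsrvcert.
"""
from __future__ import annotations

import datetime as dt

from cryptography import x509
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import rsa
from cryptography.x509.oid import ExtendedKeyUsageOID, NameOID

MAX_VALIDITY_DAYS = 397   # limit stated for all Administration Server certificates
RESERVE_LEAD_DAYS = 90    # reserve certificate is generated this long before expiry
SWITCH_LEAD_DAYS = 1      # reserve certificate takes over this long before expiry
MIN_KEY_BITS = 2048


def _validity(cert: x509.Certificate) -> tuple[dt.datetime, dt.datetime]:
    """Validity bounds as aware UTC datetimes, across cryptography versions."""
    if hasattr(cert, "not_valid_before_utc"):
        return cert.not_valid_before_utc, cert.not_valid_after_utc
    return (cert.not_valid_before.replace(tzinfo=dt.timezone.utc),
            cert.not_valid_after.replace(tzinfo=dt.timezone.utc))


def build_common_cert(common_name: str, valid_days: int, key_bits: int = MIN_KEY_BITS) -> x509.Certificate:
    """Self-signed certificate shaped like the common ("C") certificate (test input only)."""
    key = rsa.generate_private_key(public_exponent=65537, key_size=key_bits)
    now = dt.datetime.now(dt.timezone.utc).replace(microsecond=0)
    name = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, common_name)])
    key_usage = x509.KeyUsage(
        digital_signature=True, content_commitment=False, key_encipherment=True,
        data_encipherment=False, key_agreement=False, key_cert_sign=True,
        crl_sign=True, encipher_only=False, decipher_only=False)
    return (x509.CertificateBuilder()
            .subject_name(name).issuer_name(name)
            .public_key(key.public_key())
            .serial_number(x509.random_serial_number())
            .not_valid_before(now)
            .not_valid_after(now + dt.timedelta(days=valid_days))
            .add_extension(x509.BasicConstraints(ca=True, path_length=None), critical=True)
            .add_extension(key_usage, critical=True)
            .add_extension(x509.ExtendedKeyUsage(
                [ExtendedKeyUsageOID.SERVER_AUTH, ExtendedKeyUsageOID.CLIENT_AUTH]), critical=False)
            .sign(key, hashes.SHA256()))


def check_common_cert(cert: x509.Certificate) -> list[str]:
    """Return the requirement violations for a "C"/"CR" certificate; [] means it passes."""
    problems: list[str] = []
    pub = cert.public_key()
    if not isinstance(pub, rsa.RSAPublicKey) or pub.key_size < MIN_KEY_BITS:
        problems.append(f"key length below {MIN_KEY_BITS} bits")
    try:
        bc = cert.extensions.get_extension_for_class(x509.BasicConstraints).value
        if not bc.ca:
            problems.append("Basic Constraints: CA is not true")
        if bc.path_length is not None:
            problems.append(f"Path Length Constraint is {bc.path_length}, expected None")
    except x509.ExtensionNotFound:
        problems.append("Basic Constraints extension missing")
    try:
        ku = cert.extensions.get_extension_for_class(x509.KeyUsage).value
        required = (("Digital signature", ku.digital_signature),
                    ("Certificate signing", ku.key_cert_sign),
                    ("Key encryption", ku.key_encipherment),
                    ("CRL Signing", ku.crl_sign))
        problems += [f"Key Usage lacks {label}" for label, flag in required if not flag]
    except x509.ExtensionNotFound:
        problems.append("Key Usage extension missing")
    not_before, not_after = _validity(cert)
    if not_after - not_before > dt.timedelta(days=MAX_VALIDITY_DAYS):
        problems.append(f"validity of {(not_after - not_before).days} days exceeds {MAX_VALIDITY_DAYS}")
    return problems


def rotation_schedule(cert: x509.Certificate) -> dict[str, dt.datetime]:
    """Dates on which the reserve certificate would be generated and would take
    over, per the guide's schedule. Custom certificates are not reissued
    automatically, so for them these are the dates by which you must act."""
    _, not_after = _validity(cert)
    return {"reserve_generated": not_after - dt.timedelta(days=RESERVE_LEAD_DAYS),
            "switch_over": not_after - dt.timedelta(days=SWITCH_LEAD_DAYS),
            "expires": not_after}


if __name__ == "__main__":
    cert = build_common_cert("Kaspersky Security Center test", valid_days=397)
    print("violations:", check_common_cert(cert) or "none")
    for event, when in rotation_schedule(cert).items():
        print(f"{event:>18}: {when:%Y-%m-%d}")
```

To check a certificate your PKI issued, load it with x509.load_pem_x509_certificate and pass it to check_common_cert before running klsetsrvcert; a non-empty list is the reason the server would reject it, and rotation_schedule gives the date to put in your calendar for replacing a custom certificate.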

Requirements for custom certificates used in Kaspersky Security Center


The table below shows the requirements for custom certificates specified for different components of Kaspersky
Security Center.

Requirements for Kaspersky Security Center certificates

Certificate type: Common certificate, Common reserve certificate ("C", "CR")
Requirements:
    Minimum key length: 2048.
    Basic constraints:
        CA: true
        Path Length Constraint: None
    Key Usage:
        Digital signature
        Certificate signing
        Key encryption
        CRL Signing
    Extended Key Usage (optional): server authentication, client authentication.
Comments:
    Extended Key Usage parameter is optional.
    Path Length Constraint value may be an integer different from "None", but not less than 1.

Certificate type: Mobile certificate, Mobile reserve certificate ("M", "MR")
Requirements:
    Minimum key length: 2048.
    Basic constraints:
        CA: true
        Path Length Constraint: None
    Key Usage:
        Digital signature
        Certificate signing
        Key encryption
        CRL Signing
    Extended Key Usage (optional): server authentication.
Comments:
    Extended Key Usage parameter is optional.
    Path Length Constraint value may be an integer different from "None", if the Common certificate has a Path
    Length Constraint value not less than 1.

Certificate type: Certificate CA for auto-generated user certificates ("MCA")
Requirements:
    Minimum key length: 2048.
    Basic constraints:
        CA: true
        Path Length Constraint: None
    Key Usage:
        Digital signature
        Certificate signing
        Key encryption
        CRL Signing
    Extended Key Usage (optional): server authentication, client authentication.
Comments:
    Extended Key Usage parameter is optional.
    Path Length Constraint value may be an integer different from "None," if the Common certificate has a Path
    Length Constraint value not less than 1.

Certificate type: Web Server certificate
Requirements:
    Extended Key Usage: server authentication.
    The PKCS #12 / PEM container from which the certificate is specified includes the entire chain of public keys.
    The Subject Alternative Name (SAN) of the certificate is present; that is, the value of the subjectAltName field
    is valid.
    The certificate meets the effective requirements of browsers imposed on server certificates, as well as the
    current baseline requirements of the CA/Browser Forum.
Comments:
    Not applicable.

Certificate type: Kaspersky Security Center Web Console certificate
Requirements:
    The PEM container from which the certificate is specified includes the entire chain of public keys.
    The Subject Alternative Name (SAN) of the certificate is present; that is, the value of the subjectAltName field
    is valid.
    The certificate meets the effective requirements of browsers to server certificates, as well as the current
    baseline requirements of the CA/Browser Forum.
Comments:
    Encrypted certificates are not supported by Kaspersky Security Center Web Console.

Scenario: Specifying the custom Administration Server certificate


You can assign the custom Administration Server certificate, for example, for better integration with the existing
public key infrastructure (PKI) of your enterprise or for custom configuration of the certificate fields. It is useful to
replace the certificate immediately after installation of Administration Server and before the Quick Start Wizard
finishes.

The maximum validity period for any of the Administration Server certificates must be 397 days or less.

Prerequisites

The new certificate must be created in the PKCS#12 format (for example, by means of the organization's PKI) and
must be issued by a trusted certification authority (CA). Also, the new certificate must include the entire chain of
trust and a private key, which must be stored in the file with the pfx or p12 extension. For the new certificate, the
requirements listed in the table below must be met.

Requirements for the Administration Server certificates

Certificate type: Common certificate, common reserve certificate ("C", "CR")
Requirements:
    Minimum key length: 2048.
    Basic constraints:
        CA: true
        Path Length Constraint: None
        Path Length Constraint value may be an integer different from "None," but not less than 1.
    Key Usage:
        Digital signature
        Certificate signing
        Key encryption
        CRL Signing
    Extended Key Usage (EKU): server authentication and client authentication. The EKU is optional, but if your
    certificate contains it, the server and client authentication data must be specified in the EKU.

Certificate type: Mobile certificate, mobile reserve certificate ("M", "MR")
Requirements:
    Minimum key length: 2048.
    Basic constraints:
        CA: true
        Path Length Constraint: None
        Path Length Constraint value may be an integer different from "None" if the common certificate has a Path
        Length Constraint value not less than 1.
    Key Usage:
        Digital signature
        Certificate signing
        Key encryption
        CRL Signing
    Extended Key Usage (EKU): server authentication. The EKU is optional, but if your certificate contains it, the
    server authentication data must be specified in the EKU.

Certificate type: Certificate CA for auto-generated user certificates ("MCA")
Requirements:
    Minimum key length: 2048.
    Basic constraints:
        CA: true
        Path Length Constraint: None
        Path Length Constraint value may be an integer different from "None" if the Common certificate has a Path
        Length Constraint value not less than 1.
    Key Usage:
        Digital signature
        Certificate signing
        Key encryption
        CRL Signing
    Extended Key Usage (EKU): client authentication. The EKU is optional, but if your certificate contains it, the
    client authentication data must be specified in the EKU.

Certificates issued by a public CA do not have the certificate signing permission. To use such certificates,
make sure that you installed Network Agent version 13 or later on distribution points or connection gateways in
your network. Otherwise, you will not be able to use certificates without the signing permission.
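The two requirement tables in this section (the per-component table under "Requirements for custom certificates used in Kaspersky Security Center" and the Administration Server table above) are easy to get wrong in a PKI request and hard to verify by eye in a PFX. The following PowerShell script is an added pre-flight check, not a Kaspersky utility: it opens a PKCS#12 container with .NET and tests key length, validity period, Basic constraints, Key Usage, the optional EKU for the chosen certificate type, and whether the chain of trust is in the container. The script name, the file paths, the assumption that the key is RSA, and the suggested command line at the end are all assumptions of this example; the EKU values per type are taken from the Administration Server table.

```powershell
# Added example, not part of Kaspersky Security Center: check a PKCS#12 container against the
# "Requirements for the Administration Server certificates" table before running klsetsrvcert.
# Usage (paths are placeholders):
#   .\Test-KscCertificate.ps1 -PfxPath C:\pki\ksc-server.pfx -Password (Read-Host -AsSecureString) -Type C
using namespace System.Security.Cryptography.X509Certificates

param(
    [Parameter(Mandatory)] [string] $PfxPath,
    [Parameter(Mandatory)] [System.Security.SecureString] $Password,
    [ValidateSet('C', 'CR', 'M', 'MR', 'MCA')] [string] $Type = 'C'
)

# EKU expected per certificate type when the (optional) EKU extension is present.
$serverAuth = '1.3.6.1.5.5.7.3.1'; $clientAuth = '1.3.6.1.5.5.7.3.2'
$requiredEku = @{ C = @($serverAuth, $clientAuth); CR = @($serverAuth, $clientAuth)
                  M = @($serverAuth); MR = @($serverAuth); MCA = @($clientAuth) }

$cert = [X509Certificate2]::new($PfxPath, $Password)
$checks = New-Object System.Collections.Generic.List[object]
function Add-Check([string] $Name, [bool] $Pass, [string] $Detail) {
    $checks.Add([pscustomobject]@{ Check = $Name; Pass = $Pass; Detail = $Detail })
}

# klsetsrvcert needs the private key, not only the public certificate.
Add-Check 'Private key in container' $cert.HasPrivateKey "HasPrivateKey=$($cert.HasPrivateKey)"

# The container must carry the entire chain of trust, i.e. more than the end-entity certificate.
$plain = [System.Net.NetworkCredential]::new('', $Password).Password
$bundle = [X509Certificate2Collection]::new()
$bundle.Import($PfxPath, $plain, [X509KeyStorageFlags]::DefaultKeySet)
Add-Check 'Chain of trust in container' ($bundle.Count -ge 2) "$($bundle.Count) certificate(s) in container"

# Minimum key length 2048 (RSA assumed; the tables name no other algorithm).
$rsa = [RSACertificateExtensions]::GetRSAPublicKey($cert)
$keySize = if ($rsa) { $rsa.KeySize } else { 0 }
Add-Check 'Minimum key length 2048' ($keySize -ge 2048) "RSA key size: $keySize"

# No Administration Server certificate may be valid for more than 397 days.
$days = ($cert.NotAfter - $cert.NotBefore).TotalDays
Add-Check 'Validity period 397 days or less' ($days -le 397) ("{0:N0} days, {1:d} to {2:d}" -f $days, $cert.NotBefore, $cert.NotAfter)

# Basic constraints: CA: true; Path Length Constraint None, or an integer not less than 1
# (for M/MR/MCA an integer is allowed only if the common certificate has path length >= 1; not checked here).
$bc = $cert.Extensions | Where-Object { $_ -is [X509BasicConstraintsExtension] } | Select-Object -First 1
if ($bc) {
    Add-Check 'Basic constraints CA: true' $bc.CertificateAuthority "CA=$($bc.CertificateAuthority)"
    $pathLen = if ($bc.HasPathLengthConstraint) { $bc.PathLengthConstraint } else { 'None' }
    Add-Check 'Path Length Constraint None or >= 1' ((-not $bc.HasPathLengthConstraint) -or ($bc.PathLengthConstraint -ge 1)) "PathLen=$pathLen"
} else {
    Add-Check 'Basic constraints extension present' $false 'basicConstraints extension missing'
}

# Key Usage: Digital signature, Certificate signing, Key encryption, CRL Signing.
$ku = $cert.Extensions | Where-Object { $_ -is [X509KeyUsageExtension] } | Select-Object -First 1
$have = if ($ku) { [int]$ku.KeyUsages } else { 0 }
$needed = [int][X509KeyUsageFlags]'DigitalSignature, KeyCertSign, KeyEncipherment, CrlSign'
$missing = [X509KeyUsageFlags]($needed -band -bnot $have)
Add-Check 'Key Usage complete' ([int]$missing -eq 0) "Missing: $missing"
# A public-CA certificate lacks Certificate signing: klsetsrvcert then needs -o NoCA, and distribution
# points and connection gateways must run Network Agent 13 or later.
$noCa = ($have -band [int][X509KeyUsageFlags]::KeyCertSign) -eq 0

# EKU is optional, but when present it must carry the values for this certificate type.
$eku = $cert.Extensions | Where-Object { $_ -is [X509EnhancedKeyUsageExtension] } | Select-Object -First 1
if ($eku) {
    $oids = @($eku.EnhancedKeyUsages | ForEach-Object { $_.Value })
    $lacking = @($requiredEku[$Type] | Where-Object { $oids -notcontains $_ })
    Add-Check "EKU covers type $Type" ($lacking.Count -eq 0) "Present: $($oids -join ', '); missing: $($lacking -join ', ')"
} else {
    Add-Check "EKU present (optional for type $Type)" $true 'No EKU extension, which is allowed'
}

$checks | Format-Table -AutoSize
if ($checks | Where-Object { -not $_.Pass }) {
    Write-Warning 'Certificate does not meet the requirements; do not hand it to klsetsrvcert.'
    exit 1
}
$suffix = if ($noCa) { ' -o NoCA' } else { '' }
"Suggested command (assumed form): klsetsrvcert -t $Type -i `"$PfxPath`" -p <password>$suffix"
```

The script deliberately fails closed: any failed check exits with a non-zero code so it can gate a change pipeline, and the only decision it takes for you is whether -o NoCA is needed, which it derives from the absence of the Certificate signing usage rather than from who issued the certificate.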

Stages

Specifying the Administration Server certificate proceeds in stages:

1 Replacing the Administration Server certificate

Use the command-line klsetsrvcert utility for this purpose.

2 Specifying a new certificate and restoring connection of Network Agents to the Administration Server

When the certificate is replaced, all Network Agents that were previously connected to Administration Server
through SSL lose their connection and return "Administration Server authentication error." To specify the new
certificate and restore the connection, use the command-line klmover utility.

3 Specifying a new certificate in the settings of Kaspersky Security Center Web Console

After you replace the certificate, specify it in the settings of Kaspersky Security Center Web Console.
Otherwise, Kaspersky Security Center Web Console will not be able to connect to the Administration Server.

Results

When you finish the scenario, the Administration Server certificate is replaced and the server is authenticated by
Network Agents on the managed devices.

Replacing the Administration Server certificate by using the klsetsrvcert utility


To replace the Administration Server certificate:
From the command line, run the following utility:

klsetsrvcert [-t <type> {-i <inputfile> [-p <password>] [-o <chkopt>] | -g <dnsname>}]
[-f <time>][-r <calistfile>][-l <logfile>]

You do not need to download the klsetsrvcert utility. It is included in the Kaspersky Security Center
distribution kit. It is not compatible with previous Kaspersky Security Center versions.

The description of the klsetsrvcert utility parameters is presented in the table below.

Values of the klsetsrvcert utility parameters

-t <type>
    Type of certificate to be replaced. Possible values of the <type> parameter:
        C—Replace the common certificate for ports 13000 and 13291.
        CR—Replace the common reserve certificate for ports 13000 and 13291.
        M—Replace the certificate for mobile devices on port 13292.
        MR—Replace the mobile reserve certificate for port 13292.
        MCA—Mobile client CA for auto-generated user certificates.

-f <time>
    Schedule for changing the certificate, using the format "DD-MM-YYYY hh:mm" (for ports 13000 and 13291).
    Use this parameter if you want to replace the common or common reserve certificate before it expires.
    Specify the time when managed devices must synchronize with Administration Server on a new certificate.

-i <inputfile>
    Container with the certificate and a private key in the PKCS#12 format (file with the .p12 or .pfx extension).

-p <password>
    Password used for protection of the p12 container.
    The certificate and a private key are stored in the container, therefore, the password is required to decrypt
    the file with the container.

-o <chkopt>
    Certificate validation parameters (semicolon separated).
    To use a custom certificate without signing permission, specify -o NoCA in the klsetsrvcert utility. This is
    useful for certificates issued by a public CA.

-g <dnsname>
    A new certificate will be created for the specified DNS name.

-r <calistfile>
    Trusted root Certificate Authority list, format PEM.

-l <logfile>
    Results output file. By default, the output is redirected into the standard output stream.

For example, to specify the custom Administration Server certificate, use the following command:

klsetsrvcert -t C -i <inputfile> -p <password> -o NoCA

After the certificate is replaced, all Network Agents connected to Administration Server through SSL lose their
connection. To restore it, use the command-line klmover utility.

Automatically reissuing mobile certificates is not supported. We recommend that you specify a new mobile
certificate when the existing one is about to expire. If the mobile certificate expires and the mobile reserve
certificate is not specified, the connection between Administration Server and Network Agent instances
installed on managed mobile devices will be lost. In this case, to reconnect managed mobile devices, you must
specify a new mobile certificate and reinstall Kaspersky Security for Mobile on each managed mobile device.

To avoid losing the Network Agents connections, use the following command:

klsetsrvcert.exe -f "DD-MM-YYYY hh:mm" -t CR -i <inputfile> -p <password> -o NoCA

where "DD-MM-YYYY hh:mm" is the date 3–4 weeks ahead of the current one. The time shift for changing the
certificate to a backup one will allow a new certificate to be distributed to all Network Agents.
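The scheduled form of the command above is the one that keeps Network Agents connected, and its two practical pitfalls are the day-first date format and picking a switch date too close to run the rollout. The following PowerShell wrapper is an added example, not a Kaspersky script: it computes the switch time 3 to 4 weeks ahead in the format klsetsrvcert expects, stages the new common reserve certificate (CR), and logs the result. The klsetsrvcert.exe location, the log path, the 24-hour reading of "hh:mm", and the assumption that a non-zero exit code means failure are assumptions of this example.

```powershell
# Added example, not Kaspersky's own script: stage a new common reserve certificate (CR) with
# klsetsrvcert so that it takes over 3-4 weeks from now, as recommended above.
param(
    [Parameter(Mandatory)] [string] $PfxPath,
    [Parameter(Mandatory)] [string] $PfxPassword,
    [int]    $LeadDays = 21,          # 3 weeks; validated to the 3-4 week window below
    [switch] $PublicCa,               # certificate without Certificate signing permission -> -o NoCA
    # Assumed install location of klsetsrvcert.exe (it ships in the distribution kit).
    [string] $Klsetsrvcert = 'C:\Program Files (x86)\Kaspersky Lab\Kaspersky Security Center\klsetsrvcert.exe',
    [string] $LogFile = "$env:TEMP\klsetsrvcert-$(Get-Date -Format yyyyMMdd-HHmm).log"   # assumed log path
)

if ($LeadDays -lt 21 -or $LeadDays -gt 28) {
    throw "LeadDays must be 21-28: with less lead time not every Network Agent will have received the reserve certificate before the switch"
}
if (-not (Test-Path $Klsetsrvcert)) { throw "klsetsrvcert.exe not found at $Klsetsrvcert" }

# klsetsrvcert wants "DD-MM-YYYY hh:mm", day first. Format with the invariant culture so a host set to a
# US or ISO date style cannot produce MM-DD-YYYY; the hour is assumed to be 24-hour.
$switchAt = (Get-Date).AddDays($LeadDays).ToString('dd-MM-yyyy HH:mm', [cultureinfo]::InvariantCulture)

$klArgs = @('-t', 'CR', '-i', $PfxPath, '-p', $PfxPassword, '-f', $switchAt, '-l', $LogFile)
if ($PublicCa) { $klArgs += @('-o', 'NoCA') }

"Staging common reserve certificate from $PfxPath; switch scheduled for $switchAt"
& $Klsetsrvcert @klArgs
if ($LASTEXITCODE -ne 0) { throw "klsetsrvcert returned exit code $LASTEXITCODE; see $LogFile" }   # assumed convention

# Until $switchAt, Network Agents keep authenticating with the current common certificate and pick up the
# reserve one in the background; after it, the Server switches to the reserve certificate and no klmover
# run on the managed devices is needed. Supply the PFX password from a secret store rather than typing it
# on the command line, since it ends up in shell history either way.
```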

Connecting Network Agents to Administration Server by using the klmover utility


After you replace the Administration Server certificate by using the command-line klsetsrvcert utility, you need to
re-establish the SSL connection between Network Agents and Administration Server because the connection is
broken.

To specify the new Administration Server certi cate and restore the connection:

From the command line, run the following utility:

klmover [-address <server address>] [-pn <port number>] [-ps <SSL port number>] [-
nossl] [-cert <path to certificate file>]

The administrator rights are required to run the utility.

This utility is automatically copied to the Network Agent installation folder, when Network Agent is installed on a
client device.

The description of the klmover utility parameters is presented in the table below.

Values of the klmover utility parameters

-address <server address>
    Address of the Administration Server for connection.
    You can specify an IP address, the NetBIOS name, or the DNS name.

-pn <port number>
    Number of the port through which non-encrypted connection to the Administration Server is established.
    The default port number is 14000.

-ps <SSL port number>
    Number of the SSL port through which encrypted connection to the Administration Server is established by
    using SSL.
    The default port number is 13000.

-nossl
    Use non-encrypted connection to the Administration Server.
    If the key is not in use, Network Agent is connected to the Administration Server by using encrypted SSL
    protocol.

-cert <path to certificate file>
    Use the specified certificate file for authentication of access to Administration Server.

-virtserv
    Name of the virtual Administration Server.

-cloningmode
    Network Agent disk cloning mode.
    Use one of the following parameters to configure the disk cloning mode:
        -cloningmode—Request the status of the disk cloning mode.
        -cloningmode 1—Enable the disk cloning mode.
        -cloningmode 0—Disable the disk cloning mode.

For example, to connect Network Agent to Administration Server, run the following command:

klmover -address kscserver.mycompany.com -logfile klmover.log
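Running klmover by hand on every device is only realistic for a handful of hosts; after an unscheduled certificate replacement the Network Agents cannot be reached through Administration Server, so some other management channel is needed. The following PowerShell script is an added example, not a Kaspersky script: it runs klmover over WinRM on a list of hosts with the SSL port and the new certificate file, and collects exit codes and output per host. The host names, the certificate file (assumed to be the public part of the new Administration Server certificate, already copied to each host), the default Network Agent folder, and the assumption that a non-zero exit code means failure are assumptions of this example. klmover requires administrator rights, so run it from an account that is an administrator on the targets.

```powershell
# Added example, not Kaspersky's own script: re-point Network Agents at the Administration Server with
# klmover over WinRM after the Administration Server certificate has been replaced.
param(
    [Parameter(Mandatory)] [string[]] $ComputerName,
    [string] $Server   = 'kscserver.mycompany.com',
    [int]    $SslPort  = 13000,
    [string] $CertFile = 'C:\Temp\ksc-server.cer',   # assumed: new Administration Server certificate, copied to each host
    [string] $Klmover  = 'C:\Program Files (x86)\Kaspersky Lab\NetworkAgent\klmover.exe'  # assumed default folder
)

$remote = {
    param($Server, $SslPort, $CertFile, $Klmover)
    foreach ($p in $Klmover, $CertFile) {
        if (-not (Test-Path $p)) {
            return [pscustomobject]@{ Host = $env:COMPUTERNAME; ExitCode = -1; Output = "missing file: $p" }
        }
    }
    # SSL port only: -nossl would fall back to the unencrypted port 14000 and is deliberately not used.
    $out = & $Klmover -address $Server -ps $SslPort -cert $CertFile 2>&1 | Out-String
    [pscustomobject]@{ Host = $env:COMPUTERNAME; ExitCode = $LASTEXITCODE; Output = $out.Trim() }
}

$results = Invoke-Command -ComputerName $ComputerName -ScriptBlock $remote `
    -ArgumentList $Server, $SslPort, $CertFile, $Klmover `
    -ErrorAction SilentlyContinue -ErrorVariable winrmErrors

$results | Sort-Object Host | Format-Table Host, ExitCode -AutoSize

# Hosts that could not be reached over WinRM are not in $results at all; list them separately.
foreach ($e in $winrmErrors) { Write-Warning "WinRM: $($e.TargetObject): $($e.Exception.Message)" }
# Non-zero exit code (assumed to mean failure) or a missing file: show klmover's own output for triage.
foreach ($r in ($results | Where-Object { $_.ExitCode -ne 0 })) {
    Write-Warning "$($r.Host): klmover exit code $($r.ExitCode)`n$($r.Output)"
}
```

Keep the list of hosts that did not report success: after the run, compare it against the Administration Server's view of which Network Agents have reconnected, since a host that WinRM could not reach has not been touched at all.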

Reissuing the Web Server certificate


The Web Server certificate used in Kaspersky Security Center is required for publishing Network Agent installation
packages that you subsequently download to managed devices, as well as for publishing iOS MDM profiles, iOS
apps, and Kaspersky Endpoint Security for Mobile installation packages. Depending on the current application
configuration, various certificates can function as the Web Server certificate (for more detail, see About
Kaspersky Security Center certificates).

You may need to reissue the Web Server certificate to meet the specific security requirements of your
organization or to maintain continuous connection of your managed devices before starting to upgrade the
application. Kaspersky Security Center provides two ways of reissuing the Web Server certificate; the choice
between the two methods depends on whether you have mobile devices connected and managed through the
mobile protocol (i.e., by using the mobile certificate).

If you have never specified your own custom certificate as the Web Server certificate in the Web Server
section of the Administration Server properties window, the mobile certificate acts as the Web Server
certificate. In this case, the Web Server certificate is reissued by reissuing the mobile certificate itself.

To reissue the Web Server certificate when you have no mobile devices managed through the mobile protocol:

1. In the console tree, right-click the name of the relevant Administration Server and in the context menu select
Properties.

2. In the Administration Server properties window that opens, in the left pane, select the Administration Server
connection settings section.

3. In the list of subsections, select the Certificates subsection.

4. If you plan to continue using the certificate issued by Kaspersky Security Center, do the following:

a. On the right pane, in the Administration Server authentication by mobile devices group of settings, select
the Certificate issued through Administration Server option and click the Reissue button.

b. In the Reissue certificate window that opens, in the Connection address and Activation term group of
settings, select the relevant options and click OK.

c. In the confirmation window, click Yes.

Alternatively, if you plan to use your own custom certificate, do the following:

a. Check whether your custom certificate meets the requirements of Kaspersky Security Center and the
requirements for trusted certificates by Apple. If necessary, modify the certificate.

b. Select the Other certificate option and click the Browse button.

c. In the Certificate window that opens, in the Certificate type field select the type of your certificate and
then specify the certificate location and settings:

If you have selected PKCS #12 container, click the Browse button next to the Certificate file field and
specify the certificate file on your hard drive. If the certificate file is password-protected, enter the
password in the Password (if any) field.

If you have selected X.509 certificate, click the Browse button next to the Private key (.prk, .pem) field
and specify the private key on your hard drive. If the private key is password-protected, enter the
password in the Password (if any) field. Then click the Browse button next to the Public key (.cer) field
and specify the public key on your hard drive.

d. In the Certificate window, click OK.

e. In the confirmation window, click Yes.

The mobile certificate is reissued to be used as the Web Server certificate.

To reissue the Web Server certificate when you have any mobile devices managed through the mobile protocol:

1. Generate your custom certificate and prepare it for the usage in Kaspersky Security Center. Check whether
your custom certificate meets the requirements of Kaspersky Security Center and the requirements for
trusted certificates by Apple. If necessary, modify the certificate.

You can use the kliossrvcertgen.exe utility for certificate generation.

2. In the console tree, right-click the name of the relevant Administration Server and in the context menu select
Properties.

3. In the Administration Server properties window that opens, in the left pane, select the Web Server section.

4. In the Over HTTPS menu, select the Specify another certificate option.

5. In the Over HTTPS menu, click the Change button.

6. In the Certificate window that opens, in the Certificate type field select the type of your certificate:

If you have selected PKCS #12 container, click the Browse button next to the Certificate file field and
specify the certificate file on your hard drive. If the certificate file is password-protected, enter the
password in the Password (if any) field.

If you have selected X.509 certificate, click the Browse button next to the Private key (.prk, .pem) field and
specify the private key on your hard drive. If the private key is password-protected, enter the password in
the Password (if any) field. Then click the Browse button next to the Public key (.cer) field and specify the
public key on your hard drive.

7. In the Certificate window, click OK.

8. If necessary, in the Administration Server properties window, in the Web Server HTTPS port field change the
number of the HTTPS port for Web Server. Click OK.
The Web Server certificate is reissued.

Schemas for data traffic and port usage


This section provides schemas for data traffic between Kaspersky Security Center components, managed
security applications, and external servers under various configurations. The schemas are provided with numbers
for the ports that must be available on the local devices.

Administration Server and managed devices on LAN


The figure below shows the traffic of the data if Kaspersky Security Center is deployed on a local area network
(LAN) only.

Administration Server and managed devices on a local area network (LAN)

The figure shows how different managed devices connect to the Administration Server in different ways: directly
or via a distribution point. Distribution points reduce the load on the Administration Server during update
distribution and optimize network traffic. However, distribution points are only needed if the number of managed
devices is large enough. If the number of managed devices is small, all the managed devices can receive updates
from the Administration Server directly.

The arrows indicate the initiation of traffic: each arrow points from a device that initiates the connection to the
device that "answers" the call. The number of the port and the name of the protocol used for data transfer are
provided. Each arrow has a number label, and details about the corresponding data traffic are as follows:

1. Administration Server sends data to the database. If you install the Administration Server and the database on
different devices, you must make available the necessary ports on the device where the database is located
(for example, port 3306 for MySQL Server and MariaDB Server, or port 1433 for Microsoft SQL Server). Please
refer to the DBMS documentation for the relevant information.

2. Requests for communication from the Administration Server are transferred to all non-mobile managed devices
through UDP port 15000.
Network Agents send requests to each other within one broadcasting domain. The data is then sent to the
Administration Server and is used for defining the limits of the broadcasting domain and for automatic
assignment of distribution points (if this option is enabled).
If Administration Server does not have direct access to the managed devices, communication requests from
Administration Server to these devices are not sent directly.

3. Information about shutdown of the managed devices is transferred from Network Agent to the Administration
Server through UDP port 13000.

4. The Administration Server receives connection from Network Agents and from secondary Administration
Servers through SSL port 13000.
If you used an earlier version of Kaspersky Security Center, the Administration Server on your network can
receive connection from Network Agents through non-SSL port 14000. Kaspersky Security Center also
supports connection of Network Agents through port 14000, although using SSL port 13000 is recommended.

The distribution point was called "Update agent" in earlier versions of Kaspersky Security Center.

5. The managed devices (except for mobile devices) request activation through TCP port 17000. This is not
necessary if the device has its own access to the internet; in this case, the device sends the data to Kaspersky
servers over the internet directly.

6. Data from MMC-based Administration Console is transferred to the Administration Server through port 13291.
(The Administration Console can be installed on the same or on a different device.)

7. Applications on a single device exchange local traffic (either on the Administration Server or on a managed
device). No external ports have to be opened.

8. Data from the Administration Server to the Kaspersky servers (such as KSN data or information about licenses)
and data from the Kaspersky servers to the Administration Server (such as application updates and anti-virus
database updates) are transferred using the HTTPS protocol.
If you do not want your Administration Server to have access to the internet, you must manage this data
manually.

9. Kaspersky Security Center Web Console Server sends data to the Administration Server, which may be
installed on the same or on a different device, through TLS port 13299.
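The port list above is what a host firewall has to allow, and the direction matters: items 3, 4, 5, 6 and 9 are inbound on the Administration Server host, while item 2 is inbound on the managed devices. The following PowerShell script is an added example, not a Kaspersky script, that turns the LAN schema into Windows Defender Firewall rules with the correct protocol and direction, scoped to the domain profile and a LAN address range, and opens the legacy non-SSL port 14000 only on request. The rule names and the address range are assumptions of this example; the port numbers are the ones listed in the schema.

```powershell
# Added example, not Kaspersky's own script: inbound Windows Defender Firewall rules for the LAN schema.
# Run with -Role Server on the Administration Server host, with -Role Agent on managed devices.
param(
    [ValidateSet('Server', 'Agent')] [string] $Role = 'Server',
    [string] $LanSubnet = '10.0.0.0/8',     # assumed address range of managed devices and consoles
    [switch] $AllowLegacyNonSsl             # open 14000 only while pre-SSL Network Agents remain
)

# Inbound on the Administration Server host (schema items 3, 4, 5, 6, 9).
$serverRules = @(
    @{ Name = 'KSC Network Agents and secondary Servers (SSL)'; Protocol = 'TCP'; Port = 13000 },
    @{ Name = 'KSC shutdown notifications from Network Agents'; Protocol = 'UDP'; Port = 13000 },
    @{ Name = 'KSC MMC Administration Console';                Protocol = 'TCP'; Port = 13291 },
    @{ Name = 'KSC Web Console Server';                        Protocol = 'TCP'; Port = 13299 },
    @{ Name = 'KSC activation proxy for managed devices';      Protocol = 'TCP'; Port = 17000 }
)
if ($AllowLegacyNonSsl) {
    # Unencrypted Network Agent connections; the text recommends SSL port 13000 instead.
    $serverRules += @{ Name = 'KSC Network Agents (non-SSL, legacy)'; Protocol = 'TCP'; Port = 14000 }
}

# Inbound on managed devices (schema item 2): communication requests from the Administration Server and
# from Network Agents in the same broadcast domain.
$agentRules = @(
    @{ Name = 'KSC Network Agent communication requests'; Protocol = 'UDP'; Port = 15000 }
)

$rules = if ($Role -eq 'Server') { $serverRules } else { $agentRules }
foreach ($r in $rules) {
    # Idempotent: re-running the script does not duplicate rules.
    if (Get-NetFirewallRule -DisplayName $r.Name -ErrorAction SilentlyContinue) { continue }
    New-NetFirewallRule -DisplayName $r.Name -Direction Inbound -Action Allow -Profile Domain `
        -Protocol $r.Protocol -LocalPort $r.Port -RemoteAddress $LanSubnet | Out-Null
}

# Show what is now open, for the change record.
Get-NetFirewallRule -DisplayName 'KSC *' | ForEach-Object {
    $pf = $_ | Get-NetFirewallPortFilter
    [pscustomobject]@{ Rule = $_.DisplayName; Protocol = $pf.Protocol; LocalPort = $pf.LocalPort; Enabled = $_.Enabled }
} | Format-Table -AutoSize
```

The database port (item 1) is left out on purpose: it belongs on the DBMS host, not on the Administration Server, and the schema defers to the DBMS documentation for it. Item 8 and the Web Console browser port are outbound or on a different host and need no inbound rule here.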

Primary Administration Server on LAN and two secondary Administration Servers


The figure below shows the hierarchy of Administration Servers: the primary Administration Server is on a local
area network (LAN). A secondary Administration Server is in the demilitarized zone (DMZ); another secondary
Administration Server is on the internet.

Hierarchy of Administration Servers: primary Administration Server and two secondary Administration Servers

The arrows indicate the initiation of traffic: each arrow points from a device that initiates the connection to the
device that "answers" the call. The number of the port and the name of the protocol used for data transfer are
provided. Each arrow has a number label, and details about the corresponding data traffic are as follows:

1. Administration Server sends data to the database. If you install the Administration Server and the database on
different devices, you must make available the necessary ports on the device where the database is located
(for example, port 3306 for MySQL Server and MariaDB Server, or port 1433 for Microsoft SQL Server). Please
refer to the DBMS documentation for the relevant information.

2. Requests for communication from the Administration Server are transferred to all non-mobile managed devices
through UDP port 15000.
Network Agents send requests to each other within one broadcasting domain. The data is then sent to the
Administration Server and is used for defining the limits of the broadcasting domain and for automatic
assignment of distribution points (if this option is enabled).
If Administration Server does not have direct access to the managed devices, communication requests from
Administration Server to these devices are not sent directly.

3. Information about shutdown of the managed devices is transferred from Network Agent to the Administration
Server through UDP port 13000.

4. The Administration Server receives connection from Network Agents and from secondary Administration
Servers through SSL port 13000.
If you used an earlier version of Kaspersky Security Center, the Administration Server on your network can
receive connection from Network Agents through non-SSL port 14000. Kaspersky Security Center also
supports connection of Network Agents through port 14000, although using SSL port 13000 is recommended.

The distribution point was called "Update agent" in earlier versions of Kaspersky Security Center.

5. The managed devices (except for mobile devices) request activation through TCP port 17000. This is not
necessary if the device has its own access to the internet; in this case, the device sends the data to Kaspersky
servers over the internet directly.

6. Data from MMC-based Administration Console is transferred to the Administration Server through port 13291.
(The Administration Console can be installed on the same or on a different device.)

7. Applications on a single device exchange local traffic (either on the Administration Server or on a managed
device). No external ports have to be opened.

8. Data from the Administration Server to the Kaspersky servers (such as KSN data or information about licenses)
and data from the Kaspersky servers to the Administration Server (such as application updates and anti-virus
database updates) are transferred using the HTTPS protocol.
If you do not want your Administration Server to have access to the internet, you must manage this data
manually.

9. Kaspersky Security Center Web Console Server sends data to the Administration Server, which may be
installed on the same or on a different device, through TLS port 13299.
9a. Data from the browser, which is installed on a separate device of the administrator, is transferred to
Kaspersky Security Center Web Console Server through TLS port 8080. The Kaspersky Security Center Web
Console Server can be installed either on the Administration Server or on another device.

Administration Server on LAN, managed devices on internet, TMG in use


The figure below shows data traffic if the Administration Server is on a local area network (LAN) and the managed
devices, including mobile devices, are on the internet. In this figure, Microsoft Forefront Threat Management
Gateway (TMG) is in use. However, if you want to use a corporate firewall, you can use a different application; refer
to the documentation of the application of your choice for details.

Administration Server on a local area network; managed devices connect to the Administration Server through Microsoft Forefront Threat Management
Gateway

This deployment scheme is recommended if you do not want the mobile devices to connect to the Administration
Server directly and do not want to assign a connection gateway in the DMZ.

The arrows indicate the initiation of traffic: each arrow points from a device that initiates the connection to the
device that "answers" the call. The number of the port and the name of the protocol used for data transfer are
provided. Each arrow has a number label, and details about the corresponding data traffic are as follows:

1. Administration Server sends data to the database. If you install the Administration Server and the database on
different devices, you must make available the necessary ports on the device where the database is located
(for example, port 3306 for MySQL Server and MariaDB Server, or port 1433 for Microsoft SQL Server). Please
refer to the DBMS documentation for the relevant information.

2. Requests for communication from the Administration Server are transferred to all non-mobile managed devices
through UDP port 15000.
Network Agents send requests to each other within one broadcasting domain. The data is then sent to the
Administration Server and is used for defining the limits of the broadcasting domain and for automatic
assignment of distribution points (if this option is enabled).
If Administration Server does not have direct access to the managed devices, communication requests from
Administration Server to these devices are not sent directly.

3. Information about shutdown of the managed devices is transferred from Network Agent to the Administration
Server through UDP port 13000.

4. The Administration Server receives connection from Network Agents and from secondary Administration
Servers through SSL port 13000.
If you used an earlier version of Kaspersky Security Center, the Administration Server on your network can
receive connection from Network Agents through non-SSL port 14000. Kaspersky Security Center also
supports connection of Network Agents through port 14000, although using SSL port 13000 is recommended.

The distribution point was called "Update agent" in earlier versions of Kaspersky Security Center.

5. The managed devices (except for mobile devices) request activation through TCP port 17000. This is not
necessary if the device has its own access to the internet; in this case, the device sends the data to Kaspersky
servers over the internet directly.

6. Data from MMC-based Administration Console is transferred to the Administration Server through port 13291.
(The Administration Console can be installed on the same or on a different device.)

7. Applications on a single device exchange local traffic (either on the Administration Server or on a managed
device). No external ports have to be opened.

8. Data from the Administration Server to the Kaspersky servers (such as KSN data or information about licenses)
and data from the Kaspersky servers to the Administration Server (such as application updates and anti-virus
database updates) are transferred using the HTTPS protocol.
If you do not want your Administration Server to have access to the internet, you must manage this data
manually.

9. Kaspersky Security Center Web Console Server sends data to the Administration Server, which may be
installed on the same or on a different device, through TLS port 13299.
9a. Data from the browser, which is installed on a separate device of the administrator, is transferred to
Kaspersky Security Center Web Console Server through TLS port 8080. The Kaspersky Security Center Web
Console Server can be installed either on the Administration Server or on another device.
10. For Android mobile devices only: data from the Administration Server is transferred to Google servers. This
connection is used to notify Android mobile devices that they are required to connect to the Administration
Server. Then push notifications are sent to the mobile devices.

11. For Android mobile devices only: push notifications from Google servers are sent to the mobile device. This
connection is used to notify mobile devices that they are required to connect to the Administration Server.

12. For iOS mobile devices only: data from the iOS MDM Server is transferred to Apple Push Notification servers.
Then push notifications are sent to the mobile devices.

13. For iOS mobile devices only: push notifications are sent from Apple servers to the mobile device. This
connection is used to notify iOS mobile devices that they are required to connect to the Administration Server.

14. For mobile devices only: data from the managed application is transferred to the Administration Server (or to
the connection gateway) through TLS port 13292 / 13293—directly or through a Microsoft Forefront Threat
Management Gateway (TMG).

15. For mobile devices only: data from the mobile device is transferred to the Kaspersky infrastructure.
15a. If a mobile device does not have internet access, the data is transferred to Administration Server through
port 17100, and the Administration Server sends it to the Kaspersky infrastructure; however, this scenario
applies very rarely.

16. Requests for packages from managed devices, including mobile devices, are transferred to the Web Server,
which is on the same device as the Administration Server.

17. For iOS mobile devices only: data from the mobile device is transferred through TLS port 443 to the iOS MDM
Server, which is on the same device as the Administration Server or on the connection gateway.

Administration Server on LAN, managed devices on internet, connection


gateway in use
The gure below shows data tra ic if the Administration Server is on a local area network (LAN) and the managed
devices, including mobile devices, are on the internet. A connection gateway is in use.

This deployment scheme is recommended if you do not want the mobile devices to connect to the Administration
Server directly and do not want to use a Microsoft Forefront Threat Management Gateway (TMG) or corporate
firewall.

Managed mobile devices connected to the Administration Server through a connection gateway

In this figure, the managed devices are connected to the Administration Server through a connection gateway that
is located in the DMZ. No TMG or corporate firewall is in use.

The arrows indicate the initiation of traffic: each arrow points from a device that initiates the connection to the
device that "answers" the call. The number of the port and the name of the protocol used for data transfer are
provided. Each arrow has a number label, and details about the corresponding data traffic are as follows:

1. Administration Server sends data to the database. If you install the Administration Server and the database on
different devices, you must make available the necessary ports on the device where the database is located
(for example, port 3306 for MySQL Server and MariaDB Server, or port 1433 for Microsoft SQL Server). Please
refer to the DBMS documentation for the relevant information.

2. Requests for communication from the Administration Server are transferred to all non-mobile managed devices
through UDP port 15000.
Network Agents send requests to each other within one broadcasting domain. The data is then sent to the
Administration Server and is used for defining the limits of the broadcasting domain and for automatic
assignment of distribution points (if this option is enabled).
If Administration Server does not have direct access to the managed devices, communication requests from
Administration Server to these devices are not sent directly.

3. Information about shutdown of the managed devices is transferred from Network Agent to the Administration
Server through UDP port 13000.

4. The Administration Server receives connections from Network Agents and from secondary Administration
Servers through SSL port 13000.
If you used an earlier version of Kaspersky Security Center, the Administration Server on your network can
receive connections from Network Agents through non-SSL port 14000. Kaspersky Security Center also
supports connection of Network Agents through port 14000, although using SSL port 13000 is recommended.

The distribution point was called "Update agent" in earlier versions of Kaspersky Security Center.

5. The managed devices (except for mobile devices) request activation through TCP port 17000. This is not
necessary if the device has its own access to the internet; in this case, the device sends the data to Kaspersky
servers over the internet directly.

6. Data from MMC-based Administration Console is transferred to the Administration Server through port 13291.
(The Administration Console can be installed on the same or on a different device.)

7. Applications on a single device exchange local tra ic (either on the Administration Server or on a managed
device). No external ports have to be opened.

8. Data from the Administration Server to the Kaspersky servers (such as KSN data or information about licenses)
and data from the Kaspersky servers to the Administration Server (such as application updates and anti-virus
database updates) are transferred using the HTTPS protocol.
If you do not want your Administration Server to have access to the internet, you must manage this data
manually.

9. Kaspersky Security Center Web Console Server sends data to the Administration Server, which may be
installed on the same or on a different device, through TLS port 13299.

9a. Data from the browser, which is installed on a separate device of the administrator, is transferred to
Kaspersky Security Center Web Console Server through TLS port 8080. The Kaspersky Security Center Web
Console Server can be installed either on the Administration Server or on another device.

10. For Android mobile devices only: data from the Administration Server is transferred to Google servers. This
connection is used to notify Android mobile devices that they are required to connect to the Administration
Server. Then push notifications are sent to the mobile devices.

11. For Android mobile devices only: push notifications from Google servers are sent to the mobile device. This
connection is used to notify mobile devices that they are required to connect to the Administration Server.

12. For iOS mobile devices only: data from the iOS MDM Server is transferred to Apple Push Notification servers.
Then push notifications are sent to the mobile devices.

13. For iOS mobile devices only: push notifications are sent from Apple servers to the mobile device. This
connection is used to notify iOS mobile devices that they are required to connect to the Administration Server.

14. For mobile devices only: data from the managed application is transferred to the Administration Server (or to
the connection gateway) through TLS port 13292 / 13293—directly or through a Microsoft Forefront Threat
Management Gateway (TMG).

15. For mobile devices only: data from the mobile device is transferred to the Kaspersky infrastructure.
15a. If a mobile device does not have internet access, the data is transferred to Administration Server through
port 17100, and the Administration Server sends it to the Kaspersky infrastructure; however, this scenario
applies very rarely.

16. Requests for packages from managed devices, including mobile devices, are transferred to the Web Server,
which is on the same device as the Administration Server.

17. For iOS mobile devices only: data from the mobile device is transferred through TLS port 443 to the iOS MDM
Server, which is on the same device as the Administration Server or on the connection gateway.

Administration Server in DMZ, managed devices on internet


The figure below shows data traffic if the Administration Server is in the demilitarized zone (DMZ) and the managed
devices, including mobile devices, are on the internet.

Administration Server in DMZ, managed mobile devices on the internet

In this figure, a connection gateway is not in use: the mobile devices connect to the Administration Server directly.

The arrows indicate the initiation of traffic: each arrow points from a device that initiates the connection to the
device that "answers" the call. The number of the port and the name of the protocol used for data transfer are
provided. Each arrow has a number label, and details about the corresponding data traffic are as follows:

1. Administration Server sends data to the database. If you install the Administration Server and the database on
different devices, you must make available the necessary ports on the device where the database is located
(for example, port 3306 for MySQL Server and MariaDB Server, or port 1433 for Microsoft SQL Server). Please
refer to the DBMS documentation for the relevant information.

2. Requests for communication from the Administration Server are transferred to all non-mobile managed devices
through UDP port 15000.
Network Agents send requests to each other within one broadcasting domain. The data is then sent to the
Administration Server and is used for defining the limits of the broadcasting domain and for automatic
assignment of distribution points (if this option is enabled).
If Administration Server does not have direct access to the managed devices, communication requests from
Administration Server to these devices are not sent directly.

3. Information about shutdown of the managed devices is transferred from Network Agent to the Administration
Server through UDP port 13000.

4. The Administration Server receives connections from Network Agents and from secondary Administration
Servers through SSL port 13000.
If you used an earlier version of Kaspersky Security Center, the Administration Server on your network can
receive connections from Network Agents through non-SSL port 14000. Kaspersky Security Center also
supports connection of Network Agents through port 14000, although using SSL port 13000 is recommended.

The distribution point was called "Update agent" in earlier versions of Kaspersky Security Center.

4a. A connection gateway in DMZ also receives a connection from the Administration Server through SSL port
13000. Because a connection gateway in DMZ cannot reach the Administration Server's ports, the
Administration Server creates and maintains a permanent signal connection with the connection gateway. The
signal connection is not used for data transfer; it is only used for sending an invitation to the network
interaction. When the connection gateway needs to connect to the Server, it notifies the Server through this
signal connection, and then the Server creates the required connection for data transfer.
Out-of-office devices connect to the connection gateway through SSL port 13000 as well.

5. The managed devices (except for mobile devices) request activation through TCP port 17000. This is not
necessary if the device has its own access to the internet; in this case, the device sends the data to Kaspersky
servers over the internet directly.

6. Data from MMC-based Administration Console is transferred to the Administration Server through port 13291.
(The Administration Console can be installed on the same or on a different device.)

7. Applications on a single device exchange local tra ic (either on the Administration Server or on a managed
device). No external ports have to be opened.

8. Data from the Administration Server to the Kaspersky servers (such as KSN data or information about licenses)
and data from the Kaspersky servers to the Administration Server (such as application updates and anti-virus
database updates) are transferred using the HTTPS protocol.

If you do not want your Administration Server to have access to the internet, you must manage this data
manually.

9. Kaspersky Security Center Web Console Server sends data to the Administration Server, which may be
installed on the same or on a different device, through TLS port 13299.
9a. Data from the browser, which is installed on a separate device of the administrator, is transferred to
Kaspersky Security Center Web Console Server through TLS port 8080. The Kaspersky Security Center Web
Console Server can be installed either on the Administration Server or on another device.

10. For Android mobile devices only: data from the Administration Server is transferred to Google servers. This
connection is used to notify Android mobile devices that they are required to connect to the Administration
Server. Then push notifications are sent to the mobile devices.

11. For Android mobile devices only: push notifications from Google servers are sent to the mobile device. This
connection is used to notify mobile devices that they are required to connect to the Administration Server.

12. For iOS mobile devices only: data from the iOS MDM Server is transferred to Apple Push Notification servers.
Then push notifications are sent to the mobile devices.

13. For iOS mobile devices only: push notifications are sent from Apple servers to the mobile device. This
connection is used to notify iOS mobile devices that they are required to connect to the Administration Server.

14. For mobile devices only: data from the managed application is transferred to the Administration Server (or to
the connection gateway) through TLS port 13292 / 13293—directly or through a Microsoft Forefront Threat
Management Gateway (TMG).

15. For mobile devices only: data from the mobile device is transferred to the Kaspersky infrastructure.
15a. If a mobile device does not have internet access, the data is transferred to Administration Server through
port 17100, and the Administration Server sends it to the Kaspersky infrastructure; however, this scenario
applies very rarely.

16. Requests for packages from managed devices, including mobile devices, are transferred to the Web Server,
which is on the same device as the Administration Server.

17. For iOS mobile devices only: data from the mobile device is transferred through TLS port 443 to the iOS MDM
Server, which is on the same device as the Administration Server or on the connection gateway.
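Turning the numbered list above into firewall configuration is where deployments usually go wrong, so here is an added example (not part of the Kaspersky documentation) that creates the inbound Windows Firewall rules for an Administration Server that must accept connections from the internet, as in the DMZ schema. The ports, protocols and purposes come from the list above (items 3, 4, 5, 6, 9, 14 and 15a); the address scopes, the rule group name and the explicit Block rule for the legacy port 14000 are assumptions of this example and must be adapted to your network.

```powershell
#Requires -RunAsAdministrator
# Added example, not Kaspersky's code: inbound Windows Firewall rules for an Administration
# Server, derived from the numbered traffic list above (items 3, 4, 5, 6, 9, 14, 15a).
# Outbound traffic (DBMS, UDP 15000 to Network Agents, HTTPS to Kaspersky servers, APNs and
# Google, the signal connection to a connection gateway on 13000) is covered by the default
# outbound policy and is not listed here.
# If Web Console Server is installed on this host, also allow 8080/TCP from administrator
# browsers (item 9a).

# Assumptions: placeholder address scopes. Replace them with your own.
$AdminWorkstations = '10.0.10.0/24'   # hosts running the MMC-based Administration Console
$WebConsoleServer  = '10.0.20.5'      # host running Kaspersky Security Center Web Console Server
$RuleGroup         = 'KSC Administration Server'   # assumed group name; makes the script idempotent

# One entry per documented listener. 'Any' is used for ports that internet-connected Network
# Agents and mobile devices must reach; management ports are scoped to the hosts that need them.
$InboundRules = @(
    @{ Name = 'KSC 13000/TCP Network Agents, secondary Servers (TLS)'; Proto = 'TCP'; Port = 13000;         Remote = 'Any' }
    @{ Name = 'KSC 13000/UDP shutdown notifications from agents';      Proto = 'UDP'; Port = 13000;         Remote = 'Any' }
    @{ Name = 'KSC 13291/TCP Administration Console';                  Proto = 'TCP'; Port = 13291;         Remote = $AdminWorkstations }
    @{ Name = 'KSC 13292-13293/TCP mobile devices (TLS)';              Proto = 'TCP'; Port = '13292-13293'; Remote = 'Any' }
    @{ Name = 'KSC 13299/TCP Web Console Server, OpenAPI (TLS)';       Proto = 'TCP'; Port = 13299;         Remote = $WebConsoleServer }
    @{ Name = 'KSC 17000/TCP activation proxy for managed devices';    Proto = 'TCP'; Port = 17000;         Remote = 'Any' }
    @{ Name = 'KSC 17100/TCP activation proxy for mobile devices';     Proto = 'TCP'; Port = 17100;         Remote = 'Any' }
)

function Set-KscInboundFirewallRules {
    [CmdletBinding(SupportsShouldProcess)]
    param()

    # Drop and re-create the whole group so repeated runs converge on the same state.
    Get-NetFirewallRule -Group $RuleGroup -ErrorAction SilentlyContinue |
        Remove-NetFirewallRule -WhatIf:$WhatIfPreference

    foreach ($r in $InboundRules) {
        New-NetFirewallRule -DisplayName $r.Name -Group $RuleGroup -Direction Inbound `
            -Protocol $r.Proto -LocalPort $r.Port -RemoteAddress $r.Remote `
            -Action Allow -Profile Any -WhatIf:$WhatIfPreference | Out-Null
    }

    # Port 14000 is the legacy non-TLS Network Agent port. The default inbound policy already
    # drops it, but an explicit Block rule records the decision where the next admin will see it.
    New-NetFirewallRule -DisplayName 'KSC 14000/TCP legacy non-TLS agents (blocked)' -Group $RuleGroup `
        -Direction Inbound -Protocol TCP -LocalPort 14000 -Action Block -Profile Any `
        -WhatIf:$WhatIfPreference | Out-Null
}

# Preview first, then apply, then show what is in place.
Set-KscInboundFirewallRules -WhatIf
Set-KscInboundFirewallRules
Get-NetFirewallRule -Group $RuleGroup | ForEach-Object {
    $pf = $_ | Get-NetFirewallPortFilter
    $af = $_ | Get-NetFirewallAddressFilter
    [pscustomobject]@{
        Rule = $_.DisplayName; Proto = $pf.Protocol; Port = $pf.LocalPort
        Remote = ($af.RemoteAddress -join ','); Action = $_.Action
    }
} | Format-Table -AutoSize
```

The scoping is the point: only 13000, 13292/13293, 17000 and 17100 need to be reachable from arbitrary internet addresses, while 13291 and 13299 are management interfaces and should be restricted to the console workstations and the Web Console host respectively. Check the resulting table against the schema before opening the perimeter firewall in front of the DMZ.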

Interaction of Kaspersky Security Center components and security applications: more information

This section provides the schemas for interaction of Kaspersky Security Center components and managed
security applications. The schemas provide the numbers of the ports that must be available and the names of the
processes that open those ports.

Conventions used in interaction schemas


The following table provides the conventions used across the schemas.

Document conventions

The icons used in the schemas have the following meanings:

Administration Server
Secondary Administration Server
DBMS
Client device (that has Network Agent and an application from the Kaspersky Endpoint Security family installed, or has a different security application installed that Kaspersky Security Center can manage)
Connection gateway
Distribution point
Mobile client device with Kaspersky Security for Mobile
Browser on the user's device
Process running on the device and opening a port
Port and its number
TCP traffic (the arrow direction shows the traffic flow direction)
UDP traffic (the arrow direction shows the traffic flow direction)
COM invoke
DBMS transport
DMZ boundary

Administration Server and DBMS

Data from the Administration Server enters the SQL Server, MySQL, or MariaDB database.

Administration Server and DBMS

If you install the Administration Server and the database on different devices, you must make available the
necessary ports on the device where the database is located (for example, port 3306 for MySQL Server and
MariaDB Server, or port 1433 for Microsoft SQL Server). Please refer to the DBMS documentation for the
relevant information.

Administration Server and Administration Console

Administration Server and Administration Console

For schema clarifications, see the table below.

Administration Server and Administration Console (traffic)

Device                 Port   Process that opens the port  Protocol  TLS  Port purpose
Administration Server  13291  klserver                     TCP       Yes  Receiving connections from Administration Console

Administration Server and client device: Managing the security application

The Administration Server receives connections from Network Agents via SSL port 13000 (see figure below).

Administration Server and client device: managing the security application, connection via port 13000 (recommended)

If you used an earlier version of Kaspersky Security Center, the Administration Server on your network can receive
connections from Network Agents via non-SSL port 14000 (see figure below). Kaspersky Security Center 14 also
supports connection of Network Agents via port 14000, although using SSL port 13000 is recommended.

Administration Server and client device: managing the security application, connection via port 14000 (lower security)

For clarifications of schemas, see the table below.

Administration Server and client device: Managing the security application (traffic)

Device                 Port   Process that opens the port  Protocol  TLS (for TCP only)  Port purpose
Network Agent          15000  klnagent                     UDP       Null                Multicasting for Network Agents
Administration Server  13000  klserver                     TCP       Yes                 Receiving connections from Network Agents
Administration Server  14000  klserver                     TCP       No                  Receiving connections from Network Agents

Upgrading software on a client device through a distribution point

The client device connects to the distribution point via port 13000 and, if you are using the distribution point as a
push server, also via port 13295; the distribution point multicasts to Network Agents via port 15000 (see figure
below). Updates and installation packages are received from a distribution point via port 15001.

Upgrading software on a client device through a distribution point

For schema clarifications, see the table below.

Upgrading software through a distribution point (traffic)

Device              Port   Process that opens the port  Protocol  TLS (for TCP only)  Port purpose
Network Agent       15000  klnagent                     UDP       Null                Multicasting for Network Agents
Network Agent       15001  klnagent                     UDP       Null                Receiving updates and installation packages from a distribution point
Distribution point  13000  klnagent                     TCP       Yes                 Receiving connections from Network Agents
Distribution point  13295  klnagent                     TCP       Yes                 Receiving connections from client devices (server push)

Hierarchy of Administration Servers: primary Administration Server and secondary Administration Server

The schema (see figure below) shows how port 13000 is used for interaction between Administration Servers
combined into a hierarchy.
While you are combining two Administration Servers into a hierarchy, make sure that port 13291 is accessible on
both Administration Servers: Administration Console connects to each Administration Server through port 13291.
Once the Administration Servers are combined into a hierarchy, you can administer both of them by using
Administration Console connected to the primary Administration Server, so from then on only port 13291 of the
primary Administration Server has to remain accessible.

Hierarchy of Administration Servers: primary Administration Server and secondary Administration Server

For schema clarifications, see the table below.

Hierarchy of Administration Servers (traffic)

Device                         Port   Process that opens the port  Protocol  TLS  Port purpose
Primary Administration Server  13000  klserver                     TCP       Yes  Receiving connections from secondary Administration Servers

Hierarchy of Administration Servers with a secondary Administration Server in DMZ


Hierarchy of Administration Servers with a secondary Administration Server in DMZ

The schema shows a hierarchy of Administration Servers in which the secondary Administration Server located in
DMZ receives a connection from the primary Administration Server (see the table below for schema clarifications).
While you are combining two Administration Servers into a hierarchy, make sure that port 13291 is accessible on
both Administration Servers: Administration Console connects to each Administration Server through port 13291.
Once the Administration Servers are combined into a hierarchy, you can administer both of them by using
Administration Console connected to the primary Administration Server, so from then on only port 13291 of the
primary Administration Server has to remain accessible.

Hierarchy of Administration Servers with a secondary Administration Server in DMZ (traffic)

Device                           Port   Process that opens the port  Protocol  TLS  Port purpose
Secondary Administration Server  13000  klserver                     TCP       Yes  Receiving connections from the primary Administration Server

Administration Server, a connection gateway in a network segment, and a client device


Administration Server, a connection gateway in a network segment, and a client device

For schema clarifications, see the table below.

Administration Server, a connection gateway in a network segment, and a client device (traffic)

Device                              Port   Process that opens the port  Protocol  TLS  Port purpose
Administration Server               13000  klserver                     TCP       Yes  Receiving connections from Network Agents
Network Agent (connection gateway)  13000  klnagent                     TCP       Yes  Receiving connections from Network Agents

Administration Server and two devices in DMZ: a connection gateway and a client device


Administration Server with a connection gateway and a client device in DMZ

For schema clarifications, see the table below.

Administration Server and two devices in DMZ: a connection gateway and a client device (traffic)

Device                              Port   Process that opens the port  Protocol  TLS  Port purpose
Network Agent (connection gateway)  13000  klnagent                     TCP       Yes  Receiving connections from Network Agents

Administration Server and Kaspersky Security Center Web Console

Administration Server and Kaspersky Security Center Web Console

For schema clarifications, see the table below.

Administration Server and Kaspersky Security Center Web Console (traffic)

Device                                                                 Port   Process that opens the port       Protocol  TLS  Port purpose
Administration Server                                                  13299  klserver                          TCP       Yes  Receiving connections from Kaspersky Security Center Web Console to the Administration Server over OpenAPI
Kaspersky Security Center Web Console Server or Administration Server  8080   Node.js: Server-side JavaScript   TCP       Yes  Receiving connections from Kaspersky Security Center Web Console

Kaspersky Security Center Web Console can be installed on the Administration Server or on another device.

Activating and managing the security application on a mobile device

Activating and managing the security application on a mobile device

For schema clarifications, see the table below.

Activating and managing the security application on a mobile device (traffic)

Device                 Port   Process that opens the port  Protocol  TLS  Port purpose
Administration Server  13292  klserver                     TCP       Yes  Receiving connections from mobile devices
Administration Server  17100  klactprx                     TCP       Yes  Receiving connections for application activation from mobile devices
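The tables above name the process that is supposed to own each port, which makes them a usable baseline for a host check. The following added example (not from the Kaspersky documentation) compares the listeners on the local host with that baseline: it reports documented ports owned by an unexpected process, the legacy non-TLS port 14000 if it is open at all, and documented ports with no listener. It assumes it runs on the Administration Server with Network Agent installed alongside; matching the Web Console's "Node.js: Server-side JavaScript" process by the process name 'node' is an assumption of this example.

```powershell
# Added example, not Kaspersky's code: audit the ports listening on this host against the owner
# processes documented in the tables above. Intended to run on the Administration Server.
# Assumption: the Web Console's "Node.js: Server-side JavaScript" process is matched as 'node'.

$Expected = @{
    '13000/TCP' = @{ Owner = @('klserver', 'klnagent'); Tls = $true;  Purpose = 'Network Agents, secondary Servers, connection gateway' }
    '13291/TCP' = @{ Owner = @('klserver');             Tls = $true;  Purpose = 'Administration Console' }
    '13292/TCP' = @{ Owner = @('klserver');             Tls = $true;  Purpose = 'Mobile devices' }
    '13299/TCP' = @{ Owner = @('klserver');             Tls = $true;  Purpose = 'Web Console Server over OpenAPI' }
    '14000/TCP' = @{ Owner = @('klserver');             Tls = $false; Purpose = 'Legacy Network Agents without TLS' }
    '17100/TCP' = @{ Owner = @('klactprx');             Tls = $true;  Purpose = 'Activation requests from mobile devices' }
    '13295/TCP' = @{ Owner = @('klnagent');             Tls = $true;  Purpose = 'Distribution point push server' }
    '8080/TCP'  = @{ Owner = @('node');                 Tls = $true;  Purpose = 'Browser access to Web Console' }
    '15000/UDP' = @{ Owner = @('klnagent');             Tls = $false; Purpose = 'Network Agent multicast' }
    '15001/UDP' = @{ Owner = @('klnagent');             Tls = $false; Purpose = 'Updates and packages from a distribution point' }
}

function Get-KscListenerAudit {
    # Collect every TCP listener and UDP endpoint with its owning PID, keyed like $Expected.
    $listeners = @(
        Get-NetTCPConnection -State Listen | ForEach-Object {
            [pscustomobject]@{ Key = "$($_.LocalPort)/TCP"; Address = $_.LocalAddress; ProcId = $_.OwningProcess }
        }
        Get-NetUDPEndpoint | ForEach-Object {
            [pscustomobject]@{ Key = "$($_.LocalPort)/UDP"; Address = $_.LocalAddress; ProcId = $_.OwningProcess }
        }
    )

    foreach ($l in $listeners) {
        if (-not $Expected.ContainsKey($l.Key)) { continue }   # not a documented KSC port
        $exp   = $Expected[$l.Key]
        $owner = (Get-Process -Id $l.ProcId -ErrorAction SilentlyContinue).ProcessName
        # 14000 is reported even when klserver owns it: the table marks it as the non-TLS path.
        $status = if ($l.Key -eq '14000/TCP') { 'LEGACY NON-TLS PORT OPEN' }
                  elseif ($exp.Owner -contains $owner) { 'OK' }
                  else { 'UNEXPECTED OWNER' }
        [pscustomobject]@{
            Port = $l.Key; Address = $l.Address; Owner = $owner
            Expected = ($exp.Owner -join '|'); TLS = $exp.Tls; Status = $status; Purpose = $exp.Purpose
        }
    }

    # Documented ports with no listener: expected for optional components (Web Console,
    # distribution point), but 13000/TCP or 13291/TCP missing means agents or the console cannot connect.
    $seen = $listeners.Key
    foreach ($k in $Expected.Keys | Where-Object { $seen -notcontains $_ }) {
        $exp = $Expected[$k]
        [pscustomobject]@{
            Port = $k; Address = $null; Owner = $null
            Expected = ($exp.Owner -join '|'); TLS = $exp.Tls; Status = 'NOT LISTENING'; Purpose = $exp.Purpose
        }
    }
}

Get-KscListenerAudit | Sort-Object Status, Port | Format-Table -AutoSize
```

Run it after installation and again after each upgrade: a documented port bound by something other than the listed klserver, klnagent or klactprx process, or a 14000/TCP listener appearing on a server that was supposed to accept TLS-only connections, is exactly the kind of drift the schemas are meant to rule out.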

Deployment best practices


Kaspersky Security Center is a distributed application. Kaspersky Security Center includes the following
applications:

Administration Server—The core component, designed for managing devices of an organization and storing
data in a DBMS.

Administration Console—The basic tool for the administrator. Administration Console is shipped together with
Administration Server, but it can also be installed individually on one or several devices run by the administrator.

Network Agent—Designed for managing the security application installed on a device, as well as getting
information about that device and transferring this information to the Administration Server. Network Agents
are installed on devices of an organization.

Deployment of Kaspersky Security Center on an organization's network is performed as follows:

Installation of Administration Server

Installation of Administration Console on the administrator's device

Installation of Network Agent and the security application on devices of the enterprise

Preparation for deployment
This section describes steps you must take before deploying Kaspersky Security Center.

Planning Kaspersky Security Center deployment


This section provides information about the most convenient options for deployment of Kaspersky Security
Center components on an organization's network, depending on the following criteria:

Total number of devices

Units (local offices, branches) that are detached organizationally or geographically

Separate networks connected by narrow channels

Need for internet access to the Administration Server

Typical schemes of protection system deployment


This section describes the standard deployment schemes of a protection system in an enterprise network using
Kaspersky Security Center.

The system must be protected against any type of unauthorized access. We recommend that you install all
available security updates for your operating system before installing the application on your device and physically
protect Administration Server(s) and distribution point(s).

You can use Kaspersky Security Center to deploy a protection system on a corporate network by means of the
following deployment schemes:

Deploying a protection system through Kaspersky Security Center, in one of the following ways:

Through Administration Console

Through Kaspersky Security Center Web Console

Kaspersky applications are automatically installed on client devices, which in turn are automatically connected
to the Administration Server by using Kaspersky Security Center.
The basic deployment scheme is protection system deployment through Administration Console. Using
Kaspersky Security Center Web Console allows you to launch installation of Kaspersky applications from a
browser.

Deploying a protection system manually using stand-alone installation packages generated by Kaspersky
Security Center.
Installation of Kaspersky applications on client devices and the administrator's workstation is performed
manually; the settings for connecting client devices to the Administration Server are specified when Network
Agent is installed.
This deployment method is recommended in cases when remote installation is not possible.

Kaspersky Security Center also allows you to deploy your protection system using Microsoft Active
Directory® group policies.

About planning Kaspersky Security Center deployment in an organization's network


One Administration Server can support a maximum of 100,000 devices. If the total number of devices on an
organization's network exceeds 100,000, multiple Administration Servers must be deployed on that network and
combined into a hierarchy for convenient centralized management.

If an organization includes large-scale remote local offices (branches) with their own administrators, it is useful to
deploy Administration Servers in those offices. Otherwise, those offices must be viewed as detached networks
connected by low-throughput channels; see section "Standard configuration: A few large-scale offices run by their
own administrators".

When detached networks connected with narrow channels are used, traffic can be saved by assigning one or
several Network Agents to act as distribution points (see table for calculation of the number of distribution
points). In this case, all devices on a detached network retrieve updates from such local update centers. Actual
distribution points can download updates both from the Administration Server (default scenario), and from
Kaspersky servers on the internet (see section "Standard configuration: Multiple small remote offices").

Section "Standard configurations of Kaspersky Security Center" provides detailed descriptions of the standard
configurations of Kaspersky Security Center. When planning the deployment, choose the most suitable standard
configuration, depending on the organization's structure.

At the deployment planning stage, consider whether to assign a custom X.509 certificate to the Administration
Server. A custom X.509 certificate may be useful in the following cases (partial list):

Inspecting SSL/TLS traffic by means of an SSL termination proxy, or using a reverse proxy

Integration with the public key infrastructure (PKI) of an organization

Specifying required values in certificate fields

Providing the required encryption strength of a certificate

Selecting a structure for protection of an enterprise


Selection of a structure for protection of an organization is defined by the following factors:

Organization's network topology.

Organizational structure.

Number of employees in charge of the network protection, and allocation of their responsibilities.

Hardware resources that can be allocated to protection management components.

Throughput of communication channels that can be allocated to maintenance of protection components on
the organizational network.

Time limits for execution of critical administrative operations on the organization's network. Critical
administrative operations include, for example, the distribution of anti-virus databases and modification of
policies for client devices.

When you select a protection structure, it is recommended first to estimate the available network and hardware
resources that can be used for the operation of a centralized protection system.

To analyze the network and hardware infrastructure, it is recommended that you follow the process below:

1. Define the following settings of the network on which the protection will be deployed:

Number of network segments.

Speed of communication channels between individual network segments.

Number of managed devices in each of the network segments.

Throughput of each communication channel that can be allocated to maintain the operation of the
protection.

2. Determine the maximum allowed time for the execution of key administrative operations for all managed
devices.

3. Analyze information from steps 1 and 2, as well as data from load testing of the administration system. Based on
the analysis, answer the following questions:

Is it possible to serve all the clients with a single Administration Server, or is a hierarchy of Administration
Servers required?

Which hardware configuration of Administration Servers is required in order to deal with all the clients within
the time limits specified in step 2?

Is it required to use distribution points to reduce load on communication channels?

Upon obtaining answers to the questions in step 3 above, you can compile a set of allowed structures of the
organization's protection.

On the organization's network you can use one of the following standard protection structures:

One Administration Server. All client devices are connected to a single Administration Server. Administration
Server functions as distribution point.

One Administration Server with distribution points. All client devices are connected to a single Administration
Server. Some of the networked client devices function as distribution points.

Hierarchy of Administration Servers. For each network segment, an individual Administration Server is allocated
and becomes part of a general hierarchy of Administration Servers. The primary Administration Server
functions as distribution point.

Hierarchy of Administration Servers with distribution points. For each network segment, an individual
Administration Server is allocated and becomes part of a general hierarchy of Administration Servers. Some of
the networked client devices function as distribution points.

Standard configurations of Kaspersky Security Center

This section describes the following standard configurations used for deployment of Kaspersky Security Center
components on an organization's network:

Single office

A few large-scale offices, which are geographically detached and run by their own administrators

Multiple small offices, which are geographically detached

Standard configuration: Single office


One or several Administration Servers can be deployed on the organization's network. The number of
Administration Servers can be selected either based on available hardware, or on the total number of managed
devices.

One Administration Server can support up to 100,000 devices. You must consider the possibility of increasing the
number of managed devices in the near future: it may be useful to connect a slightly smaller number of devices to
a single Administration Server.

Administration Servers can be deployed either on the internal network, or in the DMZ, depending on whether
internet access to the Administration Servers is required.

If multiple Servers are used, it is recommended that you combine them into a hierarchy. Using an Administration
Server hierarchy allows you to avoid duplicated policies and tasks, and to handle the whole set of managed devices
as if they were managed by a single Administration Server (that is, search for devices, build selections of devices,
and create reports).

Standard configuration: A few large-scale offices run by their own administrators
If an organization has a few large-scale, geographically separate offices, you must consider the option of deploying
Administration Servers at each of the offices. One or several Administration Servers can be deployed per office,
depending on the number of client devices and hardware available. In this case, each of the offices can be viewed
as a "Standard configuration: Single office". For ease of administration, it is recommended to combine all of the
Administration Servers into a hierarchy (possibly multi-level).

If some employees move between offices with their devices (laptops), create Network Agent connection profiles in
the Network Agent policy. Network Agent connection profiles are only supported for Windows and macOS hosts.

Standard configuration: Multiple small remote offices


This standard configuration provides for a headquarters office and many remote small offices that may
communicate with the HQ office over the internet. Each of the remote offices may be located behind a Network
Address Translation (NAT), that is, no connection can be established between two remote offices because they
are isolated.

An Administration Server must be deployed at the headquarters office, and one or multiple distribution points
must be assigned to all other offices. If the offices are linked through the internet, it may be useful to create a
Download updates to the repositories of distribution points task for the distribution points, so that they will
download updates directly from Kaspersky servers, local or network folder, not from the Administration Server.

If some devices at a remote office have no direct access to the Administration Server (for example, access to the
Administration Server is provided over the internet but some devices have no internet access), distribution points
must be switched into connection gateway mode. In this case, Network Agents on devices at the remote office will
be connected, for further synchronization, to the Administration Server through the gateway, not directly.

As the Administration Server, most probably, will not be able to poll the remote office network, it may be useful to
turn this function over to a distribution point.

The Administration Server will not be able to send notifications to port 15000 UDP to managed devices located
behind the NAT at the remote office. To resolve this issue, you can enable the mode of continuous connection to
the Administration Server in the properties of devices acting as distribution points (Do not disconnect from the
Administration Server check box). This mode is available if the total number of distribution points does not exceed
300. Use push servers to make sure that there is continuous connectivity between a managed device and the
Administration Server. Refer to the following topic for details: Using a distribution point as a push server.

How to select a DBMS for Administration Server


When selecting the database management system (DBMS) to be used by an Administration Server, you must take
into account the number of devices covered by the Administration Server.

SQL Server Express Edition has limitations on the memory volume used, number of CPU cores used, and maximum
size of the database. Therefore, you cannot use SQL Server Express Edition if your Administration Server covers
more than 10,000 devices, or if Application Control is used on managed devices. If the Administration Server is
used as Windows Server Update Services (WSUS) server, you cannot use SQL Server Express Edition either.

If the Administration Server covers more than 10,000 devices, we recommend that you use SQL Server versions
with fewer limitations, such as: SQL Server Workgroup Edition, SQL Server® Web Edition, SQL Server Standard
Edition, or SQL Server Enterprise Edition.

If the Administration Server covers 50,000 devices (or less), and if Application Control is not used on managed
devices, you can also use MySQL 8.0.20 and the later versions.

If the Administration Server covers 20,000 devices (or fewer) and if Application Control is not used on managed
devices, you can use MariaDB Server 10.3 as the DBMS.

If the Administration Server covers 10,000 devices (or less), and if Application Control is not used on managed
devices, you can also use MySQL 5.5, 5.6, or 5.7 as the DBMS.

MySQL versions 5.5.1, 5.5.2, 5.5.3, 5.5.4, and 5.5.5 are no longer supported.

If you are using SQL Server 2019 as a DBMS and you do not have cumulative patch CU12 or later, you have to
perform the following after installing Kaspersky Security Center:

1. Connect to SQL Server using SQL Management Studio.

2. Run the following commands (if you chose a different name for the database, use that name instead of KAV):
USE KAV
GO
ALTER DATABASE SCOPED CONFIGURATION SET TSQL_SCALAR_UDF_INLINING = OFF
GO

3. Restart the SQL Server 2019 service.

Otherwise, using SQL Server 2019 may result in errors, such as "There is insufficient system memory in resource
pool 'internal' to run this query."

Selecting a DBMS

When installing Administration Server, you can select the DBMS that Administration Server will use. When
selecting the database management system (DBMS) to be used by an Administration Server, you must take into
account the number of devices covered by the Administration Server.

The following table lists the valid DBMS options, as well as the restrictions on their use.

Restrictions on DBMS

DBMS: SQL Server Express Edition 2012 or later
Restrictions: Use this DBMS if you intend to run a single Administration Server for less than 10,000 devices.
It is recommended to disable the Software inventory task and disable (in the Kaspersky Endpoint Security policy
settings) notifications of Administration Server on started applications. Refer to the following topic for details:
Calculation of database space.
Concurrent use of the SQL Server Express Edition DBMS by Administration Server and another application is
strictly forbidden.
The Microsoft SQL Express database is not supported for the Perform Windows Update synchronization task.

DBMS: Local SQL Server edition, other than Express, 2012 or later
Restrictions: No limitations.

DBMS: Remote SQL Server edition, other than Express, 2012 or later
Restrictions: Only valid if both devices are in the same Windows® domain; if the domains differ, a two-way trust
relationship must be established between them.

DBMS: Local or remote MySQL 5.5, 5.6, or 5.7 (MySQL versions 5.5.1, 5.5.2, 5.5.3, 5.5.4, and 5.5.5 are no longer
supported)
Restrictions: Not recommended if you intend to run a single Administration Server for more than 10,000 devices.
It is recommended to disable the Software inventory task and disable (in the Kaspersky Endpoint Security policy
settings) notifications of Administration Server on started applications. Refer to the following topic for details:
Calculation of database space.

DBMS: Local or remote MySQL 8.0.20 or later
Restrictions: Not recommended if you intend to run a single Administration Server for more than 50,000 devices.
It is recommended to disable the Software inventory task and disable (in the Kaspersky Endpoint Security policy
settings) notifications of Administration Server on started applications. Refer to the following topic for details:
Calculation of database space.

DBMS: Local or remote MariaDB Server 10.3, MariaDB 10.3 (build 10.3.22 or later)
Restrictions: Not recommended if you intend to run a single Administration Server for more than 20,000 devices.
It is recommended to disable the Software inventory task and disable (in the Kaspersky Endpoint Security policy
settings) notifications of Administration Server on started applications. Refer to the following topic for details:
Calculation of database space.

If you are using SQL Server 2019 as a DBMS and you do not have cumulative patch CU12 or later, you have to
perform the following after installing Kaspersky Security Center:

1. Connect to SQL Server using SQL Management Studio.

2. Run the following commands (if you chose a different name for the database, use that name instead of KAV):
USE KAV
GO
ALTER DATABASE SCOPED CONFIGURATION SET TSQL_SCALAR_UDF_INLINING = OFF
GO

3. Restart the SQL Server 2019 service.

Otherwise, using SQL Server 2019 may result in errors, such as "There is insufficient system memory in resource
pool 'internal' to run this query."

Concurrent use of the SQL Server Express Edition DBMS by Administration Server and another application is
strictly forbidden.

Managing mobile devices with Kaspersky Endpoint Security for Android


Mobile devices with installed Kaspersky Endpoint Security for Android™ (hereinafter referred to as KES devices)
are managed by means of the Administration Server. Kaspersky Security Center supports the following features
for managing KES devices:

Handling mobile devices as client devices:

Membership in administration groups

Monitoring, such as viewing statuses, events, and reports

Modifying local settings and assigning policies for Kaspersky Endpoint Security for Android

Sending commands in centralized mode

Installing mobile apps packages remotely

Administration Server manages KES devices through TLS, TCP port 13292.

Providing internet access to Administration Server


The following cases require internet access to the Administration Server:

Regular updating of Kaspersky databases, software modules, and applications

Updating third-party software


By default, internet connection is not required for Administration Server to install Microsoft software updates
on the managed devices. For example, the managed devices can download the Microsoft software updates
directly from Microsoft Update servers or from Windows Server with Microsoft Windows Server Update
Services (WSUS) deployed in your organization's network. Administration Server must be connected to the
internet in the following cases:

When you use Administration Server as WSUS server

To install updates of third-party software other than Microsoft software

Fixing third-party software vulnerabilities


Internet connection is required for Administration Server to perform the following tasks:
To make a list of recommended fixes for vulnerabilities in Microsoft software. The list is created and regularly
updated by Kaspersky specialists.

To fix vulnerabilities in third-party software other than Microsoft software.

Managing devices (laptops) of out-of-office users

Managing devices in remote o ices

Interacting with primary or secondary Administration Servers located in remote o ices

Managing mobile devices

This section describes typical ways of providing access to the Administration Server over the internet. Each of the
cases focusing on providing internet access to the Administration Server may require a dedicated certificate for
the Administration Server.

Internet access: Administration Server on a local network


If the Administration Server is located on the internal network of an organization, you might want to make TCP port
13000 of the Administration Server accessible from outside by means of port forwarding. If mobile device
management is required, you might want to make accessible port 13292 TCP.

Internet access: Administration Server in DMZ


If the Administration Server is located in the DMZ of the organization's network, it has no access to the
organization's internal network. Therefore, the following limitations apply:

The Administration Server cannot detect new devices.

The Administration Server cannot perform initial deployment of Network Agent through forced installation on
devices on the internal network of the organization.

This only applies to the initial installation of Network Agent. Any further upgrades of Network Agent or the security
application installation can, however, be performed by the Administration Server. At the same time, the initial
deployment of Network Agents can be performed by other means, for example, through group policies of
Microsoft® Active Directory®.

The Administration Server cannot send notifications to managed devices through port 15000 UDP, which is not
critical for the Kaspersky Security Center functioning.

The Administration Server cannot poll Active Directory. However, results of Active Directory polling are not
required in most scenarios.

If the above limitations are viewed as critical, they can be removed by using distribution points located on the
organization's network:

To perform initial deployment on devices without Network Agent, you first install Network Agent on one of the
devices and then assign it the distribution point status. As a result, initial installation of Network Agent on other
devices will be performed by the Administration Server through this distribution point.

To detect new devices on the internal network of the organization and poll Active Directory, you must enable
the relevant device discovery methods on one of the distribution points.

To ensure a successful sending of notifications to port 15000 UDP on managed devices located on the internal
network of the organization, you must cover the entire network with distribution points. In the properties of the
distribution points that were assigned, select the Do not disconnect from the Administration Server check box.
As a result, the Administration Server will establish a continuous connection to the distribution points while they
will be able to send notifications to port 15000 UDP on devices that are on the organization's internal network (it
can be an IPv4 or IPv6 network).

Internet access: Network Agent as connection gateway in DMZ


Administration Server can be located on the internal network of the organization, and in that network's DMZ there
can be a device with Network Agent running as a connection gateway with reverse connectivity (Administration
Server establishes a connection to Network Agent). In this case, the following conditions must be met to ensure
internet access:

Network Agent must be installed on the device that is in the DMZ. When you install Network Agent, in the
Connection gateway window of the Setup Wizard, select Use Network Agent as a connection gateway in
DMZ.

The device with the installed connection gateway must be added as a distribution point. When you add the
connection gateway, in the Add distribution point window, select the Select → Add connection gateway in
DMZ by address option.

To use an internet connection to connect external desktop computers to the Administration Server, the
installation package for Network Agent must be corrected. In the properties of the created installation
package, select the Advanced → Connect to Administration Server by using a connection gateway option,
and then specify the newly created connection gateway.

For the connection gateway in the DMZ, Administration Server creates a certificate signed with the Administration
Server certificate. If the administrator decides to assign a custom certificate to Administration Server, it must be
done before a connection gateway is created in the DMZ.

If some employees use laptops that can connect to Administration Server either from the local network or over
the internet, it may be useful to create a switching rule for Network Agent in the Network Agent's policy.

About distribution points


A device with Network Agent installed can be used as a distribution point. In this mode, Network Agent can
perform the following functions:

Distribute updates (these can be retrieved either from the Administration Server or from Kaspersky servers). In
the latter case, the Download updates to the repositories of distribution points task must be created for the
device that serves as the distribution point.

Install software (including initial deployment of Network Agents) on other devices.

Poll the network to detect new devices and update information about existing ones. A distribution point can
apply the same device discovery methods as the Administration Server.

Deployment of distribution points on an organization's network has the following objectives:

Reducing the load on the Administration Server.

Optimizing traffic.

Providing the Administration Server with access to devices in hard-to-reach spots of the organization's
network. The availability of a distribution point on the network behind a NAT (in relation to the Administration
Server) allows the Administration Server to perform the following actions:

Send notifications to devices over UDP on the IPv4 or IPv6 network

Poll the IPv4 or IPv6 network

Perform initial deployment

Act as a push server

A distribution point is assigned for an administration group. In this case, the scope of the distribution point includes
all devices within the administration group and all of its subgroups. However, the device that acts as the
distribution point does not have to be a member of the administration group to which it has been assigned.

You can make a distribution point function as a connection gateway. In this case, devices in the scope of the
distribution point will be connected to the Administration Server through the gateway, not directly. This mode can
be useful in scenarios that do not allow the establishment of a direct connection between the Administration
Server and managed devices.

Calculating the number and configuration of distribution points


The more client devices a network contains, the more distribution points it requires. We recommend that you not
disable automatic assignment of distribution points. When automatic assignment of distribution points is enabled,
Administration Server assigns distribution points if the number of client devices is quite large and defines their
configuration.

Using exclusively assigned distribution points

If you plan to use certain specific devices as distribution points (that is, exclusively assigned servers), you can opt
out of using automatic assignment of distribution points. In this case, make sure that the devices that you intend
to make distribution points have sufficient volume of free disk space, are not shut down regularly, and have Sleep
mode disabled.

Number of exclusively assigned distribution points on a network that contains a single network segment, based on the number of networked devices

Number of distribution points by number of client devices in the network segment:
Less than 300: 0 (do not assign distribution points)
More than 300: acceptable (N/10,000 + 1), recommended (N/5000 + 2), where N is the number of networked devices

Number of exclusively assigned distribution points on a network that contains multiple network segments, based on the number of networked devices

Number of distribution points by number of client devices per network segment:
Less than 10: 0 (do not assign distribution points)
10–100: 1
More than 100: acceptable (N/10,000 + 1), recommended (N/5000 + 2), where N is the number of networked devices

Using standard client devices (workstations) as distribution points

If you plan to use standard client devices (that is, workstations) as distribution points, we recommend that you
assign distribution points as shown in the tables below in order to avoid excessive load on the communication
channels and on Administration Server:

Number of workstations functioning as distribution points on a network that contains a single network segment, based on the number of networked
devices

Number of distribution points by number of client devices in the network segment:
Less than 300: 0 (do not assign distribution points)
More than 300: (N/300 + 1), where N is the number of networked devices; there must be at least 3 distribution points

Number of workstations functioning as distribution points on a network that contains multiple network segments, based on the number of networked
devices

Number of distribution points by number of client devices per network segment:
Less than 10: 0 (do not assign distribution points)
10–30: 1
31–300: 2
More than 300: (N/300 + 1), where N is the number of networked devices; there must be at least 3 distribution points

If a distribution point is shut down (or not available for some other reason), the managed devices in its scope can
access the Administration Server for updates.

Hierarchy of Administration Servers


An MSP may run multiple Administration Servers. It can be inconvenient to administer several separate
Administration Servers, so a hierarchy can be applied. A "primary/secondary" configuration for two Administration
Servers provides the following options:

A secondary Administration Server inherits policies and tasks from the primary Administration Server, thus
preventing duplication of settings.

Selections of devices on the primary Administration Server can include devices from secondary Administration
Servers.

Reports on the primary Administration Server can contain data (including detailed information) from secondary
Administration Servers.

Virtual Administration Servers

On the basis of a physical Administration Server, multiple virtual Administration Servers can be created, which will
be similar to secondary Administration Servers. Compared to the discretionary access model, which is based on
access control lists (ACLs), the virtual Administration Server model is more functional and provides a larger degree
of isolation. In addition to a dedicated structure of administration groups for assigned devices with policies and
tasks, each virtual Administration Server features its own group of unassigned devices, own sets of reports,
selected devices and events, installation packages, moving rules, etc. The functional scope of virtual
Administration Servers can be used both by service providers (xSP) to maximize the isolation of customers, and by
large-scale organizations with sophisticated workflows and numerous administrators.

Virtual Administration Servers are very similar to secondary Administration Servers, but with the following
distinctions:

A virtual Administration Server lacks most global settings and its own TCP ports.

A virtual Administration Server has no secondary Administration Servers.

A virtual Administration Server has no other virtual Administration Servers.

A physical Administration Server views devices, groups, events, and objects on managed devices (items in
Quarantine, applications registry, etc.) of all its virtual Administration Servers.

A virtual Administration Server can only scan the network with distribution points connected.

Information about limitations of Kaspersky Security Center


The following table displays the limitations of the current version of Kaspersky Security Center.

Limitations of Kaspersky Security Center

Type of limitation: Value
Maximum number of managed devices per Administration Server: 100,000
Maximum number of devices with the Do not disconnect from the Administration Server option selected: 300
Maximum number of administration groups: 10,000
Maximum number of events to store: 45,000,000
Maximum number of policies: 2000
Maximum number of tasks: 2000
Maximum total number of Active Directory objects (organizational units (OUs) and accounts of users, devices,
and security groups): 1,000,000
Maximum number of profiles in a policy: 100
Maximum number of secondary Administration Servers on a single primary Administration Server: 500
Maximum number of virtual Administration Servers: 500
Maximum number of devices that a single distribution point can cover (distribution points can cover non-mobile
devices only): 10,000
Maximum number of devices that may use a single connection gateway: 10,000, including mobile devices
Maximum number of mobile devices per Administration Server: 100,000 minus the number of stationary managed
devices

Network load
This section contains information about the volume of network traffic that the client devices and Administration
Server exchange during key administrative scenarios.

The main load on the network is caused by the following administrative scenarios in progress:

Initial deployment of anti-virus protection

Initial update of anti-virus databases

Synchronization of a client device with Administration Server

Regular updates of anti-virus databases

Processing of events on client devices by Administration Server

Initial deployment of anti-virus protection


This section provides information about traffic volume values after Network Agent 14 and Kaspersky Endpoint
Security for Windows are installed on the client device (see the table below).

The Network Agent is installed using forced installation, when the files required for setup are copied by
Administration Server to a shared folder on the client device. After installation, the Network Agent retrieves the
distribution package of Kaspersky Endpoint Security for Windows, using the connection to the Administration
Server.

Traffic

Scenario: Network Agent installation for a single client device
Traffic from a client device to Administration Server, KB: 1638.4
Traffic from Administration Server to a client device, KB: 69,990.4
Total traffic (for a single client device), KB: 71,628.8

Scenario: Installing Kaspersky Endpoint Security for Windows on one client device (with databases updated)
Traffic from a client device to Administration Server, KB: 7843.84
Traffic from Administration Server to a client device, KB: 259,317.76
Total traffic (for a single client device), KB: 267,161.6

Scenario: Concurrent installation of Network Agent and Kaspersky Endpoint Security for Windows
Traffic from a client device to Administration Server, KB: 9707.52
Traffic from Administration Server to a client device, KB: 329,318.4
Total traffic (for a single client device), KB: 339,025.92

After Network Agents are installed on the client devices, one of the devices in the administration group can be
assigned to act as distribution point. It is used for distribution of installation packages. In this case, traffic volume
transferred during initial deployment of anti-virus protection varies significantly depending on whether you are
using IP multicasting.

If IP multicasting is used, installation packages are sent once to all running devices in the administration group.
Thus, total traffic becomes N times smaller, where N stands for the total number of running devices in the
administration group. If you are not using IP multicasting, the total traffic is identical to the traffic calculated as if
the distribution packages are downloaded from the Administration Server. However, the package source is the
distribution point, not the Administration Server.

Initial update of anti-virus databases

The traffic rates during initial update of anti-virus databases (when starting the database update task for the first
time on a client device), are as follows:

Traffic from a client device to Administration Server: 1.8 MB.

Traffic from Administration Server to a client device: 113 MB.

Total traffic (for a single client device): 114 MB.

The data may vary slightly depending upon the current version of the anti-virus database.

Synchronizing a client with the Administration Server

This scenario describes the state of the administration system when intensive data synchronization occurs
between a client device and the Administration Server. Client devices connect to the Administration Server with
the interval defined by the administrator. The Administration Server compares the status of data on a client device
with that on the Server, records information in the database about the last client device connection, and
synchronizes data.

This section contains information about traffic values for basic administration scenarios when connecting a client
to the Administration Server (see table below). The data in the table may vary slightly depending upon the current
version of the anti-virus database.

Traffic

Scenario: Initial synchronization prior to updating databases on a client device
Traffic from client devices to Administration Server, KB: 699.44
Traffic from Administration Server to client devices, KB: 568.42
Total traffic (for a single client device), KB: 1267.86

Scenario: Initial synchronization after updating databases on a client device
Traffic from client devices to Administration Server, KB: 735.8
Traffic from Administration Server to client devices, KB: 4474.88
Total traffic (for a single client device), KB: 5210.68

Scenario: Synchronization with no changes on a client device and the Administration Server
Traffic from client devices to Administration Server, KB: 11.99
Traffic from Administration Server to client devices, KB: 6.73
Total traffic (for a single client device), KB: 18.72

Scenario: Synchronization after changing the value of a setting in a group policy
Traffic from client devices to Administration Server, KB: 9.79
Traffic from Administration Server to client devices, KB: 11.39
Total traffic (for a single client device), KB: 21.18

Scenario: Synchronization after changing the value of a setting in a group task
Traffic from client devices to Administration Server, KB: 11.27
Traffic from Administration Server to client devices, KB: 11.72
Total traffic (for a single client device), KB: 22.99

Scenario: Forced synchronization with no changes on a client device
Traffic from client devices to Administration Server, KB: 77.59
Traffic from Administration Server to client devices, KB: 99.45
Total traffic (for a single client device), KB: 177.04

Overall traffic volume varies considerably depending on whether IP multicasting is used within administration
groups. If IP multicasting is used, the total traffic volume decreases approximately by N times for the group, where
N stands for the total number of devices included in the administration group.

The volume of traffic at initial synchronization before and after an update of the databases is specified for the
following cases:

Installing Network Agent and a security application on a client device

Moving a client device to an administration group

Applying a policy and tasks that have been created for the group by default, to a client device

The table specifies traffic rates in case of changes to one of the protection settings that are included in the
Kaspersky Endpoint Security policy settings. Data for other policy settings may differ from data displayed in the
table.

Additional update of anti-virus databases

The traffic rates in case of an incremental update of anti-virus databases 20 hours after the previous update are
as follows:

Traffic from a client device to Administration Server: 169 KB.

Traffic from Administration Server to a client device: 16 MB.

Total traffic (for a single client device): 16.3 MB.

The data in the table may vary slightly depending upon the current version of the anti-virus database.

Traffic volume varies significantly depending on whether IP multicasting is used within administration groups. If IP
multicasting is used, the total traffic volume decreases approximately by N times for the group, where N stands for
the total number of devices included in the administration group.

Processing of events from clients by Administration Server

This section provides information about traffic volume values when a client device encounters a "Virus detected"
event, which is then sent to the Administration Server and registered in the database (see table below).

Traffic

Scenario: Data transfer to Administration Server when a "Virus detected" event occurs
Traffic from a client device to Administration Server, KB: 49.66
Traffic from Administration Server to a client device, KB: 28.64
Total traffic (for a single client device), KB: 78.3

Scenario: Data transfer to Administration Server when nine "Virus detected" events occur
Traffic from a client device to Administration Server, KB: 64.05
Traffic from Administration Server to a client device, KB: 31.97
Total traffic (for a single client device), KB: 96.02

Data in the table may vary slightly depending upon the current version of the anti-virus application and the events
that are defined in its policy for registration in the Administration Server database.

Traffic per 24 hours

This section contains information about traffic rates for 24 hours of the administration system's activity in a "quiet"
condition, when no data changes are made either by client devices or by the Administration Server (see table
below).

Data presented in the table describe the network's condition after standard installation of Kaspersky Security
Center and completion of the Quick Start Wizard. The frequency of synchronization of the client device with
Administration Server was 20 minutes; updates were downloaded to the Administration Server repository once per
hour.

Traffic rates per 24 hours in idle state

Traffic flow: Value
Traffic from a client device to Administration Server, KB: 3235.84
Traffic from Administration Server to a client device, KB: 64,378.88
Total traffic (for a single client device), KB: 67,614.72

Preparing for mobile device management


This section provides the following information:

About Exchange Mobile Device Server intended for management of mobile devices over the Exchange
ActiveSync protocol

About iOS MDM Server intended for management of iOS devices by installing dedicated iOS MDM profiles on
them

About management of mobile devices that have Kaspersky Endpoint Security for Android installed

Exchange Mobile Device Server


An Exchange Mobile Device Server allows you to manage mobile devices that are connected to an Administration
Server using the Exchange ActiveSync protocol (EAS devices).

How to deploy an Exchange Mobile Device Server


If multiple Microsoft Exchange servers within a Client Access Server array have been deployed in the organization,
an Exchange Mobile Device Server must be installed on each of the servers in that array. The Cluster mode option
must be enabled in the Exchange Mobile Device Server Installation Wizard. In this case, the set of instances of the
Exchange Mobile Device Server installed on servers in the array is called the cluster of Exchange Mobile Device
Servers.

If no Client Access server array of Microsoft Exchange Servers has been deployed in the organization, an Exchange
Mobile Device Server must be installed on a Microsoft Exchange Server that has Client Access. In this case, the
Standard mode option must be enabled in the Setup Wizard of the Exchange Mobile Device Server.

Together with the Exchange Mobile Device Server, Network Agent must be installed on the device; it helps
integrate the Exchange Mobile Device Server with Kaspersky Security Center.

The default scan scope of the Exchange Mobile Device Server is the current Active Directory domain in which it
was installed. Deploying an Exchange Mobile Device Server on a server with Microsoft Exchange Server (versions
2010, 2013) installed allows you to expand the scan scope to include the entire domain forest in the Exchange
Mobile Device Server (see section "Configuring the scan scope"). Information requested during a scan includes
accounts of Microsoft Exchange server users, Exchange ActiveSync policies, and users' mobile devices connected
to the Microsoft Exchange Server over Exchange ActiveSync protocol.

Multiple instances of Exchange Mobile Device Server cannot be installed within a single domain if they run in
Standard mode being managed by a single Administration Server. Within a single Active Directory domain
forest, multiple instances of Exchange Mobile Device Server (or multiple clusters of Exchange Mobile Device
Servers) cannot be installed either—if they run in Standard mode with an expanded scan scope that includes
the entire domain forest and if they are connected to a single Administration Server.

Rights required for deployment of Exchange Mobile Device Server


Deployment of an Exchange Mobile Device Server on Microsoft Exchange Server (2010, 2013) requires domain
administrator rights and the Organization Management role. Deployment of an Exchange Mobile Device Server on
Microsoft Exchange Server (2007) requires domain administrator rights and membership in the Exchange
Organization Administrators security group.

Account for Exchange ActiveSync service


When an Exchange Mobile Device Server is installed, an account is automatically created in Active Directory:

On Microsoft Exchange Server (2010, 2013): KLMDM4ExchAdmin***** account with the KLMDM Role Group role.

On Microsoft Exchange Server (2007): KLMDM4ExchAdmin***** account, a member of the KLMDM Secure
Group security group.

The Exchange Mobile Device Server service runs under this account.

If you want to cancel the automatic generation of an account, you need to create a custom one with the following
rights:

When using Microsoft Exchange Server (2010, 2013), the account must be assigned a role that has been allowed
to execute the following cmdlets:

Get-CASMailbox

Set-CASMailbox

Remove-ActiveSyncDevice

Clear-ActiveSyncDevice

Get-ActiveSyncDeviceStatistics

Get-AcceptedDomain

Set-AdServerSettings

Get-ActiveSyncMailboxPolicy

New-ActiveSyncMailboxPolicy

Set-ActiveSyncMailboxPolicy

Remove-ActiveSyncMailboxPolicy

When using a Microsoft Exchange Server (2007), the account must be granted the access rights to Active
Directory objects (see the table below).

Access rights to Active Directory objects

Access: Full
Object: Subtree "CN=Mobile Mailbox Policies,CN=<Organization name>,CN=Microsoft Exchange,CN=Services,CN=Configuration,DC=<Domain name>"
Cmdlet: Add-ADPermission -User <User or group name> -Identity "CN=Mobile Mailbox Policies,CN=<Organization name>,CN=Microsoft Exchange,CN=Services,CN=Configuration,DC=<Domain name>" -InheritanceType All -AccessRights GenericAll

Access: Read
Object: Subtree "CN=<Organization name>,CN=Microsoft Exchange,CN=Services,CN=Configuration,DC=<Domain name>"
Cmdlet: Add-ADPermission -User <User or group name> -Identity "CN=<Organization name>,CN=Microsoft Exchange,CN=Services,CN=Configuration,DC=<Domain name>" -InheritanceType All -AccessRights GenericRead

Access: Read/write
Object: Properties msExchMobileMailboxPolicyLink and msExchOmaAdminWirelessEnable for objects in Active Directory
Cmdlet: Add-ADPermission -User <User or group name> -Identity "DC=<Domain name>" -InheritanceType All -AccessRights ReadProperty,WriteProperty -Properties msExchMobileMailboxPolicyLink,msExchOmaAdminWirelessEnable

Access: Extended right ms-Exch-Store-Active
Object: Mailbox repositories of Exchange server, subtree "CN=Databases,CN=Exchange Administrative Group (FYDIBOHF23SPDLT),CN=Administrative Groups,CN=<Organization name>,CN=Microsoft Exchange,CN=Services,CN=Configuration,DC=<Domain name>"
Cmdlet: Get-MailboxDatabase | Add-ADPermission -User <User or group name> -ExtendedRights ms-Exch-Store-Admin
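A least-privilege check for the custom-account case on Exchange 2010/2013, added here as an example (it is not part of the Kaspersky documentation or product): it enumerates the cmdlets the account can actually run through its effective Exchange role assignments and reports which of the required ones are missing and which surplus ones it holds. It assumes an Exchange Management Shell session; the account name is a placeholder and must match the name Exchange reports in EffectiveUserName.

```powershell
# Cmdlets the Exchange Mobile Device Server account must be allowed to run on
# Exchange 2010/2013 (the list from the documentation above).
$RequiredCmdlets = @(
    'Get-CASMailbox', 'Set-CASMailbox',
    'Remove-ActiveSyncDevice', 'Clear-ActiveSyncDevice', 'Get-ActiveSyncDeviceStatistics',
    'Get-AcceptedDomain', 'Set-AdServerSettings',
    'Get-ActiveSyncMailboxPolicy', 'New-ActiveSyncMailboxPolicy',
    'Set-ActiveSyncMailboxPolicy', 'Remove-ActiveSyncMailboxPolicy'
)

function Get-EffectiveCmdlets {
    # Distinct cmdlet names reachable through every enabled role that is
    # effectively assigned to the account (directly, via role groups or USGs).
    # Assumption: $Account is the name Exchange shows in EffectiveUserName.
    param([Parameter(Mandatory = $true)][string]$Account)

    $roles = Get-ManagementRoleAssignment -GetEffectiveUsers |
        Where-Object { $_.EffectiveUserName -eq $Account -and $_.Enabled } |
        ForEach-Object { "$($_.Role)" } |
        Sort-Object -Unique

    $cmdlets = foreach ($role in $roles) {
        # "<role>\*" enumerates the role entries, i.e. the cmdlets the role grants
        Get-ManagementRoleEntry "$role\*" | ForEach-Object { $_.Name }
    }
    $cmdlets | Sort-Object -Unique
}

function Test-MdmServiceAccount {
    # Reports both missing required cmdlets (the server will not work) and
    # surplus ones (the account holds more than the integration needs).
    param([Parameter(Mandatory = $true)][string]$Account)

    $have = @(Get-EffectiveCmdlets -Account $Account)
    New-Object PSObject -Property @{
        Account = $Account
        Missing = @($RequiredCmdlets | Where-Object { $have -notcontains $_ })
        Surplus = @($have | Where-Object { $RequiredCmdlets -notcontains $_ })
    }
}

# Placeholder account name; replace with the custom service account you created.
Test-MdmServiceAccount -Account 'svc-klmdm' | Format-List Account, Missing, Surplus
```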

iOS MDM Server


iOS MDM Server allows you to manage iOS devices by installing dedicated iOS MDM profiles on them. The following
features are supported:

Device lock

Password reset

Data wipe

Installation or removal of apps

Use of an iOS MDM profile with advanced settings (such as VPN settings, email settings, Wi-Fi settings, camera
settings, certificates, etc.)

iOS MDM Server is a web service that receives inbound connections from mobile devices through its TLS port (by
default, port 443), which is managed by Kaspersky Security Center using Network Agent. Network Agent is
installed locally on a device with an iOS MDM Server deployed.

When deploying an iOS MDM Server, the administrator must perform the following actions:

Provide Network Agent with access to the Administration Server

Provide mobile devices with access to the TCP port of the iOS MDM Server

This section addresses two standard configurations of an iOS MDM Server.

Standard configuration: Kaspersky Device Management for iOS in DMZ


An iOS MDM Server is located in the DMZ of an organization's local network with internet access. A special feature
of this approach is the absence of any problems when the iOS MDM web service is accessed from devices over
the internet.

Because management of an iOS MDM Server requires Network Agent to be installed locally, you must ensure the
interaction of Network Agent with the Administration Server. You can ensure this by using one of the following
methods:

By moving the Administration Server to the DMZ.

By using a connection gateway:

a. On the device with iOS MDM Server deployed, connect Network Agent to the Administration Server
through a connection gateway.

b. On the device with iOS MDM Server deployed, assign Network Agent to act as connection gateway.

Standard configuration: iOS MDM Server on the local network of an organization
An iOS MDM Server is located on the internal network of an organization. Port 443 (default port) must be enabled
for external access, for example, by publishing the iOS MDM web service on Microsoft Forefront® Threat
Management Gateway (hereinafter referred to as TMG).

Any standard configuration requires access to Apple web services for the iOS MDM Server (range 17.0.0.0/8)
through TCP port 2197. This port is used for notifying devices of new commands by means of a dedicated service
named APNs.

Managing mobile devices with Kaspersky Endpoint Security for Android


Mobile devices with installed Kaspersky Endpoint Security for Android™ (hereinafter referred to as KES devices)
are managed by means of the Administration Server. Kaspersky Security Center supports the following features
for managing KES devices:

Handling mobile devices as client devices:

Membership in administration groups

Monitoring, such as viewing statuses, events, and reports

Modifying local settings and assigning policies for Kaspersky Endpoint Security for Android

Sending commands in centralized mode

Installing mobile apps packages remotely

Administration Server manages KES devices through TLS, TCP port 13292.

Information about Administration Server performance

This section presents the results of performance testing of the Administration Server for different hardware
configurations, as well as the limitations on connecting managed devices to the Administration Server.

Limitations on connection to an Administration Server


An Administration Server supports management of up to 100,000 devices without a loss in performance.

Limitations on connections to an Administration Server without a loss in performance:

One Administration Server can support up to 500 virtual Administration Servers.

The primary Administration Server supports no more than 1000 sessions simultaneously.

Virtual Administration Servers support no more than 1000 sessions simultaneously.

Results of Administration Server performance testing


Results of Administration Server performance testing have allowed us to determine the maximum numbers of
client devices with which Administration Server can be synchronized for specified time intervals. You can use this
information to select the optimal scheme for deploying anti-virus protection on computer networks.

Devices with the following hardware configurations (see the tables below) were used for testing:

Administration Server hardware configuration

Parameter | Value
CPU | Intel Xeon CPU E5630, clock speed of 2.53 GHz, 2 socket, 8 cores, 16 logical processors
RAM | 26 GB
Hard drive | IBM ServeRAID M5014 SCSI Disk Device, 487 GB
Operating system | Microsoft Windows Server 2019 Standard, version 10.0.17763, build 17763
Network | QLogic BCM5709C Gigabit Ethernet (NDIS VBD Client)

Hardware configuration of the SQL Server device

Parameter | Value
CPU | Intel Xeon CPU X5570, clock speed of 2.93 GHz, 2 socket, 8 cores, 16 logical processors
RAM | 32 GB
Hard drive | Adaptec Array SCSI Disk Device, 2047 GB
Operating system | Microsoft Windows Server 2019 Standard, version 10.0.17763, build 17763
Network | Intel 82576 Gigabit

Administration Server supported creation of 500 virtual Administration Servers.

The synchronization interval was 15 minutes for every 10,000 managed devices (see the table below).

Summarized results of Administration Server load testing

Synchronization interval (min) | Number of managed devices
15 | 10,000
30 | 20,000
45 | 30,000
60 | 40,000
75 | 50,000
90 | 60,000
105 | 70,000
120 | 80,000
135 | 90,000
150 | 100,000

If you connect Administration Server to a MySQL or SQL Express database server, it is not recommended to
use the application to manage more than 10,000 devices. For the MariaDB database management system, the
maximum recommended number of managed devices is 20,000.

Results of KSN proxy server performance testing


If your enterprise network includes a large number of client devices and they use the Administration Server as KSN
proxy server, the Administration Server hardware must meet specific requirements to be able to process the
requests from the client devices. You can use the testing results below to evaluate the Administration Server load
on your network and plan the hardware resources to provide for normal functioning of the KSN proxy service.

The tables below show the hardware configuration of the Administration Server and SQL Server that was used for
testing.

Administration Server hardware configuration

Parameter | Value
CPU | Intel Xeon CPU E5450, clock speed of 3.00 GHz, 2 socket, 8 cores, 16 logical processors
RAM | 32 GB
Operating system | Microsoft Windows Server 2016 Standard

SQL Server hardware configuration

Parameter | Value
CPU | Intel Xeon CPU E5450, clock speed of 3.00 GHz, 2 socket, 8 cores, 16 logical processors
RAM | 32 GB
Operating system | Microsoft Windows Server 2019 Standard

The table below shows the results of the test.

Summarized results of KSN proxy server performance testing

Parameter | Value
Maximum number of requests processed per second | 4914
Maximum CPU utilization | 36%

Deploying Network Agent and the security application


To manage devices in an organization, you have to install Network Agent on each of them. Deployment of
distributed Kaspersky Security Center on corporate devices normally begins with installation of Network Agent on
them.

In Microsoft Windows XP, Network Agent might not perform the following operations correctly: downloading
updates directly from Kaspersky servers (as a distribution point); functioning as a KSN proxy server (as a
distribution point); and detecting third-party vulnerabilities (if Vulnerability and Patch Management is used).

Initial deployment
If a Network Agent has already been installed on a device, remote installation of applications on that device is
performed through this Network Agent. The distribution package of an application to be installed is transferred
over communication channels between Network Agents and Administration Server, along with the installation
settings defined by the administrator. To transfer the distribution package, you can use relay distribution nodes,
that is, distribution points, multicast delivery, etc. For more details on how to install applications on managed
devices with Network Agent already installed, see below in this section.

You can perform initial installation of Network Agent on devices running Windows, using one of the following
methods:

With third-party tools for remote installation of applications.

By cloning an image of the administrator's hard drive with the operating system and Network Agent: using tools
provided by Kaspersky Security Center for handling disk images, or using third-party tools.

With Windows group policies: using standard Windows management tools for group policies, or in automatic
mode, through the corresponding, dedicated option in the remote installation task of Kaspersky Security
Center.

In forced mode, using special options in the remote installation task of Kaspersky Security Center.

By sending device users links to stand-alone packages generated by Kaspersky Security Center. Stand-alone
packages are executable modules that contain the distribution packages of selected applications with their
settings defined.

Manually, by running application installers on devices.

On managed devices running platforms other than Microsoft Windows, you can perform remote installation of
Network Agent. Before remote installation of Network Agent on a device running Linux or a device running macOS,
you have to prepare the device. You can also install Network Agent on a Linux device in silent mode by using an
answer file. You can upgrade Network Agent to a new version or install other Kaspersky applications on
non-Windows platforms, using Network Agents (already installed on devices) to perform remote installation tasks.
In this case, installation is identical to that on devices running Microsoft Windows.

When selecting a method and a strategy for deployment of applications on a managed network, you must consider
a number of factors (partial list):

Organization's network configuration.

Total number of devices.

Presence of devices on the organization's network, which are not members of any Active Directory domain, and
presence of uniform accounts with administrator rights on those devices.

Capacity of the channel between the Administration Server and devices.

Type of communication between Administration Server and remote subnets and capacity of network channels
in those subnets.

Security settings applied on remote devices at the start of deployment (such as use of UAC and Simple File
Sharing mode).

Configuring installers


Before starting deployment of Kaspersky applications on a network, you must specify the installation settings, that
is, those defined during the application installation. When installing Network Agent, you should specify, at a
minimum, an address for connection to Administration Server; some advanced settings may also be required.
Depending on the installation method that you have selected, you can define settings in different ways. In the
simplest case (manual interactive installation on a selected device), all relevant settings can be defined through the
user interface of the installer.

This method of defining the settings is inappropriate for silent installation of applications on groups of devices. In
general, the administrator must specify values for settings in centralized mode; those values can subsequently be
used for silent installation on selected networked devices.

Installation packages
The first and main method of defining the installation settings of applications is all-purpose and thus suitable for all
installation methods, both with Kaspersky Security Center tools and with most third-party tools. This method
consists of creating installation packages of applications in Kaspersky Security Center.

Installation packages are generated using the following methods:

Automatically, from specified distribution packages, on the basis of included descriptors (files with the kud
extension that contain rules for installation and results analysis, and other information)

From the executable files of installers or from installers in native format (.msi, .deb, .rpm), for standard or
supported applications

Generated installation packages are organized hierarchically as folders with subfolders and files. In addition to the
original distribution package, an installation package contains editable settings (including the installer's settings and
rules for processing such cases as the necessity of restarting the operating system in order to complete installation),
as well as minor auxiliary modules.

Values of installation settings that are specific to an individual supported application can be defined in the
user interface of Administration Console when the installation package is created. When performing remote
installation of applications through Kaspersky Security Center tools, installation packages are delivered to devices
so that running the installer of an application makes all administrator-defined settings available for that application.
When using third-party tools for installation of Kaspersky applications, you only have to ensure the availability of
the entire installation package on the device, that is, the availability of the distribution package and its settings.
Installation packages are created and stored by Kaspersky Security Center in a dedicated subfolder of the shared
folder.

Do not specify any details of privileged accounts in the parameters of installation packages.

For the instructions about using this configuration method for Kaspersky applications before deployment through
third-party tools, see section "Deployment using group policies of Microsoft Windows".

Immediately after Kaspersky Security Center installation, a few installation packages are automatically generated;
they are ready for installation and include Network Agent packages and security application packages for
Microsoft Windows.

Although the license key for an application can be set in the properties of an installation package, it is
advisable to avoid this method of license distribution because it is easy to obtain read access to
installation packages. You should use automatically distributed license keys or installation tasks for license
keys.

MSI properties and transform files


Another way of configuring installation on the Windows platform is to define MSI properties and transform files. This
method can be applied in the following cases:

When installing through Windows group policies, by using regular Microsoft tools or other third-party tools for
handling Windows group policies.

When installing applications by using third-party tools intended for handling installers in Microsoft Installer
format.

Deployment with third-party tools for remote installation of applications


When any tools for remote installation of applications (such as Microsoft System Center) are available in an
organization, it is convenient to perform initial deployment by using those tools.

The following actions must be performed:

Select the method for configuring installation that best suits the deployment tool to be used.

Define the mechanism for synchronization between the modification of the settings of installation packages
(through the Administration Console interface) and the operation of selected third-party tools used for
deployment of applications from installation package data.

When performing installation from a shared folder, you must make sure that this file resource has sufficient
capacity.

About remote installation tasks in Kaspersky Security Center


Kaspersky Security Center provides various mechanisms for remote installation of applications, which are
implemented as remote installation tasks (forced installation, installation by copying a hard drive image, installation
through group policies of Microsoft Windows). You can create a remote installation task both for a specified
administration group and for specific devices or a selection of devices (such tasks are displayed in Administration
Console, in the Tasks folder). When creating a task, you can select installation packages (those of Network Agent
and / or another application) to be installed within this task, as well as specify certain settings that define the
method of remote installation. In addition, you can use the Remote Installation Wizard, which is based on creation
of a remote installation task and results monitoring.

Tasks for administration groups affect both devices included in a specified group and all devices in all
subgroups within that administration group. A task covers devices of secondary Administration Servers
included in a group or any of its subgroups if the corresponding setting is enabled in the task.

Tasks for specific devices refresh the list of client devices at each run in accordance with the selection contents
at the moment the task starts. If a selection includes devices that have been connected to secondary
Administration Servers, the task will run on those devices, too. For details on those settings and installation
methods see below in this section.

To ensure successful operation of a remote installation task on devices connected to secondary
Administration Servers, you must use the relaying task to relay installation packages used by your task to the
corresponding secondary Administration Servers in advance.

Deployment by capturing and copying the hard drive image of a device


If you need to install Network Agent on devices on which an operating system and other software also must be
installed (or reinstalled), you can use the mechanism of capturing and copying the hard drive of that device.

To perform deployment by capturing and copying a hard drive:

1. Create a reference device with an operating system and the relevant software installed, including Network
Agent and a security application.

2. Capture the reference image on the device and distribute that image on new devices through the dedicated
task of Kaspersky Security Center.
To capture and install disk images, you can use either third-party tools available in the organization, or the
feature provided (under the Vulnerability and Patch Management license) by Kaspersky Security Center.

If you use any third-party tools to process disk images, you must delete the information that Kaspersky
Security Center uses to identify the managed device, when performing deployment on a device from a
reference image. Otherwise, Administration Server will not be able to properly distinguish devices that have
been created by copying the same image.

When capturing a disk image with Kaspersky Security Center tools, this issue is solved automatically.

Copying a disk image with third-party tools

When applying third-party tools for capturing the image of a device with Network Agent installed, use one of the
following methods:

Recommended method. When installing Network Agent on a reference device, capture the device image before
the first run of Network Agent service (because unique information identifying the device is created at the first
connection of Network Agent to the Administration Server). After that, it is recommended that you avoid
running Network Agent service until the completion of the image capturing operation.

On the reference device, stop the Network Agent service and run the klmover utility with the -dupfix key. The
utility klmover is included in the installation package of Network Agent. Avoid any subsequent runs of Network
Agent service until the image capturing operation completes.

Make sure that klmover will be run with the -dupfix key before (mandatory requirement) the first run of the
Network Agent service on target devices, at the first launch of the operating system after the image
deployment. The utility klmover is included in the installation package of Network Agent.
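The second method together with the mandatory first-boot step, as an added PowerShell example that is not part of the Kaspersky documentation or product. Run Initialize-ReferenceDevice on the reference device right before capturing, and Complete-DeployedDevice once on every device deployed from the image at its first boot; the Windows service name (klnagent) and the klmover.exe path are assumptions, adjust them to your installation.

```powershell
# Assumptions (not from the Kaspersky documentation): the Network Agent service
# is registered as 'klnagent' and klmover.exe sits in the Network Agent
# installation folder under Program Files (x86).
$AgentService = 'klnagent'
$Klmover = Join-Path ${env:ProgramFiles(x86)} 'Kaspersky Lab\NetworkAgent\klmover.exe'

function Invoke-KlmoverDupFix {
    # Runs "klmover -dupfix" and fails loudly if the utility is missing or exits non-zero,
    # so an image capture or a first boot never silently proceeds without the fix.
    if (-not (Test-Path -LiteralPath $Klmover)) { throw "klmover.exe not found at $Klmover" }
    $proc = Start-Process -FilePath $Klmover -ArgumentList '-dupfix' -Wait -PassThru -NoNewWindow
    if ($proc.ExitCode -ne 0) { throw "klmover -dupfix exited with code $($proc.ExitCode)" }
}

function Initialize-ReferenceDevice {
    # Run on the reference device immediately before capturing the image:
    # stop the agent so it cannot create or refresh a device identity, clear
    # any identity already present, and keep the service from starting again
    # until the capture is done (it is re-enabled per device at first boot).
    Stop-Service -Name $AgentService -Force
    Invoke-KlmoverDupFix
    Set-Service -Name $AgentService -StartupType Disabled
}

function Complete-DeployedDevice {
    # Run once on every device deployed from the image, at first boot and
    # before the agent has ever started (e.g. from a SetupComplete or RunOnce
    # script), so each device registers with its own identity.
    $svc = Get-Service -Name $AgentService
    if ($svc.Status -ne 'Stopped') {
        # Not the intended order: the agent already ran. Stopping it and running
        # the fix now is the same repair the documentation prescribes for
        # incorrectly copied devices.
        Write-Warning "Network Agent already started before the duplicate fix; stopping it first"
        Stop-Service -Name $AgentService -Force
    }
    Invoke-KlmoverDupFix
    Set-Service -Name $AgentService -StartupType Automatic
    Start-Service -Name $AgentService
}
```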

If the hard drive image has been copied incorrectly, you can resolve this problem.

You can apply an alternate scenario for Network Agent deployment on new devices through operating system
images:

The captured image contains no Network Agent installed.

A stand-alone installation package of Network Agent located in the shared folder of Kaspersky Security Center
has been added to the list of executable les that are run upon completion of the image deployment on target
devices.

This deployment scenario adds flexibility: you can use a single operating system image together with various
installation options for Network Agent and / or the security application, including device moving rules related to
the standalone package. This slightly complicates the deployment process: you have to provide access to the
network folder with stand-alone installation packages from a device.

Incorrect copying of a hard drive image


If a hard drive image with Network Agent installed has been copied without following the rules of deployment,
some devices may be displayed together in Administration Console under a single icon with a name that changes
constantly.

You can resolve this issue using one of the following methods:

Removing Network Agent


This method is the most reliable. You must remove Network Agent on devices that have been incorrectly copied
from the image, using third-party tools, and then install it again. Network Agent cannot be removed through
Kaspersky Security Center tools, because Administration Server cannot distinguish between faulty devices
(they all share the same icon in Administration Console).

Running the klmover utility with the "-dupfix" key

Use third-party tools to run the klmover utility, located in the Network Agent installation folder, with the
"-dupfix" key (klmover -dupfix) once on faulty devices (those incorrectly copied from the image). You cannot run
the utility with Kaspersky Security Center tools, because Administration Server cannot distinguish between
faulty devices (they all share the same icon in Administration Console).
Then delete the icon under which the faulty devices had been displayed before you ran the utility.

Toughening up the rule for detection of incorrectly copied devices

This method is only applicable if Administration Server and Network Agents version 10 Service Pack 1 or
later are installed.

The rule for detection of incorrectly copied Network Agents must be toughened so that changing the NetBIOS
name of a device results in an automatic "fix" of those Network Agents (with the assumption that all of the
copied devices have unique NetBIOS names).
On the device with Administration Server, you must import the reg file shown below to the Registry and then
restart the Administration Server service.

If a 32-bit operating system is installed on the device with Administration Server:

REGEDIT4
[HKEY_LOCAL_MACHINE\SOFTWARE\KasperskyLab\Components\34\1093\1.0.0.0\ServerFlags]
"KLSRV_CheckClones"=dword:00000003

If a 64-bit operating system is installed on the device with Administration Server:

REGEDIT4
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\KasperskyLab\Components\34\1093\1.0.0.0\ServerFlags]
"KLSRV_CheckClones"=dword:00000003

Deployment using group policies of Microsoft Windows


It is recommended that you perform the initial deployment of Network Agents through Microsoft Windows group
policies if the following conditions are met:

The target devices are members of an Active Directory domain.

The deployment scheme allows you to wait for the next routine restart of target devices before starting
deployment of Network Agents on them (or you can force a Windows group policy to be applied to those
devices).

This deployment scheme consists of the following:

The application distribution package in Microsoft Installer format (MSI package) is located in a shared folder (a
folder where the LocalSystem accounts of target devices have read permissions).

In the Active Directory group policy, an installation object is created for the distribution package.

The installation scope is set by specifying the organizational unit (OU) and / or the security group, which
includes the target devices.

The next time a target device logs in to the domain (before device users log in to the system), all installed
applications are checked for the presence of the required application. If the application is not found, the
distribution package is downloaded from the resource speci ed in the policy and is then installed.

An advantage of this deployment scheme is that assigned applications are installed on target devices while the
operating system is loading, that is, even before the user logs in to the system. Even if a user with sufficient rights
removes the application, it will be reinstalled at the next launch of the operating system. This deployment scheme's
shortcoming is that changes made by the administrator to the group policy will not take effect until the devices are
restarted (if no additional tools are involved).

You can use group policies to install both Network Agent and other applications if their respective installers are in
Windows Installer format.

When this deployment scheme is selected, you must also assess the load on the file resource from which files will
be copied to devices after applying the Windows group policy.
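A share that satisfies the read-permission requirement of this scheme, plus a check that nobody outside a small trusted set can write to it: whoever can replace the MSI in that folder gets it installed as LocalSystem on every target device at next restart. This is an added example, not Kaspersky's code; the path, share name and group names are placeholders, and it assumes the SmbShare module of Windows Server 2012 or later.

```powershell
# Placeholders (not from the Kaspersky documentation): adjust the path, share
# name and group names to your environment.
$SharePath      = 'D:\KscPackages'
$ShareName      = 'KscPackages$'
# LocalSystem on a domain member reaches network shares as the computer
# account (DOMAIN\HOST$), which is a member of Domain Computers.
$ComputersGroup = "$env:USERDOMAIN\Domain Computers"
$TrustedWriters = @('BUILTIN\Administrators', 'NT AUTHORITY\SYSTEM')

function New-PackageShare {
    # Creates the folder with an explicit NTFS ACL (read for computer accounts,
    # full control for the trusted writers only) and publishes it read-only.
    if (-not (Test-Path -LiteralPath $SharePath)) {
        New-Item -ItemType Directory -Path $SharePath | Out-Null
    }
    $acl = Get-Acl -LiteralPath $SharePath
    $acl.SetAccessRuleProtection($true, $false)   # drop inherited, possibly permissive ACEs
    $inherit = 'ContainerInherit,ObjectInherit'
    $acl.AddAccessRule((New-Object System.Security.AccessControl.FileSystemAccessRule(
        $ComputersGroup, 'ReadAndExecute', $inherit, 'None', 'Allow')))
    foreach ($principal in $TrustedWriters) {
        $acl.AddAccessRule((New-Object System.Security.AccessControl.FileSystemAccessRule(
            $principal, 'FullControl', $inherit, 'None', 'Allow')))
    }
    Set-Acl -LiteralPath $SharePath -AclObject $acl

    New-SmbShare -Name $ShareName -Path $SharePath `
        -ReadAccess $ComputersGroup -FullAccess 'BUILTIN\Administrators' | Out-Null
}

function Get-PackageShareWriters {
    # Returns every principal outside $TrustedWriters that can modify the packages
    # at the share level or the NTFS level. An empty result is the desired state.
    $findings = @()

    Get-SmbShareAccess -Name $ShareName |
        Where-Object { $_.AccessControlType -eq 'Allow' -and $_.AccessRight -ne 'Read' -and
                       $TrustedWriters -notcontains $_.AccountName } |
        ForEach-Object { $findings += "share: $($_.AccountName) has $($_.AccessRight)" }

    # Any of these NTFS rights lets a principal replace or re-permission the package files
    $writeMask = [int][System.Security.AccessControl.FileSystemRights]'Write,Delete,ChangePermissions,TakeOwnership'
    (Get-Acl -LiteralPath $SharePath).Access |
        Where-Object { $_.AccessControlType -eq 'Allow' -and
                       ([int]$_.FileSystemRights -band $writeMask) -ne 0 -and
                       $TrustedWriters -notcontains $_.IdentityReference.Value } |
        ForEach-Object { $findings += "ntfs: $($_.IdentityReference.Value) has $($_.FileSystemRights)" }

    $findings
}

New-PackageShare
Get-PackageShareWriters   # prints nothing when only the trusted writers can change the packages
```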

Handling Microsoft Windows policies through the remote installation task of Kaspersky Security
Center

The simplest way to install applications through group policies of Microsoft Windows is to select the Assign
package installation in Active Directory group policies option in the properties of the remote installation task of
Kaspersky Security Center. In this case, Administration Server automatically performs the following actions when
you run the task:

Creates required objects in the group policy of Microsoft Windows.

Creates dedicated security groups, includes the target devices in those groups, and assigns installation of
selected applications for them. The set of security groups will be updated at every task run, in accordance with
the pool of devices at the moment of the run.

To make this feature operable, in the task properties, specify an account that has write permissions in Active
Directory group policies.

If you intend to install both Network Agent and another application through the same task, selecting the Assign
package installation in Active Directory group policies option causes the application to create an installation
object in the Active Directory policy for Network Agent only. The second application selected in the task will be
installed through the tools of Network Agent as soon as the latter is installed on the device. If you want to install an
application other than Network Agent through Windows group policies, you must create an installation task for this
installation package only (without the Network Agent package). Not every application can be installed using
Microsoft Windows group policies. To find out about this capability, you can refer to information about the possible
methods for installing the application.

If required objects are created in the group policy by using Kaspersky Security Center tools, the shared folder of
Kaspersky Security Center will be used as the source of the installation package. When planning the deployment,
you must correlate the reading speed for this folder with the number of devices and the size of the distribution
package to be installed. It may be useful to locate the shared folder of Kaspersky Security Center in a
high-performance dedicated file repository.

In addition to its ease of use, automatic creation of Windows group policies through Kaspersky Security Center
has this advantage: when planning Network Agent installation, you can easily specify the Kaspersky Security
Center administration group into which devices will be automatically moved after installation completes. You can
specify this group in the Add Task Wizard or in the settings window of the remote installation task.

When handling Windows group policies through Kaspersky Security Center, you can specify devices for a
group policy object by creating a security group. Kaspersky Security Center synchronizes the contents of the
security group with the current set of devices in the task. When using other tools for handling group policies,
you can associate objects of group policies with selected OUs of Active Directory directly.

Unassisted installation of applications through policies of Microsoft Windows

The administrator can create objects required for installation in a Windows group policy on his or her own behalf. In
this case, he or she can provide links to packages stored in the shared folder of Kaspersky Security Center, or
upload those packages to a dedicated file server and then provide links to them.

The following installation scenarios are possible:

The administrator creates an installation package and sets up its properties in Administration Console. The
group policy object provides a link to the MSI file of this package stored in the shared folder of Kaspersky
Security Center.

The administrator creates an installation package and sets up its properties in Administration Console. Then the
administrator copies the entire EXEC subfolder of this package from the shared folder of Kaspersky Security
Center to a folder on a dedicated file resource of the organization. The group policy object provides a link to
the MSI file of this package stored in a subfolder on the dedicated file resource of the organization.

The administrator downloads the application distribution package (including that of Network Agent) from the
internet and uploads it to the dedicated file resource of the organization. The group policy object provides a link
to the MSI file of this package stored in a subfolder on the dedicated file resource of the organization. The
installation settings are defined by configuring the MSI properties or by configuring MST transform files.

Forced deployment through the remote installation task of Kaspersky Security Center
If you need to start deploying Network Agents or other applications immediately, without waiting for the next time
target devices log in to the domain, or if any target devices that are not members of the Active Directory domain
are available, you can force installation of selected installation packages through the remote installation task of
Kaspersky Security Center.

In this case, you can specify target devices either explicitly (with a list), or by selecting the Kaspersky Security
Center administration group to which they belong, or by creating a selection of devices based upon a specific
criterion. The installation start time is defined by the task schedule. If the Run missed tasks setting is enabled in
the task properties, the task can be run either immediately after target devices are turned on, or when they are
moved to the target administration group.

This type of installation consists of copying files to the administrative resource (admin$) on each device and
performing remote registration of supporting services on them. The following conditions must be met in this case:

Devices must be available for connection either from the Administration Server side, or from the distribution
point side.

Name resolution for target devices must function properly in the network.

The administrative shares (admin$) must remain enabled on target devices.

The Server system service must be running on target devices (by default, it is running).

The following ports must be open on target devices to allow remote access through Windows tools: TCP 139,
TCP 445, UDP 137, and UDP 138.

Simple File Sharing mode must be disabled on target devices.

On target devices, the access sharing and security model must be set to Classic – local users authenticate as
themselves; it must not be set to Guest only – local users authenticate as Guest.

Target devices must be members of the domain, or uniform accounts with administrator rights must be created
on target devices in advance.

Devices in workgroups can be adjusted in accordance with the above requirements by using the riprep.exe utility,
which is described on Kaspersky Technical Support website.

During installation on new devices that have not yet been allocated to any of the Kaspersky Security Center
administration groups, you can open the remote installation task properties and specify the administration group
to which devices will be moved after Network Agent installation.

When creating a group task, keep in mind that each group task affects all devices in all nested groups within a
selected group. Therefore, you must avoid duplicating installation tasks in subgroups.

Automatic installation is a simplified way to create tasks for forced installation of applications. To do this, open the
administration group properties, open the list of installation packages and select the ones that must be installed on
devices in this group. As a result, the selected installation packages will be automatically installed on all devices in
this group and all of its subgroups. The time interval over which the packages will be installed depends on the
network throughput and the total number of networked devices.

Forced installation can also be applied if devices cannot be directly accessed by the Administration Server: for
example, devices are on isolated networks, or they are on a local network while the Administration Server is in the
DMZ. To make forced installation possible, you must provide distribution points to each of the isolated networks.

Using distribution points as local installation centers may also be useful when performing installation on devices in
subnets that communicate with Administration Server over a low-capacity channel while a broader channel is available
between devices in the same subnet. However, note that this installation method places a significant load on
devices acting as distribution points. Therefore, it is recommended that you select powerful devices with high-performance storage units as distribution points. Moreover, the free disk space in the partition with the
%ALLUSERSPROFILE%\Application Data\KasperskyLab\adminkit folder must exceed, by many times, the total
size of the distribution packages of installed applications.

Running stand-alone packages created by Kaspersky Security Center


The above-described methods of initial deployment of Network Agent and other applications cannot always be
implemented because it is not possible to meet all of the applicable conditions. In such cases, you can create a
common executable file called a stand-alone installation package through Kaspersky Security Center, using
installation packages with the relevant installation settings that have been prepared by the administrator. The
stand-alone installation package is stored in the shared folder of Kaspersky Security Center.

You can use Kaspersky Security Center to send selected users an email message containing a link to this file in the
shared folder, prompting them to run the file (either in interactive mode, or with the key "-s" for silent installation).
You can attach the stand-alone installation package to an email message and then send it to the users of devices
that have no access to the shared folder of Kaspersky Security Center. The administrator can also copy the
stand-alone package to a removable drive, deliver it to a relevant device, and then run it later.

You can create a stand-alone package from a Network Agent package, a package of another application (for
example, the security application), or both. If the stand-alone package has been created from Network Agent and
another application, installation starts with Network Agent.

When creating a stand-alone package with Network Agent, you can specify the administration group to which new
devices (those that have not been allocated to any of the administration groups) will be automatically moved when
Network Agent installation completes on them.

Stand-alone packages can run in interactive mode (by default), displaying the result for installation of applications
they contain, or they can run in silent mode (when run with the key "-s"). Silent mode can be used for installation
from scripts, for example, from scripts configured to run after an operating system image is deployed. The result of
installation in silent mode is determined by the return code of the process.

Options for manual installation of applications


Administrators or experienced users can install applications manually in interactive mode. They can use either
original distribution packages or installation packages generated from them and stored in the shared folder of
Kaspersky Security Center. By default, installers run in interactive mode and prompt users for all required values.
However, when running the process setup.exe from the root of an installation package with the key "-s", the installer
will be running in silent mode and with the settings that have been defined when configuring the installation
package.

When running setup.exe from the root of an installation package stored in the shared folder of Kaspersky
Security Center, the package will first be copied to a temporary local folder, and then the application installer
will be run from the local folder.

Remote installation of applications on devices with Network Agent installed


If an operable Network Agent connected to the primary Administration Server (or to any of its secondary Servers)
is installed on a device, you can upgrade Network Agent on this device, as well as install, upgrade, or remove any
supported applications through Network Agent.

You can enable the Using Network Agent option in the properties of the remote installation task.

If this option is selected, installation packages with installation settings defined by the administrator will be
transferred to target devices over communication channels between Network Agent and the Administration
Server.

To optimize the load on the Administration Server and minimize traffic between the Administration Server and the
devices, it is useful to assign distribution points on every remote network or in every broadcasting domain (see
sections "About distribution points" and "Building a structure of administration groups and assigning distribution
points"). In this case, installation packages and the installer settings are distributed from the Administration Server
to target devices through distribution points.

Moreover, you can use distribution points for broadcasting (multicast) delivery of installation packages, which
allows reducing network traffic significantly when deploying applications.

When transferring installation packages to target devices over communication channels between Network Agents
and the Administration Server, all installation packages that have been prepared for transfer will also be cached in
the %ALLUSERSPROFILE%\Application Data\KasperskyLab\adminkit\1093\.working\FTServer folder. When using
multiple large installation packages of various types and involving a large number of distribution points, the size of
this folder may increase dramatically.

Files cannot be deleted from the FTServer folder manually. When original installation packages are deleted,
the corresponding data will be automatically deleted from the FTServer folder.

The data received by distribution points is saved in the folder %ALLUSERSPROFILE%\Application Data\KasperskyLab\adminkit\1103\$FTClTmp.

Files cannot be deleted from the $FTClTmp folder manually. As tasks using data from this folder complete, the
contents of this folder will be deleted automatically.

Because installation packages are distributed over communication channels between Administration Server and
Network Agents from an intermediate repository in a format optimized for network transfers, no changes are
allowed in installation packages stored in the original folder of each installation package. Those changes will not be
automatically registered by Administration Server. If you need to modify the files of installation packages manually
(although you are recommended to avoid this scenario), you must edit any of the settings of an installation
package in Administration Console. Editing the settings of an installation package in Administration Console
causes Administration Server to update the package image in the cache that has been prepared for transfer to
target devices.

Managing device restarts in the remote installation task


Devices often need a restart to complete the remote installation of applications (particularly on Windows).

If you use the remote installation task of Kaspersky Security Center, in the Add Task Wizard or in the properties
window of the task that has been created (Operating system restart section), you can select the action to
perform when a restart is required:

Do not restart the device. In this case, no automatic restart will be performed. To complete the installation, you
must restart the device (for example, manually or through the device management task). Information about the
required restart will be saved in the task results and in the device status. This option is suitable for installation
tasks on servers and other devices where continuous operation is critical.

Restart the device. In this case, the device is always restarted automatically if a restart is required for
completion of the installation. This option is useful for installation tasks on devices that provide for regular
pauses in their operation (shutdown or restart).

Prompt user for action. In this case, the restart reminder is displayed on the screen of the client device,
prompting the user to restart it manually. Some advanced settings can be defined for this option: text of the
message for the user, the message display frequency, and the time interval after which a restart will be forced
(without the user's confirmation). The Prompt user for action option is the most suitable for workstations where users
need to be able to select the most convenient time for a restart.

Suitability of updating databases in an installation package of a security application

Before starting the protection deployment, you must keep in mind the possibility of updating anti-virus databases
(including modules of automatic patches) shipped together with the distribution package of the security
application. It is useful to update the databases in the installation package of the application before starting the
deployment (for example, by using the corresponding command in the context menu of a selected installation
package). This will reduce the number of restarts required for completion of protection deployment on target
devices.
Using tools for remote installation of applications in Kaspersky Security Center for running relevant executable files on managed devices

Using the New Package Wizard, you can select any executable file and define the settings of the command line for
it. For this you can add to the installation package either the selected file itself or the entire folder in which this file
is stored. Then you must create the remote installation task and select the installation package that has been
created.

While the task is running, the specified executable file with the defined command line settings will be run
on target devices.

If you use installers in Microsoft Windows Installer (MSI) format, Kaspersky Security Center analyzes the
installation results by means of standard tools.

If the Vulnerability and Patch Management license is available, Kaspersky Security Center (when creating an
installation package for any supported application in the corporate environment) also uses rules for installation and
analysis of installation results that are in its updatable database.

Otherwise, the default task for executable files waits for the completion of the running process, and of all its child
processes. After completion of all of the running processes, the task will be completed successfully regardless of
the return code of the initial process. To change this behavior of the task, before creating the task, you have to
manually modify the .kpd files that were generated by Kaspersky Security Center in the folder of the newly created
installation package and its subfolders.

For the task not to wait for the completion of the running process, set the value of the Wait setting to 0 in the
[SetupProcessResult] section:

Example:
[SetupProcessResult]
Wait=0

For the task to wait only for the completion of the running process on Windows, not for the completion of all child
processes, set the value of the WaitJob setting to 0 in the [SetupProcessResult] section, for example:

Example:
[SetupProcessResult]
WaitJob=0

For the task to complete successfully or return an error depending on the return code of the running process, list
successful return codes in the [SetupProcessResult_SuccessCodes] section, for example:

Example:
[SetupProcessResult_SuccessCodes]
0=
3010=

In this case, any code other than those listed will result in an error returned.

To display a string with a comment on the successful completion of the task or an error in the task results, enter
brief descriptions of errors corresponding to return codes of the process in the
[SetupProcessResult_SuccessCodes] and [SetupProcessResult_ErrorCodes] sections, for example:

Example:
[SetupProcessResult_SuccessCodes]
0=Installation completed successfully
3010=A restart is required to complete the installation
[SetupProcessResult_ErrorCodes]
1602=Installation canceled by the user
1603=Fatal error during installation

To use Kaspersky Security Center tools for managing the device restart (if a restart is required to complete an
operation), list the return codes of the process that indicate that a restart must be performed, in the
[SetupProcessResult_NeedReboot] section:

Example:
[SetupProcessResult_NeedReboot]
3010=
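The return-code handling that the .kpd sections above configure, shown as an added example (not Kaspersky code): a small Python reader, built on the standard library, that loads the [SetupProcessResult] sections from a constructed .kpd text and reports how the task would classify a given process return code. The section and key names are the documented ones; the classify function, the TaskOutcome record and the behaviour when Wait=0 are assumptions made for this illustration.

```python
"""Interpret a process return code the way the .kpd settings tell the
remote installation task to.  Added example: a minimal INI-style reader
built on the standard library, not Kaspersky code.  The section and key
names are the documented ones; the sample .kpd text is constructed."""
import configparser
from dataclasses import dataclass

# Constructed .kpd fragment using the documented sections and keys.
SAMPLE_KPD = """
[SetupProcessResult]
Wait=1
WaitJob=0

[SetupProcessResult_SuccessCodes]
0=Installation completed successfully
3010=A restart is required to complete the installation

[SetupProcessResult_ErrorCodes]
1602=Installation canceled by the user
1603=Fatal error during installation

[SetupProcessResult_NeedReboot]
3010=
"""


@dataclass
class TaskOutcome:
    status: str              # "success" or "error"
    message: str             # text for the task results; empty if none is configured
    need_reboot: bool        # restart handling should be triggered for this code
    wait_for_process: bool   # Wait != 0
    wait_for_children: bool  # WaitJob != 0


def load_kpd(text: str) -> configparser.ConfigParser:
    """Parse .kpd text.  Keys are return codes, so case folding is disabled
    and a bare 'code=' line (empty description) is accepted."""
    cp = configparser.ConfigParser(allow_no_value=True, interpolation=None,
                                   delimiters=("=",))
    cp.optionxform = str
    cp.read_string(text)
    return cp


def _codes(cp: configparser.ConfigParser, section: str) -> dict:
    """Return {return_code: description} for one section, {} if absent."""
    if not cp.has_section(section):
        return {}
    return {code: (text or "") for code, text in cp.items(section)}


def classify(cp: configparser.ConfigParser, return_code: int) -> TaskOutcome:
    """Map a return code to the task outcome following the documented rules:
    with no success-code list every code is a success; with one, unlisted
    codes are errors; codes in NeedReboot request a restart."""
    wait = cp.get("SetupProcessResult", "Wait", fallback="1") != "0"
    wait_job = cp.get("SetupProcessResult", "WaitJob", fallback="1") != "0"
    if not wait:
        # Assumption for this example: when the task does not wait for the
        # process, its return code is never evaluated, so the task reports success.
        return TaskOutcome("success", "", False, False, wait_job)
    code = str(return_code)
    success = _codes(cp, "SetupProcessResult_SuccessCodes")
    errors = _codes(cp, "SetupProcessResult_ErrorCodes")
    need_reboot = code in _codes(cp, "SetupProcessResult_NeedReboot")
    if not success or code in success:
        return TaskOutcome("success", success.get(code, ""), need_reboot, True, wait_job)
    return TaskOutcome("error", errors.get(code, ""), need_reboot, True, wait_job)


if __name__ == "__main__":
    kpd = load_kpd(SAMPLE_KPD)
    for rc in (0, 3010, 1602, 1603, 5):
        print(rc, classify(kpd, rc))
```

With the constructed file, 3010 is a success that also requests a restart, 1603 is an error with its description, and an unlisted code such as 5 is an error without a description; with no [SetupProcessResult_SuccessCodes] section at all, every code is reported as success, which is the default behaviour described above.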

Monitoring the deployment


To monitor the Kaspersky Security Center deployment and make sure that a security application and Network
Agent are installed on managed devices, you have to check the traffic light in the Deployment section. This traffic
light is located in the workspace of the Administration Server node in the main window of Administration Console.
The traffic light reflects the current deployment status. The number of devices with Network Agent and security
applications installed is displayed next to the traffic light. When any installation tasks are running, you can monitor
their progress here. If any installation errors occur, the number of errors is displayed here. You can view the details
of any error by clicking the link.

You can also use the deployment schema in the workspace of the Managed devices folder on the Groups tab. The
chart reflects the deployment process, showing the number of devices without Network Agent, with Network
Agent, or with Network Agent and a security application.

For more details on the progress of the deployment (or the operation of a specific installation task) open the
results window of the relevant remote installation task: Right-click the task and select Results in the context menu.
The window displays two lists: the upper one contains the task statuses on devices, while the lower one
contains task events on the device that is currently selected in the upper list.

Information about deployment errors is added to the Kaspersky Event Log on Administration Server. Information
about errors is also available through the corresponding event selection in the Administration Server node on the
Events tab.

Configuring installers


This section provides information about the files of Kaspersky Security Center installers and the installation
settings, as well as recommendations on how to install Administration Server and Network Agent in silent mode.

General information

Installers of Kaspersky Security Center 14 components (Administration Server, Network Agent, and Administration
Console) are built on Windows Installer technology. An MSI package is the core of an installer. This format of
packaging allows using all of the advantages provided by Windows Installer: scalability, availability of a patching
system, transformation system, centralized installation through third-party solutions, and transparent registration
with the operating system.

Installation in silent mode (with a response file)


The installers of Administration Server and Network Agent have the feature of working with the response file
(ss_install.xml), where the parameters for installation in silent mode without user participation are integrated. The
ss_install.xml file is located in the same folder as the MSI package; it is used automatically during installation in
silent mode. You can enable the silent installation mode with the command line key "/s".

An overview of an example run follows:

setup.exe /s

Before you start the installer in silent mode, read the End User License Agreement (EULA). If the Kaspersky
Security Center distribution kit does not include a TXT file with the text of the EULA, you can download the
file from the Kaspersky website.

The ss_install.xml file is an instance of the internal format of parameters of the Kaspersky Security Center installer.
Distribution packages contain the ss_install.xml file with the default parameters.

Please do not modify ss_install.xml manually. This file can be modified through the tools of Kaspersky Security
Center when editing the parameters of installation packages in Administration Console.

To modify the response file for Administration Server installation:

1. Open the Kaspersky Security Center distribution package. If you use a full package EXE file, then unpack it.

2. From the Server folder, open the command line, and then run the following command:
setup.exe /r ss_install.xml

The Kaspersky Security Center installer starts.

3. Follow the Wizard's steps to configure the Kaspersky Security Center installation.

When you complete the Wizard, the response file is automatically modified according to the new settings that
you speci ed.

Installation of Network Agent in silent mode (without a response file)


You can install Network Agent with a single .msi package, specifying the values of MSI properties in the standard
way. This scenario allows Network Agent to be installed by using group policies. To avoid conflicts between
parameters defined through MSI properties and parameters defined in the response file, you can disable the
response file by setting the property DONT_USE_ANSWER_FILE=1. The MSI file is located in the Kaspersky Security
Center distribution package, in the Packages\NetAgent\exec folder. An example of a run of the Network Agent
installer with an .msi package is as follows.

Installation of Network Agent in silent mode requires acceptance of the terms of the End User License Agreement.
Use the EULA=1 parameter only if you have fully read, understand and accept the terms of the End User License
Agreement.

Example:
msiexec /i "Kaspersky Network Agent.msi" /qn DONT_USE_ANSWER_FILE=1 SERVERADDRESS=kscserver.mycompany.com EULA=1

You can also define the installation parameters for an .msi package by preparing the response file in advance (one
with an .mst extension). This command appears as follows:

Example:
msiexec /i "Kaspersky Network Agent.msi" /qn TRANSFORMS=test.mst;test2.mst

You can specify several response les in a single command.

Partial installation configuration through setup.exe


When running installation of applications through setup.exe, you can add the values of any properties of MSI to the
MSI package.

This command appears as follows:

Example:
/v"PROPERTY_NAME1=PROPERTY_VALUE1 PROPERTYNAME2=PROPERTYVALUE2"

Administration Server installation parameters


The table below describes the MSI properties that you can configure when installing Administration Server. All of
the parameters are optional, except for EULA and PRIVACYPOLICY.

Parameters of Administration Server installation in silent mode

MSI property: EULA
Description: Acceptance of the terms of the License Agreement (required)
Available values:
  1—I have fully read, understand and accept the terms of the End User License Agreement.
  Other value or no value—I do not accept the terms of the License Agreement (installation is not performed).

MSI property: PRIVACYPOLICY
Description: Acceptance of the terms of the Privacy Policy (required)
Available values:
  1—I am aware and agree that my data will be handled and transmitted (including to third countries) as described in the Privacy Policy. I confirm that I have fully read and understand the Privacy Policy.
  Other value or no value—I do not accept the terms of the Privacy Policy (installation is not performed).

MSI property: INSTALLATIONMODETYPE
Description: Type of Administration Server installation
Available values:
  Standard.
  Custom.

MSI property: INSTALLDIR
Description: Application installation folder
Available values: String value.

MSI property: ADDLOCAL
Description: List of components to install (separated by commas)
Available values: CSAdminKitServer, NAgent, CSAdminKitConsole, NSAC, MobileSupport, KSNProxy, SNMPAgent, GdiPlusRedist, Microsoft_VC90_CRT_x86, Microsoft_VC100_CRT_x86.
  Minimum list of components sufficient for proper Administration Server installation:
  ADDLOCAL=CSAdminKitServer, CSAdminKitConsole, KSNProxy, Microsoft_VC90_CRT_x86, Microsoft_VC100_CRT_x86

MSI property: NETRANGETYPE
Description: Network size
Available values:
  NRT_1_100—From 1 to 100 devices.
  NRT_100_1000—From 101 to 1000 devices.
  NRT_GREATER_1000—More than 1000 devices.

MSI property: SRV_ACCOUNT_TYPE
Description: Way of specifying the user for the operation of the Administration Server service
Available values:
  SrvAccountDefault—The user account will be created automatically.
  SrvAccountUser—The user account is defined manually.

MSI property: SERVERACCOUNTNAME
Description: User name for the service
Available values: String value.

MSI property: SERVERACCOUNTPWD
Description: User password for the service
Available values: String value.

MSI property: DBTYPE
Description: Database type
Available values:
  MySQL—A MySQL or MariaDB database will be used.
  MSSQL—A Microsoft SQL Server (SQL Express) database will be used.

MSI property: MYSQLSERVERNAME
Description: Full name of MySQL or MariaDB server
Available values: String value.

MSI property: MYSQLSERVERPORT
Description: Number of port for connection to MySQL or MariaDB server
Available values: Numerical value.

MSI property: MYSQLDBNAME
Description: Name of MySQL or MariaDB server database
Available values: String value.

MSI property: MYSQLACCOUNTNAME
Description: User name for connection to MySQL or MariaDB server database
Available values: String value.

MSI property: MYSQLACCOUNTPWD
Description: User password for connection to MySQL or MariaDB server database
Available values: String value.

MSI property: MSSQLCONNECTIONTYPE
Description: Type of use of MSSQL database
Available values:
  InstallMSSEE—Install from a package.
  ChooseExisting—Use the installed server.

MSI property: MSSQLSERVERNAME
Description: Full name of SQL Server instance
Available values: String value.

MSI property: MSSQLDBNAME
Description: Name of SQL Server database
Available values: String value.

MSI property: MSSQLAUTHTYPE
Description: Method of authentication for connection to SQL Server
Available values:
  Windows.
  SQLServer.

MSI property: MSSQLACCOUNTNAME
Description: User name for connection to SQL Server in SQLServer mode
Available values: String value.

MSI property: MSSQLACCOUNTPWD
Description: User password for connection to SQL Server in SQLServer mode
Available values: String value.

MSI property: CREATE_SHARE_TYPE
Description: Method of specifying the shared folder
Available values:
  Create—Create a new shared folder. In this case, the following properties must be defined:
    SHARELOCALPATH—Path to a local folder.
    SHAREFOLDERNAME—Network name of a folder.
  Null—EXISTSHAREFOLDERNAME property must be specified.

MSI property: EXISTSHAREFOLDERNAME
Description: Full path to an existing shared folder
Available values: String value.

MSI property: SERVERPORT
Description: Port number to connect to Administration Server
Available values: Numerical value.

MSI property: SERVERSSLPORT
Description: Number of port for establishing SSL connection to Administration Server
Available values: Numerical value.

MSI property: SERVERADDRESS
Description: Administration Server address
Available values: String value.

MSI property: SERVERCERT2048BITS
Description: Size of the key for the Administration Server certificate (bits)
Available values:
  1—The size of the key for the Administration Server certificate is 2048 bit.
  0—The size of the key for the Administration Server certificate is 1024 bit.
  If no value is specified, the size of the key for the Administration Server certificate is 1024 bit.

MSI property: MOBILESERVERADDRESS
Description: Address of the Administration Server for connection of mobile devices; ignored if the MobileSupport component has not been selected
Available values: String value.
Network Agent installation parameters


The table below describes the MSI properties that you can configure when installing Network Agent. All of the
parameters are optional, except for EULA and SERVERADDRESS.

Parameters of Network Agent installation in silent mode

MSI property: EULA
Description: Acceptance of the terms of the License Agreement
Available values:
  1—I have fully read, understand and accept the terms of the End User License Agreement.
  0—I do not accept the terms of the License Agreement (installation is not performed).
  No value—I do not accept the terms of the License Agreement (installation is not performed).

MSI property: DONT_USE_ANSWER_FILE
Description: Read installation settings from response file
Available values:
  1—Do not use.
  Other value or no value—Read.

MSI property: INSTALLDIR
Description: Path to the Network Agent installation folder
Available values: String value.

MSI property: SERVERADDRESS
Description: Administration Server address (required)
Available values: String value.

MSI property: SERVERPORT
Description: Number of port for connection to Administration Server
Available values: Numerical value.

MSI property: SERVERSSLPORT
Description: Number of the port for encrypted connection to Administration Server by using SSL protocol
Available values: Numerical value.

MSI property: USESSL
Description: Whether to use SSL connection
Available values:
  1—Use.
  Other value or no value—Do not use.

MSI property: OPENUDPPORT
Description: Whether to open a UDP port
Available values:
  1—Open.
  Other value or no value—Do not open.

MSI property: UDPPORT
Description: UDP port number
Available values: Numerical value.

MSI property: USEPROXY
Description: Whether to use a proxy server
Available values:
  1—Use.
  Other value or no value—Do not use.

MSI property: PROXYLOCATION (PROXYADDRESS:PROXYPORT)
Description: Proxy address and number of port for connection to proxy server
Available values: String value.

MSI property: PROXYLOGIN
Description: Account for connection to proxy server
Available values: String value.

MSI property: PROXYPASSWORD
Description: Password of account for connection to proxy server (Do not specify any details of privileged accounts in the parameters of installation packages.)
Available values: String value.

MSI property: GATEWAYMODE
Description: Connection gateway use mode
Available values:
  0—Do not use connection gateway.
  1—Use this Network Agent as connection gateway.
  2—Connect to the Administration Server using connection gateway.

MSI property: GATEWAYADDRESS
Description: Connection gateway address
Available values: String value.

MSI property: CERTSELECTION
Description: Method of receiving a certificate
Available values:
  GetOnFirstConnection—Receive a certificate from the Administration Server.
  GetExistent—Select an existing certificate. If this option is selected, the CERTFILE property must be specified.

MSI property: CERTFILE
Description: Path to the certificate file
Available values: String value.

MSI property: VMVDI
Description: Enable dynamic mode for Virtual Desktop Infrastructure (VDI)
Available values:
  1—Enable.
  0—Do not enable.
  No value—Do not enable.

MSI property: LAUNCHPROGRAM
Description: Whether to start the Network Agent service after installation
Available values:
  1—Start.
  Other value or no value—Do not start.

MSI property: NAGENTTAGS
Description: Tag for Network Agent (has priority over the tag given in the response file)
Available values: String value.
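As an added example (not Kaspersky's tooling) covering both the Administration Server and the Network Agent property tables above, together with the msiexec and setup.exe /v"..." command forms shown earlier in this section: a Python helper that checks a property set against the allowed values and the cross-property requirements the tables state, and renders the resulting silent-install command line as text. The "server" and "agent" profile labels, the function names and the sample values (the certificate path in particular) are constructed for this illustration; kscserver.mycompany.com is the host name used in the page's own msiexec example.

```python
"""Check a set of MSI properties against the Administration Server and
Network Agent property tables and render the silent-install command line.
Added example, not Kaspersky tooling: allowed values and cross-property
requirements are transcribed from the tables; the profile labels, function
names and sample property values are constructed."""
from typing import Dict, List, Tuple

# Enumerated properties and the values the tables list for them.
ADMIN_SERVER_ENUMS = {
    "INSTALLATIONMODETYPE": {"Standard", "Custom"},
    "NETRANGETYPE": {"NRT_1_100", "NRT_100_1000", "NRT_GREATER_1000"},
    "SRV_ACCOUNT_TYPE": {"SrvAccountDefault", "SrvAccountUser"},
    "DBTYPE": {"MySQL", "MSSQL"},
    "MSSQLCONNECTIONTYPE": {"InstallMSSEE", "ChooseExisting"},
    "MSSQLAUTHTYPE": {"Windows", "SQLServer"},
    "CREATE_SHARE_TYPE": {"Create", "Null"},
    "SERVERCERT2048BITS": {"0", "1"},
}
NETWORK_AGENT_ENUMS = {
    "GATEWAYMODE": {"0", "1", "2"},
    "CERTSELECTION": {"GetOnFirstConnection", "GetExistent"},
    "VMVDI": {"0", "1"},
}
# Cross-property requirements the tables state explicitly:
# (property, value) -> properties that must then also be present.
ADMIN_SERVER_RULES = {
    ("CREATE_SHARE_TYPE", "Create"): ["SHARELOCALPATH", "SHAREFOLDERNAME"],
    ("CREATE_SHARE_TYPE", "Null"): ["EXISTSHAREFOLDERNAME"],
}
NETWORK_AGENT_RULES = {
    ("CERTSELECTION", "GetExistent"): ["CERTFILE"],
}
# Profile label (constructed) -> (required properties, enums, rules).
PROFILES = {
    "server": (["EULA", "PRIVACYPOLICY"], ADMIN_SERVER_ENUMS, ADMIN_SERVER_RULES),
    "agent": (["EULA", "SERVERADDRESS"], NETWORK_AGENT_ENUMS, NETWORK_AGENT_RULES),
}

Finding = Tuple[str, str]   # ("error" | "warning", text)


def validate(component: str, props: Dict[str, str]) -> List[Finding]:
    """Return findings; an empty list means the set is consistent with the
    tables (it does not prove that the installation will succeed)."""
    required, enums, rules = PROFILES[component]
    findings: List[Finding] = []
    for name in required:
        if name not in props:
            findings.append(("error", f"{name} is required"))
    # Only the value 1 accepts the EULA / Privacy Policy; anything else aborts.
    for name in ("EULA", "PRIVACYPOLICY"):
        if name in props and props[name] != "1":
            findings.append(("error", f"{name}={props[name]} does not accept the terms; "
                                      "installation is not performed"))
    for name, allowed in enums.items():
        if name in props and props[name] not in allowed:
            findings.append(("error", f"{name}={props[name]} is not one of {sorted(allowed)}"))
    for (name, value), needed in rules.items():
        if props.get(name) == value:
            for dep in needed:
                if dep not in props:
                    findings.append(("error", f"{name}={value} requires {dep}"))
    if "PROXYPASSWORD" in props:
        # The table warns against putting privileged account details in package parameters.
        findings.append(("warning", "PROXYPASSWORD is stored in the package parameters; "
                                    "do not use a privileged account here"))
    return findings


def _quote(value: str) -> str:
    # Windows Installer command-line syntax: quote the value when it contains spaces.
    return f'"{value}"' if " " in value else value


def msiexec_command(msi_path: str, props: Dict[str, str]) -> str:
    """Render the msiexec /i ... /qn form shown for Network Agent above."""
    args = " ".join(f"{k}={_quote(v)}" for k, v in props.items())
    return f'msiexec /i "{msi_path}" /qn {args}'


def setup_v_argument(props: Dict[str, str]) -> str:
    """Render the /v"..." argument for setup.exe.  How values containing
    spaces are quoted inside /v"..." is not documented here, so refuse them."""
    for k, v in props.items():
        if " " in v:
            raise ValueError(f"{k}: value with spaces is not supported by this helper")
    return '/v"' + " ".join(f"{k}={v}" for k, v in props.items()) + '"'


if __name__ == "__main__":
    agent = {"EULA": "1", "SERVERADDRESS": "kscserver.mycompany.com",
             "DONT_USE_ANSWER_FILE": "1", "CERTSELECTION": "GetExistent"}
    for severity, text in validate("agent", agent):
        print(f"{severity}: {text}")          # reports the missing CERTFILE
    agent["CERTFILE"] = r"C:\certs\klserver.cer"   # constructed sample path
    print(msiexec_command("Kaspersky Network Agent.msi", agent))
```

Running validate before building the command catches the cases the tables call out (a missing CERTFILE with CERTSELECTION=GetExistent, a share type without its path properties, an EULA value other than 1) before msiexec or setup.exe is ever invoked, which is cheaper than diagnosing a silent installer that simply exits.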

Virtual infrastructure
Kaspersky Security Center supports the use of virtual machines. You can install Network Agent and the security
application on each virtual machine, and you can protect virtual machines at the hypervisor level. In the first case,
you can use either a standard security application or Kaspersky Security for Virtualization Light Agent to protect
your virtual machines. In the second case, you can use Kaspersky Security for Virtualization Agentless.

Kaspersky Security Center supports rollbacks of virtual machines to their previous state.

Tips on reducing the load on virtual machines


When installing Network Agent on a virtual machine, you are advised to consider disabling some Kaspersky
Security Center features that seem to be of little use for virtual machines.

When installing Network Agent on a virtual machine or on a template intended for generation of virtual machines,
we recommend the following actions:

If you are running a remote installation, in the properties window of the Network Agent installation package, in
the Advanced section, select the Optimize settings for VDI option.

If you are running an interactive installation through a Wizard, in the Wizard window, select the Optimize the
Network Agent settings for the virtual infrastructure option.

Selecting those options alters the settings of Network Agent so that the following features remain disabled by
default (before a policy is applied):

Retrieving information about software installed

Retrieving information about hardware

Retrieving information about vulnerabilities detected

Retrieving information about updates required

Usually, those features are not necessary on virtual machines because they use uniform software and virtual
hardware.

Disabling the features is reversible. If any of the disabled features is required, you can enable it through the
Network Agent policy or through the local settings of Network Agent. The local settings of Network Agent are
available through the context menu of the relevant device in Administration Console.

Support of dynamic virtual machines
Kaspersky Security Center supports dynamic virtual machines. If a virtual infrastructure has been deployed on the
organization's network, dynamic (temporary) virtual machines can be used in certain cases. Dynamic VMs are
created under unique names from a template prepared by the administrator. The user works on a VM for a while;
after the VM is turned off, it is removed from the virtual infrastructure. If Kaspersky Security Center has been
deployed on the organization's network, a virtual machine with Network Agent installed is added to the
Administration Server database. After you turn off a virtual machine, the corresponding entry must also be
removed from the Administration Server database.

To enable automatic removal of the entries for dynamic virtual machines, select the Enable dynamic mode for VDI
option when installing Network Agent on a template for dynamic virtual machines:

For remote installation—In the properties window of the installation package of Network Agent (Advanced
section)

For interactive installation—In the Network Agent Installation Wizard

Avoid selecting the Enable dynamic mode for VDI option when installing Network Agent on physical devices.

If you want events from dynamic virtual machines to be stored on the Administration Server for a while after you
remove those virtual machines, then, in the Administration Server properties window, in the Events repository
section, select the Store events after devices are deleted option and specify the maximum storage term for
events (in days).

Support of virtual machine copying

Copying a virtual machine with Network Agent installed, or creating one from a template with Network Agent
installed, is equivalent to deploying Network Agent by capturing and copying a hard drive image. So, in the general
case, when copying virtual machines you need to perform the same actions as when deploying Network Agent by
copying a disk image.

However, in the two cases described below Network Agent detects the copying automatically, so you do not have
to perform the operations described under "Deployment by capturing and copying the hard drive of a device":

The Enable dynamic mode for VDI option was selected when Network Agent was installed—After each restart
of the operating system, this virtual machine will be recognized as a new device, regardless of whether it has
been copied or not.

One of the following hypervisors is in use: VMware, Hyper-V, or Xen. Network Agent detects the copying of the
virtual machine by the changed IDs of the virtual hardware.

Analysis of changes in virtual hardware is not absolutely reliable. Before applying this method widely, you must
test it on a small pool of virtual machines for the version of the hypervisor currently used in your organization.

Support of file system rollback for devices with Network Agent

Kaspersky Security Center is a distributed application. Rolling back the file system to a previous state on a device
with Network Agent installed leads to data desynchronization and improper functioning of Kaspersky Security
Center.

The file system (or a part of it) can be rolled back in the following cases:

When copying an image of the hard drive.

When restoring a state of the virtual machine by means of the virtual infrastructure.

When restoring data from a backup copy or a recovery point.

For Kaspersky Security Center, the only critical scenarios are those in which third-party software on a device with
Network Agent installed affects the %ALLUSERSPROFILE%\Application Data\KasperskyLab\adminkit\ folder.
Therefore, always exclude this folder from the recovery procedure, if possible.

Because the workplace rules of some organizations provide for rollbacks of the file system on devices, support for
file system rollback on devices with Network Agent installed has been added to Kaspersky Security Center,
starting with version 10 Maintenance Release 1 (Administration Server and Network Agents must be of version 10
Maintenance Release 1 or later). When a rollback is detected, the device is automatically reconnected to the
Administration Server with full data cleansing and full synchronization.

By default, file system rollback detection is enabled in Kaspersky Security Center 14.

As much as possible, avoid rolling back the %ALLUSERSPROFILE%\Application Data\KasperskyLab\adminkit\
folder on devices with Network Agent installed, because full resynchronization of data requires a large amount of
resources.

A rollback of the system state is absolutely not allowed on a device with Administration Server installed. Nor is
a rollback of the database used by Administration Server.

You can restore a state of Administration Server from a backup copy only with the standard klbackup utility.

Local installation of applications


This section provides an installation procedure for applications that can be installed on local devices only.

To perform local installation of applications on a specific client device, you must have administrator rights on this
device.

To install applications locally on a speci c client device:

1. Install Network Agent on the client device and con gure the connection between the client device and
Administration Server.

2. Install the requisite applications on the device as described in the guides of these applications.

3. Install a management plug-in for each of the installed applications on the administrator's workstation.

Kaspersky Security Center also supports the option of local installation of applications using a stand-alone
installation package. Kaspersky Security Center does not support installation of all Kaspersky applications.

Local installation of Network Agent

To install Network Agent on a device locally:

1. On the device, run the setup.exe file from the distribution package downloaded from the internet. Refer to the
following topic for details: Obtaining the Network Agent installation package from the Kaspersky Security
Center distribution kit.
A window opens prompting you to select Kaspersky applications to install.

2. In the application selection window, click the Install only Kaspersky Security Center 14 Network Agent link to
start the Network Agent setup wizard. Follow the instructions of the wizard.

a. Administration Server

Port

Specifies the non-SSL port used by the Administration Server to receive connections from Network
Agents.

By default, this option is set to 14000.

SSL port

Specifies the SSL port used by the Administration Server to receive connections from Network
Agents.

By default, this option is set to 13000.

Use SSL to connect to Administration Server

If this option is enabled, connection to the Administration Server is established through a secure port
via SSL.

By default, this option is enabled.

Allow Network Agent to open UDP port

If this option is enabled, the installer automatically opens the port used by the Administration Server to
manage the client device and receive information about it.

By default, this option is enabled.

UDP port

Allows you to configure the port used by the Administration Server to manage the client device and
receive information about it.

By default, this option is set to 15000.

b. Proxy server con guration

Use proxy server

If this option is enabled, you can specify the address, port, and credentials for proxy server authentication.

By default, this option is disabled.

Address

Port

Account

User name of the account under which connection to the proxy server is established.

Password

Password of the account under which connection to the proxy server is established.

We recommend that you specify the credentials of an account that has only the minimum privileges required
for proxy server authentication.

c. Connection gateway

Do not use connection gateway

Use Network Agent as a connection gateway in DMZ

Select this option to use Network Agent as a connection gateway in the demilitarized zone (DMZ) to
connect to Administration Server, communicate with it, and keep data on the Network Agent safe
during data transmission.

Connect to Administration Server by using a connection gateway

Select this option and then specify the device that will act as the connection gateway.

d. Administration Server certificate

e. Agent tags

f. Advanced settings

Automatically install applicable updates and patches for components that have the Undefined
status

We recommend keeping this option enabled. You can clear this option to disable automatic updating
and patching for Kaspersky Security Center components. The administrator can re-enable automatic
updating and patching later by using a policy.

By default, this option is disabled.

Enable Network Agent service protection

When this option is enabled, after Network Agent is installed on a managed device, the component
cannot be removed or reconfigured without the required privileges. The Network Agent service cannot be
stopped. This option has no effect on domain controllers.

Enable this option to protect Network Agent on workstations operated with local administrator rights.

By default, this option is disabled.

Enable dynamic mode for VDI

If this option is enabled, dynamic mode for Virtual Desktop Infrastructure (VDI) will be enabled for
Network Agent installed on a virtual machine.

By default, this option is disabled.

Optimize the Kaspersky Security Center Network Agent settings for the virtual infrastructure.
Disable vulnerability scan and inventory of applications and hardware. You can edit the current
settings through Network Agent policies.

If this option is enabled, the following features are disabled in the Network Agent settings:

Retrieving information about software installed

Retrieving information about hardware

Retrieving information about vulnerabilities detected

Retrieving information about updates required

By default, this option is disabled.

g. Start application

When the setup wizard finishes, Network Agent is installed on the device.

You can view the properties of the Kaspersky Security Center Network Agent service; you can also start, stop, and
monitor Network Agent activity by means of standard Microsoft Windows tools: Computer Management\Services.

Installing Network Agent in silent mode

Network Agent can be installed in silent mode, that is, without the interactive input of installation parameters.
Silent installation uses a Windows Installer package (MSI) for Network Agent. The MSI file is located in
the Kaspersky Security Center distribution package, in the Packages\NetAgent\exec folder.

To install Network Agent on a local device in silent mode:

1. Read the End User License Agreement. Use the command below only if you understand and accept the terms
of the End User License Agreement.

2. Run the command

msiexec /i "Kaspersky Network Agent.msi" /qn <setup_parameters>

where setup_parameters is a list of parameters and their respective values, separated by a space
(PROP1=PROP1VAL PROP2=PROP2VAL).
In the list of parameters, you must include EULA=1. Otherwise Network Agent will not be installed.

If you are using the standard connection settings of Kaspersky Security Center 11 and later and of Network Agent
on remote devices, run the command:

msiexec /i "Kaspersky Network Agent.msi" /qn /l*vx c:\windows\temp\nag_inst.log SERVERADDRESS=kscserver.mycompany.com EULA=1

/l*vx is the switch for writing a verbose log. The log is created during the installation of Network Agent and saved
at C:\windows\temp\nag_inst.log.

In addition to nag_inst.log, the application creates the $klssinstlib.log file, which also contains the installation log.
This file is stored in the %windir%\temp or %temp% folder. For troubleshooting purposes, you or a Kaspersky
Technical Support specialist may need both log files: nag_inst.log and $klssinstlib.log.

If you also need to specify the port for connection to the Administration Server, run the command:

msiexec /i "Kaspersky Network Agent.msi" /qn /l*vx c:\windows\temp\nag_inst.log SERVERADDRESS=kscserver.mycompany.com EULA=1 SERVERPORT=14000

The SERVERPORT parameter is the number of the port used for connection to the Administration Server.

The names and possible values of the parameters that can be used when installing Network Agent in silent mode
are listed in the Network Agent installation parameters section.

Installing Network Agent for Linux in silent mode (with an answer le)
You can install Network Agent on Linux devices by using an answer le—a text le that contains a custom set of
installation parameters: variables and their respective values. Using this answer le allows you to run an installation
in silent mode, that is, without user participation.

To perform installation of Network Agent for Linux in silent mode:

1. Prepare the relevant Linux device for remote installation. Download the .deb or .rpm package of Network Agent
and create the remote installation package from it by means of any suitable package management system.

2. If you want to install Network Agent on devices with the SUSE Linux Enterprise Server 15 operating system,
install the insserv-compat package first to configure Network Agent.

3. Read the End User License Agreement. Follow the steps below only if you understand and accept the terms of
the End User License Agreement.
4. Set the value of the KLAUTOANSWERS environment variable by entering the full name of the answer le
(including the path), for example, as follows:
export KLAUTOANSWERS=/tmp/nagent_install/answers.txt

5. Create the answer file (in TXT format) at the path that you specified in the environment variable. Add to the
answer file a list of variables in the VARIABLE_NAME=variable_value format, each variable on a separate
line.
For correct usage of the answer le, you must include in it a minimum set of the three required variables:

KLNAGENT_SERVER

KLNAGENT_AUTOINSTALL

EULA_ACCEPTED

You can also add any optional variables to use more speci c parameters of your remote installation. The
following table lists all of the variables that can be included in the answer le:
Variables of the answer file used as parameters of Network Agent for Linux installation in silent mode

KLNAGENT_SERVER
    Required: Yes
    Contains the Administration Server name presented as fully qualified domain name (FQDN) or IP address.
    Possible values: DNS name or IP address.

KLNAGENT_AUTOINSTALL
    Required: Yes
    Defines whether silent installation mode is enabled.
    Possible values:
        1: Silent mode is enabled; the user is not prompted for any actions during installation.
        Other: Silent mode is disabled; the user may be prompted for actions during installation.

EULA_ACCEPTED
    Required: Yes
    Defines whether the user accepts the End User License Agreement (EULA) of Network Agent; when missing, it is interpreted as non-acceptance of the EULA.
    Possible values:
        1: I confirm that I have fully read, understand, and accept the terms and conditions of this End User License Agreement.
        Other or not specified: I do not accept the terms of the License Agreement (installation is not performed).

KLNAGENT_PROXY_USE
    Required: No
    Defines whether connection with the Administration Server will use proxy settings. The default value is 0.
    Possible values:
        1: Proxy settings are used.
        Other: Proxy settings are not used.

KLNAGENT_PROXY_ADDR
    Required: No
    Defines the address of the proxy server used for connection with the Administration Server.
    Possible values: DNS name or IP address.

KLNAGENT_PROXY_LOGIN
    Required: No
    Defines the user name used for login to the proxy server.
    Possible values: Any existing user name.

KLNAGENT_PROXY_PASSWORD
    Required: No
    Defines the user password used for login to the proxy server.
    Possible values: Any set of alphanumeric characters allowed by the password format in the operating system.

KLNAGENT_VM_VDI
    Required: No
    Defines whether Network Agent is installed on an image for creation of dynamic virtual machines.
    Possible values:
        1: Network Agent is installed on an image that is subsequently used for creation of dynamic virtual machines.
        Other: No image is used during installation.

KLNAGENT_VM_OPTIMIZE
    Required: No
    Defines whether the Network Agent settings are optimized for a hypervisor.
    Possible values:
        1: The default local settings of Network Agent are modified so that they allow optimized usage on a hypervisor.

KLNAGENT_TAGS
    Required: No
    Lists the tags assigned to the Network Agent instance.
    Possible values: One or multiple tag names separated with semicolons.

KLNAGENT_UDP_PORT
    Required: No
    Defines the UDP port used by Network Agent. The default value is 15000.
    Possible values: Any valid port number.

KLNAGENT_PORT
    Required: No
    Defines the non-TLS port used by Network Agent. The default value is 14000.
    Possible values: Any valid port number.

KLNAGENT_SSLPORT
    Required: No
    Defines the TLS port used by Network Agent. The default value is 13000.
    Possible values: Any valid port number.

KLNAGENT_USESSL
    Required: No
    Defines whether Transport Layer Security (TLS) is used for connection.
    Possible values:
        1 (default): TLS is used.
        Other: TLS is not used.

KLNAGENT_GW_MODE
    Required: No
    Defines whether a connection gateway is used.
    Possible values:
        1 (default): The current settings are not modified (at the first call, no connection gateway is specified).
        2: No connection gateway is used.
        3: Connection gateway is used.
        4: The Network Agent instance is used as connection gateway in the demilitarized zone (DMZ).

KLNAGENT_GW_ADDRESS
    Required: No
    Defines the address of the connection gateway. The value is applicable only if KLNAGENT_GW_MODE=3.
    Possible values: DNS name or IP address.
6. Install Network Agent:

To install Network Agent from an RPM package to a 32-bit operating system, execute the following
command:
# rpm -i klnagent-<build number>.i386.rpm

To install Network Agent from an RPM package to a 64-bit operating system, execute the following
command:
# rpm -i klnagent64-<build number>.x86_64.rpm

To install Network Agent from an RPM package on a 64-bit operating system for the Arm architecture,
execute the following command:
# rpm -i klnagent64-<build number>.aarch64.rpm

To install Network Agent from a DEB package to a 32-bit operating system, execute the following command:
# apt-get install ./klnagent_<build number>_i386.deb

To install Network Agent from a DEB package to a 64-bit operating system, execute the following command:
# apt-get install ./klnagent64_<build number>_amd64.deb

To install Network Agent from a DEB package on a 64-bit operating system for the Arm architecture,
execute the following command:
# apt-get install ./klnagent64_<build number>_arm64.deb

Installation of Network Agent for Linux starts in silent mode; the user is not prompted for any actions during the
process.
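The following script is added here as an example and is not part of the Kaspersky documentation or product. It carries out steps 4 to 6 above as shell functions: it writes an answer file that holds the three required variables, refuses a file that sets KLNAGENT_GW_MODE=3 without KLNAGENT_GW_ADDRESS, checks an existing file before KLAUTOANSWERS is exported, and selects the documented package command from the package format and the output of uname -m. The variable names are those of the table above; the server name, the gateway name, the answer-file path and the build number in the usage comment are assumptions for illustration.

```shell
#!/bin/sh
# Added example (not Kaspersky's code): prepare and check a KLAUTOANSWERS
# answer file for a silent Network Agent for Linux installation.

# write_answer_file FILE SERVER [GW_MODE] [GW_ADDRESS]
# GW_MODE defaults to 1 (leave current gateway settings unchanged).
write_answer_file() {
    _file=$1 _server=$2 _gw_mode=${3:-1} _gw_addr=${4:-}
    # KLNAGENT_GW_ADDRESS is only read when KLNAGENT_GW_MODE=3; a mode-3 file
    # without an address yields an agent that never reaches the Server.
    if [ "$_gw_mode" = 3 ] && [ -z "$_gw_addr" ]; then
        echo "KLNAGENT_GW_MODE=3 requires KLNAGENT_GW_ADDRESS" >&2
        return 1
    fi
    umask 077   # the file may later hold proxy credentials: owner-readable only
    {
        echo "KLNAGENT_SERVER=$_server"
        echo "KLNAGENT_AUTOINSTALL=1"
        echo "EULA_ACCEPTED=1"        # set only after you have read the EULA
        echo "KLNAGENT_USESSL=1"      # documented default, written explicitly
        echo "KLNAGENT_SSLPORT=13000"
        echo "KLNAGENT_GW_MODE=$_gw_mode"
        if [ "$_gw_mode" = 3 ]; then
            echo "KLNAGENT_GW_ADDRESS=$_gw_addr"
        fi
    } > "$_file"
}

# check_answer_file FILE: returns 0 if the three required variables are
# present, the EULA is accepted, and the gateway dependency is satisfied.
check_answer_file() {
    _file=$1
    for _var in KLNAGENT_SERVER KLNAGENT_AUTOINSTALL EULA_ACCEPTED; do
        grep -q "^$_var=." "$_file" || { echo "missing $_var" >&2; return 1; }
    done
    # anything but 1 is treated by the installer as non-acceptance
    grep -q '^EULA_ACCEPTED=1$' "$_file" || { echo "EULA not accepted" >&2; return 1; }
    if grep -q '^KLNAGENT_GW_MODE=3$' "$_file" && ! grep -q '^KLNAGENT_GW_ADDRESS=.' "$_file"; then
        echo "KLNAGENT_GW_MODE=3 without KLNAGENT_GW_ADDRESS" >&2
        return 1
    fi
    return 0
}

# package_cmd FORMAT ARCH BUILD: prints the documented install command for the
# package format (rpm|deb) and the machine architecture as printed by uname -m.
package_cmd() {
    _fmt=$1 _arch=$2 _build=$3
    case "$_fmt/$_arch" in
        rpm/i?86)    echo "rpm -i klnagent-${_build}.i386.rpm" ;;
        rpm/x86_64)  echo "rpm -i klnagent64-${_build}.x86_64.rpm" ;;
        rpm/aarch64) echo "rpm -i klnagent64-${_build}.aarch64.rpm" ;;
        deb/i?86)    echo "apt-get install ./klnagent_${_build}_i386.deb" ;;
        deb/x86_64)  echo "apt-get install ./klnagent64_${_build}_amd64.deb" ;;
        deb/aarch64) echo "apt-get install ./klnagent64_${_build}_arm64.deb" ;;
        *) echo "unsupported package format or architecture: $_fmt on $_arch" >&2; return 1 ;;
    esac
}

# Usage, run as root on the target device (server, gateway and BUILD assumed):
#   write_answer_file /tmp/nagent_install/answers.txt ksc.example.com 3 gw.example.com
#   check_answer_file /tmp/nagent_install/answers.txt || exit 1
#   export KLAUTOANSWERS=/tmp/nagent_install/answers.txt
#   eval "$(package_cmd deb "$(uname -m)" "$BUILD")"
```

check_answer_file is worth running even on a hand-written file: the table says a missing or non-1 EULA_ACCEPTED simply results in no installation, and a mode-3 file without a gateway address installs an agent that cannot connect, so both are cheaper to catch before the package command runs.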

Installing Network Agent on Astra Linux in the closed software environment mode
This section describes how to install Network Agent for Linux on the Astra Linux Special Edition operating system.

Before installation:

Make sure that the device on which you want to install Network Agent for Linux is running one of the supported
Linux distributions.

Download the kaspersky_astra_pub_key.gpg application key.

Download the necessary Network Agent installation file from the Kaspersky website.

Run the commands provided in this instruction under an account with root privileges.

To install Network Agent for Linux on the Astra Linux Special Edition (operational update 1.7) and Astra Linux
Special Edition (operational update 1.6) operating system:

1. Open the /etc/digsig/digsig_initramfs.conf file, and then specify the following setting:
DIGSIG_ELF_MODE=1

2. In the command line, run the following command to install the compatibility package:

apt install astra-digsig-oldkeys

3. Create a directory for the application key:


mkdir -p /etc/digsig/keys/legacy/kaspersky/

4. Place the application key in the directory created in the previous step:
cp kaspersky_astra_pub_key.gpg /etc/digsig/keys/legacy/kaspersky/

5. Update the RAM disks:


update-initramfs -u -k all
Reboot the system.

6. Install Network Agent:

To install Network Agent from a DEB package to a 32-bit operating system, execute the following command:
# apt-get install ./klnagent_<build number>_i386.deb

To install Network Agent from a DEB package to a 64-bit operating system, execute the following command:
# apt-get install ./klnagent64_<build number>_amd64.deb

To install Network Agent from a DEB package to a 64-bit operating system for the Arm architecture,
execute the following command:
# apt-get install ./klnagent64_<build number>_arm64.deb

Network Agent for Linux is installed.
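As an added example (not Kaspersky's code), the pre-installation steps above expressed as re-runnable shell functions: an existing DIGSIG_ELF_MODE line is rewritten in place instead of a second one being appended, and the key copy is verified before update-initramfs is called, so that a missing or empty key in /etc/digsig/keys/legacy/kaspersky/ is caught before the reboot rather than after it. The paths are the documented ones; the -y for apt and the configuration-file and key-directory parameters are assumptions for illustration, so the functions can be exercised against scratch copies.

```shell
#!/bin/sh
# Added example (not Kaspersky's code): Astra Linux closed software
# environment preparation for Network Agent, as idempotent functions.

# set_digsig_elf_mode CONF: ensure CONF contains exactly one DIGSIG_ELF_MODE=1
# line, replacing any other value (for example DIGSIG_ELF_MODE=0) in place.
set_digsig_elf_mode() {
    _conf=$1
    [ -f "$_conf" ] || : > "$_conf"
    if grep -q '^DIGSIG_ELF_MODE=' "$_conf"; then
        sed -i 's/^DIGSIG_ELF_MODE=.*/DIGSIG_ELF_MODE=1/' "$_conf"
    else
        echo 'DIGSIG_ELF_MODE=1' >> "$_conf"
    fi
    # a re-run must not produce duplicate lines
    [ "$(grep -c '^DIGSIG_ELF_MODE=1$' "$_conf")" = 1 ]
}

# install_key SRC KEYDIR: place the Kaspersky public key in the legacy digsig
# key directory and verify that a non-empty, world-readable copy is in place.
install_key() {
    _src=$1 _dir=$2
    [ -s "$_src" ] || { echo "key file $_src is missing or empty" >&2; return 1; }
    mkdir -p "$_dir"
    cp "$_src" "$_dir/"
    chmod 644 "$_dir/$(basename "$_src")"
    [ -s "$_dir/$(basename "$_src")" ]
}

# prepare_astra: the documented steps 1 to 5, run as root. The -y is assumed
# for unattended use; the documentation shows apt install without it.
prepare_astra() {
    set_digsig_elf_mode /etc/digsig/digsig_initramfs.conf || return 1
    apt install -y astra-digsig-oldkeys || return 1
    install_key ./kaspersky_astra_pub_key.gpg /etc/digsig/keys/legacy/kaspersky/ || return 1
    update-initramfs -u -k all || return 1
    echo "reboot now, then install the package, e.g. apt-get install ./klnagent64_<build number>_amd64.deb"
}
```

Keeping the key check separate from the conf edit means a failed download of kaspersky_astra_pub_key.gpg stops the procedure before the RAM disks are rebuilt, which is the step that is expensive to repeat.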

Local installation of the application management plug-in


To install the application management plug-in:

On a device with Administration Console installed, run the klcfginst.exe executable le, which is included in the
application distribution package.

The klcfginst.exe le is included in all applications that can be managed through Kaspersky Security Center.
Installation is facilitated by the Wizard and requires no manual con guration of settings.

Installing applications in silent mode


To install an application in silent mode:

1. Open the main window of Kaspersky Security Center.

2. In the Remote installation folder of the console tree, in the Installation packages subfolder select the
installation package of the relevant application or create a new one for that application.

The installation package will be stored on the Administration Server in the Packages service folder that is in
the shared folder. A separate subfolder corresponds to each installation package.

3. Open the folder storing the required installation package in one of the following ways:

By copying the folder corresponding to the relevant installation package from the Administration Server to
the client device. Then open the copied folder on the client device.

By opening from the client device the shared folder that corresponds to the requisite installation package
on the Administration Server.

If the shared folder is located on a device that has Microsoft Windows Vista installed, you must set the
Disabled value for the User account control: Run all administrators in Admin Approval Mode setting
(Start → Control Panel → Administration → Local security policy → Security settings).

4. Depending on the selected application, do the following:

For Kaspersky Anti-Virus for Windows Workstations, Kaspersky Anti-Virus for Windows Servers, and
Kaspersky Security Center, navigate to the exec subfolder and run the executable file (the file with the .exe
extension) with the /s key.

For other Kaspersky applications, run the executable file (a file with the .exe extension) with the /s key from
the open folder.

Running the executable le with the EULA=1 and PRIVACYPOLICY=1 keys means that you have fully read,
understand and accept the terms of the End User License Agreement and the Privacy Policy, respectively.
You are also aware that your data will be handled and transmitted (including to third countries) as described
in the Privacy Policy. The text of the License Agreement and the Privacy Policy is included in the Kaspersky
Security Center distribution kit. Accepting the terms of the License Agreement and the Privacy Policy is
necessary for installing the application or upgrading a previous version of the application.

Installing applications by using stand-alone packages


Kaspersky Security Center lets you create stand-alone installation packages for applications. A stand-alone
installation package is an executable le that can be located on the Web Server, sent by email, or transferred to a
client device by another method. The received le can be run locally on the client device to install an application
without involving Kaspersky Security Center.

To install an application using a stand-alone installation package:

1. Connect to the necessary Administration Server.

2. In the Remote installation folder of the console tree, select the Installation packages subfolder.

3. In the workspace, select the installation package of the required application.

4. Start the process of creating a stand-alone installation package in one of the following ways:

By selecting Create stand-alone installation package in the context menu of the installation package.

By clicking the Create stand-alone installation package link in the workspace of the installation package.

The Stand-alone Installation Package Creation Wizard starts. Follow the instructions of the Wizard.
At the final step of the Wizard, select a method for transferring the stand-alone installation package to the
client device.

5. Transfer the stand-alone installation package to the client device.

6. Run the stand-alone installation package on the client device.

The application is now installed on the client device with the settings specified in the stand-alone package.

When you create a stand-alone installation package, it is automatically published on Web Server. The link for
downloading the stand-alone package is displayed in the list of created stand-alone installation packages. If
necessary, you can cancel publication of the selected stand-alone package and republish it on the Web Server. By
default, port 8060 is used for downloading stand-alone installation packages.

Network Agent installation package settings


To con gure a Network Agent installation package:

1. In the Remote installation folder of the console tree, select the Installation packages subfolder.
The Remote installation folder is a subfolder of the Advanced folder by default.

2. In the context menu of the Network Agent installation package, select Properties.

The Network Agent installation package properties window opens.

General

The General section displays general information about the installation package:

Installation package name

Name and version of the application for which the installation package has been created

Installation package size

Installation package creation date

Path to the installation package folder

Settings

This section presents the settings required to ensure proper functioning of Network Agent immediately after it is
installed. The settings in this section are available only on devices running Windows.

In the Destination folder group of settings, you can select the client device folder in which Network Agent will be
installed.

Install in default folder

If this option is selected, Network Agent will be installed in the <Drive>:\Program Files\Kaspersky
Lab\NetworkAgent folder. If this folder does not exist, it will be created automatically.
By default, this option is selected.

Install in specified folder


If this option is selected, Network Agent will be installed in the folder specified in the entry field.

In the following group of settings, you can set a password for the Network Agent remote uninstallation task:

Use uninstallation password

If this option is enabled, by clicking the Modify button you can enter the uninstall password (only available
for Network Agent on devices running Windows operating systems).
By default, this option is disabled.

Status

Status of the password: Password set or Password not set.


By default, the password is not set.

Protect Network Agent service against unauthorized removal or termination, and prevent changes to the
settings

When this option is enabled, after Network Agent is installed on a managed device, the component cannot
be removed or reconfigured without the required privileges. The Network Agent service cannot be stopped.
This option has no effect on domain controllers.
Enable this option to protect Network Agent on workstations operated with local administrator rights.
By default, this option is disabled.

Automatically install applicable updates and patches for components that have the Undefined status

If this option is enabled, all downloaded updates and patches for Administration Server, Network Agent,
Administration Console, Exchange Mobile Device Server, and iOS MDM Server will be installed
automatically.
If this option is disabled, all downloaded updates and patches will only be installed after you change their
status to Approved. Updates and patches with Undefined status will not be installed.
By default, this option is enabled.

Connection

In this section, you can configure connection of Network Agent to the Administration Server. To establish a
connection, you can use the SSL or UDP protocol. For configuring the connection, specify the following settings:

Administration Server

Address of the device with Administration Server installed.

Port

Port number that is used for connection.

SSL port

Port number that is used for connection over the SSL protocol.

Use Server certificate

If this option is enabled, authentication of Network Agent access to the Administration Server uses the
certificate file that you specify by clicking the Browse button.
If this option is disabled, the certificate file is received from the Administration Server at the first
connection of Network Agent to the address specified in the Server address field.
We do not recommend disabling this option, because automatic receipt of the Administration Server
certificate by Network Agent upon first connection (trust on first use) is considered insecure.
By default, this check box is selected.

Use SSL

If this option is enabled, connection to the Administration Server is established through a secure port via
SSL.
By default, this option is enabled. We recommend that you do not disable this option, so that your
connection remains secured.

Use UDP port

If this option is enabled, the Network Agent is connected to Administration Server through a UDP port.
This allows to manage client devices and receive information about them.
The UDP port must be open on managed devices where Network Agent is installed. Therefore, we
recommend that you do not disable this option.
By default, this option is enabled.

UDP port number

In this field you can specify the port used by the Administration Server to connect to Network Agent over
the UDP protocol.
The default UDP port is 15000.

Open Network Agent ports in Microsoft Windows Firewall

If this option is enabled, UDP ports used by Network Agent are added to the Microsoft Windows Firewall
exclusion list.
By default, this option is enabled.

Advanced

In the Advanced section, you can con gure how to use the connection gateway. For this purpose, you can do the
following:

Use Network Agent as a connection gateway in the demilitarized zone (DMZ) to connect to Administration
Server, communicate with it, and keep data on the Network Agent safe during data transmission.

Connect to Administration Server by using a connection gateway to reduce the number of connections to the
Administration Server. In this case, enter the address of the device that will act as the connection gateway in
the Connection gateway address field.

Configure the connection for Virtual Desktop Infrastructure (VDI) if your network includes virtual machines. For
this purpose, do the following:

Enable dynamic mode for VDI

If this option is enabled, dynamic mode for Virtual Desktop Infrastructure (VDI) will be enabled for
Network Agent installed on a virtual machine.
By default, this option is disabled.

Optimize settings for VDI

If this option is enabled, the following features are disabled in the Network Agent settings:
Retrieving information about software installed

Retrieving information about hardware

Retrieving information about vulnerabilities detected

Retrieving information about updates required


By default, this option is disabled.

Additional components

In this section you can select additional components for concurrent installation with Network Agent.

Tags

The Tags section displays a list of keywords (tags) that can be added to client devices after Network Agent
installation. You can add and remove tags from the list, as well as rename them.
If the check box is selected next to a tag, this tag is automatically added to managed devices during Network
Agent installation.
If the check box is cleared next to a tag, the tag will not automatically be added to managed devices during
Network Agent installation. You can manually add this tag to devices.
When removing a tag from the list, it is automatically removed from all devices to which it was added.

Revision history

In this section, you can view the history of the installation package revisions. You can compare revisions, view
revisions, save revisions to a file, and add and edit revision descriptions.

Network Agent installation package settings available to a specific operating system are given in the table below.

Network Agent installation package settings

Property section        Windows    Mac                                          Linux
General
Settings
Connection                         (except for the Open Network Agent          (except for the Open Network Agent
                                   ports in Microsoft Windows Firewall         ports in Microsoft Windows Firewall
                                   and Use only automatic detection of         and Use only automatic detection of
                                   proxy server options)                       proxy server options)
Advanced
Additional components
Tags                               (except for the automatic tagging rules)    (except for the automatic tagging rules)
Revision history

Viewing the Privacy Policy


The Privacy Policy is available online at https://www.kaspersky.com/products-and-services-privacy-policy; it is
also available offline. You can read the Privacy Policy, for example, before installing Network Agent.

To read the Privacy Policy offline:

1. Start the installer of Kaspersky Security Center.

2. In the installer window, proceed to the Extract installation packages link.

3. In the list that opens, select Kaspersky Security Center 14 Network Agent, and then click Next.

The privacy_policy.txt file appears on your device, in the folder that you specified, in the NetAgent_<current
version> subfolder.

Deploying mobile device management systems


This section describes the deployment of mobile device management systems using Exchange ActiveSync, iOS
MDM, and Kaspersky Endpoint Security protocols.

Deploying a system for management via Exchange ActiveSync protocol


Kaspersky Security Center allows you to manage mobile devices that are connected to the Administration Server
using the Exchange ActiveSync protocol. Exchange ActiveSync (EAS) mobile devices are those connected to an
Exchange Mobile Device Server and managed by Administration Server.

The following operating systems support Exchange ActiveSync protocol:

Windows Phone® 8

Windows Phone 8.1

Windows 10 Mobile

Android

iOS

The set of management settings for an Exchange ActiveSync device depends on the operating system
under which the mobile device is running. For details on the supported features of the Exchange ActiveSync
protocol for a specific operating system, please refer to the documentation enclosed with the operating
system.

Deployment of a mobile device management system using Exchange ActiveSync protocol includes the following
steps:

1. The administrator installs Exchange Mobile Device Server on the selected client device.

2. The administrator creates one or more management profiles in Administration Console for managing EAS devices and
adds the profile(s) to the mailboxes of Exchange ActiveSync users.

A management profile of Exchange ActiveSync mobile devices is an ActiveSync policy used on a Microsoft
Exchange server for managing Exchange ActiveSync mobile devices. Only one EAS device management
profile can be assigned to a Microsoft Exchange mailbox.

Users of mobile EAS devices connect to their Exchange mailboxes. Any management profile imposes some
restrictions on mobile devices.

Installing Mobile Device Server for Exchange ActiveSync


An Exchange Mobile Device Server is installed on a client device with a Microsoft Exchange server installed. We
recommend that you install the Exchange Mobile Device Server on a Microsoft Exchange server with the Client
Access role assigned. If several Microsoft Exchange servers with the Client Access role in the same domain are
combined into a Client Access Array, it is recommended to install the Exchange Mobile Device Server on each
Microsoft Exchange server in that array in cluster mode.

To install an Exchange Mobile Device Server on a local device:

1. Run the setup.exe executable file.

A window opens prompting you to select Kaspersky applications to install.

2. In the applications selection window, click the Install Exchange Mobile Device Server link to run the Setup
Wizard of Exchange Mobile Device Server.

3. In the Installation settings window, select the type of Exchange Mobile Device Server installation:

To install Exchange Mobile Device Server with the default settings, select Standard installation and click the
Next button.

To define the settings for installation of the Exchange Mobile Device Server manually, select Custom
installation and click Next. Then do the following:

a. Select the destination folder in the Destination Folder window. The default folder is <Disk>:\Program
Files\Kaspersky Lab\Mobile Device Management for Exchange. If such a folder does not exist, it is
created automatically during the installation. You can change the destination folder by using the Browse
button.

b. Choose the type of Exchange Mobile Device Server installation in the Installation mode window: normal
mode or cluster mode.

c. In the Select Account window, choose an account that will be used to manage mobile devices:

Create account and role group automatically. The account will be created automatically.

Specify an account. The account should be selected manually. Click the Browse button to select the
user whose account will be used and specify the password. The selected user must belong to a group
that has rights to manage mobile devices using ActiveSync.

d. In the IIS settings window, allow or prohibit automatic configuration of the Internet Information Services
(IIS) web server properties.

If you have prohibited automatic configuration of the Internet Information Services (IIS)
properties, enable the "Windows authentication" mechanism manually in the IIS settings for the
Microsoft PowerShell Virtual Directory. If the "Windows authentication" mechanism is disabled, Exchange
Mobile Device Server will not operate correctly. Please refer to the IIS documentation for more
information about configuring IIS.

e. Click Next.

4. In the window that opens, verify the Exchange Mobile Device Server installation properties, and then click
Install.

When the Wizard finishes, the Exchange Mobile Device Server is installed on the local device. The Exchange
Mobile Device Server will be displayed in the Mobile Device Management folder in the console tree.

Connecting mobile devices to an Exchange Mobile Device Server


Before connecting any mobile devices, you must configure Microsoft Exchange Server in order to allow the devices
to be connected using the ActiveSync protocol.

To connect a mobile device to an Exchange Mobile Device Server, the user connects to his or her Microsoft
Exchange mailbox from the mobile device through ActiveSync. When connecting, the user must specify the
connection settings in the ActiveSync client, such as email address and email password.

The user's mobile device, connected to the Microsoft Exchange server, is displayed in the Mobile devices
subfolder contained in the Mobile Device Management folder in the console tree.

After the Exchange ActiveSync mobile device is connected to an Exchange Mobile Device Server, the
administrator can manage the connected Exchange ActiveSync mobile device.

Configuring the Internet Information Services web server

When using Microsoft Exchange Server (versions 2010 and 2013), you have to activate the Windows authentication
mechanism for a Windows PowerShell™ virtual directory in the settings of the Internet Information Services (IIS)
web server. This authentication mechanism is activated automatically if the Configure Microsoft Internet
Information Services (IIS) automatically option is selected in the Exchange Mobile Device Server Installation
Wizard (default option).

Otherwise, you will have to activate the authentication mechanism on your own.

To activate the Windows authentication mechanism for a PowerShell virtual directory manually:

1. In Internet Information Services (IIS) Manager console, open the properties of the PowerShell virtual directory.

2. Go to the Authentication section.

3. Select Microsoft Windows Authentication, and then click the Enable button.

4. Open Advanced Settings.

5. Select the Enable Kernel-mode authentication option.

6. In the Extended protection drop-down list, select Required.

When using Microsoft Exchange Server 2007, the IIS web server requires no con guration.

Local installation of an Exchange Mobile Device Server


For a local installation of an Exchange Mobile Device Server, the administrator must perform the following
operations:

1. Copy the contents of the \Server\Packages\MDM4Exchange\ folder from the Kaspersky Security Center
distribution package to a client device.

2. Run the setup.exe executable file.

Local installation includes two types of installation:

Standard installation is a simplified installation that does not require the administrator to define any settings; it
is recommended in most cases.

Extended installation is an installation that requires the administrator to define the following settings:

Path for Exchange Mobile Device Server installation.

Exchange Mobile Device Server operation mode: standard mode or cluster mode.

Possibility of specifying the account under which the Exchange Mobile Device Server service will run.

Enabling / disabling automatic configuration of the IIS web server.

The Exchange Mobile Device Server Installation Wizard must be run under an account that has all of the required
rights.

Remote installation of an Exchange Mobile Device Server

To configure the remote installation of Exchange Mobile Device Server, the administrator must perform the
following actions:

1. In the tree of Kaspersky Security Center Administration Console, select the Remote installation folder, then
the Installation packages subfolder.

2. In the Installation packages subfolder, open the properties of the Exchange Mobile Device Server package.

3. Go to the Settings section.


This section contains the same settings as those used for the local installation of the application.

After the remote installation is configured, you can start installing Exchange Mobile Device Server.

To install Exchange Mobile Device Server:

1. In the tree of Kaspersky Security Center Administration Console, select the Remote installation folder, then
the Installation packages subfolder.

2. In the Installation packages subfolder, select the Exchange Mobile Device Server package.

3. Open the context menu of the package and select Install application.

4. In the Remote Installation Wizard that opens, select a device (or multiple devices for installation in cluster
mode).

5. In the Run application Setup Wizard under specified account field, specify the account under which the
installation process will be run on the remote device.
The account must have the required rights.

Deploying a system for management using iOS MDM protocol


Kaspersky Security Center allows you to manage mobile devices running iOS. iOS MDM mobile devices refer to iOS
mobile devices that are connected to an iOS MDM Server and managed by an Administration Server.

Connection of mobile devices to an iOS MDM Server is performed in the following sequence:

1. The administrator installs iOS MDM Server on the selected client device. Installation of iOS MDM Server is
performed using the standard tools of the operating system.

2. The administrator retrieves an Apple Push Notification Service (APNs) certificate.
The APNs certificate allows Administration Server to connect to the APNs server to send push notifications to
iOS MDM mobile devices.

3. The administrator installs the APNs certificate on the iOS MDM Server.

4. The administrator creates an iOS MDM profile for the user of the iOS mobile device.
The iOS MDM profile contains a collection of settings for connecting iOS mobile devices to Administration
Server.

5. The administrator issues a shared certificate to the user.
The shared certificate is required to confirm that the mobile device is owned by the user.

6. The user clicks the link sent by the administrator and downloads an installation package to the mobile device.
The installation package contains a certificate and an iOS MDM profile.
After the iOS MDM profile is downloaded and the iOS MDM mobile device is synchronized with the
Administration Server, the device is displayed in the Mobile devices folder, which is a subfolder of the Mobile
Device Management folder in the console tree.

7. The administrator adds a configuration profile on the iOS MDM Server and installs the configuration profile on
the mobile device after it is connected.
The configuration profile contains a collection of settings and restrictions for the iOS MDM mobile device, for
example, settings for installation of applications, settings for the use of various features of the device, email
and scheduling settings. A configuration profile allows you to configure iOS MDM mobile devices in accordance
with the organization's security policies.

8. If necessary, the administrator adds provisioning profiles on the iOS MDM Server and then installs these
provisioning profiles on mobile devices.
A provisioning profile is a profile that is used for managing applications distributed in ways other than through the App
Store®. A provisioning profile contains information about the license; it is linked to a specific application.

Installing iOS MDM Server


To install iOS MDM Server on a local device:

1. Run the setup.exe executable file.

A window opens prompting you to select Kaspersky applications to install.
In the applications selection window, click the Install iOS MDM Server link to run the iOS MDM Server Setup
Wizard.

2. Select a destination folder.


The default destination folder is <Disk>:\Program Files\Kaspersky Lab\Mobile Device Management for iOS. If
such a folder does not exist, it is created automatically during the installation. You can change the destination
folder by using the Browse button.

3. In the Specify the settings for connection to iOS MDM Server window of the Wizard, in the External port for
connection to iOS MDM service field, specify an external port for connecting mobile devices to the iOS MDM
service.
External port 5223 is used by mobile devices for communication with the APNs server. Make sure that port
5223 is open in the firewall for connection with the address range 17.0.0.0/8.
Port 443 is used for connection to iOS MDM Server by default. If port 443 is already in use by another service
or application, it can be replaced with, for example, port 9443.
The iOS MDM Server uses external port 2197 to send notifications to the APNs server.
APNs servers run in load-balancing mode. Mobile devices do not always connect to the same IP addresses to
receive notifications. The 17.0.0.0/8 address range is reserved for Apple, and it is therefore recommended to
specify this entire range as an allowed range in Firewall settings.

4. If you want to con gure interaction ports for application components manually, select the Set up local ports
manually option, and then specify values for the following settings:

Port for connection to Network Agent. In this field, specify a port for connecting the iOS MDM service to
Network Agent. The default port number is 9799.

Local port to connect to iOS MDM service. In this field, specify a local port for connecting Network Agent
to the iOS MDM service. The default port number is 9899.

It is recommended to use default values.

5. In the External address of Mobile Device Server window of the Wizard, in the Web address for remote
connection to Mobile Device Server field, specify the address of the client device on which iOS MDM Server
is to be installed.
This address will be used for connecting managed mobile devices to the iOS MDM service. The client device
must be available for connection of iOS MDM devices.
You can specify the address of a client device in any of the following formats:

Device FQDN (such as mdm.example.com)

Device NetBIOS name

Please avoid adding the URL scheme and the port number in the address string: these values will be added
automatically.

When the Wizard finishes, iOS MDM Server is installed on the local device. The iOS MDM Server is displayed in
the Mobile Device Management folder in the console tree.
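The firewall rules implied by step 3 above, as an added PowerShell example that is not part of the Kaspersky documentation: it creates the inbound rule for the external iOS MDM port and the outbound rules to the 17.0.0.0/8 range on ports 2197 and 5223, skips rules that already exist, and then lists what is in place. The rule names are assumptions; run it in an elevated PowerShell session on a host with the NetSecurity module.

```powershell
# Added example (not from the Kaspersky documentation). Ports and the Apple address
# range come from the installation step above; rule names are assumptions.
param(
    # Port on which mobile devices reach the iOS MDM service: 443 by default,
    # or the alternative (for example 9443) chosen when 443 is already taken.
    [ValidateRange(1, 65535)]
    [int]$ExternalMdmPort = 443
)

$ApnsRange = '17.0.0.0/8'   # Apple's APNs address range, per the section above

# Rule definitions. The 5223 rule is for a firewall that the mobile devices themselves
# traverse; on the iOS MDM Server host only the inbound rule and the 2197 rule matter.
$Rules = @(
    @{ DisplayName = 'KSC iOS MDM service (inbound from devices)';
       Direction = 'Inbound';  LocalPort = $ExternalMdmPort; RemoteAddress = 'Any' },
    @{ DisplayName = 'KSC iOS MDM Server to APNs 2197 (outbound)';
       Direction = 'Outbound'; RemotePort = 2197; RemoteAddress = $ApnsRange },
    @{ DisplayName = 'Mobile devices to APNs 5223 (outbound)';
       Direction = 'Outbound'; RemotePort = 5223; RemoteAddress = $ApnsRange }
)

foreach ($r in $Rules) {
    # Idempotent: never create a second copy of a rule that is already present.
    if (Get-NetFirewallRule -DisplayName $r.DisplayName -ErrorAction SilentlyContinue) {
        Write-Host "Already present: $($r.DisplayName)"
        continue
    }
    $params = @{
        DisplayName   = $r.DisplayName
        Direction     = $r.Direction
        Protocol      = 'TCP'
        Action        = 'Allow'
        RemoteAddress = $r.RemoteAddress
    }
    if ($r.ContainsKey('LocalPort'))  { $params.LocalPort  = $r.LocalPort }
    if ($r.ContainsKey('RemotePort')) { $params.RemotePort = $r.RemotePort }
    New-NetFirewallRule @params | Out-Null
    Write-Host "Created: $($r.DisplayName)"
}

# Review what is now in place: rule name, direction, and the port filter behind it.
Get-NetFirewallRule -DisplayName 'KSC iOS MDM*', 'Mobile devices to APNs*' |
    ForEach-Object {
        $pf = $_ | Get-NetFirewallPortFilter
        [pscustomobject]@{ Rule = $_.DisplayName; Direction = $_.Direction;
                           LocalPort = $pf.LocalPort; RemotePort = $pf.RemotePort }
    }
```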

Installing iOS MDM Server in silent mode


Kaspersky Security Center allows you to install iOS MDM Server on a local device in silent mode, that is, without
the interactive input of installation settings.

To install iOS MDM Server on a local device in silent mode:

1. Read the End User License Agreement. Use the command below only if you understand and accept the terms
of the End User License Agreement.

2. Run the following command:

.\exec\setup.exe /s /v"DONT_USE_ANSWER_FILE=1 EULA=1 <setup_parameters>"

where setup_parameters is a list of settings and their respective values, separated with spaces
(PROP1=PROP1VAL PROP2=PROP2VAL). The setup.exe file is located in the Server folder, which is part of the
Kaspersky Security Center distribution kit.

The names and possible values for parameters that can be used when installing iOS MDM Server in silent mode are
listed in the table below. Parameters can be specified in any convenient order.

Parameters of iOS MDM Server installation in silent mode

EULA
Acceptance of the terms of the End User License Agreement. This parameter is mandatory.
Available values:
1: I have fully read, understand and accept the terms of the End User License Agreement.
Other value or no value: I do not accept the terms of the License Agreement (installation is not performed).

DONT_USE_ANSWER_FILE
Whether or not to use an XML file with iOS MDM Server installation settings. The XML file is included in the
installation package or stored on the Administration Server. You do not have to specify an additional path to the
file. This parameter is mandatory.
Available values:
1: Do not use the XML file with parameters.
Other value or no value: Use the XML file with parameters.

INSTALLDIR
The iOS MDM Server installation folder. This parameter is optional.
Available values: String value, for example, INSTALLDIR=\"C:\install\"

CONNECTORPORT
Local port for connecting the iOS MDM service to Network Agent. The default port number is 9799. This parameter
is optional.
Available values: Numerical value.

LOCALSERVERPORT
Local port for connecting Network Agent to the iOS MDM service. The default port number is 9899. This parameter
is optional.
Available values: Numerical value.

EXTERNALSERVERPORT
Port for connecting a device to iOS MDM Server. The default port number is 443. This parameter is optional.
Available values: Numerical value.

EXTERNAL_SERVER_URL
External address of the client device on which iOS MDM Server is to be installed. This address will be used for
connecting managed mobile devices to the iOS MDM service. The client device must be available for connection
through iOS MDM. The address must not include the URL scheme and the port number because these values
will be added automatically. This parameter is optional.
Available values: Device FQDN (such as mdm.example.com), Device NetBIOS name, Device IP address.

WORKFOLDER
Work folder of iOS MDM Server. If no work folder is specified, data will be written to the default folder. This
parameter is optional.
Available values: String value, for example, WORKFOLDER=\"C:\work\"

MTNCY
Use of iOS MDM Server by multiple virtual Servers. This parameter is optional.
Available values:
1: iOS MDM Server will be used by multiple virtual Administration Servers.
Other value or no value: iOS MDM Server will not be used by multiple virtual Administration Servers.

Example:
\exec\setup.exe /s /v"EULA=1 DONT_USE_ANSWER_FILE=1 EXTERNALSERVERPORT=9443
EXTERNAL_SERVER_URL=\"www.test-mdm.com\""

The iOS MDM Server installation parameters are given in detail in section "Installing iOS MDM Server".
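A wrapper for the silent-mode command above, added as an example that is not part of the Kaspersky documentation: it assembles the /v"..." argument from the parameters in the table (using the \"...\" quoting the table shows for string values), sets EULA=1 only when explicitly asked, rejects an EXTERNAL_SERVER_URL that carries a scheme or port, and checks the installer's exit code. The switch names are assumptions; the parameter names and quoting come from the table.

```powershell
# Added example (not from the Kaspersky documentation). Assumes the distribution kit
# has been extracted so that .\exec\setup.exe exists in the current directory.
param(
    [Parameter(Mandatory)] [string]$ExternalServerUrl,   # e.g. mdm.example.com; no scheme, no port
    [ValidateRange(1, 65535)] [int]$ExternalServerPort = 443,
    [string]$InstallDir,                                 # optional, e.g. C:\install
    [switch]$MultiTenancy,                               # sets MTNCY=1
    [switch]$AcceptEula                                  # sets EULA=1 (read the EULA first)
)

if (-not $AcceptEula) {
    throw 'Read the End User License Agreement first; rerun with -AcceptEula to pass EULA=1.'
}
# The table requires the address without URL scheme or port: both are added automatically.
if ($ExternalServerUrl -match '^[A-Za-z][A-Za-z0-9+.-]*://' -or $ExternalServerUrl -match ':\d+$') {
    throw 'EXTERNAL_SERVER_URL must not contain the URL scheme or the port number.'
}

# PROP=VALUE pairs. String values are wrapped in \"...\" exactly as the table shows,
# because the whole list travels inside the quoted /v"..." argument of setup.exe.
$props = [ordered]@{
    EULA                 = '1'
    DONT_USE_ANSWER_FILE = '1'
    EXTERNALSERVERPORT   = $ExternalServerPort
    EXTERNAL_SERVER_URL  = "\`"$ExternalServerUrl\`""
}
if ($InstallDir) {
    # A trailing backslash would merge with the closing \" and break the quoting.
    $props.INSTALLDIR = "\`"$($InstallDir.TrimEnd('\'))\`""
}
if ($MultiTenancy) { $props.MTNCY = '1' }

$pairs = ($props.GetEnumerator() | ForEach-Object { "$($_.Key)=$($_.Value)" }) -join ' '
$argumentList = "/s /v`"$pairs`""
Write-Host "Running: .\exec\setup.exe $argumentList"

$proc = Start-Process -FilePath '.\exec\setup.exe' -ArgumentList $argumentList -Wait -PassThru
if ($proc.ExitCode -ne 0) {
    throw "iOS MDM Server silent installation failed with exit code $($proc.ExitCode)."
}
Write-Host 'iOS MDM Server installed.'
```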

iOS MDM Server deployment scenarios


The number of copies of iOS MDM Server to be installed can be selected either based on available hardware or on
the total number of mobile devices covered.

Please keep in mind that the recommended maximum number of mobile devices for a single installation of
Kaspersky Device Management for iOS is 50,000 at most. In order to reduce the load, the entire pool of devices
can be distributed among several servers that have iOS MDM Server installed.

Authentication of iOS MDM devices is performed through user certificates (any profile installed on a device
contains the certificate of the device owner). Thus, two deployment schemes are possible for an iOS MDM Server:

Simplified scheme

Deployment scheme involving Kerberos constrained delegation (KCD)

Simplified deployment scheme


When deploying an iOS MDM Server under the simplified scheme, mobile devices connect to the iOS MDM web
service directly. In this case, user certificates issued by Administration Server can only be applied for device
authentication. Integration with Public Key Infrastructure (PKI) is impossible for user certificates.

Deployment scheme involving Kerberos constrained delegation (KCD)


The deployment scheme with Kerberos constrained delegation (KCD) requires the Administration Server and the
iOS MDM Server to be located on the internal network of the organization.

This deployment scheme provides for the following:

Integration with Microsoft Forefront TMG

Use of KCD for authentication of mobile devices

Integration with the PKI for applying user certi cates

When using this deployment scheme, you must do the following:

In Administration Console, in the settings of the iOS MDM web service, select the Ensure compatibility with
Kerberos constrained delegation check box.

As the certificate for the iOS MDM web service, specify the customized certificate that was defined when the
iOS MDM web service was published on TMG.

User certificates for iOS devices must be issued by the Certificate Authority (CA) of the domain. If the domain
contains multiple root CAs, user certificates must be issued by the CA that was specified when the iOS MDM
web service was published on TMG.
You can ensure that the user certificate complies with this CA-issuance requirement by using one of
the following methods:

Specify the user certificate in the New iOS MDM Profile Wizard and in the Certificate Installation Wizard.

Integrate the Administration Server with the domain's PKI and define the corresponding setting in the rules
for issuance of certificates:

1. In the console tree, expand the Mobile Device Management folder and select the Certificates
subfolder.

2. In the workspace of the Certificates folder, click the Configure certificate issuance rules button to
open the Certificate issuance rules window.

3. In the Integration with PKI section, configure integration with the Public Key Infrastructure.

4. In the Issuance of mobile certificates section, specify the source of certificates.

Below is an example of setup of Kerberos Constrained Delegation (KCD) with the following assumptions:

The iOS MDM web service is running on port 443.

The name of the device with TMG is tmg.mydom.local.

The name of device with the iOS MDM web service is iosmdm.mydom.local.

The name of external publishing of the iOS MDM web service is iosmdm.mydom.global.

Service Principal Name for http/iosmdm.mydom.local

In the domain, you have to register the service principal name (SPN) for the device with the iOS MDM web service
(iosmdm.mydom.local):

setspn -a http/iosmdm.mydom.local iosmdm

Configuring the domain properties of the device with TMG (tmg.mydom.local)

To delegate traffic, trust the device with TMG (tmg.mydom.local) to the service that is defined by the SPN
(http/iosmdm.mydom.local).

To trust the device with TMG to the service defined by the SPN (http/iosmdm.mydom.local), the administrator
must perform the following actions:

1. In the Microsoft Management Console snap-in named "Active Directory Users and Computers", select the
device with TMG installed (tmg.mydom.local).

2. In the device properties, on the Delegation tab, set the Trust this computer for delegation to specified
service only toggle to Use any authentication protocol.

3. Add the SPN (http/iosmdm.mydom.local) to the Services to which this account can present delegated
credentials list.
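The SPN registration and delegation steps above, as an added PowerShell example that is not part of the Kaspersky documentation: it registers the SPN after checking that no other account already holds it, limits the TMG computer account's delegation to that one SPN with protocol transition (what the Use any authentication protocol option sets), and reads the result back for review. It assumes the ActiveDirectory module (RSAT), a domain administrator session, and the computer account names iosmdm and tmg from the assumptions listed above.

```powershell
# Added example (not from the Kaspersky documentation). Names below are the section's
# assumptions (iosmdm.mydom.local, tmg.mydom.local); adjust them for your domain.
Import-Module ActiveDirectory

$MdmComputer = 'iosmdm'                    # computer account hosting the iOS MDM web service
$Spn         = 'http/iosmdm.mydom.local'   # SPN from the section above
$TmgComputer = 'tmg'                       # computer account of the TMG device

# 1. SPN registration. A duplicate SPN anywhere in the domain breaks Kerberos for both
#    accounts, so look it up first (setspn -a itself does not check for duplicates).
$holders = @(Get-ADObject -Filter "servicePrincipalName -eq '$Spn'" -Properties servicePrincipalName)
$foreign = @($holders | Where-Object { $_.Name -ne $MdmComputer })
if ($foreign.Count -gt 0) {
    throw "SPN $Spn is already registered on $($foreign[0].DistinguishedName); resolve the duplicate first."
}
if ($holders.Count -eq 0) {
    # Same command the section gives; Set-ADComputer -ServicePrincipalNames @{Add=$Spn} is the cmdlet equivalent.
    & setspn.exe -a $Spn $MdmComputer | Out-Null
}

# 2. Constrained delegation on the TMG computer account: delegation is limited to this
#    SPN only (msDS-AllowedToDelegateTo), and protocol transition is enabled, which is
#    what the "Use any authentication protocol" option sets (TRUSTED_TO_AUTH_FOR_DELEGATION).
#    Keep the list to this single SPN: protocol transition lets TMG obtain a ticket for any
#    user to every service listed there.
$tmg = Get-ADComputer -Identity $TmgComputer -Properties 'msDS-AllowedToDelegateTo'
if (@($tmg.'msDS-AllowedToDelegateTo') -notcontains $Spn) {
    Set-ADComputer -Identity $tmg -Add @{ 'msDS-AllowedToDelegateTo' = $Spn }
}
Set-ADAccountControl -Identity $tmg -TrustedToAuthForDelegation $true

# 3. Read back and report, so the change can be reviewed before publishing on TMG.
$tmg = Get-ADComputer -Identity $TmgComputer -Properties 'msDS-AllowedToDelegateTo', 'TrustedToAuthForDelegation'
$mdm = Get-ADComputer -Identity $MdmComputer -Properties servicePrincipalName
[pscustomobject]@{
    TmgAccount         = $tmg.SamAccountName
    DelegatesTo        = (@($tmg.'msDS-AllowedToDelegateTo') -join ', ')
    ProtocolTransition = $tmg.TrustedToAuthForDelegation
    SpnOnMdmHost       = (@($mdm.servicePrincipalName) -contains $Spn)
}
```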

Special (customized) certificate for the published web service (iosmdm.mydom.global)

You have to issue a special (customized) certificate for the iOS MDM web service on the FQDN
iosmdm.mydom.global and specify that it replaces the default certificate in the settings of the iOS MDM web service
in Administration Console.

Please note that the certificate container (file with the p12 or pfx extension) must also contain the chain of root
certificates (public keys).
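A check to run before assigning the container, added here as an example that is not part of the Kaspersky documentation: it opens the PFX and reports whether the end-entity certificate names the published FQDN, carries its private key, is valid today, and is accompanied by its issuing chain inside the file (the chain is built from the file's own contents, not from the local certificate stores). The file path and the FQDN are assumptions.

```powershell
# Added example (not from the Kaspersky documentation). Path and FQDN are assumptions.
param(
    [string]$PfxPath      = 'C:\certs\iosmdm.mydom.global.pfx',   # assumed path
    [string]$ExpectedFqdn = 'iosmdm.mydom.global'                 # published service name
)

$password = Read-Host -Prompt 'PFX password' -AsSecureString
$pfx  = Get-PfxData -FilePath $PfxPath -Password $password
$leaf = $pfx.EndEntityCertificates | Select-Object -First 1
if (-not $leaf) { throw "No end-entity certificate found in $PfxPath" }

# 1. Name check: the published FQDN must be in the Subject Alternative Name (OID 2.5.29.17),
#    or, for a certificate without a SAN, in the subject CN.
$san = $leaf.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
$dnsNames = @()
if ($san) {
    $dnsNames = @([regex]::Matches($san.Format($false), 'DNS Name=([^,\s]+)') |
                  ForEach-Object { $_.Groups[1].Value })
}
if ($dnsNames.Count -eq 0) { $dnsNames = @($leaf.GetNameInfo('SimpleName', $false)) }
$nameOk = $dnsNames -contains $ExpectedFqdn

# 2. Chain check: build the chain offering only the certificates stored in the PFX, then
#    confirm every issuer in the built chain is one of them. AllowUnknownCertificateAuthority
#    keeps a private domain root that this host does not trust from failing the build.
$chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
$chain.ChainPolicy.RevocationMode     = 'NoCheck'
$chain.ChainPolicy.VerificationFlags  = 'AllowUnknownCertificateAuthority'
$chain.ChainPolicy.ExtraStore.AddRange($pfx.OtherCertificates)
$built   = $chain.Build($leaf)
$bundled = @($pfx.OtherCertificates | ForEach-Object { $_.Thumbprint })
$issuers = @($chain.ChainElements | Select-Object -Skip 1 | ForEach-Object { $_.Certificate.Thumbprint })
$missing = @($issuers | Where-Object { $bundled -notcontains $_ })
$chainOk = $built -and ($issuers.Count -gt 0) -and ($missing.Count -eq 0)

# 3. Private key and validity window.
$keyOk   = $leaf.HasPrivateKey
$now     = Get-Date
$validOk = ($now -ge $leaf.NotBefore) -and ($now -lt $leaf.NotAfter)

[pscustomobject]@{
    Subject        = $leaf.Subject
    DnsNames       = ($dnsNames -join ', ')
    NameMatches    = $nameOk
    HasPrivateKey  = $keyOk
    ChainBundled   = $chainOk
    MissingIssuers = ($missing -join ', ')
    NotAfter       = $leaf.NotAfter
    ValidNow       = $validOk
    ReadyForIosMdm = ($nameOk -and $keyOk -and $chainOk -and $validOk)
}
```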

Publishing the iOS MDM web service on TMG

On TMG, for traffic that goes from a mobile device to port 443 of iosmdm.mydom.global, you have to configure
KCD on the SPN (http/iosmdm.mydom.local), using the certificate issued for the FQDN (iosmdm.mydom.global).
Please note that the publishing rule and the published web service must share the same server certificate.

Use of iOS MDM Server by multiple virtual Servers


To enable the use of iOS MDM Server by multiple virtual Administration Servers:

1. Open the system registry of the client device with iOS MDM Server installed (for example, locally, using the
regedit command in the Start → Run menu).

2. Go to the following hive:

For 32-bit systems:


HKEY_LOCAL_MACHINE\SOFTWARE\KasperskyLab\Components\34\Connectors\KLIOSMDM\1.0.0.0

For 64-bit systems:


HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\KasperskyLab\Components\34\Connectors\KLIOSM

3. For the ConnectorFlags (DWORD) key, set the 02102482 value.

4. Go to the following hive:

For 32-bit systems:


HKEY_LOCAL_MACHINE\SOFTWARE\KasperskyLab\Components\34\1103\1.0.0.0

For 64-bit systems:


HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\KasperskyLab\Components\34\1103\1.0.0.0

5. For the ConnInstalled (DWORD) key, set the 00000001 value.

6. Restart the iOS MDM Server service.

Key values must be entered in the specified sequence.

Receiving an APNs certi cate

If you already have an APNs certificate, please consider renewing it instead of creating a new one. When you
replace the existing APNs certificate with a newly created one, the Administration Server loses the ability to
manage the currently connected iOS mobile devices.

When the Certificate Signing Request (CSR) is created at the first step of the APNs Certificate Wizard, its private
key is stored in the RAM of your device. Therefore, all the steps of the Wizard must be completed within a single
session of the application.

To receive an APNs certi cate:

1. In the Mobile Device Management folder of the console tree, select the Mobile Device Servers subfolder.

2. In the workspace of the Mobile Device Servers folder, select an iOS MDM Server.

3. In the context menu of the iOS MDM Server, select Properties.


This opens the properties window of the iOS MDM Server.

4. In the properties window of the iOS MDM Server, select the Certificates section.

5. In the Certificates section, in the Apple Push Notification certificate group of settings, click the Request
new button.
The Receive APNs Certificate Wizard starts and the Request new window opens.

6. Create a Certificate Signing Request (hereinafter referred to as CSR). To do this, perform the following actions:

a. Click the Create CSR button.

b. In the Create CSR window that opens, specify a name for your request, the names of your company and
department, your city, region, and country.

c. Click the Save button and specify a name for the file to which your CSR will be saved.

The private key of the certificate is saved in the device memory.

7. Use your CompanyAccount to send the file with the CSR you have created to Kaspersky to be signed.

Signing of your CSR will only be available after you upload to the CompanyAccount portal a key that allows
using Mobile Device Management.

After your online request is processed, you will receive a CSR file signed by Kaspersky.

8. Send the signed CSR file to the Apple Inc. website, using any Apple ID.

We recommend that you avoid using a personal Apple ID. Create a dedicated Apple ID to make it your
corporate ID. After you have created an Apple ID, link it with the organization's mailbox, not a mailbox of an
employee.

After your CSR is processed by Apple Inc., you will receive the public key of the APNs certificate. Save the
file on disk.

9. Export the APNs certificate together with the private key created when generating the CSR, in PFX file format.
To do this:

a. In the Request new APNs certificate window, click the Complete CSR button.

b. In the Open window, choose a file with the public key of the certificate received from Apple Inc. as the result
of CSR processing, and then click the Open button.
The certificate export process starts.

c. In the next window, enter the private key password and click OK.
This password will be used for the APNs certificate installation on the iOS MDM Server.

d. In the Save APNs certificate window, specify a file name for the APNs certificate, choose a folder, and click
Save.

The private and public keys of the certificate are combined, and the APNs certificate is saved in PFX format. After
this, you can install the APNs certificate on the iOS MDM Server.

Renewing an APNs certificate


To renew an APNs certi cate:

1. In the Mobile Device Management folder of the console tree, select the Mobile Device Servers subfolder.

2. In the workspace of the Mobile Device Servers folder, select an iOS MDM Server.

3. In the context menu of the iOS MDM Server, select Properties.


This opens the properties window of the iOS MDM Server.

4. In the properties window of the iOS MDM Server, select the Certificates section.

5. In the Certificates section, in the Apple Push Notification certificate group of settings, click the Renew
button.
The APNs Certificate Renewal Wizard starts, and the Renew APNs certificate window opens.

6. Create a Certificate Signing Request (hereinafter referred to as CSR). To do this, perform the following actions:

a. Click the Create CSR button.

b. In the Create CSR window that opens, specify a name for your request, the names of your company and
department, your city, region, and country.

c. Click the Save button and specify a name for the file to which your CSR will be saved.

The private key of the certificate is saved in the device memory.

7. Use your CompanyAccount to send the le with the CSR you have created to Kaspersky to be signed.

Signing of your CSR will only be available after you upload to CompanyAccount portal a key that allows
using Mobile Device Management.

213
After your online request is processed, you will receive a CSR le signed by Kaspersky.

8. Send the signed CSR file to the Apple Inc. website, using any Apple ID.

We recommend that you avoid using a personal Apple ID. Create a dedicated Apple ID to make it your
corporate ID. After you have created an Apple ID, link it with the organization's mailbox, not a mailbox of an
employee.

After your CSR is processed by Apple Inc., you will receive the public key of the APNs certificate. Save the
file on disk.

9. Request the public key of the certificate. To do this, perform the following actions:

a. Proceed to the Apple Push Certificates portal. To log in to the portal, use the Apple ID used for the initial
request of the certificate.

b. In the list of certificates, select the certificate whose APSP name (in "APSP: <number>" format) matches the
APSP name of the certificate used by the iOS MDM Server, and click the Renew button.
The APNs certificate is renewed.

c. Save the certificate created on the portal.

10. Export the APNs certificate together with the private key created when generating the CSR, in PFX file format.
To do this, perform the following actions:

a. In the Renew APNs certificate window, click the Complete CSR button.

b. In the Open window, choose a file with the public key of the certificate received from Apple Inc. as the
result of CSR processing, and click the Open button.
The certificate export process will start.

c. In the next window, enter the private key password and click OK.
This password will be used for the APNs certificate installation on the iOS MDM Server.

d. In the Renew APNs certificate window that opens, specify a file name for the APNs certificate, choose a folder,
and click Save.

The private and public keys of the certificate are combined, and the APNs certificate is saved in PFX format.

Configuring a reserve iOS MDM Server certificate


The iOS MDM Server functionality enables you to issue a reserve certificate. This certificate is intended for use in
iOS MDM profiles, to ensure seamless switching of managed iOS devices after the iOS MDM Server certificate
expires.

If your iOS MDM Server uses a default certificate issued by Kaspersky, you can issue a reserve certificate (or
specify your own custom certificate as reserve) before the iOS MDM Server certificate expires. By default, the
reserve certificate is automatically issued 60 days before the iOS MDM Server certificate expiration. The reserve
iOS MDM Server certificate becomes the main certificate immediately after the iOS MDM Server certificate
expiration. The public key is distributed to all managed devices through configuration profiles, so you do not have
to transmit it manually.

To issue an iOS MDM Server reserve certificate or specify a custom reserve certificate:

1. In the console tree, in the Mobile Device Management folder, select the Mobile Device Servers subfolder.

2. In the list of Mobile Device Servers, select the relevant iOS MDM Server, and on the right pane, click the
Configure iOS MDM Server button.

3. In the iOS MDM Server settings window that opens, select the Certificates section.

4. In the Reserve certificate block of settings, do one of the following:

If you plan to continue using a self-signed certificate (that is, the one issued by Kaspersky):

a. Click the Issue button.

b. In the Activation date window that opens, select one of the two options for the date when the reserve
certificate must be applied:

If you want to apply the reserve certificate at the time of expiration of the current certificate, select
the When current certificate expires option.

If you want to apply the reserve certificate before the current certificate expires, select the After
specified period (days) option. In the entry field next to this option, specify the duration of the
period after which the reserve certificate must replace the current certificate.

The validity period of the reserve certificate that you specify cannot exceed the validity term of the
current iOS MDM Server certificate.

c. Click the OK button.

The reserve iOS MDM Server certificate is issued.

If you plan to use a custom certificate issued by your certification authority:

a. Click the Add button.

b. In the File Explorer window that opens, specify a certificate file in the PEM, PFX, or P12 format, which is
stored on your device, and then click the Open button.

Your custom certificate is specified as the reserve iOS MDM Server certificate.

You now have a reserve iOS MDM Server certificate specified. The details of the reserve certificate are displayed in the
Reserve certificate block of settings (certificate name, issuer name, expiration date, and the date the reserve
certificate must be applied, if any).

Installing an APNs certificate on an iOS MDM Server


After you receive the APNs certificate, you must install it on the iOS MDM Server.

To install the APNs certificate on the iOS MDM Server:

1. In the Mobile Device Management folder of the console tree, select the Mobile Device Servers subfolder.

2. In the workspace of the Mobile Device Servers folder, select an iOS MDM Server.

3. In the context menu of the iOS MDM Server, select Properties.


This opens the properties window of the iOS MDM Server.

4. In the properties window of the iOS MDM Server, select the Certificates section.

5. In the Certificates section, in the Apple Push Notification certificate group of settings, click the Install
button.

6. Select the PFX file that contains the APNs certificate.

7. Enter the password of the private key specified when exporting the APNs certificate.

The APNs certificate will be installed on the iOS MDM Server. The certificate details will be displayed in the
properties window of the iOS MDM Server, in the Certificates section.

Configuring access to Apple Push Notification service


To ensure proper functioning of the iOS MDM web service and timely responses of mobile devices to the
administrator's commands, you need to specify an Apple Push Notification Service certificate (hereinafter
referred to as APNs certificate) in the iOS MDM Server settings.

When interacting with Apple Push Notification (hereinafter referred to as APNs), the iOS MDM web service connects to
the external address api.push.apple.com through port 2197 (outbound). Therefore, the iOS MDM web service
requires access to port TCP 2197 for the range of addresses 17.0.0.0/8. From the iOS device side, access is required
to port TCP 5223 for the same range of addresses, 17.0.0.0/8.

If you intend to access APNs from the iOS MDM web service side through a proxy server, you must perform the
following actions on the device with the iOS MDM web service installed:

1. Add the following strings to the registry:

For 32-bit operating systems:

HKEY_LOCAL_MACHINE\SOFTWARE\KasperskyLab\Components\34\Connectors\KLIOSMDM\1.0.0.0\Cons
"ApnProxyHost"="<Proxy Host Name>"
"ApnProxyPort"="<Proxy Port>"
"ApnProxyLogin"="<Proxy Login>"
"ApnProxyPwd"="<Proxy Password>"

For 64-bit operating systems:

HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\KasperskyLab\Components\34\Connectors\KLIOSM
"ApnProxyHost"="<Proxy Host Name>"
"ApnProxyPort"="<Proxy Port>"
"ApnProxyLogin"="<Proxy Login>"
"ApnProxyPwd"="<Proxy Password>"

2. Restart the iOS MDM web service.
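The registry change above can be scripted so that it is reproducible and reviewable. The following PowerShell functions are an added example written for this page; they are not part of Kaspersky Security Center and not from Kaspersky's documentation. They take the registry key path as a parameter, because the full key differs by OS bitness (the 32-bit and Wow6432Node branches shown above); pass the complete key from the documentation for your system. Note that all four values, including ApnProxyPwd, are stored as plain REG_SZ strings, which is why the read-back function masks the password and lists who can read the key.

```powershell
# Added example (not from the Kaspersky documentation): writes the APNs proxy
# values listed above and reads them back with the password masked.
# Assumption: -KeyPath is the full registry key from the documentation for your
# OS bitness (HKLM:\SOFTWARE\KasperskyLab\... on 32-bit, the Wow6432Node branch
# on 64-bit). It is deliberately a parameter, not hard-coded here.
function Set-ApnProxySettings {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)] [string] $KeyPath,
        [Parameter(Mandatory)] [string] $ProxyHost,
        [Parameter(Mandatory)] [ValidateRange(1, 65535)] [int] $ProxyPort,
        [string] $ProxyLogin = '',
        [string] $ProxyPassword = ''
    )
    if (-not (Test-Path -Path $KeyPath)) {
        throw "Registry key '$KeyPath' does not exist; check the key for this OS bitness."
    }
    # The documentation shows all four values as REG_SZ strings, so they are written as such.
    $values = [ordered]@{
        ApnProxyHost  = $ProxyHost
        ApnProxyPort  = [string]$ProxyPort
        ApnProxyLogin = $ProxyLogin
        ApnProxyPwd   = $ProxyPassword
    }
    foreach ($name in $values.Keys) {
        if ($PSCmdlet.ShouldProcess("$KeyPath\$name", 'Set-ItemProperty')) {
            Set-ItemProperty -Path $KeyPath -Name $name -Value $values[$name] -Type String
        }
    }
}

function Get-ApnProxySettings {
    param([Parameter(Mandatory)] [string] $KeyPath)
    $item = Get-ItemProperty -Path $KeyPath
    # The password is a plain string in the registry: anyone who can read the key
    # can read it. Mask it in output and surface the identities with read access
    # so the key ACL can be reviewed.
    $masked = ''
    if ($item.ApnProxyPwd) { $masked = '********' }
    $readers = (Get-Acl -Path $KeyPath).Access |
        Where-Object { $_.AccessControlType -eq 'Allow' } |
        ForEach-Object { $_.IdentityReference.Value } |
        Sort-Object -Unique
    [pscustomobject]@{
        ProxyHost  = $item.ApnProxyHost
        ProxyPort  = $item.ApnProxyPort
        ProxyLogin = $item.ApnProxyLogin
        ProxyPwd   = $masked
        KeyReaders = $readers -join ', '
    }
}

# Usage (constructed values; the key path must come from the documentation):
# Set-ApnProxySettings -KeyPath $key -ProxyHost 'proxy.corp.example' -ProxyPort 3128 -WhatIf
# Get-ApnProxySettings -KeyPath $key
```

Run Set-ApnProxySettings with -WhatIf first to see the values that would be written, then restart the iOS MDM web service as in step 2 above for the change to take effect.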


Issuing and installing a shared certificate on a mobile device
To issue a shared certificate to a user:

1. In the console tree, in the User accounts folder, select a user account.

2. In the context menu of the user account, select Install certificate.

The Certificate Installation Wizard starts. Follow the instructions of the Wizard.

When the Wizard finishes, a certificate will be created and added to the list of the user's certificates.

The issued certificate will be downloaded by the user, along with the installation package that contains the iOS
MDM profile.

After the mobile device is connected to the iOS MDM Server, the iOS MDM profile settings will be applied on the
user's device. The administrator will be able to manage the device after connection.

The user's mobile device connected to the iOS MDM Server is displayed in the Mobile Devices subfolder within the
Mobile Device Management folder in the console tree.

Adding a KES device to the list of managed devices


To add the KES device of a user to the list of managed devices using a link to Google Play™:

1. In the console tree, select the User accounts folder.


By default, the User accounts folder is a subfolder of the Advanced folder.

2. Select the account of the user whose mobile device you want to add to the list of managed devices.

3. In the context menu of the user account, select Add mobile device.
The New Mobile Device Connection Wizard starts. In the Certificate source window of the Wizard, you have to
specify the method for creating the shared certificate that Administration Server will use to identify the mobile
device. You can specify a shared certificate in one of the following ways:

Create a shared certificate automatically, by means of Administration Server tools, and then deliver the
certificate to the device.

Specify a shared certificate file.

4. In the Device type window of the Wizard, select Link to Google Play.

5. In the User notification method window of the Wizard, define the settings for notification of the mobile device
user of certificate creation (with an SMS message, by email, or by displaying the information when the Wizard
has finished).

6. In the certificate info window of the Wizard, click the Finish button to close the Wizard.

After the Wizard finishes its activities, a link and a QR code will be sent to the mobile device of the user, allowing
the user to download Kaspersky Endpoint Security from Google Play. The user proceeds to Google Play by using
the link or by scanning the QR code. After this, the operating system of the device prompts the user to accept
Kaspersky Endpoint Security for Android installation. After Kaspersky Endpoint Security for Android is
downloaded and installed, the mobile device connects to the Administration Server and downloads a shared
certificate. After the certificate is installed on the mobile device, the device is displayed in the Mobile devices
folder, which is a subfolder of the Mobile Device Management folder in the console tree.

If Kaspersky Endpoint Security for Android has already been installed on the device, the user has to receive
the Administration Server connection settings from the administrator and then enter them independently.
After the connection settings are defined, the mobile device connects to the Administration Server. The
administrator issues a shared certificate for the device and sends the user an email message or an SMS
message with a login and password for the certificate download. The user downloads and installs the shared
certificate. After the certificate is installed on the mobile device, the device is displayed in the Mobile
devices folder, which is a subfolder of the Mobile Device Management folder in the console tree. In this
case, Kaspersky Endpoint Security for Android will not be downloaded and installed again.

Connecting KES devices to the Administration Server


Depending on the method used for connection of devices to the Administration Server, two deployment schemes
are possible for Kaspersky Device Management for iOS for KES devices:

Scheme of deployment with direct connection of devices to the Administration Server

Scheme of deployment involving Forefront® Threat Management Gateway (TMG)

Direct connection of devices to the Administration Server


KES devices can connect directly to port 13292 of the Administration Server.

Depending on the method used for authentication, two options are possible for connection of KES devices to the
Administration Server:

Connecting devices with a user certi cate

Connecting devices without a user certi cate

Connecting a device with a user certificate

When connecting a device with a user certificate, that device is associated with the user account to which the
corresponding certificate has been assigned through Administration Server tools.

In this case, two-way SSL authentication (mutual authentication) will be used. Both the Administration Server and
the device will be authenticated with certificates.

Connecting a device without a user certificate

When connecting a device without a user certificate, that device is associated with none of the user accounts
on the Administration Server. However, when the device receives a certificate, the device will be associated with
the user to which the corresponding certificate has been assigned through Administration Server tools.

When connecting that device to the Administration Server, one-way SSL authentication will be applied, which
means that only the Administration Server is authenticated with a certificate. After the device retrieves the user
certificate, the type of authentication will change to two-way SSL authentication (2-way SSL authentication,
mutual authentication).

Scheme for connecting KES devices to the Server involving Kerberos constrained
delegation (KCD)
The scheme for connecting KES devices to the Administration Server involving Kerberos constrained delegation
(KCD) provides for the following:

Integration with Microsoft Forefront TMG.

Use of Kerberos Constrained Delegation (hereinafter referred to as KCD) for authentication of mobile devices.

Integration with Public Key Infrastructure (hereinafter referred to as PKI) for applying user certificates.

When using this connection scheme, please note the following:

The type of connection of KES devices to TMG must be "two-way SSL authentication", that is, a device must
connect to TMG through its own user certificate. To do this, you need to integrate the user certificate
into the installation package of Kaspersky Endpoint Security for Android that has been installed on the
device. This KES package must be created by the Administration Server specifically for this device (user).

You must specify the special (customized) certificate instead of the default server certificate for the mobile
protocol:

1. In the Administration Server properties window, in the Settings section, select the Open port for mobile
devices check box and select Add certificate in the drop-down list.

2. In the window that opens, specify the same certificate that was set on TMG when the point of access to
the mobile protocol was published on the Administration Server.

User certificates for KES devices must be issued by the Certificate Authority (CA) of the domain. Keep in mind
that if the domain includes multiple root CAs, user certificates must be issued by the CA that has been set in
the publication on TMG.
You can make sure the user certificate complies with the above-described requirement by using one of the
following methods:

Specify the special user certificate in the New Installation Package Wizard and in the Certificate Installation
Wizard.

Integrate the Administration Server with the domain's PKI and define the corresponding setting in the rules
for issuance of certificates:

1. In the console tree, expand the Mobile Device Management folder and select the Certificates
subfolder.

2. In the workspace of the Certificates folder, click the Configure certificate issuance rules button to
open the Certificate issuance rules window.

3. In the Integration with PKI section, configure integration with the Public Key Infrastructure.

4. In the Issuance of mobile certificates section, specify the source of certificates.

Below is an example of setup of Kerberos Constrained Delegation (KCD) with the following assumptions:

Point of access to the mobile protocol on the Administration Server is set up on port 13292.

The name of the device with TMG is tmg.mydom.local.

The name of the device with Administration Server is ksc.mydom.local.

Name of the external publishing of the point of access to the mobile protocol is kes4mob.mydom.global.

Domain account for Administration Server

You must create a domain account (for example, KSCMobileSrvcUsr) under which the Administration Server
service will run. You can specify an account for the Administration Server service when installing the Administration
Server or through the klsrvswch utility. The klsrvswch utility is located in the installation folder of Administration
Server. The default installation path: <Disk>:\Program Files (x86)\Kaspersky Lab\Kaspersky Security Center.

A domain account must be specified for the following reasons:

The feature for management of KES devices is an integral part of Administration Server.

To ensure proper functioning of Kerberos Constrained Delegation (KCD), the receiving side (that is, the
Administration Server) must run under a domain account.

Service Principal Name for http/kes4mob.mydom.local

In the domain, under the KSCMobileSrvcUsr account, add an SPN for publishing the mobile protocol service on
port 13292 of the device with Administration Server. For the kes4mob.mydom.local device with Administration
Server, this will appear as follows:

setspn -a http/kes4mob.mydom.local:13292 mydom\KSCMobileSrvcUsr

Configuring the domain properties of the device with TMG (tmg.mydom.local)

To delegate traffic, you must trust the device with TMG (tmg.mydom.local) to the service defined by the SPN
(http/kes4mob.mydom.local:13292).

To trust the device with TMG to the service defined by the SPN (http/kes4mob.mydom.local:13292), the
administrator must perform the following actions:

1. In the Microsoft Management Console snap-in named "Active Directory Users and Computers", select the
device with TMG installed (tmg.mydom.local).

2. In the device properties, on the Delegation tab, set the Trust this computer for delegation to specified
services only option to Use any authentication protocol.

3. In the Services to which this account can present delegated credentials list, add the SPN
http/kes4mob.mydom.local:13292.
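Once the SPN and the delegation settings above are in place, they can be verified from Active Directory rather than by trial and error on a device. The following PowerShell function is an added example written for this page (not Kaspersky's code); it uses the RSAT ActiveDirectory module and the page's example names (KSCMobileSrvcUsr, tmg.mydom.local, http/kes4mob.mydom.local:13292) as defaults. It checks that the SPN is registered on the service account and on no other object (a duplicated SPN breaks Kerberos and is a common cause of silent NTLM fallback), that the TMG computer is constrained, not unconstrained, in its delegation, and that protocol transition ("Use any authentication protocol", the TrustedToAuthForDelegation flag) is set.

```powershell
# Added example (not from the Kaspersky documentation). Verifies the Kerberos
# prerequisites described above. Requires the RSAT ActiveDirectory module and
# read access to the domain. Default names are the page's example values.
Import-Module ActiveDirectory

function Test-KscKcdSetup {
    param(
        [string] $ServiceAccount = 'KSCMobileSrvcUsr',
        [string] $Spn            = 'http/kes4mob.mydom.local:13292',
        [string] $TmgComputer    = 'tmg'
    )
    $findings = [System.Collections.Generic.List[string]]::new()

    # 1. The SPN must be registered on the Administration Server service account...
    $svc = Get-ADUser -Identity $ServiceAccount -Properties servicePrincipalName
    if ($svc.servicePrincipalName -notcontains $Spn) {
        $findings.Add("SPN '$Spn' is not registered on $ServiceAccount (see the setspn command above)")
    }

    # ...and on that object only. Kerberos cannot resolve a duplicated SPN, so
    # authentication either fails or falls back to NTLM, which defeats KCD.
    $holders = @(Get-ADObject -LDAPFilter "(servicePrincipalName=$Spn)" |
                 Select-Object -ExpandProperty DistinguishedName)
    if ($holders.Count -gt 1) {
        $findings.Add("SPN '$Spn' is held by more than one object: $($holders -join '; ')")
    }

    # 2. The TMG computer account must delegate only to that SPN (constrained
    #    delegation) and must have protocol transition enabled.
    $tmg = Get-ADComputer -Identity $TmgComputer -Properties 'msDS-AllowedToDelegateTo',
        TrustedForDelegation, TrustedToAuthForDelegation
    if ($tmg.TrustedForDelegation) {
        # Unconstrained delegation lets the TMG host impersonate users to any
        # service; the documented setup needs only the constrained form.
        $findings.Add("$TmgComputer is trusted for unconstrained delegation; use constrained delegation to the SPN instead")
    }
    if (@($tmg.'msDS-AllowedToDelegateTo') -notcontains $Spn) {
        $findings.Add("$TmgComputer is not allowed to delegate to '$Spn'")
    }
    if (-not $tmg.TrustedToAuthForDelegation) {
        $findings.Add("$TmgComputer is missing 'Use any authentication protocol' (protocol transition)")
    }

    [pscustomobject]@{
        ServiceAccount = $ServiceAccount
        Spn            = $Spn
        TmgComputer    = $TmgComputer
        Compliant      = ($findings.Count -eq 0)
        Findings       = $findings
    }
}

Test-KscKcdSetup | Format-List
```

A Compliant value of False with one or more Findings points at the exact step above that still needs attention; run the check again after changing the delegation tab or re-registering the SPN, since the settings are read live from the directory.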

Special (customized) certificate for the publishing (kes4mob.mydom.global)

To publish the mobile protocol of Administration Server, you must issue a special (customized) certificate for the
FQDN kes4mob.mydom.global and specify it instead of the default server certificate in the settings of the mobile
protocol of Administration Server in Administration Console. To do this, in the properties window of the
Administration Server, in the Settings section, select the Open port for mobile devices check box and then select
Add certificate in the drop-down list.

Please note that the server certificate container (file with the p12 or pfx extension) must also contain the chain of
root certificates (public keys).

Configuring publication on TMG

On TMG, for traffic that goes from the mobile device side to port 13292 of kes4mob.mydom.global, you have to
configure KCD on the SPN (http/kes4mob.mydom.local:13292), using the server certificate issued for the FQDN
kes4mob.mydom.global. Please note that the publishing rule and the published access point (port 13292 of the
Administration Server) must share the same server certificate.

Using Google Firebase Cloud Messaging


To ensure timely responses of KES devices on Android to the administrator's commands, you must enable the use
of Google™ Firebase Cloud Messaging (hereinafter referred to as FCM) in the Administration Server properties.

To enable the use of FCM:

1. In Administration Console, select the Mobile Device Management node, and the Mobile devices folder.

2. In the context menu of the Mobile devices folder, select Properties.

3. In the folder properties, select the Google Firebase Cloud Messaging settings section.

4. In the Sender ID and Server key fields, specify the FCM settings: SENDER_ID and API Key.

FCM service runs in the following address ranges:

From the KES device's side, access is required to ports 443 (HTTPS), 5228 (HTTPS), 5229 (HTTPS), and 5230
(HTTPS) of the following addresses:

google.com

fcm.googleapis.com

android.apis.google.com

All of the IP addresses listed in Google's ASN of 15169

From the Administration Server side, access is required to port 443 (HTTPS) of the following addresses:

fcm.googleapis.com

All of the IP addresses listed in Google's ASN of 15169

If the proxy server settings (Advanced / Configuring Internet access) have been specified in the Administration
Server properties in Administration Console, they will be used for interaction with FCM.
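The server-side firewall requirements for APNs (TCP 2197 to api.push.apple.com within 17.0.0.0/8, from the iOS MDM web service) and for FCM (TCP 443 to fcm.googleapis.com, from the Administration Server) can be checked with one script before opening a support case. The following PowerShell is an added example written for this page, not Kaspersky's code. It resolves each host, confirms that every resolved APNs address falls inside the allowed 17.0.0.0/8 block (the assumption behind a range-based firewall rule), and attempts the TCP connection. Device-side ports (5223 for iOS, 5228 to 5230 for KES devices) are not tested here because they must be checked from a device, not from the server.

```powershell
# Added example (not from the Kaspersky documentation). Run on the Administration
# Server / iOS MDM web service host. Endpoint table constructed from the port and
# address requirements listed on this page.

function Test-InCidrBlock {
    param([Parameter(Mandatory)] [string] $Ip, [Parameter(Mandatory)] [string] $Cidr)
    $network, $prefix = $Cidr -split '/'
    # Convert dotted-quad to a big-endian 32-bit integer.
    $toInt = {
        param($a)
        $b = [System.Net.IPAddress]::Parse($a).GetAddressBytes()
        ([uint32]$b[0] -shl 24) -bor ([uint32]$b[1] -shl 16) -bor ([uint32]$b[2] -shl 8) -bor [uint32]$b[3]
    }
    $mask = [uint32]([uint64]::MaxValue -shl (32 - [int]$prefix)) -band [uint32]::MaxValue
    ((& $toInt $Ip) -band $mask) -eq ((& $toInt $network) -band $mask)
}

function Test-PushServiceAccess {
    # Constructed from the page: side that must have the rule, host, port, and
    # the address block the documentation names for APNs.
    $endpoints = @(
        @{ Side = 'iOS MDM web service';   HostName = 'api.push.apple.com'; Port = 2197; Cidr = '17.0.0.0/8' },
        @{ Side = 'Administration Server'; HostName = 'fcm.googleapis.com'; Port = 443;  Cidr = $null }
    )
    foreach ($e in $endpoints) {
        $addrs = @(Resolve-DnsName -Name $e.HostName -Type A -ErrorAction SilentlyContinue |
                   Where-Object { $_.Type -eq 'A' } |
                   Select-Object -ExpandProperty IPAddress)
        $inRange = $null
        if ($e.Cidr -and $addrs.Count -gt 0) {
            # A firewall rule for 17.0.0.0/8 only helps if every resolved address is inside it.
            $inRange = @($addrs | Where-Object { Test-InCidrBlock -Ip $_ -Cidr $e.Cidr }).Count -eq $addrs.Count
        }
        $tcp = Test-NetConnection -ComputerName $e.HostName -Port $e.Port -WarningAction SilentlyContinue
        [pscustomobject]@{
            Side              = $e.Side
            HostName          = $e.HostName
            Port              = $e.Port
            ResolvedIPs       = ($addrs -join ', ')
            AllInAllowedRange = $inRange
            TcpOpen           = $tcp.TcpTestSucceeded
        }
    }
}

Test-PushServiceAccess | Format-Table -AutoSize
```

Test-NetConnection opens a direct socket and ignores any proxy, so on a deployment that reaches FCM or APNs through the proxy settings described above, a failed direct test is expected; in that case test reachability of the proxy itself and verify the proxy's own egress rules instead.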

Configuring FCM: retrieving SENDER_ID and API Key

To configure FCM, the administrator must perform the following actions:

1. Register on the Google portal.

2. Go to the Developers portal.

3. Create a new project by clicking the Create Project button, specify the project's name, and specify the ID.

4. Wait for the project to be created.


On the first page of the project, in the upper part of the page, the Project Number field shows the relevant
SENDER_ID.

5. Go to the APIs & auth / APIs section and enable Google Firebase Cloud Messaging for Android.

6. Go to the APIs & auth / Credentials section and click the Create New Key button.

7. Click the Server key button.

8. Impose restrictions (if any) and click the Create button.

9. Retrieve the API Key from the properties of the newly created key (Server key field).

Integration with Public Key Infrastructure


Integration with Public Key Infrastructure (hereinafter referred to as PKI) is primarily intended for simplifying the
issuance of domain user certificates by Administration Server.

The administrator can assign a domain certificate to a user in Administration Console. This can be done using one
of the following methods:

Assign the user a special (customized) certificate from a file in the New Device Connection Wizard or in the
Certificate Installation Wizard.

Perform integration with PKI and assign PKI to act as the source of certificates for a specific type of
certificates or for all types of certificates.

The settings of integration with PKI are available in the workspace of the Mobile Device Management /
Certificates folder by clicking the Integrate with public key infrastructure link.

General principle of integration with PKI for issuance of domain user certificates

In Administration Console, click the Integrate with public key infrastructure link in the workspace of the Mobile
Device Management / Certificates folder to specify a domain account that will be used by Administration Server
to issue domain user certificates through the domain's CA (hereinafter referred to as the account under which
integration with PKI is performed).

Please note the following:

The settings of integration with PKI provide you the possibility to specify the default template for all types of
certificates. Note that the rules for issuance of certificates (available in the workspace of the Mobile Device
Management / Certificates folder by clicking the Configure certificate issuance rules button) allow you to
specify an individual template for every type of certificates.

A special Enrollment Agent (EA) certificate must be installed on the device with Administration Server, in the
certificates repository of the account under which integration with PKI is performed. The Enrollment Agent
(EA) certificate is issued by the administrator of the domain's CA (Certificate Authority).

The account under which integration with PKI is performed must meet the following criteria:

It is a domain user.

It is a local administrator of the device with Administration Server from which integration with PKI is initiated.

It has the right to Log On As Service.

The device with Administration Server installed must be run at least once under this account to create a
permanent user profile.
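The account criteria above are easy to get partly wrong (for example, the Enrollment Agent certificate ends up in the wrong profile's store). The following PowerShell function is an added example written for this page, not Kaspersky's code. It is meant to be run on the Administration Server host in a session of the account under which integration with PKI is performed, and it reports on each criterion: domain membership, local Administrators membership, the "Log on as a service" right (SeServiceLogonRight, exported with secedit, which itself needs administrative rights), the existence of a persistent user profile, and an Enrollment Agent certificate in the account's personal store. The EKU it looks for is Microsoft's standard "Certificate Request Agent" OID, 1.3.6.1.4.1.311.20.2.1, which is not stated on this page but is the EKU an Enrollment Agent certificate carries.

```powershell
# Added example (not from the Kaspersky documentation). Run as the PKI integration
# account on the Administration Server device; needs local admin rights for secedit.
function Test-PkiIntegrationAccount {
    $account = "$env:USERDOMAIN\$env:USERNAME"
    $sid = ([System.Security.Principal.WindowsIdentity]::GetCurrent()).User.Value
    $result = [ordered]@{ Account = $account; Sid = $sid }

    # 1. Domain user: a local account has the computer name as its "domain".
    $result.IsDomainUser = ($env:USERDOMAIN -ne $env:COMPUTERNAME)

    # 2. Local administrator. Direct membership only; membership through a nested
    #    domain group is not resolved by Get-LocalGroupMember and would show as False.
    $admins = @(Get-LocalGroupMember -Group 'Administrators' -ErrorAction SilentlyContinue)
    $result.IsLocalAdminDirect = [bool]($admins | Where-Object { $_.SID.Value -eq $sid })

    # 3. "Log on as a service" (SeServiceLogonRight). secedit lists SIDs prefixed with '*'.
    $cfg = Join-Path $env:TEMP ("secpol-{0}.inf" -f [guid]::NewGuid())
    $null = secedit /export /cfg $cfg /areas USER_RIGHTS
    $line = Select-String -Path $cfg -Pattern '^SeServiceLogonRight\s*=' -ErrorAction SilentlyContinue |
            Select-Object -First 1
    Remove-Item -Path $cfg -ErrorAction SilentlyContinue
    $result.HasLogOnAsService = [bool]($line -and ($line.Line -match [regex]::Escape("*$sid")))

    # 4. A persistent (non-temporary) profile must already exist for this account.
    $profile = Get-CimInstance -ClassName Win32_UserProfile -Filter "SID = '$sid'" -ErrorAction SilentlyContinue
    $result.HasPersistentProfile = [bool]($profile -and -not $profile.Special -and (Test-Path $profile.LocalPath))

    # 5. Enrollment Agent certificate with a private key in the account's personal store.
    $eaOid = '1.3.6.1.4.1.311.20.2.1'   # Certificate Request Agent EKU (Microsoft standard OID)
    $ea = @(Get-ChildItem -Path Cert:\CurrentUser\My | Where-Object {
        $_.HasPrivateKey -and $_.NotAfter -gt (Get-Date) -and
        ($_.EnhancedKeyUsageList | Where-Object { $_.ObjectId -eq $eaOid })
    })
    $result.EnrollmentAgentCerts = ($ea | ForEach-Object { $_.Thumbprint }) -join ', '

    $result.AllCriteriaMet = $result.IsDomainUser -and $result.IsLocalAdminDirect -and
        $result.HasLogOnAsService -and $result.HasPersistentProfile -and ($ea.Count -gt 0)
    [pscustomobject]$result
}

Test-PkiIntegrationAccount | Format-List
```

Because the certificate check reads Cert:\CurrentUser\My, running the function from an administrator's own session instead of the integration account's session will report on the wrong store; if AllCriteriaMet is False, the individual fields show which of the listed criteria is not satisfied.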

Kaspersky Security Center Web Server


Kaspersky Security Center Web Server (hereinafter referred to as Web Server) is a component of Kaspersky
Security Center. Web Server is designed for publishing stand-alone installation packages, stand-alone installation
packages for mobile devices, iOS MDM profiles, and files from the shared folder.

The iOS MDM profiles and installation packages that have been created are published on Web Server automatically
and then removed after the first download. The administrator can send the new link to the user in any convenient
way, such as by email.

By clicking the link, the user can download the required information to a mobile device.

Web Server settings

If fine-tuning of Web Server is required, the properties of Administration Console Web Server provide the
possibility to change the ports for HTTP (8060) and HTTPS (8061). In addition to changing ports, you can replace the
server certificate for HTTPS and change the FQDN of Web Server for HTTP.

Installation of Kaspersky Security Center


This section describes installation of Kaspersky Security Center components. If you want to install the application
locally on only one device, two installation options are available:

Standard. This option is recommended if you want to try out Kaspersky Security Center by, for example,
testing its operation on a small area within your network. During standard installation, you only configure the
database. You can also install only the default set of management plug-ins for Kaspersky applications. You can
also use standard installation if you already have some experience working with Kaspersky Security Center and
are able to specify all relevant settings after standard installation.

Custom. This option is recommended if you plan to modify the Kaspersky Security Center settings, such as the
path to the shared folder, accounts and ports for connection to the Administration Server, and database
settings. Custom installation enables you to specify which Kaspersky management plug-ins to install. If
necessary, you can start custom installation in silent mode.

If at least one Administration Server is installed on the network, Servers can be installed on other devices remotely
through the remote installation task using forced installation. When creating the remote installation task, you
should use the Administration Server installation package: ksc_<version_number>.<build number>_full_<localization
language>.exe.

Use this package if you want to install all the components required for full functionality of Kaspersky Security
Center, or to upgrade the current versions of these components.

If you want to deploy the Kaspersky failover cluster, you need to install Kaspersky Security Center on all nodes of
the cluster.

Preparing for installation


Perform the following actions before launching the installation.

Check the hardware and software requirements

Make sure that the hardware and software on the device meet the requirements for Administration Server and
Administration Console.

Select and install the database management system (DBMS)

Kaspersky Security Center stores its information in a database that is managed by a DBMS. Install the DBMS on the
network before Kaspersky Security Center (learn more about how to select a DBMS). If you decide to install
PostgreSQL or Postgres Pro DBMS, specify a password for the superuser. If the password is not specified,
Administration Server might not be able to connect to the database.

It is recommended that you install the Administration Server on a dedicated server instead of a domain controller.
However, if you install Kaspersky Security Center on a server that acts as a read-only domain controller (RODC),
Microsoft SQL Server (SQL Express) must not be installed locally (on the same device). In this case, we recommend
that you install Microsoft SQL Server (SQL Express) remotely (on a different device), or that you use MySQL,
MariaDB, or PostgreSQL if you need to install the DBMS locally.

Install Administration Server, Network Agent, and Administration Console in folders where case sensitivity is
disabled. Additionally, case sensitivity must be disabled for the Administration Server shared folder and the
Kaspersky Security Center hidden folder (%ALLUSERSPROFILE%\KasperskyLab\adminkit).

The server version of Network Agent is installed on the device together with Administration Server. Administration
Server cannot be installed together with the regular version of Network Agent. If the server version of Network
Agent is already installed on your device, remove it and start installation of Administration Server again. For details
about the server version of Network Agent, refer to Changes in the system after Kaspersky Security Center
installation.

Check accounts

Installation of Kaspersky Security Center requires administrator rights on the device on which the installation is
performed.

Kaspersky Security Center supports managed service accounts and group managed service accounts. If these
types of accounts are used in your domain, and you want to specify one of them as the account for the
Administration Server service, then first install the account on the same device on which you want to install
Administration Server. For details about installation of managed service accounts on a local device, refer to the
official Microsoft documentation.

Accounts for working with the DBMS

To install Administration Server and work with it, you need a Windows account under which you will run the
Administration Server installer (hereinafter also referred to as the installer), a Windows account under which you
will start the Administration Server service, and an internal DBMS account to access the DBMS. You can create
new accounts or use existing ones. All these accounts require specific rights. The set of required accounts and
their rights depends on the following criteria:

DBMS type:

Microsoft SQL Server (with Windows authentication or SQL Server authentication)

MySQL or MariaDB

DBMS location:

Local DBMS. A local DBMS is a DBMS installed on the same device as Administration Server.

Remote DBMS. A remote DBMS is a DBMS installed on a different device.

Method of the Administration Server database creation:

Automatic. During the Administration Server installation, you can automatically create an Administration
Server database (hereinafter also referred to as a Server database) by using the installer.

Manual. You can use a third-party application (for example, SQL Server Management Studio) or a script to
create an empty database. After that, you can specify this database as the Server database during the
Administration Server installation.

Follow the principle of least privilege when you grant rights and permissions to the accounts. This means that the
granted rights should be only enough to perform the required actions.

The tables below contain information about the system rights and DBMS rights that you should grant to the
accounts before you install and start Administration Server.

Microsoft SQL Server with Windows authentication

If you choose SQL Server as a DBMS, you can use Windows authentication to access SQL Server. Configure
system rights for the Windows account used to run the installer and the Windows account used to start the
Administration Server service. On SQL Server, create logins for both of these Windows accounts. Depending on
the creation method of the Server database, grant the required SQL Server rights to these accounts as described
in the table below. For more information on how to configure rights of the accounts, see Configuring accounts for
work with SQL Server (Windows authentication).

DBMS: Microsoft SQL Server (including Express Edition) with Windows authentication

Account under which the installer is running
  Automatic database creation (by the installer): Remote DBMS: only a domain account of the remote device on
  which the DBMS is installed. Local DBMS: a local administrator account or a domain account.
  Manual database creation (by the Administrator): Remote DBMS: only a domain account of the remote device on
  which the DBMS is installed. Local DBMS: a local administrator account or a domain account.

Rights of the account under which the installer is running
  Automatic database creation (by the installer): System rights: local administrator rights. SQL Server rights:
  server-level role: sysadmin.
  Manual database creation (by the Administrator): System rights: local administrator rights. SQL Server rights:
  server-level role: public; database role membership for the Server database: db_owner, public; default schema
  for the Server database: dbo.

Administration Server service account
  Automatic database creation (by the installer): Remote DBMS: only a domain account of the remote device on
  which the DBMS is installed. Local DBMS: a Windows account chosen by the administrator, or an account in the
  KL-AK-* format that the installer automatically creates.
  Manual database creation (by the Administrator): Remote DBMS: only a domain account of the remote device on
  which the DBMS is installed. Local DBMS: a Windows account chosen by the administrator, or an account in the
  KL-AK-* format that the installer automatically creates (in this case, we do not recommend that you generate a
  KL-AK-* account).

Rights of the Administration Server service account
  Automatic database creation (by the installer): System rights: the required rights assigned by the installer.
  SQL Server rights: the required rights assigned by the installer.
  Manual database creation (by the Administrator): System rights: the required rights assigned by the installer.
  SQL Server rights: server-level role: public; database role membership for the Server database: db_owner,
  public; default schema for the Server database: dbo.

Microsoft SQL Server with SQL Server authentication

If you choose SQL Server as a DBMS, you can use SQL Server authentication to access SQL Server. Configure
system rights for a Windows account used to run the installer and for a Windows account used to start the
Administration Server service. On SQL Server, create a login with a password to use it for authentication. Then,
grant this SQL Server account the required rights listed in the table below. For more information on how to
configure rights of the accounts, see Configuring accounts for work with SQL Server (SQL Server authentication).

DBMS: Microsoft SQL Server (including Express Edition) with SQL Server authentication

Account under which the installer is running
    Automatic database creation (by the installer) and manual database creation (by the Administrator):
        Remote DBMS: only a domain account of the remote device on which the DBMS is installed.
        Local DBMS: a local administrator account or a domain account.

Rights of the account under which the installer is running
    Automatic database creation (by the installer) and manual database creation (by the Administrator):
        System rights: local administrator rights.

Administration Server service account
    Automatic database creation (by the installer) and manual database creation (by the Administrator):
        Remote DBMS: only a domain account of the remote device on which the DBMS is installed.
        Local DBMS: a Windows user account chosen by the administrator, or an account in the KL-AK-* format
        that the installer automatically creates.

Rights of the Administration Server service account
    Automatic database creation (by the installer) and manual database creation (by the Administrator):
        System rights: the required rights assigned by the installer.

Rights of the login used for SQL Server authentication
    Automatic database creation (by the installer):
        SQL Server rights required to create a database and install Administration Server:
            Server-level role: public.
            Database role membership for the master database: db_owner.
            Default schema for the master database: dbo.
            Permissions: CONNECT ANY DATABASE, CONNECT SQL, CREATE ANY DATABASE, VIEW ANY DATABASE.
        SQL Server rights required to work with Administration Server:
            Server-level role: public.
            Database role membership for the Server database: db_owner.
            Default schema for the Server database: dbo.
            Permissions: CONNECT SQL, VIEW ANY DATABASE.
    Manual database creation (by the Administrator):
        SQL Server rights:
            Server-level role: public.
            Database role membership for the Server database: db_owner.
            Default schema for the Server database: dbo.
            Permissions: CONNECT SQL, VIEW ANY DATABASE.

Configuring SQL Server rights for Administration Server data recovery

To restore Administration Server data from the backup, run the klbackup utility under the Windows account used
to install Administration Server. Before you start the klbackup utility, on SQL Server, grant the sysadmin server-
level role to the SQL Server login associated with this Windows account.

MySQL and MariaDB

If you choose MySQL or MariaDB as a DBMS, create a DBMS internal account and grant this account the required
rights listed in the table below. The installer and the Administration Server service use this internal DBMS account
to access the DBMS. Note that the database creation method does not affect the set of required rights. For more
information on how to configure the account rights, see Configuring accounts for work with MySQL and MariaDB.

DBMS: MySQL and MariaDB (automatic or manual database creation)

Account under which the installer is running
    Remote DBMS: only a domain account of the remote device with the installed DBMS.
    Local DBMS: a local administrator account or a domain account.

Rights of the account under which the installer is running
    System rights: local administrator rights.

Administration Server service account
    Remote DBMS: only a domain account of the remote device with the installed DBMS.
    Local DBMS: a Windows account chosen by the administrator, or an account in the KL-AK-* format that the
    installer creates automatically.

Rights of the Administration Server service account
    System rights: the required rights assigned by the installer.

Rights of the DBMS internal account
    Schema privileges:
        Administration Server database: ALL (excluding GRANT OPTION).
        System schemes (mysql and sys): SELECT, SHOW VIEW.
        The sys.table_exists stored procedure: EXECUTE (if you use MariaDB 10.5 or earlier as a DBMS, you do
        not need to grant the EXECUTE privilege).
    Global privileges for all schemes: PROCESS, SUPER.

Configuring privileges for Administration Server data recovery

Rights that you granted to the internal DBMS account are enough to restore Administration Server data from the
backup. To start the restore, run the klbackup utility under the Windows account used to install Administration
Server.

Configuring accounts for work with SQL Server (Windows authentication)

Prerequisites

Before you assign rights to the accounts, perform the following actions:

1. Make sure that you log in to the system under the local administrator account.

2. Install an environment for working with SQL Server.

3. Make sure that you have a Windows account under which you will install Administration Server.

4. Make sure that you have a Windows account under which you will start the Administration Server service.

5. On SQL Server, create a login for the Windows account used to run the Administration Server installer
(hereinafter also referred to as the installer). Also, create a login for the Windows account used to start the
Administration Server service.

If you use SQL Server Management Studio, on the General page of the login properties window, select the
Windows Authentication option.

If you want to install Administration Server and SQL Server on devices that are located in separate Windows
domains, note that these domains must have two-way trust relationships to ensure the correct operation of
Administration Server, including running tasks and applying policies. For information about the required
accounts for work with various DBMSs and accounts' rights, see Accounts for work with the DBMS.

Configuring the accounts to install Administration Server (automatic creation of the
Administration Server database)

To configure the accounts for the Administration Server installation:

1. On SQL Server, assign the sysadmin server-level role to the login of the Windows account used to run the
installer.

2. Log in to the system under the Windows account used to run the installer.

3. Run the Administration Server installer.


The Administration Server Setup wizard starts. Follow the instructions of the wizard.

4. Select the custom installation of Administration Server option.

5. Select the Microsoft SQL Server as a DBMS that stores the Administration Server database.

6. Select the Microsoft Windows Authentication mode to establish a connection between Administration Server
and SQL Server through a Windows account.

7. Specify the Windows account used to start the Administration Server service.
You can select the Windows user account for which you created an SQL Server login earlier. Alternatively, you
can automatically create a new Windows account in the KL-AK-* format by using the installer. In this case, the
installer automatically creates an SQL Server login for this account. Regardless of the account choice, the
installer assigns the required system rights and SQL Server rights to the Administration Server service account.

After the installation finishes, the Server database is created, and all the required system rights and SQL Server
rights are assigned to the Administration Server service account. Administration Server is ready to use.

Configuring the accounts to install Administration Server (manual creation of the
Administration Server database)

To configure the accounts for the Administration Server installation:

1. On SQL Server, create an empty database. This database will be used as an Administration Server database
(hereinafter also referred to as a Server database).

2. For both SQL Server logins created for the Windows accounts, specify the public server-level role, and then
configure the mapping to the created database:

Server-level role: public

Database role membership: db_owner, public

Default schema: dbo

3. Log in to the system under the Windows account used to run the installer.

4. Run the Administration Server installer.


The Administration Server Setup wizard starts. Follow the instructions of the wizard.

5. Select the custom installation of Administration Server option.

6. Select the Microsoft SQL Server as a DBMS that stores the Administration Server database.

7. Specify the name of the created database as the Administration Server database name.

8. Select the Microsoft Windows Authentication mode to establish a connection between Administration Server
and SQL Server through a Windows account.

9. Specify the Windows account used to start the Administration Server service.
You can select the Windows user account for which you created an SQL Server login and configured the login
rights earlier.

We do not recommend that you automatically create a new Windows account in the KL-AK-* format. In this case,
the installer creates a new Windows account for which you have not created and configured an SQL Server
login. Administration Server cannot use this account to start the Administration Server service. If it is
necessary to create a KL-AK-* Windows account, do not start Administration Console after the installation. Do the
following instead:

1. Stop the kladminserver service.

2. On SQL Server, create an SQL Server login for the created KL-AK-* Windows account.

3. Grant the rights to this SQL Server login and configure the mapping to the created database:

Server-level role: public

Database role membership: db_owner, public

Default schema: dbo

4. Restart the kladminserver service, and then run Administration Console.

After the installation finishes, Administration Server will use the created database to store the Server data.
Administration Server is ready to use.
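The steps above for the manual creation of the Server database with Windows authentication, written as a T-SQL script. This is an added example and is not part of the Kaspersky documentation: the database name KAV, the domain CORP, and the account names ksc-installer and ksc-service are placeholders for your own values. The two verification queries at the end show what a least-privilege result looks like, and the same grants apply to a KL-AK-* account once the kladminserver service has been stopped.

```sql
-- Added example (not from the Kaspersky documentation). Placeholders:
--   [KAV]                 the empty Server database you create in step 1
--   [CORP\ksc-installer]  Windows account that runs the Administration Server installer
--   [CORP\ksc-service]    Windows account that starts the Administration Server service
USE master;
GO

-- Step 1: the empty database that you later name in the Administration Server Setup Wizard.
CREATE DATABASE [KAV];
GO

-- Step 2 (server level): Windows logins for both accounts. Every login is implicitly a
-- member of the server-level role "public"; nothing else is granted at server level,
-- in particular not sysadmin, which the manual-creation procedure does not need.
CREATE LOGIN [CORP\ksc-installer] FROM WINDOWS;
CREATE LOGIN [CORP\ksc-service]   FROM WINDOWS;
GO

-- Step 2 (database level): map both logins into the Server database with the
-- db_owner role (public is implicit) and dbo as the default schema.
USE [KAV];
GO
CREATE USER [CORP\ksc-installer] FOR LOGIN [CORP\ksc-installer] WITH DEFAULT_SCHEMA = dbo;
CREATE USER [CORP\ksc-service]   FOR LOGIN [CORP\ksc-service]   WITH DEFAULT_SCHEMA = dbo;
ALTER ROLE db_owner ADD MEMBER [CORP\ksc-installer];
ALTER ROLE db_owner ADD MEMBER [CORP\ksc-service];
GO

-- Check 1: server-level role membership. "public" is not recorded in
-- sys.server_role_members, so for this setup both logins should come back
-- with server_role = NULL. Any row showing sysadmin means the login is
-- over-privileged for the manual-creation scenario.
SELECT  lg.name       AS login_name,
        lg.type_desc  AS login_type,     -- WINDOWS_LOGIN expected
        r.name        AS server_role     -- NULL expected
FROM    sys.server_principals     AS lg
LEFT JOIN sys.server_role_members AS rm ON rm.member_principal_id = lg.principal_id
LEFT JOIN sys.server_principals   AS r  ON r.principal_id = rm.role_principal_id
WHERE   lg.name IN (N'CORP\ksc-installer', N'CORP\ksc-service');

-- Check 2: database users, role membership and default schema inside the Server database.
SELECT  u.name                AS user_name,
        u.default_schema_name AS default_schema,   -- dbo expected
        r.name                AS database_role     -- db_owner expected
FROM    sys.database_principals   AS u
JOIN    sys.database_role_members AS drm ON drm.member_principal_id = u.principal_id
JOIN    sys.database_principals   AS r   ON r.principal_id = drm.role_principal_id
WHERE   u.name IN (N'CORP\ksc-installer', N'CORP\ksc-service');
GO
```

Run the script in SQL Server Management Studio or sqlcmd as a sysadmin before you start the installer. If the installer created a KL-AK-* service account instead, stop the kladminserver service, run the CREATE LOGIN, CREATE USER and ALTER ROLE statements for that account, and re-run the two checks before restarting the service.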

Configuring accounts for work with SQL Server (SQL Server authentication)

Prerequisites

Before you assign rights to the accounts, perform the following actions:

1. Make sure that you log in to the system under the local administrator account.

2. Install an environment for working with SQL Server.

3. Make sure that you have a Windows account under which you will install Administration Server.

4. Make sure that you have a Windows account under which you will start the Administration Server service.

5. On SQL Server, enable the SQL Server authentication mode.


If you use SQL Server Management Studio, in the SQL Server Properties window, on the Security page, select
the SQL Server and Windows Authentication mode option.

6. On SQL Server, create a login with a password. The Administration Server installer (hereinafter also referred to
as the installer) and the Administration Server service will use this SQL Server account to access SQL Server.
If you use SQL Server Management Studio, on the General page of the login properties window, select the
SQL Server authentication option.

If you want to install Administration Server and SQL Server on devices that are located in separate Windows
domains, note that these domains must have two-way trust relationships to ensure the correct operation of
Administration Server, including running tasks and applying policies. For information about the required
accounts for work with various DBMSs and accounts' rights, see Accounts for work with the DBMS.

Configuring the accounts to install Administration Server (automatic creation of the
Administration Server database)

To configure the accounts for the Administration Server installation:

1. On SQL Server, map the SQL Server account to the default master database. The master database is a
template for the Administration Server database (hereinafter also referred to as a Server database). The
master database is used for mapping until the installer creates a Server database. Grant the following rights
and permissions to the SQL Server account:

Server-level role: public

Database role membership for the master database: db_owner

Default schema for the master database: dbo

Permissions:

CONNECT ANY DATABASE

CONNECT SQL

CREATE ANY DATABASE

VIEW ANY DATABASE

2. Log in to the system under the Windows account used to run the installer.

3. Run the installer.


The Administration Server Setup wizard starts. Follow the instructions of the wizard.

4. Select the custom installation of Administration Server option.

5. Select the Microsoft SQL Server as a DBMS that stores the Administration Server database.

6. Specify the Administration Server database name.

7. Select the SQL Server Authentication mode to establish a connection between Administration Server and
SQL Server through the created SQL Server account. Then, specify the SQL Server account credentials.

8. Specify the Windows account used to start the Administration Server service.
You can select an existing Windows user account or create a new Windows account in the KL-AK-* format by
using the installer. Regardless of the account choice, the installer assigns the required system rights to the
Administration Server service account.

After the installation finishes, the Server database is created and all the required system rights are assigned to the
Administration Server service account. Administration Server is ready to use.

You can cancel the mapping to the master database, because the installer created a Server database and
configured the mapping to this database during the Administration Server installation.

Since the automatic database creation requires more permissions than normal work with Administration Server,
you can revoke some permissions. On SQL Server, select the SQL Server account, and then grant the following
rights for work with Administration Server:

Server-level role: public

Database role membership for the Server database: db_owner

Default schema for the Server database: dbo

Permissions:

CONNECT SQL

VIEW ANY DATABASE
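The two phases of this procedure, the installer-phase rights granted through the master database and the tightening of the login after installation, as a T-SQL script. This is an added example and not part of the Kaspersky documentation; KSCSqlLogin is a placeholder login name and KAV a placeholder for the Server database name you enter in the Setup Wizard. The final query shows how to confirm that only the two working permissions remain.

```sql
-- Added example (not from the Kaspersky documentation). Placeholders:
--   KSCSqlLogin  the SQL Server login used by the installer and the service
--   [KAV]        the Server database name typed in the Setup Wizard

---------------------------------------------------------------------------
-- PHASE 1, before installation (step 1 of the procedure): map the login to
-- master and grant the rights the installer needs to create the Server database.
---------------------------------------------------------------------------
USE master;
GO
CREATE LOGIN KSCSqlLogin
    WITH PASSWORD = N'<strong password>',
         CHECK_POLICY = ON,
         CHECK_EXPIRATION = OFF;      -- an expiring password would later lock the service out
CREATE USER KSCSqlLogin FOR LOGIN KSCSqlLogin WITH DEFAULT_SCHEMA = dbo;
ALTER ROLE db_owner ADD MEMBER KSCSqlLogin;   -- db_owner on master: installer phase only
GRANT CONNECT ANY DATABASE TO KSCSqlLogin;
GRANT CONNECT SQL          TO KSCSqlLogin;    -- already implied by CREATE LOGIN; listed for completeness
GRANT CREATE ANY DATABASE  TO KSCSqlLogin;
GRANT VIEW ANY DATABASE    TO KSCSqlLogin;
GO

---------------------------------------------------------------------------
-- PHASE 2, after installation: the installer has created [KAV] and mapped the
-- login into it. Keep only the rights needed for normal operation.
---------------------------------------------------------------------------
USE [KAV];
GO
-- Make the Server-database mapping explicit and idempotent (the installer normally did this).
IF NOT EXISTS (SELECT 1 FROM sys.database_principals WHERE name = N'KSCSqlLogin')
    CREATE USER KSCSqlLogin FOR LOGIN KSCSqlLogin WITH DEFAULT_SCHEMA = dbo;
IF IS_ROLEMEMBER('db_owner', 'KSCSqlLogin') = 0
    ALTER ROLE db_owner ADD MEMBER KSCSqlLogin;
GO

USE master;
GO
-- Cancel the mapping to master, which was only a template during installation.
IF EXISTS (SELECT 1 FROM sys.database_principals WHERE name = N'KSCSqlLogin')
BEGIN
    ALTER ROLE db_owner DROP MEMBER KSCSqlLogin;
    DROP USER KSCSqlLogin;
END
-- Revoke the two permissions that were needed only to create the database.
REVOKE CREATE ANY DATABASE  FROM KSCSqlLogin;
REVOKE CONNECT ANY DATABASE FROM KSCSqlLogin;
GO

-- Check: the server-level permissions left on the login should be exactly
-- CONNECT SQL and VIEW ANY DATABASE, both with state_desc = GRANT.
SELECT  sp.name              AS login_name,
        perm.permission_name,
        perm.state_desc
FROM    sys.server_permissions AS perm
JOIN    sys.server_principals  AS sp ON sp.principal_id = perm.grantee_principal_id
WHERE   sp.name = N'KSCSqlLogin'
ORDER BY perm.permission_name;
GO
```

Run phase 1 as a sysadmin before starting the installer and phase 2 only after the Setup Wizard has completed and Administration Server has started once; if the check still lists CREATE ANY DATABASE or CONNECT ANY DATABASE, the REVOKE statements did not run against the instance that Administration Server uses.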

Configuring the accounts to install Administration Server (manual creation of the
Administration Server database)

To configure the accounts for the Administration Server installation:

1. On SQL Server, create an empty database. This database will be used as an Administration Server database.

2. On SQL Server, grant the following rights and permissions to the SQL Server account:

Server-level role: public.

Database role membership for the created database: db_owner.

Default schema for the created database: dbo.

Permissions:

CONNECT SQL

VIEW ANY DATABASE

3. Log in to the system under the Windows account used to run the installer.

4. Run the installer.


The Administration Server Setup wizard starts. Follow the instructions of the wizard.

5. Select the custom installation of Administration Server option.

6. Select the Microsoft SQL Server as a DBMS that stores the Administration Server database.

7. Specify the name of the created database as the Administration Server database name.

8. Select the SQL Server Authentication mode to establish a connection between Administration Server and
SQL Server through the created SQL Server account. Then, specify the SQL Server account credentials.

9. Specify the Windows account used to start the Administration Server service.
You can select an existing Windows user account or create a new Windows account in the KL-AK-* format by
using the installer. Regardless of the account choice, the installer assigns the required system rights to the
Administration Server service account.

After the installation finishes, Administration Server will use the created database to store the Administration
Server data. All the required system rights are assigned to the Administration Server service account.
Administration Server is ready to use.

Configuring accounts for work with MySQL and MariaDB

Prerequisites

Before you assign rights to the accounts, perform the following actions:

1. Make sure that you log in to the system under the local administrator account.

2. Install an environment for working with MySQL or MariaDB.

3. Make sure that you have a Windows account under which you will install Administration Server.

4. Make sure that you have a Windows account under which you will start the Administration Server service.

Configuring the accounts to install Administration Server

To configure the accounts for the Administration Server installation:

1. Run an environment for working with MySQL or MariaDB under the root account that you created when you
installed the DBMS.

2. Create an internal DBMS account with a password. The Administration Server installer (hereinafter also referred
to as the installer) and the Administration Server service will use this internal DBMS account to access DBMS.
Grant the following privileges to this account:

Schema privileges:

Administration Server database: ALL (excluding GRANT OPTION)

System schemes (mysql and sys): SELECT, SHOW VIEW

The sys.table_exists stored procedure: EXECUTE

Global privileges for all schemes: PROCESS, SUPER

To create an internal DBMS account and grant the required privileges to this account, run the script below (in
this script, the DBMS login is KSCAdmin, and the Administration Server database name is kav):
/* Create a user named KSCAdmin */
CREATE USER 'KSCAdmin'
/* Specify a password for KSCAdmin */
IDENTIFIED BY '< password >';
/* Grant privileges to KSCAdmin */
GRANT USAGE ON *.* TO 'KSCAdmin';
GRANT ALL ON kav.* TO 'KSCAdmin';
GRANT SELECT, SHOW VIEW ON mysql.* TO 'KSCAdmin';
GRANT SELECT, SHOW VIEW ON sys.* TO 'KSCAdmin';
GRANT EXECUTE ON PROCEDURE sys.table_exists TO 'KSCAdmin';
GRANT PROCESS ON *.* TO 'KSCAdmin';
GRANT SUPER ON *.* TO 'KSCAdmin';

If you use MariaDB 10.5 or earlier as a DBMS, you do not need to grant the EXECUTE privilege. In this case,
exclude the following command from the script: GRANT EXECUTE ON PROCEDURE sys.table_exists
TO 'KSCAdmin'.

3. To view the list of privileges granted to the DBMS account, run the following script:
SHOW GRANTS FOR 'KSCAdmin';

4. To create an Administration Server database manually, run the following script (in this script, the Administration
Server database name is kav):
CREATE DATABASE kav
DEFAULT CHARACTER SET utf8
DEFAULT COLLATE utf8_general_ci;
Use the same database name that you specify in the script that creates the DBMS account.

5. Log in to the system under the Windows account used to run the installer.

6. Run the installer.


The Administration Server Setup wizard starts. Follow the instructions of the wizard.

7. Select the custom installation of Administration Server option.

8. Select the MySQL or MariaDB as a DBMS that stores the Administration Server database.

9. Specify the Administration Server database name. Use the same database name that you specify in the script.

10. Specify the credentials of the DBMS account that you created by the script.

11. Specify the Windows account used to start the Administration Server service.
You can select an existing Windows user account or automatically create a new Windows account in the KL-AK-
* format by using the installer. Regardless of the account choice, the installer assigns the required system rights
to the Administration Server service account.

After the installation finishes, the Administration Server database is created and Administration Server is ready to
use.

Scenario: Authenticating Microsoft SQL Server

Information in this section is only applicable to configurations in which Kaspersky Security Center uses
Microsoft SQL Server as a database management system.

To protect Kaspersky Security Center data transferred to or from the database and data stored in the database
from unauthorized access, you must secure communication between Kaspersky Security Center and SQL Server.
The most reliable way to provide secure communication is to install Kaspersky Security Center and SQL Server on
the same device and use the shared memory mechanism for both applications. In all other cases, we recommend
that you use an SSL or TLS certificate to authenticate the SQL Server instance. You can use a certificate from a
trusted certification authority (CA) or a self-signed certificate. We recommend that you use a certificate from a
trusted CA because a self-signed certificate provides only limited protection.

SQL Server authentication proceeds in stages:


1 Generating a self-signed SSL or TLS certificate for SQL Server according to the certificate requirements

If you already have a certi cate for SQL Server, skip this step.

An SSL certi cate is only applicable to SQL Server versions earlier than 2016 (13.x). In SQL Server 2016 (13.x) and
later versions, use a TLS certi cate.

For example, to generate a TLS certificate, enter the following command in PowerShell:

New-SelfSignedCertificate -DnsName SQL_HOST_NAME -CertStoreLocation cert:\LocalMachine -KeySpec KeyExchange

In the command, instead of SQL_HOST_NAME you must type the SQL Server host name if the host is
included in the domain or type the fully qualified domain name (FQDN) of the host if the host is not included
in the domain. The same name, host name or FQDN, must be specified as an SQL Server instance name in
the Administration Server Setup Wizard.

2 Adding the certificate on the SQL Server instance

The instructions for this stage depend on the platform on which SQL Server is running. Refer to the official
documentation for details:

Windows

Linux

Amazon Relational Database Service

Windows Azure

To use the certificate on a failover cluster, you must install the certificate on each node of the failover cluster.
For details, refer to the Microsoft documentation.

3 Assigning the service account permissions

Ensure that the service account under which the SQL Server service is run has the Full control permission to
access private keys. For details, refer to the Microsoft documentation.

4 Adding the certificate to the list of trusted certificates for Kaspersky Security Center

On the Administration Server device, add the certificate to the list of trusted certificates. For details, refer to
the Microsoft documentation.

5 Enabling encrypted connections between the SQL Server instance and Kaspersky Security Center

On the Administration Server device, set the KLDBADO_UseEncryption environment variable to 1. For
example, in Windows Server 2012 R2, you can change environment variables by clicking Environment Variables on
the Advanced tab of the System Properties window. Add a new variable, name it KLDBADO_UseEncryption,
and then set its value to 1.

6 Additional configuration to use TLS 1.2 protocol

If you use the TLS 1.2 protocol, then additionally do the following:

Ensure that the installed version of SQL Server is a 64-bit application.

Install Microsoft OLE DB Driver on the Administration Server device. For details, refer to the Microsoft
documentation.

On the Administration Server device, set the KLDBADO_UseMSOLEDBSQL environment variable to 1. For
example, in Windows Server 2012 R2, you can change environment variables by clicking Environment
Variables on the Advanced tab of the System Properties window. Add a new variable, name it
KLDBADO_UseMSOLEDBSQL, and then set its value to 1.

7 Enabling usage of TCP/IP protocol on a named instance of SQL Server

If you use a named instance of SQL Server, then additionally enable usage of TCP/IP protocol and assign a
TCP/IP port number to the SQL Server Database Engine. When you configure SQL Server connection in the
Administration Server Setup Wizard, specify the SQL Server host name and the port number in the SQL Server
instance name field.
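A check for stages 5 and 7 above, as an added example that is not part of the Kaspersky documentation: once Administration Server reconnects with KLDBADO_UseEncryption in effect, run this T-SQL on the SQL Server instance to confirm that its sessions really are encrypted and arrive over the transport you expect (shared memory on a single device, TCP with the assigned port for a named instance). It relies only on the standard dynamic management views and needs the VIEW SERVER STATE permission.

```sql
-- Added example (not from the Kaspersky documentation). Requires VIEW SERVER STATE.
-- Run on the SQL Server instance that hosts the Server database.

-- Overview of every user session: which host it comes from, how it authenticated,
-- which transport it uses and whether the connection is encrypted.
SELECT  s.host_name,              -- the Administration Server device appears here
        s.login_name,             -- Windows account or the SQL Server login
        s.program_name,
        c.auth_scheme,            -- NTLM/KERBEROS for Windows authentication, SQL for SQL Server authentication
        c.net_transport,          -- 'Shared memory' when KSC and SQL Server share a device, otherwise 'TCP'
        c.local_tcp_port,         -- for a named instance: the port assigned in stage 7
        c.encrypt_option          -- 'TRUE' is what stage 5 is meant to produce
FROM    sys.dm_exec_connections AS c
JOIN    sys.dm_exec_sessions    AS s ON s.session_id = c.session_id
WHERE   s.is_user_process = 1
ORDER BY c.encrypt_option, s.host_name;

-- Finding: remote sessions that are still unencrypted. Shared-memory sessions are
-- excluded because they never leave the device. This result set should be empty
-- after stage 5; any row names a host whose KLDBADO_UseEncryption setting did not
-- take effect or whose client has not reconnected yet.
SELECT  s.host_name,
        s.login_name,
        c.client_net_address,
        c.net_transport
FROM    sys.dm_exec_connections AS c
JOIN    sys.dm_exec_sessions    AS s ON s.session_id = c.session_id
WHERE   s.is_user_process = 1
  AND   c.net_transport <> 'Shared memory'
  AND   c.encrypt_option = 'FALSE';
```

If the second query returns rows for the Administration Server host, restart the kladminserver service so that it picks up the environment variable, then repeat the check; with a self-signed certificate, also confirm that stage 4 (trusting the certificate on the Administration Server device) was completed, because an untrusted certificate is the usual reason encrypted connections fail to establish.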

Recommendations on Administration Server installation


This section contains recommendations on how to install Administration Server. This section also provides
scenarios for using a shared folder on the Administration Server device in order to deploy Network Agent on client
devices.

Creating accounts for the Administration Server services on a failover cluster

By default, the installer automatically creates non-privileged accounts for services of Administration Server. This
behavior is the most convenient for Administration Server installation on an ordinary device.

However, installation of Administration Server on a failover cluster requires a different scenario:

1. Create non-privileged domain accounts for services of Administration Server and make them members of a
global domain security group named KLAdmins.

2. In the Administration Server Installer, specify the domain accounts that have been created for the services.

Defining a shared folder

When installing Administration Server, you can specify the location of the shared folder. You can also specify the
location of the shared folder after installation, in the Administration Server properties. By default, the shared
folder will be created on the device with Administration Server (with read rights for the Everyone subgroup).
However, in some cases (such as high load or a need for access from an isolated network), it is useful to locate the
shared folder on a dedicated file resource.

The shared folder is used occasionally in Network Agent deployment.

Case sensitivity for the shared folder must be disabled.

Remote installation with Administration Server tools through Active Directory group policies

If the target devices are located within a Windows domain (no workgroups), initial deployment (installation of
Network Agent and the security application on devices that are not yet managed) has to be performed through
group policies of Active Directory. Deployment is performed by using the standard task for remote installation of
Kaspersky Security Center. If the network is large-scale, it is useful to locate the shared folder on a dedicated file
resource to reduce the load on the disk subsystem of the Administration Server device.

Remote installation through delivery of the UNC path to a stand-alone package

If the users of networked devices in the organization have local administrator rights, another method of initial
deployment is to create a stand-alone Network Agent package (or even a "coupled" Network Agent package
together with the security application). After you create a stand-alone package, send users a link to that package,
which is stored in the shared folder. Installation starts when users click the link.

Updating from the Administration Server shared folder

In the Anti-Virus update task, you can configure updating from the shared folder of Administration Server. If the
task has been assigned to a large number of devices, it is useful to locate the shared folder on a dedicated file
resource.

Installing images of operating systems

Operating system images are always installed through the shared folder: devices read operating system images
from the shared folder. If deployment of images is planned on a large number of corporate devices, it is useful to
locate the shared folder on a dedicated file resource.

Specifying the address of the Administration Server


When installing Administration Server, you can specify the address of the Administration Server. This address will
be used as the default address when creating installation packages of Network Agent.

As the Administration Server address, you can specify the following:

NetBIOS name of the Administration Server, which is specified by default

Fully qualified domain name (FQDN) of the Administration Server if the Domain Name System (DNS) on the
organization's network has been configured and is functioning properly

External address if the Administration Server is installed in the demilitarized zone (DMZ)

After that, you will be able to change the address of the Administration Server by using Administration Console
tools; the address will not change automatically in Network Agent installation packages that have been already
created.

Standard installation

Standard installation is an Administration Server installation that uses the default paths for application files, installs
the default set of plug-ins, and does not enable Mobile Device Management.

To install Kaspersky Security Center Administration Server on a local device:

Run the ksc_<version number>.<build number>_full_<localization language>.exe executable le.

A window opens prompting you to select Kaspersky applications to install. In the application selection window, click
the Install Kaspersky Security Center 14 Administration Server link to start the Administration Server Setup
Wizard. Follow the instructions of the Wizard.

Step 1. Reviewing the License Agreement and Privacy Policy


At this step of the Setup Wizard, you must read the License Agreement, which is to be concluded between you
and Kaspersky, as well as the Privacy Policy.

You may also be prompted to view the License Agreements and Privacy Policies for application management plug-
ins that are available in the Kaspersky Security Center distribution kit.

Please carefully read the License Agreement and Privacy Policy. If you agree with all the terms of the License
Agreement and the Privacy Policy, select the following check boxes in the I confirm I have fully read, understood,
and accept the following section:

The terms and conditions of this EULA

Privacy Policy describing the handling of data

Installation of the application on your device will continue after you select both check boxes.

If you do not accept the License Agreement or the Privacy Policy, cancel installation by clicking the Cancel button.

Step 2. Selecting an installation method


In the installation type selection window, select Standard.

Standard installation is recommended if you want to try out Kaspersky Security Center by, for example, testing its
operation on a small area within your enterprise network. During standard installation, you only configure the
database. You do not specify any Administration Server settings: their respective default values are used instead.
Standard installation does not allow you to select management plug-ins to install; only the default set of plug-ins is
installed. During standard installation, no installation packages for mobile devices are created. However, you can
create them later in Administration Console.

Step 3. Installing Kaspersky Security Center Web Console

This step is displayed only if you are using a 64-bit operating system. Otherwise, this step is not displayed,
because Kaspersky Security Center Web Console does not work with 32-bit operating systems.

By default, both Kaspersky Security Center Web Console and MMC-based Administration Console will be
installed.
If you want to install only Kaspersky Security Center Web Console:

1. Select Install only this one.

2. Choose Web-based console in the drop-down list.

Installation of Kaspersky Security Center Web Console starts automatically after completion of
Administration Server installation.

If you want to install only the MMC-based console:

1. Select Install only this one.

2. Choose MMC-based console in the drop-down list.

Step 4. Selecting network size


Specify the size of the network on which Kaspersky Security Center is to be installed. Depending on the number of
devices on the network, the Wizard configures the installation and appearance of the application interface so that
they match.

The following table lists the application installation settings and interface appearance settings, which are adjusted
based on various network sizes.

Dependence of installation settings on the network scale selected

Settings | 1–100 devices | 101–1000 devices | 1001–5000 devices | More than 5000 devices
--- | --- | --- | --- | ---
Display with the node for secondary and virtual Administration Servers, and all settings related to the secondary and virtual Administration Servers in the console tree | Not available | Not available | Available | Available
Display with the Security sections in the properties windows of the Administration Server and administration groups | Not available | Not available | Available | Available
Random distribution of startup time for the update task on client devices | Not available | Over an interval of 5 minutes | Over an interval of 10 minutes | Over an interval of 10 minutes

If you connect Administration Server to a MySQL 5.7 or SQL Express database server, we do not recommend
using the application to manage more than 10,000 devices. For the MariaDB database management system,
the maximum recommended number of managed devices is 20,000.

Step 5. Selecting a database


At this step of the Wizard, select the database management system (DBMS) that will store the Administration
Server database:

Microsoft SQL Server (SQL Server Express).

MySQL. If you want to install MySQL or MariaDB, select this option. You can configure either of these DBMSs in
the next step of the Wizard.

It is recommended to install the Administration Server on a dedicated server instead of a domain controller.
However, if you install Kaspersky Security Center on a server that acts as a read-only domain controller
(RODC), Microsoft SQL Server (SQL Express) must not be installed locally (on the same device). In this case,
we recommend that you install Microsoft SQL Server (SQL Express) remotely (on a different device), or that
you use MySQL or MariaDB, if you need to install the DBMS locally.

The Administration Server database structure is provided in the klakdb.chm file, which is located in the Kaspersky
Security Center installation folder (this file is also available in an archive on the Kaspersky portal: klakdb.zip ).

Step 6. Configuring the SQL Server


At this step of the Wizard, you configure SQL Server.

Depending on the database that you have selected, specify the following settings:

If you selected Microsoft SQL Server (SQL Server Express) in the previous step:

In the SQL Server instance name field, specify the name of the SQL Server on the network. To view a list of
all SQL Servers that are on the network, click the Browse button. This field is blank by default.
If you connect to the SQL Server through a custom port, then together with the SQL Server host name
specify the port number separated with a comma, for example:
SQL_Server_host_name,1433
If you secure communication between the Administration Server and SQL Server by means of a certificate,
specify in the SQL Server instance name field the same host name that was used when the certificate
was generated. If you use a named instance of SQL Server, then together with the SQL Server host name
specify the port number separated with a comma, for example:
SQL_Server_name,1433
If you use several instances of SQL Server on the same host, then additionally specify the instance name
separated with a backslash, for example:
SQL_Server_name\SQL_Server_instance_name,1433
If a SQL Server on the enterprise network has the Always On feature enabled, specify the name of the
availability group listener in the SQL Server instance name field. Note that Administration Server supports
only the synchronous-commit availability mode when the Always On feature is enabled.

In the Database name field, specify the name of the database that has been created to store
Administration Server data. The default value is KAV.

If at this stage you want to install SQL Server on the device from which you are installing Kaspersky Security
Center, you must stop installation and restart it after SQL Server is installed. The supported SQL Server
versions are listed in the system requirements.
If you want to install SQL Server on a remote device, you do not have to interrupt the Kaspersky Security
Center Setup Wizard. Install SQL Server and resume installation of Kaspersky Security Center.

If you selected MySQL in the previous step:

In the SQL Server instance name field, specify the name of the SQL Server instance. By default, the name
is the IP address of the device on which Kaspersky Security Center is to be installed.

In the Port field, specify the port for Administration Server connection to the SQL Server database. The
default port number is 3306.

In the Database name field, specify the name of the database that has been created to store
Administration Server data. The default value is KAV.

Step 7. Selecting an authentication mode


Determine the authentication mode that will be used when Administration Server connects to the SQL Server.

Depending on the database that is selected, you can choose from the following authentication modes:

For SQL Express or Microsoft SQL Server select one of the following options:

Microsoft Windows Authentication mode. Verification of rights uses the account used for starting
Administration Server.

SQL Server Authentication mode. If you select this option, the account specified in the window is used to
verify access rights. Fill in the Account and Password fields.
To see the entered password, click and hold the Show button.

For both authentication modes, the application checks if the database is available. If the database is not
available, an error message is displayed, and you have to provide correct credentials.

If the Administration Server database is stored on another device and the Administration Server account
does not have access to the database server, you must use SQL Server authentication mode when
installing or upgrading Administration Server. This may occur when the device that stores the database is
outside the domain or when Administration Server is installed under a LocalSystem account.

For the MySQL server or MariaDB server, specify the account and password.

Step 8. Unpacking and installing files on the hard drive


After the installation of Kaspersky Security Center components is configured, you can start installing files on the
hard drive.

If installation requires additional programs, the Setup Wizard will notify you, on the Installing Prerequisites page,
before installation of Kaspersky Security Center begins. The required programs are installed automatically after
you click the Next button.

On the last page, you can select which console to start for work with Kaspersky Security Center:

Start MMC-based Administration Console

Start Kaspersky Security Center Web Console

This option is available only if you opted to install Kaspersky Security Center Web Console in one of the
previous steps.

You can also click Finish to close the Wizard without starting work with Kaspersky Security Center. You can start
the work later at any time.

At the first startup of Administration Console or Kaspersky Security Center Web Console, you can perform the
initial setup of the application.

When the Setup Wizard finishes, the following application components are installed on the hard drive on which the
operating system was installed:

Administration Server (together with the server version of Network Agent)

Microsoft Management Console-based Administration Console

Kaspersky Security Center Web Console (if you chose to install it)

Application management plug-ins available in the distribution kit

Additionally, Microsoft Windows Installer 4.5 will be installed if it was not installed previously.

Custom installation
Custom installation is an Administration Server installation during which you are prompted to select components
to install and specify the folder in which the application must be installed.

Using this type of installation, you can configure the database and Administration Server, as well as install
components that are not included in standard installation or management plug-ins for various Kaspersky security
applications. You can also enable Mobile Device Management.

To install Kaspersky Security Center Administration Server on a local device:

Run the ksc_<version number>.<build number>_full_<localization language>.exe executable file.

A window opens prompting you to select Kaspersky applications to install. In the application selection window, click
the Install Kaspersky Security Center 14 Administration Server link to start the Administration Server Setup
Wizard. Follow the instructions of the Wizard.

Step 1. Reviewing the License Agreement and Privacy Policy


At this step of the Setup Wizard, you must read the License Agreement, which is to be concluded between you
and Kaspersky, as well as the Privacy Policy.

You may also be prompted to view the License Agreements and Privacy Policies for application management plug-
ins that are available in the Kaspersky Security Center distribution kit.

Please carefully read the License Agreement and Privacy Policy. If you agree with all the terms of the License
Agreement and the Privacy Policy, select the following check boxes in the I confirm I have fully read, understood,
and accept the following section:

The terms and conditions of this EULA

Privacy Policy describing the handling of data

Installation of the application on your device will continue after you select both check boxes.

If you do not accept the License Agreement or the Privacy Policy, cancel installation by clicking the Cancel button.

Step 2. Selecting an installation method


In the installation type selection window, specify Custom.

Custom installation allows you to modify the Kaspersky Security Center settings, such as the path to the shared
folder, accounts and ports for connection to the Administration Server, and database settings. Custom installation
allows you to specify which Kaspersky management plug-ins to install. During custom installation, you can create
installation packages for mobile devices by enabling the corresponding option.

Step 3. Selecting the components to be installed


Select the components of Kaspersky Security Center Administration Server that you want to install:

Mobile Device Management. Select this check box if you must create installation packages for mobile devices
when the Kaspersky Security Center Setup Wizard is running. You can also create installation packages for
mobile devices manually, after Administration Server installation, by using Administration Console tools.

SNMP agent. This component receives statistical information for the Administration Server over the SNMP
protocol. The component is available if the application is installed on a device with SNMP installed.

After Kaspersky Security Center is installed, the .mib files required for receiving statistics are located in the
SNMP subfolder of the application installation folder.

Network Agent and Administration Console are not displayed in the component list. These components are
installed automatically and you cannot cancel their installation.

At this step you must specify a folder for installation of Administration Server components. By default, the
components are installed to <Disk>:\Program Files\Kaspersky Lab\Kaspersky Security Center. If no such folder
exists, this folder is created automatically during installation. You can change the destination folder by using the
Browse button.

Step 4. Installing Kaspersky Security Center Web Console

This step is displayed only if you are using a 64-bit operating system. Otherwise, this step is not displayed,
because Kaspersky Security Center Web Console does not work with 32-bit operating systems.

By default, both Kaspersky Security Center Web Console and MMC-based Administration Console will be
installed.

If you want to install only Kaspersky Security Center Web Console:


1. Select Install only this one.

2. Choose Web-based console in the drop-down list.

Installation of Kaspersky Security Center Web Console starts automatically after completion of
Administration Server installation.

If you want to install only the MMC-based console:

1. Select Install only this one.

2. Choose MMC-based console in the drop-down list.

Step 5. Selecting network size


Specify the size of the network on which Kaspersky Security Center is to be installed. Depending on the number of
devices on the network, the Wizard configures the installation and appearance of the application interface so that
they match.

The following table lists the application installation settings and interface appearance settings, which are adjusted
based on various network sizes.

Dependence of installation settings on the network scale selected

Settings | 1–100 devices | 101–1000 devices | 1001–5000 devices | More than 5000 devices
--- | --- | --- | --- | ---
Display with the node for secondary and virtual Administration Servers, and all settings related to the secondary and virtual Administration Servers in the console tree | Not available | Not available | Available | Available
Display with the Security sections in the properties windows of the Administration Server and administration groups | Not available | Not available | Available | Available
Random distribution of startup time for the update task on client devices | Not available | Over an interval of 5 minutes | Over an interval of 10 minutes | Over an interval of 10 minutes

If you connect Administration Server to a MySQL 5.7 or SQL Express database server, we do not recommend
using the application to manage more than 10,000 devices. For the MariaDB database management system,
the maximum recommended number of managed devices is 20,000.

Step 6. Selecting a database


At this step of the Wizard, select the database management system (DBMS) that will store the Administration
Server database:

Microsoft SQL Server (SQL Server Express).

MySQL. If you want to install MySQL or MariaDB, select this option. You can configure either of these DBMSs in
the next step of the Wizard.

It is recommended to install the Administration Server on a dedicated server instead of a domain controller.
However, if you install Kaspersky Security Center on a server that acts as a read-only domain controller
(RODC), Microsoft SQL Server (SQL Express) must not be installed locally (on the same device). In this case,
we recommend that you install Microsoft SQL Server (SQL Express) remotely (on a different device), or that
you use MySQL or MariaDB, if you need to install the DBMS locally.

The Administration Server database structure is provided in the klakdb.chm file, which is located in the Kaspersky
Security Center installation folder (this file is also available in an archive on the Kaspersky portal: klakdb.zip ).

Step 7. Configuring the SQL Server


At this step of the Wizard, you configure SQL Server.

Depending on the database that you have selected, specify the following settings:

If you selected Microsoft SQL Server (SQL Server Express) in the previous step:

In the SQL Server instance name field, specify the name of the SQL Server on the network. To view a list of
all SQL Servers that are on the network, click the Browse button. This field is blank by default.
If you connect to the SQL Server through a custom port, then together with the SQL Server host name
specify the port number separated with a comma, for example:
SQL_Server_host_name,1433
If you secure communication between the Administration Server and SQL Server by means of a certificate,
specify in the SQL Server instance name field the same host name that was used when the certificate
was generated. If you use a named instance of SQL Server, then together with the SQL Server host name
specify the port number separated with a comma, for example:
SQL_Server_name,1433
If you use several instances of SQL Server on the same host, then additionally specify the instance name
separated with a backslash, for example:
SQL_Server_name\SQL_Server_instance_name,1433
If a SQL Server on the enterprise network has the Always On feature enabled, specify the name of the
availability group listener in the SQL Server instance name field. Note that Administration Server supports
only the synchronous-commit availability mode when the Always On feature is enabled.

In the Database name field, specify the name of the database that has been created to store
Administration Server data. The default value is KAV.

If at this stage you want to install SQL Server on the device from which you are installing Kaspersky Security
Center, you must stop installation and restart it after SQL Server is installed. The supported SQL Server
versions are listed in the system requirements.
If you want to install SQL Server on a remote device, you do not have to interrupt the Kaspersky Security
Center Setup Wizard. Install SQL Server and resume installation of Kaspersky Security Center.

If you selected MySQL in the previous step:

In the SQL Server instance name field, specify the name of the SQL Server instance. By default, the name
is the IP address of the device on which Kaspersky Security Center is to be installed.

In the Port field, specify the port for Administration Server connection to the SQL Server database. The
default port number is 3306.

In the Database name field, specify the name of the database that has been created to store
Administration Server data. The default value is KAV.

Step 8. Selecting an authentication mode


Determine the authentication mode that will be used when Administration Server connects to the SQL Server.

Depending on the database that is selected, you can choose from the following authentication modes:

For SQL Express or Microsoft SQL Server select one of the following options:

Microsoft Windows Authentication mode. Verification of rights uses the account used for starting
Administration Server.

SQL Server Authentication mode. If you select this option, the account specified in the window is used to
verify access rights. Fill in the Account and Password fields.
To see the entered password, click and hold the Show button.

For both authentication modes, the application checks if the database is available. If the database is not
available, an error message is displayed, and you have to provide correct credentials.

If the Administration Server database is stored on another device and the Administration Server account
does not have access to the database server, you must use SQL Server authentication mode when
installing or upgrading Administration Server. This may occur when the device that stores the database is
outside the domain or when Administration Server is installed under a LocalSystem account.

For the MySQL server or MariaDB server, specify the account and password.
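The following PowerShell check is an added example; it is not part of Kaspersky Security Center or its Setup Wizard. It serves the SQL Server configuration and authentication-mode steps of both the standard installation (Steps 6 and 7) and the custom installation (Steps 7 and 8): before running the wizard, it verifies that the SQL Server you will enter in the SQL Server instance name field, in the same host,port or host\instance,port syntax, accepts a connection with the authentication mode you intend to choose. It uses System.Data.SqlClient from the .NET Framework (present in Windows PowerShell 5.1); the host names, database name and credentials are placeholders. When you plan to use Windows Authentication, run the check under the account that will start Administration Server, because that is the account whose rights the wizard verifies.

```powershell
# Added example; not Kaspersky's own tooling. Tests reachability of the SQL Server named
# exactly as in the wizard's "SQL Server instance name" field, with Windows or SQL Server
# authentication. All host names, the database name and credentials are placeholders.

function Test-KscSqlConnection {
    param(
        # Same syntax as the wizard field: host,port | host\instance,port | Always On listener name
        [Parameter(Mandatory)] [string] $Instance,
        [string] $Database = 'KAV',            # wizard default
        [pscredential] $Credential,            # omit for Windows Authentication
        [switch] $RequireEncryption            # set when the link to SQL Server is secured with a certificate
    )
    $b = New-Object System.Data.SqlClient.SqlConnectionStringBuilder
    $b['Data Source']     = $Instance
    $b['Initial Catalog'] = $Database
    $b['Connect Timeout'] = 10
    # With Encrypt=True the client validates the server certificate against the host name in
    # $Instance, so a name that differs from the one the certificate was issued for fails here,
    # which is the mismatch the wizard step warns about.
    $b['Encrypt'] = $RequireEncryption.IsPresent
    if ($Credential) {
        $b['User ID']  = $Credential.UserName
        $b['Password'] = $Credential.GetNetworkCredential().Password
    } else {
        $b['Integrated Security'] = $true
    }

    $conn = New-Object System.Data.SqlClient.SqlConnection $b.ConnectionString
    try {
        $conn.Open()
        $cmd = $conn.CreateCommand()
        $cmd.CommandText = 'SELECT @@SERVERNAME AS Server, DB_NAME() AS Db, SUSER_SNAME() AS Login'
        $r = $cmd.ExecuteReader()
        [void]$r.Read()
        [pscustomobject]@{ Instance = $Instance; Server = $r['Server']; Database = $r['Db']
                           Login = $r['Login']; Ok = $true; Error = $null }
        $r.Close()
    } catch {
        # A failure here is the same error the wizard reports when the database is not available
        [pscustomobject]@{ Instance = $Instance; Server = $null; Database = $Database
                           Login = $null; Ok = $false; Error = $_.Exception.Message }
    } finally {
        $conn.Dispose()
    }
}

# Windows Authentication against a named instance on a custom port (placeholder names)
Test-KscSqlConnection -Instance 'sqlhost.corp.example\KSC,1433'

# SQL Server Authentication, as required when the database host is outside the domain or
# Administration Server runs as LocalSystem; the password is prompted for, never stored in the script
$cred = Get-Credential -Message 'SQL login that Administration Server will use'
Test-KscSqlConnection -Instance 'sqlhost.corp.example,1433' -Credential $cred -RequireEncryption
```

An `Ok = $false` result with a login error means the credentials or the account's rights are wrong; a certificate-related error with -RequireEncryption means the name in -Instance is not the one the server certificate was issued for. The check covers only Microsoft SQL Server; for MySQL or MariaDB the wizard fields are the instance name, port 3306 and a database account, which this client library does not test.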

Step 9. Selecting the account to start Administration Server


Select the account that will be used to start Administration Server as a service.

Generate the account automatically. The application creates an account named KL-AK-*, under which the
kladminserver service will run.
You can select this option if you plan to locate the shared folder and the DBMS on the same device as
Administration Server.

Select an account. The Administration Server service (kladminserver) will run under the account that you
selected.
You will have to select a domain account if, for example, you plan to use as the DBMS a SQL Server instance of
any version, including SQL Express, that is located on another device, and/or you plan to locate the shared
folder on another device.
Kaspersky Security Center supports managed service accounts (MSA) and group managed service accounts
(gMSA). If these types of accounts are used in your domain, you can select one of them as the account for the
Administration Server service.

Before specifying MSA or gMSA, you must install the account on the same device on which you want to install
Administration Server. If the account is not installed yet, then cancel the Administration Server installation,
install the account, and then restart the Administration Server installation. For details about installation of
managed service accounts on a local device, refer to the official Microsoft documentation.
To specify MSA or gMSA:

1. Click the Browse button.

2. In the window that opens, click the Object type button.

3. Select the Account for services type and click OK.

4. Select the relevant account and click OK.

The account that you selected must have different permissions, depending on the DBMS that you plan to use.

For security reasons, do not grant privileged status to the account under which you run
Administration Server.

If later you decide to change the Administration Server account, you can use the utility for Administration Server
account switching (klsrvswch).
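The following PowerShell pre-check is an added example, not Kaspersky's own tooling, for the account selection in Step 9. It confirms that a managed service account (MSA or gMSA) you intend to select is already installed on this device, installing it if not, and it lists any privileged group memberships of the account, which the step tells you to avoid. It assumes the RSAT ActiveDirectory module and the Microsoft.PowerShell.LocalAccounts module (Windows Server 2016 or later); the account name 'gmsa-ksc$' is a placeholder.

```powershell
# Added example; not part of Kaspersky Security Center. Verifies a candidate Administration
# Server service account before Step 9: an MSA/gMSA must be installed locally, and no
# account should hold privileged group membership. 'gmsa-ksc$' is a placeholder name.
Import-Module ActiveDirectory

function Test-KscServiceAccount {
    param([Parameter(Mandatory)] [string] $SamAccountName)   # e.g. 'gmsa-ksc$' or 'ksc'

    $isMsa = $SamAccountName.EndsWith('$')
    $installed = $null                                         # not applicable to an ordinary user
    if ($isMsa) {
        # The wizard can only use a managed service account that is installed on this device
        if (-not (Test-ADServiceAccount -Identity $SamAccountName)) {
            Install-ADServiceAccount -Identity $SamAccountName
        }
        $installed = Test-ADServiceAccount -Identity $SamAccountName
    }

    # Least privilege: direct memberships in the local domain plus the local Administrators group.
    # Nested memberships and groups in other domains are not enumerated by this check.
    $privileged = 'Domain Admins', 'Enterprise Admins', 'Schema Admins', 'Administrators', 'Account Operators'
    $domainGroups = Get-ADPrincipalGroupMembership -Identity $SamAccountName |
                    Select-Object -ExpandProperty Name
    $found = @($domainGroups | Where-Object { $privileged -contains $_ })

    $localAdmins = Get-LocalGroupMember -Group 'Administrators' -ErrorAction SilentlyContinue |
                   Select-Object -ExpandProperty Name
    if ($localAdmins | Where-Object { $_ -like "*\$SamAccountName" }) {
        $found += 'Administrators (local)'
    }

    [pscustomobject]@{
        Account          = $SamAccountName
        ManagedAccount   = $isMsa
        InstalledLocally = $installed
        PrivilegedGroups = $found
        ReadyForWizard   = ($found.Count -eq 0) -and ((-not $isMsa) -or $installed)
    }
}

Test-KscServiceAccount -SamAccountName 'gmsa-ksc$'
```

If ReadyForWizard is false because of PrivilegedGroups, remove the memberships (or choose another account) before selecting it in the wizard; the DBMS permissions the account needs are separate from group membership and are granted in the DBMS itself.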

Step 10. Selecting the account for running the Kaspersky Security Center services
Select the account under which the services of Kaspersky Security Center will run on this device:

Generate the account automatically. Kaspersky Security Center creates a local account named KlScSvc on
this device in the kladmins group. The services of Kaspersky Security Center will be run under the account that
has been created.

Select an account. The Kaspersky Security Center services will be run under the account that you selected.
You will have to select a domain account if, for example, you intend to save reports to a folder located on a
di erent device or if this is required by your organization's security policy. You may also have to select a domain
account if you install Administration Server on a failover cluster.

For security reasons, do not grant privileged status to the account under which the services are run.

The KSN proxy service (ksnproxy), Kaspersky activation proxy service (klactprx), and Kaspersky authentication
portal service (klwebsrv) will be run under the selected account.

Step 11. Selecting a shared folder


Define the location and name of the shared folder that will be used to do the following:

Store the files necessary for remote installation of applications (these files are copied to Administration Server
during creation of installation packages).

Store updates that have been downloaded from an update source to Administration Server.

File sharing (read-only) will be enabled for all users.

You can select either of the following options:

Create a shared folder. Create a new folder. In the text box, specify the path to the folder.

Select an existing shared folder. Select a shared folder that already exists.

The shared folder can be a local folder on the device that is used for installation or a remote directory on any client
device on the corporate network. You can click the Browse button to select the shared folder, or specify the
shared folder manually by entering its UNC path (for example, \\server\Share) in the corresponding field.

By default, the installer creates a local Share subfolder in the application folder that contains the components of
Kaspersky Security Center.

You can define a shared folder later if needed.

Step 12. Configuring the connection to Administration Server


Configure the connection to Administration Server:

Port

The number of the port used to connect to the Administration Server.


The default port number is 14000.

SSL port

Secure Sockets Layer (SSL) port number used to securely connect to the Administration Server via SSL.
The default port number is 13000.

Encryption key length

Select the length of the encryption key: 1024 bit or 2048 bit.

A 1024-bit encryption key places a smaller load on the CPU, but it is considered obsolete because its technical
specifications no longer provide reliable encryption. Existing hardware is also likely to prove incompatible with
SSL certificates that use 1024-bit keys.
A 2048-bit encryption key meets all state-of-the-art encryption standards. However, use of a 2048-bit
encryption key may add to the load on a CPU.
By default, 2048 bit (best security) is selected.

If Administration Server is installed on a device running Microsoft Windows XP Service Pack 2, the built-in
system Firewall blocks TCP ports 13000 and 14000. Therefore, to allow access to Administration Server on the
device after installation, these ports must be opened manually.
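The following PowerShell snippet is an added example and not part of the Kaspersky installer. It creates inbound firewall rules for the two Administration Server ports named in Step 12 and then verifies from a client that both ports accept TCP connections. It assumes Windows Server 2012 R2 or later with the NetSecurity module (the note above concerns Windows XP SP2, where these cmdlets do not exist), the wizard's default port numbers 13000 and 14000, and a placeholder server name.

```powershell
# Added example; not Kaspersky's own tooling. Opens the Administration Server ports from
# Step 12 in Windows Defender Firewall and checks that they answer. Port numbers are the
# wizard defaults; the server name is a placeholder.
$kscPorts = @{
    'KSC Administration Server (SSL)' = 13000   # SSL port
    'KSC Administration Server'       = 14000   # non-SSL port
}

# Create each rule once; restrict it to the Domain and Private profiles so the ports are not
# exposed on networks classified as Public.
foreach ($name in $kscPorts.Keys) {
    if (-not (Get-NetFirewallRule -DisplayName $name -ErrorAction SilentlyContinue)) {
        New-NetFirewallRule -DisplayName $name -Direction Inbound -Protocol TCP `
            -LocalPort $kscPorts[$name] -Action Allow -Profile Domain, Private | Out-Null
    }
}

# Run from a managed device to confirm that Network Agents will be able to reach the server.
function Test-KscPorts {
    param(
        [string] $Server = 'ksc-srv.corp.example',   # placeholder
        [int[]]  $Ports  = @(13000, 14000)
    )
    foreach ($p in $Ports) {
        $result = Test-NetConnection -ComputerName $Server -Port $p -WarningAction SilentlyContinue
        [pscustomobject]@{ Server = $Server; Port = $p; Open = $result.TcpTestSucceeded }
    }
}

Test-KscPorts
```

A port that reports Open = $false after the rule exists points at a network device or a host-based firewall other than Windows Firewall between the client and the server, or at the kladminserver service not listening yet because installation has not finished.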

Step 13. Defining the Administration Server address
Specify the Administration Server address in one of the following ways:

DNS domain name. You can use this method if the network includes a DNS server and client devices can use it
to receive the Administration Server address.

NetBIOS name. You can use this method if client devices receive the Administration Server address using the
NetBIOS protocol or if a WINS server is available on the network.

IP address. You can use this method if Administration Server has a static IP address that will not be
subsequently changed.

If you install Kaspersky Security Center on the active node of the Kaspersky failover cluster, and you have created
a secondary network adapter when preparing the cluster nodes, specify the IP address of this adapter. Otherwise,
enter the IP address of the third-party load balancer that you use.

Step 14. Administration Server address for connection of mobile devices

This Setup Wizard step is available if you have selected Mobile Device Management for installation.

In the Address for connection of mobile devices window, specify the external address of the Administration
Server for connection of mobile devices that are outside of the local network. You can specify the IP address or
Domain Name System (DNS) of the Administration Server.

Step 15. Selecting application management plug-ins


Select the application management plug-ins that need to be installed with Kaspersky Security Center.

For ease of search, plug-ins are divided into groups depending on the type of secured objects.

Step 16. Unpacking and installing files on the hard drive


After the installation of Kaspersky Security Center components is configured, you can start installing files on the
hard drive.

If installation requires additional programs, the Setup Wizard will notify you, on the Installing Prerequisites page,
before installation of Kaspersky Security Center begins. The required programs are installed automatically after
you click the Next button.

On the last page, you can select which console to start for work with Kaspersky Security Center:

Start MMC-based Administration Console

Start Kaspersky Security Center Web Console

This option is available only if you opted to install Kaspersky Security Center Web Console in one of the
previous steps.

You can also click Finish to close the Wizard without starting work with Kaspersky Security Center. You can start
the work later at any time.

At the first startup of Administration Console or Kaspersky Security Center Web Console, you can perform the
initial setup of the application.

Deployment of the Kaspersky failover cluster


This section contains both general information about the Kaspersky failover cluster, and instructions on the
preparation and deployment of the Kaspersky failover cluster in your network.

Scenario: Deployment of a Kaspersky failover cluster


A Kaspersky failover cluster provides high availability of Kaspersky Security Center and minimizes downtime of
Administration Server in case of a failure. The failover cluster is based on two identical instances of Kaspersky
Security Center installed on two computers. One of the instances works as an active node and the other one is a
passive node. The active node manages protection of the client devices, while the passive one is prepared to take
all of the functions of the active node in case the active node fails. When a failure occurs, the passive node
becomes active and the active node becomes passive.

Prerequisites

You have hardware that meets the requirements for the failover cluster.

Stages

Kaspersky applications deployment proceeds in stages:

1 Creating an account for Kaspersky Security Center services

Create a new domain group (in this scenario the name 'KLAdmins' is used for this group), and then grant local
administrator permissions to the group on both nodes and on the file server. Then create two new domain user
accounts (in this scenario the names 'ksc' and 'rightless' are used for these accounts), and add the accounts to
the KLAdmins domain group.

Add the user account under which Kaspersky Security Center will be installed to the previously created
KLAdmins domain group.

2 File server preparation

Prepare the file server to work as a component of the Kaspersky failover cluster. Make sure that the file server
meets the hardware and software requirements, create two shared folders for Kaspersky Security Center data,
and configure permissions to access the shared folders.

How-to instructions: Preparing a file server for the Kaspersky failover cluster

3 Preparation of active and passive nodes

Prepare two computers with identical hardware and software to work as the active and passive nodes.

How-to instructions: Preparing nodes for the Kaspersky failover cluster

4 Database Management System (DBMS) installation

Select any of the supported DBMS, and then install the DBMS on a dedicated computer.

5 Kaspersky Security Center installation

Install Kaspersky Security Center in the failover cluster mode on both nodes. You must first install Kaspersky
Security Center on the active node, and then install it on the passive one.

Additionally, you can install Kaspersky Security Center Web Console on a separate device that is not a cluster
node.

How-to instructions: Installing Kaspersky Security Center on the Kaspersky failover cluster nodes

6 Testing the failover cluster

Check that you con gured the failover cluster correctly and that it works properly. For example, you can stop
one of the Kaspersky Security Center services on the active node: kladminserver, klnagent, ksnproxy, klactprx, or
klwebsrv. After the service is stopped, the protection management must be automatically switched to the
passive node.

Results

The Kaspersky failover cluster is deployed. Please familiarize yourself with the events that lead to the switch
between the active and passive nodes.
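The following PowerShell script is an added example and not Kaspersky's own script; it carries out stage 1 of the scenario above. It creates the KLAdmins domain group and the 'ksc' and 'rightless' domain users named on the page, adds them and the installing account to the group, and grants the group local Administrators membership on both nodes and the file server. It assumes the RSAT ActiveDirectory module, PowerShell remoting to the three hosts, and placeholder host names; the installing account is assumed to be the one running the script.

```powershell
# Added example; not part of Kaspersky Security Center. Stage 1 of the failover scenario:
# service accounts and group. Host names are placeholders for the active node, the passive
# node and the file server.
Import-Module ActiveDirectory

$domain = (Get-ADDomain).NetBIOSName
$hosts  = 'ksc-node1', 'ksc-node2', 'ksc-files'

# Domain group used by the cluster (name taken from the scenario)
if (-not (Get-ADGroup -Filter "Name -eq 'KLAdmins'")) {
    New-ADGroup -Name 'KLAdmins' -GroupScope Global -GroupCategory Security
}

# Two domain users from the scenario; passwords are prompted for, never embedded in the script
foreach ($user in 'ksc', 'rightless') {
    if (-not (Get-ADUser -Filter "SamAccountName -eq '$user'")) {
        $pw = Read-Host -AsSecureString -Prompt "Password for $user"
        New-ADUser -Name $user -SamAccountName $user -AccountPassword $pw -Enabled $true
    }
    Add-ADGroupMember -Identity 'KLAdmins' -Members $user
}

# The account that will run the Kaspersky Security Center installer (assumed: the current user)
Add-ADGroupMember -Identity 'KLAdmins' -Members $env:USERNAME

# Local administrator permissions for the group on both nodes and on the file server
Invoke-Command -ComputerName $hosts -ArgumentList "$domain\KLAdmins" -ScriptBlock {
    param($group)
    $members = Get-LocalGroupMember -Group 'Administrators' | Select-Object -ExpandProperty Name
    if ($members -notcontains $group) {
        Add-LocalGroupMember -Group 'Administrators' -Member $group
    }
    [pscustomobject]@{ Host = $env:COMPUTERNAME; GroupIsLocalAdmin = ($group -in (Get-LocalGroupMember -Group 'Administrators').Name) }
}
```

Add-ADGroupMember is idempotent for an account that is already a member, so the script can be re-run after a partial failure; the final object returned per host confirms the local Administrators membership that stage 1 requires.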

About the Kaspersky failover cluster


A Kaspersky failover cluster provides high availability of Kaspersky Security Center and minimizes downtime of
Administration Server in case of a failure. The failover cluster is based on two identical instances of Kaspersky
Security Center installed on two computers. One of the instances works as an active node and the other one is a
passive node. The active node manages protection of the client devices, while the passive one is prepared to take
all of the functions of the active node in case the active node fails. When a failure occurs, the passive node
becomes active and the active node becomes passive.

Hardware and software requirements

To deploy a Kaspersky failover cluster, you must have the following hardware:

Two computers with identical hardware and software. These computers will act as the active and passive
nodes.

A file server that supports the CIFS/SMB protocol, version 2.0 or later. You must provide a dedicated computer
that will act as a file server.

Make sure you have provided high network bandwidth between the file server, and the active and passive
nodes.

A computer with Database Management System (DBMS).

Switch conditions

The failover cluster switches protection management of the client devices from the active node to the passive
node if any of the following events occurs on the active node:

The active node is broken due to a software or hardware failure.

The active node was temporarily stopped for maintenance activities.

At least one of the Kaspersky Security Center services (or processes) failed or was deliberately terminated by
user. The Kaspersky Security Center services are the following ones: kladminserver, klnagent, klactprx, and
klwebsrv.

The network connection between the active node and the storage on the file server was interrupted or
terminated.

Preparing a file server for a Kaspersky failover cluster


A file server works as a required component of a Kaspersky failover cluster.

To prepare a file server:

1. Make sure that the file server meets the hardware and software requirements.

2. Make sure that the file server and both nodes (active and passive) are included in the same domain or the file
server is the domain controller.

3. On the file server, create two shared folders. One of them is used to keep information about the failover cluster
state. The other one is used to store the data and settings of Kaspersky Security Center. You will specify paths
to the shared folders while configuring the installation of Kaspersky Security Center.

4. Grant full access permissions (both share permissions and NTFS permissions) to the created shared folders for
the following user accounts and groups:

Domain group KLAdmins.

User accounts $<node1> and $<node2>. Here, <node1> and <node2> are the computer names of the active
and passive nodes.

The file server is prepared. To deploy the Kaspersky failover cluster, follow the further instructions in this
scenario.

Preparing nodes for a Kaspersky failover cluster


Prepare two computers to work as active and passive nodes for a Kaspersky failover cluster.

To prepare nodes for a Kaspersky failover cluster:

1. Make sure that you have two computers that meet the hardware and software requirements. These computers
will act as the active and passive nodes of the failover cluster.

2. Make sure that the file server and both nodes are included in the same domain.

3. Do one of the following:

On each of the nodes, configure a secondary network adapter.


A secondary network adapter can be physical or virtual. If you want to use a physical network adapter,
connect and configure it with standard operating system tools. If you want to use a virtual network adapter,
create it by using third-party software.
Ensure that the following conditions are met:

The secondary network adapters are disabled.


You can create the secondary network adapters in the disabled state or disable them after creation.

The secondary network adapters on both nodes have the same IP address.

Use a third-party load balancer. For example, you can use an nginx server. In this case, do the following:

a. Provide a dedicated Linux-based computer with nginx installed.

b. Configure load balancing. Set the active node as the main server and the passive node as the backup
server.

c. On the nginx server, open all of the Administration Server ports: TCP 13000, UDP 13000, TCP 13291, TCP
13299, and TCP 17000.

4. Restart both nodes and the file server.

5. Map the two shared folders that you created during the file server preparation step to each of the nodes. You
must map the shared folders as network drives. When mapping the folders, you can select any vacant drive
letters. To access the shared folders, use the credentials of the user account that you created during step 1 of
the scenario.

The nodes are prepared. To deploy the Kaspersky failover cluster, follow the further instructions of the scenario.
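The load-balancer variant of step 3 (active node as the main server, passive node as the backup, all listed Administration Server ports forwarded) can be expressed as an nginx stream configuration. This is an added example, not configuration from the Kaspersky documentation; the node names ksc-node1.example.local and ksc-node2.example.local are assumptions.

```nginx
# Added example (not from the Kaspersky documentation). Place this block at
# the top level of nginx.conf, outside "http { }". Node names are assumed.
stream {
    # The active node is the main server. The passive node carries the
    # "backup" parameter, so nginx forwards to it only when the active node
    # stops accepting connections (max_fails/fail_timeout decide when).
    upstream ksc_13000 {
        server ksc-node1.example.local:13000 max_fails=2 fail_timeout=10s;
        server ksc-node2.example.local:13000 backup;
    }
    upstream ksc_13291 {
        server ksc-node1.example.local:13291 max_fails=2 fail_timeout=10s;
        server ksc-node2.example.local:13291 backup;
    }
    upstream ksc_13299 {
        server ksc-node1.example.local:13299 max_fails=2 fail_timeout=10s;
        server ksc-node2.example.local:13299 backup;
    }
    upstream ksc_17000 {
        server ksc-node1.example.local:17000 max_fails=2 fail_timeout=10s;
        server ksc-node2.example.local:17000 backup;
    }

    # TCP 13000: relayed as an opaque byte stream, so TLS stays end-to-end
    # between the client and the node; nginx does not terminate it.
    server {
        listen 13000;
        proxy_pass ksc_13000;
        proxy_connect_timeout 5s;
        proxy_timeout 30m;
    }
    # UDP 13000 is in the port list as well; datagram sessions are short.
    server {
        listen 13000 udp;
        proxy_pass ksc_13000;
        proxy_timeout 1m;
    }
    server {
        listen 13291;
        proxy_pass ksc_13291;
        proxy_connect_timeout 5s;
        proxy_timeout 30m;
    }
    server {
        listen 13299;
        proxy_pass ksc_13299;
        proxy_connect_timeout 5s;
        proxy_timeout 30m;
    }
    server {
        listen 17000;
        proxy_pass ksc_17000;
        proxy_connect_timeout 5s;
        proxy_timeout 30m;
    }
}
```

The host firewall on the nginx server must still allow the listed ports, as step 3c requires; nginx only listens on them.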

Installing Kaspersky Security Center on the Kaspersky failover cluster nodes


Kaspersky Security Center is installed on both nodes of the Kaspersky failover cluster separately. First, you install
the application on the active node, then on the passive one. When installing, you choose which node will be active
and which will be passive.

Only a user from the KLAdmins domain group can install Kaspersky Security Center on every node.

To install Kaspersky Security Center on the active node of the Kaspersky failover cluster:

1. Run the ksc_14_<build number>_full_<language>.exe executable file.


A window opens and prompts you to select the Kaspersky applications to install. In the application selection
window, click the Install Kaspersky Security Center 14 Administration Server link to start the Administration
Server Setup Wizard. Follow the instructions of the Wizard.

2. Please carefully read the License Agreement and Privacy Policy. If you agree with all the terms of the License
Agreement and the Privacy Policy, select the following check boxes in the I confirm I have fully read,
understood, and accept the following section:

The terms and conditions of this EULA

Privacy Policy describing the handling of data

Installation of the application on your device will continue after you select both check boxes.
If you do not accept the License Agreement or the Privacy Policy, cancel installation by clicking the Cancel
button.

3. Select Primary node of Kaspersky Failover cluster to install the application on the active node.

4. In the Shared folder window, do the following:

In the State share and Data share fields, specify the paths to the shared folders that you created on the
file server during its preparation.

In the State share drive and Data share drive fields, select the network drives to which you mapped the
shared folders during preparation of the nodes.

Select the cluster connectivity mode: via a secondary network adapter or a third-party load balancer.

5. Perform other steps of custom installation, starting with step 3.

In step 13, specify the IP address of a secondary network adapter if you have created an adapter when
preparing the cluster nodes. Otherwise, enter the IP address of the third-party load balancer that you use.

Kaspersky Security Center is installed on the active node.

To install Kaspersky Security Center on the passive node of the Kaspersky failover cluster:

1. Run the ksc_14_<build number>_full_<language>.exe executable file.


A window opens and prompts you to select the Kaspersky applications to install. In the application selection
window, click the Install Kaspersky Security Center 14 Administration Server link to start the Administration
Server Setup Wizard. Follow the instructions of the Wizard.

2. Please carefully read the License Agreement and Privacy Policy. If you agree with all the terms of the License
Agreement and the Privacy Policy, select the following check boxes in the I confirm I have fully read,
understood, and accept the following section:

The terms and conditions of this EULA

Privacy Policy describing the handling of data

Installation of the application on your device will continue after you select both check boxes.
If you do not accept the License Agreement or the Privacy Policy, cancel installation by clicking the Cancel
button.

3. Select Secondary node of Kaspersky Failover cluster to install the application on the passive node.

4. In the Shared folder window, in the State share field, specify a path to the shared folder with information
about the cluster state that you created on the file server during its preparation.

5. Click the Install button. When installation is over, click the Finish button.
Kaspersky Security Center is installed on the passive node. Now, you can test the Kaspersky failover cluster to
make sure that you configured it correctly and that the cluster works properly.

Starting and stopping cluster nodes manually


You may need to stop the entire Kaspersky failover cluster or temporarily detach one of the nodes of the cluster
for maintenance. If this is the case, follow the instructions in this section. Do not try to start or stop the services or
processes related to the failover cluster by using any other means. This may cause data loss.

Starting and stopping the entire failover cluster for maintenance

To start or stop the entire failover cluster:

1. On the active node, go to <Disk>:\Program Files (x86)\Kaspersky Lab\Kaspersky Security Center.

2. Open the command line, and then run one of the following commands:

To stop the cluster, run: klfoc -stopcluster --stp klfoc

To start the cluster, run: klfoc -startcluster --stp klfoc

The failover cluster is started or stopped, depending on the command that you run.

Maintaining one of the nodes

To maintain one of the nodes:

1. On the active node, stop the failover cluster by using the klfoc -stopcluster --stp klfoc command.

2. On the node that you want to maintain, go to <Disk>:\Program Files (x86)\Kaspersky Lab\Kaspersky Security
Center.

3. Open the command line, and then detach the node from the cluster by running the detach_node.cmd command.

4. On the active node, start the failover cluster by using the klfoc -startcluster --stp klfoc command.

5. Perform maintenance activities.

6. On the active node, stop the failover cluster by using the klfoc -stopcluster --stp klfoc command.

7. On the node that was maintained, go to <Disk>:\Program Files (x86)\Kaspersky Lab\Kaspersky Security Center.

8. Open the command line, and then attach the node to the cluster by running the attach_node.cmd command.

9. On the active node, start the failover cluster by using the klfoc -startcluster --stp klfoc command.

The node is maintained and attached to the failover cluster.

Installing Administration Server on a Microsoft failover cluster


The procedure of installing Administration Server on a failover cluster differs from both standard and custom
installation on a stand-alone device.

Perform the procedure described in this section on the node that contains a common data storage of the cluster.

To install Kaspersky Security Center Administration Server on a cluster:

Run the ksc_<version number>.<build number>_full_<localization language>.exe executable file.

A window opens prompting you to select Kaspersky applications to install. In the application selection window, click
the Install Kaspersky Security Center 14 Administration Server link to start the Administration Server Setup
Wizard. Follow the instructions of the Wizard.

Step 1. Reviewing the License Agreement and Privacy Policy


At this step of the Setup Wizard, you must read the License Agreement, which is to be concluded between you
and Kaspersky, as well as the Privacy Policy.

You may also be prompted to view the License Agreements and Privacy Policies for application management
plug-ins that are available in the Kaspersky Security Center distribution kit.

Please carefully read the License Agreement and Privacy Policy. If you agree with all the terms of the License
Agreement and the Privacy Policy, select the following check boxes in the I confirm I have fully read, understood,
and accept the following section:

The terms and conditions of this EULA

Privacy Policy describing the handling of data

Installation of the application on your device will continue after you select both check boxes.

If you do not accept the License Agreement or the Privacy Policy, cancel installation by clicking the Cancel button.

Step 2. Selecting the type of installation on a cluster


Select the type of installation on the cluster:

Cluster (install on all cluster nodes)


This is the recommended option. If you select this option, Administration Server will be installed on all nodes of
the cluster simultaneously.

At the step of selecting the Administration Console for installation, you will need to select the console that
will be installed on the current cluster node. If you install a console only on the cluster node, in case of node
failure, you will lose access to Administration Server. We recommend that during this step, you select the
MMC-based console for installation on all cluster nodes. After you install Administration Server, install
Kaspersky Security Center Web Console on a separate device that is not a cluster node. This allows you to
manage Administration Server by using Kaspersky Security Center Web Console if the cluster node fails.

Locally (install on this device only)


If you select this option, Administration Server will be installed only on the current node, as if on a stand-alone
server, and Administration Server will not work as a cluster-aware application. For example, you may want to
choose this option to save shared storage space if fault tolerance is not needed for Administration Server. In
case of the current node failure, you will have to install Administration Server on another node and restore the
Administration Server state from a backup.

Further steps are the same as when you use the standard or custom installation method, starting from the
installation method selection step.

Step 3. Specifying the name of the virtual Administration Server


Specify the network name of the new virtual Administration Server. You will be able to use this name to connect
Administration Console or Kaspersky Security Center Web Console to Administration Server.

The name that you specify must differ from the cluster name.

Step 4. Specifying the network details of the virtual Administration Server


To specify the network details of the new virtual Administration Server instance:

1. In Network to use, select the domain network to which the current cluster node is connected.

2. Do either of the following:

If DHCP is used in the selected network to assign IP addresses, select the Use DHCP option.

If DHCP is not used in the selected network, specify the required IP address.
The IP address that you specify must differ from the cluster IP address.

3. Click Add to apply the specified settings.

You will be able to use the automatically assigned or the specified IP address to connect Administration Console
or Kaspersky Security Center Web Console to Administration Server.

Step 5. Specifying a cluster group


A cluster group is a special failover cluster role that contains common resources for all nodes. You have two
options:

Creating a new cluster group.
This option is recommended in most cases. The new cluster group will contain all common resources that relate
to the Administration Server instance.

Selecting an existing cluster group.


Select this option if you want to use a common resource that is already associated with an existing cluster
group. For example, you may want to use this option if you want to use a storage associated with an existing
cluster group and there is no other storage available for a new cluster group.

Step 6. Selecting a cluster data storage


To select a cluster data storage:

1. In Available repositories, select the data storage to which the common resources of the virtual Administration
Server instance will be installed.

2. If the selected data storage contains several volumes, under Available sections on disk drive, select the
required volume.

3. In Installation path, enter the path on the common data storage to which the resources of the virtual
Administration Server instance will be installed.

The data storage is selected.

Step 7. Specifying an account for remote installation


Specify the user name and password that will be used for remote installation of the virtual Administration Server
instance on a passive node of the cluster.

The account that you specify must be granted administrative privileges on all nodes of the cluster.

Step 8. Selecting the components to be installed


Select the components of Kaspersky Security Center Administration Server that you want to install:

Mobile Device Management. Select this check box if you must create installation packages for mobile devices
when the Kaspersky Security Center Setup Wizard is running. You can also create installation packages for
mobile devices manually, after Administration Server installation, by using Administration Console tools.

SNMP agent. This component receives statistical information for the Administration Server over the SNMP
protocol. The component is available if the application is installed on a device with SNMP installed.

After Kaspersky Security Center is installed, the .mib files required for receiving statistics are located in the
SNMP subfolder of the application installation folder.

Network Agent and Administration Console are not displayed in the component list. These components are
installed automatically and you cannot cancel their installation.

At this step you must specify a folder for installation of Administration Server components. By default, the
components are installed to <Disk>:\Program Files\Kaspersky Lab\Kaspersky Security Center. If no such folder
exists, this folder is created automatically during installation. You can change the destination folder by using the
Browse button.

Step 9. Selecting network size


Specify the size of the network on which Kaspersky Security Center is to be installed. Depending on the number of
devices on the network, the Wizard configures the installation and appearance of the application interface so that
they match.

The following table lists the application installation settings and interface appearance settings, which are adjusted
based on various network sizes.

Dependence of installation settings on the network scale selected

Display with the node for secondary and virtual Administration Servers, and all settings related to the secondary
and virtual Administration Servers in the console tree:
1—100 devices: Not available. 101—1000 devices: Not available. 1001—5000 devices: Available. More than 5000
devices: Available.

Display with the Security sections in the properties windows of the Administration Server and administration
groups:
1—100 devices: Not available. 101—1000 devices: Not available. 1001—5000 devices: Available. More than 5000
devices: Available.

Random distribution of startup time for the update task on client devices:
1—100 devices: Not available. 101—1000 devices: Over an interval of 5 minutes. 1001—5000 devices: Over an
interval of 10 minutes. More than 5000 devices: Over an interval of 10 minutes.

If you connect Administration Server to a MySQL 5.7 or SQL Express database server, it is not recommended
to use the application to manage more than 10,000 devices. For the MariaDB database management system,
the maximum recommended number of managed devices is 20,000.

Step 10. Selecting a database


At this step of the Wizard, select one of the following options that will be used to store the Administration Server
database management system (DBMS):

Microsoft SQL Server (SQL Server Express).

MySQL. If you want to install MySQL or MariaDB, select this option. You can configure either of these DBMSs in
the next step of the Wizard.

It is recommended to install the Administration Server on a dedicated server instead of a domain controller.
However, if you install Kaspersky Security Center on a server that acts as a read-only domain controller
(RODC), Microsoft SQL Server (SQL Express) must not be installed locally (on the same device). In this case,
we recommend that you install Microsoft SQL Server (SQL Express) remotely (on a different device), or that
you use MySQL or MariaDB, if you need to install the DBMS locally.

The Administration Server database structure is provided in the klakdb.chm file, which is located in the Kaspersky
Security Center installation folder (this file is also available in an archive on the Kaspersky portal: klakdb.zip ).

Step 11. Configuring the SQL Server


At this step of the Wizard, you configure SQL Server.

Depending on the database that you have selected, specify the following settings:

If you selected Microsoft SQL Server (SQL Server Express) in the previous step:

In the SQL Server instance name field, specify the name of the SQL Server on the network. To view a list of
all SQL Servers that are on the network, click the Browse button. This field is blank by default.
If you connect to the SQL Server through a custom port, then together with the SQL Server host name
specify the port number separated with a comma, for example:
SQL_Server_host_name,1433
If you secure communication between the Administration Server and SQL Server by means of a certificate,
specify in the SQL Server instance name field the same host name that was used when the certificate
was generated. If you use a named instance of SQL Server, then together with the SQL Server host name
specify the port number separated with a comma, for example:
SQL_Server_name,1433
If you use several instances of SQL Server on the same host, then additionally specify the instance name
separated with a backslash, for example:
SQL_Server_name\SQL_Server_instance_name,1433
If a SQL Server on the enterprise network has the Always On feature enabled, specify the name of the
availability group listener in the SQL Server instance name field. Note that Administration Server supports
only the synchronous-commit availability mode when the Always On feature is enabled.

In the Database name field, specify the name of the database that has been created to store
Administration Server data. The default value is KAV.

If at this stage you want to install SQL Server on the device from which you are installing Kaspersky Security
Center, you must stop installation and restart it after SQL Server is installed. The supported SQL Server
versions are listed in the system requirements.
If you want to install SQL Server on a remote device, you do not have to interrupt the Kaspersky Security
Center Setup Wizard. Install SQL Server and resume installation of Kaspersky Security Center.

If you selected MySQL in the previous step:

In the SQL Server instance name field, specify the name of the SQL Server instance. By default, the name
is the IP address of the device on which Kaspersky Security Center is to be installed.

In the Port field, specify the port for Administration Server connection to the SQL Server database. The
default port number is 3306.

In the Database name field, specify the name of the database that has been created to store Administration
Server data. The default value is KAV.

Step 12. Selecting an authentication mode


Determine the authentication mode that will be used when Administration Server connects to the SQL Server.

Depending on the database that is selected, you can choose from the following authentication modes:

For SQL Express or Microsoft SQL Server select one of the following options:

Microsoft Windows Authentication mode. Verification of rights uses the account used for starting
Administration Server.

SQL Server Authentication mode. If you select this option, the account specified in the window is used to
verify access rights. Fill in the Account and Password fields.
To see the entered password, click and hold the Show button.

For both authentication modes, the application checks if the database is available. If the database is not
available, an error message is displayed, and you have to provide correct credentials.

If the Administration Server database is stored on another device and the Administration Server account
does not have access to the database server, you must use SQL Server authentication mode when
installing or upgrading Administration Server. This may occur when the device that stores the database is
outside the domain or when Administration Server is installed under a LocalSystem account.

For the MySQL server or MariaDB server, specify the account and password.

Step 13. Selecting the account to start Administration Server


Select the account that will be used to start Administration Server as a service.

Generate the account automatically. The application creates an account named KL-AK-*, under which the
kladminserver service will run.
You can select this option if you plan to locate the shared folder and the DBMS on the same device as
Administration Server.

Select an account. The Administration Server service (kladminserver) will run under the account that you
selected.
You will have to select a domain account if, for example, you plan to use as the DBMS a SQL Server instance of
any version, including SQL Express, that is located on another device, and/or you plan to locate the shared
folder on another device.
Kaspersky Security Center supports managed service accounts (MSA) and group managed service accounts
(gMSA). If these types of accounts are used in your domain, you can select one of them as the account for the
Administration Server service.
Before specifying MSA or gMSA, you must install the account on the same device on which you want to install
Administration Server. If the account is not installed yet, then cancel the Administration Server installation,
install the account, and then restart the Administration Server installation. For details about installation of
managed service accounts on a local device, refer to the official Microsoft documentation.

To specify MSA or gMSA:

1. Click the Browse button.

2. In the window that opens, click the Object type button.

3. Select the Account for services type and click OK.

4. Select the relevant account and click OK.

The account that you selected must have different permissions, depending on the DBMS that you plan to use.

For security reasons, do not assign privileged status to the account under which you run
Administration Server.

If later you decide to change the Administration Server account, you can use the utility for Administration Server
account switching (klsrvswch).

Step 14. Selecting the account for running the Kaspersky Security Center
services
Select the account under which the services of Kaspersky Security Center will run on this device:

Generate the account automatically. Kaspersky Security Center creates a local account named KlScSvc on
this device in the kladmins group. The services of Kaspersky Security Center will be run under the account that
has been created.

Select an account. The Kaspersky Security Center services will be run under the account that you selected.
You will have to select a domain account if, for example, you intend to save reports to a folder located on a
different device or if this is required by your organization's security policy. You may also have to select a domain
account if you install Administration Server on a failover cluster.

For security reasons, do not grant privileged status to the account under which the services are run.

The KSN proxy service (ksnproxy), Kaspersky activation proxy service (klactprx), and Kaspersky authentication
portal service (klwebsrv) will be run under the selected account.

Step 15. Selecting a shared folder


Define the location and name of the shared folder that will be used to do the following:

Store the files necessary for remote installation of applications (these files are copied to Administration Server
during creation of installation packages).

Store updates that have been downloaded from an update source to Administration Server.

File sharing (read-only) will be enabled for all users.

You can select either of the following options:

Create a shared folder. Create a new folder. In the text box, specify the path to the folder.

Select an existing shared folder. Select a shared folder that already exists.

The shared folder can be a local folder on the device that is used for installation or a remote directory on any client
device on the corporate network. You can click the Browse button to select the shared folder, or specify the
shared folder manually by entering its UNC path (for example, \\server\Share) in the corresponding field.

By default, the installer creates a local Share subfolder in the application folder that contains the components of
Kaspersky Security Center.

You can define a shared folder later if needed.

Step 16. Configuring the connection to Administration Server


Configure the connection to Administration Server:

Port

The number of the port used to connect to the Administration Server.


The default port number is 14000.

SSL port

Secure Sockets Layer (SSL) port number used to securely connect to the Administration Server via SSL.
The default port number is 13000.

Encryption key length

Select the length of the encryption key: 1024 bit or 2048 bit.

A 1024-bit encryption key places a smaller load on the CPU, but it is considered obsolete because it cannot
provide reliable encryption due to its technical specifications. Also, the existing hardware probably will turn
out to be incompatible with SSL certificates featuring 1024-bit keys.
A 2048-bit encryption key meets all state-of-the-art encryption standards. However, use of a 2048-bit
encryption key may add to the load on a CPU.
By default, 2048 bit (best security) is selected.

If Administration Server is installed on a device running Microsoft Windows XP Service Pack 2, the built-in
system Firewall blocks TCP ports 13000 and 14000. Therefore, to allow access to Administration Server on the
device after installation, these ports must be opened manually.

Step 17. Defining the Administration Server address

Specify the Administration Server address. You can select one of the following options:

DNS domain name. You can use this method if the network includes a DNS server and client devices can use it
to receive the Administration Server address.

NetBIOS name. You can use this method if client devices receive the Administration Server address using the
NetBIOS protocol or if a WINS server is available on the network.

IP address. You can use this method if Administration Server has a static IP address that will not be
subsequently changed.

Step 18. Administration Server address for connection of mobile devices

This Setup Wizard step is available if you have selected Mobile Device Management for installation.

In the Address for connection of mobile devices window, specify the external address of the Administration
Server for connection of mobile devices that are outside of the local network. You can specify the IP address or
Domain Name System (DNS) of the Administration Server.

Step 19. Unpacking and installing files on the hard drive


After the installation of Kaspersky Security Center components is configured, you can start installing files on the
hard drive.

If installation requires additional programs, the Setup Wizard will notify you, on the Installing Prerequisites page,
before installation of Kaspersky Security Center begins. The required programs are installed automatically after
you click the Next button.

On the last page, you can select which console to start for work with Kaspersky Security Center:

Start MMC-based Administration Console

Start Kaspersky Security Center Web Console


This option is available only if you opted to install Kaspersky Security Center Web Console in one of the
previous steps.

You can also click Finish to close the Wizard without starting work with Kaspersky Security Center. You can start
the work later at any time.

At the first startup of Administration Console or Kaspersky Security Center Web Console, you can perform the
initial setup of the application.

Installing Administration Server in silent mode


Administration Server can be installed in silent mode, that is, without the interactive input of installation settings.

To install Administration Server on a local device in silent mode:

1. Read the End User License Agreement. Use the command below only if you understand and accept the terms
of the End User License Agreement.

2. Read the Privacy Policy. Use the command below only if you understand and agree that your data will be
handled and transmitted (including to third countries) as described in the Privacy Policy.

3. Run the command


setup.exe /s /v"DONT_USE_ANSWER_FILE=1 EULA=1 PRIVACYPOLICY=1 <setup_parameters>"

where setup_parameters is a list of parameters and their respective values, separated with spaces
(PARAM1=PARAM1VAL PARAM2=PARAM2VAL). The setup.exe file is located in the Server folder, which is part of the
Kaspersky Security Center distribution kit.

The names and possible values for parameters that can be used when installing Administration Server in silent
mode are listed in the table below.

Parameters of Administration Server installation in silent mode

Each entry lists the parameter name, its description, and the available values.

EULA
  Description: Acceptance of the terms of the License Agreement.
  Available values:
    1—I have fully read, understand and accept the terms of the End User License Agreement.
    Other value or no value—I do not accept the terms of the License Agreement (installation is not performed).

PRIVACYPOLICY
  Description: Acceptance of the terms of the Privacy Policy.
  Available values:
    1—I am aware and agree that my data will be handled and transmitted (including to third countries) as
    described in the Privacy Policy. I confirm that I have fully read and understand the Privacy Policy.
    Other value or no value—I do not accept the terms of the Privacy Policy (installation is not performed).

INSTALLATIONMODETYPE
  Description: Type of Administration Server installation.
  Available values:
    Standard—Standard installation.
    Custom—Custom installation.

INSTALLDIR
  Description: Path to the Administration Server installation folder.
  Available values: String value.

ADDLOCAL
  Description: List of Administration Server components (separated with commas) to be installed.
  Available values: CSAdminKitServer, NAgent, CSAdminKitConsole, NSAC, MobileSupport, KSNProxy, SNMPAgent,
    GdiPlusRedist, Microsoft_VC90_CRT_x86, Microsoft_VC100_CRT_x86.
    Minimum list of components sufficient for proper Administration Server installation:
    ADDLOCAL=CSAdminKitServer,CSAdminKitConsole,KSNProxy,Microsoft_VC90_CRT_x86,Microsoft_VC100_CRT_x86.

NETRANGETYPE
  Description: Network size (number of devices on the network).
  Available values:
    NRT_1_100—From 1 to 100 devices.
    NRT_100_1000—From 101 to 1000 devices.
    NRT_GREATER_1000—More than 1000 devices.

SRV_ACCOUNT_TYPE
  Description: Mode for specifying the account under which Administration Server will be run as a service.
  Available values:
    SrvAccountDefault—The account is created automatically.
    SrvAccountUser—The account is specified manually. In this case, you must specify values for the
    SERVERACCOUNTNAME and SERVERACCOUNTPWD parameters.

SERVERACCOUNTNAME
  Description: Name of the account under which Administration Server will be run as a service. You must specify
    a value for the parameter if SRV_ACCOUNT_TYPE=SrvAccountUser.
  Available values: String value.

SERVERACCOUNTPWD
  Description: Password of the account that will be used to start Administration Server as a service. You must
    specify a value for the parameter if SRV_ACCOUNT_TYPE=SrvAccountUser.
  Available values: String value.

SERVERCER
  Description: Size of the key for the Administration Server certificate (bits).
  Available values:
    1—The size of the key for the Administration Server certificate is 2048 bits.
    No value—The size of the key for the Administration Server certificate is 1024 bits.

DBTYPE
  Description: Type of database that will be used to store the Administration Server database. This parameter is
    mandatory.
  Available values:
    MySQL—A MySQL or MariaDB database will be used; in this case, you must specify values for the
    MYSQLSERVERNAME, MYSQLSERVERPORT, MYSQLDBNAME, MYSQLACCOUNTNAME, and MYSQLACCOUNTPWD parameters.
    MSSQL—A Microsoft SQL Server (SQL Express) database will be used. In this case, you must specify values for
    the MSSQLSERVERNAME, MSSQLDBNAME, and MSSQLAUTHTYPE parameters.

MYSQLSERVERNAME
  Description: Full name of the SQL Server. You must specify a value for the parameter if DBTYPE=MySQL.
  Available values: String value.

MYSQLSERVERPORT
  Description: Number of the port for connecting to the SQL Server. You must specify a value for the parameter if
    DBTYPE=MySQL.
  Available values: Numerical value.

MYSQLDBNAME
  Description: Name of the database that will be created to store Administration Server data. You must specify a
    value for the parameter if DBTYPE=MySQL.
  Available values: String value.

MYSQLACCOUNTNAME
  Description: Name of the account for connection to the database. You must specify a value for the parameter if
    DBTYPE=MySQL.
  Available values: String value.

MYSQLACCOUNTPWD
  Description: Password of the account for connecting to the database. You must specify a value for the
    parameter if DBTYPE=MySQL.
  Available values: String value.

MSSQLSERVERNAME
  Description: Full name of the SQL Server. You must specify a value for the parameter if DBTYPE=MSSQL.
  Available values: String value.

MSSQLDBNAME
  Description: Name of the database. You must specify a value for the parameter if DBTYPE=MSSQL.
  Available values: String value.

MSSQLAUTHTYPE
  Description: Type of authorization when connecting to the SQL Server. You must specify a value for the
    parameter if DBTYPE=MSSQL.
  Available values:
    Windows—Microsoft Windows Authentication mode.
    SQLServer—SQL Server Authentication mode. In this case, you must specify values for the MSSQLACCOUNTNAME
    and MSSQLACCOUNTPWD parameters.

MSSQLACCOUNTNAME
  Description: Name of the account for connection to the SQL Server. You must specify a value for the parameter
    if MSSQLAUTHTYPE=SQLServer.
  Available values: String value.

MSSQLACCOUNTPWD
  Description: Password of the account for connection to the SQL Server. You must specify a value for the
    parameter if MSSQLAUTHTYPE=SQLServer.
  Available values: String value.

CREATE_SHARE_TYPE
  Description: Method of specifying the shared folder.
  Available values:
    Create—Create a new shared folder. In this case, you must specify values for the SHARELOCALPATH and
    SHAREFOLDERNAME parameters.
    ChooseExisting—Select an existing folder. In this case, you must specify a value for the
    EXISTSHAREFOLDERNAME parameter.

SHARELOCALPATH
  Description: Full path to a local folder. You must specify a value for the parameter if
    CREATE_SHARE_TYPE=Create.
  Available values: String value.

SHAREFOLDERNAME
  Description: Network name of a shared folder. You must specify a value for the parameter if
    CREATE_SHARE_TYPE=Create.
  Available values: String value.

EXISTSHAREFOLDERNAME
  Description: Full path to an existing shared folder. You must specify a value for the parameter if
    CREATE_SHARE_TYPE=ChooseExisting.
  Available values: String value.

SERVERPORT
  Description: Port number to connect to Administration Server.
  Available values: Numerical value.

SERVERSSLPORT
  Description: Number of the port for encrypted connection to Administration Server by using SSL protocol.
  Available values: Numerical value.

SERVERADDRESS
  Description: Administration Server address.
  Available values: String value.

MOBILESERVERADDRESS
  Description: Administration Server address for connection of mobile devices.
  Available values: String value.

For a detailed description of the Administration Server setup parameters, please refer to the Custom installation
section.
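
As an added example that is not part of the Kaspersky documentation or product, the PowerShell script below checks a set of these parameters against the "you must specify ... if" rules in the table, assembles the setup.exe command line from step 3, and starts the installer only when the set is complete. Every path, account, server name and port in it is a constructed placeholder, and the quoting of values that contain spaces follows the InstallShield /v convention, which this page does not describe.

```powershell
# Added example, not Kaspersky's own script: validate silent-mode Administration Server
# parameters against the dependency rules in the table above, assemble the setup.exe
# command line from step 3, and start the installer only when the set is complete.
# Every path, account, server name and port below is a constructed placeholder.

function Test-KscSilentParams {
    param([Parameter(Mandatory)][System.Collections.IDictionary]$P)
    $problems = New-Object System.Collections.Generic.List[string]

    # The installer does nothing unless both acceptance flags are exactly 1.
    foreach ($flag in 'EULA', 'PRIVACYPOLICY') {
        if ($P[$flag] -ne '1') { $problems.Add("$flag must be 1") }
    }
    if ([string]::IsNullOrEmpty($P['DBTYPE'])) { $problems.Add('DBTYPE is mandatory') }

    # "If X=Y, you must specify ..." rules, transcribed from the parameter table.
    $dependencies = @{
        'SRV_ACCOUNT_TYPE=SrvAccountUser'  = @('SERVERACCOUNTNAME', 'SERVERACCOUNTPWD')
        'DBTYPE=MySQL'                     = @('MYSQLSERVERNAME', 'MYSQLSERVERPORT', 'MYSQLDBNAME',
                                               'MYSQLACCOUNTNAME', 'MYSQLACCOUNTPWD')
        'DBTYPE=MSSQL'                     = @('MSSQLSERVERNAME', 'MSSQLDBNAME', 'MSSQLAUTHTYPE')
        'MSSQLAUTHTYPE=SQLServer'          = @('MSSQLACCOUNTNAME', 'MSSQLACCOUNTPWD')
        'CREATE_SHARE_TYPE=Create'         = @('SHARELOCALPATH', 'SHAREFOLDERNAME')
        'CREATE_SHARE_TYPE=ChooseExisting' = @('EXISTSHAREFOLDERNAME')
    }
    foreach ($rule in $dependencies.GetEnumerator()) {
        $name, $value = $rule.Key -split '=', 2
        if ($P[$name] -ne $value) { continue }
        foreach ($dep in $rule.Value) {
            if ([string]::IsNullOrEmpty($P[$dep])) { $problems.Add("$name=$value requires $dep") }
        }
    }

    # The smallest component set the table calls sufficient for a working Administration Server.
    $minimum = 'CSAdminKitServer', 'CSAdminKitConsole', 'KSNProxy', 'Microsoft_VC90_CRT_x86', 'Microsoft_VC100_CRT_x86'
    if ($P['ADDLOCAL']) {
        $selected = $P['ADDLOCAL'] -split ','
        foreach ($component in $minimum) {
            if ($selected -notcontains $component) { $problems.Add("ADDLOCAL lacks required component $component") }
        }
    }

    # Omitting SERVERCER leaves the Administration Server certificate with a 1024-bit key.
    if ($P['SERVERCER'] -ne '1') { $problems.Add('SERVERCER is not 1: the certificate key would be 1024 bits instead of 2048') }

    return ,$problems.ToArray()
}

function New-KscSilentCommandLine {
    param([Parameter(Mandatory)][System.Collections.IDictionary]$P)
    $pairs = foreach ($key in $P.Keys) {
        $value = [string]$P[$key]
        if ([string]::IsNullOrEmpty($value)) { continue }
        # Assumption (InstallShield /v convention, not stated on this page): values that contain
        # spaces are wrapped in quotes escaped as \" inside the /v"..." string.
        if ($value -match '\s') { '{0}=\"{1}\"' -f $key, $value } else { "$key=$value" }
    }
    return '/s /v"DONT_USE_ANSWER_FILE=1 {0}"' -f ($pairs -join ' ')
}

# Constructed placeholder values for a custom installation on Microsoft SQL Server with Windows authentication.
$installParams = [ordered]@{
    EULA                 = '1'
    PRIVACYPOLICY        = '1'
    INSTALLATIONMODETYPE = 'Custom'
    INSTALLDIR           = 'D:\Kaspersky Security Center'        # placeholder
    ADDLOCAL             = 'CSAdminKitServer,CSAdminKitConsole,KSNProxy,Microsoft_VC90_CRT_x86,Microsoft_VC100_CRT_x86'
    NETRANGETYPE         = 'NRT_100_1000'
    SRV_ACCOUNT_TYPE     = 'SrvAccountUser'
    SERVERACCOUNTNAME    = 'CORP\svc-ksc'                      # placeholder account
    SERVERACCOUNTPWD     = $env:KSC_SVC_PWD                    # taken from the environment so it is not stored in the script
    SERVERCER            = '1'                                 # 2048-bit certificate key
    DBTYPE               = 'MSSQL'
    MSSQLSERVERNAME      = 'SQL01\KSC'                         # placeholder instance
    MSSQLDBNAME          = 'KAV'                               # placeholder database name
    MSSQLAUTHTYPE        = 'Windows'
    CREATE_SHARE_TYPE    = 'Create'
    SHARELOCALPATH       = 'D:\Kaspersky Security Center\Share' # placeholder
    SHAREFOLDERNAME      = 'KLSHARE'                           # placeholder
    SERVERPORT           = '14000'                             # placeholder port numbers
    SERVERSSLPORT        = '13000'
    SERVERADDRESS        = 'ksc.corp.example'                  # placeholder
}

$findings = Test-KscSilentParams -P $installParams
if ($findings.Count -gt 0) {
    $findings | ForEach-Object { Write-Warning $_ }
    throw 'Installation parameters are incomplete; setup.exe was not started.'
}

$kitRoot  = 'D:\KSC-distrib'                                   # placeholder: unpacked distribution kit
$setupExe = Join-Path -Path $kitRoot -ChildPath 'Server\setup.exe'
$argLine  = New-KscSilentCommandLine -P $installParams
if (Test-Path -Path $setupExe) {
    # The whole command line, password included, is visible to anyone who can list processes
    # on this host and is recorded if process-creation auditing captures command lines.
    $proc = Start-Process -FilePath $setupExe -ArgumentList $argLine -Wait -PassThru
    Remove-Item -Path Env:\KSC_SVC_PWD -ErrorAction SilentlyContinue
    "setup.exe exited with code $($proc.ExitCode)"
} else {
    "setup.exe not found at $setupExe; assembled arguments: $argLine"
}
```

Leaving KSC_SVC_PWD unset is a quick way to see the dependency check fire: SRV_ACCOUNT_TYPE=SrvAccountUser is reported as requiring SERVERACCOUNTPWD and nothing is started.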

Installing Administration Console on the administrator's workstation


You can install Administration Console on the administrator's workstation separately and manage Administration
Server over the network using that Console.

To install Administration Console on the administrator's workstation:

1. Run the setup.exe executable file.
A window opens prompting you to select Kaspersky applications to install.

2. In the application selection window, click the Install only Kaspersky Security Center 14 Administration
Console link to run the Administration Console Setup Wizard. Follow the instructions of the Wizard.

3. Select a destination folder. By default, this will be <Disk>:\Program Files\Kaspersky Lab\Kaspersky Security
Center Console. If such a folder does not exist, it is created automatically during the installation. You can
change the destination folder by using the Browse button.

4. On the last page of the Setup Wizard click the Start button to start installation of Administration Console.

When the Wizard completes, Administration Console will be installed on the administrator's workstation.

To install Administration Console on the administrator's workstation in silent mode:

1. Read the End User License Agreement. Use the command below only if you understand and accept the terms
of the End User License Agreement.

2. In the Distrib\Console folder of the Kaspersky Security Center distribution kit, run the setup.exe file by
using the following command:
setup.exe /s /v"EULA=1"
If you want to install all management plug-ins from the Distrib\Console\Plugins folder together with the
Administration Console, run the following command:
setup.exe /s /v"EULA=1" /pALL
If you want to specify which management plug-ins to install from the Distrib\Console\Plugins folder
together with the Administration Console, specify the plug-ins after the "/p" key and separate them with a
semicolon:
setup.exe /s /v"EULA=1" /pP1;P2;P3
where P1, P2, P3 are plug-in names that correspond to the plug-in folder names in the
Distrib\Console\Plugins folder. For example:
setup.exe /s /v"EULA=1" /pKES4Mac;KESS;MDM4IOS

Administration Console and the management plug-ins (if any) will be installed on the administrator's workstation.

After installing Administration Console, you must connect to the Administration Server. To do this, run
Administration Console and, in the window that opens, specify the name or the IP address of the device on which
Administration Server is installed, as well as the settings of the account used to connect to it. After connection to
Administration Server is established, you can manage the anti-virus protection system using this Administration
Console.

You can remove Administration Console with standard Microsoft Windows add / remove tools.

Changes in the system after Kaspersky Security Center installation

Administration Console icon

After Administration Console is installed on your device, its icon appears, allowing you to start Administration
Console. You can find Administration Console in the Start → Programs → Kaspersky Security Center menu.

Administration Server and Network Agent services

Administration Server and Network Agent are installed on the device as services with the properties listed below.
The table also contains the attributes of other services that apply on the device after Administration Server
installation.

Properties of Kaspersky Security Center services

Component: Administration Server
  Service name: kladminserver
  Displayed service name: Kaspersky Security Center Administration Server
  Account: User-defined or dedicated non-privileged account in KL-AK-* format created during installation

Component: Network Agent
  Service name: klnagent
  Displayed service name: Kaspersky Security Center Network Agent
  Account: Local system

Component: Web Server for accessing Kaspersky Security Center Web Console and administering the organization's
  intranet
  Service name: klwebsrv
  Displayed service name: Kaspersky web server
  Account: Dedicated unprivileged KlScSvc account

Component: Activation proxy server
  Service name: klactprx
  Displayed service name: Kaspersky activation proxy server
  Account: Dedicated unprivileged KlScSvc account

Component: KSN proxy server
  Service name: ksnproxy
  Displayed service name: Kaspersky Security Network proxy server
  Account: Dedicated unprivileged KlScSvc account

Kaspersky Security Center Web Console services

If you install Kaspersky Security Center Web Console on the device, then the following services are deployed (see
the table below):

Kaspersky Security Center Web Console services

Displayed service name: Kaspersky Security Center Service Web Console
  Account: NT Service/KSCSvcWebConsole

Displayed service name: Kaspersky Security Center Web Console
  Account: Network service

Displayed service name: Kaspersky Security Center Product Plugins Server
  Account: NT Service/KSCWebConsolePlugin

Displayed service name: Kaspersky Security Center Web Console Management Service
  Account: Local system

Displayed service name: Kaspersky Security Center Web Console Message Queue
  Account: NT Service/KSCWebConsoleMessageQueue

Network Agent server version

The server version of Network Agent will be installed on the device together with Administration Server. The server
version of Network Agent is part of Administration Server, is installed and removed together with Administration
Server, and can only interact with a locally installed Administration Server. You do not have to configure the
connection of Network Agent to Administration Server: configuration is implemented programmatically because
the components are installed on the same device. The server version of Network Agent is installed with the same
properties as the standard Network Agent and performs the same application management functions. This version
will be managed by the policy of the administration group to which the client device of Administration Server
belongs. For the server version of Network Agent all tasks are created from the scope of those provided for
Administration Server, except for the Server change task.

Network Agent cannot be installed separately on a device that already has Administration Server installed.

You can view the properties of each service of Administration Server and Network Agent, as well as monitor their
operation using standard Microsoft Windows management tools: Computer management\Services. Information
about the activity of the Kaspersky Administration Server service is stored in the Microsoft Windows system log in
a separate Kaspersky Event Log branch on the device where the Administration Server is installed.

We recommend that you avoid starting and stopping services manually and leave service accounts in the
service settings unchanged. If necessary, you can modify the Administration Server service account using the
klsrvswch utility.

User accounts and user groups

The Administration Server Installer creates the following accounts by default:

KL-AK-*: Administration Server service account

KlScSvc: Account for other services from the Administration Server pool

KlPxeUser: Account for deployment of operating systems

If you selected other accounts for the Administration Server service and other services while running the Installer,
the specified accounts are used.

Local security groups named KLAdmins and KLOperators with their respective sets of rights are also created
automatically on the device that has Administration Server installed.

It is not recommended to install the Administration Server on a domain controller; however, if you install
Administration Server on the domain controller, you must start the installer with the domain administrator rights. In
this case, the installer automatically creates domain security groups named KLAdmins and KLOperators. If you
install Administration Server on a computer that is not the domain controller, you must start the installer with the
local administrator rights instead. In this case, the installer automatically creates local security groups named
KLAdmins and KLOperators.

When configuring email notifications, you may have to create an account on the mail server for ESMTP
authentication.
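
As an added check that is not part of the product, the PowerShell script below, run in an elevated session on the Administration Server host, compares the installed services and local security principals with the two service tables and the account list above, so that a service re-pointed to a privileged account or a missing KLAdmins or KLOperators group is noticed. It covers the non-domain-controller case (local accounts and groups only), and it assumes that the "Kaspersky Event Log" branch mentioned above is the exact name of the Windows event log.

```powershell
# Added example, not Kaspersky's own tooling: verify on the Administration Server host that
# the services and local principals created by the installer match the documented defaults.
# Run it after installation and again periodically; each deviation is reported as a finding.

# Service name -> regex the service logon account (Win32_Service.StartName) must match.
$ExpectedServiceAccounts = @{
    kladminserver = '\\KL-AK-'       # dedicated non-privileged KL-AK-* account (or the one you specified)
    klnagent      = '^LocalSystem$'
    klwebsrv      = '\\KlScSvc$'
    klactprx      = '\\KlScSvc$'
    ksnproxy      = '\\KlScSvc$'
}

function Get-KscInstallFindings {
    param(
        [string]$AdminServerAccount   # set only if you chose a user-defined service account at install time
    )
    $findings = New-Object System.Collections.Generic.List[string]

    foreach ($name in $ExpectedServiceAccounts.Keys) {
        $svc = Get-CimInstance -ClassName Win32_Service -Filter "Name='$name'"
        if (-not $svc) {
            $findings.Add("$($name): not installed (fine only if that component was not selected)")
            continue
        }
        $pattern = $ExpectedServiceAccounts[$name]
        if ($name -eq 'kladminserver' -and $AdminServerAccount) {
            $pattern = '^' + [regex]::Escape($AdminServerAccount) + '$'
        }
        if ($svc.StartName -notmatch $pattern) {
            $findings.Add("$($name): runs as '$($svc.StartName)', expected to match '$pattern'")
        }
        if ($svc.State -ne 'Running') { $findings.Add("$($name): state is $($svc.State)") }
    }

    # Accounts the installer creates by default.
    $klak = Get-LocalUser | Where-Object { $_.Name -like 'KL-AK-*' }
    if (-not $klak -and -not $AdminServerAccount) { $findings.Add('no KL-AK-* service account found') }
    foreach ($user in 'KlScSvc', 'KlPxeUser') {
        if (-not (Get-LocalUser -Name $user -ErrorAction SilentlyContinue)) { $findings.Add("local user $user is missing") }
    }

    # The service accounts are meant to be unprivileged: none of them belongs in Administrators
    # (looked up by its well-known SID so the check works on non-English systems).
    $admins = Get-LocalGroupMember -SID 'S-1-5-32-544' | ForEach-Object { ($_.Name -split '\\')[-1] }
    foreach ($user in @($klak.Name) + 'KlScSvc') {
        if ($user -and $admins -contains $user) { $findings.Add("$user is a member of the local Administrators group") }
    }

    # Rights in Kaspersky Security Center are granted through these two groups.
    foreach ($group in 'KLAdmins', 'KLOperators') {
        if (-not (Get-LocalGroup -Name $group -ErrorAction SilentlyContinue)) { $findings.Add("local group $group is missing") }
    }

    # Administration Server activity goes to a separate event log; the log name is assumed from the text above.
    if (-not (Get-WinEvent -ListLog 'Kaspersky Event Log' -ErrorAction SilentlyContinue)) {
        $findings.Add('the Kaspersky Event Log channel is not present; service activity will not be logged there')
    }
    return ,$findings.ToArray()
}

$result = Get-KscInstallFindings
if ($result.Count -eq 0) { 'Kaspersky Security Center services and accounts match the documented defaults.' }
else { $result | ForEach-Object { Write-Warning $_ } }
```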

Removing the application

You can remove Kaspersky Security Center with standard Microsoft Windows add/remove tools. Removing the
application requires starting a wizard that removes all application components from the device (including plug-ins).
The wizard makes your default browser open a web page with a poll where you can tell us why you chose to stop
using Kaspersky Security Center. If you have not selected removal of the shared folder (Share) during the wizard
operation, you can delete it manually after completion of all related tasks.

After the application is removed, some of its files may remain in the system's temporary folder.

The Application Removal Wizard will suggest that you store a backup copy of Administration Server.

When the application is removed from Microsoft Windows 7 and Microsoft Windows 2008, premature
termination of the Removal Wizard might occur. This can be avoided by disabling the User Account Control
(UAC) in the operating system and restarting application removal.

About upgrading Kaspersky Security Center


This section contains information on how to upgrade Kaspersky Security Center from a previous version. You can
upgrade Kaspersky Security Center in different ways, depending on whether Kaspersky Security Center was
installed locally or on the Kaspersky failover cluster nodes.

During the upgrade, concurrent use of the DBMS by Administration Server and another application is strictly
forbidden.

When you upgrade Kaspersky Security Center from a previous version, all the installed plug-ins of supported
Kaspersky applications are kept. The Administration Server plug-in and Network Agent plug-in are upgraded
automatically (both for the Administration Console and Kaspersky Security Center Web Console).

Upgrading Kaspersky Security Center from a previous version


The following topic describes recommended preparation steps for the upgrade: Upgrading Kaspersky Security
Center and managed security applications.

You can install version 14 of Administration Server on a device that has an earlier version of Administration Server
installed (starting from version 11 (11.0.0.1131b)). When upgrading to version 14, all data and settings from the previous
version of Administration Server are preserved.

If problems occur during Administration Server installation, you can restore the previous version of Administration
Server using the backup copy of the Administration Server data created before the upgrade.

If at least one Administration Server of the new version has been installed on the network, you can upgrade other
Administration Servers on the network using the remote installation task that uses the Administration Server
installation package.

If you deployed the Kaspersky failover cluster, you can also upgrade Kaspersky Security Center on its nodes.

To upgrade an earlier version of Administration Server to version 14:

1. Run the ksc_14_<build number>_full_<language>.exe installation file for version 14 (you can download this file
from the Kaspersky website).

2. In the window that opens, click the Install Kaspersky Security Center 14 link to start the Administration Server
Setup Wizard. Follow the instructions of the Wizard.

3. Read the License Agreement and Privacy Policy. If you agree with all the terms of the License Agreement and
the Privacy Policy, select the following check boxes in the I confirm I have fully read, understood, and accept
the following section:

The terms and conditions of this EULA

Privacy Policy describing the handling of data

Installation of the application on your device will continue after you select both check boxes. The Setup Wizard
prompts you to create a backup of the Administration Server data for the earlier version.
Kaspersky Security Center supports data recovery from a backup created with an older version of
Administration Server.

4. If you want to create a backup of the Administration Server data, specify this in the Administration Server
backup window that opens.
A backup is created by the klbackup utility. This utility is included in the distribution kit, and is located at the root
of the Kaspersky Security Center installation folder.

5. Install Administration Server version 14 by following the Setup Wizard.


If a message appears that the Kaspersky Security Center Web Console service is busy, click the Ignore button
in the Wizard window.

We recommend that you avoid terminating the Setup Wizard. Cancelling the upgrade at the Administration
Server installation step may cause the upgraded version of Kaspersky Security Center to fail.

6. For devices on which the earlier version of Network Agent was installed, create and run the task for remote
installation of the new version of Network Agent.

We recommend that you upgrade the Network Agent for Linux to the same version as Kaspersky Security
Center.

After completion of the remote installation task, the Network Agent version is upgraded.

Upgrading Kaspersky Security Center on the Kaspersky failover cluster nodes

You can install Administration Server version 14 on every Kaspersky failover cluster node where the Administration
Server with an earlier version is installed (starting from version 13.2). When upgrading to version 14, all data and
settings from the previous version of Administration Server are preserved.

If you previously installed Kaspersky Security Center on devices locally, you can also upgrade Kaspersky
Security Center on these devices.

To upgrade Kaspersky Security Center on the Kaspersky failover cluster nodes:

1. Stop the cluster.

2. Perform the following actions on the active node of the cluster:

a. Run the ksc_14_<build number>_full_<language>.exe executable file.


A window opens and prompts you to select the Kaspersky applications to upgrade. In the application
selection window, click the Install Kaspersky Security Center 14 Administration Server link to start the
Administration Server Setup Wizard. Follow the instructions of the Wizard.

b. Read the License Agreement and Privacy Policy. If you agree with all the terms of the License Agreement
and the Privacy Policy, select the following check boxes in the I confirm I have fully read, understood, and
accept the following section:

The terms and conditions of this EULA

Privacy Policy describing the handling of data

Installation of the application on your device will continue after you select both check boxes.
If you do not accept the License Agreement or Privacy Policy, click the Cancel button to cancel the
upgrade.

c. In the Type of installation on cluster window, select the node on which you are upgrading.
Next, the installer configures and finishes upgrading the Administration Server. During the upgrade, you
cannot change the Administration Server settings that were adjusted before the upgrade.

3. Perform the same actions on the passive node of the Kaspersky failover cluster as on the active node. If you
chose the Microsoft Failover cluster (install on all cluster nodes) option in the Type of installation on cluster
window, you do not need to run the installer and perform the current step.

4. Start the cluster.

As a result, you installed the Administration Server of the latest version on the Kaspersky failover cluster nodes.

Initial setup of Kaspersky Security Center


This section describes steps you must take after the Kaspersky Security Center installation to perform its initial
setup.

Administration Server Quick Start Wizard


This section provides information about the Administration Server Quick Start Wizard.

About Quick Start Wizard

Administration Server Quick Start Wizard allows you to create a minimum of necessary tasks and policies, adjust a
minimum of settings, download and install plug-ins for managed Kaspersky applications, and create installation
packages of managed Kaspersky applications. When the Wizard is running, you can make the following changes to
the application:

Download and install plug-ins for managed applications. After the Quick Start Wizard has finished, the list of
installed management plug-ins is displayed in the Advanced → Details of application management plug-ins
installed section of the Administration Server properties window.

Create installation packages of managed Kaspersky applications. After the Quick Start Wizard has finished,
installation packages of Network Agent for Windows and managed Kaspersky applications are displayed in the
Administration Server → Advanced → Remote installation → Installation packages list.

Add key files or enter activation codes that can be automatically distributed to devices within administration
groups. After the Quick Start Wizard has finished, information about license keys is displayed in the
Administration Server → Kaspersky Licenses list and in the License keys section of the Administration
Server properties window.

Configure interaction with Kaspersky Security Network (KSN).

Set up email delivery of notifications of events that occur during operation of Administration Server and
managed applications (successful notification delivery requires that the Messenger service run on the
Administration Server and all recipient devices). After the Quick Start Wizard has finished, the email
notification settings are displayed in the Notification section of the Administration Server properties window.

Adjust the update settings and vulnerability fix settings for applications installed on devices.

Create a protection policy for workstations and servers, as well as virus scan tasks, update download tasks, and
data backup tasks, for the top level of the hierarchy of managed devices. After the Quick Start Wizard has
finished, the created tasks are displayed in the Administration Server → Tasks list, and the policies corresponding
to the plug-ins for managed applications are displayed in the Administration Server → Policies list.

The Quick Start Wizard creates policies for managed applications, such as Kaspersky Endpoint Security for
Windows, unless such policies are already created for the Managed devices group. The Quick Start Wizard
creates tasks if tasks with the same names do not exist for the Managed devices group.

In Administration Console, Kaspersky Security Center automatically prompts you to run the Quick Start Wizard
after you have started it for the first time. You can also start the Quick Start Wizard manually at any time.

Starting Administration Server Quick Start Wizard


The application automatically prompts you to run the Quick Start Wizard after Administration Server installation,
at the first connection to it. You can also start the Quick Start Wizard manually at any time.

To start the Quick Start Wizard manually:

1. In the console tree, select the Administration Server node.

2. In the context menu of the node, select All Tasks → Administration Server Quick Start Wizard.
The Wizard prompts you to perform initial configuration of the Administration Server. Follow the instructions of
the Wizard.

If you start the Quick Start Wizard again, tasks and policies created at the previous run of the Wizard cannot be
created again.

Step 1. Configuring a proxy server


Specify the internet access settings for Administration Server. You must configure internet access to use
Kaspersky Security Network and to download updates of anti-virus databases for Kaspersky Security Center and
managed Kaspersky applications.

Select the Use proxy server option if you want to use a proxy server when connecting to the internet. If this
option is selected, the fields are available for entering settings. Specify the following settings for a proxy server
connection:

Address

Address of the proxy server used for Kaspersky Security Center connection to the internet.

Port number

Number of the port through which Kaspersky Security Center proxy connection will be established.

Bypass proxy server for local addresses

No proxy server will be used to connect to devices in the local network.

Proxy server authentication

If this check box is selected, in the entry fields you can specify the credentials for proxy server
authentication.
This entry field is available if the Use proxy server check box is selected.

User name

User account under which connection to the proxy server is established (this field is available if the Proxy
server authentication check box is selected).

Password

Password set by the user under whose account the proxy server connection is established (this field is
available if the Proxy server authentication check box is selected).
To see the entered password, click and hold the Show button for as long as you require.

You can configure internet access later, separately from the Quick Start Wizard.

To specify the internet access settings for Administration Server:


1. In the console tree, select the Administration Server node.

2. In the context menu of the Administration Server, select Properties.

3. In the Administration Server properties window, go to Advanced → Configuring internet access.

4. Specify the settings for a proxy server connection.

Step 2. Selecting the application activation method


Select one of the following Kaspersky Security Center activation options:

By inserting your activation code

Activation code is a unique sequence of 20 alphanumeric characters. You enter an activation code to add a
key that activates Kaspersky Security Center. You receive the activation code through the email address
that you specified after purchasing Kaspersky Security Center.
To activate the application with an activation code, you need Internet access to establish connection with
Kaspersky activation servers.
If you have selected this activation option, you can enable the Automatically distribute license key to
managed devices option.
If this option is enabled, the license key will be deployed automatically to managed devices.
If this option is disabled, you can deploy license key to managed devices later, in the Kaspersky Licenses
node of the Administration Console tree.

By specifying a key file

A key file is a file with the .key extension provided to you by Kaspersky. A key file is intended for adding a key
that activates the application.
You receive your key file through the email address that you specified after purchasing Kaspersky Security
Center.
To activate the application using a key le, you do not have to connect to Kaspersky activation servers.
If you have selected this activation option, you can enable the Automatically distribute license key to
managed devices option.
If this option is enabled, the license key will be deployed automatically to managed devices.
If this option is disabled, you can deploy license key to managed devices later, in the Kaspersky Licenses
node of the Administration Console tree.

By postponing the application activation

The application will operate with basic functionality, without Mobile Device Management and without
Vulnerability and Patch Management.

If you choose to postpone application activation, you can add a license key later at any time.

Step 3. Selecting the protection scopes and platforms

Select the protection scopes and platforms that are in use on your network. When you select these options, you
specify the filters for application management plug-ins and distribution packages on Kaspersky servers that you
can download to install on client devices on your network. Select the options:

Areas

You can select the following protection areas:


Workstations. Select this option if you want to protect workstations in your network. By default, the
Workstation option is selected.

File Servers and Storage. Select this option if you want to protect file servers in your network.

Mobile devices. Select this option if you want to protect mobile devices owned by the company or
by the company employees. If you select this option but you have not provided a license with the
Mobile Device Management feature, a message is displayed informing you about necessity to provide
a license with the Mobile Device Management feature. If you do not provide a license, you cannot use
the Mobile device feature.

Virtualization. Select this option if you want to protect virtual machines in your network.

Kaspersky Anti-Spam. Select this option if you want to protect mail servers in your organization
from spam, fraud, and malware delivery.

Embedded Systems. Select this option if you want to protect Windows-based embedded systems,
such as Automated Teller Machine (ATM).

Industrial networks. Select this option if you want to monitor security data across your industrial
network and from network endpoints that are protected by Kaspersky applications.

Industrial endpoints. Select this option if you want to protect individual nodes within an industrial
network.

Platform

You can select the following platforms:


Microsoft Windows

macOS

Android

Linux

Other
For information about supported operating systems, refer to Hardware and software requirements for
Kaspersky Security Center Web Console.

You can select the Kaspersky application packages from the list of available packages later, separately from the
Quick Start Wizard. To simplify the search for the required packages, you can filter the list of available packages by
the following criteria:

Protection area

Type of downloaded software (distribution package, utility, plug-in, or web plug-in)

Version of the Kaspersky application

Localization language of the Kaspersky application

Step 4. Selecting plug-ins for managed applications


Select plug-ins for managed applications to install. A list of plug-ins located on Kaspersky servers is displayed. The
list is filtered according to the options selected on the previous step of the Wizard. By default, the full list includes
plug-ins of all languages. To display only plug-ins in a specific language, select the language from the Show the
Administration Console localization language or drop-down list. The list of plug-ins includes the following
columns:

Application name

The plug-ins that correspond to the protection areas and platforms that you selected in the previous step
are selected.

Application version

The list includes plug-ins of all the versions placed on Kaspersky servers. By default, the plug-ins of the
latest versions are selected.

Localization language

By default, the localization language of a plug-in is defined by the Kaspersky Security Center language that
you have selected at installation. You can specify other languages in Show the Administration Console
localization language or drop-down list.

After the plug-ins are selected, their installation starts automatically in a separate window. To install some plug-ins,
you must accept the terms of the EULA. Read the text of the EULA, select the I accept the terms of the License
Agreement option, and click the Install button. If you do not accept the terms of the EULA, the plug-in is not
installed.

After the installation completes, close the installation window.

You can also select the management plug-ins later, separately from the Quick Start Wizard.

Step 5. Downloading distribution packages and creating installation packages

Kaspersky Endpoint Security for Windows includes an encryption tool for the information stored on client devices. To
download a distribution package of Kaspersky Endpoint Security for Windows that is valid for the needs of your
organization, consult the legislation of the country where the client devices of your organization are located. In the
Encryption type window, select one of the following encryption types:

Strong encryption (AES256). This encryption type uses a 256-bit key.

Lite encryption (AES56). This encryption type uses a 56-bit key.

The Encryption type window is displayed only if you have selected Workstations as a protection scope and
Microsoft Windows as a platform.

After you have selected an encryption type, a list of distribution packages of both encryption types is displayed. A
distribution package with the selected encryption type is selected in the list. The distribution package language
corresponds to the Kaspersky Security Center language. If a distribution package of Kaspersky Endpoint Security
for Windows for the Kaspersky Security Center language does not exist, the English distribution package is
selected.

In the list, you can select distribution package languages by means of the Show the Administration Console localization
language or drop-down list.

Distribution packages of managed applications may require a specific minimum version of Kaspersky Security Center to
be installed.

In the list, you can select distribution packages of any encryption type, different from the one that you selected in the
Encryption type window. After you have selected a distribution package for Kaspersky Endpoint Security for
Windows, downloading of the distribution packages corresponding to the selected components and platforms starts. You
can monitor the download progress in the Download status column. After the Quick Start Wizard has finished,
installation packages of Network Agent for Windows and managed Kaspersky applications are displayed in the
Administration Server → Advanced → Remote installation → Installation packages list.

To finish downloading some distribution packages, you must accept the EULA. When you click the Accept button,
the text of the EULA is displayed. To proceed to the next step of the Wizard, you must accept the terms and
conditions of the EULA and the terms and conditions of the Kaspersky Privacy Policy. Select the options related to the
EULA and Kaspersky Privacy Policy, and then click the Accept all button. If you do not accept the terms and
conditions, the downloading of the package is canceled.

After you have accepted the terms and conditions of the EULA and the terms and conditions of Kaspersky Privacy
Policy, the downloading of the distribution packages continues. When the downloading is finished, the Installation
package is created status is displayed. Later, you can use installation packages to deploy Kaspersky applications
on client devices.

If you prefer not to run the Wizard, you can create installation packages manually by going to Administration
Server → Advanced → Remote installation → Installation packages in the Administration Console tree.

Step 6. Configuring Kaspersky Security Network usage

You can obtain access to the reputation databases of Kaspersky Security Network to ensure faster responses by
Kaspersky applications to threats, improve the effectiveness of some protection components, and reduce the risk
of false positives.

Read the KSN Statement, which is displayed in the window. Specify the settings for relaying information about
Kaspersky Security Center operations to the Kaspersky Security Network knowledge base. Select one of the
following options:

I agree to use Kaspersky Security Network

Kaspersky Security Center and managed applications installed on client devices will automatically transfer
their operation details to Kaspersky Security Network. Participation in Kaspersky Security Network
ensures faster updates of databases containing information about viruses and other threats, which
ensures a faster response to emergent security threats.

I do not agree to use Kaspersky Security Network

Kaspersky Security Center and managed applications will provide no information to Kaspersky Security
Network.
If you select this option, the use of Kaspersky Security Network will be disabled.

If you downloaded the Kaspersky Endpoint Security for Windows plug-in, both KSN statements—the KSN
Statement for Kaspersky Security Center and the KSN Statement for Kaspersky Endpoint Security for Windows—
are displayed. KSN statements for other managed Kaspersky applications whose plug-ins were downloaded are
displayed in separate windows and you must accept (or not accept) each of the statements separately.

You can also set up Administration Server access to Kaspersky Security Network (KSN) later in the Administration
Server properties window of Administration Console.

Step 7. Configuring email notifications

Configure the sending of notifications about events registered during the operation of Kaspersky applications on
managed devices. These settings are used as the default settings for Administration Server.

To configure the delivery of notifications about events occurring in Kaspersky applications, use the following
settings:

Recipients (email addresses)

The email addresses of users to whom the application will send notifications. You can enter one or more
addresses; if you enter more than one address, separate them with a semicolon.

SMTP servers

The address or addresses of your organization's mail servers.

If you enter more than one address, separate them with a semicolon. You can use the following values:

IPv4 or IPv6 address

Windows network name (NetBIOS name) of the device

DNS name of the SMTP server

SMTP server port

Communication port number of the SMTP server. If you use several SMTP servers, the connection to them
is established through the specified communication port. The default port number is 25.

Use ESMTP authentication

Enables support of ESMTP authentication. When the check box is selected, in the User name and
Password fields you can specify the ESMTP authentication settings. By default, this check box is cleared.

Settings

Specify the following settings:


Subject (subject of an email message)

Sender email address

TLS settings for SMTP server

You can specify TLS settings for SMTP server:
You can disable usage of TLS, use TLS if the SMTP server supports this protocol, or you can force usage
of TLS only. If you choose to use only TLS, specify a certificate for authentication of the SMTP server and
choose whether you want to enable communication through any version of TLS or only through TLS 1.2 or
later versions. Also, if you choose to use only TLS, you can specify a certificate for client authentication on
the SMTP server.

Browse for an SMTP server certificate file:

You can receive a file with the list of certificates from a trusted certification authority and upload the file
to Administration Server. Kaspersky Security Center checks whether the certificate of an SMTP server is
also signed by a trusted certification authority. Kaspersky Security Center cannot connect to an SMTP
server if the certificate of the SMTP server is not received from a trusted certification authority.

Browse for a client certificate file:

You can use a certificate that you received from any source, for example, from any trusted certification
authority. You must specify the certificate and its private key by using one of the following certificate
types:

X.509 certificate:

Specify the file with the certificate and the file with the private key. You can upload these files in any order.
When both files are uploaded, specify the password to decrypt the private key. The password can have an
empty value if the private key is not encrypted.

pkcs12 container:

You must upload a single file that contains the certificate and its private key. When the file is loaded, you
must then specify the password for decrypting the private key. The password can have an empty value if the
private key is not encrypted.

You can test the new email notification settings by clicking the Send test message button.

You can also configure event notifications later, separately from the Quick Start Wizard.
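Before clicking Send test message, it is worth knowing whether the SMTP server actually offers STARTTLS, negotiates TLS 1.2 or later, and presents a certificate that chains to the CA file you are about to upload as the SMTP server certificate file. The following PowerShell function is an added example, not code from the Kaspersky documentation; it assumes PowerShell 7 on Windows, and the host name and path in the usage line are placeholders.

```powershell
using namespace System.Net.Sockets
using namespace System.Net.Security
using namespace System.Security.Authentication
using namespace System.Security.Cryptography.X509Certificates

# Added example, not part of the Kaspersky documentation. Assumes PowerShell 7 on Windows
# and a CA file (PEM bundle or DER/PKCS #7) that you intend to upload as the
# "SMTP server certificate file". Host names and paths in the usage line are placeholders.

function Read-SmtpReply {
    # Reads one SMTP reply; continuation lines look like "250-..." and the final line "250 ...".
    param([Parameter(Mandatory)][System.IO.StreamReader]$Reader)
    $lines = [System.Collections.Generic.List[string]]::new()
    do {
        $line = $Reader.ReadLine()
        if ($null -eq $line) { throw 'SMTP server closed the connection' }
        $lines.Add($line)
    } while ($line -match '^\d{3}-')
    return ,[string[]]$lines.ToArray()
}

function Test-KscSmtpTls {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)][string]$SmtpServer,
        [int]$Port = 25,                               # Wizard default "SMTP server port"
        [Parameter(Mandatory)][string]$CaBundlePath,  # the trusted CA file to be uploaded
        [switch]$RequireTls12                          # "only through TLS 1.2 or later versions"
    )
    $result = [ordered]@{
        Server = "${SmtpServer}:$Port"; StartTlsOffered = $false; Protocol = $null
        ServerSubject = $null; ChainTrustedByBundle = $false; Ok = $false
    }
    $client = [TcpClient]::new($SmtpServer, $Port)
    try {
        $net    = $client.GetStream()
        $reader = [System.IO.StreamReader]::new($net)
        $writer = [System.IO.StreamWriter]::new($net)
        $writer.NewLine = "`r`n"; $writer.AutoFlush = $true

        $null = Read-SmtpReply $reader                   # 220 greeting
        $writer.WriteLine('EHLO ksc-precheck.example')   # constructed client name
        $ehlo = Read-SmtpReply $reader
        $result.StartTlsOffered = [bool]($ehlo -match 'STARTTLS')
        if (-not $result.StartTlsOffered) { return [pscustomobject]$result }

        $writer.WriteLine('STARTTLS')
        $go = Read-SmtpReply $reader
        if ($go[-1] -notmatch '^220') { throw "STARTTLS refused: $($go[-1])" }

        # Accept any certificate during the handshake; trust is decided below against the
        # CA file alone, which is what the Wizard setting describes. Host name matching is
        # not part of this check. With -RequireTls12 a server limited to TLS 1.0/1.1 fails
        # the handshake, which surfaces as an exception.
        $ssl = [SslStream]::new($net, $false, [RemoteCertificateValidationCallback]{ $true })
        $protocols = if ($RequireTls12) { [SslProtocols]::Tls12 -bor [SslProtocols]::Tls13 } else { [SslProtocols]::None }
        $ssl.AuthenticateAsClient($SmtpServer, $null, $protocols, $false)
        $result.Protocol = $ssl.SslProtocol.ToString()

        $leaf = [X509Certificate2]::new($ssl.RemoteCertificate)
        $result.ServerSubject = $leaf.Subject
        $bundle = [X509Certificate2Collection]::new()
        if ((Get-Content -LiteralPath $CaBundlePath -Raw) -match '-----BEGIN') {
            $bundle.ImportFromPemFile($CaBundlePath)
        } else {
            $bundle.Import($CaBundlePath)
        }
        $chain = [X509Chain]::new()
        $chain.ChainPolicy.TrustMode = [X509ChainTrustMode]::CustomRootTrust  # trust only the bundle
        $chain.ChainPolicy.CustomTrustStore.AddRange($bundle)
        $chain.ChainPolicy.RevocationMode = [X509RevocationMode]::NoCheck
        $result.ChainTrustedByBundle = $chain.Build($leaf)
        $result.Ok = $result.ChainTrustedByBundle
        return [pscustomobject]$result
    }
    finally { $client.Dispose() }
}

# Usage: Test-KscSmtpTls -SmtpServer mail.example.org -CaBundlePath C:\certs\corp-ca.pem -RequireTls12
```

A result with ChainTrustedByBundle set to False means the Wizard's "use only TLS" mode will refuse the server with that CA file, whatever the test message reports.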

Step 8. Configuring update management

Configure the settings for managing updates of applications installed on client devices.

You can configure these settings only if you have provided a license key with the Vulnerabilities and Patch
management option.

In the Search for updates and install them group of settings, you can select a mode of Kaspersky Security
Center update search and installation:

Search for required updates

The Find vulnerabilities and required updates task is created.

This option is selected by default.

Find and install required updates

The Find vulnerabilities and required updates and Install required updates and fix vulnerabilities tasks are
created automatically if they do not already exist.

In the Windows Server Update Services group of settings, you can select the update synchronization source:

Use update sources defined in the domain policy

Client devices will download Windows Update updates according to your domain policy settings. A Network
Agent policy is created automatically if one does not already exist.

Use Administration Server as a WSUS server

Client devices will download Windows Update updates from the Administration Server. The Perform
Windows Update synchronization task and Network Agent policy are created automatically if they do not
already exist.

If you prefer not to run the Quick Start Wizard, create the Find vulnerabilities and required updates and Install
required updates and fix vulnerabilities tasks later. To use Administration Server as the WSUS server, create the
Perform Windows Update synchronization task, and then select the Use Administration Server as a WSUS server
option in the Network Agent policy.

Step 9. Creating an initial protection configuration

The Configure initial protection window displays a list of policies and tasks that are created automatically. The
following policies and tasks are created:

Kaspersky Security Center Network Agent policy

Policies for managed Kaspersky applications whose management plug-ins were installed earlier

Administration Server maintenance task


Backup of Administration Server data task

Download updates to the Administration Server repository task

Find vulnerabilities and required updates task

Install update task

Wait for the creation of policies and tasks to complete before proceeding to the next step of the Wizard.

If you have downloaded and installed the plug-in for Kaspersky Endpoint Security for Windows 10 Service Pack 1
or later, up to version 11.0.1, a window opens during the creation of policies and tasks for initial configuration of the
trusted zone of Kaspersky Endpoint Security for Windows. The application will prompt you to add vendors verified
by Kaspersky to the trusted zone for the purposes of excluding their applications from scans, to prevent them
from being accidentally blocked. You can create recommended exclusions now or create a list of exclusions later by
selecting the following in the console tree: Policies → Kaspersky Endpoint Security properties menu → Advanced
Threat Protection → Trusted zone → Settings → Add. The list of scan exclusions is available for editing at any
time when using the application.

Operations on the trusted zone are performed by using tools integrated into Kaspersky Endpoint Security for
Windows. For detailed instructions on how to perform operations and a description of encryption features,
please refer to Kaspersky Endpoint Security for Windows Online Help.

To finish initial configuration of the trusted zone and return to the Wizard, click OK.

Click Next. This button becomes available after all necessary policies and tasks have been created.

You can also create the required tasks and policies later, separately from the Quick Start Wizard.

Step 10. Connecting mobile devices


If you previously enabled the Mobile devices protection scope in the Wizard settings, specify the settings for
connecting the enterprise mobile devices of the managed organization. If you did not enable Mobile devices
protection scope, this step is skipped.

At this step of the Wizard, do the following:

Configure ports for connection of mobile devices

Configure Administration Server authentication

Create or manage certi cates

Set up issuance, automatic updating, and encryption of general-type certi cates

Create a moving rule for mobile devices

To set up the ports for connection of mobile devices:

1. Click the Configure button to the right of the Mobile device connection field.

2. In the drop-down list, select Configure ports.

The Administration Server properties window opens, displaying the Additional ports section.

3. In the Additional ports section, you can specify the mobile device connection settings:

SSL port for the activation proxy server

The number of an SSL port for connection of Kaspersky Endpoint Security for Windows to activation
servers of Kaspersky.
The default port number is 17000.

Open port for mobile devices

A port opens for mobile devices to connect to the Licensing Server. You can define the port number
and other settings in the fields below.
By default, this option is enabled.

Port for mobile device synchronization

Number of the port through which mobile devices connect to the Administration Server and exchange
data with it. The default port number is 13292.
You can assign a different port if port 13292 is being used for other purposes.

Port for mobile device activation

The port for connection of Kaspersky Endpoint Security for Android to activation servers of Kaspersky.
The default port number is 17100.

Open port for UEFI protection devices and KasperskyOS devices

UEFI protection devices can connect to the Administration Server.

Port for UEFI protection devices and KasperskyOS devices

You can change the port number if the Open port for UEFI protection devices and KasperskyOS
devices option is enabled. The default port number is 13294.

4. Click OK to save changes and return to the Quick Start Wizard.

You will have to configure authentication of the Administration Server by mobile devices and authentication of
mobile devices by the Administration Server. If you want, you can configure authentication later, separately from
the Quick Start Wizard.

To configure Administration Server authentication by mobile devices:

1. Click the Configure button to the right of the Mobile device connection field.

2. In the drop-down list, select Configure authentication.

The Administration Server properties window opens, displaying the Certificates section.

3. Select the authentication option for mobile devices in the Administration Server authentication by mobile
devices group of settings, and select the authentication option for UEFI protection devices in the
Administration Server authentication by UEFI protection devices group of settings.
When Administration Server exchanges data with client devices, it is authenticated through the use of a
certificate.
By default, Administration Server uses the certificate that was created during Administration Server
installation. If you want, you can add a new certificate.

To add a new certificate (optional):

1. Select Other certificate.


The Browse button appears.

2. Click the Browse button.

3. In the window that opens, specify the certificate settings:

Certificate type

In the drop-down list, you can select a certificate type:

X.509 certificate. If this option is selected, you should specify the private key of a certificate and
a public certificate:

Private key (.prk, .pem). In this field, click the Browse button to specify the private key of a
certificate in PKCS #8 (*.prk) format.

Public key (.cer). In this field, click the Browse button to specify a public key in PEM (*.cer)
format.

PKCS #12 container. If you select this option, you can specify a certificate file in P12 or PFX
format by clicking the Browse button and filling in the Certificate file field.

Activation time:

Immediately

The current certificate will be immediately replaced with the new one after you click OK.
Previously connected mobile devices will not be able to connect to Administration Server.

After this period expires, days

If you select this option, a reserve certificate will be generated. The current certificate will be
replaced with the new one in the specified number of days. The effective date of the reserve
certificate is displayed in the Certificates section.
It is recommended that you plan the reissue in advance. The reserve certificate must be downloaded
to the mobile devices before the specified period expires. After the current certificate is replaced
with the new one, previously connected mobile devices that do not have the reserve certificate will
not be able to connect to Administration Server.

4. Click the Properties button to view the settings of the selected Administration Server certificate.
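Because choosing Immediately replaces the Administration Server certificate at once and cuts off previously connected mobile devices, it pays to confirm beforehand that the files you are about to upload belong together. The PowerShell function below checks that for both forms described here and in the client certificate settings of Step 7: a certificate with a separate PKCS #8 private key, or a PKCS #12 container. It is an added example, not Kaspersky code; it assumes PowerShell 7.2 or later, RSA keys, and PEM-encoded certificate and key files, and the file names in the usage line are placeholders.

```powershell
using namespace System.Security.Cryptography
using namespace System.Security.Cryptography.X509Certificates

# Added example, not part of the Kaspersky documentation. Assumptions: PowerShell 7.2 or
# later (.NET PEM import APIs), RSA keys, and PEM-encoded certificate (.cer) and PKCS #8
# private key (.prk/.pem) files. File names in the usage lines are placeholders.

function Test-KscCertificateFiles {
    [CmdletBinding(DefaultParameterSetName = 'X509')]
    param(
        # "X.509 certificate" form: public certificate plus a separate PKCS #8 private key
        [Parameter(ParameterSetName = 'X509', Mandatory)][string]$CertificatePath,
        [Parameter(ParameterSetName = 'X509', Mandatory)][string]$PrivateKeyPath,
        # "PKCS #12 container" form: one .p12/.pfx file holding certificate and key
        [Parameter(ParameterSetName = 'Pkcs12', Mandatory)][string]$ContainerPath,
        # Empty when the private key is not encrypted, as the Wizard allows
        [string]$Password = ''
    )

    if ($PSCmdlet.ParameterSetName -eq 'X509') {
        $cert = [X509Certificate2]::new($CertificatePath)
        $key  = [RSA]::Create()
        $pem  = [System.IO.File]::ReadAllText($PrivateKeyPath)
        if ($pem -match 'ENCRYPTED PRIVATE KEY') {
            if (-not $Password) { throw 'The private key is encrypted; supply the password' }
            $key.ImportFromEncryptedPem($pem, $Password)
        } else {
            $key.ImportFromPem($pem)
        }
    } else {
        # EphemeralKeySet keeps the key out of the Windows key store while it is inspected
        $cert = [X509Certificate2]::new($ContainerPath, $Password, [X509KeyStorageFlags]::EphemeralKeySet)
        if (-not $cert.HasPrivateKey) { throw 'The PKCS #12 container holds no private key' }
        $key = [RSACertificateExtensions]::GetRSAPrivateKey($cert)
    }

    $pub = [RSACertificateExtensions]::GetRSAPublicKey($cert)
    if ($null -eq $pub) { throw 'Only RSA certificates are handled by this check' }
    # The private key belongs to the certificate when both public halves share one modulus.
    $certModulus = [Convert]::ToBase64String($pub.ExportParameters($false).Modulus)
    $keyModulus  = [Convert]::ToBase64String($key.ExportParameters($false).Modulus)
    $keyMatches  = $certModulus -eq $keyModulus

    $now      = [DateTime]::Now
    $validNow = ($now -ge $cert.NotBefore) -and ($now -le $cert.NotAfter)
    [pscustomobject]@{
        Subject         = $cert.Subject
        Issuer          = $cert.Issuer
        Thumbprint      = $cert.Thumbprint
        NotAfter        = $cert.NotAfter
        DaysUntilExpiry = [int][Math]::Floor(($cert.NotAfter - $now).TotalDays)
        ValidNow        = $validNow
        KeyMatches      = $keyMatches
        # Upload only a consistent pair that is already valid; a mismatched or expired
        # certificate applied with "Immediately" disconnects every mobile device.
        ReadyToUpload   = $keyMatches -and $validNow
    }
}

# Usage (placeholder paths):
#   Test-KscCertificateFiles -CertificatePath C:\pki\mdm.cer -PrivateKeyPath C:\pki\mdm.prk -Password 'secret'
#   Test-KscCertificateFiles -ContainerPath C:\pki\mdm.pfx -Password 'secret'
```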

To reissue a certificate issued through Administration Server:

1. Select Certificate issued through Administration Server.

2. Click the Reissue button.

3. In the window that opens, specify the following settings:

Connection address:

Use old connection address

The address of the Administration Server to which mobile devices connect remains unchanged.
This option is selected by default.

Change connection address to

If you want mobile devices to connect to a different address, specify the relevant address in this
field.
If the address for mobile device connection has changed, a new certificate must be issued. The old
certificate becomes invalid on all mobile devices connected. Previously connected devices will not
be able to connect to Administration Server so they will become unmanaged.

Activation time:

Immediately

The current certificate will be immediately replaced with the new one after you click OK.
Previously connected mobile devices will not be able to connect to Administration Server.

After this period expires, days

If you select this option, a reserve certificate will be generated. The current certificate will be
replaced with the new one in the specified number of days. The effective date of the reserve
certificate is displayed in the Certificates section.
It is recommended that you plan the reissue in advance. The reserve certificate must be downloaded
to the mobile devices before the specified period expires. After the current certificate is replaced
with the new one, previously connected mobile devices that do not have the reserve certificate will
not be able to connect to Administration Server.

4. Click OK to save changes and return to the Certificates window.

5. Click OK to save changes and return to the Quick Start Wizard.

To set up issuance, automatic updating, and encryption of general-type certificates for identification of mobile
devices by Administration Server:

1. Click the Configure button on the right of the Mobile device authentication field.
The Certificate issuance rules window opens, displaying the Issuance of mobile certificates section.

2. If necessary, specify the following settings in the Issuance settings section:


Certificate lifetime, days

Certificate lifetime period in days. The default lifetime of a certificate is 365 days. When this period
expires, the mobile device will not be able to connect to the Administration Server.

Certificate source

Select the source of general-type certificates for mobile devices: certificates are issued by
Administration Server, or they are specified manually.

You can modify the certificate templates if integration with the public key infrastructure (PKI) has been
configured in the Integration with PKI section. In this case, the following template selection fields are
available:

Default template

Use a certificate issued by an external certificate source – Certification Center – under the default
template.
By default, this option is selected.

Other template

Select a template used to issue certificates. You can specify certificate templates in the domain. The
Refresh list button updates the list of certificate templates.

3. If necessary, specify the following settings for automatic issuance of certi cates in the Automatic Updates
settings section:

Renew when certificate is to expire in (days)

The number of days remaining until the current certificate's expiration during which Administration
Server should issue a new certificate. For example, if the value of the field is 4, Administration Server
issues a new certificate four days before the current certificate expires. The default value is 7.

Reissue certificate automatically if possible

Select this option to reissue a certificate automatically for the number of days specified in the Renew
when certificate is to expire in (days) field. If a certificate was manually defined, it cannot be
automatically renewed, and the enabled option will not work.
By default, this option is disabled.

Certificates are automatically reissued by a Certification Authority.

4. If necessary, in the Password protection settings section, specify the settings for decrypting certificates
during installation.
Select the Prompt for password during certificate installation option to prompt the user for password when
the certificate is installed on a mobile device. The password is used only once—during installation of the
certificate on the mobile device.

The password will be automatically generated by Administration Server and sent to the email address that you
specified. You can specify the user's email address, or your own email address if you want to use another
method to forward the password to the user.
You can use the slider to specify the number of characters in the certificate decryption password.
The password prompting option is required, for example, to protect a shared certificate in a stand-alone
Kaspersky Endpoint Security for Android installation package. Password protection will prevent an intruder
from obtaining access to the shared certificate through theft of the stand-alone installation package from
Kaspersky Security Center Web Server.
If this option is disabled, the certificate is automatically decrypted during installation and the user will not be
prompted for a password. By default, this option is disabled.

5. Click OK to save changes and return to the Quick Start Wizard window.
Click the Cancel button to return to the Quick Start Wizard without saving any changes made.

To enable the function for moving mobile devices to an administration group that you choose,

In the Automatic moving of mobile devices field, select the Create a moving rule for mobile devices option.

If the Create a moving rule for mobile devices option is selected, the application automatically creates a moving
rule that moves devices running Android and iOS to the Managed devices group:

With Android operating systems on which a Kaspersky Endpoint Security for Android and a mobile certificate
are installed

With iOS operating systems on which the iOS MDM profile with a shared certificate is installed

If such a rule already exists, the application does not create it again.

By default, this option is disabled.

Kaspersky no longer supports Kaspersky Safe Browser.

Step 11. Downloading updates


Updates for anti-virus databases for Kaspersky Security Center and managed Kaspersky applications are
downloaded automatically. The updates are downloaded from Kaspersky servers.

To download updates separately from the Quick Start Wizard, create and configure the Download updates to the
repository of the Administration Server task.

Step 12. Device discovery


The Network poll window displays information about the status of network polling performed by the
Administration Server.

You can view network devices detected by Administration Server and receive help on working with the Device
discovery window by clicking the links in the lower part of the window.

You can poll your network later. If you prefer not to run the Quick Start Wizard, use Administration Console to
configure the polling of Windows domains, Active Directory, and IP ranges by the distribution point.

Step 13. Closing the Quick Start Wizard


In the Quick Start Wizard completion window, select the Run the Remote Installation Wizard option if you want to
start automatic installation of anti-virus applications and/or Network Agent on devices on your network.

To complete the Wizard, click the Finish button.

Configuring the connection of Administration Console to Administration Server

Administration Console is connected to Administration Server through SSL port TCP 13291. The same port can be
used by klakaut automation objects.

Port TCP 14000 can be used for connecting Administration Console, distribution points, secondary Administration
Servers, and klakaut automation objects, as well as for receiving data from client devices.

Normally, SSL port TCP 13000 can only be used by Network Agent, a secondary Administration Server, and the
primary Administration Server in DMZ. In some cases, Administration Console may have to be connected through
SSL port 13000:

If a single SSL port is likely to be used both for Administration Console and for other activities (receiving data
from client devices, connecting distribution points, connecting secondary Administration Servers).

If a klakaut automation object is not connected to Administration Server directly but through a distribution
point in the DMZ.

To allow the connection of Administration Console over port 13000:

1. Open the system registry of the device on which Administration Server is installed (for example, locally, using
the regedit command in the Start → Run menu).

2. Go to the following hive:

For 32-bit systems:


HKEY_LOCAL_MACHINE\SOFTWARE\KasperskyLab\Components\34\.core\.independent\KLLIM

For 64-bit systems:


HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\KasperskyLab\Components\34\.core\.independent\

3. For the LP_ConsoleMustUsePort13291 (DWORD) key, set 00000000 as the value.

The default value specified for this key is 1.

4. Restart the Administration Server service.

You will now be able to connect Administration Console to Administration Server over port 13000.
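The same change, together with a read-back of the current value, as an added PowerShell example that is not from the Kaspersky documentation. The service name kladminserver is an assumption to confirm with Get-Service, and on 64-bit systems the Wow6432Node path from step 2 must be passed in through -KeyPath.

```powershell
# Added example, not part of the Kaspersky documentation: audit and change the
# LP_ConsoleMustUsePort13291 value from the procedure above with PowerShell instead of
# regedit. Assumptions: run in an elevated PowerShell on the Administration Server host;
# the service name 'kladminserver' is an assumption, confirm it with Get-Service. The
# default path is the 32-bit hive named in the procedure; on 64-bit systems pass the
# Wow6432Node path listed there through -KeyPath.

$KscDefaultKeyPath = 'HKLM:\SOFTWARE\KasperskyLab\Components\34\.core\.independent\KLLIM'
$KscValueName      = 'LP_ConsoleMustUsePort13291'

function Get-KscConsolePortPolicy {
    param([string]$KeyPath = $KscDefaultKeyPath)
    if (-not (Test-Path -LiteralPath $KeyPath)) { throw "Registry key not found: $KeyPath" }
    $props   = Get-ItemProperty -LiteralPath $KeyPath
    $present = $null -ne $props.$KscValueName
    # A missing value behaves like the documented default (1): console limited to port 13291.
    $value = if ($present) { [int]$props.$KscValueName } else { 1 }
    [pscustomobject]@{
        KeyPath                = $KeyPath
        ValuePresent           = $present
        Value                  = $value
        # 0 means the console also shares port 13000 with Network Agents and secondary Servers
        ConsoleMayUsePort13000 = ($value -eq 0)
    }
}

function Set-KscConsolePortPolicy {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        # 'AllowPort13000' writes 0 (the procedure above); 'RestrictTo13291' restores the default 1
        [Parameter(Mandatory)][ValidateSet('AllowPort13000', 'RestrictTo13291')][string]$Mode,
        [string]$KeyPath = $KscDefaultKeyPath,
        [string]$ServiceName = 'kladminserver'    # assumed service name
    )
    $value = if ($Mode -eq 'AllowPort13000') { 0 } else { 1 }
    if ($PSCmdlet.ShouldProcess("$KeyPath\$KscValueName", "set DWORD value to $value and restart $ServiceName")) {
        Set-ItemProperty -LiteralPath $KeyPath -Name $KscValueName -Value $value -Type DWord
        # The new value is read only when the Administration Server service starts.
        Restart-Service -Name $ServiceName -Force
    }
    Get-KscConsolePortPolicy -KeyPath $KeyPath
}

# Usage (run with -WhatIf first to see the change without applying it):
#   Get-KscConsolePortPolicy
#   Set-KscConsolePortPolicy -Mode AllowPort13000 -WhatIf
#   Set-KscConsolePortPolicy -Mode AllowPort13000
```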

Connecting out-of-office devices

This section describes how to connect out-of-office devices (that is, managed devices that are located outside of
the main network) to Administration Server.

Scenario: Connecting out-of-office devices through a connection gateway

This scenario describes how to connect managed devices that are located outside of the main network to
Administration Server.

Prerequisites

The scenario has the following prerequisites:

A demilitarized zone (DMZ) is organized in your organization's network.

Kaspersky Security Center Administration Server is deployed on the corporate network.

Stages

This scenario proceeds in stages:

1 Selecting a client device in the DMZ

This device will be used as a connection gateway. The device that you select must meet the requirements for
connection gateways.

2 Installing Network Agent in the connection gateway role

We recommend that you use a local installation to install Network Agent on the selected device.

By default, the installation file is located at: \\<server name>\KLSHARE\PkgInst\NetAgent_<version number>

In the Connection gateway window of the Network Agent Setup Wizard, select Use Network Agent as a
connection gateway in DMZ. This mode simultaneously activates the connection gateway role and tells Network
Agent to wait for connections from Administration Server, rather than establish connections to Administration
Server.

Alternatively, you can install Network Agent on a Linux device and configure Network Agent to work as a
connection gateway, but pay attention to the list of limitations of Network Agent running on Linux devices.

3 Allowing connections in firewalls on the connection gateway

To make sure that Administration Server can actually connect to the connection gateway in the DMZ, allow
connections to TCP port 13000 in all firewalls between Administration Server and the connection gateway.

If the connection gateway has no real IP address on the internet, but instead is located behind Network Address
Translation (NAT), configure a rule to forward connections through NAT.

4 Creating an administration group for external devices

Create a new group under the Managed devices group. This new group will contain external managed devices.

5 Connecting the connection gateway to Administration Server

The connection gateway that you have configured is waiting for a connection from Administration Server.
However, Administration Server does not list the device with the connection gateway among managed devices.
This is because the connection gateway has not tried to establish a connection to Administration Server.
Therefore, you need a special procedure to ensure that Administration Server initiates a connection to the
connection gateway.

Do the following:

1. Add the connection gateway as a distribution point.

2. Move the connection gateway from the Unassigned devices group to the group that you have created for
external devices.

The connection gateway is connected and configured.

6 Connecting external desktop computers to Administration Server

Usually, external desktop computers are not moved inside the perimeter. Therefore, you need to configure them
to connect to Administration Server through the gateway when installing Network Agent.

7 Setting up updates for external desktop computers

If updates of security applications are configured to be downloaded from Administration Server, external
computers download updates through the connection gateway. This has two disadvantages:

This is unnecessary traffic, which takes up bandwidth of the company's internet communication channel.

This is not necessarily the quickest way to get updates. It is very likely that it would be cheaper and faster for
external computers to receive updates from Kaspersky update servers.

Do the following:

1. Move all external computers to the separate administration group that you created earlier.

2. Exclude the group with external devices from the update task.

3. Create a separate update task for the group with external devices.

8 Connecting traveling laptops to Administration Server

Traveling laptops are within the network sometimes and outside the network at other times. For effective
management, you need them to connect to Administration Server differently depending on their location. For
efficient use of traffic, they also need to receive updates from different sources, depending on their location.

You need to configure rules for out-of-office users: connection profiles and network location descriptions. Each
rule defines the Administration Server instance to which traveling laptops must connect, depending on their
location and the Administration Server instance from which they must receive updates.

Scenario: Connecting out-of-office devices through a secondary Administration Server in DMZ

If you want to connect managed devices that are located outside of the main network to Administration Server, you can do it by using a secondary Administration Server located in the demilitarized zone (DMZ).

Prerequisites
Before you start, make sure that you have done the following:

A DMZ is organized in your organization's network.

Kaspersky Security Center Administration Server is deployed on the internal network of the organization.

Stages

This scenario proceeds in stages:

1 Selecting a client device in the DMZ

In the DMZ, select a client device that will be used as a secondary Administration Server.

2 Installing Kaspersky Security Center Administration Server

Install Kaspersky Security Center Administration Server on this client device.

3 Creating a hierarchy of Administration Servers

If you place a secondary Administration Server in the DMZ, the secondary Administration Server must receive a
connection from the primary Administration Server. To do this, add a new Administration Server as secondary so
that the primary Administration Server connects to the secondary Administration Server through port 13000.
When combining two Administration Servers into a hierarchy, make sure that port 13291 is accessible on both
Administration Servers. Administration Console connects to an Administration Server through port 13291.

4 Connecting out-of-office managed devices to the secondary Administration Server

You can connect out-of-office devices to the Administration Server in the DMZ in the same way that the connection is established between Administration Server and managed devices that are located in the main network. Out-of-office managed devices initiate the connection through port 13000.

About connecting out-of-office devices

Some managed devices are always located outside of the main network (for example, computers in a company's regional branches; kiosks, ATMs, and terminals installed at various points of sale; computers in the home offices of employees). Some devices travel outside the perimeter from time to time (for example, laptops of users who visit regional branches or a customer's office).

You still need to monitor and manage the protection of out-of-office devices—receive actual information about their protection status and keep the security applications on them in the up-to-date state. This is necessary because, for example, if such a device is compromised while being away from the main network, it could become a platform for propagating threats as soon as it connects to the main network. To connect out-of-office devices to Administration Server, you can use two methods:

Connection gateway in the demilitarized zone (DMZ)

See the data traffic scheme: Administration Server on LAN, managed devices on the Internet, connection gateway in use

Administration Server in DMZ

See the data traffic scheme: Administration Server in DMZ, managed devices on Internet

A connection gateway in the DMZ

A recommended method for connecting out-of-office devices to Administration Server is organizing a DMZ in the organization's network and installing a connection gateway in the DMZ. External devices will connect to the connection gateway, and Administration Server inside the network will initiate a connection to the devices via the connection gateway.

As compared to the other method, this one is more secure:

You do not need to open access to Administration Server from outside the network.

A compromised connection gateway does not pose a high risk to the safety of the network devices. A
connection gateway does not actually manage anything itself and does not establish any connections.

Also, a connection gateway does not require many hardware resources.

However, this method has a more complicated configuration process:

To make a device act as a connection gateway in the DMZ, you need to install Network Agent and connect it to Administration Server in a specific way.

You will not be able to use the same address for connecting to Administration Server for all situations. From outside the perimeter, you will need to use not just a different address (connection gateway address), but also a different connection mode: through a connection gateway.

You also need to define different connection settings for laptops in different locations.

To add a connection gateway to a previously con gured network:

1. Install the Network Agent in the connection gateway mode.

2. Reinstall the Network Agent on devices that you want to connect to the newly added connection gateway.

Administration Server in the DMZ

Another method is installing a single Administration Server in the DMZ.

This configuration is less secure than the other method. To manage external laptops in this case, Administration Server must accept connections from any address on the internet. It will still manage all devices in the internal network, but from the DMZ. Therefore, a compromised Server could cause an enormous amount of damage, despite the low likelihood of such an event.

The risk gets significantly lower if Administration Server in the DMZ does not manage devices in the internal network. Such a configuration can be used, for example, by a service provider to manage the devices of customers.

You might want to use this method in the following cases:

If you are familiar with installing and configuring Administration Server, and do not want to perform another procedure to install and configure a connection gateway.

If you need to manage more devices. The maximum capacity of Administration Server is 100,000 devices, while
a connection gateway can support up to 10,000 devices.

This solution also has possible difficulties:

Administration Server requires more hardware resources and one more database.

Information about devices will be stored in two unrelated databases (for Administration Server inside the
network and another one in the DMZ), which complicates monitoring.

To manage all devices, Administration Server needs to be joined into a hierarchy, which complicates not only
monitoring but also management. A secondary Administration Server instance imposes limitations on the
possible structures of administration groups. You have to decide how and which tasks and policies to distribute
to a secondary Administration Server instance.

Configuring external devices to use Administration Server in the DMZ from the outside and to use the primary Administration Server from the inside is not simpler than just configuring them to use a conditional connection through a gateway.

High security risks. A compromised Administration Server instance makes it easier to compromise its managed
laptops. If this happens, the hackers just need to wait for one of the laptops to return to the corporate network
so that they can continue their attack on the local area network.

Connecting external desktop computers to Administration Server


Desktop computers that are always outside of the main network (for example, computers in the company's regional branches; kiosks, ATMs, and terminals installed at various points of sale; computers in the home offices of employees) cannot be connected to Administration Server directly. They must be connected to Administration Server via a connection gateway that is installed in the demilitarized zone (DMZ). This configuration is made when installing Network Agent on those computers.

To connect external desktop computers to Administration Server:

1. Create a new installation package for Network Agent.

2. Open the properties of the created installation package and go to the Advanced section, and then select the
Connect to Administration Server by using a connection gateway option.

The Connect to Administration Server by using a connection gateway setting is incompatible with the
Use Network Agent as a connection gateway in DMZ setting. You cannot enable both of these settings
at the same time.

3. In Connection gateway address, specify the public address of the connection gateway.
If the connection gateway is located behind Network Address Translation (NAT) and does not have its own
public address, con gure a NAT gateway rule for forwarding connections from the public address to the internal
address of the connection gateway.

4. Create a stand-alone installation package based on the created installation package.

5. Deliver the stand-alone installation package to the target computers, either electronically or on a removable
drive.

6. Install Network Agent from the stand-alone package.

External desktop computers are connected to Administration Server.

About connection profiles for out-of-office users

Out-of-office users of laptops (hereinafter also referred to as "devices") may need to change the method of connecting to an Administration Server or switch between Administration Servers depending on the current location of the device on the enterprise network.

Connection profiles are supported only for devices running Windows and macOS.

Using different addresses of a single Administration Server

Devices with Network Agent installed can connect to the Administration Server either from the organization's intranet or from the internet. This situation may require Network Agent to use different addresses for connection to Administration Server: the external Administration Server address for the Internet connection and the internal Administration Server address for the internal network connection.

To do this, you must add a profile (for connection to Administration Server from the Internet) to the Network Agent policy. Add the profile in the policy properties (Connectivity section, Connection profiles subsection). In the profile creation window, you must disable the Use to receive updates only option and select the Synchronize connection settings with the Administration Server settings specified in this profile option. If you use a connection gateway to access Administration Server (for example, in a Kaspersky Security Center configuration such as that described in Internet access: Network Agent as connection gateway in DMZ), you must specify the address of the connection gateway in the corresponding field of the connection profile.

Switching between Administration Servers depending on the current network

If the organization has multiple offices with different Administration Servers and some of the devices with Network Agent installed move between them, you need Network Agent to connect to the Administration Server of the local network in the office where the device is currently located.

In this case, you must create a profile for connection to Administration Server in the properties of the policy of Network Agent for each of the offices, except for the home office where the original home Administration Server is located. You must specify the addresses of Administration Servers in connection profiles and enable or disable the Use to receive updates only option:

Select the option if you need Network Agent to be synchronized with the home Administration Server, while
using the local Server for downloading updates only.

Disable this option if it is necessary for Network Agent to be managed completely by the local Administration
Server.

After that, you must set up the conditions for switching to the newly created profiles: at least one condition for each of the offices, except for the home office. Each condition is meant to detect attributes that are specific to an office's network environment. If a condition is true, the corresponding profile gets activated. If none of the conditions is true, Network Agent switches to the home Administration Server.

Creating a connection profile for out-of-office users

An Administration Server connection profile is available only on devices running Windows and macOS.

To create a profile for connecting Network Agent to Administration Server for out-of-office users:

1. In the console tree, select the administration group containing the client devices for which you need to create a profile for connecting Network Agent to the Administration Server.

2. Do one of the following:

If you want to create a connection profile for all devices in the group, select a Network Agent policy in the group workspace, on the Policies tab. Open the properties window of the selected policy.

If you want to create a connection profile for a device in a group, select that device in the group workspace, on the Devices tab, and perform the following actions:

a. Open the properties window of the selected device.

b. In the Applications section of the device properties window, select Network Agent.

c. Open the Network Agent properties window.

3. In the properties window, in the Connectivity section, select the Connection profiles subsection.

4. In the Administration Server connection profiles settings group, click the Add button.
By default, the list of connection profiles contains the <Offline mode> and <Home Administration Server> profiles. These profiles cannot be edited or removed.
The <Offline mode> profile does not specify any Server for connection. Therefore, Network Agent, when switched to that profile, does not attempt to connect to any Administration Server while applications installed on client devices run under out-of-office work policies. The <Offline mode> profile can be used if devices are disconnected from the network.
The <Home Administration Server> profile specifies the connection to the Administration Server that was selected during Network Agent installation. The <Home Administration Server> profile is applied when a device is reconnected to the home Administration Server after it was running on an external network for some time.

5. In the New profile window that opens, configure the connection profile:

Profile name

In the entry field you can view or change the connection profile name.

Administration Server

Address of the Administration Server to which the client device must connect during profile activation.

Port

Port number that is used for connection.

SSL port

Port number for connection if using the SSL protocol.

Use SSL

If this option is enabled, the connection is established through a secure port, by using SSL protocol.
By default, this option is enabled. We recommend that you do not disable this option so your
connection remains secured.

Click the Configure connection through proxy server link to configure connection through a proxy server. Select the Use proxy server option if you want to use a proxy server when connecting to the internet. If this option is selected, fields are available for entering settings. Specify the following settings for a proxy server connection:

Proxy server address

Address of the proxy server used for Kaspersky Security Center connection to the internet.

Port number

Number of the port through which Kaspersky Security Center proxy connection will be established.

Proxy server authentication

If this check box is selected, in the entry fields you can specify the credentials for proxy server authentication.
This entry field is available if the Use proxy server check box is selected.

User name (this field is available if the Proxy server authentication option is selected)

User account under which connection to the proxy server is established (this field is available if the Proxy server authentication check box is selected).

Password (this field is available if the Proxy server authentication option is selected)

Password set by the user under whose account the proxy server connection is established (this field is available if the Proxy server authentication check box is selected).
To see the entered password, click and hold the Show button for as long as you require.

Connection gateway settings

Address of the gateway through which client devices connect to the Administration Server.

Enable out-of-office mode

If this option is enabled, in case of connection through this profile, applications installed on the client device use policy profiles for devices in out-of-office mode, as well as out-of-office policies. If no out-of-office policy has been defined for the application, the active policy will be used.
If this option is disabled, applications will use active policies.
By default, this option is disabled.

Use to receive updates only

If this option is enabled, the profile will only be used for downloading updates by applications installed on the client device. For other operations, connection to the Administration Server will be established with the initial connection settings defined during Network Agent installation.
By default, this option is enabled.

Synchronize connection settings with the Administration Server settings specified in this profile

If this option is enabled, Network Agent connects to Administration Server using the settings specified in the profile properties.
If this option is disabled, Network Agent connects to Administration Server using the original settings that were specified during installation.
This option is available if the Use to receive updates only option is disabled.
By default, this option is disabled.

6. Select the Enable out-of-office mode when Administration Server is not available option to allow the applications installed on a client device to use policy profiles for devices in out-of-office mode, as well as out-of-office policies, at any connection attempt if the Administration Server is not available. If no out-of-office policy has been defined for the application, the active policy will be used.

A profile for connecting Network Agent to Administration Server is created for out-of-office users. When Network Agent connects to Administration Server by using this profile, applications installed on the client device will use policies for devices in out-of-office mode or out-of-office policies.

About switching Network Agent to other Administration Servers


The initial settings of the Network Agent connection to Administration Server are defined when installing the Network Agent. To switch the Network Agent to other Administration Servers, you can use the switching rules. This feature is supported only for Network Agents installed on devices running Windows or macOS.

The switching rules can trigger on changing the following network parameters:

Default gateway address.

IP address of the Dynamic Host Configuration Protocol (DHCP) server.

DNS suffix of the subnet.

IP address of the network DNS server.

Windows domain accessibility. This parameter is available only for devices running Windows.

Subnet address and mask.

IP address of the network WINS server. This parameter is available only for devices running Windows.

DNS or NetBIOS name of the client device.

SSL connection address accessibility.

If rules for switching the Network Agent to other Administration Servers have been created, the Network Agent
responds to changes in the network parameters as follows:

If the network settings comply with one of the rules created, Network Agent connects to the Administration Server specified in this rule. Applications installed on client devices switch to out-of-office policies, provided such behavior is enabled by a rule.

If none of the rules apply, Network Agent reverts to the default settings of connection to the Administration Server specified during the installation. Applications installed on client devices switch back to active policies.

If the Administration Server is not accessible, Network Agent uses out-of-o ice policies.

Network Agent switches to the out-of-office policy only if the Enable out-of-office mode when Administration Server is not available option is enabled in the Network Agent policy settings.

The settings of Network Agent connection to Administration Server are saved in a connection profile. In the connection profile, you can create rules for switching client devices to out-of-office policies, and you can configure the profile so that it can only be used for downloading updates.

Creating a Network Agent switching rule by network location

Network Agent-switching by network location is available only on devices running Windows and macOS.

To create a rule for Network Agent switching from one Administration Server to another if network settings
change:

1. In the console tree, select the administration group containing the devices for which you need to create a
Network Agent switching rule by the network location description.

2. Do one of the following:

If you want to create a rule for all devices in the group, go to the group workspace and select a Network
Agent policy on the Policies tab. Open the properties window of the selected policy.

If you want to create a rule for a device selected from a group, go to the group workspace, select the device
on the Devices tab, and perform the following actions:

a. Open the properties window of the selected device.

b. In the Applications section of the device properties window, select Network Agent.

c. Open the Network Agent properties window.

3. In the Properties window that opens, in the Connectivity section, select the Connection profiles subsection.

4. In the Network location settings section, click the Add button.

5. In the New description window that opens, configure the network location description and switching rule. Specify the following network location description settings:

Network location description name

The name of a network location description cannot be longer than 255 characters nor contain special symbols, such as ("*<>?\/:|).

Use connection profile

In the drop-down list you can specify the connection profile that Network Agent uses to connect to the Administration Server. This profile will be used when the network location description conditions are met. The connection profile contains the settings for Network Agent connection to the Administration Server; it also defines when client devices must switch to out-of-office policies. The profile is used only for downloading updates.

6. In the Switch conditions section, click the Add button to create a list of network location description
conditions.
The conditions in a rule are combined by using the logical AND operator. To trigger a switching rule by the
network location description, all of the rule switching conditions must be met.

7. In the drop-down list, select the value that corresponds to the change in characteristics of the network to
which the client device is connected:

Default connection gateway address—The address of the main network gateway has changed.

DHCP server address—The IP address of the network Dynamic Host Configuration Protocol (DHCP) server has changed.

DNS domain—The DNS suffix of the subnet has changed.

DNS server address—The IP address of the network DNS server has changed.

Windows domain accessibility (Windows only)—Changes the status of the Windows domain to which the
client device is connected. Use this setting only for devices running Windows.

Subnet—Changes the subnet address and mask.

WINS server address (Windows only)—The IP address of the network WINS server has changed. Use this
setting only for devices running Windows.

Name resolvability—The DNS or NetBIOS name of the client device has changed.

SSL connection address accessibility—The client device can or cannot (depending on the option that you select) establish an SSL connection with a specified Server (name:port). For each server, you can additionally specify an SSL certificate. In this case, the Network Agent verifies the Server certificate in addition to checking the capability of an SSL connection. If the certificate does not match, the connection fails.

8. In the window that opens, specify the condition for Network Agent to be switched to another Administration
Server. The name of the window depends on the value selected during the previous step. Specify the following
settings of the switching condition:

Value

In the field, you can add one or several values for the condition being created.

Matches at least one value from the list

If this option is selected, the condition will be met regardless of any value specified in the Value list.
By default, this option is selected.

Does not match any of the values in the list

If this option is selected, the condition is met if its value is not in the Value list.

9. In the New description window, select the Description enabled option to enable the use of the new network
location description.

A new switching rule by the network location description is created; any time its conditions are met, the Network Agent uses the connection profile specified in the rule to connect to the Administration Server.

The network location descriptions are checked for a match to the network layout in the order of their appearance in the list. If a network matches several descriptions, the first one will be used. You can change the order of rules on the list using the Up button and Down button.

Encrypt communication with TLS


To fix vulnerabilities on your organization's corporate network, you can enable traffic encryption by using the TLS protocol. You can enable TLS encryption protocols and supported cipher suites on Administration Server and iOS MDM Server. Kaspersky Security Center supports the TLS protocol versions 1.0, 1.1, and 1.2. You can select the required encryption protocol and cipher suites.

Kaspersky Security Center uses self-signed certificates. Additional configuration of the iOS devices is not required. You can also use your own certificates. Kaspersky specialists recommend using certificates issued by trusted certificate authorities.

Administration Server

To configure allowed encryption protocols and cipher suites on the Administration Server:

1. Run the Windows command prompt by using administrator rights, and then change your current directory to the directory with the klscflag utility. The klscflag utility is located in the folder where Administration Server is installed. The default installation path is <Disk>:\Program Files (x86)\Kaspersky Lab\Kaspersky Security Center.

2. Use the SrvUseStrictSslSettings flag to configure allowed encryption protocols and cipher suites on Administration Server. Enter the following command at the Windows command prompt:
klscflag -fset -pv ".core/.independent" -s Transport -n SrvUseStrictSslSettings -v <value> -t d
Specify the <value> parameter of the SrvUseStrictSslSettings flag:

4—only the TLS 1.2 protocol is enabled. Cipher suites with TLS_RSA_WITH_AES_256_GCM_SHA384 are also enabled (this cipher suite is needed for backward compatibility with Kaspersky Security Center 11). This is the default value.
Cipher suites supported for the TLS 1.2 protocol:

ECDHE-RSA-AES256-GCM-SHA384

ECDHE-RSA-AES256-SHA384

ECDHE-RSA-CHACHA20-POLY1305

AES256-GCM-SHA384 (cipher suite with TLS_RSA_WITH_AES_256_GCM_SHA384)

ECDHE-RSA-AES128-GCM-SHA256

ECDHE-RSA-AES128-SHA256

5—only the TLS 1.2 protocol is enabled. For the TLS 1.2 protocol, the specific cipher suites listed below are supported.
Cipher suites supported for the TLS 1.2 protocol:

ECDHE-RSA-AES256-GCM-SHA384

ECDHE-RSA-AES256-SHA384

ECDHE-RSA-CHACHA20-POLY1305

ECDHE-RSA-AES128-GCM-SHA256

ECDHE-RSA-AES128-SHA256

We do not recommend using 0, 1, 2, or 3 as the parameter value of the SrvUseStrictSslSettings flag. These parameter values correspond to insecure TLS protocol versions (the TLS 1.0 and TLS 1.1 protocols) and insecure cipher suites and are used only for backward compatibility with earlier Kaspersky Security Center versions.

3. Restart the following Kaspersky Security Center 14 services:

Administration Server

Web Server

Activation Proxy

iOS MDM Server

The connection between the iOS devices and the iOS MDM Server is encrypted by default.

To configure allowed encryption protocols and cipher suites on the iOS MDM Server:

1. Open the system registry of the client device with iOS MDM Server installed (for example, locally, using the regedit command in the Start → Run menu).

2. Go to the following hive:

For 32-bit systems:


HKEY_LOCAL_MACHINE\SOFTWARE\KasperskyLab\Components\34\Connectors\KLIOSMDM\1.0.0.0\Con

For 64-bit systems:
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\KasperskyLab\Components\34\Connectors\KLIOSM

3. Create a key with the StrictSslSettings name.

4. Specify DWORD as the key type.

5. Set the key value:

2—the TLS 1.0, TLS 1.1, and TLS 1.2 protocols are enabled.

3—only the TLS 1.2 protocol is enabled (default value).

6. Restart the Kaspersky Security Center iOS MDM Server service.
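As an added example (not Kaspersky's own code or tooling), the following PowerShell script wraps the klscflag command from step 2 of the Administration Server procedure and then probes the Administration Server's SSL port from a client to confirm that only TLS 1.2 handshakes succeed after the change. It assumes the default installation path given above, port 13000 as the Network Agent SSL port, and a placeholder host name; the Windows service names of the four services to restart are not assumed, so restart them by hand after the flag is set.

```powershell
# Added example, not part of the Kaspersky Security Center documentation.
# Run Set-KscStrictSsl on the Administration Server host (elevated prompt);
# run the probe at the bottom from any Windows client that can reach port 13000.
param(
    [string]$ServerName = 'ksc-server.example.local',  # placeholder, replace with your server
    [int]$Port = 13000,                                 # Network Agent SSL port (assumption)
    [int]$StrictSslValue = 5                            # 4 (default) or 5, as documented above
)

function Set-KscStrictSsl {
    param([ValidateSet(4, 5)][int]$Value)
    # Default installation folder from the manual; adjust if installed elsewhere.
    $kscDir = Join-Path ${env:ProgramFiles(x86)} 'Kaspersky Lab\Kaspersky Security Center'
    $klscflag = Join-Path $kscDir 'klscflag.exe'
    if (-not (Test-Path $klscflag)) { throw "klscflag not found at $klscflag" }
    # The documented command, with <value> substituted.
    & $klscflag -fset -pv '.core/.independent' -s Transport -n SrvUseStrictSslSettings -v $Value -t d
    if ($LASTEXITCODE -ne 0) { throw "klscflag exited with code $LASTEXITCODE" }
    Write-Host "SrvUseStrictSslSettings set to $Value. Now restart the Administration Server," `
               "Web Server, Activation Proxy and iOS MDM Server services as documented."
}

function Test-KscTlsVersion {
    # Offers exactly one TLS version to the server and reports whether the handshake completed.
    param(
        [string]$ComputerName,
        [int]$Port,
        [System.Security.Authentication.SslProtocols]$Protocol
    )
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $client.Connect($ComputerName, $Port)
        # Certificate trust is not under test here (KSC uses self-signed certificates by
        # default), so the validation callback accepts any certificate for this probe only.
        $accept = [System.Net.Security.RemoteCertificateValidationCallback]{
            param($sender, $cert, $chain, $errors) $true
        }
        $ssl = New-Object System.Net.Security.SslStream($client.GetStream(), $false, $accept)
        $ssl.AuthenticateAsClient($ComputerName, $null, $Protocol, $false)
        [pscustomobject]@{
            Offered    = $Protocol
            Accepted   = $true
            Negotiated = $ssl.SslProtocol
            Cipher     = "$($ssl.CipherAlgorithm)/$($ssl.CipherStrength)"
            Detail     = "$($ssl.KeyExchangeAlgorithm)"
        }
    } catch {
        # A refused handshake is the desired result for TLS 1.0 and 1.1 once the flag is 4 or 5.
        # Caveat: if the probing client itself has TLS 1.0/1.1 disabled in SCHANNEL, a failure
        # here proves nothing about the server; the exception type helps tell the two apart.
        [pscustomobject]@{
            Offered    = $Protocol
            Accepted   = $false
            Negotiated = $null
            Cipher     = $null
            Detail     = $_.Exception.GetType().Name
        }
    } finally {
        $client.Dispose()
    }
}

# Uncomment on the Administration Server host to apply the setting:
# Set-KscStrictSsl -Value $StrictSslValue

# Probe each version separately; only Tls12 should report Accepted = True.
$results = foreach ($name in 'Tls', 'Tls11', 'Tls12') {
    Test-KscTlsVersion -ComputerName $ServerName -Port $Port `
        -Protocol ([System.Security.Authentication.SslProtocols]$name)
}
$results | Format-Table -AutoSize

$weak = $results | Where-Object { $_.Accepted -and $_.Offered -ne 'Tls12' }
if ($weak) {
    Write-Warning "Server still accepts: $(($weak | ForEach-Object { $_.Offered }) -join ', ')"
} else {
    Write-Host "Only TLS 1.2 is accepted on ${ServerName}:$Port"
}
```

The same probe can be pointed at the iOS MDM Server port after the StrictSslSettings registry value is set, since the expected outcome (TLS 1.2 only with value 3) is the same.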

Notifications of events

This section describes how to select a method for delivering administrator notifications about events on client devices, and how to configure event notification settings.

It also describes how to test the distribution of event notifications by using the Eicar test virus.

Configuring event notification

Kaspersky Security Center allows you to select a method of notifying the administrator of events on client devices and to configure notification:

Email. When an event occurs, the application sends a notification to the email addresses specified. You can edit the text of the notification.

SMS. When an event occurs, the application sends a notification to the phone numbers specified. You can configure SMS notifications to be sent through the mail gateway.

Executable file. When an event occurs on a device, the executable file is started on the administrator's workstation. Using the executable file, the administrator can receive the parameters of any event that has occurred.

To configure notification of events occurring on client devices:

1. In the console tree, select the node with the name of the required Administration Server.

2. In the workspace of the node, select the Events tab.

3. Click the Configure notifications and event export link and select the Configure notifications value in the drop-down list.
This opens the Properties: Events window.

4. In the Notification section, select a notification method (by email, by SMS, or by running an executable file) and define the notification settings:

Email

The Email tab allows you to configure email notifications for events.
In the Recipients (email addresses) field, specify the email addresses to which the application will send notifications. You can specify multiple addresses in this field, by separating them with semicolons.
In the SMTP servers field, specify mail server addresses, separating them with semicolons. You can use the following values:
IPv4 or IPv6 address

Windows network name (NetBIOS name) of the device

DNS name of the SMTP server


In the SMTP server port field, specify the number of an SMTP server communication port. The default port number is 25.
If you enable the Use DNS MX lookup option, you can use several MX records of the IP addresses for the same DNS name of the SMTP server. The same DNS name may have several MX records with different values of priority of receiving email messages. Administration Server attempts to send email notifications to the SMTP server in ascending order of MX records priority. By default, this option is disabled.

If you enable the Use DNS MX lookup option and do not enable usage of TLS settings, we recommend that you use the DNSSEC settings on your server device as an additional measure of protection for sending email notifications.

Click the Settings link to define additional notification settings:


Subject name (subject name of an email message)

Sender email address

ESMTP authentication settings


You have to specify an account for authentication on an SMTP server if the ESMTP authentication
option is enabled for the SMTP server.
TLS settings for the SMTP server:

Do not use TLS

You can select this option if you want to disable encryption of email messages.

Use TLS if supported by SMTP server

You can select this option if you want to use a TLS connection to an SMTP server. If the SMTP server does not support TLS, Administration Server connects to the SMTP server without using TLS.

Always use TLS, check the server certificate for validity

You can select this option if you want to use TLS authentication settings. If the SMTP server does not support TLS, Administration Server cannot connect to the SMTP server.

We recommend that you use this option for better protection of the connection with an SMTP
server. If you select this option, you can set authentication settings for a TLS connection.

307
If you choose Always use TLS, check the server certi cate for validity value, you can specify a
certi cate for authentication of the SMTP server and choose whether you want to enable
communication through any version of TLS or only through TLS 1.2 or later versions. Also, you can
specify a certi cate for client authentication on the SMTP server.
You can specify TLS settings for an SMTP server:

Browse for an SMTP server certi cate le:

You can receive a le with the list of certi cates from a trusted certi cation authority and upload the
le to Administration Server. Kaspersky Security Center checks whether the certi cate of an SMTP
server is also signed by a trusted certi cation authority. Kaspersky Security Center cannot connect to
an SMTP server if the certi cate of the SMTP server is not received from a trusted certi cation
authority.

Browse for a client certi cate le:

You can use a certi cate that you received from any source, for example, from any trusted certi cation
authority. You must specify the certi cate and its private key by using one of the following certi cate
types:

X-509 certi cate:

You must specify a le with the certi cate and a le with the private key. Both les do not depend on
each other and the order of loading of the les is not signi cant. When both les are loaded, you must
specify the password for decoding the private key. The password can have an empty value if the private
key is not encoded.

pkcs12 container:

You must upload a single le that contains the certi cate and its private key. When the le is loaded, you
must then specify the password for decoding the private key. The password can have an empty value if
the private key is not encoded.
The Noti cation message eld contains standard text with information about the event that the
application sends when an event occurs. This text includes substitute parameters, such as event name,
device name, and domain name. You can edit the message text by adding other substitute parameters
with more relevant details of the event. The list of substitute parameters is available by clicking the
button to the right of the eld.
If the noti cation text contains a percent sign (%), you have to type it twice in a row to allow message
sending. For example, "CPU load is 100%%".
Click the Con gure numeric limit of noti cations link to specify the maximum number of noti cations
that the application can send during the speci ed time interval.
Click the Send test message button to check if you have con gured noti cations properly. The
application should send a test noti cation to the email addresses that you speci ed.
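The MX ordering and the three TLS modes described above, as an added example rather than code from the page or from Kaspersky: a small SMTP client built on Python's standard smtplib and ssl modules. The function names, the constructed MX list and the fictional domain example.test are assumptions. It goes slightly beyond the page in that it also splits the semicolon-separated Recipients field.

```python
# Added example (not Kaspersky code): an SMTP notification sender that mirrors the
# Email settings described above. Names, the constructed MX list and the
# domain "example.test" are assumptions, not values from the page.
import smtplib
import ssl
from email.message import EmailMessage
from typing import List, Optional, Tuple

# The three TLS choices offered under Settings.
NO_TLS = "Do not use TLS"
OPPORTUNISTIC_TLS = "Use TLS if supported by SMTP server"
STRICT_TLS = "Always use TLS, check the server certificate for validity"

# Constructed MX records (priority, host) for a fictional domain. A real
# deployment gets these from a DNS resolver, ideally DNSSEC-validated, which
# is the point of the DNSSEC recommendation on the page.
SAMPLE_MX = [(20, "mx2.example.test"), (10, "mx1.example.test"), (30, "mx3.example.test")]


def parse_recipients(field: str) -> List[str]:
    """Split the semicolon-separated Recipients field into clean addresses."""
    return [a.strip() for a in field.split(";") if a.strip()]


def order_mx(records: List[Tuple[int, str]]) -> List[str]:
    """Hosts in ascending MX priority: the lowest value is tried first, which
    is the order the page gives for Administration Server."""
    return [host for _, host in sorted(records, key=lambda r: r[0])]


def build_tls_context(ca_file: Optional[str] = None,
                      client_cert: Optional[Tuple[str, str]] = None,
                      key_password: Optional[str] = None,
                      tls12_or_later: bool = True) -> ssl.SSLContext:
    """Context for the strict mode: the server certificate must chain to the
    CA file (or the system store when ca_file is None), the hostname is
    checked, and TLS 1.2 is the floor when tls12_or_later is set. client_cert
    is a (cert_pem, key_pem) pair, i.e. the X-509 certificate choice on the
    page; Python's ssl reads PEM only, so a pkcs12 container must be converted
    (for example with openssl pkcs12) before it can be used here."""
    ctx = ssl.create_default_context(purpose=ssl.Purpose.SERVER_AUTH, cafile=ca_file)
    ctx.check_hostname = True
    ctx.verify_mode = ssl.CERT_REQUIRED
    if tls12_or_later:
        ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    if client_cert is not None:
        cert_pem, key_pem = client_cert
        ctx.load_cert_chain(cert_pem, key_pem, password=key_password)
    return ctx


def enforces_verification_and_tls12(ctx: ssl.SSLContext) -> bool:
    """True when a context really enforces the 'Always use TLS' guarantees."""
    return (ctx.verify_mode == ssl.CERT_REQUIRED and ctx.check_hostname
            and ctx.minimum_version == ssl.TLSVersion.TLSv1_2)


def build_message(sender: str, recipients: List[str], subject: str, body: str) -> EmailMessage:
    """Sender email address, Subject name and Recipients, as on the page."""
    msg = EmailMessage()
    msg["From"] = sender
    msg["To"] = ", ".join(recipients)
    msg["Subject"] = subject
    msg.set_content(body)
    return msg


def send_notification(mx_hosts: List[str], port: int, msg: EmailMessage, mode: str,
                      ctx: Optional[ssl.SSLContext] = None,
                      auth: Optional[Tuple[str, str]] = None, timeout: float = 10.0) -> str:
    """Try each MX host in order and return the one that accepted the message.
    The three modes follow the options on the page."""
    last_error: Optional[Exception] = None
    for host in mx_hosts:
        try:
            with smtplib.SMTP(host, port, timeout=timeout) as smtp:
                smtp.ehlo()
                if mode == STRICT_TLS:
                    # starttls() raises SMTPNotSupportedError when the server
                    # offers no STARTTLS, so the strict mode never falls back.
                    smtp.starttls(context=ctx or build_tls_context())
                    smtp.ehlo()
                elif mode == OPPORTUNISTIC_TLS and smtp.has_extn("starttls"):
                    # Silent plaintext fallback when STARTTLS is missing; an
                    # on-path attacker who strips the capability downgrades the
                    # session, which is why the page prefers the strict mode.
                    smtp.starttls(context=ctx or build_tls_context())
                    smtp.ehlo()
                if auth is not None:
                    smtp.login(*auth)   # ESMTP authentication settings
                smtp.send_message(msg)
                return host
        except (OSError, smtplib.SMTPException) as exc:
            last_error = exc   # includes ssl.SSLError on a failed certificate check
    raise RuntimeError(f"no MX host accepted the message: {last_error!r}")
```

A send looks like `send_notification(order_mx(SAMPLE_MX), 25, build_message(...), STRICT_TLS, ctx=build_tls_context("ca-bundle.pem"))`; the strict mode is the only one of the three in which a missing STARTTLS capability or an untrusted server certificate aborts delivery instead of silently continuing.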

SMS

The SMS tab allows you to configure the transmission of SMS notifications of various events to a cell
phone. SMS messages are sent through a mail gateway.
In the Recipients (email addresses) field, specify the email addresses to which the application will send
notifications. You can specify multiple addresses in this field by separating them with semicolons. The
notifications will be delivered to the phone numbers associated with the specified email addresses.
In the SMTP servers field, specify mail server addresses, separating them with semicolons. You can use
the following values:
IPv4 or IPv6 address

Windows network name (NetBIOS name) of the device

DNS name of the SMTP server

In the SMTP server port field, specify the number of the SMTP server communication port. The default
port number is 25.
Click the Settings link to define additional notification settings:
Subject name (subject name of an email message)

Sender email address

ESMTP authentication settings

If necessary, you can specify an account for authentication on an SMTP server if the option of ESMTP
authentication is enabled for the SMTP server.
TLS settings for an SMTP server
You can disable usage of TLS, use TLS if the SMTP server supports this protocol, or you can force
usage of TLS only. If you choose to use only TLS, you can specify a certificate for authentication of the
SMTP server and choose whether you want to enable communication through any version of TLS or
only through TLS 1.2 or later versions. Also, if you choose to use only TLS, you can specify a certificate
for client authentication on the SMTP server.
Browse for an SMTP server certificate file
You can receive a file with the list of certificates from a trusted certification authority and upload the
file to Kaspersky Security Center. Kaspersky Security Center checks whether the certificate of the
SMTP server is also signed by a trusted certification authority. Kaspersky Security Center cannot
connect to the SMTP server if the certificate of the SMTP server is not issued by a trusted
certification authority.
You must upload a single file that contains the certificate and its private key. When the file is loaded, you
must then specify the password for decrypting the private key. The password can be empty if
the private key is not encrypted.
The Notification message field contains standard text with information
about the event that the application sends when an event occurs. This text includes substitute
parameters, such as event name, device name, and domain name. You can edit the message text by
adding other substitute parameters with more relevant details of the event. The list of substitute
parameters is available by clicking the button to the right of the field.
If the notification text contains a percent sign (%), you have to type it twice in a row to allow message
sending. For example, "CPU load is 100%%".
Click the Configure numeric limit of notifications link to specify the maximum number of notifications
that the application can send during the specified time interval.
Click the Send test message button to check whether you configured notifications properly. The
application should send a test notification to the recipient that you specified.

Executable file to be run

If this notification method is selected, in the entry field you can specify the application that will start
when an event occurs.
Clicking the Configure numeric limit of notifications link allows you to specify the maximum number of
notifications that the application can send during the specified time interval.
Clicking the Send test message button allows you to check whether you configured notifications
properly: the application sends a test notification to the email addresses that you specified.

5. In the Notification message field, enter the text that the application will send when an event occurs.
You can use the drop-down list to the right of the text field to add substitution settings with event details (for
example, event description, or time of occurrence).

If the notification text contains a percent sign (%), you must specify it twice in succession to allow message
sending. For example, "CPU load is 100%%".

6. Click the Send test message button to check whether the notification has been configured correctly.
The application sends a test notification to the specified user.

7. Click OK to save the changes.

The re-adjusted notification settings are applied to all events that occur on client devices.

You can override notification settings for certain events in the Event configuration section of the Administration
Server settings, of the policy settings, or of the application settings.

Testing notifications

To check whether event notifications are sent, the application uses the notification of the EICAR test "virus"
detection on client devices.

To verify sending of event notifications:

1. Stop the real-time file system protection task on a client device and copy the EICAR test "virus" to that client
device. Then re-enable real-time protection of the file system.

2. Run a scan task for client devices in an administration group or for specific devices, including the one with the
EICAR "virus".
If the scan task is configured correctly, the test "virus" will be detected. If notifications are configured correctly,
you are notified that a virus has been detected.
In the workspace of the Administration Server node, on the Events tab, the Recent events selection displays
a record of detection of a "virus".

The EICAR test "virus" contains no code that can do harm to your device. However, most manufacturers'
security applications identify this file as a virus. You can download the test "virus" from the official EICAR
website.

Event notifications displayed by running an executable file
Kaspersky Security Center can notify the administrator about events on client devices by running an executable
file. The executable file must launch another executable file that is passed placeholders describing the event to be relayed to the
administrator.

Placeholders for describing an event

Placeholder                              Placeholder description

%SEVERITY%                               Event importance level

%COMPUTER%                               Name of the device where the event occurred

%DOMAIN%                                 Domain

%EVENT%                                  Event

%DESCR%                                  Event description

%RISE_TIME%                              Time created

%KLCSAK_EVENT_TASK_DISPLAY_NAME%         Task name

%KL_PRODUCT%                             Kaspersky Security Center Network Agent

%KL_VERSION%                             Network Agent version number

%HOST_IP%                                IP address

%HOST_CONN_IP%                           Connection IP address

Example:
Event notifications are sent by an executable file (such as script1.bat) inside which another executable file
(such as script2.bat) with the %COMPUTER% placeholder is launched. When an event occurs, the script1.bat
file is run on the administrator's device, which, in turn, runs the script2.bat file with the %COMPUTER%
placeholder. The administrator then receives the name of the device where the event occurred.
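The placeholder expansion from the table above and the rule, stated in the Email and SMS sections, that a literal percent sign must be typed as %%, as an added example that is not code from the page or from Kaspersky. The function names and the constructed SAMPLE_EVENT are assumptions; the script names script1.bat and script2.bat are the page's own. The example also shows why the inner executable should receive rendered values as separate arguments rather than as one shell string.

```python
# Added example (not Kaspersky code): rendering notification text and the
# arguments of an event-driven executable from the placeholder table above.
# Function names and the constructed SAMPLE_EVENT are assumptions.
import subprocess
from typing import Dict, List

# Placeholders and their meaning, as listed on the page.
PLACEHOLDERS = {
    "%SEVERITY%": "Event importance level",
    "%COMPUTER%": "Name of the device where the event occurred",
    "%DOMAIN%": "Domain",
    "%EVENT%": "Event",
    "%DESCR%": "Event description",
    "%RISE_TIME%": "Time created",
    "%KLCSAK_EVENT_TASK_DISPLAY_NAME%": "Task name",
    "%KL_PRODUCT%": "Kaspersky Security Center Network Agent",
    "%KL_VERSION%": "Network Agent version number",
    "%HOST_IP%": "IP address",
    "%HOST_CONN_IP%": "Connection IP address",
}

# Constructed event, not a real detection record.
SAMPLE_EVENT = {
    "%SEVERITY%": "Critical",
    "%COMPUTER%": "WS-042",
    "%DOMAIN%": "CORP",
    "%EVENT%": "Malicious object detected",
    "%DESCR%": "Object name: EICAR-Test-File; action: deleted",
    "%RISE_TIME%": "2023-03-01 12:00:00",
    "%KLCSAK_EVENT_TASK_DISPLAY_NAME%": "Virus scan",
    "%KL_PRODUCT%": "Kaspersky Security Center Network Agent",
    "%KL_VERSION%": "14.0.0.0",
    "%HOST_IP%": "10.0.0.42",
    "%HOST_CONN_IP%": "10.0.0.42",
}


def render(template: str, event: Dict[str, str]) -> str:
    """Expand %NAME% placeholders; '%%' yields a literal percent sign, and a
    lone '%' is rejected, which is the rule the page states for message text.
    Substituted values are copied verbatim and never re-scanned, so a device
    name containing '%' cannot smuggle in a second placeholder."""
    out: List[str] = []
    i, n = 0, len(template)
    while i < n:
        if template[i] != "%":
            out.append(template[i])
            i += 1
        elif template.startswith("%%", i):
            out.append("%")
            i += 2
        else:
            end = template.find("%", i + 1)
            if end == -1:
                raise ValueError(f"unterminated placeholder at offset {i}")
            name = template[i:end + 1]
            if name not in event:
                raise ValueError(f"unknown placeholder {name!r}; write a literal percent sign as %%")
            out.append(str(event[name]))
            i = end + 1
    return "".join(out)


def escape_literal(text: str) -> str:
    """Prepare free text for inclusion in a template by doubling percent signs."""
    return text.replace("%", "%%")


def is_well_formed(template: str) -> bool:
    """Check a template against the full placeholder set without needing an event."""
    try:
        render(template, dict.fromkeys(PLACEHOLDERS, ""))
        return True
    except ValueError:
        return False


def build_command(argv_template: List[str], event: Dict[str, str]) -> List[str]:
    """Render each argument of the inner executable (script2.bat on the page)
    separately and return an argv list. Handing a list to subprocess with
    shell=False keeps a device name such as 'WS-1 & whoami' as one argument
    instead of letting a command interpreter parse it."""
    return [render(arg, event) for arg in argv_template]


def run_handler(argv_template: List[str], event: Dict[str, str]) -> int:
    """Launch the handler for one event (what script1.bat does) and return its exit code."""
    return subprocess.run(build_command(argv_template, event), shell=False, check=False).returncode
```

A handler invocation such as `run_handler(["script2.bat", "%COMPUTER%", "%SEVERITY%"], event)` passes the rendered device name and severity as two separate arguments; `is_well_formed` is what a validation step in the notification settings would call before saving a template.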

Configuring the interface

You can configure the Kaspersky Security Center interface:

Show and hide objects in the console tree, workspace, and properties windows of objects (folders, sections),
depending on the features being used.

Show and hide elements of the main window (for example, the console tree or standard menus such as Actions and
View).

To configure the Kaspersky Security Center interface in accordance with the currently used set of features:

1. In the console tree, select the Administration Server node.

2. On the menu bar of the main application window, select View → Configure interface.

3. In the Configure interface window that opens, configure the display of interface elements using the following
check boxes:

Display Vulnerability and Patch Management

If this option is enabled, the Remote installation folder displays the Deploy device images subfolder,
and the Repositories folder displays the Hardware subfolder.
This option is disabled by default if the Quick Start Wizard has not finished. This option is enabled by
default after the Quick Start Wizard has finished.

Display data encryption and protection

If this option is enabled, the console tree displays the Data encryption and protection folder.
By default, this option is enabled.

Display endpoint control settings

If this option is enabled, the following subsections are displayed in the Security Controls section of the
properties window of the Kaspersky Endpoint Security for Windows policy:
Application Control

Device Control

Web Control

Adaptive Anomaly Control

If this option is disabled, these subsections are not displayed in the Security Controls section.
By default, this option is enabled.

Display Mobile Device Management

If this option is enabled, the Mobile Device Management feature is available. After you restart the
application, the console tree displays the Mobile devices folder.
By default, this option is enabled.

Display secondary Administration Servers

If the check box is selected, the console tree displays the nodes of secondary and virtual
Administration Servers within administration groups. The features connected with secondary and
virtual Administration Servers (for example, creation of tasks for remote installation of applications on
secondary Administration Servers) are available in that case.
By default, this check box is cleared.

Display security settings sections

If this option is enabled, the Security section is displayed in the properties window of Administration
Server, administration groups, and other objects. This option allows you to give users and user groups
custom permissions for working with objects.
By default, this option is disabled.

4. Click OK.

To apply some of the changes, you have to close the main application window and then open it again.

To configure the display of elements in the main application window:

1. On the menu bar of the main application window, select View → Configure.

2. In the Configure view window that opens, configure the display of main window elements by using the check boxes.

3. Click OK.

Discovering networked devices

This section describes steps you must take after the Kaspersky Security Center installation.

Scenario: Discovering networked devices

You must perform device discovery before installation of the security applications. When all networked devices are
discovered, you can receive information about them and manage them through policies. Regular network polls are
needed to discover whether there are any new devices and whether previously discovered devices are still on the
network.

Before you start network polling, make sure that the SMB protocol is enabled. Otherwise, Kaspersky Security
Center cannot discover devices in the polled network. To enable the SMB protocol, follow the instructions for
your operating system.

Discovery of networked devices proceeds in stages:

1 Initial device discovery

The Quick Start Wizard guides you through initial device discovery, and helps you find networked devices such
as computers, tablets, and mobile phones. You can also perform device discovery manually.

2 Configuring future polls

Decide which type(s) of discovery you want to use regularly. Make sure that this type is enabled and that the poll
schedule meets the needs of your organization. When configuring the poll schedule, use the recommendations
for network polling frequency.

3 Setting up rules for adding discovered devices to administration groups (optional)

If new devices appear on your network, they are discovered during regular polls and are automatically included in
the Unassigned devices group. If you want, you can set up rules for automatically moving these devices to
the Managed devices group. You can also establish retention rules.

If you skip this rule-setting stage, all newly discovered devices go to the Unassigned devices group and stay
there. If you want, you can move these devices to the Managed devices group manually. If you move the devices
to the Managed devices group manually, you can analyze information about each device and decide whether
you want to move it to an administration group, and, if so, to which group.

Results

Completion of the scenario yields the following:

Kaspersky Security Center Administration Server discovers the devices that are on the network and provides
you with information about them.

Future polls are set up and are conducted according to the specified schedule.

The newly discovered devices are arranged according to the configured rules. (Or, if no rules are configured, the
devices stay in the Unassigned devices group.)

Unassigned devices
This section provides information about how to manage devices on an enterprise network if they are not included
in an administration group.

Device discovery
This section describes the types of device discovery available in Kaspersky Security Center and provides
information about using each type.

The Administration Server receives information about the structure of the network and the devices on this network
through regular polling. The information is recorded in the Administration Server database. Administration Server
can use the following types of polling:

Windows network polling. The Administration Server can perform two kinds of Windows network poll: quick
and full. During a quick poll, the Administration Server only retrieves information from the list of the NetBIOS
names of devices in all network domains and workgroups. During a full poll, more information is requested from
each client device, such as operating system name, IP address, DNS name, and NetBIOS name. By default, both
quick poll and full poll are enabled. Windows network polling may fail to discover devices, for example, if the
ports UDP 137, UDP 138, and TCP 139 are closed on the router or by the firewall.

Active Directory polling. The Administration Server retrieves information about the Active Directory unit
structure and about DNS names of the devices from Active Directory groups. By default, this type of polling is
enabled. We recommend that you use Active Directory polling if you use Active Directory; otherwise, the
Administration Server does not discover any devices. If you use Active Directory but some of the networked
devices are not listed as members, these devices cannot be discovered by Active Directory polling.

IP range polling. The Administration Server polls the specified IP ranges using ICMP packets or the NBNS
protocol and compiles a complete set of data on devices within those IP ranges. By default, this type of polling
is disabled. It is not recommended to use this type of polling if you use Windows network polling and/or Active
Directory polling.

Zeroconf polling. A distribution point polls the IPv6 network by using zero-configuration networking (also
referred to as Zeroconf). By default, this type of polling is disabled. You can use Zeroconf polling if the
distribution point runs Linux.

If you have set up and enabled device moving rules, the newly discovered devices are automatically included in the
Managed devices group. If no moving rules have been enabled, the newly discovered devices are automatically
included in the Unassigned devices group.

You can modify device discovery settings for each type. For example, you may want to modify the polling schedule
or to set whether to poll the entire Active Directory forest or only a specific domain.

Before you start network polling, make sure that the SMB protocol is enabled. Otherwise, Kaspersky Security
Center cannot discover devices in the polled network. To enable the SMB protocol, follow the instructions for
your operating system.

Windows network polling

About Windows network polling

During a quick poll, the Administration Server only retrieves information from the list of the NetBIOS names of
devices in all network domains and workgroups. During a full poll, the following information is requested from each
client device:

Operating system name

IP address

DNS name

NetBIOS name

Both quick polls and full polls require the following:

Ports UDP 137/138, TCP 139, UDP 445, and TCP 445 must be available in the network.

The SMB protocol is enabled.

The Microsoft Computer Browser service must be used, and the primary browser computer must be enabled
on the Administration Server.

The Microsoft Computer Browser service must be used, and the primary browser computer must be enabled
on the client devices:

On at least one device, if the number of networked devices does not exceed 32.

On at least one device for each 32 networked devices.

The full poll can run only if the quick poll has run at least once.

Viewing and modifying the settings for Windows network polling

To modify the settings for Windows network polling:

1. In the console tree, in the Device discovery folder, select the Domains subfolder.
You can proceed from the Unassigned devices folder to the Device discovery folder by clicking the Poll now
button.
In the workspace of the Domains subfolder, the list of the devices is displayed.

2. Click Poll now.

The domain properties window opens. If you want, modify the settings of Windows network polling:

Enable Windows network polling

This option is selected by default. If you do not want to perform Windows network polling (for example, if
you think that Active Directory polling is enough), you can unselect this option.

Set quick polling schedule

The default period is 15 minutes.

During a quick poll, the Administration Server only retrieves information from the list of the NetBIOS
names of devices in all network domains and workgroups.
The data received at the next polling completely replaces the old data.
The following polling schedule options are available:
Every N days

The polling runs regularly, with the specified interval in days, starting from the specified date
and time.
By default, the polling runs every day, starting from the current system date and time.

Every N minutes

The polling runs regularly, with the specified interval in minutes, starting from the specified
time.
By default, the polling runs every five minutes, starting from the current system time.

By days of week

The polling runs regularly, on the specified days of the week, and at the specified time.
By default, the polling runs every Friday at 6:00:00 PM.

Every month on specified days of selected weeks

The polling runs regularly, on the specified days of each month, and at the specified time.
By default, no days of the month are selected; the default start time is 6:00:00 PM.

Run missed tasks

If the Administration Server is switched off or unavailable during the time for which the poll is
scheduled, the Administration Server can either start the poll immediately after it is switched
on, or wait for the next time for which the poll is scheduled.
If this option is enabled, the Administration Server starts polling immediately after it is
switched on.
If this option is disabled, the Administration Server waits for the next time for which the
polling is scheduled.
By default, this option is enabled.

Set full polling schedule

The default period is one hour. The data received at the next polling completely replaces the old data.
The following polling schedule options are available:
Every N days

The polling runs regularly, with the specified interval in days, starting from the specified date
and time.
By default, the polling runs every day, starting from the current system date and time.

Every N minutes

The polling runs regularly, with the specified interval in minutes, starting from the specified
time.
By default, the polling runs every five minutes, starting from the current system time.

By days of week

The polling runs regularly, on the specified days of the week, and at the specified time.
By default, the polling runs every Friday at 6:00:00 PM.

Every month on specified days of selected weeks

The polling runs regularly, on the specified days of each month, and at the specified time.
By default, no days of the month are selected; the default start time is 6:00:00 PM.

Run missed tasks

If the Administration Server is switched off or unavailable during the time for which the poll is
scheduled, the Administration Server can either start the poll immediately after it is switched
on, or wait for the next time for which the poll is scheduled.
If this option is enabled, the Administration Server starts polling immediately after it is
switched on.
If this option is disabled, the Administration Server waits for the next time for which the
polling is scheduled.
By default, this option is enabled.

If you want to perform the poll immediately, click Poll now. Both types of polls will start.

On the virtual Administration Server, you can view and edit the polling settings of the Windows network in the
properties window of the distribution point, in the Device discovery section.
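The polling schedule options and the Run missed tasks rule described above (the same options recur in the Active Directory and IP range polling settings), as an added example that is not code from the page or from Kaspersky. It models the Every N minutes and By days of week schedules and works out what the server does after an outage; the class and function names and the constructed outage times are assumptions, and the Every N days and monthly options, which follow the same pattern, are not modelled.

```python
# Added example (not Kaspersky code): the "Every N minutes" and "By days of
# week" schedules and the "Run missed tasks" rule from the polling settings
# above. Class and function names are assumptions; the "Every N days" and
# monthly options follow the same pattern and are omitted.
from dataclasses import dataclass
from datetime import datetime, time, timedelta
from typing import Dict, List, Set, Union


@dataclass
class EveryNMinutes:
    interval: int       # minutes between polls
    start: datetime     # the specified start time

    def next_after(self, t: datetime) -> datetime:
        """First scheduled instant strictly later than t."""
        if t < self.start:
            return self.start
        elapsed = (t - self.start) // timedelta(minutes=self.interval)
        return self.start + timedelta(minutes=self.interval * (elapsed + 1))


@dataclass
class ByDaysOfWeek:
    days: Set[int]      # 0 = Monday ... 6 = Sunday
    at: time            # the specified time of day

    def next_after(self, t: datetime) -> datetime:
        """First scheduled instant strictly later than t (at most 7 days ahead)."""
        for offset in range(8):
            day = (t + timedelta(days=offset)).date()
            if day.weekday() in self.days:
                candidate = datetime.combine(day, self.at)
                if candidate > t:
                    return candidate
        raise ValueError("no days of week selected")


Schedule = Union[EveryNMinutes, ByDaysOfWeek]


def missed_polls(schedule: Schedule, down_from: datetime, up_at: datetime) -> List[datetime]:
    """Scheduled instants that fell while the server was switched off."""
    missed = []
    t = schedule.next_after(down_from)
    while t <= up_at:
        missed.append(t)
        t = schedule.next_after(t)
    return missed


def next_poll_on_startup(schedule: Schedule, down_from: datetime, up_at: datetime,
                         run_missed: bool) -> datetime:
    """With Run missed tasks enabled, a poll that was due during the outage
    starts immediately at up_at; otherwise the server waits for the next slot.
    Note the gap this creates: with the option disabled, a weekly poll missed on
    Friday evening is not repeated until the following Friday, so new or
    departed devices stay unnoticed for a week."""
    if run_missed and missed_polls(schedule, down_from, up_at):
        return up_at
    return schedule.next_after(up_at)


def demo() -> Dict[str, object]:
    """Constructed outage: quick poll every 15 minutes from 08:00, server down
    from 09:05 to 09:50 on Monday 2023-01-02; plus the default Friday 18:00 schedule."""
    quick = EveryNMinutes(interval=15, start=datetime(2023, 1, 2, 8, 0))
    weekly = ByDaysOfWeek(days={4}, at=time(18, 0))      # 4 = Friday
    down_from = datetime(2023, 1, 2, 9, 5)
    up_at = datetime(2023, 1, 2, 9, 50)
    return {
        "missed": [t.isoformat() for t in missed_polls(quick, down_from, up_at)],
        "run_missed_on": next_poll_on_startup(quick, down_from, up_at, True).isoformat(),
        "run_missed_off": next_poll_on_startup(quick, down_from, up_at, False).isoformat(),
        "weekly_next": next_poll_on_startup(weekly, down_from, up_at, True).isoformat(),
    }
```

For the constructed outage, three quick polls (09:15, 09:30, 09:45) are missed; with Run missed tasks enabled the server polls at 09:50 as soon as it is back, and with it disabled the next poll waits until 10:00.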

Active Directory polling

Use Active Directory polling if you use Active Directory; otherwise, it is recommended to use other poll types. If
you use Active Directory but some of the networked devices are not listed as members, these devices cannot be
discovered by Active Directory polling.

Before you start network polling, make sure that the SMB protocol is enabled. Otherwise, Kaspersky Security
Center cannot discover devices in the polled network. To enable the SMB protocol, follow the instructions for
your operating system.

Viewing and modifying the settings for Active Directory polling

To view and modify the settings for polling Active Directory groups:

1. In the console tree, in the Device discovery folder, select the Active Directory subfolder.
Alternatively, you can proceed from the Unassigned devices folder to the Device discovery folder by clicking
the Poll now button.

2. Click Configure polling.

The Active Directory properties window opens. If you want, modify the settings of Active Directory group
polling:

Enable Active Directory polling

This option is selected by default. However, if you do not use Active Directory, the poll does not retrieve
any results. In this case, you can unselect this option.

Set polling schedule

The default period is one hour. The data received at the next polling completely replaces the old data.
The following polling schedule options are available:
Every N days

The polling runs regularly, with the specified interval in days, starting from the specified date
and time.
By default, the polling runs every day, starting from the current system date and time.

Every N minutes

The polling runs regularly, with the specified interval in minutes, starting from the specified
time.
By default, the polling runs every five minutes, starting from the current system time.

By days of week

The polling runs regularly, on the specified days of the week, and at the specified time.
By default, the polling runs every Friday at 6:00:00 PM.

Every month on specified days of selected weeks

The polling runs regularly, on the specified days of each month, and at the specified time.
By default, no days of the month are selected; the default start time is 6:00:00 PM.

Run missed tasks

If the Administration Server is switched off or unavailable during the time for which the poll is
scheduled, the Administration Server can either start the poll immediately after it is switched
on, or wait for the next time for which the poll is scheduled.
If this option is enabled, the Administration Server starts polling immediately after it is
switched on.
If this option is disabled, the Administration Server waits for the next time for which the
polling is scheduled.
By default, this option is enabled.

Advanced

You can select which Active Directory domains to poll:
Active Directory domain to which the Kaspersky Security Center belongs.

Domain forest to which the Kaspersky Security Center belongs.

Specified list of Active Directory domains.

If you select this option, you can add domains to the polling scope:

Click the Add button.

In the corresponding fields, specify the address of the domain controller and the name and
password of the account for accessing it.

Click OK to save changes.

You can select the domain controller address in the list and click the Modify or Remove buttons
to modify or remove it.

Click OK to save changes.

If you want to perform the poll immediately, click the Poll now button.

On the virtual Administration Server, you can view and edit the polling settings of Active Directory groups in
the properties window of the distribution point, in the Device discovery section.
IP range polling
The Administration Server polls the specified IP ranges using ICMP packets or the NBNS protocol and compiles a
complete set of data on devices within those IP ranges. By default, this type of polling is disabled. It is not
recommended to use this type of polling if you use Windows network polling and/or Active Directory polling.

Before you start network polling, make sure that the SMB protocol is enabled. Otherwise, Kaspersky Security
Center cannot discover devices in the polled network. To enable the SMB protocol, follow the instructions for
your operating system.

Viewing and modifying the settings for IP range polling

To view and modify the settings for polling IP range groups:

1. In the console tree, in the Device discovery folder, select the IP ranges subfolder.
You can proceed from the Unassigned devices folder to the Device discovery folder by clicking Poll now.

2. If you want, in the IP ranges subfolder click Add subnet to add an IP range for polling, and then click OK.

3. Click Configure polling.

The IP ranges properties window opens. If you want, you can modify the settings of IP range polling:

Enable IP range polling

This option is not selected by default. It is not recommended to use this type of polling if you use
Windows network polling and/or Active Directory polling.

Set polling schedule

The default period is 420 minutes. The data received at the next polling completely replaces the old
data.
The following polling schedule options are available:
Every N days

The polling runs regularly, with the specified interval in days, starting from the specified date
and time.
By default, the polling runs every day, starting from the current system date and time.

Every N minutes

The polling runs regularly, with the specified interval in minutes, starting from the specified
time.
By default, the polling runs every five minutes, starting from the current system time.

By days of week

The polling runs regularly, on the specified days of the week, and at the specified time.
By default, the polling runs every Friday at 6:00:00 PM.

Every month on specified days of selected weeks

The polling runs regularly, on the specified days of each month, and at the specified time.
By default, no days of the month are selected; the default start time is 6:00:00 PM.

Run missed tasks

If the Administration Server is switched off or unavailable during the time for which the poll is
scheduled, the Administration Server can either start the poll immediately after it is switched
on, or wait for the next time for which the poll is scheduled.
If this option is enabled, the Administration Server starts polling immediately after it is
switched on.
If this option is disabled, the Administration Server waits for the next time for which the
polling is scheduled.
By default, this option is enabled.

If you want to perform the poll immediately, click Poll now. This button is only available if you selected Enable IP
range polling.

On the virtual Administration Server, you can view and edit the settings for IP range polling in the distribution
point properties window, in the Device discovery section. Client devices discovered during the poll of IP
ranges are displayed in the Domains folder of the virtual Administration Server.

Zeroconf polling

This polling type is supported only for Linux-based distribution points.

A distribution point can poll networks that have devices with IPv6 addresses. In this case, IP ranges are not
speci ed and the distribution point polls the whole network by using zero-con guration networking (referred to as
Zeroconf). To start using Zeroconf, you must install the avahi-browse utility on the distribution point.

To enable Zeroconf polling:

1. In the console tree, in the Device discovery folder, select the IP ranges subfolder.
You can proceed from the Unassigned devices folder to the Device discovery folder by clicking Poll now.

2. Click Con gure polling.

3. In the IP ranges properties window that opens, select Enable polling with Zeroconf technology.

After that, the distribution point starts to poll your network. In this case, the speci ed IP ranges are ignored.

Working with Windows domains. Viewing and changing the domain settings
To modify the domain settings:

1. In the console tree, in the Device discovery folder, select the Domains subfolder.

2. Select a domain and open its properties window in one of the following ways:

By selecting Properties in the context menu of the domain.

By clicking the Show group properties link.

The Properties: <Domain name> window opens where you can con gure the selected domain.

Con guring retention rules for unassigned devices


After Windows network polling is complete, the found devices are placed into subgroups of the Unassigned
devices administration group. This administration group can be found at Advanced → Device discovery →
Domains. The Domains folder is the parent group. It contains child groups named after the corresponding domains
and workgroups that have been found during the network polling. The parent group may also contain the
administration group of mobile devices. You can configure the retention rules of the unassigned devices for the
parent group and for each of the child groups. The retention rules do not depend on the network polling settings
and work even if the network polling is disabled.

To configure retention rules for unassigned devices:

1. In the console tree, in the Device discovery folder, do one of the following:

To configure settings of the parent group, right-click the Domains subfolder and select Properties.
The parent group properties window opens.

To configure settings of a child group, right-click its name and select Properties.
The child group properties window opens.

2. In the Devices section, specify the following settings:

Remove the device from the group if it has been inactive for longer than (days)

If this option is enabled, you can specify the time interval after which the device is automatically
removed from the group. By default, this option is also distributed to the child groups. The default time
interval is 7 days.
By default, this option is enabled.

Inherit from parent group

If this option is enabled, the retention period for the devices in the current group is inherited from the
parent group and cannot be changed.
This option is available only for child groups.
By default, this option is enabled.

Force inheritance in child groups

The setting values will be distributed to child groups but in the properties of the child groups these
settings are locked.
By default, this option is disabled.

Your changes are saved and applied.
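The three retention settings above interact: a child group either keeps its own "inactive for longer than" value or takes the parent's, and the parent can lock that choice with "Force inheritance". The following Python model is an added example, not Kaspersky Security Center code; the class and attribute names (Group, Device, effective_retention, prune_inactive) are assumptions chosen to mirror the option names in the manual, and the rule that a child takes the parent's value when either the child inherits or the parent forces inheritance is how this example reads the two options.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import List, Optional, Tuple

# Hypothetical model of the "Unassigned devices" retention settings described in
# the manual (example code, not the product's implementation).


@dataclass
class Group:
    name: str
    remove_inactive: bool = True        # "Remove the device from the group if it has been inactive..."
    inactive_days: int = 7              # default interval stated in the manual
    inherit_from_parent: bool = True    # child-group option, enabled by default
    force_inheritance: bool = False     # parent-group option, disabled by default
    parent: Optional["Group"] = None

    def effective_retention(self) -> Optional[int]:
        """Retention period (days) actually in force for this group, or None when
        automatic removal is disabled. A child uses the parent's value when the
        child inherits or the parent forces inheritance (assumed interaction)."""
        if self.parent is not None and (self.inherit_from_parent or self.parent.force_inheritance):
            return self.parent.effective_retention()
        return self.inactive_days if self.remove_inactive else None


@dataclass
class Device:
    name: str
    group: Group
    last_seen: datetime


def prune_inactive(devices: List[Device], now: datetime) -> Tuple[List[Device], List[Device]]:
    """Split devices into (kept, removed) by each device's group retention rule.
    A device is removed only when it has been inactive for *longer than* the
    period, so one seen exactly N days ago is kept."""
    kept: List[Device] = []
    removed: List[Device] = []
    for dev in devices:
        days = dev.group.effective_retention()
        if days is not None and now - dev.last_seen > timedelta(days=days):
            removed.append(dev)
        else:
            kept.append(dev)
    return kept, removed


def demo() -> Tuple[List[str], List[str]]:
    """Constructed sample: the Domains parent keeps the 7-day default; CORP inherits
    it, LAB overrides it with 30 days. Returns (kept names, removed names)."""
    now = datetime(2023, 6, 1)
    domains = Group("Domains", inactive_days=7)
    corp = Group("CORP", inherit_from_parent=True, parent=domains)
    lab = Group("LAB", inherit_from_parent=False, inactive_days=30, parent=domains)
    devices = [
        Device("ws-01", corp, now - timedelta(days=3)),
        Device("ws-02", corp, now - timedelta(days=10)),
        Device("lab-01", lab, now - timedelta(days=10)),
        Device("lab-02", lab, now - timedelta(days=45)),
    ]
    kept, removed = prune_inactive(devices, now)
    return [d.name for d in kept], [d.name for d in removed]


if __name__ == "__main__":
    print(demo())
```

Flipping force_inheritance on the Domains group in this model overrides LAB's 30-day value with the parent's 7 days, which is the effect to expect when the option is enabled in the parent group properties.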

Working with IP ranges


You can customize existing IP ranges and create new ones.

Creating an IP range
To create an IP range:

1. In the console tree, in the Device discovery folder, select the IP ranges subfolder.

2. In the context menu of the folder, select New → IP range.

3. In the New IP range window that opens, set up the new IP range.

The new IP range appears in the IP ranges folder.

Viewing and changing the IP range settings


To modify the IP range settings:

1. In the console tree, in the Device discovery folder select the IP ranges subfolder.

2. Select an IP range and open its properties window in one of the following ways:

By selecting Properties in the context menu of the IP range.

By clicking the Show group properties link.

The Properties: <IP range name> window opens where you can configure the properties of the selected IP
range.

Working with the Active Directory groups. Viewing and modifying group settings
To modify the settings for the Active Directory group:

1. In the console tree, in the Device discovery folder, select the Active Directory subfolder.

2. Select an Active Directory group and open its properties window in one of the following ways:

By selecting Properties in the context menu of the Active Directory group.

By clicking the Show group properties link.

The Properties: <Active Directory group name> window opens where you can configure the selected Active
Directory group.

Creating rules for moving devices to administration groups automatically


You can configure devices to be moved automatically to administration groups after they are discovered during a
poll on an enterprise network.

To configure rules for moving devices to administration groups automatically:

1. In the console tree, select the Unassigned devices folder.

2. In the workspace of this folder, click Configure rules.

This opens the Properties: Unassigned devices window. In the Move devices section, configure the rules to
move devices to administration groups automatically.

The first applicable rule in the list (from the top to the bottom of the list) will be applied to a device.

Using VDI dynamic mode on client devices


A virtual infrastructure can be deployed on a corporate network using temporary virtual machines. Kaspersky
Security Center detects temporary virtual machines and adds information about them to the Administration
Server database. After a user finishes using a temporary virtual machine, the machine is removed from the virtual
infrastructure. However, a record about the removed virtual machine can be saved in the database of the
Administration Server. Also, nonexistent virtual machines can be displayed in Administration Console.

To prevent information about nonexistent virtual machines from being saved, Kaspersky Security Center supports
dynamic mode for Virtual Desktop Infrastructure (VDI). The administrator can enable support of dynamic mode for
VDI in the properties of the installation package of Network Agent to be installed on the temporary virtual
machine.

When a temporary virtual machine is disabled, Network Agent notifies the Administration Server that the machine
has been disabled. If the virtual machine has been disabled successfully, it is removed from the list of devices
connected to the Administration Server. If the virtual machine is disabled with errors and Network Agent does not
send a notification about the disabled virtual machine to the Administration Server, a backup scenario is used. In
this scenario, the virtual machine is removed from the list of devices connected to the Administration Server after
three unsuccessful attempts to synchronize with the Administration Server.

Enabling VDI dynamic mode in the properties of an installation package for Network Agent

To enable VDI dynamic mode:

1. In the Remote installation folder of the console tree, select the Installation packages subfolder.

2. In the context menu of the Network Agent installation package, select Properties.
The Properties: Kaspersky Security Center Network Agent window opens.

3. In the Properties: Kaspersky Security Center Network Agent window, select the Advanced section.

4. In the Advanced section, select the Enable dynamic mode for VDI option.

The device on which Network Agent is to be installed will be a part of VDI.

Searching for devices that are part of VDI


To find devices that make up part of VDI:

1. Select Search from the context menu of the Unassigned devices folder.

2. In the Find devices window, on the Virtual machines tab, in the This is a virtual machine drop-down list, select
Yes.
3. Click the Find now button.

The application searches for devices that make up part of Virtual Desktop Infrastructure.

Moving devices from VDI to an administration group


To move devices that are part of VDI to an administration group:

1. In the workspace of the Unassigned devices folder, click Configure rules.
This opens the properties window of the Unassigned devices folder.

2. In the properties window of the Unassigned devices folder, in the Move devices section, click the Add button.
The New rule window opens.

3. In the New rule window, select the Virtual machines section.

4. In the This is a virtual machine drop-down list, select Yes.

A rule will be created for device relocation to an administration group.
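Both the general "Move devices" rules and the VDI rule above are evaluated the same way: the list is walked top to bottom and the first rule whose conditions all hold decides the target group, so rule order matters when a device satisfies more than one rule (a VDI machine that also sits inside an office IP range, for instance). The following Python model is an added example, not Kaspersky Security Center code; the names DiscoveredDevice, MoveRule, assign_group and the three condition helpers, the group paths, and the sample devices are all constructed for illustration.

```python
import ipaddress
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional

# Hypothetical first-match rule engine for moving discovered devices into
# administration groups (example code, not the product's implementation).


@dataclass
class DiscoveredDevice:
    name: str
    ip: str
    domain: str = ""
    is_virtual_machine: bool = False     # the "This is a virtual machine" attribute


@dataclass
class MoveRule:
    name: str
    target_group: str
    # every condition must hold for the rule to apply
    conditions: List[Callable[[DiscoveredDevice], bool]] = field(default_factory=list)

    def matches(self, dev: DiscoveredDevice) -> bool:
        return all(cond(dev) for cond in self.conditions)


def in_ip_range(cidr: str) -> Callable[[DiscoveredDevice], bool]:
    net = ipaddress.ip_network(cidr)
    return lambda d: ipaddress.ip_address(d.ip) in net


def in_domain(name: str) -> Callable[[DiscoveredDevice], bool]:
    return lambda d: d.domain.lower() == name.lower()


def is_vm(flag: bool = True) -> Callable[[DiscoveredDevice], bool]:
    return lambda d: d.is_virtual_machine == flag


def assign_group(dev: DiscoveredDevice, rules: List[MoveRule]) -> Optional[str]:
    """Return the target group of the first applicable rule (top to bottom),
    or None to leave the device in the Unassigned devices folder."""
    for rule in rules:
        if rule.matches(dev):
            return rule.target_group
    return None


def default_rules() -> List[MoveRule]:
    # Constructed rule list: the VDI rule is deliberately first so that virtual
    # machines are not swallowed by the broader office IP-range rule below it.
    return [
        MoveRule("VDI pool", "Managed devices/VDI", [is_vm(True)]),
        MoveRule("Office LAN", "Managed devices/Workstations", [in_ip_range("10.10.0.0/16")]),
        MoveRule("Lab domain", "Managed devices/Lab", [in_domain("LAB")]),
    ]


def sample_devices() -> List[DiscoveredDevice]:
    # Constructed discovery results; vdi-123 matches both the VDI and the LAN rule.
    return [
        DiscoveredDevice("vdi-123", "10.10.5.7", "CORP", is_virtual_machine=True),
        DiscoveredDevice("ws-42", "10.10.8.20", "CORP"),
        DiscoveredDevice("lab-9", "192.168.50.3", "LAB"),
        DiscoveredDevice("printer-1", "172.16.0.9"),
    ]


def demo() -> Dict[str, Optional[str]]:
    rules = default_rules()
    return {d.name: assign_group(d, rules) for d in sample_devices()}


if __name__ == "__main__":
    for name, group in demo().items():
        print(f"{name}: {group or 'stays in Unassigned devices'}")
```

Reversing the rule list sends vdi-123 to the Workstations group instead, because the IP-range rule is then reached first; that is the ordering effect to keep in mind when adding a broad rule above a narrow one.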

Equipment inventory
The hardware list (Repositories → Hardware) that you use to inventory equipment is populated in two ways:
automatically and manually. After each network polling, all detected computers are added to the list automatically;
however, you can also add computers manually if you do not want to poll the network. You can add other devices
to the list manually, for example, routers, printers, or computer hardware.

In the properties of a device, you can view and edit detailed information about that device.

The hardware list may contain the following types of devices:

Computers

Mobile devices

Network devices

Virtual devices

OEM components

Computer peripherals

Connected devices

VoIP phones

Network repositories

The administrator can assign the Enterprise equipment attribute to detected devices. This attribute can be
assigned manually in the properties of a device, or the administrator can specify criteria for the attribute to be
assigned automatically. In this case, the Enterprise equipment attribute is assigned by device type.

Kaspersky Security Center allows writing off equipment. To do this, select the Device is written off option in the
properties of a device. The device is not displayed on the equipment list.

An administrator can manage the list of programmable logic controllers (PLC) in the Hardware folder. Detailed
information on managing the PLC list is provided in the Kaspersky Industrial CyberSecurity for Nodes User Guide.

Adding information about new devices


To add information about new devices on the network:

1. In the Repositories folder of the console tree, select the Hardware subfolder.

2. In the workspace of the Hardware folder, click the Add device button.
The New device window opens.

3. In the New device window, in the Type drop-down list select a device type that you want to add.

4. Click OK.
The device properties window opens on the General section.

5. In the General section, fill in the entry fields with data on the device. The General section lists the following
settings:

Enterprise device. Select the check box if you want to assign the Enterprise attribute to the device. Using
this attribute, you can search for devices in the Hardware folder.

Device is written off. Select the check box if you do not want the device to be displayed in the list of
devices in the Hardware folder.

6. Click Apply.

The new device will be displayed in the workspace of the Hardware folder.

Configuring criteria used to define enterprise devices


To configure criteria of detection for enterprise devices:

1. In the Repositories folder of the console tree, select the Hardware subfolder.

2. In the workspace of the Hardware folder, click the Additional actions button and select Set up rule for
Enterprise devices in the drop-down list.
The hardware properties window opens.

3. In the hardware properties window, in the Enterprise devices section, select a method for assigning the
Enterprise attribute to the device:

Set the Enterprise device attribute manually for the device. The Enterprise hardware attribute is assigned
to the device manually in the device properties window, in the General section.

Set the Enterprise device attribute automatically for the device. In the By device type block of settings,
specify device types to which the application will automatically assign the Enterprise attribute.

This option affects only the devices that were added through network polling. For the devices added
manually, set the Enterprise attribute manually.

4. Click OK.

The criteria of detection for enterprise devices are configured.

Configuring custom fields


To configure custom fields of devices:

1. In the Repositories folder of the console tree, select the Hardware subfolder.

2. In the workspace of the Hardware folder, click the Additional actions button and select Configure custom
data fields in the drop-down list.
The hardware properties window opens.

3. In the hardware properties window, select the Custom fields section and click the Add button.
The Add field window opens.

4. In the Add field window, specify the name of the custom field that will be displayed in the hardware properties.
You can create multiple custom fields with unique names.

5. Click OK.

The custom fields that have been added are displayed in the Custom fields section of the hardware properties.
You can use custom fields to provide specific information about devices. For example, this could be the internal
order number for a hardware purchase.

Licensing
This section provides information about general concepts related to Kaspersky Security Center 14 licensing.

Events of the licensing limit exceeded


Kaspersky Security Center allows you to get information about events when some licensing limits are exceeded by
Kaspersky applications installed on client devices.

The importance level of such events when a licensing restriction is exceeded is defined according to the following
rules:

If the currently used units covered by a single license constitute 90% to 100% of the total number of units
covered by the license, the event is published with the Info importance level.

If the currently used units covered by a single license constitute 100% to 110% of the total number of units
covered by the license, the event is published with the Warning importance level.

If the number of currently used units covered by a single license exceeds 110% of the total number of units
covered by the license, the event is published with the Critical event importance level.

About licensing
This section contains information about the licensing of Kaspersky applications managed via Kaspersky Security
Center.

About the license


A license is a time-limited right to use Kaspersky Security Center, granted under the terms of the signed License
Contract (End User License Agreement).

The scope of services and validity period depend on the license under which the application is used.

The following license types are provided:

Trial
A free license intended for trying out the application. A trial license usually has a short term.
When a trial license expires, all Kaspersky Security Center features become disabled. To continue using the
application, you need to purchase a commercial license.
You can use the application under a trial license for only one trial period.

Commercial
A paid license.
When a commercial license expires, key features of the application become disabled. To continue using
Kaspersky Security Center, you must renew your commercial license. After a commercial license expires, you
cannot continue using the application and must remove it from your device.
We recommend renewing your license before it expires, to ensure uninterrupted protection against all security
threats.

About the End User License Agreement


The End User License Agreement (License Agreement or EULA) is a binding agreement between you and AO
Kaspersky Lab stipulating the terms under which you may use the application.

Please carefully read the License Agreement before you start using the application.

Kaspersky Security Center and its components, for example, Network Agent, have their own EULA.

You can view the terms of the End User License Agreement for Kaspersky Security Center using the following
methods:

During installation of Kaspersky Security Center.

By reading the license.txt document included in the Kaspersky Security Center distribution kit.

By reading the license.txt document in the Kaspersky Security Center installation folder.

By downloading the license.txt file from the Kaspersky website.

You can view the terms of the End User License Agreement for Network Agent for Windows, Network Agent for
Mac, Network Agent for Linux using the following methods:

During downloading of Network Agent distribution package from the Kaspersky web servers.

During installation of Network Agent for Windows, Network Agent for Mac, Network Agent for Linux.

Please note that when you install Network Agent for Linux, the End User License Agreement for Network
Agent is displayed in English language. You can check the End User License Agreement for Network Agent in
other languages in /opt/kaspersky/klnagent64/share/license folder before accepting the terms of the End
User License Agreement during installation.

By reading the license.txt document included in the Network Agent for Windows, Network Agent for Mac,
Network Agent for Linux distribution package.

By reading the license.txt document in the Network Agent for Windows, Network Agent for Mac, Network
Agent for Linux installation folder.

By downloading the license.txt file from the Kaspersky website.

You accept the terms of the End User License Agreement by confirming that you agree with the End User License
Agreement when installing the application. If you do not accept the terms of the License Agreement, cancel the
application installation and do not use the application.

About the license certificate


A license certificate is a document that you receive along with a key file or an activation code.

A license certificate contains the following information about the license provided:

License key or order number

Information about the user who has been granted the license

Information about the application that can be activated under the license provided

Limit of the number of licensing units (e.g., devices on which the application can be used under the license
provided)

License validity start date

License expiration date or license term

License type

About the license key


A license key is a sequence of bits that you can apply to activate and then use the application in accordance with
the terms of the End User License Agreement. License keys are generated by Kaspersky specialists.

You can add a license key to the application using one of the following methods: by applying a key le or by entering
an activation code. The license key is displayed in the application interface as a unique alphanumeric sequence
after you add it to the application.

The license key may be blocked by Kaspersky in case the terms of the License Agreement have been violated. If
the license key has been blocked, you need to add another one if you want to use the application.

A license key may be active or additional (or reserve).

An active license key is a license key that is currently used by the application. An active license key can be added
for a trial or commercial license. The application cannot have more than one active license key.

An additional (or reserve) license key is a license key that entitles the user to use the application, but is not
currently in use. The additional license key automatically becomes active when the license associated with the
current active license key expires. An additional license key can be added only if an active license key has already
been added.

A license key for a trial license can be added as an active license key. A license key for a trial license cannot be
added as an additional license key.

About the key file


A key file is a file with the .key extension provided to you by Kaspersky. Key files are designed to activate the
application by adding a license key.

You receive a key file at the email address that you provided when you bought Kaspersky Security Center or
ordered the trial version of Kaspersky Security Center.

You do not need to connect to Kaspersky activation servers in order to activate the application with a key file.

You can restore a key file if it has been accidentally deleted. You may need a key file to register a Kaspersky
CompanyAccount, for example.

To restore your key file, perform any of the following actions:

Contact the license seller.

Receive a key file through the Kaspersky website by using your available activation code.

About the subscription
Subscription to Kaspersky Security Center is an order for use of the application under the selected settings
(subscription expiration date, number of protected devices). You can register your subscription to Kaspersky
Security Center with your service provider (for example, your internet provider). A subscription can be renewed
manually or in automatic mode; also, you can cancel it.

A subscription can be limited (for example, one-year) or unlimited (with no expiration date). To continue using
Kaspersky Security Center after a limited subscription expires, you must renew it. An unlimited subscription is
renewed automatically if it has been prepaid to the service provider in due dates.

When a limited subscription expires, you may be provided a grace period for renewal during which the application
continues to function. The availability and duration of the grace period is defined by the service provider.

To use Kaspersky Security Center under subscription, you must apply the activation code received from the
service provider.

You can apply a different activation code for Kaspersky Security Center only after your subscription expires or
when you cancel it.

Depending on the service provider, the set of possible actions for subscription management may vary. The service
provider might not provide a grace period for subscription renewal and so the application loses its functionality.

Activation codes purchased under subscription cannot be used for activating earlier versions of Kaspersky
Security Center.

When the application is used under subscription, Kaspersky Security Center automatically attempts to access the
activation server at specified time intervals until the subscription expires. This ensures that the information about
the subscription is synchronized with the activation server. You can renew your subscription on the service
provider's website.

You can update the information about the subscription manually, without waiting for Kaspersky Security Center to
access the activation server. For example, this might be useful when you change the subscription settings.

To update the information about the subscription manually:

1. In the console tree, select the Kaspersky Licenses folder.

2. Click Additional actions, and from the drop-down list select Synchronize subscription settings with
Licensing server.

The information about the subscription is updated on the activation server.

About the activation code


Activation code is a unique sequence of 20 alphanumeric characters. You enter an activation code to add a license
key that activates Kaspersky Security Center. You receive the activation code through the email address that you
specified after purchasing Kaspersky Security Center or after ordering the trial version of Kaspersky Security
Center.

To activate the application with an activation code, you need internet access to establish connection with
Kaspersky activation servers.

If the application was activated with an activation code, the application in some cases sends regular requests to
Kaspersky activation servers in order to check the current status of the license key. You must provide the
application internet access to make it possible to send requests.

If you have lost your activation code after installing the application, contact the Kaspersky partner from whom you
purchased the license.

You cannot use key files for activating managed applications; only activation codes are accepted.

Revoking consent with an End User License Agreement


If you decide to stop protection of your client devices, you can uninstall managed Kaspersky applications and
revoke your End User License Agreement (EULA) for these applications.

To revoke a EULA for managed Kaspersky applications:

1. In the console tree, select Administration Server → Advanced → Accepted EULAs.


A list of EULAs—accepted upon creation of installation packages, at the seamless installation of updates, or
upon deployment of Kaspersky Security for Mobile—is displayed.

2. In the list, select the EULA that you want to revoke.


You can view the following properties of the EULA:

Date when the EULA was accepted.

The name of the user who accepted the EULA.

Link to the terms of the EULA.

List of the objects that are connected to the EULA: names of installation packages, names of seamless
updates, names of mobile apps.

3. Click the Revoke EULA button.


In the window that opens, you are informed that you must uninstall Kaspersky application corresponding to the
EULA.

4. Click the button to confirm revocation.


Kaspersky Security Center checks whether the installation packages (corresponding to the managed
Kaspersky application whose EULA you want to revoke) are deleted.
You can revoke only the EULA for a managed Kaspersky application, whose installation packages are deleted.

The EULA is revoked. It is not displayed in the list of EULAs in the Administration Server → Advanced →
Accepted EULAs section. You cannot protect client devices using a Kaspersky application whose EULA you
have revoked.

About data provision

Data transferred to third parties

When using the mobile device management functionality of the Software, for the purpose of timely delivery of
commands to devices running the Android operating system through the push noti cation mechanism the Google
Firebase Cloud Messaging service is used. If the User has configured the usage of the Google Firebase Cloud
Messaging service, the User accepts to provide the following information to the Google Firebase Cloud Messaging
service in automatic mode: installation IDs of the Kaspersky Endpoint Security for Android applications to which
push notifications must be sent.

To block exchange of information with the Google Firebase Cloud Messaging service, the User must roll back the
usage settings of the Google Firebase Cloud Messaging service to their factory values.

When using the mobile device management functionality of the Software, for the purpose of timely delivery of
commands to devices running the iOS operating system through the push notification mechanism the Apple Push
Notification Service (APNs) is used. If the User has installed an APNs certificate on an iOS MDM Server, created an
iOS MDM profile with a collection of settings for connection of iOS mobile devices to the Software, and installed
this profile on mobile devices, the User agrees to provide the following information to APNs in automatic mode:

Token—Push token of the device. The server uses this token when sending push notifications to the device.

PushMagic—String that must be included in the push notification. The string value is generated by the device.

Data processed locally

Kaspersky Security Center is designed for centralized execution of basic administration and maintenance tasks on
an organization's network. Kaspersky Security Center provides the administrator with access to detailed
information about the organization's network security level; Kaspersky Security Center lets the administrator
configure all the components of protection based on Kaspersky applications. Kaspersky Security Center performs
the following main functions:

Detecting devices and their users on the organization's network

Creating a hierarchy of administration groups for device management

Installing Kaspersky applications on devices

Managing the settings and tasks of installed applications

Managing the updates for Kaspersky and third-party applications, and finding and fixing vulnerabilities

Activating Kaspersky applications on devices

Managing user accounts

Viewing information about the operation of Kaspersky applications on devices

Viewing reports

To perform its main functions Kaspersky Security Center can receive, store, and process the following information:

Information about the devices on the organization's network received as a result of device discovery on the
Active Directory network or Windows network, or through scanning of IP intervals. Administration Server gets
data independently or receives data from Network Agent.

Information about the Active Directory organizational units, domains, users, and groups received as a result of
device discovery on the Active Directory network. Administration Server gets data independently or receives
data from Network Agent.

Details of managed devices. Network Agent transfers the data listed below from the device to Administration
Server. The User enters the display name and description of the device in the Administration Console interface
or Kaspersky Security Center Web Console interface:

Technical specifications of the managed device and its components required for device identification:
device display name and description, Windows domain name and type, device name in Windows
environment, DNS domain and DNS name, IPv4 address, IPv6 address, network location, MAC address,
operating system type, whether the device is a virtual machine together with hypervisor type, and whether
the device is a dynamic virtual machine as part of VDI.

Other specifications of managed devices and their components required for audit of managed devices and
for making decisions about whether specific patches and updates are applicable: Windows Update Agent
(WUA) status, operating system architecture, operating system vendor, operating system build number,
operating system release ID, operating system location folder, if the device is a virtual machine—the virtual
machine type; the name of the virtual Administration Server that manages the device; cloud device data
(cloud region, VPC, cloud availability zone, cloud subnet, cloud placement zone).

Details of actions on managed devices: date and time of the last update, time the device was last visible on
the network, restart waiting status, and time the device was turned on.

Details of device user accounts and their work sessions.

Distribution point operation statistics if the device is a distribution point. Network Agent transfers data from
the device to Administration Server.

Distribution point settings entered by the User in the Administration Console or Kaspersky Security Center
Web Console.

Data necessary for the connection of mobile devices to the Administration Server: certificate, mobile
connection port, Administration Server connection address. The User enters the data in the Administration
Console or in Kaspersky Security Center Web Console.

Details of mobile devices transferred by using the Exchange ActiveSync protocol. The data listed below are
transferred from the mobile device to Administration Server:

Technical specifications of the mobile device and its components required for device identification: device
name, model, operating system name, IMEI number, and phone number.

Specifications of the mobile device and its components: device management status, support of SMS,
permission to send SMS messages, support of FCM, support of user commands, operating system storage
folder, and device name.

Details of actions on mobile devices: device location (through the Locate command), time of last
synchronization, time of last connection to the Administration Server, and synchronization support details.

Details of mobile devices transferred by using the iOS MDM protocol. The data listed below are transferred
from the mobile device to Administration Server:

Technical specifications of the mobile device and its components required for device identification: device
name, model, operating system name and build number, device model number, IMEI number, UDID, MEID, serial
number, amount of memory, modem firmware version, Bluetooth MAC address, Wi-Fi MAC address, and SIM
card details (ICCID as part of the SIM card ID).

Details of the mobile network used by the managed device: mobile network type, name of the currently used
mobile network, name of the home mobile network, version of the mobile network operator settings, voice
roaming and data roaming status, country code of the home network, residence country code, country
code of the currently used network, and encryption level.

Security settings of the mobile device: use of a password and its compliance with the policy settings, list of
configuration profiles and provisioning profiles used for installation of third-party applications.

Date of last synchronization with Administration Server and device management status.

Details of Kaspersky applications installed on the device. The managed application transfers data from the
device to Administration Server through Network Agent:

Settings of Kaspersky applications installed on the managed device: Kaspersky application name and
version, status, real-time protection status, last device scan date and time, number of threats detected,
number of objects that failed to be disinfected, availability and status of the application components,
details of Kaspersky application settings and tasks, information about the active and reserve license keys,
application installation date and ID.

Application operation statistics: events related to the changes in the status of Kaspersky application
components on the managed device and to the performance of tasks initiated by the application
components.

Device status defined by the Kaspersky application.

Tags assigned by the Kaspersky application.

Set of installed and applicable updates for the Kaspersky application.

Data contained in events from Kaspersky Security Center components and Kaspersky managed applications.
Network Agent transfers data from the device to Administration Server.

Data necessary for the integration of Kaspersky Security Center with a SIEM system for event export. The User
enters the data in the Administration Console or in Kaspersky Security Center Web Console.

Settings of Kaspersky Security Center components and Kaspersky managed applications presented in policies
and policy profiles. The User enters data in the Administration Console or Kaspersky Security Center Web
Console interface.

Task settings of Kaspersky Security Center components and Kaspersky managed applications. The User enters
data in the Administration Console or Kaspersky Security Center Web Console interface.

Data processed by the Vulnerability and Patch Management feature. Network Agent transfers the data listed
below from the device to Administration Server:

Details of applications and patches installed on managed devices (Applications registry).

Information about the hardware detected on managed devices (Hardware registry).

Details of vulnerabilities in third-party software detected on managed devices.

Details of updates available for third-party applications installed on managed devices.

Details of Microsoft updates found by the WSUS feature.

List of Microsoft updates found by the WSUS feature that must be installed on the device.

Data required to download updates on isolated Administration Server to fix third-party software vulnerabilities
on managed devices. The User enters and transmits data by using the Administration Server klscflag utility.

Data necessary for work of Kaspersky Security Center with the cloud environments (Amazon Web Services,
Microsoft Azure, Google Cloud, Yandex Cloud). The User enters the data in the Administration Console or in
Kaspersky Security Center Web Console.

User categories of applications. The User enters data in the Administration Console or Kaspersky Security
Center Web Console interface.

Details of executable files detected on managed devices by the Application Control feature. The User enters
data in the Administration Console or Kaspersky Security Center Web Console interface. A complete list of
data is provided in the Help files of the corresponding application.

Details of files placed in Backup. The managed application transfers data from the device to Administration
Server through Network Agent. A complete list of data is provided in the Help files of the corresponding
application.

Details of files placed in Quarantine. The managed application transfers data from the device to Administration
Server through Network Agent. A complete list of data is provided in the Help files of the corresponding
application.

Details of files requested by Kaspersky specialists for detailed analysis. The managed application transfers data
from the device to Administration Server through Network Agent. A complete list of data is provided in the
Help files of the corresponding application.

Details of the status and triggering of Adaptive Anomaly Control rules. The managed application transfers data
from the device to Administration Server through Network Agent. A complete list of data is provided in the
Help files of the corresponding application.

Details of external devices (memory units, information transfer tools, information hardcopy tools, and
connection buses) installed or connected to the managed device and detected by the Device Control feature.
The managed application transfers data from the device to Administration Server through Network Agent. A
complete list of data is provided in the Help files of the corresponding application.

Information about encrypted devices and the encryption status. The managed application transfers data from
the device to Administration Server through Network Agent.

Details of data encryption errors on devices performed using the Data encryption feature of Kaspersky
applications. The managed application transfers data from the device to Administration Server through
Network Agent. A complete list of data is provided in the Help files of the corresponding application.

List of managed programmable logic controllers (PLCs). The managed application transfers data from the
device to Administration Server through Network Agent. A complete list of data is provided in the Help files of
the corresponding application.

Data required for creation of a threat development chain. The managed application transfers data from the
device to Administration Server through Network Agent. A complete list of data is provided in the Help files of
the corresponding application.

Data required for Kaspersky Security Center integration with the Kaspersky Managed Detection and Response
service (the dedicated plug-in must be installed for Kaspersky Security Center Web Console): integration
initiation token, integration token, and user session token. The User enters the integration initiation token in the
Kaspersky Security Center Web Console interface. The Kaspersky MDR service transfers the integration token
and the user session token through the dedicated plug-in.

Details of the entered activation codes or specified key files. The User enters data in the Administration
Console or Kaspersky Security Center Web Console interface.

User accounts: name, description, full name, email address, main phone number, password, secret key generated
by Administration Server, and one-time password for two-step verification. The User enters data in the
Administration Console or Kaspersky Security Center Web Console interface.

Data that Identity and Access Manager needs for centralized authentication and for providing Single Sign-on
(SSO) between Kaspersky applications integrated with Kaspersky Security Center: installation and
configuration settings of Identity and Access Manager, Identity and Access Manager user session, Identity and
Access Manager tokens, client application statuses and resource server statuses. The User enters data in the
Administration Console or Kaspersky Security Center Web Console interface.

Revision history of management objects. The User enters data in the Administration Console or Kaspersky
Security Center Web Console interface.

Registry of deleted management objects. The User enters data in the Administration Console or Kaspersky
Security Center Web Console interface.

Installation packages created from the file, as well as installation settings. The User enters data in the
Administration Console or Kaspersky Security Center Web Console interface.

Data required for the display of announcements from Kaspersky in Kaspersky Security Center Web Console.
The User enters data in the Administration Console or Kaspersky Security Center Web Console interface.

Data required for the functioning of plug-ins of managed applications in Kaspersky Security Center Web
Console and saved by the plug-ins in the Administration Server database during their routine operation. The
description and ways of providing the data are provided in the Help files of the corresponding application.

Kaspersky Security Center Web Console user settings: localization language and theme of the interface,
Monitoring panel display settings, information about the status of notifications (Already read / Not yet read),
status of columns in spreadsheets (Show / Hide), Training mode progress. The User enters data in the
Kaspersky Security Center Web Console interface.

Kaspersky Event Log for Kaspersky Security Center components and Kaspersky managed applications.
Kaspersky Event Log is stored on each device and is never transferred to Administration Server.

Certificate for secure connection of managed devices to the Kaspersky Security Center components. The
User enters data in the Administration Console or Kaspersky Security Center Web Console interface.

Data required for the Kaspersky Security Center operation in cloud environments, such as Amazon Web
Services (AWS), Microsoft Azure, Google Cloud, and Yandex.Cloud. Administration Server receives the data
from the virtual machine on which it runs.

Information about the User's acceptance of the terms and conditions of legal agreements with Kaspersky.

The Administration Server data that the User enters in the following components:

Administration Console

Kaspersky Security Center Web Console

Command-line terminal when using the klscflag utility

Components interacting with the Administration Server via klakaut automation objects and Kaspersky
Security Center OpenAPI

Any data that the User enters in the Administration Console or Kaspersky Security Center Web Console
interface.

The data listed above can be present in Kaspersky Security Center if one of the following methods is applied:

The User enters data in the interface of the following components:

Administration Console

Kaspersky Security Center Web Console

Command-line terminal when using the klscflag utility

Components interacting with the Administration Server via klakaut automation objects and Kaspersky
Security Center OpenAPI

Network Agent automatically receives data from the device and transfers it to Administration Server.

Network Agent receives data retrieved by the Kaspersky managed application and transfers it to
Administration Server. The lists of data processed by Kaspersky managed applications are provided in the Help
files for the corresponding applications.

Administration Server and Network Agent assigned a distribution point receive information about the
networked devices.

Data is transferred from the mobile device to Administration Server by using the Exchange ActiveSync or iOS
MDM protocol.

The listed data is stored in the Administration Server database. User names and passwords are stored in encrypted
form.

All data listed above can be transferred to Kaspersky only through dump files, trace files, or log files of Kaspersky
Security Center components, including log files created by installers and utilities.

Dump files, trace files, and log files of Kaspersky Security Center components contain random data of
Administration Server, Network Agent, Administration Console, iOS MDM Server, Exchange Mobile Device Server,
and Kaspersky Security Center Web Console. These files can contain personal and sensitive data. Dump files,
trace files, and log files are stored on the device in non-encrypted form. Dump files, trace files, and log files are not
transferred to Kaspersky automatically; however, the administrator can transfer data to Kaspersky manually upon
request by Technical Support to resolve issues in the Kaspersky Security Center operation.

Following the links in the Administration Console or Kaspersky Security Center Web Console, the User agrees to
the automatic transfer of the following data:

Kaspersky Security Center code

Kaspersky Security Center version

Kaspersky Security Center localization

License ID

License type

Whether the license was purchased through a partner

The list of data provided via each link depends on the purpose and location of the link.

Kaspersky uses the received data in anonymized form and for general statistics only. Summary statistics are
generated automatically from the originally received information and do not contain any personal or confidential
data. As soon as new data is accumulated, the previous data is wiped (once a year). Summary statistics are stored
indefinitely.

Kaspersky protects any information received in accordance with law and applicable Kaspersky rules. Data is
transmitted over a secure channel.

Kaspersky Security Center licensing options


Kaspersky Security Center can work in the following modes:

Basic functionality of Administration Console


Kaspersky Security Center works in this mode before the application is activated or after the commercial
license expires. Kaspersky Security Center with support of the basic functionality of Administration Console is
delivered as a part of Kaspersky applications for protection of corporate networks. You can also download it
from Kaspersky website.

Commercial license
If you need additional functionality which is not included in the basic functionality of Administration Console,
you must purchase a commercial license.
When adding a license key in the Administration Server properties window, ensure that you add a license key
that lets you use Kaspersky Security Center. You can find this information at the Kaspersky website. Each
solution webpage contains the list of applications included in this solution. Administration Server may accept
unsupported license keys, for example a license key for Kaspersky Endpoint Security Cloud, but such license
keys provide no new features in addition to the basic functionality of Administration Console.

Feature or property | Kaspersky Security Center operation mode (No license / Commercial license)

Basic functionality of Administration Console

The following functions are available:

Creation of virtual Administration Servers that are used to administer a network of remote offices or client
organizations.

Creation of a hierarchy of administration groups to manage specific devices as a single entity.

Remote installation of applications.

Centralized configuration of applications installed on client devices.

Control of the anti-virus security status of an organization.

Management of user roles.

Statistics and reports on the application's operation, as well as notifications about critical events.

Centralized operations with files that were moved to Quarantine or Backup and files whose processing was
postponed.

Encryption and data protection management.

Viewing and editing existing licensed applications groups.

Viewing and manual editing of the list of hardware components detected by polling the network.

Viewing the list of operating system images available for remote installation.

Vulnerability and Patch Management: basic functionality

The following tasks do not require a commercial license:

The Find vulnerabilities and required updates task

Through this task, Kaspersky Security Center receives the lists of detected vulnerabilities and required updates
for the third-party software installed on the managed devices.

The Install Windows Update updates task

This task can be used to install Windows Update updates only. To use this task, you must manually specify the
required updates in the task settings.

The Fix vulnerabilities task

The Fix vulnerabilities task uses recommended fixes for Microsoft software and user fixes for third-party
software. To use this task, you must manually specify user fixes for vulnerabilities in the task settings.

Vulnerability and Patch Management: advanced functionality

The following functions are available:

Remote installation of software updates and fixing of vulnerabilities automatically, according to the rules that
you define.

Usage of Administration Server as the Windows Server Update Services (WSUS) server to provide updates to
Windows Update services on devices in centralized mode and with the set frequency.

Mobile Device Management feature in MMC-based Administration Console (A license key must be added to the
Administration Server properties.)

The Mobile Device Management feature is used to manage Exchange ActiveSync (EAS) and iOS MDM mobile
devices.

The following functions are available for Exchange ActiveSync mobile devices:

Adding new devices under management of Kaspersky Security Center.

Creation and editing of mobile device management profiles, assignment of profiles to users' mailboxes.

Configuration of mobile devices (email synchronization, apps usage, user password, data encryption, connection
of removable drives).

Installation of certificates on mobile devices.

The following functions are available for iOS MDM devices:

Adding new devices under management of Kaspersky Security Center.

Creating and editing configuration profiles, and installing configuration profiles on mobile devices.

Installing applications on mobile devices through App Store® or using manifest files (.plist).

Locking mobile devices, resetting the mobile device password, and deleting all data from the mobile device.

The following functions are available for Android devices:

Adding new devices under management of Kaspersky Security Center.

Managing Kaspersky Endpoint Security for Android through policy.

In addition, Mobile Devices Management allows executing commands provided by relevant protocols.

The management unit for Mobile Devices Management is a mobile device. A mobile device is considered to be
managed after it is connected to the Mobile Devices Server.

Mobile device protection in Kaspersky Security Center Web Console (A license key must be added on each
mobile device.)

Kaspersky Security Center Web Console provides you with the following features to manage Android and iOS
mobile devices:

Adding new devices under management of Kaspersky Security Center.

Managing Kaspersky Endpoint Security for Android and Kaspersky Security for iOS through policies.

Sending commands to the mobile devices through relevant protocols and executing the commands.

Systems management

The following functions are available:

Installation of operating systems and applications.

Kaspersky Security Center allows you to create operating system images and deploy them on client devices on
the network, as well as perform remote installation of applications by Kaspersky or other vendors. You can
capture operating system images from devices and transfer those images to the Administration Server. Such
images of operating systems are stored on the Administration Server in a dedicated folder. The operating system
image of a reference device is captured and then created through an installation package creation task. You can
use the images received for deployment on new networked devices on which no operating system has been
installed yet. A technology named Preboot eXecution Environment (PXE) is used in this case.

Licensed applications group management.

Remote permission of connection to client devices through a component of Microsoft® Windows® named
Remote Desktop Connection.

Remote connection to client devices through Windows Desktop Sharing.

Integration with cloud environments

Kaspersky Security Center not only works with on-premises devices, but also provides special features for
working in a cloud environment, such as Cloud Environment Configuration Wizard. Kaspersky Security Center
works with the following virtual machines:

Amazon EC2 instances

Microsoft Azure virtual machines

Google Cloud virtual machine instances

Yandex.Cloud virtual machines

Exporting events to SIEM systems: using the Syslog protocol

Using the Syslog protocol, you can relay any events that occur on the Kaspersky Security Center Administration
Server and in Kaspersky applications that are installed on managed devices. The Syslog protocol is a standard
message-logging protocol. You can use it to export events to any SIEM system.

Exporting events to SIEM systems: QRadar by IBM and ArcSight by Micro Focus

Event export can be used within centralized systems that deal with security issues on an organizational and
technical level, provide security monitoring services, and consolidate information from different solutions.
These are SIEM systems, which provide real-time analysis of security alerts and events generated by network
hardware and applications, or Security Operation Centers (SOCs).

Under a special license, you can use the CEF and LEEF protocols to export to SIEM systems general events, as
well as the events transferred by Kaspersky applications to the Administration Server.

LEEF (Log Event Extended Format) is a customized event format for IBM Security QRadar SIEM. QRadar can
integrate, identify, and process LEEF events. LEEF events must use UTF-8 character encoding. You can find
detailed information on LEEF protocol in IBM Knowledge Center.

CEF (Common Event Format) is an open log management standard that improves the interoperability of
security-related information from different security and network devices and applications. CEF enables you to
use a common event log format so that data can easily be integrated and aggregated for analysis by an
enterprise management system. ArcSight and Splunk SIEM systems use this protocol.
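
As an added example (not code from Kaspersky Security Center or from this Help), the following Python script
shows what the three export formats named above look like for a single event: it renders a constructed event as
a CEF line, as a LEEF 2.0 line encoded in UTF-8, and as an RFC 5424 Syslog line carrying the CEF payload, applying
the escaping that each format requires. The Event class, the event ID EXAMPLE_EVENT_0001, the host names and
the file path are constructed placeholders for this example, not the product's event schema or real values.

```python
"""Format a constructed Kaspersky Security Center-style event for SIEM export.

Added example, not product code: builds the Syslog (RFC 5424), CEF and LEEF
representations of one event and applies the escaping each format requires.
All event fields, IDs and host names below are constructed placeholders.
"""
from dataclasses import dataclass, field
from datetime import datetime, timezone

CEF_VERSION = 0
LEEF_VERSION = "2.0"
SYSLOG_FACILITY_LOCAL0 = 16


@dataclass
class Event:
    """A minimal event shape; the field names are an assumption for this example."""
    vendor: str
    product: str
    product_version: str
    event_id: str
    name: str
    severity: int                 # CEF severity scale, 0 (lowest) to 10 (highest)
    occurred_at: datetime         # timezone-aware
    extension: dict = field(default_factory=dict)


def _cef_header_escape(value: str) -> str:
    """CEF header fields: backslash and the pipe delimiter must be escaped."""
    return value.replace("\\", "\\\\").replace("|", "\\|")


def _cef_extension_escape(value: str) -> str:
    """CEF extension values: escape backslash, '=' and line breaks; pipes are allowed here."""
    return (value.replace("\\", "\\\\").replace("=", "\\=")
                 .replace("\r", "\\r").replace("\n", "\\n"))


def to_cef(ev: Event) -> str:
    """CEF:Version|Vendor|Product|Version|SignatureID|Name|Severity|Extension."""
    header = "|".join(_cef_header_escape(str(x)) for x in (
        ev.vendor, ev.product, ev.product_version, ev.event_id, ev.name, ev.severity))
    # 'rt' is the CEF receipt-time key; epoch milliseconds is one of its accepted forms.
    pairs = {"rt": int(ev.occurred_at.timestamp() * 1000), **ev.extension}
    ext = " ".join(f"{k}={_cef_extension_escape(str(v))}" for k, v in pairs.items())
    return f"CEF:{CEF_VERSION}|{header}|{ext}"


def to_leef(ev: Event, delimiter: str = "\t") -> str:
    """LEEF:2.0|Vendor|Product|Version|EventID|xHH|key=value<delim>key=value.

    The attribute delimiter is declared in the header as its hex code (x09 = tab).
    A value must not contain the delimiter, so any occurrence is replaced by a space.
    """
    for part in (ev.vendor, ev.product, ev.product_version, ev.event_id):
        if "|" in part:
            raise ValueError("LEEF header fields must not contain '|'")
    header = "|".join((ev.vendor, ev.product, ev.product_version, ev.event_id))
    attrs = {
        # devTime/devTimeFormat/sev are LEEF's predefined keys (Java date pattern).
        "devTime": ev.occurred_at.strftime("%b %d %Y %H:%M:%S"),
        "devTimeFormat": "MMM dd yyyy HH:mm:ss",
        "sev": ev.severity,
        **ev.extension,
    }
    body = delimiter.join(f"{k}={str(v).replace(delimiter, ' ')}" for k, v in attrs.items())
    return f"LEEF:{LEEF_VERSION}|{header}|x{ord(delimiter):02X}|{body}"


def leef_bytes(ev: Event) -> bytes:
    """QRadar requires LEEF in UTF-8, so encode explicitly instead of relying on a default."""
    return to_leef(ev).encode("utf-8")


def to_syslog(payload: str, hostname: str, app_name: str, when: datetime,
              severity: int, facility: int = SYSLOG_FACILITY_LOCAL0) -> str:
    """RFC 5424 line: <PRI>1 TIMESTAMP HOSTNAME APP-NAME PROCID MSGID STRUCTURED-DATA MSG."""
    pri = facility * 8 + severity            # PRI = facility * 8 + severity
    ts = when.isoformat().replace("+00:00", "Z")
    return f"<{pri}>1 {ts} {hostname} {app_name} - - - {payload}"


# Constructed sample event; the ID, host and path are placeholders, not real KSC values.
SAMPLE_EVENT = Event(
    vendor="Kaspersky",
    product="Kaspersky Security Center",
    product_version="14",
    event_id="EXAMPLE_EVENT_0001",
    name="Malicious object detected",
    severity=8,
    occurred_at=datetime(2023, 5, 1, 12, 30, 45, tzinfo=timezone.utc),
    extension={"dvchost": "ws-042.corp.example",
               "fname": "C:\\Users\\a\\x=1.exe",     # contains '\' and '=' on purpose
               "msg": "Quarantined|ok"},             # contains '|' on purpose
)

if __name__ == "__main__":
    print(to_cef(SAMPLE_EVENT))
    print(to_leef(SAMPLE_EVENT))
    print(to_syslog(to_cef(SAMPLE_EVENT), "ksc-srv.corp.example", "KSC",
                    SAMPLE_EVENT.occurred_at, severity=2))
```

The escaping is where SIEM parsing goes wrong in practice: a pipe or an equals sign left unescaped in a CEF
field shifts every later field in the receiver's parser, so the example escapes header fields and extension values
differently, as CEF requires, and refuses to emit a LEEF header containing a pipe rather than producing a
malformed line that QRadar would silently misparse.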

Licensing features of Kaspersky Security Center and managed applications


Licensing of Administration Server and managed applications involves the following:

You can add a license key or valid activation code to an Administration Server to activate Vulnerability and Patch
Management, Mobile Device Management, or Integration with the SIEM systems. Some features of Kaspersky
Security Center are only accessible depending on active key files or valid activation codes added to the
Administration Server.

You can add multiple activation codes and key les for managed applications to the Administration Server
repository.

About Kaspersky Security Center licensing

If you activated one of the licensed features (for example, Mobile Device Management) using a key file, but you also
want to use another licensed feature (for example, Vulnerability and Patch Management), you must purchase from
your service provider a key file that activates both these features and you must activate Administration Server by
using this key file.

Licensing features of managed applications

For licensing of managed applications, an activation code or key file can be deployed automatically or in any other
convenient way. The following methods can be applied to deploy an activation code or key file:

Automatic deployment

If you use different managed applications and you have to deploy a specific key file or activation code to
devices, opt for other ways of deploying that activation code or key file.

Kaspersky Security Center allows you to automatically deploy available license keys to devices. For example,
three license keys are stored in the Administration Server repository. You have selected the Automatically
distribute license key to managed devices check box for all three license keys. A Kaspersky security
application—for example, Kaspersky Endpoint Security for Windows—is installed on the organization's devices.
A new device is discovered to which a license key must be deployed. The application determines, for instance,
that two of the license keys from the repository can be applied to the device: license key named Key_1 and
license key named Key_2. One of these license keys is deployed to the device. In this case, it cannot be
predicted which of the two license keys will be deployed to the device because automatic deployment of
license keys does not provide for any administrator activity.
When a license key is deployed, the devices are recounted for that license key. You must make sure that the
number of devices to which the license key was deployed does not exceed the license limit. If the number of
devices exceeds the license limit, all devices that were not covered by the license will be assigned Critical
status.

Adding a key file or activation code to the installation package of a managed application


If you install a managed application using an installation package, you can specify an activation code or key file
in this installation package or in the policy of the application. The license key will be deployed to managed
devices at the next synchronization of the device with the Administration Server.

Deployment through the add license key task for a managed application
If you opt for using the add license key task for a managed application, you can select the license key that must
be deployed to devices and select the devices in any convenient way—for example, by selecting an
administration group or a device selection.

Adding an activation code or a key file manually to the devices

Kaspersky applications. Centralized deployment


This section describes the methods for remote installation of Kaspersky applications and their removal from
networked devices.

Before deploying applications on client devices, make sure that the hardware and software of client devices
meets the applicable requirements.

Network Agent is a component that provides for Administration Server connection with client devices. Therefore,
it must be installed on each client device to be connected to the remote centralized control system. The device on
which the Administration Server is installed can only use the server version of Network Agent. This version is
included in Administration Server as a part that is installed and removed together with it. There is no need to install
Network Agent on that device.

Network Agent can be installed remotely or locally like any application. During centralized deployment of security
applications through Administration Console, you can install Network Agent jointly with security applications.

Network Agents can differ depending upon the Kaspersky applications with which they work. In some cases,
Network Agent can be installed locally only (for details please refer to the documentation for the corresponding
applications). You only have to install Network Agent on a client device once.

Kaspersky applications are managed through Administration Console by using management plug-ins. Therefore, to
access the application management interface through Kaspersky Security Center, the corresponding
management plug-in must be installed on the administrator's workstation.

You can perform remote installation of applications from the administrator's workstation in the Kaspersky Security
Center main window.

To install software remotely, you must create a remote installation task.

The created task for remote installation will start according to its schedule. You can interrupt the installation
procedure by stopping the task manually.

If remote installation of an application returns an error, you can find the cause of this error and fix it using the
remote installation preparation utility.

You can track the progress of remote installation of Kaspersky applications on a network using the deployment
report.

For details about management of the listed applications in Kaspersky Security Center, please refer to the
documentation for the corresponding applications.

Replacing third-party security applications


Installation of Kaspersky security applications through Kaspersky Security Center may require removal of
third-party software incompatible with the application being installed. Kaspersky Security Center provides several
ways of removing the third-party applications.

Removing incompatible applications by using the installer

This option is available in Microsoft Management Console-based Administration Console only.

The installer method of removing incompatible applications is supported by various types of installation. Before
the security application installation, all incompatible applications are removed automatically if the properties
window of the installation package of this security application (Incompatible applications section) has the
Uninstall incompatible applications automatically option selected.

Removing incompatible applications when configuring remote installation of an application

You can enable the Uninstall incompatible applications automatically option when you configure remote
installation of a security application. In Microsoft Management Console (MMC) based Administration Console, this
option is available in the Remote Installation Wizard. In Kaspersky Security Center Web Console, you can find this
option in the Protection Deployment Wizard. When this option is enabled, Kaspersky Security Center removes
incompatible applications before installing a security application on a managed device.

How-to instructions:

Administration Console: Installing applications using Remote Installation Wizard

Kaspersky Security Center Web Console: Removing incompatible applications before installation

Removing incompatible applications through a dedicated task

To remove incompatible applications, use the Uninstall application remotely task. This task should be run on
devices before the security application installation task. For example, in the installation task you can select On
completing another task as the schedule type where the other task is Uninstall application remotely.

This method of uninstallation is useful when the security application installer cannot properly remove an
incompatible application.

How-to instructions for Administration Console: Creating a task.

Installing applications using a remote installation task


Kaspersky Security Center allows you to install applications on devices remotely, using remote installation tasks.
Those tasks are created and assigned to devices through a dedicated Wizard. To assign a task to devices more
quickly and easily, you can specify devices in the Wizard window in one of the following ways:

Select networked devices detected by Administration Server. In this case, the task is assigned to specific
devices. The specific devices can include devices in administration groups as well as unassigned devices.

Specify device addresses manually or import addresses from a list. You can specify NetBIOS names, DNS
names, IP addresses, and IP subnets of devices to which you want to assign the task.

Assign task to a device selection. In this case, the task is assigned to devices included in a selection created
earlier. You can specify the default selection or a custom one that you created.

Assign task to an administration group. In this case, the task is assigned to devices included in an
administration group created earlier.

For correct remote installation on a device with no Network Agent installed, the following ports must be
opened: a) TCP 139 and 445; b) UDP 137 and 138. By default, these ports are opened on all devices included in
the domain. They are opened automatically by the remote installation preparation utility.

Installing an application on selected devices


To install an application on selected devices:

1. In the console tree, select the Tasks folder.


2. Run the task creation by clicking the Create a task button.
The Add Task Wizard starts. Follow the instructions of the Wizard.
In the Select the task type window of the Add Task Wizard, in the Kaspersky Security Center 14
Administration Server node select Install application remotely as the task type.
The Add Task Wizard creates a task of remote installation of the selected application for specific devices. The
newly created task is displayed in the workspace of the Tasks folder.

3. Run the task manually or wait for it to launch according to the schedule specified by you in the task settings.

On completion of the remote installation task, the selected application will be installed on the selected devices.

Installing an application on client devices in an administration group


To install an application on client devices in an administration group:

1. Establish a connection with the Administration Server that controls the relevant administration group.

2. Select an administration group in the console tree.

3. In the group workspace, select the Tasks tab.

4. Run the task creation by clicking the Create a task button.


The Add Task Wizard starts. Follow the instructions of the Wizard.
In the Select the task type window of the Add Task Wizard, in the Kaspersky Security Center 14
Administration Server node select Install application remotely as the task type.
The Add Task Wizard creates a group task of remote installation of the selected application. The new task
appears in the workspace of the administration group on the Tasks tab.

5. Run the task manually or wait for it to launch according to the schedule specified by you in the task settings.

On completion of the remote installation task, the selected application will be installed on client devices in the
administration group.

Installing an application through Active Directory group policies


Kaspersky Security Center allows you to install Kaspersky applications on managed devices by using Active
Directory group policies.

You can install applications by using Active Directory group policies only from installation packages that
include Network Agent.

To install an application using Active Directory group policies:

1. Start configuring the application installation by using Remote Installation Wizard.

2. In the Defining remote installation task settings window of the Remote Installation Wizard, select the Assign
package installation in Active Directory group policies option.

3. In the Select accounts to access devices window of the Remote Installation Wizard, select the Account
required (Network Agent is not used) option.
4. Add the account with administrator privileges on the device where Kaspersky Security Center is installed or the
account included in the Group Policy Creator Owners domain group.

5. Grant the permissions to the selected account:

a. Go to Control Panel → Administrative Tools and open Group Policy Management.

b. Click the node with the required domain.

c. Click the Delegation section.

d. In the Permission drop-down list, select Link GPOs.

e. Click Add.

f. In the Select User, Computer, or Group window that opens, select the necessary account.

g. Click OK to close the Select User, Computer, or Group window.

h. In the Groups and users list, select the account that you have just added, and then click Advanced →
Advanced.

i. In the Permission entries list, double-click the account that you have just added.

j. Grant the following permissions:

Create Group objects

Delete Group objects

Create group Policy Container objects

Delete group Policy Container objects

k. Click OK to save the changes.

6. Define other settings by following the instructions of the Wizard.

7. Run the created remote installation task manually or wait for its scheduled start.

The following remote installation sequence starts:

1. When the task is running, the following objects are created in each domain that includes any client devices from
the specified set:

Group policy object (GPO) under the name Kaspersky_AK{GUID}.

A security group that corresponds to the GPO. This security group includes client devices covered by the
task. The content of the security group de nes the scope of the GPO.

2. Kaspersky Security Center installs the selected Kaspersky applications on client devices directly from the shared
network folder of the application (Share). In the Kaspersky Security Center installation folder, an auxiliary
subfolder is created that contains the .msi file for the application to be installed.

3. When new devices are added to the task scope, they are added to the security group after the next start of
the task. If the Run missed tasks option is selected in the task schedule, devices are added to the security
group immediately.

4. When devices are deleted from the task scope, they are deleted from the security group after the next start of
the task.

5. When a task is deleted from Active Directory, the GPO, the link to the GPO, and the corresponding security
group are deleted, too.

If you want to apply another installation schema using Active Directory, you can configure the required settings
manually. For example, this may be required in the following cases:

When the anti-virus protection administrator does not have rights to make changes to the Active Directory of
certain domains

When the original installation package has to be stored on a separate network resource

When it is necessary to link a GPO to specific Active Directory units

The following options for using an alternative installation scheme through Active Directory are available:

If installation is to be performed directly from the Kaspersky Security Center shared folder, in the GPO
properties you must specify the .msi file located in the exec subfolder of the installation package folder for the
required application.

If the installation package has to be located on another network resource, you must copy the whole exec folder
content to it, because in addition to the file with .msi extension the folder contains configuration files
generated when the package was created. To install the license key with the application, copy the key file to this
folder as well.
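The sequence above leaves a GPO named Kaspersky_AK{GUID}, a matching security group that acts as the GPO's scope, a link to the domain, and a software-installation entry pointing at the .msi in the exec subfolder. The delegation in step 5 is also easy to over-grant. The following PowerShell script, added here as an example and not part of the Kaspersky Security Center documentation or product, audits both: it lists each Kaspersky_AK* GPO with its links, security filter, group members and .msi paths, and compares the ACEs the deployment account holds on the domain root with exactly the rights listed in step 5j. It assumes RSAT (the GroupPolicy and ActiveDirectory modules) on a domain-joined console; the account name in the usage lines is a placeholder.

```powershell
# Added example, not part of the Kaspersky Security Center documentation or product.
# Assumes RSAT (GroupPolicy, ActiveDirectory modules) on a domain-joined console.
Import-Module GroupPolicy, ActiveDirectory

function Get-SchemaGuid {
    # Resolve a class or attribute lDAPDisplayName to its schemaIDGUID so that the
    # object-specific ACEs can be matched without hard-coding well-known GUIDs.
    param([Parameter(Mandatory)][string]$LdapDisplayName)
    $schemaNc = (Get-ADRootDSE).schemaNamingContext
    $obj = Get-ADObject -SearchBase $schemaNc -Filter "lDAPDisplayName -eq '$LdapDisplayName'" -Properties schemaIDGUID
    [guid][byte[]]$obj.schemaIDGUID
}

function Get-KscGpoDeployment {
    # One GPO named Kaspersky_AK{GUID} per domain, a security group that is the GPO's
    # security filter (its members are the task scope), and the .msi path(s) assigned.
    foreach ($gpo in Get-GPO -All | Where-Object { $_.DisplayName -like 'Kaspersky_AK*' }) {
        $applyTo = Get-GPPermission -Guid $gpo.Id -All |
                   Where-Object { $_.Permission -eq 'GpoApply' } |
                   ForEach-Object { $_.Trustee }
        $reportXml = Get-GPOReport -Guid $gpo.Id -ReportType Xml
        $links = ([xml]$reportXml).GPO.LinksTo | ForEach-Object { $_.SOMPath }
        $msi   = [regex]::Matches($reportXml, '[^<>"]+\.msi') | ForEach-Object { $_.Value } | Sort-Object -Unique
        $members = foreach ($t in $applyTo) {
            if ($t.SidType -eq 'Group') { Get-ADGroupMember -Identity $t.Sid.Value -Recursive | ForEach-Object { $_.Name } }
        }
        [pscustomobject]@{
            Gpo              = $gpo.DisplayName
            LinkedTo         = $links -join '; '
            AppliesTo        = ($applyTo | ForEach-Object { $_.Name }) -join '; '
            # If anything other than the task's group (e.g. Authenticated Users) still
            # holds GpoApply, the GPO is not scoped to the task's device set.
            ScopeIsGroupOnly = -not [bool]($applyTo | Where-Object { $_.SidType -ne 'Group' })
            Members          = $members -join '; '
            MsiPaths         = $msi -join '; '
        }
    }
}

function Test-DeploymentAccountRights {
    # Compare the Allow ACEs the account holds on the domain root with the rights the
    # procedure grants: Link GPOs (write gPLink/gPOptions), create/delete group objects,
    # create/delete groupPolicyContainer objects. Anything broader is over-delegation.
    param([Parameter(Mandatory)][string]$Account)   # 'DOMAIN\name' form
    $rights = [System.DirectoryServices.ActiveDirectoryRights]
    $expected = [ordered]@{
        'Create Group objects'                = @($rights::CreateChild,   (Get-SchemaGuid 'group'))
        'Delete Group objects'                = @($rights::DeleteChild,   (Get-SchemaGuid 'group'))
        'Create groupPolicyContainer objects' = @($rights::CreateChild,   (Get-SchemaGuid 'groupPolicyContainer'))
        'Delete groupPolicyContainer objects' = @($rights::DeleteChild,   (Get-SchemaGuid 'groupPolicyContainer'))
        'Link GPOs: write gPLink'             = @($rights::WriteProperty, (Get-SchemaGuid 'gPLink'))
        'Link GPOs: write gPOptions'          = @($rights::WriteProperty, (Get-SchemaGuid 'gPOptions'))
    }
    $domainDn = (Get-ADDomain).DistinguishedName
    $aces = (Get-Acl -Path "AD:\$domainDn").Access |
            Where-Object { $_.IdentityReference.Value -eq $Account -and $_.AccessControlType -eq 'Allow' }
    foreach ($name in $expected.Keys) {
        $want, $type = $expected[$name]
        $hit = $aces | Where-Object {
            (($_.ActiveDirectoryRights -band $want) -eq $want) -and
            ($_.ObjectType -eq $type -or $_.ObjectType -eq [guid]::Empty)   # empty GUID = all object types
        }
        [pscustomobject]@{ Account = $Account; Right = $name; Granted = [bool]$hit }
    }
    $broad = $aces | Where-Object {
        (($_.ActiveDirectoryRights -band $rights::GenericAll) -eq $rights::GenericAll) -or
        ($_.ActiveDirectoryRights -band ($rights::WriteDacl -bor $rights::WriteOwner))
    }
    [pscustomobject]@{ Account = $Account; Right = 'Broader rights on domain root (over-delegation)'; Granted = [bool]$broad }
}

# Usage (account name is a placeholder):
# Get-KscGpoDeployment | Format-List
# Test-DeploymentAccountRights -Account 'CORP\svc-ksc-deploy' | Format-Table -AutoSize
```

The schema lookups replace hard-coded GUIDs so the script works in any forest. An account that shows Granted = True on the "Broader rights" row, or a GPO with ScopeIsGroupOnly = False, is the condition to fix before running the task.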

Installing applications on secondary Administration Servers


To install an application on secondary Administration Servers:

1. Establish a connection with the Administration Server that controls the relevant secondary Administration
Servers.

2. Make sure that the installation package corresponding to the application being installed is available on each of
the selected secondary Administration Servers. If the installation package cannot be found on any of the
secondary Servers, distribute it by using the installation package distribution task.

3. Create the task of application installation on secondary Administration Servers in one of the following ways:

If you want to create a task for secondary Administration Servers in the selected administration group,
create a group task of remote installation for this group.

If you want to create a task for specific secondary Administration Servers, create a task of remote
installation for specific devices.

The Deployment Task Creation Wizard starts to guide you through creation of the remote installation task.
Follow the instructions of the Wizard.
In the Select the task type window of the Add Task Wizard, in the Kaspersky Security Center 14
Administration Server section open the Advanced folder and select Install application on secondary
Administration Servers remotely as the task type.

The Add Task Wizard will create the task of remote installation of the selected application on specific
secondary Administration Servers.

4. Run the task manually or wait for it to launch according to the schedule specified by you in the task settings.

On completion of the remote installation task, the selected application will be installed on secondary
Administration Servers.

Installing applications using Remote Installation Wizard


To install Kaspersky applications, you can use the Remote Installation Wizard. The Remote Installation Wizard allows
remote installation of applications either through specially created installation packages or directly from a
distribution package.

For proper operation of the Remote installation task on a client device that does not have Network Agent
installed, the following ports must be open: TCP 139 and 445; UDP 137 and 138. By default, these ports are
open for all devices included in the domain. They are opened automatically by the remote installation
preparation utility.
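The same four ports are required for the Remote installation task created from the Tasks folder (as stated at the start of this section) and for the Remote Installation Wizard. They are the NetBIOS session and SMB ports (TCP 139 and 445) and the NetBIOS name and datagram services (UDP 137 and 138). The following PowerShell script, added here as an example and not part of the Kaspersky Security Center documentation or product, checks them on a list of target devices before the task runs, and offers a function to narrow the corresponding firewall rules to the Administration Server address once Network Agent is in place and delivery no longer depends on them. It assumes WinRM access to the targets and the NetSecurity module on them; the device names and the server address are constructed placeholders.

```powershell
# Added example, not part of the Kaspersky Security Center documentation or product.
# Assumes WinRM access to the targets and the NetSecurity module on them.
$Targets    = @('ws-fin-01', 'ws-fin-02')   # constructed sample device names
$AdminSrvIP = '10.0.0.10'                   # assumed Administration Server address

function Test-RemoteInstallPorts {
    param([Parameter(Mandatory)][string[]]$ComputerName)
    foreach ($c in $ComputerName) {
        # TCP 139 (NetBIOS session) and 445 (SMB) can be probed directly from the console host.
        foreach ($p in 139, 445) {
            $r = Test-NetConnection -ComputerName $c -Port $p -WarningAction SilentlyContinue
            [pscustomobject]@{ Device = $c; Port = "TCP/$p"; Open = $r.TcpTestSucceeded }
        }
        # UDP 137/138 (NetBIOS name and datagram services) cannot be probed with
        # Test-NetConnection; read the firewall state on the target instead and
        # collect the UDP local ports of enabled inbound Allow rules.
        $udpPorts = Invoke-Command -ComputerName $c -ScriptBlock {
            Get-NetFirewallRule -Direction Inbound -Enabled True -Action Allow |
                Get-NetFirewallPortFilter |
                Where-Object { $_.Protocol -eq 'UDP' } |
                ForEach-Object { $_.LocalPort }
        }
        foreach ($p in 137, 138) {
            $open = ($udpPorts -contains "$p") -or ($udpPorts -contains 'Any')
            [pscustomobject]@{ Device = $c; Port = "UDP/$p"; Open = [bool]$open }
        }
    }
}

function Limit-FileSharingRuleScope {
    # These ports are open by default on domain members and are opened by the remote
    # installation preparation utility. Once Network Agent is installed, packages are
    # delivered by the agent, so the SMB/NetBIOS rules can be restricted to the
    # Administration Server address instead of being reachable from every host.
    param([Parameter(Mandatory)][string[]]$ComputerName,
          [Parameter(Mandatory)][string]$ServerAddress)
    Invoke-Command -ComputerName $ComputerName -ScriptBlock {
        param($addr)
        Get-NetFirewallRule -DisplayGroup 'File and Printer Sharing' -Direction Inbound |
            Set-NetFirewallRule -RemoteAddress $addr
    } -ArgumentList $ServerAddress
}

# Usage:
# Test-RemoteInstallPorts -ComputerName $Targets | Format-Table -AutoSize
# Limit-FileSharingRuleScope -ComputerName $Targets -ServerAddress $AdminSrvIP
```

Run the check first; a device that reports Open = False on TCP/445 will fail the task with an access error rather than a clear port message. Apply the scope restriction only after the "Using Network Agent" delivery option is in effect for those devices.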

To install the application on selected devices by using the Remote Installation Wizard:

1. In the console tree, locate the Remote installation folder and select the Installation packages subfolder.

2. In the workspace of the folder, select the installation package of the application that you have to install.

3. In the context menu of the installation package, select Install application.


The Remote Installation Wizard starts.

4. In the Select devices for installation window, you can create a list of devices on which the application will be
installed:

Install on a group of managed devices

If this option is selected, the remote installation task is created for a group of devices.

Select devices for installation

If this option is selected, the remote installation task is created for specific devices. Those specific
devices can include both managed and unassigned ones.

5. In the Defining remote installation task settings window, specify the settings for remote installation of the
application.
In the Force installation package download settings group, specify how files that are required for the
application installation are distributed to client devices:

Using Network Agent

If this option is enabled, installation packages are delivered to client devices by Network Agent installed
on those client devices.
If this option is disabled, installation packages are delivered using the operating system tools of client
devices.
We recommend that you enable this option if the task has been assigned to devices with Network
Agents installed.
By default, this option is enabled.

Using operating system resources through Administration Server

If this option is enabled, files are transmitted to client devices by using operating system tools of client
devices through the Administration Server. You can enable this option if no Network Agent is installed
on the client device, but the client device is in the same network as the Administration Server.
By default, this option is enabled.

Using operating system resources through distribution points

If this option is enabled, installation packages are transmitted to client devices using operating system
tools through distribution points. You can select this option if there is at least one distribution point on
the network.
If the Using Network Agent option is enabled, the files are delivered using operating system tools only
if Network Agent tools are unavailable.
By default, this option is enabled for remote installation tasks that have been created on a virtual
Administration Server.

Number of attempts to install

If, when running the Remote installation task, Kaspersky Security Center fails to install an application on
a managed device within the number of installer runs specified by the parameter, Kaspersky Security
Center stops delivering the installation package to this managed device and does not start the installer
on the device anymore.

The Number of attempts to install option allows you to save the resources of the managed
device, as well as reduce traffic (uninstallation, MSI file run, and error messages).

Recurring task start attempts may indicate a problem on the device that prevents installation. The
administrator should resolve the problem within the specified number of installation attempts (for
example, by allocating sufficient disk space, removing incompatible applications, or modifying the
settings of other applications that prevent installation) and then restart the task (manually or by a
schedule).

If installation is not achieved eventually, the problem is considered unresolvable and any further task
starts are seen as costly in terms of unnecessary consumption of resources and traffic.

When the task is created, the counter of attempts is set to 0. Each run of the installer that returns an
error on the device increments the counter reading.

If the number of attempts specified in the parameter has been exceeded and the device is ready for
application installation, you can increase the value of the Number of attempts to install
parameter and start the task to install the application. Alternatively, you can create a new Remote
installation task.

Define what to do with client devices managed by another Administration Server:

Install on all devices

The application will be installed even on devices managed by other Administration Servers.
This option is selected by default. You do not have to change this setting if you have only one
Administration Server in your network.

Install only on devices managed through this Administration Server

The application will be installed only on devices managed by this Administration Server. Select this
option if you have more than one Administration Server in your network and want to avoid conflicts
between them.

Define the additional settings:

Do not re-install application if it is already installed

If this option is enabled, the selected application will not be re-installed if it has already been installed
on this client device.
If this option is disabled, the application will be installed anyway.
By default, this option is enabled.

Assign package installation in Active Directory group policies

If this option is enabled, an installation package is installed by using the Active Directory group policies.
This option is available if the Network Agent installation package is selected.
By default, this option is disabled.

6. In the Selecting a license key window, select a license key and a method for its distribution:

Do not place license key in installation package (recommended)

The key is automatically distributed to all devices with which it is compatible:


If automatic distribution has been enabled in the key properties.

If the Add key task has been created.

Place license key in installation package

The key is distributed to devices together with the installation package.

We do not recommend distributing the key using this method, because the repository of installation
packages is shared with Read access rights, so anyone who can read the share can also copy the key.

The Selecting a license key window is displayed if the installation package does not include a license key.

If the installation package includes a license key, the License key properties window is displayed, containing the
license key details.

7. In the Selecting an operating system restart option window, specify whether the devices must be restarted if
the operating system has to be restarted during installation of applications on them:

Do not restart the device

If this option is selected, the device will not be restarted after the security application installation.

Restart the device

If this option is selected, the device will be restarted after the security application installation.

Prompt user for action

If this option is selected, after the security application installation, a notification is displayed to the user,
informing that the device needs to be restarted. By using the Modify link you can modify message text,
the period of message display, and the time of automatic restart.
By default, this option is selected.

Force closure of applications in blocked sessions

If this option is enabled, applications on blocked devices are forced to close before the restart.
By default, this option is disabled.

8. In the Select accounts to access devices window, you can add the accounts that will be used to start the
Remote installation task:

No account required (Network Agent installed)

If this option is selected, you do not have to specify the account under which the application installer
will be run. The task will run under the account under which the Administration Server service is running.
If Network Agent has not been installed on client devices, this option is not available.

Account required (Network Agent is not used)

Select this option if Network Agent is not installed on the devices for which you assign the remote
installation task. In this case, you can specify a user account to install the application.

To specify the user account under which the application installer will be run, click the Add button, select
Local Account, and then specify the user account credentials.

You can specify multiple user accounts if, for example, none of them have all the required rights on all
devices for which you assign the task. In this case, all added accounts are used for running the task, in
consecutive order, top-down.

9. In the Starting installation window, click the Next button to create and start a Remote installation task on the
selected devices.
If the Starting installation window has the Do not run the task after the Remote Installation Wizard finishes
option selected, the remote installation task will not start. You can start this task manually later. The task name
corresponds to the name of the installation package for the application: Installation of <Installation package
name>.

To install the application on devices in an administration group by using the Remote Installation Wizard:

1. Establish a connection with the Administration Server that controls the relevant administration group.

2. Select an administration group in the console tree.

3. In the workspace of the group, click the Perform action button and select Install application in the drop-down
list.
This will start the Remote Installation Wizard. Follow the instructions of the Wizard.

4. At the final step of the Wizard, click Next to create and run a remote installation task on the selected devices.

When the Remote Installation Wizard finishes, Kaspersky Security Center performs the following actions:

Creates an installation package for application installation (if it was not created earlier). The installation package
is located in the Remote installation folder, in the Installation packages subfolder, under a name that
corresponds to the application name and version. You can use this installation package for the application
installation in the future.

Creates and runs a remote installation task for specific devices or for an administration group. The newly
created remote installation task is stored in the Tasks folder or added to the tasks of the administration group
for which it has been created. You can later launch this task manually. The task name corresponds to the name
of the installation package for the application: Installation of <Installation package name>.

Viewing a protection deployment report


You can use the protection deployment report to monitor the progress of network protection deployment.

To view a protection deployment report:

1. In the console tree, select the node with the name of the required Administration Server.

2. In the workspace of the node, select the Reports tab.

3. In the workspace of the Reports folder, select the report template named Report on protection deployment.

The workspace displays a report containing information about protection deployment on all networked devices.

You can generate a new protection deployment report and specify the type of data that it should include:

For an administration group

For specific devices

For a device selection

For all devices

Kaspersky Security Center assumes that protection is deployed on a device if a security application is
installed and real-time protection enabled.

Remote removal of applications


Kaspersky Security Center allows you to uninstall applications from devices remotely through remote uninstallation
tasks. Those tasks are created and assigned to devices through a dedicated Wizard. To assign a task to devices
more quickly and easily, you can specify devices in the Wizard window in one of the following ways:

Select networked devices detected by Administration Server. In this case, the task is assigned to specific
devices. The specific devices can include devices in administration groups as well as unassigned devices.

Specify device addresses manually or import addresses from a list. You can specify NetBIOS names, DNS
names, IP addresses, and IP subnets of devices to which you want to assign the task.

Assign task to a device selection. In this case, the task is assigned to devices included in a selection created
earlier. You can specify the default selection or a custom one that you created.

Assign task to an administration group. In this case, the task is assigned to devices included in an
administration group created earlier.

Remote removal of an application from client devices of the administration group


To remove an application remotely from client devices of the administration group:

1. Establish a connection with the Administration Server that controls the relevant administration group.

2. Select an administration group in the console tree.

3. In the group workspace, select the Tasks tab.

4. Run the task creation by clicking the Create a task button.


The Add Task Wizard starts. Follow the instructions of the Wizard.
In the Select the task type window of the Add Task Wizard, in the Kaspersky Security Center 14
Administration Server node, in the Advanced folder select Uninstall application remotely as the task type.
The Add Task Wizard creates a group task of remote removal of the selected application. The new task appears
in the workspace of the administration group on the Tasks tab.

5. Run the task manually or wait for it to launch according to the schedule specified by you in the task settings.

On completion of the remote removal task, the selected application will be removed from client devices in the
administration group.

Remote removal of an application from selected devices


To remove an application remotely from selected devices:
1. In the console tree, select the Tasks folder.

2. Run task creation by clicking New task.


The Add Task Wizard starts. Follow the instructions of the Wizard.
In the Select the task type window of the Add Task Wizard, in the Kaspersky Security Center 14
Administration Server node, in the Advanced folder select Uninstall application remotely as the task type.
The Add Task Wizard creates a task of remote removal of the selected application from specific devices. The
newly created task is displayed in the workspace of the Tasks folder.

3. Run the task manually or wait for it to launch according to the schedule specified by you in the task settings.

Upon completion of the remote removal task, the selected application will be removed from the selected
devices.

Working with installation packages


When creating remote installation tasks, the system uses installation packages containing sets of parameters
necessary for software installation.

Installation packages can contain a key file. It is recommended that you avoid sharing access to installation
packages that contain a key file.

You can use a single installation package several times.

Installation packages created for Administration Server are displayed in the console tree, in the Remote
installation folder, in the Installation packages subfolder. Installation packages are stored on the Administration
Server, in a service subfolder named Packages, within the specified shared folder.

Creating an installation package


To create an installation package, do the following:

1. Connect to the necessary Administration Server.

2. In the console tree, in the Remote installation folder select the Installation packages subfolder.

3. Start creation of an installation package in one of the following ways:

By selecting New → Installation package in the context menu of the Installation packages folder.

By selecting Create → Installation package in the context menu of the list of installation packages.

By clicking the Create installation package link in the installation packages list management section.

This will start the New Package Wizard. Follow the instructions of the Wizard.

When creating an installation package for the Kaspersky application, you may be prompted to view the License
Agreement and the Privacy Policy for this application. Please carefully read the License Agreement and Privacy
Policy. If you agree with all the terms of the License Agreement and the Privacy Policy, select the following
options in the I confirm that I have fully read, understand, and accept the terms and conditions of the
following section:

The terms and conditions of this EULA

Privacy Policy describing the handling of data

Installation of the application on your device will continue after you select both options. Creation of the
installation package then resumes. The path to the License Agreement and Privacy Policy file is specified in a
KUD or KPD file included in the distribution kit of the application for which the installation package is to be
created.

When you create an installation package for Kaspersky Endpoint Security for Mac, you can select the
language of the License Agreement and Privacy Policy.

During creation of an installation package for an application from the Kaspersky database of applications, you
can enable automatic installation of system components (prerequisites) required for installation of the
application. The New Package Wizard displays a list of all available system components for the selected
application. If a patch installation package is created (incomplete distribution package), the list contains all
system prerequisites for deployment of the patch, up to the full distribution package. You can find this list at any
time in the installation package properties.

Updates of managed applications may require a speci c minimum version of Kaspersky Security Center to
be installed. If this version is later than your current version, these updates are displayed but cannot be
approved. Also, no installation packages can be created from such updates until you upgrade Kaspersky
Security Center. You are prompted to upgrade your Kaspersky Security Center instance to the required
minimum version.

After the New Package Wizard finishes, the new installation package appears in the workspace of the
Installation packages folder, in the console tree.

You do not have to manually create an installation package for remote installation of Network Agent. It is created
automatically during Kaspersky Security Center installation and is stored in the Installation packages folder. If the
package for remote installation of the Network Agent has been deleted, to re-create it, select the nagent.kud
file in the NetAgent folder of the Kaspersky Security Center distribution package.

Do not specify any details of privileged accounts in the parameters of installation packages.

When an installation package for Administration Server is created, select the sc.kud file in the root folder of the
Kaspersky Security Center distribution package as the description file.

Creating stand-alone installation packages

You and device users in your organization can use stand-alone installation packages to install applications on
devices manually.

A stand-alone installation package is an executable file (installer.exe) that you can store on Web Server, in a shared
folder, or transfer to a client device by another method. You can also send a link to the stand-alone installation
package by email. On the client device, the user can run the received file locally to install an application without
involving Kaspersky Security Center.

Be sure that the stand-alone installation package is not available for unauthorized persons.

You can create stand-alone installation packages for Kaspersky applications and for third-party applications for
Windows, macOS, and Linux platforms. To create a stand-alone installation package for a third-party application,
you must create a custom installation package rst.

Stand-alone installation packages are created from the installation packages in the list of installation packages
on the Administration Server.

To create a stand-alone installation package:

1. In the console tree, select the Administration Server → Advanced → Remote installation → Installation
packages.
A list of installation packages available on Administration Server is displayed.

2. In the list of installation packages, select an installation package for which you want to create a stand-alone
package.

3. In the context menu, select Create stand-alone installation package.


Stand-alone Installation Package Creation Wizard starts. Proceed through the Wizard by using the Next button.

4. On the first page of the Wizard, if you have selected an installation package for the Kaspersky application and
you want to install Network Agent together with the selected application, make sure that the Install Network
Agent together with this application option is enabled.
By default, this option is enabled. We recommend enabling this option if you are not sure whether Network
Agent is installed on the device. If Network Agent is already installed on the device, after the stand-alone
installation package with Network Agent is installed, Network Agent will be updated to the newer version.
If you disable this option, Network Agent will not be installed on the device and the device will be unmanaged.
If a stand-alone installation package for the selected application already exists on Administration Server, the
Wizard informs you about this fact. In this case, you must select one of the following actions:

Create stand-alone installation package. Select this option if, for example, you want to create a stand-
alone installation package for a new application version and also want to retain a stand-alone installation
package that you created for a previous application version. The new stand-alone installation package is
placed in another folder.

Use existing stand-alone installation package. Select this option if you want to use an existing stand-alone
installation package. The process of package creation will not be started.

Rebuild existing stand-alone installation package. Select this option if you want to create a stand-alone
installation package for the same application again. The stand-alone installation package is placed in the
same folder.

5. On the next page of the Wizard, select the Move unassigned devices to this group option and specify an
administration group to which you want to move the client device after Network Agent installation.
By default, the device is moved to the Managed devices group.
If you do not want to move the client device to an administration group after Network Agent installation, select
the Do not move devices option.

6. On the next page of the Wizard, when the process of the stand-alone installation package creation is finished, a
result of the stand-alone package creation and a path to the stand-alone package are displayed.
You can click the links and do any of the following:

Open the folder with the stand-alone installation package.

Email the link to the created stand-alone installation package. To perform this action, you must have an email
application launched.

Sample HTML code for publishing the link on a website. A TXT file is created and opened in an application
that is associated with the TXT format. In the file, the <a> HTML tag with attributes is displayed.

7. On the next page of the Wizard, if you want to open the list of stand-alone installation packages, enable the
Open the list of stand-alone packages option.

8. Click the FINISH button.


The Stand-alone Installation Package Creation Wizard closes.

The stand-alone installation package is created and placed in the PkgInst subfolder of the Administration Server
shared folder. You can view the list of stand-alone packages by clicking the View the list of stand-alone
packages button above the list of installation packages.
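Three warnings in this chapter concern the same shared folder: the repository of installation packages is shared with Read access (which is why "Place license key in installation package" is discouraged), installation packages that contain a key file should not be shared, and a stand-alone package must not be available to unauthorized persons even though its link is meant to be emailed or published. The following PowerShell script, added here as an example and not part of the Kaspersky Security Center documentation or product, audits that folder on the Administration Server: it lists who can read the share, finds key files under the Packages subfolder, and records the Authenticode signer and SHA-256 of every stand-alone installer under PkgInst so the hash can be published with the link. The share name is an assumption; take the real one from the Administration Server properties.

```powershell
# Added example, not part of the Kaspersky Security Center documentation or product.
# Run on the Administration Server; $ShareName is an assumed name for the shared folder.
$ShareName = 'KLSHARE'

function Get-PackageRepositoryAudit {
    param([Parameter(Mandatory)][string]$ShareName)
    $share = Get-SmbShare -Name $ShareName -ErrorAction Stop
    $root  = $share.Path

    # 1. Who can read the share. Every principal listed here can copy any file
    #    below, including a key file placed inside an installation package.
    $readers = Get-SmbShareAccess -Name $ShareName |
               Where-Object { $_.AccessControlType -eq 'Allow' } |
               ForEach-Object { "$($_.AccountName): $($_.AccessRight)" }

    # 2. Key files under the Packages subfolder (installation packages) or copied
    #    next to an exec folder for a manual GPO deployment.
    $keys = Get-ChildItem -Path (Join-Path $root 'Packages') -Recurse -File -Filter '*.key' -ErrorAction SilentlyContinue

    # 3. Stand-alone packages under PkgInst: signature state and SHA-256, so the hash
    #    can be sent or published together with the link and checked before running.
    $standalone = Get-ChildItem -Path (Join-Path $root 'PkgInst') -Recurse -File -Filter '*.exe' -ErrorAction SilentlyContinue |
        ForEach-Object {
            $sig = Get-AuthenticodeSignature -FilePath $_.FullName
            [pscustomobject]@{
                File      = $_.FullName
                Signer    = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '<unsigned>' }
                SigStatus = $sig.Status
                Sha256    = (Get-FileHash -Path $_.FullName -Algorithm SHA256).Hash
            }
        }

    [pscustomobject]@{
        SharePath          = $root
        ShareReaders       = $readers -join '; '
        KeyFilesInPackages = @($keys | ForEach-Object { $_.FullName })
        StandalonePackages = @($standalone)
    }
}

# Usage:
# $audit = Get-PackageRepositoryAudit -ShareName $ShareName
# $audit.ShareReaders
# $audit.KeyFilesInPackages          # should be empty if keys are distributed by the Add key task
# $audit.StandalonePackages | Format-Table File, SigStatus, Sha256 -AutoSize
```

A non-empty KeyFilesInPackages list with a broad ShareReaders entry is the exposure the page warns about; move those keys to automatic distribution (Do not place license key in installation package) and delete the copies. Publish the SHA-256 next to the HTML link so a user who receives the file by another route can verify it.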

Creating custom installation packages


You can use custom installation packages to do the following:

To install any application (for example, a text editor) on a client device, for example, by means of a task.

To create a stand-alone installation package.

A custom installation package is a folder with a set of files. The source to create a custom installation package is an
archive file. The archive file contains a file or files that must be included in the custom installation package.
Creating a custom installation package, you can specify command-line parameters, for example, to install the
application in a silent mode.

To create a custom installation package:

1. In the console tree, select the Administration Server → Advanced → Remote installation → Installation
packages.
A list of installation packages available on Administration Server is displayed.

2. Above the list of installation packages, click the Create installation package button.
The New Package Wizard starts. Proceed through the Wizard by using the Next button.

3. On the first page of the Wizard, select Create an installation package for the specified executable file.

4. On the next page of the Wizard, specify the custom installation package name.

5. On the next page of the Wizard, click the Browse button and, in a standard Windows Open window, choose an
archive file located on the available disks to create a custom installation package.
You can upload a ZIP, CAB, TAR, or TAR.GZ archive. It is not possible to create an installation package from an
SFX (self-extracting archive) file.
Files are uploaded to the Kaspersky Security Center Administration Server.

6. On the next page of the Wizard, specify the command-line parameters of an executable file.
You can specify command-line parameters to install the application from the installation package in a silent
mode. Specifying command-line parameters is optional.
If you want, configure the following options:

Copy entire folder to the installation package

Select this option if the executable file is accompanied with additional files required for the application
installation. Before you enable this option, make sure that all of the required files are stored in the same
folder. If this option is enabled, the application adds the entire contents of the folder, including the
specified executable file, to the installation package.

Convert settings to recommended values for applications recognized by Kaspersky Security Center 14

The application will be installed with the recommended settings, if information about the specified
application is contained in the Kaspersky database.
If you entered parameters in the Executable file command line field, they are rewritten with the
recommended settings.
By default, this option is enabled.
The Kaspersky database is created and maintained by Kaspersky analysts. For each application that is
added to the database, Kaspersky analysts define optimal installation settings. The settings are defined
to ensure successful remote installation of an application to a client device. The database is updated on
the Administration Server automatically when you run the Download updates to the repository of the
Administration Server task.

The process to create the custom installation package starts.


The Wizard informs you when the process is finished.
If the custom installation package is not created, an appropriate message is displayed.

7. Click the Finish button to close the Wizard.

The installation package that you created is downloaded to the Packages subfolder of the Administration Server
shared folder. After downloading, the custom installation package appears in the list of installation packages.

In the list of installation packages on Administration Server, you can view and edit custom installation package
properties.

Viewing and editing properties of custom installation packages


After you created a custom installation package, you can view general information about the installation package
and specify the installation settings in the properties window.

To view and edit properties of a custom installation package:

1. In the console tree, select the Administration Server → Advanced → Remote installation → Installation
packages.
A list of installation packages available on Administration Server is displayed.

2. In the context menu of an installation package, select Properties.


The properties window of the selected installation package opens.

3. View the following information:

Installation package name

Application name packed into the custom installation package

Application version

Installation package creation date

Path to the custom installation package on the Administration Server

Executable file command line

4. Specify the following settings:

Installation package name

Install required general system components

If this option is enabled, before installing an update the application automatically installs all general
system components (prerequisites) that are required to install the update. For example, these
prerequisites can be operating system updates.
If this option is disabled, you may have to install the prerequisites manually.
By default, this option is disabled.

This option is only available when the application added to the installation package is recognized by
Kaspersky Security Center.

Executable file command line

If the application requires additional parameters for a silent installation, specify them in this field. Refer
to the vendor's documentation for details.
You can also enter other parameters.

This option is only available for packages that are not created on the basis of Kaspersky applications.

5. Click the OK or Apply button to save the changes, if any.

The new settings are saved.

Obtaining the Network Agent installation package from the Kaspersky
Security Center distribution kit
You can obtain the Network Agent installation package from the Kaspersky Security Center distribution kit,
without needing to install Kaspersky Security Center. You can then use the installation package to install Network
Agent on the client devices.

To obtain the Network Agent installation package from the Kaspersky Security Center distribution kit:

1. Run the ksc_<version number>.<build number>_full_<localization language>.exe executable file from the
Kaspersky Security Center distribution kit.

2. In the window that opens, click the Extract installation packages link.

3. In the list of installation packages, select the check box next to the Network Agent installation package, and
then click the Next button.

4. If necessary, click the Browse button to change the displayed folder to extract the installation package to.

5. Click the Extract button.


The application extracts the Network Agent installation package.

6. When the process is complete, click the Close button.

The Network Agent installation package is extracted to the selected folder.

You can use the installation package to install Network Agent by one of the following methods:

Locally by running the setup.exe file from the extracted folder

Via silent installation

By using group policies of Microsoft Windows

Distributing installation packages to secondary Administration Servers


To distribute installation packages to secondary Administration Servers:

1. Establish a connection with the Administration Server that controls the relevant secondary Administration
Servers.

2. Create a task of installation package distribution to secondary Administration Servers in one of the following
ways:

If you want to create a task for secondary Administration Servers in the selected administration group,
launch the creation of a group task for this group.

If you want to create a task for specific secondary Administration Servers, launch the creation of a task for
specific devices.

The Add Task Wizard starts. Follow the instructions of the Wizard.
In the Select the task type window of the New Task Wizard, in the Kaspersky Security Center 14
Administration Server node, in the Advanced folder select Distribute installation package as the task type.
The Add Task Wizard will create the task of distributing the selected installation packages to specific
secondary Administration Servers.

3. Run the task manually or wait for it to launch according to the schedule you specified in the task settings.

The selected installation packages will be copied to the specific secondary Administration Servers.

Distributing installation packages through distribution points


You can use distribution points to distribute installation packages within an administration group.

After the installation packages are received from the Administration Server, distribution points automatically
distribute them to client devices through IP multicasting. IP multicasting of new installation packages within an
administration group occurs once. If a client device has been disconnected from the corporate network at the
time of distribution, Network Agent (on the client device) automatically downloads the necessary installation
package from a distribution point when the installation task is started.

Transferring application installation results to Kaspersky Security Center


After you have created the application installation package, you can configure it so that all diagnostic information
about the results of the application installation is transferred to Kaspersky Security Center. For installation
packages of Kaspersky applications, transfer of diagnostic information about the application installation results is
configured by default, and no additional configuration is required.

To configure the transfer of diagnostic information about the results of application installation to Kaspersky
Security Center:

1. Navigate to the folder of the installation package created by using Kaspersky Security Center for the selected
application. The folder can be found in the shared folder specified during Kaspersky Security Center
installation.

2. Open the file with the .kpd or .kud extension for editing (for example, in the Microsoft Windows Notepad editor).
The file has the format of a regular configuration .ini file.

3. Add the following lines to the file:


[SetupProcessResult]
Wait=1
This command configures Kaspersky Security Center to wait for setup completion for the application, for
which the installation package is created, and to analyze the installer return code. If you have to disable the
transfer of diagnostic data, set the value of the Wait key to 0.

4. Add the description of return codes for a successful installation. To do this, add the following lines to the file:
[SetupProcessResult_SuccessCodes]
<return code>=[<description>]
<return code 1>=[<description>]

Square brackets contain optional keys.

Syntax for the lines:

<return code>. Any number corresponding to the installer return code. The number of return codes can
be arbitrary.

<description>. Text description of the installation result. The description can be omitted.

5. Add the description of return codes for a failed installation. To do this, add the following lines to the file:
[SetupProcessResult_ErrorCodes]
<return code>=[<description>]
<return code 1>=[<description>]

The syntax of these lines is identical to the syntax for the lines containing successful setup return codes.

6. Close the .kpd or .kud file by saving all changes.

Finally, the results of installation of the user-defined application will be registered in the logs of Kaspersky
Security Center and then shown in the list of events, in reports, and in task run logs.
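An added example, not part of Kaspersky Security Center or its documentation, showing how the sections described above can be read back: a small Python reader that loads the [SetupProcessResult*] sections from .kpd/.kud text and maps an installer exit code to the outcome the tables declare. The sample section content and return codes are constructed; because the page does not say how a code listed in neither table is treated, such a code is reported here as unknown.

```python
"""Reader for the [SetupProcessResult*] sections of a .kpd/.kud file.

Added example, not part of Kaspersky Security Center or its documentation: it
loads the sections from .kpd/.kud text (an INI file) and maps an installer exit
code to the outcome the tables declare. The page does not say how a code listed
in neither table is treated, so such a code is reported here as "unknown"."""
import configparser
from dataclasses import dataclass, field
from typing import Dict, Tuple

# Constructed sample of the lines an administrator appends to the .kpd/.kud file.
# The return codes and descriptions are illustrative values, not from the page.
SAMPLE_KPD = """
[SetupProcessResult]
Wait=1

[SetupProcessResult_SuccessCodes]
0=Installation completed
3010=Installation completed, restart required

[SetupProcessResult_ErrorCodes]
1603=Fatal error during installation
1618=Another installation is already in progress
"""


@dataclass
class SetupResultSpec:
    wait: bool                                   # Wait=1: wait for setup and read its exit code
    success: Dict[int, str] = field(default_factory=dict)
    errors: Dict[int, str] = field(default_factory=dict)


def _code_table(cp: configparser.ConfigParser, section: str) -> Dict[int, str]:
    """Read '<return code>=[<description>]' lines; the description may be omitted."""
    table: Dict[int, str] = {}
    if cp.has_section(section):
        for code, description in cp.items(section):
            table[int(code.strip())] = (description or "").strip()
    return table


def load_result_spec(text: str) -> SetupResultSpec:
    """Parse the three sections out of the .kpd/.kud file contents."""
    cp = configparser.ConfigParser(interpolation=None, allow_no_value=True)
    cp.optionxform = str                         # keep key names exactly as written
    cp.read_string(text)
    wait_raw = cp.get("SetupProcessResult", "Wait", fallback="0") or "0"
    return SetupResultSpec(
        wait=wait_raw.strip() == "1",
        success=_code_table(cp, "SetupProcessResult_SuccessCodes"),
        errors=_code_table(cp, "SetupProcessResult_ErrorCodes"),
    )


def classify(return_code: int, spec: SetupResultSpec) -> Tuple[str, str]:
    """Outcome and description for an installer exit code under the loaded spec."""
    if not spec.wait:                            # Wait=0: the result is not analyzed at all
        return ("not-analyzed", "")
    if return_code in spec.success:
        return ("success", spec.success[return_code])
    if return_code in spec.errors:
        return ("error", spec.errors[return_code])
    return ("unknown", "")                       # listed in neither table


if __name__ == "__main__":
    spec = load_result_spec(SAMPLE_KPD)
    for code in (0, 3010, 1603, 42):
        print(code, *classify(code, spec))
```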

Defining the KSN proxy server address for installation packages


In case the address or the domain of the Administration Server changes, you can define the KSN proxy server
address for the installation package.

To define the KSN proxy server address for the installation package:

1. In the console tree, in the Remote installation folder, double-click the Installation packages subfolder.

2. In the menu that opens, select Properties.

3. In the properties window that opens, select the General subsection.

4. In the General subsection of the properties window, enter the address of the KSN proxy server.

The installation packages will use this address as default.

Receiving up-to-date versions of applications


Kaspersky Security Center allows you to receive up-to-date versions of corporate applications stored on
Kaspersky servers.

To receive up-to-date versions of Kaspersky corporate applications:

1. Do one of the following:

In the console tree, select the node with the name of the required Administration Server, make sure the
Monitoring tab is selected, and in the Deployment section click the There are new versions of Kaspersky
applications available link.
The There are new versions of Kaspersky applications available link becomes visible when
Administration Server finds a new version of a corporate application on a Kaspersky server.

In the console tree, select Advanced → Remote installation → Installation packages, and in the workspace
click Additional actions and from the drop-down list select View current versions of Kaspersky
applications.

The list of the current version of Kaspersky applications is displayed.

2. You can filter the list of Kaspersky applications to simplify the search for the required application.
At the top of the Current application versions window, click the Filter link to filter the application list by the
following criteria:

Components. Use this criterion to filter the Kaspersky application list by the protection areas that are in use
on your network.

Type of downloaded software. Use this criterion to filter the Kaspersky application list by the application
type.

Software products and updates to display. Use this criterion to display available Kaspersky applications by
specific versions.

Displayed languages for software and updates. Use this criterion to display Kaspersky applications with a
specific localization language.

Click the Apply button to apply the selected filters.

3. Select the required application from the list.

4. Download the application distribution package by clicking the link in the Distribution package web address
string.

Updates of managed applications may require a specific minimum version of Kaspersky Security Center to
be installed. If this version is later than your current version, these updates are displayed but cannot be
approved. Also, no installation packages can be created from such updates until you upgrade Kaspersky
Security Center. You are prompted to upgrade your Kaspersky Security Center instance to the required
minimum version.

If the Download applications and create installation packages button is displayed for the application selected,
you can click this button to download the application distribution package and create an installation package
automatically. Kaspersky Security Center downloads the application distribution package to Administration Server,
to the shared folder specified during installation of Kaspersky Security Center. The automatically created
installation package is displayed in the Remote installation folder in the console tree, in the Installation packages
subfolder.

After the Current application versions window is closed, the There are new versions of Kaspersky
applications available link disappears from the Deployment section.

You can create installation packages for new versions of applications and manage newly created installation
packages in the Remote installation folder in the console tree, in the Installation packages subfolder.

You can also open the Current application versions window by clicking the View current versions of Kaspersky
applications link in the workspace of the Installation packages folder.

Preparing a Windows device for remote installation. Riprep utility


Remote installation of the application on the client device may return an error for the following reasons:

The task has already been successfully performed on this device. In this case, the task does not have to be
performed again.

When a task was started, the device was shut down. In this case, turn on the device and restart the task.

There is no connection between the Administration Server and the Network Agent installed on the client
device. To determine the cause of the problem, use the utility designed for remote diagnostics of client devices
(klactgui).

If Network Agent is not installed on the device, the following problems may occur during remote installation:

The client device has Disable simple file sharing enabled.

The Server service is not running on the client device.

The required ports are closed on the client device.

The account that is used to perform the task has insufficient privileges.

To solve problems that occur during installation of the application on a client device without Network Agent
installed, you can use the utility designed to prepare devices for remote installation (riprep).

Use the riprep utility to prepare a Windows device for remote installation. The utility is located in the Kaspersky
Security Center installation folder on the device on which Administration Server is installed.

The utility used to prepare a device for remote installation does not run on Microsoft Windows XP Home
Edition.

Preparing a Windows device for remote installation in interactive mode


To prepare a Windows device for remote installation in interactive mode:

1. Run the riprep.exe le on a client device.

2. In the main window of the remote installation preparation utility, select the following options:

Disable simple file sharing

Start the Administration Server service

Open ports

Add an account

Disable User Account Control (UAC) (only available for devices running Microsoft Windows Vista,
Microsoft Windows 7, or Microsoft Windows Server 2008)

3. Click the Start button.

The stages of device preparation for remote installation are shown in the lower part of the utility's main window.

If you selected the Add an account option, when an account is created you will be prompted to enter the account
name and password. This will create a local account belonging to the local administrators' group.

If you selected the Disable User Account Control (UAC) option, an attempt to disable User Account Control will
be made even if UAC was disabled before the utility was started. After UAC is disabled, you will be prompted to
restart the device.

Preparing a Windows device for remote installation in silent mode


To prepare a Windows device for remote installation in silent mode:

Run the riprep.exe file on the client device from the command line with the requisite set of keys.

Utility command line syntax:

riprep.exe [-silent] [-cfg CONFIG_FILE] [-tl traceLevel]

Descriptions of the keys:

-silent—Starts the utility in silent mode.

-cfg CONFIG_FILE—Defines the utility configuration, where CONFIG_FILE is the path to the configuration
file (a file with the .ini extension).

-tl traceLevel—Defines the trace level, where traceLevel is a number from 0 to 5. If no key is specified,
the value 0 is used.

You can perform the following tasks by starting the utility in silent mode:

Disabling the simple sharing of files

Starting the Server service on the client device

Opening the ports

Creating a local account

Disabling User Account Control (UAC)

You can specify the parameters for device preparation for remote installation in the configuration file specified in
the -cfg key. To define these parameters, add the following information to the configuration file:

In the Common section, specify the tasks to be performed:

DisableSFS—Disable the simple sharing of files (0—the task is disabled; 1—the task is enabled).

StartServer—Start the Server service (0—the task is disabled; 1—the task is enabled).

OpenFirewallPorts—Open the necessary ports (0—the task is disabled; 1—the task is enabled).

DisableUAC—Disable User Account Control (UAC) (0—the task is disabled; 1—the task is enabled).

RebootType—Define behavior if restart of device is required when UAC is disabled. You can use the
following values:

0—Never restart the device.

1—Restart the device, if UAC was enabled before starting the utility.

2—Force restart, if UAC was enabled before starting the utility.

4—Always restart the device.

5—Always restart the device with force.

In the UserAccount section, specify the account name (user) and its password (Pwd).

Sample contents of the configuration file:

[Common]
DisableSFS=0
StartServer=1
OpenFirewallPorts=1
[UserAccount]
user=Admin
Pwd=Pass123

After the utility completes, the following files will be created in the utility start folder:

riprep.txt—Operation report, in which phases of the utility operation are listed with reasons for these
operations.

riprep.log—Trace file (created if the tracing level is set above 0).

Preparing a Linux device for remote installation of Network Agent


To prepare a device running Linux for remote installation of Network Agent:

1. Make sure that the following software is installed on the target Linux device:

Sudo

Perl language interpreter version 5.10 or later

2. Test the device configuration:

a. Check whether you can connect to the device through an SSH client (such as PuTTY).

If you cannot connect to the device, open the /etc/ssh/sshd_config file and make sure that the following
settings have the respective values listed below:
PasswordAuthentication no
ChallengeResponseAuthentication yes
Save the file (if necessary) and restart the SSH service by using the sudo service ssh restart
command.

b. Disable the sudo password for the user account under which the device is to be connected.

c. Use the visudo command in sudo to open the sudoers configuration file.
In the file you have opened, find the line that starts with %sudo (or with %wheel if you are using the CentOS
operating system). Under this line, specify the following: <username> ALL = (ALL) NOPASSWD: ALL. In
this case, <username> is the user account which is to be used for the device connection using SSH. If you
are using the Astra Linux operating system, in the /etc/sudoers file add the last line with the following text:
%astra-admin ALL=(ALL:ALL) NOPASSWD: ALL

d. Save the sudoers file and then close it.

e. Connect to the device again through SSH and make sure that the Sudo service does not prompt you to
enter a password; you can do this using the sudo whoami command.

3. Open the /etc/systemd/logind.conf le, and then do one of the following:

Specify 'no' as a value for the KillUserProcesses setting: KillUserProcesses=no.

For the KillExcludeUsers setting, type the user name of the account under which the remote installation is to
be performed, for example, KillExcludeUsers=root.

If the target device is running Astra Linux, add the export
PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin string in the
/home/<username>/.bashrc file, where <username> is the user account which is to be used for the device
connection using SSH.
To apply the changed setting, restart the Linux device or execute the following command:
$ sudo systemctl restart systemd-logind.service

4. If you want to install Network Agent on devices with the SUSE Linux Enterprise Server 15 operating system,
install the insserv-compat package first to configure Network Agent.

5. Download and create an installation package:

a. Before installing the package on the device, make sure that it already has all the dependencies (programs
and libraries) installed for this package.
You can view the dependencies for each package on your own, using utilities that are specific for the Linux
distribution on which the package is to be installed. For more details about utilities, refer to your operating
system documentation.

b. Download the Network Agent installation package.

c. To create a remote installation package, use the following files:

klnagent.kpd

akinstall.sh

.deb or .rpm package of Network Agent

6. Create a remote installation task with the following settings:

On the Settings page of the Add Task Wizard, select the Using operating system resources through
Administration Server check box. Clear all other check boxes.

On the Selecting an account to run the task page, to run the task specify the settings of the user account
that is used for device connection through SSH.

7. Run the remote installation task. Use the option for the su command to preserve the environment: -m, -p,
--preserve-environment.

An error may be returned if you install Network Agent with SSH on devices running Fedora versions earlier than
version 20. In this case, for successful installation of Network Agent, comment out the Defaults requiretty option
(enclose it in comment syntax to remove it from parsed code) in the /etc/sudoers le. For a detailed description of
the condition of the Defaults requiretty option that may cause problems during SSH connection, please refer to
the Bugzilla bugtracker website.
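An added example, not Kaspersky code, that checks the settings from the procedure above before the remote installation task is run: it parses sshd_config, sudoers and logind.conf contents for the SSH account's NOPASSWD entry, the two sshd values, the KillUserProcesses/KillExcludeUsers choice and the Fedora requiretty line. The account name ksc-deploy and the sample file contents are constructed for illustration; file contents are passed in as strings, so it runs offline against copies of the files.

```python
"""Preflight check for the Linux settings listed in the procedure above
(sshd_config, sudoers, logind.conf) before installing Network Agent over SSH.
Added example, not Kaspersky code: it checks file contents passed in as strings,
so it can be run against copies of the files or, as root, against the real ones."""
import re
from typing import List, Optional


def _sshd_value(text: str, key: str) -> Optional[str]:
    """First effective value of a global sshd_config directive. sshd uses the first
    occurrence of a key; lines after a Match block apply conditionally and are skipped."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split(None, 1)
        if parts[0].lower() == "match":
            break
        if parts[0].lower() == key.lower() and len(parts) == 2:
            return parts[1].strip()
    return None


def check_sshd_config(text: str) -> List[str]:
    """The two /etc/ssh/sshd_config values the procedure asks for."""
    expected = {"PasswordAuthentication": "no",
                "ChallengeResponseAuthentication": "yes"}
    findings = []
    for key, want in expected.items():
        got = _sshd_value(text, key)
        if got is None or got.lower() != want:
            findings.append(f"sshd_config: {key} is {got!r}, expected {want!r}")
    return findings


def check_sudoers(text: str, user: str) -> List[str]:
    """A 'NOPASSWD: ALL' entry for the SSH account itself (or for %astra-admin on
    Astra Linux), and the 'Defaults requiretty' line that breaks installs on old Fedora."""
    entry = re.compile(r"^\s*(?:" + re.escape(user) + r"|%astra-admin)"
                       r"\s+ALL\s*=\s*\(ALL(?::ALL)?\)\s*NOPASSWD:\s*ALL\s*$")
    # A leading '#' comments the line out, so '#Defaults requiretty' is inert.
    lines = [ln.split("#", 1)[0].rstrip() for ln in text.splitlines()]
    findings = []
    if not any(entry.match(ln) for ln in lines):
        findings.append(f"sudoers: no 'NOPASSWD: ALL' entry for {user} (or %astra-admin)")
    if any(re.match(r"^\s*Defaults\s+requiretty\b", ln) for ln in lines):
        findings.append("sudoers: 'Defaults requiretty' is active; comment it out on Fedora < 20")
    return findings


def check_logind(text: str, user: str) -> List[str]:
    """/etc/systemd/logind.conf: KillUserProcesses=no, or the account in KillExcludeUsers."""
    kill_user_processes: Optional[str] = None
    excluded: List[str] = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;[":        # comments and the [Login] header
            continue
        key, _, value = line.partition("=")
        key, value = key.strip(), value.strip()
        if key == "KillUserProcesses":          # later assignments override earlier ones
            kill_user_processes = value.lower()
        elif key == "KillExcludeUsers":
            excluded = value.split()
    if kill_user_processes == "no" or user in excluded:
        return []
    return [f"logind.conf: set KillUserProcesses=no or add {user} to KillExcludeUsers"]


def check_device(sshd_config: str, sudoers: str, logind_conf: str, user: str) -> List[str]:
    """All findings for one device; an empty list means the checked settings are in place."""
    return (check_sshd_config(sshd_config)
            + check_sudoers(sudoers, user)
            + check_logind(logind_conf, user))


# Constructed sample files (not from a real device): one prepared as described, one not.
SSH_USER = "ksc-deploy"   # hypothetical account used for the SSH connection
SSHD_OK = "Port 22\nPasswordAuthentication no\nChallengeResponseAuthentication yes\n"
SUDOERS_OK = ("Defaults env_reset\n%sudo ALL=(ALL:ALL) ALL\n"
              "ksc-deploy ALL = (ALL) NOPASSWD: ALL\n")
LOGIND_OK = "[Login]\n#KillUserProcesses=yes\nKillUserProcesses=no\n"
SSHD_BAD = "PasswordAuthentication yes\n"
SUDOERS_BAD = "Defaults requiretty\n%sudo ALL=(ALL:ALL) ALL\n"
LOGIND_BAD = "[Login]\nKillUserProcesses=yes\nKillExcludeUsers=root\n"

if __name__ == "__main__":
    for label, files in (("prepared", (SSHD_OK, SUDOERS_OK, LOGIND_OK)),
                         ("unprepared", (SSHD_BAD, SUDOERS_BAD, LOGIND_BAD))):
        print(label, check_device(*files, SSH_USER) or ["no findings"])
```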

Preparing a device running SUSE Linux Enterprise Server 15 for installation of
Network Agent

To install Network Agent on a device with the SUSE Linux Enterprise Server 15 operating system, run the following
command before the Network Agent installation:

$ sudo zypper install insserv-compat

This enables you to install the insserv-compat package and configure Network Agent properly.

Run the rpm -q insserv-compat command to check whether the package is already installed.

If your network includes a lot of devices running SUSE Linux Enterprise Server 15, you can use the special software
for configuring and managing the company infrastructure. By using this software, you can automatically install the
insserv-compat package on all necessary devices at once. For example, you can use Puppet, Ansible, Chef, or you
can make your own script—use any method that is convenient for you.

If the device does not have the GPG signing keys for SUSE Linux Enterprise, you may encounter the following
warning: Package header is not signed! Select the i option to ignore the warning.

Besides the insserv-compat package installation, make sure that you have completely prepared your Linux devices.
After that, deploy and install Network Agent.

Preparing a macOS device for remote installation of Network Agent


To prepare a device running macOS for remote installation of Network Agent:

1. Make sure that sudo is installed on the target macOS device.

2. Test the device configuration:

a. Make sure port 22 is open on the client device. To do this, in the System Preferences, open the Sharing
pane, and then make sure the Remote Login check box is selected.
You can connect to the client device via Secure Shell (SSH) only through port 22. You cannot change the
port number.
You can use the ssh <device_name> command to log in to the macOS device remotely. In the Sharing
pane, you can use the Allow access for option to set the scope of users who are allowed access to the
macOS device.

b. Disable the sudo password for the user account under which the device is to be connected.
Use the sudo visudo command in the Terminal to open the sudoers configuration file. In the file that you
have opened, in the User privilege specification entry specify the following: username ALL =
(ALL) NOPASSWD: ALL. In this case, username stands for the user account, which is to be used for the
device connection using SSH.

c. Save the sudoers file and then close it.

d. Connect to the device again via SSH and make sure that the Sudo service does not prompt you to enter a
password; you can do this using the sudo whoami command.

3. Download and create an installation package:

a. Download the Network Agent installation package using one of the following methods:

In the console tree, by opening the context menu on Remote installation → Installation packages and
selecting Show current application versions to choose from available packages

By downloading the relevant version of Network Agent from Technical Support website at
https://support.kaspersky.com/

By requesting the installation package from Technical Support specialists

b. To create a remote installation package, use the following files:

klnagent.kud

install.sh

klnagentmac.dmg

4. Create a remote installation task with the following settings:

On the Settings page of the Add Task Wizard, select the Using operating system resources through
Administration Server check box. Clear all other check boxes.

On the Selecting an account to run the task page, to run the task specify the settings of the user account
that is used for device connection via SSH.

The client device is ready for remote installation of Network Agent through the corresponding task that you have
created.

Kaspersky applications: licensing and activation


This section describes the features of Kaspersky Security Center related to working with the license keys of
managed Kaspersky applications.
Kaspersky Security Center allows you to perform centralized distribution of license keys for Kaspersky applications
on client devices, monitor their use, and renew licenses.

When adding a license key using Kaspersky Security Center, the settings of the license key are saved on the
Administration Server. Based on this information, the application generates a license key usage report and notifies
the administrator of license expirations and violation of license restrictions that are set in the properties of license
keys. You can configure notifications of the use of license keys within the Administration Server settings.

Licensing of managed applications


The Kaspersky applications installed on managed devices must be licensed by applying a key file or activation code
to each of the applications. A key file or activation code can be deployed in the following ways:

Automatic deployment

The installation package of a managed application

The Add license key task for a managed application

Manual activation of a managed application

You can add a new active or reserve license key by any of the methods listed above. A Kaspersky application uses
an active key at the current moment and stores a reserve key to apply after the active key expires. The application
for which you add a license key defines whether the key is active or reserve. The key definition does not depend on
the method that you use to add a new license key.

Automatic deployment

If you use different managed applications and you have to deploy a specific key file or activation code to
devices, opt for other ways of deploying that activation code or key file.

Kaspersky Security Center allows you to automatically deploy available license keys to devices. For example, three
license keys are stored in the Administration Server repository. You have selected the Automatically distribute
license key to managed devices check box for all three license keys. A Kaspersky security application—for
example, Kaspersky Endpoint Security for Windows—is installed on the organization's devices. A new device is
discovered to which a license key must be deployed. The application determines, for instance, that two of the
license keys from the repository can be deployed to the device: license key named Key_1 and license key named
Key_2. One of these license keys is deployed to the device. In this case, it cannot be predicted which of the two
license keys will be deployed to the device because automatic deployment of license keys does not provide for any
administrator activity.

When a license key is deployed, the devices are recounted for that license key. You must make sure that the
number of devices to which the license key was deployed does not exceed the license limit. If the number of
devices exceeds the license limit, all devices that were not covered by the license will be assigned Critical status.

Before deployment, the key le or activation code must be added to the Administration Server repository.

How-to instructions:

Administration Console:

Adding a license key to the Administration Server repository


Automatic distribution of a license key

or

Kaspersky Security Center Web Console:

Adding a license key to the Administration Server repository

Automatic distribution of a license key

Adding a key file or activation code to the installation package of a managed application

For security reasons, this option is not recommended. A key file or activation code added to an installation
package may be compromised.

If you install a managed application using an installation package, you can specify an activation code or key file in
this installation package or in the policy of the application. The license key will be deployed to managed devices at
the next synchronization of the device with the Administration Server.

How-to instructions:

Administration Console:

Creating an installation package

Installing applications on client devices

or

Kaspersky Security Center Web Console: Adding a license key to an installation package

Deployment through the Add license key task for a managed application

If you opt for using the Add license key task for a managed application, you can select the license key that must be
deployed to devices and select the devices in any convenient way—for example, by selecting an administration
group or a device selection.

Before deployment, the key file or activation code must be added to the Administration Server repository.

How-to instructions:

Administration Console:

Adding a license key to the Administration Server repository

Deploying a license key to client devices

or

Kaspersky Security Center Web Console:

Adding a license key to the Administration Server repository

Deploying a license key to client devices

Adding an activation code or a key file manually to the devices

You can activate the installed Kaspersky application locally, by using the tools provided in the application interface.
Please refer to the documentation of the installed application.

Viewing information about license keys in use


To view information about license keys in use,

In the console tree, select the Kaspersky Licenses folder.

The workspace of the folder displays a list of license keys used on client devices.

Next to each of the license keys, an icon is displayed that corresponds to the type of use:

License key reported by a device: information about the currently used license key is received from a client device
connected to the Administration Server. The file of this license key is stored outside of the Administration Server.

License key in the repository, automatic distribution disabled: the license key is stored in the Administration Server
repository. Automatic distribution is disabled for this license key.

License key in the repository, automatic distribution enabled: the license key is stored in the Administration Server
repository. Automatic distribution is enabled for this license key.

You can view information about which license keys are used for activation of the application on a client device by
opening the Applications section of the client device properties window.

To define the up-to-date settings of virtual Administration Server license keys, the Administration Server
sends a request to Kaspersky activation servers at least once per day. If access to the servers using system
DNS is not possible, the application uses public DNS servers.

Adding a license key to the Administration Server repository


To add a license key to the Administration Server repository:

1. In the console tree, select the Kaspersky Licenses folder.

2. Start the license key adding task in one of the following ways:

Select Add activation code or key file in the context menu of the list of license keys.

Click the Add activation code or key file link in the workspace of the list of license keys.

Click the Add activation code or key file button.

The Add License Key Wizard starts.

3. Select how you want to activate Administration Server: by using an activation code or by using a key file.

4. Specify your activation code or a key file.

5. Select the Automatically distribute license key to managed devices option if you want to distribute a relevant
license key on your network immediately. If you do not select this option, you can manually distribute a license
key later.

As a result, the key file is downloaded and the Add License Key Wizard is finished. You can now see the added
license key in the list of Kaspersky licenses.

Deleting an Administration Server license key


To delete an Administration Server license key:

1. In the context menu of the Administration Server, select Properties.

2. In the Administration Server properties window that opens, select the License keys section.

3. Delete the license key by clicking the Remove button.

This deletes the license key.

If a reserve license key has been added, the reserve license key automatically becomes the active license key after
the former active license key is deleted.

After the active license key of Administration Server is deleted, Vulnerability and Patch Management and Mobile
Device Management become unavailable. You can add a deleted license key again or add a new license key.

Deploying a license key to client devices


Kaspersky Security Center allows you to distribute a license key to client devices through the license key
distribution task.

Before deployment, add the license key to the Administration Server repository.

To distribute a license key to client devices:

1. In the console tree, select the Kaspersky Licenses folder.

2. In the workspace of the list of license keys, click the Automatically distribute license key to managed devices
button.
The Application Activation Task Creation Wizard starts. Proceed through the wizard by using the Next
button.

3. In the list of applications, select the application for which you want to create a task.

4. At the Add key step of the wizard, add the license key by using one of the following options:

Activation code.

a. Select the Activation code option to add an activation code from the Kaspersky Security Center
repository, and then click Select.

b. In the List of activation codes in Kaspersky Security Center repository window that opens, select the
activation code, and then click OK.

Key file or key.

a. Select the Key file or key option if you want to add a key file, and then click Select.

b. In the list that opens, select the way you want to add a license key:

Select the Key from folder option to upload a key file from your computer. In the Select key file
window that opens, select a key file, and then click Open.

Select the Key from the Kaspersky Security Center repository option to add a key from the
repository. In the List of keys in Kaspersky Security Center repository window that opens, select
the license key, and then click OK.

5. [Optional] At the Add key step of the wizard, select the Add this key as a reserve key option.
In this case, a reserve key is applied after the active key expires.

6. Check the license key information, and then click Next.

7. At this step of the wizard, select the devices to which you want to assign the add key task. You can specify
devices in one of the following ways:

Select networked devices detected by Administration Server. In this case, the task is assigned to specific
devices. The specific devices can include devices in administration groups as well as unassigned devices.

Specify device addresses manually or import addresses from a list. You can specify NetBIOS names, DNS
names, IP addresses, and IP subnets of devices to which you want to assign the task.

Assign task to a device selection. In this case, the task is assigned to devices included in a selection
created earlier. You can specify the default selection or a custom one that you created.

Assign task to an administration group. In this case, the task is assigned to devices included in the
administration group created earlier.

8. At the Configure task schedule step of the wizard, create a schedule for task start:

Scheduled start:

Once

The task runs once, on the specified date and time.

Manually

The task does not run automatically. You can only start it manually.
By default, this option is enabled.

When new updates are downloaded to the repository

The task runs after updates are downloaded to the repository. For example, you may want to use
this schedule for the Find vulnerabilities and required updates task.

On virus outbreak

The task runs after a Virus outbreak event occurs. Select application types that will monitor virus
outbreaks. The following application types are available:
Anti-virus for workstations and file servers

Anti-virus for perimeter defense

Anti-virus for mail systems


By default, all application types are selected.
You may want to run different tasks depending on the anti-virus application type that reports a virus
outbreak. In this case, remove the selection of the application types that you do not need.

On completing another task

The current task starts after another task completes. You can select how the previous task must
complete (successfully or with error) to trigger the start of the current task. For example, you may
want to run the Manage devices task with the Turn on the device option and, after it completes, run
the Virus scan task.

Run missed tasks

This option determines the behavior of a task if a client device is not visible on the network when the
task is about to start.
If this option is enabled, the system attempts to start the task the next time the Kaspersky application
is run on the client device. If the task schedule is Manually, Once or Immediately, the task is started
immediately after the device becomes visible on the network or immediately after the device is
included in the task scope.
If this option is disabled, only scheduled tasks run on client devices; for Manually, Once and
Immediately, tasks run only on those client devices that are visible on the network. For example, you
may want to disable this option for a resource-consuming task that you want to run only outside of
business hours.
By default, this option is enabled.

Use automatically randomized delay for task starts

If this option is enabled, the task is started on client devices randomly within a specified time interval,
that is, distributed task start. A distributed task start helps to avoid a large number of simultaneous
requests by client devices to the Administration Server when a scheduled task is running.
The distributed start time is calculated automatically when a task is created, depending on the number
of client devices to which the task is assigned. Later, the task is always started on the calculated start
time. However, when task settings are edited or the task is started manually, the calculated value of the
task start time changes.
If this option is disabled, the task starts on client devices according to the schedule.

Use randomized delay for task starts within an interval of (min)

If this option is enabled, the task is started on client devices randomly within the specified time interval.
A distributed task start helps to avoid a large number of simultaneous requests by client devices to the
Administration Server when a scheduled task is running.
If this option is disabled, the task starts on client devices according to the schedule.
By default, this option is disabled. The default time interval is one minute.

9. At the Define the task name step of the wizard, specify the name for the task. A task name cannot be more
than 100 characters long and cannot include any special characters ("*<>?\:|).

10. On the Finish task creation step of the wizard, click the Finish button to close the wizard.
If you want the task to start as soon as the wizard finishes, select the Run the task after the Wizard finishes
check box.

Tasks created through the Application Activation Task Creation Wizard are tasks for specific devices stored in the
Tasks folder of the console tree.

You can also create a group or local license key distribution task through the Task Creation Wizard for an
administration group and for a client device.

Automatic distribution of a license key


Kaspersky Security Center allows automatic distribution of license keys to managed devices if they are located in
the license keys repository on the Administration Server.

To distribute a license key to managed devices automatically:

1. In the console tree, select the Kaspersky Licenses folder.

2. In the workspace of the folder, select the license key that you want to distribute to devices automatically.

3. Open the properties window of the selected license key in one of the following ways:

By selecting Properties in the context menu of the license key.

By clicking the View license key properties link in the information box for the selected license key.

4. In the license key properties window that opens, select the Automatically distribute license key to managed
devices check box. Close the license key properties window.

The license key will be automatically distributed to all compatible devices.

License key distribution is performed by means of Network Agent. No license key distribution tasks are created for
the application.

During automatic distribution of a license key, the licensing limit on the number of devices is taken into account.
(The licensing limit is set in the properties of the license key.) If the licensing limit is reached, distribution of this
license key on devices ceases automatically.

If you select the Automatically distribute license key to managed devices check box in the license key properties
window, a license key is distributed on your network immediately. If you do not select this option, you can manually
distribute a license key later.

Creating and viewing a license key usage report


To create a report on usage of license keys on client devices:

1. In the console tree, select the node with the name of the required Administration Server.

2. In the workspace of the node, select the Reports tab.

3. Select the report template named License key usage report, or create a new report template of the same
type.

The workspace of the license key usage report displays information about active and reserve license keys used on
the client devices. The report also contains information about devices on which the license keys are used, and
about restrictions specified in the properties of those license keys.

Viewing information about the application license keys


To learn what license keys are in use for a Kaspersky application:

1. In the Kaspersky Security Center console tree, select the Managed devices node and go to the Devices tab.

2. Right-click to open the context menu of the relevant device and select Properties.

3. In the device properties window that opens, select the Applications section.

4. In the list of applications that appears, select the application whose license keys you want to view, and then
click the Properties button.

5. In the application properties window that opens, select the License keys section.
The information is displayed in the workspace of this section.

Configuring network protection


This section contains information about manual configuration of policies and tasks, about user roles, and about
building an administration group structure and hierarchy of tasks.

Scenario: Configuring network protection


The Quick Start Wizard creates policies and tasks with the default settings. These settings may turn out to be
sub-optimal or even disallowed by the organization. Therefore, we recommend that you fine-tune these policies
and tasks and create other policies and tasks, if they are necessary for your network.

Prerequisites

Before you start, make sure that you have done the following:

Installed Kaspersky Security Center Administration Server

Installed Kaspersky Security Center Web Console

Completed the Kaspersky Security Center main installation scenario

Completed the Quick Start Wizard or manually created the following policies and tasks in the Managed
devices administration group:

Policy of Kaspersky Endpoint Security

Group task for updating Kaspersky Endpoint Security

Policy of Network Agent

Configuring network protection proceeds in stages:

1 Setup and propagation of Kaspersky application policies and policy profiles

To configure and propagate settings for Kaspersky applications installed on the managed devices, you can use
two different security management approaches—device-centric or user-centric. These two approaches can
also be combined.

2 Configuring tasks for remote management of Kaspersky applications

Check the tasks created with the Quick Start Wizard and fine-tune them, if necessary.

How-to instructions: Setting up the group task for updating Kaspersky Endpoint Security.

If necessary, create additional tasks to manage the Kaspersky applications installed on the client devices.

3 Evaluating and limiting the event load on the database

Information about events during the operation of managed applications is transferred from a client device and
registered in the Administration Server database. To reduce the load on the Administration Server, evaluate and
limit the maximum number of events that can be stored in the database.

How-to instructions: Setting the maximum number of events.

Results

Upon completion of this scenario, your network will be protected by configuration of Kaspersky applications, tasks,
and events received by the Administration Server:

The Kaspersky applications are configured according to the policies and policy profiles.

The applications are managed through a set of tasks.

The maximum number of events that can be stored in the database is set.

When the network protection configuration is complete, you can proceed to configuring regular updates to
Kaspersky databases and applications.

Policy setup and propagation: Device-centric approach


When you complete this scenario, the applications will be configured on all of the managed devices in accordance
with the application policies and policy profiles that you define.

Prerequisites

Before you start, make sure that you have installed Kaspersky Security Center Administration Server and
Kaspersky Security Center Web Console (optional). If you installed Kaspersky Security Center Web Console, you
might also want to consider user-centric security management as an alternative or additional option to the device-
centric approach.

Stages

The scenario of device-centric management of Kaspersky applications consists of the following steps:

1 Configuring application policies

Configure settings for Kaspersky applications installed on the managed devices by creating a policy for each
application. The set of policies will be propagated to the client devices.

When you configure the protection of your network in Quick Start Wizard, Kaspersky Security Center creates
the default policy for the following applications:

Kaspersky Endpoint Security for Windows—for Windows-based client devices

Kaspersky Endpoint Security for Linux—for Linux-based client devices

If you completed the configuration process by using this Wizard, you do not have to create a new policy for this
application. Proceed to the manual setup of Kaspersky Endpoint Security policy.

If you have a hierarchical structure of several Administration Servers and/or administration groups, the
secondary Administration Servers and child administration groups inherit the policies from the primary
Administration Server by default. You can force the inheritance by the child groups and secondary
Administration Servers to prohibit any modifications of the settings configured in the upstream policy. If you
want only part of the settings to be forcibly inherited, you can lock them in the upstream policy. The remaining
unlocked settings will be available for modification in the downstream policies. The created hierarchy of policies
will allow you to effectively manage devices in the administration groups.

How-to instructions:

Administration Console: Creating a policy

Kaspersky Security Center Web Console: Creating a policy

2 Creating policy profiles (optional)

If you want devices within a single administration group to run under different policy settings, create policy
profiles for those devices. A policy profile is a named subset of policy settings. This subset is distributed on
target devices together with the policy, supplementing it under a specific condition called the profile activation
condition. Profiles only contain settings that differ from the "basic" policy, which is active on the managed device.
By using profile activation conditions, you can apply different policy profiles, for example, to the devices located
in a specific unit or security group of Active Directory, having a specific hardware configuration, or marked with
specific tags. Use tags to filter devices that meet specific criteria. For example, you can create a tag called
Windows, mark all devices running Windows operating system with this tag, and then specify this tag as an
activation condition for a policy profile. As a result, Kaspersky applications installed on all devices running
Windows will be managed by their own policy profile.

How-to instructions:

Administration Console:

Creating a policy profile

Creating a policy profile activation rule

Kaspersky Security Center Web Console:

Creating a policy profile

Creating a policy profile activation rule

3 Propagating policies and policy profiles to the managed devices

By default, the Administration Server automatically synchronizes with managed devices every 15 minutes. You
can circumvent auto-synchronization and run the synchronization manually by using the Force synchronization
command. The synchronization is also forced after you create or change a policy or a policy profile. During the
synchronization, the new or changed policies and policy profiles are propagated to the managed devices.

If you use Kaspersky Security Center Web Console, you can check whether the policies and policy profiles were
delivered to a device. Kaspersky Security Center specifies the delivery date and time in the properties of the
device.

How-to instructions:

Administration Console: Forced synchronization

Kaspersky Security Center Web Console: Forced synchronization

Results

When the device-centric scenario is complete, the Kaspersky applications are configured according to the
settings specified and propagated through the hierarchy of policies.

The configured application policies and policy profiles will be applied automatically to the new devices added to the
administration groups.

About device-centric and user-centric security management approaches

You can manage security settings from the standpoint of device features and from the standpoint of user roles.
The first approach is called device-centric security management and the second is called user-centric security
management. To apply different application settings to different devices, you can use either or both types of
management in combination. To implement device-centric security management, you can use tools provided in
Microsoft Management Console-based Administration Console or Kaspersky Security Center Web Console. User-
centric security management can be implemented through Kaspersky Security Center Web Console only.

Device-centric security management enables you to apply different security application settings to managed
devices depending on device-specific features. For example, you can apply different settings to devices allocated
in different administration groups. You can also differentiate the devices by usage of those devices in Active
Directory, or their hardware specifications.

User-centric security management enables you to apply different security application settings to different user
roles. You can create several user roles, assign an appropriate user role to each user, and define different
application settings to the devices owned by users with different roles. For example, you may want to apply
different application settings to devices of accountants and human resources (HR) specialists. As a result, when
user-centric security management is implemented, each department—accounts department and HR department—
has its own settings configuration for Kaspersky applications. A settings configuration defines which application
settings can be changed by users and which are forcibly set and locked by the administrator.

By using user-centric security management, you can apply specific application settings to individual users. This
may be required when an employee has a unique role in the company or when you want to monitor security
incidents related to devices of a specific person. Depending on the role of this employee in the company, you can
expand or limit the rights of this person to change application settings. For example, you might want to expand the
rights of a system administrator who manages client devices in a local office.

You can also combine the device-centric and user-centric security management approaches. For example, you can
configure a specific application policy for each administration group and then create policy profiles for one or
several user roles of your enterprise. In this case, the policies and policy profiles are applied in the following order:

1. The policies created for device-centric security management are applied.

2. They are modified by the policy profiles according to the policy profile priorities.

3. The policies are modified by the policy profiles associated with user roles.
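The inheritance and layering rules above (locked upstream settings, profile activation conditions, the three-step application order, and the lock icon that decides whether a value is enforced on a workstation), worked through as an added Python model. This is not Kaspersky code; the setting names, the sample hierarchy, and the rule that a higher profile priority overrides a lower one are assumptions made for illustration.

```python
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional, Set

Settings = Dict[str, object]


@dataclass
class Policy:
    name: str
    settings: Settings
    locked: Set[str] = field(default_factory=set)   # settings whose lock icon is closed


@dataclass
class PolicyProfile:
    name: str
    settings: Settings                               # only the settings that differ from the policy
    priority: int                                    # assumption: a higher number wins
    condition: Callable[["Device"], bool] = lambda device: True  # profile activation condition
    user_role: Optional[str] = None                  # set for profiles tied to a user role


@dataclass
class Device:
    name: str
    tags: Set[str]
    owner_role: Optional[str] = None
    local_settings: Settings = field(default_factory=dict)  # values changed on the workstation


def inherit(upstream: Policy, downstream: Policy) -> Policy:
    """Effective downstream policy: locked upstream settings are forcibly inherited,
    unlocked ones keep the value set in the downstream policy."""
    settings = dict(upstream.settings)
    for key, value in downstream.settings.items():
        if key not in upstream.locked:       # a locked setting cannot be modified downstream
            settings[key] = value
    return Policy(downstream.name, settings, set(upstream.locked) | set(downstream.locked))


def effective_settings(policy: Policy, profiles: List[PolicyProfile], device: Device) -> Settings:
    """Apply the order above: the device-centric policy, then the device profiles
    whose activation condition holds (by priority), then the user-role profiles."""
    result = dict(policy.settings)
    device_profiles = [p for p in profiles if p.user_role is None and p.condition(device)]
    for profile in sorted(device_profiles, key=lambda p: p.priority):
        result.update(profile.settings)
    role_profiles = [p for p in profiles
                     if p.user_role is not None and p.user_role == device.owner_role
                     and p.condition(device)]
    for profile in sorted(role_profiles, key=lambda p: p.priority):
        result.update(profile.settings)
    return result


def settings_on_workstation(policy: Policy, effective: Settings, device: Device) -> Settings:
    """A locked setting is forced on the workstation; an unlocked one keeps any value
    the user changed locally."""
    return {key: (value if key in policy.locked else device.local_settings.get(key, value))
            for key, value in effective.items()}


# Constructed sample: the primary Administration Server locks KSN Proxy; a secondary
# Server tries to switch it off and also disables network-drive scanning (unlocked upstream).
PRIMARY = Policy("KES policy (primary Server)",
                 {"use_ksn_proxy": True, "scan_network_drives": True,
                  "show_interface": True, "password_protection": False},
                 locked={"use_ksn_proxy"})
SECONDARY = Policy("KES policy (secondary Server)",
                   {"use_ksn_proxy": False, "scan_network_drives": False},
                   locked={"scan_network_drives"})
PROFILES = [
    PolicyProfile("Windows", {"show_interface": False}, priority=1,
                  condition=lambda d: "Windows" in d.tags),
    PolicyProfile("Accountants", {"password_protection": True}, priority=1,
                  user_role="accountant"),
]
LAPTOP = Device("acct-laptop-01", tags={"Windows", "Laptop"}, owner_role="accountant",
                local_settings={"use_ksn_proxy": False, "show_interface": True})


def demo():
    """Returns (effective downstream policy, effective settings, values on the workstation)."""
    policy = inherit(PRIMARY, SECONDARY)
    effective = effective_settings(policy, PROFILES, LAPTOP)
    return policy, effective, settings_on_workstation(policy, effective, LAPTOP)


if __name__ == "__main__":
    for label, values in zip(("policy", "effective", "workstation"), demo()):
        print(label, getattr(values, "settings", values))
```

The secondary Server's attempt to disable KSN Proxy is discarded because the setting is locked upstream, while the user's local change to the interface setting survives because that setting is unlocked.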

Manual setup of Kaspersky Endpoint Security policy


This section provides recommendations on how to configure the Kaspersky Endpoint Security policy, which is
created by the Quick Start Wizard. You can perform the setup in the policy properties window.

When editing a setting, please keep in mind that you must click the lock icon above the relevant setting in order to
allow using its value on a workstation.

Configuring the policy in the Advanced Threat Protection section

For a full description of the settings in this section, please refer to the Kaspersky Endpoint Security for
Windows documentation.

In the Advanced Threat Protection section, you can configure the use of Kaspersky Security Network for
Kaspersky Endpoint Security for Windows. You can also configure Kaspersky Endpoint Security for Windows
modules, such as Behavior Detection, Exploit Prevention, Host Intrusion Prevention, and Remediation Engine.

In the Kaspersky Security Network subsection, we recommend that you enable the Use KSN Proxy option. Using
this option helps to redistribute and optimize traffic on the network. If the Use KSN Proxy option is disabled, you
can enable direct use of KSN servers.

Configuring the policy in the Essential Threat Protection section

For a full description of the settings in this section, please refer to the Kaspersky Endpoint Security for
Windows documentation.

In the Essential Threat Protection section of the policy properties window, we recommend that you specify
additional settings in the Firewall and File Threat Protection subsections.

The Firewall subsection contains settings that allow you to control the network activity of applications on the
client devices. A client device uses a network to which one of the following statuses is assigned: public, local, or
trusted. Depending on the network status, Kaspersky Endpoint Security can allow or deny network activity on a
device. When you add a new network to your organization, you must assign an appropriate network status to it. For
example, if the client device is a laptop, we recommend that this device use the public or trusted network, because
the laptop is not always connected to the local network. In the Firewall subsection, you can check whether you
correctly assigned statuses to the networks used in your organization.

To check the list of networks:

1. In the policy properties, go to Essential Threat Protection → Firewall.

2. In the Available networks section, click the Settings button.

3. In the Firewall window that opens, go to the Networks tab to view the list of networks.

In the File Threat Protection subsection, you can disable the scanning of network drives. Scanning network drives
can place a significant load on network drives. It is more convenient to perform indirect scanning, on file servers.

To disable scanning of network drives:

1. In the policy properties, go to Essential Threat Protection → File Threat Protection.

2. In the Security level section, click the Settings button.

3. In the File Threat Protection window that opens, on the General tab clear the All network drives check box.

Configuring the policy in the General Settings section

For a full description of the settings in this section, please refer to the Kaspersky Endpoint Security for
Windows documentation.

In the General Settings section of the policy properties window, we recommend that you specify additional
settings in the Reports and Storage and Interface subsections.

In the Reports and Storage subsection, go to the Data transfer to Administration Server section. The About
started applications check box specifies whether the Administration Server database saves information about all
versions of all software modules on the networked devices. If this check box is selected, the saved information may
require a significant amount of disk space in the Kaspersky Security Center database (dozens of gigabytes). Clear
the About started applications check box if it is selected in the top-level policy.

If Administration Console manages the Anti-Virus protection on the organization's network in centralized mode,
disable the display of the Kaspersky Endpoint Security for Windows user interface on workstations. To do this, in
the Interface subsection, go to the Interaction with user section, and then select Do not display option.

To enable password protection on workstations, in the Interface subsection, go to the Password protection
section, click the Settings button, and then select the Enable password protection check box.

Configuring the policy in the Event configuration section


In the Event configuration section, you should disable the saving of any events on Administration Server, except
for the following ones:

On the Critical event tab:

Application autorun is disabled

Access denied

Application startup prohibited

Disinfection not possible

License Agreement violated

Could not load encryption module

Cannot start two tasks at the same time

Active threat detected. Start Advanced Disinfection

Network attack detected

Not all components were updated

Activation error

Error enabling portable mode

Error in interaction with Kaspersky Security Center

Error disabling portable mode

Error changing application components

Error applying file encryption / decryption rules


Policy cannot be applied

Process terminated

Network activity blocked

On the Functional failure tab: Invalid task settings. Settings not applied

On the Warning tab:

Self-Defense is disabled

Incorrect reserve key

User has opted out of the encryption policy

On the Info tab: Application startup prohibited in test mode

Manual setup of the group update task for Kaspersky Endpoint Security

The optimal and recommended schedule option for Kaspersky Endpoint Security versions 10 and later is When
new updates are downloaded to the repository when the Use automatically randomized delay for task starts
check box is selected.

Manual setup of the group task for scanning a device with Kaspersky Endpoint Security

The Quick Start Wizard creates a group task for scanning a device. By default, the task is assigned a Run on
Fridays at 7:00 PM schedule with automatic randomization, and the Run missed tasks check box is cleared.

This means that if devices in an organization are shut down on Fridays, for example, at 6:30 PM, the device scan
task will never run. You must set up the most convenient schedule for this task based on the workplace rules
adopted in the organization.

Scheduling the Find vulnerabilities and required updates task


The Quick Start Wizard creates the Find vulnerabilities and required updates task for Network Agent. By default,
the task is assigned a Run on Tuesdays at 7:00 PM schedule with automatic randomization, and the Run missed
tasks check box is selected.

If the organization's workplace rules provide for shutting down all devices at this time, the Find vulnerabilities and
required updates task will run after the devices are turned on again, that is, on Wednesday morning. Such activity
may be undesirable because a vulnerability scan may increase the load on CPUs and disk subsystems. You must set
up the most convenient schedule for the task based on the workplace rules adopted in the organization.

Manual setup of the group task for updates installation and vulnerabilities fix

The Quick Start Wizard creates a group task for updates installation and vulnerabilities fix for Network Agent. By
default, the task is set up to run every day at 01:00 AM, with automatic randomization, and the Run missed tasks
option is not enabled.

If the organization's workplace rules provide for shutting down devices overnight, the update installation will never
run. You must set up the most convenient schedule for the vulnerability scan task based on the workplace rules
adopted in the organization. It is also important to keep in mind that installation of updates may require restarting
the device.

Setting the maximum number of events in the event repository


In the Events repository section of the Administration Server properties window, you can edit the settings of
events storage in the Administration Server database by limiting the number of event records and record storage
term. When you specify the maximum number of events, the application calculates an approximate amount of
storage space required for the specified number. You can use this approximate calculation to evaluate whether you
have enough free space on the disk to avoid database overflow. The default capacity of the Administration Server
database is 400,000 events. The maximum recommended capacity of the database is 45 million events.

The application checks the database every 10 minutes. If the number of events reaches the specified maximum
value plus 10,000, the application deletes the oldest events so that only the specified maximum number of events
remains.

When the Administration Server deletes old events, it cannot save new events to the database. During this period
of time, information about events that were rejected is written to the Kaspersky Event Log. The new events are
queued and then saved to the database after the deletion operation is complete.
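To turn the trim rule above into a retention estimate, here is an added Python planner and simulation. It is example code, not part of Kaspersky Security Center and not taken from this page. It uses only the figures stated here (a check every 10 minutes, deletion triggered at the maximum plus 10,000 events, a default of 400,000 and a recommended ceiling of 45 million); the event rates are constructed, and a real server's rate has to be read from its own event table. The point for incident response is that the limit is a count, not a period: the storage term you configure is honoured only while the count limit is large enough for the actual event rate.

```python
from collections import deque

CHECK_INTERVAL_MIN = 10           # Administration Server checks the database every 10 minutes
TRIM_OVERSHOOT = 10_000           # deletion starts once the count reaches maximum + 10,000
DEFAULT_MAX_EVENTS = 400_000
RECOMMENDED_MAX_EVENTS = 45_000_000


def retention_days(max_events, events_per_day):
    """Approximate history (in days) the repository keeps at a steady event rate.
    The count limit trims regardless of the storage term, so this is the real ceiling."""
    return max_events / events_per_day


def plan_max_events(wanted_days, events_per_day):
    """Smallest maximum that keeps wanted_days of history at the given rate, and whether
    that maximum stays within the recommended ceiling of the database."""
    needed = wanted_days * events_per_day
    return {"max_events": needed, "within_recommended": needed <= RECOMMENDED_MAX_EVENTS}


def simulate_trim(max_events, events_per_minute, minutes):
    """Minute-by-minute model of the trim rule on this page.

    Events arrive at a constant rate; every CHECK_INTERVAL_MIN minutes the server checks the
    count and, if it has reached max_events + TRIM_OVERSHOOT, deletes the oldest events until
    exactly max_events remain. Returns the final count, the peak count, the number of trims,
    and the age (in minutes) of the oldest surviving event.
    """
    batches = deque()                       # (arrival_minute, count), oldest first
    total = peak = trims = 0
    for minute in range(1, minutes + 1):
        batches.append((minute, events_per_minute))
        total += events_per_minute
        peak = max(peak, total)
        if minute % CHECK_INTERVAL_MIN == 0 and total >= max_events + TRIM_OVERSHOOT:
            trims += 1
            excess = total - max_events
            while excess > 0:               # drop oldest batches, splitting the last one
                arrived, count = batches[0]
                if count <= excess:
                    batches.popleft()
                    excess -= count
                    total -= count
                else:
                    batches[0] = (arrived, count - excess)
                    total -= excess
                    excess = 0
    oldest_age = minutes - batches[0][0] if batches else 0
    return {"events": total, "peak": peak, "trims": trims, "oldest_age_min": oldest_age}


if __name__ == "__main__":
    rate_per_min = 100                      # constructed: 100 events/minute = 144,000 per day
    print("days kept at the default maximum:", retention_days(DEFAULT_MAX_EVENTS, rate_per_min * 1440))
    print("maximum needed for 90 days      :", plan_max_events(90, rate_per_min * 1440))
    print("simulation                      :", simulate_trim(DEFAULT_MAX_EVENTS, rate_per_min, 10_000))
```

At the constructed rate of 144,000 events per day the default maximum holds under three days of history, and the simulation shows the count oscillating between 400,000 and 410,000 with the oldest event never older than roughly 2.8 days, whatever storage term is configured.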

To limit the number of events that can be stored in the events repository on the Administration Server:

1. Right-click the Administration Server, and then select Properties.


The Administration Server properties window opens.

2. In the workspace of the Events repository section, specify the maximum number of events stored in the
database.

3. Click OK.

Additionally, you can change the settings of any task to save events related to the task progress, or save only task
execution results. In doing so, you will reduce the number of events in the database, increase the speed of
execution of scenarios associated with analysis of the event table in the database, and lower the risk that critical
events will be overwritten by a large number of events.

Setting the maximum storage period for the information about fixed vulnerabilities
To set the maximum storage period in the database for the information about the vulnerabilities that have already
been fixed on managed devices:

1. Right-click the Administration Server, and then select Properties.
The Administration Server properties window opens.

2. In the workspace of the Events repository section, specify the maximum storage period for the information
about the fixed vulnerabilities in the database.
By default, the storage period is 90 days.

3. Click OK.

The maximum storage period for the information about the fixed vulnerabilities is limited to the specified number
of days. After that, the Administration Server maintenance task will delete the outdated information from the
database.

Managing tasks
Kaspersky Security Center manages applications installed on devices, by creating and running various tasks. Tasks
are required for installing, launching, and stopping applications, scanning files, updating databases and software
modules, and performing other actions on applications.

Tasks are subdivided into the following types:

Group tasks. Tasks that are performed on the devices of the selected administration group.

Administration Server tasks. Tasks that are performed on the Administration Server.

Tasks for specific devices. Tasks that are performed on selected devices, regardless of whether they are
included in any administration groups.

Local tasks. Tasks that are performed on a specific device.

An application task can only be created if the management plug-in for that application is installed on the
administrator's workstation.

You can compile a list of devices for which a task will be created in one of the following ways:

By selecting networked devices discovered by Administration Server.

By specifying a list of devices manually. You can use an IP address (or IP range), NetBIOS name, or DNS name as
the device address.

Import a list of devices from a .txt file containing the addresses of devices to be added (each address must be
placed in an individual line).
If you import a list of devices from a file or create one manually, and devices are identified by their names, the
list can only contain devices for which information has already been entered into the Administration Server
database when those devices were connected or during device discovery.

For each application, you can create any number of group tasks, tasks for specific devices, or local tasks.

The exchange of task information between an application installed on a device and the Kaspersky Security Center
database is carried out when Network Agent is connected to Administration Server.

You can make changes to the settings of tasks, view the progress of tasks, and copy, export, import, and delete
tasks.
Tasks are started on a device only if the application for which the task was created is running. When the
application is not running, all running tasks are canceled.

Results of completed tasks are saved in the event logs of Microsoft Windows and Kaspersky Security Center, both
centrally on the Administration Server and locally on each device.

Do not include private data in task settings. For example, avoid specifying the domain administrator password.

Details of managing tasks for applications with multitenancy support

A group task for an application with multitenancy support is applied to the application depending on the hierarchy
of Administration Servers and client devices. The virtual Administration Server from which the task is created must
be in the same or a lower-level administration group than the client device on which the application is installed.

In events that correspond to task execution results, a service provider administrator is shown the information
about the device on which the task executed. By contrast, a tenant administrator is shown Multi-tenant node.

Creating a task
In Administration Console, you can create tasks directly in the folder of the administration group for which a group
task is to be created, or in the workspace of the Tasks folder.

To create a group task in the folder of an administration group:

1. In the console tree, select the administration group for which you want to create a task.

2. In the group workspace, select the Tasks tab.

3. Run the task creation by clicking the Create a task button.

The Add Task Wizard starts. Follow the instructions of the Wizard.

To create a task in the workspace of the Tasks folder:

1. In the console tree, select the Tasks folder.

2. Run the task creation by clicking the Create a task button.

The Add Task Wizard starts. Follow the instructions of the Wizard.

Do not include private data in task settings. For example, avoid specifying the domain administrator password.

Creating the Administration Server task

The Administration Server performs the following tasks:

Automatic distribution of reports

Downloading of updates to the repository of the Administration Server

Backup of Administration Server data

Maintenance of the database

Windows Update synchronization

Creation of an installation package based on the operating system (OS) image of a reference device

On a virtual Administration Server, only the automatic report delivery task and the installation package
creation task based on the reference device OS image are available. The repository of the virtual
Administration Server displays updates downloaded to the primary Administration Server. Backup of virtual
Administration Server data is performed together with backup of primary Administration Server data.

To create the Administration Server task:

1. In the console tree, select the Tasks folder.

2. Start creation of the task in one of the following ways:

By selecting New → Task in the context menu of the Tasks folder in the console tree.

By clicking the Create a task button in the workspace of the Tasks folder.

The Add Task Wizard starts. Follow the instructions of the Wizard.

The Download updates to the repository of the Administration Server, Perform Windows Update
synchronization, Database maintenance, and Backup of Administration Server data tasks can be created only
once. If the Download updates to the repository of the Administration Server, Database maintenance, Backup
of Administration Server data, and Perform Windows Update synchronization tasks have already been created
for the Administration Server, they will not be displayed in the task type selection window of the Add Task
Wizard.

Creating a task for specific devices


In Kaspersky Security Center, you can create tasks for specific devices. Devices that are in a set can be included in
various administration groups or remain outside any administration groups. Kaspersky Security Center can perform
the following main tasks for specific devices:

Install an application remotely

Send message to user

Change the Administration Server

Manage devices

Verify updates

Distribute installation packages

Install application on secondary Administration Servers remotely

Uninstall an application remotely

To create a task for specific devices:

1. In the console tree, select the Tasks folder.

2. Start creation of the task in one of the following ways:

By selecting New → Task in the context menu of the Tasks folder in the console tree.

By clicking the Create a task button in the workspace of the Tasks folder.

The Add Task Wizard starts. Follow the instructions of the Wizard.

Creating a local task


To create a local task for a device:

1. Select the Devices tab in the workspace of the group that includes the device.

2. From the list of devices on the Devices tab, select the device for which a local task must be created.

3. Start creating the task for the selected device in one of the following ways:

Click the Perform action button and select Create a task in the drop-down list.

Click the Create a task link in the workspace of the device.

Use the device properties as follows:

a. In the context menu of the device, select Properties.

b. In the device properties window that opens, select the Tasks section and click Add.

The Add Task Wizard starts. Follow the instructions of the Wizard.

Detailed instructions on how to create and configure local tasks are provided in the Guides for the respective
Kaspersky applications.

Displaying an inherited group task in the workspace of a nested group


To enable the display of inherited tasks of a nested group in the workspace:
1. Select the Tasks tab in the workspace of a nested group.

2. In the workspace of the Tasks tab, click the Show inherited tasks button.

Inherited tasks are displayed in the list of tasks with one of the following icons:

—If they were inherited from a group created on the primary Administration Server.

—If they were inherited from a top-level group.

If the inheritance mode is enabled, inherited tasks can only be edited in the group in which they have been
created. Inherited tasks cannot be edited in the group which inherits the tasks.

Automatically turning on devices before starting a task


Kaspersky Security Center doesn't run tasks on devices that are turned off. You can configure Kaspersky Security
Center to turn on these devices automatically before starting a task, by using the Wake-on-LAN function.

To configure the automatic turning on of devices before starting a task:

1. In the task properties window, select the Schedule section.

2. To con gure actions on devices, click the Advanced link.

3. In the Advanced window that opens, select the Turn on devices by using the Wake-on-Lan function before
starting the task (min) check box, and then specify the time interval in minutes.

As a result, for the specified number of minutes before starting the task, Kaspersky Security Center turns on the
devices and loads the operating system on them by using the Wake-on-LAN function. After the task is completed,
the devices are automatically shut down if device users don't log in to the system. Note that Kaspersky Security
Center automatically shuts down only the devices that are turned on by using the Wake-on-LAN function.

Kaspersky Security Center can start operating systems automatically only on the devices that support the
Wake-on-LAN (WoL) standard.

Automatically turning off a device after a task is completed


Kaspersky Security Center allows you to configure a task in such a way that the devices to which it is distributed
are automatically turned off after the task completes.

To automatically turn off a device after a task is complete:

1. In the task properties window, select the Schedule section.

2. Click the Advanced link to open the window for configuring actions on devices.

3. In the Advanced window that opens, select the Shut down the devices after completing the task check box.

Limiting task run time
To limit the time during which a task is run on devices:

1. In the task properties window, select the Schedule section.

2. Open the window intended for configuration of actions on client devices, by clicking Advanced.

3. In the Advanced window that opens, select the Stop the task if it runs longer than (min) check box and
specify the time interval in minutes.

If the task is not yet complete on the device when the specified time interval expires, Kaspersky Security Center
stops the task automatically.

Exporting a task
You can export group tasks and tasks for specific devices to a file. Administration Server tasks and local tasks are
not available for export.

To export a task:

1. In the context menu of the task, select All tasks → Export.

2. In the Save as window that opens, specify the file name and path.

3. Click the Save button.

The rights of local users are not exported.

Importing a task
You can import group tasks and tasks for specific devices. Administration Server tasks and local tasks are not
available for import.

To import a task:

1. Select the list to which the task must be imported:

If you want to import the task to the list of group tasks, in the workspace of the relevant administration
group select the Tasks tab.

If you want to import a task to the list of tasks for specific devices, select the Tasks folder in the console
tree.

2. Select one of the following options to import the task:

In the context menu of the list of tasks, select All tasks → Import.

Click the Import task from file link in the task list management block.

3. In the window that opens, specify the path to the file from which you want to import a task.

4. Click the Open button.

The task is displayed in the list of tasks.

If the newly imported task has an identical name to an existing task, the name of the imported task is
expanded with the (<next sequence number>) index, for example: (1), (2).

Converting tasks
You can use Kaspersky Security Center to convert tasks from earlier versions of Kaspersky applications into those
from up-to-date versions of the applications.

Conversion is available for tasks of the following applications:

Kaspersky Anti-Virus 6.0 for Windows Workstations MP4

Kaspersky Endpoint Security 8 for Windows

Kaspersky Endpoint Security 10 for Windows

To convert tasks:

1. In the console tree, select an Administration Server for which you want to convert tasks.

2. In the Administration Server context menu, select All Tasks → Policies and Tasks Batch Conversion Wizard.

The Policies and Tasks Batch Conversion Wizard starts. Follow the instructions of the Wizard.

After the Wizard completes its operation, new tasks are created that use the settings of tasks from earlier
versions of the applications.

Starting and stopping a task manually


You can start and stop tasks manually using either of the following methods: through the context menu of the task,
or through the properties window of the client device to which that task has been assigned.

Starting group tasks from the context menu of the device is only allowed for users included in the KLAdmins
group.

To start or stop a task from the context menu or the properties window of the task:

1. In the list of tasks, select a task.

2. Start or stop the task in one of the following ways:

By selecting Start or Stop in the context menu of the task.

By clicking Start or Stop in the General section of the task properties window.

To start or stop a task from the context menu or the properties window of the client device:

1. In the list of devices, select the device.

2. Start or stop the task in one of the following ways:

By selecting All tasks → Run Task in the context menu of the device. Select the relevant task from the list
of tasks.
The list of devices to which the task is assigned will be replaced with the device that you have selected. The
task starts.

By clicking the start or stop button in the Tasks section of the device properties window.

Pausing and resuming a task manually


To pause or resume a running task manually:

1. In the list of tasks, select a task.

2. Pause or resume the task in one of the following ways:

By selecting Pause or Resume in the context menu of the task.

By selecting the General section in the task properties window and clicking Pause or Resume.

Monitoring task execution


To monitor task execution,

in the task properties window, select the General section.

In the middle part of the General section, the current task status is displayed.

Viewing task run results stored on the Administration Server


Kaspersky Security Center allows you to view the results for group tasks, tasks for specific devices, and
Administration Server tasks. No run results can be viewed for local tasks.

To view the task results:


1. In the task properties window, select the General section.

2. Click the Results link to open the Task results window.

Configuring filtering of information about task run results


Kaspersky Security Center allows you to filter information about results for group tasks, tasks for specific devices,
and Administration Server tasks. No filtering is available for local tasks.

To set up the filtering of information about task run results:

1. In the task properties window, select the General section.

2. Click the Results link to open the Task results window.


The upper table contains a list of all devices for which the task is assigned. The lower table displays the results
of the task performed on the selected device.

3. Right-click the relevant table to open the context menu and select Filter.

4. In the Set filter window that opens, define the filter settings in the Events, Devices, and Time sections. Click
OK.

The Task results window displays information that meets the settings specified in the filter.

Modifying a task. Rolling back changes


To modify a task:

1. In the console tree, select the Tasks folder.

2. In the workspace of the Tasks folder, select a task and proceed to the task properties window using the
context menu.

3. Make the relevant changes.

In the Exclusions from task scope section, you can set up the list of subgroups to which the task is not
applied.

4. Click Apply.

The changes made to the task will be saved in the task properties window, in the Revision history section.

You can roll back changes made to a task, if necessary.

To roll back changes made to a task:

1. In the console tree, select the Tasks folder.

2. Select the task in which changes must be rolled back, and proceed to the task properties window using the
context menu.

3. In the task properties window, select the Revision history section.

4. In the list of task revisions, select the number of the revision to which you need to roll back changes.

5. Click the Advanced button and select the Roll back value in the drop-down list.

Comparing tasks
You can compare tasks of the same type: for example, you can compare two virus scan tasks, but you cannot
compare a virus scan task and an update installation task. After the comparison, you have a report that displays
which settings of the tasks match and which settings differ. You can print the task comparison report or save it as
a file. You may need task comparison when different units within a company are assigned various tasks of the same
type. For example, employees at the accounting department have a task of virus scanning only local disks on their
computers, while employees at the sales department communicate with customers so they have a task of
scanning both local disks and email. You do not have to view all the task settings to quickly notice such a difference;
you can simply compare the tasks instead.

Only tasks of the same type can be compared.

Tasks can only be compared in pairs.

You can compare tasks in one of following ways: by selecting one task and comparing it to another, or by
comparing any two tasks from the list of tasks.

To select one task and compare it to another:

1. In the console tree, select the Tasks folder.

2. In the workspace of the Tasks folder, select the task that you want to compare to another.

3. In the context menu of the task, select All tasks → Compare to another task.

4. In the Select a task window, select the task for comparison.

5. Click OK.

A report in HTML format that compares the two tasks is displayed.

To compare any two tasks from the list of tasks:

1. In the console tree, select the Tasks folder.

2. In the Tasks folder, in the list of tasks, press the Shift or Ctrl key to select two tasks of the same type.

3. In the context menu, select Compare.

A report in HTML format that compares the selected tasks is displayed.

When tasks are compared, if the passwords differ, asterisks (******) are displayed in the task comparison report.

If the password has been changed in the task properties, asterisks (******) are displayed in the revision comparison
report.

Accounts to start tasks


You can specify an account under which the task should be run.

For example, to perform an on-demand scan task, you must have access rights to the object being scanned, and to
perform an update task, you need authorized proxy server user rights. The capability to specify an account for the
task run allows you to avoid problems with on-demand scan tasks and update tasks in case the user running a task
does not have the required access rights.

During the execution of remote installation/uninstallation tasks, the specified account is used to download to
client devices the files required to install/uninstall an application in case Network Agent is not installed or
unavailable. If Network Agent is installed and available, the account is used if, in accordance with task settings, file
delivery is performed only by using Microsoft Windows utilities from the shared folder. In this case, the account
must have the following rights on the device:

Right to start applications remotely.

Rights to use the Admin$ resource.

Right to Log On As Service.

If the files are delivered to devices through Network Agent, the account will not be used. All file copying and
installation operations are then performed by the Network Agent (LocalSystem account).

Change Tasks Password Wizard


For a non-local task, you can specify an account under which the task must be run. You can specify the account
during task creation or in the properties of an existing task. If the specified account is used in accordance with
security instructions of the organization, these instructions might require changing the account password from
time to time. When the account password expires and you set a new one, the tasks will not start until you specify
the new valid password in the task properties.

The Change Tasks Password Wizard enables you to automatically replace the old password with the new one in all
tasks in which the account is speci ed. Alternatively, you can do it manually in the properties of each task.

To start the Change Tasks Password Wizard:

1. In the console tree, select the Tasks node.

2. In the context menu of the node, select Change Tasks Password Wizard.

Follow the instructions of the Wizard.

Step 1. Specifying credentials


In the Account and Password fields, specify new credentials that are currently valid in your system (for example, in
Active Directory). When you switch to the next step of the wizard, Kaspersky Security Center checks if the
specified account name matches the account name in the properties of each non-local task. If the account names
match, the password in the task properties will be automatically replaced with the new one.

If you fill in the Old password (optional) field, Kaspersky Security Center replaces the password only for those
tasks in which both the account name and the old password are found. The replacement is performed
automatically. In all other cases you have to choose an action to take in the next step of the wizard.

Step 2. Selecting an action to take


If you have not specified the old password in the first step of the Wizard or the specified old password has not
matched the passwords in the tasks, you need to choose an action to take for the found tasks.

For each task that has the Approval required status, decide whether you want to remove the password in the task
properties or replace it with the new one. If you choose to remove the password, the task is switched to run under
the default account.

Step 3. Viewing the results


In the last step of the Wizard, view the results for each of the found tasks. To complete the Wizard, click the Finish
button.

Creating a hierarchy of administration groups subordinate to a virtual Administration Server
After the virtual Administration Server is created, it contains by default an administration group named Managed
devices.

The procedure for creating a hierarchy of administration groups subordinate to a virtual Administration Server is
the same as the procedure for creating a hierarchy of administration groups subordinate to the physical
Administration Server.

You cannot add secondary and virtual Administration Servers to administration groups subordinate to a virtual
Administration Server. This is due to limitations of virtual Administration Servers.

Policies and policy profiles


In Kaspersky Security Center Web Console, you can create policies for Kaspersky applications. This section
describes policies and policy profiles, and provides instructions for creating and modifying them.

Hierarchy of policies, using policy profiles

This section provides information about how to apply policies to devices in administration groups. This section also
provides information about policy profiles.

Hierarchy of policies
In Kaspersky Security Center, you use policies to apply a single collection of settings to multiple devices. For
example, the policy scope of application P defined for administration group G includes managed devices with
application P installed that have been deployed in group G and all of its subgroups, except for subgroups where the
Inherit from parent group check box is cleared in the properties.

A policy differs from any local setting by the lock icons next to its settings. If a setting (or a group of settings) is
locked in the policy properties, that setting (or group of settings) must, first, be used when the effective settings
are created on the device and, second, be written to the downstream policy.

Creation of the effective settings on a device can be described as follows: the values of all settings that have not
been locked are taken from the policy, then they are overwritten with the values of local settings, and then the
resulting collection is overwritten with the values of locked settings taken from the policy.

Policies of the same application affect each other through the hierarchy of administration groups: Locked settings
from the upstream policy overwrite the same settings from the downstream policy.

There is a special policy for out-of-office users. This policy takes effect on a device when the device switches into
out-of-office mode. Out-of-office policies do not affect other policies through the hierarchy of administration
groups.

The out-of-office policy will not be supported in further versions of Kaspersky Security Center. Policy profiles
will be used instead of out-of-office policies.

Policy profiles


Applying policies to devices only through the hierarchy of administration groups may be inconvenient in many
circumstances. It may be necessary to create several instances of a single policy that differ in one or two settings
for different administration groups, and synchronize the contents of those policies in the future.

To help you avoid such problems, Kaspersky Security Center supports policy profiles. A policy profile is a named
subset of policy settings. This subset is distributed on target devices together with the policy, supplementing it
under a specific condition called the profile activation condition. Profiles only contain settings that differ from the
"basic" policy, which is active on the client device (computer or mobile device). Activation of a profile modifies the
policy settings that were active on the device before the profile was activated. Those settings take values that
have been specified in the profile.

The following restrictions are currently imposed on policy profiles:

A policy can include a maximum of 100 profiles.

A policy profile cannot contain other profiles.

A policy profile cannot contain notification settings.

Contents of a profile

A policy profile contains the following constituent parts:

Name. Profiles with identical names affect each other through the hierarchy of administration groups with
common rules.

Subset of policy settings. Unlike the policy, which contains all the settings, a profile only contains settings that
are actually required (locked settings).

Activation condition is a logical expression with the device properties. A profile is active (supplements the
policy) only when the profile activation condition becomes true. In all other cases, the profile is inactive and
ignored. The following device properties can be included in that logical expression:

Status of out-of-office mode.

Properties of network environment: name of the active rule for Network Agent connection.

Presence or absence of specified tags on the device.

Device location in Active Directory unit: explicit (the device is right in the specified OU), or implicit (the
device is in an OU, which is within the specified OU at any nesting level).

Device's membership in an Active Directory security group (explicit or implicit).

Device owner's membership in an Active Directory security group (explicit or implicit).

Profile disabling check box. Disabled profiles are always ignored and their respective activation conditions are
not verified.

Profile priority. The activation conditions of different profiles are independent, so several profiles can be
activated simultaneously. If active profiles contain non-overlapping collections of settings, no problems will
arise. However, if two active profiles contain different values of the same setting, an ambiguity will occur. This
ambiguity is to be avoided through profile priorities: The value of the ambiguous variable will be taken from the
profile that has the higher priority (the one that is rated higher in the list of profiles).

Behavior of profiles when policies affect each other through the hierarchy

Profiles with the same name are merged according to the policy merge rules. Profiles of an upstream policy have a
higher priority than profiles of a downstream policy. If editing settings is prohibited in the upstream policy (it is
locked), the downstream policy uses the profile activation conditions from the upstream one. If editing settings is
allowed in the upstream policy, the profile activation conditions from the downstream policy are used.

Since a policy profile may contain the Device is offline property in its activation condition, profiles completely
replace the feature of policies for out-of-office users, which will no longer be supported.

A policy for out-of-office users may contain profiles, but its profiles can only be activated after the device
switches into out-of-office mode.

Inheritance of policy settings

A policy is specified for an administration group. Policy settings can be inherited, that is, received in the subgroups
(child groups) of the administration group for which they were set. Hereinafter, a policy for a parent group is also
referred to as a parent policy.

You can enable or disable two options of inheritance: Inherit settings from parent policy and Force inheritance
of settings in child policies:

If you enable Inherit settings from parent policy for a child policy and lock some settings in the parent policy,
then you cannot change these settings for the child group. You can, however, change the settings that are not
locked in the parent policy.

If you disable Inherit settings from parent policy for a child policy, then you can change all the settings in the
child group, even if some settings are locked in the parent policy.

If you enable Force inheritance of settings in child policies in the parent group, this enables Inherit
settings from parent policy for each child policy. In this case, you cannot disable this option for any child policy.
All the settings that are locked in the parent policy are forcibly inherited in the child groups, and you cannot
change these settings in the child groups.

In policies for the Managed devices group, Inherit settings from parent policy does not affect any
settings, because the Managed devices group does not have any upstream groups and therefore does not
inherit any policies.

By default, the Inherit settings from parent policy option is enabled for a new policy.

If a policy has profiles, all the child policies inherit these profiles.
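
The inheritance cases above, worked through in a small Python model. This is an added illustration and not
Kaspersky Security Center code: a policy is represented as a mapping of setting names to values plus the set of
locked setting names, the two check boxes are Boolean fields, and the setting names and values are made up.

```python
"""Model of policy settings inheritance with locks (added illustration, not KSC code).

Assumptions: a policy is a mapping of setting name -> value plus the set of setting
names that are locked; the 'Managed devices' policy has no parent (parent=None).
Setting names and values below are made up for the example.
"""
from dataclasses import dataclass, field
from typing import Any, Optional


@dataclass
class Policy:
    settings: dict[str, Any]
    locked: set[str] = field(default_factory=set)
    inherit_from_parent: bool = True   # 'Inherit settings from parent policy' (on by default)
    force_inheritance: bool = False    # 'Force inheritance of settings in child policies'


def inherits(parent: Optional[Policy], child: Policy) -> bool:
    """Forced inheritance in the parent overrides a cleared check box in the child."""
    return parent is not None and (child.inherit_from_parent or parent.force_inheritance)


def can_edit(parent: Optional[Policy], child: Policy, name: str) -> bool:
    """A setting is read-only in the child only if the child inherits and the parent locked it."""
    return not (inherits(parent, child) and name in parent.locked)


def effective_settings(parent: Optional[Policy], child: Policy) -> dict[str, Any]:
    """Values devices in the child group receive: the child's own values, except that
    every setting locked upstream is replaced by the parent's value when inheriting."""
    result = dict(child.settings)
    if inherits(parent, child):
        for name in parent.locked:
            if name in parent.settings:
                result[name] = parent.settings[name]
    return result


# Constructed sample: the parent locks protection on and leaves the scan schedule open.
PARENT = Policy(
    settings={"real_time_protection": True, "scan_schedule": "weekly", "self_defense": True},
    locked={"real_time_protection", "self_defense"},
)
# A child administrator tries to switch protection off and change the schedule.
CHILD = Policy(settings={"real_time_protection": False, "scan_schedule": "daily", "self_defense": True})


if __name__ == "__main__":
    print("inheriting:", effective_settings(PARENT, CHILD))
    detached = Policy(dict(CHILD.settings), inherit_from_parent=False)
    print("detached:  ", effective_settings(PARENT, detached))
```

With inheritance on, the child keeps its own schedule but cannot switch real-time protection off; with the check
box cleared it can, unless the parent forces inheritance, in which case the lock wins again.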

Managing policies
The applications installed on client devices are centrally configured by defining policies.

Policies created for applications in an administration group are displayed in the workspace, on the Policies tab.
Before the name of each policy, an icon with its status is displayed.

After a policy is deleted or revoked, the application continues working with the settings specified in the policy.
Those settings can subsequently be modified manually.

A policy is applied as follows: if a device is running resident tasks (real-time protection tasks), they keep running
with the new setting values. Any periodic tasks (on-demand scan, update of application databases) that are
already running finish with the values unchanged; the next time they run, they use the new setting values.

Policies for applications with multitenancy support are inherited to lower-level administration groups as well as to
upper-level administration groups: the policy is propagated to all client devices on which the application is installed.

If Administration Servers are structured hierarchically, secondary Administration Servers receive policies from the
primary Administration Server and distribute them to client devices. When inheritance is enabled, policy settings
can be modified on the primary Administration Server. After this, any changes made to the policy settings are
propagated to inherited policies on secondary Administration Servers.

If the connection between the primary and secondary Administration Servers is terminated, the policy on the
secondary Server continues to run with the settings already applied. Policy settings modified on the primary
Administration Server are distributed to a secondary Administration Server after the connection is re-established.

If inheritance is disabled, policy settings can be modified on a secondary Administration Server independently from
the primary Administration Server.

If the connection between Administration Server and a client device is interrupted, the client device starts running
under the out-of-office policy (if it is defined); otherwise the current policy keeps running with the applied settings
until the connection is re-established.

The results of policy distribution to the secondary Administration Server are displayed in the policy properties
window of the console on the primary Administration Server.

The results of policy distribution to client devices are displayed in the policy properties window of the
Administration Server to which they are connected.

Do not use private data in policy settings. For example, avoid specifying the domain administrator password.
Policy settings are distributed to every managed device in the policy scope and to secondary Administration Servers,
so a secret placed in them is exposed on all of those systems.

Creating a policy
In Administration Console, you can create policies directly in the folder of the administration group for which a
policy is to be created, or in the workspace of the Policies folder.

To create a policy in the folder of an administration group:

1. In the console tree, select an administration group for which you want to create a policy.

2. In the workspace of the group, select the Policies tab.

3. Run the New Policy Wizard by clicking the New policy button.

The New Policy Wizard starts. Follow the instructions of the Wizard.

To create a policy in the workspace of the Policies folder:

1. In the console tree, select the Policies folder.

2. Run the New Policy Wizard by clicking the New policy button.

The New Policy Wizard starts. Follow the instructions of the Wizard.

You can create several policies for one application from the group, but only one policy can be active at a time.
When you create a new active policy, the previous active policy becomes inactive.

When creating a policy, you can specify a minimum set of parameters required for the application to function
properly. All other values are set to the default values applied during the local installation of the application. You
can change the policy after it is created.

Do not use private data in policy settings. For example, avoid specifying the domain administrator password.

Settings of Kaspersky applications that are changed after policies are applied are described in detail in their
respective Guides.

After the policy is created, the settings locked from editing (marked with the lock icon) take effect on
client devices regardless of which settings were previously specified for the application.

Displaying inherited policy in a subgroup

To enable the display of inherited policies for a nested administration group:

1. In the console tree, select the administration group for which inherited policies have to be displayed.

2. In the workspace of the selected group, select the Policies tab.

3. In the context menu of the list of policies, select View → Inherited policies.

Inherited policies are displayed in the list of policies with an icon that indicates their origin:

Inherited from a group created on the primary Administration Server.

Inherited from a top-level group.

When the settings inheritance mode is enabled, inherited policies are only available for modification in the group
in which they were created. Modification of inherited policies is not available in the group that inherits them.

Activating a policy
To make a policy active for the selected group:

1. In the workspace of the group, on the Policies tab select the policy that you have to make active.

2. To activate the policy, perform one of the following actions:

In the context menu of the policy, select Active policy.

In the policy properties window open the General section and select Active policy from the Policy status
settings group.

The policy becomes active for the selected administration group.

When a policy is applied to a large number of client devices, both the load on the Administration Server and
the network traffic increase significantly for some time.

Activating a policy automatically at the Virus outbreak event


To make a policy perform automatic activation at a Virus outbreak event:

1. In the Administration Server properties window, open the Virus outbreak section.

2. Open the Policy activation window by clicking the Configure policies to activate when a Virus outbreak
event occurs link and add the policy to the selected list of policies that are activated when a virus outbreak is
detected.

If a policy has been activated on the Virus outbreak event, you can return to the previous policy only by
using the manual mode.

Applying an out-of-office policy
The out-of-office policy takes effect on a device if it is disconnected from the corporate network.

To apply an out-of-office policy:

In the policy properties window, open the General section and in the Policy status settings group, select
Out-of-office policy.

The out-of-office policy will be applied to the devices if they are disconnected from the corporate network.

Modifying a policy. Rolling back changes


To modify a policy:

1. In the console tree, select the Policies folder.

2. In the workspace of the Policies folder, select a policy and proceed to the policy properties window using the
context menu.

3. Make the relevant changes.

4. Click Apply.

The changes made to the policy will be saved in the policy properties, in the Revision history section.

You can roll back changes made to the policy, if necessary.

To roll back changes made to the policy:

1. In the console tree, select the Policies folder.

2. Select the policy in which changes must be rolled back, and proceed to the policy properties window using
the context menu.

3. In the policy properties window, select the Revision history section.

4. In the list of policy revisions, select the number of the revision to which you need to roll back changes.

5. Click the Advanced button and select the Roll back value in the drop-down list.

Comparing policies
You can compare two policies for a single managed application. After the comparison, you have a report that
displays which policy settings match and which settings differ. For example, you may have to compare policies if
different administrators in their respective offices have created multiple policies for a single managed application,
or if a single top-level policy has been inherited by all local offices and modified for each office. You can compare
policies in one of the following ways: by selecting one policy and comparing it to another, or by comparing any two
policies from the list of policies.

To compare one policy to another:

1. In the console tree, select the Policies folder.

2. In the workspace of the Policies folder, select the policy that you require to compare to another.

3. In the context menu of the policy, select Compare policy to another policy.

4. In the Select policy window, select the policy to which your policy must be compared.

5. Click OK.

A report in HTML format is displayed for the comparison of the two policies for the same application.

To compare any two policies from the list of policies:

1. In the Policies folder, in the list of policies, use the Shift or Ctrl key to select two policies for a single
managed application.

2. In the context menu, select Compare.

A report in HTML format is displayed for the comparison of the two policies for the same application.

The report on comparison of policy settings for Kaspersky Endpoint Security for Windows also provides details
of the comparison of policy profiles. You can collapse the results of policy profile comparison by clicking the
arrow icon next to the section name.
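
The classification the comparison report produces (settings that match, settings that differ, settings present in
only one of the two policies, and a section per policy profile), as an added Python model rather than Kaspersky
Security Center code. The policy layout, the setting names and the two sample policies are constructed for the
example. An extra check, lock_drift, reports settings whose value matches but whose lock state differs: as noted
under Creating a policy, only locked settings take effect on a device regardless of local changes, so two policies
that match on value alone do not necessarily enforce the same thing.

```python
"""Policy comparison report (added illustration, not Kaspersky Security Center code).

Assumptions: a policy is {"settings": {name: value}, "locked": {names}, "profiles":
{profile_name: {name: value}}}. KSC renders its report as HTML; this model produces the
same classification as plain rows. Setting names and values are made up.
"""
from typing import Any


def compare_settings(left: dict[str, Any], right: dict[str, Any]) -> dict[str, list]:
    """Classify every setting name seen in either mapping."""
    report: dict[str, list] = {"match": [], "differ": [], "left_only": [], "right_only": []}
    for name in sorted(set(left) | set(right)):
        if name not in left:
            report["right_only"].append(name)
        elif name not in right:
            report["left_only"].append(name)
        elif left[name] == right[name]:
            report["match"].append(name)
        else:
            report["differ"].append((name, left[name], right[name]))
    return report


def compare_policies(left: dict, right: dict) -> dict:
    """Top-level settings plus one section per profile name found in either policy."""
    left_profiles, right_profiles = left.get("profiles", {}), right.get("profiles", {})
    return {
        "settings": compare_settings(left["settings"], right["settings"]),
        "profiles": {
            name: compare_settings(left_profiles.get(name, {}), right_profiles.get(name, {}))
            for name in sorted(set(left_profiles) | set(right_profiles))
        },
    }


def lock_drift(left: dict, right: dict) -> list[str]:
    """Settings with equal values but different lock state. Only a locked value is enforced
    on the device regardless of local changes, so a value match alone can be misleading."""
    shared = set(left["settings"]) & set(right["settings"])
    return sorted(
        name for name in shared
        if left["settings"][name] == right["settings"][name]
        and (name in left["locked"]) != (name in right["locked"])
    )


def render(report: dict) -> str:
    """Plain-text rows: '<section>: <entry>' and 'profile <name> <section>: <entry>'."""
    rows = [f"{section}: {entry}" for section, entries in report["settings"].items() for entry in entries]
    for pname, prof in report["profiles"].items():
        rows += [f"profile {pname} {section}: {entry}" for section, entries in prof.items() for entry in entries]
    return "\n".join(rows)


# Constructed sample: the head-office policy and a branch office's modified copy of it.
HQ = {
    "settings": {"real_time_protection": True, "scan_schedule": "weekly", "self_defense": True},
    "locked": {"real_time_protection", "self_defense"},
    "profiles": {"Courier": {"allow_gps": True}},
}
BRANCH = {
    "settings": {"real_time_protection": True, "scan_schedule": "daily", "password_protection": True},
    "locked": {"password_protection"},
    "profiles": {"Courier": {"allow_gps": False}, "Kiosk": {"allow_usb": False}},
}

if __name__ == "__main__":
    print(render(compare_policies(HQ, BRANCH)))
    print("lock drift:", lock_drift(HQ, BRANCH))
```

In the sample, real_time_protection is reported as a match by value, yet the branch policy has left it unlocked, so
a local administrator there could switch it off; lock_drift is the row to look at first when reconciling offices.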

Deleting a policy
To delete a policy:

1. In the workspace of an administration group, on the Policies tab, select the policy that you want to delete.

2. Delete the policy in one of the following ways:

By selecting Delete in the context menu of the policy.

By clicking the Delete policy link in the information box for the selected policy.

Copying a policy
To copy a policy:

1. In the workspace of the required group, on the Policies tab select a policy.

2. In the context menu of the policy, select Copy.

3. In the console tree, select a group to which you want to add the policy.
You can add a policy to the group from which it was copied.

4. From the context menu of the list of policies for the selected group, on the Policies tab select Paste.

The policy is copied with all its settings and is applied to the devices within the group to which it was copied. If
you paste the policy into the same group from which it has been copied, the (<next sequence number>) index is
automatically added to the policy name, for example: (1), (2).

An active policy becomes inactive while it is copied. If necessary, you can make it active.

Exporting a policy
To export a policy:

1. Export a policy in one of the following ways:

By selecting All tasks → Export in the context menu of the policy.

By clicking the Export policy to file link in the information box for the selected policy.

2. In the Save as window that opens, specify the policy le name and path. Click the Save button.

Importing a policy
To import a policy:

1. In the workspace of the relevant group, on the Policies tab select one of the following ways of importing
policies:

By selecting All tasks → Import in the context menu of the list of policies.

By clicking the Import policy from file button in the management block for policy list.

2. In the window that opens, specify the path to the file from which you want to import a policy. Click the Open
button.

The imported policy is displayed in the policy list. The settings and pro les of the policy are also imported.
Regardless of the policy status that was selected during the export, the imported policy is inactive. You can change
the policy status in the policy properties.

If the newly imported policy has a name identical to that of an existing policy, the name of the imported policy
is expanded with the (<next sequence number>) index, for example: (1), (2).

Converting policies
Kaspersky Security Center can convert policies from earlier versions of managed Kaspersky applications to the
up-to-date versions of the same applications. Converted policies keep the current administrator's settings
specified before the update, as well as include new settings from the up-to-date versions of the applications.
Management plug-ins for Kaspersky applications determine whether conversion is available for the policies of
these applications. For information about converting policies for each supported Kaspersky application, refer to
the relevant Help from the following list:

Kaspersky applications for workstations:

Kaspersky Endpoint Security for Windows

Kaspersky Endpoint Security for Linux

Kaspersky Endpoint Security for Linux Elbrus Edition

Kaspersky Endpoint Security for Linux ARM Edition

Kaspersky Endpoint Security for Mac

Kaspersky Endpoint Agent

Kaspersky Embedded Systems Security for Windows

Kaspersky Industrial CyberSecurity:

Kaspersky Industrial CyberSecurity for Nodes

Kaspersky Industrial CyberSecurity for Linux Nodes

Kaspersky Industrial CyberSecurity for Networks (centralized deployment is not supported)

Kaspersky applications for mobile devices:

Kaspersky Endpoint Security for Android

Kaspersky Security for iOS

Kaspersky applications for file servers:

Kaspersky Security for Windows Server

Kaspersky Endpoint Security for Windows

Kaspersky Endpoint Security for Linux

Kaspersky applications for virtual machines:

Kaspersky Security for Virtualization Light Agent

Kaspersky Security for Virtualization Agentless

Kaspersky applications for mail systems and SharePoint / collaboration servers:

Kaspersky Security for Linux Mail Server

Kaspersky Secure Mail Gateway

Kaspersky Security for Microsoft Exchange Servers

Kaspersky applications for detection of targeted attacks:

Kaspersky Sandbox

Kaspersky Endpoint Detection and Response Optimum

Kaspersky Managed Detection and Response

Kaspersky applications for KasperskyOS devices:

Kaspersky IoT Secure Gateway

Kaspersky Security Management Suite (plug-in for Kaspersky Thin Client)

To convert policies:

1. In the console tree, select the Administration Server for which you want to convert policies.

2. In the Administration Server context menu, select All Tasks → Policies and Tasks Batch Conversion Wizard.

The Policies and tasks batch conversion wizard starts. Follow the instructions of the wizard.

After the wizard completes, new policies are created that use the current administrator's settings of policies and
the new settings from the up-to-date versions of Kaspersky applications.

Managing policy profiles

This section describes managing policy profiles and provides information about viewing the profiles of a policy,
changing a policy profile priority, creating a policy profile, modifying a policy profile, copying a policy profile, creating
a policy profile activation rule, and deleting a policy profile.

About the policy profile

A policy profile is a named collection of settings of a policy that is activated on a client device (computer or mobile
device) when the device satisfies specified activation rules. Activation of a profile modifies the policy settings that
were active on the device before the profile was activated. Those settings take the values that have been specified
in the profile.

Policy profiles are necessary for devices within a single administration group to run under different policy settings.
For example, a situation may occur when policy settings have to be modified for some devices in an administration
group. In this case, you can configure policy profiles for such a policy, which allows you to edit policy settings for
selected devices in the administration group. For example, the policy prohibits running any GPS navigation
software on all devices in the Users administration group. GPS navigation software is necessary only on a single
device in the Users administration group: the device owned by the user employed as a courier. You can tag that
device "Courier" and configure a policy profile that allows GPS navigation software to run only on the device
tagged "Courier", while preserving all the remaining policy settings. In this case, if a device tagged "Courier"
appears in the Users administration group, it will be allowed to run GPS navigation software. Running GPS
navigation software will still be prohibited on other devices in the Users administration group unless they are
tagged "Courier", too.

Profiles are only supported by the following policies:

Policies of Kaspersky Endpoint Security for Windows

Policies of Kaspersky Endpoint Security for Mac

Policies of the Kaspersky Mobile Device Management plug-in ranging from version 10 Service Pack 1 to version
10 Service Pack 3 Maintenance Release 1

Policies of the Kaspersky Device Management for iOS plug-in

Policies of Kaspersky Security for Virtualization 5.1 Light Agent for Windows

Policies of Kaspersky Security for Virtualization 5.1 Light Agent for Linux

Policy profiles simplify the management of the client devices that the policies apply to:

The policy profile settings may differ from the policy settings.

You do not have to maintain and manually apply several instances of a single policy that differ only by a few
settings.

You do not have to allocate a separate policy for out-of-office users.

You can export and import policy profiles, as well as create new policy profiles based on existing ones.

A single policy can have multiple active policy profiles. Only profiles that meet the activation rules effective on
the device will be applied to that device.

Profiles are subject to the policy hierarchy. An inherited policy includes all profiles of the higher-level policy.

Priorities of profiles

Profiles that have been created for a policy are sorted in descending order of priority. For example, if profile X is
higher in the list of profiles than profile Y, then X has a higher priority than Y. Multiple profiles can be
simultaneously applied to a single device. If the values of a setting differ between profiles, the value from the
highest-priority profile will be applied on the device.

Profile activation rules

A policy profile is activated on a client device when an activation rule is triggered. Activation rules are a set of
conditions that, when met, start the policy profile on a device. An activation rule can contain the following
conditions:

Network Agent on a client device connects to the Administration Server that has a specified set of connection
settings, such as Administration Server address, port number, and so forth.

The client device is offline.

The client device has been assigned specified tags.

The client device is explicitly (the device is immediately located in the specified unit) or implicitly (the device is
located in a unit that is in the specified unit at any nesting level) located in a specific unit of Active Directory®,
or the device or its owner is a member of a security group of Active Directory.

The client device belongs to a specified owner, or the owner of the device is included in an internal security
group of Kaspersky Security Center.

The owner of the client device has been assigned a specified role.
Policies in the hierarchy of administration groups

If you are creating a policy in a low-level administration group, this new policy inherits all profiles of the active policy
from the higher-level group. Profiles with identical names are merged. Policy profiles of the higher-level group have
the higher priority. For example, in administration group A, policy P(A) has profiles X1, X2, and X3 (in descending
order of priority). In administration group B, which is a subgroup of group A, policy P(B) has been created with
profiles X2, X4, X5. Then policy P(B) is merged with policy P(A) so that the list of profiles in policy P(B)
appears as follows: X1, X2, X3, X4, X5 (in descending order of priority). The merged profile X2 depends on the
initial state of X2 in policy P(B) and X2 in policy P(A). After policy P(B) is created, policy P(A) is no longer
displayed in subgroup B.
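
The P(A)/P(B) merge above, together with the priority rule from Priorities of profiles and the same-name merge
behavior described earlier in this section, as an added Python model (not Kaspersky Security Center code). A
profile carries its settings, its locked setting names and its enabled flag; which profiles are active on a device is
passed in as a set of names, so activation rules are assumed to have been evaluated separately. Profile and
setting names are made up.

```python
"""Model of policy profile merging through the group hierarchy and of priority
resolution between simultaneously active profiles (added illustration, not KSC code).

Assumptions: a profile is a name plus a settings mapping, a set of locked setting
names and an enabled flag; the set of profiles active on a device is supplied by the
caller. Profile and setting names are made up.
"""
from dataclasses import dataclass, field
from typing import Any


@dataclass
class Profile:
    name: str
    settings: dict[str, Any] = field(default_factory=dict)
    locked: set[str] = field(default_factory=set)
    enabled: bool = True


def merge_profile_lists(upstream: list[Profile], downstream: list[Profile]) -> list[Profile]:
    """Profile list of the child policy, highest priority first.

    Upstream profiles come first and keep their order. A downstream profile with the same
    name is merged into the upstream one following the policy merge rules: a setting locked
    upstream keeps the upstream value, an unlocked one takes the downstream edit. Remaining
    downstream profiles follow in their own order."""
    pending = {p.name: p for p in downstream}
    merged: list[Profile] = []
    for up in upstream:
        down = pending.pop(up.name, None)
        settings = dict(up.settings)
        if down is not None:
            for key, value in down.settings.items():
                if key not in up.locked:          # unlocked upstream setting: downstream edit applies
                    settings[key] = value
        merged.append(Profile(up.name, settings, set(up.locked), up.enabled))
    merged.extend(p for p in downstream if p.name in pending)
    return merged


def effective_settings(policy_settings: dict[str, Any], profiles: list[Profile],
                       active: set[str]) -> dict[str, Any]:
    """Apply active, enabled profiles from lowest to highest priority so that the
    highest-priority profile has the last word on any overlapping setting. Disabled
    profiles are ignored even when their name is in the active set."""
    result = dict(policy_settings)
    for profile in reversed(profiles):
        if profile.enabled and profile.name in active:
            result.update(profile.settings)
    return result


# Constructed sample following the text: P(A) has X1, X2, X3; subgroup policy P(B) has X2, X4, X5.
P_A = [Profile("X1", {"allow_gps": False}, locked={"allow_gps"}),
       Profile("X2", {"allow_gps": True, "web_control": "strict"}, locked={"allow_gps"}),
       Profile("X3", {"web_control": "relaxed"})]
P_B = [Profile("X2", {"allow_gps": False, "web_control": "monitor"}),
       Profile("X4", {"allow_usb": False}),
       Profile("X5", {"allow_usb": True})]

if __name__ == "__main__":
    combined = merge_profile_lists(P_A, P_B)
    print([p.name for p in combined])
    print(effective_settings({"allow_gps": False, "web_control": "off", "allow_usb": True},
                             combined, active={"X2", "X3", "X4"}))
```

In the merged X2, allow_gps stays at the upstream value because it is locked there, while web_control takes
the downstream edit; with X2, X3 and X4 active on a device, X2 outranks X3 and wins the web_control conflict.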

The set of active profiles is recalculated every time Network Agent starts, offline mode is enabled or disabled,
the list of tags assigned to the client device is edited, or another device property used in an activation rule
changes. For example, increasing the RAM size of a device can activate a policy profile whose rule applies to
devices with a large RAM size.

Properties and restrictions of policy profiles

Profiles have the following properties:

Profiles of an inactive policy have no impact on client devices.

If a policy is set to the Out-of-office policy status, profiles of the policy will also be applied when a device is
disconnected from the corporate network.

Profiles do not support static analysis of access to executable files.

A policy profile cannot contain any settings of event notifications.

If UDP port 15000 is used for connecting a device to Administration Server, the corresponding policy profile is
activated within one minute after you assign a tag to the device.

You can use rules for Network Agent connection to the Administration Server when you create policy profile
activation rules.

Creating a policy profile

Profile creation is available only for the policies of the following applications:

Kaspersky Endpoint Security 10 Service Pack 1 for Windows and later versions

Kaspersky Endpoint Security 10 Service Pack 1 for Mac

Kaspersky Mobile Device Management plug-in versions 10 Service Pack 1 to 10 Service Pack 3 Maintenance
Release 1

Kaspersky Device Management for iOS plug-in

Kaspersky Security for Virtualization 5.1 Light Agent for Windows and Linux

To create a policy profile:

1. In the console tree, select the administration group for whose policy you have to create a policy profile.

2. In the workspace of the administration group, select the Policies tab.

3. Select a policy and switch to the policy properties window using the context menu.

4. Open the Policy profiles section in the policy properties window and click the Add button.
The New Policy Profile Wizard starts.

5. In the Policy profile name window of the Wizard, specify the following:

a. Name of the policy profile

The profile name cannot include more than 100 characters.

b. Policy profile status (Enabled or Disabled)

We recommend that you create the policy profile in the Disabled status and enable it only after you have
completely finished configuring its settings and its activation conditions.

6. Select the After closing the New Policy Profile Wizard, proceed to configuring the policy profile activation
rule check box to start the New Policy Profile Activation Rule Wizard. Follow the Wizard steps.

7. Edit the policy profile settings in the policy profile properties window, in the way you require.

8. Save the changes by clicking OK.

The profile is saved. The profile will be activated on devices that meet the activation rules.

You can create multiple profiles for a single policy. Profiles that have been created for a policy are displayed in the
policy properties, in the Policy profiles section. You can modify a policy profile and change the profile priority, as
well as remove the profile.

Modifying a policy profile

Editing the settings of a policy profile

The capability to edit a policy profile is only available for policies of Kaspersky Endpoint Security for Windows.

To modify a policy profile:

1. In the console tree, select the administration group for which the policy profile has to be modified.

2. In the workspace of the group, select the Policies tab.

3. Select a policy and switch to the policy properties window using the context menu.

4. Open the Policy profiles section in the policy properties.

This section contains a list of profiles that have been created for the policy. Profiles are displayed in the list in
accordance with their priorities.

5. Select a policy profile and click the Properties button.

6. Configure the profile in the properties window:

If necessary, in the General section, change the profile name and enable or disable the profile using the
Enable profile check box.

In the Activation rules section, edit the profile activation rules.

Edit the policy settings in the corresponding sections.

7. Click OK.

The modified settings will take effect either after the device is synchronized with the Administration Server (if the
policy profile is active), or after an activation rule is triggered (if the policy profile is inactive).

Changing the priority of a policy profile

The priorities of policy profiles define the activation order of profiles on a client device. Priorities are used if
identical activation rules are set for different policy profiles.

For example, two policy profiles have been created: Profile 1 and Profile 2, which differ by the respective values of a
single setting (Value 1 and Value 2). The priority of Profile 1 is higher than that of Profile 2. Moreover, there are also
profiles with priorities that are lower than that of Profile 2. The activation rules for those profiles are identical.

When an activation rule is triggered, Profile 1 will be activated. The setting on the device will take Value 1. If you
remove Profile 1, then Profile 2 will have the highest priority, so the setting will take Value 2.

On the list of policy profiles, profiles are displayed in accordance with their respective priorities. The profile with the
highest priority is ranked first. You can change the priority of a profile by using the up arrow and the down
arrow buttons.

Deleting a policy profile

To delete a policy profile:

1. In the console tree, select the administration group whose policy profile you want to delete.

2. In the workspace of the administration group, select the Policies tab.

3. Select a policy and switch to the policy properties window using the context menu.

4. Open the Policy profiles section in the properties of the policy of Kaspersky Endpoint Security.

5. Select the policy profile that you want to delete and click the Delete button.

The policy profile will be deleted. The active status will pass either to another policy profile whose activation rules
are triggered on the device, or to the policy.

Creating a policy profile activation rule

To create a policy profile activation rule:

1. In the console tree, select the administration group for which you have to create a policy profile activation rule.

2. In the workspace of the group, select the Policies tab.

3. Select a policy and switch to the policy properties window using the context menu.

4. Select the Policy profiles section in the policy properties window.

5. Select the policy profile for which you need to create an activation rule, and click the Properties button.
The policy profile properties window opens.
If the list of policy profiles is empty, you can create a policy profile.

6. Select the Activation rules section, and click the Add button.
The New Policy Profile Activation Rule Wizard starts.

7. In the Policy profile activation rules window, select the check boxes next to the conditions that must affect
activation of the policy profile that you are creating:

General rules for policy profile activation

Select this check box to set up policy profile activation rules on the device depending on the status of
the device offline mode, rule for connection to Administration Server, and tags assigned to the device.

Rules for Active Directory usage

Select this check box to set up rules for policy profile activation on the device depending on the
presence of the device in an Active Directory organizational unit (OU), or on membership of the device
(or its owner) in an Active Directory security group.

Rules for a specific device owner

Select this check box to set up rules for policy profile activation on the device depending on the device
owner.

Rules for hardware specifications

Select this check box to set up rules for policy profile activation on the device depending on the
memory volume and the number of logical processors.

The number of additional windows of the Wizard depends on the settings that you select at this step. You can
modify policy profile activation rules later.

8. In the General conditions window, specify the following settings:

In the Device is offline field, in the drop-down list specify the condition for device presence on the network:

Yes

The device is in an external network, which means that the Administration Server is not available.

No

The device is on the network, so the Administration Server is available.

No value is selected

The criterion will not be applied.

In the The device is in the specified network location box, use the drop-down lists to set up the policy
profile activation if the Administration Server connection rule is executed / not executed on this device:

Executed / Not executed

Condition of policy profile activation (whether the rule is executed or not).

Rule name

Network location description of the device for connection to the Administration Server, whose
conditions must be met (or must not be met) for activation of the policy profile.
A network location description of devices for connection to an Administration Server can be
created or configured in a Network Agent switching rule.

The General conditions window is displayed if the General rules for policy profile activation check box is
selected.

9. In the Conditions using tags window, specify the following settings:

Tag list

In the list of tags, specify the rule for device inclusion in the policy pro le by selecting the check boxes
next to the relevant tags.
You can add new tags to the list by entering them in the eld over the list and clicking the Add button.
The policy pro le includes devices with descriptions containing all the selected tags. If check boxes are
cleared, the criterion is not applied. By default, these check boxes are cleared.

Apply to devices without the speci ed tags

Enable this option if you have to invert your selection of tags.


If this option is enabled, the policy pro le includes devices with descriptions that contain none of the
selected tags. If this option is disabled, the criterion is not applied.
By default, this option is disabled.

The Conditions using tags window is displayed if the General rules for policy pro le activation check box is
selected.

10. In the Conditions using Active Directory window, specify the following settings:

Device owner's membership in Active Directory security group

If this option is enabled, the policy profile is activated on the device whose owner is a member of the
specified security group. If this option is disabled, the profile activation criterion is not applied. By
default, this option is disabled.

Device membership in Active Directory security group

If this option is enabled, the policy profile is activated on the device that is a member of the specified
security group. If this option is disabled, the profile activation criterion is not applied. By default, this
option is disabled.

Device allocation in Active Directory organizational unit

If this option is enabled, the policy profile is activated on the device which is included in the specified
Active Directory organizational unit (OU). If this option is disabled, the profile activation criterion is not
applied.
By default, this option is disabled.

The Conditions using Active Directory window is displayed if the Rules for Active Directory usage check box
is selected.

11. In the Conditions using the device owner window, specify the following settings:

Device owner

Enable this option to configure and enable the rule for profile activation on the device according to its
owner. In the drop-down list under the check box, you can select a criterion for the profile activation:

The device belongs to the specified owner ("=" sign).

The device does not belong to the specified owner ("≠" sign).
If this option is enabled, the profile is activated on the device in accordance with the criterion
configured. You can specify the device owner when the option is enabled. If this option is disabled,
the profile activation criterion is not applied. By default, this option is disabled.

The device owner is included in an internal security group

Enable this option to configure and enable the rule of profile activation on the device by the owner's
membership in an internal security group of Kaspersky Security Center. In the drop-down list under the
check box, you can select a criterion for the profile activation:

The device owner is a member of the specified security group ("=" sign).

The device owner is not a member of the specified security group ("≠" sign).
If this option is enabled, the profile is activated on the device in accordance with the criterion
configured. You can specify a security group of Kaspersky Security Center. If this option is disabled,
the profile activation criterion is not applied. By default, this option is disabled.

Activate policy profile by specific role of device owner

Select this option to configure and enable the rule of profile activation on the device depending on the
owner's role. Add the role manually from the list of existing roles.

If this option is enabled, the profile is activated on the device in accordance with the criterion
configured.

The Conditions using the device owner window is displayed if the Rules for a specific device owner check
box is selected.

12. In the Conditions using equipment specifications window, specify the following settings:

RAM size, in MB

Enable this option to configure and enable the rule of profile activation on the device by the RAM
volume available on that device. In the drop-down list under the check box, you can select a criterion for
the profile activation:
The device RAM size is less than the specified value ("<" sign).

The device RAM size is greater than the specified value (">" sign).
If this option is enabled, the profile is activated on the device in accordance with the criterion
configured. You can specify the RAM volume on the device. If this option is disabled, the profile
activation criterion is not applied. By default, this option is disabled.

Number of logical processors

Enable this option to configure and enable the rule of profile activation on the device by the number of
logical processors on that device. In the drop-down list under the check box, you can select a criterion
for the profile activation:
The number of logical processors on the device is less than or equal to the specified value ("<"
sign).

The number of logical processors on the device is greater than or equal to the specified value (">"
sign).
If this option is enabled, the profile is activated on the device in accordance with the criterion
configured. You can specify the number of logical processors on the device. If this option is disabled,
the profile activation criterion is not applied. By default, this option is disabled.

The Conditions using equipment specifications window is displayed if the Rules for hardware specifications
check box is selected.

13. In the Name of policy profile activation rule window, in the Rule name field, specify a name for the rule.

The profile will be saved. The profile will be activated on the device when activation rules are triggered.

Policy profile activation rules created for the profile are displayed in the policy profile properties in the Activation
rules section. You can modify or remove any policy profile activation rule.

Multiple activation rules can be triggered simultaneously.

Device moving rules


We recommend that you automate the allocation of devices to administration groups by using device moving rules.
A device moving rule consists of three main parts: a name, an execution condition (a logical expression over the
device attributes), and a target administration group. A rule moves a device to the target administration group if
the device attributes meet the rule execution condition.

All device moving rules have priorities. The Administration Server checks whether the device attributes meet the
execution condition of each rule, in order of priority, starting with the highest-priority rule. As soon as the device
attributes meet the execution condition of a rule, the device is moved to the target group and rule processing is
complete for this device. If the device attributes meet the conditions of multiple rules, the device is therefore moved
to the target group of the rule with the highest priority (that is, the one ranked highest in the list of rules).

Device moving rules can be created implicitly. For example, in the properties of an installation package or a remote
installation task, you can specify the administration group to which the device must be moved after Network
Agent is installed on it. Also, device moving rules can be created explicitly by the administrator of Kaspersky
Security Center, in the list of moving rules. The list is located in Administration Console, in the properties of the
Unassigned devices group.

By default, a device moving rule is intended for a one-time initial allocation of devices to administration groups. The
rule moves devices from the Unassigned devices group only once. If a device was once moved by this rule, the rule
will never move it again, even if you return the device to the Unassigned devices group manually. This is the
recommended way of applying moving rules.

You can move devices that have already been allocated to some of the administration groups. To do this, in the
properties of a rule, clear the Move only devices that do not belong to an administration group check box.

Applying moving rules to devices that have already been allocated to some of the administration groups
significantly increases the load on the Administration Server.

The Move only devices that do not belong to an administration group check box is locked in the properties
of automatically created moving rules. Such rules are created when you add the Install application remotely
task or create a stand-alone installation package.

You can create a moving rule that would affect a single device repeatedly.

We strongly recommend that you avoid moving a single device from one group to another repeatedly (for
example, in order to apply a special policy to that device, run a special group task, or update the device
through a specific distribution point).

Such scenarios are not supported because they increase the load on Administration Server and network traffic to
an extreme degree. These scenarios also conflict with the operating principles of Kaspersky Security Center
(particularly in the area of access rights, events, and reports). Another solution must be found, for example,
through the use of policy profiles, tasks for device selections, assignment of Network Agents according to the
standard scenario, and so on.
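The evaluation order described in this section, as an added example that is not part of the Kaspersky documentation or product code. It models only what the text states: rules are tried in priority order, the first match ends processing for the device, a rule left at its default (Move only devices that do not belong to an administration group selected) moves a device out of Unassigned devices once and never again, even after a manual return, and a rule with that check box cleared re-moves devices that are already in a group, repeatedly. The device attributes, the subnet, the operating-system strings, the group names and the function names are all constructed for the illustration; Administration Server evaluates many more attributes than these.

```python
"""Added example: simulation of device moving rule evaluation as described
in the text. This is NOT Kaspersky Security Center code; device attributes,
conditions and group names are constructed for illustration."""
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
from typing import Callable, List, Optional, Set

UNASSIGNED = "Unassigned devices"


@dataclass
class Device:
    name: str
    ip: str
    os: str
    group: str = UNASSIGNED


@dataclass
class MovingRule:
    name: str
    condition: Callable[[Device], bool]
    target_group: str
    # Default state of "Move only devices that do not belong to an
    # administration group": one-time allocation from Unassigned devices.
    only_unassigned: bool = True
    enabled: bool = True
    # Devices this rule has already moved; such a device is never moved by
    # this rule again, even after a manual return to Unassigned devices.
    moved_once: Set[str] = field(default_factory=set)


def in_subnet(cidr: str) -> Callable[[Device], bool]:
    """Condition factory: the device IP address lies in the given network."""
    net = ip_network(cidr)
    return lambda d: ip_address(d.ip) in net


def apply_moving_rules(device: Device, rules: List[MovingRule]) -> Optional[MovingRule]:
    """Try the rules in list order (highest priority first) and return the
    rule that moved the device, or None if no rule applied."""
    for rule in rules:
        if not rule.enabled:
            continue
        if rule.only_unassigned and (
            device.group != UNASSIGNED or device.name in rule.moved_once
        ):
            continue
        if rule.condition(device):
            rule.moved_once.add(device.name)
            device.group = rule.target_group
            return rule  # first match ends processing for this device
    return None


def build_sample_rules() -> List[MovingRule]:
    """Constructed sample rules, listed in priority order (top of list first)."""
    return [
        MovingRule("Branch A by subnet", in_subnet("10.1.0.0/16"), "Branch A"),
        MovingRule("Windows workstations",
                   lambda d: d.os.startswith("Windows"), "Workstations"),
        # Check box cleared: re-moves devices that are already in a group,
        # the pattern the text warns against for repeated use.
        MovingRule("Linux servers", lambda d: d.os.startswith("Linux"),
                   "Servers", only_unassigned=False),
    ]


if __name__ == "__main__":
    rules = build_sample_rules()
    ws = Device("ws01", "10.1.5.5", "Windows 10")
    # Matches the first two rules; the higher-priority one wins.
    print(apply_moving_rules(ws, rules).name, "->", ws.group)  # Branch A by subnet -> Branch A
    ws.group = UNASSIGNED  # returned to Unassigned devices manually
    # The first rule never moves ws01 again, so the next rule picks it up.
    print(apply_moving_rules(ws, rules).name, "->", ws.group)  # Windows workstations -> Workstations
```

The second run shows the consequence of the one-time behaviour: once a device has been moved by the top rule, returning it to Unassigned devices does not replay that rule, and the device lands wherever the next matching rule sends it.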

Cloning device moving rules


When you have to create multiple device moving rules with similar settings, you can clone an existing rule and then
change the settings of the cloned rule. For example, this is useful when you must have several identical device
moving rules with different IP ranges and target groups.

To clone a device moving rule:

1. Open the main application window.

2. In the Unassigned devices folder, click Configure rules.

The Properties: Unassigned devices window opens.

3. In the Move devices section, select the device moving rule that you want to clone.

4. Click Clone rule.

A clone of the selected device moving rule will be added at the end of the list.

A new rule is created in the disabled state. You can edit and enable the rule at any time.

Software categorization
The main tool for monitoring the running of applications is Kaspersky categories (hereinafter also referred to as
KL categories). KL categories help Kaspersky Security Center administrators to simplify the support of software
categorization and minimize traffic going to managed devices.

User categories must only be created for applications that cannot be classified in any of the existing KL
categories (for example, for custom-made software). User categories are created on the basis of an
application installation package (MSI) or a folder with installation packages.

If a large collection of software is available which has not been categorized through KL categories, it may be useful
to create an automatically updated category. The checksums of executable files will be automatically added to this
category on every modification of the folder containing distribution packages.

Do not create automatically updated categories of software for the folders My Documents, %windir%,
%ProgramFiles%, and %ProgramFiles(x86)%. The pool of files in these folders is subject to frequent changes,
which leads to an increased load on Administration Server and increased network traffic. You must create a
dedicated folder with the collection of software and periodically add new items to it.
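What an automatically updated category amounts to, as an added example that is not Kaspersky code: a snapshot of the checksums of the executable files under a dedicated folder, rebuilt when the folder changes, with the difference between two snapshots reported. The folder layout and file contents are constructed in a temporary directory; the set of executable extensions (EXECUTABLE_SUFFIXES), the use of SHA-256 and the function names are assumptions made for the illustration, not a statement about which hash or file filter the product uses. Pointing the same logic at a folder with a large, constantly changing file set would yield a new snapshot on every change, which is the load problem the text warns about for %windir% and %ProgramFiles%.

```python
"""Added example (not Kaspersky code): a checksum-based software category
built from a dedicated folder of installation packages, and a report of what
changed between two builds. Extension list and hash choice are assumptions."""
import hashlib
import tempfile
from pathlib import Path
from typing import Dict, List

# Assumption for the example: which files count as executables.
EXECUTABLE_SUFFIXES = {".exe", ".dll", ".msi", ".sys", ".ocx"}


def sha256_of(path: Path, chunk_size: int = 1 << 20) -> str:
    """Stream the file through SHA-256 so large packages never sit in memory."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for block in iter(lambda: fh.read(chunk_size), b""):
            digest.update(block)
    return digest.hexdigest()


def build_category(folder) -> Dict[str, str]:
    """Return {relative path: sha256} for every executable file under folder,
    walking subfolders; files with other extensions are ignored."""
    root = Path(folder)
    return {
        p.relative_to(root).as_posix(): sha256_of(p)
        for p in sorted(root.rglob("*"))
        if p.is_file() and p.suffix.lower() in EXECUTABLE_SUFFIXES
    }


def diff_category(old: Dict[str, str], new: Dict[str, str]) -> Dict[str, List[str]]:
    """Classify the change between two snapshots of the category."""
    return {
        "added": sorted(set(new) - set(old)),
        "removed": sorted(set(old) - set(new)),
        "changed": sorted(k for k in set(old) & set(new) if old[k] != new[k]),
    }


def demo() -> Dict[str, List[str]]:
    """Constructed scenario: build a category, modify the folder, rebuild."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "tools").mkdir()
        (root / "tools" / "app.exe").write_bytes(b"MZ" + b"\x00" * 64)  # fake PE header
        (root / "tools" / "readme.txt").write_text("not an executable")
        before = build_category(root)

        # The folder is modified: one package is updated, one is added.
        (root / "tools" / "app.exe").write_bytes(b"MZ" + b"\x01" * 64)
        (root / "tools" / "helper.dll").write_bytes(b"MZ" + b"\x02" * 32)
        after = build_category(root)
        return diff_category(before, after)


if __name__ == "__main__":
    # {'added': ['tools/helper.dll'], 'removed': [], 'changed': ['tools/app.exe']}
    print(demo())
```

The category is keyed by content hash, not by file name or path, so renaming a package does not let an unchanged binary escape the category, while a modified binary under the same name shows up as changed and has to be re-admitted deliberately.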

Prerequisites for installing applications on devices of a client organization


The process of remote installation of applications on devices of a client organization is identical to the remote
installation process within an enterprise.

To install applications on devices of a client organization, the following actions must be performed:

Before installing applications on devices of the client organization for the first time, install Network Agent on
them.
When configuring the Network Agent installation package by the service provider, in Kaspersky Security
Center, adjust the following settings in the properties window of the installation package:

In the Connection section, in the Administration Server string, specify the address of the same virtual
Administration Server that was specified during local installation of Network Agent on the distribution point.

In the Advanced section, select the Connect to Administration Server by using a connection gateway
check box. In the Connection gateway address string, specify the distribution point address. You can use
either the device IP address or device name in the Windows network.

Select Using operating system resources through distribution points as the download method for the
Network Agent installation package. You can select the download method as follows:

If you install applications by using the remote installation task, you can specify the download method in one
of the following ways:

When creating a remote installation task, in the Settings window

In the remote installation task properties window, through the Settings section

If you install applications using the Remote Installation Wizard, you can select the download method in the
Settings window of this Wizard.

The account used by the distribution point for authorization must have access to the Admin$ resource on all
client devices. Access to Admin$ requires local administrator rights on each client device, so this account can log
on to every client as an administrator: use a dedicated account for this purpose, do not reuse it for other services,
and protect its credentials accordingly.

Viewing and editing local application settings


The Kaspersky Security Center administration system allows you to remotely manage local application settings on
devices through Administration Console.

Local application settings are the settings of an application that are specific to a device. You can use Kaspersky
Security Center to set local application settings for devices included in administration groups.

Detailed descriptions of settings of Kaspersky applications are provided in the respective Guides.

To view or change the local settings of an application:

1. In the workspace of the group to which the relevant device belongs, select the Devices tab.

2. In the device properties window, in the Applications section, select the relevant application.

3. Open the application properties window by double-clicking the application name or by clicking the Properties
button.

The local settings window of the selected application opens so that you can view and edit those settings.

You can change the values of settings that have not been barred from modification by a group policy (that is,
those not marked with the lock icon in a policy).

Updating Kaspersky Security Center and managed applications


This section describes the steps you must take to update Kaspersky Security Center and managed applications.

Scenario: Regular updating of Kaspersky databases and applications

This section provides a scenario for regular updating of Kaspersky databases, software modules, and applications.
After you complete the Configuring network protection scenario, you must maintain the reliability of the
protection system to make sure that the Administration Servers and managed devices are kept protected against
various threats, including viruses, network attacks, and phishing attacks.

Network protection is kept up-to-date by regular updates of the following:

Kaspersky databases and software modules

Installed Kaspersky applications, including Kaspersky Security Center components and security applications

When you complete this scenario, you can be sure of the following:

Your network is protected by the most recent Kaspersky software, including Kaspersky Security Center
components and security applications.

The anti-virus databases and other Kaspersky databases critical for network safety are always up-to-date.

Prerequisites

The managed devices must have a connection to the Administration Server. If they do not have a connection,
consider updating Kaspersky databases, software modules, and applications manually or directly from the
Kaspersky update servers.

Administration Server must have a connection to the internet.

Before you start, make sure that you have done the following:

1. Deployed the Kaspersky security applications to the managed devices according to the scenario of deploying
Kaspersky applications through Kaspersky Security Center Web Console.

2. Created and configured all required policies, policy profiles, and tasks according to the scenario of configuring
network protection.

3. Assigned an appropriate number of distribution points in accordance with the number of managed devices and
the network topology.

Updating Kaspersky databases and applications proceeds in stages:

1 Choosing an update scheme

There are several schemes that you can use to install updates to Kaspersky Security Center components and
security applications. Choose the scheme or several schemes that best meet the requirements of your network.

2 Creating the task for downloading updates to the repository of the Administration Server

This task is created automatically by the Kaspersky Security Center Quick Start Wizard. If you did not run the
Wizard, create the task now.

This task is required to download updates from Kaspersky update servers to the repository of the Administration
Server, as well as to update Kaspersky databases and software modules for Kaspersky Security Center. After
the updates are downloaded, they can be propagated to the managed devices.

If your network has assigned distribution points, the updates are automatically downloaded from the
Administration Server repository to the repositories of the distribution points. In this case the managed devices
included in the scope of a distribution point download the updates from the repository of the distribution point
instead of the Administration Server repository.

How-to instructions:

Administration Console: Creating the task for downloading updates to the repository of the Administration
Server

Kaspersky Security Center Web Console: Creating the task for downloading updates to the repository of the
Administration Server

3 Creating the task for downloading updates to the repositories of distribution points (optional)

By default, the updates are downloaded to the distribution points from the Administration Server. You can
configure Kaspersky Security Center to download the updates to the distribution points directly from Kaspersky
update servers. Download to the repositories of distribution points is preferable if the traffic between the
Administration Server and the distribution points is more expensive than the traffic between the distribution
points and Kaspersky update servers, or if your Administration Server does not have internet access.

When your network has assigned distribution points and the Download updates to the repositories of
distribution points task is created, the distribution points download updates from Kaspersky update servers, and
not from the Administration Server repository.

How-to instructions:

Administration Console: Creating the task for downloading updates to the repositories of distribution points

Kaspersky Security Center Web Console: Creating the task for downloading updates to the repositories of
distribution points

4 Configuring distribution points

When your network has assigned distribution points, make sure that the Deploy updates option is enabled in the
properties of all required distribution points. When this option is disabled for a distribution point, the devices
included in the scope of the distribution point download updates from the repository of the Administration
Server.

If you want the managed devices to receive updates only from the distribution points, enable the Distribute files
through distribution points only option in the Network Agent policy.

5 Optimizing the update process by using the offline model of update download or diff files (optional)

You can optimize the update process by using the offline model of update download (enabled by default) or by
using diff files. For each network segment, you have to choose which of these two features to enable, because
they cannot work simultaneously.

When the offline model of update download is enabled, Network Agent downloads the required updates to the
managed device as soon as the updates are downloaded to the Administration Server repository, before the
security application requests the updates. This enhances the reliability of the update process. To use this feature,
enable the Download updates and anti-virus databases from Administration Server in advance (recommended)
option in the Network Agent policy.

If you do not use the offline model of update download, you can optimize traffic between the Administration
Server and the managed devices by using diff files. When this feature is enabled, the Administration Server or a
distribution point downloads diff files instead of entire files of Kaspersky databases or software modules. A diff
file describes the differences between two versions of a file of a database or software module. Therefore, a diff
file occupies less space than an entire file. This results in a decrease in the traffic between the Administration
Server or distribution points and the managed devices. To use this feature, enable the Download diff files option
in the properties of the Download updates to the Administration Server repository task and/or the Download
updates to the repositories of distribution points task.

How-to instructions:

Using diff files for updating Kaspersky databases and software modules

Administration Console: Enabling and disabling the offline model of update download

Kaspersky Security Center Web Console: Enabling and disabling the offline model of update download
6 Verifying downloaded updates (optional)

Before installing the downloaded updates, you can verify the updates through the Update verification task. This
task sequentially runs the device update tasks and virus scan tasks configured through settings for the specified
collection of test devices. Upon obtaining the task results, the Administration Server starts or blocks the update
propagation to the remaining devices.

The Update verification task can be performed as part of the Download updates to the repository of the
Administration Server task. In the properties of the Download updates to the repository of the Administration
Server task, enable the Verify updates before distributing option in the Administration Console or the Run
update verification option in Kaspersky Security Center Web Console.

How-to instructions:

Administration Console: Verifying downloaded updates

Kaspersky Security Center Web Console: Verifying downloaded updates

7 Approving and declining software updates

By default, the downloaded software updates have the Undefined status. You can change the status to
Approved or Declined. The approved updates are always installed. If an update requires reviewing and accepting
the terms of the End User License Agreement, then you first need to accept the terms. After that the update
can be propagated to the managed devices. The undefined updates can only be installed on Network Agent and
other Kaspersky Security Center components in accordance with the Network Agent policy settings. The
updates for which you set Declined status will not be installed on devices. If a declined update for a security
application was previously installed, Kaspersky Security Center will try to uninstall the update from all devices.
Updates for Kaspersky Security Center components cannot be uninstalled.

How-to instructions:

Administration Console: Approving and declining software updates

Kaspersky Security Center Web Console: Approving and declining software updates

8 Configuring automatic installation of updates and patches for Kaspersky Security Center components

The downloaded updates and patches for Network Agent and other Kaspersky Security Center components are
installed automatically. If you have left the Automatically install applicable updates and patches for
components that have the Undefined status option enabled in the Network Agent properties, then all updates
will be installed automatically after they are downloaded to the repository (or several repositories). If this option
is disabled, Kaspersky patches that have been downloaded and tagged with the Undefined status will be installed
only after you change their status to Approved.

How-to instructions:

Administration Console: Enabling and disabling automatic updating and patching for Kaspersky Security
Center components

Kaspersky Security Center Web Console: Enabling and disabling automatic updating and patching for
Kaspersky Security Center components

9 Installation of updates for the Administration Server

Software updates for the Administration Server do not depend on the update statuses. They are not installed
automatically and must first be approved by the administrator on the Monitoring tab in the
Administration Console (Administration Server <server name> → Monitoring) or in the NOTIFICATIONS
section in Kaspersky Security Center Web Console (MONITORING & REPORTING → NOTIFICATIONS). After
that, the administrator must explicitly run installation of the updates.

10 Configuring automatic installation of updates for the security applications

Create the Update tasks for the managed applications to provide timely updates to the applications, software
modules and Kaspersky databases, including anti-virus databases. To ensure timely updates, we recommend that
you select the When new updates are downloaded to the repository option when configuring the task
schedule.

If your network includes IPv6-only devices and you want to regularly update the security applications installed on
these devices, make sure that Administration Server is version 13.2 or later and that Network Agent version 13.2
or later is installed on the managed devices.

By default, updates for Kaspersky Endpoint Security for Windows and Kaspersky Endpoint Security for Linux are
installed only after you change the update status to Approved. You can change the update settings in the
Update task.

If an update requires reviewing and accepting the terms of the End User License Agreement, then you first need
to accept the terms. After that the update can be propagated to the managed devices.

How-to instructions:

Administration Console: Automatic installation of Kaspersky Endpoint Security updates on devices

Kaspersky Security Center Web Console: Automatic installation of Kaspersky Endpoint Security updates on
devices

Results

Upon completion of the scenario, Kaspersky Security Center is configured to update Kaspersky databases and
installed Kaspersky applications after the updates are downloaded to the repository of the Administration Server
or to the repositories of distribution points. You can then proceed to monitoring the network status.

About updating Kaspersky databases, software modules, and applications


To be sure that the protection of your Administration Servers and managed devices is up-to-date, you must
provide timely updates of the following:

Kaspersky databases and software modules

Before downloading Kaspersky databases and software modules, Kaspersky Security Center checks whether
Kaspersky servers are accessible. If access to the servers using system DNS is not possible, the application
uses public DNS. This is necessary to make sure anti-virus databases are updated and the level of security
is maintained for the managed devices. Note that this fallback sends DNS queries from the Administration
Server to public resolvers outside your own DNS infrastructure; take it into account in egress filtering on the
Administration Server.

Installed Kaspersky applications, including Kaspersky Security Center components and security applications

Depending on the configuration of your network, you can use the following schemes of downloading and
distributing the required updates to the managed devices:

By using a single task: Download updates to the Administration Server repository

By using two tasks:

The Download updates to the Administration Server repository task

The Download updates to the repositories of distribution points task

Manually through a local folder, a shared folder, or an FTP server

Directly from Kaspersky update servers to Kaspersky Endpoint Security on the managed devices

Through a local or network folder if Administration Server has no internet connection

Using the Download updates to the Administration Server repository task

In this scheme, Kaspersky Security Center downloads updates through the Download updates to the
Administration Server repository task. In small networks that contain fewer than 300 managed devices in a single
network segment or fewer than 10 managed devices in each network segment, the updates are distributed to the
managed devices directly from the Administration Server repository (see figure below).

Updating by using the Download updates to the Administration Server repository task without distribution points

By default, the Administration Server communicates with Kaspersky update servers and downloads updates
by using the HTTPS protocol. You can configure the Administration Server to use the HTTP protocol instead
of HTTPS. Keep HTTPS unless a proxy on the path makes it impossible: with HTTP, the update traffic crosses
the network unencrypted and can be observed or modified in transit.

If your network contains more than 300 managed devices in a single network segment or if your network consists
of several network segments with more than 9 managed devices in each network segment, we recommend that
you use distribution points to propagate the updates to the managed devices (see figure below). Distribution
points reduce the load on the Administration Server and optimize traffic between the Administration Server and
the managed devices. You can calculate the number and configuration of distribution points required for your
network.

In this scheme, the updates are automatically downloaded from the Administration Server repository to the
repositories of the distribution points. The managed devices included in the scope of a distribution point download
the updates from the repository of the distribution point instead of the Administration Server repository.

Updating by using the Download updates to the Administration Server repository task with distribution points

When the Download updates to the Administration Server repository task is complete, the following updates are
downloaded to the Administration Server repository:

Kaspersky databases and software modules for Kaspersky Security Center

These updates are installed automatically.

Kaspersky databases and software modules for the security applications on the managed devices

These updates are installed through the Update task for Kaspersky Endpoint Security for Windows.

Updates for the Administration Server

These updates are not installed automatically. The administrator must explicitly approve and run installation of
the updates.

Local administrator rights are required for installing patches on the Administration Server.

Updates for the components of Kaspersky Security Center

By default, these updates are installed automatically. You can change the settings in the Network Agent policy.

Updates for the security applications

By default, Kaspersky Endpoint Security for Windows installs only those updates that you approve. (You can
approve updates via the Administration Console or via Kaspersky Security Center Web Console.) The updates
are installed through the Update task and can be configured in the properties of this task.

The Download updates to the repository of the Administration Server task is not available on virtual
Administration Servers. The repository of the virtual Administration Server displays updates downloaded to
the primary Administration Server.

You can configure the updates to be verified for operability and errors on a set of test devices. If the verification is
successful, the updates are distributed to other managed devices.

Each Kaspersky application requests required updates from Administration Server. Administration Server
aggregates these requests and downloads only those updates that are requested by any application. This ensures
that the same updates are not downloaded multiple times and that unnecessary updates are not downloaded at
all. When running the Download updates to the Administration Server repository task, Administration Server sends
the following information to Kaspersky update servers automatically in order to ensure the downloading of relevant
versions of Kaspersky databases and software modules:

Application ID and version

Application installation ID

Active key ID

Download updates to the repository of the Administration Server task run ID

None of the transmitted information contains personal or other confidential data. AO Kaspersky Lab protects
information in accordance with requirements established by law.

Using two tasks: the Download updates to the Administration Server repository task and the
Download updates to the repositories of distribution points task

427
You can download updates to the repositories of distribution points directly from the Kaspersky update servers
instead of the Administration Server repository, and then distribute the updates to the managed devices (see
figure below). Download to the repositories of distribution points is preferable if the traffic between the
Administration Server and the distribution points is more expensive than the traffic between the distribution
points and Kaspersky update servers, or if your Administration Server does not have internet access.

Updating by using the Download updates to the Administration Server repository task and the Download updates to the repositories of distribution points task

By default, the Administration Server and distribution points communicate with Kaspersky update servers and
download updates by using the HTTPS protocol. You can configure the Administration Server and/or
distribution points to use the HTTP protocol instead of HTTPS.

To implement this scheme, create the Download updates to the repositories of distribution points task in addition
to the Download updates to the Administration Server repository task. After that the distribution points will
download updates from Kaspersky update servers, and not from the Administration Server repository.

Distribution point devices running macOS cannot download updates from Kaspersky update servers.

If one or more devices running macOS are within the scope of the Download updates to the repositories of
distribution points task, the task completes with the Failed status, even if it has successfully completed on all
Windows devices.

The Download updates to the Administration Server repository task is also required for this scheme, because this
task is used to download Kaspersky databases and software modules for Kaspersky Security Center.

Manually through a local folder, a shared folder, or an FTP server

If the client devices do not have a connection to the Administration Server, you can use a local folder or a shared
resource as a source for updating Kaspersky databases, software modules, and applications. In this scheme, you
need to copy required updates from the Administration Server repository to a removable drive, then copy the
updates to the local folder or the shared resource specified as an update source in the settings of Kaspersky
Endpoint Security (see figure below).

Updating through a local folder, a shared folder, or an FTP server

For more information about sources of updates in Kaspersky Endpoint Security, see the following Helps:

Kaspersky Endpoint Security for Windows Help

Kaspersky Endpoint Security for Linux Help

Directly from Kaspersky update servers to Kaspersky Endpoint Security on the managed
devices

On the managed devices, you can configure Kaspersky Endpoint Security to receive updates directly from
Kaspersky update servers (see figure below).

Updating security applications directly from Kaspersky update servers

In this scheme, the security application does not use the repositories provided by Kaspersky Security Center. To
receive updates directly from Kaspersky update servers, specify Kaspersky update servers as an update source in
the interface of the security application. For more information about these settings, see the following Helps:

Kaspersky Endpoint Security for Windows Help

Kaspersky Endpoint Security for Linux Help

Through a local or network folder if Administration Server has no internet connection

If Administration Server has no internet connection, you can configure the Download updates to the
Administration Server repository task to download updates from a local or network folder. In this case, you must
copy the required update files to the specified folder from time to time. For example, you can copy the required
update files from one of the following sources:

Administration Server that has an internet connection (see the figure below)

Because an Administration Server downloads only the updates that are requested by the security applications,
the sets of security applications managed by the Administration Servers—the one that has an internet
connection and the one that does not—must match.
If the Administration Server that you use to download updates has version 13.2 or earlier, open properties of the
Download updates to the Administration Server repository task, and then enable the Download updates by
using the old scheme option.

Updating through a local or network folder if Administration Server has no internet connection

Kaspersky Update Utility


Because this utility uses the old scheme to download updates, open properties of the Download updates to
the Administration Server repository task, and then enable the Download updates by using the old scheme
option.

About using diff files for updating Kaspersky databases and software modules

When Kaspersky Security Center downloads updates from Kaspersky update servers, it optimizes traffic by using
diff files. You can also enable the usage of diff files by devices (Administration Servers, distribution points, and
client devices) that take updates from other devices on your network.

About the Downloading diff files feature

A diff file describes the differences between two versions of a file of a database or software module. The usage of
diff files saves traffic inside your company's network because diff files occupy less space than entire files of
databases and software modules. If the Downloading diff files feature is enabled on Administration Server or a
distribution point, the diff files are saved on this Administration Server or distribution point. As a result, devices
that take updates from this Administration Server or distribution point can use the saved diff files to update their
databases and software modules.

To optimize the usage of diff files, we recommend that you synchronize the update schedule of devices with the
update schedule of the Administration Server or distribution point from which the devices take updates. However,
the traffic can be saved even if devices are updated several times less often than are the Administration Server or
distribution point from which the devices take updates.
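The block-level diff below is an added illustration of why diff files save traffic; it is not Kaspersky code and does not reproduce Kaspersky's diff format. The sender holds both versions of an update file, the receiver holds only the old one, and only the blocks that changed are transferred. The receiver then checks the reconstructed file against the expected SHA-256 before using it, so a corrupted or truncated diff is rejected rather than applied. The block size, the function names and the two constructed file versions are assumptions made for this example.

```python
"""Added example (not Kaspersky code): a block-level diff showing how sending only
changed blocks saves traffic, with an integrity check on the reconstructed file.
Block size, names and the diff layout are assumptions for this illustration."""
import hashlib
from typing import Dict, List, Tuple

BLOCK = 64  # assumed block size in bytes

# A diff is: (changed blocks keyed by block index, block count of the new file,
#             SHA-256 hex digest of the complete new file)
Diff = Tuple[Dict[int, bytes], int, str]


def split_blocks(data: bytes) -> List[bytes]:
    return [data[i:i + BLOCK] for i in range(0, len(data), BLOCK)]


def make_diff(old: bytes, new: bytes) -> Diff:
    """Sender side: keep only the blocks of `new` that differ from `old`."""
    old_blocks, new_blocks = split_blocks(old), split_blocks(new)
    changed = {
        i: block for i, block in enumerate(new_blocks)
        if i >= len(old_blocks) or old_blocks[i] != block
    }
    return changed, len(new_blocks), hashlib.sha256(new).hexdigest()


def apply_diff(old: bytes, diff: Diff) -> bytes:
    """Receiver side: rebuild the new file from the old file plus changed blocks,
    and refuse the result unless it matches the expected digest."""
    changed, n_blocks, expected = diff
    old_blocks = split_blocks(old)
    out = []
    for i in range(n_blocks):
        if i in changed:
            out.append(changed[i])
        elif i < len(old_blocks):
            out.append(old_blocks[i])
        else:
            raise ValueError("diff does not cover block %d" % i)
    new = b"".join(out)
    if hashlib.sha256(new).hexdigest() != expected:
        raise ValueError("reconstructed file does not match expected hash")
    return new


def diff_size(diff: Diff) -> int:
    """Bytes that actually travel over the network for this diff."""
    changed, _, _ = diff
    return sum(len(block) for block in changed.values())


def sample_versions() -> Tuple[bytes, bytes]:
    """Constructed sample: a 40-block 'old' file and a 'new' file with two blocks
    rewritten and one short block appended."""
    old = b"".join(bytes([i]) * BLOCK for i in range(40))
    blocks = split_blocks(old)
    blocks[5] = b"\xff" * BLOCK
    blocks[30] = b"\xaa" * BLOCK
    blocks.append(b"new tail block")
    return old, b"".join(blocks)


if __name__ == "__main__":
    old, new = sample_versions()
    diff = make_diff(old, new)
    print("full file: %d bytes, diff: %d bytes" % (len(new), diff_size(diff)))
    assert apply_diff(old, diff) == new
```

With the constructed sample the full new file is 2574 bytes while the diff carries 142, and flipping a single transferred block makes `apply_diff` raise instead of installing a corrupt file.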

The Downloading diff files feature can be enabled only on Administration Servers and distribution points of
versions starting from version 11. To save diff files on Administration Servers and distribution points of earlier
versions, upgrade them to version 11 or later.

The Downloading diff files feature is incompatible with the offline model of update download. This means that
Network Agents that use the offline model of update download do not download diff files even if the
Downloading diff files feature is enabled on the Administration Server or distribution point that delivers
updates to these Network Agents.

Distribution points do not use IP multicasting for automatic distribution of diff files.

Enabling the Downloading diff files feature: scenario

Prerequisites

Prerequisites for the scenario are as follows:

Administration Servers and distribution points are upgraded to version 11 or later.

Offline model of update download is disabled in the settings of the Network Agent policy.

Stages

1 Enabling the feature on Administration Server

Enable the feature in the settings of a Download updates to the repository of the Administration Server task.

2 Enabling the feature for a distribution point

Enable the feature for a distribution point that receives updates by means of a Download updates to the
repositories of distribution points task.

Then enable the feature for a distribution point that receives updates from Administration Server.

The feature is enabled in the Network Agent policy settings and—if the distribution points are assigned manually
and if you want to override policy settings—in the Distribution points section of the Administration Server
properties.

To check that the Downloading diff files feature is successfully enabled, you can measure the internal traffic
before and after you perform the scenario.

Creating the task for downloading updates to the repository of the Administration Server

The Download updates to the repository of the Administration Server task of the Administration Server is created
automatically by the Kaspersky Security Center Quick Start Wizard. You can create only one Download updates to
the repository of the Administration Server task. Therefore, you can create a Download updates to the repository
of the Administration Server task only if this task was removed from the Administration Server tasks list.

To create a Download updates to the repository of the Administration Server task:

1. In the console tree, select the Tasks folder.

2. Start creation of the task in one of the following ways:

In the context menu of the Tasks folder in the console tree, select New → Task.

In the workspace of the Tasks folder, click the Create a task button.

The Add Task Wizard starts. Follow the steps of the Wizard.

3. On the Select the task type page of the Wizard, select Download updates to the Administration Server
repository.

4. On the Settings page of the Wizard, specify the task settings as follows:

Sources of updates

The following resources can be used as a source of updates for the Administration Server:

Kaspersky update servers


HTTP(S) servers at Kaspersky from which Kaspersky applications download database and
application module updates. By default, the Administration Server communicates with Kaspersky
update servers and downloads updates by using the HTTPS protocol. You can configure the
Administration Server to use the HTTP protocol instead of HTTPS.
Selected by default.

Primary Administration Server


This resource applies to tasks created for a secondary or virtual Administration Server.

Local or network folder


A local or network folder that contains the latest updates. A network folder can be an FTP or HTTP
server, or an SMB share. If a network folder requires authentication, only the SMB protocol is
supported. When selecting a local folder, you must specify a folder on the device that has
Administration Server installed.

An FTP or HTTP server or a network folder used as an update source must contain a folder
structure (with updates) that matches the structure created when using Kaspersky update
servers.

If you enable the Do not use proxy server option for the Kaspersky update servers or Local or network
folder sources of update, an Administration Server does not use a proxy server for downloading
updates.

Other settings:

Force update of secondary Administration Servers

If this option is enabled, the Administration Server starts the update tasks on the secondary
Administration Servers as soon as new updates are downloaded. Otherwise, the update tasks on the
secondary Administration Servers start according to their schedules.
By default, this option is disabled.

Copy downloaded updates to additional folders

After the Administration Server receives updates, it copies them to the specified folders. Use this
option if you want to manually manage the distribution of updates on your network.

For example, you may want to use this option in the following situation: the network of your
organization consists of several independent subnets, and devices from each of the subnets do not
have access to other subnets. However, devices in all of the subnets have access to a common
network share. In this case, you set Administration Server in one of the subnets to download
updates from Kaspersky update servers, enable this option, and then specify this network share. In
the Download updates to the repository tasks of the other Administration Servers, specify the same
network share as the update source.

By default, this option is disabled.

Do not force updating of devices and secondary Administration Servers unless copying is complete

The tasks of downloading updates to client devices and secondary Administration Servers start
only after those updates are copied from the main update folder to additional update folders.
This option must be enabled if client devices and secondary Administration Servers download
updates from additional network folders.
By default, this option is disabled.

Download updates by using the old scheme

Starting from version 14, Kaspersky Security Center downloads updates of databases and software
modules by using the new scheme. For the application to download updates by using the new
scheme, the update source must contain update files with metadata that is compatible with the new
scheme. If the update source contains update files with metadata that is compatible with the old
scheme only, enable the Download updates by using the old scheme option. Otherwise, the update
download task will fail.
For example, you must enable this option when a local or network folder is specified as an update
source, and the update files in this folder were downloaded by one of the following applications:
Kaspersky Update Utility
This utility downloads updates by using the old scheme.

Kaspersky Security Center 13.2 or earlier version


For example, your Administration Server 1 does not have an internet connection. In this case,
you may download updates by using an Administration Server 2 that has an internet
connection, and then place the updates to a local or network folder to use it as an update
source for the Administration Server 1. If the Administration Server 2 has version 13.2 or earlier,
enable the Download updates by using the old scheme option in the task for the
Administration Server 1.
By default, this option is disabled.

5. On the Configure task schedule page of the Wizard, you can create a schedule for task start. If necessary,
specify the following settings:

Scheduled start:

Select the schedule according to which the task runs, and configure the selected schedule.

Every N hours

The task runs regularly, with the specified interval in hours, starting from the specified date and time.
By default, the task runs every six hours, starting from the current system date and time.

Every N days

The task runs regularly, with the specified interval in days. Additionally, you can specify a date and
time of the first task run. These additional options become available, if they are supported by the
application for which you create the task.
By default, the task runs every day, starting from the current system date and time.

Every N weeks

The task runs regularly, with the specified interval in weeks, on the specified day of week and at the
specified time.
By default, the task runs every Monday at the current system time.

Every N minutes

The task runs regularly, with the specified interval in minutes, starting from the specified time on the
day that the task is created.
By default, the task runs every 30 minutes, starting from the current system time.

Daily (daylight saving time is not supported)

The task runs regularly, with the specified interval in days. This schedule does not support
observance of daylight saving time (DST). It means that when clocks jump one hour forward or
backward at the beginning or ending of DST, the actual task start time does not change.
We do not recommend that you use this schedule. It is needed for backward compatibility of
Kaspersky Security Center.
By default, the task starts every day at the current system time.

Weekly

The task runs every week on the specified day and at the specified time.

By days of week

The task runs regularly, on the specified days of week, at the specified time.
By default, the task runs every Friday at 6:00:00 PM.

Monthly

The task runs regularly, on the specified day of the month, at the specified time.
In months that lack the specified day, the task runs on the last day.
By default, the task runs on the first day of each month, at the current system time.

Manually

The task does not run automatically. You can only start it manually.
By default, this option is enabled.

Every month on specified days of selected weeks

The task runs regularly, on the specified days of each month, at the specified time.
By default, no days of month are selected; the default start time is 6:00:00 PM.

On virus outbreak

The task runs after a Virus outbreak event occurs. Select application types that will monitor virus
outbreaks. The following application types are available:
Anti-virus for workstations and file servers

Anti-virus for perimeter defense

Anti-virus for mail systems


By default, all application types are selected.
You may want to run different tasks depending on the anti-virus application type that reports a virus
outbreak. In this case, remove the selection of the application types that you do not need.

On completing another task

The current task starts after another task completes. You can select how the previous task must
complete (successfully or with error) to trigger the start of the current task. For example, you may
want to run the Manage devices task with the Turn on the device option and, after it completes, run
the Virus scan task.

Run missed tasks

This option determines the behavior of a task if a client device is not visible on the network when the
task is about to start.
If this option is enabled, the system attempts to start the task the next time the Kaspersky application
is run on the client device. If the task schedule is Manually, Once or Immediately, the task is started
immediately after the device becomes visible on the network or immediately after the device is
included in the task scope.
If this option is disabled, only scheduled tasks run on client devices; for Manually, Once and
Immediately, tasks run only on those client devices that are visible on the network. For example, you
may want to disable this option for a resource-consuming task that you want to run only outside of
business hours.
By default, this option is enabled.

Use automatically randomized delay for task starts

If this option is enabled, the task is started on client devices randomly within a specified time interval,
that is, distributed task start. A distributed task start helps to avoid a large number of simultaneous
requests by client devices to the Administration Server when a scheduled task is running.
The distributed start time is calculated automatically when a task is created, depending on the number
of client devices to which the task is assigned. Later, the task is always started on the calculated start
time. However, when task settings are edited or the task is started manually, the calculated value of the
task start time changes.
If this option is disabled, the task starts on client devices according to the schedule.

Use randomized delay for task starts within an interval of (min)

If this option is enabled, the task is started on client devices randomly within the specified time interval.
A distributed task start helps to avoid a large number of simultaneous requests by client devices to the
Administration Server when a scheduled task is running.
If this option is disabled, the task starts on client devices according to the schedule.
By default, this option is disabled. The default time interval is one minute.

6. On the Define the task name page of the Wizard, specify the name for the task that you are creating. A task
name cannot be more than 100 characters long and cannot include any special characters ("*<>?\:|).

7. On the Finish task creation page of the Wizard, click the Finish button to close the Wizard.
If you want the task to start as soon as the Wizard finishes, select the Run the task after the Wizard finishes
check box.

After the Wizard finishes, Download updates to the Administration Server repository appears in the list of
Administration Server tasks in the workspace.

In addition to the settings that you specify during task creation, you can change other properties of a created
task.

When Administration Server performs the Download updates to the repository of the Administration Server task,
updates to databases and software modules are downloaded from the updates source and stored in the shared
folder of Administration Server. If you create this task for an administration group, it will only be applied to Network
Agents included in the specified administration group.

Updates are distributed to client devices and secondary Administration Servers from the shared folder of
Administration Server.

Creating the Download updates to the repositories of distribution points task

Distribution point devices running macOS cannot download updates from Kaspersky update servers.

If one or more devices running macOS are within the scope of the Download updates to the repositories of
distribution points task, the task completes with the Failed status, even if it has successfully completed on all
Windows devices.

You can create the Download updates to the repositories of distribution points task for an administration group.
This task will run for distribution points included in the specified administration group.

You can use this task, for example, if the traffic between the Administration Server and the distribution point(s) is
more expensive than the traffic between the distribution point(s) and Kaspersky update servers, or if your
Administration Server does not have internet access.

To create the Download updates to the repositories of distribution points task for a selected administration group:

1. In the console tree, select the Tasks folder.

2. In the workspace of this folder, click the New task button.


The Add Task Wizard starts. Follow the steps of the Wizard.

3. On the Select the task type page of the Wizard, select the Kaspersky Security Center 14 Administration
Server node, expand the Advanced folder, and then select the Download updates to the repositories of
distribution points task.

4. On the Settings page of the Wizard, specify the task settings as follows:

Sources of updates

The following resources can be used as a source of updates for the distribution point:

Kaspersky update servers


HTTP(S) servers at Kaspersky from which Kaspersky applications download database and
application module updates.
This option is selected by default.

Primary Administration Server


This resource applies to tasks created for a secondary or virtual Administration Server.

Local or network folder


A local or network folder that contains the latest updates. A network folder can be an FTP or HTTP
server, or an SMB share. If a network folder requires authentication, only the SMB protocol is
supported. When selecting a local folder, you must specify a folder on the device that has
Administration Server installed.

An FTP or HTTP server or a network folder used as an update source must contain a folder
structure (with updates) that matches the structure created when using Kaspersky update
servers.

If you enable the Do not use proxy server option for the Kaspersky update servers or Local or network
folder sources of update, a distribution point does not use a proxy server for downloading updates,
even if you enabled the option Use proxy server of the Network Agent policy settings for the
distribution point.

Folder for storing updates

The path to the specified folder for storing saved updates. You can copy the specified folder path to a
clipboard. You cannot change the path to a specified folder for a group task.

Download updates by using the old scheme

Starting from version 14, Kaspersky Security Center downloads updates of databases and software
modules by using the new scheme. For the application to download updates by using the new scheme,
the update source must contain the update files with the metadata compatible with the new scheme. If
the update source contains the update files with the metadata compatible with the old scheme only,
enable the Download updates by using the old scheme option. Otherwise, the update download task
will fail.
For example, you must enable this option when a local or network folder is specified as an update
source and the update files in this folder were downloaded by one of the following applications:
Kaspersky Update Utility
This utility downloads updates by using the old scheme.

Kaspersky Security Center 13.2 or earlier version


For example, a distribution point is configured to take the updates from a local or network folder.
In this case, you may download updates by using an Administration Server that has an internet
connection, and then place the updates to the local folder on the distribution point. If the
Administration Server has version 13.2 or earlier, enable the Download updates by using the old
scheme option in the Download updates to the repositories of distribution points task.
By default, this option is disabled.

5. On the Select Administration group page of the Wizard, click Browse and select the administration group to
which the task applies.

6. On the Configure task schedule page of the Wizard, you can create a schedule for task start. If necessary,
specify the following settings:

Scheduled start:

Select the schedule according to which the task runs, and configure the selected schedule.

Every N hours

The task runs regularly, with the specified interval in hours, starting from the specified date and time.
By default, the task runs every six hours, starting from the current system date and time.

Every N days

The task runs regularly, with the specified interval in days. Additionally, you can specify a date and
time of the first task run. These additional options become available, if they are supported by the
application for which you create the task.
By default, the task runs every day, starting from the current system date and time.

Every N weeks

The task runs regularly, with the specified interval in weeks, on the specified day of week and at the
specified time.
By default, the task runs every Monday at the current system time.

Every N minutes

The task runs regularly, with the specified interval in minutes, starting from the specified time on the
day that the task is created.
By default, the task runs every 30 minutes, starting from the current system time.

Daily (daylight saving time is not supported)

The task runs regularly, with the specified interval in days. This schedule does not support
observance of daylight saving time (DST). It means that when clocks jump one hour forward or
backward at the beginning or ending of DST, the actual task start time does not change.
We do not recommend that you use this schedule. It is needed for backward compatibility of
Kaspersky Security Center.
By default, the task starts every day at the current system time.

Weekly

The task runs every week on the specified day and at the specified time.

By days of week

The task runs regularly, on the specified days of week, at the specified time.
By default, the task runs every Friday at 6:00:00 PM.

Monthly

The task runs regularly, on the specified day of the month, at the specified time.
In months that lack the specified day, the task runs on the last day.
By default, the task runs on the first day of each month, at the current system time.

Manually

The task does not run automatically. You can only start it manually.
By default, this option is enabled.

Every month on specified days of selected weeks

The task runs regularly, on the specified days of each month, at the specified time.
By default, no days of month are selected; the default start time is 6:00:00 PM.

On virus outbreak

The task runs after a Virus outbreak event occurs. Select application types that will monitor virus
outbreaks. The following application types are available:
Anti-virus for workstations and file servers

Anti-virus for perimeter defense

Anti-virus for mail systems


By default, all application types are selected.
You may want to run different tasks depending on the anti-virus application type that reports a virus
outbreak. In this case, remove the selection of the application types that you do not need.

On completing another task

The current task starts after another task completes. You can select how the previous task must
complete (successfully or with error) to trigger the start of the current task. For example, you may
want to run the Manage devices task with the Turn on the device option and, after it completes, run
the Virus scan task.

Run missed tasks

This option determines the behavior of a task if a client device is not visible on the network when the
task is about to start.
If this option is enabled, the system attempts to start the task the next time the Kaspersky application
is run on the client device. If the task schedule is Manually, Once or Immediately, the task is started
immediately after the device becomes visible on the network or immediately after the device is
included in the task scope.
If this option is disabled, only scheduled tasks run on client devices; for Manually, Once and
Immediately, tasks run only on those client devices that are visible on the network. For example, you
may want to disable this option for a resource-consuming task that you want to run only outside of
business hours.
By default, this option is enabled.

Use automatically randomized delay for task starts

If this option is enabled, the task is started on client devices randomly within a specified time interval,
that is, distributed task start. A distributed task start helps to avoid a large number of simultaneous
requests by client devices to the Administration Server when a scheduled task is running.
The distributed start time is calculated automatically when a task is created, depending on the number
of client devices to which the task is assigned. Later, the task is always started on the calculated start
time. However, when task settings are edited or the task is started manually, the calculated value of the
task start time changes.
If this option is disabled, the task starts on client devices according to the schedule.

Use randomized delay for task starts within an interval of (min)

If this option is enabled, the task is started on client devices randomly within the specified time interval.
A distributed task start helps to avoid a large number of simultaneous requests by client devices to the
Administration Server when a scheduled task is running.
If this option is disabled, the task starts on client devices according to the schedule.
By default, this option is disabled. The default time interval is one minute.

7. On the Define the task name page of the Wizard, specify the name for the task that you are creating. A task
name cannot be more than 100 characters long and cannot include any special characters ("*<>?\:|).

8. On the Finish task creation page of the Wizard, click the Finish button to close the Wizard.
If you want the task to start as soon as the Wizard finishes, select the Run the task after the Wizard finishes
check box.

When the Wizard completes its operation, Download updates to the repositories of distribution points
appears in the list of Network Agent tasks in the target administration group and in the Tasks workspace of the
console.

In addition to the settings that you specify during task creation, you can change other properties of a created
task.

When the Download updates to the repositories of distribution points task is performed, updates for databases
and software modules are downloaded from the update source and stored in the shared folder. Downloaded
updates will only be used by distribution points that are included in the specified administration group and that
have no update download task explicitly set for them.

In the Administration Server properties window, in the Sections pane select Distribution points. In the properties
of each distribution point, in the Update source section you can specify the update source (Retrieve from
Administration Server or Use task for forced download of updates). By default, Retrieve from Administration
Server is selected for a distribution point that is assigned manually or automatically. These distribution points will
use the results of the Download updates to the repositories of distribution points task.

The properties of each distribution point specify the network folder that has been set up for that distribution
point individually. The names of folders may vary for different distribution points. For this reason, we do not
recommend that you change the network folder in the task properties if the task is created for a group of devices.

You can change the network folder with updates in the properties of the Download updates to the repositories of
distribution points task if you are creating a local task for a device.

Configuring the Download updates to the repository of the Administration Server task

To configure the Download updates to the repository of the Administration Server task:

1. In the workspace of the Tasks console tree folder, select Download updates to the Administration Server
repository in the task list.

2. Open the task properties window in one of the following ways:

By selecting Properties in the context menu of the task.

By clicking the Configure task link in the information box for the selected task.

The Download updates to the repository of the Administration Server task properties window opens. In this
window, you can configure how the updates are downloaded to the Administration Server repository.

Verifying downloaded updates


Before installing updates on managed devices, you can first check the updates for operability and errors
through the Update verification task. The Update verification task is performed automatically as part of the
Download updates to the Administration Server repository task. The Administration Server downloads updates
from the source, saves them in the temporary repository, and runs the Update verification task. If the task
completes successfully, the updates are copied from the temporary repository to the Administration Server
shared folder (<Kaspersky Security Center installation folder>\Share\Updates). They are distributed to all client
devices for which the Administration Server is the source of updates.

If, as a result of the Update verification task, the updates located in the temporary repository are found to be
incorrect, or if the Update verification task completes with an error, such updates are not copied to the shared
folder. The Administration Server retains the previous set of updates. Also, the tasks that have the When new
updates are downloaded to the repository schedule type are not started. Copying and task start are performed at
the next run of the Download updates to the Administration Server repository task, if verification of the new
updates completes successfully.

A set of updates is considered invalid if any of the following conditions is met on at least one test device:

An update task error occurred.

The real-time protection status of the security application changed after the updates were applied.

An infected object was detected while the on-demand scan task was running.

A runtime error of a Kaspersky application occurred.

If none of the listed conditions is true for any test device, the set of updates is considered valid, and the Update
verification task is considered to have completed successfully.
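The gating logic described above, as an added example that is not part of this Help or of Kaspersky's own code: a candidate set is staged in a temporary repository, every test device reports the outcome of the auxiliary Update and Virus Scan tasks, and the set is promoted to the shared folder (and the "When new updates are downloaded to the repository" tasks fired) only if no device hit any of the four conditions. Class and function names are this example's own. The example also treats an empty test group as a failed verification; the page does not say what happens then, and a vacuous pass would verify nothing.

```python
"""Model of the Update verification gate: stage, verify on test devices,
promote only on a clean result, otherwise retain the previous set."""
from __future__ import annotations

from dataclasses import dataclass, field
from typing import Dict, List, Optional


@dataclass
class TestDeviceResult:
    """Outcome of the auxiliary tasks on one test device (constructed input)."""
    device: str
    update_task_error: bool = False
    protection_status_changed: bool = False
    infected_object_detected: bool = False
    application_runtime_error: bool = False

    def failure_reasons(self) -> List[str]:
        """The four invalidating conditions listed on the page."""
        reasons: List[str] = []
        if self.update_task_error:
            reasons.append("update task error")
        if self.protection_status_changed:
            reasons.append("real-time protection status changed after update")
        if self.infected_object_detected:
            reasons.append("infected object detected by on-demand scan")
        if self.application_runtime_error:
            reasons.append("Kaspersky application runtime error")
        return reasons


@dataclass
class AdministrationServerRepository:
    """Two-stage repository: 'temporary' holds the candidate set, 'shared'
    holds what managed devices actually receive (the Share\\Updates folder)."""
    shared: Optional[str] = None
    temporary: Optional[str] = None
    triggered_tasks: List[str] = field(default_factory=list)

    def download(self, update_set: str) -> None:
        """Download updates to the repository task: stage the candidate set."""
        self.temporary = update_set

    def verify_and_promote(self, results: List[TestDeviceResult]) -> dict:
        """Update verification task. Promotes only if no test device reports
        any failure condition; an empty test group counts as a failure here
        (this example's own conservative choice, not stated on the page)."""
        if self.temporary is None:
            raise RuntimeError("nothing staged; run download() first")
        failures: Dict[str, List[str]] = {
            r.device: r.failure_reasons() for r in results if r.failure_reasons()
        }
        if not results:
            failures["<no test devices>"] = ["empty test group"]
        if failures:
            # Previous set stays in the shared folder; tasks scheduled on
            # "When new updates are downloaded to the repository" are not started.
            return {"promoted": False, "served": self.shared, "failures": failures}
        self.shared, self.temporary = self.temporary, None
        self.triggered_tasks.append(f"deploy {self.shared}")
        return {"promoted": True, "served": self.shared, "failures": {}}


if __name__ == "__main__":
    repo = AdministrationServerRepository(shared="db-2023-05-01")
    repo.download("db-2023-05-02")
    print(repo.verify_and_promote([TestDeviceResult("test-01"), TestDeviceResult("test-02")]))
    repo.download("db-2023-05-03")
    print(repo.verify_and_promote([TestDeviceResult("test-01"),
                                   TestDeviceResult("test-02", infected_object_detected=True)]))
```

The per-device reasons are kept in the result so an operator can tell a genuinely bad update (errors on every device) from a single test machine that happened to carry an infection, which the page counts as a failed verification either way.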

Before you start to create the Update verification task, complete the following prerequisites:

1. Create an administration group with several test devices. You will need this group to verify updates on it.
We recommend using devices with the most reliable protection and the most common application configuration
across the network. This approach increases the quality and probability of virus detection during scans, and
minimizes the risk of false positives. If viruses are detected on test devices, the Update verification task is
considered unsuccessful.

2. Create the Update and Virus Scan tasks for an application supported by Kaspersky Security Center, for
example, Kaspersky Endpoint Security for Windows or Kaspersky Security for Windows Server. When creating
the Update and Virus Scan tasks, specify the administration group with the test devices.
The Update verification task sequentially runs the Update and Virus Scan tasks on test devices to check that all
updates are valid. In addition, when creating the Update verification task, you need to specify the Update and
Virus Scan tasks.

3. Create the Download updates to the Administration Server repository task.

To make Kaspersky Security Center verify downloaded updates before distributing them to client devices:

1. In the workspace of the Tasks folder, select the Download updates to the Administration Server repository task
in the list of tasks.

2. Open the task properties window in one of the following ways:

By selecting Properties in the context menu of the task.

By clicking the Configure task link in the information box for the selected task.

3. If the Update verification task exists, click the Browse button. In the window that opens, select the Update
verification task in the administration group with test devices.

4. If you did not create the Update verification task earlier, click the Create button.
The Update Verification Task Wizard starts. Follow the instructions of the Wizard.

5. Click OK to close the properties window of the Download updates to the repository of the Administration
Server task.

Automatic update verification is now enabled. When you run the Download updates to the Administration Server
repository task, it begins with update verification.

Configuring test policies and auxiliary tasks


When creating an Update verification task, the Administration Server generates test policies, auxiliary group
update tasks, and on-demand scan tasks.

Auxiliary group update and on-demand scan tasks take some time. These tasks are performed when the
Update verification task is executed. The Update verification task is performed during execution of the
Download updates to the repository task. The duration of the Download updates to the repository task
therefore includes the auxiliary group update and on-demand scan tasks.

You can change the settings of test policies and auxiliary tasks.

To change settings of a test policy or an auxiliary task:

1. In the console tree, select the group for which the Update verification task is created.

2. In the group workspace, select one of the following tabs:

Policies, if you want to edit the test policy settings.

Tasks, if you want to change auxiliary task settings.

3. In the tab workspace, select a policy or a task, whose settings you want to change.

4. Open the policy (task) properties window in one of the following ways:

By selecting Properties in the context menu of the policy (task).

By clicking the Configure policy (Configure task) link in the information box for the selected policy (task).

To verify updates correctly, observe the following restrictions when modifying test policies and auxiliary tasks:

In the auxiliary task settings:

Save all events with the Critical event and Functional failure importance levels on the Administration Server.
Using the events of these types, the Administration Server analyzes the operation of applications.

Use Administration Server as the source of updates.

Specify the task schedule type: Manually.

In the settings of test policies:

Disable the iChecker and iSwift scanning acceleration technologies (Essential Threat Protection → File
Threat Protection → Settings → Additional → Scan technologies).

Select actions on infected objects: Disinfect; delete if disinfection fails / Disinfect; block if disinfection
fails / Block. (Essential Threat Protection → File Threat Protection → Action on threat detection).

In the settings of test policies and auxiliary tasks:


If the device requires a restart after installation of updates for software modules, the restart must be performed
immediately. If the device is not restarted, it is not possible to test this type of update. For some applications,
installation of updates that require a restart may be prohibited or configured to prompt the user for
confirmation first. These restrictions should be disabled in the settings of test policies and auxiliary tasks.

Viewing downloaded updates

To view the list of downloaded updates,

In the console tree, in the Repositories folder, select the Updates for Kaspersky databases and software
modules subfolder.

The workspace of the Updates for Kaspersky databases and software modules folder shows the list of
updates that have been saved on the Administration Server.

Automatic installation of Kaspersky Endpoint Security updates on devices


You can configure automatic updates of databases and software modules of Kaspersky Endpoint Security on
client devices.

To configure download and automatic installation of Kaspersky Endpoint Security updates on devices:

1. In the console tree, select the Tasks folder.

2. Create an Update task in one of the following ways:

By selecting New → Task in the context menu of the Tasks folder in the console tree.

By clicking the New task button in the workspace of the Tasks folder.

The Add Task Wizard starts. Follow the steps of the Wizard.

3. On the Select the task type page of the Wizard, select Kaspersky Endpoint Security as the task type, and
then select Update as the task subtype.

4. Follow the rest of the Wizard instructions.


After the Wizard nishes, an update task for Kaspersky Endpoint Security is created. The newly created task is
displayed in the list of tasks in the workspace of the Tasks folder.

5. In the workspace of the Tasks folder, select the update task that you have created.

6. In the context menu of the task, select Properties.

7. In the task properties window that opens, in the Sections pane select Options.
In the Options section, you can define the update task settings for local or mobile mode:

Update settings for local mode: Connection is established between the device and the Administration
Server.

Update settings for mobile mode: No connection is established between Kaspersky Security Center and
the device (for example, when the device is not connected to the internet).

8. Click the Settings button to select the update source.

9. Select the Download updates of application modules option to download and install software module updates
together with the application databases.
If the check box is selected, Kaspersky Endpoint Security notifies the user about available software module
updates and includes software module updates in the update package when running the update task. Configure
the use of module updates:
Install critical and approved updates. If any updates are available for software modules, Kaspersky
Endpoint Security automatically installs those that have Critical status; the remaining updates will be
installed after you approve them.

Install approved updates only. If any software module updates are available, Kaspersky Endpoint Security
installs them after their installation is approved; they will be installed locally through the application interface
or through Kaspersky Security Center.

If updating the software module requires reviewing and accepting the terms of the License Agreement and
Privacy Policy, the application installs updates after the terms of the License Agreement and Privacy Policy
have been accepted by the user.

10. Select the Copy updates to folder option in order for the application to save downloaded updates to a folder,
and then click the Browse button to specify the folder.

11. Click OK.

When the Update task is running, the application sends requests to Kaspersky update servers.

Some updates require installation of the latest versions of management plug-ins.

Offline model of update download


Network Agent on managed devices may sometimes be unable to connect to the Administration Server to receive
updates. For example, Network Agent may be installed on a laptop that sometimes has no internet connection and
no local network access. Moreover, the administrator may limit the time during which devices can connect to the
network. In such cases, devices with Network Agent installed cannot receive updates from the Administration Server
according to the existing schedule. If you have configured the updating of managed applications (such as
Kaspersky Endpoint Security) through Network Agent, each update requires a connection to the Administration
Server. When no connection is established between Network Agent and the Administration Server, updating is not
possible. You can configure the connection between Network Agent and the Administration Server so that
Network Agent connects to the Administration Server at specified time intervals. At worst, if the specified
connection intervals coincide with periods when no connection is available, the databases will never be updated.
In addition, issues may occur when many managed applications simultaneously attempt to access the
Administration Server to receive updates. In this case, the Administration Server may stop responding to requests
(an effect similar to a DDoS attack).

To avoid such problems, an offline model for downloading updates and modules of managed applications is
implemented in Kaspersky Security Center. This model provides a mechanism for distribution of updates that is
robust to temporary inaccessibility of Administration Server communication channels. The model also reduces
load on the Administration Server.

How the offline model of update download works

When the Administration Server receives updates, it notifies Network Agent (on devices where it is installed) of
the updates that will be required for managed applications. When Network Agent receives information about
these updates, it downloads the relevant files from the Administration Server in advance. At the first connection
with Network Agent, the Administration Server initiates an update download. After Network Agent downloads all
the updates to a client device, the updates become available for applications on that device.

When a managed application on a client device attempts to access Network Agent for updates, Network Agent
checks whether it has all required updates. If the updates are received from the Administration Server not more
than 25 hours before they were requested by the managed application, Network Agent does not connect to the
Administration Server but supplies the managed application with updates from the local cache instead.
Network Agent may have no connection with the Administration Server at the moment it provides updates to
applications on client devices; no connection is required for that step.
To distribute the load on the Administration Server, Network Agent on each device connects to the Administration
Server and downloads updates at a random point within the time interval specified by the Administration Server. This
time interval depends on the number of devices with Network Agent installed that download updates and on the
size of those updates. To reduce the load on the Administration Server further, you can use Network Agents as
distribution points.
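The cache and load-spreading behaviour described above, as an added example that is not part of this Help or of Kaspersky's own code: the Agent pre-fetches when the Server announces updates, serves a managed application from the local cache while the cached set is at most 25 hours old (the figure from the page), falls through to the Server only when the cache is stale and the Server is reachable, and picks a random start offset inside the Server-announced window so pre-fetches do not arrive together. Class and function names, and the bucket-based concurrency check, are this example's own.

```python
"""Model of the offline update-download behaviour of Network Agent."""
from __future__ import annotations

import random
from dataclasses import dataclass
from typing import Dict, Iterable, Optional, Tuple

CACHE_MAX_AGE = 25 * 3600  # seconds; "not more than 25 hours" on the page


@dataclass
class CachedUpdates:
    version: str
    received_at: float  # epoch seconds when the Agent fetched the set


class NetworkAgent:
    def __init__(self) -> None:
        self.cache: Optional[CachedUpdates] = None
        self.server_connections = 0  # how often the Agent actually contacted the Server

    def prefetch(self, version: str, now: float) -> None:
        """The Server notified the Agent of new updates: download them in advance."""
        self.cache = CachedUpdates(version, now)
        self.server_connections += 1

    def serve(self, now: float, server_version: str,
              server_reachable: bool) -> Tuple[str, Optional[str]]:
        """A managed application asks the Agent for updates. Returns (source, version)."""
        if self.cache is not None and now - self.cache.received_at <= CACHE_MAX_AGE:
            # Fresh cache: hand out the pre-fetched set, no Server connection needed.
            return "local cache", self.cache.version
        if not server_reachable:
            # Stale or empty cache and no channel to the Server: this is the failure
            # mode the page warns about when connection windows never line up.
            return "unavailable", self.cache.version if self.cache else None
        self.prefetch(server_version, now)
        return "Administration Server", server_version


def prefetch_offsets(agent_ids: Iterable[str], window_seconds: float,
                     seed: int = 0) -> Dict[str, float]:
    """Random start offset per Agent within the Server-announced window, so that
    pre-fetches are spread out instead of all hitting the Server at once."""
    rng = random.Random(seed)  # seeded only so the example is reproducible
    return {agent: rng.uniform(0.0, window_seconds) for agent in agent_ids}


def peak_concurrency(offsets: Dict[str, float], bucket_seconds: float) -> int:
    """Largest number of Agents whose pre-fetch starts in the same time bucket;
    a quick way to check that a chosen window is wide enough for the fleet."""
    counts: Dict[int, int] = {}
    for start in offsets.values():
        bucket = int(start // bucket_seconds)
        counts[bucket] = counts.get(bucket, 0) + 1
    return max(counts.values()) if counts else 0


if __name__ == "__main__":
    agent = NetworkAgent()
    agent.prefetch("db-v1", now=0.0)
    print(agent.serve(now=3600.0, server_version="db-v1", server_reachable=False))
    print(agent.serve(now=26 * 3600.0, server_version="db-v2", server_reachable=False))
    print(agent.serve(now=26 * 3600.0, server_version="db-v2", server_reachable=True))
    offsets = prefetch_offsets([f"host-{i:03d}" for i in range(200)], window_seconds=1800.0)
    print("peak agents per 60 s:", peak_concurrency(offsets, 60.0))
```

The second `serve` call shows the point the page makes about disabling the model: with a stale cache and no Server connection the application simply gets nothing, whereas within the 25-hour window it is served without any connection at all.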

If the offline model of update download is disabled, updates are distributed according to the schedule of the
update download task.

By default, the offline model of update download is enabled.

The offline model of update download is only used with managed devices on which the task for retrieving updates
by managed applications has When new updates are downloaded to the repository selected as the schedule
type. For other managed devices, the standard scheme is used for retrieving updates from the Administration
Server in real-time mode.

We recommend that you disable the offline model of update download, by using the settings of the Network Agent
policies of the relevant administration groups, in the following case: managed applications retrieve updates not
from the Administration Server but from Kaspersky servers or a network folder, and the update download task has
When new updates are downloaded to the repository selected as the schedule type.

Enabling and disabling the offline model of update download

We recommend that you avoid disabling the offline model of update download. Disabling it may cause failures
in update delivery to devices. In certain cases, a Kaspersky Technical Support specialist may recommend that
you clear the Download updates and anti-virus databases from Administration Server in advance check
box. Then, you will have to make sure that the task for receiving updates for Kaspersky applications has been
set up.

To enable or disable the offline model of update download for an administration group:

1. In the console tree, select the administration group for which you need to enable or disable the offline model of
update download.

2. In the group workspace, open the Policies tab.

3. On the Policies tab, select the Network Agent policy.

4. In the context menu of the policy, select Properties.


Open the properties window of the Network Agent policy.

5. In the policy properties window, select the Manage patches and updates section.

6. Select or clear the Download updates and anti-virus databases from Administration Server in advance
(recommended) check box to enable or disable, respectively, the offline model of update download.
By default, the offline model of update download is enabled.

The offline model of update download will be enabled or disabled.

Automatic updating and patching for Kaspersky Security Center components

By default, any updates and patches that have been downloaded are installed automatically for the following
application components:

Network Agent for Windows

Administration Console

Exchange Mobile Device Server

iOS MDM Server

Automatic updating and patching for Kaspersky Security Center components is available only for devices running
Windows. You can disable automatic updating and patching for these components. In this case, any updates and
patches that have been downloaded will be installed only after you change their status to Approved. Updates and
patches with Undefined status will not be installed.

Enabling and disabling automatic updating and patching for Kaspersky Security Center components

Automatic installation of updates and patches for Kaspersky Security Center components is enabled by default
during Network Agent installation on the device. You can disable it during Network Agent installation, or disable it
later by using a policy.

To disable automatic updating and patching for Kaspersky Security Center components during local installation of
Network Agent on a device:

1. Start local installation of Network Agent on the device.

2. At the Advanced settings step, clear the Automatically install applicable updates and patches for
components that have Undefined status check box.

3. Follow the instructions of the Wizard.

Network Agent with disabled automatic updating and patching for Kaspersky Security Center components will be
installed on the device. You can enable automatic updating and patching later by using a policy.

To disable automatic updating and patching for Kaspersky Security Center components during Network Agent
installation on the device through an installation package:

1. In the console tree, select the Remote installation → Installation packages folder.

2. In the context menu of the Kaspersky Security Center Network Agent <version number> package, select
Properties.

3. In the installation package properties, in the Settings section clear the Automatically install applicable
updates and patches for components that have the Undefined status check box.

Network Agent with disabled automatic updating and patching for Kaspersky Security Center components will be
installed from this package. You can enable automatic updating and patching later by using a policy.

If this check box was selected (or cleared) during Network Agent installation on the device, you can subsequently
enable (or disable) automatic updating by using the Network Agent policy.

To enable or disable automatic updating and patching for Kaspersky Security Center components by using the
Network Agent policy:

1. In the console tree, select the administration group for which you have to enable or disable automatic updating
and patching.

2. In the group workspace, open the Policies tab.

3. On the Policies tab, select the Network Agent policy.

4. In the context menu of the policy, select Properties.


Open the properties window of the Network Agent policy.

5. In the policy properties window, select the Manage patches and updates section.

6. Select or clear the Automatically install applicable updates and patches for components that have the
Undefined status check box to enable or disable, respectively, automatic updating and patching.

7. Set the lock for this check box.

The policy will be applied to the selected devices, and automatic updating and patching for Kaspersky Security
Center components will be enabled (or disabled) on these devices.

Automatic distribution of updates


Kaspersky Security Center allows automatic distribution and installation of updates on client devices and
secondary Administration Servers.

Distributing updates to client devices automatically


To distribute updates of the selected application to client devices automatically immediately after they are
downloaded to the Administration Server repository:

1. Connect to the Administration Server, which manages the client devices.

2. Create an update deployment task for the selected client devices in one of the following ways:

If you need to distribute updates to client devices that belong to a selected administration group, create a
task for the selected group.

If you need to distribute updates to client devices that belong to different administration groups or belong
to none of the administration groups, create a task for specific devices.
The Add Task Wizard starts. Follow its instructions and perform the following actions:

a. In the Task type Wizard window, in the node of the required application select the updates deployment task.

The name of the updates deployment task displayed in the Task type window depends on the
application for which you create this task. For detailed information about names of update tasks for the
selected Kaspersky applications, see the corresponding Guides.

b. In the Schedule Wizard window, in the Scheduled start field, select When new updates are downloaded to
the repository.

The newly created update distribution task will start for the selected devices every time any updates are
downloaded to the Administration Server repository.

If an update distribution task for the required application has already been created for the selected devices, to
automatically distribute updates to client devices, in the task properties window, in the Schedule section, select
When new updates are downloaded to the repository as the start option in the Scheduled start field.

Distributing updates to secondary Administration Servers automatically


To distribute the updates of the selected application to secondary Administration Servers immediately after the
updates are downloaded to the primary Administration Server repository:

1. In the console tree, in the primary Administration Server node, select the Tasks folder.

2. In the list of tasks in the workspace, select the Download updates to the repository of the Administration
Server task of the Administration Server.

3. Open the Settings section of the selected task in one of the following ways:

By selecting Properties in the context menu of the task.

By clicking the Edit settings link in the information box for the selected task.

4. In the Settings section of the task properties window, select the Other settings subsection, and then click the
Configure link.

5. In the Other settings window that opens, select the Force update of secondary Administration Servers
check box.

After the primary Administration Server retrieves updates, the update download tasks automatically start on
secondary Administration Servers regardless of their schedule.

Assigning distribution points automatically

We recommend that you assign distribution points automatically. Kaspersky Security Center will then select on its
own which devices must be assigned distribution points.

To assign distribution points automatically:

1. Open the main application window.

2. In the console tree, select the node with the name of the Administration Server for which you want to assign
distribution points automatically.

3. In the context menu of the Administration Server, click Properties.

4. In the Administration Server properties window, in the Sections pane select Distribution points.

5. In the right part of the window, select the Automatically assign distribution points option.

If automatic assignment of devices as distribution points is enabled, you cannot configure distribution
points manually or edit the list of distribution points.

6. Click OK.

Administration Server assigns and con gures distribution points automatically.

Assigning a device as a distribution point manually


Kaspersky Security Center allows you to assign devices to act as distribution points.

We recommend that you assign distribution points automatically. In this case, Kaspersky Security Center will select
on its own which devices must be assigned distribution points. However, if you have to opt out of assigning
distribution points automatically for any reason (for example, if you want to use exclusively assigned servers), you
can assign distribution points manually after you calculate their number and configuration.

Devices functioning as distribution points must be protected, including physical protection, against any
unauthorized access.

To manually assign a device to act as distribution point:

1. In the console tree, select the Administration Server node.

2. In the context menu of the Administration Server, select Properties.

3. In the Administration Server properties window, select the Distribution points section and click the Add
button. This button is available if Manually assign distribution points has been selected.
The Add distribution point window opens.

4. In the Add distribution point window, perform the following actions:

a. Select a device that will act as distribution point (select one in an administration group, or specify the IP
address of a device). When selecting a device, keep in mind the operation features of distribution points and
the requirements set for the device that acts as distribution point.

b. Indicate the specific devices to which the distribution point will distribute updates. You can specify an
administration group or a network location description.

5. Click OK.
The distribution point that you have added will be displayed in the list of distribution points, in the Distribution
points section.

6. Select the newly added distribution point in the list and click the Properties button to open its properties
window.

7. Configure the distribution point in the properties window:

The General section contains the settings of interaction between the distribution point and client devices.

SSL port

The number of the SSL port for encrypted connection between client devices and the distribution
point using SSL.
By default, port 13000 is used.

Use multicast

If this option is enabled, IP multicasting will be used for automatic distribution of installation
packages to client devices within the group.
IP multicasting decreases the time required to install an application from an installation package to a
group of client devices, but increases the installation time when you install an application to a single
client device.

IP multicast address

IP address that will be used for multicasting. You can define an IP address in the range 224.0.0.0 –
239.255.255.255.
By default, Kaspersky Security Center automatically assigns a unique IP multicast address within the
given range.

IP multicast port number

Number of the port for IP multicasting.


By default, the port number is 15001. If the device with Administration Server installed is specified as
the distribution point, port 13001 is used for the SSL connection by default.

Deploy updates

Updates are distributed to managed devices from the following sources:
This distribution point, if this option is enabled.

Other distribution points, Administration Server, or Kaspersky update servers, if this option is
disabled.
If you use distribution points to deploy updates, you can save traffic because you reduce the
number of downloads. Also, you can relieve the load on the Administration Server and redistribute the
load between the distribution points. You can calculate the number of distribution points for your
network to optimize the traffic and load.
If you disable this option, the number of update downloads and the load on the Administration Server
may increase. By default, this option is enabled.

Deploy installation packages

Installation packages are distributed to managed devices from the following sources:
This distribution point, if this option is enabled.

Other distribution points, Administration Server, or Kaspersky update servers, if this option is
disabled.
If you use distribution points to deploy installation packages, you can save traffic because you
reduce the number of downloads. Also, you can relieve the load on the Administration Server and
redistribute the load between the distribution points. You can calculate the number of distribution
points for your network to optimize the traffic and load.
If you disable this option, the number of installation package downloads and the load on the
Administration Server may increase. By default, this option is enabled.

Use this distribution point as a push server

In Kaspersky Security Center, a distribution point can work as a push server for the devices
managed through the mobile protocol. For example, a push server must be enabled if you want to be
able to force synchronization of KasperskyOS devices with Administration Server. A push server has
the same scope of managed devices as the distribution point on which the push server is enabled. If
you have several distribution points assigned for the same administration group, you can enable
push server on each of the distribution points. In this case, Administration Server balances the load
between the distribution points.
If you manage devices with KasperskyOS installed, or plan to do so, you must use a distribution point
as a push server. You can also use a distribution point as a push server if you want to send push
notifications to client devices.

Push server port

The port on the distribution point that client devices will use for connection. By default, port 13295 is
used.

In the Scope section, specify the scope to which the distribution point will distribute updates
(administration groups and / or network location).

In the KSN Proxy section, you can configure the application to use the distribution point to forward KSN
requests from the managed devices.

Enable KSN Proxy on distribution point side

The KSN proxy service is run on the device that is used as a distribution point. Use this feature to
redistribute and optimize traffic on the network.
The distribution point sends the KSN statistics, which are listed in the Kaspersky Security Network
statement, to Kaspersky. By default, the KSN statement is located in %ProgramFiles%\Kaspersky
Lab\Kaspersky Security Center\ksneula.
By default, this option is disabled. Enabling this option takes effect only if the Use Administration
Server as a proxy server and I agree to use Kaspersky Security Network options are enabled in
the Administration Server properties window.
You can assign a node of an active-passive cluster to a distribution point and enable KSN proxy
server on this node.

Forward KSN requests to Administration Server

The distribution point forwards KSN requests from the managed devices to the Administration
Server.
By default, this option is enabled.

Access KSN Cloud / Private KSN directly over Internet

The distribution point forwards KSN requests from managed devices to the KSN Cloud or Private
KSN. The KSN requests generated on the distribution point itself are also sent directly to the KSN
Cloud or Private KSN.
Distribution points that have Network Agent version 11 (or earlier) installed cannot access
Private KSN directly. If you want to reconfigure such distribution points to send KSN requests to
Private KSN, enable the Forward KSN requests to Administration Server option for each
distribution point.
The distribution points that have Network Agent version 12 (or later) installed can access Private
KSN directly.

Ignore proxy server settings when connecting to Private KSN

Enable this option if you have the proxy server settings configured in the distribution point
properties or in the Network Agent policy, but your network architecture requires that you use
Private KSN directly. Otherwise, requests from the managed applications cannot reach Private KSN.
This option is available if you select the Access KSN Cloud/Private KSN directly over the internet
option.

TCP port

The number of the TCP port that the managed devices will use to connect to KSN proxy server. The
default port number is 13111.

UDP port

If you need the managed devices to connect to KSN proxy server through a UDP port, enable the
Use UDP port option and specify a UDP port number. By default, this option is enabled. The default
UDP port to connect to the KSN proxy server is 15111.
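The ports above are the ones a managed device must be able to reach on the distribution point: TCP 13295 for push notifications, TCP 13111 for the KSN proxy and, when the Use UDP port option is enabled, UDP 15111. The following added example (not part of this documentation or of Kaspersky's software) probes those ports from a managed device; the host name is an assumption, and the port numbers are the documented defaults, so adjust them if you changed the settings. A UDP port cannot be confirmed open by a plain probe, which the code reports honestly instead of guessing.

```python
"""Reachability probe for the distribution point ports described above.

Added example for illustration; it is not part of the Kaspersky Security
Center documentation or software. The port numbers are the documented
defaults (push server TCP 13295, KSN proxy TCP 13111 and UDP 15111); the
host name used at the bottom is an assumption.
"""
import socket
from dataclasses import dataclass
from typing import List

PUSH_SERVER_TCP = 13295  # documented default push server port
KSN_PROXY_TCP = 13111    # documented default KSN proxy TCP port
KSN_PROXY_UDP = 15111    # documented default KSN proxy UDP port


@dataclass(frozen=True)
class PortResult:
    host: str
    port: int
    proto: str
    state: str  # "open", "closed", "filtered", "unverifiable" or "unresolved"


def check_tcp(host: str, port: int, timeout: float = 2.0) -> PortResult:
    """Full TCP connect, as a managed device does when it reaches the proxy.

    Refused: the host answers but nothing listens (distribution point role or
    KSN proxy option not enabled). Timeout: traffic is dropped on the path,
    usually by a firewall. An open port only proves a listener, not that it
    is Network Agent.
    """
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return PortResult(host, port, "tcp", "open")
    except socket.gaierror:
        return PortResult(host, port, "tcp", "unresolved")
    except ConnectionRefusedError:
        return PortResult(host, port, "tcp", "closed")
    except (socket.timeout, OSError):
        return PortResult(host, port, "tcp", "filtered")


def check_udp(host: str, port: int, timeout: float = 2.0) -> PortResult:
    """Best-effort UDP probe.

    UDP has no handshake, so a silent peer is indistinguishable from a
    filtered port. The only reliable negative signal is an ICMP port
    unreachable, which Linux surfaces as ConnectionRefusedError on a
    connected UDP socket; anything else is reported as "unverifiable".
    """
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        try:
            s.connect((host, port))
            s.send(b"")
            s.recv(1)
            return PortResult(host, port, "udp", "open")
        except socket.gaierror:
            return PortResult(host, port, "udp", "unresolved")
        except ConnectionRefusedError:
            return PortResult(host, port, "udp", "closed")
        except (socket.timeout, OSError):
            return PortResult(host, port, "udp", "unverifiable")


def check_distribution_point(host: str, udp_enabled: bool = True,
                             timeout: float = 2.0) -> List[PortResult]:
    """Probe every port a managed device needs on the distribution point."""
    results = [check_tcp(host, PUSH_SERVER_TCP, timeout),
               check_tcp(host, KSN_PROXY_TCP, timeout)]
    if udp_enabled:  # only when the Use UDP port option is enabled
        results.append(check_udp(host, KSN_PROXY_UDP, timeout))
    return results


if __name__ == "__main__":
    for r in check_distribution_point("dp01.example.internal"):  # assumed host
        print(f"{r.proto}/{r.port}: {r.state}")
```

A "closed" result on 13111 or 15111 from a device that should use the proxy usually means the Enable KSN Proxy on distribution point side option (or the prerequisite options in the Administration Server properties) is not enabled; a "filtered" result points at a firewall between the managed device and the distribution point.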

In the Device discovery section, configure the polling of Windows domains, Active Directory, and IP ranges
by the distribution point.

Windows domains

You can enable device discovery for Windows domains and set the schedule for the discovery.

Active Directory

You can enable network polling for Active Directory and set the schedule for the poll.
If you select the Enable Active Directory polling check box, you can select one of the following
options:
Poll current Active Directory domain.

Poll Active Directory domain forest.

Poll selected Active Directory domains only. If you select this option, add one or more Active
Directory domains to the list.

IP ranges

You can enable device discovery for IPv4 ranges and IPv6 networks.
If you enable the Enable range polling option, you can add scanned ranges and set the schedule for
them. You can add IP ranges to the list of scanned ranges.
If you enable the Use Zeroconf to poll IPv6 networks option, the distribution point automatically
polls the IPv6 network by using zero-configuration networking (also referred to as Zeroconf). In this
case, the specified IP ranges are ignored because the distribution point polls the whole network. The
Use Zeroconf to poll IPv6 networks option is available if the distribution point runs Linux. To use
Zeroconf IPv6 polling, you must install the avahi-browse utility on the distribution point.

In the Advanced section, specify the folder that the distribution point must use to store distributed data.

Use default folder

If you select this option, the application uses the Network Agent installation folder on the
distribution point.

Use specified folder

If you select this option, in the field below, you can specify the path to the folder. It can be a local
folder on the distribution point, or it can be a folder on any device on the corporate network.
The user account used on the distribution point to run Network Agent must have read/write access
to the specified folder.

The selected devices act as distribution points.

Only devices running a Windows operating system can determine their network location. Network location
cannot be determined for devices running other operating systems.

Removing a device from the list of distribution points
To remove a device from the list of distribution points:

1. In the console tree, select the Administration Server node.

2. In the context menu of the Administration Server, select Properties.

3. In the Administration Server properties window, in the Distribution points section, select the device that acts
as distribution point, and click the Remove button.

The device will be removed from the list of distribution points and will stop acting as distribution point.

You cannot remove a device from the list of distribution points if it was assigned by the Administration Server
automatically.

Downloading updates by distribution points


Kaspersky Security Center allows distribution points to receive updates from the Administration Server, Kaspersky
servers, or from a local or network folder.

To configure update download for a distribution point:

1. In the console tree, select the Administration Server node.

2. In the context menu of the Administration Server, select Properties.

3. In the Administration Server properties window, in the Distribution points section, select the distribution point
through which updates will be delivered to client devices in the group.

4. Click the Properties button to open the properties window of the selected distribution point.

5. In the distribution point properties window, select the Sources of updates section.

6. Select an update source for the distribution point:

To allow the distribution point to receive updates from the Administration Server, select Retrieve from
Administration Server:

Download diff files

This option enables the downloading of diff files.

By default, this option is enabled.

To allow the distribution point to receive updates by using a task, select Use task for forced download of
updates:

Click the Browse button if such a task already exists on the device, and select the task in the list that
appears.

Click the New task button to create a task if no such task yet exists on the device. The Add Task Wizard
starts. Follow the instructions of the Wizard.

The Download updates to the repositories of distribution points task is a local task. You have to create a
new task for each device that acts as distribution point.

The distribution point will receive updates from the specified source.

Deleting software updates from the repository


To delete software updates from the Administration Server repository:

1. In the Advanced → Application management folder in the console tree, select the Software updates
subfolder.

2. In the workspace of the Software updates folder, select the update that you want to delete.

3. In the context menu of the update, select Delete update files.

Software updates will be deleted from the Administration Server repository.

Patch installation for a Kaspersky application in cluster mode


Kaspersky Security Center only supports manual installation of patches for Kaspersky applications in cluster
mode.

To install a patch for a Kaspersky application:

1. Download the patch to each node of the cluster.

2. Run patch installation on the active node.

3. Wait for the patch to be successfully installed.

4. Run the patch on all subnodes of the cluster consecutively.


If you are running the patch from the command line, use the -CLUSTER_SECONDARY_NODE key.
The patch is now installed on all nodes of the cluster.

5. Run the Kaspersky cluster services manually.

Every node of the cluster is displayed in Administration Console as a device with Network Agent installed.

For information about installed patches, see the Software updates folder or the report on the versions of
updates for software modules of Kaspersky applications.

Managing third-party applications on client devices
Kaspersky Security Center allows you to manage applications by Kaspersky and other vendors installed on client
devices.

The administrator can perform the following actions:

Create application categories based on specified criteria.

Manage application categories using specially created rules.

Manage applications run on devices.

Perform inventories and maintain a registry of software installed on devices.

Fix vulnerabilities in software installed on devices.

Install updates from Windows Update and other software makers on devices.

Monitor the use of license keys for licensed applications groups.

Installing third-party software updates


Kaspersky Security Center allows you to manage updates of software installed on client devices and fix
vulnerabilities in Microsoft applications and other software makers' products by installing the required updates.

Kaspersky Security Center searches for updates through the update search task and downloads them to the
updates repository. After the update search completes, the application provides the administrator with
information about available updates and vulnerabilities in applications that can be fixed by using those updates.

Information about available updates for Microsoft Windows is provided by Windows Update service.
Administration Server can be used as Windows Server Update Services (WSUS) server. To use Administration
Server as WSUS server, you should con gure synchronization of updates with Windows Update. After you have
con gured data synchronization with Windows Update, Administration Server provides updates to Windows
Update services on devices in centralized mode and with the set frequency.

You can also manage software updates through a Network Agent policy. To do this, you should create a Network
Agent policy and configure software updating in the corresponding windows of the New Policy Wizard.

The administrator can view a list of available updates in the Software updates subfolder included in the
Application management folder. This folder contains a list of updates for Microsoft applications and other
software makers' products retrieved by Administration Server that can be distributed to devices. After viewing
information about available updates, the administrator can install them to devices.

Kaspersky Security Center updates some applications by removing the previous version of the application
and installing the new one.

User interaction may be required when you update a third-party application or fix a vulnerability in a
third-party application on a managed device. For example, the user may be prompted to close the third-party
application if it is currently open.

Ensure that the Display Vulnerability and Patch Management option is enabled in the Configure interface
window for the primary and secondary Administration Servers. Otherwise, the update search task handles
only WSUS updates.

For security reasons, any third-party software updates that you install by using the Vulnerability and Patch
Management feature are automatically scanned for malware by Kaspersky technologies. These technologies are
used for automatic file check and include anti-virus scan, static analysis, dynamic analysis, behavior analysis in the
sandbox environment, and machine learning.

Kaspersky experts do not perform manual analysis of third-party software updates that can be installed by using
the Vulnerability and Patch Management feature. In addition, Kaspersky experts do not search for vulnerabilities
(known or unknown) or undocumented features in such updates, and do not perform any type of analysis
of the updates other than those specified in the paragraph above.

Before installing the updates to all of the devices, you can perform a test installation to make sure installed
updates will cause no failures to the operation of applications on the devices.

You can find the details of third-party software that can be updated through Kaspersky Security Center by visiting
the Technical Support website, on the Kaspersky Security Center page, in the Server Management section.

Scenario: Updating third-party software


This section provides a scenario for updating third-party software installed on the client devices. The third-party
software includes applications from Microsoft and other software vendors. Updates for Microsoft applications are
provided by the Windows Update service.

Prerequisites

Administration Server must have a connection to the internet to install updates of third-party software other than
Microsoft software.

By default, internet connection is not required for Administration Server to install Microsoft software updates on
the managed devices. For example, the managed devices can download the Microsoft software updates directly
from Microsoft Update servers or from Windows Server with Microsoft Windows Server Update Services (WSUS)
deployed in your organization's network. Administration Server must be connected to the internet when you use
Administration Server as WSUS server.

Stages

Updating third-party software proceeds in stages:

1 Searching for required updates

To find the third-party software updates required for the managed devices, run the Find vulnerabilities and
required updates task. When this task is complete, Kaspersky Security Center receives the lists of detected
vulnerabilities and required updates for the third-party software installed on the devices that you specified in
the task properties.

The Find vulnerabilities and required updates task is created automatically by the Administration Server Quick
Start Wizard. If you did not run the Wizard, create the task or run the Quick Start Wizard now.

How-to instructions:

Administration Console: Scanning applications for vulnerabilities, Scheduling the Find vulnerabilities and
required updates task

Kaspersky Security Center Web Console: Creating the Find vulnerabilities and required updates task, Find
vulnerabilities and required updates task settings

2 Analyzing the list of found updates

View the SOFTWARE UPDATES list and decide which updates you want to install. To view detailed information
about each update, click the update name in the list. For each update in the list, you can also view the statistics
on the update installation on client devices.

How-to instructions:

Administration Console: Viewing information about available updates

Kaspersky Security Center Web Console: Viewing information about available third-party software updates

3 Con guring installation of updates

When Kaspersky Security Center has received the list of third-party software updates, you can install them on
client devices by using the Install required updates and fix vulnerabilities task or the Install Windows Update
updates task. Create one of these tasks. You can create these tasks on the TASKS tab or by using the
SOFTWARE UPDATES list.

The Install required updates and fix vulnerabilities task is used to install updates for Microsoft applications,
including the updates provided by the Windows Update service, and updates of other vendors' products. Note
that this task can be created only if you have the license for the Vulnerability and Patch Management feature.

The Install Windows Update updates task does not require a license, but it can be used to install Windows
Update updates only.

To install some software updates you must accept the End User License Agreement (EULA) for the installation
software. If you decline the EULA, the software update will not be installed.

You can start an update installation task by schedule. When specifying the task schedule, make sure that the
update installation task starts after the Find vulnerabilities and required updates task is complete.

How-to instructions:

Administration Console: Fixing vulnerabilities in applications, Viewing information about available updates

Kaspersky Security Center Web Console: Creating the Install required updates and fix vulnerabilities task,
Creating the Install Windows Update updates task, Viewing information about available third-party software
updates

4 Scheduling the tasks

To be sure that the update list is always up-to-date, schedule the Find vulnerabilities and required updates task
to run the task automatically from time to time. The default frequency is once a week.

If you have created the Install required updates and fix vulnerabilities task, you can schedule it to run with the
same frequency as the Find vulnerabilities and required updates task or less often. When scheduling the Install
Windows Update updates task, note that for this task you must define the list of updates every time before
starting this task.

When scheduling the tasks, make sure that an update installation task starts after the Find vulnerabilities and
required updates task is complete.

5 Approving and declining software updates (optional)

If you have created the Install required updates and fix vulnerabilities task, you can specify rules for update
installation in the task properties. If you have created the Install Windows Update updates task, skip this step.

For each rule, you can define the updates to install depending on the update status: Undefined, Approved or
Declined. For example, you may want to create a specific task for servers and set a rule for this task to allow
installation of only Windows Update updates, and only those that have Approved status. After that you
manually set the Approved status for those updates that you want to install. In this case the Windows Update
updates that have the Undefined or Declined status will not be installed on the servers that you specified in the
task.

Using the Approved status to manage update installation is efficient for a small number of updates. To
install many updates, use the rules that you can configure in the Install required updates and fix vulnerabilities
task. We recommend that you set the Approved status only for those specific updates that do not meet the
criteria specified in the rules. When you manually approve a large number of updates, the performance of
Administration Server decreases, which may lead to Administration Server overload.

By default, the downloaded software updates have the Undefined status. You can change the status to
Approved or Declined in the SOFTWARE UPDATES list (OPERATIONS → PATCH MANAGEMENT →
SOFTWARE UPDATES).

How-to instructions:

Administration Console: Approving and declining software updates

Kaspersky Security Center Web Console: Approving and declining third-party software updates

6 Configuring Administration Server to work as Windows Server Update Services (WSUS) server (optional)

By default, Windows Update updates are downloaded to the managed devices from Microsoft servers. You can
change this setting to use the Administration Server as WSUS server. In this case, the Administration Server
synchronizes the update data with Windows Update at the specified frequency and provides updates in
centralized mode to Windows Update on networked devices.

To use the Administration Server as WSUS server, create the Perform Windows Update synchronization task and
select the Use Administration Server as WSUS server check box in the Network Agent policy.

How-to instructions:

Administration Console: Synchronizing updates from Windows Update with Administration Server,
Configuring Windows updates in a Network Agent policy

Kaspersky Security Center Web Console: Creating the Perform Windows Update synchronization task

7 Running an update installation task

Start the Install required updates and fix vulnerabilities task or the Install Windows Update updates task. When
you start these tasks, updates are downloaded and installed on managed devices. After the task is complete,
make sure that it has the Completed successfully status in the task list.

8 Create the report on results of update installation of third-party software (optional)

To view detailed statistics on the update installation, create the Report on results of installation of third-party
software updates.

How-to instructions:

Administration Console: Creating and viewing a report

Kaspersky Security Center Web Console: Generating and viewing a report

Results

If you have created and configured the Install required updates and fix vulnerabilities task, the updates are installed
on the managed devices automatically. When new updates are downloaded to the Administration Server
repository, Kaspersky Security Center checks whether they meet the criteria specified in the update rules. All new
updates that meet the criteria will be installed automatically at the next task run.

If you have created the Install Windows Update updates task, only those updates specified in the Install Windows
Update updates task properties are installed. In future, if you want to install new updates downloaded to the
Administration Server repository, you must add the required updates to the list of updates in the existing task or
create a new Install Windows Update updates task.
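The difference between the two tasks described in stage 5 and in the Results above (rules re-evaluated at every run versus a fixed list of updates) is easy to get wrong when scheduling. The following added example, which is not Kaspersky's code and is not part of this documentation, models that selection logic on a constructed repository. The record fields (identifier, source, approval status), the constructed update identifiers and the single "servers" rule from the text are assumptions; the real task supports more rule criteria than shown here.

```python
"""Selection logic of the two installation tasks described above.

Added example; not Kaspersky's code. The record fields (identifier, source,
approval status) and the constructed identifiers are assumptions. It shows
the contrast drawn in the Results section: the Install required updates and
fix vulnerabilities task re-evaluates its rules at every run, so a newly
downloaded update that meets them is installed without further action, while
the Install Windows Update updates task installs only the updates listed in
its properties and ignores anything added to the repository later.
"""
from dataclasses import dataclass
from enum import Enum
from typing import Dict, FrozenSet, Iterable, List


class Status(Enum):
    UNDEFINED = "Undefined"   # default status of a downloaded update
    APPROVED = "Approved"
    DECLINED = "Declined"


class Source(Enum):
    WINDOWS_UPDATE = "Windows Update"
    THIRD_PARTY = "Third-party"


@dataclass(frozen=True)
class Update:
    update_id: str
    source: Source
    status: Status = Status.UNDEFINED


@dataclass(frozen=True)
class Rule:
    """One rule of the Install required updates and fix vulnerabilities task."""
    name: str
    sources: FrozenSet[Source]
    statuses: FrozenSet[Status]

    def matches(self, update: Update) -> bool:
        return update.source in self.sources and update.status in self.statuses


def select_by_rules(repository: Iterable[Update], rules: Iterable[Rule]) -> List[str]:
    """Rule-based task: every update matched by at least one rule is installed."""
    rule_list = list(rules)
    return [u.update_id for u in repository if any(r.matches(u) for r in rule_list)]


def select_by_list(repository: Iterable[Update], update_ids: Iterable[str]) -> List[str]:
    """Install Windows Update updates task: only the Windows Update updates named in the task."""
    wanted = set(update_ids)
    return [u.update_id for u in repository
            if u.source is Source.WINDOWS_UPDATE and u.update_id in wanted]


def demo() -> Dict[str, List[str]]:
    """Constructed repository with the server rule from the text (Windows Update, Approved only)."""
    servers_rule = Rule("servers", frozenset({Source.WINDOWS_UPDATE}), frozenset({Status.APPROVED}))
    repo = [
        Update("KB5001", Source.WINDOWS_UPDATE, Status.APPROVED),
        Update("KB5002", Source.WINDOWS_UPDATE),                  # Undefined: not installed
        Update("KB5003", Source.WINDOWS_UPDATE, Status.DECLINED),
        Update("TP-0001", Source.THIRD_PARTY, Status.APPROVED),   # wrong source for this rule
    ]
    explicit_list = ["KB5001", "TP-0001"]                         # third-party entry is ignored
    rules_run1 = select_by_rules(repo, [servers_rule])
    list_run1 = select_by_list(repo, explicit_list)
    # A new approved Windows Update update reaches the repository before the next run.
    repo.append(Update("KB5004", Source.WINDOWS_UPDATE, Status.APPROVED))
    return {
        "rules_run1": rules_run1,
        "rules_run2": select_by_rules(repo, [servers_rule]),      # picks up KB5004 automatically
        "list_run1": list_run1,
        "list_run2": select_by_list(repo, explicit_list),         # unchanged until the list is edited
    }
```

The second run of the rule-based task installs the newly approved update on its own, while the list-based task keeps installing exactly the entries in its properties; this is why the text recommends rules for large numbers of updates and manual approval only for the exceptions.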

Viewing information about available updates for third-party applications


To view a list of available updates for third-party applications installed on client devices,

In the Advanced → Application management folder in the console tree, select the Software updates
subfolder.

In the workspace of the folder, you can view a list of available updates for applications installed on devices.

To view the properties of an update,

In the workspace of the Software updates folder, in the context menu of the update, select Properties.

The following information is available for viewing in the properties window of the update:

On the General section you can view the Update approval status:

Undefined—the update is available in the list of updates, but is not approved for installation.

Approved—the update is available in the list of updates and approved for installation.

Declined—the update is declined for installation.

On the Attributes section you can view the values of the Installed automatically field:

The Automatically value is displayed if the Install required updates and fix vulnerabilities task can install
updates for the application. The task automatically installs new updates from the web address provided by
the vendor of third-party software.

The Manually value is displayed if Kaspersky Security Center cannot install updates for the application
automatically. You can install updates manually.

The Installed automatically field is not displayed for Windows application updates.

List of client devices for which the update is intended.

List of system components (prerequisites) that have to be installed before the update (if any).

Software vulnerabilities that the update will fix.


Approving and declining software updates
The settings of an update installation task may require approval of updates that are to be installed. You can
approve updates that must be installed and decline updates that must not be installed.

For example, you may want to first check the installation of updates in a test environment and make sure that they
do not interfere with the operation of devices, and only then allow the installation of these updates on client
devices.

Using the Approved status to manage third-party update installation is efficient for a small number of
updates. To install many third-party updates, use the rules that you can configure in the Install required updates
and fix vulnerabilities task. We recommend that you set the Approved status only for those specific updates that
do not meet the criteria specified in the rules. When you manually approve a large number of updates, the
performance of Administration Server decreases, which may lead to Administration Server overload.

To approve or decline one or several updates:

1. In the console tree, select the Advanced → Application management → Software updates node.

2. In the workspace of the Software updates folder, click the Refresh button in the upper right corner. A list of
updates appears.

3. Select the updates that you want to approve or decline.


The information box for the selected objects appears on the right side of the workspace.

4. In the Update approval status drop-down list, select Approved to approve the selected updates or Declined
to decline the selected updates.
The default value is Undefined.

The updates for which you set the Approved status are placed in a queue for installation.

The updates for which you set the Declined status are uninstalled (if possible) from all devices on which they were
previously installed. Also, they will not be installed on other devices in future.

Some updates for Kaspersky applications cannot be uninstalled. If you set the Declined status for them,
Kaspersky Security Center will not uninstall these updates from the devices on which they were previously
installed. However, these updates will never be installed on other devices in future. If an update for Kaspersky
applications cannot be uninstalled, this property is displayed in the update properties window: in the Sections
pane select General, and in the workspace the property will appear under Installation requirements. If you
set the Declined status for third-party software updates, these updates will not be installed on devices for
which they were planned but have not yet been installed. Updates will still remain on devices on which they
were already installed. If you have to delete them, you can manually delete them locally.

Synchronizing updates from Windows Update with Administration Server


If you have selected Use Administration Server as a WSUS server in the Update management settings window
of the Quick Start Wizard, the Windows Update synchronization task is created automatically. You can run the task
in the Tasks folder. Microsoft software update functionality is available only after the Perform Windows
Update synchronization task has completed successfully.

Microsoft software updates may exceed 10 GB. Ensure that the Administration Server database is capable of
accommodating such volumes; otherwise, the Perform Windows Update synchronization task will fail. The
Microsoft SQL Express database is not supported for the Perform Windows Update synchronization task.

The Perform Windows Update synchronization task only downloads metadata from Microsoft servers. If the
network does not use a WSUS server, each client device downloads Microsoft updates from external servers
independently.

To create a task for synchronizing Windows Updates with Administration Server:

1. In the Advanced → Application management folder in the console tree, select the Software updates
subfolder.

2. Click the Additional actions button and select Configure Windows Update synchronization in the drop-down
list.
The Windows Update Center Data Retrieval Task Creation Wizard starts. Follow the instructions of the Wizard.
The Wizard creates the Perform Windows Update synchronization task, which is displayed in the Tasks folder.

You can also create the Windows Update synchronization task in the Tasks folder by clicking Create a task.

Microsoft regularly deletes outdated updates from the company's servers so the number of current updates is
always between 200,000 and 300,000. To reduce disk space usage and database size, Kaspersky Security Center
deletes the outdated updates that are no longer present on Microsoft update servers.

When running the Perform Windows Update synchronization task, the application receives a list of current
updates from a Microsoft update server. Next, Kaspersky Security Center compiles a list of updates that have
become outdated. At the next start of the Find vulnerabilities and required updates task, Kaspersky Security
Center flags all outdated updates and sets the deletion time for them. At the next start of the Perform Windows
Update synchronization task, all updates flagged for deletion 30 days ago are deleted. Kaspersky Security Center
also checks for outdated updates that were flagged for deletion more than 180 days ago, and then deletes those
older updates.
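Because the flagging and the deletion are done by two different tasks, an outdated update survives until both have run in the right order: a synchronization that notices it is gone, a Find vulnerabilities and required updates run that sets the deletion time, and a synchronization at least 30 days after that. The following added example (not Kaspersky's code and not part of this documentation) models that sequence on a constructed timeline. Record fields, the constructed KB identifiers, and the treatment of an update that Microsoft republishes before its 30 days are up (its flag is cleared here) are assumptions; the 180-day sweep catches the same records in this simplified model, so it is not modelled separately.

```python
"""Model of the outdated-update cleanup described above.

Added example for illustration; it is not Kaspersky's code. It follows the
documented sequence: a Perform Windows Update synchronization run learns which
updates Microsoft no longer publishes, the next Find vulnerabilities and
required updates run flags them with a deletion time, and a later
synchronization run deletes records whose flag is at least 30 days old.
Record fields, the constructed KB identifiers and the handling of a
republished update (its flag is cleared) are assumptions.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List, Optional, Set

RETENTION = timedelta(days=30)  # documented: flagged 30 days ago -> deleted
EPOCH = datetime(2023, 1, 1)    # start of the constructed timeline
DAY = timedelta(days=1)


@dataclass
class UpdateRecord:
    update_id: str                         # assumed identifier (e.g. a KB number)
    outdated: bool = False                 # absent from the current Microsoft list
    flagged_at: Optional[datetime] = None  # deletion time set by the Find vulnerabilities task


class UpdateRepository:
    """Administration Server view of downloaded Windows Update metadata."""

    def __init__(self, update_ids: List[str]) -> None:
        self.records: Dict[str, UpdateRecord] = {u: UpdateRecord(u) for u in update_ids}
        self.deleted: List[str] = []

    def sync_windows_update(self, current_ids: Set[str], now: datetime) -> List[str]:
        """Perform Windows Update synchronization task.

        Marks records missing from the Microsoft list as outdated and deletes
        those whose deletion flag is RETENTION old or older.
        """
        for rec in self.records.values():
            rec.outdated = rec.update_id not in current_ids
            if not rec.outdated:
                rec.flagged_at = None  # assumption: a republished update is kept
        expired = sorted(
            uid for uid, rec in self.records.items()
            if rec.flagged_at is not None and now - rec.flagged_at >= RETENTION
        )
        for uid in expired:
            del self.records[uid]
            self.deleted.append(uid)
        return expired

    def find_vulnerabilities(self, now: datetime) -> List[str]:
        """Find vulnerabilities and required updates task: flag outdated records."""
        flagged = []
        for rec in self.records.values():
            if rec.outdated and rec.flagged_at is None:
                rec.flagged_at = now
                flagged.append(rec.update_id)
        return sorted(flagged)


def simulate() -> Dict[str, List[str]]:
    """Constructed timeline: KB1 withdrawn on day 0; KB2 withdrawn on day 10, republished on day 20."""
    repo = UpdateRepository(["KB1", "KB2", "KB3"])
    log: Dict[str, List[str]] = {}
    log["day0_sync"] = repo.sync_windows_update({"KB2", "KB3"}, EPOCH)
    log["day0_find"] = repo.find_vulnerabilities(EPOCH)
    log["day10_sync"] = repo.sync_windows_update({"KB3"}, EPOCH + 10 * DAY)
    log["day10_find"] = repo.find_vulnerabilities(EPOCH + 10 * DAY)
    log["day20_sync"] = repo.sync_windows_update({"KB2", "KB3"}, EPOCH + 20 * DAY)  # KB2 republished
    log["day31_sync"] = repo.sync_windows_update({"KB2", "KB3"}, EPOCH + 31 * DAY)  # KB1 flag is 31 days old
    log["remaining"] = sorted(repo.records)
    return log
```

Running simulate() shows that KB1 is deleted only at the day 31 synchronization, although it disappeared from Microsoft's list on day 0: the 30 days are counted from the Find vulnerabilities and required updates run that flagged it, not from the synchronization that first noticed it was gone. This is why the text asks you to schedule both tasks and to keep the database large enough to hold the metadata in the meantime.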

When the Perform Windows Update synchronization task completes and outdated updates are deleted, the
database may still have the hash codes pertaining to the files of deleted updates, as well as the corresponding files in
%AllUsersProfile%\Application Data\KasperskyLab\adminkit\1093\.working\wusfiles (if they were
downloaded earlier). You can run the Administration Server maintenance task to delete these outdated records
from the database and the corresponding files.

Step 1. Defining whether to reduce traffic


When Kaspersky Security Center synchronizes updates with Microsoft Windows Update Servers, information
about all files is saved in the Administration Server database. All files required for an update are also downloaded
to the drive during interaction with the Windows Update Agent. In particular, Kaspersky Security Center saves
information about express update files to the database and downloads them when necessary. Downloading
express update files reduces the free space on the drive.

To avoid a decrease in free disk space and to reduce traffic, you can disable the Download express installation
files option.

If this option is selected, express update files are downloaded when running the task. By default, this option is not
selected.

Step 2. Applications
In this section you can select applications for which updates will be downloaded.

If the All applications check box is selected, updates will be downloaded for all existing applications, and for all
applications that may be released in the future.

By default, the All applications check box is selected.

Step 3. Update categories


In this section, you can select categories of updates that will be downloaded to the Administration Server.

If the All categories check box is selected, updates will be downloaded for all existing updates categories, and for
all categories that may appear in the future.

By default, the All categories check box is selected.

Step 4. Update languages


In this window you can select localization languages of updates that will be downloaded to Administration Server.
Select one of the following options for downloading localization languages of updates:

Download all languages, including new ones

If this option is selected, all the available localization languages of updates will be downloaded to
Administration Server. By default, this option is selected.

Download selected languages

If this option is selected, you can select from the list localization languages of updates that should be
downloaded to Administration Server.

Step 5. Selecting the account to start the task


In the Selecting an account to run the task window, you can specify which account to use when running the task.
Select one of the following options:

Default account

The task will be run under the same account as the application that performs this task.
By default, this option is selected.

Specify account

Fill in the Account and Password fields to specify the details of an account under which the task is run.
The account must have sufficient rights for this task.

Account

Account under which the task is run.

Password

Password of the account under which the task will be run.

Step 6. Configuring a task start schedule


On the Configure task schedule Wizard page, you can create a schedule for task start. If necessary, specify the
following settings:

Scheduled start:

Select the schedule according to which the task runs, and configure the selected schedule.

Every N hours

The task runs regularly, with the specified interval in hours, starting from the specified date and time.
By default, the task runs every six hours, starting from the current system date and time.

Every N days

The task runs regularly, with the specified interval in days. Additionally, you can specify a date and time
of the first task run. These additional options become available if they are supported by the application
for which you create the task.
By default, the task runs every day, starting from the current system date and time.

Every N weeks

The task runs regularly, with the specified interval in weeks, on the specified day of week and at the
specified time.
By default, the task runs every Monday at the current system time.

Every N minutes

The task runs regularly, with the specified interval in minutes, starting from the specified time on the day
that the task is created.
By default, the task runs every 30 minutes, starting from the current system time.

Daily (daylight saving time is not supported)


The task runs regularly, with the specified interval in days. This schedule does not support observance
of daylight saving time (DST). It means that when clocks jump one hour forward or backward at the
beginning or ending of DST, the actual task start time does not change.
We do not recommend that you use this schedule. It is needed for backward compatibility of Kaspersky
Security Center.
By default, the task starts every day at the current system time.

Weekly

The task runs every week on the specified day and at the specified time.

By days of week

The task runs regularly, on the specified days of week, at the specified time.
By default, the task runs every Friday at 6:00:00 PM.

Monthly

The task runs regularly, on the specified day of the month, at the specified time.
In months that lack the specified day, the task runs on the last day.
By default, the task runs on the first day of each month, at the current system time.

Manually

The task does not run automatically. You can only start it manually.
By default, this option is enabled.

Once

The task runs once, on the specified date and time.

Every month on specified days of selected weeks

The task runs regularly, on the specified days of each month, at the specified time.
By default, no days of month are selected; the default start time is 6:00:00 PM.

On virus outbreak

The task runs after a Virus outbreak event occurs. Select application types that will monitor virus
outbreaks. The following application types are available:
Anti-virus for workstations and file servers

Anti-virus for perimeter defense

Anti-virus for mail systems


By default, all application types are selected.
You may want to run different tasks depending on the anti-virus application type that reports a virus
outbreak. In this case, remove the selection of the application types that you do not need.

On completing another task

The current task starts after another task completes. You can select how the previous task must
complete (successfully or with error) to trigger the start of the current task. For example, you may want
to run the Manage devices task with the Turn on the device option and, after it completes, run the
Virus scan task.

Run missed tasks

This option determines the behavior of a task if a client device is not visible on the network when the task
is about to start.
If this option is enabled, the system attempts to start the task the next time the Kaspersky application is
run on the client device. If the task schedule is Manually, Once or Immediately, the task is started
immediately after the device becomes visible on the network or immediately after the device is included in
the task scope.
If this option is disabled, only scheduled tasks run on client devices; for Manually, Once and Immediately,
tasks run only on those client devices that are visible on the network. For example, you may want to disable
this option for a resource-consuming task that you want to run only outside of business hours.
By default, this option is enabled.

Use automatically randomized delay for task starts

If this option is enabled, the task is started on client devices randomly within a specified time interval, that
is, distributed task start. A distributed task start helps to avoid a large number of simultaneous requests by
client devices to the Administration Server when a scheduled task is running.
The distributed start time is calculated automatically when a task is created, depending on the number of
client devices to which the task is assigned. Later, the task is always started on the calculated start time.
However, when task settings are edited or the task is started manually, the calculated value of the task
start time changes.
If this option is disabled, the task starts on client devices according to the schedule.

Use randomized delay for task starts within an interval of (min)

If this option is enabled, the task is started on client devices randomly within the specified time interval. A
distributed task start helps to avoid a large number of simultaneous requests by client devices to the
Administration Server when a scheduled task is running.
If this option is disabled, the task starts on client devices according to the schedule.
By default, this option is disabled. The default time interval is one minute.

Step 7. Defining the task name


In the Define the task name window, specify the name for the task that you are creating. A task name cannot be
more than 100 characters long and cannot include any special characters ("*<>?\:|). The default value is Perform
Windows Update synchronization.

Step 8. Completing creation of the task


In the Finish task creation window, click the Finish button to finish the wizard.

If you want the task to start as soon as the wizard finishes, select the Run the task after the Wizard finishes
check box.

The newly created Windows Update synchronization task will appear in the list of tasks in the Tasks folder of the
console tree.

Installing updates on devices manually


If you have selected Find and install required updates on the Update management settings page of the Quick
Start Wizard, the Install required updates and fix vulnerabilities task is created automatically. You can run or stop
the task in the Managed devices folder on the Tasks tab.

If you have selected Search for required updates in the Quick Start Wizard, you can install software updates on
client devices through the Install required updates and fix vulnerabilities task.

You can do any of the following:

Create a task for installing updates.

Add a rule for installing an update to an existing update installation task.

In the settings of an existing update installation task, configure a test installation of updates.

User interaction may be required when you update a third-party application or fix a vulnerability in a third-party
application on a managed device. For example, the user may be prompted to close the third-party application if
it is currently open.

Installing updates by creating an installation task

You can do any of the following:

Create a task for installing certain updates.

Select an update and create a task for installing it and similar updates.

To install specific updates:

1. In the Advanced → Application management folder in the console tree, select the Software updates
subfolder.

2. In the workspace, select the updates that you want to install.

3. Do any of the following:

Right-click one of the selected updates in the list, and then select Install update → New task.

Click the Install update (create task) link in the information box for the selected updates.

4. Make your choice in the displayed prompt about installing all previous application updates. Click Yes if you agree
to the installation of successive application versions incrementally if this is required for installing the selected
updates. Click No if you want to update applications in a straightforward fashion, without installing successive
versions. If installing the selected updates is not possible without installing previous versions of applications,
the updating of the application fails.
The Updates Installation and Vulnerabilities Fix Task Creation Wizard starts. Follow the steps of the Wizard.

5. On the Selecting an operating system restart option page of the Wizard, select the action to perform when
the operating system on client devices must be restarted after the operation:

Do not restart the device

Client devices are not restarted automatically after the operation. To complete the operation, you must
restart a device (for example, manually or through a device management task). Information about the
required restart is saved in the task results and in the device status. This option is suitable for tasks on
servers and other devices where continuous operation is critical.

Restart the device

Client devices are always restarted automatically if a restart is required for completion of the
operation. This option is useful for tasks on devices that provide for regular pauses in their operation
(shutdown or restart).

Prompt user for action

The restart reminder is displayed on the screen of the client device, prompting the user to restart it
manually. Some advanced settings can be defined for this option: text of the message for the user, the
message display frequency, and the time interval after which a restart will be forced (without the user's
confirmation). This option is most suitable for workstations where users must be able to select the
most convenient time for a restart.
By default, this option is selected.

Repeat prompt every (min)

If this option is enabled, the application prompts the user to restart the operating system with the
specified frequency.
By default, this option is enabled. The default interval is 5 minutes. Available values are between 1 and
1440 minutes.
If this option is disabled, the prompt is displayed only once.

Restart after (min)

After prompting the user, the application forces restart of the operating system upon expiration of
the specified time interval.
By default, this option is enabled. The default delay is 30 minutes. Available values are between 1 and
1440 minutes.

Force closure of applications in blocked sessions

Running applications may prevent a restart of the client device. For example, if a document is being
edited in a word processing application and is not saved, the application does not allow the device to
restart.
If this option is enabled, such applications on a locked device are forced to close before the device
restart. As a result, users may lose their unsaved changes.
If this option is disabled, a locked device is not restarted. The task status on this device states that a
device restart is required. Users have to manually close all applications running on locked devices and
restart these devices.
By default, this option is disabled.

6. On the Configure task schedule page of the Wizard, you can create a schedule for task start. If necessary,
specify the following settings:

Scheduled start:

Select the schedule according to which the task runs, and configure the selected schedule.

Every N hours

The task runs regularly, with the specified interval in hours, starting from the specified date and time.
By default, the task runs every six hours, starting from the current system date and time.

Every N days

The task runs regularly, with the specified interval in days. Additionally, you can specify a date and
time of the first task run. These additional options become available if they are supported by the
application for which you create the task.
By default, the task runs every day, starting from the current system date and time.

Every N weeks

The task runs regularly, with the specified interval in weeks, on the specified day of week and at the
specified time.
By default, the task runs every Monday at the current system time.

Every N minutes

The task runs regularly, with the specified interval in minutes, starting from the specified time on the
day that the task is created.
By default, the task runs every 30 minutes, starting from the current system time.

Daily (daylight saving time is not supported)

The task runs regularly, with the specified interval in days. This schedule does not support
observance of daylight saving time (DST). It means that when clocks jump one hour forward or
backward at the beginning or ending of DST, the actual task start time does not change.
We do not recommend that you use this schedule. It is needed for backward compatibility of
Kaspersky Security Center.
By default, the task starts every day at the current system time.

Weekly

The task runs every week on the specified day and at the specified time.

By days of week

The task runs regularly, on the specified days of week, at the specified time.
By default, the task runs every Friday at 6:00:00 PM.

Monthly

The task runs regularly, on the specified day of the month, at the specified time.
In months that lack the specified day, the task runs on the last day.
By default, the task runs on the first day of each month, at the current system time.

Manually

The task does not run automatically. You can only start it manually.
By default, this option is enabled.

Every month on specified days of selected weeks

The task runs regularly, on the specified days of each month, at the specified time.
By default, no days of month are selected; the default start time is 6:00:00 PM.

On virus outbreak
The task runs after a Virus outbreak event occurs. Select application types that will monitor virus
outbreaks. The following application types are available:
Anti-virus for workstations and file servers

Anti-virus for perimeter defense

Anti-virus for mail systems


By default, all application types are selected.
You may want to run different tasks depending on the anti-virus application type that reports a virus
outbreak. In this case, remove the selection of the application types that you do not need.

On completing another task

The current task starts after another task completes. You can select how the previous task must
complete (successfully or with error) to trigger the start of the current task. For example, you may
want to run the Manage devices task with the Turn on the device option and, after it completes, run
the Virus scan task.

Run missed tasks

This option determines the behavior of a task if a client device is not visible on the network when the
task is about to start.
If this option is enabled, the system attempts to start the task the next time the Kaspersky application
is run on the client device. If the task schedule is Manually, Once or Immediately, the task is started
immediately after the device becomes visible on the network or immediately after the device is
included in the task scope.
If this option is disabled, only scheduled tasks run on client devices; for Manually, Once and
Immediately, tasks run only on those client devices that are visible on the network. For example, you
may want to disable this option for a resource-consuming task that you want to run only outside of
business hours.
By default, this option is enabled.

Use automatically randomized delay for task starts

If this option is enabled, the task is started on client devices randomly within a specified time interval,
that is, distributed task start. A distributed task start helps to avoid a large number of simultaneous
requests by client devices to the Administration Server when a scheduled task is running.
The distributed start time is calculated automatically when a task is created, depending on the number
of client devices to which the task is assigned. Later, the task is always started on the calculated start
time. However, when task settings are edited or the task is started manually, the calculated value of the
task start time changes.
If this option is disabled, the task starts on client devices according to the schedule.

Use randomized delay for task starts within an interval of (min)

If this option is enabled, the task is started on client devices randomly within the specified time interval.
A distributed task start helps to avoid a large number of simultaneous requests by client devices to the
Administration Server when a scheduled task is running.
If this option is disabled, the task starts on client devices according to the schedule.
By default, this option is disabled. The default time interval is one minute.

7. On the Define the task name page of the Wizard, specify the name for the task that you are creating. A task
name cannot be more than 100 characters long and cannot include any special characters ("*<>?\:|).

8. On the Finish task creation page of the Wizard, click the Finish button to close the Wizard.
If you want the task to start as soon as the Wizard finishes, select the Run the task after the Wizard finishes
check box.

After the Wizard completes its operation, Install required updates and fix vulnerabilities appears in the Tasks
folder.

You can enable automatic installation of system components (prerequisites) prior to installation of an update in the
Install required updates and fix vulnerabilities task properties. When this option is enabled, all required system
components are installed before the update. A list of the required components can be found in properties of the
update.

In the properties of the Install required updates and fix vulnerabilities task, you can allow installation of updates
that upgrade the application to a new version.

If the task settings provide rules for installation of third-party updates, the Administration Server downloads all
relevant updates from their vendors' websites. Updates are saved to the Administration Server repository and then
distributed and installed on devices where they are applicable.

If the task settings provide rules for installation of Microsoft updates and the Administration Server acts as a
WSUS server, the Administration Server downloads all relevant updates to the repository and then distributes
them to managed devices. If the network does not use a WSUS server, each client device downloads
Microsoft updates from external servers independently.

To install a certain update and similar ones:

1. In the Advanced → Application management folder in the console tree, select the Software updates
subfolder.

2. In the workspace, select the update that you want to install.

3. Click the Run Update Installation Wizard button.


The Update Installation Wizard starts.

The Update Installation Wizard features are only available under the Vulnerability and Patch Management
license.

Follow the steps of the Wizard.

4. On the Search for existing update installation tasks page, specify the following settings:

Search for tasks that install this update

If this option is enabled, the Update Installation Wizard searches for existing tasks that install the
selected update.

If this option is disabled or if the search retrieves no applicable tasks, the Update Installation Wizard
prompts you to create a rule or task for installing the update.

By default, this option is enabled.

Approve update installation

The selected update will be approved for installation. Enable this option if some applied rules of update
installation allow installation of approved updates only.

By default, this option is disabled.

5. If you choose to search for existing update installation tasks and if the search retrieves some tasks, you can
view properties of these tasks or start them manually. No further actions are required.
Otherwise, click the New update installation task button.

6. Select the type of the installation rule to be added to the new task, and then click the Finish button.

7. Make your choice in the displayed prompt about installing all previous application updates. Click Yes if you agree
to the installation of successive application versions incrementally if this is required for installing the selected
updates. Click No if you want to update applications in a straightforward fashion, without installing successive
versions. If installing the selected updates is not possible without installing previous versions of applications,
the updating of the application fails.
The Updates Installation and Vulnerabilities Fix Task Creation Wizard starts. Follow the steps of the Wizard.

8. On the Selecting an operating system restart option page of the Wizard, select the action to perform when
the operating system on client devices must be restarted after the operation:

Do not restart the device

Client devices are not restarted automatically after the operation. To complete the operation, you must
restart a device (for example, manually or through a device management task). Information about the
required restart is saved in the task results and in the device status. This option is suitable for tasks on
servers and other devices where continuous operation is critical.

Restart the device

Client devices are always restarted automatically if a restart is required for completion of the
operation. This option is useful for tasks on devices that provide for regular pauses in their operation
(shutdown or restart).

Prompt user for action

The restart reminder is displayed on the screen of the client device, prompting the user to restart it
manually. Some advanced settings can be defined for this option: text of the message for the user, the
message display frequency, and the time interval after which a restart will be forced (without the user's
confirmation). This option is most suitable for workstations where users must be able to select the
most convenient time for a restart.
By default, this option is selected.

Repeat prompt every (min)

If this option is enabled, the application prompts the user to restart the operating system with the
specified frequency.
By default, this option is enabled. The default interval is 5 minutes. Available values are between 1 and
1440 minutes.
If this option is disabled, the prompt is displayed only once.

Restart after (min)

After prompting the user, the application forces restart of the operating system upon expiration of
the specified time interval.
By default, this option is enabled. The default delay is 30 minutes. Available values are between 1 and
1440 minutes.

Force closure of applications in blocked sessions

Running applications may prevent a restart of the client device. For example, if a document is being
edited in a word processing application and is not saved, the application does not allow the device to
restart.
If this option is enabled, such applications on a locked device are forced to close before the device
restart. As a result, users may lose their unsaved changes.
If this option is disabled, a locked device is not restarted. The task status on this device states that a
device restart is required. Users have to manually close all applications running on locked devices and
restart these devices.
By default, this option is disabled.

9. On the Select devices to which the task will be assigned page of the Wizard, select one of the following
options:

Select networked devices detected by Administration Server

The task is assigned to specific devices. The specific devices can include devices in administration
groups as well as unassigned devices.
For example, you may want to use this option in a task of installing Network Agent on unassigned
devices.

Specify device addresses manually or import addresses from a list

You can specify NetBIOS names, DNS names, IP addresses, and IP subnets of devices to which you
want to assign the task.
You may want to use this option to execute a task for a specific subnet. For example, you may want to
install a certain application on devices of accountants or to scan devices in a subnet that is probably
infected.

Assign task to a device selection

The task is assigned to devices included in a device selection. You can specify one of the existing
selections.
For example, you may want to use this option to run a task on devices with a specific operating system
version.

Assign task to an administration group

The task is assigned to devices included in an administration group. You can specify one of the existing
groups or create a new one.
For example, you may want to use this option to run a task of sending a message to users if the
message is specific for devices included in a specific administration group.

10. On the Configure task schedule page of the Wizard, you can create a schedule for task start. If necessary,
specify the following settings:

Scheduled start:

Select the schedule according to which the task runs, and configure the selected schedule.

Every N hours

The task runs regularly, with the specified interval in hours, starting from the specified date and time.
By default, the task runs every six hours, starting from the current system date and time.

Every N days

The task runs regularly, with the specified interval in days. Additionally, you can specify a date and
time of the first task run. These additional options become available if they are supported by the
application for which you create the task.
By default, the task runs every day, starting from the current system date and time.

Every N weeks

The task runs regularly, with the specified interval in weeks, on the specified day of week and at the
specified time.
By default, the task runs every Monday at the current system time.

Every N minutes

The task runs regularly, with the specified interval in minutes, starting from the specified time on the
day that the task is created.
By default, the task runs every 30 minutes, starting from the current system time.

Daily (daylight saving time is not supported)

The task runs regularly, with the specified interval in days. This schedule does not support
observance of daylight saving time (DST). It means that when clocks jump one hour forward or
backward at the beginning or ending of DST, the actual task start time does not change.
We do not recommend that you use this schedule. It is needed for backward compatibility of
Kaspersky Security Center.
By default, the task starts every day at the current system time.

Weekly

The task runs every week on the specified day and at the specified time.

By days of week

The task runs regularly, on the specified days of week, at the specified time.
By default, the task runs every Friday at 6:00:00 PM.

Monthly

The task runs regularly, on the specified day of the month, at the specified time.
In months that lack the specified day, the task runs on the last day.
By default, the task runs on the first day of each month, at the current system time.

Manually (selected by default)

The task does not run automatically. You can only start it manually.
By default, this option is enabled.

Every month on specified days of selected weeks

The task runs regularly, on the specified days of each month, at the specified time.
By default, no days of month are selected; the default start time is 6:00:00 PM.

On virus outbreak

The task runs after a Virus outbreak event occurs. Select application types that will monitor virus
outbreaks. The following application types are available:
Anti-virus for workstations and file servers

Anti-virus for perimeter defense

Anti-virus for mail systems


By default, all application types are selected.
You may want to run different tasks depending on the anti-virus application type that reports a virus
outbreak. In this case, remove the selection of the application types that you do not need.

On completing another task

The current task starts after another task completes. You can select how the previous task must
complete (successfully or with error) to trigger the start of the current task. For example, you may
want to run the Manage devices task with the Turn on the device option and, after it completes, run
the Virus scan task.

Run missed tasks

This option determines the behavior of a task if a client device is not visible on the network when the
task is about to start.
If this option is enabled, the system attempts to start the task the next time the Kaspersky application
is run on the client device. If the task schedule is Manually, Once or Immediately, the task is started
immediately after the device becomes visible on the network or immediately after the device is
included in the task scope.
If this option is disabled, only scheduled tasks run on client devices; for Manually, Once and
Immediately, tasks run only on those client devices that are visible on the network. For example, you
may want to disable this option for a resource-consuming task that you want to run only outside of
business hours.
By default, this option is enabled.

Use automatically randomized delay for task starts

If this option is enabled, the task is started on client devices randomly within a specified time interval,
that is, distributed task start. A distributed task start helps to avoid a large number of simultaneous
requests by client devices to the Administration Server when a scheduled task is running.
The distributed start time is calculated automatically when a task is created, depending on the number
of client devices to which the task is assigned. Later, the task is always started on the calculated start
time. However, when task settings are edited or the task is started manually, the calculated value of the
task start time changes.
If this option is disabled, the task starts on client devices according to the schedule.

Use randomized delay for task starts within an interval of (min)

If this option is enabled, the task is started on client devices randomly within the specified time interval.
A distributed task start helps to avoid a large number of simultaneous requests by client devices to the
Administration Server when a scheduled task is running.
If this option is disabled, the task starts on client devices according to the schedule.
By default, this option is disabled. The default time interval is one minute.

11. On the Define the task name page of the Wizard, specify the name for the task that you are creating. A task
name cannot be more than 100 characters long and cannot include any special characters ("*<>?\:|).

12. On the Finish task creation page of the Wizard, click the Finish button to close the Wizard.
If you want the task to start as soon as the Wizard finishes, select the Run the task after the Wizard finishes
check box.

When the Wizard finishes, the Install required updates and fix vulnerabilities task is created and displayed in
the Tasks folder.

In addition to the settings that you specify during task creation, you can change other properties of a created
task.

Upgrading to a new version of the application may cause a malfunction of dependent applications on devices.
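To see what the schedule rules above produce in practice, the following added example (not Kaspersky's code; function names, parameters and the sample schedules are constructed for illustration) computes the concrete start times of a Monthly schedule, applying the documented rule that months lacking the specified day run on their last day, and of an Every N weeks schedule that fires on a specified weekday:

```python
"""Start-time calculator for two of the task schedule types described above.

Added example, not part of Kaspersky Security Center: it models the documented
rules only, so that a planned schedule can be reviewed before the task is
created. Function and parameter names are hypothetical.
"""
import calendar
from datetime import date, datetime, time, timedelta


def monthly_runs(day_of_month: int, at: str, start: str, count: int) -> list:
    """Return the next `count` start times of a Monthly schedule.

    `at` is a time such as "18:00" and `start` an ISO date such as "2024-01-01".
    The schedule fires on `day_of_month` of each month, beginning with the first
    run on or after `start`. In months that lack that day (day 31 in April,
    days 29-31 in February) the run falls on the last day of the month.
    """
    if not 1 <= day_of_month <= 31:
        raise ValueError("day of month must be between 1 and 31")
    at_time = time.fromisoformat(at)
    start_date = date.fromisoformat(start)
    runs = []
    year, month = start_date.year, start_date.month
    while len(runs) < count:
        last_day = calendar.monthrange(year, month)[1]
        run_day = min(day_of_month, last_day)  # documented last-day rule
        run = datetime.combine(date(year, month, run_day), at_time)
        if run.date() >= start_date:
            runs.append(run)
        # Advance to the next month.
        month += 1
        if month > 12:
            month, year = 1, year + 1
    return runs


def every_n_weeks_runs(n_weeks: int, weekday: int, at: str, start: str, count: int) -> list:
    """Return the next `count` start times of an Every N weeks schedule.

    `weekday` follows Python's convention (Monday = 0 ... Sunday = 6). The first
    run is the first matching weekday on or after `start`; each later run is
    `n_weeks` weeks after the previous one.
    """
    if n_weeks < 1:
        raise ValueError("interval must be at least one week")
    if not 0 <= weekday <= 6:
        raise ValueError("weekday must be between 0 (Monday) and 6 (Sunday)")
    at_time = time.fromisoformat(at)
    start_date = date.fromisoformat(start)
    days_ahead = (weekday - start_date.weekday()) % 7
    first = start_date + timedelta(days=days_ahead)
    return [
        datetime.combine(first + timedelta(weeks=n_weeks * i), at_time)
        for i in range(count)
    ]


if __name__ == "__main__":
    # Constructed sample: day 31 at 18:00, starting 2024-01-01 (a leap year).
    for run in monthly_runs(31, "18:00", "2024-01-01", 4):
        print("Monthly:", run.isoformat())
    # Constructed sample: every 2 weeks on Monday at 09:00, starting Wed 2024-01-03.
    for run in every_n_weeks_runs(2, 0, "09:00", "2024-01-03", 3):
        print("Every 2 weeks:", run.isoformat())
```

Checking a schedule this way before creating the task makes the February and 30-day-month behaviour visible, which the console's schedule page does not preview.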

Installing an update by adding a rule to an existing installation task

To install an update by adding a rule to an existing installation task:

1. In the Advanced → Application management folder in the console tree, select the Software updates
subfolder.

2. In the workspace, select the update that you want to install.

3. Click the Run Update Installation Wizard button.


The Update Installation Wizard starts.

The Update Installation Wizard features are only available under the Vulnerability and Patch Management
license.

Follow the steps of the Wizard.

4. On the Search for existing update installation tasks page, specify the following settings:

Search for tasks that install this update

If this option is enabled, the Update Installation Wizard searches for existing tasks that install the
selected update.

If this option is disabled or if the search retrieves no applicable tasks, the Update Installation Wizard
prompts you to create a rule or task for installing the update.

By default, this option is enabled.

Approve update installation

The selected update will be approved for installation. Enable this option if some applied rules of update
installation allow installation of approved updates only.

By default, this option is disabled.

5. If you choose to search for existing update installation tasks and if the search retrieves some tasks, you can
view properties of these tasks or start them manually. No further actions are required.
Otherwise, click the Add an update installation rule button.

6. Select the task to which you want to add a rule, and then click the Add rule button.
Also, you can view properties of the existing tasks, start them manually, or create a new task.

7. Select the type of the rule to be added to the selected task, and then click the Finish button.

8. Make your choice in the displayed prompt about installing all previous application updates. Click Yes if you agree
to the installation of successive application versions incrementally if this is required for installing the selected
updates. Click No if you want to update applications in a straightforward fashion, without installing successive
versions. If installing the selected updates is not possible without installing previous versions of applications,
the updating of the application fails.

A new rule for installing the update is added to the existing Install required updates and fix vulnerabilities task.

Configuring a test installation of updates

To configure a test installation of updates:

1. In the console tree, select the Install required updates and fix vulnerabilities task in the Managed devices
folder on the Tasks tab.

2. In the context menu of the task, select Properties.

The properties window of the Install required updates and fix vulnerabilities task opens.

3. In the properties window of the task, in the Test installation section, select one of the available options for test
installation:

Do not scan. Select this option if you do not want to perform a test installation of updates.

Run scan on selected devices. Select this option if you want to test the update installation on selected
devices. Click the Add button and select the devices on which you need to perform the test installation of updates.

Run scan on devices in the specified group. Select this option if you want to test the update installation on a
group of devices. In the Specify a test group field, specify the group of devices on which you want to perform
a test installation.
Run scan on specified percentage of devices. Select this option if you want to test the update installation on
a portion of the devices. In the Percentage of test devices out of all target devices field, specify the
percentage of devices on which you want to perform a test installation of updates.

4. If you selected any option except Do not scan, in the Amount of time to make the decision if the installation
is to be continued, in hours field, specify the number of hours that must elapse from the test installation of
updates until the start of installation of the updates on all devices.

Configuring Windows updates in a Network Agent policy

To configure Windows Updates in a Network Agent policy:

1. In the console tree, select Managed devices.

2. In the workspace, select the Policies tab.

3. Select a Network Agent policy.

4. In the context menu of the policy, select Properties.


The properties window for the Network Agent policy opens.

5. In the Sections pane, select Software updates and vulnerabilities.

6. Select the Use Administration Server as a WSUS server option to download Windows updates to the
Administration Server and then distribute them to client devices through Network Agent.
If this option is not selected, Windows updates are not downloaded to the Administration Server. In this case,
client devices receive Windows updates directly from Microsoft servers.

7. Select the set of updates that the users can install on their devices manually by using Windows Update.

On devices running Windows 10, if Windows Update has already found updates for the device, the new
option that you select under Allow users to manage installation of Windows Update updates will be
applied only after the updates found are installed.

Select an item in the drop-down list:

Allow users to install all applicable Windows Update updates

Users can install all of the Microsoft Windows Update updates that are applicable to their devices.
Select this option if you do not want to interfere in the installation of updates.

When the user installs Microsoft Windows Update updates manually, the updates may be
downloaded from Microsoft servers rather than from Administration Server. This is possible if
Administration Server has not yet downloaded these updates. Downloading updates from
Microsoft servers results in extra traffic.

Allow users to install only approved Windows Update updates

Users can install all of the Microsoft Windows Update updates that are applicable to their devices and
that are approved by you.

For example, you may want to rst check the installation of updates in a test environment and make
sure that they do not interfere with the operation of devices, and only then allow the installation of
these approved updates on client devices.

When the user installs Microsoft Windows Update updates manually, the updates may be
downloaded from Microsoft servers rather than from Administration Server. This is possible if
Administration Server has not yet downloaded these updates. Downloading updates from
Microsoft servers results in extra traffic.

Do not allow users to install Windows Update updates

Users cannot install Microsoft Windows Update updates on their devices manually. All of the applicable
updates are installed as configured by you.
Select this option if you want to manage the installation of updates centrally.
For example, you may want to optimize the update schedule so that the network does not become
overloaded. You can schedule after-hours updates, so that they do not interfere with user productivity.

8. Select the Windows Update search mode:

Active

If this option is selected, Administration Server with support from Network Agent initiates a request
from Windows Update Agent on the client device to the update source: Windows Update Servers or
WSUS. Next, Network Agent passes information received from Windows Update Agent to
Administration Server.
The option takes effect only if the Connect to the update server to update data option of the Find
vulnerabilities and required updates task is selected.
By default, this option is selected.

Passive

If you select this option, Network Agent periodically passes Administration Server information about
updates retrieved at the last synchronization of Windows Update Agent with the update source. If no
synchronization of Windows Update Agent with an update source is performed, information about
updates on Administration Server becomes out-of-date.
Select this option if you want to get updates from the memory cache of the update source.

Disabled

If this option is selected, Administration Server does not request any information about updates.
Select this option if, for example, you want to test the updates on your local device first.

9. Select the Scan executable files for vulnerabilities when running them option if you want to scan executable
files for vulnerabilities while the files are being run.

10. Make sure that editing is locked for all the settings that you have changed. Otherwise, the changes do not
apply.

11. Click Apply.

Fixing third-party software vulnerabilities

This section describes the features of Kaspersky Security Center that relate to fixing vulnerabilities in the
software installed on managed devices.

Scenario: Finding and fixing third-party software vulnerabilities

This section provides a scenario for finding and fixing vulnerabilities on the managed devices running Windows. You
can find and fix software vulnerabilities in the operating system and in third-party software, including Microsoft
software.

Prerequisites

Kaspersky Security Center is deployed in your organization.

There are managed devices running Windows in your organization.

An internet connection is required for Administration Server to perform the following tasks:

To make a list of recommended fixes for vulnerabilities in Microsoft software. The list is created and regularly
updated by Kaspersky specialists.

To fix vulnerabilities in third-party software other than Microsoft software.

Stages

Finding and fixing software vulnerabilities proceeds in stages:

1 Scanning for vulnerabilities in the software installed on the managed devices

To find vulnerabilities in the software installed on the managed devices, run the Find vulnerabilities and required
updates task. When this task is complete, Kaspersky Security Center receives the lists of detected
vulnerabilities and required updates for the third-party software installed on the devices that you specified in
the task properties.

The Find vulnerabilities and required updates task is created automatically by the Kaspersky Security Center Quick
Start Wizard. If you did not run the Wizard, start it now or create the task manually.

How-to instructions:

Administration Console: Scanning applications for vulnerabilities, Scheduling the Find vulnerabilities and
required updates task

Kaspersky Security Center Web Console: Creating the Find vulnerabilities and required updates task, Find
vulnerabilities and required updates task settings

2 Analyzing the list of detected software vulnerabilities

View the Software vulnerabilities list and decide which vulnerabilities are to be fixed. To view detailed
information about each vulnerability, click the vulnerability name in the list. For each vulnerability in the list, you
can also view the statistics on the vulnerability on managed devices.

How-to instructions:

Administration Console: Viewing information about software vulnerabilities, Viewing statistics of
vulnerabilities on managed devices

Kaspersky Security Center Web Console: Viewing information about software vulnerabilities, Viewing
statistics of vulnerabilities on managed devices

3 Configuring the vulnerability fix

When software vulnerabilities are detected, you can fix them on the managed devices
by using the Install required updates and fix vulnerabilities task or the Fix vulnerabilities task.

The Install required updates and fix vulnerabilities task is used to update and fix vulnerabilities in third-party
software, including Microsoft software, installed on the managed devices. This task allows you to install multiple
updates and fix multiple vulnerabilities according to certain rules. Note that this task can be created only if you
have the license for the Vulnerability and Patch Management feature. To fix software vulnerabilities, the Install
required updates and fix vulnerabilities task uses recommended software updates.

The Fix vulnerabilities task does not require the license option for the Vulnerability and Patch Management
feature. To use this task, you must manually specify user fixes for vulnerabilities in third-party software listed in
the task settings. The Fix vulnerabilities task uses recommended fixes for Microsoft software and user fixes for
third-party software.

You can start the Vulnerabilities Fix Wizard, which creates one of these tasks automatically, or you can create one of
these tasks manually.

How-to instructions:

Administration Console: Selecting user fixes for vulnerabilities in third-party software, Fixing vulnerabilities in
applications

Kaspersky Security Center Web Console: Selecting user fixes for vulnerabilities in third-party software, Fixing
vulnerabilities in third-party software, Creating the Install required updates and fix vulnerabilities task

4 Scheduling the tasks

To be sure that the vulnerabilities list is always up to date, schedule the Find vulnerabilities and required updates
task to run automatically at regular intervals. The recommended average frequency is once a week.

If you have created the Install required updates and fix vulnerabilities task, you can schedule it to run with the
same frequency as the Find vulnerabilities and required updates task or less often. When scheduling the Fix
vulnerabilities task, note that you have to select fixes for Microsoft software or specify user fixes for third-party
software every time before starting the task.

When scheduling the tasks, make sure that a task to fix vulnerabilities starts after the Find vulnerabilities and
required updates task is complete.

5 Ignoring software vulnerabilities (optional)

If you want, you can ignore software vulnerabilities to be fixed on all managed devices or only on selected
managed devices.

How-to instructions:

Administration Console: Ignoring software vulnerabilities

Kaspersky Security Center Web Console: Ignoring software vulnerabilities

6 Running a vulnerability fix task

Start the Install required updates and fix vulnerabilities task or the Fix vulnerabilities task. When the task is
complete, make sure that it has the Completed successfully status in the task list.

7 Creating the report on results of fixing software vulnerabilities (optional)

To view detailed statistics on the vulnerabilities fix, generate the Report on vulnerabilities. The report displays
information about software vulnerabilities that are not fixed. This gives you an overview of finding and fixing
vulnerabilities in third-party software, including Microsoft software, in your organization.

How-to instructions:

Administration Console: Creating and viewing a report

Kaspersky Security Center Web Console: Generating and viewing a report

8 Checking the configuration of finding and fixing vulnerabilities in third-party software

Be sure that you have done the following:

Obtained and reviewed the list of software vulnerabilities on managed devices

Ignored software vulnerabilities if you wanted

Configured the task to fix vulnerabilities

Scheduled the tasks to find and to fix software vulnerabilities so that they start sequentially

Checked that the task to fix software vulnerabilities was run

Results

If you have created and configured the Install required updates and fix vulnerabilities task, the vulnerabilities are
fixed on the managed devices automatically. When the task is run, it correlates the list of available software
updates to the rules specified in the task settings. All software updates that meet the criteria in the rules will be
downloaded to the Administration Server repository and will be installed to fix software vulnerabilities.

If you have created the Fix vulnerabilities task, only software vulnerabilities in Microsoft software are fixed.

About finding and fixing software vulnerabilities

Kaspersky Security Center detects and fixes software vulnerabilities on managed devices running Microsoft
Windows family operating systems. Vulnerabilities are detected in the operating system and in third-party
software, including Microsoft software.

Finding software vulnerabilities

To find software vulnerabilities, Kaspersky Security Center uses characteristics from the database of known
vulnerabilities. This database is created by Kaspersky specialists. It contains information about vulnerabilities, such
as the vulnerability description, detection date, and severity level. You can find the details of
software vulnerabilities on the Kaspersky website.

Kaspersky Security Center uses the Find vulnerabilities and required updates task to find software vulnerabilities.

Fixing software vulnerabilities

To fix software vulnerabilities, Kaspersky Security Center uses software updates issued by the software vendors.
The software updates metadata is downloaded to the Administration Server repository as a result of running the
following tasks:

Download updates to the Administration Server repository. This task is intended to download updates
metadata for Kaspersky and third-party software. This task is created automatically by the Kaspersky Security
Center Quick Start Wizard. You can also create the Download updates to the Administration Server repository task
manually.

Perform Windows Update synchronization. This task is intended to download updates metadata for Microsoft
software.

Software updates to fix vulnerabilities can be represented as full distribution packages or patches. Software
updates that fix software vulnerabilities are named fixes. Recommended fixes are those that are recommended for
installation by Kaspersky specialists. User fixes are those that are manually specified for installation by users. To
install a user fix, you have to create an installation package containing this fix.

If you have the Kaspersky Security Center license with the Vulnerability and Patch Management feature, to fix
software vulnerabilities you can use the Install required updates and fix vulnerabilities task. This task automatically
fixes multiple vulnerabilities by installing recommended fixes. For this task, you can manually configure certain rules
to fix multiple vulnerabilities.

If you do not have the Kaspersky Security Center license with the Vulnerability and Patch Management feature, to
fix software vulnerabilities, you can use the Fix vulnerabilities task. By means of this task, you can fix vulnerabilities
by installing recommended fixes for Microsoft software and user fixes for other third-party software.

For security reasons, any third-party software updates that you install by using the Vulnerability and Patch
Management feature are automatically scanned for malware by Kaspersky technologies. These technologies are
used for automatic file checks and include anti-virus scan, static analysis, dynamic analysis, behavior analysis in a
sandbox environment, and machine learning.

Kaspersky experts do not perform manual analysis of third-party software updates that can be installed by using
the Vulnerability and Patch Management feature. In addition, Kaspersky experts do not search for vulnerabilities
(known or unknown) or undocumented features in such updates, and do not perform any types of analysis
of the updates other than those specified in the paragraph above.

User interaction may be required when you update a third-party application or fix a vulnerability in a third-party
application on a managed device. For example, the user may be prompted to close the third-party
application if it is currently open.

To fix some software vulnerabilities, you must accept the End User License Agreement (EULA) for installing the
software if EULA acceptance is requested. If you decline the EULA, the software vulnerability is not fixed.

Viewing information about software vulnerabilities


To view a list of vulnerabilities detected on client devices,

In the Advanced → Application management folder in the console tree, select the Software vulnerabilities
subfolder.

The page displays a list of vulnerabilities in applications detected on managed devices.

To obtain information about a selected vulnerability,

Select Properties from the context menu of the vulnerability.

The properties window of the vulnerability opens, displaying the following information:

Application in which the vulnerability has been detected.

List of devices on which the vulnerability has been detected.

Information on whether the vulnerability has been fixed.

To view the report on all detected vulnerabilities,

In the Software vulnerabilities folder, click the View report on vulnerabilities link.

A report on vulnerabilities in applications installed on devices will be generated. You can view this report in the
node with the name of the relevant Administration Server, by opening the Reports tab.

Viewing statistics of vulnerabilities on managed devices

You can view statistics for each software vulnerability on managed devices. The statistics are represented as a
diagram. The diagram displays the number of devices with the following statuses:

Ignored on: <number of devices>. The status is assigned if, in the vulnerability properties, you have manually set
the option to ignore the vulnerability.

Fixed on: <number of devices>. The status is assigned if the task to fix the vulnerability has successfully
completed.

Fix scheduled on: <number of devices>. The status is assigned if you have created the task to fix the
vulnerability but the task has not been performed yet.

Patch applied on: <number of devices>. The status is assigned if you have manually selected a software update
to fix the vulnerability but this software update has not fixed the vulnerability.

Fix required on: <number of devices>. The status is assigned if the vulnerability was fixed only on some of the
managed devices and still has to be fixed on the rest of the managed devices.

To view the statistics of a vulnerability on managed devices:

1. In the Advanced → Application management folder in the console tree, select the Software vulnerabilities
subfolder.
The page displays a list of vulnerabilities in applications detected on managed devices.

2. Select a vulnerability for which you want to view the statistics.


In the block for working with a selected object, a diagram of the vulnerability statuses is displayed. Clicking a
status opens a list of devices on which the vulnerability has the selected status.

Scanning applications for vulnerabilities

If you have configured the application through the Quick Start Wizard, the Vulnerability scan task is created
automatically. You can view the task in the Managed devices folder, on the Tasks tab.

To create a task for vulnerability scanning in applications installed on client devices:

1. In the console tree, select Advanced → Application management, and then select the Software
vulnerabilities subfolder.

2. In the workspace, select Additional actions → Configure vulnerability scan.

If a task for vulnerability scanning already exists, the Tasks tab of the Managed devices folder is displayed, with
the existing task selected. Otherwise, the Find Vulnerabilities and Required Updates Task Creation Wizard
starts. Follow the steps of the Wizard.

3. In the Select the task type window, select Find vulnerabilities and required updates.

4. On the Settings page of the Wizard, specify the task settings as follows:

Search for vulnerabilities and updates listed by Microsoft

When searching for vulnerabilities and updates, Kaspersky Security Center uses the information about
applicable Microsoft updates from the source of Microsoft updates that is available at the present
moment.

For example, you may want to disable this option if you have different tasks with different settings for
Microsoft updates and updates of third-party applications.

By default, this option is enabled.

Connect to the update server to update data

Windows Update Agent on a managed device connects to the source of Microsoft updates. The
following servers can act as a source of Microsoft updates:

Kaspersky Security Center Administration Server (see the settings of the Network Agent policy)

Windows Server with Microsoft Windows Server Update Services (WSUS) deployed in your
organization's network

Microsoft Update servers

If this option is enabled, Windows Update Agent on a managed device connects to the source of
Microsoft updates to refresh the information about applicable Microsoft Windows updates.

If this option is disabled, Windows Update Agent on a managed device uses the information about
applicable Microsoft Windows updates that was received from the source of Microsoft updates
earlier and that is stored in the device's cache.

Connecting to the source of Microsoft updates can be resource-consuming. You might want to
disable this option if you set a regular connection to this source of updates in another task or in the
properties of the Network Agent policy, in the Software updates and vulnerabilities section. If you do
not want to disable this option, then, to reduce the load on the Server, you can configure the task
schedule to randomize the delay of task starts within 360 minutes.

By default, this option is enabled.

The combination of the following options in the Network Agent policy settings defines the mode of
getting updates:

Windows Update Agent on a managed device connects to the update server to get updates
only if the Connect to the update server to update data option is enabled and the Active
option in the Windows Update search mode settings group is selected.

Windows Update Agent on a managed device uses the information about applicable Microsoft
Windows updates that was received from the source of Microsoft updates earlier and that is
stored in the device's cache if the Connect to the update server to update data option is
enabled and the Passive option in the Windows Update search mode settings group is
selected, or if the Connect to the update server to update data option is disabled and the
Active option in the Windows Update search mode settings group is selected.

Irrespective of the status of the Connect to the update server to update data option (enabled or
disabled), if the Disabled option in the Windows Update search mode settings group is selected,
Kaspersky Security Center does not request any information about updates.

Search for third-party vulnerabilities and updates listed by Kaspersky

If this option is enabled, Kaspersky Security Center searches for vulnerabilities and required updates
for third-party applications (applications made by software vendors other than Kaspersky and
Microsoft) in the Windows Registry and in the folders specified under Specify paths for advanced search
of applications in file system. The full list of supported third-party applications is managed by
Kaspersky.

If this option is disabled, Kaspersky Security Center does not search for vulnerabilities and required
updates for third-party applications. For example, you may want to disable this option if you have
different tasks with different settings for Microsoft Windows updates and updates of third-party
applications.

By default, this option is enabled.

Specify paths for advanced search of applications in file system

The folders in which Kaspersky Security Center searches for third-party applications that require
a vulnerability fix or update installation. You can use system variables.

Specify the folders to which applications are installed. By default, the list contains the system folders to
which most applications are installed.

Enable advanced diagnostics

If this feature is enabled, Network Agent writes traces even if tracing is disabled for Network Agent in
Kaspersky Security Center Remote Diagnostics Utility. Traces are written to two files in turn; the total
size of both files is determined by the Maximum size, in MB, of advanced diagnostics files value. When
both files are full, Network Agent starts writing to them again. The files with traces are stored in the
%WINDIR%\Temp folder. These files are accessible in the remote diagnostics utility; you can download
or delete them there.

If this feature is disabled, Network Agent writes traces according to the settings in Kaspersky Security
Center Remote Diagnostics Utility. No additional traces are written.

When creating a task, you do not have to enable advanced diagnostics. You may want to use this
feature later if, for example, a task run fails on some of the devices and you want to get additional
information during another task run.

By default, this option is disabled.

Maximum size, in MB, of advanced diagnostics files

The default value is 100 MB, and available values are between 1 MB and 2048 MB. You may be asked to
change the default value by Kaspersky Technical Support specialists when the information in the advanced
diagnostics files that you send is not enough to troubleshoot the problem.

5. On the Configure task schedule page of the Wizard, you can create a schedule for task start. If necessary,
specify the following settings:

Scheduled start:

Select the schedule according to which the task runs, and configure the selected schedule.

Every N hours

The task runs regularly, with the specified interval in hours, starting from the specified date and time.
By default, the task runs every six hours, starting from the current system date and time.

Every N days

The task runs regularly, with the specified interval in days. Additionally, you can specify the date and
time of the first task run. These additional options become available if they are supported by the
application for which you create the task.
By default, the task runs every day, starting from the current system date and time.

Every N weeks

The task runs regularly, with the specified interval in weeks, on the specified day of the week and at the
specified time.
By default, the task runs every Monday at the current system time.

Every N minutes

The task runs regularly, with the specified interval in minutes, starting from the specified time on the
day that the task is created.
By default, the task runs every 30 minutes, starting from the current system time.

Daily (daylight saving time is not supported)

The task runs regularly, with the specified interval in days. This schedule does not support
observance of daylight saving time (DST). This means that when clocks jump one hour forward or
backward at the beginning or end of DST, the actual task start time does not change.
We do not recommend that you use this schedule. It is retained for backward compatibility of
Kaspersky Security Center.
By default, the task starts every day at the current system time.

Weekly

The task runs every week on the specified day and at the specified time.

By days of week

The task runs regularly, on the specified days of the week, at the specified time.
By default, the task runs every Friday at 6:00:00 PM.

Monthly

The task runs regularly, on the specified day of the month, at the specified time.
In months that lack the specified day, the task runs on the last day.
By default, the task runs on the first day of each month, at the current system time.

Manually

The task does not run automatically. You can only start it manually.
By default, this option is enabled.

Every month on specified days of selected weeks

The task runs regularly, on the specified days of each month, at the specified time.
By default, no days of the month are selected; the default start time is 6:00:00 PM.

When new updates are downloaded to the repository


The task runs after updates are downloaded to the repository. For example, you may want to use
this schedule for the Find vulnerabilities and required updates task.

On virus outbreak

The task runs after a Virus outbreak event occurs. Select the application types that will monitor virus
outbreaks. The following application types are available:

Anti-virus for workstations and file servers

Anti-virus for perimeter defense

Anti-virus for mail systems

By default, all application types are selected.
You may want to run different tasks depending on the anti-virus application type that reports a virus
outbreak. In this case, clear the selection of the application types that you do not need.

On completing another task

The current task starts after another task completes. You can select how the previous task must
complete (successfully or with error) to trigger the start of the current task. For example, you may
want to run the Manage devices task with the Turn on the device option and, after it completes, run
the Virus scan task.

Run missed tasks

This option determines the behavior of a task if a client device is not visible on the network when the
task is about to start.
If this option is enabled, the system attempts to start the task the next time the Kaspersky application
is run on the client device. If the task schedule is Manually, Once or Immediately, the task is started
immediately after the device becomes visible on the network or immediately after the device is
included in the task scope.
If this option is disabled, only scheduled tasks run on client devices; for Manually, Once and
Immediately, tasks run only on those client devices that are visible on the network. For example, you
may want to disable this option for a resource-consuming task that you want to run only outside of
business hours.
By default, this option is enabled.

Use automatically randomized delay for task starts

If this option is enabled, the task is started on client devices randomly within a specified time interval,
that is, a distributed task start. A distributed task start helps to avoid a large number of simultaneous
requests by client devices to the Administration Server when a scheduled task is running.
The distributed start time is calculated automatically when a task is created, depending on the number
of client devices to which the task is assigned. Later, the task is always started at the calculated start
time. However, when task settings are edited or the task is started manually, the calculated value of the
task start time changes.
If this option is disabled, the task starts on client devices according to the schedule.

Use randomized delay for task starts within an interval of (min)


If this option is enabled, the task is started on client devices randomly within the specified time interval.
A distributed task start helps to avoid a large number of simultaneous requests by client devices to the
Administration Server when a scheduled task is running.
If this option is disabled, the task starts on client devices according to the schedule.
By default, this option is disabled. The default time interval is one minute.

6. On the De ne the task name page of the Wizard, specify the name for the task that you are creating. A task
name cannot be more than 100 characters long and cannot include any special characters ("*<>?\:|).

7. On the Finish task creation page of the Wizard, click the Finish button to close the Wizard.
If you want the task to start as soon as the Wizard finishes, select the Run the task after the Wizard finishes
check box.

After the Wizard completes its operation, the Find vulnerabilities and required updates task appears in the list of
tasks in the Managed devices folder, on the Tasks tab.

In addition to the settings that you specify during task creation, you can change other properties of a created
task.

When the Find vulnerabilities and required updates task is complete, Administration Server displays a list of
vulnerabilities found in applications installed on the device; it also displays all software updates required to fix the
vulnerabilities detected.

If the task results contain the 0x80240033 "Windows Update Agent error 80240033 ("License terms could
not be downloaded.")" error, you can resolve this issue through the Windows Registry.

Administration Server does not display the list of required software updates when you sequentially run two
tasks—the Perform Windows Update synchronization task that has the Download express installation files
option disabled, and then the Find vulnerabilities and required updates task. In order to view the list of required
software updates, you must run the Find vulnerabilities and required updates task again.

Network Agent receives information about any available Windows updates and other Microsoft product updates
from Windows Update or the Administration Server, if the Administration Server acts as the WSUS server.
Information is transmitted when applications are started (if this is provided for by the policy) and at each routine
run of the Find vulnerabilities and required updates task on client devices.

You can find the details of third-party software that can be updated through Kaspersky Security Center by visiting
the Technical Support website, on the Kaspersky Security Center page, in the Server Management section.

Fixing vulnerabilities in applications


If you have selected Find and install required updates on the Update management settings page of the Quick
Start Wizard, the Install required updates and fix vulnerabilities task is created automatically. The task is
displayed in the workspace of the Managed devices folder, on the Tasks tab.

Otherwise, you can do any of the following:

Create a task for fixing vulnerabilities by installing available updates.


Add a rule for fixing a vulnerability to an existing vulnerability fix task.

A user interaction may be required when you update a third-party application or fix a vulnerability in a
third-party application on a managed device. For example, the user may be prompted to close the third-party
application if it's currently open.

Fixing vulnerabilities by creating a vulnerability fix task

You can do any of the following:

Create a task for fixing multiple vulnerabilities that meet certain rules.

Select a vulnerability and create a task for fixing it and similar vulnerabilities.

To fix vulnerabilities that meet certain rules:

1. In the console tree, select the Administration Server of the devices on which you want to fix vulnerabilities.

2. In the View menu of the main application window, select Configure interface.

3. In the window that opens, select the Display Vulnerability and Patch Management check box, and then click
OK.

4. In the window with the application message, click OK.

5. Restart the Administration Console so that the changes take effect.

6. In the console tree, select the Managed devices folder.

7. In the workspace, select the Tasks tab.

8. Click the Create a task button to run the Add Task Wizard. Follow the steps of the Wizard.

9. On the Select the task type page of the Wizard, select the Install required updates and fix vulnerabilities task.
If the task is not displayed, check whether your account has the Read, Modify, and Execute rights for the
System management: Vulnerability and patch management functional area. You cannot create and configure
the Install required updates and fix vulnerabilities task without these access rights.

10. On the Settings page of the Wizard, specify the task settings as follows:

Specify rules for installing updates

These rules are applied to installation of updates on client devices. If rules are not specified, the task
has nothing to perform. For information about operations with rules, refer to Rules for update
installation.

Start installation at device restart or shutdown

If this option is enabled, updates are installed when the device is restarted or shut down. Otherwise,
updates are installed according to a schedule.
Use this option if installing the updates might affect the device performance.
By default, this option is disabled.

Install required general system components

If this option is enabled, before installing an update the application automatically installs all general
system components (prerequisites) that are required to install the update. For example, these
prerequisites can be operating system updates.
If this option is disabled, you may have to install the prerequisites manually.
By default, this option is disabled.

Allow installation of new application versions during updates

If this option is enabled, updates are allowed when they result in installation of a new version of a
software application.
If this option is disabled, the software is not upgraded. You can then install new versions of the software
manually or through another task. For example, you may use this option if your company infrastructure
is not supported by a new software version or if you want to check an upgrade in a test infrastructure.
By default, this option is enabled.

Upgrading an application may cause malfunction of dependent applications installed on client
devices.

Download updates to the device without installing them

If this option is enabled, the application downloads updates to the device but does not install them
automatically. You can then Install downloaded updates manually.
Microsoft updates are downloaded to the system Windows storage. Updates of third-party
applications (applications made by software vendors other than Kaspersky and Microsoft) are
downloaded to the folder specified in the Folder for downloading updates field.
If this option is disabled, the updates are installed to the device automatically.
By default, this option is disabled.

Folder for downloading updates

This folder is used to download updates of third-party applications (applications made by software
vendors other than Kaspersky and Microsoft).

Enable advanced diagnostics

If this feature is enabled, Network Agent writes traces even if tracing is disabled for Network Agent in
Kaspersky Security Center Remote Diagnostics Utility. Traces are written to two files in turn; the total
size of both files is determined by the Maximum size, in MB, of advanced diagnostics files value. When
both files are full, Network Agent starts writing to them again. The files with traces are stored in the
%WINDIR%\Temp folder. These files are accessible in the remote diagnostics utility; you can download
or delete them there.
If this feature is disabled, Network Agent writes traces according to the settings in Kaspersky Security
Center Remote Diagnostics Utility. No additional traces are written.
When creating a task, you do not have to enable advanced diagnostics. You may want to use this
feature later if, for example, a task run fails on some of the devices and you want to get additional
information during another task run.
By default, this option is disabled.

Maximum size, in MB, of advanced diagnostics files

The default value is 100 MB, and available values are between 1 MB and 2048 MB. You may be asked
to change the default value by Kaspersky Technical Support specialists when information in the
advanced diagnostics files sent by you is not enough to troubleshoot the problem.

11. On the Selecting an operating system restart option page of the Wizard, select the action to perform when
the operating system on client devices must be restarted after the operation:

Do not restart the device

Client devices are not restarted automatically after the operation. To complete the operation, you must
restart a device (for example, manually or through a device management task). Information about the
required restart is saved in the task results and in the device status. This option is suitable for tasks on
servers and other devices where continuous operation is critical.

Restart the device

Client devices are always restarted automatically if a restart is required for completion of the
operation. This option is useful for tasks on devices that provide for regular pauses in their operation
(shutdown or restart).

Prompt user for action

The restart reminder is displayed on the screen of the client device, prompting the user to restart it
manually. Some advanced settings can be defined for this option: text of the message for the user, the
message display frequency, and the time interval after which a restart will be forced (without the user's
confirmation). This option is most suitable for workstations where users must be able to select the
most convenient time for a restart.
By default, this option is selected.

Repeat prompt every (min)

If this option is enabled, the application prompts the user to restart the operating system with the
specified frequency.
By default, this option is enabled. The default interval is 5 minutes. Available values are between 1 and
1440 minutes.
If this option is disabled, the prompt is displayed only once.

Restart after (min)

After prompting the user, the application forces restart of the operating system upon expiration of
the specified time interval.
By default, this option is enabled. The default delay is 30 minutes. Available values are between 1 and
1440 minutes.

Force closure of applications in blocked sessions

Running applications may prevent a restart of the client device. For example, if a document is being
edited in a word processing application and is not saved, the application does not allow the device to
restart.
If this option is enabled, such applications on a locked device are forced to close before the device
restart. As a result, users may lose their unsaved changes.
If this option is disabled, a locked device is not restarted. The task status on this device states that a
device restart is required. Users have to manually close all applications running on locked devices and
restart these devices.
By default, this option is disabled.

12. On the Configure task schedule page of the Wizard, you can create a schedule for task start. If necessary,
specify the following settings:

Scheduled start:

Select the schedule according to which the task runs, and configure the selected schedule.

Every N hours

The task runs regularly, with the specified interval in hours, starting from the specified date and time.
By default, the task runs every six hours, starting from the current system date and time.

Every N days

The task runs regularly, with the specified interval in days. Additionally, you can specify a date and
time of the first task run. These additional options become available if they are supported by the
application for which you create the task.
By default, the task runs every day, starting from the current system date and time.

Every N weeks

The task runs regularly, with the specified interval in weeks, on the specified day of week and at the
specified time.
By default, the task runs every Monday at the current system time.

Every N minutes

The task runs regularly, with the specified interval in minutes, starting from the specified time on the
day that the task is created.
By default, the task runs every 30 minutes, starting from the current system time.

Daily (daylight saving time is not supported)

The task runs regularly, with the specified interval in days. This schedule does not support
observance of daylight saving time (DST). It means that when clocks jump one hour forward or
backward at the beginning or ending of DST, the actual task start time does not change.
We do not recommend that you use this schedule. It is needed for backward compatibility of
Kaspersky Security Center.
By default, the task starts every day at the current system time.

Weekly

The task runs every week on the specified day and at the specified time.

By days of week

The task runs regularly, on the specified days of week, at the specified time.
By default, the task runs every Friday at 6:00:00 PM.

Monthly

The task runs regularly, on the specified day of the month, at the specified time.
In months that lack the specified day, the task runs on the last day.
By default, the task runs on the first day of each month, at the current system time.

Manually

The task does not run automatically. You can only start it manually.
By default, this option is enabled.

Every month on specified days of selected weeks

The task runs regularly, on the specified days of each month, at the specified time.
By default, no days of month are selected; the default start time is 6:00:00 PM.

On virus outbreak

The task runs after a Virus outbreak event occurs. Select application types that will monitor virus
outbreaks. The following application types are available:
Anti-virus for workstations and file servers

Anti-virus for perimeter defense

Anti-virus for mail systems

By default, all application types are selected.
You may want to run different tasks depending on the anti-virus application type that reports a virus
outbreak. In this case, remove the selection of the application types that you do not need.

On completing another task

The current task starts after another task completes. You can select how the previous task must
complete (successfully or with error) to trigger the start of the current task. For example, you may
want to run the Manage devices task with the Turn on the device option and, after it completes, run
the Virus scan task.

Run missed tasks

This option determines the behavior of a task if a client device is not visible on the network when the
task is about to start.
If this option is enabled, the system attempts to start the task the next time the Kaspersky application
is run on the client device. If the task schedule is Manually, Once or Immediately, the task is started
immediately after the device becomes visible on the network or immediately after the device is
included in the task scope.
If this option is disabled, only scheduled tasks run on client devices; for Manually, Once and
Immediately, tasks run only on those client devices that are visible on the network. For example, you
may want to disable this option for a resource-consuming task that you want to run only outside of
business hours.
By default, this option is enabled.

Use automatically randomized delay for task starts

If this option is enabled, the task is started on client devices randomly within a specified time interval,
that is, distributed task start. A distributed task start helps to avoid a large number of simultaneous
requests by client devices to the Administration Server when a scheduled task is running.
The distributed start time is calculated automatically when a task is created, depending on the number
of client devices to which the task is assigned. Later, the task is always started on the calculated start
time. However, when task settings are edited or the task is started manually, the calculated value of the
task start time changes.
If this option is disabled, the task starts on client devices according to the schedule.

Use randomized delay for task starts within an interval of (min)

If this option is enabled, the task is started on client devices randomly within the specified time interval.
A distributed task start helps to avoid a large number of simultaneous requests by client devices to the
Administration Server when a scheduled task is running.
If this option is disabled, the task starts on client devices according to the schedule.
By default, this option is disabled. The default time interval is one minute.

13. On the Define the task name page of the Wizard, specify the name for the task that you are creating. A task
name cannot be more than 100 characters long and cannot include any special characters ("*<>?\:|).

14. On the Finish task creation page of the Wizard, click the Finish button to close the Wizard.
If you want the task to start as soon as the Wizard finishes, select the Run the task after the Wizard finishes
check box.

After the Wizard completes its operation, the Install required updates and fix vulnerabilities task is created
and displayed in the Tasks folder.

In addition to the settings that you specify during task creation, you can change other properties of a created
task.

If the task results contain the 0x80240033 "Windows Update Agent error 80240033 ("License terms could
not be downloaded.")" error, you can resolve this issue through the Windows Registry.

To fix a specific vulnerability and similar ones:

1. In the Advanced → Application management folder in the console tree, select the Software vulnerabilities
subfolder.

2. Select the vulnerability that you want to fix.

3. Click the Run Vulnerability Fix Wizard button.

The Vulnerability Fix Wizard starts.

The Vulnerability Fix Wizard features are only available under the Vulnerability and Patch Management
license.

Follow the steps of the Wizard.

4. In the Search for existing vulnerability fix tasks window, specify the following parameters:

Show only tasks that fix this vulnerability

If this option is enabled, the Vulnerability Fix Wizard searches for existing tasks that fix the selected
vulnerability.
If this option is disabled or if the search yields no applicable tasks, the Vulnerability Fix Wizard prompts
you to create a rule or task for fixing the vulnerability.
By default, this option is enabled.

Approve updates that fix this vulnerability

Updates that fix a vulnerability will be approved for installation. Enable this option if some applied rules
of update installation only allow the installation of approved updates.
By default, this option is disabled.

5. If you choose to search for existing vulnerability fix tasks and if the search retrieves some tasks, you can view
properties of these tasks or start them manually. No further actions are required.
Otherwise, click the New vulnerability fix task button.

6. Select the type of the vulnerability fix rule to be added to the new task, and then click the Finish button.

7. Make your choice in the displayed prompt about installing all previous application updates. Click Yes if you agree
to the installation of successive application versions incrementally if this is required for installing the selected
updates. Click No if you want to update applications in a straightforward fashion, without installing successive
versions. If installing the selected updates is not possible without installing previous versions of applications,
the updating of the application fails.
The Updates Installation and Vulnerabilities Fix Task Creation Wizard starts. Follow the steps of the Wizard.

8. On the Selecting an operating system restart option page of the Wizard, select the action to perform when
the operating system on client devices must be restarted after the operation:

Do not restart the device

Client devices are not restarted automatically after the operation. To complete the operation, you must
restart a device (for example, manually or through a device management task). Information about the
required restart is saved in the task results and in the device status. This option is suitable for tasks on
servers and other devices where continuous operation is critical.

Restart the device

Client devices are always restarted automatically if a restart is required for completion of the
operation. This option is useful for tasks on devices that provide for regular pauses in their operation
(shutdown or restart).

Prompt user for action

The restart reminder is displayed on the screen of the client device, prompting the user to restart it
manually. Some advanced settings can be defined for this option: text of the message for the user, the
message display frequency, and the time interval after which a restart will be forced (without the user's
confirmation). This option is most suitable for workstations where users must be able to select the
most convenient time for a restart.
By default, this option is selected.

Repeat prompt every (min)

If this option is enabled, the application prompts the user to restart the operating system with the
specified frequency.
By default, this option is enabled. The default interval is 5 minutes. Available values are between 1 and
1440 minutes.
If this option is disabled, the prompt is displayed only once.

Restart after (min)

After prompting the user, the application forces restart of the operating system upon expiration of
the specified time interval.
By default, this option is enabled. The default delay is 30 minutes. Available values are between 1 and
1440 minutes.

Force closure of applications in blocked sessions

Running applications may prevent a restart of the client device. For example, if a document is being
edited in a word processing application and is not saved, the application does not allow the device to
restart.
If this option is enabled, such applications on a locked device are forced to close before the device
restart. As a result, users may lose their unsaved changes.
If this option is disabled, a locked device is not restarted. The task status on this device states that a
device restart is required. Users have to manually close all applications running on locked devices and
restart these devices.
By default, this option is disabled.

9. On the Select devices to which the task will be assigned page of the Wizard, select one of the following
options:

Select networked devices detected by Administration Server

The task is assigned to specific devices. The specific devices can include devices in administration
groups as well as unassigned devices.
For example, you may want to use this option in a task of installing Network Agent on unassigned
devices.

Specify device addresses manually or import addresses from a list

You can specify NetBIOS names, DNS names, IP addresses, and IP subnets of devices to which you
want to assign the task.
You may want to use this option to execute a task for a specific subnet. For example, you may want to
install a certain application on devices of accountants or to scan devices in a subnet that is probably
infected.

Assign task to a device selection

The task is assigned to devices included in a device selection. You can specify one of the existing
selections.
For example, you may want to use this option to run a task on devices with a specific operating system
version.

Assign task to an administration group

The task is assigned to devices included in an administration group. You can specify one of the existing
groups or create a new one.
For example, you may want to use this option to run a task of sending a message to users if the
message is specific for devices included in a specific administration group.

10. On the Configure task schedule page of the Wizard, you can create a schedule for task start. If necessary,
specify the following settings:

Scheduled start:

Select the schedule according to which the task runs, and configure the selected schedule.

Every N hours

The task runs regularly, with the specified interval in hours, starting from the specified date and time.
By default, the task runs every six hours, starting from the current system date and time.

Every N days

The task runs regularly, with the specified interval in days. Additionally, you can specify a date and
time of the first task run. These additional options become available if they are supported by the
application for which you create the task.
By default, the task runs every day, starting from the current system date and time.

Every N weeks

The task runs regularly, with the specified interval in weeks, on the specified day of week and at the
specified time.
By default, the task runs every Monday at the current system time.

Every N minutes

The task runs regularly, with the specified interval in minutes, starting from the specified time on the
day that the task is created.
By default, the task runs every 30 minutes, starting from the current system time.

Daily (daylight saving time is not supported)

The task runs regularly, with the specified interval in days. This schedule does not support
observance of daylight saving time (DST). It means that when clocks jump one hour forward or
backward at the beginning or ending of DST, the actual task start time does not change.
We do not recommend that you use this schedule. It is needed for backward compatibility of
Kaspersky Security Center.
By default, the task starts every day at the current system time.

Weekly

The task runs every week on the specified day and at the specified time.

By days of week

The task runs regularly, on the specified days of week, at the specified time.
By default, the task runs every Friday at 6:00:00 PM.

Monthly

The task runs regularly, on the specified day of the month, at the specified time.
In months that lack the specified day, the task runs on the last day.
By default, the task runs on the first day of each month, at the current system time.

Manually

The task does not run automatically. You can only start it manually.
By default, this option is enabled.

Every month on specified days of selected weeks

The task runs regularly, on the specified days of each month, at the specified time.
By default, no days of month are selected; the default start time is 6:00:00 PM.

On virus outbreak

The task runs after a Virus outbreak event occurs. Select application types that will monitor virus
outbreaks. The following application types are available:
Anti-virus for workstations and file servers

Anti-virus for perimeter defense

Anti-virus for mail systems

By default, all application types are selected.
You may want to run different tasks depending on the anti-virus application type that reports a virus
outbreak. In this case, remove the selection of the application types that you do not need.

On completing another task

The current task starts after another task completes. You can select how the previous task must
complete (successfully or with error) to trigger the start of the current task. For example, you may
want to run the Manage devices task with the Turn on the device option and, after it completes, run
the Virus scan task.

Run missed tasks

This option determines the behavior of a task if a client device is not visible on the network when the
task is about to start.
If this option is enabled, the system attempts to start the task the next time the Kaspersky application
is run on the client device. If the task schedule is Manually, Once or Immediately, the task is started
immediately after the device becomes visible on the network or immediately after the device is
included in the task scope.
If this option is disabled, only scheduled tasks run on client devices; for Manually, Once and
Immediately, tasks run only on those client devices that are visible on the network. For example, you
may want to disable this option for a resource-consuming task that you want to run only outside of
business hours.
By default, this option is enabled.

Use automatically randomized delay for task starts

If this option is enabled, the task is started on client devices randomly within a specified time interval,
that is, distributed task start. A distributed task start helps to avoid a large number of simultaneous
requests by client devices to the Administration Server when a scheduled task is running.
The distributed start time is calculated automatically when a task is created, depending on the number
of client devices to which the task is assigned. Later, the task is always started on the calculated start
time. However, when task settings are edited or the task is started manually, the calculated value of the
task start time changes.
If this option is disabled, the task starts on client devices according to the schedule.

Use randomized delay for task starts within an interval of (min)

If this option is enabled, the task is started on client devices randomly within the specified time interval.
A distributed task start helps to avoid a large number of simultaneous requests by client devices to the
Administration Server when a scheduled task is running.
If this option is disabled, the task starts on client devices according to the schedule.
By default, this option is disabled. The default time interval is one minute.
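The schedule semantics described under Configure task schedule (step 12 of the rule-based procedure and step 10 of the single-vulnerability procedure above) can be checked in code. The following Python is an added example, not Kaspersky code: it computes run times for Every N hours, Monthly (last-day clamping), Daily without DST support, and the randomized start delay, using a constructed EU-style DST rule and constructed dates.

```python
"""Added example, not Kaspersky code: models the next-run computation for some
of the task schedules described in this section. Semantics are taken from the
text; the EU-style DST rule and all sample dates are constructed."""
from __future__ import annotations

import calendar
import random
from datetime import date, datetime, timedelta, timezone

UTC = timezone.utc


def last_sunday(year: int, month: int) -> date:
    """Date of the last Sunday in the given month (Monday == 0, Sunday == 6)."""
    last_day = calendar.monthrange(year, month)[1]
    d = date(year, month, last_day)
    return d - timedelta(days=(d.weekday() - 6) % 7)


def local_offset(utc_dt: datetime) -> timedelta:
    """Constructed EU-style rule: UTC+2 from the last Sunday of March 01:00 UTC
    until the last Sunday of October 01:00 UTC, otherwise UTC+1."""
    y = utc_dt.year
    start = last_sunday(y, 3)
    end = last_sunday(y, 10)
    dst_start = datetime(start.year, start.month, start.day, 1, tzinfo=UTC)
    dst_end = datetime(end.year, end.month, end.day, 1, tzinfo=UTC)
    return timedelta(hours=2) if dst_start <= utc_dt < dst_end else timedelta(hours=1)


def to_local(utc_dt: datetime) -> datetime:
    """Naive wall-clock time for a UTC instant under the toy zone."""
    return (utc_dt + local_offset(utc_dt)).replace(tzinfo=None)


def to_utc(local_naive: datetime) -> datetime:
    """Naive wall-clock time -> UTC instant under the toy zone. The offset is
    looked up two hours earlier so the result is right except in the one
    ambiguous hour at the autumn change, which this example ignores."""
    guess = local_naive.replace(tzinfo=UTC)
    return guess - local_offset(guess - timedelta(hours=2))


def daily_without_dst(first_start_local: datetime, count: int) -> list[datetime]:
    """'Daily (daylight saving time is not supported)': the gap between runs is a
    fixed 24 hours, so the UTC instant repeats exactly and the local wall-clock
    start drifts by an hour after the clocks change."""
    first_utc = to_utc(first_start_local)
    return [to_local(first_utc + timedelta(days=i)) for i in range(count)]


def every_n_hours(first_start: datetime, n: int, count: int) -> list[datetime]:
    """'Every N hours': runs at the start time and every n hours after it."""
    return [first_start + timedelta(hours=n * i) for i in range(count)]


def monthly(first_month: date, day_of_month: int, at: timedelta,
            count: int) -> list[datetime]:
    """'Monthly': runs on day_of_month; a month that lacks that day runs on its last day."""
    runs = []
    y, m = first_month.year, first_month.month
    for _ in range(count):
        last = calendar.monthrange(y, m)[1]
        runs.append(datetime(y, m, min(day_of_month, last)) + at)
        y, m = (y + 1, 1) if m == 12 else (y, m + 1)
    return runs


def randomized_start(scheduled: datetime, interval_min: int,
                     rng: random.Random) -> datetime:
    """'Use randomized delay for task starts within an interval of (min)': each
    device starts at the scheduled time plus a random delay inside the interval,
    which spreads the load on the Administration Server."""
    return scheduled + timedelta(seconds=rng.uniform(0, interval_min * 60))


if __name__ == "__main__":
    # Constructed start: Friday 27 Oct 2023 08:00 local, two days before the DST end.
    for run in daily_without_dst(datetime(2023, 10, 27, 8, 0), 4):
        print(run)  # wall-clock start slips from 08:00 to 07:00 from 29 Oct on
    for run in monthly(date(2024, 1, 1), 31, timedelta(hours=18), 4):
        print(run)  # 31 Jan, 29 Feb (leap year), 31 Mar, 30 Apr
```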

11. On the Define the task name page of the Wizard, specify the name for the task that you are creating. A task
name cannot be more than 100 characters long and cannot include any special characters ("*<>?\:|).

12. On the Finish task creation page of the Wizard, click the Finish button to close the Wizard.
If you want the task to start as soon as the Wizard finishes, select the Run the task after the Wizard finishes
check box.

When the Wizard completes, the Install required updates and fix vulnerabilities task is created and displayed in
the Tasks folder.

In addition to the settings that you specify during task creation, you can change other properties of a created
task.

Fixing a vulnerability by adding a rule to an existing vulnerability fix task

To fix a vulnerability by adding a rule to an existing vulnerability fix task:

1. In the Advanced → Application management folder in the console tree, select the Software vulnerabilities
subfolder.

2. Select the vulnerability that you want to fix.

3. Click the Run Vulnerability Fix Wizard button.

The Vulnerability Fix Wizard starts.

The Vulnerability Fix Wizard features are only available under the Vulnerability and Patch Management
license.

Follow the steps of the Wizard.

4. In the Search for existing vulnerability fix tasks window, specify the following parameters:

Show only tasks that fix this vulnerability

If this option is enabled, the Vulnerability Fix Wizard searches for existing tasks that fix the selected
vulnerability.
If this option is disabled or if the search yields no applicable tasks, the Vulnerability Fix Wizard prompts
you to create a rule or task for fixing the vulnerability.
By default, this option is enabled.

Approve updates that fix this vulnerability

Updates that fix a vulnerability will be approved for installation. Enable this option if some applied rules
of update installation only allow the installation of approved updates.
By default, this option is disabled.

5. If you choose to search for existing vulnerability fix tasks and if the search retrieves some tasks, you can view
properties of these tasks or start them manually. No further actions are required.
Otherwise, click the Add vulnerability fix rule to existing task button.

6. Select the task to which you want to add a rule, and then click the Add rule button.
Also, you can view properties of the existing tasks, start them manually, or create a new task.

7. Select the type of rule to be added to the selected task, and then click the Finish button.

8. Make your choice in the displayed prompt about installing all previous application updates. Click Yes if you agree
to the installation of successive application versions incrementally if this is required for installing the selected
updates. Click No if you want to update applications in a straightforward fashion, without installing successive
versions. If installing the selected updates is not possible without installing previous versions of applications,
the updating of the application fails.

A new rule for fixing the vulnerability is added to the existing Install required updates and fix vulnerabilities
task.

Fixing vulnerabilities in an isolated network


This section describes the steps that you can take to fix third-party software vulnerabilities on managed devices
connected to Administration Servers that do not have internet access.

Scenario: Fixing third-party software vulnerabilities in an isolated network


You can install updates and fix vulnerabilities of the third-party software installed on managed devices in an isolated network. Such networks include Administration Servers and managed devices connected to them that have no internet access. To fix vulnerabilities in this kind of network, you need an Administration Server connected to the internet. Then, you will be able to download patches (required updates) by using the Administration Server with internet access, and then transmit the patches to isolated Administration Servers.

You can download the third-party software updates issued by software vendors, but you cannot download updates for Microsoft software on isolated Administration Servers by using Kaspersky Security Center.

To find out how the process of fixing vulnerabilities in an isolated network works, see the description and scheme of this process.

Prerequisites

Before you start, do the following:

1. Allocate one device for connecting to the internet and downloading patches. This device will be counted as the
Administration Server with internet access.

2. Install Kaspersky Security Center, no earlier than version 14, on the following devices:

Allocated device, which will act as the Administration Server with internet access

Isolated devices, which will act as the Administration Servers isolated from the internet (hereinafter referred
to as isolated Administration Servers)

3. Make sure that every Administration Server has enough disk space for downloading and storing updates and
patches.

Stages

Installing updates and fixing third-party software vulnerabilities on managed devices of isolated Administration Servers has the following stages:

1 Configuring the Administration Server with internet access

Prepare your Administration Server with internet access to handle requests on required third-party software updates and to download patches.

2 Configuring isolated Administration Servers

Prepare your isolated Administration Servers so they can regularly form lists of required updates and handle patches downloaded by the Administration Server with internet access. After configuring, isolated Administration Servers do not try to download patches from the internet anymore. Instead, they get updates through patches.

3 Transmitting patches and installing updates on isolated Administration Servers

After you finished configuring Administration Servers, you can transmit the required updates lists and patches between the Administration Server with internet access and isolated Administration Servers. Next, updates from patches will be installed on managed devices by using the Install required updates and fix vulnerabilities task.

Results

Thus, the third-party software updates are transmitted to isolated Administration Servers and installed on connected managed devices by using Kaspersky Security Center. It is enough to configure Administration Servers once, and after that you can get updates as often as you need, for example, once or several times per day.

About fixing third-party software vulnerabilities in an isolated network

The process of fixing third-party software vulnerabilities in an isolated network is shown in the figure and described below. You can repeat this process periodically.

Figure: The process of transmitting patches and the list of required updates between the Administration Server with internet access and isolated Administration Servers

Every Administration Server isolated from the internet (hereinafter referred to as an isolated Administration Server) generates a list of updates that are required to be installed on managed devices connected to this Administration Server. The list of required updates is stored in a specific folder and presents a set of binary files. Each file has a name that contains the ID of the patch with the required update. As a result, every file in the list points to a specific patch.

By using an external device, you transfer the list of required updates from the isolated Administration Server to the allocated Administration Server with internet access. After that, the allocated Administration Server downloads patches from the internet and puts them in a separate folder.

When all patches are downloaded and located in the special folder for them, you move the patches to every isolated Administration Server from which you took a list of required updates. You save patches to the folder created especially for them on the isolated Administration Server. As a result, the Install required updates and fix vulnerabilities task runs patches and installs updates on managed devices of the isolated Administration Servers.

Configuring the Administration Server with internet access to fix vulnerabilities in an isolated network

To prepare for fixing vulnerabilities and transmitting patches in an isolated network, first configure an Administration Server with internet access, and then configure the isolated Administration Servers.

To configure an Administration Server with internet access:

1. Create two folders on a disk where Administration Server is installed:

Folder for the list of required updates

Folder for patches

You can name these folders whatever you like.

2. Grant the Modify access rights to the KLAdmins group in the created folders, by using the standard administrative tools of the operating system.

3. Use the klscflag utility to write the paths to the folders in the Administration Server properties.
Run the Windows command prompt by using administrator rights, and then change your current directory to the directory with the klscflag utility. The klscflag utility is located in the folder where Administration Server is installed. The default installation path is <Disk>:\Program Files (x86)\Kaspersky Lab\Kaspersky Security Center.

4. Enter the following commands at the Windows command prompt:

To set the path to the folder for patches:
klscflag -fset -pv klserver -n VAPM_DATA_EXPORT_PATH -t s -v "<path to the folder>"

To set the path to the folder for the list of required updates:
klscflag -fset -pv klserver -n VAPM_REQ_IMPORT_PATH -t s -v "<path to the folder>"

Example: klscflag -fset -pv klserver -n VAPM_DATA_EXPORT_PATH -t s -v "C:\FolderForPatches"

5. [Optional] Use the klscflag utility to specify how often the Administration Server should check for new patch requests:
klscflag -fset -pv klserver -n VAPM_DATA_EXPORT_PERIOD_SEC -t d -v <value in seconds>
The default value is 120 seconds.
Example: klscflag -fset -pv klserver -n VAPM_DATA_EXPORT_PERIOD_SEC -t d -v 150

6. Restart the Administration Server service.

Now, the Administration Server with internet access is ready to download and transmit updates to isolated Administration Servers. Before you start fixing vulnerabilities, configure the isolated Administration Servers.

Configuring isolated Administration Servers to fix vulnerabilities in an isolated network

After you finished configuring the Administration Server with internet access, prepare every isolated Administration Server in your network, so you can fix vulnerabilities and install updates on managed devices connected to isolated Administration Servers.

To configure isolated Administration Servers, perform the following actions on every Administration Server:

1. Activate a license key for the Vulnerability and Patch Management (VAPM) feature.

2. Create two folders on a disk where Administration Server is installed:

Folder where the list of required updates will appear

Folder for patches

You can name these folders whatever you like.

3. Grant the Modify permission to the KLAdmins group in the created folders, by using the standard administrative tools of the operating system.

4. Use the klscflag utility to write the paths to the folders in the Administration Server properties.
Run the Windows command prompt by using administrator rights, and then change your current directory to the directory with the klscflag utility. The klscflag utility is located in the folder where Administration Server is installed. The default installation path is <Disk>:\Program Files (x86)\Kaspersky Lab\Kaspersky Security Center.

5. Enter the following commands at the Windows command prompt:

To set the path to the folder for patches:
klscflag -fset -pv klserver -n VAPM_DATA_IMPORT_PATH -t s -v "<path to the folder>"

To set the path to the folder for the list of required updates:
klscflag -fset -pv klserver -n VAPM_REQ_EXPORT_PATH -t s -v "<path to the folder>"

Example: klscflag -fset -pv klserver -n VAPM_DATA_IMPORT_PATH -t s -v "C:\FolderForPatches"

6. [Optional] Use the klscflag utility to specify how often the isolated Administration Server should check for new patches:
klscflag -fset -pv klserver -n VAPM_DATA_IMPORT_PERIOD_SEC -t d -v <value in seconds>
The default value is 120 seconds.
Example: klscflag -fset -pv klserver -n VAPM_DATA_IMPORT_PERIOD_SEC -t d -v 150

7. [Optional] Use the klscflag utility to calculate the SHA-256 hashes of patches:
klscflag -fset -pv klserver -n VAPM_DATA_IMPORT_VERIFY_HASH -t d -v 1
If you enter this command, you can make sure that the patches have not been modified during their transfer to the isolated Administration Server and that you have received the correct patches containing the required updates.

By default, Kaspersky Security Center does not calculate the SHA-256 hashes of patches. If you enable this option, after the isolated Administration Server receives patches, Kaspersky Security Center computes their hashes and compares the acquired values with the hashes stored in the Administration Server database. If the calculated hash does not match the hash in the database, an error occurs and you have to replace the incorrect patches.

8. Create the Find vulnerabilities and required updates task and set the task schedule. Run the task if you want it to run earlier than it is specified in the task schedule.

9. Restart the Administration Server service.

After configuring all Administration Servers, you can move patches and lists of required updates, and fix third-party software vulnerabilities on managed devices in the isolated network.

Transmitting patches and installing updates in an isolated network

After you have finished configuring Administration Servers, you can transfer patches containing the required updates from the Administration Server with internet access to isolated Administration Servers. You can transmit and install updates as often as you need, for example, once or several times per day.

You need an external device, such as a removable drive, to transfer patches and the list of required updates between Administration Servers. Therefore, make sure that the external device has enough disk space for downloading and storing patches.

The process of transmitting patches and the list of required updates is shown in the figure and described below:

Figure: The process of transmitting patches and the list of required updates between the Administration Server with internet access and isolated Administration Servers

To install updates and fix vulnerabilities on managed devices connected to isolated Administration Servers:

1. Start the Install required updates and fix vulnerabilities task if it is not yet running.

2. Connect an external device to any isolated Administration Server.

3. Create two folders on the external device: one for the list of required updates and one for patches. You can name these folders whatever you like.
If you created these folders earlier, clear them.

4. Copy the list of required updates from every isolated Administration Server and paste this list into the folder for the list of required updates on the external device.
As a result, you unite all lists acquired from all isolated Administration Servers into one folder. This folder contains binary files with the IDs of patches required for all isolated Administration Servers.

5. Connect the external device to the Administration Server with internet access.

6. Copy the list of required updates from the external device and paste this list into the folder for the list of required updates on the Administration Server with internet access.
All required patches are automatically downloaded from the internet to the folder for patches on the Administration Server. This can take several hours.

7. Make sure that all required patches are downloaded. For this purpose, you can do one of the following:

Check the folder for patches on the Administration Server with internet access. All patches that were specified in the list of required updates should be downloaded to the necessary folder. This is more convenient if a small number of patches is required.

Prepare a special script, for example, a shell script. If you get a large number of patches, it will be difficult to check on your own that all patches have been downloaded. In such cases, it is better to automate the check.

8. Copy the patches from the Administration Server with internet access and paste them into the corresponding folder on your external device.

9. Transfer the patches to every isolated Administration Server. Put the patches into a specific folder for them.
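Step 7 suggests automating the check that every requested patch was actually downloaded. The following Python script is an added example, not part of Kaspersky Security Center: it compares the folder for the list of required updates with the folder for patches, and additionally writes a SHA-256 manifest before the patches go onto the removable drive so that a file altered in transit can be spotted on the isolated side (an extra check of your own, separate from the VAPM_DATA_IMPORT_VERIFY_HASH option). It assumes that each file in the required-updates folder is named after the patch ID it requests (the documentation only says the file name contains the ID) and that a downloaded patch file contains that same ID in its name; the folder contents and file names in demo() are constructed sample data.

```python
import hashlib
import tempfile
from pathlib import Path
from typing import Dict, Iterable, List

# Assumed naming (not confirmed by the documentation): a required-updates file
# "P-1001.bin" requests patch ID "P-1001"; the downloaded patch for it is any
# file in the patches folder whose name contains "P-1001", e.g. "P-1001_setup.exe".


def request_id(request_file: str) -> str:
    """Patch ID encoded in a required-updates file name (assumption: the file stem)."""
    return Path(request_file).stem


def missing_ids(request_files: Iterable[str], patch_files: Iterable[str]) -> List[str]:
    """Return, sorted, every requested patch ID for which no downloaded file exists."""
    patches = list(patch_files)
    wanted = {request_id(f) for f in request_files}
    return sorted(pid for pid in wanted if not any(pid in name for name in patches))


def missing_patches(required_dir: Path, patches_dir: Path) -> List[str]:
    """Folder-level check over the two folders registered with klscflag."""
    return missing_ids(
        (p.name for p in required_dir.iterdir() if p.is_file()),
        (p.name for p in patches_dir.iterdir() if p.is_file()),
    )


def sha256_manifest(patches_dir: Path) -> Dict[str, str]:
    """SHA-256 of each patch file; compute this before copying to the removable drive."""
    manifest: Dict[str, str] = {}
    for p in sorted(patches_dir.iterdir()):
        if not p.is_file():
            continue
        digest = hashlib.sha256()
        with p.open("rb") as fh:
            for chunk in iter(lambda: fh.read(1 << 20), b""):
                digest.update(chunk)
        manifest[p.name] = digest.hexdigest()
    return manifest


def verify_manifest(patches_dir: Path, manifest: Dict[str, str]) -> List[str]:
    """Names of patches that are missing or whose hash differs from the manifest."""
    current = sha256_manifest(patches_dir)
    return sorted(name for name, digest in manifest.items() if current.get(name) != digest)


def demo() -> dict:
    """Constructed sample: two requested patches, one downloaded, later altered in transit."""
    with tempfile.TemporaryDirectory() as tmp:
        required, patches = Path(tmp, "required"), Path(tmp, "patches")
        required.mkdir()
        patches.mkdir()
        (required / "P-1001.bin").write_bytes(b"\x00")          # constructed request files
        (required / "P-1002.bin").write_bytes(b"\x00")
        (patches / "P-1001_setup.exe").write_bytes(b"constructed patch bytes")
        missing = missing_patches(required, patches)          # P-1002 never arrived
        manifest = sha256_manifest(patches)                   # taken before transfer
        clean = verify_manifest(patches, manifest)            # nothing changed yet
        (patches / "P-1001_setup.exe").write_bytes(b"altered in transit")
        tampered = verify_manifest(patches, manifest)         # hash mismatch detected
    return {"missing": missing, "clean": clean, "tampered": tampered}


if __name__ == "__main__":
    print(demo())
```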

As a result, every isolated Administration Server creates an actual list of updates that are required for managed devices connected to the current Administration Server. After the Administration Server with internet access receives the list of required updates, the Administration Server downloads patches from the internet. When these patches appear on isolated Administration Servers, the Install required updates and fix vulnerabilities task handles the patches. Thus, updates are installed on managed devices and third-party software vulnerabilities are fixed.

When the Install required updates and fix vulnerabilities task is running, do not reboot the Administration Server device and do not run the Backup of Administration Server data task (it will also cause a reboot). As a result, the Install required updates and fix vulnerabilities task is interrupted, and updates are not installed. In this case, you have to restart this task manually or wait for the task to start according to the configured schedule.

Disabling the option to transmit patches and install updates in an isolated network

You can disable transmitting patches on isolated Administration Servers, for example, if you decided to take one or more Administration Servers out of an isolated network. Thus, you can reduce the number of patches and time to download them.

To disable the option to transmit patches on isolated Administration Servers:

1. If you want to take all Administration Servers out of isolation, in the properties of the Administration Server with internet access, delete the paths to the folders for patches and the list of required updates. If you want to keep some Administration Servers in an isolated network, skip this step.
Run the Windows command prompt by using administrator rights, and then change your current directory to the directory with the klscflag utility. The klscflag utility is located in the folder where Administration Server is installed. The default installation path is <Disk>:\Program Files (x86)\Kaspersky Lab\Kaspersky Security Center.
Enter the following commands at the command prompt:

To delete the path to the folder for patches:
klscflag -fset -pv klserver -n VAPM_DATA_EXPORT_PATH -t s -v ""

To delete the path to the folder for the list of required updates:
klscflag -fset -pv klserver -n VAPM_REQ_IMPORT_PATH -t s -v ""

2. Restart the Administration Server service if you deleted the paths to the folders on this Administration Server.

3. In the properties of every Administration Server that you want to take out of isolation, delete the paths to the folders for patches and the list of required updates.
Enter the following commands at the Windows command prompt, using administrator rights:

To delete the path to the folder for patches:
klscflag -fset -pv klserver -n VAPM_DATA_IMPORT_PATH -t s -v ""

To delete the path to the folder for the list of required updates:
klscflag -fset -pv klserver -n VAPM_REQ_EXPORT_PATH -t s -v ""

4. Restart the service of every Administration Server on which you deleted the paths to the folders.

As a result, if you reconfigured the Administration Server with internet access, you will no longer receive patches through Kaspersky Security Center. If you reconfigured only some isolated Administration Servers, for example, taking some of them out of the isolated network, you will get patches only for the remaining isolated Administration Servers.

If you want to start fixing vulnerabilities on disabled isolated Administration Servers in the future, you have to configure these Administration Servers and the Administration Server with internet access once again.

Ignoring software vulnerabilities

You can ignore software vulnerabilities to be fixed. The reasons to ignore software vulnerabilities might be, for example, the following:

You do not consider the software vulnerability critical to your organization.

You understand that the software vulnerability fix can damage data related to the software that required the vulnerability fix.

You are sure that the software vulnerability is not dangerous for your organization's network because you use other measures to protect your managed devices.

You can ignore a software vulnerability on all managed devices or only on selected managed devices.

To ignore a software vulnerability on all managed devices:

1. In the Advanced → Application management folder in the console tree, select the Software vulnerabilities subfolder.
The workspace of the folder displays a list of vulnerabilities in applications detected on devices by the Network Agent installed on them.

2. Select the vulnerability you want to ignore.

3. Select Properties from the context menu of the vulnerability.
The properties window of the vulnerability opens.

4. In the General section, select the Ignore vulnerability option.

5. Click OK.
The software vulnerability properties window is closed.

The software vulnerability is ignored on all managed devices.

To ignore a software vulnerability on the selected managed device:

1. Open the properties window of the selected managed device and select the Software vulnerabilities section.

2. Select a software vulnerability.

3. Ignore the selected vulnerability.

The software vulnerability is ignored on the selected device.

The ignored software vulnerability will not be fixed after completion of the Fix vulnerabilities task or Install required updates and fix vulnerabilities task. You can exclude ignored software vulnerabilities from the list of vulnerabilities by means of the filter.

Selecting user fixes for vulnerabilities in third-party software

To use the Fix vulnerabilities task, you must manually specify the software updates to fix the vulnerabilities in third-party software listed in the task settings. The Fix vulnerabilities task uses recommended fixes for Microsoft software and user fixes for other third-party software. User fixes are software updates to fix vulnerabilities that the administrator manually specifies for installation.

To select user fixes for vulnerabilities in third-party software:

1. In the Advanced → Application management folder in the console tree, select the Software vulnerabilities subfolder.
The workspace of the folder displays a list of vulnerabilities in applications detected on devices by the Network Agent installed on them.

2. Select the vulnerability for which you want to specify a user fix.

3. Select Properties from the context menu of the vulnerability.
The properties window of the vulnerability opens.

4. In the User fixes and other fixes section, click the Add button.
The list of available installation packages is displayed. The list of displayed installation packages corresponds to the Remote installation → Installation packages list. If you have not created an installation package containing a user fix for the selected vulnerability, you can create the package now by starting the New Package Wizard.

5. Select an installation package (or packages) containing a user fix (or user fixes) for the vulnerability in third-party software.

6. Click OK.

The installation packages containing user fixes for the software vulnerability are specified. When the Fix vulnerabilities task is started, the installation package will be installed, and the software vulnerability will be fixed.

Rules for update installation

When fixing vulnerabilities in applications, you must specify rules for update installation. These rules determine updates to install and vulnerabilities to fix.

The exact settings depend on whether you create a rule for updates of Microsoft applications, of third-party applications (applications made by software vendors other than Kaspersky and Microsoft), or of all applications. When creating a rule for Microsoft applications or third-party applications, you can select specific applications and application versions for which you want to install updates. When creating a rule for all applications, you can select specific updates that you want to install and vulnerabilities that you want to fix by means of installing updates.

To create a new rule for updates of all applications:

1. On the Settings page of the Add Task Wizard, click the Add button.
The Rule Creation Wizard starts. Follow the steps of the Wizard.

2. On the Rule type page, select Rule for all updates.

3. On the General criteria page, use the drop-down lists to specify the following settings:

Set of updates to install

Select the updates that must be installed on client devices:

Install approved updates only. This installs only approved updates.

Install all updates (except declined). This installs updates with the Approved or Undefined approval status.

Install all updates (including declined). This installs all updates, regardless of their approval status. Select this option with caution. For example, use this option if you want to check installation of some declined updates in a test infrastructure.

Fix vulnerabilities with a severity level equal to or higher than

Sometimes software updates may impair the user experience with the software. In such cases, you may decide to install only those updates that are critical for the software operation and to skip other updates.
If this option is enabled, the updates fix only those vulnerabilities for which the severity level set by Kaspersky is equal to or higher than the value selected in the list (Medium, High, or Critical). Vulnerabilities with a severity level lower than the selected value are not fixed.
If this option is disabled, the updates fix all vulnerabilities regardless of their severity level.
By default, this option is disabled.

4. On the Updates page, select the updates to be installed:

Install all suitable updates

Install all software updates that meet the criteria specified on the General criteria page of the Wizard. Selected by default.

Install only updates from the list

Install only software updates that you select manually from the list. This list contains all available software updates.
For example, you may want to select specific updates in the following cases: to check their installation in a test environment, to update only critical applications, or to update only specific applications.

Automatically install all previous application updates that are required to install the selected updates

Keep this option enabled if you agree with the installation of interim application versions when this is required for installing the selected updates.
If this option is disabled, only the selected versions of applications are installed. Disable this option if you want to update applications in a straightforward manner, without attempting to install successive versions incrementally. If installing the selected updates is not possible without installing previous versions of applications, the updating of the application fails.
For example, you have version 3 of an application installed on a device and you want to update it to version 5, but version 5 of this application can be installed only over version 4. If this option is enabled, the software first installs version 4, and then installs version 5. If this option is disabled, the software fails to update the application.
By default, this option is enabled.

5. On the Vulnerabilities page, select vulnerabilities that will be fixed by installing the selected updates:

Fix all vulnerabilities that match other criteria

Fix all vulnerabilities that meet the criteria specified on the General criteria page of the Wizard. Selected by default.

Fix only vulnerabilities from the list

Fix only vulnerabilities that you select manually from the list. This list contains all detected vulnerabilities.
For example, you may want to select specific vulnerabilities in the following cases: to check their fix in a test environment, to fix vulnerabilities only in critical applications, or to fix vulnerabilities only in specific applications.

6. On the Name page, specify the name for the rule that you are creating. You can later change this name in the Settings section of the properties window of the created task.

After the Rule Creation Wizard completes its operation, the new rule is created and displayed in the Specify rules for installing updates field of the Add Task Wizard.

To create a new rule for updates of Microsoft applications:

1. On the Settings page of the Add Task Wizard, click the Add button.
The Rule Creation Wizard starts. Follow the steps of the Wizard.

2. On the Rule type page, select Rule for Windows Update.

3. On the General criteria page, specify the following settings:

Set of updates to install

Select the updates that must be installed on client devices:

Install approved updates only. This installs only approved updates.

Install all updates (except declined). This installs updates with the Approved or Undefined approval status.

Install all updates (including declined). This installs all updates, regardless of their approval status. Select this option with caution. For example, use this option if you want to check installation of some declined updates in a test infrastructure.

Fix vulnerabilities with a severity level equal to or higher than

Sometimes software updates may impair the user experience with the software. In such cases, you may decide to install only those updates that are critical for the software operation and to skip other updates.
If this option is enabled, the updates fix only those vulnerabilities for which the severity level set by Kaspersky is equal to or higher than the value selected in the list (Medium, High, or Critical). Vulnerabilities with a severity level lower than the selected value are not fixed.
If this option is disabled, the updates fix all vulnerabilities regardless of their severity level.
By default, this option is disabled.

Fix vulnerabilities with an MSRC severity level equal to or higher than

Sometimes software updates may impair the user experience with the software. In such cases, you may decide to install only those updates that are critical for the software operation and to skip other updates.
If this option is enabled, the updates fix only those vulnerabilities for which the severity level set by Microsoft Security Response Center (MSRC) is equal to or higher than the value selected in the list (Low, Medium, High, or Critical). Vulnerabilities with a severity level lower than the selected value are not fixed.
If this option is disabled, the updates fix all vulnerabilities regardless of their severity level.
By default, this option is disabled.

4. On the Applications page, select the applications and application versions for which you want to install updates. By default, all applications are selected.

5. On the Categories of updates page, select the categories of updates to be installed. These categories are the same as in Microsoft Update Catalog. By default, all categories are selected.

6. On the Name page, specify the name for the rule that you are creating. You can later change this name in the Settings section of the properties window of the created task.

After the Rule Creation Wizard completes its operation, the new rule is created and displayed in the Specify rules for installing updates field of the Add Task Wizard.

To create a new rule for updates of third-party applications:

1. On the Settings page of the Add Task Wizard, click the Add button.
The Rule Creation Wizard starts. Follow the steps of the Wizard.

2. On the Rule type page, select Rule for third-party updates.

3. On the General criteria page, specify the following settings:

Set of updates to install

Select the updates that must be installed on client devices:

Install approved updates only. This installs only approved updates.

Install all updates (except declined). This installs updates with the Approved or Undefined approval status.

Install all updates (including declined). This installs all updates, regardless of their approval status. Select this option with caution. For example, use this option if you want to check installation of some declined updates in a test infrastructure.

Fix vulnerabilities with a severity level equal to or higher than

Sometimes software updates may impair the user experience with the software. In such cases, you may decide to install only those updates that are critical for the software operation and to skip other updates.
If this option is enabled, the updates fix only those vulnerabilities for which the severity level set by Kaspersky is equal to or higher than the value selected in the list (Medium, High, or Critical). Vulnerabilities with a severity level lower than the selected value are not fixed.
If this option is disabled, the updates fix all vulnerabilities regardless of their severity level.
By default, this option is disabled.

4. On the Applications page, select the applications and application versions for which you want to install updates. By default, all applications are selected.

5. On the Name page, specify the name for the rule that you are creating. You can later change this name in the Settings section of the properties window of the created task.

After the Rule Creation Wizard completes its operation, the new rule is created and displayed in the Specify rules for installing updates field of the Add Task Wizard.

Groups of applications

This section describes how to manage groups of applications installed on devices.

Creating application categories

Kaspersky Security Center allows you to create categories of applications installed on devices.

Application categories can be created in one of the following ways:

The administrator specifies a folder in which executable files have been included in the selected category.

The administrator specifies a device from which executable files are to be included in the selected category.

The administrator sets criteria to be used to include applications in the selected category.

When an application category is created, the administrator can set rules for the application category. Rules define the behavior of applications included in the specified category. For example, you can block or allow startup of applications included in the category.

Managing applications run on devices

Kaspersky Security Center allows you to manage startup of applications on devices in Allowlist mode. For a detailed description, see Kaspersky Endpoint Security for Windows Online Help. While in Allowlist mode, on selected devices you can only start applications included in the specified categories. The administrator can view results of static analysis applied to rules of applications run on devices for each user.

Inventory of software installed on devices

Kaspersky Security Center allows you to perform inventory of software on devices running Windows. Network
Agent retrieves information about all applications installed on devices. Information retrieved during inventory is
displayed in the workspace of the Applications registry folder. The administrator can view detailed information
about any application, including its version and manufacturer.

The number of executable files received from a single device cannot exceed 150,000. Once this limit is reached,
Kaspersky Security Center stops receiving new files from that device.

Licensed applications group management

Kaspersky Security Center allows you to create licensed applications groups. A licensed applications group
includes applications that meet criteria set by the administrator. The administrator can specify the following
criteria for licensed applications groups:

Application name

Application version

Manufacturer

Application tag

Applications that meet one or several criteria are automatically included in a group. To create a licensed
applications group, you must set at least one criterion for including applications in this group.

Each licensed applications group has its own license key. The license key of a licensed applications group defines
the maximum allowed number of installations for applications included in this group. If the number of installations
has exceeded the limit set by the license key, an informational event is logged on Administration Server. The
administrator can specify an expiration date for the license key. When this date arrives, an informational event is
logged on Administration Server.

Viewing information about executable les

Kaspersky Security Center retrieves all information about executable files that have been run on devices since the
operating system was installed on them. Information about executable files is displayed in the main application
window, in the workspace of the Executable files folder.

Scenario: Application Management
You can manage application startup on user devices: you can allow or block applications from running on managed
devices. This functionality is provided by the Application Control component. You can manage applications installed
on Windows or Linux devices.

For Linux-based operating systems, Application Control component is available starting from Kaspersky
Endpoint Security 11.2 for Linux.

Prerequisites

Kaspersky Security Center is deployed in your organization.

The policy of Kaspersky Endpoint Security for Windows or Kaspersky Endpoint Security for Linux is created
and is active.

Stages

The Application Control usage scenario proceeds in stages:

1 Forming and viewing the list of applications on client devices

This stage helps you find out what applications are installed on managed devices. You can view the list of
applications and decide which applications you want to allow and which you want to prohibit, according to the
information security policies of your organization. You can skip this stage if you know exactly what applications are
installed on managed devices.

How-to instructions:

Administration Console: Viewing application registry

Kaspersky Security Center Web Console: Obtaining and viewing a list of applications installed on client
devices

2 Forming and viewing the list of executable files on client devices

This stage helps you find out what executable files are present on managed devices. View the list of executable
files and compare it with the lists of allowed and prohibited executable files, as defined by the information security
policies of your organization. You can skip this stage if you know exactly what executable files are present on
managed devices.

How-to instructions:

Administration Console: Inventory of executable files

Kaspersky Security Center Web Console: Obtaining and viewing a list of executable files stored on client
devices

3 Creating application categories for the applications used in your organization

Analyze the lists of applications and executable files stored on managed devices. Based on the analysis, create
application categories. It is recommended to create a "Work applications" category that covers the standard set
of applications that are used at your organization. If different user groups use different sets of applications in
their work, a separate application category can be created for each user group.

Depending on the set of criteria used to create an application category, you can create application categories of
three types.

How-to instructions:

Administration Console: Creating an application category with content added manually, Creating an
application category that includes executable files from selected devices, Creating an application category that
includes executable files from a specific folder.

Kaspersky Security Center Web Console: Creating an application category with content added manually,
Creating an application category that includes executable files from selected devices, Creating an application
category that includes executable files from a specific folder.

4 Configuring Application Control in the Kaspersky Endpoint Security policy

Configure the Application Control component in the Kaspersky Endpoint Security policy using the application
categories you have created in the previous stage.

How-to instructions:

Administration Console: Configuring application startup management on client devices

Kaspersky Security Center Web Console: Configuring Application Control in the Kaspersky Endpoint
Security for Windows policy

5 Turning on Application Control component in test mode

To ensure that Application Control rules do not block applications required for users' work, it is recommended to
enable testing of Application Control rules and analyze their operation after creating new rules. When testing is
enabled, Kaspersky Endpoint Security for Windows does not block applications whose startup is forbidden by
Application Control rules, but instead sends Application startup prohibited in test mode events to the
Administration Server.

When testing Application Control rules, it is recommended to perform the following actions:

Determine the testing period. The testing period can vary from several days to two months; it should be long
enough to cover applications that users run only occasionally, otherwise those applications will be blocked once
the rules are enforced.

Examine the events resulting from testing the operation of Application Control.

How-to instructions for Kaspersky Security Center Web Console: Configuring the Application Control component in
the Kaspersky Endpoint Security for Windows policy. Follow these instructions and enable the Test Mode option during
configuration.

6 Changing the application categories settings of Application Control component

If necessary, make changes to the Application Control settings. Based on the test results, you can add
executable files related to events of the Application Control component to an application category with content
added manually.

How-to instructions:

Administration Console: Adding event-related executable files to the application category

Kaspersky Security Center Web Console: Adding event-related executable files to the application category

7 Applying the rules of Application Control in operation mode

After Application Control rules are tested and configuration of application categories is complete, you can apply
the rules of Application Control in operation mode.

How-to instructions for Kaspersky Security Center Web Console: Configuring the Application Control component in
the Kaspersky Endpoint Security for Windows policy. Follow these instructions and disable the Test Mode option during
configuration.

8 Verifying Application Control con guration

Be sure that you have done the following:

Created application categories.

Configured Application Control using the application categories.

Applied the rules of Application Control in operation mode.

Results

When the scenario is complete, applications startup on managed devices is controlled. The users can start only
those applications that are allowed in your organization and cannot start applications that are prohibited in your
organization.

For detailed information about Application Control, refer to the Kaspersky Endpoint Security for Windows Online
Help and to the Kaspersky Security for Virtualization Light Agent documentation.

Creating application categories for Kaspersky Endpoint Security for Windows policies

You can create application categories for Kaspersky Endpoint Security for Windows policies from the Application
categories folder and from the Properties window of a Kaspersky Endpoint Security for Windows policy.

To create an application category for a Kaspersky Endpoint Security policy from the Application categories
folder:

1. In the console tree, select Advanced → Application management → Application categories.

2. In the workspace of the Application categories folder, click the New category button.
The New Category Wizard starts.

3. On the Category type page, select the type of user category:

Category with content added manually. Specify the criteria that will be used to assign executable files to
the category that is being created.

Category that includes executable files from selected devices. Specify a device whose executable files
must be automatically assigned to the category.

Category that includes executable files from a specific folder. Specify a folder whose executable files
must be automatically assigned to the category.

4. Follow the instructions of the Wizard.

When the Wizard finishes, a custom application category is created. You can view newly created categories by
using the list of categories in the workspace of the Application categories folder.

You can also create an application category from the Policies folder.

To create an application category from the Properties window of a Kaspersky Endpoint Security for Windows
policy:

1. In the console tree, select the Policies folder.

2. In the workspace of the Policies folder, select a Kaspersky Endpoint Security policy for which you want to
create a category.

3. Right-click and select Properties.

4. In the Properties window that opens, in the left Sections pane select Security Controls → Application
control.

5. In the Application control section, in the Control mode and Action drop-down lists make selections for the
Allowlist or Denylist, and then click the Add button.
The Application Control rule window containing a list of categories opens.

6. Click the Create new button.

7. Enter the name of the new category and click OK.
The New Category Wizard starts.

8. On the Category type page, select the type of user category:

Category with content added manually. Specify the criteria that will be used to assign executable files to
the category that is being created.

Category that includes executable files from selected devices. Specify a device whose executable files
must be automatically assigned to the category.

Category that includes executable files from a specific folder. Specify a folder whose executable files
must be automatically assigned to the category.

9. Follow the instructions of the Wizard.

When the Wizard finishes, a custom application category is created. You can view newly created categories in
the list of categories.

Application categories are used by the Application Control component included in Kaspersky Endpoint Security
for Windows. Application Control allows the administrator to impose restrictions on the startup of applications on
client devices, for example restricting startup to applications in a specified category.

Creating an application category with content added manually

To create an application category with content added manually:

1. In the console tree, in the Advanced → Application management folder select the Application categories
subfolder.

2. Click the New category button.
The New Category Wizard starts. Proceed through the wizard by using the Next button.

3. On the Category type wizard page, select Category with content added manually as the user category type.

4. On the Enter the application category name wizard page, enter the new application category name.

5. On the Configuring conditions for inclusion of applications in categories page, click the Add button.

6. In the drop-down list, specify the relevant settings:

From the list of executable files

If this option is selected, you can use the list of executable files on the client device to select and add
applications to the category.

From file properties

If this option is selected, you can specify the detailed data for the executable files that will be added to
the user application category.

Metadata from files in folder

Specify a folder on the client device that contains executable files. The metadata of the executable files
in the specified folder is sent to Administration Server. Executable files that contain the same
metadata are added to the user application category.

Checksums of the files in the folder

If this option is selected, you can select or create a folder on the client device. The MD5 hash of the
files in the specified folder is sent to Administration Server. Applications whose hash matches that of a
file in the specified folder are added to the user application category.

Certificates for the files from the folder

If this option is selected, you can specify a folder on the client device that contains executable files
signed with certificates. The certificates of the executable files are read and added to the category's
conditions. Executable files signed with the specified certificates are added to the user category.

MSI installer files metadata

If this option is selected, you can specify an MSI installer file as the condition for adding applications to
the user category. The application installer metadata is sent to Administration Server. Applications
whose installer metadata is the same as that of the specified MSI installer are added to the user
application category.

Checksums of the files from the MSI installer of the application

If this option is selected, you can specify an MSI installer file as the condition for adding applications to
the user category. The hash of the application installer files is sent to Administration Server. Applications
for which the hash of the MSI installer files is identical to the specified hash are added to the
user application category.

From KL category

If this option is selected, you can specify a Kaspersky application category as the condition for adding
applications to the user category. The applications from the specified Kaspersky category are added
to the user application category.

Specify path to application (masks supported)

If this option is selected, you can specify the path to the folder on the client device containing the
executable files that are to be added to the user application category. A path condition admits any
executable found at that path, whatever its contents, so it is only as strong as the permissions that
control who can write to that folder.

Select certificate from repository

If this option is selected, you can specify certificates from the storage. Executable files signed with
the specified certificates are added to the user category.

Drive type

If this option is selected, you can specify the type of the medium (any drive or removable drive) on
which the application is run. Applications that have been run on the selected drive type are added to
the user application category.

7. On the Creating the application category wizard page, click the Finish button.

Kaspersky Security Center only handles metadata from digitally signed files. No category can be created
on the basis of metadata from files that do not contain a digital signature.

When the Wizard has completed, a user application category is created, with content added manually. You can
view the newly created category using the list of categories in the workspace of the Application categories
folder.
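The example below is added here and is not Kaspersky's code. It models a category with content added manually that combines a "Checksums of the files in the folder" condition (computed with SHA-256, which the page recommends for Kaspersky Endpoint Security 10 Service Pack 2 and later) and a "Specify path to application (masks supported)" condition, together with an exclusion, and evaluates candidate executables against it. The folder layout, the file contents and the Category, sha256_of and demo names are constructed for the example. It shows what the condition descriptions only imply: a checksum condition stops matching as soon as the file's bytes change, while a path mask admits any file placed at that path.

```python
"""Added example (not Kaspersky's code): an application category with content
added manually, built from a "Checksums of the files in the folder" condition
and a "Specify path to application (masks supported)" condition, plus an
exclusion, then evaluated against candidate files. The folder layout, file
contents, class and function names are constructed for this example."""
import fnmatch
import hashlib
import os
import tempfile
from dataclasses import dataclass, field
from typing import List, Optional, Set


def sha256_of(path: str) -> str:
    """Hex SHA-256 of the file contents (the value a hash condition stores)."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def _norm(path: str) -> str:
    """Compare paths Windows-style: backslashes, case-insensitive."""
    return path.replace("/", "\\").lower()


@dataclass
class Category:
    name: str
    hashes: Set[str] = field(default_factory=set)           # checksum conditions
    path_masks: List[str] = field(default_factory=list)     # path-mask conditions
    excluded_hashes: Set[str] = field(default_factory=set)  # category exclusions

    def add_folder_checksums(self, folder: str) -> int:
        """Condition "Checksums of the files in the folder": hash every
        executable-type file under the folder and add it to the category."""
        added = 0
        for root, _dirs, files in os.walk(folder):
            for name in files:
                if name.lower().endswith((".exe", ".dll", ".msi")):
                    self.hashes.add(sha256_of(os.path.join(root, name)))
                    added += 1
        return added

    def matches(self, path: str) -> Optional[str]:
        """Return the condition type that admits the file ("hash" or "mask"),
        or None. Exclusions win over conditions. A hash match pins the file
        contents; a mask match only pins the location."""
        digest = sha256_of(path)
        if digest in self.excluded_hashes:
            return None
        if digest in self.hashes:
            return "hash"
        for mask in self.path_masks:
            if fnmatch.fnmatchcase(_norm(path), _norm(mask)):
                return "mask"
        return None


def demo() -> dict:
    """Build a category from a constructed folder and evaluate four cases."""
    with tempfile.TemporaryDirectory() as tmp:
        work = os.path.join(tmp, "Program Files", "WorkApp")
        tools = os.path.join(tmp, "Program Files", "Tools")
        os.makedirs(work)
        os.makedirs(tools)
        workapp = os.path.join(work, "workapp.exe")
        with open(workapp, "wb") as f:
            f.write(b"MZ constructed workapp build 1")

        cat = Category("Work applications")
        cat.add_folder_checksums(work)
        cat.path_masks.append(os.path.join(tools, "*.exe"))

        # 1. The inventoried binary matches by hash.
        inventoried = cat.matches(workapp)
        # 2. Same path, different bytes (a replaced binary): the hash no longer matches.
        with open(workapp, "wb") as f:
            f.write(b"MZ constructed workapp tampered")
        replaced = cat.matches(workapp)
        # 3. Any executable dropped into a mask-covered folder is admitted regardless
        #    of content, so a path mask is only as strong as that folder's ACL.
        dropped = os.path.join(tools, "anything.exe")
        with open(dropped, "wb") as f:
            f.write(b"MZ constructed unknown tool")
        dropped_result = cat.matches(dropped)
        # 4. An exclusion overrides both condition types.
        cat.excluded_hashes.add(sha256_of(dropped))
        excluded = cat.matches(dropped)
    return {"inventoried": inventoried, "replaced": replaced,
            "dropped_in_masked_folder": dropped_result, "excluded": excluded}


if __name__ == "__main__":
    print(demo())
```

Running the script evaluates the four cases in a temporary directory. In practice this is the reason to prefer hash or certificate conditions for a "Work applications" category and to reserve path masks for folders that only administrators can write to.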

Creating an application category that includes executable files from selected devices

You can use executable files from selected devices as a reference set of executable files that you want to allow or
block. Based on executable files from selected devices, you can create an application category and use it in the
Application Control component configuration.

To create an application category that includes executable files from selected devices:

1. In the console tree, in the Advanced → Application management folder select the Application categories
subfolder.

2. Click the New category button.


The New Category Wizard starts. Proceed through the wizard by using the Next button.

3. On the Category type wizard page, select Category that includes executable files from selected devices as
the user category type.

4. On the Enter the application category name wizard page, enter the new application category name.

5. On the Settings wizard page, click the Add button.

6. Select a device or devices whose executable les will be used to create the application category.

7. Specify the following settings:

Hash value computing algorithm

Depending on the version of the security application installed on devices on your network, you must
select the algorithm Kaspersky Security Center uses to compute hash values for files in this category.
Information about computed hash values is stored in the Administration Server database. Storing
hash values does not increase the database size significantly.
SHA-256 is a cryptographic hash function with no known practical collision or preimage attacks, so a
SHA-256 condition identifies exactly one file's contents. MD5 does not give this guarantee: MD5
collisions can be produced in practice, so two different files can share the same MD5 hash, and a category
built on MD5 should be used only where older security applications leave no alternative. Kaspersky
Endpoint Security 10 Service Pack 2 for Windows and later versions support SHA-256 computing.
Computing of the MD5 hash function is supported by all versions earlier than Kaspersky Endpoint
Security 10 Service Pack 2 for Windows.
Select either of the options of hash value computing by Kaspersky Security Center for files in the
category:
If all instances of security applications installed on your network are Kaspersky Endpoint Security
10 Service Pack 2 for Windows or later versions, select the SHA-256 check box. We do not
recommend that you add any categories created according to the criterion of the SHA-256 hash
of an executable file to policies for versions earlier than Kaspersky Endpoint Security 10 Service
Pack 2 for Windows. This may result in failures in the security application operation. In this case, you
can use the MD5 hash function for files of the category.

If any versions earlier than Kaspersky Endpoint Security 10 Service Pack 2 for Windows are
installed on your network, select the MD5 hash. You cannot add a category that was created
based on the criterion of the MD5 checksum of an executable file to policies for Kaspersky Endpoint
Security 10 Service Pack 2 for Windows or later versions. In this case, you can use the SHA-256
cryptographic hash function for files of the category.
If different devices on your network use both earlier and later versions of Kaspersky Endpoint Security
10, select both the SHA-256 check box and the MD5 hash check box.
The Calculate SHA-256 for files in this category (supported by Kaspersky Endpoint Security 10
Service Pack 2 for Windows and any later versions) check box is selected by default.
The Calculate MD5 for files in this category (supported by versions earlier than Kaspersky
Endpoint Security 10 Service Pack 2 for Windows) check box is cleared by default.

Synchronize data with Administration Server repository

Select this option if you want Administration Server to periodically check the specified
folder (or folders) for changes.

By default, this option is disabled.

If you enable this option, specify the period (in hours) between checks of the specified folder (folders).
By default, the scan interval is 24 hours.

8. On the Filter wizard page, specify the following settings:

File type

In this section, you can specify the file type that is used to create the application category.
All files. All files are taken into consideration when creating the category. By default, this option is
selected.
Only files outside the application categories. Only files that do not already belong to any application
category are taken into consideration when creating the category.

Folders

In this section you can specify which folders from the selected device (devices) contain files that are
used to create the application category.

All folders. All folders are taken into consideration when creating the category. By default, this option is
selected.

Specified folder. Only the specified folder is taken into consideration when creating the category. If you
select this option, you must specify the path to the folder.

9. On the Creating the application category wizard page, click the Finish button.

When the wizard has completed, a user application category is created. You can view the newly created
category using the list of categories in the workspace of the Application categories folder.

Creating an application category that includes executable files from a specific folder

You can use executable files from a selected folder as a reference set of executable files that you want to allow or
block in your organization. On the basis of executable files from the selected folder, you can create an application
category and use it in the Application Control component configuration.

To create an application category that includes executable files from a specific folder:

1. In the console tree, in the Advanced → Application management folder select the Application categories
subfolder.

2. Click the New category button.


The New Category Wizard starts. Proceed through the wizard by using the Next button.

3. On the Category type wizard page, select Category that includes executable files from specific folder as
the user category type.

4. On the Enter the application category name wizard page, enter the new application category name.

5. On the Repository folder wizard page, click the Browse button.

6. Specify the folder whose executable les will be used to create the application category.

7. Define the following settings:

Include dynamic-link libraries (DLL) in this category

The application category includes dynamic-link libraries (files in DLL format), and the Application
Control component logs the actions of such libraries running in the system. Including DLL files in the
category may lower the performance of Kaspersky Security Center.
By default, this check box is cleared.

Include script data in this category

The application category includes data on scripts, and scripts are not blocked by Web Threat
Protection. Including the script data in the category may lower the performance of Kaspersky Security
Center.
By default, this check box is cleared.

Hash value computing algorithm: Calculate SHA-256 for files in this category (supported by Kaspersky
Endpoint Security 10 Service Pack 2 for Windows and later versions) / Calculate MD5 for files in this
category (supported by versions earlier than Kaspersky Endpoint Security 10 Service Pack 2 for
Windows)

Depending on the version of the security application installed on devices on your network, you must
select the algorithm Kaspersky Security Center uses to compute hash values for files in this category.
Information about computed hash values is stored in the Administration Server database. Storing
hash values does not increase the database size significantly.
SHA-256 is a cryptographic hash function with no known practical collision or preimage attacks, so a
SHA-256 condition identifies exactly one file's contents. MD5 does not give this guarantee: MD5
collisions can be produced in practice, so two different files can share the same MD5 hash, and a category
built on MD5 should be used only where older security applications leave no alternative. Kaspersky
Endpoint Security 10 Service Pack 2 for Windows and later versions support SHA-256 computing.
Computing of the MD5 hash function is supported by all versions earlier than Kaspersky Endpoint
Security 10 Service Pack 2 for Windows.
Select either of the options of hash value computing by Kaspersky Security Center for files in the
category:
If all instances of security applications installed on your network are Kaspersky Endpoint Security
10 Service Pack 2 for Windows or later versions, select the SHA-256 check box. We do not
recommend that you add any categories created according to the criterion of the SHA-256 hash
of an executable file to policies for versions earlier than Kaspersky Endpoint Security 10 Service
Pack 2 for Windows. This may result in failures in the security application operation. In this case, you
can use the MD5 hash function for files of the category.

If any versions earlier than Kaspersky Endpoint Security 10 Service Pack 2 for Windows are
installed on your network, select the MD5 hash. You cannot add a category that was created
based on the criterion of the MD5 checksum of an executable file to policies for Kaspersky Endpoint
Security 10 Service Pack 2 for Windows or later versions. In this case, you can use the SHA-256
cryptographic hash function for files of the category.
If different devices on your network use both earlier and later versions of Kaspersky Endpoint Security
10, select both the SHA-256 check box and the MD5 hash check box.
The Calculate SHA-256 for files in this category (supported by Kaspersky Endpoint Security 10
Service Pack 2 for Windows and any later versions) check box is selected by default.
The Calculate MD5 for files in this category (supported by versions earlier than Kaspersky
Endpoint Security 10 Service Pack 2 for Windows) check box is cleared by default.

Force folder scan for changes

If this option is enabled, the application regularly checks the folder from which category content is added for
changes. You can specify the frequency of checks (in hours) in the entry field next to the check box. By
default, the time interval between forced checks is 24 hours.
If this option is disabled, the application does not force any checks of the folder. The Server attempts
to access files only if they have been modified, added, or deleted.
By default, this option is disabled.

8. On the Creating the application category wizard page, click the Finish button.

When the wizard has completed, a user application category is created. You can view the newly created
category using the list of categories in the workspace of the Application categories folder.

Adding event-related executable files to the application category

You can add executable files related to the Application startup prohibited and Application startup prohibited in
test mode events to an existing application category with content added manually or to a new application
category.

To add executable files related to Application Control events to the application category:

1. In the console tree, select the node with the name of the required Administration Server.

2. In the workspace of the node, select the Events tab.

3. On the Events tab, select the required events.

4. In the context menu of one of the selected events, select Add to category.

5. In the Action on executable file related to the event window that opens, specify the relevant settings:
Select one of the following:

Add to a new application category

Select this option if you want to create a new application category.
Click the OK button to start the Create User Category Wizard. When the Wizard completes, the
category with the specified settings is created.
By default, this option is not selected.

Add to an existing application category

Select this option if you have to add rules to an existing application category. Select the relevant
category in the list of application categories.
This option is selected by default.

In the Rule type section, select one of the following settings:

Add to category

Select this option if you have to add rules to the conditions of the application category.
This option is selected by default.

Rules for adding to exclusions

Select this option if you want to add rules to the exclusions of the application category.

In the File info type section, select one of the following settings:

Certificate details (or SHA-256 hashes for files without certificate)

Files may be signed with a certificate. Multiple files may be signed with the same certificate. For
example, different versions of the same application may be signed with the same certificate, or several
different applications from the same vendor may be signed with the same certificate. When you select
a certificate, several versions of an application or several applications from the same vendor may end
up in the category, including files the vendor signs with that certificate in the future.
Each file has its own unique SHA-256 hash value. When you select a SHA-256 hash value, only
one corresponding file, for example the specified application version, ends up in the category.
Select this option if you want to add to the category rules the certificate details of an executable file
(or the SHA-256 hash value for files without a certificate).
By default, this option is selected.

Certificate details (files without a certificate will be skipped)

Files may be signed with a certificate. Multiple files may be signed with the same certificate. For
example, different versions of the same application may be signed with the same certificate, or several
different applications from the same vendor may be signed with the same certificate. When you select
a certificate, several versions of an application or several applications from the same vendor may end
up in the category.
Select this option if you want to add the certificate details of an executable file to the category rules. If
the executable file has no certificate, this file will be skipped. No information about this file will be added
to the category.

Only SHA-256 (files without hash will be skipped)

Each file has its own unique SHA-256 hash value. When you select a SHA-256 hash value, only
one corresponding file, for example the specified application version, ends up in the category.
Select this option if you want to add only the SHA-256 hash value of the executable file.

Only MD5 (discontinued mode, only for Kaspersky Endpoint Security 10 Service Pack 1 version)

Each file has its own MD5 hash value, but unlike SHA-256 this value cannot be relied on to be unique:
MD5 collisions can be produced in practice, so a crafted file can share the MD5 hash of an allowed one.
When you select an MD5 hash value, the corresponding file, for example the specified application
version, ends up in the category.
Select this option if you want to add only the MD5 hash value of the executable file.
Computing of the MD5 hash value is supported by Kaspersky Endpoint Security 10 Service Pack 1
for Windows and all earlier versions.

6. Click OK.
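The following is an added example, not Kaspersky's code, and covers both stages 5 to 7 of the Application Control scenario above and the File info type options of this section. An allowlist is run in test mode, where a startup that the rules would prohibit is only reported as an Application startup prohibited in test mode event; the collected events are turned into category conditions under each File info type option (certificate details with SHA-256 fallback, certificate only, SHA-256 only); and the amended category is then enforced in operation mode. The executables, signer names, user name, event dictionaries and the ApplicationControl, Category and conditions_from_events names are all constructed for the example.

```python
"""Added example (not Kaspersky's code): an Application Control allowlist run
first in test mode, where prohibited startups are only reported as
"Application startup prohibited in test mode" events, and then in operation
mode, with the events in between turned into category conditions according to
the File info type options. The executables, signer names, user and event
records are constructed for this example."""
from dataclasses import dataclass, field
from typing import List, Optional, Set, Tuple

CERT_OR_SHA256 = "Certificate details (or SHA-256 hashes for files without certificate)"
CERT_ONLY = "Certificate details (files without a certificate will be skipped)"
SHA256_ONLY = "Only SHA-256 (files without hash will be skipped)"


@dataclass(frozen=True)
class Executable:
    path: str
    sha256: str
    signer: Optional[str]  # certificate subject, None for an unsigned file


@dataclass
class Category:
    name: str
    signers: Set[str] = field(default_factory=set)  # certificate conditions
    hashes: Set[str] = field(default_factory=set)   # SHA-256 conditions

    def contains(self, exe: Executable) -> bool:
        return exe.sha256 in self.hashes or (exe.signer is not None and exe.signer in self.signers)


class ApplicationControl:
    """Allowlist mode: only executables in an allowed category may start."""

    def __init__(self, allowed: List[Category], test_mode: bool) -> None:
        self.allowed = allowed
        self.test_mode = test_mode
        self.events: List[dict] = []

    def on_startup(self, exe: Executable, user: str) -> str:
        if any(c.contains(exe) for c in self.allowed):
            return "allowed"
        if self.test_mode:  # report only, never block
            self.events.append({"event": "Application startup prohibited in test mode", "user": user, "exe": exe})
            return "allowed"
        self.events.append({"event": "Application startup prohibited", "user": user, "exe": exe})
        return "blocked"


def conditions_from_events(events: List[dict], file_info_type: str) -> Tuple[Set[str], Set[str], List[str]]:
    """Turn prohibited-startup events into category conditions. Returns
    (signers, hashes, skipped_paths). A certificate condition admits every file
    from that signer, including future builds; a hash condition admits exactly one file."""
    signers: Set[str] = set()
    hashes: Set[str] = set()
    skipped: List[str] = []
    for ev in events:
        exe = ev["exe"]
        if file_info_type in (CERT_OR_SHA256, CERT_ONLY) and exe.signer:
            signers.add(exe.signer)
        elif file_info_type in (CERT_OR_SHA256, SHA256_ONLY):
            hashes.add(exe.sha256)
        else:
            skipped.append(exe.path)
    return signers, hashes, skipped


def demo() -> dict:
    lob_v1 = Executable(r"C:\Program Files\LOB\lob.exe", "a" * 64, "CN=Example LOB Vendor")
    lob_v2 = Executable(r"C:\Program Files\LOB\lob.exe", "b" * 64, "CN=Example LOB Vendor")  # newer build
    tool = Executable(r"C:\Tools\helper.exe", "c" * 64, None)                                # unsigned
    rogue = Executable(r"C:\Tools\helper.exe", "d" * 64, None)                               # same path, other bytes
    work = Category("Work applications", hashes={lob_v1.sha256})

    # Stage 5: test mode. Nothing is blocked; the gaps in the category surface as events.
    ac = ApplicationControl([work], test_mode=True)
    test_mode = [ac.on_startup(e, "alice") for e in (lob_v1, lob_v2, tool)]
    test_events = list(ac.events)

    # Stage 6: amend the category from the events (review before adopting: the
    # signer condition admits lob_v2 and any later build from that vendor).
    signers, hashes, _ = conditions_from_events(test_events, CERT_OR_SHA256)
    work.signers |= signers
    work.hashes |= hashes

    # Stage 7: operation mode with the amended category.
    ac = ApplicationControl([work], test_mode=False)
    operation = {"lob_v2": ac.on_startup(lob_v2, "alice"),
                 "tool": ac.on_startup(tool, "alice"),
                 "rogue": ac.on_startup(rogue, "alice")}
    return {
        "test_mode": test_mode,
        "test_events": len(test_events),
        "signers": signers,
        "hashes": hashes,
        "operation": operation,
        "cert_only_skipped": conditions_from_events(test_events, CERT_ONLY)[2],
        "sha256_only_hashes": conditions_from_events(test_events, SHA256_ONLY)[1],
    }


if __name__ == "__main__":
    print(demo())
```

The point to take from the run is the trade-off between the File info type options: the certificate rule derived from the lob_v2 event also admits future builds from that signer without further events, while the hash rule for helper.exe admits only those exact bytes, so the rogue file at the same path is blocked once operation mode is on.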

Configuring application startup management on client devices

Categorization of applications allows you to optimize management of application startup on devices. You can create
an application category and configure Application Control for a policy so that only applications from the specified
category can start on devices to which that policy is applied. For example, suppose you have created a category that
includes applications named Application_1 and Application_2. After you add this category to a policy, only two
applications are allowed to start on devices to which that policy is applied: Application_1 and Application_2. If a
user attempts to start an application that has not been included in that category, for example Application_3, this
application is blocked from starting. The user is shown a notification stating that Application_3 is blocked
from starting in accordance with an Application Control rule. You can also create a category with content added
automatically based on various criteria from a specific folder. In this case, files are automatically added to the
category from the specified folder: executable files of applications are copied to the specified folder and
processed automatically, and their metadata is added to the category.

To configure application startup management on client devices:

1. In the Advanced → Application management folder in the console tree, select the Application categories
subfolder.

2. In the workspace of the Application categories folder, create a category of applications that you want to
manage while they are being started.

3. In the Managed devices folder, on the Policies tab click the New policy button to create a new policy for
Kaspersky Endpoint Security for Windows, and follow the instructions of the Wizard.
If such a policy already exists, you can skip this step. You can configure management of the startup of
applications in a specified category through the settings of this policy. The newly created policy is displayed in
the Managed devices folder on the Policies tab.

4. Select Properties from the context menu of the policy for Kaspersky Endpoint Security for Windows.
The properties window of the policy for Kaspersky Endpoint Security for Windows opens.

5. In the properties window of the Kaspersky Endpoint Security for Windows policy, in the Security Controls →
Application Control section, select the Application Control check box.

6. Click the Add button.


The Application Control rule window opens.

7. In the Application Control rule window, in the Category drop-down list select the application category that
the startup rule will cover. Configure the startup rule for the selected application category.
For Kaspersky Endpoint Security 10 Service Pack 2 and later, no categories are displayed if they were created
upon the criterion of the MD5 hash of an executable file.
We do not recommend that you add any categories created according to the criterion of the SHA-256 hash of
an executable file for versions earlier than Kaspersky Endpoint Security 10 Service Pack 2. This may result in
application failures.
Detailed instructions on configuring control rules are provided in the Kaspersky Endpoint Security for Windows
Online Help.

8. Click OK.

Applications will be run on devices included in the specified category according to the rule that you created. The
newly created rule is displayed in the properties window of the Kaspersky Endpoint Security for Windows policy,
in the Application Control section.
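A folder-based category is only as trustworthy as the binaries placed in the folder, so it helps to review what the folder contains before adding the category to a policy. The following PowerShell script is an added example and is not part of this documentation or of Kaspersky Security Center: it hashes every executable in the folder with SHA-256 (MD5-based categories are not shown for Kaspersky Endpoint Security 10 Service Pack 2 and later, as noted above), records size and file version information, flags the same binary appearing under several names, and exports the result to CSV. The folder path, output path and extension list are placeholders and assumptions, not the product's own definition of category content.

```powershell
# Added example, not part of the Kaspersky Security Center documentation.
# Previews the executables a folder-based application category would be built from:
# SHA-256 hash, size and file version information for every executable in the folder.
# Assumptions: $CategoryFolder and $OutputCsv are placeholder paths; the extension list
# is a reasonable default and not the product's own definition of an executable.

param(
    [string]$CategoryFolder = 'C:\KSC\CategoryContent',       # placeholder
    [string]$OutputCsv      = 'C:\KSC\category-preview.csv'   # placeholder
)

$extensions = '.exe', '.dll', '.sys', '.msi', '.cpl', '.com', '.scr'

$entries = Get-ChildItem -Path $CategoryFolder -File -Recurse |
    Where-Object { $extensions -contains $_.Extension.ToLowerInvariant() } |
    ForEach-Object {
        $hash = Get-FileHash -Path $_.FullName -Algorithm SHA256
        [pscustomobject]@{
            Path        = $_.FullName
            SHA256      = $hash.Hash
            SizeBytes   = $_.Length
            ProductName = $_.VersionInfo.ProductName
            FileVersion = $_.VersionInfo.FileVersion
            Company     = $_.VersionInfo.CompanyName
        }
    }

# The same binary under two names is one category entry when the category is keyed on the
# hash; report such duplicates so the allow-list is reviewed against content, not file names.
$entries | Group-Object -Property SHA256 | Where-Object { $_.Count -gt 1 } | ForEach-Object {
    Write-Warning ("Same SHA-256 at {0} paths: {1}" -f $_.Count, ($_.Group.Path -join '; '))
}

$unique = @($entries | Sort-Object -Property SHA256 -Unique)
$unique | Export-Csv -Path $OutputCsv -NoTypeInformation -Encoding UTF8
Write-Host ("{0} unique executables written to {1}" -f $unique.Count, $OutputCsv)
```

Review the CSV before creating the category. An entry keyed on a hash allows exactly that build of the binary, so an updated version of an application has to be placed in the folder and the category refreshed before the new build is permitted to start.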

Viewing the results of static analysis of startup rules applied to executable files

To view information about which executable files are prohibited for users to run:

1. In the Managed devices folder in the console tree, select the Policies tab.

2. Select Properties from the context menu of the policy for Kaspersky Endpoint Security for Windows.
The properties window of the application policy opens.

3. In the Sections pane, select Security Controls and then select the Application Control subsection.

4. Click the Static analysis button.


The Analysis of the access rights list window opens. In the left part of the window a user list based on Active
Directory data is displayed.

5. Select a user from the list.


The right part of the window displays categories of applications assigned to this user.

6. To view executable files that the user is not allowed to run, in the Analysis of the access rights list window click
the View files button.
A window opens, displaying a list of prohibited executable files.

7. To view a list of executable files included in a category, select the application category and click the View files
in category button.
A window opens, displaying a list of executable files included in the application category.

Viewing the applications registry


Kaspersky Security Center inventories all software installed on managed devices.

Network Agent compiles a list of applications installed on a device, and then transmits this list to Administration
Server. Network Agent automatically receives information about installed applications from the Windows registry.

Retrieval of information about installed applications is only available for devices running Microsoft Windows.

To view the registry of applications installed on client devices,

In the Advanced → Application management folder in the console tree, select the Applications registry
subfolder.

The workspace of the Applications registry folder displays a list of applications installed on client devices and
the Administration Server.
You can view the details of any application by opening its context menu and selecting Properties. The application
properties window displays the application details and information about its executable files, as well as a list of
devices on which the application is installed.

In the context menu of any application in the list you can:

Add this application to an application category.

Assign a tag to the application.

Export the list of applications to a CSV file or TXT file.

View the application properties, for example, vendor name, version number, list of executable files, list of
devices on which the application is installed, list of available software updates, or list of detected software
vulnerabilities.

To view applications that meet specific criteria, you can use the filtering fields in the workspace of the Applications
registry folder.

In the properties window of the selected device, in the Applications registry section, you can view the list of
applications installed on the device.

Generating a report on installed applications

In the Applications registry workspace, you can also click the View report on installed applications button to
generate a report containing detailed statistics on the installed applications, including the number of devices on
which each application is installed. This report, which opens on the Report on Installed applications page, contains
information about both the Kaspersky applications and third-party software. If you want information only on
Kaspersky applications installed on client devices, in the Summary list, select AO Kaspersky Lab.

Information about Kaspersky applications and third-party software installed on devices that are connected to
secondary and virtual Administration Servers is also stored in the applications registry of the primary
Administration Server. After you add data from secondary and virtual Administration Servers, click the View
report on installed applications button, and on the Report on installed applications page that opens, you can
view this information.

To add information from secondary and virtual Administration Servers to the report on installed applications:

1. In the console tree, select the node with the name of the required Administration Server.

2. In the workspace of the node, select the Reports tab.

3. On the Reports tab, select Report on installed applications.

4. Select Properties from the context menu of the report.


The Properties: Report on installed applications window opens.

5. In the Hierarchy of Administration Servers section, select the Include data from secondary and virtual
Administration Servers check box.

6. Click OK.

Information from secondary and virtual Administration Servers will be included in the Report on installed
applications.

Changing the software inventory start time
Kaspersky Security Center inventories all software installed on managed client devices running Windows.

Network Agent compiles a list of applications installed on a device, and then transmits this list to Administration
Server. Network Agent automatically receives information about installed applications from the Windows registry.

To save device resources, Network Agent by default starts collecting information about installed
applications 10 minutes after the Network Agent service starts.

To change the delay before the software inventory starts after the Network Agent service runs on a device:

1. Open the system registry of the device on which Network Agent is installed (for example, locally, using the
regedit command in the Start → Run menu).

2. Go to the following hive:

For 32-bit systems:


HKEY_LOCAL_MACHINE\SOFTWARE\KasperskyLab\Components\34\1103\1.0.0.0\NagentFlags

For 64-bit systems:


HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\KasperskyLab\Components\34\1103\1.0.0.0\NagentF

3. For the KLINV_INV_COLLECTOR_START_DELAY_SEC key, set the required value in seconds.


The default value is 600 seconds.

4. Restart the Network Agent service.

The delay before the software inventory starts after the Network Agent service runs is changed.
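The same change, done from PowerShell rather than regedit, as an added example that is not part of this documentation. It reads the current value, writes the new delay, and restarts Network Agent so the setting takes effect. Three things are assumptions to verify on a test device before use: the value is stored as a DWORD, the 64-bit key name ends in NagentFlags like the 32-bit one, and the Network Agent service is named klnagent.

```powershell
# Added example, not part of the Kaspersky Security Center documentation.
# Changes the software inventory start delay (KLINV_INV_COLLECTOR_START_DELAY_SEC)
# in the Network Agent hive and restarts the service so the new delay applies.
# Assumptions: the value is a DWORD; on 64-bit systems the key name ends in NagentFlags
# as on 32-bit systems; the Network Agent service is named klnagent. Run from an
# elevated 64-bit PowerShell session on 64-bit Windows.

param(
    [ValidateRange(0, [int]::MaxValue)]
    [int]$DelaySeconds = 1800,     # the product default is 600 seconds
    [switch]$RestartService
)

$keyName = 'KLINV_INV_COLLECTOR_START_DELAY_SEC'
$hive = if ([Environment]::Is64BitOperatingSystem) {
    'HKLM:\SOFTWARE\Wow6432Node\KasperskyLab\Components\34\1103\1.0.0.0\NagentFlags'
} else {
    'HKLM:\SOFTWARE\KasperskyLab\Components\34\1103\1.0.0.0\NagentFlags'
}

if (-not (Test-Path -Path $hive)) {
    throw "Network Agent hive not found at $hive; is Network Agent installed on this device?"
}

# Read the current value; a missing value means the product default (600 seconds) applies.
$current = (Get-ItemProperty -Path $hive -Name $keyName -ErrorAction SilentlyContinue).$keyName
if ($null -eq $current) {
    Write-Host "$keyName is not set; the default of 600 seconds currently applies."
    New-ItemProperty -Path $hive -Name $keyName -Value $DelaySeconds -PropertyType DWord | Out-Null
} else {
    Write-Host "Current $keyName = $current seconds"
    Set-ItemProperty -Path $hive -Name $keyName -Value $DelaySeconds
}
Write-Host "Set $keyName = $DelaySeconds seconds"

# The new delay is read only when the Network Agent service starts.
if ($RestartService) {
    Restart-Service -Name 'klnagent' -Force
    Write-Host 'Network Agent service restarted'
}
```

Run it without -RestartService first to confirm the hive path and the current value on a device, then with -RestartService during a maintenance window, since the restart briefly interrupts the device's connection to Administration Server.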

About license key management of third-party applications


Kaspersky Security Center allows you to track license key usage for third-party applications installed on the
managed devices. The list of applications for which you can track license key usage is taken from the applications
registry. For each license key, you can specify and track violation of the following restrictions:

Maximum number of devices on which the application using this license key can be installed

Expiration date of the license key

Kaspersky Security Center does not check whether or not you specify a real license key. You can only track the
restrictions that you specify. If one of the restrictions that you impose on a license key is violated, Administration
Server registers an informational, warning, or functional failure event.

License keys are bound to applications groups. An applications group is a group of third-party applications that
you combine on a basis of a criterion or several criteria. You can define applications by the name of the application,
its version, vendor, and tag. An application is added to the group if at least one of the criteria is met. To each
applications group, you can bind several license keys, but each license key can be bound to a single applications
group only.

One more tool that you can use to track license key usage is Report on status of licensed applications groups. This
report provides information about the current status of licensed applications groups, including:

Number of installations of license keys on each applications group

Number of license keys in use and vacant license keys

Detailed list of licensed applications installed on managed devices

The tools for license key management of third-party applications are located in the Third-party licenses usage
subfolder (Advanced → Application management → Third-party licenses usage). In this subfolder, you can
create applications groups, add license keys, and generate the Report on statuses on licensed application groups.

The tools for license key management of third-party applications are available only if you enabled the Vulnerability
and Patch Management option in the Configure interface window.

Creating licensed applications groups


To create a licensed applications group:

1. In the Advanced → Application management folder in the console tree, select the Third-party licenses usage
subfolder.

2. Click the Add a licensed applications group button to run Licensed Application Group Addition Wizard.
Licensed Application Group Addition Wizard starts.

3. On the Details of licensed applications group step, specify which applications you want to include in the
applications group:

Name of licensed applications group

Track violated restrictions

If one of the restrictions that you impose on a license key of the applications group is violated,
Administration Server registers an informational, warning, or functional failure event:

Informational event: Limit of installations will soon be exceeded (more than 95% is used up) for
one of the licensed applications groups

Warning event: Limit of installations will soon be exceeded for one of the licensed applications
groups

Functional failure event: Limit of installations has been exceeded for one of the licensed
applications groups
An event is registered only once, when the stated condition is met. The same event can be registered again
only after the number of installations has returned to a normal level and the condition has occurred again.
An event cannot be registered more than once per hour.

Criteria for adding detected applications to this licensed applications group

Specify criteria to define which applications you want to include in the applications group. You can
define applications by the name of the application, its version, vendor, and tag. You must specify at
least one criterion. An application is added to the group if at least one of the criteria is met.

4. On the Enter data about existing license keys step, specify the license keys that you want to track. Select the
Control if license limit is exceeded option, and then add the license keys:

a. Click the Add button.

b. Select the license key that you want to add, and then click the OK button. If the required license key is not
listed, click the Add button, and then specify the license key properties.

5. On the Add licensed applications group step, click the Finish button.

A licensed applications group is created and displayed in the Third-party licenses usage folder.

Managing license keys for licensed applications groups


To create a license key for a licensed applications group:

1. In the Advanced → Application management folder in the console tree, select the Third-party licenses usage
subfolder.

2. In the workspace of the Third-party licenses usage folder, click the Manage license keys of licensed
applications button.
The License Key Management in licensed applications window opens.

3. In the License Key Management in licensed applications window, click the Add button.
The License key window opens.

4. In the License key window, specify the properties of the license key and restrictions that the license key
imposes on the licensed applications group.

Name. The name of the license key.

Comment. Notes on the selected license key.

Restriction. The number of devices on which the application using this license key can be installed.

Expires. The expiration date of the license key.

Created license keys are displayed in the License Key Management in licensed applications window.

To apply a license key to a licensed applications group:

1. In the Advanced → Application management folder in the console tree, select the Third-party licenses usage
subfolder.

2. In the Third-party licenses usage folder, select a licensed applications group to which you want to apply a
license key.

3. Select Properties from the context menu of the licensed applications group.
This opens the properties window of the licensed applications group.

4. In the properties window of the licensed applications group, in the License keys section, select Control if
license limit is exceeded.

5. Click the Add button.


The Selecting a license key window opens.

6. In the Selecting a license key window, select a license key that you want to apply to a licensed applications
group.

7. Click OK.

Restrictions imposed on a licensed applications group and specified in the license key will also apply to the
selected licensed applications group.
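To make the rules in "About license key management of third-party applications" and "Creating licensed applications groups" concrete (group membership by any matching criterion, a per-device installation limit, an expiration date, and the once-per-condition, at most hourly event registration), here is an added PowerShell example that is not part of this documentation or of Kaspersky Security Center. The inventory rows, group criteria and license key are constructed placeholders; the 95% informational threshold and the "limit exceeded" functional failure come from the text, while the warning level's threshold is not stated on this page and is left out.

```powershell
# Added example, not part of the Kaspersky Security Center documentation.
# Models third-party license tracking as described: a licensed applications group whose
# membership is "any criterion matches", license keys with a device limit and an expiration
# date, and the event levels registered when a restriction is violated.
# All data below is constructed; group, device and key names are placeholders.

# Constructed rows standing in for the applications registry (one row per device and application).
$inventory = @(
    [pscustomobject]@{ Device = 'WS-001'; Name = 'Acme Designer'; Version = '12.1'; Vendor = 'Acme Corp'; Tag = '' }
    [pscustomobject]@{ Device = 'WS-002'; Name = 'Acme Designer'; Version = '12.3'; Vendor = 'Acme Corp'; Tag = '' }
    [pscustomobject]@{ Device = 'WS-003'; Name = 'Acme Designer'; Version = '12.3'; Vendor = 'Acme Corp'; Tag = '' }
    [pscustomobject]@{ Device = 'WS-003'; Name = 'Acme Viewer';   Version = '3.0';  Vendor = 'Acme Corp'; Tag = 'cad' }
    [pscustomobject]@{ Device = 'WS-004'; Name = 'Other Tool';    Version = '1.0';  Vendor = 'Other Ltd'; Tag = 'cad' }
    [pscustomobject]@{ Device = 'WS-005'; Name = 'Other Tool';    Version = '1.0';  Vendor = 'Other Ltd'; Tag = '' }
)

# Licensed applications group: an application joins when at least one non-empty criterion matches.
$group = @{
    Name     = 'Acme CAD suite'
    Criteria = @{ Name = 'Acme Designer'; Version = ''; Vendor = ''; Tag = 'cad' }
}

# License keys bound to the group: Restriction is the device limit, Expires the expiration date.
$licenseKeys = @(
    [pscustomobject]@{ Name = 'ACME-CAD-2024'; Restriction = 4; Expires = [datetime]'2024-12-31' }
)

function Test-GroupMembership {
    param($App, [hashtable]$Criteria)
    foreach ($field in 'Name', 'Version', 'Vendor', 'Tag') {
        $wanted = $Criteria[$field]
        if (-not [string]::IsNullOrEmpty($wanted) -and $App.$field -eq $wanted) { return $true }
    }
    return $false
}

function Get-LicenseGroupStatus {
    param($Inventory, [hashtable]$Group, $Keys, [datetime]$Now = (Get-Date))

    # Installations are counted per device: two matching applications on one device use one seat.
    $devices = @($Inventory | Where-Object { Test-GroupMembership -App $_ -Criteria $Group.Criteria } |
        Select-Object -ExpandProperty Device -Unique)
    $limit   = ($Keys | Measure-Object -Property Restriction -Sum).Sum
    $expired = @($Keys | Where-Object { $_.Expires -lt $Now } | ForEach-Object { $_.Name })

    # Levels as documented: functional failure once the limit is exceeded, informational when
    # more than 95% is used up. The warning level's threshold is not stated on this page, and
    # the level registered for an expired key is not stated either, so expiry is reported separately.
    $level = 'OK'
    if ($devices.Count -gt $limit)            { $level = 'Functional failure' }
    elseif ($devices.Count -gt 0.95 * $limit) { $level = 'Informational' }

    [pscustomobject]@{
        Group       = $Group.Name
        Devices     = $devices
        Installed   = $devices.Count
        Limit       = $limit
        Vacant      = [Math]::Max(0, $limit - $devices.Count)
        Level       = $level
        ExpiredKeys = $expired
    }
}

# Event suppression as documented: an event is registered once when the condition is met,
# again only after the group returned to normal and the condition recurred, and never more
# than once per hour. State is kept per group between evaluations.
$script:eventState = @{}

function Register-LicenseEvent {
    param($Status, [datetime]$Now = (Get-Date))
    $prev = $script:eventState[$Status.Group]
    $register = $false
    if ($Status.Level -ne 'OK') {
        $wasNormal  = ($null -eq $prev) -or ($prev.Level -eq 'OK')
        $hourPassed = ($null -eq $prev) -or ($null -eq $prev.LastRegistered) -or
                      (($Now - $prev.LastRegistered).TotalHours -ge 1)
        $register = $wasNormal -and $hourPassed
    }
    $last = if ($register) { $Now } elseif ($null -ne $prev) { $prev.LastRegistered } else { $null }
    $script:eventState[$Status.Group] = @{ Level = $Status.Level; LastRegistered = $last }
    if ($register) {
        Write-Host ("[{0}] {1}: {2} of {3} seats in use; expired keys: {4}" -f
            $Status.Level, $Status.Group, $Status.Installed, $Status.Limit, ($Status.ExpiredKeys -join ', '))
    }
    return $register
}

# Four distinct devices match (three by name, WS-004 by tag) against a limit of 4: over 95%, so
# the first evaluation registers an informational event and the second, 30 minutes later, is suppressed.
$status = Get-LicenseGroupStatus -Inventory $inventory -Group $group -Keys $licenseKeys -Now ([datetime]'2024-06-01')
Register-LicenseEvent -Status $status -Now ([datetime]'2024-06-01T10:00:00') | Out-Null
Register-LicenseEvent -Status $status -Now ([datetime]'2024-06-01T10:30:00') | Out-Null
```

The per-device count is the point to check when reconciling with the vendor's own license terms: Kaspersky Security Center tracks only the restriction numbers you enter, so a key whose real terms count installations or users rather than devices needs its Restriction value translated accordingly before the informational and functional failure events mean anything.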

Inventory of executable files


You can use an inventory task to inventory executable files on client devices. Kaspersky Endpoint Security for
Windows provides the feature of inventorying executable files.

The number of executable files received from a single device cannot exceed 150,000. Once this limit is reached,
Kaspersky Security Center does not receive any new files from that device.

You can reduce load on the database while obtaining information about the installed applications. To do this,
we recommend that you run an inventory task on reference devices on which a standard set of software is
installed.

Before you begin, enable notifications about application startup in the Kaspersky Endpoint Security policy
and the Network Agent policy so that the data is transferred to Administration Server.

To enable notifications about application startup:

Open the Kaspersky Endpoint Security policy settings and do the following:

1. Go to General settings → Reports and Storage.

2. In the Data transfer to Administration Server section, select the About started applications check box.

3. Save your changes.

Open the Network Agent policy settings and do the following:

1. Go to the Repositories section.

2. Select the Details of installed applications check box.


3. Save your changes.

To create an inventory task for executable files on client devices:

1. In the console tree, select the Tasks folder.

2. Click the New task button in the workspace of the Tasks folder.
The Add Task Wizard starts.

3. In the Select the task type window of the Wizard, select Kaspersky Endpoint Security as the task type, and
then select Inventory as the task subtype, and click Next.

4. Follow the rest of the Wizard instructions.

After the Wizard is done, an inventory task for Kaspersky Endpoint Security is created. The newly created task is
displayed in the list of tasks in the workspace of the Tasks folder.

A list of executable files that have been detected on devices during inventory is displayed in the workspace of the
Executable files folder.

During inventory, the application detects executable files of the following formats: MZ, COM, PE, NE, SYS, CMD,
BAT, PS1, JS, VBS, REG, MSI, CPL, DLL, JAR, and HTML files.

Viewing information about executable les


To view a list of all executable files detected on client devices,

In the Application management folder of the console tree, select the Executable files subfolder.

The workspace of the Executable files folder displays a list of executable files that have been run on devices
since the installation of the operating system or have been detected while running the inventory task of
Kaspersky Endpoint Security for Windows.

To view details of executable files that match specific criteria, you can use filtering.

To view the properties of an executable file,

From the context menu of the file, select Properties.

A window opens displaying information about the executable file and a list of devices on which this executable
file can be found.

Monitoring and reporting


This section describes the monitoring and reporting capabilities of Kaspersky Security Center. These capabilities
give you an overview of your infrastructure, protection statuses, and statistics.

After Kaspersky Security Center deployment or during the operation, you can configure the monitoring and
reporting features to best suit your needs.

Traffic lights

Administration Console allows you to quickly assess the current status of Kaspersky Security Center and managed
devices by checking traffic lights.

Statistics

Statistics on the status of the protection system and managed devices are displayed in information panels that can
be customized.

Reports

The Reports feature allows you to get detailed numerical information about the security of your organization's
network, save this information to a file, send it by email, and print it.

Events

Event selections provide an onscreen view of named sets of events that are selected from the Administration
Server database. These sets of events are grouped according to the following categories:

By importance level—Critical events, Functional failures, Warnings, and Info events

By time—Recent events

By type—User requests and Audit events

You can create and view user-defined event selections based on the settings available for configuration in the
Kaspersky Security Center Web Console interface.

Scenario: Monitoring and reporting


This section provides a scenario for configuring the monitoring and reporting feature in Kaspersky Security Center.

Prerequisites

After you deploy Kaspersky Security Center in an organization's network you can start to monitor it and generate
reports on its functioning.

Stages

Monitoring and reporting in an organization's network proceeds in stages:

1 Configuring the switching of device statuses

Get acquainted with the settings that define the assignment of device statuses depending on specific
conditions. By changing these settings, you can change the number of events with Critical or Warning
importance levels.

When configuring the switching of device statuses, be sure that the new settings do not conflict with the
information security policies of your organization and that you are able to react to important security events in
your organization's network in a timely manner.

2 Configuring notifications about events on client devices


Configure notification (by email, by SMS, or by running an executable file) of events on client devices in
accordance with your organization's needs.

3 Changing the response of your security network to the Virus outbreak event

To adjust the network's response to new events, you can change the specific thresholds in the Administration
Server properties. You can also create a stricter policy that will be activated, or create a task that will be run at
the occurrence of this event.

4 Managing statistics

Configure the display of statistics in accordance with your organization's needs.

5 Reviewing the security status of your organization's network

To review the security status of your organization's network, you can do any of the following:

In the workspace of the Administration Server node, on the Statistics tab open the Protection status
second-level tab (page) and review the Real-time protection status information panel

Generate and review the Report on protection status

Generate and review the Report on errors

6 Locating client devices that are not protected

To locate client devices that are not protected, go to the workspace of the Administration Server node, on the
Statistics tab open the Protection status second-level tab (page), and review the History of discovery of new
networked devices information panel. You can also generate and review the Report on protection deployment.

7 Checking protection of client devices

To check protection of client devices, go to the workspace of the Administration Server node, on the Statistics
tab open the Deployment or Threat statistics second-level tab (page), and review the relevant information
panels. You can also start and review the Critical events event selection.

8 Evaluating and limiting the event load on the database

Information about events that occur during operation of managed applications is transferred from a client
device and registered in the Administration Server database. To reduce the load on the Administration Server,
evaluate and limit the maximum number of events that can be stored in the database.

To evaluate the event load on the database, calculate the database space. You can also limit the maximum
number of events to avoid database overflow.

9 Reviewing license information

To review license information, go to the workspace of the Administration Server node, on the Statistics tab
open the Deployment second-level tab (page), and review the License key usage information panel. You can
also generate and review the Report on usage of license keys.

Results

Upon completion of the scenario, you are informed about protection of your organization's network and, thus, can
plan actions for further protection.

Monitoring traffic lights and logged events in Administration Console

Administration Console allows you to quickly assess the current status of Kaspersky Security Center and managed
devices by checking traffic lights. The traffic lights are shown in the workspace of the Administration Server node,
on the Monitoring tab. The tab provides six information panels with traffic lights and logged events. A traffic light
is a colored vertical bar on the left side of a panel. Each panel with a traffic light corresponds to a specific
functional scope of Kaspersky Security Center (see the table below).

Scopes covered by traffic lights in Administration Console

Panel name | Traffic light scope
Deployment | Installing Network Agent and security applications on devices on an organization's network
Management scheme | Structure of administration groups. Network scanning. Device moving rules
Protection settings | Security application functionality: protection status, virus scanning
Update | Updates and patches
Monitoring | Protection status
Administration Server | Administration Server features and properties

Each traffic light can be any of these five colors (see the table below). The color of a traffic light depends on the
current status of Kaspersky Security Center and on events that were logged.

Color codes of traffic lights

Status | Traffic light color | Traffic light color meaning
Informational | Green | Administrator's intervention is not required.
Warning | Yellow | Administrator's intervention is required.
Critical | Red | Serious problems have been encountered. Administrator's intervention is required to solve them.
Informational | Light blue | Events have been logged that are unrelated to potential or actual threats to the security of managed devices.

The administrator's goal is to keep traffic lights on all of the information panels on the Monitoring tab green.

The information panels also show logged events that affect traffic lights and the status of Kaspersky Security
Center (see the table below).

Name, description, and traffic light colors of logged events

Description column: not legible in the source; the traffic light color, event type display name, and event type are listed.

Traffic light color | Event type display name | Event type
Red | License expired on %1 device(s) | IDS_AK_STATUS_LIC_EXPAIRED
Red | Security application is not running on: %1 device(s) | IDS_AK_STATUS_AV_NOT_RUNNING
Red | Protection is disabled on: %1 device(s) | IDS_AK_STATUS_RTP_NOT_RUNNING
Red | A software vulnerability has been detected on devices | IDS_AK_STATUS_VULNERABILITIES_FOUND
Red | Critical events have been registered on the Administration Server | IDS_AK_STATUS_EVENTS_OCCURED
Red | Errors have been logged in events on the Administration Server | IDS_AK_STATUS_ERROR_EVENTS_OCCURED
Red | Lost connection to %1 device(s) | IDS_AK_STATUS_ADM_LOST_CONTROL1
Red | %1 device(s) have not connected to the Administration Server in a long time | IDS_AK_STATUS_ADM_NOT_CONNECTED1
Red | %1 device(s) have a status other than OK | IDS_AK_STATUS_HOST_NOT_OK
Red | Databases are outdated on: %1 device(s) | IDS_AK_STATUS_UPD_HOSTS_NOT_UPDATED
Red | Device(s) where check for Windows Update updates has not been performed in a long time: %1 | IDS_AK_STATUS_WUA_DATA_OBSOLETE
Red | %1 plug-in(s) for Kaspersky Security Center 14 must be installed | IDS_AK_STATUS_PLUGINS_REQUIRED2
Red | Active threats are detected on %1 device(s) | IDS_AK_STATUS_NONCURED_FOUND
Red | Task %1 has completed with an error | IDS_AK_STATUS_TASK_FAILED
Red | Too many viruses have been detected on: %1 device(s) | IDS_AK_STATUS_TOO_MANY_THREATS
Red | Virus outbreak | IDS_AK_STATUS_VIRUS_OUTBREAK
Red | Databases in the repository have not been updated in a long time | IDS_AK_STATUS_UPD_SERVER_NOT_UPTODATE
Yellow | Databases in the repository have not been updated in a long time | IDS_AK_STATUS_UPD_SERVER_NOT_UPTODATE
Yellow | Conflict of NetBIOS names has been detected on devices | IDS_AK_STATUS_ADM_NAME_CONFLICT
Yellow | On %s device(s), data encryption has switched to the status specified in the device status detection criteria | IDS_AK_STATUS_ENCRYPTION_FAULTS_FOUND
Yellow | License %1 expires in %2 days | IDS_AK_STATUS_LIC_EXPAIRING
Yellow | Unassigned devices that have Network Agent installed: %1 | IDS_AK_STATUS_NAGENTS_IN_UNASSIGNED
Yellow | Network Agents on %1 device(s) cannot run until restart. For the previous time, this status was %2 | IDS_AK_STATUS_NAGENTS_NOT_RUNNING_UNTIL_REBOOT
Yellow | Detected files must be sent to Kaspersky for further analysis | IDS_AK_STATUS_NEW_APS_FILE_APPEARED
Yellow | Managed device(s): %1. Security application is installed on: %2 device(s) | IDS_AK_STATUS_NO_AV
Yellow | Installation task %1 has completed successfully on %2 device(s); restart is required on %3 device(s) | IDS_AK_STATUS_RI_NEED_REBOOT
Yellow | Malware scan has not been performed in a long time on: %1 device(s) | IDS_AK_STATUS_SCAN_LATE
Yellow | Device(s) with software vulnerabilities detected: %1 | IDS_AK_STATUS_VULNERABLE_HOSTS_FOUND
Green | Managed device(s): %3. Unassigned device(s) detected: %1 | IDS_AK_STATUS_ADM_OK1
Green | Security application is installed on all managed devices | IDS_AK_STATUS_DEPLOYMENT_OK
Green | Kaspersky Security Center is functioning properly | IDS_AK_STATUS_GENERAL_OK
Green | Real-time protection application is not installed | IDS_AK_STATUS_RTP_NA
Green | Protection is enabled | IDS_AK_STATUS_RTP_OK
Green | Security application is not installed | IDS_AK_STATUS_SCAN_NA
Green | Malware scan is running on schedule | IDS_AK_STATUS_SCAN_OK
Green | Updates repository has been last updated: %1 | IDS_AK_STATUS_UPD_OK
Light blue | Databases in the repository have not been updated in a long time | IDS_AK_STATUS_UPD_SERVER_NOT_UPTODATE
Light blue | The accepted Kaspersky Security Network Statement is obsolete | IDS_AK_STATUS_ACCEPTED_KSN_AGREEMENT_OBSOLETE
Light blue | Kaspersky software updates have not been approved | IDS_AK_STATUS_APPLICABLE_KL_PATCHES_NOT_APPROVED
Light blue | Kaspersky application updates have been revoked | IDS_AK_STATUS_APPLICABLE_KL_PATCHES_REVOKED
Light blue | End User License Agreement for Kaspersky mobile software has not been accepted | IDS_AK_STATUS_KL_MOBILE_EULAS_NOT_ACCEPTED
Light blue | End User License Agreement for Kaspersky software updates has not been accepted | IDS_AK_STATUS_KL_PATCHES_EULAS_NOT_ACCEPTED
Light blue | KSN End User License Agreement for Kaspersky software updates has not been accepted | IDS_AK_STATUS_KL_PATCHES_KSN_AGREEMENTS_NOT_ACCEPTED
Light blue | You must accept the License Agreement to install updates | IDS_AK_STATUS_NEED_ACCEPT_EULA
Light blue | New versions of Kaspersky applications are available | IDS_AK_STATUS_NEW_DISTRIBUTIVES_AVAILABLE
Light blue | Updates are available for Kaspersky Security Center components | IDS_AK_STATUS_NEW_KSC_VERSIONS_AVAILABLE
Light blue | Updates are available for Kaspersky applications | IDS_AK_STATUS_NEW_VERSIONS_AVAILABLE
Light blue | Application installation task %1 has completed successfully on %2 device(s), failed on %3 device(s) | IDS_AK_STATUS_RI_FAILED
Light blue | Running deployment task - %1 (%2%%) | IDS_AK_STATUS_RI_RUNNING
Light blue | Full scan has never been performed on %1 device(s) | IDS_AK_STATUS_SCAN_NOT_SCANNED
Light blue | Running the update download task | IDS_AK_STATUS_UPD_SRV_UPDATE_IN_PROGRESS
(progress: %1 downloa
%%) running
manage

Working with reports, statistics, and notifications


This section provides information about how to work with reports, statistics, and selections of events and devices
in Kaspersky Security Center, as well as how to configure Administration Server notifications.

Working with reports

Reports in Kaspersky Security Center contain information about the status of managed devices. Reports are
generated based on information stored on Administration Server. You can create reports for the following types of
objects:

For device selections created according to specific settings.

For administration groups.

For specific devices from different administration groups.

For all devices on the network (in the deployment report).

The application has a selection of standard report templates. It is also possible to create custom report templates.
Reports are displayed in the main application window, in the Administration Server folder in the console tree.

Creating a report template


To create a report template:

1. In the console tree, select the node with the name of the required Administration Server.

2. In the workspace of the node, select the Reports tab.

3. Click the New report template button.

The New Report Template Wizard starts. Follow the instructions of the Wizard.

After the Wizard finishes its operation, the newly created report template is added to the selected Administration
Server folder in the console tree. You can use this template for generating and viewing reports.

Viewing and editing report template properties


You can view and edit basic properties of a report template, for example, the report template name or the fields
displayed in the report.

To view and edit properties of a report template:

1. In the console tree, select the node with the name of the required Administration Server.

2. In the workspace of the node, select the Reports tab.

3. In the list of report templates, select the required report template.

4. In the context menu of the selected report template, select Properties.


As an alternative, you can first generate the report, and then click either the Open report template properties
button or the Configure report columns button.

5. In the window that opens, edit the report template properties. Properties of each report may contain only
some of the sections described below.

General section:

Report template name

Maximum number of entries to display

If this option is enabled, the number of entries displayed in the table with detailed report data does
not exceed the specified value.
Report entries are first sorted according to the rules specified in the Fields → Details fields section
of the report template properties, and then only the first entries, up to the specified number, are kept. The
heading of the table with detailed report data shows the displayed number of entries and the total
available number of entries that match other report template settings.
If this option is disabled, the table with detailed report data displays all available entries. We do not
recommend that you disable this option. Limiting the number of displayed report entries reduces
the load on the database management system (DBMS) and reduces the time required for generating
and exporting the report. Some of the reports contain too many entries. If this is the case, you may
find it difficult to read and analyze them all. Also, your device may run out of memory while
generating such a report and, consequently, you will not be able to view the report.
By default, this option is enabled. The default value is 1000.

Print version

The report output is optimized for printing: space characters are added between some values for
better visibility.
By default, this option is enabled.

Fields section.
Select the fields that will be displayed in the report, and the order of these fields, and configure whether the
information in the report must be sorted and filtered by each of the fields.

Time interval section.


Modify the report period. Available values are as follows:

Between the two specified dates

From the specified date to the report creation date

From the report creation date, minus the specified number of days, to the report creation date

Group, Device selection, or Devices section.


Change the set of client devices for which the report is created. Only one of these sections may be present,
depending on the settings specified during the report template creation.

Settings section.
Change the settings of the report. The exact set of settings depends on the specific report.

Security section. Inherit settings from Administration Server

If this option is enabled, security settings of the report are inherited from the Administration Server.
If this option is disabled, you can configure security settings for the report. You can assign a role to a
user or a group of users or assign permissions to a user or a group of users, as applied to the report.
By default, this option is enabled.

The Security section is available if the Display security settings sections check box is selected in the
interface settings window.

Hierarchy of Administration Servers section:

Include data from secondary and virtual Administration Servers

If this option is enabled, the report includes the information from the secondary and virtual
Administration Servers that are subordinate to the Administration Server for which the report
template is created.
Disable this option if you want to view data only from the current Administration Server.
By default, this option is enabled.

Up to nesting level

The report includes data from secondary and virtual Administration Servers that are located under
the current Administration Server on a nesting level that is less than or equal to the specified value.
The default value is 1. Increase this value if you have to retrieve information from secondary
Administration Servers located at lower levels in the tree.

Data wait interval (min)

Before generating the report, the Administration Server for which the report template is created
waits for data from secondary Administration Servers during the specified number of minutes. If no
data is received from a secondary Administration Server by the end of this period, the report is generated
anyway. Instead of the actual data, the report shows data taken from the cache (if the Cache data
from secondary Administration Servers option is enabled), or N/A (not available) otherwise.
The default value is 5 (minutes).

Cache data from secondary Administration Servers

Secondary Administration Servers regularly transfer data to the Administration Server for which the
report template is created. There, the transferred data is stored in the cache.
If the current Administration Server cannot receive data from a secondary Administration Server
while generating the report, the report shows data taken from the cache. The date when the data
was transferred to the cache is also displayed.
Enabling this option allows you to view the information from secondary Administration Servers even
if the up-to-date data cannot be retrieved. However, the displayed data can be obsolete.
By default, this option is disabled.

Cache update frequency (h)

Secondary Administration Servers at regular intervals transfer data to the Administration Server for
which the report template is created. You can specify this period in hours. If you specify 0 hours,
data is transferred only when the report is generated.
The default value is 0.

Transfer detailed information from secondary Administration Servers


In the generated report, the table with detailed report data includes data from secondary
Administration Servers of the Administration Server for which the report template is created.
Enabling this option slows the report generation and increases traffic between Administration
Servers. However, you can view all data in one report.
Instead of enabling this option, you may want to analyze detailed report data to detect a faulty
secondary Administration Server, and then generate the same report only for that faulty
Administration Server.
By default, this option is disabled.
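How the hierarchy settings described above interact (nesting level, data wait interval, cache fallback and the N/A placeholder), shown as an added Python example rather than Kaspersky's own implementation. The server tree, the response latencies and the reported data are constructed for illustration; a server's latency stands in for a real query to a secondary Administration Server.

```python
from dataclasses import dataclass, field

NA = "N/A"

@dataclass
class Secondary:
    name: str
    latency_min: float          # constructed: minutes the server needs to answer the primary
    data: dict                  # constructed: what the server would report
    children: list = field(default_factory=list)

@dataclass
class HierarchySettings:
    include_secondary: bool = True   # "Include data from secondary and virtual Administration Servers"
    nesting_level: int = 1           # "Up to nesting level"
    data_wait_min: int = 5           # "Data wait interval (min)"
    use_cache: bool = False          # "Cache data from secondary Administration Servers"

def collect(secondaries, settings, cache, now):
    """Return {server name: report data} for every secondary within the nesting level.
    cache maps server name -> (data, time it was cached); fresh answers refresh it."""
    result = {}

    def visit(servers, level):
        if level > settings.nesting_level:
            return
        for s in servers:
            if s.latency_min <= settings.data_wait_min:       # answered within the wait interval
                result[s.name] = dict(s.data)
                cache[s.name] = (dict(s.data), now)
            elif settings.use_cache and s.name in cache:       # fall back to cached (possibly stale) data
                data, cached_at = cache[s.name]
                result[s.name] = {**data, "cached_at": cached_at}
            else:
                result[s.name] = NA                            # nothing available; the report runs anyway
            visit(s.children, level + 1)

    if settings.include_secondary:
        visit(secondaries, 1)
    return result

# Constructed tree: two secondaries under the primary, one with its own secondary (level 2).
TREE = [
    Secondary("sec-a", latency_min=1, data={"managed": 120},
              children=[Secondary("sec-a1", latency_min=2, data={"managed": 30})]),
    Secondary("sec-b", latency_min=9, data={"managed": 75}),   # slower than the 5 minute wait
]

if __name__ == "__main__":
    cache = {"sec-b": ({"managed": 70}, "2023-06-14 02:00")}
    print(collect(TREE, HierarchySettings(), cache, "2023-06-15 02:00"))
    print(collect(TREE, HierarchySettings(nesting_level=2, use_cache=True), cache, "2023-06-15 02:00"))
```

With the defaults, sec-b exceeds the wait interval and appears as N/A and sec-a1 is not visited at all; raising the nesting level to 2 and enabling the cache brings in sec-a1 and substitutes the cached value for sec-b together with the date it was cached, which is exactly the obsolete-data trade-off the text warns about.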

Extended filter format in report templates


In Kaspersky Security Center 14, you can apply the extended filter format to a report template. The extended filter
format provides more flexibility in comparison with the default format. You can create complex filtering conditions
by using a set of filters. When the report is generated, the field conditions inside each filter are combined with the
AND logical operator, and the filters themselves are combined with the OR logical operator, as shown below:

Filter[1](Field[1] AND Field[2] ... AND Field[n]) OR Filter[2](Field[1] AND Field[2] ... AND Field[n]) OR ... Filter[n](Field[1]
AND Field[2] ... AND Field[n])

Additionally, with the extended filter format you can set a time interval value in a relative time format (for example,
by using a "For last N days" condition) for specific fields in a filter. The availability and the set of time interval
conditions depend on the type of the report template.
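The OR-of-ANDs semantics above, including a relative "For last N days" condition, implemented as an added Python example (not code from Kaspersky Security Center). The report rows, the filter names and the tuple encoding of a field condition are assumptions made for illustration.

```python
from datetime import date, timedelta

# Constructed sample rows of a device report (not real Administration Server data).
TODAY = date(2023, 6, 15)
ROWS = [
    {"device": "ws-01", "group": "Workstations", "status": "Critical", "last_scan": date(2023, 6, 14)},
    {"device": "ws-02", "group": "Workstations", "status": "OK", "last_scan": date(2023, 5, 1)},
    {"device": "srv-01", "group": "Servers", "status": "Warning", "last_scan": date(2023, 6, 10)},
    {"device": "srv-02", "group": "Servers", "status": "OK", "last_scan": date(2023, 6, 13)},
]

def field_matches(row, field, condition, today=TODAY):
    """One Field[i] condition. Assumed encoding: ("eq", value) for equality,
    ("last_days", n) for the relative "For last N days" interval ending today."""
    kind, value = condition
    actual = row[field]
    if kind == "eq":
        return actual == value
    if kind == "last_days":
        return today - timedelta(days=value) <= actual <= today
    raise ValueError(f"unknown condition type {kind!r}")

def filter_matches(row, fields, today=TODAY):
    """Filter[k]: all of its field conditions must hold (AND). A filter with no
    conditions matches every row."""
    return all(field_matches(row, f, c, today) for f, c in fields.items())

def apply_extended_filter(rows, filters, today=TODAY):
    """Filter[1] OR Filter[2] OR ...; with no filters defined, nothing matches."""
    return [r for r in rows if any(filter_matches(r, f["fields"], today) for f in filters)]

def selected_devices(rows, filters, today=TODAY):
    return [r["device"] for r in apply_extended_filter(rows, filters, today)]

# Two named filters, as they would be listed in the Filters section of the template.
EXTENDED_FILTER = [
    {"name": "Critical workstations",
     "fields": {"group": ("eq", "Workstations"), "status": ("eq", "Critical")}},
    {"name": "Servers scanned in the last 3 days",
     "fields": {"group": ("eq", "Servers"), "last_scan": ("last_days", 3)}},
]

if __name__ == "__main__":
    print(selected_devices(ROWS, EXTENDED_FILTER))  # ['ws-01', 'srv-02']
```

Note the asymmetry that the formula implies and the code preserves: a filter with no field conditions is an AND over nothing and therefore matches everything, whereas a template with no filters at all is an OR over nothing and matches no rows.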

Converting the filter into the extended format

The extended filter format for report templates is supported only in Kaspersky Security Center 12 and later
versions. After conversion of the default filter into the extended format, the report template becomes
incompatible with Administration Servers on your network that have earlier versions of Kaspersky Security
Center installed. Information from these Administration Servers will not be received for the report.

To convert the report template default filter into the extended format:

1. In the console tree, select the node with the name of the required Administration Server.

2. In the workspace of the node, select the Reports tab.

3. In the list of report templates, select the required report template.

4. In the context menu of the selected report template, select Properties.

5. In the properties window that opens, select the Fields section.

6. On the Details fields tab, click the Convert filter link.

7. In the window that opens, click the OK button.

Conversion into the extended filter format is irreversible for the report template to which it is applied. If
you clicked the Convert filter link accidentally, you can cancel the changes by clicking the Cancel button in
the report template properties window.

8. To apply the changes, close the report template properties window by clicking the OK button.
When the report template properties window opens again, the newly available Filters section is displayed. In
this section you can configure the extended filter.

Configuring the extended filter


To configure the extended filter in the report template properties:

1. In the console tree, select the node with the name of the required Administration Server.

2. In the workspace of the node, select the Reports tab.

3. In the list of report templates, select the report template that was previously converted to the extended filter
format.

4. In the context menu of the selected report template, select Properties.

5. In the properties window that opens, select the Filters section.


The Filters section is not displayed if the report template was not previously converted to the extended filter
format.
In the Filters section of the report template properties window you can review and modify the list of filters
applied to the report. Each filter in the list has a unique name and represents a set of conditions for the corresponding
fields in the report.

6. Open the filter settings window in one of the following ways:

To create a new filter, click the Add button.

To modify an existing filter, select the required filter and click the Modify button.

7. In the window that opens, select and specify the values of the required fields of the filter.

8. Click the OK button to save changes and close the window.


If you are creating a new filter, the filter name must be specified in the Filter name field before clicking the OK
button.

9. Close the report template properties window by clicking the OK button.


The extended filter in the report template is configured. Now you can create reports by using this report
template.

Creating and viewing a report


To create and view a report:

1. In the console tree, select the node with the name of the required Administration Server.

2. In the workspace of the node, select the Reports tab.

3. In the list of report templates, double-click the report template that you need.
A report for the selected template is displayed.

The report displays the following data:

The name and type of report, a brief description and the reporting period, as well as information about the
group of devices for which the report is generated.

Graph chart showing the most representative report data.

Consolidated table with calculated report indicators.

Table with detailed report data.

Saving a report
To save a created report:

1. In the console tree, select the node with the name of the required Administration Server.

2. In the workspace of the node, select the Reports tab.

3. In the list of report templates, select the report template that you need.

4. In the context menu of the selected report template, select Save.

The Report Saving Wizard starts. Follow the instructions of the Wizard.

After the Wizard finishes, the folder opens to which you have saved the report file.

When you save a report as an XLS file, all related images, such as the logo and the chart, are saved as
separate files.

Creating a report delivery task


Reports can be emailed. Delivery of reports in Kaspersky Security Center is carried out using the report delivery
task.

To create a delivery task for a single report:

1. In the console tree, select the node with the name of the required Administration Server.

2. In the workspace of the node, select the Reports tab.

3. In the list of report templates, select the report template that you need.

4. In the context menu of the selected report template, select Deliver reports.

The Report Delivery Task Creation Wizard starts. Follow the instructions of the Wizard.

To create a delivery task for multiple reports:

1. In the console tree, under the node with the name of the required Administration Server, select the Tasks
folder.

2. In the workspace of the Tasks folder, click the Create a task button.

The Add Task Wizard starts. Follow the instructions of the Wizard.

The newly created report delivery task is displayed in the Tasks folder in the console tree.

The report delivery task is created automatically if the email settings were specified during Kaspersky
Security Center installation.

Step 1. Selecting the task type


In the Select the task type window, in the list of tasks select Deliver reports as the task type.

Click Next to proceed to the next step.


Step 2. Selecting the report type
In the Select report type window, in the list of task creation templates, select the type of report.

Click Next to proceed to the next step.


Step 3. Actions on a report
In the Action to apply to reports window, specify the following settings:

Send reports by email

If this option is enabled, the application sends generated reports by email.


You can configure the report sending by email by clicking the Email notification settings link. The link is
available if this option is enabled.
If this option is disabled, the application saves reports in the specified folder to store them.
By default, this option is disabled.

Save reports to shared folder

If this option is enabled, the application saves reports to the folder that is specified in the field under the
check box. To save reports to a shared folder, specify the UNC path to the folder. In this case, in the
Selecting an account to run the task window, you must specify the user account and password for
accessing this folder.
If this option is disabled, the application does not save reports to the folder and sends them by email
instead.
By default, this option is disabled.

Overwrite older reports of the same type

If this option is enabled, the new report file at each task startup overwrites the file that was saved in the
reports folder at the previous task startup.
If this option is disabled, report files will not be overwritten. A new report file is stored in the reports folder
at each task run.
The check box is available if the Save reports to shared folder option is selected.
By default, this option is disabled.

Specify account for access to shared folder

If this option is enabled, you can specify the account under which the report will be saved to the folder. If a
UNC path to a shared folder is specified in the Save reports to shared folder field in the Action to apply
to reports window, you must specify the user account and password for accessing this folder. Use a
dedicated account that has write access only to that share: its credentials are stored in the task, and the
reports it writes contain information about the status of your managed devices.
If this option is disabled, the report is saved to the folder under the account of Administration Server.
The check box is available if the Save reports to shared folder option is selected.
By default, this option is disabled.

When you save or send a report as an XLS file, all related images, such as the logo and the chart, are saved as
separate files.

Click Next to proceed to the next step.


Step 4. Selecting the account to start the task
In the Selecting an account to run the task window, you can specify which account to use when running the task.
Select one of the following options:

Default account

The task will be run under the same account as the application that performs this task.
By default, this option is selected.

Specify account

Fill in the Account and Password fields to specify the details of an account under which the task is run.
The account must have sufficient rights for this task.

Account

Account under which the task is run.

Password

Password of the account under which the task will be run.

Click Next to proceed to the next step.


Step 5. Configuring a task schedule
On the Configure task schedule Wizard page, you can create a schedule for task start. If necessary, define the
following settings:

Scheduled start:

Select the schedule according to which the task runs, and configure the selected schedule.

Every N hours

The task runs regularly, with the specified interval in hours, starting from the specified date and time.
By default, the task runs every six hours, starting from the current system date and time.

Every N days

The task runs regularly, with the specified interval in days. Additionally, you can specify a date and time
of the first task run. These additional options become available if they are supported by the application
for which you create the task.
By default, the task runs every day, starting from the current system date and time.

Every N weeks

The task runs regularly, with the specified interval in weeks, on the specified day of week and at the
specified time.
By default, the task runs every Monday at the current system time.

Every N minutes

The task runs regularly, with the specified interval in minutes, starting from the specified time on the day
that the task is created.
By default, the task runs every 30 minutes, starting from the current system time.

Daily (daylight saving time is not supported)

The task runs regularly, with the specified interval in days. This schedule does not observe daylight
saving time (DST): when clocks jump one hour forward or backward at the beginning or end of DST, the
actual task start time does not shift with them.
We do not recommend that you use this schedule. It is kept only for backward compatibility of Kaspersky
Security Center.
By default, the task starts every day at the current system time.

Weekly

The task runs every week on the specified day and at the specified time.

By days of week

The task runs regularly, on the specified days of week, at the specified time.
By default, the task runs every Friday at 6:00:00 PM.

Monthly

The task runs regularly, on the specified day of the month, at the specified time.
In months that lack the specified day, the task runs on the last day of the month.
By default, the task runs on the first day of each month, at the current system time.
Manually

The task does not run automatically. You can only start it manually.
By default, this option is enabled.

Every month on specified days of selected weeks

The task runs regularly, on the specified days of each month, at the specified time.
By default, no days of month are selected; the default start time is 6:00:00 PM.

On virus outbreak

The task runs after a Virus outbreak event occurs. Select application types that will monitor virus
outbreaks. The following application types are available:
Anti-virus for workstations and file servers

Anti-virus for perimeter defense

Anti-virus for mail systems


By default, all application types are selected.
You may want to run different tasks depending on the anti-virus application type that reports a virus
outbreak. In this case, remove the selection of the application types that you do not need.

On completing another task

The current task starts after another task completes. You can select how the previous task must
complete (successfully or with error) to trigger the start of the current task. For example, you may want
to run the Manage devices task with the Turn on the device option and, after it completes, run the
Virus scan task.

Run missed tasks

This option determines the behavior of a task if a client device is not visible on the network when the task
is about to start.
If this option is enabled, the system attempts to start the task the next time the Kaspersky application is
run on the client device. If the task schedule is Manually, Once or Immediately, the task is started
immediately after the device becomes visible on the network or immediately after the device is included in
the task scope.
If this option is disabled, only scheduled tasks run on client devices; for Manually, Once and Immediately,
tasks run only on those client devices that are visible on the network. For example, you may want to disable
this option for a resource-consuming task that you want to run only outside of business hours.
By default, this option is enabled.

Use automatically randomized delay for task starts

If this option is enabled, the task is started on client devices randomly within a specified time interval, that
is, distributed task start. A distributed task start helps to avoid a large number of simultaneous requests by
client devices to the Administration Server when a scheduled task is running.
The distributed start time is calculated automatically when a task is created, depending on the number of
client devices to which the task is assigned. Later, the task is always started on the calculated start time.
However, when task settings are edited or the task is started manually, the calculated value of the task
start time changes.
If this option is disabled, the task starts on client devices according to the schedule.

Use randomized delay for task starts within an interval of (min)

If this option is enabled, the task is started on client devices randomly within the specified time interval. A
distributed task start helps to avoid a large number of simultaneous requests by client devices to the
Administration Server when a scheduled task is running.
If this option is disabled, the task starts on client devices according to the schedule.
By default, this option is disabled. The default time interval is one minute.
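Three of the schedule rules above, worked through as an added Python example (not Kaspersky's scheduler): the Monthly rule's fallback to the last day of a short month, the Every N hours rule counted from a fixed start date and time, and a randomized start delay within an interval. Deriving each device's offset from a hash of the task and device identifiers is this example's own choice, made so that the spread is stable across runs; the text only says that the distributed start time is calculated from the number of devices.

```python
import calendar
import hashlib
from datetime import datetime, timedelta

def monthly_run(year, month, day_of_month, hour=0, minute=0):
    """'Monthly': run on day_of_month; in months that lack that day, on the last day."""
    last_day = calendar.monthrange(year, month)[1]
    return datetime(year, month, min(day_of_month, last_day), hour, minute)

def next_every_n_hours(start, now, n):
    """'Every N hours' from a fixed start date/time: the first run strictly after now."""
    step = timedelta(hours=n)
    if now < start:
        return start
    periods_done = (now - start) // step
    return start + (periods_done + 1) * step

def offset_seconds(task_id, device_id, interval_min):
    """Per (task, device) offset in [0, interval_min * 60): the same device always lands
    in the same slot for a given task, while different devices spread over the interval."""
    digest = hashlib.sha256(f"{task_id}:{device_id}".encode()).digest()
    return int.from_bytes(digest[:4], "big") % (interval_min * 60)

def randomized_start(scheduled, task_id, device_id, interval_min):
    """'Use randomized delay for task starts within an interval of (min)'."""
    return scheduled + timedelta(seconds=offset_seconds(task_id, device_id, interval_min))

def spread(scheduled, task_id, device_ids, interval_min):
    return {d: randomized_start(scheduled, task_id, d, interval_min) for d in device_ids}

if __name__ == "__main__":
    print(monthly_run(2023, 2, 31, 18, 0))                                            # 2023-02-28 18:00:00
    print(next_every_n_hours(datetime(2023, 1, 1), datetime(2023, 1, 1, 13), 6))      # 2023-01-01 18:00:00
    # Constructed device list: a report delivery task spread over 30 minutes after 18:00.
    for dev, when in spread(datetime(2023, 6, 15, 18), "deliver-reports", ["ws-01", "ws-02", "srv-01"], 30).items():
        print(dev, when)
```

The Monthly clamp is the edge case worth a test: a task scheduled for the 31st must still run in February, and on the 29th only in a leap year.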

Step 6. Defining the task name


In the Define the task name window, specify the name for the task that you are creating. A task name cannot be
more than 100 characters long and cannot include any special characters ("*<>?\:|).

Click Next to proceed to the next step.


Step 7. Completing creation of the task
In the Finish task creation window, click the Finish button to finish the wizard.

If you want the task to start as soon as the wizard finishes, select the Run the task after the Wizard finishes
check box.

Managing statistics
Statistics on the status of the protection system and managed devices are displayed in information panels that
can be customized. Statistics are displayed in the workspace of the Administration Server node on the Statistics
tab. The tab contains some second-level tabs (pages). Each tabbed page displays information panels with
statistics, as well as links to corporate news and other materials from Kaspersky. The statistical information is
displayed in information panels as a table or chart (pie or bar). The data in the information panels is updated while
the application is running and reflects the current state of the protection application.

You can modify the set of second-level tabs on the Statistics tab, the number of information panels on each
tabbed page, and the data display mode in information panels.

To add a new second-level tab with information panels on the Statistics tab:

1. Click the Customize view button in the upper right corner of the Statistics tab.
The statistics properties window opens. This window contains a list of tabbed pages that are currently shown
on the Statistics tab. In this window, you can change the display order for the pages on the tab, add and
remove pages, and proceed to configuration of page properties by clicking the Properties button.

2. Click the Add button.


This opens the properties window of a new page.

3. Configure the new page:

In the General section, specify the page name.

In the Information panels section, click the Add button to add information panels that must be displayed on
the page.
Click the Properties button in the Information panels section to set up the properties of information
panels that you added: name, type, and appearance of the chart in the panel, as well as data required to plot
the chart.

4. Click OK.

The tabbed page with information panels that you have added appears on the Statistics tab. Click the settings
icon to proceed instantly to configuration of the page or a selected information panel on that page.

Configuring event notification


Kaspersky Security Center allows you to select a method of notifying the administrator of events on client devices
and to configure notification:

Email. When an event occurs, the application sends a notification to the specified email addresses. You can edit the
text of the notification.

SMS. When an event occurs, the application sends a notification to the specified phone numbers. You can
configure SMS notifications to be sent through the mail gateway.

Executable file. When an event occurs on a device, the executable file is started on the administrator's
workstation. Using the executable file, the administrator can receive the parameters of any event that has
occurred. Treat those parameters as untrusted input: values such as device names and event descriptions
originate on the managed devices, so a script should pass them as arguments rather than splice them into a
shell command line.

To configure notification of events occurring on client devices:

1. In the console tree, select the node with the name of the required Administration Server.

2. In the workspace of the node, select the Events tab.

3. Click the Configure notifications and event export link and select the Configure notifications value in the
drop-down list.
This opens the Properties: Events window.

4. In the Notification section, select a notification method (by email, by SMS, or by running an executable file) and
define the notification settings:

Email

The Email tab allows you to configure email notifications for events.
In the Recipients (email addresses) field, specify the email addresses to which the application will send
notifications. You can specify multiple addresses in this field, by separating them with semicolons.
In the SMTP servers field, specify mail server addresses, separating them with semicolons. You can use
the following values:
IPv4 or IPv6 address

Windows network name (NetBIOS name) of the device

DNS name of the SMTP server


In the SMTP server port field, specify the number of an SMTP server communication port. The default
port number is 25.
If you enable the Use DNS MX lookup option, Administration Server resolves the MX records of the
specified DNS name and can use several of them: the same DNS name may have several MX records with
different priority values. Administration Server attempts to send email notifications to the SMTP servers in
ascending order of MX record priority value (the lowest value first). By default, this option is disabled.

If you enable the Use DNS MX lookup option and do not enable the TLS settings, we recommend that you
enable DNSSEC validation on the Administration Server device as an additional measure of protection:
without TLS and without validated DNS answers, a spoofed MX record can redirect the notifications, and
everything they contain, to a server of the attacker's choosing.

Click the Settings link to define additional notification settings:


Subject name (subject name of an email message)

Sender email address

ESMTP authentication settings


You have to specify an account for authentication on an SMTP server if the ESMTP authentication
option is enabled for the SMTP server.
TLS settings for the SMTP server:

Do not use TLS

You can select this option if you want to disable encryption of email messages. Notifications, including
device names and event details, are then sent in plaintext.

Use TLS if supported by SMTP server

You can select this option if you want to use a TLS connection to an SMTP server. If the SMTP
server does not support TLS, Administration Server connects to the SMTP server without using
TLS. Because this is opportunistic encryption, an attacker on the network path who makes the server
appear not to support TLS silently downgrades the connection to plaintext.

Always use TLS, check the server certificate for validity

You can select this option if you want to use TLS authentication settings. If the SMTP server does
not support TLS, Administration Server cannot connect to the SMTP server.

We recommend that you use this option for better protection of the connection with an SMTP
server. If you select this option, you can set authentication settings for a TLS connection.
566
If you choose Always use TLS, check the server certi cate for validity value, you can specify a
certi cate for authentication of the SMTP server and choose whether you want to enable
communication through any version of TLS or only through TLS 1.2 or later versions. Also, you can
specify a certi cate for client authentication on the SMTP server.
You can specify TLS settings for an SMTP server:

Browse for an SMTP server certificate file:

You can receive a file with the list of certificates from a trusted certification authority and upload the
file to Administration Server. Kaspersky Security Center checks whether the certificate of an SMTP
server is also signed by a trusted certification authority. Kaspersky Security Center cannot connect to
an SMTP server if the certificate of the SMTP server is not received from a trusted certification
authority.

Browse for a client certificate file:

You can use a certificate that you received from any source, for example, from any trusted certification
authority. You must specify the certificate and its private key by using one of the following certificate
types:

X.509 certificate:

You must specify a file with the certificate and a file with the private key. The two files do not depend on
each other, and the order in which they are loaded is not significant. When both files are loaded, you must
specify the password for decoding the private key. The password can have an empty value if the private
key is not encoded.

pkcs12 container:

You must upload a single file that contains the certificate and its private key. When the file is loaded, you
must then specify the password for decoding the private key. The password can have an empty value if
the private key is not encoded.

The Notification message field contains standard text with information about the event that the
application sends when an event occurs. This text includes substitute parameters, such as event name,
device name, and domain name. You can edit the message text by adding other substitute parameters
with more relevant details of the event. The list of substitute parameters is available by clicking the
button to the right of the field.

If the notification text contains a percent sign (%), you have to type it twice in a row to allow message
sending. For example, "CPU load is 100%%".

Click the Configure numeric limit of notifications link to specify the maximum number of notifications
that the application can send during the specified time interval.

Click the Send test message button to check if you have configured notifications properly. The
application should send a test notification to the email addresses that you specified.
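As an added example (not Kaspersky's code), the following Python shows what the three TLS options on the Email tab amount to for an outgoing SMTP connection, and why only the third one authenticates the mail server. The host, port, certificate paths and the percent-sign helper are assumptions made for the example.

```python
import smtplib
import ssl

# Option names as they appear on the Email tab.
MODE_NO_TLS = "Do not use TLS"
MODE_OPPORTUNISTIC = "Use TLS if supported by SMTP server"
MODE_STRICT = "Always use TLS, check the server certificate for validity"


def build_tls_context(mode, ca_file=None, client_cert=None, client_key=None,
                      key_password=None, tls12_or_later=True):
    """Return the ssl.SSLContext that a TLS option implies (None = no TLS).

    MODE_NO_TLS: the session stays in cleartext.
    MODE_OPPORTUNISTIC: STARTTLS is used when the server offers it, but the
        server certificate is not verified and a server without STARTTLS is
        still accepted, so the mail server is never authenticated.
    MODE_STRICT: the certificate must chain to the uploaded CA bundle (ca_file)
        or the system trust store, the host name must match, TLS 1.2 is the
        floor when tls12_or_later is set, and an optional client certificate
        with its private key is presented to the server.
    """
    if mode == MODE_NO_TLS:
        return None
    if mode == MODE_OPPORTUNISTIC:
        ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
        ctx.check_hostname = False          # must be cleared before CERT_NONE
        ctx.verify_mode = ssl.CERT_NONE
        return ctx
    if mode == MODE_STRICT:
        # PROTOCOL_TLS_CLIENT defaults to CERT_REQUIRED with host name checking.
        ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
        if ca_file:
            ctx.load_verify_locations(cafile=ca_file)   # uploaded CA bundle
        else:
            ctx.load_default_certs()                    # system trust store
        if tls12_or_later:
            ctx.minimum_version = ssl.TLSVersion.TLSv1_2
        if client_cert:
            # Client certificate plus private key (PEM); key password optional.
            ctx.load_cert_chain(client_cert, client_key, password=key_password)
        return ctx
    raise ValueError(f"unknown TLS option: {mode!r}")


def summarize_policy(ctx):
    """(transport, server_authenticated, minimum TLS version name) for a context."""
    if ctx is None:
        return ("cleartext", False, None)
    authenticated = ctx.verify_mode == ssl.CERT_REQUIRED and ctx.check_hostname
    return ("tls", authenticated, ctx.minimum_version.name)


def escape_notification_text(text):
    """Double literal percent signs as the Notification message field requires,
    e.g. "CPU load is 100%" becomes "CPU load is 100%%". Assumes the text holds
    no already-doubled signs."""
    return text.replace("%", "%%")


def send_notification(host, port, mode, sender, recipients, subject, body,
                      **tls_kw):
    """Deliver one message honouring the chosen TLS option (makes a network call)."""
    ctx = build_tls_context(mode, **tls_kw)
    message = (f"From: {sender}\r\nTo: {', '.join(recipients)}\r\n"
               f"Subject: {subject}\r\n\r\n{escape_notification_text(body)}")
    with smtplib.SMTP(host, port, timeout=30) as smtp:
        smtp.ehlo()
        if ctx is not None and smtp.has_extn("starttls"):
            smtp.starttls(context=ctx)   # strict mode raises on a bad certificate
            smtp.ehlo()
        elif ctx is not None and mode == MODE_STRICT:
            raise RuntimeError("SMTP server offers no STARTTLS; refusing to send")
        # Opportunistic mode without STARTTLS falls through and sends in the clear.
        smtp.sendmail(sender, recipients, message)


if __name__ == "__main__":
    # Assumed host and placeholder paths; replace with real values before use.
    send_notification("smtp.example.test", 25, MODE_STRICT,
                      "ksc@example.test", ["admin@example.test"],
                      "Test", "CPU load is 100%",
                      ca_file="/path/to/trusted-ca-bundle.pem")
```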

SMS

The SMS tab allows you to configure the transmission of SMS notifications of various events to a cell
phone. SMS messages are sent through a mail gateway.

In the Recipients (email addresses) field, specify the email addresses to which the application will send
notifications. You can specify multiple addresses in this field by separating them with semicolons. The
notifications will be delivered to the phone numbers associated with the specified email addresses.

In the SMTP servers field, specify mail server addresses, separating them with semicolons. You can use
the following values:
IPv4 or IPv6 address

Windows network name (NetBIOS name) of the device

DNS name of the SMTP server


In the SMTP server port field, specify the number of an SMTP server communication port. The default
port number is 25.

Click the Settings link to define additional notification settings:
Subject name (subject name of an email message)

Sender email address

ESMTP authentication settings


If necessary, you can specify an account for authentication on an SMTP server if the option of ESMTP
authentication is enabled for the SMTP server.
TLS settings for an SMTP server

You can disable usage of TLS, use TLS if the SMTP server supports this protocol, or you can force
usage of TLS only. If you choose to use only TLS, you can specify a certificate for authentication of the
SMTP server and choose whether you want to enable communication through any version of TLS or
only through TLS 1.2 or later versions. Also, if you choose to use only TLS, you can specify a certificate
for client authentication on the SMTP server.

Browse for an SMTP server certificate file

You can receive a file with the list of certificates from a trusted certification authority and upload the
file to Kaspersky Security Center. Kaspersky Security Center checks whether the certificate of the
SMTP server is also signed by a trusted certification authority. Kaspersky Security Center cannot
connect to the SMTP server if the certificate of the SMTP server is not received from a trusted
certification authority.

You must upload a single file that contains the certificate and its private key. When the file is loaded, you
must then specify the password for decoding the private key. The password can have an empty value if
the private key is not encoded.

The Notification message field contains standard text with information about the event that the
application sends when an event occurs. This text includes substitute parameters, such as event name,
device name, and domain name. You can edit the message text by adding other substitute parameters
with more relevant details of the event. The list of substitute parameters is available by clicking the
button to the right of the field.

If the notification text contains a percent sign (%), you have to type it twice in a row to allow message
sending. For example, "CPU load is 100%%".

Click the Configure numeric limit of notifications link to specify the maximum number of notifications
that the application can send during the specified time interval.

Click the Send test message button to check whether you configured notifications properly. The
application should send a test notification to the recipient that you specified.

Executable file to be run

If this notification method is selected, in the entry field you can specify the application that will start
when an event occurs.

Clicking the Configure numeric limit of notifications link allows you to specify the maximum number of
notifications that the application can send during the specified time interval.

Clicking the Send test message button allows you to check whether you configured notifications
properly: the application sends a test notification to the email addresses that you specified.

5. In the Notification message field, enter the text that the application will send when an event occurs.
You can use the drop-down list to the right of the text field to add substitution settings with event details (for
example, event description, or time of occurrence).

If the notification text contains a percent sign (%), you must specify it twice in succession to allow message
sending. For example, "CPU load is 100%%".

6. Click the Send test message button to check whether notification has been configured correctly.
The application sends a test notification to the specified user.

7. Click OK to save the changes.

The re-adjusted notification settings are applied to all events that occur on client devices.

You can override notification settings for certain events in the Event configuration section of the Administration
Server settings, of the settings of a policy, or of the settings of an application.

Creating a certificate for an SMTP server


To create a certificate for an SMTP server:

1. In the console tree, select the node with the name of the required Administration Server.

2. In the workspace of the node, select the Events tab.

3. Click the Configure notifications and event export link and select the Configure notifications value in the
drop-down list.
The event properties window opens.

4. On the Email tab, click the Settings link to open the Settings window.

5. In the Settings window, click the Specify certificate link to open the Certificate for signing window.

6. In the Certificate for signing window, click the Browse button.
The Certificate window opens.

7. In the Certificate type drop-down list, specify the public or private type of certificate:

If the private type of certificate (PKCS #12 container) is selected, specify the certificate file and the
password.

If the public type of certificate (X.509 certificate) is selected:

a. Specify the private key file (one with the *.prk or *.pem extension).

b. Specify the private key password.

c. Specify the public key file (one with the *.cer extension).

8. Click OK.

The certificate for the SMTP server is issued.

Event selections
Information about events in the operation of Kaspersky Security Center and managed applications is saved both in
the Administration Server database and in the Microsoft Windows system log. You can view information from the
Administration Server database in the workspace of the Administration Server node, on the Events tab.

Information on the Events tab is represented as a list of event selections. Each selection includes events of a
specific type only. For example, the "Device status is Critical" selection contains only records about changes of
device statuses to "Critical". After application installation, the Events tab contains some standard event
selections. You can create additional (custom) event selections or export event information to a file.

Viewing an event selection


To view the event selection:

1. In the console tree, select the node with the name of the required Administration Server.

2. In the workspace of the node, select the Events tab.

3. In the Event selections drop-down list, select the relevant event selection.
If you want events from this selection to be continuously displayed in the workspace, click the star icon
next to the selection.

The workspace will display a list of events, stored on the Administration Server, of the selected type.

You can sort information in the list of events in ascending or descending order in any column.

Customizing an event selection


To customize an event selection:

1. In the console tree, select the node with the name of the required Administration Server.

2. In the workspace of the node, select the Events tab.

3. Open the relevant event selection on the Events tab.

4. Click the Selection properties button.


In the event selection properties window that opens, you can configure the event selection.

Creating an event selection


To create an event selection:

1. In the console tree, select the node with the name of the required Administration Server.

2. In the workspace of the node, select the Events tab.

3. Click the Create a selection button.

4. In the New event selection window that opens, enter the name of the new selection and click OK.

A selection with the name that you specified is created in the Event selections drop-down list.

By default, a created event selection contains all events stored on the Administration Server. To cause a selection
to display only the events you want, you must customize the selection.

Exporting an event selection to a text file


To export an event selection to a text file:

1. In the console tree, select the node with the name of the required Administration Server.

2. In the workspace of the node, select the Events tab.

3. Click the Import/Export button.

4. In the drop-down list, select Export events to file.

The Events Export Wizard starts. Follow the instructions of the Wizard.

Deleting events from a selection


To delete events from a selection:

1. In the console tree, select the node with the name of the relevant Administration Server.

2. In the workspace of the node, select the Events tab.

3. Select the events that you want to delete by using a mouse, the Shift key, or the Ctrl key.

4. Delete the selected events in one of the following ways:

By selecting Delete in the context menu of any of the selected events.


If you select the Delete All item from the context menu, all displayed events will be deleted from the
selection, regardless of your choice of events to delete.

By clicking the Delete event link (if one event is selected) or the Delete events link (if several events are
selected) in the information box for these events.

The selected events are deleted.

Adding applications to exclusions by user requests


When you receive user requests to unblock erroneously blocked applications, you can create an exclusion from the
Adaptive Security rules for these applications. Consequently, the applications will no longer be blocked on users'
devices. You can track the number of user requests on the Monitoring tab of Administration Server.

To add applications blocked by Kaspersky Endpoint Security to exclusions by user requests:

1. In the console tree, select the node with the name of the required Administration Server.

2. In the workspace of the node, select the Events tab.

3. In the Event selections drop-down list, select User requests.

4. Right-click the user request (or several user requests) containing applications that you want to add to
exclusions, and then select Add exclusion.
This starts the Add Exclusion Wizard. Follow its instructions.

The selected applications will be excluded from the Triggering of rules in Smart Training state list (under
Repositories in the console tree) after the next synchronization of the client device with the Administration
Server, and will no longer appear in the list.

Device selections
Information about the status of devices is displayed in the Device selections folder in the console tree.

Information in the Device selections folder is displayed as a list of device selections. Each selection contains
devices that meet specific conditions. For example, the Devices with Critical status selection contains only
devices with the Critical status. After application installation, the Device selections folder contains some standard
selections. You can create additional (custom) device selections, export selection settings to a file, or create
selections with settings imported from another file.

Viewing a device selection


To view a device selection:

1. In the console tree, select the Device selections folder.

2. In the workspace of the folder, in the Devices in this selection list, select the relevant device selection.

3. Click the Run selection button.

4. Click the Selection results tab.

The workspace will display a list of devices that meet the selection criteria.

You can sort the information in the list of devices in ascending or descending order, in any column.

Configuring a device selection


To configure a device selection:

1. In the console tree, select the Device selections folder.

2. In the workspace, click the Selection tab, and then click the relevant device selection in the list of user
selections.

3. Click the Selection properties button.

4. In the properties window that opens, specify the following settings:

General selection properties.

Conditions that must be met for including devices in this selection. You can configure the conditions after
selecting a condition name and clicking the Properties button.

Security settings.

5. Click OK.

The settings are applied and saved.

Below are descriptions of the conditions for assigning devices to a selection. Conditions are combined by using
the OR logical operator: the selection will contain devices that comply with at least one of the listed conditions.

General

In the General section, you can change the name of the selection condition and specify whether that condition
must be inverted:
Invert selection condition

If this option is enabled, the specified selection condition will be inverted. The selection will include all devices
that do not meet the condition.
By default, this option is disabled.

Network

In the Network section, you can specify the criteria that will be used to include devices in the selection according
to their network data:

Device name or IP address

Windows network name (NetBIOS name) of the device, or the IPv4 or IPv6 address.

Windows domain

Displays all devices included in the speci ed Windows domain.

Administration group

Displays devices included in the speci ed administration group.

Description

Text in the device properties window: In the Description field of the General section.
To describe text in the Description field, you can use the following characters:
Within a word:

*. Replaces any string with any number of characters.

Example:
To describe words such as Server or Server's, you can enter Server*.

?. Replaces any single character.

Example:
To describe words such as Window or Windows, you can enter Windo?.
An asterisk (*) or question mark (?) cannot be used as the first character in the query.

To find several words:

Space. Displays all the devices whose descriptions contain any of the listed words.

Example:
To find a phrase that contains the word Secondary or the word Virtual, you can include the Secondary Virtual
line in your query.

+. When a plus sign precedes a word, all search results will contain this word.

Example:
To find a phrase that contains both Secondary and Virtual, enter the +Secondary+Virtual query.

-. When a minus sign precedes a word, no search results will contain this word.

Example:
To find a phrase that contains Secondary and does not contain Virtual, enter the +Secondary-Virtual query.

"<some text>". Text enclosed in quotation marks must be present in the text.

Example:
To find a phrase that contains the Secondary Server word combination, you can enter "Secondary
Server" in the query.

IP range

If this option is enabled, you can enter the initial and final IP addresses of the IP range in which the relevant
devices must be included.
By default, this option is disabled.
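As an added example (not part of the Kaspersky documentation or product), the following Python implements the Description query rules listed above over a constructed set of device descriptions. It assumes case-insensitive, whole-word matching for words and wildcards, and case-insensitive substring matching for quoted phrases; the product's exact matching rules are not stated on this page.

```python
import re

# One token is either a "quoted phrase" or an optional +/- sign followed by a word.
TOKEN_RE = re.compile(r'"([^"]*)"|([+-]?)([^\s"+-]+)')


def parse_query(query):
    """Split a Description query into (any_words, required, excluded, phrases)."""
    query = query.strip()
    if query[:1] in ("*", "?"):
        raise ValueError("'*' and '?' cannot be the first character in the query")
    any_words, required, excluded, phrases = [], [], [], []
    for phrase, sign, word in TOKEN_RE.findall(query):
        if word == "":                 # quoted phrase token (skip an empty "")
            if phrase:
                phrases.append(phrase)
        elif sign == "+":
            required.append(word)      # every result must contain this word
        elif sign == "-":
            excluded.append(word)      # no result may contain this word
        else:
            any_words.append(word)     # space-separated words: at least one must match
    return any_words, required, excluded, phrases


def _pattern(word):
    """Translate a word with * and ? wildcards into a regex for one whole word."""
    parts = []
    for ch in word:
        if ch == "*":
            parts.append(".*")         # any string of any length
        elif ch == "?":
            parts.append(".")          # exactly one character
        else:
            parts.append(re.escape(ch))
    return re.compile("".join(parts), re.IGNORECASE)


def _has_word(word, words):
    pattern = _pattern(word)
    return any(pattern.fullmatch(w) for w in words)


def matches(description, query):
    """Return True if a device description satisfies the query."""
    any_words, required, excluded, phrases = parse_query(query)
    words = description.split()
    normalized = " ".join(words).lower()
    if any(_has_word(w, words) for w in excluded):
        return False
    if not all(_has_word(w, words) for w in required):
        return False
    if not all(" ".join(p.split()).lower() in normalized for p in phrases):
        return False
    if any_words and not any(_has_word(w, words) for w in any_words):
        return False
    return True


def select_devices(devices, query):
    """devices: {name: description}. Returns the sorted names that match the query."""
    return sorted(name for name, desc in devices.items() if matches(desc, query))


# Constructed sample inventory for the example; not real data.
SAMPLE_DEVICES = {
    "srv-01": "Secondary Server in the branch office",
    "srv-02": "Virtual Secondary Server's host",
    "ws-07": "Windows workstation, finance",
    "ws-08": "Window cleaning kiosk, lobby",
}

if __name__ == "__main__":
    for q in ("Secondary Virtual", "+Secondary+Virtual", "+Secondary-Virtual",
              "Server*", '"Secondary Server"'):
        print(f"{q!r:25} -> {select_devices(SAMPLE_DEVICES, q)}")
```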

Tags

In the Tags section, you can configure criteria for including devices into a selection based on key words (tags) that
were previously added to the descriptions of managed devices:

Apply if at least one speci ed tag matches

If this option is enabled, the search results will show devices with descriptions that contain at least one of
the selected tags.
If this option is disabled, the search results will only show devices with descriptions that contain all the
selected tags.
By default, this option is disabled.

Tag must be included

If this option is selected, the search results will display the devices whose descriptions contain the
selected tag. To find devices, you can use the asterisk, which stands for any string with any number of
characters.
By default, this option is selected.

Tag must be excluded

If this option is selected, the search results will display the devices whose descriptions do not contain the
selected tag. To find devices, you can use the asterisk, which stands for any string with any number of
characters.

Active Directory

In the Active Directory section, you can configure criteria for including devices into a selection based on their
Active Directory data:

Device is in an Active Directory organizational unit

If this option is enabled, the selection includes devices from the Active Directory unit specified in the entry
field.
By default, this option is disabled.

Include child organizational units

If this option is enabled, the selection includes devices from all child organizational units of the specified
Active Directory organizational unit.
By default, this option is disabled.

This device is a member of an Active Directory group

If this option is enabled, the selection includes devices from the Active Directory group specified in the
entry field.
By default, this option is disabled.

Network activity

In the Network activity section, you can specify the criteria that will be used to include devices in the selection
according to their network activity:

This device is a distribution point

In the drop-down list, you can set up the criterion for including devices in the selection when performing
search:
Yes. The selection includes devices that act as distribution points.

No. Devices that act as distribution points are not included in the selection.

No value is selected. The criterion will not be applied.

Do not disconnect from the Administration Server

In the drop-down list, you can set up the criterion for including devices in the selection when performing
search:
Enabled. The selection will include devices on which the Do not disconnect from the Administration
Server check box is selected.

Disabled. The selection will include devices on which the Do not disconnect from the
Administration Server check box is cleared.

No value is selected. The criterion will not be applied.

Connection profile switched

In the drop-down list, you can set up the criterion for including devices in the selection when performing
search:
Yes. The selection will include devices that connected to the Administration Server after the
connection profile was switched.

No. The selection will not include devices that connected to the Administration Server after the
connection profile was switched.

No value is selected. The criterion will not be applied.

Last connected to Administration Server

You can use this check box to set a search criterion for devices according to the time they last connected
to the Administration Server.
If this check box is selected, in the entry fields you can specify the time interval (date and time) during
which the last connection was established between Network Agent installed on the client device and the
Administration Server. The selection will include devices that fall within the specified interval.
If this check box is cleared, the criterion will not be applied.
By default, this check box is cleared.

New devices detected by network poll

Searches for new devices that have been detected by network polling over the last few days.
If this option is enabled, the selection only includes new devices that have been detected by device
discovery over the number of days specified in the Detection period (days) field.
If this option is disabled, the selection includes all devices that have been detected by device discovery.
By default, this option is disabled.

Device is visible

In the drop-down list, you can set up the criterion for including devices in the selection when performing
search:
Yes. The application includes in the selection devices that are currently visible in the network.

No. The application includes in the selection devices that are currently invisible in the network.

No value is selected. The criterion will not be applied.

Application

In the Application section, you can con gure criteria for including devices in a selection based on the selected
managed application:

Application name

In the drop-down list, you can set a criterion for including devices in a selection when search is performed
by the name of a Kaspersky application.
The list provides only the names of applications with management plug-ins installed on the administrator's
workstation.
If no application is selected, the criterion will not be applied.

Application version

In the entry field, you can set a criterion for including devices in a selection when search is performed by
the version number of a Kaspersky application.
If no version number is specified, the criterion will not be applied.

Critical update name

In the entry field, you can set a criterion for including devices in a selection when search is performed by
application name or by update package number.
If the field is left blank, the criterion will not be applied.

Modules last updated

You can use this option to set a criterion for searching devices by time of the last update of modules of
applications installed on those devices.
If this check box is selected, in the entry fields you can specify the time interval (date and time) during
which the last update of modules of applications installed on those devices was performed.
If this check box is cleared, the criterion will not be applied.
By default, this check box is cleared.

Device is managed through Kaspersky Security Center 14

In the drop-down list, you can include in the selection the devices managed through Kaspersky Security
Center:
Yes. The application includes in the selection devices managed through Kaspersky Security Center.

No. The application includes devices in the selection if they are not managed through Kaspersky
Security Center.

No value is selected. The criterion will not be applied.

Security application is installed

In the drop-down list, you can include in the selection all devices with the security application installed:
Yes. The application includes in the selection all devices with the security application installed.

No. The application includes in the selection all devices with no security application installed.

No value is selected. The criterion will not be applied.

Operating system

In the Operating system section, you can specify the criteria that will be used to include devices in the selection
according to their operating system type.

Operating system version

If the check box is selected, you can select an operating system from the list. Devices with the specified
operating systems installed are included in the search results.

Operating system bit size

In the drop-down list, you can select the architecture for the operating system, which will determine how
the moving rule is applied to the device (Unknown, x86, AMD64, or IA64). By default, no option is selected
in the list so that the operating system's architecture is not defined.

Operating system service pack version

In this field, you can specify the package version of the operating system (in the X.Y format), which will
determine how the moving rule is applied to the device. By default, no version value is specified.

Operating system build

This setting is applicable to Windows operating systems only.

The build number of the operating system. You can specify whether the selected operating system must
have an equal, earlier, or later build number. You can also configure searching for all build numbers except
the specified one.

Operating system release ID

This setting is applicable to Windows operating systems only.

The release identifier (ID) of the operating system. You can specify whether the selected operating system
must have an equal, earlier, or later release ID. You can also configure searching for all release ID numbers
except the specified one.

Device status

In the Device status section, you can configure criteria for including devices into a selection based on the
description of the device status from a managed application:

Device status

Drop-down list in which you can select one of the device statuses: OK, Critical, or Warning.

Device status description

In this field, you can select the check boxes next to conditions that, if met, assign one of the following
statuses to the device: OK, Critical, or Warning.

Device status defined by application

Drop-down list, in which you can select the real-time protection status. Devices with the specified
real-time protection status are included in the selection.

Protection components

In the Protection components section, you can set up the criteria for including devices in a selection based on
their protection status:

Databases released

If this option is selected, you can search for client devices by anti-virus database release date. In the entry
fields you can set the time interval on the basis of which the search is performed.
By default, this option is disabled.

Last scanned

If this option is enabled, you can search for client devices by time of the last virus scan. In the entry
fields you can specify the time period within which the last virus scan was performed.
By default, this option is disabled.

Total number of threats detected

If this option is enabled, you can search for client devices by number of viruses detected. In the entry fields
you can set the lower and upper threshold values for the number of viruses found.
By default, this option is disabled.

Applications registry

In the Applications registry section, you can set up the criteria to search for devices according to applications
installed on them:
Application name

Drop-down list in which you can select an application. Devices on which the specified application is
installed are included in the selection.

Application version

Entry field in which you can specify the version of the selected application.

Vendor

Drop-down list in which you can select the manufacturer of an application installed on the device.

Application status

A drop-down list in which you can select the status of an application (Installed, Not installed). Devices on
which the specified application is installed or not installed, depending on the selected status, will be
included in the selection.

Find by update
If this option is enabled, search will be performed using the details of updates for applications installed on
the relevant devices. After you select the check box, the Application name, Application version, and
Application status fields change to Update name, Update version, and Status respectively.
By default, this option is disabled.

Incompatible security application name

Drop-down list in which you can select third-party security applications. During the search, devices on
which the specified application is installed are included in the selection.

Application tag

In the drop-down list, you can select the application tag. All devices that have installed applications with
the selected tag in the description are included in the device selection.

Apply to devices without the specified tags

If this option is enabled, the selection includes devices with descriptions that contain none of the selected
tags.

If this option is disabled, the criterion is not applied.


By default, this option is disabled.

Hardware registry

In the Hardware registry section, you can con gure criteria for including devices into a selection based on their
installed hardware:

Device

In the drop-down list, you can select a unit type. All devices with this unit are included in the search results.
The field supports full-text search.

Vendor

In the drop-down list, you can select the name of a unit manufacturer. All devices with this unit are included
in the search results.
The field supports full-text search.

Device name

Name of the device in the Windows network. The device with the specified name is included in the
selection.

Description

Description of the device or hardware unit. Devices with the description specified in this field are included
in the selection.
A device's description in any format can be entered in the properties window of that device. The field
supports full-text search.

Device vendor

Name of the device manufacturer. Devices produced by the manufacturer specified in this field are
included in the selection.
You can enter the manufacturer's name in the properties window of a device.

Serial number

All hardware units with the serial number specified in this field will be included in the selection.

Inventory number

Equipment with the inventory number specified in this field will be included in the selection.

User

All hardware units of the user specified in this field will be included in the selection.

Location

Location of the device or hardware unit (for example, at the HQ or a branch office). Computers or other
devices that are deployed at the location specified in this field will be included in the selection.
You can describe the location of a device in any format in the properties window of that device.

CPU frequency, in MHz

The frequency range of a CPU. Devices with CPUs that match the frequency range in these fields
(inclusive) will be included in the selection.

Virtual CPU cores

Range of the number of virtual cores in a CPU. Devices with CPUs that match the range in these fields
(inclusive) will be included in the selection.

Hard drive volume, in GB

Range of values for the size of the hard drive on the device. Devices with hard drives that match the range
in these entry fields (inclusive) will be included in the selection.

RAM size, in MB

Range of values for the size of the device RAM. Devices with RAM that matches the range in these entry
fields (inclusive) will be included in the selection.

Virtual machines

In the Virtual machines section, you can set up the criteria to include devices in the selection according to
whether these are virtual machines or part of virtual desktop infrastructure (VDI):

This is a virtual machine

In the drop-down list, you can select the following options:


Not important.

No. Find devices that are not virtual machines.

Yes. Find devices that are virtual machines.

Virtual machine type

In the drop-down list, you can select the virtual machine manufacturer.
This drop-down list is available if the Yes or Not important value is selected in the This is a virtual machine
drop-down list.

Part of Virtual Desktop Infrastructure

In the drop-down list, you can select the following options:


Not important.

No. Find devices that are not part of Virtual Desktop Infrastructure.

Yes. Find devices that are part of the Virtual Desktop Infrastructure (VDI).

Vulnerabilities and updates

In the Vulnerabilities and updates section, you can specify the criteria that will be used to include devices in the
selection according to their Windows Update source:

WUA is switched to Administration Server

You can select one of the following search options from the drop-down list:
Yes. If this option is selected, the search results will include devices that receive updates through
Windows Update from the Administration Server.

No. If this option is selected, the results will include devices that receive updates through Windows
Update from other sources.

Users

In the Users section, you can set up the criteria to include devices in the selection according to the accounts of
users who have logged in to the operating system.

Last user who logged in to the system

If this option is enabled, click the Browse button to specify a user account. The search results include
devices on which the specified user performed the last login to the system.

User who logged in to the system at least once

If this option is enabled, click the Browse button to specify a user account. The search results include
devices on which the specified user logged in to the system at least once.

Status-affecting problems in managed applications

In the Status-affecting problems in managed applications section, you can specify the criteria that will be used
to include devices in the selection according to the list of possible problems detected by a managed application. If
at least one problem that you select exists on a device, the device will be included in the selection. When you
select a problem listed for several applications, you have the option to select this problem in all of the lists
automatically.

Device status description

You can select check boxes for descriptions of statuses from the managed application; upon receipt of these
statuses, the devices will be included in the selection. When you select a status listed for several applications,
you have the option to select this status in all of the lists automatically.

Statuses of components in managed applications

In the Statuses of components in managed applications section, you can configure criteria for including devices
in a selection according to the statuses of components in managed applications:

Data Leakage Prevention status

Search for devices by the status of Data Leakage Prevention (No data from device, Stopped, Starting,
Paused, Running, Failed).

Collaboration servers protection status

Search for devices by the status of server collaboration protection (No data from device, Stopped,
Starting, Paused, Running, Failed).

Anti-virus protection status of mail servers

Search for devices by the status of Mail Server protection (No data from device, Stopped, Starting,
Paused, Running, Failed).

Endpoint Sensor status

Search for devices by the status of the Endpoint Sensor component (No data from device, Stopped,
Starting, Paused, Running, Failed).

Encryption

Encryption algorithm

Advanced Encryption Standard (AES) symmetric block cipher. In the drop-down list, you can select
the encryption key size (56-bit, 128-bit, 192-bit, or 256-bit).
Available values: AES56, AES128, AES192, and AES256.

Cloud segments

In the Cloud segments section, you can configure criteria for including devices in a selection according to their
respective cloud segments:

Device is in a cloud segment

If this option is enabled, you can click the Browse button to specify the segment to search.
If the Include child objects option is also enabled, the search is run on all child objects of the specified
segment.
Search results include only devices from the selected segment.

Device discovered by using the API

In the drop-down list, you can select whether a device is detected by API tools:
AWS. The device is discovered by using the AWS API, that is, the device is definitely in the AWS cloud
environment.

Azure. The device is discovered by using the Azure API, that is, the device is definitely in the Azure
cloud environment.

Google Cloud. The device is discovered by using the Google API, that is, the device is definitely in the
Google Cloud environment.

No. The device cannot be detected by using the AWS, Azure, or Google API, that is, it is either
outside the cloud environment or it is in the cloud environment but it cannot be detected by using an
API.

No value. This condition does not apply.

Application components

This section contains the list of components of those applications that have corresponding management
plug-ins installed in Administration Console.

In the Application components section, you can specify criteria for including devices in a selection according to
the statuses and version numbers of the components that refer to the application that you select:

Status

Search for devices according to the component status sent by an application to the Administration Server.
You can select one of the following statuses: No data from device, Stopped, Starting, Paused, Running,
Malfunction, or Not installed. If the selected component of the application installed on a managed device
has the specified status, the device is included in the device selection.

Statuses sent by applications:

Starting—The component is currently in the process of initialization.

Running—The component is enabled and working properly.

Paused—The component is suspended, for example, after the user has paused protection in the
managed application.

Malfunction—An error has occurred during the component operation.

Stopped—The component is disabled and not working at the moment.

Not installed—The user did not select the component for installation when configuring custom
installation of the application.

Unlike other statuses, the No data from device status is not sent by applications. This option shows that
the applications have no information about the selected component status. For example, this can happen
when the selected component does not belong to any of the applications installed on the device, or when
the device is turned off.

Version

Search for devices according to the version number of the component that you select in the list. You can
type a version number, for example 3.4.1.0, and then specify whether the selected component must
have an equal, earlier, or later version. You can also configure searching for all versions except the specified
one.
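To make the selection criteria above concrete, here is an added Python example (it is not code from the Kaspersky documentation or product) that evaluates a selection over a constructed inventory. The Device and Selection classes, the field names, the inventory records and the relation name "except" are assumptions made for the illustration; the matching rules themselves follow the section: numeric ranges are inclusive at both ends, "Not important" is a third state that disables a criterion, the virtual machine type is only considered when "This is a virtual machine" is Yes or Not important, a component the device reports nothing about has the "No data from device" status, and a component version can be matched as equal, earlier, later, or all versions except the specified one.

```python
"""Evaluate device-selection criteria over a small inventory.

Added example (not Kaspersky code): the record layout, field names and the way the
criteria are encoded are assumptions made for this illustration.
"""
from __future__ import annotations

from dataclasses import dataclass, field
from typing import Optional


def parse_version(text: str) -> list[int]:
    """Split a dotted version such as '3.4.1.0' into integer parts."""
    return [int(part) for part in text.strip().split(".")]


def compare_versions(left: str, right: str) -> int:
    """Return -1, 0 or 1; shorter versions are zero-padded so '3.4.1' equals '3.4.1.0'."""
    a, b = parse_version(left), parse_version(right)
    width = max(len(a), len(b))
    a += [0] * (width - len(a))
    b += [0] * (width - len(b))
    return (a > b) - (a < b)


def version_matches(actual: str, wanted: str, relation: str) -> bool:
    """relation: 'equal', 'earlier', 'later' or 'except' (all versions but the specified one)."""
    order = compare_versions(actual, wanted)
    return {"equal": order == 0, "earlier": order < 0, "later": order > 0, "except": order != 0}[relation]


@dataclass
class Device:
    name: str
    cpu_mhz: int
    ram_mb: int
    is_vm: bool
    vm_type: Optional[str] = None            # manufacturer; None when not a virtual machine
    wua_from_admin_server: bool = False      # Windows Update Agent switched to Administration Server
    components: dict[str, tuple[str, str]] = field(default_factory=dict)  # name -> (status, version)


@dataclass
class Selection:
    """None means the criterion is not set (the 'Not important' drop-down value)."""
    cpu_mhz: Optional[tuple[int, int]] = None
    ram_mb: Optional[tuple[int, int]] = None
    is_vm: Optional[bool] = None
    vm_type: Optional[str] = None
    wua_from_admin_server: Optional[bool] = None
    component: Optional[str] = None
    component_status: Optional[str] = None
    component_version: Optional[tuple[str, str]] = None  # (version, relation)


def in_range(value: int, bounds: tuple[int, int]) -> bool:
    low, high = bounds
    return low <= value <= high  # both ends inclusive, as the section states


def matches(device: Device, sel: Selection) -> bool:
    if sel.cpu_mhz is not None and not in_range(device.cpu_mhz, sel.cpu_mhz):
        return False
    if sel.ram_mb is not None and not in_range(device.ram_mb, sel.ram_mb):
        return False
    if sel.is_vm is not None and device.is_vm != sel.is_vm:
        return False
    if sel.vm_type is not None:
        # The manufacturer list is only offered when "This is a virtual machine" is Yes or Not important.
        if sel.is_vm is False or device.vm_type != sel.vm_type:
            return False
    if sel.wua_from_admin_server is not None and device.wua_from_admin_server != sel.wua_from_admin_server:
        return False
    if sel.component is not None:
        # A component the device knows nothing about reports "No data from device" and no version.
        status, version = device.components.get(sel.component, ("No data from device", ""))
        if sel.component_status is not None and status != sel.component_status:
            return False
        if sel.component_version is not None:
            wanted, relation = sel.component_version
            if not version or not version_matches(version, wanted, relation):
                return False
    return True


def run_selection(devices: list[Device], sel: Selection) -> list[str]:
    """Names of the devices that satisfy every criterion that is set."""
    return [d.name for d in devices if matches(d, sel)]


# Constructed inventory for the example (component name and versions are sample values).
INVENTORY = [
    Device("ws-01", 2400, 8192, False, wua_from_admin_server=True,
           components={"Firewall": ("Running", "3.4.1.0")}),
    Device("vdi-07", 2000, 4096, True, vm_type="VMware",
           components={"Firewall": ("Stopped", "3.4.0.2")}),
    Device("srv-02", 3200, 32768, True, vm_type="Hyper-V", wua_from_admin_server=True),
]

if __name__ == "__main__":
    print(run_selection(INVENTORY, Selection(cpu_mhz=(2000, 2400))))
    print(run_selection(INVENTORY, Selection(component="Firewall", component_version=("3.4.1.0", "earlier"))))
```

The zero-padding in compare_versions is the detail worth copying: a naive string or tuple comparison treats 3.4.1 and 3.4.1.0 as different versions, which would make an "equal" criterion silently miss devices.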

Exporting the settings of a device selection to a file


To export the settings of a device selection to a text file:

1. In the console tree, select the Device selections folder.

2. In the workspace, on the Selection tab, click the relevant device selection in the list of user selections.

Settings can be exported only from the device selections created by a user.

3. Click the Run selection button.

4. On the Selection results tab, click the Export settings button.

5. In the Save as window that opens, specify a name for the selection settings export file, select a folder to save
it to, and click the Save button.

The settings of the device selection will be saved to the specified file.

Creating a device selection


To create a device selection:

1. In the console tree, select the Device selections folder.

2. In the workspace of the folder, click Advanced and select the Create a selection in the drop-down list.

3. In the New device selection window that opens, enter the name of the new selection and click OK.

A new folder with the name you entered will appear in the console tree in the Device selections folder. By
default, the new device selection contains all devices included in administration groups of the Administration
Server on which the selection was created. To cause a selection to display only the devices you are particularly
interested in, configure the selection by clicking the Selection properties button.

Creating a device selection according to imported settings


To create a device selection according to imported settings:

1. In the console tree, select the Device selections folder.

2. In the workspace of the folder, click the Advanced button and select Import selection from file in the
drop-down list.

3. In the window that opens, specify the path to the file from which you want to import the selection settings.
Click the Open button.

A New selection entry is created in the Device selections folder. The settings of the new selection are
imported from the file that you specified.

If a selection named New selection already exists in the Device selections folder, an index in (<next sequence
number>) format is added to the name of the created selection, for example: (1), (2).

Removing devices from administration groups in a selection


When working with a device selection, you can remove devices from administration groups right in this selection,
without switching to the administration groups from which these devices must be removed.

To remove devices from administration groups:

1. In the console tree, select the Device selections folder.

2. Select the devices that you want to remove by using the Shift or Ctrl keys.

3. Remove the selected devices from administration groups in one of the following ways:

Select Delete in the context menu of any of the selected devices.

Click the Perform action button and select Remove from group in the drop-down list.

The selected devices are removed from their respective administration groups.

Monitoring of applications installation and uninstallation


You can monitor installation and uninstallation of specific applications on managed devices (for example, a specific
browser). To use this function, you can add applications from the Application registry to the list of monitored
applications. When a monitored application is installed or uninstalled, Network Agent publishes respective events:
Monitored application has been installed or Monitored application has been uninstalled. You can monitor these
events using, for example, event selections or reports.

You can monitor these events only if they are stored in the Administration Server database.

To add an application to the list of monitored applications:

1. In the Advanced → Application management folder in the console tree, select the Applications registry
subfolder.

2. Above the list of applications that is displayed, click the Show applications registry properties window button.

3. In the Monitored Applications window that opens, click the Add button.

4. In the Select application name window that opens, select the applications from the Application registry
whose installation or uninstallation you want to monitor.

5. In the Select application name window, click the OK button.

After you have configured the list of monitored applications, and a monitored application is installed or
uninstalled on managed devices in your organization, you can monitor the respective events, for example using
the Recent events event selection.

Event types
Each Kaspersky Security Center component has its own set of event types. This section lists types of events that
occur in Kaspersky Security Center Administration Server, Network Agent, iOS MDM Server, and Exchange Mobile
Device Server. Types of events that occur in Kaspersky applications are not listed in this section.

Data structure of event type description


For each event type, its display name, identifier (ID), alphabetic code, description, and the default storage term are
provided.

Event type display name. This text is displayed in Kaspersky Security Center when you configure events and
when they occur.

Event type ID. This numerical code is used when you process events by using third-party tools for event
analysis.

Event type (alphabetic code). This code is used when you browse and process events by using public views
that are provided in the Kaspersky Security Center database and when events are exported to a SIEM system.

Description. This text contains the situations when an event occurs and what you can do in such a case.

Default storage term. This is the number of days during which the event is stored in the Administration Server
database and is displayed in the list of events on Administration Server. After this period elapses, the event is
deleted. If the event storage term value is 0, such events are detected but are not displayed in the list of events
on Administration Server. If you configured to save such events to the operating system event log, you can find
them there.
You can change the storage term for events:

Administration Console: Setting the storage term for an event

Kaspersky Security Center Web Console: Setting the storage term for an event

Other data may include the following elds:

event_id: unique number of the event in the database, generated and assigned automatically; not to be
confused with Event type ID.

task_id: the ID of the task that caused the event (if any)

severity: one of the following severity levels (in the ascending order of severity):
0) Invalid severity level
1) Info
2) Warning
3) Error
4) Critical

Administration Server events


This section contains information about the events related to the Administration Server.

Administration Server critical events


The table below shows the event types of Kaspersky Security Center Administration Server that have the Critical
importance level.
Administration Server critical events

Event type display name: License limit has been exceeded
Event type ID: 4099
Event type (alphabetic code): KLSRV_EV_LICENSE_CHECK_MORE_110
Default storage term: 180 days
Description: Once a day Kaspersky Security Center checks whether a licensing restriction is exceeded. Events of this type occur when Administration Server detects that some licensing limits are exceeded by Kaspersky applications installed on client devices and if the number of currently used licensing units covered by a single license exceeds 110% of the total number of units covered by the license. Even when this event occurs, client devices are protected.
You can respond to the event in the following ways:
Look through the managed devices list. Delete devices that are not in use.
Provide a license for more devices (add a valid activation code or a key file to Administration Server).
Kaspersky Security Center determines the rules to generate events when a licensing restriction is exceeded.

Event type display name: Virus outbreak
Event type ID: 26 (for File Threat Protection)
Event type (alphabetic code): GNRL_EV_VIRUS_OUTBREAK
Default storage term: 180 days
Description: Events of this type occur when the number of malicious objects detected on several managed devices exceeds the threshold within a short period of time.
You can respond to the event in the following ways:
Configure the threshold in the Administration Server properties.
Create a stricter policy that will be activated, or create a task that will be run, at the occurrence of this event.

Event type display name: Virus outbreak
Event type ID: 27 (for Mail Threat Protection)
Event type (alphabetic code): GNRL_EV_VIRUS_OUTBREAK
Default storage term: 180 days
Description: Events of this type occur when the number of malicious objects detected on several managed devices exceeds the threshold within a short period of time.
You can respond to the event in the following ways:
Configure the threshold in the Administration Server properties.
Create a stricter policy that will be activated, or create a task that will be run, at the occurrence of this event.

Event type display name: Virus outbreak
Event type ID: 28 (for Firewall)
Event type (alphabetic code): GNRL_EV_VIRUS_OUTBREAK
Default storage term: 180 days
Description: Events of this type occur when the number of malicious objects detected on several managed devices exceeds the threshold within a short period of time.
You can respond to the event in the following ways:
Configure the threshold in the Administration Server properties.
Create a stricter policy that will be activated, or create a task that will be run, at the occurrence of this event.

Event type display name: Device has become unmanaged
Event type ID: 4111
Event type (alphabetic code): KLSRV_HOST_OUT_CONTROL
Default storage term: 180 days
Description: Events of this type occur if a managed device is visible on the network but has not connected to Administration Server for a specific period of time. Find out what prevents the proper functioning of Network Agent on the device. Possible causes include network issues and removal of Network Agent from the device.

Event type display name: Device status is Critical
Event type ID: 4113
Event type (alphabetic code): KLSRV_HOST_STATUS_CRITICAL
Default storage term: 180 days
Description: Events of this type occur when a managed device is assigned the Critical status. You can configure the conditions under which the device status is changed to Critical.

Event type display name: The key file has been added to the denylist
Event type ID: 4124
Event type (alphabetic code): KLSRV_LICENSE_BLACKLISTED
Default storage term: 180 days
Description: Events of this type occur when Kaspersky has added the activation code or key file that you use to the denylist. Contact Technical Support for more details.

Event type display name: Limited functionality mode
Event type ID: 4130
Event type (alphabetic code): KLSRV_EV_LICENSE_SRV_LIMITED_MODE
Default storage term: 180 days
Description: Events of this type occur when Kaspersky Security Center starts to operate with basic functionality, without Vulnerability and Patch Management and without Mobile Device Management features. Following are causes of, and appropriate responses to, the event:
License term has expired. Provide a license to use the full functionality mode of Kaspersky Security Center (add a valid activation code or a key file to Administration Server).
Administration Server manages more devices than specified by the license limit. Move devices from the administration groups of an Administration Server to those of another Administration Server (if the license limit of the other Administration Server allows).

Event type display name: License expires soon
Event type ID: 4129
Event type (alphabetic code): KLSRV_EV_LICENSE_SRV_EXPIRE_SOON
Default storage term: 180 days
Description: Events of this type occur when the commercial license expiration date is approaching. Once a day Kaspersky Security Center checks whether a license expiration date is approaching. Events of this type are published 30 days, 15 days, 5 days and 1 day before the license expiration date. You cannot change the number of days. If the Administration Server is turned off on the specified day before the license expiration date, the event will not be published until the next day. When the commercial license expires, Kaspersky Security Center provides only basic functionality.
You can respond to the event in the following ways:
Make sure that a reserve license key is added to Administration Server.
If you use a subscription, make sure to renew it. An unlimited subscription is renewed automatically if it has been prepaid to the service provider by the due date.

Event type display name: Certificate has expired
Event type ID: 4132
Event type (alphabetic code): KLSRV_CERTIFICATE_EXPIRED
Default storage term: 180 days
Description: Events of this type occur when the Administration Server certificate for Mobile Device Management expires. You need to update the expired certificate. You can configure automatic updates of certificates by selecting the Reissue certificate automatically if possible check box in the certificate issuance settings.

Event type display name: Updates for Kaspersky software modules have been revoked
Event type ID: 4142
Event type (alphabetic code): KLSRV_SEAMLESS_UPDATE_REVOKED
Default storage term: 180 days
Description: Events of this type occur if seamless updates have been revoked (Revoked status is displayed for these updates) by Kaspersky technical specialists; for example, they must be updated to a newer version. The event concerns Kaspersky Security Center patches and does not concern modules of managed Kaspersky applications. The event provides the reason that the seamless updates are not installed.
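The fields described under "Data structure of event type description" are what a third-party tool sees once events are exported, and the table above supplies the identifiers for the critical types. The following added Python example (not Kaspersky code) consumes such an export: it deduplicates on event_id, rejects records whose severity is not one of levels 1 to 4, checks that the numeric event type ID is one the alphabetic code can carry (a Virus outbreak, for example, may be 26, 27 or 28), and computes the date after which the default 180-day storage term would purge each event. The one-JSON-object-per-line layout, the "time" and "host" fields, and the sample records are assumptions constructed for the example; the codes, IDs and storage term are the ones listed in the table.

```python
"""Triage of Administration Server events exported for SIEM processing.

Added example (not Kaspersky code). The JSON-lines export layout, the "time" and "host"
fields and the sample records below are constructed for this illustration.
"""
import json
from datetime import datetime, timedelta, timezone

# Severity levels in ascending order, as listed in the section; 0 is not a usable level.
SEVERITY = {0: "Invalid severity level", 1: "Info", 2: "Warning", 3: "Error", 4: "Critical"}

# Critical event types from the table: alphabetic code -> numeric event type IDs it may carry.
CRITICAL_TYPES = {
    "KLSRV_EV_LICENSE_CHECK_MORE_110": {4099},
    "GNRL_EV_VIRUS_OUTBREAK": {26, 27, 28},  # File Threat Protection, Mail Threat Protection, Firewall
    "KLSRV_HOST_OUT_CONTROL": {4111},
    "KLSRV_HOST_STATUS_CRITICAL": {4113},
    "KLSRV_LICENSE_BLACKLISTED": {4124},
    "KLSRV_EV_LICENSE_SRV_LIMITED_MODE": {4130},
    "KLSRV_EV_LICENSE_SRV_EXPIRE_SOON": {4129},
    "KLSRV_CERTIFICATE_EXPIRED": {4132},
    "KLSRV_SEAMLESS_UPDATE_REVOKED": {4142},
}
CRITICAL_STORAGE_DAYS = 180  # default storage term shared by every row of the critical events table


def parse_time(text: str) -> datetime:
    """Parse an ISO 8601 timestamp; a trailing 'Z' is accepted on every Python 3 version."""
    return datetime.fromisoformat(text.replace("Z", "+00:00"))


def triage(lines, now):
    """Validate and normalise exported events.

    Returns (accepted, rejected). Each accepted record carries the decoded severity name
    and the date after which Administration Server would purge the event under the
    default storage term; rejected is a list of (event_id, reason) pairs.
    """
    seen, accepted, rejected = set(), [], []
    for line in lines:
        rec = json.loads(line)
        eid = rec["event_id"]
        if eid in seen:  # event_id is unique in the database, so a repeat is an export artifact
            rejected.append((eid, "duplicate event_id"))
            continue
        seen.add(eid)
        sev = rec.get("severity")
        if sev not in SEVERITY or sev == 0:
            rejected.append((eid, "invalid severity level"))
            continue
        code, type_id = rec.get("event_type"), rec.get("event_type_id")
        if code in CRITICAL_TYPES and type_id not in CRITICAL_TYPES[code]:
            rejected.append((eid, "event_type_id does not match event_type"))
            continue
        occurred = parse_time(rec["time"])
        purge_after = occurred + timedelta(days=CRITICAL_STORAGE_DAYS)
        accepted.append({
            "event_id": eid,
            "task_id": rec.get("task_id"),  # None when no task caused the event
            "severity": SEVERITY[sev],
            "event_type": code,
            "event_type_id": type_id,
            "host": rec.get("host"),
            "purge_after": purge_after,
            "still_stored": now < purge_after,
        })
    return accepted, rejected


def critical_counts(accepted):
    """Number of accepted events per critical event type code."""
    counts = {}
    for ev in accepted:
        if ev["event_type"] in CRITICAL_TYPES:
            counts[ev["event_type"]] = counts.get(ev["event_type"], 0) + 1
    return counts


# Constructed sample export: one JSON object per line (includes a duplicate, a bad severity and an ID mismatch).
SAMPLE_EXPORT = [
    '{"event_id": 1001, "task_id": null, "severity": 4, "event_type_id": 4111, "event_type": "KLSRV_HOST_OUT_CONTROL", "time": "2023-05-01T08:00:00Z", "host": "ws-01"}',
    '{"event_id": 1002, "task_id": 17, "severity": 4, "event_type_id": 27, "event_type": "GNRL_EV_VIRUS_OUTBREAK", "time": "2023-08-20T14:30:00Z", "host": "ws-02"}',
    '{"event_id": 1001, "task_id": null, "severity": 4, "event_type_id": 4111, "event_type": "KLSRV_HOST_OUT_CONTROL", "time": "2023-05-01T08:00:00Z", "host": "ws-01"}',
    '{"event_id": 1003, "task_id": null, "severity": 0, "event_type_id": 4132, "event_type": "KLSRV_CERTIFICATE_EXPIRED", "time": "2023-08-21T09:00:00Z", "host": "mdm-01"}',
    '{"event_id": 1004, "task_id": null, "severity": 4, "event_type_id": 4099, "event_type": "GNRL_EV_VIRUS_OUTBREAK", "time": "2023-08-22T09:00:00Z", "host": "ws-03"}',
]
NOW = datetime(2023, 9, 1, tzinfo=timezone.utc)  # constructed "current" time for the example

if __name__ == "__main__":
    ok, bad = triage(SAMPLE_EXPORT, NOW)
    for ev in ok:
        print(ev["event_id"], ev["severity"], ev["event_type"], "purge after", ev["purge_after"].date())
    for eid, reason in bad:
        print("rejected", eid, reason)
    print(critical_counts(ok))
```

The ID-versus-code check is the part worth keeping in a real pipeline: the numeric ID is what third-party tools key on, the alphabetic code is what the database views and SIEM export carry, and a record where the two disagree should be quarantined rather than counted.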

Administration Server functional failure events


The table below shows the event types of Kaspersky Security Center Administration Server that have the
Functional failure importance level.

For each event that can be generated by an application, you can specify notification settings and storage settings
on the Event configuration tab in the application policy. For Administration Server, you can additionally view and
configure the event list in the Administration Server properties. If you want to configure notification settings for all
the events at once, configure general notification settings in the Administration Server properties.

Administration Server functional failure events

Event type display name: Runtime error
Event type ID: 4125
Event type (alphabetic code): KLSRV_RUNTIME_ERROR
Default storage term: 180 days
Description: Events of this type occur because of unknown issues. Most often these are DBMS issues, network issues, and other software and hardware issues. Details of the event can be found in the event description.

Event type display name: Limit of installations has been exceeded for one of the licensed applications groups
Event type ID: 4126
Event type (alphabetic code): KLSRV_INVLICPROD_EXCEDED
Default storage term: 180 days
Description: Administration Server generates events of this type periodically (every hour). Events of this type occur if in Kaspersky Security Center you manage license keys of third-party applications and if the number of installations has exceeded the limit set by the license key of the third-party application.
You can respond to the event in the following ways:
Look through the managed devices list. Delete the third-party application from devices on which the application is not in use.
Use a third-party license for more devices.
You can manage license keys of third-party applications using the functionality of licensed applications groups. A licensed applications group includes third-party applications that meet criteria set by you.

Event type display name: Failed to poll the cloud segment
Event type ID: 4143
Event type (alphabetic code): KLSRV_KLCLOUD_SCAN_ERROR
Default storage term: Not stored
Description: Events of this type occur when Administration Server fails to poll a network segment in a cloud environment. Read the details in the event description and respond accordingly.

Event type display name: Failed to copy the updates to the specified folder
Event type ID: 4123
Event type (alphabetic code): KLSRV_UPD_REPL_FAIL
Default storage term: 180 days
Description: Events of this type occur when software updates are copied to an additional shared folder(s).
You can respond to the event in the following ways:
Check whether the user account that is employed to gain access to the folder(s) has write permission.
Check whether a user name and/or a password to the folder(s) changed.
Check the internet connection, as it might be the cause of the event. Follow the instructions to update databases and software modules.

Event type display name: No free disk space
Event type ID: 4107
Event type (alphabetic code): KLSRV_DISK_FULL
Default storage term: 180 days
Description: Events of this type occur when the hard drive of the device on which Administration Server is installed runs out of free space. Free up disk space on the device.

Event type display name: Shared folder is not available
Event type ID: 4108
Event type (alphabetic code): KLSRV_SHARED_FOLDER_UNAVAILABLE
Default storage term: 180 days
Description: Events of this type occur if the shared folder of Administration Server is not available.
You can respond to the event in the following ways:
Check whether the Administration Server (where the shared folder is located) is turned on and available.
Check whether a user name and/or a password to the folder is/are changed.
Check the network connection.

Event type display name: The Administration Server database is unavailable
Event type ID: 4109
Event type (alphabetic code): KLSRV_DATABASE_UNAVAILABLE
Default storage term: 180 days
Description: Events of this type occur if the Administration Server database becomes unavailable.
You can respond to the event in the following ways:
Check whether the remote server that has SQL Server installed is available.
View the DBMS logs to discover the reason for Administration Server database unavailability. For example, because of preventive maintenance a remote server with SQL Server installed might be unavailable.

Event type display name: No free space in the Administration Server database
Event type ID: 4110
Event type (alphabetic code): KLSRV_DATABASE_FULL
Default storage term: 180 days
Description: Events of this type occur when there is no free space in the Administration Server database. Administration Server does not function when its database has reached its capacity and when further recording to the database is not possible. Following are the causes of this event, depending on the DBMS that you use, and appropriate responses to the event:
You use the SQL Server Express Edition DBMS: In the SQL Server Express documentation, review the database size limit for the version you use. Probably your Administration Server database has exceeded the database size limit. Limit the number of events to store in the Administration Server database. In the Administration Server database there are too many events sent by the Application Control component. You can change the settings of the Kaspersky Endpoint Security for Windows policy relating to Application Control event storage in the Administration Server database.
You use a DBMS other than SQL Server Express Edition: Do not limit the number of events to store in the Administration Server database. Reduce the list of events to store in the Administration Server database. Review the information on DBMS selection.
Administration Server warning events


The table below shows the events of Kaspersky Security Center Administration Server that have the Warning
importance level.

For each event that can be generated by an application, you can specify notification settings and storage settings
on the Event configuration tab in the application policy. For Administration Server, you can additionally view and
configure the event list in the Administration Server properties. If you want to configure notification settings for all
the events at once, configure general notification settings in the Administration Server properties.

Administration Server warning events

Event type display name: A frequent event has been detected
Event type (alphabetic code): KLSRV_EVENT_SPAM_EVENTS_DETECTED
Default storage term: 90 days
Description: Events of this type occur when Administration Server detects a frequent event on a managed device. Refer to the following section for details: Blocking frequent events.

Event type display name: License limit has been exceeded
Event type ID: 4098
Event type (alphabetic code): KLSRV_EV_LICENSE_CHECK_100_110
Default storage term: 90 days
Description: Once a day Kaspersky Security Center checks whether a licensing restriction is exceeded. Events of this type occur when Administration Server detects that some licensing limits are exceeded by Kaspersky applications installed on client devices and if the number of currently used licensing units covered by a single license constitutes 100% to 110% of the total number of units covered by the license. Even when this event occurs, client devices are protected.
You can respond to the event in the following ways:
Look through the managed devices list. Delete devices that are not in use.
Provide a license for more devices (add a valid activation code or a key file to Administration Server).
Kaspersky Security Center determines the rules to generate events when a licensing restriction is exceeded.

Event type display name: Device has remained inactive on the network for a long time
Event type ID: 4103
Event type (alphabetic code): KLSRV_EVENT_HOSTS_NOT_VISIBLE
Default storage term: 90 days
Description: Events of this type occur when a managed device shows inactivity for some time. Most often, this happens when a managed device is decommissioned.
You can respond to the event in the following ways:
Manually remove the device from the list of managed devices.
Specify the time interval after which the Device has remained inactive on the network for a long time event is created by using Administration Console or by using Kaspersky Security Center Web Console.
Specify the time interval after which the device is automatically removed from the group by using Administration Console or by using Kaspersky Security Center Web Console.

Event type display name: Conflict of device names
Event type ID: 4102
Event type (alphabetic code): KLSRV_EVENT_HOSTS_CONFLICT
Default storage term: 90 days
Description: Events of this type occur when Administration Server considers two or more managed devices as a single device. Most often this happens when a cloned hard drive was used for software deployment on managed devices without switching the Network Agent to the dedicated disk cloning mode on a reference device. To avoid this issue, switch Network Agent to the disk cloning mode on a reference device before cloning the hard drive of this device.

Event type display name: Device status is Warning
Event type ID: 4114
Event type (alphabetic code): KLSRV_HOST_STATUS_WARNING
Default storage term: 90 days
Description: Events of this type occur when a managed device is assigned the Warning status. You can configure the conditions under which the device status is changed to Warning.

Event type display name: Limit of installations will soon be exceeded for one of the licensed applications groups
Event type ID: 4127
Event type (alphabetic code): KLSRV_INVLICPROD_FILLED
Default storage term: 90 days
Description: Events of this type occur when the number of installations for third-party applications included in a licensed applications group reaches 90% of the maximum allowed value specified in the license key properties.
You can respond to the event in the following ways:
If the third-party application is not in use on some of the managed devices, delete the application from these devices.
If you expect that the number of installations for the third-party application will exceed the allowed maximum in the near future, consider obtaining a third-party license for a greater number of devices in advance.
You can manage license keys of third-party applications using the functionality of licensed applications groups.

Event type display name: Certificate has been requested
Event type ID: 4133
Event type (alphabetic code): KLSRV_CERTIFICATE_REQUESTED
Default storage term: 90 days
Description: Events of this type occur when a certificate for Mobile Device Management fails to be automatically reissued. Following might be the causes and appropriate responses to the event:
Automatic reissue was initiated for a certificate for which the Reissue certificate automatically if possible option is disabled. This might be due to an error that occurred during creation of the certificate. Manual reissue of the certificate might be required.
If you use an integration with a public key infrastructure, the cause might be a missing SAM-Account-Name attribute of the account used for integration with PKI and for issuance of the certificate. Review the account properties.

Event type display name: Certificate has been removed
Event type ID: 4134
Event type (alphabetic code): KLSRV_CERTIFICATE_REMOVED
Default storage term: 90 days
Description: Events of this type occur when an administrator removes any type of certificate (General, Mail, VPN) for Mobile Device Management. After removing a certificate, mobile devices connected via this certificate will fail to connect to Administration Server. This event might be helpful when investigating malfunctions associated with the management of mobile devices.

Event type display name: APNs certificate has expired
Event type ID: 4135
Event type (alphabetic code): KLSRV_APN_CERTIFICATE_EXPIRED
Default storage term: Not stored
Description: Events of this type occur when an APNs certificate expires. You need to manually renew the APNs certificate and install it on an iOS MDM Server.

Event type display name: APNs certificate expires soon
Event type ID: 4136
Event type (alphabetic code): KLSRV_APN_CERTIFICATE_EXPIRES_SOON
Default storage term: Not stored
Description: Events of this type occur when there are fewer than 14 days left before the APNs certificate expires. When the APNs certificate expires, you need to manually renew the APNs certificate and install it on an iOS MDM Server. We recommend that you schedule the APNs certificate renewal in advance of the expiration date.

Event type display name: Failed to send the FCM message to the mobile device
Event type ID: 4138
Event type (alphabetic code): KLSRV_GCM_DEVICE_ERROR
Default storage term: 90 days
Description: Events of this type occur when Mobile Device Management is configured to use Google Firebase Cloud Messaging (FCM) for connecting to managed mobile devices with an Android operating system and FCM Server fails to handle some of the requests received from Administration Server. It means that some of the managed mobile devices will not receive a push notification. Read the HTTP code in the details of the event description and respond accordingly. For more information on the HTTP codes received from FCM Server and related errors, please refer to the Google Firebase service documentation (see chapter "Downstream message error response codes").

Event type display name: HTTP error sending the FCM message to the FCM server
Event type ID: 4139
Event type (alphabetic code): KLSRV_GCM_HTTP_ERROR
Default storage term: 90 days
Description: Events of this type occur when Mobile Device Management is configured to use Google Firebase Cloud Messaging (FCM) for connecting managed mobile devices with the Android operating system and FCM Server returns to the Administration Server a response with an HTTP code other than 200 (OK). Following might be the causes and appropriate responses to the event:
Problems on the FCM server side. Read the HTTP code in the details of the event description and respond accordingly. For more information on the HTTP codes received from FCM Server and related errors, please refer to the Google Firebase service documentation (see chapter "Downstream message error response codes").
Problems on the proxy server side (if you use a proxy server). Read the HTTP code in the details of the event description and respond accordingly.

Event type display name: Failed to send the FCM message to the FCM server
Event type ID: 4140
Event type (alphabetic code): KLSRV_GCM_GENERAL_ERROR
Default storage term: 90 days
Description: Events of this type occur due to unexpected errors on the Administration Server side when working with the Google Firebase Cloud Messaging HTTP protocol. Read the details in the event description and respond accordingly. If you cannot find the solution to an issue on your own, we recommend that you contact Kaspersky Technical Support.

Event type display name: Little free space on the hard drive
Event type ID: 4105
Event type (alphabetic code): KLSRV_NO_SPACE_ON_VOLUMES
Default storage term: 90 days
Description: Events of this type occur when the hard drive of the device on which Administration Server is installed almost runs out of free space. Free up disk space on the device.

Event type display name: Little free space in the Administration Server database
Event type ID: 4106
Event type (alphabetic code): KLSRV_NO_SPACE_IN_DATABASE
Default storage term: 90 days
Description: Events of this type occur if space in the Administration Server database is too limited. If you do not remedy the situation, soon the Administration Server database will reach its capacity and Administration Server will not function. Following are the causes of this event, depending on the DBMS that you use, and the appropriate responses to the event.
You use the SQL Server Express Edition DBMS: In the SQL Server Express documentation, review the database size limit for the version you use. Probably your Administration Server database is about to reach the database size limit. Limit the number of events to store in the Administration Server database. In the Administration Server database there are too many events sent by the Application Control component. You can change the settings of the Kaspersky Endpoint Security for Windows policy relating to Application Control event storage in the Administration Server database.
You use a DBMS
other than SQL
Server Express
Edition:

Do not limit the


number of events to
store in the
Administration
Server database

Reduce the list of


events to store in
the Administration
Server database

Review the information


on DBMS selection.

Connection to 4116 KLSRV_EV_SLAVE_SRV_DISCONNECTED Events of this type 90


the secondary occur when a days
Administration connection to the
Server has secondary
been Administration Server
interrupted is interrupted.
Read the Kaspersky
Event Log on the
device where the
secondary
Administration Server
is installed and respond
accordingly.

Connection to 4118 KLSRV_EV_MASTER_SRV_DISCONNECTED Events of this type 90


the primary occur when a days
Administration connection to the
Server has primary Administration
been Server is interrupted.
interrupted Read the Kaspersky
Event Log on the
device where the
primary Administration
Server is installed and
respond accordingly.

New updates 4141 KLSRV_SEAMLESS_UPDATE_REGISTERED Events of this type 90


for Kaspersky occur when days
software Administration Server
modules have registers new updates
607
been for the Kaspersky
registered software installed on
managed devices that
require approval to be
installed.
Approve or decline the
updates by using
Administration Console
or using Kaspersky
Security Center Web
Console.

The limit on 4145 KLSRV_EVP_DB_TRUNCATING Events of this type Not


the number of occur when deletion of stored
events in the old events from the
database is Administration Server
exceeded, database has started
deletion of after the
events has Administration Server
started database capacity is
reached.
You can respond to the
event in the following
ways:
Change the
maximum number of
events stored in the
Administration
Server database

Reduce the list of


events to store in
the Administration
Server database

The limit on 4146 KLSRV_EVP_DB_TRUNCATED Events of this type Not


the number of occur when old events stored
events in the have been deleted
database is from the
exceeded, the Administration Server
events have database after the
been deleted Administration Server
database capacity is
reached.
You can respond to the
event in the following
ways:
Change the allowed
maximum number of
events to be stored
in the
Administration
Server database

Reduce the list of


events to store in

608
the Administration
Server database

Administration Server informational events

The table below shows the events of Kaspersky Security Center Administration Server that have the Info importance level.

Administration Server informational events

Event type display name | Event type ID | Event type | Default storage term
Over 90% of the license key is used up | 4097 | KLSRV_EV_LICENSE_CHECK_90 | 30 days
New device has been detected | 4100 | KLSRV_EVENT_HOSTS_NEW_DETECTED | 30 days
Device has been automatically added to the group | 4101 | KLSRV_EVENT_HOSTS_NEW_REDIRECTED | 30 days
Device has been removed from the group: inactive on the network for a long time | 4104 | KLSRV_INVISIBLE_HOSTS_REMOVED | 30 days
Limit of installations will soon be exceeded (more than 95% is used up) for one of the licensed applications groups | 4128 | KLSRV_INVLICPROD_EXPIRED_SOON | 30 days
Files have been found to send to Kaspersky for analysis | 4131 | KLSRV_APS_FILE_APPEARED | 30 days
FCM Instance ID has changed on this mobile device | 4137 | KLSRV_GCM_DEVICE_REGID_CHANGED | 30 days
Updates have been successfully copied to the specified folder | 4122 | KLSRV_UPD_REPL_OK | 30 days
Connection to the secondary Administration Server has been established | 4115 | KLSRV_EV_SLAVE_SRV_CONNECTED | 30 days
Connection to the primary Administration Server has been established | 4117 | KLSRV_EV_MASTER_SRV_CONNECTED | 30 days
Databases have been updated | 4144 | KLSRV_UPD_BASES_UPDATED | 30 days
Audit: Connection to the Administration Server has been established | 4147 | KLAUD_EV_SERVERCONNECT | 30 days
Audit: Object has been modified | 4148 | KLAUD_EV_OBJECTMODIFY | 30 days
    Remarks: This event tracks changes in the following objects: Administration group; Security group; User; Package; Task; Policy; Server; Virtual server.
Audit: Object status has changed | 4150 | KLAUD_EV_TASK_STATE_CHANGED | 30 days
    Remarks: For example, this event occurs when a task has failed with an error.
Audit: Group settings have been modified | 4149 | KLAUD_EV_ADMGROUP_CHANGED | 30 days
Audit: Connection to Administration Server has been terminated | 4151 | KLAUD_EV_SERVERDISCONNECT | 30 days
Audit: Object properties have been modified | 4152 | KLAUD_EV_OBJECTPROPMODIFIED | 30 days
    Remarks: This event tracks changes in the following properties: User; License; Server; Virtual server.
Audit: User permissions have been modified | 4153 | KLAUD_EV_OBJECTACLMODIFIED | 30 days

Network Agent events

This section contains information about the events related to Network Agent.

Network Agent functional failure events

The table below shows the event types of Kaspersky Security Center Network Agent that have the Functional failure severity level.

Network Agent functional failure events

Event type display name: Update installation error
Event type ID: 7702
Event type: KLNAG_EV_PATCH_INSTALL_ERROR
Description: Events of this type occur if automatic updating and patching for Kaspersky Security Center components was not successful. The event does not concern updates of the managed Kaspersky applications. Read the event description. A Windows issue on the Administration Server might be a reason for this event. If the description mentions any issue of Windows configuration, resolve this issue.
Default storage term: 30 days

Event type display name: Failed to install the third-party software update
Event type ID: 7697
Event type: KLNAG_EV_3P_PATCH_INSTALL_ERROR
Description: Events of this type occur if Vulnerability and Patch Management and Mobile Device Management features are in use, and if update of third-party software was not successful. Check whether the link to the third-party software is valid. Read the event description.
Default storage term: 30 days

Event type display name: Failed to install the Windows Update updates
Event type ID: 7717
Event type: KLNAG_EV_WUA_INSTALL_ERROR
Description: Events of this type occur if Windows Updates were not successful. Configure Windows Updates in a Network Agent policy. Read the event description. Look for the error in the Microsoft Knowledge Base. Contact Microsoft Technical Support if you cannot resolve the issue yourself.
Default storage term: 30 days

Network Agent warning events

The table below shows the events of Kaspersky Security Center Network Agent that have the Warning severity level.

For each event that can be generated by an application, you can specify notification settings and storage settings on the Event configuration tab in the application policy. If you want to configure notification settings for all the events at once, configure general notification settings in the Administration Server properties.

Network Agent warning events

Event type display name | Event type ID | Event type | Default storage term
Warning has been returned during installation of the software module update | 7701 | KLNAG_EV_PATCH_INSTALL_WARNING | 30 days
Third-party software update installation has completed with a warning | 7696 | KLNAG_EV_3P_PATCH_INSTALL_WARNING | 30 days
Third-party software update installation has been postponed | 7698 | KLNAG_EV_3P_PATCH_INSTALL_SLIPPED | 30 days
Incident has occurred | 549 | GNRL_EV_APP_INCIDENT_OCCURED | 30 days
KSN Proxy has started. Failed to check KSN for availability | 7718 | KSNPROXY_STARTED_CON_CHK_FAILED | 30 days

Network Agent informational events

The table below shows the events of Kaspersky Security Center Network Agent that have the Info severity level.

For each event that can be generated by an application, you can specify notification settings and storage settings on the Event configuration tab in the application policy. If you want to configure notification settings for all the events at once, configure general notification settings in the Administration Server properties.

Network Agent informational events

Event type display name | Event type ID | Event type | Default storage term
Update for software modules has been installed successfully | 7699 | KLNAG_EV_PATCH_INSTALLED_SUCCESSFULLY | 30 days
Installation of the software module update has started | 7700 | KLNAG_EV_PATCH_INSTALL_STARTING | 30 days
Application has been installed | 7703 | KLNAG_EV_INV_APP_INSTALLED | 30 days
Application has been uninstalled | 7704 | KLNAG_EV_INV_APP_UNINSTALLED | 30 days
Monitored application has been installed | 7705 | KLNAG_EV_INV_OBS_APP_INSTALLED | 30 days
Monitored application has been uninstalled | 7706 | KLNAG_EV_INV_OBS_APP_UNINSTALLED | 30 days
Third-party application has been installed | 7707 | KLNAG_EV_INV_CMPTR_APP_INSTALLED | 30 days
New device has been added | 7708 | KLNAG_EV_DEVICE_ARRIVAL | 30 days
Device has been removed | 7709 | KLNAG_EV_DEVICE_REMOVE | 30 days
New device has been detected | 7710 | KLNAG_EV_NAC_DEVICE_DISCOVERED | 30 days
Device has been authorized | 7711 | KLNAG_EV_NAC_HOST_AUTHORIZED | 30 days
Windows Desktop Sharing: File has been read | 7712 | KLUSRLOG_EV_FILE_READ | 30 days
Windows Desktop Sharing: File has been modified | 7713 | KLUSRLOG_EV_FILE_MODIFIED | 30 days
Windows Desktop Sharing: Application has been started | 7714 | KLUSRLOG_EV_PROCESS_LAUNCHED | 30 days
Windows Desktop Sharing: Started | 7715 | KLUSRLOG_EV_WDS_BEGIN | 30 days
Windows Desktop Sharing: Stopped | 7716 | KLUSRLOG_EV_WDS_END | 30 days
Third-party software update has been installed successfully | 7694 | KLNAG_EV_3P_PATCH_INSTALLED_SUCCESSFULLY | 30 days
Third-party software update installation has started | 7695 | KLNAG_EV_3P_PATCH_INSTALL_STARTING | 30 days
KSN Proxy has started. KSN availability check has completed successfully | 7719 | KSNPROXY_STARTED_CON_CHK_OK | 30 days
KSN Proxy has stopped | 7720 | KSNPROXY_STOPPED | 30 days

iOS MDM Server events

This section contains information about the events related to iOS MDM Server.

iOS MDM Server functional failure events

The table below shows the events of Kaspersky Security Center iOS MDM Server that have the Functional failure severity level.

For each event that can be generated by an application, you can specify notification settings and storage settings on the Event configuration tab in the application policy. If you want to configure notification settings for all the events at once, configure general notification settings in the Administration Server properties.

iOS MDM Server functional failure events

Event type display name | Event type | Default storage term
Failed to request the list of profiles | PROFILELIST_COMMAND_FAILED | 30 days
Failed to install the profile | INSTALLPROFILE_COMMAND_FAILED | 30 days
Failed to remove the profile | REMOVEPROFILE_COMMAND_FAILED | 30 days
Failed to request the list of provisioning profiles | PROVISIONINGPROFILELIST_COMMAND_FAILED | 30 days
Failed to install provisioning profile | INSTALLPROVISIONINGPROFILE_COMMAND_FAILED | 30 days
Failed to remove the provisioning profile | REMOVEPROVISIONINGPROFILE_COMMAND_FAILED | 30 days
Failed to request the list of digital certificates | CERTIFICATELIST_COMMAND_FAILED | 30 days
Failed to request the list of installed applications | INSTALLEDAPPLICATIONLIST_COMMAND_FAILED | 30 days
Failed to request general information about the mobile device | DEVICEINFORMATION_COMMAND_FAILED | 30 days
Failed to request security information | SECURITYINFO_COMMAND_FAILED | 30 days
Failed to lock the mobile device | DEVICELOCK_COMMAND_FAILED | 30 days
Failed to reset the password | CLEARPASSCODE_COMMAND_FAILED | 30 days
Failed to wipe data from the mobile device | ERASEDEVICE_COMMAND_FAILED | 30 days
Failed to install the app | INSTALLAPPLICATION_COMMAND_FAILED | 30 days
Failed to set the redemption code for the app | APPLYREDEMPTIONCODE_COMMAND_FAILED | 30 days
Failed to request the list of managed apps | MANAGEDAPPLICATIONLIST_COMMAND_FAILED | 30 days
Failed to remove the managed app | REMOVEAPPLICATION_COMMAND_FAILED | 30 days
Roaming settings have been rejected | SETROAMINGSETTINGS_COMMAND_FAILED | 30 days
Error has occurred in the app operation | PRODUCT_FAILURE | 30 days
Command result contains invalid data | MALFORMED_COMMAND | 30 days
Failed to send the push notification | SEND_PUSH_NOTIFICATION_FAILED | 30 days
Failed to send the command | SEND_COMMAND_FAILED | 30 days
Device not found | DEVICE_NOT_FOUND | 30 days

iOS MDM Server warning events

The table below shows the events of Kaspersky Security Center iOS MDM Server that have the Warning severity level.

For each event that can be generated by an application, you can specify notification settings and storage settings on the Event configuration tab in the application policy. If you want to configure notification settings for all the events at once, configure general notification settings in the Administration Server properties.

iOS MDM Server warning events

Event type display name | Event type | Default storage term
Attempt to connect a locked mobile device has been detected | INACTICE_DEVICE_TRY_CONNECTED | 30 days
Profile has been removed | MDM_PROFILE_WAS_REMOVED | 30 days
Attempt to re-use a client certificate has been detected | CLIENT_CERT_ALREADY_IN_USE | 30 days
Inactive device has been detected | FOUND_INACTIVE_DEVICE | 30 days
Redemption code is required | NEED_REDEMPTION_CODE | 30 days
Profile has been included in a policy removed from the device | UMDM_PROFILE_WAS_REMOVED | 30 days

iOS MDM Server informational events

The table below shows the events of Kaspersky Security Center iOS MDM Server that have the Info severity level.

For each event that can be generated by an application, you can specify notification settings and storage settings on the Event configuration tab in the application policy. If you want to configure notification settings for all the events at once, configure general notification settings in the Administration Server properties.

iOS MDM Server informational events

Event type display name | Event type | Default storage term
New mobile device has been connected | NEW_DEVICE_CONNECTED | 30 days
List of profiles has been successfully requested | PROFILELIST_COMMAND_SUCCESSFULL | 30 days
Profile has been successfully installed | INSTALLPROFILE_COMMAND_SUCCESSFULL | 30 days
Profile has been successfully removed | REMOVEPROFILE_COMMAND_SUCCESSFULL | 30 days
List of provisioning profiles has been successfully requested | PROVISIONINGPROFILELIST_COMMAND_SUCCESSFULL | 30 days
Provisioning profile has been successfully installed | INSTALLPROVISIONINGPROFILE_COMMAND_SUCCESSFULL | 30 days
Provisioning profile has been successfully removed | REMOVEPROVISIONINGPROFILE_COMMAND_SUCCESSFULL | 30 days
List of digital certificates has been successfully requested | CERTIFICATELIST_COMMAND_SUCCESSFULL | 30 days
List of installed applications has been successfully requested | INSTALLEDAPPLICATIONLIST_COMMAND_SUCCESSFULL | 30 days
General information about the mobile device has been successfully requested | DEVICEINFORMATION_COMMAND_SUCCESSFULL | 30 days
Security information has been successfully requested | SECURITYINFO_COMMAND_SUCCESSFULL | 30 days
Mobile device has been successfully locked | DEVICELOCK_COMMAND_SUCCESSFULL | 30 days
The password has been successfully reset | CLEARPASSCODE_COMMAND_SUCCESSFULL | 30 days
Data has been wiped from the mobile device | ERASEDEVICE_COMMAND_SUCCESSFULL | 30 days
App has been successfully installed | INSTALLAPPLICATION_COMMAND_SUCCESSFULL | 30 days
Redemption code has been successfully set for the app | APPLYREDEMPTIONCODE_COMMAND_SUCCESSFULL | 30 days
The list of managed apps has been successfully requested | MANAGEDAPPLICATIONLIST_COMMAND_SUCCESSFULL | 30 days
Managed app has been removed successfully | REMOVEAPPLICATION_COMMAND_SUCCESSFULL | 30 days
Roaming settings have been successfully applied | SETROAMINGSETTINGS_COMMAND_SUCCESSFUL | 30 days

Exchange Mobile Device Server events

This section contains information about the events related to an Exchange Mobile Device Server.

Exchange Mobile Device Server functional failure events

The table below shows the events of Kaspersky Security Center Exchange Mobile Device Server that have the Functional failure severity level.

For each event that can be generated by an application, you can specify notification settings and storage settings on the Event configuration tab in the application policy. If you want to configure notification settings for all the events at once, configure general notification settings in the Administration Server properties.

Exchange Mobile Device Server functional failure events

Event type display name | Event type | Default storage term
Failed to wipe data from the mobile device | WIPE_FAILED | 30 days
Cannot delete information about mobile device connection to mailbox | DEVICE_REMOVE_FAILED | 30 days
Failed to apply the ActiveSync policy to the mailbox | POLICY_APPLY_FAILED | 30 days
Application operation error | PRODUCT_FAILURE | 30 days
Failed to modify the state of ActiveSync functionality | CHANGE_ACTIVE_SYNC_STATE_FAILED | 30 days

Exchange Mobile Device Server informational events

The table below shows the events of Kaspersky Security Center Exchange Mobile Device Server that have the Info severity level.

For each event that can be generated by an application, you can specify notification settings and storage settings on the Event configuration tab in the application policy. If you want to configure notification settings for all the events at once, configure general notification settings in the Administration Server properties.

Exchange Mobile Device Server informational events

Event type display name | Event type | Default storage term
New mobile device has connected | NEW_DEVICE_CONNECTED | 30 days
Data has been wiped from the mobile device | WIPE_SUCCESSFULL | 30 days

Blocking frequent events

This section provides information about managing frequent events blocking, about removing blocking of frequent events, and about exporting the list of frequent events to a file.

About blocking frequent events


A managed application, for example, Kaspersky Endpoint Security for Windows, installed on one or several managed devices can send a lot of events of the same type to the Administration Server. Receiving frequent events may overload the Administration Server database and overwrite other events. Administration Server starts blocking the most frequent events when the number of all the received events exceeds the specified limit for the database.

Administration Server blocks receiving the frequent events automatically. You cannot block the frequent events yourself, or choose which events to block.

If you want to find out whether an event is blocked, you can check if this event is present in the Blocking frequent events section of the Administration Server properties. If the event is blocked, you can do the following:

If you want to prevent overwriting the database, you can continue blocking this type of events from being received.

If you want, for example, to find the reason why the frequent events are sent to the Administration Server, you can unblock the frequent events and continue receiving events of this type anyway.

If you want to continue receiving the frequent events until they become blocked again, you can remove the frequent events from blocking.

Managing frequent events blocking


Administration Server automatically blocks the receiving of frequent events, but you can stop blocking and
continue to receive frequent events. You can also block receiving frequent events that you unblocked before.

To manage frequent events blocking:

1. In the Kaspersky Security Center console tree, open the context menu of the Administration Server folder,
and then select Properties.

2. In the Administration Server properties window, go to the Sections pane, and then select Blocking frequent
events.

3. In the Blocking frequent events section:

Select the Event type options of the events that you want to block from being received.

Unselect the Event type options of the events that you want to continue receiving.

4. Click the Apply button.

5. Click the OK button.

Administration Server receives the frequent events for which you unselected the option Event type and blocks
receiving frequent events for which you selected the option Event type.

Removing blocking of frequent events

You can remove blocking for frequent events and start receiving them until Administration Server blocks this type
of frequent events again.

To remove blocking of frequent events:

1. In the Kaspersky Security Center console tree, open the context menu of the Administration Server folder,
and then select Properties.

2. In the Administration Server properties window, go to the Sections pane, and then select Blocking frequent
events.

3. In the Blocking frequent events section, click the row of the frequent event for which you want to remove
blocking.

4. Click the Delete button.

The frequent event is removed from the list of the frequent events. Administration Server will receive events of
this type.

Exporting a list of frequent events to a file

To export a list of frequent events to a file:

1. In the Kaspersky Security Center console tree, open the context menu of the Administration Server folder, and then select Properties.

2. In the Administration Server properties window, go to the Sections pane, and then select Blocking frequent events.

3. Click the Export to file button.

4. In the Save as window that opens, specify the path to the file to which you want to save the list.

5. Click the Save button.

All the records on the frequent events list are exported to a file.

Controlling changes in the status of virtual machines


Administration Server stores information about the status of managed devices, such as the hardware registry and
the list of installed applications, and the settings of managed applications, tasks and policies. If a virtual machine
functions as a managed device, the user can restore its status at any time using a previously created snapshot of
the virtual machine. Information about the status of the virtual machine on Administration Server may become
outdated.

For example, the administrator had created a protection policy on Administration Server at 12:00 PM, which started
to run on virtual machine VM_1 at 12:01 PM. At 12:30 PM, the user of virtual machine VM_1 changed its status by
restoring it from a snapshot made at 11:00 AM. The protection policy stops running on the virtual machine.
However, outdated information stored on Administration Server states that the protection policy on virtual
machine VM_1 continues.

Kaspersky Security Center allows you to monitor changes in the status of virtual machines.

After each synchronization with a device, the Administration Server generates a unique ID that is stored on the
device and on the Administration Server. Before starting the next synchronization, Administration Server compares
the values of those IDs on both sides. If the values of the IDs do not match, Administration Server recognizes the
virtual machine as restored from a snapshot. Administration Server resets all the settings of policies and tasks that
are active for the virtual machine and sends it the up-to-date policies and the list of group tasks.

Monitoring the anti-virus protection status using information from the system registry

To monitor the anti-virus protection status on a client device using information logged by Network Agent, depending on the operating system of the device:

On the devices running Windows:

1. Open the system registry of the client device (for example, locally, using the regedit command in the
Start → Run menu).

2. Go to the following hive:

For 32-bit systems:

HKEY_LOCAL_MACHINE\SOFTWARE\KasperskyLab\Components\34\1103\1.0.0.0\Statistics\AVState

For 64-bit systems:

HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\KasperskyLab\Components\34\1103\1.0.0.0\Stati

The system registry displays information about the anti-virus protection status of the client device.

On the devices running Linux:

Information is enclosed in separate text files, one for each type of data, located at /var/opt/kaspersky/klnagent/1103/1.0.0.0/Statistics/AVState/.

On the devices running macOS:

Information is enclosed in separate text files, one for each type of data, located at /Library/Application Support/Kaspersky Lab/klnagent/Data/1103/1.0.0.0/Statistics/AVState/.

The anti-virus protection status corresponds to the values of the keys described in the table below.

Registry keys and their possible values

Protection_LastConnected (REG_SZ)
Value: DD-MM-YYYY HH-MM-SS
Description: Date and time (in UTC format) of the last connection to the Administration Server

Protection_AdmServer (REG_SZ)
Value: IP, DNS name, or NetBIOS name
Description: Name of the Administration Server that manages the device

Protection_NagentVersion (REG_SZ)
Value: a.b.c.d
Description: Build number of the Network Agent installed on the device

Protection_NagentFullVersion (REG_SZ)
Value: a.b.c.d (patch1; patch2; ...; patchN)
Description: Full number of the Network Agent version (with patches) installed on the device

Protection_HostId (REG_SZ)
Value: Device ID
Description: ID of the device

Protection_DynamicVM (REG_DWORD)
Value: 0 (no), 1 (yes)
Description: The Network Agent is installed in the dynamic VDI mode

Protection_AvInstalled (REG_DWORD)
Value: 0 (no), 1 (yes)
Description: A security application is installed on the device

Protection_AvRunning (REG_DWORD)
Value: 0 (no), 1 (yes)
Description: Real-time protection is enabled on the device

Protection_HasRtp (REG_DWORD)
Value: 0 (no), 1 (yes)
Description: A real-time protection component is installed

Protection_RtpState (REG_DWORD)
Description: Real-time protection status:
    0: Unknown
    1: Disabled
    2: Paused
    3: Starting
    4: Enabled
    5: Enabled with the high protection level (maximum protection)
    6: Enabled with the low protection level (maximum speed)
    7: Enabled with the default (recommended) settings
    8: Enabled with custom settings
    9: Operation failure

Protection_LastFscan (REG_SZ)
Value: DD-MM-YYYY HH-MM-SS
Description: Date and time (in UTC format) of the last full scan

Protection_BasesDate (REG_SZ)
Value: DD-MM-YYYY HH-MM-SS
Description: Date and time (in UTC format) of the application databases release
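The following PowerShell script is an added example, not part of the Kaspersky documentation: it reads the AVState values listed above on a Windows device and turns them into a single protection verdict, using the Protection_RtpState codes and the DD-MM-YYYY HH-MM-SS timestamp format from the table. It assumes that the 64-bit key path ends in \Statistics\AVState like the 32-bit one (the page shows that path truncated), and the staleness thresholds for the last connection and the database date are hypothetical values you would tune to your own policy.

```powershell
# Added example (not Kaspersky's code): evaluate Network Agent AVState registry data.
# Assumption: the 64-bit path mirrors the 32-bit one under Wow6432Node.
$SubKey = 'KasperskyLab\Components\34\1103\1.0.0.0\Statistics\AVState'
$Paths  = @("HKLM:\SOFTWARE\Wow6432Node\$SubKey", "HKLM:\SOFTWARE\$SubKey")

# Protection_RtpState codes as documented in the table above.
$RtpStates = @{
    0 = 'Unknown'; 1 = 'Disabled'; 2 = 'Paused'; 3 = 'Starting'; 4 = 'Enabled'
    5 = 'Enabled with the high protection level (maximum protection)'
    6 = 'Enabled with the low protection level (maximum speed)'
    7 = 'Enabled with the default (recommended) settings'
    8 = 'Enabled with custom settings'; 9 = 'Operation failure'
}

function ConvertFrom-KlTimestamp {
    # Values are REG_SZ strings 'DD-MM-YYYY HH-MM-SS' in UTC; returns $null if absent or malformed.
    param([string]$Text)
    if ([string]::IsNullOrWhiteSpace($Text)) { return $null }
    $styles = [System.Globalization.DateTimeStyles]'AssumeUniversal, AdjustToUniversal'
    $dt = [datetime]::MinValue
    $ok = [datetime]::TryParseExact($Text, 'dd-MM-yyyy HH-mm-ss',
        [cultureinfo]::InvariantCulture, $styles, [ref]$dt)
    if ($ok) { return $dt } else { return $null }
}

function Get-KlAvState {
    param(
        [int]$MaxConnectAgeHours = 24,   # hypothetical threshold: agent must have checked in within a day
        [int]$MaxBasesAgeDays    = 3     # hypothetical threshold: databases older than this are stale
    )
    $path = $Paths | Where-Object { Test-Path $_ } | Select-Object -First 1
    if (-not $path) { throw 'Network Agent AVState key not found; is Network Agent installed?' }
    $k   = Get-ItemProperty -Path $path
    $now = (Get-Date).ToUniversalTime()

    $lastConnected = ConvertFrom-KlTimestamp $k.Protection_LastConnected
    $basesDate     = ConvertFrom-KlTimestamp $k.Protection_BasesDate
    $lastFscan     = ConvertFrom-KlTimestamp $k.Protection_LastFscan
    $rtpCode       = [int]$k.Protection_RtpState   # a missing value maps to 0 (Unknown)

    $findings = New-Object System.Collections.Generic.List[string]
    if ($k.Protection_AvInstalled -ne 1) { $findings.Add('No security application installed') }
    if ($k.Protection_HasRtp      -ne 1) { $findings.Add('No real-time protection component installed') }
    if ($k.Protection_AvRunning   -ne 1) { $findings.Add('Real-time protection is not enabled') }
    # Codes 4..8 are the "Enabled" variants; everything else needs attention.
    if ($rtpCode -lt 4 -or $rtpCode -gt 8) {
        $findings.Add("Real-time protection state: $($RtpStates[$rtpCode])")
    }
    if (-not $lastConnected -or ($now - $lastConnected).TotalHours -gt $MaxConnectAgeHours) {
        $findings.Add('Agent has not connected to Administration Server recently')
    }
    if (-not $basesDate -or ($now - $basesDate).TotalDays -gt $MaxBasesAgeDays) {
        $findings.Add('Application databases are outdated')
    }

    [pscustomobject]@{
        HostId           = $k.Protection_HostId
        AdminServer      = $k.Protection_AdmServer
        AgentVersion     = $k.Protection_NagentFullVersion
        DynamicVdi       = ($k.Protection_DynamicVM -eq 1)
        RtpState         = $RtpStates[$rtpCode]
        LastConnectedUtc = $lastConnected
        LastFullScanUtc  = $lastFscan
        BasesDateUtc     = $basesDate
        Healthy          = ($findings.Count -eq 0)
        Findings         = $findings
    }
}

Get-KlAvState | Format-List
```

Run it with local administrator rights on the managed device; a non-empty Findings list explains why Healthy is false, which is convenient for feeding into a compliance check outside the Administration Console.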

Viewing and configuring the actions when devices show inactivity

If client devices within a group are inactive, you can get notifications about it. You can also automatically delete such devices.

To view or configure the actions when the devices in the group show inactivity:

1. In the console tree, right-click the name of the required administration group.

2. In the context menu, select Properties.
This opens the administration group properties window.

3. In the Properties window, go to the Devices section.

4. If needed, enable or disable the following options:

Notify the administrator if the device has been inactive for longer than (days)

If this option is enabled, the administrator receives notifications about inactive devices. You can specify the time interval after which the Device has remained inactive on the network in a long time event is created. The default time interval is 7 days.
By default, this option is enabled.

Remove the device from the group if it has been inactive for longer than (days)

If this option is enabled, you can specify the time interval after which the device is automatically
removed from the group. The default time interval is 60 days.
By default, this option is enabled.

Inherit from parent group

The settings in this section will be inherited from the parent group in which the client device is included.
If this option is enabled, the settings under Device activity on the network are locked from any
changes.
This option is available only if the administration group has a parent group.
By default, this option is enabled.

Force inheritance in child groups

The setting values will be distributed to child groups but in the properties of the child groups these
settings are locked.
By default, this option is disabled.

5. Click OK.

Your changes are saved and applied.

Disabling Kaspersky announcements


In Kaspersky Security Center Web Console, the Kaspersky announcements section (MONITORING &
REPORTING → Kaspersky announcements) keeps you informed by providing information related to your version
of Kaspersky Security Center and the managed applications installed on managed devices. If you do not want to
receive Kaspersky announcements, you can disable this feature.

The Kaspersky announcements include two types of information: security-related announcements and marketing
announcements. You can disable the announcements of each type separately.

To disable security-related announcements:

1. In the console tree, select the Administration Server for which you want to disable security-related
announcements.

2. Right-click and in the context menu that appears, select Properties.

3. In the Administration Server properties window that opens, in the Kaspersky announcements section, disable
the Enable the display of Kaspersky announcements in Kaspersky Security Center 14 Web Console option.

4. Click OK.

Kaspersky announcements are disabled.

Marketing announcements are disabled by default. You receive marketing announcements only if you enabled
Kaspersky Security Network (KSN). You can disable this type of announcement by disabling KSN.

Adjustment of distribution points and connection gateways


A structure of administration groups in Kaspersky Security Center performs the following functions:

Sets the scope of policies


There is an alternate way of applying relevant settings on devices, by using policy pro les. In this case, you set
the scope of policies with tags, device locations in Active Directory organizational units, or membership in
Active Directory security groups.

Sets the scope of group tasks


There is an approach to de ning the scope of group tasks that is not based on a hierarchy of administration
groups: use of tasks for device selections and tasks for speci c devices.

Sets access rights to devices, virtual Administration Servers, and secondary Administration Servers

Assigns distribution points

When building the structure of administration groups, you must take into account the topology of the
organization's network for the optimum assignment of distribution points. Optimum placement of distribution
points allows you to save traffic on the organization's network.

Depending on the organizational schema and network topology, the following standard configurations can be
applied to the structure of administration groups:

Single office

Multiple small remote offices

Devices functioning as distribution points must be protected, including physical protection, against any
unauthorized access.

Standard configuration of distribution points: Single office
In a standard "single-office" configuration, all devices are on the organization's network so they can "see" each
other. The organization's network may consist of a few separate parts (networks or network segments) linked by
narrow channels.

The following methods of building the structure of administration groups are possible:

Building the structure of administration groups taking into account the network topology. The structure of
administration groups may not reflect the network topology with absolute precision. A match between the
separate parts of the network and certain administration groups would be enough. You can use automatic
assignment of distribution points or assign them manually.

Building the structure of administration groups, without taking the network topology into account. In this case,
you must disable automatic assignment of distribution points, and then assign one or several devices to act as
distribution points for a root administration group in each of the separate parts of the network, for example, for
the Managed devices group. All distribution points will be at the same level and will feature the same scope
spanning all devices on the organization's network. In this case, each Network Agent will connect to the
distribution point that has the shortest route. The route to a distribution point can be traced with the tracert
utility.

Standard configuration of distribution points: Multiple small remote offices


This standard configuration provides for a number of small remote offices, which may communicate with the head
office over the internet. Each remote office is located behind the NAT, that is, connection from one remote office
to another is not possible because offices are isolated from one another.

The configuration must be reflected in the structure of administration groups: a separate administration group
must be created for each remote office (groups Office 1 and Office 2 in the figure below).

Figure: Remote offices are included in the administration group structure

One or multiple distribution points must be assigned to each administration group that corresponds to an office.
Distribution points must be devices at the remote office that have a sufficient amount of free disk space. Devices
deployed in the Office 1 group, for example, will access distribution points assigned to the Office 1 administration
group.

If some users move between offices physically, with their laptops, you must select two or more devices (in addition
to the existing distribution points) in each remote office and assign them to act as distribution points for a top-
level administration group (Root group for offices in the figure above).

Example: A laptop is deployed in the Office 1 administration group and then is moved physically to the office that
corresponds to the Office 2 administration group. After the laptop is moved, Network Agent attempts to access
the distribution points assigned to the Office 1 group, but those distribution points are unavailable. Then, Network
Agent starts attempting to access the distribution points that have been assigned to the Root group for offices.
Because remote offices are isolated from one another, attempts to access distribution points assigned to the
Root group for offices administration group will only be successful when Network Agent attempts to access
distribution points in the Office 2 group. That is, the laptop will remain in the administration group that corresponds
to the initial office, but the laptop will use the distribution point of the office where it is physically located at the
moment.

Assigning a managed device to act as a distribution point


You can manually assign a device to act as a distribution point for an administration group and configure it as a
connection gateway in Administration Console.

To assign a device as distribution point of an administration group:

1. In the console tree, select the Administration Server node.

2. In the context menu of Administration Server, select Properties.

3. In the Administration Server properties window, select the Distribution points section.

4. In the right part of the window, select the Manually assign distribution points option.

5. Click the Add button.

Figure: Assign a distribution point manually

This opens the Add distribution point window.

6. In the Add distribution point window, perform the following actions:

a. Under Device to act as distribution point, click the down arrow on the Select split button and select
the Add device from group option.

b. In the Select devices window that opens, select the device to act as a distribution point.

c. Under Distribution point scope, click the down arrow on the Select split button.

d. Indicate the specific devices to which the distribution point will distribute updates. You can specify an
administration group or a network location description.

e. Click OK to close the Add distribution point window.

Figure: Selecting distribution point scope

The distribution point that you have added will be displayed in the list of distribution points, in the Distribution
points section.

The first device with Network Agent installed that connects to the virtual Administration Server will be
automatically assigned to act as distribution point and configured as connection gateway.

Connecting a Linux device as a gateway in the demilitarized zone


To connect a Linux device as a gateway in the demilitarized zone (DMZ):

1. Download and install Network Agent on the Linux device.

2. Run the post-install script and follow the Wizard in order to set up the local environment configuration. In the
command prompt, run the following command:
$ sudo /opt/kaspersky/klnagent64/lib/bin/setup/postinstall.pl

3. On the step asking for the Network Agent mode, choose the Use as connection gateway option.

4. In the Administration Server properties window that opens, select the Distribution points section.

5. In the Distribution points window that opens, in the right part of the window:

a. Select the Manually assign distribution points option.

b. Click the Add button.

This opens the Add distribution point window.

6. In the Add distribution point window, perform the following actions:

a. Under Device to act as distribution point, click the down arrow on the Select split button, and then
select the Add connection gateway in DMZ by address option.

b. Under Distribution point scope, click the down arrow on the Select split button.

c. Indicate the specific devices to which the distribution point will distribute updates. You can specify an
administration group.

d. Click OK to close the Add distribution point window.

7. The distribution point that you have added will be displayed in the list of distribution points, in the Distribution
points section.

8. Run the klnagchk utility in order to check whether a connection to Kaspersky Security Center has been
successfully configured. In the command prompt, run:
$ sudo /opt/kaspersky/klnagent64/bin/klnagchk

9. In the main menu, go to Kaspersky Security Center and discover the device.

10. In the window that opens, click the <Device name>.

11. In the drop-down list, select the Move to Group link.

12. In the Select group window that opens, click the Distribution points link.

13. Click OK.

14. Restart the Network Agent service on the Linux client by executing the following command in the command
prompt:
$ sudo /opt/kaspersky/klnagent64/bin/klnagchk -restart

Connecting a Linux device as a gateway in the DMZ is completed.

After that, you can connect a Linux device to the Administration Server through the configured connection
gateway. Follow these procedures only after you have completed the main installation scenario.

Connecting a Linux device to the Administration Server via a connection gateway

A connection gateway allows you to connect client devices from the demilitarized zone (DMZ) to Administration
Server. Windows-based and Linux-based devices can act as a connection gateway. After you have connected and
configured the connection gateway, you can use this gateway to connect a Linux device to the Administration
Server. Follow the procedure below only after you have completed the main installation scenario.

To connect a Linux device to the Administration Server via a connection gateway, perform the following actions on
this device:

1. Download and install Network Agent on the Linux device.

2. Run the Network Agent post-install script by executing the following command in the command prompt:
$ sudo /opt/kaspersky/klnagent64/lib/bin/setup/postinstall.pl

3. On the step asking for the Network Agent mode, choose the Connect to server using connection gateway
option and enter the address of connection gateway.

4. Check the connection with Kaspersky Security Center and the connection gateway, by using the following
command in the command prompt:
$ sudo /opt/kaspersky/klnagent64/bin/klnagchk
The address of connection gateway is displayed in the output.

Connecting a Linux device to the Administration Server via a connection gateway is completed. You can use this
device for update distribution, for remote installation of applications, and to retrieve information about networked
devices.

Adding a connection gateway in the DMZ as a distribution point


A connection gateway waits for connections from Administration Server, rather than establishing connections to
Administration Server. This means that right after a connection gateway is installed on a device in the DMZ,
Administration Server does not list the device among managed devices. Therefore, you need a special procedure
to ensure that Administration Server initiates a connection to the connection gateway.

To add a device with a connection gateway as a distribution point:

1. In the console tree, select the Administration Server node.

2. In the context menu of Administration Server, select Properties.

3. In the Administration Server properties window, select the Distribution points section.

4. In the right part of the window, select the Manually assign distribution points option.

5. Click the Add button.


This opens the Add distribution point window.

6. In the Add distribution point window, perform the following actions:

a. Under Device to act as distribution point, click the down arrow on the Select split button, and then
select the Add connection gateway in DMZ by address option.

b. In the Enter connection gateway address window that opens, enter the IP address of the connection
gateway (or enter the name if the connection gateway is accessible by name).

c. Under Distribution point scope, click the down arrow on the Select split button.

d. Indicate the specific devices to which the distribution point will distribute updates. You can specify an
administration group or a network location description.
We recommend that you have a separate group for external managed devices.

After you perform these actions, the list of distribution points contains a new entry named Temporary entry for
connection gateway.

Administration Server almost immediately attempts to connect to the connection gateway at the address that
you specified. If it succeeds, the entry name changes to the name of the connection gateway device. This
process takes up to five minutes.

While the temporary entry for the connection gateway is being converted to a named entry, the connection
gateway also appears in the Unassigned devices group.

To add a connection gateway to a previously configured network, reinstall the Network Agent on devices that
you want to connect to the newly added connection gateway.

Assigning distribution points automatically


We recommend that you assign distribution points automatically. Kaspersky Security Center will then select on its
own which devices must be assigned distribution points.

To assign distribution points automatically:

1. Open the main application window.

2. In the console tree, select the node with the name of the Administration Server for which you want to assign
distribution points automatically.

3. In the context menu of the Administration Server, click Properties.

4. In the Administration Server properties window, in the Sections pane select Distribution points.

5. In the right part of the window, select the Automatically assign distribution points option.

If automatic assignment of devices as distribution points is enabled, you cannot configure distribution
points manually or edit the list of distribution points.

6. Click OK.

Administration Server assigns and configures distribution points automatically.

About local installation of Network Agent on a device selected as distribution point

To allow the device selected as the distribution point to directly communicate with the virtual Administration
Server in order to act as connection gateway, the Network Agent must be installed locally on this device.

The procedure of local installation of Network Agent on the device defined as distribution point is the same as
local installation of Network Agent on any network device.

The following conditions must be met for a device selected as a distribution point:

During local installation of Network Agent, specify the address of a virtual Administration Server that manages
the device in the Server Address field in the Administration Server window of the Setup Wizard. You can use
either the device IP address or device name in the Windows network.
The following format is used for the virtual Administration Server address: <Full address of the physical
Administration Server to which the virtual Server is subordinate>/<Name of virtual Administration Server>.

So that it can act as connection gateway, open all ports of the device that are necessary for communication
with the Administration Server.

After Network Agent with specified settings is installed on a device, Kaspersky Security Center performs the
following actions automatically:

Includes this device in the Managed devices group of the virtual Administration Server.

Assigns this device as the distribution point of the Managed devices group of the virtual Administration Server.

It is necessary and sufficient to install Network Agent locally on the device that is assigned as the distribution
point for the Managed devices group on the organization's network. You can install Network Agent remotely
on devices that act as distribution points in the nested administration groups. To do this, use the distribution
point of the Managed devices group as connection gateway.

About using a distribution point as connection gateway


If the Administration Server is outside the demilitarized zone (DMZ), Network Agents from this zone cannot
connect to the Administration Server.

When connecting the Administration Server with Network Agents, you can use a distribution point as the
connection gateway. The distribution point opens a port to Administration Server for the connection to be
created. When the Administration Server is started, it connects to that distribution point and maintains this
connection during the entire session.

Upon receiving a signal from the Administration Server, the distribution point sends a UDP signal to the Network
Agents in order to allow connection to the Administration Server. When the Network Agents receive that signal,
they connect to the distribution point, which transfers information between the Network Agents and the
Administration Server. Information exchange can occur over an IPv4 or IPv6 network.

We recommend that you use a specially assigned device as the connection gateway and cover a maximum of
10,000 client devices (including mobile devices) with this connection gateway.

To add a connection gateway to a previously con gured network:

1. Install the Network Agent in the connection gateway mode.

2. Reinstall the Network Agent on devices that you want to connect to the newly added connection gateway.

Adding IP ranges to the scanned ranges list of a distribution point


You can add IP ranges to the list of scanned ranges of a distribution point.

To add an IP range to the list of scanned ranges:

1. In the console tree, select the Administration Server node.

2. In the context menu of the node, select Properties.

3. In the Administration Server properties window that opens, select the Distribution points section.

4. In the list, select the necessary distribution point, and then click Properties.

5. In the distribution point properties window that opens, in the left Sections pane, select Device discovery → IP
ranges.

6. Select the Enable range polling check box.

7. Click the Add button.


The Add button is active only if you select the Enable range polling check box.
The IP range window opens.

8. In the IP range window, enter the name of the new IP range (the default name is New range).

9. Click the Add button.

10. Do one of the following:

Specify the IP range using the start and end IP addresses.

Specify the IP range using the address and subnet mask.

Click Browse and add a subnet from the global list of subnets.

11. Click OK.

12. Click OK to add the new range with the speci ed name.

The new range will appear in the list of scanned ranges.

Using a distribution point as a push server


In Kaspersky Security Center, a distribution point can work as a push server for the devices managed through the
mobile protocol and for the devices managed by Network Agent. For example, a push server must be enabled if
you want to be able to force synchronization of KasperskyOS devices with Administration Server. A push server
has the same scope of managed devices as the distribution point on which the push server is enabled. If you have
several distribution points assigned for the same administration group, you can enable push server on each of the
distribution points. In this case, Administration Server balances the load between the distribution points.

A push server supports the load of up to 50,000 simultaneous connections.

You might want to use distribution points as push servers to make sure that there is continuous connectivity
between a managed device and the Administration Server. Continuous connectivity is needed for some
operations, such as running and stopping local tasks, receiving statistics for a managed application, or creating a
tunnel. If you use a distribution point as a push server, you do not have to use the Do not disconnect from the
Administration Server option on managed devices or send packets to the UDP port of the Network Agent.

To use a distribution point as a push server:

1. In the console tree, select the Administration Server node.

2. In the context menu of the node, select Properties.

3. In the Administration Server properties window that opens, select the Distribution points section.

4. In the list, select the necessary distribution point, and then click Properties.

5. In the distribution point properties window that opens, in the General section of the left Sections pane, select
the Use this distribution point as a push server option.

6. Specify the push server port number, that is, the port on the distribution point that client devices will use for
connection.
By default, port 13295 is used.

7. Click the OK button to exit the distribution point properties window.

8. Open the Network Agent policy settings window.

9. In the Connectivity section, go to the Network subsection.

10. In the Network subsection, select the Use distribution point to force connection to the Administration
Server option.

11. Click the OK button to exit the window.

The distribution point starts acting as a push server. It can now send push notifications to client devices.

If you manage devices with KasperskyOS installed, or plan to do so, you must use a distribution point as a push
server. You can also use a distribution point as a push server if you want to send push notifications to client
devices.

Other routine work


This section provides recommendations on routine work with Kaspersky Security Center.

Managing Administration Servers


This section provides information about working with Administration Servers and con guring them.

Creating a hierarchy of Administration Servers: adding a secondary Administration Server

You can add an Administration Server as a secondary Administration Server, thus establishing a
"primary/secondary" hierarchy. Adding a secondary Administration Server is possible regardless of whether the
Administration Server that you intend to use as secondary is available for connection through Administration
Console.

When combining two Administration Servers into a hierarchy, make sure that port 13291 is accessible on both
Administration Servers. Port 13291 is required to receive connections from Administration Console to the
Administration Server.

Connecting an Administration Server as secondary in reference to the primary Administration Server

You can add an Administration Server as secondary by connecting it to the primary Administration Server via port
13000. You will need a device that has Administration Console installed from which TCP ports 13291 can be
accessed on both Administration Servers: supposed primary Administration Server and supposed secondary
Administration Server.

To add as secondary an Administration Server that is available for connection through Administration Console:

1. Make sure that port 13000 of the supposed primary Administration Server is available for receipt of
connections from secondary Administration Servers.

2. Use Administration Console to connect to the supposed primary Administration Server.

3. Select the administration group to which you intend to add the secondary Administration Server.

4. In the workspace of the Administration Servers node of the selected group, click the Add secondary
Administration Server link.
The Add Secondary Administration Server Wizard starts.

5. At the first step of the Wizard (entering the address of the Administration Server being added to the group),
enter the network name of the supposed secondary Administration Server.

6. Follow the instructions of the Wizard.

The "primary/secondary" hierarchy is built. The primary Administration Server will receive connection from the
secondary Administration Server.

If you do not have a device that has Administration Console installed from which TCP ports 13291 can be accessed
on both Administration Servers (if, for example, the supposed secondary Administration Server is located at a
remote office and the system administrator of that office cannot open internet access to port 13291 for security
reasons), you will still be able to add a secondary Administration Server.

To add as secondary an Administration Server that is not available for connection through Administration Console:

1. Make sure that port 13000 of the supposed primary Administration Server is available for connection from
secondary Administration Servers.

2. Write the certificate file of the supposed primary Administration Server to an external device, such as a flash
drive, or send it to the system administrator of the remote office where the Administration Server is located.
The certificate file of the Administration Server is on the same Administration Server, at
%ALLUSERSPROFILE%\Application Data\KasperskyLab\adminkit\1093\cert\klserver.cer.

3. Write the certificate file of the supposed secondary Administration Server to an external device, such as a
flash drive. If the supposed secondary Administration Server is located at a remote office, contact the system
administrator of that office to prompt him or her to send you the certificate.
The certificate file of the Administration Server is on the same Administration Server, at
%ALLUSERSPROFILE%\Application Data\KasperskyLab\adminkit\1093\cert\klserver.cer.

4. Use Administration Console to connect to the supposed primary Administration Server.

5. Select the administration group to which you intend to add the secondary Administration Server.

6. In the workspace of the Administration Servers node, click the Add secondary Administration Server link.
The Add Secondary Administration Server Wizard starts.

7. At the first step of the Wizard (entering the address), leave the Secondary Administration Server address
(optional) field blank.

8. In the Secondary Administration Server certificate file window, click the Browse button and select the
certificate file of the secondary Administration Server that you saved.

9. When the Wizard is complete, use a different instance of Administration Console to connect to the supposed
secondary Administration Server. If this Administration Server is located at a remote office, contact the system
administrator of that office to prompt him or her to connect to the supposed secondary Administration Server
and perform the remaining steps.

10. In the context menu of the Administration Server node, select Properties.

11. In the Administration Server properties, proceed to the Advanced section and then to the Hierarchy of
Administration Servers subsection.

12. Select the This Administration Server is secondary in the hierarchy check box.
The entry fields become available for data input and editing.

13. In the Primary Administration Server address field, enter the network name of the supposed primary
Administration Server.

14. Select the previously saved file with the certificate of the supposed primary Administration Server by clicking
the Browse button.

15. Click OK.

The "primary/secondary" hierarchy is built. You can connect to the secondary Administration Server through
Administration Console. The primary Administration Server will receive connection from the secondary
Administration Server.

Connecting the primary Administration Server to a secondary Administration Server

You can add a new Administration Server as secondary so that the primary Administration Server connects to the
secondary Administration Server via port 13000. This is advisable if, for example, you place a secondary
Administration Server in DMZ.

You will need a device that has Administration Console installed from which TCP ports 13291 can be accessed on
both Administration Servers: supposed primary Administration Server and supposed secondary Administration
Server.

To add a new Administration Server as secondary and connect the primary Administration Server via port 13000:

1. Make sure that port 13000 of the supposed secondary Administration Server is available for receipt of
connections from the primary Administration Server.

2. Use Administration Console to connect to the supposed primary Administration Server.

3. Select the administration group to which you intend to add the secondary Administration Server.

4. In the workspace of the Administration Servers node of the relevant administration group, click the Add
secondary Administration Server link.
The Add Secondary Administration Server Wizard starts.

5. At the first step of the Wizard (entering the address of the Administration Server to be added to the group),
enter the network name of the supposed secondary Administration Server and select the Connect primary
Administration Server to secondary Administration Server in DMZ check box.

6. If you connect to the supposed secondary Administration Server by using a proxy server, at the first step of
the Wizard select the Use proxy server check box and specify the connection settings.

7. Follow the instructions of the Wizard.

The hierarchy of Administration Servers is created. The secondary Administration Server will receive connection
from the primary Administration Server.
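Both hierarchy procedures above depend on specific TCP ports being open: 13291 on both Administration Servers for Administration Console, and 13000 on whichever server accepts the server-to-server connection. The following PowerShell function is an added example, not part of this documentation or of Kaspersky Security Center, that checks those ports before you start the Wizard; the hostnames are constructed placeholders and Test-NetConnection is the built-in Windows cmdlet.

```powershell
# Added example (not Kaspersky code): pre-flight check of the ports the
# Administration Server hierarchy procedures rely on. Run it from the
# Administration Console workstation. Hostnames are constructed placeholders.

function Test-KscHierarchyPorts {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string] $PrimaryServer,
        [Parameter(Mandatory)] [string] $SecondaryServer,
        # Set this switch for the "secondary Administration Server in DMZ" case,
        # where the primary connects to the secondary: port 13000 must then be
        # open on the secondary server instead of the primary one.
        [switch] $PrimaryConnectsToSecondary
    )

    # Port 13291 must accept Administration Console connections on both servers,
    # because the Wizard is run from a console host that reaches both.
    $checks = @(
        [pscustomobject]@{ Role = 'Primary';   Host = $PrimaryServer;   Port = 13291; Purpose = 'Administration Console' }
        [pscustomobject]@{ Role = 'Secondary'; Host = $SecondaryServer; Port = 13291; Purpose = 'Administration Console' }
    )

    # Port 13000 is the server-to-server port; which side must listen depends
    # on the direction in which the hierarchy connection is established.
    if ($PrimaryConnectsToSecondary) {
        $checks += [pscustomobject]@{ Role = 'Secondary'; Host = $SecondaryServer; Port = 13000; Purpose = 'Connection from primary Administration Server' }
    } else {
        $checks += [pscustomobject]@{ Role = 'Primary';   Host = $PrimaryServer;   Port = 13000; Purpose = 'Connection from secondary Administration Server' }
    }

    foreach ($c in $checks) {
        # Test-NetConnection performs a plain TCP connect; suppress its warning
        # on failure and report the result as a boolean instead.
        $r = Test-NetConnection -ComputerName $c.Host -Port $c.Port -WarningAction SilentlyContinue
        [pscustomobject]@{
            Role      = $c.Role
            Host      = $c.Host
            Port      = $c.Port
            Purpose   = $c.Purpose
            Reachable = [bool]$r.TcpTestSucceeded
        }
    }
}

# Constructed example: primary and secondary hosts in a lab domain.
Test-KscHierarchyPorts -PrimaryServer 'ksc-primary.example.local' `
                       -SecondaryServer 'ksc-secondary.example.local' |
    Format-Table -AutoSize
```

Because the checks run from the console workstation, a reachable port 13000 shows only that this host can reach it; the server that will actually initiate the hierarchy connection must reach it as well, so repeat the 13000 check from that server.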

Connecting to an Administration Server and switching between Administration Servers

After Kaspersky Security Center is started, it attempts to connect to an Administration Server. If several
Administration Servers are available on the network, the application requests the server to which it was connected
during the previous session of Kaspersky Security Center.

When the application is started for the first time after installation, it attempts to connect to the
Administration Server that was specified during Kaspersky Security Center installation.

After connection to an Administration Server is established, the folders tree of that Server is displayed in the
console tree.
If several Administration Servers have been added to the console tree, you can switch between them.

Administration Console is required for work with each Administration Server. Before the first connection to a new
Administration Server, make sure that port 13291, which receives connections from Administration Console, is open,
as well as all the remaining ports required for communication between Administration Server and other Kaspersky
Security Center components.

To switch to another Administration Server:

1. In the console tree, select the node with the name of the required Administration Server.

2. In the context menu of the node, select Connect to Administration Server.

3. In the Connection settings window that opens, in the Administration Server address field specify the name
of the Administration Server to which you want to connect. You can specify an IP address or the name of a
device on a Windows network as the name of the Administration Server. You can click the Advanced button to
configure the connection to the Administration Server (see figure below).
To connect to the Administration Server through a different port than the default port, enter a value in the
Administration Server address field in <Administration Server name>:<Port> format.

Users who do not have Read rights will be denied access to Administration Server.

Figure: Connecting to Administration Server

4. Click OK to complete the switch between Servers.

After the Administration Server is connected, the folders tree of the corresponding node in the console tree is
updated.

Access rights to Administration Server and its objects

The KLAdmins and KLOperators groups are created automatically during Kaspersky Security Center installation.
These groups are granted permissions to connect to the Administration Server and to process Administration
Server objects.

Depending on the type of account that is used for installation of Kaspersky Security Center, the KLAdmins and
KLOperators groups are created as follows:

If the application is installed under a user account included in a domain, the groups are created on the
Administration Server and in the domain that includes the Administration Server.

If the application is installed under a system account, the groups are created on the Administration Server only.

You can view the KLAdmins and KLOperators groups and modify the access privileges of the users that belong to
the KLAdmins and KLOperators groups by using the standard administrative tools of the operating system.

The KLAdmins group is granted all access rights; the KLOperators group is granted only Read and Execute rights.
The rights granted to the KLAdmins group are locked.

Users that belong to the KLAdmins group are called Kaspersky Security Center administrators, while users from
the KLOperators group are called Kaspersky Security Center operators.

In addition to users included in the KLAdmins group, administrator rights for Kaspersky Security Center are also
provided to the local administrators of devices on which Administration Server is installed.

You can exclude local administrators from the list of users who have Kaspersky Security Center administrator
rights.

All operations started by the administrators of Kaspersky Security Center are performed using the rights of the
Administration Server account.

An individual KLAdmins group can be created for each Administration Server from the network; the group will have
the necessary rights for that Administration Server only.

If devices belonging to the same domain are included in the administration groups of different Administration
Servers, the domain administrator is the Kaspersky Security Center administrator for all the groups. The KLAdmins
group is the same for those administration groups; it is created during installation of the first Administration Server.
All operations initiated by a Kaspersky Security Center administrator are performed using the account rights of
the Administration Server for which these operations have been started.

After the application is installed, an administrator of Kaspersky Security Center can do the following:

Modify the rights granted to the KLOperators groups.

Grant rights—to access Kaspersky Security Center functionality—to other user groups and individual users who
are registered on the administrator's workstation.

Assign user access rights within each administration group.

The Kaspersky Security Center administrator can assign access rights to each administration group or to other
objects of Administration Server in the Security section in the properties window of the selected object.

You can track user activity by using the records of events in the Administration Server operation. Event records
are displayed in the Administration Server node on the Events tab. These events have the importance level Info
events and the event types begin with "Audit".

Conditions of connection to an Administration Server over the internet
If an Administration Server is remotely located outside a corporate network, client devices can connect to it over
the internet.

For devices to connect to an Administration Server over the internet, the following conditions must be met:

The remote Administration Server must have an external IP address and the incoming port 13000 must remain
open (for connection of Network Agents). We recommend that you also open UDP port 13000 (for receiving
notifications of device shut down).

Network Agents must be installed on the devices.

When installing Network Agent on devices, you must specify the external IP address of the remote
Administration Server. If an installation package is used for installation, specify the external IP address manually
in the properties of the installation package, in the Settings section.

To use the remote Administration Server to manage applications and tasks for a device, in the properties
window of the device, in the General section select the Do not disconnect from the Administration Server
check box. After the check box is selected, wait until the Administration Server is synchronized with the remote
device. The number of client devices maintaining a continuous connection with an Administration Server cannot
exceed 300.

To speed up the performance of tasks initiated by a remote Administration Server, you can open port 15000 on a
device. In this case, to run a task, the Administration Server sends a special packet to Network Agent over port
15000 without waiting until completion of synchronization with the device.

Encrypted connection to an Administration Server


Data exchange between client devices and Administration Server, as well as Administration Console connection to
Administration Server, can be performed using the TLS (Transport Layer Security) protocol. The TLS protocol can
identify the interacting parties, encrypt the data that is transferred, and protect data against modi cation during
transfer. The TLS protocol uses public keys to authenticate the interacting parties and encrypt data.

Authenticating Administration Server when a device is connected


When a client device connects to Administration Server for the first time, Network Agent on the device downloads
a copy of the Administration Server certificate and stores it locally.

If you install Network Agent on a device locally, you can select the Administration Server certificate manually.

The downloaded copy of the certi cate is used to verify Administration Server rights and permissions during
subsequent connections.

During future sessions, Network Agent requests the Administration Server certi cate at each connection of the
device to Administration Server and compares it with the local copy. If the copies do not match, the device is not
allowed access to Administration Server.

Administration Server authentication during Administration Console connection
At the first connection to Administration Server, Administration Console requests the Administration Server
certificate and saves it locally on the administrator's workstation. After that, each time when Administration
Console tries to connect to this Administration Server, the Administration Server is identified based on the
certificate copy.

If the Administration Server certificate does not match the copy stored on the administrator's workstation,
Administration Console prompts you to confirm connection to the Administration Server with the specified name
and download a new certificate. After the connection is established, Administration Console saves a copy of the
new Administration Server certificate, which will be used to identify the Administration Server in the future.

Configuring an allowlist of IP addresses to connect to Administration Server


By default, users can log in to Kaspersky Security Center under any device where they can open Kaspersky
Security Center Web Console (hereinafter referred to as Web Console) or where MMC-based Administration
Console is installed. However, you can configure Administration Server so that users can connect to it only from
devices with allowed IP addresses. In this case, even if an intruder steals a Kaspersky Security Center account, he
or she will not be able to log in to Kaspersky Security Center because the IP address of the intruder's device is not
in the allowlist.

The IP address is verified when a user logs in to Kaspersky Security Center or runs an application that interacts
with Administration Server via Kaspersky Security Center OpenAPI. At this moment, a user's device tries to
establish a connection with Administration Server. If the IP address of the device is not in the allowlist, an
authentication error occurs and the KLAUD_EV_SERVERCONNECT event notifies you that a connection with
Administration Server has not been established.

Requirements for an allowlist of IP addresses

IP addresses are verified only when the following applications try to connect to Administration Server:

Web Console Server


If you sign in to Web Console on one device and the Web Console Server is installed on another device, you can
configure a firewall on the device where the Web Console Server is installed by using the standard means of the
operating system. Then, if someone tries to log in to Web Console, a firewall helps prevent intruders from
interfering.

Administration Console

Applications interacting with Administration Server via klakaut automation objects

Applications interacting with Administration Server via OpenAPI, such as Kaspersky Anti Targeted Attack
Platform or Kaspersky Security for Virtualization

Therefore, specify addresses of the devices on which the applications listed above are installed.

You can set IPv4 and IPv6 addresses. You cannot specify ranges of IP addresses.

How to establish an allowlist of IP addresses

If you have not set an allowlist earlier, follow the instructions below.
To establish an allowlist of IP addresses to log in to Kaspersky Security Center:

1. On the Administration Server device, run the command prompt under an account with administrator rights.

2. Change your current directory to the Kaspersky Security Center installation folder (usually, <Disk>:\Program
Files (x86)\Kaspersky Lab\Kaspersky Security Center).

3. Enter the following command, using administrator rights:


klscflag -fset -pv klserver -n KLSRV_FLAG_ALLOWED_IP_ADDRESSES_FOR_GUI -v "<IP addresses>" -t s

Specify IP addresses that meet the requirements listed above. Several IP addresses must be separated by a
semicolon.

Example of how to allow only one device to connect to Administration Server:

klscflag -fset -pv klserver -n KLSRV_FLAG_ALLOWED_IP_ADDRESSES_FOR_GUI -v "192.0.2.0" -t s

Example of how to allow multiple devices to connect to Administration Server:

klscflag -fset -pv klserver -n KLSRV_FLAG_ALLOWED_IP_ADDRESSES_FOR_GUI -v "192.0.2.0; 198.51.100.0; 203.0.113.0" -t s

4. Restart the Administration Server service.

You can find out whether you have successfully configured the allowlist of IP addresses in Kaspersky Event Log on
the Administration Server.

How to change an allowlist of IP addresses

You can change an allowlist just as you did when you first established it. For this purpose, run the same command
and specify a new allowlist:

klscflag -fset -pv klserver -n KLSRV_FLAG_ALLOWED_IP_ADDRESSES_FOR_GUI -v "<IP addresses>" -t s

If you want to delete some IP addresses from the allowlist, rewrite it. For example, your allowlist includes the
following IP addresses: 192.0.2.0; 198.51.100.0; 203.0.113.0. You want to delete the 198.51.100.0 IP address. To do this,
enter the following command at the command prompt:

klscflag -fset -pv klserver -n KLSRV_FLAG_ALLOWED_IP_ADDRESSES_FOR_GUI -v "192.0.2.0; 203.0.113.0" -t s

Do not forget to restart the Administration Server service.

How to reset a configured allowlist of IP addresses

To reset an already configured allowlist of IP addresses:

1. Enter the following command at the command prompt, using administrator rights:
klscflag -fset -pv klserver -n KLSRV_FLAG_ALLOWED_IP_ADDRESSES_FOR_GUI -v "" -t s

2. Restart the Administration Server service.

After that, IP addresses are not veri ed any more.
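Establishing, changing, trimming and resetting the allowlist all come down to rewriting one semicolon-separated value, and a typo there (a CIDR prefix, a range, a mistyped octet) silently locks the wrong devices in or out. The PowerShell below is an added example, not Kaspersky's own code: it validates every entry as a single IPv4 or IPv6 address before calling klscflag, and assumes it runs as an administrator from the installation folder where klscflag.exe is located; the function names are hypothetical, the flag name and command syntax are the documented ones.

```powershell
# Added example, not Kaspersky's own code. Run as an administrator from the Kaspersky
# Security Center installation folder (where klscflag.exe lives). Function names are
# hypothetical; the flag name and the klscflag syntax are the ones documented above.

function Test-KscAllowlistAddress {
    # The allowlist takes single IPv4 or IPv6 addresses only: no ranges, no CIDR prefixes.
    param([Parameter(Mandatory)][string]$Address)
    $ip = $null
    if (-not [System.Net.IPAddress]::TryParse($Address, [ref]$ip)) { return $false }
    if ($ip.AddressFamily -eq [System.Net.Sockets.AddressFamily]::InterNetwork) {
        # .NET also accepts shorthand such as "1" (= 0.0.0.1); insist on four dotted octets.
        return ($Address -match '^\d{1,3}(\.\d{1,3}){3}$')
    }
    return ($ip.AddressFamily -eq [System.Net.Sockets.AddressFamily]::InterNetworkV6)
}

function New-KscAllowlistValue {
    # Builds the semicolon-separated value for KLSRV_FLAG_ALLOWED_IP_ADDRESSES_FOR_GUI and
    # rejects anything that is not a single address (e.g. "192.0.2.0/24" or "192.0.2.0-192.0.2.9").
    param([Parameter(Mandatory)][string[]]$Addresses)
    $bad = @($Addresses | Where-Object { -not (Test-KscAllowlistAddress $_) })
    if ($bad.Count -gt 0) {
        throw "Rejected (single IPv4/IPv6 addresses only): $($bad -join ', ')"
    }
    return (@($Addresses | Select-Object -Unique) -join '; ')
}

function Remove-KscAllowlistAddress {
    # The allowlist cannot be edited in place: to drop an address, the whole list is rewritten without it.
    param([Parameter(Mandatory)][string]$CurrentValue,
          [Parameter(Mandatory)][string[]]$Remove)
    $keep = @(($CurrentValue -split ';') | ForEach-Object { $_.Trim() } |
              Where-Object { $_ -and ($_ -notin $Remove) })
    if ($keep.Count -eq 0) {
        # An empty value switches the IP check off entirely; require that to be an explicit reset.
        throw 'Removing every address would disable the allowlist; call Set-KscAllowlist with no addresses to reset it on purpose.'
    }
    return (New-KscAllowlistValue -Addresses $keep)
}

function Set-KscAllowlist {
    # Writes the value with the documented klscflag command. No addresses means an empty
    # value, which resets the allowlist (IP addresses are then no longer checked).
    param([string[]]$Addresses = @(), [switch]$DryRun)
    $value = if ($Addresses.Count -gt 0) { New-KscAllowlistValue -Addresses $Addresses } else { '' }
    # Start-Process passes the argument string verbatim, so the empty "" survives on every
    # PowerShell version (the & operator dropped empty-string arguments before PowerShell 7.3).
    $argLine = "-fset -pv klserver -n KLSRV_FLAG_ALLOWED_IP_ADDRESSES_FOR_GUI -v `"$value`" -t s"
    if ($DryRun) { Write-Host "klscflag $argLine"; return $value }
    $p = Start-Process -FilePath '.\klscflag.exe' -ArgumentList $argLine -NoNewWindow -Wait -PassThru
    if ($p.ExitCode -ne 0) { throw "klscflag exited with code $($p.ExitCode)" }
    Write-Warning 'Restart the Administration Server service for the change to take effect.'
    return $value
}

# Constructed sample using the documentation's RFC 5737 addresses; -DryRun only prints the command.
Set-KscAllowlist -Addresses '192.0.2.0', '198.51.100.0', '203.0.113.0' -DryRun
Remove-KscAllowlistAddress -CurrentValue '192.0.2.0; 198.51.100.0; 203.0.113.0' -Remove '198.51.100.0'
```

Drop -DryRun to apply the value; the service restart that the procedures above require is still a separate, deliberate step.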

Using the klscflag utility to close port 13291
Port 13291 on the Administration Server is used for receiving connections from Administration Consoles. This port
is open by default. If you do not want to use the MMC-based Administration Console or the klakaut utility, you can
close this port by using the klscflag utility. This utility changes the value of the
KLSRV_SP_SERVER_SSL_PORT_GUI_OPEN parameter.

To close port 13291:

1. Run the Windows command prompt by using administrator rights, and then change your current directory to
the directory with the klscflag utility. The klscflag utility is located in the folder where Administration Server is
installed. The default installation path is <Disk>:\Program Files (x86)\Kaspersky Lab\Kaspersky Security Center.

2. Execute the following command in the command line:


klscflag -ssvset -pv klserver -s 87 -n KLSRV_SP_SERVER_SSL_PORT_GUI_OPEN -sv false -svt BOOL_T -ss "|ss_type = \"SS_SETTINGS\";"

3. Restart the Kaspersky Security Center Administration Server service.

Port 13291 is closed.

To check if port 13291 has been successfully closed:

Execute the following command in the command line:

klscflag -ssvget -pv klserver -s 87 -n KLSRV_SP_SERVER_SSL_PORT_GUI_OPEN -svt BOOL_T -ss "|ss_type = \"SS_SETTINGS\";"
This command returns the following result:
+--- (PARAMS_T)
+---KLSRV_SP_SERVER_SSL_PORT_GUI_OPEN = (BOOL_T)false
The false value means that the port is closed. Otherwise, the true value is displayed.
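The flag value only tells you what the Administration Server will do after its next start; until the service is restarted, port 13291 may still be listening. The PowerShell below is an added example, not Kaspersky's own code: it parses the klscflag output shown above and cross-checks it with a bounded TCP probe of the port, so the two views can be compared; the function names are hypothetical, and it assumes it runs as an administrator from the installation folder so that cmd.exe finds klscflag there.

```powershell
# Added example, not Kaspersky's own code. Run as an administrator from the installation
# folder so that cmd.exe finds klscflag there. Function names are hypothetical; the query
# and the output format are the ones documented above.

function ConvertFrom-KscBoolSetting {
    # Turns a line such as "+---KLSRV_SP_SERVER_SSL_PORT_GUI_OPEN = (BOOL_T)false" into $false.
    param([Parameter(Mandatory)][string[]]$Lines,
          [string]$Name = 'KLSRV_SP_SERVER_SSL_PORT_GUI_OPEN')
    $pattern = '^\+---\s*' + [regex]::Escape($Name) + '\s*=\s*\(BOOL_T\)(true|false)\s*$'
    foreach ($line in $Lines) {
        if ($line -match $pattern) { return [bool]::Parse($matches[1]) }
    }
    throw "Setting $Name was not found in the klscflag output"
}

function Test-TcpPortOpen {
    # Bounded TCP connect so the probe cannot hang if the host silently drops packets.
    param([string]$ComputerName, [int]$Port, [int]$TimeoutMs = 2000)
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $async = $client.BeginConnect($ComputerName, $Port, $null, $null)
        if (-not $async.AsyncWaitHandle.WaitOne($TimeoutMs)) { return $false }
        $client.EndConnect($async)   # throws when the connection is refused
        return $true
    } catch { return $false } finally { $client.Close() }
}

function Test-KscConsolePortClosed {
    # $true only when the flag says the port is closed AND nothing accepts TCP 13291.
    # A mismatch usually means the Administration Server service has not been restarted yet.
    param([string]$ComputerName = 'localhost', [int]$Port = 13291)
    # The documented query, run through cmd.exe so that its quoting reaches klscflag unchanged.
    $raw = cmd /c 'klscflag -ssvget -pv klserver -s 87 -n KLSRV_SP_SERVER_SSL_PORT_GUI_OPEN -svt BOOL_T -ss "|ss_type = \"SS_SETTINGS\";"'
    $flagOpen  = ConvertFrom-KscBoolSetting -Lines @($raw)
    $listening = Test-TcpPortOpen -ComputerName $ComputerName -Port $Port
    if ($flagOpen -ne $listening) {
        Write-Warning "Flag reports open=$flagOpen but the TCP probe reports listening=$listening"
    }
    return ((-not $flagOpen) -and (-not $listening))
}

# Parser self-check on a constructed copy of the documented output.
$sample = @('+--- (PARAMS_T)', '+---KLSRV_SP_SERVER_SSL_PORT_GUI_OPEN = (BOOL_T)false')
if (ConvertFrom-KscBoolSetting -Lines $sample) { throw 'parser self-check failed: expected false' }
```

Call Test-KscConsolePortClosed after the service restart; a warning about a mismatch between the flag and the probe is the signal that the change has not taken effect yet.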

Disconnecting from an Administration Server


To disconnect from an Administration Server:

1. In the console tree select the node corresponding to the Administration Server that you want to disconnect.

2. In the context menu of the node select Disconnect from Administration Server.

Adding an Administration Server to the console tree


To add an Administration Server to the console tree:

1. In the Kaspersky Security Center main window, in the console tree select the Kaspersky Security Center 14
node.

2. In the context menu of the node, select New → Administration Server.

A node named Administration Server - <Device name> (Not connected) is created in the console tree from
which you will be able to connect to any of the Administration Servers installed on the network.

Removing an Administration Server from the console tree


To remove an Administration Server from the console tree:

1. In the console tree select the node corresponding to the Administration Server that you want to remove.

2. In the context menu of the node select Remove.

Adding a virtual Administration Server to the console tree


To add a virtual Administration Server to the console tree:

1. In the console tree, select the node with the name of the Administration Server for which you need to create a
virtual Administration Server.

2. In the Administration Server node, select the Administration Servers folder.

3. In the workspace of the Administration Servers folder, click the Add virtual Administration Server link.
The New Virtual Administration Server Wizard starts.

4. In the Name of virtual Administration Server window, specify the name of the virtual Administration Server to
be created.
The name of a virtual Administration Server cannot be more than 255 characters long and cannot include any
special characters (such as "*<>?\:|).

5. In the Enter address for device connection to virtual Administration Server window, specify the device
connection address
The connection address of a virtual Administration Server is the network address through which devices will
connect to that Server. The connection address has two parts: the network address of a physical
Administration Server and the name of a virtual Administration Server, separated with a slash. The name of the
virtual Administration Server will be substituted automatically. The specified address will be used on the virtual
Administration Server as the default address in Network Agent installation packages.

6. In the Create the virtual Administration Server administrator account window, assign a user from the list to
act as virtual Server administrator, or add a new administrator account by clicking the Create button.
You can specify multiple accounts.

A node named Administration Server <Name of virtual Administration Server> is created in the console tree.

Changing an Administration Server service account. Utility tool klsrvswch


If you have to change the Administration Server service account that was set during installation of Kaspersky
Security Center, you can use a utility named klsrvswch that is designed for changing the Administration Server
account.

When Kaspersky Security Center is installed, the utility is automatically copied to the application installation folder.

The number of launches of the utility is essentially unlimited.

The klsrvswch utility allows you to change the account type. For example, if you use a local account, you can
change it to a domain account or to a managed service account (and vice versa). The klsrvswch utility does not
allow you to change the account type to group managed service account (gMSA).

Windows Vista and later Windows versions do not allow the use of a LocalSystem account for the
Administration Server. In these Windows versions, the LocalSystem account option is inactive.

To change an Administration Server service account to a domain account:

1. Launch the klsrvswch utility from the installation folder of Kaspersky Security Center. The default installation
path: <Disk>:\Program Files (x86)\Kaspersky Lab\Kaspersky Security Center.
This action also launches the Wizard for modification of Administration Server service account. Follow the
instructions of the Wizard.

2. In the Administration Server service account window, select LocalSystem account.

After the Wizard finishes, the Administration Server account is changed. The Administration Server service will
start under the LocalSystem Account and use its credentials.

Correct operation of Kaspersky Security Center requires that the account used to start the Administration
Server service has administrator rights to the resource where the Administration Server database is hosted.

To change an Administration Server service account to a user account or a managed service account:

1. Launch the klsrvswch utility from the installation folder of Kaspersky Security Center. The default installation
path: <Disk>:\Program Files (x86)\Kaspersky Lab\Kaspersky Security Center.
This action also launches the Wizard for modification of Administration Server service account. Follow the
instructions of the Wizard.

2. In the Administration Server service account window, select Custom account.

3. Click the Find now button.


The Select User window opens.

4. In the Select User window, click the Object Types button.

5. In the object types list, select Users (if you want a user account) or Service Accounts (if you want a managed
service account) and click OK.

6. In the object name field, enter the name of the account, or a part of the name, and click Check Names.

7. In the list of the matching names, select the necessary name, and then click OK.

8. If you selected Service Accounts, in the Account password window, leave the Password and Confirm
password fields blank. If you selected Users, enter a new password for the user and confirm it.

The Administration Server service account will be changed to the account that you selected.

When Microsoft SQL Server is used in a mode that presupposes authenticating user accounts with Windows
tools, access to the database must be granted. The user account must have the status of owner of the
Kaspersky Security Center database. The dbo schema is used by default.

Changing DBMS credentials


Sometimes, you may need to change DBMS credentials, for example, in order to perform a credential rotation for
security purposes.

To change DBMS credentials in a Windows environment by using klsrvswch.exe:

1. Launch the klsrvswch utility that is located in the installation folder of Kaspersky Security Center. The default
installation path: <Disk>:\Program Files (x86)\Kaspersky Lab\Kaspersky Security Center.

2. Click the Next button of the Wizard until you reach the Change DBMS access credentials step.

3. At the Change DBMS access credentials step of the Wizard, perform the following:

Select the Apply new credentials option.

Specify a new account name in the Account field.

Specify a new password for an account in the Password field.

Specify the new password in the Confirm password field.

You should specify credentials of an account that exists in the DBMS.

4. Click the Next button.

After the Wizard finishes, the DBMS credentials are changed.

Resolving issues with Administration Server nodes


The console tree in the left pane of Administration Console contains nodes of Administration Servers. You can add
as many Administration Servers as you need to the console tree.

The list of Administration Server nodes in the console tree is stored in a shadow copy of a .msc file by means of
Microsoft Management Console. The shadow copy of this file is located in the
%USERPROFILE%\AppData\Roaming\Microsoft\MMC\ folder on the device where the Administration Console is
installed. For each Administration Server node, the file contains the following information:

Administration Server address

Port number

Whether TLS is in use


This parameter depends on the port number used to connect Administration Console to the Administration
Server.
User name

Administration Server certificate

Troubleshooting

When Administration Console connects to the Administration Server, the certificate stored locally is compared to
the Administration Server certificate. If the certificates do not match, Administration Console generates an error.
For example, a certificate mismatch may occur when you replace the Administration Server certificate. In this case,
recreate the Administration Server node in the console.

To recreate an Administration Server node:

1. Close the Kaspersky Security Center Administration Console window.

2. Delete the Kaspersky Security Center 14 file at %USERPROFILE%\AppData\Roaming\Microsoft\MMC\.

3. Run Kaspersky Security Center Administration Console.


You will be prompted to connect to the Administration Server and accept its existing certi cate.

4. Do one of the following:

Accept the existing certificate by clicking the Yes button.

To specify your certificate, click the No button, and then browse to the certificate file to be used to
authenticate the Administration Server.

The certificate issue is resolved. You can use Administration Console to connect to the Administration Server.

Viewing and modifying the settings of an Administration Server


You can adjust the settings of an Administration Server in the properties window of this Server.

To open the Properties: Administration Server window,

Select Properties in the context menu of the Administration Server node in the console tree.

Adjusting the general settings of Administration Server


You can adjust the general settings of Administration Server in the General, Administration Server connection
settings, Events repository, and Security sections of the Administration Server properties window.

The Security section is not displayed in the Administration Server properties window if the display has been
disabled in the Administration Console interface.

To enable the display of the Security section in Administration Console:

1. In the console tree, select the Administration Server that you want.

2. In the View menu of the main application window, select Configure interface.

3. In the Configure interface window that opens, select the Display security settings sections check box and
click OK.

4. In the window with the application message, click OK.

The Security section will be displayed in the Administration Server properties window.

Administration Console interface settings


You can adjust the interface settings of Administration Console to display or hide the user interface controls
related to the following features:

Vulnerability and Patch Management

Data encryption and protection

Endpoint control settings

Mobile Device Management

Secondary Administration Servers

Security Settings sections

To con gure the Administration Console interface settings:

1. In the console tree, select the Administration Server that you want.

2. In the View menu of the main application window, select Configure interface.

3. In the Configure interface window that opens, select the check boxes next to the features that you want
displayed and click OK.

4. In the window with the application message, click OK.

The selected features will be displayed in the Administration Console interface.

Event processing and storage on the Administration Server


Information about events during the operation of the application and managed devices is saved in the
Administration Server database. Each event is attributed to a certain type and level of severity (Critical event,
Functional failure, Warning, or Info). Depending on the conditions under which an event occurred, the application
can assign different levels of severity to events of the same type.

You can view types and levels of severity assigned to events in the Event configuration section of the
Administration Server properties window. In the Event configuration section, you can also configure processing of
every event by the Administration Server:

Registration of events on the Administration Server and in event logs of the operating system on a device and
on the Administration Server.

Method used for notifying the administrator of an event (for example, an SMS or email message).

In the Events repository section of the Administration Server properties window, you can edit the settings of
events storage in the Administration Server database by limiting the number of event records and record storage
term. When you specify the maximum number of events, the application calculates an approximate amount of
storage space required for the specified number. You can use this approximate calculation to evaluate whether you
have enough free space on the disk to avoid database overflow. The default capacity of the Administration Server
database is 400,000 events. The maximum recommended capacity of the database is 45 million events.

The application checks the database every 10 minutes. If the number of events reaches the specified maximum
value plus 10,000, the application deletes the oldest events so that only the speci ed maximum number of events
remains.

When the Administration Server deletes old events, it cannot save new events to the database. During this period
of time, information about events that were rejected is written to the Kaspersky Event Log. The new events are
queued and then saved to the database after the deletion operation is complete.

You can change the settings of any task to save events related to the task progress, or save only task execution
results. In doing so, you will reduce the number of events in the database, increase the speed of execution of
scenarios associated with analysis of the event table in the database, and lower the risk that critical events will be
overwritten by a large number of events.

Viewing log of connections to the Administration Server


The history of connections and attempts to connect to the Administration Server during its operation can be
saved to a log file. The information in the file allows you to track not only connections on your network
infrastructure, but unauthorized attempts to access the Administration Server as well.

To log events of connection to the Administration Server:

1. In the console tree, select the Administration Server for which you want to enable connection event logging.

2. In the context menu of the Administration Server, select Properties.

3. In the properties window that opens, in the Administration Server connection settings section, select the
Connection ports subsection.

4. Enable the Log Administration Server connection events option.

5. Click the OK button to close the Administration Server properties window.

All further events of inbound connections to the Administration Server, authentication results, and SSL errors
will be saved to the file %ProgramData%\KasperskyLab\adminkit\logs\sc.syslog.

Control of virus outbreaks


Kaspersky Security Center allows you to quickly respond to emerging threats of virus outbreaks. Risks of virus
outbreaks are assessed by monitoring virus activity on devices.

You can configure assessment rules for threats of virus outbreaks and actions to take in case one emerges; to do
this, use the Virus outbreak section of the properties window of Administration Server.

You can specify the notification procedure for the Virus outbreak event in the Event configuration section of the
Administration Server properties window, in the Virus outbreak event properties window.

The Virus outbreak event is generated upon detection of Malicious object detected events during the operation of
security applications. Therefore, you must save information about all Malicious object detected events on
Administration Server in order to recognize virus outbreaks.

You can specify the settings for saving information about any Malicious object detected event in the policies of
the security applications.

When Malicious object detected events are counted, only information from the devices of the primary
Administration Server is taken into account. The information from secondary Administration Servers is not
taken into account. For each secondary Server, the Virus outbreak event is configured individually.

Limiting traffic
To reduce traffic volumes within a network, the application provides the option to limit the speed of data transfer
to an Administration Server from specified IP ranges and IP subnets.

You can create and configure traffic-limiting rules in the Traffic section of the Administration Server properties
window.

To create a traffic-limiting rule:

1. In the console tree, select the node with the name of the Administration Server for which you want to create a
traffic-limiting rule.

2. In the context menu of the Administration Server, select Properties.

3. In the Administration Server properties window, select the Traffic section.

4. Click the Add button.

5. In the New rule window, specify the following settings:


In the IP range to limit traffic section, select the method that will be used to define the subnet or range for
which the data transfer rate will be limited, and then enter the values of the settings for the selected method.
Select one of the following methods:

Specify the range by using address and network mask

Traffic is limited based on subnet settings. Specify the subnet address and the subnet mask for
determining the range in which traffic will be limited.
You can also click Browse to add subnets from the global list of subnets.

Specify the range by using start and end addresses

Traffic is limited based on a range of IP addresses. Specify the range of IP addresses in the Start and
End entry fields.
This option is selected by default.

In the Traffic limit section, you can adjust the following restrictive settings for the data transfer rate:

Time interval

Time interval during which the traffic restriction will be in force. You can specify the boundaries of the
time interval in the entry fields.

Limit (KB/s)

Maximum total transfer speed of incoming and outgoing data of the Administration Server. Traffic
restriction will only be effective within the interval specified in the Time interval field.

Limit traffic for the remaining time (KB/s)

Traffic will be limited not only within the interval specified in the Time interval field, but also at other
times.
By default, this check box is cleared. The value of this field may not match the value of the Limit (KB/s)
field.

Primarily, traffic limiting rules affect the transfer of files. These rules do not apply to the traffic generated by
synchronization between Administration Server and Network Agent, or between primary and secondary
Administration Servers.

Configuring Web Server


Web Server is designed for publishing stand-alone installation packages, iOS MDM profiles, and files from a shared
folder.

You can define the settings for Web Server connection to the Administration Server and set the Web Server
certificate in the Web Server section of the Administration Server properties window.

Working with internal users


The accounts of internal users are used to work with virtual Administration Servers. Kaspersky Security Center
grants the rights of real users to internal users of the application.

The accounts of internal users are created and used only within Kaspersky Security Center. No data on internal
users is transferred to the operating system. Kaspersky Security Center authenticates internal users.

You can con gure accounts of internal users in the User accounts folder of the console tree.

Backup and restoration of Administration Server settings


Backup of the settings of Administration Server and its database is performed through the backup task and
klbackup utility. A backup copy includes all the main settings and objects pertaining to the Administration Server,
such as certi cates, primary keys for encryption of drives on managed devices, keys for various licenses, structure
of administration groups with all of its contents, tasks, policies, etc. With a backup copy you can recover the
operation of an Administration Server as soon as possible, spending from a dozen minutes to a couple of hours on
this.

If no backup copy is available, a failure may lead to an irrevocable loss of certi cates and all Administration
Server settings. This will necessitate reconfiguring Kaspersky Security Center from scratch, and performing
initial deployment of Network Agent on the organization's network again. All primary keys for encryption of
drives on managed devices will also be lost, risking irrevocable loss of encrypted data on devices with
Kaspersky Endpoint Security. Therefore, do not neglect regular backups of Administration Server using the
standard backup task.

The Quick Start Wizard creates the backup task for Administration Server settings and sets it to run daily, at 4:00
AM. Backup copies are saved by default in the folder %ALLUSERSPROFILE%\Application Data\KasperskySC.

If an instance of Microsoft SQL Server installed on another device is used as the DBMS, you must modify the
backup task by specifying a UNC path, which is available for write by both the Administration Server service and
the SQL Server service, as the folder to store backup copies. This requirement, which is not obvious, derives from
a special feature of backup in the Microsoft SQL Server DBMS.

If a local instance of Microsoft SQL Server is used as the DBMS, we also recommend saving backup copies on a
dedicated medium in order to secure them against damage together with Administration Server.

Because a backup copy contains important data, the backup task and klbackup utility provide for password
protection of backup copies. By default, the backup task is created with a blank password. You must set a
password in the properties of the backup task. Neglecting this requirement causes a situation where all keys of
Administration Server certificates, keys for licenses, and primary keys for encryption of drives on managed devices
remain unencrypted.

In addition to the regular backup, you must also create a backup copy prior to every significant change, including
installation of Administration Server upgrades and patches.

If you use Microsoft SQL Server as the DBMS, you can minimize the size of backup copies. To do this, enable the
Compress backup option in the SQL Server settings.

Restoration from a backup copy is performed with the utility klbackup on an operable instance of Administration
Server that has just been installed and has the same version (or later) for which the backup copy was created.

The instance of Administration Server on which the restoration is to be performed, must use a DBMS of the same
type (for example, the same SQL Server or MariaDB) and the same or later version. The version of Administration
Server can be the same (with an identical or later patch), or later.

This section describes standard scenarios for restoring settings and objects of Administration Server.

Using a file system snapshot to reduce the backup duration


In Kaspersky Security Center 14, the idle time of Administration Server during backup has been reduced as
compared to earlier versions. Moreover, the Use file system snapshot for data backup feature has been added to
the task settings. This feature reduces idle time further: the klbackup utility creates a shadow copy of the disk
during backup (this takes a few seconds) and simultaneously copies the database (this takes a few minutes at
most). As soon as klbackup has created the shadow copy of the disk and the copy of the database, the utility
makes the Administration Server connectible again.

You can use the file system snapshotting feature only if these two conditions are met:

The Administration Server shared folder and the %ALLUSERSPROFILE%\KasperskyLab folder are located on
the same logical disk and are local in reference to the Administration Server.

The %ALLUSERSPROFILE%\KasperskyLab folder does not contain any symbolic links that have been created
manually.

Do not use the feature if either of these conditions cannot be met. In this case, the application would return an
error message in response to any attempt to create a file system snapshot.

To use the feature, you must have an account that has been granted the permission to create snapshots of the
logical disk storing the %ALLUSERSPROFILE% folder. Note that the Administration Server service account has no
such permission.

To use the file system snapshotting feature in order to reduce the backup duration:

1. In the Tasks section, select the backup task.

2. In the context menu, select Properties.

3. In the task properties window that opens, select the Settings section.

4. Select the Use file system snapshot for data backup check box.

5. In the User name and Password fields, enter the name and password of an account that has the permission to
create snapshots of the logical disk storing the %ALLUSERSPROFILE% folder.

6. Click Apply.

At any further startup of the backup task, the klbackup utility will create file system snapshots, thus reducing the
Administration Server idle time during the task run.

A device with Administration Server is inoperable


If a device with Administration Server is inoperable due to a failure, we recommend that you perform the following
actions:

The new Administration Server must be assigned the same address: NetBIOS name, FQDN, or static
IP (depending on which of them was set when Network Agents were deployed).

Install Administration Server, using a DBMS of the same type, of the same (or later) version. You can install the
same version of Server with the same (or later) patch, or a later version. After installation, do not perform the
initial setup through the Wizard.

In the Start menu, run the klbackup utility and perform restoration.

The settings of Administration Server or the database are corrupted


If Administration Server is inoperable due to corrupted settings or database (e.g., after a power surge), we
recommend the following restoration scenario:

1. Scan the file system on the damaged device.

2. Uninstall the inoperable version of Administration Server.

3. Reinstall Administration Server, using a DBMS of the same type and of the same (or later) version. You can
install the same version of Server with the same (or later) patch, or a later version. After installation, do not
perform the initial setup through the Wizard.
4. In the Start menu, run the utility klbackup and perform restoration.

It is prohibited to restore Administration Server in any way other than through the klbackup utility.

Any attempts to restore Administration Server through third-party software will inevitably lead to
desynchronization of data on nodes of the distributed application Kaspersky Security Center and, consequently,
to improper functioning of the application.

Backup copying and restoration of Administration Server data


Data backup allows you to move Administration Server from one device to another without data loss. Through
backup, you can restore data when moving the Administration Server database to another device, or when
upgrading to a newer version of Kaspersky Security Center.

Note that the installed management plug-ins are not backed up. After you restore Administration Server data
from a backup copy, you need to download and reinstall plug-ins for managed applications.

Before you back up the Administration Server data, check whether a virtual Administration Server is added to
the administration group. If a virtual Administration Server is added, make sure that an administrator is
assigned to this virtual Administration Server before the backup. You cannot grant the administrator access
rights to the virtual Administration Server after the backup. Note that if the administrator account credentials
are lost, you will not be able to assign a new administrator to the virtual Administrator Server.

You can create a backup copy of Administration Server data in one of the following ways:

By creating and running a data backup task through Administration Console.

By running the klbackup utility on the device that has Administration Server installed. This utility is included in
the Kaspersky Security Center distribution kit. After the installation of Administration Server, the utility is
located in the root of the destination folder specified at the application installation.

The following data is saved in the backup copy of Administration Server:

Database of Administration Server (policies, tasks, application settings, events saved on the Administration
Server).

Configuration details of the structure of administration groups and client devices.

Repository of distribution packages of applications for remote installation.

Administration Server certificate.

Recovery of Administration Server data is only possible using the klbackup utility.

Creating a data backup task

Backup tasks are Administration Server tasks; they are created through the Quick Start Wizard. If a backup task
created by the Quick Start Wizard has been deleted, you can create one manually.

To create an Administration Server data backup task:

1. In the console tree, select the Tasks folder.

2. Start creation of the task in one of the following ways:

By selecting New → Task in the context menu of the Tasks folder in the console tree.

By clicking the Create a task button in the workspace.

The Add Task Wizard starts. Follow the instructions of the Wizard. In the Select the task type window of the
Wizard select the task type named Backup of Administration Server data.

The Backup of Administration Server data task can only be created in a single copy. If the Administration
Server data backup task has already been created for the Administration Server, it is not displayed in the task
type selection window of the Backup Task Creation Wizard.

Data backup and recovery utility (klbackup)


You can copy Administration Server data for backup and future recovery using the klbackup utility, which is part of
the Kaspersky Security Center distribution kit.

The klbackup utility can run in either of the two following modes:

Interactive

Silent

Data backup and recovery in interactive mode


To create a backup copy of Administration Server data in interactive mode:

1. Run the klbackup utility located in the Kaspersky Security Center installation folder.
The Backup and Restore Wizard starts.

2. In the first window of the Wizard, select Perform backup of Administration Server data.
If you select the Restore or back up Administration Server certificate only option, only a backup copy of the
Administration Server certificate will be saved.
Click Next.

3. In the next window of the Wizard, specify the following options:

Destination folder for the backup

Migrate to MySQL/MariaDB format

Enable this option if you currently use SQL Server as a DBMS for Administration Server and you want
to migrate the data from SQL Server to MySQL or MariaDB DBMS. Kaspersky Security Center will
create a backup compatible with MySQL and MariaDB. After that, you can restore the data from the
backup into MySQL or MariaDB.

Migrate to Azure format

Enable this option if you currently use SQL Server as a DBMS for Administration Server and you want
to migrate the data from SQL Server to Azure SQL DBMS. Kaspersky Security Center will create a
backup compatible with Azure SQL. After that, you can restore the data from the backup into Azure
SQL.

Include current date and time in the name of the backup destination folder

Password for the backup

4. Click the Next button to start backup.

5. If you are working with a database in a cloud environment such as Amazon Web Services (AWS) or Microsoft
Azure, in the Sign In to Online Storage window, fill in the following fields:

For AWS:

S3 bucket name

The name of the S3 bucket that you created for the Backup.

Access key ID

You received the key ID (sequence of alphanumeric characters) when you created the IAM user
account for working with S3 bucket storage instance.
The field is available if you selected RDS database on an S3 bucket.

Secret key

The secret key that you received with the access key ID when you created the IAM user account.
The characters of the secret key are displayed as asterisks. After you begin entering the secret key,
the Show button is displayed. Click and hold this button for the necessary amount of time to view
the characters you entered.
The field is available if you selected an AWS IAM access key for authorization instead of an IAM role.

For Microsoft Azure:

Azure storage account name

You created the name of the Azure storage account for working with Kaspersky Security Center.

Azure Subscription ID

You created the subscription on the Azure portal.

Azure password

You received the password of the Application ID when you created the Application ID.
The characters of the password are displayed as asterisks. After you begin entering the password,
the Show button becomes available. Click and hold this button to view the characters you entered.

Azure Application ID

You created this application ID on the Azure portal.


You can provide only one Azure Application ID for polling and other purposes. If you want to poll
another Azure segment, you must first delete the existing Azure connection.

Azure SQL server name

The name and the resource group are available in your Azure SQL Server properties.

Azure SQL server resource group

The name and the resource group are available in your Azure SQL Server properties.

Azure storage access key

Available in the properties of your storage account, in the Access Keys section. You can use any of
the keys (key1 or key2).

To recover Administration Server data in interactive mode:

1. Run the klbackup utility located in the Kaspersky Security Center installation folder. Start the utility under the
same account that you used to install Administration Server.
The Backup and Restore Wizard starts.

2. In the first window of the Wizard, select Restore Administration Server data.
If you select the Restore or back up Administration Server certificate only option, only the Administration Server
certificate will be recovered.
Click Next.

3. In the Restore settings window of the Wizard:

Specify the folder that contains a backup copy of Administration Server data.
If you are working in a cloud environment such as AWS or Azure, specify the address of the storage. Also,
make sure that the file is named backup.zip.

Specify the password that was entered during data backup.

When restoring data, you must specify the same password that was entered during backup. If the path to a
shared folder changed after backup, check the operation of tasks that use restored data (restore tasks and
remote installation tasks). If necessary, edit the settings of these tasks. While data is being restored from a
backup file, no one must access the shared folder of Administration Server. The account under which the
klbackup utility is started must have full access to the shared folder.

4. Click the Next button to restore data.

Data backup and recovery in silent mode


To create a backup copy or recover Administration Server data in silent mode,

Run klbackup with the required set of keys from the command line of the device that has Administration Server
installed.

Utility command line syntax:

klbackup -path BACKUP_PATH [-logfile LOGFILE] [-use_ts]|[-restore] [-password PASSWORD] [-online]

If no password is specified in the command line of the klbackup utility, the utility prompts you to enter the
password interactively.

Descriptions of the keys:

-path BACKUP_PATH—Save information in the BACKUP_PATH folder, or use data from the BACKUP_PATH
folder for recovery (mandatory parameter).

-logfile LOGFILE—Save a report about Administration Server data backup and recovery.
The database server account and the klbackup utility should be granted permissions for changing data in the
folder BACKUP_PATH.

-use_ts—When saving data, copy information to the BACKUP_PATH folder, to the subfolder with a name
containing the current system date and operation time in klbackup YYYY-MM-DD # HH-MM-SS format. If no
key is specified, information is saved in the root of the folder BACKUP_PATH.
During attempts to save information in a folder that already stores a backup copy, an error message appears.
No information will be updated.
Availability of the -use_ts key allows an Administration Server data archive to be maintained. For example, if
the -path key indicates the folder C:\KLBackups, the folder klbackup 2022/6/19 # 11-30-18 then
stores information about the status of the Administration Server as of June 19, 2022, at 11:30:18 AM.

-restore—Recover Administration Server data. Data recovery is performed based on information contained in
the BACKUP_PATH folder. If no key is available, data is backed up in the BACKUP_PATH folder.

-password PASSWORD—Save or recover the Administration Server certificate; to encrypt and decrypt the
certificate, use the password specified by the PASSWORD parameter.

A forgotten password cannot be recovered. There are no password requirements. The password length is
unlimited and zero length (no password) is also possible.

When restoring data, you must specify the same password that was entered during backup. If the path to a
shared folder changed after backup, check the operation of tasks that use restored data (restore tasks and
remote installation tasks). If necessary, edit the settings of these tasks. While data is being restored from a
backup file, no one must access the shared folder of Administration Server. The account under which the
klbackup utility is started must have full access to the shared folder. We recommend that you run the utility on
a newly installed Administration Server.

-online—Back up Administration Server data by creating a volume snapshot to minimize the offline time of
the Administration Server. When you use the utility to recover data, this option is ignored.
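The key descriptions above are enough to script routine use of klbackup and to keep the archive that -use_ts produces under control. The following is an added example, not part of Kaspersky Security Center or the klbackup utility: it assembles the documented command line and audits the timestamped subfolders (klbackup YYYY-MM-DD # HH-MM-SS) for retention and for a stale newest copy, which is the symptom of a backup task that has stopped running. The folder names are constructed sample data; the retention count, the one-day staleness threshold, and the acceptance of both "-" and "/" as date separators (the text shows both forms) are assumptions.

```python
"""Scripting klbackup and auditing the archive that -use_ts produces.
Added example; not part of Kaspersky Security Center. Folder names below are
constructed sample data; retention and staleness thresholds are assumptions."""
import re
from datetime import datetime, timedelta

# -use_ts subfolder naming from the key description: "klbackup YYYY-MM-DD # HH-MM-SS".
# Both "-" and "/" are accepted as date separators because the text shows both
# forms; unpadded month/day are accepted for the same reason (assumption).
_TS_FOLDER = re.compile(
    r"^klbackup (\d{4})[-/](\d{1,2})[-/](\d{1,2}) # (\d{2})-(\d{2})-(\d{2})$")

# Constructed listing of a BACKUP_PATH folder: nine daily 4:00 AM runs plus
# two entries that are not -use_ts subfolders and must be ignored.
SAMPLE_FOLDERS = [f"klbackup 2022-06-{d:02d} # 04-00-0{d % 10}" for d in range(11, 20)]
SAMPLE_FOLDERS += ["klbackup.log", "Thumbs.db"]


def build_klbackup_command(backup_path, logfile=None, use_ts=True,
                           restore=False, online=False):
    """Assemble the klbackup argument list from the documented keys.

    -password is deliberately never placed on the command line; klbackup then
    prompts for it interactively, keeping it out of process listings and
    shell history. -use_ts and -online apply to backup only (-online is
    ignored on restore, and the syntax shows -use_ts as exclusive with -restore).
    """
    args = ["klbackup", "-path", backup_path]
    if logfile:
        args += ["-logfile", logfile]
    if restore:
        args.append("-restore")
    else:
        if use_ts:
            args.append("-use_ts")
        if online:
            args.append("-online")
    return args


def parse_backup_folder(name):
    """Return the datetime encoded in a -use_ts folder name, or None if the
    entry is not such a folder (or carries an impossible date)."""
    m = _TS_FOLDER.match(name)
    if not m:
        return None
    y, mo, d, h, mi, s = (int(x) for x in m.groups())
    try:
        return datetime(y, mo, d, h, mi, s)
    except ValueError:
        return None


def audit_archive(folder_names, now, keep=7, max_age=timedelta(days=1)):
    """Classify the archive: the `keep` newest copies to retain, older copies
    eligible for pruning, and whether the newest copy is older than `max_age`
    (a stale archive means the daily backup task has not been running)."""
    dated = []
    for name in folder_names:
        ts = parse_backup_folder(name)
        if ts is not None:
            dated.append((ts, name))
    dated.sort(reverse=True)  # newest first
    newest = dated[0][0] if dated else None
    return {
        "keep": [n for _, n in dated[:keep]],
        "prune": [n for _, n in dated[keep:]],
        "newest": newest,
        "stale": newest is None or now - newest > max_age,
    }


def demo_audit(now_iso="2022-06-20T04:05:00"):
    """Run the audit over the constructed listing at a chosen point in time."""
    return audit_archive(SAMPLE_FOLDERS, datetime.fromisoformat(now_iso))


if __name__ == "__main__":
    print(" ".join(build_klbackup_command(r"C:\KLBackups",
                                          logfile=r"C:\KLBackups\klbackup.log",
                                          online=True)))
    result = demo_audit()
    print("newest:", result["newest"], "stale:", result["stale"])
    print("prune:", result["prune"])
```

The audit only classifies folders; deleting the entries it reports under prune is left to the caller, so a mistaken threshold cannot remove the only usable copy. Leaving -password off the assembled command line relies on the behaviour stated above: klbackup prompts for the password when it is not given on the command line.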

Moving Administration Server and a database server to another device


If you need to use Administration Server on a new device, you can move it in one of the following ways:

Move Administration Server and the database server to a new device.

Keep the database server on the previous device and move only Administration Server to a new device.

To move Administration Server and the database server to a new device:

1. On the previous device, create a backup of Administration Server data.


To do this, you can run the data backup task through Administration Console or run the klbackup utility.

If you use SQL Server as a DBMS for Administration Server, you can migrate the data from SQL Server to
MySQL or MariaDB DBMS. To do this, run the klbackup utility in interactive mode to create a data backup.
Enable the Migrate to MySQL/MariaDB format option in the Backup settings window of the Backup and
Restore Wizard. Kaspersky Security Center will create a backup compatible with MySQL and MariaDB.
After that, you can restore the data from the backup into MySQL or MariaDB.

You can also enable the Migrate to Azure format option if you want to migrate the data from SQL
Server to Azure SQL DBMS.

2. Select a new device on which to install the Administration Server. Make sure that the hardware and software on
the selected device meet the requirements for Administration Server, Administration Console, and Network
Agent. Also, check that ports used on Administration Server are available.

3. On the new device, install the database management system (DBMS) that the Administration Server will use.
When you select a DBMS, consider the number of devices covered by the Administration Server.

4. Run the custom installation of the Administration Server on the new device.

5. Install Administration Server components into the same folder where the Administration Server is installed on
the previous device. Click the Browse button to specify the file path.

The Custom installation window

6. Con gure the database server connection settings.

Example of the Connection settings window for Microsoft SQL Server

Depending on where you need to locate the database server, do one of the following:

Move the database server to the new device

1. Click the Browse button next to the SQL Server instance name field, and then select the new
device name in the list that appears.

2. Enter the new database name in the Database name field.


Note that the new database name must match the name of the database on the previous device. The
names of the databases must be identical so that you can use the Administration Server backup. The
default database name is KAV.

Keep the database server on the previous device

1. Click the Browse button next to the SQL Server instance name field, and then select the previous
device name in the list that appears.
Note that the previous device must be available for connection with the new Administration Server.

2. Enter the previous database name in the Database name field.

7. After the installation is complete, recover Administration Server data on the new device by using the klbackup
utility.

If you use SQL Server as a DBMS on the previous and new devices, note that the version of SQL Server
installed on the new device must be the same or later than the version of SQL Server installed on the
previous device. Otherwise, you cannot recover Administration Server data on the new device.

8. Open Administration Console and connect to the Administration Server.

9. Verify that all the client devices are connected to the Administration Server.

10. Uninstall the Administration Server and the database server from the previous device.

You can also use Kaspersky Security Center Web Console to move Administration Server and a database
server to another device.

Avoiding conflicts between multiple Administration Servers


If you have more than one Administration Server on your network, they can see the same client devices. This may
result, for example, in remote installation of the same application to the same device from more than one
Server, and in other conflicts. To avoid such a situation, Kaspersky Security Center 14 allows you to prevent an
application from being installed on a device managed by another Administration Server.

You can also use the Managed by a different Administration Server property as a criterion for the following
purposes:

Searching for devices

Device selections

Device moving rules

Auto-tagging rules

Kaspersky Security Center 14 uses heuristics to determine whether a client device is managed by the
Administration Server you are working with or by a different Administration Server.

Two-step verification


This section describes how you can use two-step verification to reduce the risk of unauthorized access to
Administration Console or Kaspersky Security Center Web Console.
About two-step verification
When two-step verification is enabled for an account, a single-use security code is required, in addition to the user
name and password, to log in to Administration Console or Kaspersky Security Center Web Console. With domain
authentication enabled, the user only needs to enter the single-use security code.

To use two-step veri cation, install an authenticator application that generates single-use security codes on your
mobile device or computer. You can use any application that supports the Time-based One-time Password
algorithm (TOTP), such as:

Google Authenticator

Microsoft Authenticator

Bitrix24 OTP

Yandex Key

We highly recommend that you install an authenticator application on more than one device. Save the secret
key or QR code and keep it in a safe place. This will help you to restore access to Kaspersky Security Center
Web Console in case you lose access to your mobile device.

To secure the usage of Kaspersky Security Center, you can enable two-step verification for your own account and
enable two-step verification for all users.

You can exclude accounts from two-step verification. This can be necessary for service accounts that cannot
receive a security code for authentication.

Rules and Limitations

To be able to activate two-step verification for all users and deactivate two-step verification for particular users:

Ensure your account has the Modify object ACLs right in the General features: User permissions functional
area.

Enable two-step verification for your account.

To be able to deactivate two-step verification for all users:

Ensure your account has the Modify object ACLs right in the General features: User permissions functional
area.

Log in to Kaspersky Security Center Web Console by using two-step verification.

If two-step verification is enabled for a user account on Kaspersky Security Center Administration Server
version 13 or later, the user will not be able to log in to the Kaspersky Security Center Web Console versions
12, 12.1 or 12.2.

Reissuing the secret key

Any user can reissue the secret key used for two-step verification. When a user logs in to the Administration
Server with the reissued secret key, the new secret key is saved for the user account. If the user enters the new
secret key incorrectly, the new secret key is not saved, and the current secret key remains valid.

A security code has an identifier referred to as the issuer name. The security code issuer name is used as an
identifier of the Administration Server in the authenticator application. By default, the security code issuer name
is the same as the name of the Administration Server. You can change the security code issuer name. If you
change it, you must issue a new secret key and pass it to the authenticator application.
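Both passages above, the TOTP-based authenticator applications and the issuer name that identifies the Administration Server inside them, come down to RFC 6238. The following added example (not code from Kaspersky Security Center) implements TOTP generation and verification and builds the otpauth provisioning URI that a QR code encodes, where the issuer field plays the role of the security code issuer name. It assumes the RFC defaults of HMAC-SHA1, 6 digits and a 30-second step (the text does not state the parameters Administration Server uses), and the secret, issuer and account names used in the demo are constructed for illustration. The verifier accepts one step of clock drift on either side, which is why the authenticator's time has to stay synchronized with Administration Server.

```python
"""TOTP (RFC 6238) code generation/verification and the otpauth provisioning
URI that a QR code encodes. Added example; not Kaspersky Security Center code.
Parameters follow the RFC defaults (HMAC-SHA1, 6 digits, 30-second step);
which parameters Administration Server uses is not stated here (assumption)."""
import base64
import hashlib
import hmac
import struct
from urllib.parse import quote

DIGITS = 6   # length of the single-use security code (RFC 6238 default)
STEP = 30    # seconds per time step (RFC 6238 default)


def hotp(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian 8-byte counter, then
    dynamic truncation to a `digits`-long, zero-padded decimal string."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    binary = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % 10 ** digits).zfill(digits)


def totp(secret: bytes, at: int, step: int = STEP, digits: int = DIGITS) -> str:
    """TOTP is HOTP whose counter is the number of `step`-second intervals
    since the Unix epoch, so both sides need agreeing clocks."""
    return hotp(secret, at // step, digits)


def verify_totp(secret: bytes, code: str, at: int, window: int = 1) -> bool:
    """Accept `code` if it matches the current step or one within +/- `window`
    steps. Comparison is constant-time. A client clock off by more than
    window * STEP seconds is rejected: that is the failure the time
    synchronization step guards against."""
    for drift in range(-window, window + 1):
        if hmac.compare_digest(totp(secret, at + drift * STEP), code):
            return True
    return False


def provisioning_uri(secret: bytes, issuer: str, account: str) -> str:
    """Key URI placed in the QR code the authenticator app scans. `issuer`
    is the label the app displays to tell servers apart; changing it means
    the app must be given a new URI (and, as stated above, a new secret key)."""
    b32 = base64.b32encode(secret).decode().rstrip("=")
    label = quote(f"{issuer}:{account}", safe=":@")
    return (f"otpauth://totp/{label}?secret={b32}&issuer={quote(issuer)}"
            f"&algorithm=SHA1&digits={DIGITS}&period={STEP}")


if __name__ == "__main__":
    import time
    # Constructed demo values: secret, issuer and account are illustrative only.
    demo_secret = b"12345678901234567890"
    print(provisioning_uri(demo_secret, "KSC-Server-01", "admin"))
    now = int(time.time())
    code = totp(demo_secret, now)
    print("code now:", code, "valid:", verify_totp(demo_secret, code, now))
```

The drift window is the trade-off to watch: a wider window tolerates poorly synchronized devices but lengthens the time during which an observed code remains valid, so keeping clocks in step and the window small is preferable to widening it.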

Scenario: configuring two-step verification for all users


This scenario describes how to enable two-step verification for all users and how to exclude user accounts from
two-step verification. If you did not enable two-step verification for your account before you enable it for other
users, the application first opens the window for enabling two-step verification for your account. This scenario
also describes how to enable two-step verification for your own account.

If you have already enabled two-step verification for your account, you may proceed to the stage of enabling
two-step verification for all users.

Prerequisites

Before you start:

Make sure that your user account has the Modify object ACLs right of the General features: User permissions
functional area for modifying security settings for other users' accounts.

Make sure that the other users of Administration Server install an authenticator application on their devices.

Stages

Enabling two-step veri cation for all users proceeds in stages:

1 Installing an authenticator application on a device


You can install any application that supports the Time-based One-time Password algorithm (TOTP), such as:

Google Authenticator

Microsoft Authenticator

Bitrix24 OTP

Yandex Key

2 Synchronizing the authenticator application time with the time of the device on which Administration
Server is installed

Ensure that the time set in the authenticator application is synchronized with the time of Administration Server.

3 Enabling two-step verification for your account and receiving the secret key for your account

How-to instructions:

For MMC-based Administration Console: Enabling two-step verification for your own account

For Kaspersky Security Center Web Console: Enabling two-step verification for your own account

After you enable two-step verification for your account, you can enable two-step verification for all users.

4 Enabling two-step verification for all users

Users with two-step verification enabled must use it to log in to Administration Server.

How-to instructions:

For MMC-based Administration Console: Enabling two-step verification for all users

For Kaspersky Security Center Web Console: Enabling two-step verification for all users

5 Editing the name of a security code issuer

If you have several Administration Servers with similar names, you may have to change the security code issuer
names for better recognition of different Administration Servers.

How-to instructions:

For MMC-based Administration Console: Editing the name of a security code issuer

For Kaspersky Security Center Web Console: Editing the name of a security code issuer

6 Excluding user accounts for which you do not need to enable two-step verification

If required, you can exclude users from two-step verification. Users with excluded accounts do not have to use
two-step verification to log in to Administration Server.

How-to instructions:

For MMC-based Administration Console: Excluding accounts from two-step verification

For Kaspersky Security Center Web Console: Excluding accounts from two-step verification

Results

Upon completion of this scenario:

Two-step verification is enabled for your account.

Two-step verification is enabled for all user accounts of the Administration Server, except for user accounts
that were excluded.

Enabling two-step verification for your own account

Before you enable two-step verification for your account, ensure that an authenticator application is installed
on your mobile device. Ensure that the time set in the authenticator application is synchronized with the time
of Administration Server.

To enable two-step verification for your account:

1. In the Kaspersky Security Center console tree, open the context menu of the Administration Server folder,
and then select Properties.

2. In the Administration Server properties window, go to the Sections pane and select Advanced, and then Two-step
verification.

3. In the Two-step verification section, click the Set up button.


In the two-step verification properties window that opens, the secret key is displayed.

4. Enter the secret key in the authenticator application to receive a one-time security code. You can enter the
secret key in the authenticator application manually or scan the QR code with the authenticator application on
your mobile device.

5. Specify the security code generated by the authenticator application, and then click the OK button to exit the
two-step verification properties window.

6. Click the Apply button.

7. Click the OK button.

Two-step verification is enabled for your own account.

Enabling two-step verification for all users

You can enable two-step verification for all users of Administration Server if your account has the Modify
object ACLs right in the General features: User permissions functional area and if you are authenticated by
using two-step verification.

To enable two-step verification for all users:

1. In the Kaspersky Security Center console tree, open the context menu of the Administration Server folder,
and then select Properties.

2. In the Administration Server properties window, in the Sections pane, select Advanced, and then Two-step
verification.

3. Click the Set as required button to enable two-step verification for all users.

4. If you did not enable two-step verification for your account, the application opens the window for enabling
two-step verification for your own account.

a. Enter the secret key in the authenticator application to receive a one-time security code. You can enter the
secret key in the authenticator application manually or scan the QR code with the authenticator application
on your mobile device.

b. Specify the security code generated by the authenticator application, and then click the OK button to exit
the two-step verification properties window.

5. In the Two-step verification section, click the Apply button, and then click the OK button.

Two-step verification is enabled for all users. From now on, all users of Administration Server, including the users
that were added after enabling this option, have to configure two-step verification for their accounts, except for
the users whose accounts are excluded from two-step verification.

Disabling two-step verification for a user account


To disable two-step verification for your own account:

1. In the Kaspersky Security Center console tree, open the context menu of the Administration Server folder,
and then select Properties.

2. In the Administration Server properties window, in the Sections pane, select Advanced, and then Two-step
verification.

3. In the Two-step verification section, click the Disable button.

4. Click the Apply button.

5. Click the OK button.

Two-step verification is disabled for your account.

You can disable two-step verification of other users' accounts. This provides protection in case, for example, a user
loses or breaks a mobile device.

You can disable two-step verification of another user's account only if you have the Modify object ACLs right
in the General features: User permissions functional area. Following the steps below, you can disable two-step
verification for your own account as well.

To disable two-step verification for any user account:

1. In the console tree, open the User accounts folder.


The User accounts folder is a subfolder of the Advanced folder by default.

2. In the workspace, double-click the user account for which you want to disable two-step verification.

3. In the Properties: <user name> window that opens, select the Two-step verification section.

4. In the Two-step verification section, do one of the following:

To disable two-step verification for the user account, click the Disable button.

To exclude the user account from two-step verification, select the User can pass authentication by using user
name and password only option.

5. Click the Apply button.

6. Click the OK button.

Two-step verification for the user account is disabled.

Disabling two-step verification for all users

You can disable two-step verification for all users of the Administration Server if you have the Modify object
ACLs right in the General features: User permissions functional area and if you are authenticated by using
two-step verification.

To disable two-step verification for all users:

1. In the Kaspersky Security Center console tree, open the context menu of the Administration Server folder,
and then select Properties.

2. In the Administration Server properties window, in the Sections pane, select Advanced, and then Two-step
verification.

3. Click the Set as optional button to disable two-step verification for all users.

4. Click the Apply button in the Two-step verification section.

5. Click the OK button in the Two-step verification section.

Two-step verification is disabled for all users.

Excluding accounts from two-step verification


You can exclude an account from two-step verification if your account has the Modify object ACLs right in the
General features: User permissions functional area.

If a user account is excluded from two-step verification, that user can log in to Administration Console or
Kaspersky Security Center Web Console without using two-step verification.

Excluding accounts from two-step verification can be necessary for service accounts that cannot supply a
security code during authentication. Because an excluded account is protected by its password alone, keep the
list of exclusions short and review it regularly.

To exclude a user account from two-step verification:

1. If you want to exclude an Active Directory account, perform Active Directory polling to refresh the list of
Administration Server users.

2. In the console tree, open the User accounts folder.


The User accounts folder is a subfolder of the Advanced folder by default.

3. In the workspace, double-click the user account that you want to exclude from two-step verification.

4. In the Properties: <user name> window that opens, select the Two-step verification section.

5. In the opened section, select the User can pass authentication by using user name and password only
option.

6. In the Two-step verification section, click the Apply button, and then click the OK button.
This user account is excluded from two-step verification. You can check the excluded accounts in the list of user
accounts.

Editing the name of a security code issuer


You can have several identifiers (called issuers) for different Administration Servers. You can change the name
of a security code issuer if, for example, another Administration Server already uses a similar security code
issuer name. By default, the security code issuer name is the same as the name of the Administration Server.

After you change the security code issuer name you have to reissue a new secret key and pass it to the
authenticator application.

To specify a new name of a security code issuer:

1. In the Kaspersky Security Center console tree, open the context menu of the Administration Server folder,
and then select Properties.

2. In the Administration Server properties window, in the Sections pane, select Advanced, and then Two-step
verification.

3. Specify a new security code issuer name in the Security code issuer field.

4. Click the Apply button in the Two-step verification section.

5. Click the OK button in the Two-step verification section.

A new security code issuer name is specified for the Administration Server.
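The following Python script is an added example; it is not code from Kaspersky Security Center or from this Help. It shows what the authenticator application does with the secret key and the issuer name from the sections above: the QR code encodes an otpauth:// URI in which the issuer is only a display label, while the secret key alone determines the one-time security codes. The script assumes (the Help does not state it) that the codes are standard time-based one-time passwords (RFC 6238, HMAC-SHA1, six digits, 30-second step); the secret key, issuer and account name are constructed placeholders.

```python
"""Added example (not Kaspersky code): how an authenticator app turns the
secret key and issuer name from the Two-step verification section into
one-time security codes.

Assumptions (not stated in the Help): the codes are standard TOTP
(RFC 6238, HMAC-SHA1, 6 digits, 30-second step), and the QR code carries an
otpauth:// URI in which the issuer name appears as the 'issuer' parameter
and as the label prefix. All sample values below are constructed."""
import base64
import hashlib
import hmac
import struct
import time
from urllib.parse import quote, urlencode

# Constructed sample values: not real Kaspersky Security Center data.
SECRET_B32 = "JBSWY3DPEHPK3PXP"      # base32 secret key shown to the user
ISSUER = "KSC-Admin-Server-01"       # value of the Security code issuer field
ACCOUNT = "admin@example.local"      # user account label


def otpauth_uri(secret_b32: str, issuer: str, account: str) -> str:
    """Build the otpauth:// URI that the QR code for an authenticator app encodes.
    The issuer is a display label only; it has no influence on the codes."""
    label = quote(f"{issuer}:{account}", safe="")
    query = urlencode({"secret": secret_b32, "issuer": issuer,
                       "algorithm": "SHA1", "digits": 6, "period": 30})
    return f"otpauth://totp/{label}?{query}"


def totp(secret_b32: str, timestamp: int, period: int = 30, digits: int = 6) -> str:
    """RFC 6238 code for a Unix timestamp: HMAC-SHA1 over the time-step counter,
    dynamic truncation, then the low 'digits' decimal digits."""
    key = base64.b32decode(secret_b32.upper() + "=" * (-len(secret_b32) % 8))
    counter = struct.pack(">Q", timestamp // period)
    mac = hmac.new(key, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = (struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF) % 10 ** digits
    return str(code).zfill(digits)


def verify_code(secret_b32: str, candidate: str, timestamp: int, skew_steps: int = 1) -> bool:
    """Accept the code of the current step and of skew_steps neighbouring steps
    (clock drift between phone and server); compare in constant time."""
    for step in range(-skew_steps, skew_steps + 1):
        expected = totp(secret_b32, timestamp + step * 30)
        if hmac.compare_digest(expected, candidate):
            return True
    return False


if __name__ == "__main__":
    print(otpauth_uri(SECRET_B32, ISSUER, ACCOUNT))
    now = int(time.time())
    code = totp(SECRET_B32, now)
    print("current code:", code, "accepted:", verify_code(SECRET_B32, code, now))
```

Changing only the issuer string in the URI changes what the authenticator app displays, not the codes it produces; the Help's requirement to reissue the secret key after renaming the issuer is therefore a server-side rule, which this example does not model. The skew window in verify_code is the usual server-side tolerance, not a documented Kaspersky Security Center setting.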

Changing the Administration Server shared folder


The Administration Server shared folder is specified during installation of the Administration Server. You can
change the location of the shared folder in the Administration Server properties.

To change the shared folder:

1. Temporarily assign Full Control rights to the Everyone group for the folder that you want to use as shared (you
reduce these rights to Read in step 7).

2. In the Kaspersky Security Center console tree, open the context menu of the Administration Server folder
and select Properties.

3. In the Administration Server properties window, in the Sections pane, select Advanced, and then select
Administration Server shared folder.

4. In the Administration Server shared folder section, click the Change button.

5. Select the folder that you want to use as shared.

6. Click the OK button to close the Administration Server properties window.

7. Replace the Full Control rights granted in step 1 with Read rights for the Everyone group on the folder that you
selected as shared.

Managing administration groups


This section provides information about how to manage administration groups.

You can perform the following actions on administration groups:

Add any number of nested groups at any level of hierarchy to administration groups.

Add devices to administration groups.

Change the hierarchy of administration groups by moving individual devices and entire groups to other groups.

Remove nested groups and devices from administration groups.

Add secondary and virtual Administration Servers to administration groups.

Move devices from the administration groups of an Administration Server to those of another Server.

Define which Kaspersky applications will be automatically installed on devices included in a group.

You can perform these actions only if you have the Modify permission in the Management of administration
groups area for the administration groups you want to manage (or for the Administration Server to which these
groups belong).

Creating administration groups


The hierarchy of administration groups is created in the main application window of Kaspersky Security Center in
the Managed devices folder. Administration groups are displayed as folders in the console tree (see the figure
below).

Immediately after Kaspersky Security Center installation, the Managed devices folder contains only an empty
Administration Servers folder.

The user interface settings determine whether the Administration Servers folder appears in the console
tree. To display this folder, on the menu bar select View → Configure interface and in the Configure
interface window that opens select the Display secondary Administration Servers check box.

When creating a hierarchy of administration groups, you can add devices and virtual machines to the Managed
devices folder, and add nested groups. You can add secondary and virtual Administration Servers to the
Administration Servers folder.

Just like the Managed devices folder, each created group initially only contains an empty Administration Servers
folder intended to work with secondary and virtual Administration Servers of this group. Information about policies
and tasks for this group, and information about devices included into this group, is displayed on the tabs with
corresponding names in the workspace of this group.

Figure: Viewing administration groups hierarchy

To create an administration group:

1. In the console tree, expand the Managed devices folder.

2. If you want to create a subgroup in an existing administration group, in the Managed devices folder select a
subfolder corresponding to the group that is to include the new administration group.
If you create a new top-level administration group, you can skip this step.

3. Start the administration group creation in one of the following ways:

By using the New → Group command in the context menu.

By clicking the New group button located in the workspace of the main application window, on the Devices
tab.

4. In the Group name window that opens, enter a name for the group and click OK.

A new administration group folder with the specified name appears in the console tree.

The application can also create a hierarchy of administration groups based on the structure of Active Directory or
of the Windows domain network. You can also create a structure of groups from a text file.

To create a structure of administration groups:

1. In the console tree, select the Managed devices folder.

2. In the context menu of the Managed devices folder, select All Tasks → New group structure.

The New Administration Group Structure Wizard starts. Follow the instructions of the Wizard.

Moving administration groups


You can move nested administration groups within the groups hierarchy.

An administration group is moved together with all nested groups, secondary Administration Servers, devices,
group policies, and tasks. The system will apply to the group all the settings that correspond to its new position in
the hierarchy of administration groups.

The name of the group must be unique within one level of the hierarchy. If a group with the same name already
exists in the folder into which you move the administration group, you should change the name of the latter. If you
have not changed the name of the moved group, an index in (<next sequence number>) format is automatically
added to its name when it is moved, for example: (1), (2).
You cannot rename the Managed devices group because it is a built-in element of Administration Console.

To move a group to another folder in the console tree:

1. Select a group to move in the console tree.

2. Do one of the following:

Move the group by using the context menu:

1. Select Cut from the context menu of the group.

2. Select Paste from the context menu of the administration group to which you want to move the
selected group.

Move the group using the main application menu:

a. In the main menu, select Action → Cut.

b. Select the administration group to which you have to move the selected group in the console tree.

c. In the main menu, select Action → Paste.

Move the group to another in the console tree using the mouse.

Deleting administration groups


You can delete an administration group if it contains no secondary Administration Servers, nested groups, or client
devices, and if no group tasks or policies have been created for it.

Before deleting an administration group, you must delete all secondary Administration Servers, nested groups, and
client devices from that group.

To delete a group:

1. Select an administration group in the console tree.

2. Do one of the following:

Select Delete from the context menu of the group.

In the main application menu, select Action → Delete.

Press the DELETE key.

Automatic creation of a structure of administration groups


Kaspersky Security Center allows you to create a structure of administration groups using the Groups Hierarchy
Creation Wizard.

The Wizard creates a structure of administration groups based on the following data:

Structures of Windows domains and workgroups

Structures of Active Directory groups

Contents of a text file created by the administrator manually

When you prepare the text file, the following requirements must be met:

Each group name must begin on a new line; the line break is the delimiter. Blank lines are ignored.
Example:
Office 1
Office 2
Office 3
Three groups of the first hierarchy level will be created in the target group.

The name of a nested group must be separated from its parent group with a slash (/).
Example:
Office 1/Division 1/Department 1/Group 1
Four subgroups nested inside each other will be created in the target group.

To create several nested groups of the same hierarchy level, you must specify the full path to each group.
Example:
Office 1/Division 1/Department 1
Office 1/Division 2/Department 1
Office 1/Division 3/Department 1
Office 1/Division 4/Department 1
One group of the first hierarchy level, Office 1, will be created in the destination group; this group will include
four nested groups of the same hierarchy level: "Division 1", "Division 2", "Division 3", and "Division 4". Each of
these groups will include the "Department 1" group.
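As an added example (not part of this Help or of the Wizard), the Python script below parses a group-structure text file according to the rules just listed and prints the hierarchy it would produce, so that the file can be reviewed before it is imported. The sample file content is constructed from the three examples above; rejecting a path with an empty component is this script's own sanity check, not a documented Wizard rule.

```python
"""Added example (not Kaspersky code): parser for the text file accepted by
the New Administration Group Structure Wizard, applying the rules from the
Help: one group per line, blank lines ignored, '/' separates nesting levels,
and a full path names each nested group. Sample input is constructed."""
from __future__ import annotations

# Constructed sample file: the three examples from the Help, plus blank lines.
SAMPLE = """
Office 1
Office 2
Office 3

Office 1/Division 1/Department 1/Group 1
Office 1/Division 2/Department 1
Office 1/Division 3/Department 1
Office 1/Division 4/Department 1
"""


def parse_group_structure(text: str) -> dict:
    """Return a nested dict {group name: {subgroup name: {...}}} for the file.
    Repeated paths merge into the same node, mirroring the Wizard's behaviour
    of adding groups rather than replacing existing ones."""
    root: dict = {}
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip()
        if not line:
            continue                                # blank lines are ignored
        parts = [part.strip() for part in line.split("/")]
        if any(not part for part in parts):
            # Script's own check: '//' or a trailing '/' would name an empty group.
            raise ValueError(f"line {lineno}: empty group name in {raw!r}")
        node = root
        for name in parts:
            node = node.setdefault(name, {})        # create or reuse the group
    return root


def depth(tree: dict) -> int:
    """Length of the longest nesting chain (0 for an empty tree)."""
    return 0 if not tree else 1 + max(depth(child) for child in tree.values())


def render(tree: dict, indent: int = 0) -> list[str]:
    """Console-tree style listing: one group per line, indented by level."""
    lines: list[str] = []
    for name, children in tree.items():
        lines.append("  " * indent + name)
        lines.extend(render(children, indent + 1))
    return lines


if __name__ == "__main__":
    tree = parse_group_structure(SAMPLE)
    print("\n".join(render(tree)))
    print("deepest nesting:", depth(tree))
```

Running the script on the sample prints Office 1 with its four Divisions, each containing Department 1 (and Division 1 additionally containing Group 1), followed by Office 2 and Office 3, which is the structure the Help describes for these lines.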

Creating the hierarchy of administration groups through the Wizard does not affect the existing structure: instead
of existing groups being replaced, new groups are added. A client device cannot be included in an administration
group a second time, because the device is removed from the Unassigned devices group when it is moved to an
administration group.

If, during creation of the administration group structure, a device was not included in the Unassigned devices
group for some reason (it was shut down or disconnected from the network), the device will not be
automatically moved to the administration group. You can add devices to administration groups manually after
the Wizard completes.

To launch the automatic creation of a structure of administration groups:

1. Select the Managed devices folder in the console tree.

2. In the context menu of the Managed devices folder, select All Tasks → New group structure.

The New Administration Group Structure Wizard starts. Follow the instructions of the Wizard.

Automatic installation of applications on devices in an administration group


You can specify which installation packages must be used for automatic remote installation of Kaspersky
applications to client devices that have recently been added to a group.

To configure automatic installation of applications on new devices in an administration group:

1. In the console tree, select the required administration group.

2. Open the properties window of this administration group.

3. In the Sections pane, select Automatic installation, and in the workspace select the installation packages of
the applications to be installed on new devices.

4. Click OK.

Group tasks are created. These tasks are run on the client devices immediately after they are added to the
administration group.

If several installation packages of the same application are selected for automatic installation, the installation
task is created for the most recent application version only.

Managing client devices


This section contains information about working with client devices.

Connecting client devices to the Administration Server


The connection of the client device to Administration Server is established by the Network Agent installed on the
client device.

When a client device connects to Administration Server, the following operations are performed:

Automatic data synchronization:

Synchronization of the list of applications installed on the client device.

Synchronization of policies, application settings, tasks, and task settings.

Retrieval of up-to-date information about the condition of applications, execution of tasks, and applications'
operation statistics by Administration Server.

Delivery of the event information to Administration Server that is for processing.

Automatic data synchronization is performed regularly in accordance with the Network Agent settings (for
example, every 15 minutes). You can specify the connection interval manually.

Information about an event is delivered to Administration Server as soon as it occurs.

If an Administration Server is remotely located outside a corporate network, client devices can connect to it
over the internet.

For devices to connect to an Administration Server over the internet, the following conditions must be met:

The remote Administration Server must have an external IP address, and incoming TCP port 13000 must remain
open (for connection of Network Agents). We recommend that you also open UDP port 13000 (for receiving
notifications of device shutdown).

Network Agents must be installed on the devices.

When installing Network Agent on devices, you must specify the external IP address of the remote
Administration Server. If an installation package is used for installation, specify the external IP address manually
in the properties of the installation package, in the Settings section.

To use the remote Administration Server to manage applications and tasks for a device, in the properties
window of the device, in the General section select the Do not disconnect from the Administration Server
check box. After the check box is selected, wait until the Administration Server is synchronized with the remote
device. The number of client devices maintaining a continuous connection with an Administration Server cannot
exceed 300.

To speed up the performance of tasks initiated by a remote Administration Server, you can open port 15000 on a
device. In this case, to run a task, the Administration Server sends a special packet to Network Agent over port
15000 without waiting until completion of synchronization with the device.
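The following Python script is an added example, not part of Kaspersky Security Center, for checking from a client that the TCP ports named in this section are reachable before Network Agent is installed or pointed at a remote Administration Server. The port roles are taken from the Help (13000 for the encrypted Network Agent connection, 15000 for the task start signal, and 14000 for the non-encrypted connection described under the klmover utility); the server name is a placeholder, and UDP 13000 is deliberately not probed because an unanswered UDP packet proves nothing.

```python
"""Added example (not Kaspersky code): pre-flight reachability check for the
TCP ports Network Agent uses to reach an Administration Server. Port roles
are as described in the Help; the host name is a constructed placeholder."""
import socket
from typing import Dict, Iterable

# Port roles from the Help. The host is a placeholder, not a real server.
KSC_TCP_PORTS: Dict[int, str] = {
    13000: "Network Agent connection (encrypted)",
    14000: "non-encrypted connection (klmover -nossl)",
    15000: "task start signal from Administration Server",
}
ADMIN_SERVER = "kscserver.mycompany.com"


def tcp_reachable(host: str, port: int, timeout: float = 3.0) -> bool:
    """True if a TCP handshake to host:port completes within the timeout.
    Refused, filtered (timeout) and unresolvable hosts all report False."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def check_ports(host: str, ports: Iterable[int], timeout: float = 3.0) -> Dict[int, bool]:
    """Probe every port once and return {port: reachable}."""
    return {port: tcp_reachable(host, port, timeout) for port in ports}


def report(results: Dict[int, bool], roles: Dict[int, str]) -> str:
    """Human-readable summary; 13000 is the one port Network Agent cannot do without."""
    lines = [f"{port:>5}  {'open   ' if ok else 'BLOCKED'}  {roles.get(port, '')}"
             for port, ok in sorted(results.items())]
    if results.get(13000):
        lines.append("Port 13000 reachable: Network Agent can connect.")
    else:
        lines.append("Port 13000 blocked: Network Agent cannot connect to this Administration Server.")
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(check_ports(ADMIN_SERVER, KSC_TCP_PORTS), KSC_TCP_PORTS))
```

A closed port and a filtered port look the same to this check (both report BLOCKED); distinguishing them needs a packet capture or a look at the firewall on the path, which is also where a blocked 15000 is usually found when tasks start only after the next synchronization interval.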

Kaspersky Security Center allows you to con gure connection between a client device and Administration Server
so that the connection remains active after all operations are completed. Uninterrupted connection is necessary in
cases when real-time monitoring of application status is required and Administration Server is unable to establish a
connection to the client for some reason (for example, connection is protected by a firewall, opening of ports on
the client device is not allowed, or the client device IP address is unknown). You can establish an uninterrupted
connection between a client device and Administration Server in the device properties window in the General
section.

We recommend that you establish an uninterrupted connection with the most important devices. The total
number of connections simultaneously maintained by the Administration Server is limited to 300.

When synchronized manually, the system uses an auxiliary connection method that allows connection initiated by
Administration Server. Before establishing the connection on a client device, you must open the UDP port.
Administration Server sends a connection request to the UDP port of the client device. In response, the
Administration Server's certi cate is veri ed. If the Administration Server certi cate matches the certi cate copy
stored on the client device, the connection is established.

The manual launch of synchronization is also used for obtaining up-to-date information about the condition of
applications, execution of tasks, and operation statistics of applications.

Manually connecting a client device to the Administration Server. Klmover utility

If you have to manually connect a client device to the Administration Server, you can use the klmover utility on the
client device.

When Network Agent is installed on a client device, the utility is automatically copied to the Network Agent
installation folder.

To manually connect a client device to the Administration Server by using the klmover utility:

On the device, start the klmover utility from the command line.

When started from the command line, the klmover utility can perform the following actions (depending on which
keys are in use):

Connects Network Agent to Administration Server with the specified settings;

Records the operation results in the event log le or displays them on the screen.

Utility command line syntax:

klmover [-logfile <file name>] [-address <server address>] [-pn <port number>] [-ps <SSL port number>] [-nossl] [-cert <path to certificate file>] [-silent] [-dupfix] [-virtserv] [-cloningmode]

The administrator rights are required to run the utility.

Descriptions of the keys:

-logfile <file name>—Record the utility run results in a log file.


By default, information is saved in the standard output stream (stdout). If the key is not in use, results and error
messages are displayed on the screen.

-address <server address>—Address of the Administration Server for connection.


You can specify an IP address, the NetBIOS name, or the DNS name of a device as its address.

-pn <port number>—Number of the port through which non-encrypted connection to the Administration
Server is established.
The default port number is 14000.

-ps <SSL port number>—Number of the SSL port through which encrypted connection to the
Administration Server is established using SSL.
The default port number is 13000.

-nossl—Use non-encrypted connection to the Administration Server.


If the key is not in use, Network Agent is connected to Administration Server by using encrypted SSL protocol.

-cert <path to certificate file>—Use the specified certificate file for authentication of access to
Administration Server.
If the key is not in use, Network Agent receives a certificate at the first connection to Administration Server.

-silent—Run the utility in silent mode.


Using the key may be useful if, for example, the utility is started from the logon script at the user's registration.

-dupfix—The key is used if Network Agent has been installed using a method that differs from the usual one
(with the distribution package)—for example, by recovering it from an ISO disk image.

-virtserv—Name of the virtual Administration Server.

-cloningmode—Network Agent disk cloning mode.


Use one of the following parameters to configure the disk cloning mode:

-cloningmode—Request the status of the disk cloning mode.

-cloningmode 1—Enable the disk cloning mode.

-cloningmode 0—Disable the disk cloning mode.

For example, to connect Network Agent to Administration Server, run the following command:

klmover -address kscserver.mycompany.com -logfile klmover.log

Tunneling the connection between a client device and the Administration Server

Kaspersky Security Center allows tunneling TCP connections from Administration Console via the Administration
Server and then via Network Agent to a specified port on a managed device. Tunneling is designed for connecting
a client application on a device with Administration Console installed to a TCP port on a managed device—if no
direct connection is possible between Administration Console and the target device.

For example, tunneling is used for connections to a remote desktop, both for connecting to an existing session,
and for creating a new remote session.

Tunneling can also be enabled by using external tools. For example, the administrator can run the putty utility, the
VNC client, and other tools in this way.

Connection tunneling between a remote client device and Administration Server is required if the port used for
connection to Administration Server is not available on the device. The port on the device may be unavailable in
the following cases:

The remote device is connected to a local network that uses the NAT mechanism.

The remote device is part of the local network of Administration Server, but its port is closed by a firewall.

To tunnel the connection between a client device and Administration Server:

1. In the console tree, select the folder of the group that contains the client device.

2. On the Devices tab, select the device.

3. In the context menu of the device, select All tasks → Connection Tunneling.

4. In the Connection Tunneling window that opens, create a tunnel.

Remotely connecting to the desktop of a client device


The administrator can obtain remote access to the desktop of a client device through a Network Agent installed
on the device.

Remote connection to a device through the Network Agent is possible even if the TCP and UDP ports of the client
device are closed. Upon establishing the connection with the device, the administrator gains full access to
information stored on this device and can manage applications installed on it.

This section describes how to establish a connection to a Windows client device and a macOS client device
through the Network Agent.

Connecting to Windows client devices


Remote connection with a Windows client device can be established in one of the following ways:

By using a standard Microsoft Windows component named Remote Desktop Connection.


Connection to a remote desktop is established through the standard Windows utility mstsc.exe in accordance
with the utility's settings.

By using the Windows Desktop Sharing technology.

Connecting to the Windows client device using Remote Desktop Connection

Connection to the current remote desktop session of the user is established without the user's knowledge. Once
the administrator connects to the session, the device user is disconnected from the session without advance
notification.

To connect to the desktop of a client device through the Remote Desktop Connection component:

1. In the Administration Console tree, select the device to which you need to obtain access.

2. In the context menu of the device, select All tasks → Connect to device → New RDP session.
The standard Windows utility mstsc.exe starts, which helps to connect to the remote desktop.

3. Follow the instructions shown in the utility's dialog boxes.

When connection to the device is established, the desktop is available in the Remote Desktop Connection
window of Microsoft Windows.

Connecting to the Windows client device using Windows Desktop Sharing

When connecting to an existing session of the remote desktop, the session user on the device receives a
connection request from the administrator. No information about remote activity on the device and its results will
be saved in reports created by Kaspersky Security Center.

The administrator can connect to an existing session on a client device without disconnecting the user in this
session. In this case, the administrator and the session user on the device share access to the desktop.

The administrator can con gure an audit of user activity on a remote client device. During the audit, the application
saves information about les on the client device that have been opened and/or modi ed by the administrator.

To connect to the desktop of a client device through Windows Desktop Sharing, the following conditions must be
met:
Microsoft Windows Vista or later is installed on the administrator's workstation. The type of operating system
of the device hosting Administration Server imposes no restrictions on connection through Windows Desktop
Sharing.
To check whether the Windows Desktop Sharing feature is included in your Windows edition, make sure that
the CLSID\{32BE5ED2-5C86-480F-A914-0FF8885A1B3F} key exists in the Windows Registry (CLSID keys are
located under HKEY_CLASSES_ROOT).

Microsoft Windows Vista or later is installed on the client device.

Kaspersky Security Center uses a license for Vulnerability and patch management.

To connect to the desktop of a client device through Windows Desktop Sharing:

1. In the Administration Console tree, select the device to which you need to obtain access.

2. In the context menu of the device, select All tasks → Connect to device → Windows Desktop Sharing.

3. In the Select remote desktop session window that opens, select the session on the device to which you need
to connect.
If connection to the device is established successfully, the desktop of the device will be available in the
Kaspersky Remote Desktop Session Viewer window.

4. To start interacting with the device, in the main menu of the Kaspersky Remote Desktop Session Viewer
window, select Actions → Interactive mode.

Connecting to macOS client devices


The administrator can use the Virtual Network Computing (VNC) system to connect to macOS devices.

Connection to a remote desktop is established through a VNC client installed on the Administration Server device.
The VNC client switches the keyboard and mouse control from the client device to the administrator.

When the administrator connects to the remote desktop, the user does not receive noti cations or connection
requests from the administrator. The administrator connects to an existing session on the client device, without
disconnecting the user from this session.

To connect to the desktop of a client macOS device through the VNC client, the following conditions must be met:

VNC client is installed on the Administration Server device.

Remote login and remote management are allowed on the client device.

User has allowed the administrator access to the client device in the Sharing settings of the macOS operating
system.

To connect to the desktop of a client device through the Virtual Network Computing system:

1. In the Administration Console tree, select the device to which you need to obtain access.

2. In the context menu of the device, select All tasks → Connection Tunneling.

3. In the Connection Tunneling window that opens, do the following:

a. In the 1. Network port section, specify the network port number of the device to which you need to
connect.
By default, port 5900 is used.

b. In the 2. Tunneling section, click the Create tunnel button.

c. In the 3. Network settings section, click the Copy button.

4. Open the VNC client and paste the copied network attributes into the text eld. Press Enter.

5. In the window that opens, view the certi cate details. If you agree to use the certi cate, click the Yes button.

6. In the Authentication window, specify the credentials of the client device, and then click OK.

Connecting to devices through Windows Desktop Sharing


To connect to a device through Windows Desktop Sharing:

1. In the console tree, on the Devices tab, select the Managed devices folder.
The workspace of this folder displays a list of devices.

2. In the context menu of the device to which you want to connect, select Connect to device → Windows
Desktop Sharing.
The Select remote desktop session window opens.

3. In the Select remote desktop session window, select a desktop session for connection to the device.

4. Click OK.

The device is connected.

Configuring the restart of a client device


When using, installing, or removing Kaspersky Security Center, you may have to restart the device. You can specify
the restart settings only for devices running Windows.

To configure the restart of a client device:

1. In the console tree, select the administration group for which you have to configure the restart.

2. In the workspace of the group, select the Policies tab.

3. In the workspace, select a policy of Kaspersky Security Center Network Agent in the list of policies, and then
select Properties in the context menu of the policy.

4. In the policy properties window, select the Restart management section.

5. Select the action that must be performed if a restart of the device is required:

Select Do not restart the operating system to block automatic restart.

Select Restart the operating system automatically if necessary to allow automatic restart.

Select Prompt user for action to enable prompting the user to allow the restart.

You can specify the frequency of restart requests, and enable forced restart and forced closure of applications
in blocked sessions on the device by selecting the corresponding check boxes and time settings in spin boxes.

6. Click OK to save changes and close the policy properties window.

Restart of the device will now be con gured.

Auditing actions on a remote client device


The application enables auditing of the administrator's actions on a remote client device running Windows. During
the audit, the application saves, on the device, information about files that have been opened and/or modified by
the administrator. Audit of the administrator's actions is available when the following conditions are met:

The Vulnerability and Patch Management license is in use.

The administrator has the right to start shared access to the desktop of the remote device.

To enable auditing of actions on a remote client device:

1. In the console tree, select the administration group for which the audit of the administrator's actions should be
configured.

2. In the workspace of the group, select the Policies tab.

3. Select a policy of Kaspersky Security Center Network Agent, then select Properties in the context menu of
the policy.

4. In the policy properties window, select the Windows Desktop Sharing section.

5. Select the Enable audit check box.

6. In the Masks of files to monitor when read and Masks of files to monitor when modified lists, add file masks
on which the application must monitor actions during the audit.
By default, the application monitors actions on files with .txt, .rtf, .doc, .xls, .docx, .xlsx, .odt, and .pdf extensions.

7. Click OK to save changes and close the policy properties window.

This results in configuration of the audit of the administrator's actions on the user's remote device with shared
desktop access.

Records of the administrator's actions on the remote device are logged:

In the event log on the remote device.

In a file with the syslog extension located in the Network Agent folder on a remote device (for example,
C:\ProgramData\KasperskyLab\adminkit\1103\logs).

In the events database of Kaspersky Security Center.

Checking the connection between a client device and the Administration
Server
Kaspersky Security Center allows you to check connections between a client device and the Administration
Server, automatically or manually.

Automatic check of connection is performed on Administration Server. Manual check of the connection is
performed on the device.

Automatically checking the connection between a client device and the Administration
Server
To start an automatic check of the connection between a client device and Administration Server:

1. In the console tree, select the administration group that includes the device.

2. In the workspace of the administration group, on the Devices tab, select the device.

3. In the context menu of the device, select Check device accessibility.

A window opens that contains information about the accessibility of the device.

Manually checking the connection between a client device and the Administration Server.
Klnagchk utility
You can check the connection and obtain detailed information about the settings of the connection between a
client device and Administration Server by using the klnagchk utility.

When Network Agent is installed on a device, the klnagchk utility is automatically copied to the Network Agent
installation folder.

When started from the command line, the klnagchk utility can perform the following actions (depending on the
keys in use):

Displays on the screen or logs the values of the settings used for connecting the Network Agent installed on
the device to Administration Server.

Records Network Agent statistics (since its last startup) and the utility operation results into an event log
file, or displays the information on the screen.

Makes an attempt to establish connection between Network Agent and Administration Server.
If the connection attempt fails, the utility sends an ICMP packet to check the status of the device on which
Administration Server is installed.

To check the connection between a client device and Administration Server using the klnagchk utility:

On the device, start the klnagchk utility from the command line.

Utility command line syntax:

klnagchk [-logfile <file name>] [-sp] [-savecert <path to certificate file>] [-restart]

Descriptions of the keys:

-logfile <file name>: Record in a log file the values of the settings of the connection between Network
Agent and Administration Server and the utility operation results.
By default, information is saved in the standard output stream (stdout). If the key is not in use, settings, results,
and error messages are displayed on the screen.

-sp: Show the password for the user's authentication on the proxy server.
The setting is in use if connection to the Administration Server is established through a proxy server.

-savecert <file name>: Save the certificate used to access the Administration Server in the specified
file.

-restart: Restart Network Agent after the utility has completed.

About checking the time of connection between a device and the Administration Server
Upon shutting down a device, Network Agent notifies the Administration Server of this event. In Administration
Console that device is displayed as shut down. However, Network Agent cannot notify Administration Server of all
such events. The Administration Server, therefore, periodically analyzes the Connected to Administration Server
attribute (the value of this attribute is displayed in Administration Console, in the device properties, in the General
section) for each device and compares it against the synchronization interval from the current settings of Network
Agent. If a device has not responded over more than three successive synchronization intervals, that device is
marked as shut down.

Identifying client devices on the Administration Server


Client devices are identified based on their names. A device name is unique among all the names of devices
connected to Administration Server.

The name of a device is relayed to Administration Server either when the Windows network is polled and a new
device is discovered in it, or at the first connection of Network Agent installed on a device to Administration
Server. By default, the name matches the device name in the Windows network (NetBIOS name). If a device with
this name is already registered on the Administration Server, an index with the next sequence number will be added
to the new device name, for example: <Name>-1, <Name>-2. Under this name, the device is added to the
administration group.

Moving devices to an administration group


You can move devices from one administration group to another only if you have the Modify permission in the
Management of administration groups area for both source and target administration groups (or for the
Administration Server to which these groups belong).

To include one or several devices in a selected administration group:

1. In the console tree, expand the Managed devices folder.

2. In the Managed devices folder, select the subfolder that corresponds to the group in which the client devices
will be included.
If you want to include the devices in the Managed devices group, you can skip this step.

3. In the workspace of the selected administration group, on the Devices tab, start the process of including the
devices in the group in one of the following ways:

By adding the devices to the group by clicking the Move devices to group button in the information box for
the list of devices

By selecting Create → Device in the context menu of the list of devices

The Move Devices Wizard starts. Following its instructions, select a method for moving the devices to the group
and create a list of devices to include in the group.

If you create the list of devices manually, you can use an IP address (or an IP range), a NetBIOS name, or a DNS
name as the address of a device. You can manually move to the list only devices for which information has
already been added to the Administration Server database upon connection of the device, or after device
discovery.

To import a list of devices from a file, specify a TXT file with a list of addresses of the devices to be added. Each
address must be specified in a separate line.

After the Wizard completes, the selected devices are included in the administration group and are displayed in the
list of devices under names generated by Administration Server.

You can move a device to the selected administration group by dragging it from the Unassigned devices
folder to the folder of that administration group.

Changing the Administration Server for client devices


You can change the Administration Server that manages client devices to a different Server using the Change
Administration Server task.

To change the Administration Server that manages client devices to a different Server:

1. Connect to the Administration Server that manages the devices.

2. Create the Administration Server change task in one of the following ways:

If you need to change the Administration Server for devices included in the selected administration group,
create a task for the selected group.

If you need to change the Administration Server for devices included in different administration groups or in
none of the existing administration groups, create a task for specific devices.

The Add Task Wizard starts. Follow the instructions of the Wizard. In the Select the task type window of the
Add Task Wizard, select the Kaspersky Security Center node, open the Advanced folder, and select the
Change Administration Server task.

3. Run the created task.

After the task is complete, the client devices for which it was created are put under the management of the
Administration Server specified in the task settings.

If the Administration Server supports encryption and data protection and you are creating a Change
Administration Server task, a warning is displayed. The warning states that if any encrypted data is stored on
devices, after the new Server begins managing the devices, users will be able to access only the encrypted
data with which they previously worked. In other cases, no access to encrypted data is provided. For detailed
descriptions of scenarios in which access to encrypted data is not provided, refer to the Kaspersky Endpoint
Security for Windows Online Help.

Clusters and server arrays


Kaspersky Security Center supports the cluster technology. If Network Agent sends information to Administration
Server confirming that an application installed on a client device is part of a server array, this client device
becomes a cluster node. The cluster will be added as an individual object in the Managed devices folder of the
console tree with the servers icon.

A few typical features of a cluster can be distinguished:

A cluster and any of its nodes are always in the same administration group.

If the administrator attempts to move a cluster node, the node moves back to its original location.

If the administrator attempts to move a cluster to a different group, all of its nodes move with it.

Turning on, turning off, and restarting client devices remotely


Kaspersky Security Center allows you to manage client devices remotely by turning on, shutting down, or
restarting them.

To remotely manage client devices:

1. Connect to the Administration Server that manages the devices.

2. Create a device management task in one of the following ways:

If you need to turn on, turn off or restart devices that are included in the selected administration group,
create a task for the selected group.

If you have to turn on, turn off or restart devices that are included in various administration groups or belong
to none of them, create a task for specific devices.

The Add Task Wizard starts. Follow the instructions of the Wizard. In the Select the task type window of the
Add Task Wizard, select the Kaspersky Security Center node, open the Advanced folder, and select the
Manage devices task.

3. Run the created task.

After the task is complete, the command (turn on, turn off, or restart) will be executed on the selected devices.

About the usage of the continuous connection between a managed device
and the Administration Server
By default, Kaspersky Security Center does not feature continuous connectivity between managed devices and
the Administration Server. Network Agents on managed devices periodically establish connections and
synchronize with the Administration Server. The interval between those synchronization sessions is defined in a
policy of Network Agent and is 15 minutes by default. If an early synchronization is required (for example, to force
the application of a policy), the Administration Server sends a signed network packet to Network Agent on port
UDP 15000. (The Administration Server can send this packet over an IPv4 or IPv6 network.) If no connection
through UDP is possible between the Administration Server and a managed device for any reason, synchronization
runs at the next routine connection between Network Agent and the Administration Server within the
synchronization interval.

However, some operations cannot be performed without an early connection between Network Agent and the
Administration Server. These operations include running and stopping local tasks, receiving statistics for a managed
application, and creating a tunnel. To make these operations possible, you must enable the Do not disconnect
from the Administration Server option on the managed device.

About forced synchronization


Although Kaspersky Security Center automatically synchronizes the status, settings, tasks, and policies for
managed devices, in some cases the administrator needs to know exactly whether synchronization has already
been performed for a specified device at the present moment.

In the context menu of managed devices in Administration Console, the All tasks menu item contains the Force
synchronization command. When Kaspersky Security Center 14 executes this command, the Administration
Server attempts to connect to the device. If this attempt is successful, forced synchronization will be performed.
Otherwise, synchronization will be forced only after the next scheduled connection between Network Agent and
the Administration Server.

About connection schedule


In the Network Agent properties window, in the Connectivity section, in the Connection schedule subsection,
you can specify time intervals during which Network Agent will transmit data to the Administration Server.

Connect when necessary. If this option is selected, the connection is established when Network Agent has to
send data to the Administration Server.

Connect at specified time intervals. If this option is selected, Network Agent connects to the Administration
Server at a specified time. You can add several connection time periods.

Sending messages to device users


To send a message to users of devices:

1. In the console tree, select the node with the name of the required Administration Server.

2. Create a message sending task for device users in one of the following ways:

If you want to send a message to the users of devices that belong to the selected administration group,
create a task for the selected group.

If you want to send a message to the users of devices that belong to different administration groups or that
do not belong to any administration groups, create a task for specific devices.

The Add Task Wizard starts. Follow the instructions of the Wizard.

3. In the task type window of the Add Task Wizard, select the Kaspersky Security Center 14 Administration
Server node, open the Advanced folder, and select the Send message to user task. The send messages to
user task is available only for devices running Windows. You can also send messages in the user's context menu
in the User accounts folder.

4. Run the created task.

After the task is complete, the created message will be sent to the users of the selected devices.

Managing Kaspersky Security for Virtualization


Kaspersky Security Center supports the option of connection of virtual machines to the Administration Server.
Virtual machines are protected by Kaspersky Security for Virtualization. For more details, please refer to the
documentation for this application.

Configuring the switching of device statuses


You can change conditions to assign the Critical or Warning status to a device.

To enable changing the device status to Critical:

1. Open the properties window in one of the following ways:

In the Policies folder, in the context menu of an Administration Server policy, select Properties.

Select Properties in the context menu of an administration group.

2. In the Properties window that opens, in the Sections pane, select Device status.

3. In the right pane, in the Set to Critical if these are specified section, select the check box next to a condition
in the list.

You can change only settings that are not locked in the parent policy.

4. Set the required value for the selected condition.


You can set values for some, but not all, conditions.

5. Click OK.

When specified conditions are met, the managed device is assigned the Critical status.

To enable changing the device status to Warning:

1. Open the properties window in one of the following ways:

In the Policies folder, in the context menu of the Administration Server policy, select Properties.

Select Properties in the context menu of the administration group.

2. In the Properties window that opens, in the Sections pane select Device status.

3. In the right pane, in the Set to Warning if these are specified section, select the check box next to a condition
in the list.

You can change only settings that are not locked in the parent policy.

4. Set the required value for the selected condition.


You can set values for some, but not all, conditions.

5. Click OK.

When specified conditions are met, the managed device is assigned the Warning status.

Tagging devices and viewing assigned tags


Kaspersky Security Center allows you to tag devices. A tag is the ID of a device that can be used for grouping,
describing, or finding devices. Tags assigned to devices can be used for creating selections, for finding devices,
and for distributing devices among administration groups.

You can tag devices manually or automatically. Tag a device manually in the device properties; you may use manual
tagging when you have to tag an individual device. Auto-tagging is performed by Administration Server in
accordance with the specified tagging rules.

In the properties of an Administration Server, you can set up auto-tagging for devices managed by this
Administration Server. Devices are tagged automatically when specified rules are met. An individual rule
corresponds to each tag. Rules are applied to the network properties of the device, operating system, applications
installed on the device, and other device properties. For example, you can set up a rule that will assign the Win tag
to all devices running Windows. Then, you can use this tag when creating a device selection; this will help you sort
out all devices running Windows, and assign them a task.

You can also use tags as conditions of policy profile activation on a managed device in order to apply specific
policy profiles only on devices with specific tags. For example, if a device tagged as Courier appears in the Users
administration group and if activation of the corresponding policy profile by the Courier tag has been enabled,
then the policy created for the Users group will not be applied to this device, but the profile of that policy will be
applied. The policy profile can allow this device to start some applications that have been blocked from running
by the policy.

You can create multiple tagging rules. A single device can be assigned multiple tags if you have created multiple
tagging rules and if the respective conditions of these rules are met simultaneously. You can view the list of all
assigned tags in the device properties. Each tagging rule can be enabled or disabled. If a rule is enabled, it is applied
to devices managed by Administration Server. If you are not using a rule currently but may need it in the future, you
do not have to remove it; you can simply clear the Enable rule check box instead. In this case, the rule is disabled; it
will not be executed until the Enable rule check box is selected again. You may need to disable a rule without
removing it if you have to exclude the rule from the list of tagging rules temporarily and then include it again.

Automatic device tagging


You can create and edit automatic tagging rules in the Administration Server properties window.

To tag devices automatically:

1. In the console tree, select the node with the name of the Administration Server for which you have to specify
tagging rules.

2. In the context menu of the Administration Server, select Properties.

3. In the Administration Server properties window, select the Tagging rules section.

4. In the Tagging rules section, click the Add button.


The New rule window opens.

5. In the New rule window, con gure the general properties of the rule:

Specify the rule name.


The rule name cannot be more than 255 characters long and cannot include any special characters (such as
"*<>?\:|).

Enable or disable the rule using the Enable rule check box.
By default, the Enable rule check box is selected.

In the Tag field, enter the tag name.


The tag name cannot be more than 255 characters long and cannot include any special characters (such as
"*<>?\:|).

6. In the Conditions section, click the Add button to add a new condition, or click the Properties button to edit
an existing condition.
The New Auto-Tagging Rule Condition Wizard window opens.

7. In the Tag assignment condition window, select the check boxes for the conditions that must affect tagging.
You can select multiple conditions.

8. Depending on which tagging conditions you selected, the Wizard displays the windows for setup of the
corresponding conditions. Set up the triggering of the rule by the following conditions:

Device's use or association with a specific network: Network properties of the device, such as device
name in the Windows network, and device inclusion in a domain or an IP subnet.

If case sensitive collation is set for the database that you use for Kaspersky Security Center, keep case
when you specify a device DNS name. Otherwise, the auto-tagging rule will not work.

Use of Active Directory: Presence of the device in an Active Directory organizational unit and membership
of the device in an Active Directory group.

Specific applications: Presence of Network Agent on the device, operating system type, version, and
architecture.

Virtual machines: Inclusion of the device in a specific type of virtual machines.

Application from the applications registry installed: Presence of applications of different vendors on the
device.

9. After the condition is set up, enter a name for it, and then close the Wizard.
If necessary, you can set multiple conditions for a single rule. In this case, the tag will be assigned to a device if it
meets at least one condition. The conditions that you added will be displayed in the rule properties window.

10. Click OK in the New rule window, then click OK in the Administration Server properties window.

The newly created rules are enforced on devices managed by the selected Administration Server. If the settings of
a device meet the rule conditions, the device is assigned the tag.
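As an added example, not Kaspersky's own code, the following Python model captures the auto-tagging semantics described above: one tag per rule, a device is tagged when at least one of the rule's conditions holds, disabled rules are skipped, rule and tag names are checked against the 255-character and special-character limits, and a DNS-name condition only matches exactly when the database collation is case-sensitive. The device records, rules and condition helpers are constructed for illustration.

```python
# Added example (not Kaspersky code): a small model of the auto-tagging rule
# semantics from the help text, so the rule logic can be reasoned about offline.
from dataclasses import dataclass
from typing import Callable, Dict, List, Tuple

# Characters the help text says rule and tag names must not contain, and the length cap.
FORBIDDEN_CHARS = set('"*<>?\\:|')
MAX_NAME_LEN = 255


def valid_name(name: str) -> bool:
    """True if a rule or tag name satisfies the documented constraints."""
    return 0 < len(name) <= MAX_NAME_LEN and not (FORBIDDEN_CHARS & set(name))


@dataclass(frozen=True)
class Device:
    """Constructed device record with the properties tagging conditions look at."""
    name: str                  # name in the Windows network (NetBIOS)
    dns_name: str
    os_name: str
    has_network_agent: bool
    installed_apps: Tuple[str, ...]


Condition = Callable[[Device], bool]


@dataclass
class TaggingRule:
    """One rule assigns one tag; a device gets the tag if ANY condition holds."""
    name: str
    tag: str
    conditions: List[Condition]
    enabled: bool = True

    def __post_init__(self) -> None:
        if not valid_name(self.name) or not valid_name(self.tag):
            raise ValueError("rule or tag name violates the 255-char / special-character limits")

    def matches(self, device: Device) -> bool:
        return any(cond(device) for cond in self.conditions)


def dns_name_is(expected: str, case_sensitive_collation: bool) -> Condition:
    """Network-property condition. With a case-sensitive database collation the
    DNS name in the rule must match the device's name exactly, as the help warns."""
    def cond(device: Device) -> bool:
        if case_sensitive_collation:
            return device.dns_name == expected
        return device.dns_name.casefold() == expected.casefold()
    return cond


def os_starts_with(prefix: str) -> Condition:
    return lambda device: device.os_name.startswith(prefix)


def app_installed(app: str) -> Condition:
    return lambda device: app in device.installed_apps


def apply_tagging_rules(devices: List[Device], rules: List[TaggingRule]) -> Dict[str, List[str]]:
    """Return {device name: [tags]} the way Administration Server would auto-tag.
    Disabled rules are skipped; several enabled rules may tag the same device."""
    result: Dict[str, List[str]] = {}
    for device in devices:
        tags: List[str] = []
        for rule in rules:
            if rule.enabled and rule.matches(device) and rule.tag not in tags:
                tags.append(rule.tag)
        result[device.name] = tags
    return result


def demo(case_sensitive_collation: bool) -> Dict[str, List[str]]:
    """Constructed inventory and rules; the collation flag changes the Courier result."""
    devices = [
        Device("WS-01", "ws-01.corp.example", "Windows 10", True, ("Office",)),
        Device("SRV-DB", "srv-db.corp.example", "Windows Server 2019", True, ("PostgreSQL",)),
        Device("LAP-02", "lap-02.corp.example", "macOS 13", True, ()),
    ]
    rules = [
        TaggingRule("Windows devices", "Win", [os_starts_with("Windows")]),
        # Rule written with an upper-case DNS name: matches only under case-insensitive collation.
        TaggingRule("Courier laptops", "Courier",
                    [dns_name_is("WS-01.corp.example", case_sensitive_collation)]),
        # Kept but disabled, as the help suggests instead of removing the rule.
        TaggingRule("Database hosts", "DB", [app_installed("PostgreSQL")], enabled=False),
    ]
    return apply_tagging_rules(devices, rules)


if __name__ == "__main__":
    print(demo(case_sensitive_collation=True))   # WS-01 gets only 'Win'
    print(demo(case_sensitive_collation=False))  # WS-01 gets 'Win' and 'Courier'
```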

Viewing and configuring tags assigned to a device


You can view the list of all tags that have been assigned to a device, as well as proceed to set up automatic tagging
rules in the device properties window.

To view and set up the tags that have been assigned to a device:

1. In the console tree, open the Managed devices folder.

2. In the workspace of the Managed devices folder, select the device for which you want to view the assigned
tags.

3. In the context menu of the mobile device, select Properties.

4. In the device properties window, select the Tags section.


A list of tags assigned to the selected device is displayed, as well as the way in which each of the tags were
assigned: manually or by a rule.

5. If necessary, perform one of the following actions:

To proceed to setup of tagging rules, click the Set up auto-tagging rules link (only for Windows).

To rename a tag, select one and click the Rename button.

To remove a tag, select one and click the Remove button.

To add a tag manually, enter one in the field in the lower part of the Tags section and click the Add button.

6. Click the Apply button, if you have made changes to the Tags section, for your changes to take effect.

7. Click OK.

If you removed or renamed a tag in the device properties, this change will not affect the tagging rules that have
been set up in the Administration Server properties. The change will only apply to the device whose properties it
has been made.
Remote diagnostics of client devices. Kaspersky Security Center remote
diagnostics utility
The utility for remote diagnostics of Kaspersky Security Center (hereinafter referred to as the remote diagnostics
utility) is designed for remote execution of the following operations on client devices:

Enabling and disabling tracing, changing the tracing level, downloading the trace file.

Downloading system information and application settings.

Downloading event logs.

Generating a dump file for an application.

Starting diagnostics and downloading diagnostics reports.

Starting and stopping applications.

You can use event logs and diagnostics reports downloaded from a client device to troubleshoot problems on your
own. Also, a Kaspersky Technical Support specialist might ask you to download trace files, dump files, event logs,
and diagnostics reports from a client device for further analysis at Kaspersky.

The remote diagnostics utility is automatically installed on the device together with Administration Console.

Connecting the remote diagnostics utility to a client device


To connect the remote diagnostics utility to a client device:

1. Select any administration group in the console tree.

2. In the workspace, on the Devices tab, in the context menu of any device, select Custom tools → Remote
diagnostics.
The main window of the remote diagnostics utility opens.

3. In the first field of the main window of the remote diagnostics utility, specify which tools you intend to use to
connect to the device:

Access using Microsoft Windows network.

Access using Administration Server.

4. If you have selected Access using Microsoft Windows network in the first field of the main utility window,
perform the following actions:

In the Device field, specify the address of the device to which you need to connect.
You can use an IP address, NetBIOS name, or DNS name as the device address.
The default value is the address of the device from whose context menu the utility was started.

Specify an account for connecting to the device:

Connect as current user (selected by default). Connect by using the current user account.

Use provided user name and password to connect. Connect by using a provided user account. Specify
the User name and the Password of the required account.

Connection to a device is possible only under the account of the local administrator of the device.

5. If you have selected Access using Administration Server in the first field of the main utility window, perform
the following actions:

In the Administration Server field, specify the address of the Administration Server from which you intend
to connect to the device.
You can use an IP address, NetBIOS name, or DNS name as the server address.
The default value is the address of the Administration Server from which the utility has been run.

If required, select the Use SSL, Compress traffic, and Device belongs to secondary Administration
Server check boxes.
If the Device belongs to secondary Administration Server check box is selected, you can fill in the Device
belongs to secondary Administration Server field with the name of the secondary Administration Server
that manages the device by clicking the Browse button.

6. To connect to the device, click the Sign in button.

You have to authorize by using two-step verification if two-step verification is enabled for your account.

This opens the window intended for remote diagnostics of the device (see the figure below). The left part of the
window contains links to operations of device diagnostics. The right part of the window contains the object tree
of the device with which the utility can operate. The lower part of the window displays the progress of the utility
operations.

Remote diagnostics utility. Remote device diagnostics window

The remote diagnostics utility saves files downloaded from devices on the desktop of the device from which it
was started.

Enabling and disabling tracing, downloading the trace file


To enable tracing on a remote device:

1. Run the remote diagnostics utility and connect to the necessary device.

2. In the objects tree of the device, select the application for which you want to enable tracing.

Tracing can be enabled and disabled for applications with self-defense only if the device is connected
using Administration Server tools.

If you want to enable tracing for Network Agent, you can also do it while creating the Install required updates
and fix vulnerabilities task. In this case, Network Agent will write the tracing information even if tracing is
disabled for Network Agent in the remote diagnostics utility.

3. To enable tracing:

a. In the left part of the remote diagnostics utility window, click Enable tracing.

b. In the Select tracing level window that opens, we recommend that you keep the default values of the
settings. When required, a Technical Support specialist will guide you through the configuration process. The
following settings are available:

Tracing level

The tracing level defines the amount of detail that the trace file contains.

Rotation-based tracing (available for Kaspersky Endpoint Security only)

The application overwrites the tracing information to prevent excessive increase in the size of the
trace file. Specify the maximum number of files to be used to store the tracing information, and the
maximum size of each file. If the maximum number of trace files of the maximum size are written, the
oldest trace file is deleted so that a new trace file can be written.

c. Click OK.

4. For Kaspersky Endpoint Security, a Technical Support specialist may ask you to enable Xperf tracing for
information about the system performance.
To enable Xperf tracing:

a. In the left part of the remote diagnostics utility window, click Enable Xperf tracing.

b. In the Select tracing level window that opens, depending on the request from the Technical Support
specialist, select one of the following tracing levels:

Light level

A trace file of this type contains the minimum amount of information about the system.
By default, this option is selected.

Deep level

A trace file of this type contains more detailed information than trace files of the Light type and
may be requested by Technical Support specialists when a trace file of the Light type is not enough
for the performance evaluation. A Deep trace file contains technical information about the system
including information about hardware, operating system, list of started and nished processes and
applications, events used for performance evaluation, and events from Windows System
Assessment Tool.

c. Select one of the following tracing types:

Basic type

The tracing information is received during operation of the Kaspersky Endpoint Security application.
By default, this option is selected.

On-restart type

The tracing information is received when the operating system starts on the managed device. This
tracing type is effective when the issue that affects the system performance occurs after the
device is turned on and before Kaspersky Endpoint Security starts.

d. You may also be asked to enable the Rotation-based tracing option to prevent excessive increase in the
size of the trace file. Then specify the maximum size of the trace file. When the file reaches the maximum
size, the oldest tracing information is overwritten with new information.

e. Click OK.

In some cases, the security application and its task must be restarted in order to enable tracing.

The remote diagnostics utility enables tracing for the selected application.

To download a trace le of an application:

1. Run the remote diagnostics utility and connect to the necessary device, as described in "Connecting the
remote diagnostics utility to a client device".

2. In the node of the application, in the Trace files folder, select the required file.

3. In the left part of the remote diagnostics utility window, click Download entire le.
For large les the most recent trace parts can be downloaded.
You can delete the highlighted trace le. The le can be deleted after tracing is disabled.

The selected le is downloaded to the location speci ed in the lower part of the window.

To disable tracing on a remote device:

1. Run the remote diagnostics utility and connect to the necessary device, as described in "Connecting the
remote diagnostics utility to a client device".

2. In the device object tree, select the application for which you want to disable tracing.

Tracing can be enabled and disabled for applications with self-defense only if the device is connected
using Administration Server tools.

3. In the left part of the remote diagnostics utility window, click Disable tracing.

The remote diagnostics utility disables tracing for the selected application.

Downloading application settings


To download application settings from a remote device:

1. Run the remote diagnostics utility and connect to the necessary device, as described in "Connecting the
remote diagnostics utility to a client device".

2. In the objects tree of the remote diagnostics utility window, select the top node with the name of the device.

3. In the left part of the remote diagnostics utility window, select the action you need from the following options:

Download System Info

Download application settings

Generate process dump file

In the window that opens after you click this link, specify the executable file of the application for which you
want to generate a dump file.

Start utility
In the window that opens after you click this link, specify the executable file of the utility that you want to
start, and its run settings.

The selected utility is downloaded and launched on the device.

Downloading event logs


To download an event log from a remote device:

1. Run the remote diagnostics utility and connect to the necessary device, as described in "Connecting the
remote diagnostics utility to a client device".

2. In the Event log folder of the device object tree, select the relevant log.

3. Download the selected log by clicking the Download event log <Event log name> link in the left part of the
remote diagnostics utility window.

The selected event log is downloaded to the location specified in the lower pane.

Downloading multiple diagnostic information items
Kaspersky Security Center remote diagnostics utility allows you to download multiple items of diagnostic
information including event logs, system information, trace files, and dump files.

To download diagnostic information from a remote device:

1. Run the remote diagnostics utility and connect to the necessary device, as described in "Connecting the
remote diagnostics utility to a client device".

2. In the left part of the remote diagnostics utility window, click Download.

3. Select the check boxes next to the items that you want to download.

4. Click Start.

Every selected item is downloaded to the location specified in the lower pane.

Starting diagnostics and downloading the results


To start diagnostics for an application on a remote device and download the results:

1. Run the remote diagnostics utility and connect to the necessary device, as described in "Connecting the
remote diagnostics utility to a client device".

2. In the object tree of the device, select the necessary application.

3. Start diagnostics by clicking the Run diagnostics link in the left part of the remote diagnostics utility window.
A diagnostics report appears in the node of the selected application in the object tree.

4. Select the newly generated diagnostics report in the objects tree and download it by clicking the Download
folder link.

The selected report is downloaded to the location specified in the lower pane.

Starting, stopping, and restarting applications

You can start, stop, and restart applications only if you have connected the device using Administration
Server tools.

To start, stop, or restart an application:

1. Run the remote diagnostics utility and connect to the necessary device, as described in "Connecting the
remote diagnostics utility to a client device".

2. In the object tree of the device, select the necessary application.

3. Select an action in the left part of the remote diagnostics utility window:

Stop application

Restart application

Start application

Depending on the action that you have selected, the application is started, stopped, or restarted.

UEFI protection devices


A UEFI protection device is a device with Kaspersky Anti-Virus for UEFI integrated at the BIOS level. Integrated
protection ensures device security from the moment the system starts, while protection on devices without
integrated software begins functioning only after the security application starts. Kaspersky Security Center
supports management of these devices.

To modify the connection settings of UEFI protection devices:

1. In the console tree, select the node with the name of the required Administration Server.

2. In the context menu of the Administration Server, select Properties.

3. In the Administration Server properties window, select Server connection settings → Additional ports.

4. In the Additional ports section, modify the relevant settings:

Open port for UEFI protection devices and KasperskyOS devices

UEFI protection devices can connect to the Administration Server.

Port for UEFI protection devices and KasperskyOS devices

You can change the port number if the Open port for UEFI protection devices and KasperskyOS
devices option is enabled. The default port number is 13294.

5. Click OK.
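The check a practitioner would run after changing this setting, as an added example (PowerShell written for this page, not Kaspersky's own tooling): confirm the Administration Server is listening on the port, see which firewall rules admit it, and probe it from the network segment where the UEFI protection devices live. It assumes the default port 13294, an elevated session on the Administration Server host for the first two checks, and a hypothetical server name ksc-server.example.local for the client-side probe.

```powershell
# Added example, not part of Kaspersky Security Center. Assumptions: default port
# 13294; the listener and firewall checks run elevated on the Administration Server
# host; the host name used for the remote probe is hypothetical.
param(
    [int]$Port = 13294,
    [string]$ServerName = 'ksc-server.example.local'
)

# 1. Is the Administration Server actually listening on the port?
$listener = Get-NetTCPConnection -LocalPort $Port -State Listen -ErrorAction SilentlyContinue
if ($listener) {
    $owner = Get-Process -Id $listener[0].OwningProcess -ErrorAction SilentlyContinue
    "TCP $Port is listening (process: $($owner.ProcessName), PID $($listener[0].OwningProcess))"
} else {
    "TCP $Port is NOT listening; enable 'Open port for UEFI protection devices and KasperskyOS devices'"
}

# 2. Which enabled inbound firewall rules admit the port? Rules scoped to 'Any' port
#    count too. Tighten RemoteAddress so the port is reachable only from the address
#    ranges where UEFI protection devices and KasperskyOS devices are deployed.
Get-NetFirewallPortFilter -Protocol TCP -ErrorAction SilentlyContinue |
    Where-Object { $_.LocalPort -contains "$Port" -or $_.LocalPort -contains 'Any' } |
    Get-NetFirewallRule |
    Where-Object { $_.Direction -eq 'Inbound' -and $_.Enabled -eq 'True' } |
    ForEach-Object {
        $addr = ($_ | Get-NetFirewallAddressFilter).RemoteAddress -join ','
        [pscustomobject]@{
            Rule          = $_.DisplayName
            Action        = $_.Action
            Profile       = $_.Profile
            RemoteAddress = $addr
        }
    } | Format-Table -AutoSize

# 3. From a device on the UEFI devices' segment: is the port reachable end to end?
#    TcpTestSucceeded = False while step 1 shows a listener points at a firewall in the path.
Test-NetConnection -ComputerName $ServerName -Port $Port |
    Select-Object ComputerName, RemoteAddress, RemotePort, TcpTestSucceeded
```

Run steps 1 and 2 on the Administration Server and step 3 from a machine on the same network as the UEFI protection devices; a rule that admits the port from any remote address is the usual finding worth fixing.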

Settings of a managed device


To view the settings of a managed device:

1. In the console tree, select the Managed devices folder.

2. In the workspace of the folder, select a device.

3. In the context menu of the device, select Properties.

The properties window of the selected device opens, with the General section selected.

General

The General section displays general information about the client device. Information is provided on the basis of
data received during the last synchronization of the client device with the Administration Server:

Name

In this field, you can view and modify the client device name in the administration group.

Description

In this field, you can enter an additional description for the client device.

Windows domain

Windows domain or workgroup, which contains the device.

NetBIOS name

Windows network name of the client device.

DNS name

Name of the DNS domain of the client device.

IP address

Device IP address.

Group

Administration group, which includes the client device.

Last updated

Date the anti-virus databases or applications were last updated on the device.

Last visible

Date and time the device was last visible on the network.

Connected to Administration Server

Date and time Network Agent installed on the client device last connected to the Administration Server.

Do not disconnect from the Administration Server

If this option is enabled, continuous connectivity between the managed device and the Administration
Server is maintained. You may want to use this option if you are not using push servers, which provide such
connectivity.
If this option is disabled and push servers are not in use, the managed device only connects to the
Administration Server to synchronize data or to transmit information.
The maximum total number of devices with the Do not disconnect from the Administration Server option
selected is 300.
This option is disabled by default on managed devices. This option is enabled by default on the device
where the Administration Server is installed and stays enabled even if you try to disable it.

Protection

The Protection section provides information about the current status of anti-virus protection on the client device:

Device status

Status of the client device assigned on the basis of the criteria defined by the administrator for the status
of anti-virus protection on the device and the activity of the device on the network.

All problems

This table contains a complete list of problems detected by the managed applications installed on the
client device. Each problem is accompanied by a status, which the application suggests you assign to the
device for this problem.

Real-time protection

This field shows the current status of real-time protection on the client device.
When the status changes on the device, the new status is displayed in the device properties window only
after the client device is synchronized with the Administration Server.

Last on-demand scan

Date and time the last virus scan was performed on the client device.

Total number of threats detected

Total number of threats detected on the client device since installation of the anti-virus application (first
scan), or since the last reset of the threat counter.

Active threats

Number of unprocessed files on the client device.

This field ignores the number of unprocessed files on mobile devices.

Disk encryption status

The current status of file encryption on the local drives of the device.

Applications

The Applications section lists all Kaspersky applications installed on the client device:

Events

Click the button to view a list of events that have occurred on the client device when the application has
been running, and to view the task results for this application.

Statistics

Click this button to view current statistical information about the application.

Properties

Click the button to receive information about the application and to configure the application.

Tasks

In the Tasks tab, you can manage client device tasks: view the list of existing tasks, create new ones, remove, start,
and stop tasks, modify their settings, and view execution results. The list of tasks is provided based on data
received during the last session of client synchronization with the Administration Server. The Administration Server
requests the task status details from the client device. If connection is not established, the status is not displayed.

Events

The Events tab displays events logged on the Administration Server for the selected client device.

Tags

In the Tags tab, you can manage the list of keywords that are used for finding client devices: view the list of existing
tags, assign tags from the list, configure auto-tagging rules, add new tags and rename old tags, and remove tags.

System Info

The General system info section provides information about the application installed on the client device.

Applications registry

In the Applications registry section, you can view the registry of applications installed on the client device and
their updates; you can also set up the display of the applications registry.

Information about installed applications is provided if Network Agent installed on the client device sends required
information to the Administration Server. You can configure sending of information to the Administration Server in
the properties window of Network Agent or its policy, in the Repositories section. Information about installed
applications is provided only for devices running Windows.

Network Agent provides information about the applications based on data received from the system registry.
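To cross-check what Network Agent reports, here is an added example (PowerShell written for this page, not Kaspersky code) that enumerates the same Uninstall registry keys an inventory agent reads, for both 64-bit and 32-bit products and for the current user's hive, and exports the result to CSV much like the Export to file button does. The output path is hypothetical, and the IsUpdate column is a heuristic of this example (entries that declare a parent product are treated as patches), not how Network Agent classifies updates.

```powershell
# Added example, not Kaspersky code. Run locally on the managed device.
# The export path is hypothetical; the IsUpdate heuristic is this script's own.
function Get-InstalledApplication {
    $paths = @(
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',             # 64-bit products
        'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*', # 32-bit products on 64-bit Windows
        'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*'              # per-user installs
    )
    Get-ItemProperty -Path $paths -ErrorAction SilentlyContinue |
        # Entries without a DisplayName, or flagged SystemComponent=1, are hidden from
        # Programs and Features and are normally not inventoried either.
        Where-Object { $_.DisplayName -and -not $_.SystemComponent } |
        ForEach-Object {
            [pscustomobject]@{
                Name        = $_.DisplayName
                Version     = $_.DisplayVersion
                Vendor      = $_.Publisher
                InstallDate = $_.InstallDate                # yyyyMMdd string when present
                Hive        = $_.PSPath -replace '^.*::(HK\w+)\\.*$', '$1'
                IsUpdate    = [bool]$_.ParentKeyName        # heuristic: patches reference a parent product
            }
        } | Sort-Object Name, Version -Unique
}

$apps = Get-InstalledApplication
$apps | Export-Csv -Path 'C:\Temp\installed-apps.csv' -NoTypeInformation -Encoding UTF8
'{0} applications exported ({1} classified as updates)' -f $apps.Count, @($apps | Where-Object IsUpdate).Count
```

Compare the CSV against the Applications registry section for the same device: a product present here but missing from the console usually means the Details of installed applications option in the Network Agent policy is disabled or the device has not synchronized since the installation.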

Display incompatible security applications only

If this option is enabled, the applications list contains only those security applications that are
incompatible with Kaspersky applications.
By default, this option is disabled.

Show updates

If this option is enabled, the applications list contains not only applications, but also the update packages
installed for them.
To show the list of updates, 100 KB of traffic are needed. If you close the list and reopen it, you will have to
spend 100 KB of traffic again.
By default, this option is disabled.

Export to file

Click this button to export the list of applications installed on the device to a CSV file or TXT file.

History

Click this button to view events concerning installation of applications on the device. The following
information is displayed:

Date and time when the application was installed on the device

Application name

Application version

Properties

Click this button to view the properties of the application selected in the list of applications installed on
the device. The following information is displayed:

Application name

Application version

Application vendor

Executable files

The Executable files section displays executable files found on the client device.

Hardware registry

In the Hardware registry section, you can view information about hardware installed on the client device. You can
view this information for Windows devices and Linux devices.

Ensure that the lshw utility is installed on Linux devices from which you want to fetch hardware details. Hardware
details fetched from virtual machines may be incomplete depending on the hypervisor used.

Sessions

The Sessions section displays information about the client device owner, as well as accounts of users who have
worked on the selected client device.

Information about domain users is generated based on Active Directory data. The details of local users are
provided by Windows Security Account Manager installed on the client device.

Device owner

The Device owner field displays the name of the user whom the administrator can contact when the need
arises to perform certain operations on the client device.

Use the Assign and Properties buttons to select the device owner and view information about the user
who has been appointed the device owner.

Use the button with the red cross to delete the current device owner.

The list displays accounts of users that work on the client device.

Name

Name of the device in the Windows network.

Participant's name

Name (domain or local) of the user who logged on to the system on that device.

Account

Account of the user who has logged on to that device.

Email

User email address.

Phone

User telephone number.

Incidents

In the Incidents tab, you can view, edit, and create incidents for the client device. Incidents can be created either
automatically, through managed Kaspersky applications installed on the client device, or manually by the
administrator. For example, if some users regularly move malware from their removable drives to devices, the
administrator can create an incident. The administrator can provide a brief description of the case and
recommended actions (such as disciplinary actions to be taken against a user) in the text of the incident, and can
add a link to the user or users.
An incident for which all of the required actions have been taken is called processed. The presence of unprocessed
incidents can be chosen as the condition for a change of the device status to Critical or Warning.
This section contains a list of incidents that have been created for the device. Incidents are classified by severity
level and type. The type of an incident is defined by the Kaspersky application, which creates the incident. You can
highlight processed incidents in the list by selecting the check box in the Processed column.

Software vulnerabilities

The Software vulnerabilities section provides information about vulnerabilities in third-party applications installed
on client devices. You can use the search field above the list to look for vulnerabilities by name.

Export to file

Click the Export to file button to save the list of vulnerabilities to file. By default, the application exports
the list of vulnerabilities to a CSV file.

Show only vulnerabilities that can be fixed

If this option is enabled, the section displays vulnerabilities that can be fixed by using a patch.
If this option is disabled, the section displays both vulnerabilities that can be fixed by using a patch, and
vulnerabilities for which no patch has been released.
By default, this option is enabled.

Properties

Select a software vulnerability in the list and click the Properties button to view the properties of the
selected software vulnerability in a separate window. In the window, you can do the following:
Ignore software vulnerability on this managed device (in Administration Console or in Kaspersky
Security Center Web Console).

View the list of recommended fixes for the vulnerability.

Manually specify the software updates to fix the vulnerability (in Administration Console or in
Kaspersky Security Center Web Console).

View vulnerability instances.

View the list of existing tasks to fix the vulnerability and create new tasks to fix the vulnerability.

Available updates

This section displays a list of software updates found on this device but not installed yet.

Show installed updates

If this option is enabled, the list displays both updates that have not been installed and those already
installed on the client device.
By default, this option is disabled.

Active policies

This section displays a list of Kaspersky application policies currently active on this device.

Export to file

You can click the Export to file button to save the list of active policies to a file. By default, the application
exports the list of policies to a CSV file.

Active policy profiles

Active policy profiles

The list allows you to view information about the existing policy profiles, which are active on client devices.
You can use the search bar above the list to find active policy profiles on the list by entering a policy name
or a policy profile name.

Export to file

You can click the Export to file button to save the list of active policy profiles to a file. By default, the
application exports the list of policy profiles to a CSV file.

Distribution points

This section provides a list of distribution points with which the device interacts.

Export to file

Click the Export to file button to save to a file a list of distribution points with which the device interacts.
By default, the application exports the list of devices to a CSV file.

Properties

Click the Properties button to view and configure the distribution point with which the device interacts.

General policy settings

General

In the General section, you can modify the policy status and specify the inheritance of policy settings:

In the Policy status block, you can select one of the policy modes:

Active policy

If this option is selected, the policy becomes active.


By default, this option is selected.

Out-of-office policy

If this option is selected, the policy becomes active when the device leaves the corporate network.

Inactive policy

If this option is selected, the policy becomes inactive, but it is still stored in the Policies folder. If
required, the policy can be activated.

In the Settings inheritance settings group, you can configure the policy inheritance:

Inherit settings from parent policy

If this option is enabled, the policy setting values are inherited from the upper-level group policy and,
therefore, are locked.
By default, this option is enabled.

Force inheritance of settings in child policies

If this option is enabled, after policy changes are applied, the following actions will be performed:
The values of the policy settings will be propagated to the policies of administration
subgroups, that is, to the child policies.

In the Settings inheritance block of the General section in the properties window of each child
policy, the Inherit settings from parent policy option will be automatically enabled.
If this option is enabled, the child policies settings are locked.
By default, this option is disabled.

Event configuration

The Event configuration section allows you to configure event logging and event notification. Events are
distributed by importance level on the following tabs:

Critical
The Critical tab is not displayed in the Network Agent policy properties.

Functional failure

Warning

Info

On each tab, the list shows the types of events and the default event storage term on the Administration Server
(in days). Clicking the Properties button lets you specify the settings of event logging and notifications about
events selected in the list. By default, common notification settings specified for the entire Administration Server
are used for all event types. However, you can change specific settings for the required event types.

For example, on the Warning tab, you can configure the Incident has occurred event type. Such events may
happen, for instance, when the free disk space of a distribution point is less than 2 GB (at least 4 GB are required
to install applications and download updates remotely). To configure the Incident has occurred event, select it and
click the Properties button. After that, you can specify where to store the occurred events and how to notify
about them.

If Network Agent detected an incident, you can manage this incident by using the settings of a managed device.

To select multiple event types, use the Shift or Ctrl key; to select all types, use the Select all button.

Network Agent policy settings


To configure the Network Agent policy:

1. In the console tree, select the Policies folder.

2. In the workspace of the folder, select the Network Agent policy.

3. In the context menu of the policy, select Properties.

The properties window of the Network Agent policy opens.

General

In the General section, you can modify the policy status and specify the inheritance of policy settings:

In the Policy status block, you can select one of the policy modes:

Active policy

If this option is selected, the policy becomes active.


By default, this option is selected.

Out-of-office policy

If this option is selected, the policy becomes active when the device leaves the corporate network.

Inactive policy

If this option is selected, the policy becomes inactive, but it is still stored in the Policies folder. If
required, the policy can be activated.

In the Settings inheritance settings group, you can configure the policy inheritance:

Inherit settings from parent policy

If this option is enabled, the policy setting values are inherited from the upper-level group policy and,
therefore, are locked.
By default, this option is enabled.

Force inheritance of settings in child policies

If this option is enabled, after policy changes are applied, the following actions will be performed:
The values of the policy settings will be propagated to the policies of administration
subgroups, that is, to the child policies.

In the Settings inheritance block of the General section in the properties window of each child
policy, the Inherit settings from parent policy option will be automatically enabled.
If this option is enabled, the child policies settings are locked.
By default, this option is disabled.

Event configuration

The Event configuration section allows you to configure event logging and event notification. Events are
distributed by importance level on the following tabs:

Critical
The Critical tab is not displayed in the Network Agent policy properties.

Functional failure

Warning

Info

On each tab, the list shows the types of events and the default event storage term on the Administration Server
(in days). Clicking the Properties button lets you specify the settings of event logging and notifications about
events selected in the list. By default, common notification settings specified for the entire Administration Server
are used for all event types. However, you can change specific settings for the required event types.

For example, on the Warning tab, you can configure the Incident has occurred event type. Such events may
happen, for instance, when the free disk space of a distribution point is less than 2 GB (at least 4 GB are required
to install applications and download updates remotely). To configure the Incident has occurred event, select it and
click the Properties button. After that, you can specify where to store the occurred events and how to notify
about them.

If Network Agent detected an incident, you can manage this incident by using the settings of a managed device.

To select multiple event types, use the Shift or Ctrl key; to select all types, use the Select all button.
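Both descriptions of the Incident has occurred event (in General policy settings and here in the Network Agent policy) cite the same trigger: free disk space on a distribution point below 2 GB, with at least 4 GB required for remote installation and update downloads. The following added example (PowerShell written for this page, not Kaspersky code) checks that condition on candidate distribution points so you can act before the Administration Server raises the event. It assumes WinRM access to the devices, that the distribution point storage lives on the drive given by -Drive, and hypothetical device names.

```powershell
# Added example, not Kaspersky code. Thresholds are the ones the documentation quotes
# (2 GB incident, 4 GB required). Assumptions: WinRM is open to the devices, the
# distribution point storage is on the drive passed as -Drive, device names are hypothetical.
function Test-DistributionPointDiskSpace {
    param(
        [Parameter(Mandatory)] [string[]]$ComputerName,
        [string]$Drive = 'C:',
        [double]$IncidentGB = 2,
        [double]$RequiredGB = 4
    )
    foreach ($name in $ComputerName) {
        try {
            $disk = Get-CimInstance -ClassName Win32_LogicalDisk -ComputerName $name `
                        -Filter "DeviceID='$Drive'" -ErrorAction Stop
            if (-not $disk) { throw "drive $Drive not found" }
            $freeGB = [math]::Round($disk.FreeSpace / 1GB, 2)
            # Same ladder the event uses: below 2 GB is an incident, below 4 GB cannot
            # serve installations and update downloads reliably.
            $state = if ($freeGB -lt $IncidentGB)     { 'INCIDENT' }
                     elseif ($freeGB -lt $RequiredGB) { 'WARNING' }
                     else                             { 'OK' }
            [pscustomobject]@{ Computer = $name; Drive = $Drive; FreeGB = $freeGB; State = $state }
        } catch {
            [pscustomobject]@{ Computer = $name; Drive = $Drive; FreeGB = $null
                               State = "UNREACHABLE: $($_.Exception.Message)" }
        }
    }
}

# Hypothetical distribution point names; feed the list from your own inventory.
Test-DistributionPointDiskSpace -ComputerName 'dp-branch-01', 'dp-branch-02' |
    Sort-Object FreeGB | Format-Table -AutoSize
```

Schedule this against the devices assigned as distribution points and alert on WARNING as well as INCIDENT: a distribution point that still has 3 GB free has not triggered the event yet but can no longer stage a large update package.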

Settings

In the Settings section, you can configure the Network Agent policy:

Distribute files through distribution points only

If this option is enabled, Network Agents on managed devices retrieve updates from distribution points
only.
If this option is disabled, Network Agents on managed devices retrieve updates from distribution points or
from Administration Server.

Note that the security applications on managed devices retrieve updates from the source set in the
update task for each security application. If you enable the Distribute files through distribution
points only option, make sure that Kaspersky Security Center is set as an update source in the
update tasks.

By default, this option is disabled.

Maximum size of event queue, in MB

In this field you can specify the maximum space on the drive that an event queue can occupy.
The default value is 2 megabytes (MB).

Application is allowed to retrieve policy's extended data on device

Network Agent installed on a managed device transfers information about the applied security application
policy to the security application (for example, Kaspersky Endpoint Security for Windows). You can view
the transferred information in the security application interface.
Network Agent transfers the following information:

Time of the policy delivery to the managed device

Name of the active or out-of-office policy at the moment of the policy delivery to the managed device

Name and full path to the administration group that contained the managed device at the moment of
the policy delivery to the managed device

List of active policy profiles


You can use the information to ensure the correct policy is applied to the device and for
troubleshooting purposes. By default, this option is disabled.

Protect Network Agent service against unauthorized removal or termination, and prevent changes to the
settings

When this option is enabled, after Network Agent is installed on a managed device, the component cannot
be removed or reconfigured without required privileges. The Network Agent service cannot be stopped.
This option has no e ect on domain controllers.
Enable this option to protect Network Agent on workstations operated with local administrator rights.
By default, this option is disabled.

Use uninstallation password

If this option is enabled, by clicking the Modify button you can specify the password for the klmover utility
and Network Agent remote uninstallation.
By default, this option is disabled.
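An added check (PowerShell written for this page, not Kaspersky code) for auditing how well the Network Agent service on a device is protected: it reports the service state and start mode and parses the service object's own DACL, which decides who can stop or delete the service at Service Control Manager level independently of the option above. The service name klnagent is an assumption to confirm with Get-Service on your build; run it elevated on the managed device.

```powershell
# Added example, not Kaspersky code. Assumption: the Network Agent service is
# registered as "klnagent" (confirm with Get-Service). Run elevated on the device.
function Get-NetworkAgentProtectionState {
    param([string]$ServiceName = 'klnagent')

    $svc = Get-CimInstance -ClassName Win32_Service -Filter "Name='$ServiceName'"
    if (-not $svc) { throw "Service '$ServiceName' not found on this device" }

    # The service object's DACL (printed as SDDL by sc.exe) decides who may stop (WP)
    # or delete (DC) the service at SCM level, independent of application self-defense.
    $sddl = ((& sc.exe sdshow $ServiceName) -join '').Trim()
    $grants = foreach ($ace in [regex]::Matches($sddl, '\(A;;([A-Z]+);;;([A-Z]{2}|S-[\d-]+)\)')) {
        $rights = $ace.Groups[1].Value
        # Rights are two-letter tokens; split on token boundaries rather than substring-matching.
        $tokens = for ($i = 0; $i -lt $rights.Length; $i += 2) { $rights.Substring($i, 2) }
        $strong = $tokens | Where-Object { $_ -in @('WP', 'DC', 'WD', 'WO', 'GA') }
        if ($strong -and $ace.Groups[2].Value -ne 'SY') {
            '{0}:{1}' -f $ace.Groups[2].Value, ($strong -join '')
        }
    }

    [pscustomobject]@{
        Service               = $ServiceName
        Status                = $svc.State
        StartMode             = $svc.StartMode
        CanStop               = (Get-Service -Name $ServiceName).CanStop
        BinaryPath            = $svc.PathName
        StopOrDeleteGrantedTo = ($grants -join ', ')   # e.g. BA:WPDCWDWO = local Administrators
    }
}

Get-NetworkAgentProtectionState | Format-List
```

On a stock service the DACL grants BUILTIN\Administrators (BA) stop and delete rights, which is exactly why the policy option exists: a local administrator can always reach the SCM, so the protection has to be enforced by Network Agent itself. Use this output to confirm the service is Running with StartMode Auto on the workstations the option is meant to cover, and pair it with the uninstallation password so that klmover and remote uninstallation cannot be driven without it.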

Repositories

In the Repositories section, you can select the types of objects whose details will be sent from Network Agent to
Administration Server. If modification of some settings in this section is prohibited by the Network Agent policy,
you cannot modify these settings. The settings in the Repositories section are available only on devices running
Windows:

Details of Windows Update updates

If this option is enabled, information about Microsoft Windows Update updates that must be installed on
client devices is sent to the Administration Server.
Sometimes, even if the option is disabled, updates are displayed in the device properties in the Available
updates section. This might happen if, for example, the devices of the organization had vulnerabilities that
could be fixed by these updates.
By default, this option is enabled. It is available only for Windows.

Details of software vulnerabilities and corresponding updates

If this option is enabled, information about vulnerabilities in third-party software (including Microsoft
software), detected on managed devices, and about software updates to fix third-party vulnerabilities (not
including Microsoft software) is sent to the Administration Server.
Selecting this option (Details of software vulnerabilities and corresponding updates) increases the
network load, Administration Server disk load, and Network Agent resource consumption.
By default, this option is enabled. It is available only for Windows.
To manage software updates of Microsoft software, use the Details of Windows Update updates option.

Hardware registry details

Network Agent installed on a device sends information about the device hardware to the Administration
Server. You can view the hardware details in the device properties.

Ensure that the lshw utility is installed on Linux devices from which you want to fetch hardware details.
Hardware details fetched from virtual machines may be incomplete depending on the hypervisor used.

Details of installed applications

If this option is enabled, information about applications installed on client devices is sent to the
Administration Server.
By default, this option is enabled.

Include information about patches

Information about patches of applications installed on client devices is sent to the Administration Server.
Enabling this option may increase the load on the Administration Server and DBMS, as well as cause
increased volume of the database.
By default, this option is enabled. It is available only for Windows.

Software updates and vulnerabilities

In the Software updates and vulnerabilities section, you can configure search and distribution of Windows
updates, as well as enable scanning of executable files for vulnerabilities. The settings in the Software updates
and vulnerabilities section are available only on devices running Windows:

Use Administration Server as a WSUS server

If this option is enabled, Windows updates are downloaded to the Administration Server. The
Administration Server provides downloaded updates to Windows Update on client devices in centralized
mode through Network Agents.
If this option is disabled, the Administration Server is not used for downloading Windows updates. In this
case, client devices receive Windows updates on their own.
By default, this option is disabled.

Under Allow users to manage installation of Windows Update updates, you can limit Windows updates that
users can install on their devices manually by using Windows Update.

On devices running Windows 10, if Windows Update has already found updates for the device, the new
option that you select under Allow users to manage installation of Windows Update updates will be
applied only after the updates found are installed.

Select an item in the drop-down list:

Allow users to install all applicable Windows Update updates

Users can install all of the Microsoft Windows Update updates that are applicable to their devices.
Select this option if you do not want to interfere in the installation of updates.

When the user installs Microsoft Windows Update updates manually, the updates may be
downloaded from Microsoft servers rather than from Administration Server. This is possible if
Administration Server has not yet downloaded these updates. Downloading updates from
Microsoft servers results in extra traffic.

Allow users to install only approved Windows Update updates

Users can install all of the Microsoft Windows Update updates that are applicable to their devices and
that are approved by you.

For example, you may want to rst check the installation of updates in a test environment and make
sure that they do not interfere with the operation of devices, and only then allow the installation of
these approved updates on client devices.

When the user installs Microsoft Windows Update updates manually, the updates may be
downloaded from Microsoft servers rather than from Administration Server. This is possible if
Administration Server has not yet downloaded these updates. Downloading updates from
Microsoft servers results in extra traffic.

Do not allow users to install Windows Update updates

Users cannot install Microsoft Windows Update updates on their devices manually. All of the applicable
updates are installed as configured by you.
Select this option if you want to manage the installation of updates centrally.
For example, you may want to optimize the update schedule so that the network does not become
overloaded. You can schedule after-hours updates, so that they do not interfere with user productivity.

In the Windows Update search mode settings group, you can select the update search mode:

Active

If this option is selected, Administration Server with support from Network Agent initiates a request
from Windows Update Agent on the client device to the update source: Windows Update Servers or
WSUS. Next, Network Agent passes information received from Windows Update Agent to
Administration Server.
The option takes effect only if the Connect to the update server to update data option of the Find
vulnerabilities and required updates task is selected.
By default, this option is selected.

Passive

If you select this option, Network Agent periodically passes Administration Server information about
updates retrieved at the last synchronization of Windows Update Agent with the update source. If no
synchronization of Windows Update Agent with an update source is performed, information about
updates on Administration Server becomes out-of-date.
Select this option if you want to get updates from the memory cache of the update source.

Disabled

If this option is selected, Administration Server does not request any information about updates.
Select this option if, for example, you want to test the updates on your local device first.

Scan executable files for vulnerabilities when running them

If this option is enabled, executable files are scanned for vulnerabilities when they are run.
By default, this option is enabled.

Restart management

In the Restart management section, you can specify the action to be performed if the operating system of a
managed device has to be restarted for correct use, installation, or uninstallation of an application. The settings in
the Restart management section are available only on devices running Windows:

Do not restart the operating system

The operating system will not be restarted.

Restart the operating system automatically if necessary

If necessary, the operating system is restarted automatically.

Prompt user for action

The application prompts the user to allow restarting the operating system.
By default, this option is selected.

Repeat the prompt every (min)

If this option is enabled, the application prompts the user to allow restarting the operating system with
the frequency specified in the field next to the check box. By default, the prompting frequency is 5
minutes.
If this option is disabled, the application does not prompt the user to allow restarting repeatedly.
By default, this option is enabled.

Force restart after (min)

If this option is enabled, after prompting the user, the application forces restart of the operating
system upon expiration of the time interval specified in the field next to the check box.
If this option is disabled, the application does not force restart.
By default, this option is enabled.

Wait time before forced closure of applications in blocked sessions (min)

Applications are forced to close when the user's device is locked (automatically after a specified
interval of inactivity, or manually).
If this option is enabled, applications are forced to close on the locked device upon expiration of the
time interval specified in the entry field.
If this option is disabled, applications do not close on the locked device.
By default, this option is disabled.

Windows Desktop sharing

In the Windows Desktop Sharing section, you can enable and configure the audit of the administrator's actions
performed on a remote device when desktop access is shared. The settings in the Windows Desktop Sharing
section are available only on devices running Windows:

Enable audit

If this option is enabled, audit of the administrator's actions is enabled on the remote device. Records of
the administrator's actions on the remote device are logged:
In the event log on the remote device

In a file with the syslog extension located in the Network Agent installation folder on the remote
device

In the event database of Kaspersky Security Center


Audit of the administrator's actions is available when the following conditions are met:
The Vulnerability and Patch Management license is in use

The administrator has the right to start shared access to the desktop of the remote device
If this option is disabled, the audit of the administrator's actions is disabled on the remote device.
By default, this option is disabled.

Masks of files to monitor when read

The list contains file masks. When the audit is enabled, the application monitors the administrator's reading
of files that match the masks and saves information about the files read. The list is available if the Enable audit
check box is selected. You can edit file masks and add new ones to the list. Each new file mask should be
specified in the list on a new line.
By default, the following file masks are specified: *.txt, *.rtf, *.doc, *.xls, *.docx, *.xlsx, *.odt, *.pdf.

Masks of files to monitor when modified

The list contains masks of files on the remote device. When audit is enabled, the application monitors
changes made by the administrator in files that match the masks, and saves information about those
modifications. The list is available if the Enable audit check box is selected. You can edit file masks and add
new ones to the list. Each new file mask should be specified in the list on a new line.
By default, the following file masks are specified: *.txt, *.rtf, *.doc, *.xls, *.docx, *.xlsx, *.odt, *.pdf.

Manage patches and updates


In the Manage patches and updates section, you can configure download and distribution of updates, as well as
installation of patches, on managed devices:

Automatically install applicable updates and patches for components that have the Undefined status

If this option is enabled, Kaspersky patches that have the Undefined approval status are automatically
installed on managed devices immediately after they are downloaded from update servers.
If this option is disabled, Kaspersky patches that have been downloaded and tagged with the Undefined
status will be installed only after you change their status to Approved.
By default, this option is enabled.

Download updates and anti-virus databases from Administration Server in advance (recommended)

If this option is enabled, the offline model of update download is used. When the Administration Server
receives updates, it notifies Network Agent (on devices where it is installed) of the updates that will be
required for managed applications. When Network Agent receives information about these updates, it
downloads the relevant files from the Administration Server in advance. At the first connection with
Network Agent, the Administration Server initiates an update download. After Network Agent downloads
all the updates to a client device, the updates become available for applications on that device.
When a managed application on a client device attempts to access Network Agent for updates, Network
Agent checks whether it has all required updates. If the updates are received from the Administration
Server not more than 25 hours before they were requested by the managed application, Network Agent
does not connect to the Administration Server but supplies the managed application with updates from
the local cache instead. Connection with the Administration Server may not be established when Network
Agent provides updates to applications on client devices, but connection is not required for updating.
If this option is disabled, the offline model of update download is not used. Updates are distributed
according to the schedule of the update download task.
By default, this option is enabled.

Connectivity

The Connectivity section includes three nested subsections:

Network

Connection profiles (only for Windows and macOS)

Connection schedule

In the Network subsection, you can configure the connection to Administration Server, enable the use of a UDP
port, and specify its number. The following options are available:

In the Connection to Administration Server settings group, you can configure connection to the
Administration Server and specify the time interval for synchronization between client devices and the
Administration Server:

Compress network traffic

If this option is enabled, the speed of data transfer by Network Agent is increased by means of a
decrease in the amount of information being transferred and a consequent decreased load on the
Administration Server.

The workload on the CPU of the client computer may increase.

By default, this check box is enabled.

Open Network Agent ports in Microsoft Windows Firewall

If this option is enabled, a UDP port, necessary for the work of Network Agent, is added to the
Microsoft Windows Firewall exclusion list.
By default, this option is enabled.

Use SSL

If this option is enabled, connection to the Administration Server is established through a secure port
via SSL.
By default, this option is enabled.

Use connection gateway on distribution point (if available) under default connection settings

If this option is enabled, the connection gateway on the distribution point is used under the settings
specified in the administration group properties.
By default, this option is enabled.

Use UDP port

If you need the managed devices to connect to KSN proxy server through a UDP port, enable the Use UDP
port option and specify a UDP port number. By default, this option is enabled. The default UDP port to
connect to the KSN proxy server is 15111.

UDP port number

In this field you can enter the UDP port number. The default port number is 15000.
The decimal system is used for records.
If the client device runs Windows XP Service Pack 2, the integrated firewall blocks UDP port 15000. This
port should be opened manually.

Use distribution point to force connection to the Administration Server

Select this option if you selected the Use this distribution point as a push server option in the
distribution point settings window. Otherwise, the distribution point will not act as a push server.

In the Connection profiles subsection, you can specify the network location settings, configure connection
profiles for Administration Server, and enable out-of-office mode when Administration Server is not available. The
settings in the Connection profiles section are available only on devices running Windows and macOS:

Network location settings

Network location settings define the characteristics of the network to which the client device is
connected and specify rules for Network Agent switching from one Administration Server connection
profile to another when those network characteristics are altered.

Administration Server connection profiles

In this section, you can view and add profiles for Network Agent connection to the Administration Server. In
this section, you can also create rules for switching Network Agent to different Administration Servers
when the following events occur:

When the client device connects to a different local network

When the device loses connection with the local network of the organization

When the connection gateway address is changed or the DNS server address is modified

Connection profiles are supported only for devices running Windows and macOS.

Enable out-of-office mode when Administration Server is not available

If this option is enabled, in case of connection through this profile, applications installed on the client
device use policy profiles for devices in out-of-office mode, as well as out-of-office policies. If no
out-of-office policy has been defined for the application, the active policy will be used.
If this option is disabled, applications will use active policies.
By default, this option is disabled.

In the Connection schedule subsection, you can specify the time intervals during which Network Agent sends
data to the Administration Server:

Connect when necessary

If this option is selected, the connection is established when Network Agent has to send data to the
Administration Server.
By default, this option is selected.

Connect at specified time intervals

If this option is selected, Network Agent connects to the Administration Server at a specified time. You
can add several connection time periods.

Distribution points

The Distribution points section includes four nested subsections:


Network polling

Internet connection settings

KSN Proxy

Updates

In the Network polling subsection, you can configure automatic polling of the network. You can enable three types
of polling, that is, network polling, IP range polling, and Active Directory polling:

Enable network polling

If the option is enabled, the Administration Server automatically polls the network according to the
schedule that you configured by clicking the Set quick polling schedule and Set full polling schedule links.
If this option is disabled, the Administration Server polls the network with the interval specified in the
Frequency of network polls (min) field.

The device discovery interval for Network Agent versions prior to 10.2 can be configured in the Frequency
of polls from Windows domains (min) (for quick Windows network poll) and Frequency of network polls
(min) (for full Windows network poll) fields.
By default, this option is disabled.

Enable IP range polling

If the option is enabled, the distribution point automatically polls IP ranges according to the schedule that
you configured by clicking the Set polling schedule link.
If this option is disabled, the distribution point does not poll IP ranges.
The frequency of IP range polling for Network Agent versions prior to 10.2 can be configured in the Poll
interval (min) field. The field is available if the option is enabled.
By default, this option is disabled.

Use Zeroconf polling (on Linux platforms only; manually specified IP ranges will be ignored)

If this option is enabled, the distribution point automatically polls the network with IPv6 devices by using
zero-configuration networking (also referred to as Zeroconf). In this case, the enabled IP range polling is
ignored, because the distribution point polls the whole network.
To start to use Zeroconf, the following conditions must be fulfilled:
The distribution point must run Linux.

You must install the avahi-browse utility on the distribution point.


If this option is disabled, the distribution point does not poll networks with IPv6 devices.
By default, this option is disabled.

Enable Active Directory polling

If the option is enabled, the distribution point automatically polls Active Directory according to the
schedule that you configured by clicking the Set polling schedule link.
If this option is disabled, the Administration Server does not poll Active Directory.
The frequency of Active Directory polling for Network Agent versions prior to 10.2 can be configured in the
Poll interval (min) field. The field is available if this option is enabled.
By default, this option is disabled.

In the Internet connection settings subsection, you can specify the internet access settings:

Use proxy server

If this check box is selected, in the entry fields you can configure the proxy server connection.
By default, this check box is cleared.

Proxy server address

Address of the proxy server.

Port number

Port number that is used for connection.

Bypass proxy server for local addresses

If this option is enabled, no proxy server is used to connect to devices on the local network.
By default, this option is disabled.

Proxy server authentication

If this check box is selected, in the entry fields you can specify the credentials for proxy server
authentication.
By default, this check box is cleared.

User name

User account under which connection to the proxy server is established.

Password

Password of the account under which connection to the proxy server is established.

In the KSN Proxy subsection, you can configure the application to use the distribution point to forward KSN
requests from the managed devices:

Enable KSN Proxy on distribution point side

The KSN proxy service is run on the device that is used as a distribution point. Use this feature to
redistribute and optimize traffic on the network.
The distribution point sends the KSN statistics, which are listed in the Kaspersky Security Network
statement, to Kaspersky. By default, the KSN statement is located in %ProgramFiles%\Kaspersky
Lab\Kaspersky Security Center\ksneula.
By default, this option is disabled. Enabling this option takes effect only if the Use Administration Server
as a proxy server and I agree to use Kaspersky Security Network options are enabled in the
Administration Server properties window.
You can assign a node of an active-passive cluster to a distribution point and enable KSN proxy server on
this node.

Forward KSN requests to Administration Server

The distribution point forwards KSN requests from the managed devices to the Administration Server.
By default, this option is enabled.

Access KSN Cloud/Private KSN directly over the internet

The distribution point forwards KSN requests from managed devices to the KSN Cloud or Private KSN. The
KSN requests generated on the distribution point itself are also sent directly to the KSN Cloud or Private
KSN.
The distribution points that have Network Agent version 11 (or earlier) installed cannot access Private KSN
directly. If you want to reconfigure the distribution points to send KSN requests to Private KSN, enable the
Forward KSN requests to Administration Server option for each distribution point.
The distribution points that have Network Agent version 12 (or later) installed can access Private KSN
directly.

TCP port

The number of the TCP port that the managed devices will use to connect to KSN proxy server. The
default port number is 13111.

Use UDP port

If you need the managed devices to connect to KSN proxy server through a UDP port, enable the Use UDP
port option and specify a UDP port number. By default, this option is enabled. The default UDP port to
connect to the KSN proxy server is 15111.

In the Updates subsection, you can specify whether Network Agent should download diff files by enabling or
disabling the Download diff files option. (By default, this option is enabled.)

Revision history

On the Revision history tab, you can view the history of Network Agent policy revisions. You can compare
revisions, view revisions, and perform advanced operations, such as save revisions to a file, roll back to a revision,
and add and edit revision descriptions.

Feature comparison by the Network Agent operating systems

The table below shows which Network Agent policy settings you can use to configure Network Agent with a
specific operating system.

Network Agent policy settings: comparison by operating systems

Policy section | Restriction (where only part of the section is available)
General |
Event configuration |
Settings | Only the Maximum size of event queue, in MB and Application is allowed to retrieve policy's extended data on device options are available.
Repositories | Only the Details of installed applications and Hardware registry details options are available.
Software updates and vulnerabilities |
Restart management |
Windows Desktop Sharing |
Manage patches and updates |
Connectivity → Network | Except the Open Network Agent ports in Microsoft Windows Firewall option.
Connectivity → Connection profiles |
Connectivity → Connection schedule |
Distribution points → Network polling | Only the IP range polling section is available.
Distribution points → Internet connection settings |
Distribution points → KSN Proxy |
Distribution points → Updates |
Revision history |

(The original table also has Windows, Mac, and Linux columns whose availability marks are icons; they are not reproduced in this text version.)

Managing user accounts

This section provides information about user accounts and roles supported by the application. This section
contains instructions on how to create accounts and roles for users of Kaspersky Security Center.

Kaspersky Security Center allows you to manage user accounts and groups of accounts. The application supports
two types of accounts:

Accounts of organization employees. Administration Server retrieves data of the accounts of those users when
polling the organization's network.

Accounts of internal users. These accounts are applied when virtual Administration Servers are used. Accounts
of internal users are created and used only within Kaspersky Security Center.

Working with user accounts


Kaspersky Security Center allows you to manage user accounts and groups of accounts. The application supports
two types of accounts:

Accounts of organization employees. Administration Server retrieves data of the accounts of those users when
polling the organization's network.

Accounts of internal users. These accounts are applied when virtual Administration Servers are used. Accounts
of internal users are created and used only within Kaspersky Security Center.

All user accounts can be viewed in the User accounts folder in the console tree. The User accounts folder is a
subfolder of the Advanced folder by default.

You can perform the following actions on user accounts and groups of accounts:

Configure users' rights of access to the application features using roles.

Send messages to users by email and SMS.

View the list of the user's mobile devices.

Issue and install certificates on the user's mobile devices.

View the list of certificates issued to the user.

Disable two-step verification for a user account.

Adding an account of an internal user


To add a new internal user account to Kaspersky Security Center:

1. In the console tree, open the User accounts folder.


The User accounts folder is a subfolder of the Advanced folder by default.

2. In the workspace, click the Add user button.

3. In the New user window that opens, specify the settings of the new user account:

A user name

Please be careful when entering the user name. You will not be able to change it after saving the
changes.

Description

Full name

Main email

Main phone

Password for the user connection to Kaspersky Security Center


The password must comply with the following rules:

The password must be 8 to 16 characters long.

The password must contain characters from at least three of the groups listed below:

Uppercase letters (A-Z)

Lowercase letters (a-z)

Numbers (0-9)

Special characters (@ # $ % ^ & * - _ ! + = [ ] { } | : ' , . ? / \ ` ~ " ( ) ;)

The password must not contain any whitespaces, Unicode characters, or the combination of "." and "@",
when "." is placed before "@".

To see the entered password, click and hold the Show button.

The number of attempts for entering the password is limited. By default, the maximum number of
allowed password entry attempts is 10. You can change the allowed number of attempts to enter a
password, as described in "Changing the number of allowed password entry attempts".

If the user enters an invalid password the specified number of times, the user account is blocked for
one hour. In the list of user accounts, the user icon of a blocked account is dimmed (unavailable).
You can unblock the user account only by changing the password.

If necessary, select the Disable account check box to prohibit the user from connecting to the application.
You can disable an account, for example, if you want to create it beforehand but activate it later.

Select the Request the password when account settings are modified check box if you want to enable an
additional option to protect a user account from unauthorized modification. If this option is enabled,
modifying user account settings requires authorization of the user with the Modify object ACLs right of the
General features: User permissions functional area.

4. Click OK.

The newly created user account is displayed in the workspace of the User accounts folder.

Editing an account of an internal user


To edit an internal user account in Kaspersky Security Center:

1. In the console tree, open the User accounts folder.


The User accounts folder is a subfolder of the Advanced folder by default.

2. In the workspace, double-click the internal user account that you want to edit.

3. In the Properties: <user name> window that opens, change the settings of the user account:

Description

Full name

Main email

Main phone

Password for the user connection to Kaspersky Security Center


The password must comply with the following rules:

The password must be 8 to 16 characters long.

The password must contain characters from at least three of the groups listed below:

Uppercase letters (A-Z)

Lowercase letters (a-z)

Numbers (0-9)

Special characters (@ # $ % ^ & * - _ ! + = [ ] { } | : ' , . ? / \ ` ~ " ( ) ;)

The password must not contain any whitespaces, Unicode characters, or the combination of "." and "@",
when "." is placed before "@".

To see the entered password, click and hold the Show button.

The number of attempts for entering the password is limited. By default, the maximum number of
allowed password entry attempts is 10. You can change the allowed number of attempts to enter a
password, as described in "Changing the number of allowed password entry attempts".

If the user enters an invalid password the specified number of times, the user account is blocked for
one hour. In the list of user accounts, the user icon of a blocked account is dimmed (unavailable).
You can unblock the user account only by changing the password.

If necessary, select the Disable account check box to prohibit the user from connecting to the application.
You can disable an account, for example, after an employee leaves the company.

Select the Request the password when account settings are modified option if you want to enable an
additional option to protect a user account from unauthorized modification. If this option is enabled,
modifying user account settings requires authorization of the user with the Modify object ACLs right of the
General features: User permissions functional area.

4. Click OK.

The edited user account is displayed in the workspace of the User accounts folder.
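The password rules listed in the Adding an account and Editing an account procedures above, checked by a PowerShell function. This is an added example, not part of the Kaspersky Security Center help or product: the function name Test-KscInternalUserPassword is invented here, the special-character set is the one listed in the rules, the "no Unicode characters" rule is read as "printable ASCII only", and the "." before "@" rule is read strictly as any "." occurring anywhere before an "@" (both readings are assumptions). It is useful for pre-checking passwords produced by a provisioning script before they are entered in the New user window, where a rejected value is only reported interactively.

```powershell
# Added example: validates a candidate internal-user password against the rules listed in the help.
# Not Kaspersky code; the function name is invented. Assumptions: "Unicode characters" is read as
# anything outside printable ASCII, and the "." before "@" rule as any "." anywhere before an "@".
function Test-KscInternalUserPassword {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory = $true)]
        [AllowEmptyString()]
        [string]$Password
    )

    $reasons = [System.Collections.Generic.List[string]]::new()

    # Rule: 8 to 16 characters long.
    if ($Password.Length -lt 8 -or $Password.Length -gt 16) {
        $reasons.Add("length must be 8 to 16 characters (got $($Password.Length))")
    }

    # Rule: characters from at least three of the four groups.
    # The special-character set is exactly the one listed in the help.
    $specials = '@#$%^&*-_!+=[]{}|:'',.?/\`~"();'
    $groups = 0
    if ($Password -cmatch '[A-Z]') { $groups++ }   # -cmatch: case-sensitive, so [A-Z] is uppercase only
    if ($Password -cmatch '[a-z]') { $groups++ }
    if ($Password -match '[0-9]')  { $groups++ }
    $hasSpecial = $false
    foreach ($ch in $Password.ToCharArray()) {
        if ($specials.IndexOf($ch) -ge 0) { $hasSpecial = $true; break }
    }
    if ($hasSpecial) { $groups++ }
    if ($groups -lt 3) {
        $reasons.Add("must use at least three character groups (found $groups)")
    }

    # Rule: no whitespace.
    if ($Password -match '\s') { $reasons.Add('must not contain whitespace') }

    # Rule: no Unicode characters (assumption: anything outside printable ASCII 0x20-0x7E).
    if ($Password -match '[^\x20-\x7E]') { $reasons.Add('must not contain non-ASCII characters') }

    # Rule: no "." placed before "@" (assumption: strict reading, any "." anywhere before an "@").
    $dot = $Password.IndexOf('.')
    $at  = $Password.LastIndexOf('@')
    if ($dot -ge 0 -and $at -gt $dot) { $reasons.Add('must not contain "." before "@"') }

    [pscustomobject]@{
        Valid   = ($reasons.Count -eq 0)
        Reasons = $reasons.ToArray()
    }
}

# Constructed sample values for demonstration; not real credentials.
foreach ($candidate in 'Tr0ub4dor&3', 'short1A', 'ab.cd@Ef12', 'NoDigitsOrSpecials') {
    $r = Test-KscInternalUserPassword -Password $candidate
    '{0,-20} valid={1} {2}' -f $candidate, $r.Valid, ($r.Reasons -join '; ')
}
```

The function returns every violated rule rather than stopping at the first one, so a caller can report all problems with a generated password at once; only the first sample value passes, the others fail on length, on the "." before "@" rule, and on both length and character groups respectively.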

Changing the number of allowed password entry attempts


The Kaspersky Security Center user can enter an invalid password a limited number of times. After the limit is
reached, the user account is blocked for one hour.

By default, the maximum number of allowed attempts to enter a password is 10. You can change the number of
allowed password entry attempts, as described in this section.

To change the number of allowed password entry attempts:

1. Open the system registry of the device on which Administration Server is installed (for example, locally, using
the regedit command in the Start → Run menu).

2. Go to the following key:

For 32-bit systems:


HKEY_LOCAL_MACHINE\SOFTWARE\KasperskyLab\Components\34\1093\1.0.0.0\ServerFlags

For 64-bit systems:


HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\KasperskyLab\Components\34\1093\1.0.0.0\ServerF

3. If the SrvSplPpcLogonAttempts value is not present, create it. The value type is DWORD.
By default, after Kaspersky Security Center is installed this value is not created.

4. Specify the required number of attempts in the SrvSplPpcLogonAttempts value.

5. Click OK to save the changes.

6. Restart the Administration Server service.

The maximum number of allowed password entry attempts is changed.

Configuring the check of the name of an internal user for uniqueness

You can configure the check of the name of an internal user of Kaspersky Security Center for uniqueness when
this name is added to the application. The check of the name of an internal user for uniqueness can be
performed either only on the virtual Administration Server or primary Administration Server on which the user
account is to be created, or on all virtual Administration Servers and on the primary Administration Server. By
default, the name of an internal user is checked for uniqueness on all virtual Administration Servers and on the
primary Administration Server.

To enable the check of the name of an internal user for uniqueness on a virtual Administration Server or on the
primary Administration Server:

1. Open the system registry of the device on which Administration Server is installed (for example, locally, using
the regedit command in the Start → Run menu).

2. Go to the following hive:

For 32-bit systems:


HKEY_LOCAL_MACHINE\SOFTWARE\KasperskyLab\Components\34\.core\.independent\KLLIM

For 64-bit systems:


HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\KasperskyLab\Components\34\.core\.independent\

3. For the LP_InterUserUniqVsScope (DWORD) key, set the 00000001 value.


The default value specified for this key is 0.

4. Restart the Administration Server service.

The name will only be checked for uniqueness on the virtual Administration Server on which the internal user was
created, or on the primary Administration Server if the internal user was created on the primary Administration
Server.

To enable the check of the name of an internal user on all virtual Administration Servers and on the primary
Administration Server:

1. Open the system registry of the device on which Administration Server is installed (for example, locally, using
the regedit command in the Start → Run menu).

2. Go to the following hive:

For 64-bit systems:


HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\KasperskyLab\Components\34\.core\.independent\

For 32-bit systems:


HKEY_LOCAL_MACHINE\SOFTWARE\KasperskyLab\Components\34\.core\.independent\KLLIM

3. For the LP_InterUserUniqVsScope (DWORD) key, set the 00000000 value.


The default value specified for this key is 0.

4. Restart the Administration Server service.

The check of the name for uniqueness will be performed on all virtual Administration Servers and on the primary
Administration Server.
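The two registry procedures above (limiting password entry attempts with SrvSplPpcLogonAttempts, and scoping the uniqueness check with LP_InterUserUniqVsScope) differ only in the key, the value name and the number written, so one PowerShell helper can serve both. This is an added example, not a Kaspersky utility: the function name Set-KscServerDword is invented, the default key paths are the 32-bit keys quoted in the procedures (on 64-bit systems pass the Wow6432Node key from step 2 of each procedure as -KeyPath), and the Administration Server service is located by the display-name pattern '*Administration Server*', which is an assumption to confirm with Get-Service before use. The helper records the previous value and reads the new one back, which is the check an administrator wants before restarting the service.

```powershell
# Added example (not a Kaspersky tool): writes one DWORD under the Administration Server registry
# keys quoted in the help, keeping the previous value for audit, then optionally restarts the service.
function Set-KscServerDword {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        [Parameter(Mandatory = $true)][string]$KeyPath,
        [Parameter(Mandatory = $true)][string]$ValueName,
        [Parameter(Mandatory = $true)][uint32]$Value,
        [switch]$RestartService
    )

    if (-not (Test-Path -LiteralPath $KeyPath)) {
        throw "Registry key not found: $KeyPath (is Administration Server installed on this host?)"
    }

    # Previous value, or $null when the value does not exist yet (the product default then applies).
    $previous = (Get-ItemProperty -LiteralPath $KeyPath -Name $ValueName -ErrorAction SilentlyContinue).$ValueName

    if ($PSCmdlet.ShouldProcess("$KeyPath\$ValueName", "set DWORD to $Value")) {
        # -Force creates the value if it is missing and overwrites it otherwise.
        New-ItemProperty -LiteralPath $KeyPath -Name $ValueName -Value $Value -PropertyType DWord -Force | Out-Null

        if ($RestartService) {
            # Assumption: the service is matched by display name; verify with Get-Service first.
            $svc = Get-Service -DisplayName '*Administration Server*' -ErrorAction Stop
            Restart-Service -InputObject $svc -Force
        }
    }

    # Read back so the caller can confirm what is now in the registry.
    $current = (Get-ItemProperty -LiteralPath $KeyPath -Name $ValueName -ErrorAction SilentlyContinue).$ValueName
    [pscustomobject]@{ Key = $KeyPath; Name = $ValueName; Previous = $previous; Current = $current }
}

# 32-bit key paths as quoted in the procedures; on 64-bit systems use the Wow6432Node keys from step 2.
$ServerFlagsKey = 'HKLM:\SOFTWARE\KasperskyLab\Components\34\1093\1.0.0.0\ServerFlags'
$KllimKey       = 'HKLM:\SOFTWARE\KasperskyLab\Components\34\.core\.independent\KLLIM'

# Limit password entry attempts to 5 (product default when the value is absent: 10).
# -WhatIf previews the change without writing; drop it to apply.
Set-KscServerDword -KeyPath $ServerFlagsKey -ValueName 'SrvSplPpcLogonAttempts' -Value 5 -RestartService -WhatIf

# Check internal user names for uniqueness only on the Server where the account is created (1),
# or on all virtual Servers and the primary Server (0, the default).
Set-KscServerDword -KeyPath $KllimKey -ValueName 'LP_InterUserUniqVsScope' -Value 1 -RestartService -WhatIf
```

Run it in an elevated session on the Administration Server host. Because the function supports ShouldProcess, -WhatIf and -Confirm work as usual, and the returned object (previous and current value side by side) can be logged as the change record for the restart that follows.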

Adding a security group


You can add security groups (groups of users), flexibly configure groups, and configure security group access
to various application features. Security groups can be assigned names that correspond to their respective
purposes. For example, the name can correspond to where users are located in the office or to the name of the
company's organizational unit to which the users belong.

One user can belong to several security groups. A user account managed by a virtual Administration Server can
belong only to security groups of this virtual Server and have access rights only within this virtual Server.

To add a security group:


1. In the console tree select the User accounts folder.
The User accounts folder is a subfolder of the Advanced folder by default.

2. Click the Add security group button.


The Add security group window opens.

3. In the Add security group window, in the General section specify the name of the group.
A group name cannot be more than 255 characters long and contain special symbols such as *, <, >, ?, \, :, |. The
group name must be unique.
You can enter the group description in the Description entry field. Filling in the Description field is optional.

4. Click OK.

The security group that you have added appears in the User accounts folder in the console tree. You can add
users to the newly created group.

Adding a user to a group


To add a user to a group:

1. In the console tree, select the User accounts folder.


The User accounts folder is a subfolder of the Advanced folder by default.

2. In the list of user accounts and groups, select the group to which you want to add the user.

3. In the group properties window, select the Group users section and click the Add button.
A window with a list of users opens.

4. In the list, select a user that you want to include in the group.

5. Click OK.

The user is added to the group and displayed in the list of group users.

Configuring access rights to application features. Role-based access control

Kaspersky Security Center provides facilities for role-based access to the features of Kaspersky Security Center
and managed Kaspersky applications.

You can con gure access rights to application features for Kaspersky Security Center users in one of the following
ways:

By configuring the rights for each user or group of users individually.

By creating standard user roles with a predefined set of rights and assigning those roles to users depending on
their scope of duties.

User role (also referred to as a role) is a predefined set of access rights to the features of Kaspersky Security
Center or managed Kaspersky applications. A role can be assigned to a user or a group of users.

Application of user roles is intended to simplify and shorten routine procedures of configuring users' access rights
to application features. Access rights within a role are configured in accordance with the standard tasks and the
users' scope of duties.

User roles can be assigned names that correspond to their respective purposes. You can create an unlimited
number of roles in the application.

You can use the predefined user roles with an already configured set of rights, or create new roles and configure the
required rights yourself.

Access rights to application features


The table below shows the Kaspersky Security Center features with the access rights to manage the associated
tasks, reports, settings, and perform the associated user actions.

To perform the user actions listed in the table, a user has to have the right specified next to the action.

Read, Modify, and Execute rights are applicable to any task, report, or setting. In addition to these rights, a user
has to have the Perform operations on device selections right to manage tasks, reports, or settings on device
selections.

All tasks, reports, settings, and installation packages that are missing in the table belong to the General
features: Basic functionality functional area.

Access rights to application features

The table is given below as one entry per functional area, with the following fields: Rights (the rights defined in the area), User action (the right required to perform the action is given after the colon), Task, Report, and Other.

Functional area: General features: Management of administration groups
Rights: Modify
User actions:
  Add device to an administration group: Modify
  Delete device from an administration group: Modify
  Add an administration group to another administration group: Modify
  Delete an administration group from another administration group: Modify
Task: None
Report: None
Other: None

Functional area: General features: Access objects regardless of their ACLs
Rights: Read
User actions:
  Get read access to all objects: Read
Task: None
Report: None
Other: None

Functional area: General features: Basic functionality
Rights: Read; Modify; Execute; Perform operations on device selections
User actions:
  Device moving rules (create, modify, or delete) for the virtual Server: Modify, Perform operations on device selections
  Get Mobile (LWNGT) protocol custom certificate: Read
  Set Mobile (LWNGT) protocol custom certificate: Write
  Get NLA-defined network list: Read
  Add, modify, or delete NLA-defined network list: Modify
  View Access Control List of groups: Read
  View the Kaspersky Event Log: Read
Tasks:
  "Download updates to the Administration Server repository"
  "Deliver reports"
  "Distribute installation package"
  "Install application on secondary Administration Servers remotely"
Reports:
  "Report on protection status"
  "Report on threats"
  "Report on most heavily infected devices"
  "Report on status of anti-virus databases"
  "Report on errors"
  "Report on network attacks"
  "Summary report on mail system protection applications installed"
  "Summary report on perimeter defense applications installed"
  "Summary report on types of applications installed"
  "Report on users of infected devices"
  "Report on incidents"
  "Report on events"
  "Report on activity of distribution points"
  "Report on Secondary Administration Servers"
  "Report on Device Control events"
  "Report on vulnerabilities"
  "Report on prohibited applications"
  "Report on Web Control"
  "Report on encryption status of managed devices"
  "Report on encryption status of mass storage devices"
  "Report on file encryption errors"
  "Report on blockage of access to encrypted files"
  "Report on rights to access encrypted devices"
  "Report on effective user permissions"
  "Report on rights"
Other: None

Functional area: General features: Deleted objects
Rights: Read; Modify
User actions:
  View deleted objects in the Recycle Bin: Read
  Delete objects from the Recycle Bin: Modify
Task: None
Report: None
Other: None

Functional area: General features: Event processing
Rights: Delete events; Edit event notification settings; Edit event logging settings; Modify
User actions:
  Change events registration settings: Edit event logging settings
  Change events notification settings: Edit event notification settings
  Delete events: Delete events
Task: None
Report: None
Other (settings; this column is truncated in the source and the wording below is reconstructed from the surviving fragments):
  Virus outbreak settings: number of virus detections required to create a virus outbreak event
  Virus outbreak settings: period of time for evaluation of virus detections
  The maximum number of events stored in the database
  Period of time to store events from deleted devices

Functional area: General features: Operations on Administration Server
Rights: Read; Modify; Execute; Modify object ACLs; Perform operations on device selections
User actions:
  Specify ports of Administration Server for the network agent connection: Modify
  Specify ports of Activation Proxy launched on the Administration Server: Modify
  Specify ports of Activation Proxy for Mobile launched on the Administration Server: Modify
  Specify ports of the Web Server for distribution of standalone packages: Modify
  Specify ports of the Web Server for distribution of MDM profiles: Modify
  Specify SSL ports of the Administration Server for connection via Kaspersky Security Center Web Console: Modify
  Specify ports of the Administration Server for mobile connection: Modify
  Specify the maximum number of events stored in the Administration Server database: Modify
  Specify the maximum number of events that can be sent by the Administration Server: Modify
  Specify time period during which events can be sent by the Administration Server: Modify
Tasks:
  "Backup of Administration Server data"
  "Databases maintenance"
Report: None
Other: None

Functional area: General features: Kaspersky software deployment
Rights: Manage Kaspersky patches; Read; Modify; Execute; Perform operations on device selections
User actions:
  Approve or decline installation of the Kaspersky patch: Manage Kaspersky patches
Task: None
Reports:
  "Report on license key usage by virtual Administration Server"
  "Report on Kaspersky software versions"
  "Report on incompatible applications"
  "Report on versions of Kaspersky software module updates"
  "Report on protection deployment"
Other: Installation package "Kasper" (name truncated in the source)

Functional area: General features: Key management
Rights: Export key file; Modify
User actions:
  Export key file: Export key file
  Modify Administration Server license key settings: Modify
Task: None
Report: None
Other: None

Functional area: General features: Enforced report management
Rights: Read; Modify; Execute
User actions:
  Create reports regardless of their ACLs: Write
  Execute reports regardless of their ACLs: Read
Task: None
Report: None
Other: None

Functional area: General features: Hierarchy of Administration Servers
Rights: Configure hierarchy of Administration Servers
User actions:
  Register, update, or delete secondary Administration Servers: Configure hierarchy of Administration Servers
Task: None
Report: None
Other: None

Functional area: General features: User permissions
Rights: Modify object ACLs
User actions:
  Change Security properties of any object: Modify object ACLs
  Manage user roles: Modify object ACLs
  Manage internal users: Modify object ACLs
  Manage security groups: Modify object ACLs
  Manage aliases: Modify object ACLs
Task: None
Report: None
Other: None

Functional area: General features: Virtual Administration Servers
Rights: Manage virtual Administration Servers; Read; Modify; Execute; Perform operations on device selections
User actions:
  Get list of virtual Administration Servers: Read
  Get information on the virtual Administration Server: Read
  Create, update, or delete a virtual Administration Server: Manage virtual Administration Servers
  Move a virtual Administration Server to another group: Manage virtual Administration Servers
  Set administration virtual Server permissions: Manage virtual Administration Servers
Task: None
Report: "Report on results of installation of third-party software updates"
Other: None

Functional area: Mobile device management: General
Rights: Connect new devices; Send only information commands to mobile devices; Send commands to mobile devices; Manage certificates; Read; Modify
User actions:
  Get Key Management Service restore data: Read
  Delete user certificates: Manage certificates
  Get user certificate public part: Read
  Check if Public Key Infrastructure is enabled: Read
  Check Public Key Infrastructure account: Read
  Get Public Key Infrastructure templates: Read
  Get Public Key Infrastructure templates by Extended Key Usage certificate: Read
  Check if Public Key Infrastructure certificate is revoked: Read
  Update user certificate issuance settings: Manage certificates
  Get user certificate issuance settings: Read
  Get packages by application name and version: Read
  Set or cancel user certificate: Manage certificates
  Renew user certificate: Manage certificates
  Set user certificate tag: Manage certificates
  Run generation of MDM installation package; cancel generation of MDM installation package: Connect new devices
Task: None
Report: None
Other: None

Functional area: System management: Connectivity
Rights: Start RDP sessions; Connect to existing RDP sessions; Initiate tunneling; Save files from devices to the administrator's workstation; Read; Modify; Execute; Perform operations on device selections
User actions:
  Create desktop sharing session: The right to create desktop sharing session
  Create RDP session: Connect to existing RDP sessions
  Create tunnel: Initiate tunneling
  Save content network list: Save files from devices to the administrator's workstation
Task: None
Report: "Report on device users"
Other: None

Functional area: System management: Hardware inventory
Rights: Read; Modify; Execute; Perform operations on device selections
User actions:
  Get or export hardware inventory object: Read
  Add, set or delete hardware inventory object: Write
Task: None
Reports:
  "Report on hardware registry"
  "Report on configuration changes"
  "Report on hardware"
Other: None

Functional area: System management: Network access control
Rights: Read; Modify
User actions:
  View CISCO settings: Read
  Change CISCO settings: Write
Task: None
Report: None
Other: None

Functional area: System management: Operating system deployment
Rights: Deploy PXE servers; Read; Modify; Execute; Perform operations on device selections
User actions:
  Deploy PXE servers: Deploy PXE servers
  View a list of PXE servers: Read
  Start or stop the installation process on PXE clients: Execute
  Manage drivers for WinPE and operating system images: Modify
Task: "Create installation package upon reference device OS image"
Report: None
Other: Installation package ending in "Image" (name truncated in the source)

Functional area: System management: Vulnerability and patch management
Rights: Read; Modify; Execute; Perform operations on device selections
User actions:
  View third-party patch properties: Read
  Change third-party patch properties: Modify
Tasks:
  "Perform Windows Update synchronization"
  "Install Windows Update updates"
  "Fix vulnerabilities"
  "Install required updates and fix vulnerabilities"
Report: "Report on software updates"
Other: None

Functional area: System management: Remote installation
Rights: Read; Modify; Execute; Perform operations on device selections
User actions:
  View third-party Vulnerability and Patch Management based installation package properties: Read
  Change third-party Vulnerability and Patch Management based installation package properties: Modify
Task: None
Report: None
Other: Installation packages "Cus appl" and "VAP pack" (names truncated in the source)

Functional area: System management: Software inventory
Rights: Read; Modify; Execute; Perform operations on device selections
User actions: None listed
Task: None
Reports:
  "Report on installed applications"
  "Report on applications registry history"
  "Report on status of licensed applications groups"
  "Report on third-party software license keys"
Other: None
Predefined user roles


User roles assigned to Kaspersky Security Center users provide them with sets of access rights to application
features.

You can use the predefined user roles with an already configured set of rights, or create new roles and configure the
required rights yourself. Some of the predefined user roles available in Kaspersky Security Center can be
associated with specific job positions, for example, Auditor, Security Officer, Supervisor (these roles are present
in Kaspersky Security Center starting from version 11). Access rights of these roles are pre-configured in
accordance with the standard tasks and scope of duties of the associated positions. The table below shows how
roles can be associated with specific job positions.

Examples of roles for specific job positions

Role: Auditor
Comment: Permits all operations with all types of reports, all viewing operations, including viewing deleted
objects (grants the Read and Write permissions in the Deleted objects area). Does not permit other operations.
You can assign this role to a person who performs the audit of your organization.

Role: Supervisor
Comment: Permits all viewing operations; does not permit other operations. You can assign this role to a
security officer and other managers in charge of the IT security in your organization.

Role: Security Officer
Comment: Permits all viewing operations, permits reports management; grants limited permissions in the
System management: Connectivity area. You can assign this role to an officer in charge of the IT security in
your organization.

The table below shows the access rights assigned to each predefined user role.

Access rights of predefined user roles

Role: Administration Server Administrator
Description: Permits all operations in the following functional areas:
  General features: Basic functionality; Event processing; Hierarchy of Administration Servers; Virtual
  Administration Servers
  System management: Connectivity; Hardware inventory; Software inventory

Role: Administration Server Operator
Description: Grants the Read and Execute rights in all of the following functional areas:
  General features: Basic functionality; Virtual Administration Servers
  System management: Connectivity; Hardware inventory; Software inventory

Role: Auditor
Description: Permits all operations in the following functional areas, in General features: Access objects
regardless of their ACLs; Deleted objects; Enforced report management.
You can assign this role to a person who performs the audit of your organization.

Role: Installation Administrator
Description: Permits all operations in the following functional areas:
  General features: Basic functionality; Kaspersky software deployment; License key management
  System management: Operating system deployment; Vulnerability and patch management; Remote
  installation; Software inventory
Grants the Read and Execute rights in the General features: Virtual Administration Servers functional area.

Role: Installation Operator
Description: Grants the Read and Execute rights in all of the following functional areas:
  General features: Basic functionality; Kaspersky software deployment (also grants the Manage Kaspersky
  patches right in this area); Virtual Administration Servers
  System management: Operating system deployment; Vulnerability and patch management; Remote
  installation; Software inventory

Role: Kaspersky Endpoint Security Administrator
Description: Permits all operations in the following functional areas:
  General features: Basic functionality
  Kaspersky Endpoint Security area, including all features

Role: Kaspersky Endpoint Security Operator
Description: Grants the Read and Execute rights in all of the following functional areas:
  General features: Basic functionality
  Kaspersky Endpoint Security area, including all features

Role: Main Administrator
Description: Permits all operations in functional areas, except for the following areas in General features:
Access objects regardless of their ACLs; Enforced report management.

Role: Main Operator
Description: Grants the Read and Execute (where applicable) rights in all of the following functional areas:
  General features: Basic functionality; Deleted objects; Operations on Administration Server; Kaspersky
  software deployment; Virtual Administration Servers
  Mobile Device Management: General
  System management, including all features
  Kaspersky Endpoint Security area, including all features

Role: Mobile Device Management Administrator
Description: Permits all operations in the following functional areas:
  General features: Basic functionality
  Mobile Device Management: General

Role: Mobile Device Management Operator
Description: Grants the Read and Execute rights in the General features: Basic functionality functional area.
Grants Read and Send only information commands to mobile devices in the Mobile Device Management:
General functional area.

Role: Security Officer
Description: Permits all operations in the following functional areas, in General features: Access objects
regardless of their ACLs; Enforced report management.
Grants the Read, Modify, Execute, Save files from devices to the administrator's workstation, and Perform
operations on device selections rights in the System management: Connectivity functional area.
You can assign this role to an officer in charge of the IT security in your organization.

Role: Self Service Portal User
Description: Permits all operations in the Mobile Device Management: Self Service Portal functional area. This
feature is not supported in Kaspersky Security Center 11 and later versions.

Role: Supervisor
Description: Grants the Read right in the General features: Access objects regardless of their ACLs and General
features: Enforced report management functional areas.
You can assign this role to a security officer and other managers in charge of the IT security in your
organization.

Role: Vulnerability and Patch Management Administrator
Description: Permits all operations in the General features: Basic functionality and System management
(including all features) functional areas.

Role: Vulnerability and Patch Management Operator
Description: Grants the Read and Execute (where applicable) rights in the General features: Basic functionality
and System management (including all features) functional areas.

Adding a user role


To add a user role:

1. In the console tree, select the node with the name of the required Administration Server.

2. In the context menu of the Administration Server, select Properties.

3. In the Administration Server properties window, in the Sections pane select User roles and click the Add
button.

The User roles section is available if the Display security settings sections option is enabled.

4. In the New role properties window, configure the role:

In the Sections pane, select General and specify the name of the role.
The name of a role cannot be more than 100 characters long.

Select the Rights section, and configure the set of rights by selecting the Allow and Deny check boxes next
to the application features.

If you are operating on the primary Administration Server, you can enable the Relay list of roles to secondary
Administration Servers option.

5. Click OK.

The role is added.

User roles that have been created for Administration Server are displayed in the Administration Server properties
window, in the User roles section. You can modify and delete user roles, as well as assign roles to user groups or
selected users.

Assigning a role to a user or a user group


To assign a role to a user or a group of users:

1. In the console tree, select the node with the name of the required Administration Server.

2. In the context menu of the Administration Server, select Properties.

3. In the Administration Server properties window, select the Security section.

The Security section is available if the Display security settings sections check box is selected in the
interface settings window.

4. In the Names of groups or users field, select a user or a group of users to which you want to assign a role.
If the user or the group is not contained in the field, you can add it by clicking the Add button.
When you add a user by clicking the Add button, you can select the type of user authentication (Microsoft
Windows or Kaspersky Security Center). Kaspersky Security Center authentication is used for selecting the
accounts of internal users that are used for working with virtual Administration Servers.

5. Select the Roles tab and click the Add button.


The User roles window opens. This window displays user roles that have been created.

6. In the User roles window, select a role for the user group.

7. Click OK.

The role with a set of rights for working with Administration Server is assigned to the user or the user group. Roles
that have been assigned are displayed on the Roles tab in the Security section of the Administration Server
properties window.

Assigning permissions to users and groups


You can give users and groups permissions to use different features of Administration Server and of the Kaspersky
programs for which you have management plug-ins, for example, Kaspersky Endpoint Security for Windows.

To assign permissions to a user or a group of users:

1. In the console tree, do one of the following:

Expand the Administration Server node and select the subfolder with the name of the required
Administration Server.

Select the administration group.

2. In the context menu of the Administration Server or the administration group, select Properties.

3. In the Administration Server properties window (or the administration group properties window) that opens, in
the left Sections pane select Security.

The Security section is available if the Display security settings sections check box is selected in the
interface settings window.

4. In the Security section, in the Names of groups or users list select a user or a group.

5. In the permissions list in the lower part of the workspace, on the Rights tab configure the set of rights for the
user or group:

a. Click the plus signs (+) to expand the nodes in the list and gain access to the permissions.

b. Select the Allow and Deny check boxes next to the permissions that you want.
Example 1: Expand the Access objects regardless of their ACLs node or Deleted objects node, and select
Read.
Example 2: Expand the Basic functionality node, and select Write.

6. When you have configured the set of rights, click Apply.

The set of rights for the user or group of users will be configured.

The permissions of the Administration Server (or the administration group) are divided into the following areas:

General features:

Management of administration groups (only for Kaspersky Security Center 11 or later)

Access objects regardless of their ACLs (only for Kaspersky Security Center 11 or later)

Basic functionality

Deleted objects (only for Kaspersky Security Center 11 or later)

Event processing

Operations on Administration Server (only in the property window of Administration Server)

Deploy Kaspersky applications

License key management

Enforced report management (only for Kaspersky Security Center 11 or later)

Hierarchy of Servers

User rights

Virtual Administration Servers

Mobile Device Management:

General

System Management:

Connectivity

Hardware inventory

Network Access Control

Deploy operating system

Manage vulnerabilities and patches

Remote installation

Software inventory

If neither Allow nor Deny is selected for a permission, then the permission is considered undefined: it is denied until
it is explicitly denied or allowed for the user.

The rights of a user are the sum of the following:

User's own rights

Rights of all the roles assigned to this user

Rights of all the security groups to which the user belongs

Rights of all the roles assigned to the security groups to which the user belongs

If at least one of these sets of rights has Deny for a permission, then the user is denied this permission, even if
other sets allow it or leave it undefined.
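The evaluation rule above, as an added example that is not Kaspersky's code: a small Python model that sums the four rights sets the text lists and evaluates one permission, with Deny in any set overriding Allow and an unset permission treated as denied. The users, groups and roles are constructed sample data; the functional-area and permission names follow the access-rights table.

```python
"""Effective-permission evaluation modelled on the Kaspersky Security Center
rule: a user's rights are the sum of the user's own rights, the rights of roles
assigned to the user, the rights of security groups the user belongs to, and
the rights of roles assigned to those groups. A permission with neither Allow
nor Deny is undefined and treated as denied; a Deny in any contributing set
denies the permission even if other sets allow it.

Added example, not Kaspersky's code. Users, groups and roles below are
constructed sample data.
"""
from dataclasses import dataclass, field
from enum import Enum


class Setting(Enum):
    ALLOW = "Allow"
    DENY = "Deny"


# A rights set maps "<functional area> / <permission>" to Allow or Deny.
# Permissions absent from the dict are undefined for that set.
RightsSet = dict[str, Setting]


@dataclass
class Role:
    name: str
    rights: RightsSet


@dataclass
class SecurityGroup:
    name: str
    rights: RightsSet = field(default_factory=dict)
    roles: list[Role] = field(default_factory=list)


@dataclass
class User:
    name: str
    rights: RightsSet = field(default_factory=dict)
    roles: list[Role] = field(default_factory=list)
    groups: list[SecurityGroup] = field(default_factory=list)


def contributing_sets(user: User) -> list[tuple[str, RightsSet]]:
    """The four kinds of rights sets the documentation sums, labelled by origin."""
    sets = [(f"user:{user.name}", user.rights)]
    sets += [(f"role:{r.name}", r.rights) for r in user.roles]
    for g in user.groups:
        sets.append((f"group:{g.name}", g.rights))
        sets += [(f"group:{g.name}/role:{r.name}", r.rights) for r in g.roles]
    return sets


def effective_permission(user: User, permission: str) -> tuple[bool, str]:
    """Return (granted, reason). A Deny anywhere wins; no Allow anywhere is undefined."""
    allowed_by = None
    for origin, rights in contributing_sets(user):
        setting = rights.get(permission)
        if setting is Setting.DENY:
            return False, f"explicitly denied by {origin}"
        if setting is Setting.ALLOW and allowed_by is None:
            allowed_by = origin
    if allowed_by:
        return True, f"allowed by {allowed_by}"
    return False, "undefined in every set (treated as denied)"


def effective_rights(user: User) -> dict[str, bool]:
    """Evaluate every permission that any contributing set mentions."""
    perms: set[str] = set()
    for _, rights in contributing_sets(user):
        perms.update(rights)
    return {p: effective_permission(user, p)[0] for p in sorted(perms)}


# Constructed sample data (hypothetical names; areas/rights from the table).
AUDITOR_LIKE = Role("Auditor-like", {
    "General features: Access objects regardless of their ACLs / Read": Setting.ALLOW,
    "General features: Deleted objects / Read": Setting.ALLOW,
    "General features: Enforced report management / Read": Setting.ALLOW,
})
OPERATOR_LIKE = Role("Operator-like", {
    "General features: Basic functionality / Read": Setting.ALLOW,
    "General features: Basic functionality / Execute": Setting.ALLOW,
    "System management: Connectivity / Save files from devices to the administrator's workstation": Setting.ALLOW,
})
HELPDESK = SecurityGroup("Helpdesk", rights={
    "System management: Connectivity / Start RDP sessions": Setting.ALLOW,
    # Group-level Deny: overrides the Allow granted by the group's own role.
    "System management: Connectivity / Save files from devices to the administrator's workstation": Setting.DENY,
}, roles=[OPERATOR_LIKE])
ALICE = User("alice",
             rights={"General features: Deleted objects / Modify": Setting.DENY},
             roles=[AUDITOR_LIKE],
             groups=[HELPDESK])

if __name__ == "__main__":
    for perm, granted in effective_rights(ALICE).items():
        print(f"{'ALLOW' if granted else 'DENY ':5} {perm}  ({effective_permission(ALICE, perm)[1]})")
```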

Propagating user roles to secondary Administration Servers
By default, the lists of user roles of the primary and secondary Administration Servers are independent. You can
configure the application to automatically propagate the user roles created on the primary Administration Server
to all of the secondary Administration Servers. The user roles can also be propagated from a secondary
Administration Server to its own secondary Administration Servers.

To propagate user roles from the primary Administration Server to the secondary Administration Servers:

1. Open the main application window.

2. Do one of the following:

In the console tree, right-click the name of the Administration Server and select Properties in the context
menu.

If you have an active Administration Server policy, in the workspace of the Policies folder, right-click this
policy and select Properties in the context menu.

3. In the Administration Server properties window, or in the policy settings window, in the Sections pane select
User roles.

The User roles section is available if the Display security settings sections option is enabled.

4. Enable the Relay list of roles to secondary Administration Servers option.

5. Click OK.

The application copies the user roles of the primary Administration Server to the secondary Administration
Servers.

When the Relay list of roles to secondary Administration Servers option is enabled and the user roles are
propagated, they cannot be edited or deleted on the secondary Administration Servers. When you create a new
role or edit an existing one on the primary Administration Server, the changes are automatically copied to the
secondary Administration Servers. When you delete a user role on the primary Administration Server, this role
remains on the secondary Administration Servers afterward, but it can be edited or deleted.

The roles that are propagated to the secondary Administration Server from the primary Server are displayed with
the lock icon. You cannot edit these roles on the secondary Administration Server.

If you create a role on the primary Administration Server, and there is a role with the same name on its secondary
Administration Server, the new role is copied to the secondary Administration Server with the index added to its
name, for example, ~~1, ~~2 (the index can be random).

If you disable the Relay list of roles to secondary Administration Servers option, all the user roles remain on the
secondary Administration Servers, but they become independent from those on the primary Administration
Server. After becoming independent, the user roles on the secondary Administration Servers can be edited or
deleted.

Assigning the user as a device owner

You can assign the user as a device owner to allocate a device to that user. If you have to perform some actions on
the device (for example, upgrade hardware), the administrator can notify the device owner to authorize those
actions.

To assign a user as the owner of a device:

1. In the console tree, select the Managed devices folder.

2. In the workspace of the folder, on the Devices tab, select the device for which you need to assign an owner.

3. In the context menu of the device, select Properties.

4. In the device properties window, select System Info → Sessions.

5. Click the Assign button next to the Device owner field.

6. In the User selection window, select the user to assign as the device owner and click OK.

7. Click OK.

The device owner is assigned. By default, the Device owner field is filled with a value from Active Directory and is
updated during every Active Directory poll. You can view the list of device owners in the Report on device owners.
You can create a report using the New Report Wizard.

Delivering messages to users


To send a message to a user by email:

1. In the console tree, in the User accounts folder, select a user.


The User accounts folder is a subfolder of the Advanced folder by default.

2. In the user's context menu, select Notify by email.

3. Fill in the relevant fields in the Send message to user window and click the OK button.

The message will be sent to the email address that has been specified in the user's properties.

To send an SMS message to a user:

1. In the console tree, in the User accounts folder, select a user.

2. In the user's context menu, select Send an SMS.

3. Fill in the relevant fields in the SMS text window and click the OK button.

The message will be sent to the mobile device with the number that has been specified in the user's properties.

Viewing the list of user mobile devices


To view a list of a user's mobile devices:

1. In the console tree, in the User accounts folder, select a user.

The User accounts folder is a subfolder of the Advanced folder by default.

2. In the context menu of the user account, select Properties.

3. In the properties window of the user account, select the Mobile devices section.

In the Mobile devices section, you can view the list of the user's mobile devices and information about each of
them. You can click the Export to file button to save the list of mobile devices to a file.

Installing a certificate for a user


You can install three types of certificates for a user:

Shared certificate, which is required to identify the user's mobile device.

Mail certificate, which is required to set up the corporate mail on the user's mobile device.

VPN certificate, which is required to set up the virtual private network on the user's mobile device.

To issue a certificate to a user and then install it:

1. In the console tree, open the User accounts folder and select a user account.
The User accounts folder is a subfolder of the Advanced folder by default.

2. In the context menu of the user account, select Install certificate.

The Certificate Installation Wizard starts. Follow the instructions of the Wizard.

After the Certificate Installation Wizard has finished, the certificate will be created and installed for the user. You
can view the list of installed user certificates and export it to a file.

Viewing the list of certificates issued to a user


To view a list of all certificates issued to a user:

1. In the console tree, in the User accounts folder, select a user.


The User accounts folder is a subfolder of the Advanced folder by default.

2. In the context menu of the user account, select Properties.

3. In the properties window of the user account, select the Certificates section.

In the Certificates section, you can view the list of the user's certificates and information about each of them. You
can click the Export to file button to save the list of certificates to a file.

About the administrator of a virtual Administration Server


An administrator of the enterprise network managed through a virtual Administration Server starts Kaspersky
Security Center Web Console under the user account specified in this window to view the details of anti-virus
protection.

If necessary, several administrator accounts can be created on a virtual Server.

The administrator of a virtual Administration Server is an internal user of Kaspersky Security Center. No data
on internal users is transferred to the operating system. Kaspersky Security Center authenticates internal
users.

Remote installation of operating systems and applications


Kaspersky Security Center allows you to create operating system images and deploy them on client devices on the
network, as well as perform remote installation of applications by Kaspersky or other vendors.

To create images of operating systems, you must install the Windows ADK and the Windows PE add-on for the
Windows ADK tools on the Administration Server. We recommend that you install the latest versions of the
Windows ADK and the Windows PE add-on for the Windows ADK. You can create an image of any version of
Windows operating system that meets the requirements of the Kaspersky Security Center.

Capturing images of operating systems

Kaspersky Security Center can capture operating system images from devices and transfer those images to the
Administration Server. Such images of operating systems are stored on the Administration Server in a dedicated
folder. The operating system image of a reference device is captured and then created through an installation
package creation task.

The functionality of operating system image capturing has the following features:

An operating system image cannot be captured on a device on which Administration Server is installed.

During capture of an operating system image, the sysprep.exe utility resets the settings of the reference
device. If you want to restore the settings of the reference device, select the Create backup copy of the
device state check box in the Operating System Image Creation Wizard.

The image capturing process provides for a restart of the reference device.

Deploying images of operating systems on new devices

You can use the images received for deployment on new networked devices on which no operating system has
been installed yet. A technology named Preboot eXecution Environment (PXE) is used in this case. You select a
networked device that will act as PXE server. This device must meet the following requirements:

Network Agent must be installed on the device.

A DHCP server cannot be active on the device because a PXE server uses the same ports as a DHCP server.

The network segment that includes the device must not contain any other PXE servers.
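The first two requirements above can be checked on the candidate device before it is added as a PXE server. The following PowerShell function is an added example, not part of Kaspersky Security Center; it assumes the Network Agent service is named klnagent (adjust the parameter if your installation differs) and uses the built-in DHCPServer service name for the Windows DHCP Server role.

```powershell
# Added pre-flight check for a candidate PXE server device (example code, not
# Kaspersky Security Center's own). Run in an elevated PowerShell session on the
# candidate device. Checks: Network Agent is installed, nothing is already bound
# to the DHCP/PXE UDP ports 67 and 68, and the Windows DHCP Server service is not
# running on this device.
function Test-PxeServerCandidate {
    [CmdletBinding()]
    param(
        # Service name of Network Agent: an assumption, verify it with Get-Service.
        [string]$NetworkAgentServiceName = 'klnagent'
    )

    $result = [ordered]@{
        NetworkAgentInstalled = $false
        DhcpPortsFree         = $false
        DhcpServiceStopped    = $false
        Ready                 = $false
    }

    # 1. Network Agent must be installed on the PXE server device.
    $agent = Get-Service -Name $NetworkAgentServiceName -ErrorAction SilentlyContinue
    $result.NetworkAgentInstalled = ($null -ne $agent)

    # 2. A PXE server uses the same UDP ports as a DHCP server, so no other
    #    process may hold UDP 67 or 68 on this device.
    $bound = Get-NetUDPEndpoint -ErrorAction SilentlyContinue |
        Where-Object { $_.LocalPort -in 67, 68 }
    $result.DhcpPortsFree = (-not $bound)
    foreach ($ep in @($bound)) {
        $proc = Get-Process -Id $ep.OwningProcess -ErrorAction SilentlyContinue
        Write-Warning ("UDP port {0} is already bound by PID {1} ({2})" -f
            $ep.LocalPort, $ep.OwningProcess, $proc.ProcessName)
    }

    # 3. The Windows DHCP Server service (DHCPServer) must not be active here,
    #    even if it happens to be idle at the moment of the port check.
    $dhcp = Get-Service -Name 'DHCPServer' -ErrorAction SilentlyContinue
    $result.DhcpServiceStopped = ($null -eq $dhcp -or $dhcp.Status -ne 'Running')

    $result.Ready = $result.NetworkAgentInstalled -and
                    $result.DhcpPortsFree -and
                    $result.DhcpServiceStopped
    [pscustomobject]$result
}

Test-PxeServerCandidate | Format-List
```

The third requirement (no other PXE server in the segment) is not covered by this script and still has to be confirmed from your network inventory.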

The following conditions must be met to deploy an operating system:

A network card must be mounted on the device.

The device must be connected to the network.


The Network boot option must be selected in BIOS when booting the device.

Deployment of an operating system is performed as follows:

1. The PXE server establishes a connection with the new client device while the latter is booting up.

2. The client device becomes included in Windows Preinstallation Environment (WinPE).

Adding the device to WinPE may require configuration of the set of drivers for WinPE.

3. The client device is registered on Administration Server.

4. The administrator assigns the client device an installation package with an operating system image.

The administrator can add required drivers to the installation package with the operating system image.
The administrator can also specify a configuration file with the operating system settings (answer file) that
is to be applied during installation.

5. The operating system is deployed on the client device.

The administrator can manually specify the MAC addresses of client devices that have not yet been connected,
and assign them the installation package with the operating system image. When the selected client devices
connect to the PXE server, the operating system is automatically installed on those devices.

Deploying images of operating systems on devices where another operating system has already
been installed

Deployment of images of operating systems on client devices where another operating system has already been
installed is performed through the remote installation task for specific devices.

Note that a clean install of the operating system is performed. All data will be deleted.

Installing applications by Kaspersky and other vendors

The administrator can create installation packages of any applications, including those specified by the user, and
install the applications on client devices through the remote installation task.

Creating images of operating systems


Images of operating systems are created using the task that captures the operating system image of the reference
device.

To create the operating system image making task:

1. In the Remote installation folder of the console tree, select the Installation packages subfolder.

2. Click the Create installation package button to run the New Package Wizard.

3. In the Select installation package type window of the Wizard, click the Create an installation package with
the operating system image button.

4. Follow the instructions of the Wizard.

When the Wizard finishes, an Administration Server task is created named Create installation package upon
reference device OS image. You can view the task in the Tasks folder.

When the Create installation package upon reference device OS image task is complete, an installation package
is created that you can use to deploy the operating system on client devices through a PXE server or the remote
installation task. You can view the installation package in the Installation packages folder.

Installing images of operating systems


Kaspersky Security Center allows you to deploy WIM images of desktop and server-based Windows® operating
systems on devices within an organization's network.

The following methods can be used to retrieve an operating system image that would be deployable by using
Kaspersky Security Center tools:

Import from the install.wim file included in the Windows distribution package

Capturing an image from a reference device

Two scenarios are supported for deployment of operating system images:

Deployment on a "clean" device, that is, without any operating system installed

Deployment on a device running Windows

Use Windows Preinstallation Environment (Windows PE) for capturing and deploying operating system images. All
drivers required for proper functioning of all target devices must be added to WinPE. Generally, network adapter
and storage controller drivers must be added.

The following requirements must be met in order to implement scenarios of image deployment and capture:

Windows Automated Installation Kit (WAIK) version 2.0, or later, or Windows ADK with the Windows PE add-on
for the Windows ADK must be installed on the Administration Server. If the scenario allows for installing or
capturing images on Windows XP, WAIK must be installed.

A DHCP server must be available on the network where the target device is located.

The shared folder of the Administration Server must be open for reading from the network where the target
device is located. If the shared folder is located on the Administration Server, access is required for the
KlPxeUser account (this account is created automatically while running the Administration Server Installer). If
the shared folder is located outside the Administration Server, access must be granted to everyone.

When selecting the operating system image to be installed, the administrator must explicitly specify the CPU
architecture of the target device: x86 or x86-64.

Configuring the KSN proxy server address

By default, the domain name of the Administration Server coincides with the KSN proxy server address. If you
change the domain name for the Administration Server, you have to specify the correct KSN proxy server address
to prevent a loss of connection between host devices and KSN.

To configure the KSN proxy server address:

1. In the console tree, go to Advanced → Remote installation → Installation packages.

2. In the context menu of Installation packages, select Properties.

3. In the window that opens, specify the new KSN proxy server address in the General tab.

4. Click the Apply button.

From now on, the specified address is used as the KSN proxy server address.

Adding drivers for Windows Preinstallation Environment (WinPE)


To add drivers for Windows Preinstallation Environment (WinPE):

1. In the Remote installation folder in the console tree, select the Deploy device images subfolder.

2. In the workspace of the Deploy device images folder, click the Additional actions button and select Configure
driver set for Windows Preinstallation Environment (WinPE) in the drop-down list.
The Windows Preinstallation Environment drivers window opens.

3. In the Windows Preinstallation Environment drivers window click the Add button.
The Select driver window opens.

4. In the Select driver window, select a driver from the list.


If the necessary driver is missing from the list, click the Add button and specify the driver name and folder of
the driver distribution package in the Add driver window that opens.
You can select a folder by clicking the Browse button.
In the Add driver window, click OK.

5. In the Select driver window, click OK.


The driver will be added to the Administration Server repository. When added to the repository, the driver is
displayed in the Select driver window.

6. In the Windows Preinstallation Environment drivers window, click OK.

The driver will be added to Windows Preinstallation Environment (WinPE).

Adding drivers to an installation package with an operating system image


To add drivers to an installation package with an operating system image:

1. In the Remote installation folder of the console tree, select the Installation packages subfolder.

2. From the context menu of an installation package with an operating system image, select Properties.
The installation package properties window opens.

3. In the installation package properties window, select the Additional drivers section.

4. Click the Add button in the Additional drivers section.


The Select driver window opens.

5. In the Select driver window, select drivers that you want to add to the installation package with the operating
system image.
You can add new drivers to the Administration Server repository by clicking the Add button in the Select driver
window.

6. Click OK.

Added drivers are displayed in the Additional drivers section of the properties window of the installation
package with the operating system image.

Configuring sysprep.exe utility


The sysprep.exe utility is intended to prepare the device for creation of an operating system image.

To configure sysprep.exe utility:

1. In the Remote installation folder of the console tree, select the Installation packages subfolder.

2. From the context menu of an installation package with an operating system image, select Properties.
The installation package properties window opens.

3. In the installation package properties window, select the sysprep.exe settings section.

4. In the sysprep.exe settings section, specify a configuration file to be used during deployment of the operating
system on the client device:

Use default configuration file. Select this option to use the answer file generated by default during capture
of the operating system image.

Specify custom values of main settings. Select this option to specify values for settings through the user
interface.

Specify configuration file. Select this option to use a custom answer file.

5. To apply the changes made, click the Apply button.

Deploying operating systems on new networked devices


To deploy an operating system on new devices that have not yet had any operating system installed:

1. In the Remote installation folder in the console tree, select the Deploy device images subfolder.
Ensure that the Display Vulnerability and Patch Management option is enabled in the Configure interface
window. Otherwise, the Remote installation folder is not displayed.

2. Click the Additional actions button and select Manage the list of PXE servers on the network in the drop-
down list.
The Properties: Deploy device images window opens, on the PXE servers section.

3. In the PXE servers section, click the Add button and, in the PXE servers window that opens, select the device
that will be used as PXE server.
The device that you added is displayed in the PXE servers section. The created WinPE files are transferred to
the device from the Administration Server. The file transfer process usually takes 10 minutes. Once the transfer
is completed, the displayed Status value changes from Getting started to Ready.

4. In the PXE servers section select a PXE server and click the Properties button.

5. In the properties window of the selected PXE server, on the PXE server connection settings tab configure
connection between Administration Server and the PXE server.

6. Boot the client device on which you want to deploy the operating system.

7. In the BIOS of the client device, select the Network boot installation option.
The client device connects to the PXE server and is then displayed in the workspace of the Deploy device
images folder.

8. In the Actions section, click the Assign installation package link to select the installation package that will be
used for the operating system installation on the selected device.
Use the DiskPart tool on the selected device to check the available disks. At the Windows PE command prompt,
type diskpart to open the DiskPart tool. Type list disk to list the disks.
After you added the device and assigned the installation package to it, the operating system deployment starts
automatically on this device.

9. To cancel the operating system deployment on the client device, click the Cancel OS image installation link in
the Actions section.

To add devices by MAC address:

In the Deploy device images folder, click Add device MAC address to open the New device window, and
specify the MAC address of the device that you want to add.

In the Deploy device images folder, click Import MAC addresses of devices from file to select the file
containing a list of MAC addresses of all devices on which you want to deploy an operating system.

Deploying operating systems on client devices


To deploy an operating system on client devices with another operating system already installed:

1. In the console tree, open the Remote installation folder and click the Deploy installation package on managed
devices (workstations) link to run the Protection Deployment Wizard.

2. In the Select installation package window of the Wizard specify an installation package with an operating
system image.

3. Follow the instructions of the Wizard.

When the Wizard completes its operation, a remote installation task is created for installing the operating
system on client devices. You can start or stop the task in the Tasks folder.
Creating installation packages of applications
To create an application installation package:

1. In the Remote installation folder of the console tree, select the Installation packages subfolder.

2. Click the Create installation package button to run the New Package Wizard.

3. In the Select installation package type window of the Wizard, click one of the following buttons:

Create an installation package for a Kaspersky application. Select this option if you want to create an
installation package for a Kaspersky application.

Create an installation package for the specified executable file. Select this option if you want to create
an installation package for a third-party application by using an executable file. Typically, the executable file
is a setup file of the application.

Copy entire folder to the installation package

Select this option if the executable file is accompanied with additional files required for the
application installation. Before you enable this option, make sure that all of the required files are
stored in the same folder. If this option is enabled, the application adds the entire contents of the
folder, including the specified executable file, to the installation package.

Specify installation parameters

For successful remote installation, most applications require the installation to be performed in
silent mode. If this is the case, you must specify the parameter for a silent installation.

Con gure the installation settings:

Executable file command line


If the application requires additional parameters for a silent installation, specify them in this field.
Refer to the vendor's documentation for details.
You can also enter other parameters.

Convert settings to recommended values for applications recognized by Kaspersky Security Center 14

The application will be installed with the recommended settings, if information about the
specified application is contained in the Kaspersky database.
If you entered parameters in the Executable file command line field, they are rewritten with the
recommended settings.
By default, this option is enabled.
The Kaspersky database is created and maintained by Kaspersky analysts. For each application
that is added to the database, Kaspersky analysts define optimal installation settings. The
settings are defined to ensure successful remote installation of an application to a client device.
The database is updated on the Administration Server automatically when you run the Download
updates to the repository of the Administration Server task.

Select an application from the Kaspersky database to create an installation package. Select this option
if you want to select the required third-party application from the Kaspersky database to create an
installation package. The database is created automatically when you run the Download updates to the
repository of the Administration Server task; the applications are displayed in the list.

Create an installation package with the operating system image. Select this option if you have to create
an installation package with an image of the operating system of a reference device.
When the Wizard finishes, an Administration Server task is created with the name Create installation
package upon reference device OS image. When this task is completed, an installation package is created
that you can use to deploy the operating system image through a PXE server or the remote installation task.

4. Follow the instructions of the Wizard.

When the Wizard finishes, an installation package is created that you can use to install the application on client
devices. You can view the installation package by selecting Installation packages in the console tree.

Issuing a certificate for installation packages of applications


To issue a certificate for the installation package of an application:

1. In the Remote installation folder of the console tree, select the Installation packages subfolder.
The Remote installation folder is a subfolder of the Advanced folder by default.

2. In the context menu of the Installation packages folder, select Advanced.


This opens the properties window of the Installation packages folder.

3. In the properties window of the Installation packages folder, select the Sign stand-alone packages section.

4. In the Sign stand-alone packages section, click the Specify button.


The Certificate window opens.

5. In the Certificate type field, specify the public or private certificate type:

If the PKCS #12 container value is selected, specify the certificate file and the password.

If the X.509 certificate value is selected:

a. Specify the private key file (one with the *.prk or *.pem extension).

b. Specify the private key password.

c. Specify the public key file (one with the *.cer extension).

6. Click OK.

A certificate for the installation package of the application is issued.
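Before entering a PKCS #12 container in the Sign stand-alone packages section, it is worth confirming that it holds a private key, is within its validity period, carries the code-signing extended key usage, and chains to a root that client devices trust; afterwards, the produced stand-alone package can be checked for a valid signature from that same certificate. The following PowerShell is an added example, not Kaspersky Security Center's own code; the file paths are placeholders, and it assumes a signed stand-alone package is an Authenticode-signed executable.

```powershell
# Added example (not Kaspersky Security Center code): validate the signing
# container before use, then verify a generated stand-alone package.
# Paths are placeholders for your own files.

function Test-PackageSigningCertificate {
    param(
        [Parameter(Mandatory)] [string]       $PfxPath,
        [Parameter(Mandatory)] [securestring] $Password
    )
    # EphemeralKeySet keeps the private key in memory only while checking
    # (needs .NET Framework 4.7.2 or later, or PowerShell 7).
    $flags = [System.Security.Cryptography.X509Certificates.X509KeyStorageFlags]::EphemeralKeySet
    $cert  = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($PfxPath, $Password, $flags)

    # Code Signing extended key usage, OID 1.3.6.1.5.5.7.3.3.
    $codeSigningOid    = '1.3.6.1.5.5.7.3.3'
    $hasCodeSigningEku = $false
    foreach ($ext in $cert.Extensions) {
        if ($ext -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]) {
            foreach ($oid in $ext.EnhancedKeyUsages) {
                if ($oid.Value -eq $codeSigningOid) { $hasCodeSigningEku = $true }
            }
        }
    }

    # Build the chain on this machine; clients need the same trust anchors.
    $chain   = [System.Security.Cryptography.X509Certificates.X509Chain]::new()
    $chainOk = $chain.Build($cert)
    $now     = Get-Date

    [pscustomobject]@{
        Subject           = $cert.Subject
        Thumbprint        = $cert.Thumbprint
        HasPrivateKey     = $cert.HasPrivateKey
        InValidityPeriod  = ($cert.NotBefore -le $now) -and ($cert.NotAfter -gt $now)
        HasCodeSigningEku = $hasCodeSigningEku
        ChainTrusted      = $chainOk
        ChainStatus       = (($chain.ChainStatus | ForEach-Object { $_.Status }) -join ', ')
    }
}

function Test-StandalonePackageSignature {
    param(
        [Parameter(Mandatory)] [string] $PackagePath,
        [Parameter(Mandatory)] [string] $ExpectedThumbprint
    )
    # Get-AuthenticodeSignature reads the embedded Authenticode signature.
    $sig   = Get-AuthenticodeSignature -FilePath $PackagePath
    $match = ($null -ne $sig.SignerCertificate) -and
             ($sig.SignerCertificate.Thumbprint -eq $ExpectedThumbprint)
    [pscustomobject]@{
        Path            = $PackagePath
        Status          = $sig.Status
        SignedBy        = $sig.SignerCertificate.Subject
        ThumbprintMatch = $match
        Ok              = ($sig.Status -eq 'Valid') -and $match
    }
}

# Usage with placeholder paths:
$certInfo = Test-PackageSigningCertificate -PfxPath 'C:\certs\package-signing.pfx' `
    -Password (Read-Host -AsSecureString 'PFX password')
$certInfo | Format-List
if ($certInfo.HasPrivateKey -and $certInfo.InValidityPeriod -and
    $certInfo.HasCodeSigningEku -and $certInfo.ChainTrusted) {
    'Container is suitable for the Sign stand-alone packages section.'
}
# After a stand-alone package has been generated with this certificate:
Test-StandalonePackageSignature -PackagePath 'C:\packages\standalone.exe' `
    -ExpectedThumbprint $certInfo.Thumbprint
```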

Installing applications on client devices


To install an application on client devices:

1. In the console tree, open the Remote installation folder and click Deploy installation package on managed
devices (workstations) to run the Protection Deployment Wizard.

2. In the Select installation package window of the Wizard specify the installation package of an application that
you want to install.

3. Follow the instructions of the Wizard.

When the Wizard finishes, a remote installation task is created to install the application on client devices. You can
start or stop the task in the Tasks folder.

Using the Protection Deployment Wizard, you can install Network Agent on client devices running Windows,
Linux, and macOS.

To manage 64-bit security applications using Kaspersky Security Center on devices running Linux operating
systems, you must use the 64-bit Network Agent for Linux. You can download the necessary version of
Network Agent from the Technical Support website.

Before remote installation of Network Agent on a device running Linux, you have to prepare the device.

Managing object revisions


This section contains information about object revision management. Kaspersky Security Center allows you to
track object modification. Every time you save changes made to an object, a revision is created. Each revision has a
number.

Application objects that support revision management include:

Administration Servers

Policies

Tasks

Administration groups

User accounts

Installation packages

You can perform the following actions on object revisions:

Compare a selected revision to the current one

Compare selected revisions

Compare an object to a selected revision of another object of the same type

View a selected revision


Roll back changes made to an object to a selected revision

Save revisions as a .txt file

In the properties window of any object that supports revision management, the Revision history section displays a
list of object revisions with the following details:

Object revision number

Date and time the object was modified

Name of the user who modified the object

Action performed on the object

Description of the revision related to the change made to the object settings
By default, the object revision description is blank. To add a description to a revision, select the relevant revision
and click the Description button. In the Object revision description window, enter some text for the revision
description.

About object revisions


You can perform the following actions on object revisions:

Compare a selected revision to the current one

Compare selected revisions

Compare an object to a selected revision of another object of the same type

View a selected revision

Roll back changes made to an object to a selected revision

Save revisions as a .txt file

In the properties window of any object that supports revision management, the Revision history section displays a
list of object revisions with the following details:

Object revision number

Date and time the object was modified

Name of the user who modified the object

Action performed on the object

Description of the revision related to the change made to the object settings

Viewing the Revision history section


You can compare revisions of an object to the current revision, compare different revisions selected in the list, or
compare a revision of an object to a revision of another object of the same type.

To view the Revision history section of an object:

1. In the console tree, select one of the following objects:

Administration Server node

Policies folder

Tasks folder

Folder of an administration group

User accounts folder

Deleted objects folder

Installation packages subfolder, which is nested in the Remote installation folder

2. Depending on the location of the relevant object, do one of the following:

If the object is in the Administration Server node or an administration group node, right-click the node and
in the context menu select Properties.

If the object is in the Policies, Tasks, User accounts, Deleted objects, or Installation packages folder,
select the folder, and in the corresponding workspace select the object.

The object properties window opens.

3. In the left Sections pane, select Revision history.

The revision history is displayed in the workspace.

Comparing object revisions


You can compare past revisions of an object to the current revision, compare different revisions selected in the list,
or compare a revision of an object to a revision of another object of the same type.

To compare revisions of an object:

1. Select an object and proceed to the properties window of the object.

2. In the properties window, proceed to the Revision history section.

3. In the workspace, in the list of object revisions select the revision for comparison.
To select more than one revision of the object, use the Shift and Ctrl keys.

4. Do one of the following:

Click the Compare split button and select one of the values in the drop-down list:

Compare to current revision

Select this option to compare the selected revision to the current one.

Compare selected revisions

Select this option to compare two selected revisions.

Compare to another task

If you work with task revisions, select Compare to another task to compare the selected revision to
a revision of another task.
If you work with policy revisions, select Compare to another policy to compare the selected
revision to a revision of another policy.

Double-click the name of a revision, and in the revision properties window that opens click one of the
following buttons:

Compare to current

Click this button to compare the selected revision to the current one.

Compare to previous

Click this button to compare the selected revision to the previous one.

A report in HTML format about comparison of the revisions is displayed in your default browser.

In this report, you can minimize some of the sections containing revision settings. To minimize a section with
object revision settings, click the arrow icon next to the section name.

Administration Server revisions include all details of changes made, except for details from the following areas:

Traffic section

Tagging rules section

Notification section

Distribution points section

Virus outbreak section


No information is recorded, from the Virus outbreak section, about the configuration of policy activation that
occurs when a Virus outbreak event is triggered.

You can compare revisions of a deleted object to a revision of an existing object, but not the reverse: you cannot
compare revisions of an existing object to a revision of a deleted object.

Setting storage term for object revisions and for deleted object information
The storage term for object revisions and for information about deleted objects is the same. The default storage
term is 90 days. This is enough time for the regular audit of the program.
Only users with Modify permission in the Deleted objects area can change the storage period.
To change the storage term for object revisions and for information about deleted objects:

1. In the console tree, select the Administration Server for which you want to change the storage period.

2. Right-click and in the context menu select Properties.

3. In the Administration Server properties window that opens, in the Revision history repository section enter
the desired storage term (the number of days).

4. Click OK.

The object revisions and information about deleted objects will be stored for the number of days that you
entered.

Viewing an object revision


If you need to know which modifications were made to an object over a certain period of time, you can view the
revisions of this object.

To view the revisions of an object:

1. Proceed to the Revision history section of the object.

2. In the list of object revisions, select the revision whose settings you want to view.

3. Do one of the following:

Click the View revision button.

Open the revision properties window by double-clicking the revision name, and then clicking the View
revision button.

A report in HTML format with the settings of the selected object revision is displayed. In this report, you can
minimize some of the sections with object revision settings. To minimize a section with object revision settings,
click the arrow icon next to the section name.

Saving an object revision to a file


You can save an object revision as a text file, for example, in order to send it by email.

To save an object revision to a file:

1. Proceed to the Revision history section of the object.

2. In the list of revisions of an object, select the one whose settings you have to save.

3. Click the Advanced button and select the Save to file value in the drop-down list.

The revision is now saved as a .txt file.

Rolling back changes


You can roll back changes made to an object, if necessary. For example, you may have to revert the settings of a
policy to their state on a specific date.

To roll back changes made to an object:

1. Proceed to the Revision history section of the object.

2. In the list of object revisions, select the number of the revision to which you have to roll back changes.

3. Click the Advanced button and select the Roll back value in the drop-down list.

The object is now rolled back to the selected revision. The list of object revisions displays a record of the action
that was taken. The revision description displays information about the number of the revision to which you
reverted the object.

Adding a revision description


You can add a description for the revision to simplify the search for revisions in the list.

To add a description for a revision:

1. Proceed to the Revision history section of the object.

2. In the list of object revisions, select the revision for which you need to add a description.

3. Click the Description button.

4. In the Object revision description window, enter some text for the revision description.
By default, the object revision description is blank.

5. Click OK.

Deletion of objects
This section provides information about deleting objects and viewing information about objects after they are
deleted.

You can delete objects, including the following:

Policies

Tasks

Installation packages

Virtual Administration Servers


Users

Security groups

Administration groups

When you delete an object, information about it remains in the database. The storage term for information about
the deleted objects is the same as the storage term for object revisions (the recommended term is 90 days). You
can change the storage term only if you have the Modify permission in the Deleted objects area of rights.

About deletion of client devices

When you delete a managed device from an administration group, the application moves the device to the
Unassigned devices group. After device deletion, the installed Kaspersky applications—Network Agent and any
security application, for example Kaspersky Endpoint Security—remain on the device.

Kaspersky Security Center handles the devices in the Unassigned devices group according to the following rules:

If you have configured device moving rules and a device meets the criteria of a moving rule, the device is
automatically moved to an administration group according to the rule.

The device is stored in the Unassigned devices group and automatically removed from the group according to
the device retention rules.
The device retention rules do not affect the devices that have one or more drives encrypted with full disk
encryption. Such devices are not deleted automatically—you can only delete them manually. If you need to
delete a device with an encrypted drive, first decrypt the drive, and then delete the device.
When you delete a device with encrypted drive, the data required to decrypt the drive is also deleted. In this
case, to decrypt the drive, the following conditions must be met:

The device is reconnected to Administration Server to restore the data required to decrypt the drive.

The device user remembers the decryption password.

The security application that was used to encrypt the drive, for example Kaspersky Endpoint Security for
Windows, is still installed on the device.

If the drive was encrypted by Kaspersky Disk Encryption technology, you can also try recovering data by using
the FDERT Restore Utility.

When you delete a device from the Unassigned devices group manually, the application removes the device from
the list. After device deletion, the installed Kaspersky applications (if any) remain on the device. Then, if the device
is still visible to Administration Server and you have configured regular network polling, Kaspersky Security Center
discovers the device during the network polling and adds it back to the Unassigned devices group. Therefore, it is
reasonable to delete a device manually only if the device is invisible to Administration Server.

Deleting an object
You can delete objects such as policies, tasks, installation packages, internal users, and internal user groups if you
have Modify permission, which is in the Basic functionality category of rights (see Assigning permissions to users
and groups for more information).

To delete an object:

1. In the console tree, in the workspace of the required folder select an object.

2. Do one of the following:

Right-click the object and select Delete.

Press the DELETE key.

The object will be deleted, and the information about it will be stored in the database.

Viewing information about deleted objects


Information about deleted objects is stored in the Deleted objects folder for the same amount of time as object
revisions (the recommended period is 90 days).

Only users with Read permission in the Deleted objects area of rights can view the list of deleted objects (see
Assigning permissions to users and groups for more information).

To view the list of deleted objects,

In the console tree, select Deleted objects (by default, Deleted objects is a subfolder of the Advanced folder).

If you do not have Read permission in the Deleted objects area of rights, an empty list is displayed in the Deleted
objects folder.

The workspace of the Deleted objects folder contains the following information about deleted objects:

Name. The name of the object.

Type. Object type, such as policy, task, or installation package.

Time. Time when the object was deleted.

User. Account name of the user who deleted the object.

To view more information about an object:

1. In the console tree, select Deleted objects (by default, Deleted objects is a subfolder of the Advanced folder).

2. In the Deleted objects workspace, select the object that you want.
The box for working with the selected object appears on the right side of the workspace.

3. Do one of the following:

Click the Properties link in the box.

Right-click the object you selected in the workspace, and in the context menu select Properties.

The properties window of the object opens, displaying the following tabs:

General

Revision history

Deleting objects permanently from the list of deleted objects


Only users with Modify permission in the Deleted objects area of rights can delete objects permanently from the
list of deleted objects (see Assigning permissions to users and groups for more information).

To delete an object from the list of deleted objects:

1. In the console tree, select the node of the required Administration Server and then select the Deleted objects
folder.

2. In the workspace, select the object(s) that you want to delete.

3. Do one of the following:

Press the DELETE key.

In the context menu of the object(s) that you selected, select Delete.

4. In the confirmation dialog box, click Yes.

The object is deleted permanently from the list of deleted objects. All information about this object (including all
its revisions) is permanently removed from the database. You cannot restore this information.

Mobile Device Management


Management of mobile device protection through Kaspersky Security Center is carried out by using the Mobile
Device Management feature, which requires a dedicated license. If you are intending to manage mobile devices
owned by employees in your organization, you must enable Mobile Device Management.

This section provides instructions for enabling, configuring and disabling Mobile Device Management. This section
also describes how to manage mobile devices connected to Administration Server.

For details about Kaspersky Security for Mobile, see Kaspersky Security for Mobile Help.

Scenario: Mobile Device Management deployment


This section provides a scenario for configuring the Mobile Device Management feature in Kaspersky Security
Center.

Prerequisites

Make sure that you have a license that grants access to the Mobile Device Management feature.

Stages

Deployment of the Mobile Device Management feature proceeds in stages:

1 Preparing the ports

Make sure that port 13292 is available on the Administration Server. This port is required for connecting mobile
devices. Also, you may want to make port 17100 available. This port is only required for the activation proxy server
for managed mobile devices; if managed mobile devices have internet access, you do not have to make this port
available.

2 Enabling Mobile Device Management

You can enable Mobile Device Management when you are running the Administration Server Quick Start Wizard
or later.

3 Specifying the external address of the Administration Server

You can specify the external address when you run the Administration Server Quick Start Wizard or later. If you
did not select Mobile Device Management for installation and did not specify the address in the installation
wizard, specify the external address in the installation package properties.

4 Adding mobile devices to the Managed devices group

Add the mobile devices to the Managed devices group so that you can manage these devices through policies.
You can create a moving rule in one of the steps of the Administration Server Quick Start Wizard. You can also
create the moving rule later. If you do not create such a rule, you can add mobile devices to the Managed devices
group manually.

You can add mobile devices to the Managed devices group directly, or you can create a subgroup (or multiple
subgroups) for them.

At any time afterward, you can connect any new mobile device to the Administration Server using the New
Mobile Device Connection Wizard.

5 Creating a policy for mobile devices

To manage mobile devices, create a policy (or multiple polices) for them in the group where these devices belong.
You can change the settings of this policy at any time afterward.

Results

Upon completion of the scenario, you can manage Android and iOS devices using Kaspersky Security Center. You
can work with certificates of mobile devices and send commands to mobile devices.

About group policy for managing EAS and iOS MDM devices
To manage iOS MDM and EAS devices, you can use the Kaspersky Device Management for iOS management plug-in, which is included in the Kaspersky Security Center distribution kit. Kaspersky Device Management for iOS allows you to create group policies for specifying the configuration settings of iOS MDM and EAS devices without using iPhone® Configuration Utility and the management profile of Exchange ActiveSync.

A group policy for managing EAS and iOS MDM devices provides the administrator with the following options:

For managing EAS devices:

Configuring the device-unlocking password.

Configuring data storage on the device in encrypted form.

Configuring synchronization of corporate mail.


Configuring the hardware features of mobile devices, such as the use of removable drives, the camera, or
Bluetooth.

Configuring restrictions on use of mobile applications on the device.

For managing iOS MDM devices:

Configuring device password security settings.

Configuring restrictions on usage of hardware features of the device and restrictions on installation and
removal of mobile apps.

Configuring restrictions on the use of pre-installed mobile apps, such as YouTube™, iTunes® Store, or Safari.

Configuring restrictions on media content (such as movies and TV shows) viewed, by the region where the
device is located.

Configuring device connection to the internet through the proxy server (Global HTTP proxy).

Configuring the account with which the user can access corporate applications and services (Single Sign-On (SSO) technology).

Monitoring internet usage (visits to websites) on mobile devices.

Configuring wireless networks (Wi-Fi), access points (APNs), and virtual private networks (VPNs) that use
different authentication mechanisms and network protocols.

Configuring settings of the connection to AirPlay® devices for streaming photos, music, and videos.

Configuring settings of the connection to AirPrint™ printers for wireless printing of documents from the
device.

Configuring synchronization with the Microsoft Exchange server and user accounts for using corporate
email on devices.

Configuring user credentials for synchronization with the LDAP directory service.

Configuring user credentials for connecting to CalDAV and CardDAV services that give users access to
corporate calendars and contact lists.

Configuring settings of the iOS interface, such as fonts or icons for favorite websites, on the user's device.

Adding new security certificates on devices.

Configuring the Simple Certificate Enrollment Protocol (SCEP) server for automatic retrieval of certificates
by the device from the Certification Authority.

Adding custom settings for working with mobile apps.

A policy for managing EAS and iOS MDM devices is special in that it is assigned to an administration group that
includes iOS MDM Server and Exchange ActiveSync Mobile Devices Server (referred to collectively as "Mobile
Device Servers"). All settings speci ed in this policy are rst applied to Mobile Device Servers and then to mobile
devices managed by such servers. In the case of a hierarchical structure of administration groups, secondary
Mobile Device Servers receive the policy settings from primary Mobile Device Servers and distribute them to
mobile devices.

For more details on how to use the group policy for managing EAS and iOS MDM devices in Kaspersky Security
Center Administration Console, please refer to the Kaspersky Security for Mobile documentation.

Enabling Mobile Device Management


To manage mobile devices, you must enable Mobile Device Management. If you did not enable this feature in the
Quick Start Wizard, you can enable it later. Mobile Device Management requires a license.

Enabling Mobile Device Management is only available on the primary Administration Server.

To enable Mobile Device Management:

1. In the console tree, select the Mobile Device Management folder.

2. In the workspace of the folder, click the Enable Mobile Device Management button. This button is only
available if you have not enabled Mobile Device Management before.
The Additional components page of the Administration Server Quick Start Wizard is displayed.

3. Select Enable Mobile Device Management in order to manage mobile devices.

4. On the Select application activation method page, activate the application by using a key file or activation
code.
Management of mobile devices will not be possible until you activate the Mobile Device Management feature.

5. On the Proxy server settings to gain access to the Internet page, select the Use proxy server check box if
you want to use a proxy server when connecting to the internet. When this check box is selected, the fields
become available for entering settings. Specify the settings for proxy server connection.

6. On the Check for updates for plug-ins and installation packages page, select one of the following options:

Check whether plug-ins and installation packages are up to date

Starting the check of up-to-date status. If the check detects outdated versions of some plug-ins or
installation packages, the Wizard prompts you to download up-to-date versions to replace the
outdated ones.

Skip check

Continuing work without checking whether plug-ins and installation packages are up-to-date. You can
select this option if, for example, you have no internet access or if you want to proceed with the
outdated version of the application for some reason.

Skipping the check of updates for plug-ins may result in improper functioning of the application.

7. On the Latest plug-in versions available page, download and install the latest versions of plug-ins in the
language that your application version requires. Updating the plug-ins does not require a license.

After you install the plug-ins and packages, the application checks whether all plug-ins required for proper
functioning of mobile devices have been installed. If outdated versions of some plug-ins are detected, the
Wizard prompts you to download up-to-date versions to replace the outdated ones.

8. On the Mobile device connection settings page, set up the Administration Server ports.

When the Wizard completes, the following changes will be made:

The Kaspersky Endpoint Security for Android policy will be created.

The Kaspersky Device Management for iOS policy will be created.

Ports will be opened on the Administration Server for mobile devices.

Modifying the Mobile Device Management settings


To modify the Mobile Device Management settings:

1. In the console tree, select the Mobile Device Management folder.

2. In the workspace of the folder, click the Connection ports for mobile devices link.
The Additional ports section of the Administration Server properties window is displayed.

3. In the Additional ports section, modify the relevant settings:

SSL port for the activation proxy server

The number of an SSL port for connection of Kaspersky Endpoint Security for Windows to activation
servers of Kaspersky.
The default port number is 17000.

Open port for mobile devices

A port opens for mobile devices to connect to the Licensing Server. You can define the port number
and other settings in the fields below.
By default, this option is enabled.

Port for mobile device synchronization

Number of the port through which mobile devices connect to the Administration Server and exchange
data with it. The default port number is 13292.
You can assign a different port if port 13292 is being used for other purposes.

Port for mobile device activation

The port for connection of Kaspersky Endpoint Security for Android to activation servers of Kaspersky.
The default port number is 17100.

4. Click OK.
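The ports named in the Preparing the ports stage of the deployment scenario and in the Additional ports section above are the usual point of failure when mobile devices cannot enroll. The following PowerShell script is an added example and is not part of the Kaspersky documentation or product. On the Administration Server it checks that each mobile port has a listening process and an enabled inbound Windows Firewall rule; from a client network it checks that the ports are reachable and reads the certificate that the synchronization port presents so that you can compare its thumbprint with the Administration Server certificate you expect. The host name ksc-admin.example.local is a placeholder, and the assumption that port 13292 terminates TLS is the example's own.

```powershell
# Added example, not Kaspersky code. Checks the Kaspersky Security Center
# mobile-device ports locally (on the Administration Server) and remotely
# (from a client network). The host name and the TLS assumption for 13292
# are placeholders/assumptions of this example.
param(
    [string]$AdminServer = 'ksc-admin.example.local'   # placeholder host name
)

# Default port numbers as listed in the Additional ports section of the Help.
$MobilePorts = @{
    13292 = 'Mobile device synchronization'
    17100 = 'Mobile device activation (Kaspersky Endpoint Security for Android)'
    17000 = 'Activation proxy SSL port (Kaspersky Endpoint Security for Windows)'
}

# Run on the Administration Server: is a process listening on each port, and
# does an enabled inbound Windows Firewall rule allow it?
function Test-LocalMobilePorts {
    foreach ($port in ($MobilePorts.Keys | Sort-Object)) {
        $listen = @(Get-NetTCPConnection -LocalPort $port -State Listen -ErrorAction SilentlyContinue)
        $owner  = if ($listen.Count -gt 0) {
            (Get-Process -Id $listen[0].OwningProcess -ErrorAction SilentlyContinue).ProcessName
        }
        $rules  = Get-NetFirewallPortFilter -ErrorAction SilentlyContinue |
                  Where-Object { $_.Protocol -eq 'TCP' -and $_.LocalPort -contains "$port" } |
                  Get-NetFirewallRule |
                  Where-Object { $_.Enabled -eq 'True' -and $_.Direction -eq 'Inbound' -and $_.Action -eq 'Allow' }
        [pscustomobject]@{
            Port            = $port
            Purpose         = $MobilePorts[$port]
            Listening       = ($listen.Count -gt 0)
            Process         = $owner
            FirewallAllowed = ($null -ne $rules)
        }
    }
}

# Run from a client network (for example the mobile users' Wi-Fi) to confirm
# the ports are reachable through every firewall and NAT in between.
function Test-RemoteMobilePorts {
    param([string]$ComputerName = $AdminServer)
    foreach ($port in ($MobilePorts.Keys | Sort-Object)) {
        $r = Test-NetConnection -ComputerName $ComputerName -Port $port -WarningAction SilentlyContinue
        [pscustomobject]@{
            Port      = $port
            Purpose   = $MobilePorts[$port]
            Reachable = $r.TcpTestSucceeded
            RemoteIP  = $r.RemoteAddress
        }
    }
}

# Read the certificate the synchronization port presents. Assumption of this
# example: the port terminates TLS. Any certificate is accepted on purpose,
# because the point is to see what is served and compare its thumbprint with
# the Administration Server certificate you expect, not to trust it here.
function Get-MobilePortCertificate {
    param([string]$ComputerName = $AdminServer, [int]$Port = 13292)
    $tcp = New-Object System.Net.Sockets.TcpClient($ComputerName, $Port)
    try {
        $acceptAll = [System.Net.Security.RemoteCertificateValidationCallback]{ $true }
        $ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false, $acceptAll)
        $ssl.AuthenticateAsClient($ComputerName)
        $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
        [pscustomobject]@{
            Subject    = $cert.Subject
            Issuer     = $cert.Issuer
            NotAfter   = $cert.NotAfter
            Thumbprint = $cert.Thumbprint
            Protocol   = $ssl.SslProtocol
        }
    }
    finally { $tcp.Close() }
}

# Call the local check on the Administration Server and the other two from a client.
Test-LocalMobilePorts     | Format-Table -AutoSize
Test-RemoteMobilePorts    | Format-Table -AutoSize
Get-MobilePortCertificate | Format-List
```

A port that is listening but has no allowing firewall rule, or is reachable only from the LAN, is the typical reason enrollment succeeds in the office and fails on mobile networks; the thumbprint check catches a reverse proxy or TLS inspection device presenting its own certificate in front of the Administration Server.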

Disabling Mobile Device Management

Disabling Mobile Device Management is only available on the primary Administration Server.

To disable Mobile Device Management:

1. In the console tree, select the Mobile Device Management folder.

2. In the workspace of this folder, click the Configure additional components link.
The Additional components page of the Administration Server Quick Start Wizard is displayed.

3. Select Do not enable Mobile Device Management if you do not want to manage mobile devices any longer.

4. Click OK.

Previously connected mobile devices will not be able to connect to Administration Server. The port for mobile
device connection and the port for mobile device activation will be closed automatically.

Policies that were created for Kaspersky Endpoint Security for Android and Kaspersky Device Management for
iOS will not be deleted. The certificate issuance rules will not be modified. The plug-ins that have been installed
will not be removed. The moving rule for mobile devices will not be deleted.

After you re-enable Mobile Device Management on managed mobile devices, you may have to reinstall mobile
apps that are required for mobile device management.

Working with commands for mobile devices


This section contains information about commands for managing mobile devices supported by Kaspersky Security
Center. The section provides instructions on how to send commands to mobile devices, as well as how to view the
execution statuses of commands in the command log.

Commands for mobile device management


Kaspersky Security Center supports commands for mobile device management.

Such commands are used for remote mobile device management. For example, if your mobile device is lost, you
can delete corporate data from the device by using a command.

You can use commands for the following types of managed mobile devices:

iOS MDM devices

Kaspersky Endpoint Security (KES) devices


EAS devices

Each device type supports a dedicated set of commands.

Special considerations for certain commands

For all types of devices, if the Reset to factory settings command is successfully executed, all data is deleted
from the device, and the device settings are rolled back to their factory values.

After successful execution of the Wipe corporate data command on an iOS MDM device, all installed
configuration profiles, provisioning profiles, the iOS MDM profile, and applications for which the Remove
together with iOS MDM profile check box has been selected are removed from the device.

If the Wipe corporate data command is successfully executed on a KES device, all corporate data, entries in
Contacts, the SMS history, the call log, the calendar, the internet connection settings, and the user accounts,
except for the Google™ account, will be deleted from the device. For a KES device, all data from the memory
card will also be deleted.

Before sending the Locate command to a KES device, you will have to confirm that you are using this command
for an authorized search for a lost device that belongs to your organization or to one of your employees. A
mobile device that receives the Locate command is not locked.

List of commands for mobile devices

The following table shows the set of commands for iOS MDM devices.

Supported commands for mobile device management: iOS MDM devices

Command                        Command execution result
Lock                           The mobile device is locked.
Unlock                         Mobile device locking with a PIN is disabled. The previously specified PIN has been reset.
Reset to factory settings      All data is deleted from the mobile device and the settings are rolled back to their default values.
Wipe corporate data            All installed configuration profiles, provisioning profiles, the iOS MDM profile, and applications for which the Remove together with iOS MDM profile check box has been selected are removed from the device.
Synchronize device             The mobile device data is synchronized with the Administration Server.
Install profile                The configuration profile is installed on the mobile device.
Remove profile                 The configuration profile is deleted from the mobile device.
Install provisioning profile   The provisioning profile is installed on the mobile device.
Remove provisioning profile    The provisioning profile is deleted from the mobile device.
Install app                    The app is installed on the mobile device.
Remove app                     The app is removed from the mobile device.
Enter redemption code          The redemption code for a paid app is entered.
Configure roaming              Data roaming and voice roaming are enabled or disabled.

The following table shows the set of commands for KES devices.

Supported commands for mobile device management: KES devices

Command                        Command execution result
Lock                           The mobile device is locked.
Unlock                         Mobile device locking with a PIN is disabled. The previously specified PIN has been reset.
Reset to factory settings      All data is deleted from the mobile device and the settings are rolled back to their default values.
Wipe corporate data            Corporate data, entries in Contacts, the SMS history, the call log, the calendar, the internet connection settings, and the user accounts (except for the Google account) are deleted. Memory card data is wiped.
Synchronize device             The mobile device data is synchronized with the Administration Server.
Locate device                  The mobile device is located and shown on Google Maps™. The mobile carrier charges a fee for sending SMS messages and for providing internet connectivity.
Mugshot                        The mobile device is locked. A photo is taken by the front camera of the device and saved on Administration Server. Photos can be viewed in the command log. The mobile carrier charges a fee for sending SMS messages and for providing internet connectivity.
Alarm                          The mobile device sounds an alarm.

The following table shows the commands for EAS devices.

Supported commands for mobile device management: EAS devices

Command                        Command execution result
Reset to factory settings      All data is deleted from the mobile device and the settings are rolled back to their default values.

Using Google Firebase Cloud Messaging


To ensure timely delivery of commands to KES devices managed by the Android operating system, Kaspersky
Security Center uses the mechanism of push notifications. Push notifications are exchanged between KES devices
and Administration Server through Google Firebase Cloud Messaging. In Kaspersky Security Center Administration
Console, you can specify the Google Firebase Cloud Messaging settings to connect KES devices to the service.

To retrieve the settings of Google Firebase Cloud Messaging, you must have a Google account.

To con gure Google Firebase Cloud Messaging:

1. In the Mobile Device Management folder in the console tree, select the Mobile devices subfolder.
2. In the context menu of the Mobile devices folder, select Properties.
This opens the properties window of the Mobile devices folder.

3. Select the Google Firebase Cloud Messaging settings section.

4. In the Sender ID field, specify the number of the Google API project that you received when creating it in
the Google Developer Console.

5. In the Server key field, enter the server key that you created in the Google Developer Console. Treat this key
as a credential: anyone who holds it can send push messages to your project's devices, so restrict who can read it
and replace it if it is exposed.

At the next synchronization with Administration Server, KES devices managed by Android operating systems will
be connected to Google Firebase Cloud Messaging.

You can edit the Google Firebase Cloud Messaging settings by clicking the Reset settings button.

Sending commands
To send a command to the user's mobile device:

1. In the Mobile Device Management folder in the console tree, select the Mobile devices subfolder.
The folder workspace displays a list of managed mobile devices.

2. Select the user's mobile device to which you need to send a command.

3. In the context menu of the mobile device, select Show command log.

4. In the Mobile device management commands window, proceed to the section with the name of the command
that you need to send to the mobile device, then click the Send command button.
Depending on the command that you have selected, clicking the Send command button may open the window
of advanced settings of the application. For example, when you send the command for deleting a provisioning
profile from a mobile device, the application prompts you to select the provisioning profile that must be deleted
from the mobile device. Define the advanced settings of the command in that window and confirm your
selection. After that, the command will be sent to the mobile device.
You can click the Resend button to send the command to the user's mobile device again.
You can click the Remove from queue button to cancel execution of a command that was sent if the command
has not yet been executed.
The Command log section displays commands that have been sent to the mobile device, with the respective
execution statuses. Click Refresh to update the list of commands.

5. Click OK to close the Mobile device management commands window.

Viewing the statuses of commands in the command log


The application saves to the command log information about all commands that have been sent to mobile devices.
The command log contains information about the time and date that each command was sent to the mobile
device, their respective statuses, and detailed descriptions of command execution results. For example, in case
execution of a command is unsuccessful, the log displays the cause of the error. Records are stored in the
command log for 30 days maximum.

Commands sent to mobile devices can have the following statuses:

Running—The command has been sent to the mobile device.

Completed—The command execution has successfully completed.

Completed with error—The command execution has failed.

Deleting—The command is being removed from the queue of commands sent to the mobile device.

Deleted—The command has been successfully removed from the queue of commands sent to the mobile
device.

Error deleting—The command could not be removed from the queue of commands sent to the mobile device.

The application maintains a command log for each mobile device.

To view the log of commands sent to a mobile device:

1. In the Mobile Device Management folder in the console tree, select the Mobile devices subfolder.
The folder workspace displays a list of managed mobile devices.

2. In the list of mobile devices, select the one for which you want to view the command log.

3. In the context menu of the mobile device, select Show command log.
The Mobile device management commands window opens. The sections of the Mobile device management
commands window correspond to the commands that can be sent to the mobile device.

4. Select sections containing the necessary commands and view information about how the commands are sent
and executed in the Command log section.

In the Command log section, you can view the list of commands that have been sent to the mobile device and
details about those commands. The Show commands filter allows you to display in the list only commands with the
selected status.

Working with certi cates of mobile devices


This section contains information about how to work with certificates of mobile devices. The section contains
instructions on how to install certificates on users' mobile devices and how to configure certificate issuance rules.
The section also contains instructions on how to integrate the application with the public key infrastructure and
how to configure the support of Kerberos.

Starting the Certificate Installation Wizard


You can install the following types of certificates on a user's mobile device:

Shared certificates for identifying the mobile device

Mail certificates for configuring the corporate mail on the mobile device

VPN certificate for configuring access to a virtual private network on the mobile device

To install a certificate on a user's mobile device:


1. In the console tree, expand the Mobile Device Management folder and select the Certificates subfolder.

2. In the workspace of the Certificates folder, click the Add certificate link to run the Certificate Installation
Wizard.

Follow the instructions of the Wizard.

After the Wizard finishes, a certificate will be created and added to the list of the user's certificates; in addition, a
notification will be sent to the user, providing the user with a link for downloading and installing the certificate on
the mobile device. You can view the list of all certificates and export it to a file. You can delete and reissue
certificates, as well as view their properties.

Step 1. Selecting certificate type


Specify the type of certificate that must be installed on the user's mobile device:

Mobile certificate—for identifying the mobile device

Mail certificate—for configuring the corporate mail on the mobile device

VPN certificate—for configuring access to a virtual private network on the mobile device

Step 2. Selecting device type

This window is displayed only if you selected Mail certificate or VPN certificate as the certificate type.

Specify the type of the operating system on the device:

iOS MDM device. Select this option if you have to install a certificate on a mobile device that is connected to
the iOS MDM Server by using the iOS MDM protocol.

KES device managed by Kaspersky Security for Mobile. Select this option if you have to install a certificate
on a KES device. In this case, the certificate will be used for user identification upon every connection to the
Administration Server.

KES device connected to Administration Server without user certificate authentication. Select this option
if you have to install a certificate on a KES device that does not use certificate authentication. In this case, at the
final step of the Wizard, in the User notification method window, the administrator must select the user
authentication type used at every connection to the Administration Server.

Step 3. Selecting a user


In the list, select users, user groups, or Active Directory user groups for which you have to install the certificate.

In the User selection window, you can search for Kaspersky Security Center internal users. You can click Add to
add an internal user.

Step 4. Selecting certificate source
In this window, you can select the certificate source that Administration Server will use to identify the mobile
device. You can specify a certificate using one of the following methods:

Create a certificate automatically, by means of Administration Server tools, then deliver the certificate to the
device.

Specify a certificate file that was created earlier. This method is not available if multiple users were selected at
the previous step.

Select the Publish certificate check box if you have to send to a user a notification about creation of a certificate
for his or her mobile device.

If the user's mobile device has already been previously authenticated using a certificate so there is no need to
specify an account name and password to receive a new certificate, clear the Publish certificate check box. In this
case, the User notification method window will not be displayed.

Step 5. Assigning a tag to the certificate


The Certificate tag window is displayed if iOS MDM device has been selected in the Device type.

In the drop-down list, you can assign a tag to the certificate of the user's iOS MDM device. The certificate with the
assigned tag may have specific parameters set for this tag in the Kaspersky Device Management for iOS policy
properties.

The drop-down list prompts you to select the Certificate template 1, Certificate template 2, or Certificate
template 3 tag. You can configure the tags in the following sections:

If Mail certificate has been selected in the Certificate type window, the tags for it can be configured in the
properties of the Exchange ActiveSync account for mobile devices (Managed devices → Policies →
Kaspersky Device Management for iOS policy properties → Exchange ActiveSync section → Add →
Advanced).

If VPN certificate has been selected in the Certificate type window, the tags for it can be configured in the
properties of the VPN for mobile devices (Managed devices → Policies → Kaspersky Device Management for
iOS policy properties → VPN section → Add → Advanced). You cannot configure the tags used for VPN
certificates if the L2TP, PPTP, or IPSec (Cisco™) connection type is selected for your VPN.

Step 6. Specifying certificate publishing settings


In this window, you can specify the following certificate publishing settings:

Do not notify the user about a new certificate

Enable this option if you do not want to send a user a notification about creation of a certificate for the
user's mobile device. In this case, the User notification method window will not be displayed.

This option is only applicable to devices with Kaspersky Endpoint Security for Android installed.

You might want to enable this option, for example, if the user's mobile device has already been previously
authenticated by means of a certificate so there is no need to specify an account name and password to
receive a new certificate.

Allow the device to have multiple receipts of a single certificate (only for devices with Kaspersky Endpoint
Security for Android installed)

Enable this option if you want Kaspersky Security Center to automatically resend the certificate every
time it is soon to expire or when it is not found on the target device.

The certificate is automatically resent several days before the certificate expiration date. You can set the
number of days in the Certificate issuance rules window.

In some cases, the certificate cannot be found on the device. For example, this can happen when the user
reinstalls the Kaspersky security application on the device or resets the device settings and data to
factory defaults. In this case Kaspersky Security Center checks the device ID at the next attempt of the
device to connect to the Administration Server. If the device has the same ID as it had when the certificate
was issued, the application resends the certificate to the device.
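The automatic resend described above only fires inside the window you set in the certificate issuance rules, so it is worth knowing, independently of the console, which device, mail and VPN certificates are about to expire. The PowerShell function below is an added example and is not Kaspersky code. Given a folder of certificate files, it reports for each one the days left, whether it is expired, due for reissue, or fine, and whether it carries the Client Authentication extended key usage that a certificate used to identify a device to a server is expected to have. The folder path, the 30-day default window, and the Client Authentication expectation are assumptions of the example.

```powershell
# Added example, not Kaspersky code. Reports expiry state and EKU of certificate
# files in a folder, using the same "days before expiry" idea as the certificate
# issuance rules. Path, window and the Client Authentication expectation are
# assumptions of this example.
function Get-MobileCertificateStatus {
    param(
        [Parameter(Mandatory)][string]$Path,   # folder with .cer/.crt/.der files (assumed layout)
        [int]$RenewalWindowDays = 30,          # mirror the value set in Certificate issuance rules
        [datetime]$Now = (Get-Date)            # injectable for reproducible reports
    )
    $clientAuthOid = '1.3.6.1.5.5.7.3.2'       # id-kp-clientAuth

    Get-ChildItem -Path $Path -Include *.cer, *.crt, *.der -Recurse -File | ForEach-Object {
        $file = $_
        try {
            $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($file.FullName)
        } catch {
            Write-Warning "Skipping $($file.FullName): not a readable X.509 certificate"
            return
        }

        # Days until NotAfter, negative when already expired.
        $daysLeft = [math]::Floor(($cert.NotAfter - $Now).TotalDays)
        $state = if ($daysLeft -lt 0) { 'Expired' }
                 elseif ($daysLeft -le $RenewalWindowDays) { 'ReissueDue' }
                 else { 'OK' }

        # Extended Key Usage: a device or VPN client certificate should carry Client Authentication.
        $eku = $cert.Extensions |
               Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] } |
               Select-Object -First 1
        $hasClientAuth = $false
        if ($eku) {
            $hasClientAuth = [bool]($eku.EnhancedKeyUsages | Where-Object { $_.Value -eq $clientAuthOid })
        }

        [pscustomobject]@{
            File          = $file.Name
            Subject       = $cert.Subject
            Issuer        = $cert.Issuer
            NotAfter      = $cert.NotAfter
            DaysLeft      = $daysLeft
            State         = $state
            ClientAuthEku = $hasClientAuth
            Thumbprint    = $cert.Thumbprint
        }
    } | Sort-Object DaysLeft
}

# Usage (the folder path is a placeholder): list everything that needs attention.
# Get-MobileCertificateStatus -Path 'C:\KSC\exported-certs' -RenewalWindowDays 14 |
#     Where-Object { $_.State -ne 'OK' -or -not $_.ClientAuthEku } | Format-Table -AutoSize
```

Run it with the same number of days you configured in the Certificate issuance rules window; a certificate that this report marks ReissueDue but that the device has not received again points at a device whose ID changed (reinstall or factory reset), which is exactly the case the text above describes.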

Step 7. Selecting user notification method

This window is not displayed if you selected iOS MDM device as the device type or if you selected the Do not
notify the user about a new certificate option.

In the User notification method window, you can configure the user notification about certificate installation on
the mobile device.

In the Authentication method field, specify the user authentication type:

Credentials (domain or alias)

In this case, the user employs the domain password or the password of a Kaspersky Security Center
internal user to receive a new certificate.

One-time password

In this case, the user receives a one-time password that will be sent by email or by SMS. This password
must be entered to receive a new certificate.

This option changes to Password if you enabled (selected) the Allow the device multiple receipts of a
single certificate (only for devices with Kaspersky security applications for mobile devices installed)
option in the Certificate publishing settings window.

Password

In this case, the password is used every time the certi cate is sent to the user.

This option changes to One-time password, if you disabled (cleared) the Allow the device multiple
receipts of a single certi cate (only for devices with Kaspersky security applications for mobile
devices installed) option in the Certi cate publishing settings window.

This eld is displayed if you selected Mobile certi cate in the Certi cate type window or if you selected KES
device connected to Administration Server without user certi cate authentication as the device type.

Select the user noti cation option:

Show authentication password after the Wizard nishes

If you select this option, the user name, user name in Security Account Manager (SAM), and password for
certi cate retrieval for each of the selected users will be displayed at the nal step of the Certi cate
Installation Wizard. Con guration of user noti cation about an installed certi cate will be unavailable.

When you add certi cates for multiple users, you can save the provided credentials to a le by clicking the
Export button at the last step of the Certi cate Installation Wizard.

This option is unavailable if you selected Credentials (domain or alias) at the User noti cation
method step of the Certi cate Installation Wizard.

Notify user of new certi cate

If you select this option, you can con gure user noti cation about a new certi cate.

By email

In this group of settings, you can con gure user noti cation about installation of a new certi cate on
his or her mobile device using email messages. This noti cation method is only available if the SMTP
Server is enabled.
Click the Edit message link to view and edit the noti cation message, if necessary.

By SMS

In this group of settings, you can con gure the user noti cation about using SMS to install a certi cate
on mobile devices. This noti cation method is only available if SMS noti cation is enabled.
Click the Edit message link to view and edit the noti cation message, if necessary.

Step 8. Generating the certificate

At this step, the certificate is created.

You can click Finish to exit the Wizard.

The certificate is generated and displayed in the list of certificates in the workspace of the Certificates folder.

Configuring certificate issuance rules

The certificates are used for device authentication on the Administration Server. All managed mobile devices
must have certificates. You can configure how the certificates are issued.

To configure certificate issuance rules:

1. In the console tree, expand the Mobile Device Management folder and select the Certificates subfolder.

2. In the workspace of the Certificates folder, click the Configure certificate issuance rules button to open the
Certificate issuance rules window.

3. Proceed to the section with the name of a certificate type:

Issuance of mobile certificates—To configure the issuance of certificates for the mobile devices.
Issuance of mail certificates—To configure the issuance of mail certificates.
Issuance of VPN certificates—To configure the issuance of VPN certificates.

4. In the Issuance settings section, configure the issuance of the certificate:

Specify the certificate term in days.

Select a certificate source (Administration Server or Certificates are specified manually).
Administration Server is selected as the default source of certificates.

Specify a certificate template (Default template, Other template).

Configuration of templates is available only if integration with Public Key Infrastructure is enabled in the
Integration with PKI section.

5. In the Automatic Updates settings section, configure automatic updates of the certificate:

In the Renew when certificate is to expire in (days) field, specify how many days before expiration the
certificate must be renewed.

To enable automatic updates of certificates, select the Reissue certificate automatically if possible check
box.

A mobile certificate can be renewed manually only.

6. In the Password protection section, enable and configure the use of a password when decrypting certificates.

Password protection is only available for mobile certificates.

a. Select the Prompt for password during certificate installation check box.

b. Use the slider to define the maximum number of symbols in the password for encryption.

7. Click OK.

Integration with public key infrastructure

Integration of the application with the public key infrastructure (PKI) is required to simplify the issuance of domain
certificates to users. Following integration, certificates are issued automatically.

The minimum supported PKI server version is Windows Server 2008.

You have to configure the account for integration with PKI. The account must meet the following requirements:

Be a domain user and an administrator on the device that has Administration Server installed.

Be granted the SeServiceLogonRight privilege on the device with Administration Server installed.

To create a permanent user profile, log on at least once under the configured user account on the device with
Administration Server installed. In this user's certificate repository on the Administration Server device, install the
Enrollment Agent certificate provided by domain administrators.

To configure integration with the public key infrastructure:

1. In the console tree, expand the Mobile Device Management folder and select the Certificates subfolder.

2. In the workspace, click the Integrate with public key infrastructure button.
The Integration with PKI section of the Certificate issuance rules window opens.

3. Select the Integrate issuance of certificates with PKI check box.

4. In the Account field, specify the name of the user account to be used for integration with the public key
infrastructure.

5. In the Password field, enter the domain password for the account.

6. In the Certificate template name in PKI system list, select the certificate template that will be used for the
issuance of certificates to domain users.
A dedicated service is run in Kaspersky Security Center under the specified user account. This service is
responsible for issuing users' domain certificates. The service is run when the list of certificate templates is
loaded by clicking the Refresh list button or when a certificate is generated.

7. Click OK to save the settings.

Following integration, certificates are issued automatically.
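The account requirements above are easy to get wrong (the logon right is granted through local policy, the Enrollment Agent certificate has to sit in that account's own user store), so a pre-flight check is worth running before you enable the integration. The script below is an added example, not part of the Kaspersky documentation; it assumes it is run on the Administration Server host, logged on as the integration account, in an elevated session (secedit needs one), and it relies only on the standard Windows tooling and the standard Enrollment Agent EKU OID.

```powershell
# Added example; not part of the Kaspersky Security Center documentation.
# Pre-flight check for the PKI integration account. Run on the Administration Server
# host while logged on as that account, because the Enrollment Agent certificate must
# be in this account's own CurrentUser\My store. secedit requires an elevated session.
# 1.3.6.1.4.1.311.20.2.1 is the standard Microsoft "Certificate Request Agent" EKU OID.

$EnrollmentAgentOid = '1.3.6.1.4.1.311.20.2.1'

function Test-PkiIntegrationAccount {
    $identity  = [System.Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = New-Object System.Security.Principal.WindowsPrincipal($identity)
    $result = [ordered]@{
        Account              = $identity.Name
        # Heuristic: local accounts are reported as COMPUTERNAME\user.
        IsDomainUser         = ($identity.Name -notlike "$env:COMPUTERNAME\*")
        IsLocalAdmin         = $principal.IsInRole([System.Security.Principal.WindowsBuiltInRole]::Administrator)
        HasServiceLogonRight = $false
        EnrollmentAgentCert  = $null
    }

    # SeServiceLogonRight ("Log on as a service"): export the local security policy and
    # read the SID list for that right. The account may hold it directly or via a group.
    $cfg = Join-Path $env:TEMP ('secpol-{0}.inf' -f [guid]::NewGuid())
    secedit /export /cfg $cfg /quiet | Out-Null
    $line = Get-Content $cfg | Where-Object { $_ -match '^SeServiceLogonRight\s*=' } | Select-Object -First 1
    Remove-Item $cfg -ErrorAction SilentlyContinue
    if ($line) {
        $grantedSids = ($line -split '=', 2)[1] -split ',' | ForEach-Object { $_.Trim().TrimStart('*') }
        $mySids = @($identity.User.Value) + @($identity.Groups | ForEach-Object { $_.Value })
        $result.HasServiceLogonRight = [bool]($grantedSids | Where-Object { $mySids -contains $_ })
    }

    # Enrollment Agent certificate: in CurrentUser\My, unexpired, with its private key,
    # and carrying the Certificate Request Agent EKU (extension OID 2.5.29.37).
    $result.EnrollmentAgentCert = Get-ChildItem Cert:\CurrentUser\My | Where-Object {
        $_.HasPrivateKey -and $_.NotAfter -gt (Get-Date) -and
        ($_.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' } |
            ForEach-Object { $_.EnhancedKeyUsages } |
            Where-Object { $_.Value -eq $EnrollmentAgentOid })
    } | Select-Object -First 1

    [pscustomobject]$result
}

$check = Test-PkiIntegrationAccount
$check | Format-List
if (-not ($check.IsDomainUser -and $check.IsLocalAdmin -and
          $check.HasServiceLogonRight -and $check.EnrollmentAgentCert)) {
    Write-Warning 'Account does not meet all PKI integration requirements; see the fields above.'
}
```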

Enabling support of Kerberos Constrained Delegation


The application supports usage of Kerberos Constrained Delegation.

To enable support of Kerberos Constrained Delegation:

1. In the console tree, open the Mobile Device Management folder.

2. In the Mobile Device Management folder in the console tree, select the Mobile Device Servers subfolder.

3. In the workspace of the Mobile Device Servers folder, select an iOS MDM Server.

4. In the context menu of the iOS MDM Server, select Properties.

5. In the properties window of the iOS MDM Server, select the Settings section.

6. In the Settings section, select the Ensure compatibility with Kerberos constrained delegation check box.

7. Click OK.

Adding iOS mobile devices to the list of managed devices

To add an iOS mobile device to the list of managed devices, a shared certificate must be delivered and installed on
the device. Shared certificates are used by Administration Server for identifying mobile devices. A shared
certificate for an iOS mobile device is delivered within an iOS MDM profile. After a shared certificate is delivered
and installed on a mobile device, the device appears in the list of managed devices.

Kaspersky no longer supports Kaspersky Safe Browser.

You can add mobile devices of users to the list of managed devices by means of the New Mobile Device
Connection Wizard.

To connect an iOS device to the Administration Server by using a shared certificate:

1. Start the New Mobile Device Connection Wizard in one of the following ways:

Use the context menu in the User accounts folder:

1. In the console tree, expand the Advanced folder and select the User accounts subfolder.

2. In the workspace of the User accounts folder, select the users, user groups, or Active Directory user
groups whose mobile devices you want to add to the list of managed devices.

3. Right-click and in the context menu of the user account, select Add mobile device.
The New Mobile Device Connection Wizard starts.

In the workspace of the Mobile devices folder, click the Add mobile device button:

1. In the console tree, expand the Mobile Device Management folder and select the Mobile devices
subfolder.

2. In the workspace of the Mobile devices subfolder, click the Add mobile device button.
The New Mobile Device Connection Wizard starts.

2. On the Operating system page of the Wizard, select iOS as the mobile device operating system type.

3. On the Selecting iOS MDM Server page, select the iOS MDM Server.

4. On the Select users whose mobile devices you want to manage page, select the users, user groups, or Active
Directory user groups whose mobile devices you want to add to the list of managed devices.

This step is skipped if you start the Wizard by selecting Add mobile device in the context menu of the
User accounts folder.

If you want to add a new user account to the list, click the Add button and enter the user account properties
in the window that opens. If you want to modify or review the user account properties, select the user account
from the list and click the Properties button.

5. On the Certificate source page of the Wizard, specify the method for creating the shared certificate that
Administration Server will use to identify the mobile device. You can specify a shared certificate in one of the
following ways:

Issue certificate through Administration Server tools

Select this option to create a new certificate by means of Administration Server tools if you did not
create it previously.
If this option is selected, the iOS MDM profile will be automatically signed with a certificate generated
by Administration Server.
This option is selected by default.

Specify certificate file

Select this option to specify a certificate file that was created earlier.
This method is not available if multiple users were selected at the previous step.

6. On the User notification method page of the Wizard, define the settings for notifying the mobile device user
by SMS or email about certificate creation:

Show link in Wizard

If you select this option, a link to the installation package will be shown at the final step of the New
Device Connection Wizard.

This option is not available if multiple users were selected for the device connection.

Send link to user

Selecting this option allows you to configure user notification of connection of a new mobile device.
You can select the email address type, specify an additional email address, and edit the message text.
You can also select the type of the user phone for sending an SMS message, specify an additional
phone number, and edit the SMS message text.
If the SMTP Server has not been configured, no email messages can be sent to users. If SMS
notification has not been configured, no SMS messages can be sent to users.

7. On the Result page, click Finish to close the Wizard.

The iOS MDM profile is automatically published on the Kaspersky Security Center Web Server. The mobile
device user receives a notification with a link for downloading the iOS MDM profile from the Web Server. The
user clicks the link. Next, the mobile device's operating system prompts the user to accept the iOS MDM profile
installation. The user must agree to install the iOS MDM profile before the iOS MDM profile can be downloaded
to the mobile device. After the iOS MDM profile is downloaded and the mobile device is synchronized with the
Administration Server, the device is displayed in the Mobile devices folder, which is a subfolder of the Mobile
Device Management folder in the console tree.

For the user to proceed to the Kaspersky Security Center Web Server by using the link, connection with the
Administration Server over port 8061 must be available on the mobile device.

Adding Android mobile devices to the list of managed devices

To add an Android mobile device to the list of managed devices, Kaspersky Endpoint Security for Android and a
shared certificate must be delivered and installed on the mobile device. Shared certificates are used by
Administration Server for identifying mobile devices. After a shared certificate is delivered and installed on a
mobile device, the device appears in the list of managed devices.

You can add mobile devices of users to the list of managed devices by means of the New Mobile Device
Connection Wizard. The New Mobile Device Connection Wizard provides two options for delivery and installation
of a shared certificate and Kaspersky Endpoint Security for Android:

By using a Google Play link

By using a link from Kaspersky Security Center Web Server

In this case, the Kaspersky Endpoint Security for Android installation package stored for distribution on
Administration Server is used for installation.

Starting the New Mobile Device Connection Wizard

To start the New Mobile Device Connection Wizard, do one of the following:

Use the context menu in the User accounts folder:

1. In the console tree, expand the Advanced folder and select the User accounts subfolder.

2. In the workspace of the User accounts folder, select the users, user groups, or Active Directory user groups
whose mobile devices you want to add to the list of managed devices.

3. Right-click and in the context menu of the user account, select Add mobile device.
The New Mobile Device Connection Wizard starts.

In the workspace of the Mobile devices folder, click the Add mobile device button:

1. In the console tree, expand the Mobile Device Management folder and select the Mobile devices
subfolder.

2. In the workspace of the Mobile devices subfolder, click the Add mobile device button.
The New Mobile Device Connection Wizard starts.

Adding an Android mobile device by using a Google Play link

To install Kaspersky Endpoint Security for Android and a shared certificate on a mobile device using a Google Play
link:

1. Start the New Mobile Device Connection Wizard.

2. On the Operating system page of the Wizard, select Android as the mobile device operating system type.

3. On the Kaspersky Endpoint Security for Android installation method page of the Wizard, select By using a
Google Play link.

4. On the Select users whose mobile devices you want to manage page of the Wizard, select the users, user
groups, or Active Directory user groups whose mobile devices you want to add to the list of managed devices.

This step is skipped if the Wizard is started by selecting Add mobile device in the context menu of the User
accounts folder.

If you want to add a new user account to the list, click the Add button and enter the user account properties
in the window that opens. If you want to modify or review the user account properties, select the user account
from the list and click the Properties button.

5. On the Certificate source page of the Wizard, specify the method for creating the shared certificate that
Administration Server will use to identify the mobile device. You can specify a shared certificate in one of the
following ways:

Issue certificate through Administration Server tools

Select this option to create a new certificate by means of Administration Server tools if you did not
create it previously.
If this option is selected, the certificate is automatically issued by using Administration Server tools.
This option is selected by default.

Specify certificate file

Select this option to specify a certificate file that was created earlier.
This method is not available if multiple users were selected at the previous step.

6. On the User notification method page of the Wizard, define the settings for notifying the mobile device user
by SMS or email about certificate creation:

Show link in Wizard

If you select this option, a link to the installation package will be shown at the final step of the New
Device Connection Wizard.

This option is not available if multiple users were selected for the device connection.

Send link to user

Selecting this option allows you to configure user notification of connection of a new mobile device.
You can select the email address type, specify an additional email address, and edit the message text.
You can also select the type of the user phone for sending an SMS message, specify an additional
phone number, and edit the SMS message text.
If the SMTP Server has not been configured, no email messages can be sent to users. If SMS
notification has not been configured, no SMS messages can be sent to users.

7. On the Result page, click Finish to close the Wizard.

After the Wizard finishes, a link and a QR code will be sent to the user's mobile device, allowing download of
Kaspersky Endpoint Security for Android. The user clicks the link or scans the QR code. Next, the mobile device's
operating system prompts the user to accept the installation of Kaspersky Endpoint Security for Android.
After Kaspersky Endpoint Security for Android is downloaded and installed, the mobile device
connects to the Administration Server and downloads a shared certificate. After the certificate is installed on
the mobile device, the device is displayed in the Mobile devices folder, which is a subfolder of the Mobile Device
Management folder in the console tree.

Adding an Android mobile device using a link from Kaspersky Security Center Web Server

The Kaspersky Endpoint Security for Android installation package published on the Administration Server is used
for installation.

To install Kaspersky Endpoint Security for Android and a shared certificate on a mobile device using a link from
Web Server:

1. Start the New Mobile Device Connection Wizard.

2. On the Operating system page of the Wizard, select Android as the mobile device operating system type.

3. On the Kaspersky Endpoint Security for Android installation method page of the Wizard, select By using a
link from Web Server.
In the field that appears below, select an installation package or create a new one by clicking New.

4. On the Select users whose mobile devices you want to manage page of the Wizard, select the users, user
groups, or Active Directory user groups whose mobile devices you want to add to the list of managed devices.

This step is skipped if the Wizard is started by selecting Add mobile device in the context menu of the User
accounts folder.

If you want to add a new user account to the list, click the Add button and enter the user account properties
in the window that opens. If you want to modify or review the user account properties, select the user account
from the list and click the Properties button.

5. On the Certificate source page of the Wizard, specify the method for creating the shared certificate that
Administration Server will use to identify the mobile device. You can specify a shared certificate in one of the
following ways:

Issue certificate through Administration Server tools

Select this option to create a new certificate by means of Administration Server tools if you did not
create it previously.
If this option is selected, the certificate is automatically issued by using Administration Server tools.
This option is selected by default.

Specify certificate file

Select this option to specify a certificate file that was created earlier.
This method is not available if multiple users were selected at the previous step.

6. On the User notification method page of the Wizard, define the settings for notifying the mobile device user
by SMS or email about certificate creation:

Show link in Wizard

If you select this option, a link to the installation package will be shown at the final step of the New
Device Connection Wizard.

This option is not available if multiple users were selected for the device connection.

Send link to user

Selecting this option allows you to configure user notification of connection of a new mobile device.
You can select the email address type, specify an additional email address, and edit the message text.
You can also select the type of the user phone for sending an SMS message, specify an additional
phone number, and edit the SMS message text.
If the SMTP Server has not been configured, no email messages can be sent to users. If SMS
notification has not been configured, no SMS messages can be sent to users.

7. On the Result page, click Finish to close the Wizard.

The mobile app package of Kaspersky Endpoint Security for Android is automatically published on the Kaspersky
Security Center Web Server. The mobile app package contains the app, the settings for connecting the mobile
device to the Administration Server, and a certificate. The mobile device user will receive a notification
containing a link for downloading the package from the Web Server. The user clicks the link. The operating
system of the device then prompts the user to accept installation of the mobile app package. If the user agrees,
the package will be downloaded to the mobile device. After the package is downloaded and the mobile device is
synchronized with the Administration Server, the device is displayed in the Mobile devices folder, which is a
subfolder of the Mobile Device Management folder in the console tree.

Managing Exchange ActiveSync mobile devices

This section describes advanced features for management of EAS devices through Kaspersky Security Center.

In addition to management of EAS devices by means of commands, the administrator can use the following
options:

Create management profiles for EAS devices and assign them to users' mailboxes. An EAS device management
profile is a policy of Exchange ActiveSync that is used on a Microsoft Exchange server to manage EAS devices. In
an EAS device management profile, you can configure the following groups of settings:

User password management settings

Mail synchronization settings

Restrictions on the use of the mobile device features

Restrictions on the use of mobile applications on the mobile device

Depending on the mobile device model, settings of a management profile can be applied partially. The
status of an Exchange ActiveSync policy that has been applied can be viewed in the mobile device
properties.

View information about the settings of EAS device management. For example, in the mobile device properties,
the administrator can view the time of the last synchronization with a Microsoft Exchange server, the EAS
device ID, the Exchange ActiveSync policy name and its current status on the mobile device.

Disconnect EAS devices from management if they are out of use.

Define the settings of Active Directory polling by the Exchange Mobile Device Server, which allows updating the
information about users' mailboxes and mobile devices.

Adding a management profile

To manage EAS devices, you can create EAS device management profiles and assign them to selected Microsoft
Exchange mailboxes.

Only one EAS device management profile can be assigned to a Microsoft Exchange mailbox.

To add an EAS device management profile for a Microsoft Exchange mailbox:

1. In the console tree, open the Mobile Device Management folder.

2. In the Mobile Device Management folder in the console tree, select the Mobile Device Servers subfolder.

3. In the workspace of the Mobile Device Servers folder, select an Exchange Mobile Device Server.

4. In the context menu of the Exchange Mobile Device Server, select Properties.
The Mobile Device Server properties window opens.

5. In the properties window of the Exchange Mobile Device Server, select the Mailboxes section.

6. Select a mailbox and click the Assign profile button.
The Policy profiles window opens.

7. In the Policy profiles window, click the Add button.
The New profile window opens.

8. Configure the profile on the tabs of the New profile window.

If you want to specify the profile name and the update interval, select the General tab.

If you want to configure the password of the mobile device user, select the Password tab.

If you want to configure synchronization with the Microsoft Exchange server, select the Synchronization
tab.

If you want to configure restrictions on the mobile device features, select the Feature Restrictions tab.

If you want to configure restrictions on the use of mobile applications on the mobile device, select the
Application Restrictions tab.

9. Click OK.
The new profile will be displayed in the list of profiles in the Policy profiles window.
If you want this profile to be automatically assigned to new mailboxes, as well as to mailboxes whose profiles
have been deleted, select it in the list of profiles and click the Set as default profile button.

The default profile cannot be deleted. To delete the current default profile, you must assign the "default
profile" attribute to a different profile.

10. In the Policy profiles window, click OK.

The management profile settings will be applied on the EAS device at the next synchronization of the device
with the Exchange Mobile Device Server.

Removing a management profile

To remove an EAS device management profile for a Microsoft Exchange mailbox:

1. In the console tree, open the Mobile Device Management folder.

2. In the Mobile Device Management folder in the console tree, select the Mobile Device Servers subfolder.

3. In the workspace of the Mobile Device Servers folder, select an Exchange Mobile Device Server.

4. In the context menu of the Exchange Mobile Device Server, select Properties.
The Mobile Device Server properties window opens.

5. In the properties window of the Exchange Mobile Device Server, select the Mailboxes section.

6. Select a mailbox and click the Change profiles button.
The Policy profiles window opens.

7. In the Policy profiles window, select the profile that you want to remove and click the red Delete button.
The selected profile will be removed from the list of management profiles. The current default profile will be
applied to EAS devices managed by the profile that has been removed.

If you want to remove the current default profile, re-assign the "default profile" property to another profile,
then remove the first one.

Handling Exchange ActiveSync policies

After you install Exchange Mobile Device Server, in the Mailboxes section of the Server properties window, you can
view information about accounts of the Microsoft Exchange server that have been retrieved by polling the current
domain or domain forest.

Also, in the Exchange Mobile Device Server properties window, you can use the following buttons:

Change profiles allows you to open the Policy profiles window, which contains a list of policies retrieved from
the Microsoft Exchange server. In this window, you can create, edit, or delete Exchange ActiveSync policies. The
Policy profiles window is almost identical to the policy editing window in Exchange Management Console.

Assign profiles to mobile devices allows you to assign a selected Exchange ActiveSync policy to one or several
accounts.

Enable/disable ActiveSync allows you to enable or disable Exchange ActiveSync HTTP for one or multiple
accounts.

Configuring the scan scope

In the properties of the newly installed Exchange Mobile Device Server, in the Settings section, you can configure
the scan scope. By default, the scan scope is the current domain in which the Exchange Mobile Device Server is
installed. Selecting the Entire domain forest value expands the scan scope to include the entire domain forest.

Working with EAS devices

Devices retrieved by scanning the Microsoft Exchange server will be added to the common list of devices, which is
located in the Mobile Device Management node, in the Mobile devices folder.

If you want the Mobile devices folder to display Exchange ActiveSync devices only (hereinafter referred to as EAS
devices), filter the device list by clicking the Exchange ActiveSync (EAS) link that is located above this list.

You can manage EAS devices by means of commands. For example, the Reset to factory settings command
allows you to remove all data from a device and reset the device settings to the factory settings. This command is
useful if the device is lost or stolen, when you need to prevent corporate or personal data from falling into the
hands of a third party.

If all data has been deleted from the device, it will be deleted again the next time the device connects to the
Microsoft Exchange Server. The command will be repeated until the device is removed from the list of
devices. This behavior is caused by the operation principles of the Microsoft Exchange server.

To remove an EAS device from the list, in the context menu of the device, select Delete. If the Exchange
ActiveSync account is not deleted from the EAS device, the latter will reappear on the list of devices after the
next synchronization of the device with the Microsoft Exchange server.
Viewing information about an EAS device

To view information about an EAS device:

1. In the Mobile Device Management folder in the console tree, select the Mobile devices subfolder.
The folder workspace displays a list of managed mobile devices.

2. In the workspace, filter EAS devices by clicking the Exchange ActiveSync (EAS) link.

3. From the context menu of the mobile device, select Properties.
The properties window of the EAS device opens.

The properties window of the mobile device displays information about the connected EAS device.

Disconnecting an EAS device from management


To disconnect an EAS device from management by the Exchange Mobile Device Server:

1. In the Mobile Device Management folder in the console tree, select the Mobile devices subfolder.
The folder workspace displays a list of managed mobile devices.

2. In the workspace, filter EAS devices by clicking the Exchange ActiveSync (EAS) link.

3. Select the mobile device that you want to disconnect from management by the Exchange Mobile Device
Server.

4. In the context menu of the mobile device, select Delete.

The EAS device is marked for removal with a red cross icon. The mobile device is removed from the list of
managed devices after it is removed from the Exchange ActiveSync Server database. To do so, the
administrator must remove the user account on the Microsoft Exchange server.

User's rights to manage Exchange ActiveSync mobile devices

To manage mobile devices running under the Exchange ActiveSync protocol with Microsoft Exchange Server 2010
or Microsoft Exchange Server 2013, make sure that the user is included in a role group for which the following
cmdlets are allowed to execute:

Get-CASMailbox

Set-CASMailbox

Remove-ActiveSyncDevice

Clear-ActiveSyncDevice

Get-ActiveSyncDeviceStatistics

Get-AcceptedDomain

Set-AdServerSettings

Get-ActiveSyncMailboxPolicy

New-ActiveSyncMailboxPolicy

Set-ActiveSyncMailboxPolicy

Remove-ActiveSyncMailboxPolicy

To manage mobile devices running under the Exchange ActiveSync protocol with Microsoft Exchange Server 2007,
make sure that the user has been granted administrator rights. If the rights have not been granted, execute the
cmdlets that assign the administrator rights to the user (see the table below).

Administrator rights required for managing Exchange ActiveSync mobile devices on Microsoft Exchange Server 2007

Access: Full
Object: Branch "CN=Mobile Mailbox Policies,CN=Your Organization,CN=Microsoft Exchange,CN=Services,CN=Configuration,DC=yourdomain"
Cmdlet: Add-ADPermission -User <User name> -Identity "CN=Mobile Mailbox Policies,CN=<Organization name>,CN=Microsoft Exchange,CN=Services,CN=Configuration,DC=<Domain name>" -InheritanceType All -AccessRight GenericAll

Access: Read
Object: Branch "CN=Your Organization,CN=Microsoft Exchange,CN=Services,CN=Configuration,DC=yourdomain"
Cmdlet: Add-ADPermission -User <User name> -Identity "CN=<Organization name>,CN=Microsoft Exchange,CN=Services,CN=Configuration,DC=<Domain name>" -InheritanceType All -AccessRight GenericRead

Access: Read/write
Object: Properties msExchMobileMailboxPolicyLink and msExchOmaAdminWirelessEnable for objects in Active Directory
Cmdlet: Add-ADPermission -User <User name> -Identity "DC=<Domain name>" -InheritanceType All -AccessRight ReadProperty,WriteProperty -Properties msExchMobileMailboxPolicyLink,msExchOmaAdminWirelessEnable

Access: Full
Object: Mailbox repositories
Cmdlet: Get-MailboxDatabase | Add-ADPermission -User <user or group name> -ExtendedRights ms-Exch-Store-Admin

For detailed information about how to use cmdlets in the Exchange Management Shell console, please refer to
the Microsoft Exchange Server Technical Support website.
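Because the list above includes Clear-ActiveSyncDevice and Remove-ActiveSyncDevice (the wipe and unlink operations), the account used by the Exchange Mobile Device Server is a high-impact one, and it is worth verifying from the Exchange side exactly which of the required cmdlets its role-group membership actually covers. The script below is an added example, not part of the Kaspersky documentation; it assumes an Exchange 2010/2013 Management Shell, uses the standard RBAC cmdlets Get-ManagementRole and Get-ManagementRoleAssignment, and the account name it checks is a placeholder.

```powershell
# Added example; not part of the Kaspersky Security Center documentation.
# Run in the Exchange Management Shell (Exchange 2010/2013). It resolves which management
# roles effectively reach a user (directly or through role groups) and checks that every
# cmdlet the Exchange Mobile Device Server account needs is covered by one of those roles.
# Get-ManagementRole and Get-ManagementRoleAssignment are standard Exchange RBAC cmdlets;
# the user name passed at the bottom is a placeholder.

$RequiredCmdlets = @(
    'Get-CASMailbox', 'Set-CASMailbox',
    'Remove-ActiveSyncDevice', 'Clear-ActiveSyncDevice', 'Get-ActiveSyncDeviceStatistics',
    'Get-AcceptedDomain', 'Set-AdServerSettings',
    'Get-ActiveSyncMailboxPolicy', 'New-ActiveSyncMailboxPolicy',
    'Set-ActiveSyncMailboxPolicy', 'Remove-ActiveSyncMailboxPolicy'
)

function Test-EasManagementRights {
    param([Parameter(Mandatory = $true)][string]$UserName)

    # -GetEffectiveUsers expands role groups, so group membership is resolved for us.
    $effectiveRoles = Get-ManagementRoleAssignment -GetEffectiveUsers |
        Where-Object { $_.EffectiveUserName -eq $UserName } |
        ForEach-Object { [string]$_.Role } | Sort-Object -Unique

    foreach ($cmdlet in $RequiredCmdlets) {
        # Every role whose role entries include this cmdlet.
        $rolesWithCmdlet = @(Get-ManagementRole -Cmdlet $cmdlet | ForEach-Object { $_.Name })
        $grantingRoles   = @($effectiveRoles | Where-Object { $rolesWithCmdlet -contains $_ })
        [pscustomobject]@{
            Cmdlet     = $cmdlet
            Allowed    = ($grantingRoles.Count -gt 0)
            ViaRoles   = ($grantingRoles -join ', ')
            # False when no role in this organization scopes the cmdlet at all; verify such
            # entries by hand instead of treating them as missing rights.
            RoleScoped = ($rolesWithCmdlet.Count -gt 0)
        }
    }
}

$report = Test-EasManagementRights -UserName 'svc-ksc-eas'   # placeholder account name
$report | Format-Table -AutoSize

# Anything role-scoped but not granted is a gap the Exchange Mobile Device Server will hit.
$report | Where-Object { $_.RoleScoped -and -not $_.Allowed } |
    ForEach-Object { Write-Warning "Missing right for $($_.Cmdlet)" }
```

Keeping the resulting report with the change record for the service account also gives you a baseline to diff against later, so an unexpected widening of its roles is noticed.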

Managing iOS MDM devices

This section describes advanced features for management of iOS MDM devices through Kaspersky Security
Center. The application supports the following features for management of iOS MDM devices:

Define the settings of managed iOS MDM devices in centralized mode and restrict features of devices through
configuration profiles. You can add or modify configuration profiles and install them on mobile devices.

Install apps on mobile devices by means of provisioning profiles, bypassing App Store. For example, you can use
provisioning profiles for installation of in-house corporate apps on users' mobile devices. A provisioning profile
contains information about an app and a mobile device.

Install apps on an iOS MDM device through the App Store. Before installing an app on an iOS MDM device, you
must add that app to an iOS MDM Server.

Every 24 hours, a push notification is sent to all connected iOS MDM devices in order to synchronize data with the
iOS MDM Server.

For information about the configuration profile and the provisioning profile, as well as apps installed on an iOS MDM
device, please refer to the properties window of the device.

Signing an iOS MDM profile with a certificate


You can sign an iOS MDM profile with a certificate. You can use a certificate that you issued yourself, or you can
obtain a certificate from a trusted certification authority.

To sign an iOS MDM profile with a certificate:

1. In the Mobile Device Management folder in the console tree, select the Mobile devices subfolder.

2. In the context menu of the Mobile devices folder, select Properties.

3. In the properties window of the folder, select the Connection settings for iOS devices section.

4. Click the Browse button under the Select certificate file field.
The Certificate window opens.

5. In the Certificate type field, specify the public or private certificate type:

If the PKCS #12 container value is selected, specify the certificate file and the password.

If the X.509 certificate value is selected:

a. Specify the private key file (one with the *.prk or *.pem extension).

b. Specify the private key password.

c. Specify the public key file (one with the *.cer extension).

6. Click OK.

The iOS MDM profile is signed with the certificate.

Adding a configuration profile

To create a configuration profile, you can use Apple Configurator 2, which is available at the Apple Inc. website.
Apple Configurator 2 works only on devices running macOS; if you do not have such devices at your disposal,
you can use iPhone Configuration Utility on the device with Administration Console instead. However, Apple
Inc. does not support iPhone Configuration Utility any longer.

To create a configuration profile using iPhone Configuration Utility and to add it to an iOS MDM Server:

1. In the console tree, select the Mobile Device Management folder.

2. In the workspace of the Mobile Device Management folder, select the Mobile Device Servers subfolder.

3. In the workspace of the Mobile Device Servers folder, select an iOS MDM Server.

4. In the context menu of the iOS MDM Server, select Properties.


The Mobile Device Server properties window opens.

5. In the properties window of the iOS MDM Server, select the Configuration profiles section.

6. In the Configuration profiles section, click the Create button.
The New configuration profile window opens.

7. In the New configuration profile window, specify a name and ID for the profile.
The configuration profile ID should be unique; the value should be specified in Reverse-DNS format, for example,
com.companyname.identifier.

8. Click OK.
iPhone Configuration Utility then starts if you have it installed.

9. Reconfigure the profile in iPhone Configuration Utility.


For a description of the profile settings and instructions on how to configure the profile, please refer to the
documentation enclosed with iPhone Configuration Utility.

After you configure the profile with iPhone Configuration Utility, the new configuration profile is displayed in the
Configuration profiles section in the properties window of the iOS MDM Server.

You can click the Modify button to modify the configuration profile.

You can click the Import button to load the configuration profile to a program.

You can click the Export button to save the configuration profile to a file.

The profile that you have created must be installed on iOS MDM devices.

Installing a configuration profile on a device


To install a configuration profile on a mobile device:

1. In the Mobile Device Management folder in the console tree, select the Mobile devices subfolder.
The folder workspace displays a list of managed mobile devices.

2. In the workspace, filter iOS MDM devices by protocol type (iOS MDM).

3. Select the user mobile device on which you have to install a configuration profile.
You can select multiple mobile devices to install the profile on them simultaneously.

4. In the context menu of the mobile device, select Show command log.

5. In the Mobile device management commands window, proceed to the Install profile section and click the
Send command button.
You can also send the command to the mobile device by selecting All commands in the context menu of that
mobile device, and then selecting Install profile.
The Select profiles window opens showing a list of profiles. Select from the list the profile that you have to
install on the mobile device. You can select multiple profiles to install them on the mobile device simultaneously.
To select a range of profiles, use the Shift key. To combine profiles into a group, use the Ctrl key.

6. Click OK to send the command to the mobile device.


When the command is executed, the selected configuration profile will be installed on the user's mobile device.
If the command is successfully executed, the current status of the command in the command log will be shown
as Done.
You can click the Resend button to send the command to the user's mobile device again.
You can click the Remove from queue button to cancel execution of a command that was sent if the command
has not yet been executed.
The Command log section displays commands that have been sent to the mobile device, with the respective
execution statuses. Click Refresh to update the list of commands.

7. Click OK to close the Mobile device management commands window.

You can view the profile that you installed and remove it, if necessary.

Removing the configuration profile from a device


To remove a configuration profile from a mobile device:

1. In the Mobile Device Management folder in the console tree, select the Mobile devices subfolder.
The folder workspace displays a list of managed mobile devices.

2. In the workspace, filter iOS MDM devices by clicking the iOS MDM link.

3. Select the user's mobile device from which you have to remove the configuration profile.
You can select multiple mobile devices to remove the profile from them simultaneously.

4. In the context menu of the mobile device, select Show command log.

5. In the Mobile device management commands window, proceed to the Remove profile section and click the
Send command button.
You can also send the command to the mobile device by selecting All commands from the context menu of the
device, and then selecting Remove profile.
The Remove profiles window opens showing a list of profiles.

6. Select from the list the profile that you have to remove from the mobile device. You can select multiple profiles
to remove them from the mobile device simultaneously. To select a range of profiles, use the Shift key. To
combine profiles into a group, use the Ctrl key.

7. Click OK to send the command to the mobile device.


When the command is executed, the selected configuration profile will be removed from the user's mobile
device. If the command is executed successfully, the current status of the command will be shown as
Completed.
You can click the Resend button to send the command to the user's mobile device again.
You can click the Remove from queue button to cancel execution of a command that was sent if the command
has not yet been executed.
The Command log section displays commands that have been sent to the mobile device, with the respective
execution statuses. Click Refresh to update the list of commands.

8. Click OK to close the Mobile device management commands window.

Adding a new device by publishing a link to a profile


In Administration Console, the administrator creates a new iOS MDM profile, using the New Mobile Device
Connection Wizard. The Wizard performs the following actions:

The iOS MDM profile is automatically published on the Web Server.

The user is sent a link to the iOS MDM profile by SMS or by email. Upon receiving the link, the user installs the
iOS MDM profile on the mobile device.

The mobile device connects to the iOS MDM Server.

Due to a stricter security policy introduced by Apple, you have to set up TLS 1.1 and TLS 1.2 protocol versions
when connecting a mobile device running iOS 11 to an Administration Server that has integration with Public
Key Infrastructure (PKI) enabled.

Adding a new device through profile installation by the administrator


To connect a mobile device to an iOS MDM Server by installing an iOS MDM profile on that mobile device, the
administrator must perform the following actions:

1. In Administration Console, open the New Device Connection Wizard.

2. Create a new iOS MDM profile by selecting the Show certificate after the Wizard finishes check box in the
New Profile Wizard window.

3. Save the iOS MDM profile.

4. Install the iOS MDM profile on the user's mobile device through the Apple Configurator utility.

The mobile device connects to the iOS MDM Server.

Due to a stricter security policy introduced by Apple, you have to set up TLS 1.1 and TLS 1.2 protocol versions
when connecting a mobile device running iOS 11 to an Administration Server that has integration with Public
Key Infrastructure (PKI) enabled.

Adding a provisioning profile


To add a provisioning profile to an iOS MDM Server:

1. In the console tree, open the Mobile Device Management folder.

2. In the Mobile Device Management folder in the console tree, select the Mobile Device Servers subfolder.

3. In the workspace of the Mobile Device Servers folder, select an iOS MDM Server.

4. In the context menu of the iOS MDM Server, select Properties.


The Mobile Device Server properties window opens.

5. In the properties window of the iOS MDM Server, go to the Provisioning profiles section.

6. In the Provisioning profiles section, click the Import button and specify the path to a provisioning profile file.

The profile will be added to the iOS MDM Server settings.

You can click the Export button to save the provisioning profile to a file.

You can install the provisioning profile that you imported on iOS MDM devices.

Installing a provisioning profile on a device


To install a provisioning profile on a mobile device:

1. In the Mobile Device Management folder in the console tree, select the Mobile devices subfolder.
The folder workspace displays a list of managed mobile devices.

2. In the workspace, filter iOS MDM devices by protocol type (iOS MDM).

3. Select the user's mobile device on which you have to install the provisioning profile.
You can select multiple mobile devices to install the provisioning profile simultaneously.

4. In the context menu of the mobile device, select Show command log.

5. In the Mobile device management commands window, proceed to the Install provisioning profile section and
click the Send command button.
You can also send the command to the mobile device by selecting All commands from the context menu of
that mobile device, and then selecting Install provisioning profile.

The Select provisioning profiles window opens showing a list of provisioning profiles. Select from the list the
provisioning profile that you have to install on the mobile device. You can select multiple provisioning profiles to
install them on the mobile device simultaneously. To select a range of provisioning profiles, use the Shift key.
To combine provisioning profiles into a group, use the Ctrl key.

6. Click OK to send the command to the mobile device.


When the command is executed, the selected provisioning profile will be installed on the user's mobile device. If
the command is successfully executed, its current status in the command log is shown as Completed.
You can click the Resend button to send the command to the user's mobile device again.
You can click the Remove from queue button to cancel execution of a command that was sent if the command
has not yet been executed.
The Command log section displays commands that have been sent to the mobile device, with the respective
execution statuses. Click Refresh to update the list of commands.

7. Click OK to close the Mobile device management commands window.

You can view the profile that you installed and remove it, if necessary.

Removing a provisioning profile from a device


To remove a provisioning profile from a mobile device:

1. In the Mobile Device Management folder in the console tree, select the Mobile devices subfolder.
The folder workspace displays a list of managed mobile devices.

2. In the workspace, filter iOS MDM devices by protocol type (iOS MDM).

3. Select the user's mobile device from which you have to remove the provisioning profile.
You can select multiple mobile devices to remove the provisioning profile from them simultaneously.

4. In the context menu of the mobile device, select Show command log.

5. In the Mobile device management commands window, proceed to the Remove provisioning profile section
and click the Send command button.
You can also send the command to the mobile device by selecting All commands from the context menu and
then selecting Remove provisioning profile.
The Remove provisioning profiles window opens showing a list of profiles.

6. Select from the list the provisioning profile that you need to remove from the mobile device. You can select
multiple provisioning profiles to remove them from the mobile device simultaneously. To select a range of
provisioning profiles, use the Shift key. To combine provisioning profiles into a group, use the Ctrl key.

7. Click OK to send the command to the mobile device.


When the command is executed, the selected provisioning profile will be removed from the user's mobile device.
Applications that are related to the deleted provisioning profile will not be operable. If the command is executed
successfully, the current status of the command will be shown as Completed.
You can click the Resend button to send the command to the user's mobile device again.
You can click the Remove from queue button to cancel execution of a command that was sent if the command
has not yet been executed.

The Command log section displays commands that have been sent to the mobile device, with the respective
execution statuses. Click Refresh to update the list of commands.

8. Click OK to close the Mobile device management commands window.

Adding a managed application


Before installing an app on an iOS MDM device, you must add that app to an iOS MDM Server. An application is
considered managed if it has been installed on a device through Kaspersky Security Center. A managed application
can be managed remotely by means of Kaspersky Security Center.

To add a managed application to an iOS MDM Server:

1. In the console tree, open the Mobile Device Management folder.

2. In the Mobile Device Management folder in the console tree, select the Mobile Device Servers subfolder.

3. In the workspace of the Mobile Device Servers folder, select an iOS MDM Server.

4. In the context menu of the iOS MDM Server, select Properties.


This opens the properties window of the iOS MDM Server.

5. In the properties window of the iOS MDM Server, select the Managed applications section.

6. Click the Add button in the Managed applications section.


The Add an application window opens.

7. In the Add an application window, in the App name field, specify the name of the application to be added.

8. In the Apple ID or App Store link field, specify the Apple ID of the application to be added, or specify a link to a
manifest file that can be used to download the application.

9. If you want a managed application to be removed from the user's mobile device along with the iOS MDM profile
when removing the latter, select the Remove together with iOS MDM profile check box.

10. If you want to block the application data backup through iTunes, select the Block data backup check box.

11. Click OK.

The added application is displayed in the Managed applications section of the properties window of the iOS
MDM Server.

Installing an app on a mobile device


To install an app on an iOS MDM mobile device:

1. In the Mobile Device Management folder in the console tree, select the Mobile devices subfolder.
The folder workspace displays a list of managed mobile devices.

2. Select the iOS MDM device on which you want to install an app.

You can select multiple mobile devices to install the application on them simultaneously.

3. In the context menu of the mobile device, select Show command log.

4. In the Mobile device management commands window, proceed to the Install app section and click the Send
command button.
You can also send the command to the mobile device by selecting All commands in the context menu of that
mobile device, and then selecting Install app.
The Select apps window opens showing a list of applications. Select from the list the application that you have to
install on the mobile device. You can select multiple applications to install them on the mobile device
simultaneously. To select a range of apps, use the Shift key. To combine apps into a group, use the Ctrl key.

5. Click OK to send the command to the mobile device.


When the command is executed, the selected application will be installed on the user's mobile device. If the
command is successfully executed, its current status in the command log will be shown as Completed.
You can click the Resend button to send the command to the user's mobile device again. You can click the
Remove from queue button to cancel execution of a command that was sent if the command has not yet been
executed.
The Command log section displays commands that have been sent to the mobile device, with the respective
execution statuses. Click Refresh to update the list of commands.

6. Click OK to close the Mobile device management commands window.

Information about the application installed is displayed in the properties of the iOS MDM mobile device. You can
remove the application from the mobile device through the command log or the context menu of the mobile
device.

Removing an app from a device


To remove an app from a mobile device:

1. In the Mobile Device Management folder in the console tree, select the Mobile devices subfolder.
The folder workspace displays a list of managed mobile devices.

2. In the workspace, filter iOS MDM devices by protocol type (iOS MDM).

3. Select the user's mobile device from which you have to remove the app.
You can select multiple mobile devices to remove the app from them simultaneously.

4. In the context menu of the mobile device, select Show command log.

5. In the Mobile device management commands window, proceed to the Remove app section and click the Send
command button.
You can also send the command to the mobile device by selecting All commands in the context menu of that
mobile device, and then selecting Remove app.
The Remove apps window opens showing a list of applications.

6. Select from the list the app that you need to remove from the mobile device. You can select multiple apps to
remove them simultaneously. To select a range of apps, use the Shift key. To combine apps into a group, use the
Ctrl key.

7. Click OK to send the command to the mobile device.
When the command is executed, the selected app will be removed from the user's mobile device. If the
command is executed successfully, the current status of the command will be shown as Completed.
You can click the Resend button to send the command to the user's mobile device again.
You can click the Remove from queue button to cancel execution of a command that was sent if the command
has not yet been executed.
The Command log section displays commands that have been sent to the mobile device, with the respective
execution statuses. Click Refresh to update the list of commands.

8. Click OK to close the Mobile device management commands window.

Configuring roaming on an iOS MDM mobile device


To configure roaming:

1. In the console tree, open the Mobile Device Management folder.

2. In the Mobile Device Management folder, select the Mobile devices subfolder.
The folder workspace displays a list of managed mobile devices.

3. Select the iOS MDM device owned by the user for whom you have to configure roaming.
You can select multiple mobile devices to configure roaming on them simultaneously.

4. In the context menu of the mobile device, select Show command log.

5. In the Mobile device management commands window, proceed to the Configure roaming section and click
the Send command button.
You can also send the command to the mobile device by selecting All commands → Configure roaming from
the context menu of the device.

6. In the Roaming settings window, specify the relevant settings:

Enable data roaming

If this option is enabled, the data roaming is enabled on the iOS MDM mobile device. The user of the iOS
MDM mobile device can surf the internet while in roaming.

By default, this option is disabled.

Roaming is configured for the selected devices.

Viewing information about an iOS MDM device


To view information about an iOS MDM device:

1. In the Mobile Device Management folder in the console tree, select the Mobile devices subfolder.
The folder workspace displays a list of managed mobile devices.

2. In the workspace, filter iOS MDM devices by clicking the iOS MDM link.

3. Select the mobile device for which you want to view the information.

4. From the context menu of the mobile device select Properties.


The properties window of the iOS MDM device opens.

The properties window of the mobile device displays information about the connected iOS MDM device.

Disconnecting an iOS MDM device from management


To disconnect an iOS MDM device from the iOS MDM Server:

1. In the Mobile Device Management folder in the console tree, select the Mobile devices subfolder.
The folder workspace displays a list of managed mobile devices.

2. In the workspace, filter iOS MDM devices by clicking the iOS MDM link.

3. Select the mobile device that you have to disconnect.

4. In the context menu of the mobile device, select Delete.

The iOS MDM device will be marked in the list for removal. The mobile device will be automatically removed from
the list of managed devices after it is removed from the iOS MDM Server database. The mobile device will be
removed from the iOS MDM Server database within one minute.

After the iOS MDM device is disconnected from management, all installed configuration profiles, the iOS MDM
profile, and applications for which the Remove together with iOS MDM profile option has been enabled, will be
removed from the mobile device.

Sending commands to a device


To send a command to an iOS MDM device:

1. In Administration Console, open the Mobile Device Management node.

2. Select the Mobile devices folder.

3. In the Mobile devices folder, select the mobile device to which the commands need to be sent.

4. In the context menu of the mobile device, select Show command log.

5. In the list that appears, select the command to be sent to the mobile device.

Checking the execution status of commands sent


To check the execution status of a command that has been sent to a mobile device:

1. In Administration Console, open the Mobile Device Management node.

2. Select the Mobile devices folder.


3. In the Mobile devices folder, select the mobile device on which the execution status needs to be checked for
the selected commands.

4. In the context menu of the mobile device, select Show command log.

Managing KES devices


In Kaspersky Security Center, you can manage KES mobile devices in the following ways:

Centrally manage KES devices by using commands.

View information about the settings for management of KES devices.

Install applications by using mobile app packages.

Disconnect KES devices from management.

Creating a mobile applications package for KES devices


A Kaspersky Endpoint Security for Android license is required to create a mobile applications package for KES
devices.

To create a mobile applications package:

1. In the Remote installation folder of the console tree, select the Installation packages subfolder.
The Remote installation folder is a subfolder of the Advanced folder by default.

2. Click the Additional actions button and select Manage mobile apps packages in the drop-down list.

3. In the Mobile apps package management window, click the New button.

4. The Mobile Applications Package Creation Wizard starts. Follow the instructions of the Wizard.

The newly created mobile applications package is displayed in the Mobile apps package management window.

Enabling certificate-based authentication of KES devices


To enable certificate-based authentication of a KES device:

1. Open the system registry of the client device that has Administration Server installed (for example, locally, using
the regedit command in the Start → Run menu).

2. Go to the following hive:

For 32-bit systems:


HKEY_LOCAL_MACHINE\SOFTWARE\KasperskyLab\Components\34\.core\.independent\KLLIM

For 64-bit systems:

HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\KasperskyLab\Components\34\.core\.independent\

3. Create a key with the LP_MobileMustUseTwoWayAuthOnPort13292 name.

4. Specify REG_DWORD as the key type.

5. Set the key value to 1.

6. Restart the Administration Server service.

Mandatory certificate-based authentication of the KES device using a shared certificate will be enabled after
you run the Administration Server service.

The first connection of the KES device to the Administration Server does not require a certificate.

By default, certificate-based authentication of KES devices is disabled.
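The same change applied from PowerShell on the Administration Server host, as an added example that is not code from the Kaspersky help: it picks the SOFTWARE or Wow6432Node path by process bitness, writes the REG_DWORD value, restarts the service, and reads the value back. Two assumptions not in the help text: the 64-bit path ends in the same KLLIM key as the 32-bit one (the help truncates it), and the Administration Server service name, which you pass in -ServiceName.

```powershell
# Added example; not code from the Kaspersky help. Sets the
# LP_MobileMustUseTwoWayAuthOnPort13292 DWORD from the procedure above and
# verifies what was stored. Assumed (not in the help text): the 64-bit path ends
# in the same KLLIM key as the 32-bit one (the help truncates it), and the name
# of the Administration Server service; confirm it with Get-Service first.
function Set-KesTwoWayAuth {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        [ValidateRange(0, 1)] [int] $Value = 1,    # 1 = require certificates, 0 = the default (disabled)
        [string] $ServiceName = 'kladminserver'    # ASSUMED service name; override if yours differs
    )
    $leaf = 'KasperskyLab\Components\34\.core\.independent\KLLIM'
    # A 32-bit process is redirected to Wow6432Node by Windows automatically, so only
    # a 64-bit process needs the Wow6432Node path spelled out explicitly.
    if ([IntPtr]::Size -eq 8) { $hive = 'HKLM:\SOFTWARE\Wow6432Node' }
    else                      { $hive = 'HKLM:\SOFTWARE' }
    $path = Join-Path $hive $leaf
    $name = 'LP_MobileMustUseTwoWayAuthOnPort13292'

    if (-not (Test-Path $path)) { throw "Registry key not found: $path" }
    if (-not (Get-Service -Name $ServiceName -ErrorAction SilentlyContinue)) {
        throw "Service '$ServiceName' not found; pass the Administration Server service name in -ServiceName"
    }

    if ($PSCmdlet.ShouldProcess("$path\$name", "set REG_DWORD to $Value")) {
        New-ItemProperty -Path $path -Name $name -PropertyType DWord -Value $Value -Force | Out-Null
        # The value is read at service start, so the change takes effect only after a restart.
        Restart-Service -Name $ServiceName -Force
    }
    # Read the value back; $true only when the stored DWORD equals the requested value.
    $stored = (Get-ItemProperty -Path $path -Name $name -ErrorAction SilentlyContinue).$name
    return ($stored -eq $Value)
}
```

Run with -WhatIf first to see the exact key and value that would be written without touching the registry or the service.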

Viewing information about a KES device


To view information about a KES device:

1. In the Mobile Device Management folder in the console tree, select the Mobile devices subfolder.
The folder workspace displays a list of managed mobile devices.

2. In the workspace, filter KES devices by protocol type (KES).

3. Select the mobile device for which you want to view the information.

4. From the context menu of the mobile device select Properties.

The properties window of the KES device opens.

The properties window of the mobile device displays information about the connected KES device.

Disconnecting a KES device from management


To disconnect a KES device from management, the user has to remove Network Agent from the mobile device.
After the user has removed Network Agent, the mobile device details are removed from the Administration Server
database, and the administrator can remove the mobile device from the list of managed devices.

To remove a KES device from the list of managed devices:

1. In the Mobile Device Management folder in the console tree, select the Mobile devices subfolder.
The folder workspace displays a list of managed mobile devices.

2. In the workspace, filter KES devices by protocol type (KES).

3. Select the mobile device that you must disconnect from management.

4. In the context menu of the mobile device, select Delete.

The mobile device is removed from the list of managed devices.

If Kaspersky Endpoint Security for Android has not been removed from the mobile device, that mobile device
reappears in the list of managed devices after synchronization with the Administration Server.

Data encryption and protection


Data encryption reduces the risk of unintentional data leakage if a notebook, removable drive, or hard drive is
stolen or lost, or if it is accessed by unauthorized users and applications.

Kaspersky Endpoint Security for Windows provides encryption functionality. Kaspersky Endpoint Security for
Windows allows you to encrypt files stored on local drives of devices and removable drives, as well as encrypt
removable drives and hard drives entirely.

Encryption rules are configured through Kaspersky Security Center by defining policies. Encryption and decryption
according to the existing rules are performed when applying a policy.

Availability of the encryption management feature is determined by the user interface settings.

The administrator can perform the following actions:

Configure and perform file encryption or decryption on local drives of the device.

Configure and perform file encryption on removable drives.

Create rules of access to encrypted files by applications.

Create and deliver to the user a key file for access to encrypted files if file encryption is restricted on the user's
device.

Configure and perform hard drive encryption.

Manage user access to encrypted hard drives and removable drives (manage authentication agent accounts,
create and deliver to users information on request for account name and password restoration, as well as
access keys for encrypted devices).

View encryption statuses and reports about encryption of files.

These operations are performed using tools integrated into Kaspersky Endpoint Security for Windows. For
detailed instructions on how to perform operations and a description of encryption features, please refer to the
Kaspersky Endpoint Security for Windows Online Help.

Kaspersky Security Center supports encryption management functionality for devices running macOS operating
systems. Encryption is configured using Kaspersky Endpoint Security for Mac tools for those application versions
that support encryption functionality. For detailed instructions on how to perform operations and a description of
encryption features, refer to the Kaspersky Endpoint Security for Mac Administrator's Guide.

Viewing the list of encrypted devices


To view the list of devices storing encrypted information:

1. In the console tree of Administration Server, select the Data encryption and protection folder.

2. Open the list of encrypted devices in one of the following ways:

By clicking the Go to list of encrypted drives link in the Manage encrypted drives section.

By selecting the Encrypted drives folder in the console tree.

The workspace displays information about devices on the network storing encrypted les, and about devices
encrypted at the drive level. After the information on a device is decrypted, the device is automatically removed
from the list.

You can sort the information in the list of devices either in ascending or descending order in any column.

The user interface settings determine whether the Data encryption and protection folder appears in the
console tree.

Viewing the list of encryption events


When running data encryption or decryption tasks on devices, Kaspersky Endpoint Security for Windows sends
Kaspersky Security Center information about events of the following types:

Cannot encrypt or decrypt a file, or create an encrypted archive, due to a lack of free disk space.

Cannot encrypt or decrypt a file, or create an encrypted archive, due to license issues.

Cannot encrypt or decrypt a file, or create an encrypted archive, due to missing access rights.

An application has been denied access to an encrypted file.

Unknown errors.

To view a list of events that have occurred during data encryption on devices:

1. In the console tree of Administration Server, select the Data encryption and protection folder.

2. Open the list of events that occurred during encryption in one of the following ways:

By clicking the Go to error list link in the Data encryption errors section.

By selecting the Encrypted drives folder in the console tree.

The workspace displays information about problems that have occurred during data encryption on devices.

You can take the following actions in the list of encryption events:

Sort data records in ascending or descending order in any of the columns.

Perform a quick search for records (by text match with a substring in any of the list fields).

Export the list of events to a text file.

The user interface settings determine whether the Data encryption and protection folder appears in the
console tree.

Exporting the list of encryption events to a text file


To export the list of encryption events to a text file:

1. Create a list of encryption events.

2. From the context menu of the events list select Export list.
The Export list window opens.

3. In the Export list window, specify the name of the text le with the list of events, select a folder to save it and
click the Save button.
The list of encryption events will be saved to the file that you have specified.

Creating and viewing encryption reports


You can generate the following reports:

Report on encryption status of mass storage devices. This report contains information about the device
encryption status for all groups of devices.

Report on rights of access to encrypted devices. This report contains information about the status of user
accounts that have been granted access to encrypted devices.

Report on file encryption errors. This report contains information about errors that occurred when data
encryption or decryption tasks were run on devices.

Report on encryption status of managed devices. This report contains information about whether the
encryption status of devices meets the encryption policy.

Report on blockage of access to encrypted files. This report contains information about blocking application
access to encrypted files.

To generate the report on encryption of devices:

1. In the console tree, select the Data encryption and protection folder.

2. Do one of the following:

To generate the report on the encryption status of managed devices, click the View report on encryption
status of mass storage devices link.
If you have not configured this report yet, the New Report Template Wizard will start. Follow the steps of the
Wizard.

To generate the report on encryption status of mass storage devices, in the console tree select the
Encrypted drives subfolder, and then click the View report on encryption status of mass storage devices
button.

The report generation starts. The report appears on the Reports tab of the Administration Server node.

To generate the report on rights of access to encrypted devices:

1. In the console tree, select the Data encryption and protection folder.

2. Do one of the following:

Click the Report on rights to access encrypted drives link in the Manage encrypted drives section to
start the New Report Template Wizard.

Select the Encrypted drives subfolder, then click the Report on rights to access encrypted drives button
to start the New Report Template Wizard.

3. Follow the steps of the New Report Template Wizard.

The report generation starts. The report appears on the Reports tab of the Administration Server node.

To generate the report on file encryption errors:

1. In the console tree, select the Data encryption and protection folder.

2. Do one of the following:

Click the View report on file encryption errors link in the Data encryption errors section to start the New
Report Template Wizard.

Select the Encryption events subfolder, then click the Report on file encryption errors link to start the
New Report Template Wizard.

3. Follow the steps of the New Report Template Wizard.

The report generation starts. The report appears on the Reports tab of the Administration Server node.

To generate the report on the status of encryption of managed devices:

1. In the console tree, select the node with the name of the required Administration Server.

2. In the workspace of the node, select the Reports tab.

3. Click the New report template button to start the New Report Template Wizard.

4. Follow the instructions of the New Report Template Wizard. In the Selecting the report template type window,
in the Other section select Report on encryption status of managed devices.
After you have finished with the New Report Template Wizard, a new report template appears in the
Administration Server node, on the Reports tab.

5. In the node of the relevant Administration Server on the Reports tab, select the report template that was
created during the previous steps of the instructions.

The report generation starts. The report appears on the Reports tab of the Administration Server node.

You can also obtain information about whether the encryption statuses of devices and removable drives conform
to the encryption policy by viewing information panes on the Statistics tab of the Administration Server node.

To generate the report on blockage of access to encrypted les:

1. In the console tree, select the node with the name of the required Administration Server.

2. In the workspace of the node, select the Reports tab.

3. Click the New report template button to start the New Report Template Wizard.

4. Follow the instructions of the New Report Template Wizard. In the Selecting the report template type window,
in the Other section, select Report on blockage of access to encrypted files.
After the New Report Template Wizard finishes, a new report template appears in the Administration Server
node, on the Reports tab.

5. In the node of the Administration Server on the Reports tab, select the report template that was created
during the previous steps of the instructions.

The report generation starts. The report appears on the Reports tab of the Administration Server node.

Transmitting encryption keys between Administration Servers


If the data encryption feature is enabled on a managed device, the encryption key is stored on the Administration
Server. The encryption key is used to access encrypted data and to manage the encryption policy.

The encryption key must be transmitted to another Administration Server in the following cases:

You reconfigure Network Agent on a managed device to assign the device to another Administration Server. If
this device contains encrypted data, the encryption key must be transmitted to the target Administration
Server. Otherwise, the data cannot be decrypted.

You encrypt a removable drive connected to a device D1 that is managed by the Administration Server S1, and
then you connect this removable drive to a device D2 managed by the Administration Server S2. To access the
data on the removable drive, the encryption key must be transmitted from the Administration Server S1 to
the Administration Server S2.

You encrypt a file on a device D1 managed by the Administration Server S1, and then you try to access the file
on a device D2 managed by the Administration Server S2. To access the file, the encryption key must be
transmitted from the Administration Server S1 to the Administration Server S2.

You can transmit encryption keys the following ways:

Automatically, by enabling the Use hierarchy of Administration Servers to obtain encryption keys option in
the properties of two Administration Servers between which an encryption key must be transmitted. If this
option is disabled for one of the Administration Servers, the automatic transmission of encryption keys is not
possible.

When you enable the Use hierarchy of Administration Servers to obtain encryption keys option in an
Administration Server properties, the Administration Server sends all of the encryption keys stored in its
repository to the primary Administration Server (if any) one level up in the hierarchy.
When you try to access encrypted data, the Administration Server first searches for the encryption key in its own
repository. If the Use hierarchy of Administration Servers to obtain encryption keys option is enabled and
the required encryption key has not been found in the repository, the Administration Server additionally sends a
request to the primary Administration Servers (if any) to provide the required encryption key. The request will
be sent to all of the primary Administration Servers up to the server on the highest level of the hierarchy.

Manually from one Administration Server to another by exporting and importing the file containing the
encryption keys.
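The automatic lookup and synchronization rules described above, as an added illustrative model that is not Kaspersky code: Server names, key IDs and key material are constructed, and the option is modeled as a flag that must be enabled on both Servers of a hop for keys to travel across it.

```python
from __future__ import annotations

from dataclasses import dataclass, field
from typing import Optional


@dataclass
class AdminServer:
    """One Administration Server with its encryption-key repository (constructed model)."""

    name: str
    # Models the "Use hierarchy of Administration Servers to obtain encryption keys" option.
    use_hierarchy: bool = False
    primary: Optional["AdminServer"] = None
    repository: dict[str, bytes] = field(default_factory=dict)  # key ID -> key material

    def heartbeat(self) -> int:
        """Next synchronization with the primary Server: push all stored keys one level up.

        Transmission needs the option on both Servers. Returns the number of keys
        that were new to the primary's repository.
        """
        if self.primary is None or not (self.use_hierarchy and self.primary.use_hierarchy):
            return 0
        new_keys = {k: v for k, v in self.repository.items() if k not in self.primary.repository}
        self.primary.repository.update(new_keys)
        return len(new_keys)

    def find_key(self, key_id: str) -> Optional[bytes]:
        """Own repository first; if the option is enabled, the request climbs the hierarchy."""
        if key_id in self.repository:
            return self.repository[key_id]
        if not self.use_hierarchy or self.primary is None:
            return None
        return self.primary.answer_request(key_id)

    def answer_request(self, key_id: str) -> Optional[bytes]:
        """Serve a request from a secondary Server.

        A Server whose option is disabled hands out nothing, which is why automatic
        transmission is impossible when the option is off on either side of a hop.
        """
        if not self.use_hierarchy:
            return None
        return self.find_key(key_id)  # own repository, then further up to the top-level Server


def removable_drive_scenario(primary_enabled: bool = True) -> tuple:
    """Drive encrypted on D1 (managed by S1) is later connected to D2 (managed by S2).

    Returns (S2 lookup before sync, keys pushed at S1's heartbeat, S2 lookup after sync).
    """
    top = AdminServer("P", use_hierarchy=primary_enabled)
    s1 = AdminServer("S1", use_hierarchy=True, primary=top)
    s2 = AdminServer("S2", use_hierarchy=True, primary=top)
    s1.repository["drive-D1"] = b"constructed-key-material"  # stored when D1's drive was encrypted
    before = s2.find_key("drive-D1")
    pushed = s1.heartbeat()
    after = s2.find_key("drive-D1")
    return before, pushed, after


def multi_level_scenario() -> tuple:
    """S1 and S2 sit under different intermediate Servers, so the key must first climb to
    the top-level Server; S2's request climbs the same way and is served only after that."""
    top = AdminServer("TOP", use_hierarchy=True)
    p1 = AdminServer("P1", use_hierarchy=True, primary=top)
    p2 = AdminServer("P2", use_hierarchy=True, primary=top)
    s1 = AdminServer("S1", use_hierarchy=True, primary=p1)
    s2 = AdminServer("S2", use_hierarchy=True, primary=p2)
    s1.repository["file-D1"] = b"constructed-file-key"
    s1.heartbeat()  # S1 -> P1
    after_one_level = s2.find_key("file-D1")  # still None: key has not reached TOP yet
    p1.heartbeat()  # P1 -> TOP
    return after_one_level, s2.find_key("file-D1")


if __name__ == "__main__":
    print(removable_drive_scenario(True))   # (None, 1, b'constructed-key-material')
    print(removable_drive_scenario(False))  # (None, 0, None): option off on the primary
    print(multi_level_scenario())           # (None, b'constructed-file-key')
```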

To enable automatic transmission of encryption keys between Administration Servers within the hierarchy:

1. In the console tree, select the Administration Server for which you want to enable automatic transmission of
encryption keys.

2. In the context menu of the Administration Server, select Properties.

3. In the properties window, select the Encryption algorithm section.

4. Enable the Use hierarchy of Administration Servers to obtain encryption keys option.

5. Click OK to apply the changes.

The encryption keys will be transmitted to primary Administration Servers (if any) at the next synchronization
(the heartbeat). This Administration Server will also provide, upon request, an encryption key from its repository
to a secondary Administration Server.

To transmit encryption keys between Administration Servers manually:

1. In the console tree of Administration Server, select the secondary Administration Server from which you want
to transmit encryption keys.

2. In the context menu of the Administration Server, select Properties.

3. In the properties window, select the Encryption algorithm section.

4. Click the Export encryption keys from Administration Server.

5. In the Export encryption keys window:

Click the Browse button, and then specify where to save the file.

Specify a password to protect the file from unauthorized access.

Remember the password. A lost password cannot be retrieved. If the password is lost, you have to
repeat the export procedure. Therefore, make a note of the password and keep it handy.

6. Transmit the file to another Administration Server, for example, through a shared folder or removable drive.

7. On the target Administration Server, make sure that Kaspersky Security Center Administration Console is
running.

8. In the console tree of Administration Server, select the target Administration Server where you want to
transmit encryption keys.

9. In the context menu of the Administration Server, select Properties.

10. In the properties window, select the Encryption algorithm section.

11. Click Import encryption keys to Administration Server.

12. In the Import encryption keys window:

Click the Browse button, and then select the file containing encryption keys.

Specify the password.

13. Click OK.

The encryption keys are transmitted to the target Administration Server.

Data repositories
This section provides information about data stored on the Administration Server and used for tracking the
condition of client devices and for servicing them.

The Repositories folder of the console tree displays the data used for tracking the statuses of client devices.

The Repositories folder contains the following objects:

Updates downloaded by the Administration Server that are distributed to client devices

List of equipment detected on the network

License keys detected on client devices

Files placed in Quarantine folders on devices by security applications

Files placed in Backup on client devices

Files postponed for a later scan by security applications

Exporting a list of repository objects to a text le


You can export the list of objects from the repository to a text file.

To export the list of objects from the repository to a text file:

1. In the console tree, in the Repositories folder select the subfolder of the relevant repository.

2. In the repository subfolder, select Export list in the context menu.

This will open the Export list window, in which you can specify the name of the text file and the path to the
folder where it is to be placed.

Installation packages
Kaspersky Security Center places the installation packages for applications of Kaspersky and third-party vendors
in data repositories.

An installation package is a set of files required to install an application. An installation package contains the setup
settings and initial configuration of the application being installed.

If you want to install an application on a client device, create an installation package for that application, or use an
existing one. The list of created installation packages is stored in the Remote installation folder of the console
tree, the Installation packages subfolder.

Main statuses of files in the repository


Security applications scan files on devices for known viruses and other programs that may pose a threat, assign
statuses to files, and place some of them in the repository.

For example, security applications can do the following:

Save a copy of a file to the repository before deletion

Isolate probably infected files in the repository

The main statuses of files are presented in the table below. You can obtain more detailed information about
actions to take on files in respective Help systems of security applications.

Statuses of files in the repository

Infected: The file has a section of code of a known virus or other malware whose information is found in
Kaspersky anti-virus databases.

Not infected: No known viruses or other malware were detected in the file.

Warning: The file contains a fragment of code that partially matches a snippet of code of a known threat.

Probably infected: The file contains either modified code of a known virus or code resembling a virus that is not
yet known to Kaspersky.

Placed to folder by user: The user manually placed the file in the repository because the file's behavior gave rise
to suspicion that it contains some threats. The user can scan the file for threats by using up-to-date databases.

False positive: A Kaspersky application assigned Infected status to a non-infected file because its code is similar
to that of a virus. After a scan with up-to-date databases, the file is identified as non-infected.

Disinfected: The file was successfully disinfected.

Deleted: The file was deleted during processing.

Password-protected: The file cannot be processed because it is protected with a password.

Triggering of rules in Smart Training mode


This section provides information about the detections performed by the Adaptive Anomaly Control rules in
Kaspersky Endpoint Security for Windows on client devices.

The rules detect anomalous behavior on client devices and may block it. If the rules work in Smart Training mode,
they detect anomalous behavior and send reports about every such occurrence to Kaspersky Security Center
Administration Server. This information is stored as a list in the Triggering of rules in Smart Training state
subfolder of the Repositories folder. You can confirm detections as correct or add them as exclusions, so that this
type of behavior is not considered anomalous anymore.

Information about detections is stored in the event log on the Administration Server (along with other events) and
in the Adaptive Anomaly Control report.

For more information about Adaptive Anomaly Control, the rules, their modes and statuses, refer to Kaspersky
Endpoint Security for Windows Help.

Viewing the list of detections performed using Adaptive Anomaly Control rules
To view the list of detections performed by Adaptive Anomaly Control rules:

1. In the console tree, select the node of the Administration Server that you require.

2. Select the Triggering of rules in Smart Training state subfolder (by default, this is a subfolder of Advanced →
Repositories).
The list displays the following information about detections performed using Adaptive Anomaly Control rules:

Administration group

The name of the administration group where the device belongs.

Device name

The name of the client device where the rule was applied.

Name

The name of the rule that was applied.

Status

Excluding—If the Administrator processed this item and added it as an exclusion to the rules. This
status remains till the next synchronization of the client device with the Administration Server; after the
synchronization, the item disappears from the list.
Confirming—If the Administrator processed this item and confirmed it. This status remains till the next
synchronization of the client device with the Administration Server; after the synchronization, the item
disappears from the list.
Empty—If the Administrator did not process this item.

Total times rules were triggered

The number of detects within one heuristic rule, one process and one client device. This number is
counted by Kaspersky Endpoint Security.

User name

The name of the client device user who ran the process that generated the detect.

Source process path

Path to the source process, i.e. to the process that performs the action (for more information, refer to
the Kaspersky Endpoint Security help).

Source process hash

SHA-256 hash of the source process file (for more information, refer to the Kaspersky Endpoint
Security help).

Source object path

Path to the object that started the process (for more information, refer to the Kaspersky Endpoint
Security help).

Source object hash

SHA-256 hash of the source file (for more information, refer to the Kaspersky Endpoint Security help).

Target process path

Path to the target process (for more information, refer to the Kaspersky Endpoint Security help).

Target process hash

SHA-256 hash of the target file (for more information, refer to the Kaspersky Endpoint Security help).

Target object path

Path to the target object (for more information, refer to the Kaspersky Endpoint Security help).

Target object hash

SHA-256 hash of the target file (for more information, refer to the Kaspersky Endpoint Security help).

Processed

Date when the anomaly was detected.

To view properties of each information element:

1. In the console tree, select the node of the Administration Server that you require.

2. Select the Triggering of rules in Smart Training state subfolder (by default, this is a subfolder of Advanced →
Repositories).

3. In the Triggering of rules in Smart Training state workspace, select the object that you want.

4. Do one of the following:

Click the Properties link in the information box that appears on the right side of the screen.

Right-click and in the context menu select Properties.

The properties window of the object opens, displaying information about the selected element.

You can confirm or add to exclusions any element in the list of detections of Adaptive Anomaly Control rules.

To confirm an element,

Select an element (or several elements) in the list of detections and click the Confirm button.

The status of the element(s) will be changed to Confirming.

Your confirmation will contribute to the statistics used by the rules (for more information, refer to Kaspersky
Endpoint Security 11 for Windows Help).

To add an element as an exclusion,

Right-click an element (or several elements) in the list of detections and select Add to exclusions in the context
menu.

The Add Exclusion Wizard starts. Follow the Wizard instructions.

If you reject or confirm an element, it will be excluded from the list of detections after the next synchronization of
the client device with the Administration Server, and will no longer appear in the list.

Adding exclusions from the Adaptive Anomaly Control rules
The Add Exclusion Wizard allows you to add exclusions from the Adaptive Anomaly Control rules for Kaspersky
Endpoint Security.

You can start the Wizard through one of the three procedures below.

To start the Add Exclusion Wizard through the Adaptive Anomaly Control node:

1. In the console tree, select the node of the required Administration Server.

2. Select Triggering of rules in Smart Training state (by default, this is a subfolder of Advanced → Repositories).

3. In the workspace, right-click an element (or several elements) in the list of detections and select Add to
exclusions.
You can add up to 1000 exclusions at a time. If you select more elements and try to add them to exclusions, an
error message is displayed.

The Add Exclusion Wizard starts.

You can start the Add Exclusion Wizard from other nodes in the console tree:

Events tab of the main window of the Administration Server (then the User requests option or Recent events
option).

Report on Adaptive Anomaly Control rules state, Detections count column.

Step 1. Selecting the application

This step can be skipped if you have only one Kaspersky Endpoint Security for Windows version and do not
have other applications that support the Adaptive Anomaly Control rules.

The Add Exclusion Wizard shows the list of Kaspersky applications whose management plug-ins allow you to add
exclusions to the policies for these applications. Select an application from this list and click Next to proceed to
selecting the policy to which the exclusion will be added.
Step 2. Selecting the policy (policies)
The Wizard shows the list of policies (with policy pro les) for Kaspersky Endpoint Security.

Select all the policies and pro les to which you want to add exclusions and click Next.
Step 3. Processing of the policy (policies)
The Wizard displays a progress bar as the policies are processed. You can interrupt the processing of policies by
clicking Cancel.

Inherited policies cannot be updated. If you do not have the rights to modify a policy, this policy will not be updated
either.

When all the policies are processed (or if you interrupt the processing), a report appears. It shows which policies
were updated successfully (green icon) and which policies were not updated (red icon).

This is the last step of the Wizard. Click Finish to close the Wizard.

Quarantine and Backup
Kaspersky anti-virus applications installed on client devices may place files in Quarantine or Backup during device
scan.

Quarantine is a special repository for storing files that are probably infected with viruses and files that cannot be
disinfected at the time when they are detected.

Backup is designed for storing backup copies of files that have been deleted or modified during the disinfection
process.

Kaspersky Security Center creates a summarized list of files placed in Quarantine or Backup by Kaspersky
applications on the devices. Network Agents on client devices transmit information about the files in Quarantine
and Backup to the Administration Server. You can use Administration Console to view the properties of files stored
in repositories on devices, run virus scans of those repositories, and delete files from them. The icons of the file
statuses are described in the appendix.

Operations with Quarantine and Backup are supported for versions 6.0 or later of Kaspersky Anti-Virus for
Windows Workstations and Kaspersky Anti-Virus for Windows Servers, as well as for Kaspersky Endpoint
Security 10 for Windows, or later versions.

Kaspersky Security Center does not copy files from repositories to Administration Server. All files are stored in
repositories on the devices. You can restore a file only on the device with the anti-virus application, which placed
that file in the repository.

Enabling remote management for files in the repositories


By default, you cannot manage files placed in repositories on client devices.

To enable remote management of files stored in repositories on client devices:

1. In the console tree, select an administration group, for which you want to enable remote management for files in
the repository.

2. In the group workspace, open the Policies tab.

3. On the Policies tab, select the policy of the security application that has placed the files in the repositories on
the devices.

4. In the policy settings window in the Data transfer to Administration Server group of settings, select the check
boxes corresponding to the repositories for which you want to enable the remote management.

The location of the Data transfer to Administration Server settings group in the policy properties window
and the names of check boxes depend on the currently used security application.

Viewing properties of a file placed in repository

To view properties of a file in Quarantine or Backup:

1. In the console tree, select the Repositories folder, the Quarantine or Backup subfolder.

2. In the workspace of the Quarantine (Backup) folder, select a file whose properties you want to view.

3. Select Properties in the context menu of the file.

Deleting files from repositories


To delete a file from Quarantine or Backup:

1. In the console tree, in the Repositories folder, select the Quarantine or Backup subfolder.

2. In the workspace of the Quarantine (or Backup) folder select the files that you want to delete by using the
Shift and Ctrl keys.

3. Delete the les in one of the following ways:

By selecting Delete in the context menu of the files.

By clicking the Delete (Delete if you want to delete one file) link in the information box for the selected files.

The security applications that placed files in repositories on client devices will delete the same files from those
repositories.

Restoring files from repositories


To restore a file from Quarantine or Backup:

1. In the console tree, select the Repositories folder, the Quarantine or Backup subfolder.

2. In the workspace of the Quarantine (Backup) folder select the files that you want to restore by using the Shift
and Ctrl keys.

3. Start restoration of the les in one of the following ways:

By selecting Restore in the context menu of the files.

By clicking the Restore link in the information box for the selected files.

The security applications that placed files in repositories on client devices will restore the same files to their
original folders.

Saving a file from repositories to disk


Kaspersky Security Center allows you to save on a disk copies of files that a security application placed in
Quarantine or Backup on a client device. Files are copied to the device with Kaspersky Security Center installed, to
the specified folder.

To save a copy of a file from Quarantine or Backup to a hard drive:

1. In the console tree, select the Repositories folder, the Quarantine or Backup subfolder.

2. In the workspace of the Quarantine (Backup) folder, select a file that you want to copy to the hard drive.

3. Start copying in one of the following ways:

By selecting Save to Disk in the context menu of the file.

By clicking the Save to Disk link in the information box for the selected file.

The security application that placed the file in Quarantine on the client device will save a copy of that file to the
specified folder.

Scanning files in Quarantine


To scan quarantined files:

1. In the console tree, select the Repositories folder, the Quarantine subfolder.

2. In the workspace of the Quarantine folder, select the files that you want to scan by using the Shift and Ctrl
keys.

3. Start the file scan in one of the following ways:

By selecting Scan in the context menu of the file.

By clicking the Scan link in the information box for the selected files.

The application runs the on-demand scan task for security applications that have placed the selected files in
Quarantine on the devices where those files are stored.

Active threats
Information about unprocessed files that have been detected on client devices is stored in the Repositories
folder, Active threats subfolder.

Postponed processing and disinfection are performed by the security application upon request or after a
specified event occurs. You can configure the postponed processing.

Disinfecting an unprocessed file
To start disinfection of an unprocessed file:

1. In the console tree, in the Repositories folder select the Active threats subfolder.

2. In the workspace of the Active threats folder, select the file that you have to disinfect.

3. Start disinfection of the file in one of the following ways:

By selecting Disinfect in the context menu of the file.

By clicking the Disinfect link in the information box for the selected file.

The attempt to disinfect this file is then performed.

If the file is disinfected, the security application installed on the client device restores it to its original folder. The
record of the file is removed from the list in the Active threats folder. If the file cannot be disinfected, the security
application installed on the device deletes it from that device. The record of the file is removed from the list in the
Active threats folder.

Saving an unprocessed file to disk


Kaspersky Security Center allows you to save to disk copies of unprocessed files found on client devices. Files are
copied to the device with Kaspersky Security Center installed, to the specified folder. You can download a file only
if the file is stored in the backup storage of the managed device.

To save a copy of an unprocessed file to disk:

1. In the console tree, in the Repositories folder select the Active threats subfolder.

2. In the workspace of the Active threats folder, select the files that you have to copy to disk.

3. Start copying in one of the following ways:

By selecting Save to Disk in the context menu of the file.

By clicking the Save to Disk link in the information box for the selected file.

The security application installed on the client device on which the unprocessed file has been found saves a copy
of that file to the specified folder.

Deleting files from the "Active threats" folder


To delete a file from the Active threats folder:

1. In the console tree, in the Repositories folder select the Active threats subfolder.

2. In the workspace of the Active threats folder, select the files that you have to delete by using the Shift and
Ctrl keys.

3. Delete the les in one of the following ways:

By selecting Delete in the context menu of the files.

By clicking the Delete (Delete if you want to delete one file) link in the information box for the selected files.

The security applications that placed the files in repositories on client devices will delete the same files from
those repositories. The records of the files are removed from the list in the Active threats folder.

Kaspersky Security Network (KSN)

This section describes how to use an online service infrastructure named Kaspersky Security Network (KSN). The
section provides the details on KSN, as well as instructions on how to enable KSN, configure access to KSN, and
view the statistics of the use of KSN proxy server.

About KSN
Kaspersky Security Network (KSN) is an online service infrastructure that provides access to the online Knowledge
Base of Kaspersky, which contains information about the reputation of files, web resources, and software. The use
of data from Kaspersky Security Network ensures faster responses by Kaspersky applications to threats, improves
the effectiveness of some protection components, and reduces the risk of false positives. KSN allows you to use
Kaspersky reputation databases to retrieve information about applications installed on managed devices.

Kaspersky Security Center supports the following KSN infrastructure solutions:

Global KSN is a solution that allows you to exchange information with Kaspersky Security Network. If you
participate in KSN, you agree to send to Kaspersky, in automatic mode, information about the operation of
Kaspersky applications installed on client devices that are managed through Kaspersky Security Center.
Information is transferred in accordance with the current KSN access settings. Kaspersky analysts additionally
analyze received information and include it in the reputation and statistical databases of Kaspersky Security
Network. Kaspersky Security Center uses this solution by default.

Private KSN is a solution that allows users of devices with Kaspersky applications installed to obtain access to
reputation databases of Kaspersky Security Network, and other statistical data, without sending data to KSN
from their own computers. Kaspersky Private Security Network (Private KSN) is designed for corporate
customers who are unable to participate in Kaspersky Security Network for any of the following reasons:

User devices are not connected to the internet.

Transmission of any data outside the country or outside the corporate LAN is prohibited by law or restricted
by corporate security policies.

You can set up access settings of Kaspersky Private Security Network in the KSN Proxy settings section of
the Administration Server properties window.

The application prompts you to join KSN while running the Quick Start Wizard. You can start or stop using KSN at
any moment when using the application.

You use KSN in accordance with the KSN Statement that you read and accept when you enable KSN. If the KSN
Statement is updated, it is displayed to you when you update or upgrade Administration Server. You can accept
the updated KSN Statement or decline it. If you decline it, you keep using KSN in accordance with the previous
version of KSN Statement that you accepted before.

When KSN is enabled, Kaspersky Security Center checks if the KSN servers are accessible. If access to the servers
using system DNS is not possible, the application uses public DNS. This is necessary to make sure the level of
security is maintained for the managed devices.

Client devices managed by the Administration Server interact with KSN through KSN proxy server. KSN proxy
server provides the following features:

Client devices can send requests to KSN and transfer information to KSN even if they do not have direct
access to the internet.

The KSN proxy server caches processed data, thus reducing the load on the outbound channel and the time
period spent for waiting for information requested by a client device.

You can configure the KSN proxy server in the KSN Proxy settings section of the Administration Server properties
window.

Setting up access to Kaspersky Security Network


You can set up access to Kaspersky Security Network (KSN) on the Administration Server and on a distribution
point.

To set up Administration Server access to Kaspersky Security Network (KSN):

1. In the console tree, select the Administration Server for which you want to configure access to KSN.

2. In the context menu of the Administration Server, select Properties.

3. In the Administration Server properties window, in the Sections pane, select KSN Proxy → KSN Proxy settings.

4. In the workspace, enable the Use Administration Server as proxy server option to use the KSN proxy service.
Data is sent from client devices to KSN in accordance with the Kaspersky Endpoint Security policy, which is
active on those client devices. If this check box is cleared, no data will be sent to KSN from the Administration
Server and client devices through Kaspersky Security Center. However, client devices can send data to KSN
directly (bypassing Kaspersky Security Center), in accordance with their respective settings. The Kaspersky
Endpoint Security for Windows policy, which is active on client devices, determines which data will be sent
directly (bypassing Kaspersky Security Center) from those devices to KSN.

5. Enable the I agree to use Kaspersky Security Network option.


If this option is enabled, client devices send patch installation results to Kaspersky. When enabling this option,
make sure to read and accept the terms of the KSN Statement.
If you are using Private KSN, enable the Configure Private KSN option and click the Select file with KSN
Proxy settings button to download the settings of Private KSN (files with the extensions pkcs7 and pem). After
the settings are downloaded, the interface displays the provider's name and contacts, as well as the creation
date of the file with the settings of Private KSN.

When you enable Private KSN, pay attention to the distribution points configured to send KSN requests
directly to the Cloud KSN. The distribution points that have Network Agent version 11 (or earlier) installed
will continue to send KSN requests to the Cloud KSN. To recon gure the distribution points to send KSN
requests to Private KSN, enable the Forward KSN requests to Administration Server option for each
distribution point. You can enable this option in the distribution point properties or in the Network Agent
policy.

When you select the Configure Private KSN check box, a message appears with details about Private KSN.
The following Kaspersky applications support Private KSN:

Kaspersky Security Center

Kaspersky Endpoint Security for Windows

Kaspersky Security for Virtualization 3.0 Agentless Service Pack 2

Kaspersky Security for Virtualization 3.0 Service Pack 1 Light Agent

If you enable the Configure Private KSN option in Kaspersky Security Center, these applications receive
information about supporting Private KSN. In the settings window of the application, in the Kaspersky Security
Network subsection of the Advanced Threat Protection section, KSN provider: Private KSN is displayed.
Otherwise, KSN provider: Global KSN is displayed.

If you use application versions earlier than Kaspersky Security for Virtualization 3.0 Agentless Service Pack
2 or earlier than Kaspersky Security for Virtualization 3.0 Service Pack 1 Light Agent when running Private
KSN, we recommend that you use secondary Administration Servers for which the use of Private KSN has
not been enabled.

Kaspersky Security Center does not send any statistical data to Kaspersky Security Network if Private
KSN is configured in the KSN Proxy → KSN Proxy settings section of the Administration Server
properties window.

If you have the proxy server settings con gured in the Administration Server properties, but your network
architecture requires that you use Private KSN directly, enable the Ignore proxy server settings when
connecting to Private KSN option. Otherwise, requests from the managed applications cannot reach Private
KSN.

6. Configure the Administration Server connection to the KSN proxy service:

Under Connection settings, for the TCP port, specify the number of the TCP port that will be used for
connecting to the KSN proxy server. The default port to connect to the KSN proxy server is 13111.

If you want the Administration Server to connect to the KSN proxy server through a UDP port, enable the
Use UDP port option and specify a port number for the UDP port. By default, this option is disabled, and
TCP port is used. If this option is enabled, the default UDP port to connect to the KSN proxy server is 15111.

7. Enable the Connect secondary Administration Servers to KSN through primary Administration Server
option.
If this option is enabled, secondary Administration Servers use the primary Administration Server as the KSN
proxy server. If this option is disabled, secondary Administration Servers connect to KSN on their own. In this
case, managed devices use secondary Administration Servers as KSN proxy servers.

Secondary Administration Servers use the primary Administration Server as a proxy server if in the right
pane of the KSN Proxy settings section, in the properties of secondary Administration Servers the Use
Administration Server as a proxy server check box is selected.

8. Click OK.

The KSN access settings will be saved.

You can also set up distribution point access to KSN, for example, if you want to reduce the load on the
Administration Server. The distribution point that acts as a KSN proxy server sends KSN requests from managed
devices to Kaspersky directly, without using the Administration Server.

To set up distribution point access to Kaspersky Security Network (KSN):

1. Make sure that the distribution point is assigned manually.

2. In the console tree, select the Administration Server node.

3. In the context menu of the Administration Server, select Properties.

4. In the Administration Server properties window, select the Distribution points section.

5. Select the distribution point in the list and click the Properties button to open its properties window.

6. In the distribution point properties window, in the KSN Proxy section, select Access KSN Cloud directly over
Internet.

7. Click OK.

The distribution point will act as a KSN proxy server.

Enabling and disabling KSN


To enable KSN:

1. In the console tree, select the Administration Server for which you need to enable KSN.

2. In the context menu of the Administration Server, select Properties.

3. In the Administration Server properties window, in the KSN Proxy section, select the KSN Proxy settings
subsection.

4. Select the Use Administration Server as a proxy server.


The KSN proxy server is enabled.

5. Select the I agree to use Kaspersky Security Network check box.


KSN will be enabled.
If this check box is selected, client devices send patch installation results to Kaspersky. When selecting this
check box, you should read and accept the terms of the KSN Statement.

6. Click OK.

To disable KSN:

1. In the console tree, select the Administration Server for which you need to disable KSN.

2. In the context menu of the Administration Server, select Properties.

3. In the Administration Server properties window, in the KSN Proxy section, select the KSN Proxy settings
subsection.

4. Clear the Use Administration Server as proxy server check box to disable the KSN proxy service, or clear the I
agree to use Kaspersky Security Network check box.
If this check box is cleared, client devices will send no patch installation results to Kaspersky.
If you are using Private KSN, clear the Con gure Private KSN check box.
KSN will be disabled.

5. Click OK.

Viewing the accepted KSN Statement

When you enable Kaspersky Security Network (KSN), you must read and accept the KSN Statement. You can view
the accepted KSN Statement at any time.

To view the accepted KSN Statement:

1. In the console tree, select the Administration Server for which you enabled KSN.

2. In the context menu of the Administration Server, select Properties.

3. In the Administration Server properties window, in the KSN Proxy section, select the KSN Proxy settings
subsection.

4. Click the View accepted KSN Statement link.

In the window that opens, you can view the text of the accepted KSN Statement.

Viewing the KSN proxy server statistics


KSN proxy server is a service that ensures interaction between the Kaspersky Security Network infrastructure
and client devices that are managed through the Administration Server.

Using a KSN proxy server provides the following features:

Client devices can send requests to KSN and transfer information to KSN even if they do not have direct
access to the internet.

The KSN proxy server caches processed data, thus reducing the load on the outbound channel and the time
period spent for waiting for information requested by a client device.

In the Administration Server properties window, you can con gure the KSN proxy server and view statistics on the
KSN proxy server usage.

To view the statistics of KSN proxy server:

1. In the console tree, select the Administration Server for which you need to view the KSN statistics.

2. In the context menu of the Administration Server, select Properties.

3. In the Administration Server properties window, in the KSN Proxy section, select the KSN Proxy statistics
subsection.
This section displays the statistics of the operation of KSN proxy server. If necessary, perform these additional
actions:

Click Refresh to update the statistics on the KSN proxy server usage.

Click the Export to file button to export the statistics to a CSV file.

Click the Check KSN connection button to check if the Administration Server is currently connected to
KSN.

4. Click the OK button to close the Administration Server properties window.

Accepting an updated KSN Statement


You use KSN in accordance with the KSN Statement that you read and accept when you enable KSN. If the KSN
Statement is updated, it is displayed to you when you update or upgrade Administration Server. You can accept
the updated KSN Statement or decline it. If you decline it, you keep using KSN in accordance with the version of
the KSN Statement that you previously accepted.

After updating or upgrading Administration Server, the updated KSN Statement is displayed automatically. If you
decline the updated KSN Statement, you still can view and accept it later.

To view and then accept or decline an updated KSN Statement:

1. In the console tree, select the Administration Server node.

2. On the Monitoring tab, in the Monitoring section, click the The accepted Kaspersky Security Network
Statement is obsolete link.
The KSN Statement window opens.

3. Carefully read the KSN Statement, and then make your decision. If you accept the updated KSN Statement,
click the I accept the terms of the License Agreement button. If you decline the updated KSN Statement,
click the Cancel button.

Depending on your choice, KSN keeps working in accordance with the terms of the current or updated KSN
Statement. You can view the text of the accepted KSN Statement in the properties of Administration Server at
any time.

Enhanced protection with Kaspersky Security Network


Kaspersky offers an extra layer of protection to users through the Kaspersky Security Network. This protection
method is designed to combat advanced persistent threats and zero-day attacks. Integrated cloud technologies
and the expertise of Kaspersky virus analysts make Kaspersky Endpoint Security the unsurpassed choice for
protection against the most sophisticated network threats.

Details on enhanced protection in Kaspersky Endpoint Security are available on the Kaspersky website.

Checking whether the distribution point works as KSN proxy server


On a managed device assigned to work as a distribution point, you can enable KSN proxy server. A managed device
works as KSN proxy server when the ksnproxy service is running on the device. You can check, turn on, or turn off
this service on the device locally.

You can assign a Windows-based or a Linux-based device as a distribution point. The method of distribution point
checking depends on the operating system of this distribution point.

To check whether the Windows-based distribution point works as KSN proxy server:

1. On the distribution point device, in Windows, open Services (All Programs → Administrative Tools →
Services).

2. In the list of services, check whether the ksnproxy service is running.
If the ksnproxy service is running, then Network Agent on the device participates in Kaspersky Security
Network and works as KSN proxy server for the managed devices included in the scope of the distribution
point.

If you want, you may turn off the ksnproxy service. In this case, Network Agent on the distribution point stops
participating in Kaspersky Security Network. This requires local administrator rights.

To check whether the Linux-based distribution point works as KSN proxy server:

1. On the distribution point device, display the list of running processes.

2. In the list of running processes, check whether the /opt/kaspersky/ksc64/sbin/ksnproxy process is running.

If the /opt/kaspersky/ksc64/sbin/ksnproxy process is running, then Network Agent on the device participates in
Kaspersky Security Network and works as the KSN proxy server for the managed devices included in the scope of
the distribution point.

Switching between Online Help and Offline Help


If you do not have internet access, you can use the Offline Help.

To switch between Online Help and Offline Help:

1. In the Kaspersky Security Center main window, in the console tree, select the Kaspersky Security Center 14 node.

2. Click the Global interface settings link.


The settings window opens.

3. In the settings window, click Use Offline Help.

4. Click OK.

The settings are applied and saved. You can change the settings back and start using Online Help at any time.

Export of events to SIEM systems


This section explains how to export events registered by Kaspersky Security Center to external Security
Information and Event Management (SIEM) systems.

Scenario: configuring event export to SIEM systems


Kaspersky Security Center allows you to configure event export by one of the following methods: export to any SIEM
system that uses the Syslog format, export to QRadar, Splunk, or ArcSight SIEM systems that use the LEEF and CEF
formats, or export of events to SIEM systems directly from the Kaspersky Security Center database. When you
complete this scenario, Administration Server sends events to the SIEM system automatically.

Prerequisites

Before you start configuring export of events in Kaspersky Security Center:

Learn more about the methods of event export.

Make sure that you have the values of system settings.

You can perform the steps of this scenario in any order.

The process of export of events to SIEM system consists of the following steps:

Configuring the SIEM system to receive events from Kaspersky Security Center

How-to instructions: Configuring event export in a SIEM system

Selecting events you want to export to SIEM system:

How-to instructions:

Administration Console: Marking events of a Kaspersky application for export in Syslog format, Marking general
events for export in Syslog format

Kaspersky Security Center Web Console: Marking events of a Kaspersky application for export in Syslog format,
Marking general events for export in Syslog format

Configuring export of events to the SIEM system using one of the following methods:

Using TCP/IP, UDP or TLS over TCP protocols.


How-to instructions:

Administration Console: Configuring export of events to SIEM systems

Kaspersky Security Center Web Console: Configuring export of events to SIEM systems

Using export of events directly from the Kaspersky Security Center database (A set of public views is provided
in the Kaspersky Security Center database; you can find the description of these public views in the klakdb.chm
document.)

Results

After configuring export of events to the SIEM system, you can view the export results if you selected the events
that you want to export.

Before you begin


When setting up automatic export of events in the Kaspersky Security Center, you must specify some of the SIEM
system settings. It is recommended that you check these settings in advance in order to prepare for setting up
Kaspersky Security Center.

To successfully configure automatic sending of events to a SIEM system, you must know the following settings:

SIEM system server address

The IP address of the server on which the currently used SIEM system is installed. Check this value in your
SIEM system settings.

SIEM system server port

Port number used to establish a connection between Kaspersky Security Center and your SIEM system
server. You specify this value in the Kaspersky Security Center settings and in the receiver settings of your
SIEM system.

Protocol

Protocol used for transferring messages from Kaspersky Security Center to your SIEM system. You
specify this value in the Kaspersky Security Center settings and in the receiver settings of your SIEM
system.

About events in Kaspersky Security Center


Kaspersky Security Center allows you to receive information about events that occur during the operation of
Administration Server and Kaspersky applications installed on managed devices. Information about events is saved
in the Administration Server database. You can export this information to external SIEM systems. Exporting event
information to external SIEM systems enables administrators of SIEM systems to promptly respond to security
system events that occur on managed devices or administration groups.

Event types

In Kaspersky Security Center, there are the following types of events:

General events. These events occur in all managed Kaspersky applications. An example of a general event is
Virus outbreak. General events have strictly defined syntax and semantics. General events are used, for
instance, in reports and dashboards.

Managed Kaspersky applications-specific events. Each managed Kaspersky application has its own set of
events.

Event sources

Events can be generated by the following applications:

Kaspersky Security Center components:

Administration Server

Network Agent

iOS MDM Server

Exchange Mobile Device Server

Managed Kaspersky applications


For details about the events generated by Kaspersky managed applications, refer to the documentation of the
corresponding application.

You can view the full list of events that can be generated by an application on the Event configuration tab in the
application policy. For Administration Server, you can additionally view the event list in the Administration Server
properties.

Importance level of events

Each event has its own importance level. Depending on the conditions of its occurrence, an event can be assigned
various importance levels. There are four importance levels of events:

A critical event is an event that indicates the occurrence of a critical problem that may lead to data loss, an
operational malfunction, or a critical error.

A functional failure is an event that indicates the occurrence of a serious problem, error or malfunction that
occurred during operation of the application or while performing a procedure.

A warning is an event that is not necessarily serious, but nevertheless indicates a potential problem in the
future. Most events are designated as warnings if the application can be restored without loss of data or
functional capabilities after such events occur.

An info event is an event that occurs for the purpose of informing about successful completion of an
operation, proper functioning of the application, or completion of a procedure.

Each event has a defined storage term, during which you can view or modify it in Kaspersky Security Center. Some
events are not saved in the Administration Server database by default because their defined storage term is zero.
Only events that will be stored in the Administration Server database for at least one day can be exported to
external systems.

About event export


You can use event export within centralized systems that deal with security issues on an organizational and
technical level, provide security monitoring services, and consolidate information from different solutions. These
are SIEM systems, which provide real-time analysis of security alerts and events generated by network hardware
and applications, or Security Operation Centers (SOCs).

These systems receive data from many sources, including networks, security, servers, databases, and applications.
SIEM systems also provide functionality to consolidate monitored data in order to help you avoid missing critical
events. In addition, the systems perform automated analysis of correlated events and alerts in order to notify the
administrators of immediate security issues. Alerting can be implemented through a dashboard or can be sent
through third-party channels such as email.

The process of exporting events from Kaspersky Security Center to external SIEM systems involves two parties:
an event sender (Kaspersky Security Center) and an event receiver (the SIEM system). To successfully export events,
you must configure this in your SIEM system and in the Kaspersky Security Center Administration Console. It does
not matter which side you configure first. You can configure the transmission of events in Kaspersky Security
Center and then configure the receipt of events by the SIEM system, or vice versa.

Methods for sending events from Kaspersky Security Center

There are three methods for sending events from Kaspersky Security Center to external systems:

Sending events over the Syslog protocol to any SIEM system


Using the Syslog protocol, you can relay any events that occur on the Kaspersky Security Center
Administration Server and in Kaspersky applications that are installed on managed devices. The Syslog protocol
is a standard message-logging protocol. You can use it to export events to any SIEM system.
For this purpose, you need to mark the events that you want to relay to the SIEM system. You can mark the
events in Administration Console or Kaspersky Security Center Web Console. Only marked events will be
relayed to the SIEM system. If you marked nothing, no events will be relayed.

Sending events over the CEF and LEEF protocols to QRadar, Splunk, and ArcSight systems
You can use the CEF and LEEF protocols to export general events. When exporting events over the CEF and
LEEF protocols, you do not have the capability to select specific events to export. Instead, all general events
are exported. Unlike the Syslog protocol, the CEF and LEEF protocols are not universal. CEF and LEEF are
intended for the appropriate SIEM systems (QRadar, Splunk, and ArcSight). Therefore, when you choose to
export events over one of these protocols, you use the required parser in the SIEM system.

To export events over the CEF and LEEF protocols, the Integration with the SIEM systems feature must be
activated in Administration Server by using an active license key or valid activation code.

Directly from the Kaspersky Security Center database to any SIEM system
This method of exporting events can be used to receive events directly from public views of the database by
means of SQL queries. The results of a query are saved to an XML le that can be used as input data for an
external system. Only events available in public views can be exported directly from the database.

Receipt of events by the SIEM system

The SIEM system must receive and correctly parse events received from Kaspersky Security Center. For these
purposes, you must properly configure the SIEM system. The configuration depends on the specific SIEM system
utilized. However, there are a number of general steps in the configuration of all SIEM systems, such as configuring
the receiver and the parser.

About configuring event export in a SIEM system


The process of exporting events from Kaspersky Security Center to external SIEM systems involves two parties:
an event sender (Kaspersky Security Center) and an event receiver (the SIEM system). You must configure the export
of events in your SIEM system and in Kaspersky Security Center.

The settings that you specify in the SIEM system depend on the particular system that you are using. Generally, for
all SIEM systems you must set up a receiver and, optionally, a message parser to parse received events.

Setting up the receiver

To receive events sent by Kaspersky Security Center, you must set up the receiver in your SIEM system. In general,
the following settings must be specified in the SIEM system:

Export protocol or input type


It is the message transfer protocol, either TCP/IP or UDP. This protocol must be the same as the protocol
you specified in Kaspersky Security Center.

Port

Port number to connect to Kaspersky Security Center. This port must be the same as the port you
specified in Kaspersky Security Center.

Message protocol or source type

The protocol used to export events to the SIEM system. It can be one of the standard protocols: Syslog,
CEF, or LEEF. The SIEM system selects the message parser according to the protocol you specify.

Depending on the SIEM system that you use, you may have to specify some additional receiver settings.

The figure below shows the receiver setup screen in ArcSight.

Receiver setup in ArcSight

Message parser

Exported events are passed to SIEM systems as messages. These messages must be properly parsed so that
information on the events can be used by the SIEM system. Message parsers are part of the SIEM system; they are
used to split the contents of the message into the relevant fields, such as event ID, severity, description,
parameters and so on. This enables the SIEM system to process events received from Kaspersky Security Center
so that they can be stored in the SIEM system database.

Each SIEM system has a set of standard message parsers. Kaspersky also provides message parsers for some
SIEM systems, for example, for QRadar and ArcSight. You can download these message parsers from the websites
of the corresponding SIEM systems. When configuring the receiver, you can select to use one of the standard
message parsers or a message parser from Kaspersky.
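A SIEM receiver does the field splitting described above with one parser per message protocol. The Python sketch below is an added example, not code from this documentation or from Kaspersky: it splits a CEF header on its pipe delimiters while honouring the "\|" and "\\" escapes, splits the CEF extension into key=value fields, and parses a LEEF header with its tab or declared delimiter. The sample messages, vendor and product names, event ID and attribute keys are constructed placeholders, not the field layout Administration Server actually emits.

```python
"""Parse CEF and LEEF messages into fields, as a SIEM message parser does.

Added example for this section (not Kaspersky's code). The sample messages,
the vendor/product names, the event ID and the attribute keys are constructed
placeholders, not the field layout Administration Server actually emits.
"""
import re
from dataclasses import dataclass, field

@dataclass
class SiemEvent:
    fmt: str                 # "CEF" or "LEEF"
    vendor: str
    product: str
    version: str
    event_id: str
    name: str = ""           # CEF "Name" header field; LEEF has no equivalent
    severity: str = ""       # CEF "Severity" header field; LEEF carries it as an attribute
    attrs: dict = field(default_factory=dict)

def _split_cef_header(text):
    """Split the seven pipe-delimited CEF header fields, honouring the \\| and \\\\
    escapes. Returns (fields, extension_text)."""
    fields, cur, i = [], [], 0
    while i < len(text) and len(fields) < 7:
        ch = text[i]
        if ch == "\\" and i + 1 < len(text):     # escaped '|' or '\' inside a field
            cur.append(text[i + 1])
            i += 2
        elif ch == "|":
            fields.append("".join(cur))
            cur = []
            i += 1
        else:
            cur.append(ch)
            i += 1
    if len(fields) != 7:
        raise ValueError("CEF header must have seven pipe-delimited fields")
    return fields, text[i:]

_CEF_ESCAPES = {"n": "\n", "r": "\r"}   # \= and \\ unescape to the character itself

def _parse_cef_extension(ext):
    """Split 'key=value key2=value ...'. Values may contain spaces and \\= escapes,
    so a new pair starts only where a space is followed by key=."""
    attrs = {}
    for pair in re.split(r" (?=[A-Za-z0-9_.]+=)", ext.strip()):
        key, sep, value = pair.partition("=")
        if sep:
            attrs[key] = re.sub(r"\\(.)", lambda m: _CEF_ESCAPES.get(m.group(1), m.group(1)), value)
    return attrs

def parse_cef(line):
    """CEF:Version|Vendor|Product|Version|Event Class ID|Name|Severity|Extension"""
    start = line.find("CEF:")
    if start < 0:
        raise ValueError("no CEF header found")
    hdr, ext = _split_cef_header(line[start:])
    return SiemEvent("CEF", hdr[1], hdr[2], hdr[3], hdr[4], hdr[5], hdr[6],
                     _parse_cef_extension(ext))

def _leef_delimiter(spec):
    """LEEF 2.0 delimiter field: empty means tab; 'x5E' / '0x5E' is a hex code point."""
    if not spec:
        return "\t"
    if spec.lower().startswith(("x", "0x")) and len(spec) > 1:
        return chr(int(spec.lstrip("0xX"), 16))
    return spec

def parse_leef(line):
    """LEEF:1.0|Vendor|Product|Version|EventID|attrs  (LEEF 2.0 adds a delimiter field)"""
    start = line.find("LEEF:")
    if start < 0:
        raise ValueError("no LEEF header found")
    n_header = 6 if line[start + 5:].startswith("2.") else 5
    parts = line[start:].split("|", n_header)
    if len(parts) != n_header + 1:
        raise ValueError("LEEF header is incomplete")
    delim = _leef_delimiter(parts[5]) if n_header == 6 else "\t"
    attrs = {}
    for pair in parts[-1].split(delim):
        key, sep, value = pair.partition("=")
        if sep:
            attrs[key] = value
    return SiemEvent("LEEF", parts[1], parts[2], parts[3], parts[4], attrs=attrs)

def parse_siem_message(line):
    # Dispatch on the header prefix, as a receiver configured for both formats would
    if "LEEF:" in line:
        return parse_leef(line)
    if "CEF:" in line:
        return parse_cef(line)
    raise ValueError("unrecognised message format")

# Constructed samples: placeholder vendor, product, event ID and attribute keys
CEF_SAMPLE = ("CEF:0|ExampleVendor|ExampleProduct|1.0|EXAMPLE_EVENT_ID|Virus outbreak|9|"
              "rt=May 04 2023 12:34:56 dvchost=ksc-srv.example.local shost=ws-17 "
              "msg=Constructed sample: path\\=C:\\\\temp\\\\file.exe")
LEEF_SAMPLE = ("LEEF:1.0|ExampleVendor|ExampleProduct|1.0|EXAMPLE_EVENT_ID|"
               "devTime=May 04 2023 12:34:56\tsrc=10.0.0.5\tsev=9\tcat=Virus outbreak")
```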

Marking of events for export to SIEM systems in Syslog format


This section describes how to mark events for further export to SIEM systems in Syslog format.

About marking events for export to SIEM system in the Syslog format
After enabling automatic export of events, you must select which events will be exported to the external SIEM
system.

You can configure export of events in the Syslog format to an external system based on one of the following
conditions:

Marking general events. If you mark events to export in a policy, in the settings of an event, or in the
Administration Server settings, the SIEM system will receive the marked events that occurred in all applications
managed by the specific policy. If exported events were selected in the policy, you will not be able to redefine
them for an individual application managed by this policy.

Marking events for a managed application. If you mark events to export for a managed application installed on a
managed device, the SIEM system will receive only the events that occurred in this application.

Marking events of a Kaspersky application for export in Syslog format


If you want to export events that occurred in an individual managed application installed on a managed device,
mark the events for export for the application. If previously exported events were marked in the policy, you will not
be able to redefine the marked events for an individual application managed by this policy.

To mark the events for export for an individual managed application:

1. In the Kaspersky Security Center console tree, select the Managed devices node and go to the Devices tab.

2. Right-click to open the context menu of the relevant device and select Properties.

3. In the device properties window that opens, select the Applications section.

4. In the list of applications that appears, select the application whose events you need to export and click the
Properties button.

5. In the application properties window, select the Event configuration section.

6. In the list of events that appears, select one or several events that need to be exported to the SIEM system,
and click the Properties button.

7. In the event properties window that appears, select the Export to SIEM system using Syslog check box to
mark the selected events for export in Syslog format. Clear the Export to SIEM system using Syslog check
box to unmark the selected events for export in Syslog format.

If event properties are defined in a policy, the fields of this window cannot be edited.

Event properties window

8. Click OK to save the changes.

9. Click OK in the application properties window and in the device properties window.

The marked events will be sent to the SIEM system in Syslog format. The events for which you cleared the
Export to SIEM system using Syslog check box will not be exported to a SIEM system. The export starts
immediately after you enable automatic export and select the events to export. Configure the SIEM system to
ensure that it can receive events from Kaspersky Security Center.

Marking general events for export in Syslog format


If you want to export events that occurred in all applications managed by a specific policy, mark the events to
export in the policy. In this case, you cannot mark events for an individual managed application.

To mark general events for export to a SIEM system:

1. In the Kaspersky Security Center console tree, select the Policies node.

2. Right-click to open the context menu of the relevant policy and select Properties.

3. In the policy properties window that opens, select the Event configuration section.

4. In the list of events that appears, select one or several events that need to be exported to the SIEM system,
and click the Properties button.
If you need to select all events, click the Select all button.

5. In the event properties window that appears, select the Export to SIEM system using Syslog check box to
mark the selected events for export in Syslog format. Unselect the Export to SIEM system using Syslog check
box to unmark the selected events for export in Syslog format.

Administration Server event properties window

6. Click OK to save the changes.

7. In the policy properties window, click OK.

The marked events will be sent to the SIEM system in Syslog format. The events for which you cleared the
Export to SIEM system using Syslog check box will not be exported to a SIEM system. The export starts
immediately after you enable automatic export and select the events to export. Configure the SIEM system to
ensure that it can receive events from Kaspersky Security Center.

About exporting events using Syslog format


You can use the Syslog format to export events that occur in Administration Server and in other Kaspersky
applications installed on managed devices to SIEM systems.

Syslog is a standard message logging protocol. It permits separation of the software that generates messages,
the system that stores them, and the software that reports and analyzes them. Each message is labeled with a
facility code, indicating the type of software that generated the message, and is assigned a severity level.

The Syslog format is defined by Request for Comments (RFC) documents published by the Internet Engineering
Task Force (internet standards). The RFC 5424 standard is used to export the events from Kaspersky Security
Center to external systems.

In Kaspersky Security Center, you can configure export of the events to the external systems using the Syslog
format.

The export process consists of two steps:

1. Enabling automatic event export. At this step, Kaspersky Security Center is configured so that it sends events
to the SIEM system. Kaspersky Security Center starts sending events immediately after you enable automatic
export.

2. Selecting the events to be exported to the external system. At this step, you select which events to export to
the SIEM system.
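The following Python example, added here and not part of the Kaspersky documentation or of the product, shows what an RFC 5424 message looks like on the receiving side and how the two labels described above are carried in it: the PRI field at the start of the message packs the facility code and the severity level into one number (PRI = facility * 8 + severity). It also shows what a fixed maximum message size does to a long event (the Syslog export settings described later in this section default to 2048 bytes). The two sample lines are constructed for the example; the hostname, application name, structured-data ID and event text are invented and are not captured output of Kaspersky Security Center.

```python
"""Parse RFC 5424 syslog lines and apply a maximum message size (added example)."""
import re

# Constructed samples, not real Kaspersky Security Center output.
SAMPLE = ('<14>1 2023-05-04T10:15:30Z ksc-server01 KSC - - - '
          'Device status is Critical: host=WS-0042 reason=Protection is off')
SAMPLE_SD = ('<11>1 2023-05-04T10:16:02Z ksc-server01 KSC - - '
             '[ksc@23668 host="WS-0042" status="Critical"] Device status is Critical')

# Severity values 0..7 as named in RFC 5424, section 6.2.1.
SEVERITIES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]

# HEADER = PRI VERSION SP TIMESTAMP SP HOSTNAME SP APP-NAME SP PROCID SP MSGID,
# followed by STRUCTURED-DATA and an optional MSG. Structured-data values that
# contain an escaped ']' are not handled by this simplified pattern.
HEADER_RE = re.compile(
    r'^<(?P<pri>\d{1,3})>(?P<version>\d{1,2}) (?P<ts>\S+) (?P<host>\S+) '
    r'(?P<app>\S+) (?P<procid>\S+) (?P<msgid>\S+) '
    r'(?P<sd>-|(?:\[[^\]]*\])+)(?: (?P<msg>.*))?$', re.S)
SD_ELEMENT_RE = re.compile(r'\[(?P<id>[^\s\]]+)(?P<params>(?:\s+[^\s=\]]+="[^"]*")*)\]')
SD_PARAM_RE = re.compile(r'(?P<k>[^\s=\]]+)="(?P<v>[^"]*)"')


def split_pri(pri: int) -> tuple:
    """Decode PRI into (facility code, severity name)."""
    if not 0 <= pri <= 191:          # 24 facilities * 8 severities - 1
        raise ValueError(f"PRI out of range: {pri}")
    return pri // 8, SEVERITIES[pri % 8]


def parse_sd(sd: str) -> dict:
    """Turn STRUCTURED-DATA into {sd_id: {param: value}}; '-' means none."""
    if sd == "-":
        return {}
    return {m["id"]: {p["k"]: p["v"] for p in SD_PARAM_RE.finditer(m["params"])}
            for m in SD_ELEMENT_RE.finditer(sd)}


def parse(line: str) -> dict:
    """Parse one RFC 5424 line into its header fields, structured data and message."""
    m = HEADER_RE.match(line)
    if m is None:
        raise ValueError("not an RFC 5424 message")
    d = m.groupdict()
    d["facility"], d["severity"] = split_pri(int(d.pop("pri")))
    d["version"] = int(d["version"])
    d["sd"] = parse_sd(d["sd"])
    d["msg"] = d["msg"] or ""
    return d


def truncate(line: str, max_bytes: int = 2048) -> tuple:
    """Apply a maximum message size. Returns (bytes_sent, data_was_lost).

    The size limit is in bytes, so the cut is made on the UTF-8 encoding and then
    moved back to a character boundary so the receiver still gets valid UTF-8.
    """
    data = line.encode("utf-8")
    if len(data) <= max_bytes:
        return data, False
    kept = data[:max_bytes].decode("utf-8", errors="ignore").encode("utf-8")
    return kept, True


if __name__ == "__main__":
    for sample in (SAMPLE, SAMPLE_SD):
        ev = parse(sample)
        print(f"facility={ev['facility']} severity={ev['severity']} "
              f"host={ev['host']} sd={ev['sd']} msg={ev['msg']!r}")
    sent, lost = truncate(SAMPLE, 40)
    print(f"40-byte limit: sent={sent!r} lost={lost}")
```

A message that has been cut short still parses if the limit is larger than the header, but whatever came after the cut (typically the end of the event description) is gone without any marker, which is why the setting deserves a look when long event descriptions arrive incomplete in the SIEM.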

About exporting events using CEF and LEEF formats
You can use the CEF and LEEF formats to export to SIEM systems general events, as well as the events
transferred by Kaspersky applications to the Administration Server. The set of export events is predefined, and
you cannot select the events to be exported.

To export events over the CEF and LEEF protocols, the Integration with the SIEM systems feature must be
activated in Administration Server by using an active license key or valid activation code.

Select the format of export on the basis of the SIEM system used. The table below shows SIEM systems and the
corresponding formats of export.

Formats of event export to a SIEM system

SIEM system Format of export

QRadar LEEF

ArcSight CEF

Splunk CEF

LEEF (Log Event Extended Format)—A customized event format for IBM Security QRadar SIEM. QRadar can
integrate, identify, and process LEEF events. LEEF events must use UTF-8 character encoding. You can find
detailed information on the LEEF protocol in IBM Knowledge Center.

CEF (Common Event Format)—An open log management standard that improves the interoperability of
security-related information from different security and network devices and applications. CEF enables you to
use a common event log format so that data can easily be integrated and aggregated for analysis by an
enterprise management system.

Automatic export means that Kaspersky Security Center sends general events to the SIEM system. Automatic
export of events starts immediately after you enable it. This section explains in detail how to enable automatic
event export.

Configuring Kaspersky Security Center for export of events to a SIEM system

You can enable automatic event export in Kaspersky Security Center.

Only general events can be exported from managed applications over the CEF and LEEF formats.
Application-specific events cannot be exported from managed applications over the CEF and LEEF formats.
If you need to export events of managed applications or a custom set of events that has been configured
using the policies of managed applications, you have to export the events in the Syslog format.

To enable automatic export of events:

1. In the Kaspersky Security Center console tree, select the Administration Server whose events you want to
export.

2. In the workspace of the selected Administration Server, select the Events tab.

3. Click the drop-down arrow next to the Configure notifications and event export link and select Configure
export to SIEM system in the drop-down list.
The events properties window opens, displaying the Event export section.

4. In the Event export section, specify the following export settings:

Event export section of the event properties window

Automatically export events to SIEM system database

Select this check box to enable automatic export of events to SIEM systems. Selecting this check box
enables all fields in the Exporting events section.

SIEM system

Select the SIEM system to export the events: QRadar® (LEEF format), ArcSight (CEF format), Splunk®
(CEF format), and Syslog format (RFC 5424).

SIEM system server address

Specify the SIEM system server address. The address can be specified as a DNS or NetBIOS name or
as an IP address.

SIEM system server port

Specify the port number to connect to the SIEM system server. This port number must be the same as
the one your SIEM system uses to receive the events (see section Configuring a SIEM system for
details).

Protocol

Select the protocol to be used for transferring messages to the SIEM system. You can select either the
TCP/IP, UDP, or TLS over TCP protocol.

Specify the following TLS settings if you select the TLS over TCP protocol:

SIEM server authentication


Choose one of the following ways to authenticate the SIEM system server:

By using CA certificates. You can receive a file with a list of certificates from a trusted
certification authority (CA) and upload the file to Kaspersky Security Center. Kaspersky Security
Center then checks whether the SIEM system server certificate is signed by a trusted CA.
To add a trusted certificate, click the Browse button, and then upload the certificate.
If you select the By using CA certificates option, you can specify subject names in the Subjects
of server certificates (optional) field. A subject name is the domain name for which the certificate
was issued. Kaspersky Security Center cannot connect to the SIEM system server if the domain
name of the SIEM system server does not match the subject name in the SIEM system server
certificate. However, you can allow the SIEM system server to use a domain name other than the
one in its certificate by listing the accepted subject names in the Subjects of server
certificates (optional) field. If any of the specified subject names matches the subject name of
the SIEM system certificate, Kaspersky Security Center validates the SIEM system server
certificate.

By using SHA-1 thumbprints of server certificates. You can specify SHA-1 thumbprints of the
SIEM system certificates in Kaspersky Security Center. To add a SHA-1 thumbprint, enter it in the
field under the option.

Client authentication
For client authentication, you can insert your certi cate or generate it in Kaspersky Security Center.

Insert certificate. You can use a certificate that you received from any source, for example, from
any trusted CA. To insert an existing certificate, click the Browse for certificate button. In the
opened Certificate window, choose one of the following certificate types, and then specify the
certificate and its private key:

X.509 certificate. Upload a file with a private key in the Private key (*.prk, *.pem) field, and a
file with a certificate in the Certificate (*.cer) field. To do this, click the Browse button to the
right of the corresponding field, and then add the required file. The two files are independent of
each other, and the order in which you upload them does not matter. After you upload both files,
specify the password for decrypting the private key in the Password field. The password can
be empty if the private key is not encrypted.

PKCS #12 container. Upload a single file that contains a certificate and its private key in
the Certificate file field. To do this, click the Browse button to the right of the field, and then
add the required file. After you upload the file, specify the password for decrypting the private
key in the Password field. The password can be empty if the private key is not
encrypted.

Generate key. You can generate a self-signed certificate in Kaspersky Security Center. Click the
Generate certificate button, and then enter a subject name in the Subject field. The client
certificate is generated for this subject name and the SHA-1 thumbprint of this certificate is
displayed in the SHA-1 thumbprint of client certificate field. As a result, Kaspersky Security
Center stores the generated self-signed certificate, and you can pass the public part of the
certificate or SHA-1 thumbprint to the SIEM system.

If you select Syslog format, you must specify:

Maximum message size, in bytes

Specify the maximum size (in bytes) of one message relayed to the SIEM system. Each event is relayed
in one message. If the actual length of a message exceeds the specified value, the message is
truncated and data may be lost. The default size is 2048 bytes. This field is available only if you selected
the Syslog format in the SIEM system field.

5. If you want to export to the SIEM system database the events that occurred after a specified date in the past,
click the Export archive button and specify the start date for event export. By default, the event export starts
immediately after you enable it.

6. Click OK.

Automatic export of events is enabled.

After enabling automatic export of events, you must select which events will be exported to the SIEM system.

Exporting events directly from the database


You can retrieve events directly from the Kaspersky Security Center database without having to use the
Kaspersky Security Center interface. You can either query the public views directly to retrieve the event data, or
create your own views on the basis of the existing public views and query them to get the data you need.

Public views

For your convenience, a set of public views is provided in the Kaspersky Security Center database. You can find
the description of these public views in the klakdb.chm document.

The v_akpub_ev_event public view contains a set of fields that represent the event parameters in the database. In
the klakdb.chm document you can also find information on public views corresponding to other Kaspersky Security
Center entities, for example, devices, applications, or users. You can use this information in your queries.

This section contains instructions for creating an SQL query by means of the klsql2 utility and a query example.

To create SQL queries or database views, you can also use any other program for working with databases.
Information on how to view the parameters for connecting to the Kaspersky Security Center database, such as
instance name and database name, is given in the corresponding section.

Creating an SQL query using the klsql2 utility


This section describes how to download and use the klsql2 utility, and how to create an SQL query by using this
utility. When you create an SQL query by means of the klsql2 utility, you do not have to provide database name and
access parameters, because the query addresses Kaspersky Security Center public views directly.

To use the klsql2 utility:

1. Locate the klsql2 utility in the installation folder of Kaspersky Security Center. Do not use klsql2 utility versions
intended for older Kaspersky Security Center versions.
2. Create the src.sql file in any text editor and place the file in the same folder with the utility.

3. In the src.sql file, type the SQL query that you want, and then save the file.

4. On the device with Kaspersky Security Center Administration Server installed, in the command line, type the
following command to run the SQL query from the src.sql file and save the results to the result.xml file:
klsql2 -i src.sql -o result.xml

5. Open the newly created result.xml file to view the query results.

You can edit the src.sql file and create any query to the public views. Then, from the command line, execute your
query and save the results to a file.

Example of an SQL query in the klsql2 utility


This section shows an example of an SQL query, created by means of the klsql2 utility.

The following example retrieves the events that occurred on devices during the last seven days and displays them
ordered by the time they occurred, with the most recent events shown first.

Example:
SELECT
e.nId, /* event identifier */
e.tmRiseTime, /* time when the event occurred */
e.strEventType, /* internal name of the event type */
e.wstrEventTypeDisplayName, /* displayed name of the event */
e.wstrDescription, /* displayed description of the event */
e.wstrGroupName, /* name of the group where the device is located */
h.wstrDisplayName, /* displayed name of the device on which the event occurred */
CAST(((h.nIp / 16777216) & 255) AS varchar(4)) + '.' +
CAST(((h.nIp / 65536) & 255) AS varchar(4)) + '.' +
CAST(((h.nIp / 256) & 255) AS varchar(4)) + '.' +
CAST(((h.nIp) & 255) AS varchar(4)) AS strIp /* IP address of the device on which the event occurred, decoded from the 32-bit integer */
FROM v_akpub_ev_event e
INNER JOIN v_akpub_host h ON h.nId = e.nHostId
WHERE e.tmRiseTime >= DATEADD(Day, -7, GETUTCDATE())
ORDER BY e.tmRiseTime DESC

Viewing the Kaspersky Security Center database name


It can be helpful to know the database name if you need, for example, to send an SQL query and connect to the
database from your SQL script editor.

To view the name of the Kaspersky Security Center database:

1. In the Kaspersky Security Center console tree, open the context menu of the Administration Server folder
and select Properties.

2. In the Administration Server properties window, in the Sections pane select Advanced and then Details of
current database.

3. In the Details of current database section, note the following database properties (see figure below):

Instance name

Name of the current Kaspersky Security Center database instance. The default value is
.\KAV_CS_ADMIN_KIT.

Database name

Name of the Kaspersky Security Center SQL database. The default value is KAV.

Section with information about the current Administration Server database

4. Click the OK button to close the Administration Server properties window.

Use the database name to address the database in your SQL queries.

Viewing export results


You can check that the event export procedure completed successfully. To do this, check whether messages
with exported events are received by your SIEM system.

If the events sent from Kaspersky Security Center are received and properly parsed by your SIEM system,
configuration on both sides is done properly. Otherwise, check the settings you specified in Kaspersky Security
Center against the configuration in your SIEM system.

The figure below shows the events exported to ArcSight. For example, the first event is a critical Administration
Server event: "Device status is Critical".

The representation of export events in the SIEM system varies according to the SIEM system you use.

Example of events

Using SNMP for sending statistics to third-party applications


This section describes how to get information from Administration Server by using Simple Network Management
Protocol (SNMP) in Windows. Kaspersky Security Center contains an SNMP agent, which transfers Administration
Server performance statistics to third-party applications by means of OIDs.

This section also contains information on resolving problems that you might encounter while using SNMP for
Kaspersky Security Center.

SNMP agent and object identi ers


For Kaspersky Security Center, the SNMP agent is implemented as a dynamic library, klsnmpag.dll, which is
registered by the installer during Administration Server installation. The SNMP agent works inside the snmp.exe
process (which is a Windows service). Third-party applications use SNMP to receive statistics on Administration
Server performance, which come in the form of counters.

Each counter has a unique object identifier (also referred to as OID). An object identifier is a sequence of numbers
divided by dots. The object identifiers of Administration Server start with the 1.3.6.1.4.1.23668.1093 prefix. The OID of
the counter is a concatenation of that prefix with a suffix describing the counter. For example, the counter with the
OID value of 1.3.6.1.4.1.23668.1093.1.1.4 has the suffix with value of 1.1.4.

You can use an SNMP client (such as Zabbix) to monitor the state of your system. In order to get the information,
you can look up the OID value that corresponds to the information and enter that value into your SNMP client.
Your SNMP client then returns a value that characterizes the status of your system.

The list of counters and counter types is in the adminkit.mib file on the Administration Server. MIB stands for
Management Information Base. You can import and parse .mib files via the MIB Viewer application that is
designed for requesting and displaying the counter values.

Getting a string counter name from an object identifier


In order to use an object identifier (OID) for transferring information to third-party applications, you may need to
get a string counter name from that OID.

To get a string counter name from an OID:

1. Open the adminkit.mib file, which is located on the Administration Server, in a text editor.

2. Locate the namespace describing the first value (from left to right).
For example, for the 1.1.4 OID suffix, the first value would be "counters" (::= { kladminkit 1 }).

3. Locate the namespace describing the second value.
For example, for the 1.1.4 OID suffix, the second value would be counters 1, which stands for deployment.

4. Locate the namespace describing the third value.
For example, for the 1.1.4 OID suffix, the third value would be deployment 4, which stands for hostsWithAntivirus.

The string counter name is the concatenation of these values, for example, <MIB base
namespace>.counters.deployment.hostsWithAntivirus, and it corresponds to the OID with the value of
1.3.6.1.4.1.23668.1093.1.1.4.
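The manual lookup above is a walk down the `::= { parent n }` assignments of the MIB, which is easy to automate. The following Python example, added here and not part of the Kaspersky documentation or of the product, parses a MIB excerpt in that notation and resolves names to numeric OIDs and back. The excerpt is constructed for the example: the `counters`, `deployment`, `hostsInGroups` and `hostsWithAntivirus` assignments follow the values quoted above, while the `kaspersky` and `enterprises` node names leading up to `kladminkit` are assumptions, since the page only gives the numeric prefix 1.3.6.1.4.1.23668.1093. The real adminkit.mib contains more clauses (SYNTAX, DESCRIPTION and so on) than the parser needs.

```python
"""Resolve MIB names to OIDs from '::= { parent n }' assignments (added example)."""
import re

# Constructed MIB excerpt. Only the assignment suffix matters for resolution, so
# the OBJECT-TYPE clauses are elided with '...'. Names marked 'assumed' are not
# from the documentation.
MIB_EXCERPT = """
enterprises        OBJECT IDENTIFIER ::= { private 1 }
kaspersky          OBJECT IDENTIFIER ::= { enterprises 23668 }  -- assumed name
kladminkit         OBJECT IDENTIFIER ::= { kaspersky 1093 }     -- assumed parent
counters           OBJECT IDENTIFIER ::= { kladminkit 1 }
deployment         OBJECT IDENTIFIER ::= { counters 1 }
hostsInGroups      OBJECT-TYPE ... ::= { deployment 3 }
hostsWithAntivirus OBJECT-TYPE ... ::= { deployment 4 }
"""

# Well-known anchor: iso(1).org(3).dod(6).internet(1).private(4)
WELL_KNOWN = {"private": "1.3.6.1.4"}

# name <anything> ::= { parent number }
ASSIGN_RE = re.compile(
    r'^(?P<name>[A-Za-z][\w-]*)\s.*?::=\s*\{\s*(?P<parent>[A-Za-z][\w-]*)\s+(?P<n>\d+)\s*\}')


def parse_assignments(text: str) -> dict:
    """Return {name: (parent_name, arc_number)} for every assignment line."""
    tree = {}
    for raw in text.splitlines():
        line = raw.split("--", 1)[0].strip()      # drop SMI '--' comments
        m = ASSIGN_RE.match(line)
        if m:
            tree[m["name"]] = (m["parent"], int(m["n"]))
    return tree


def resolve(name: str, tree: dict, roots: dict = WELL_KNOWN) -> str:
    """Walk up the parent chain until a well-known root and build the numeric OID.

    Raises KeyError for a name that is neither assigned nor a known root.
    """
    if name in roots:
        return roots[name]
    parent, n = tree[name]
    return f"{resolve(parent, tree, roots)}.{n}"


def symbolic_path(name: str, tree: dict, base: str = "kladminkit") -> str:
    """Dotted string name below the Administration Server base node,
    e.g. kladminkit.counters.deployment.hostsWithAntivirus."""
    parts = []
    while name != base:
        parts.append(name)
        name = tree[name][0]          # KeyError if 'name' is not under 'base'
    parts.append(base)
    return ".".join(reversed(parts))


def name_for_oid(oid: str, tree: dict, roots: dict = WELL_KNOWN):
    """Reverse lookup; accepts the leading-dot form used in the table of OIDs."""
    oid = oid.lstrip(".")
    by_oid = {resolve(n, tree, roots): n for n in list(roots) + list(tree)}
    return by_oid.get(oid)


TREE = parse_assignments(MIB_EXCERPT)

if __name__ == "__main__":
    print(resolve("hostsWithAntivirus", TREE))
    print(symbolic_path("hostsWithAntivirus", TREE))
    print(name_for_oid(".1.3.6.1.4.1.23668.1093.1.1.3", TREE))
```

Pointing `parse_assignments` at the full text of adminkit.mib instead of the excerpt gives the same lookups for every counter in the file, provided each object is assigned with the `::= { parent n }` form shown above.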

Values of object identifiers for SNMP


The table below shows the values and descriptions of the object identifiers (also referred to as OIDs) that are
used for transferring information on Administration Server performance to third-party applications. Each entry
gives the value of the object identifier, its numeric data type, the OID, and a description.

Values and descriptions of object identifiers for SNMP

deploymentStatus
Type: INTEGER { ok(0), info(1), warning(2), critical(3) }
OID: .1.3.6.1.4.1.23668.1093.1.1.1
Description: Deployment status. The status can be one of the following:
Info. License is not valid for devices anymore.
Warning. One of the following: there are M devices with Kaspersky applications installed on a total of N devices
in Administration Server groups (N > M); license L expires on N devices in M days; task T of installing
applications has been successfully finished on N devices, reboot is needed for M devices.
Critical. License expired for N devices.
OK. None of the above.

noAntivirusSoftware
Type: INTEGER { off(0), on(1) }
OID: .1.3.6.1.4.1.23668.1093.1.1.2.1
Description: The reason deploymentStatus shows that the Administration Server group contains too many
devices without managed applications. Value equals 1 in case a few devices were found without managed
applications, and 0 otherwise.

remoteInstallTaskFailed
Type: INTEGER { off(0), on(1) }
OID: .1.3.6.1.4.1.23668.1093.1.1.2.2
Description: The reason deploymentStatus shows that the task of the remote installation has failed on some
devices. The number of those devices can be obtained via hostsRemoteInstallFailed.

licenceExpiring
Type: INTEGER { off(0), on(1) }
OID: .1.3.6.1.4.1.23668.1093.1.1.2.3
Description: The reason deploymentStatus shows that there are some devices with a license expiring in the
next 7 days. The number of those devices can be obtained via hostsLicenceExpiring.

licenceExpired
Type: INTEGER { off(0), on(1) }
OID: .1.3.6.1.4.1.23668.1093.1.1.2.4
Description: The reason deploymentStatus shows that there are some devices with an expired license. You can
obtain the number of those devices via hostsLicenceExpired.

hostsInGroups
Type: Counter32
OID: .1.3.6.1.4.1.23668.1093.1.1.3
Description: Number of devices in Administration Server groups.

hostsWithAntivirus
Type: Counter32
OID: .1.3.6.1.4.1.23668.1093.1.1.4
Description: Number of devices in Administration Server groups with managed applications installed.

hostsRemoteInstallFailed
Type: Counter32
OID: .1.3.6.1.4.1.23668.1093.1.1.5
Description: Number of devices on which the task of the remote installation failed.

licenceExpiringSerial
Type: OCTET STRING
OID: .1.3.6.1.4.1.23668.1093.1.1.6
Description: ID of a license key that expires soon (in less than 7 days).

licenceExpiredSerial
Type: OCTET STRING
OID: .1.3.6.1.4.1.23668.1093.1.1.7
Description: ID of the expired license key.

licenceExpiringDays
Type: Unsigned32
OID: .1.3.6.1.4.1.23668.1093.1.1.8
Description: Number of days before a license expires.

hostsLicenceExpiring
Type: Counter32
OID: .1.3.6.1.4.1.23668.1093.1.1.9
Description: Number of devices with a license that expires soon (in less than 7 days).

hostsLicenceExpired
Type: Counter32
OID: .1.3.6.1.4.1.23668.1093.1.1.10
Description: Number of devices with an expired license.

updatesStatus
Type: INTEGER { ok(0), info(1), warning(2), critical(3) }
OID: .1.3.6.1.4.1.23668.1093.1.2.1
Description: Current status of Anti-virus bases. The status can be one of the following:
Info. Administration Server has not been updated in more than 1 day, and less than 1 day has passed since
application installation.
Warning. Administration Server has not been updated in more than 1 day.
Critical. Administration Server has not been updated in more than 2 days.
OK. None of the above.

serverNotUpdated
Type: INTEGER { off(0), on(1) }
OID: .1.3.6.1.4.1.23668.1093.1.2.2.1
Description: This reason shows that Administration Server was not updated for a long time. The amount of time
considered long is specified in updatesStatus.

notUpdatedHosts
Type: INTEGER { off(0), on(1) }
OID: .1.3.6.1.4.1.23668.1093.1.2.2.2
Description: This reason shows that some devices were not updated for a long time (7 days or more for Critical
and 3 days for Warning). You can obtain the number of those devices via hostsNotUpdated.

lastServerUpdateTime
Type: OCTET STRING
OID: .1.3.6.1.4.1.23668.1093.1.2.3
Description: Last time when Anti-virus bases were updated on Administration Server.

hostsNotUpdated
Type: Counter32
OID: .1.3.6.1.4.1.23668.1093.1.2.4
Description: Number of devices containing Anti-virus bases that are not updated.

protectionStatus
Type: INTEGER { ok(0), warning(2), critical(3) }
OID: .1.3.6.1.4.1.23668.1093.1.3.1
Description: Status of real-time protection. One of the following:
Warning. One of the following: a security breach is detected on a device that belongs to the Administration
Server group; encryption errors made some devices change protection status; full scan has not been
performed for a long time.
Critical. Anti-virus protection is not working on some devices in Administration Server groups.
OK. None of the above.

antivirusNotRunning
Type: INTEGER { off(0), on(1) }
OID: .1.3.6.1.4.1.23668.1093.1.3.2.1
Description: This reason shows that a security application is not running on some devices. You can obtain the
number of those devices via hostsAntivirusNotRunning.

realtimeNotRunning
Type: INTEGER { off(0), on(1) }
OID: .1.3.6.1.4.1.23668.1093.1.3.2.2
Description: This reason shows that real-time protection is not running on some devices. You can obtain the
number of those devices via hostsRealtimeNotRunning.

notCuredFound
Type: INTEGER { off(0), on(1) }
OID: .1.3.6.1.4.1.23668.1093.1.3.2.4
Description: This reason shows that there are devices containing non-disinfected objects. You can obtain the
number of those devices via hostsNotCuredObject.

tooManyThreats
Type: INTEGER { off(0), on(1) }
OID: .1.3.6.1.4.1.23668.1093.1.3.2.5
Description: This reason shows that there are threats found on some devices. You can obtain the number of
those devices via hostsTooManyThreats.

virusOutbreak
Type: INTEGER { off(0), on(1) }
OID: .1.3.6.1.4.1.23668.1093.1.3.2.6
Description: This reason shows the virus outbreak status of the system. Value equals 1 if a certain number of
viruses were found during a certain amount of time, and 0 otherwise. The number of viruses and the amount of
time are specified on Administration Server, by using the Virus attack settings.

hostsAntivirusNotRunning
Type: Counter32
OID: .1.3.6.1.4.1.23668.1093.1.3.3
Description: Number of devices with security applications not running.

hostsRealtimeNotRunning
Type: Counter32
OID: .1.3.6.1.4.1.23668.1093.1.3.4
Description: Number of devices with real-time protection not running.

hostsRealtimeLevelChanged
Type: Counter32
OID: .1.3.6.1.4.1.23668.1093.1.3.5
Description: Number of devices with a real-time protection level that is not acceptable.

hostsNotCuredObject
Type: Counter32
OID: .1.3.6.1.4.1.23668.1093.1.3.6
Description: Number of devices containing non-disinfected objects.

hostsTooManyThreats
Type: Counter32
OID: .1.3.6.1.4.1.23668.1093.1.3.7
Description: Number of devices containing threats.

fullscanStatus
Type: INTEGER { ok(0), info(1), warning(2), critical(3) }
OID: .1.3.6.1.4.1.23668.1093.1.4.1
Description: Status of Anti-virus full scan. One of the following:
Info. Less than 7 days have passed since the moment of application installation.
Warning. Anti-virus full scan hasn't been performed for more than 7 days since the moment of application
installation.
Critical. Anti-virus full scan hasn't been performed for more than 14 days since the moment of application
installation.
OK. None of the above.

notScannedLately
Type: INTEGER { off(0), on(1) }
OID: .1.3.6.1.4.1.23668.1093.1.4.2.1
Description: This reason shows that some devices have not been scanned for a certain amount of time. You can
obtain the number of those devices via hostsNotScannedLately. The amount of time is specified in
fullScanStatus.

hostsNotScannedLately
Type: Counter32
OID: .1.3.6.1.4.1.23668.1093.1.4.3
Description: Number of devices that have not been scanned for a certain amount of time. The amount of time is
specified in fullScanStatus.

logicalNetworkStatus
Type: INTEGER { ok(0), warning(1), critical(2) }
OID: .1.3.6.1.4.1.23668.1093.1.5.1
Description: Status of the logical network of Administration Server. One of the following:
Warning. There are devices with a warning status that can't be accessed, or there are devices that do not
belong to any Administration Server group.
Critical. There are devices whose control has been lost by Administration Server, or there are devices with a
critical status that cannot be accessed.
OK. None of the above.

notConnectedLongTime
Type: INTEGER { off(0), on(1) }
OID: .1.3.6.1.4.1.23668.1093.1.5.2.1
Description: This reason shows that some devices have not been connected to Administration Server for a long
time (7 days or more for a device of Warning status and 4 days for a device of Critical status). You can obtain
the number of those devices via hostsNotConnectedLongTime.

controlLost
Type: INTEGER { off(0), on(1) }
OID: .1.3.6.1.4.1.23668.1093.1.5.2.2
Description: This reason shows that there are devices whose control has been lost by Administration Server.
You can obtain the number of those devices via hostsControlLost.

hostsFound
Type: Counter32
OID: .1.3.6.1.4.1.23668.1093.1.5.3
Description: Number of devices found by Administration Server that do not belong to any Administration Server
groups.

groupsCount
Type: Counter32
OID: .1.3.6.1.4.1.23668.1093.1.5.4
Description: Number of groups at Administration Server.

hostsNotConnectedLongTime
Type: Counter32
OID: .1.3.6.1.4.1.23668.1093.1.5.5
Description: Number of devices that have not been connected to Administration Server for a long time. The
amount of time considered long is specified in notConnectedLongTime.

hostsControlLost
Type: Counter32
OID: .1.3.6.1.4.1.23668.1093.1.5.6
Description: Number of devices that are not controlled by Administration Server.

eventsStatus
Type: INTEGER { ok(0), warning(1), critical(2) }
OID: .1.3.6.1.4.1.23668.1093.1.6.1
Description: Status of the events subsystem. One of the following:
Warning. One of the following: devices of the Administration Server group have not been searching for Windows
updates for a long time; there are devices with status problems.
Critical. One of the following: there is an event of "Critical" importance on at least one device; there is an event
of "Error" importance on at least one device; there is an event of a task completing unsuccessfully on at least
one device; devices of the Administration Server group have not been searching for Windows updates for a
long time; there are devices with status problems.
OK. None of the above.

criticalEventOccured
Type: INTEGER { off(0), on(1) }
OID: .1.3.6.1.4.1.23668.1093.1.6.2.1
Description: The reason eventsStatus shows that there are some critical events on Administration Server. You
can obtain the number of those events via criticalEventsCount. Value equals 1 if there is at least one critical
event on any device, and 0 otherwise.

criticalEventsCount
Type: Counter32
OID: .1.3.6.1.4.1.23668.1093.1.6.3
Description: Number of critical events on Administration Server.
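One detail worth noticing in the table is that the status objects do not share one enumeration: deploymentStatus, updatesStatus, protectionStatus and fullscanStatus encode warning(2) and critical(3), whereas logicalNetworkStatus and eventsStatus encode warning(1) and critical(2). A monitoring integration that maps integers to labels with a single generic table will therefore misreport two of the six subsystems. The following Python example, added here and not part of the Kaspersky documentation or of the product, turns a set of polled values into a status report using the per-object enumerations, and pairs each reason flag that is on with the counter the table says to consult. The polled values are a constructed snapshot (not real data) so that the example runs offline; in practice they would come from an SNMP GET of these OIDs through whatever SNMP client is in use, and polling itself is not implemented here.

```python
"""Decode polled Administration Server SNMP values into a status report (added example)."""

PREFIX = "1.3.6.1.4.1.23668.1093"

# Status objects with their own enumeration, as given in the table above.
STATUS_ENUMS = {
    "deploymentStatus":     (f"{PREFIX}.1.1.1", {0: "ok", 1: "info", 2: "warning", 3: "critical"}),
    "updatesStatus":        (f"{PREFIX}.1.2.1", {0: "ok", 1: "info", 2: "warning", 3: "critical"}),
    "protectionStatus":     (f"{PREFIX}.1.3.1", {0: "ok", 2: "warning", 3: "critical"}),
    "fullscanStatus":       (f"{PREFIX}.1.4.1", {0: "ok", 1: "info", 2: "warning", 3: "critical"}),
    "logicalNetworkStatus": (f"{PREFIX}.1.5.1", {0: "ok", 1: "warning", 2: "critical"}),
    "eventsStatus":         (f"{PREFIX}.1.6.1", {0: "ok", 1: "warning", 2: "critical"}),
}

# Reason flags (off(0)/on(1)) and the counter the table points to for each one.
REASONS = {
    "remoteInstallTaskFailed": (f"{PREFIX}.1.1.2.2", "hostsRemoteInstallFailed", f"{PREFIX}.1.1.5"),
    "licenceExpired":          (f"{PREFIX}.1.1.2.4", "hostsLicenceExpired",      f"{PREFIX}.1.1.10"),
    "antivirusNotRunning":     (f"{PREFIX}.1.3.2.1", "hostsAntivirusNotRunning", f"{PREFIX}.1.3.3"),
    "controlLost":             (f"{PREFIX}.1.5.2.2", "hostsControlLost",         f"{PREFIX}.1.5.6"),
    "criticalEventOccured":    (f"{PREFIX}.1.6.2.1", "criticalEventsCount",      f"{PREFIX}.1.6.3"),
}

# Constructed snapshot: {oid: polled integer}. Not real data.
SNAPSHOT = {
    f"{PREFIX}.1.1.1": 2, f"{PREFIX}.1.1.2.2": 1, f"{PREFIX}.1.1.5": 3,
    f"{PREFIX}.1.1.2.4": 0, f"{PREFIX}.1.1.10": 0,
    f"{PREFIX}.1.2.1": 0,
    f"{PREFIX}.1.3.1": 3, f"{PREFIX}.1.3.2.1": 1, f"{PREFIX}.1.3.3": 2,
    f"{PREFIX}.1.4.1": 0,
    f"{PREFIX}.1.5.1": 1, f"{PREFIX}.1.5.2.2": 0, f"{PREFIX}.1.5.6": 0,
    f"{PREFIX}.1.6.1": 0, f"{PREFIX}.1.6.2.1": 0, f"{PREFIX}.1.6.3": 0,
}

SEVERITY_ORDER = ["ok", "info", "warning", "critical"]


def decode_statuses(snapshot: dict) -> dict:
    """Map each polled status OID to its label using that object's own enumeration."""
    report = {}
    for name, (oid, enum) in STATUS_ENUMS.items():
        if oid not in snapshot:
            continue                       # object was not polled
        value = snapshot[oid]
        report[name] = enum.get(value, f"unknown({value})")   # unlisted value: do not guess
    return report


def active_reasons(snapshot: dict) -> dict:
    """For every reason flag that is on(1), return the counter name and its polled value."""
    return {
        flag: (counter, snapshot.get(counter_oid))
        for flag, (flag_oid, counter, counter_oid) in REASONS.items()
        if snapshot.get(flag_oid) == 1
    }


def worst_status(statuses: dict) -> str:
    """Overall status: the most severe label among the decoded subsystems."""
    ranked = [s for s in statuses.values() if s in SEVERITY_ORDER]
    return max(ranked, key=SEVERITY_ORDER.index) if ranked else "unknown"


if __name__ == "__main__":
    statuses = decode_statuses(SNAPSHOT)
    for name, label in statuses.items():
        print(f"{name:22s} {label}")
    for flag, (counter, value) in active_reasons(SNAPSHOT).items():
        print(f"reason {flag} is on: {counter} = {value}")
    print("overall:", worst_status(statuses))
```

Because the agent serves cached values (see the Troubleshooting subsection), a report produced this way can lag behind Administration Console by the cache refresh interval; it is suited to trend and alert thresholds rather than to second-by-second comparison.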

Troubleshooting
This section lists solutions for a few typical issues that you might encounter while using the SNMP service.

Third-party application cannot connect to the SNMP service

Make sure that SNMP support is installed in Windows. SNMP support is disabled by default.

To allow SNMP support in Windows 10:

1. Navigate to Control Panel.

2. Open the Add or Remove Programs menu.

3. Click Turn Windows features on or off.

4. In the Windows features list, navigate to the SNMP feature, and then click OK.

5. Navigate to Control Panel → Administrative Tools → Services.

6. Choose the SNMP service and run it.

7. Check that the service is listening by testing it with netstat on the standard SNMP UDP port.

SNMP support is allowed in Windows 10.

SNMP service is working, yet the third-party application cannot get any values

Enable SNMP agent tracing and make sure that a non-empty file is created. This means that the SNMP agent is
properly registered and functioning. After this, allow connections from the SNMP service in the settings of the
third-party service. If the third-party service runs on the same host as the SNMP agent, the list of IP addresses
should contain either the IP address of that host or the loopback address 127.0.0.1.

An SNMP service that communicates with agents should be running in Windows. You can specify the paths to
SNMP agents in the Windows Registry via regedit.

For Windows 10:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SNMP\Parameters\ExtensionAgents

For Windows Vista and Windows Server 2008:

HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\SNMP\Parameters\ExtensionAgents

You can allow SNMP agent tracing via regedit as well.

For 32-bit systems:


HKEY_LOCAL_MACHINE\SOFTWARE\KasperskyLab\Components\34\1093\1.0.0.0\SNMP\Debug

For 64-bit systems:


HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\KasperskyLab\Components\34\1093\1.0.0.0\SNMP\Deb
"TraceLevel"=dword:00000004
"TraceDir"="C:\\"

Values do not match the statuses of Administration Console

In order to reduce the load on Administration Server, caching of values is implemented for the SNMP agent. The
latency between the cache being refreshed and the values changing on the Administration Server may cause
mismatches between the values returned by the SNMP agent and the actual ones. When working with third-party
applications, you should take this possible latency into account.

Working in a cloud environment


This section provides information about Kaspersky Security Center deployment and maintenance in cloud
environments, such as Amazon Web Services, Microsoft Azure, or Google Cloud.

The addresses of web pages cited in this document are correct as of the Kaspersky Security Center release
date.

About work in a cloud environment


Kaspersky Security Center 14 not only works with on-premises devices, but also provides special features for
working in a cloud environment. Kaspersky Security Center works with the following virtual machines:

Amazon EC2 instances (hereinafter, also referred to as instances). An Amazon EC2 instance is a virtual machine
that is created on the basis of the Amazon Web Services (AWS) platform. Kaspersky Security Center uses
AWS API (Application Programming Interface).
Microsoft Azure virtual machines. Kaspersky Security Center uses Azure API.

Google Cloud virtual machine instances. Kaspersky Security Center uses Google API.

You can deploy Kaspersky Security Center on an instance or a virtual machine to manage protection of devices in
a cloud environment and to use special features of Kaspersky Security Center for work in a cloud environment.
These features include:

Using API tools to poll devices in a cloud environment

Using API tools to install Network Agent and security applications on devices in a cloud environment

Searching devices based on whether they belong to a specific cloud segment

You can also use an instance or a virtual machine on which a Kaspersky Security Center Administration Server is
deployed to protect on-premises devices (for example, if a cloud server turns out to be easier for you to service
and maintain than a physical one). If this is the case, you work with the Administration Server in the same way that
you would if the Administration Server were installed on an on-premises device.

When Kaspersky Security Center has been deployed from a paid Amazon Machine Image (AMI) in AWS or a
usage-based monthly billed SKU in Azure, Vulnerability and Patch Management (including integration with SIEM
systems) is activated automatically; Mobile Device Management cannot be activated.

The Administration Server is installed together with Administration Console. Kaspersky Security for Windows
Server is also automatically installed on the device on which the Administration Server is installed.

You can use Cloud Environment Configuration Wizard to configure Kaspersky Security Center, taking into account
the specifics of working in a cloud environment.

Scenario: Deployment for cloud environment


This section describes the deployment of Kaspersky Security Center for working in cloud environments such as
Amazon Web Services, Microsoft Azure, and Google Cloud.

After you finish the deployment scenario, Kaspersky Security Center Administration Server and Administration
Console are started and configured with the default parameters. Anti-Virus protection managed by Kaspersky
Security Center is deployed on the selected Amazon EC2 instances or Microsoft Azure virtual machines. You can
then fine-tune the configuration of Kaspersky Security Center, create a complex structure of administration
groups, and create various policies and tasks for groups.

The deployment of Kaspersky Security Center for working in cloud environments consists of the following parts:

1. Preparation work

2. Deploying Administration Server

3. Installing Kaspersky anti-virus applications on virtual devices that need to be protected

4. Configuring the update download settings

5. Configuring the settings for managing reports about the protection status of devices

The Cloud Environment Configuration Wizard is intended for performing the initial configuration. It starts
automatically the first time that Kaspersky Security Center is deployed from a ready-to-use image. You can
manually start the Wizard at any time. In addition, you can manually perform all of the actions that the Wizard
performs.

We recommend that you plan for a minimum of one hour for deploying Kaspersky Security Center Administration
Server in the cloud environment and at least one working day for protection deployment in the cloud environment.

Deployment of Kaspersky Security Center in the cloud environment proceeds in stages:

1 Planning the configuration of cloud segments

Learn how Kaspersky Security Center works in a cloud environment. Plan where Administration Server will be
deployed (inside or outside of the cloud environment); and determine how many cloud segments you plan to
protect. If you are planning to deploy Administration Server outside of the cloud environment or if you are
planning to protect more than 5000 devices, you will need to install Administration Server manually.

To work with Google Cloud, you can only install Administration Server manually.

2 Planning the resources

Make sure that you have everything that is required for deployment.

3 Subscribing to Kaspersky Security Center as a ready-to-use image

Select one of the ready-to-use AMIs at AWS Marketplace or select a Usage-based monthly billed SKU at Azure
Marketplace, pay for it according to marketplace rules if necessary (or use the BYOL model), and then use the
image to deploy an Amazon EC2 instance or Microsoft Azure virtual machine with Kaspersky Security Center
installed.

This stage is necessary only if you plan to deploy Administration Server on an instance or a virtual machine within
a cloud environment and you are also planning to deploy protection for no more than 5000 devices. Otherwise,
this stage is not necessary and instead you manually have to install Administration Server, Administration
Console, and the DBMS.

This step is unavailable for Google Cloud.

4 Determining the location of the DBMS

Determine where your DBMS will be.

If you plan to use a database outside the cloud environment, make sure that you have a working database.

If you plan to use Amazon Relational Database Service (RDS), create a database with RDS in the AWS cloud
environment.

If you plan to use Microsoft Azure SQL DBMS, create a database with the Azure Database service in the
Microsoft Azure cloud environment.

If you plan to use Google MySQL, create a database in the Google Cloud (Please refer to
https://cloud.google.com/sql/docs/mysql for details).

5 Installing Administration Server and Administration Console (Microsoft Management Console based and/or
web-based Console) on selected devices manually

Install Administration Server, Administration Console, and the DBMS on the selected devices, as described in the
main installation scenario for Kaspersky Security Center.

This stage is necessary if you plan to place Administration Server outside of a cloud environment or if you plan
to deploy protection for more than 5000 devices. Then make sure that your Administration Server meets
hardware requirements. Otherwise, this stage is not necessary and a subscription to Kaspersky Security Center
as a ready-to-use image in AWS Marketplace, Azure Marketplace, or Google Cloud is sufficient.

6 Ensuring that Administration Server has the permissions to work with cloud APIs

In AWS, go to the AWS Management Console and create an IAM role or an IAM user account. The created IAM
role (or IAM user account) will allow Kaspersky Security Center to work with the AWS API: Poll cloud segments
and deploy protection.

In Azure, create a subscription and an Application ID with password. Kaspersky Security Center uses these
credentials to work with the Azure API: Poll cloud segments and deploy protection.

In Google Cloud, register a project, get your project ID and a private key. Kaspersky Security Center uses these
credentials to poll cloud segments by using the Google API.

7 Creating an IAM role for protected instances (for AWS only)

In the AWS Management Console, create an IAM role that defines the set of permissions for executing requests
to AWS. This newly created role will be subsequently assigned to new instances. The IAM role is required in order
to use Kaspersky Security Center to install applications on instances.

8 Preparing a database by using Amazon Relational Database Service or Microsoft Azure SQL

If you plan to use Amazon Relational Database Service (RDS), create an Amazon RDS database instance and an
S3 bucket on which the database backup will be stored. You can skip this stage if you want a database on the
same EC2 instance where Administration Server is installed or if you want your database to be located
somewhere else.

If you plan to use Microsoft Azure SQL, create a storage account and a database in Microsoft Azure.

If you plan to use Google MySQL, con gure your database in the Google Cloud. (Please refer to
https://cloud.google.com/sql/docs/mysql for details.)

9 Licensing Kaspersky Security Center for working in the cloud environment

Make sure that you have licensed Kaspersky Security Center to work in the cloud environment and provide an
activation code or key file so that the application can add it to license storage. This stage can be completed in
the Cloud Environment Configuration Wizard.

This stage is required if you are using Kaspersky Security Center installed from a free ready-to-use AMI based
on the BYOL model or if you are manually installing Kaspersky Security Center without the use of AMIs. In each
of these cases, you will need a license for Kaspersky Security for Virtualization or a license for Kaspersky Hybrid
Cloud Security, to activate Kaspersky Security Center.

If you are using Kaspersky Security Center installed from a ready-to-use image, this stage is not necessary and
the corresponding window of the Cloud Environment Configuration Wizard is not displayed.

10 Authorization in the cloud environment

Provide Kaspersky Security Center with your AWS, Azure, or Google Cloud credentials so that Kaspersky
Security Center can operate with the necessary permissions. This stage can be completed in the Cloud
Environment Configuration Wizard.

11 Polling a cloud segment so that Administration Server can receive information about devices in the cloud
segment

Start cloud segment polling. In the AWS environment, Kaspersky Security Center will receive the addresses and
names of all instances that can be accessed, based on the permissions of the IAM role or IAM user. In the
Microsoft Azure environment, Kaspersky Security Center will receive the addresses and names of all virtual
machines that can be accessed, based on the permissions of the Reader role.

You can then use Kaspersky Security Center to install Kaspersky applications and software from other vendors
on the detected instances or virtual machines.

Kaspersky Security Center regularly starts a poll, which means that new instances or virtual machines are
automatically detected.

12 Combining all network devices into the Cloud administration group

Move the discovered instances or virtual machines into the Managed devices\Cloud administration group so
that they can become available for centralized management. If you want to assign devices to subgroups, for
example, depending on which operating system is installed on them, you can create several administration groups
within the Managed devices\Cloud group. You can enable automatic moving of all devices that will be detected
during routine polls to the Managed devices\Cloud group.

13 Using Network Agent to connect networked devices to Administration Server

Install Network Agent on devices in the cloud environment. Network Agent is the Kaspersky Security Center
component that provides for communication between devices and Administration Server. Network Agent
settings are configured automatically by default.

You can install Network Agent on each device locally. You can also install Network Agent on devices remotely
using Kaspersky Security Center. Or, you can skip this stage and install Network Agent together with the latest
versions of the security applications.

14 Installing the latest versions of security applications on networked devices

Select the devices on which you want to install security applications, and then install the latest versions of
security applications on those devices. You can perform the installation either remotely using Kaspersky Security
Center on Administration Server or locally.

You may have to create installation packages for these programs manually.

Kaspersky Endpoint Security for Linux is intended for instances and virtual machines running Linux.

Kaspersky Security for Windows Server is intended for instances and virtual machines running Windows.

15 Configuring update settings

The Find vulnerabilities and required updates task is created automatically when Cloud Environment
Configuration Wizard is run. You can also create the task manually. This task automatically finds and downloads
required application updates for subsequent installation to network devices using Kaspersky Security Center
tools.

It is recommended to complete the following stage after Cloud Environment Configuration Wizard finishes:

16 Configuring report management

You can view reports on the Monitoring tab in the workspace of the Administration Server node. You can also
receive reports by email. Reports on the Monitoring tab are available by default. To configure the receipt of
reports by email, specify the email addresses that should receive reports, and then configure the format of
reports.

Results

Upon completion of the scenario, you can make sure that the initial configuration was successful:

You can connect to Administration Server through Administration Console or Kaspersky Security Center Web
Console.

The latest versions of Kaspersky security applications are installed and running on managed devices.

Kaspersky Security Center has created the default policies and tasks for all managed devices.

Prerequisites for deploying Kaspersky Security Center in a cloud environment



Before starting deployment of Kaspersky Security Center in the Amazon Web Services or Microsoft Azure cloud
environment, make sure that you have the following:

Internet access

One of the following accounts:

Amazon Web Services account (for work with AWS)

Microsoft account (for work with Azure)

Google account (for work with Google Cloud)

One of the following:

License for Kaspersky Security for Virtualization

License for Kaspersky Hybrid Cloud Security

Funds to purchase such a license (Kaspersky Security for Virtualization or Kaspersky Hybrid Cloud Security)

Funds to pay for a ready-to-use image at the Azure Marketplace

Guides for the latest versions of Kaspersky Endpoint Security for Linux and Kaspersky Security for Windows
Server

Hardware requirements for the Administration Server in a cloud environment


For deployment in cloud environments, the requirements for Administration Server and database server are the
same as the requirements for physical Administration Server (depending on how many devices you want to
manage). Please refer to the documentation of the cloud environment for details.

Licensing options in a cloud environment


Work in a cloud environment is outside the basic functionality of Kaspersky Security Center and therefore requires
a dedicated license.

Two Kaspersky Security Center licensing options are available for working in a cloud environment:

Paid AMI (in Amazon Web Services) or Usage-based monthly billed SKU (in Microsoft Azure).
This grants a license for Kaspersky Security Center as well as licenses for Kaspersky Endpoint Security for
Linux and Kaspersky Security for Windows Server. You have to pay according to the rules of the cloud
environment that you use.
This model allows no more than 200 client devices per Administration Server.

A free-of-charge, ready-to-use image using a proprietary license, according to the Bring Your Own License
(BYOL) model.
For Kaspersky Security Center licensing in AWS or Azure, you must have a license for one of the following
applications:

Kaspersky Security for Virtualization

Kaspersky Hybrid Cloud Security

The BYOL model lets you have up to 100,000 client devices for one Administration Server. This model also lets
you manage devices outside the AWS, Azure, or Google environment.
You can choose the BYOL model in any of the following cases:

You already own a valid license for Kaspersky Security for Virtualization.

You already own a valid license for Kaspersky Hybrid Cloud Security.

You are willing to purchase a license immediately before deployment of Kaspersky Security Center.

At the stage of initial setup, Kaspersky Security Center prompts you for an activation code or key file.
If you choose BYOL, you will not have to pay for Kaspersky Security Center through Azure Marketplace or AWS
Marketplace.

In both cases, Vulnerability and Patch Management is automatically activated, and Mobile Device Management
cannot be activated.

You may encounter an error when trying to activate the feature Support of the cloud environment using the
license for Kaspersky Hybrid Cloud Security.

Upon subscribing to Kaspersky Security Center, you get an Amazon Elastic Compute Cloud (Amazon EC2)
instance or a Microsoft Azure virtual machine with Kaspersky Security Center Administration Server. The
installation packages for Kaspersky Security for Windows Server and Kaspersky Endpoint Security for Linux are
available on the Administration Server. You can install these applications on devices in the cloud environment. You
do not have to license these applications.

If a managed device is not visible to the Administration Server for more than a week, the application
(Kaspersky Security for Windows Server or Kaspersky Endpoint Security for Linux) on the device will shift to
limited functionality mode. To activate the application again, you have to make the device on which the
application is installed visible to the Administration Server again.

Database options for work in a cloud environment


You must have a database to work with Kaspersky Security Center. When deploying Kaspersky Security Center in
AWS, in Microsoft Azure, or Google Cloud, you have three options:

Create a local database on the same device with the Administration Server. Kaspersky Security Center comes
with a SQL Server Express database that can support up to 5000 managed devices. Choose this option if SQL
Server Express Edition is enough for your needs.

Create a database with the Relational Database Service (RDS) in the AWS cloud environment, or with the Azure
Database service in the Microsoft Azure cloud environment. Choose this option if you want a DBMS other than
SQL Express. Your data will be transferred inside the cloud environment, where it will remain, and you will not
have any extra expenses. If you already work with Kaspersky Security Center on premises and have some data
in your database, you can transfer your data to the new database.
For work on Google Cloud Platform, you can only use Cloud SQL for MySQL.

Use an existing database server. Choose this option if you already have a database server and want to use it for
Kaspersky Security Center. If this server is outside the cloud environment, your data will be transferred over the
internet, which might result in extra expenses.

The procedure of Kaspersky Security Center deployment in the cloud environment has a special step for creating
(choosing) a database.

Working in Amazon Web Services cloud environment


This section tells you how to prepare for working with Kaspersky Security Center in Amazon Web Services.


About work in Amazon Web Services cloud environment


You can purchase Kaspersky Security Center at AWS Marketplace in the form of an Amazon Machine Image
(AMI), which is a ready-to-use image of a preconfigured virtual machine. You can subscribe to a paid AMI or BYOL
AMI and, based on that image, create an Amazon EC2 instance with Kaspersky Security Center Administration
Server installed.

To work with the AWS platform and, in particular, to purchase apps at AWS Marketplace and create instances, you
need an Amazon Web Services account. You can create a free account at https://aws.amazon.com. You can also
use an existing Amazon account.

If you subscribed to an AMI available at AWS Marketplace, you receive an instance with your ready-to-use
Kaspersky Security Center. You do not have to install the application yourself. In this case, Kaspersky Security
Center Administration Server is installed on the instance without your involvement. After installation, you can start
Administration Console and connect to Administration Server to begin working with Kaspersky Security Center.

To learn more about an AMI and how AWS Marketplace works, please visit the AWS Marketplace Help page . For
more information about working with the AWS platform, using instances, and related concepts, please refer to the
Amazon Web Services documentation .


Creating IAM roles and IAM user accounts for Amazon EC2 instances
This section describes the actions that must be performed to ensure correct operation of the Administration
Server. These actions include work with the AWS Identity and Access Management (IAM) roles and user accounts.
Also described are the actions that must be taken on client devices to install Network Agent on them and then
install Kaspersky Security for Windows Server and Kaspersky Endpoint Security for Linux.

Ensuring that the Kaspersky Security Center Administration Server has the permissions to
work with AWS
The standards for operating in the Amazon Web Services cloud environment prescribe that a special IAM role be
assigned to the Administration Server instance for working with AWS services. An IAM role is an IAM entity that
defines the set of permissions for execution of requests to AWS services. The IAM role provides the permissions
for cloud segment polling and installation of applications on instances.

After you create an IAM role and assign it to the Administration Server, you will be able to deploy protection of
instances by using this role, without providing any additional information to Kaspersky Security Center.

However, it may be advisable to not create an IAM role for the Administration Server in the following cases:

The devices whose protection you plan to manage are EC2 instances within the Amazon Web Services cloud
environment but the Administration Server is outside of the environment.

You plan to manage the protection of instances not only within your cloud segment but also within other cloud
segments that were created under a different account in AWS. In this case, you will need an IAM role only for
the protection of your cloud segment. An IAM role will not be needed to protect another cloud segment.

In these cases, instead of creating an IAM role you will need to create an IAM user account, that will be used by
Kaspersky Security Center to work with AWS services. Before starting to work with the Administration Server,
create an IAM user account with an AWS IAM access key (hereinafter also referred to as IAM access key).

Creation of an IAM role or IAM user account requires the AWS Management Console. To work with the AWS
Management Console, you will need a user name and password from an account in AWS.

Creating an IAM role for the Administration Server


Before you deploy the Administration Server, in the AWS Management Console create an IAM role with
permissions required for installation of applications on instances. For more details, see AWS Help sections about
IAM roles.

To create an IAM role for the Administration Server:

1. Open the AWS Management Console and log in under your AWS account.

2. In the Roles section, create a role and attach the following AWS managed policies:

AmazonEC2ReadOnlyAccess, if you plan only to run cloud segment polling and do not plan to install
applications on EC2 instances using the AWS API.

AmazonEC2ReadOnlyAccess and AmazonSSMFullAccess, if you plan to run cloud segment polling and
install applications on EC2 instances using the AWS API. In this case, you will also need to assign an IAM role with
the AmazonEC2RoleforSSM policy to the protected EC2 instances.

You will need to assign this role to the EC2 instance that you will use as the Administration Server.

The newly created role is available to every process on the Administration Server instance: any application
running there can obtain the role's temporary credentials from the EC2 instance metadata service and therefore
poll cloud segments or install applications on EC2 instances within a cloud segment. Restrict who can log on to
the Administration Server instance, require IMDSv2 on it where possible, and grant the role no permissions beyond
those listed above.


Creating an IAM user account for work with Kaspersky Security Center
An IAM user account is required for working with Kaspersky Security Center if the Administration Server has not
been assigned an IAM role with permissions for device discovery and installation of applications on instances. The
same account, or a di erent account, is also required for backing up the Administration Server data task if you use
an S3 bucket. You can create one IAM user account with all the necessary permissions, or you can create two
separate user accounts.

An IAM access key that you will need to provide to Kaspersky Security Center during initial con guration is
automatically created for the IAM user. An IAM access key consists of an access key ID and a secret key. For more
details about the IAM service, please refer to the following AWS reference pages:

http://docs.aws.amazon.com/IAM/latest/UserGuide/introduction.html

http://docs.aws.amazon.com/IAM/latest/UserGuide/IAM_UseCases.html#UseCase_EC2

To create an IAM user account with the necessary permissions:

1. Open the AWS Management Console and sign in under your account.

2. In the list of AWS services, select IAM (as shown in the figure below).

List of services in the AWS Management Console

A window opens containing a list of user names and a menu that lets you work with the tool.

3. Navigate through the areas of the console dealing with user accounts, and add a new user name or names.

4. For the user(s) you add, specify the following AWS properties:

Access type: Programmatic Access.

Permissions boundary not set.

Permissions:

ReadOnlyAccess—If you plan to run only cloud segment polling and do not plan to install applications on
EC2 instances using AWS API.

ReadOnlyAccess and AmazonSSMFullAccess—If you plan to run cloud segment polling and install
applications on EC2 instances using AWS API. In this case, you must assign an IAM role with the
AmazonEC2RoleforSSM permission to the protected EC2 instances.

After you add permissions, view them for accuracy. In case of a mistaken selection, go back to the previous
screen and make the selection again.

5. After you create the user account, a table appears containing the IAM access key of the new IAM user. The
access key ID is displayed in the Access key ID column. The secret key is displayed as asterisks in the Secret
access key column. To view the secret key, click Show. The secret access key can be retrieved only at this point;
store it securely (for example, in a password manager or secrets store), because AWS does not display it again.

The newly created account is displayed in the list of IAM user accounts that corresponds to your account in
AWS.

When deploying Kaspersky Security Center in a cloud segment, you must specify that you are using an IAM user
account and provide the access key ID and secret access key to Kaspersky Security Center.


Creating an IAM role for installation of applications on Amazon EC2 instances


Before you start protection deployment on EC2 instances by using Kaspersky Security Center, create in the AWS
Management Console an IAM role with permissions required for installation of applications on instances. For
more details, see the AWS Help sections about IAM roles.

The IAM role is required so that you can assign it to all EC2 instances on which you plan to install security
applications by using Kaspersky Security Center. If you do not assign an instance the IAM role with the necessary
permissions, installation of applications on this instance using AWS API tools will result in an error.

To work with the AWS Management Console, you will need a user name and password from an account in AWS.

To create an IAM role for installing applications on instances:

1. Open the AWS Management Console and log in under your AWS account.

2. In the menu on the left, select Roles.

3. Click the Create Role button.

4. In the list of services that appears, select EC2 and then in the Select Your Use Case list select EC2 again.

5. Click the Next: Permissions button.

6. In the list that opens, select the check box next to AmazonEC2RoleforSSM.

7. Click the Next: Review button.

8. Enter a name and a description for the IAM role and click the Create role button.
The role that you created appears in the list of roles with the name and description that you entered.

Hereinafter, you can use the newly created IAM role to create new EC2 instances that you intend to protect
through Kaspersky Security Center, as well as associate it with existing instances.
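The three console procedures above (the Administration Server role, the IAM user with an access key, and the role for protected instances) can be reproduced with the AWS CLI. The following script is an added example, not Kaspersky's code or part of the original page; it assumes an authenticated `aws` CLI with IAM and EC2 rights, and the role, user and instance names in it are placeholders. The policy sets are exactly the ones the page lists. Setting `AWS=echo` performs a dry run that prints each call instead of executing it, so the script can be reviewed before anything is created.

```shell
#!/bin/sh
# Added example, not Kaspersky's code: creates the IAM principals the three
# procedures above describe, using the AWS CLI instead of the console.
# Assumes an authenticated `aws` CLI with IAM and EC2 permissions; the role,
# user and instance names are placeholders. Set AWS=echo for a dry run that
# prints the calls instead of executing them.
set -eu

AWS="${AWS:-aws}"

# Trust policy letting the named AWS service assume a role.
trust_policy() {
  printf '{"Version":"2012-10-17","Statement":[{"Effect":"Allow","Principal":{"Service":"%s"},"Action":"sts:AssumeRole"}]}' "$1"
}

# Create a role trusted by EC2, attach the given AWS managed policies and wrap
# it in an instance profile of the same name so it can be attached to an instance.
create_instance_role() {
  role="$1"; shift
  $AWS iam create-role --role-name "$role" \
    --assume-role-policy-document "$(trust_policy ec2.amazonaws.com)"
  for policy in "$@"; do
    $AWS iam attach-role-policy --role-name "$role" \
      --policy-arn "arn:aws:iam::aws:policy/$policy"
  done
  $AWS iam create-instance-profile --instance-profile-name "$role"
  $AWS iam add-role-to-instance-profile \
    --instance-profile-name "$role" --role-name "$role"
}

# Attach an instance profile to an existing instance (new instances can instead
# be launched with --iam-instance-profile Name=<role>).
attach_instance_profile() {
  $AWS ec2 associate-iam-instance-profile --instance-id "$1" \
    --iam-instance-profile "Name=$2"
}

# IAM user with programmatic access, for an Administration Server that runs
# outside AWS or manages segments in another account. The secret access key is
# printed once in the create-access-key output; store it in a secrets store.
create_ksc_user() {
  user="$1"; shift
  $AWS iam create-user --user-name "$user"
  for policy in "$@"; do
    $AWS iam attach-user-policy --user-name "$user" \
      --policy-arn "arn:aws:iam::aws:policy/$policy"
  done
  $AWS iam create-access-key --user-name "$user"
}

# Policy sets as the page lists them. Polling only needs the read-only policy;
# installation through the AWS API additionally needs SSM access on the server
# side and the SSM agent role on every protected instance.
setup_ksc_iam() {
  create_instance_role KscAdminServerRole AmazonEC2ReadOnlyAccess AmazonSSMFullAccess
  create_instance_role KscProtectedInstanceRole AmazonEC2RoleforSSM
  create_ksc_user ksc-api-user ReadOnlyAccess AmazonSSMFullAccess
  attach_instance_profile "$1" KscProtectedInstanceRole
}

# Runs only when explicitly asked, e.g.:
#   KSC_APPLY=1 sh ksc-iam.sh i-0123456789abcdef0
if [ "${KSC_APPLY:-0}" = 1 ]; then setup_ksc_iam "$1"; fi
```

Two caveats a practitioner should weigh before applying this as-is. AmazonSSMFullAccess grants far more than the Run Command calls needed to push Network Agent; if your account policy permits, a custom policy scoped to `ssm:SendCommand` on the instances Kaspersky Security Center manages (for example by tag condition) is the least-privilege equivalent. AWS has also marked the AmazonEC2RoleforSSM policy as deprecated in favour of AmazonSSMManagedInstanceCore; the page's instructions still name the former, so the script keeps it, but check the current AWS guidance when you create the instance role.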


Working with Amazon RDS


This section describes which actions must be taken to prepare a database of Amazon Relational Database Service
(RDS) for Kaspersky Security Center, place it in an option group, create an IAM role for working with an RDS
database, prepare an S3 bucket for storage, and migrate an existing database to RDS.

Amazon RDS is a web service that helps AWS users to set up, operate, and scale a relational database in the AWS
cloud environment. If you want, you can use an Amazon RDS database to work with Kaspersky Security Center.

You can work with the following databases:

Microsoft SQL Server

SQL Express Edition

Aurora MySQL 5.7

Standard MySQL 5.7

Creating an Amazon RDS instance


If you want to use Amazon RDS as the DBMS, you have to create an Amazon RDS database instance. This section
describes how to select SQL Express Edition; if you want to work with Aurora MySQL or Standard MySQL
(versions 5.7, 8.0), you must select one of those engines.

To create an Amazon RDS database instance:

1. Open the AWS Management Console at https://console.aws.amazon.com and sign in under your account.

2. Using the AWS interface, create a database with the following settings:

Engine: Microsoft SQL Server, SQL Express Edition

DB engine version: SQL Server 2014 12.00.5546.0v1

DB instance class: db.t2.medium

Storage type: General purpose

Allocated storage: minimum 50 GiB

Security group: the same group where the EC2 instance with Kaspersky Security Center Administration
Server will be located

Create an identi er, username and password for your RDS instance.
You may leave default settings in all the other elds. Or, change the default settings if you want to customize
your Amazon RDS instance. To get help, refer to the AWS information pages.

3. At the last step, AWS displays the results of the process. If you want to view the details of your Amazon RDS
instance, click View DB instance details. If you want to proceed to the next action, start creating an option
group for your Amazon RDS instance.

The creation of a new Amazon RDS instance may take up to several minutes. After the instance is created, you
can use it for work with Kaspersky Security Center data.


Creating option group for Amazon RDS instance


You need to place your Amazon RDS instance into an option group.

To create an option group for your Amazon RDS instance:

1. Make sure that you are in the AWS Management Console (https://console.aws.amazon.com) and signed in
under your account.

2. In the menu line, click Services.


The list of available services appears (see figure below).

List of services in the AWS Management Console

3. In the list, click RDS.

4. In the left pane, click Option groups.

5. Click the Create group button.

6. Create an option group with the following settings, if you chose SQL Server at the stage of creating the
Amazon RDS instance:

Engine: SQLserver-ex

Major engine version: 12.00

If you chose a di erent SQL database at the stage of creating the Amazon RDS instance, then choose a
corresponding engine.

The group is created and displayed in the list of your groups.

After creating the option group, place your Amazon RDS instance into this option group.


Modifying the option group


The default con guration of the option group in which you placed the Amazon RDS instance is not enough for
working with the Kaspersky Security Center database. You have to add options to the option group and create a
new IAM role for working with the database.

To modify the option group and create a new IAM role:

1. Make sure that you are in the AWS Management Console (https://console.aws.amazon.com) and signed in
under your account.

2. In the menu line, click Services.


The list of available services appears (see figure below).

List of services in the AWS Management Console

3. In the list, select RDS.

4. In the left pane, click Option groups.


The list of option groups is displayed.

5. Select the option group in which you placed your Amazon RDS instance and click the Add option button.
The Add option window opens.

6. In the IAM role section, select the Create a new role / Yes option and enter a name for the new IAM role.
The role is created with a default set of permissions. Later, you will have to change its permissions.

7. In the S3 bucket section, do one of the following:

If you haven't created an Amazon S3 bucket instance for the data backup, select the Create a new S3
bucket link and create a new S3 bucket, using the AWS interface.

If you already have created an Amazon S3 bucket instance for the Administration Server data backup task,
select your S3 bucket from the drop-down menu.

8. Finish adding options by clicking the Add option button at the bottom of the page.

You have modified the option group and created a new IAM role for working with the RDS database.


Modifying permissions for IAM role for Amazon RDS database instance

After you add options to the option group, you must assign required permissions to the IAM role that you created
for working with the Amazon RDS database instance.

To assign required permissions to the IAM role that you created for work with the Amazon RDS database instance:

1. Make sure that you are in the AWS Management Console (https://console.aws.amazon.com) and signed in
under your account.

2. In the list of services, select IAM.


A window opens containing a list of user names and a menu that lets you work with the tool.

3. In the menu, select Roles.

4. In the list of IAM roles displayed in the workspace, select the role that you created when adding option to the
option group.

5. Using the AWS interface, delete the sqlNativeBackup-<date> policy.

6. Using the AWS interface, attach the AmazonS3FullAccess policy to the role.

The IAM role is assigned the required permissions to work with Amazon RDS.


Preparing Amazon S3 bucket for database


If you plan to use Amazon Relational Database System (Amazon RDS) database, you have to create an Amazon
Simple Storage Service (Amazon S3) bucket instance where the regular Backup of the database will be stored. For
information about Amazon S3 and about S3 buckets, refer to the Amazon help pages. For more information about
creating an Amazon S3 instance, refer to the Amazon S3 help page.

To create an Amazon S3 bucket:

1. Make sure that the AWS Management Console is open and you are signed in under your account.

2. In the list of AWS services, select S3.

3. Navigate the console to create a bucket, following the instructions of the wizard.

4. Select the same region where your Administration Server is located (or will be located).

5. When the wizard finishes, make sure that the new bucket appears in the list of buckets.

A new S3 bucket is created and appears in your list of buckets. You have to specify this bucket when adding
options to the option group. You will also have to specify the address of your S3 bucket to Kaspersky Security
Center when the Kaspersky Security Center creates the Backup of Administration Server data task.


Migrating the database to Amazon RDS
You can migrate your Kaspersky Security Center database from an on-premises device to an Amazon S3 instance
that supports Amazon RDS. To do this, you need an S3 bucket for an RDS database and an IAM user account with
AmazonS3FullAccess permission for this S3 bucket.

To perform the migration of the database:

1. Make sure that you have created an RDS instance (refer to Amazon RDS reference pages for more information).

2. On your physical Administration Server (on-premises), run the Kaspersky Backup utility to back up
Administration Server data.
You must make sure that the file is named backup.zip.

3. Copy the backup.zip file to the EC2 instance on which Administration Server is installed.

Make sure that you have enough disk space on the EC2 instance on which Administration Server is
installed. In the AWS environment, you can add disk space to your instance to accommodate the process
of database migration.

4. On the AWS Administration Server, start the Kaspersky Backup utility again in interactive mode.
The Backup and Restore Wizard starts.

5. At the Select action step, select Restore Administration Server data and click Next.

6. At the Restore settings step, click the Browse button next to the Folder for storage of backup copies.

7. In the Sign In to Online Storage window that opens, fill in the following fields and then click OK:

S3 bucket name

The name of your S3 bucket.

Backup folder

Specify the location of the storage folder that is meant for backup.

Access key ID

AWS IAM access key ID that belongs to the IAM user who has the permissions to use the S3 bucket
(the AmazonS3FullAccess permission).

Secret key

AWS IAM secret key that belongs to the IAM user who has the permissions to use the S3 bucket (the
AmazonS3FullAccess permission).

8. Select the Migrate from local backup option. The Browse button becomes available.

9. Click the Browse button to choose the folder on the AWS Administration Server where you copied the
backup.zip file.

10. Click Next and complete the procedure.

Your data will be restored to the RDS database using your S3 bucket. You can use this database for further work
with Kaspersky Security Center in the AWS environment.


Working in Microsoft Azure cloud environment


This section provides information about Kaspersky Security Center deployment and maintenance in a cloud
environment provided by Microsoft Azure, as well as details of protection deployment on virtual machines in this
cloud environment.

In a Kaspersky Security Center that has been deployed from a Usage-based monthly billed SKU, Vulnerability and
Patch Management is automatically activated, and Mobile Device Management cannot be activated.

About work in Microsoft Azure


To work with the Microsoft Azure platform and, in particular, to purchase apps at the Azure Marketplace and
create virtual machines, you will need an Azure subscription. Before you deploy Administration Server, create an
Azure Application ID with permissions required for installation of applications on virtual machines.

If you purchase a Kaspersky Security Center image at the Azure Marketplace, you can deploy a virtual machine
with your ready-to-use Kaspersky Security Center Administration Server. You must select settings of the virtual
machine, but you do not have to install the application yourself. After installation, you can start Administration
Console and connect to Administration Server to begin working with Kaspersky Security Center.

You can also use an Azure virtual machine with Kaspersky Security Center Administration Server deployed on it to
protect on-premises devices (for example, if a cloud server turns out to be easier to service and maintain than a
physical one). If this is the case, you work with the Administration Server in the same way that you would if the
Administration Server were installed on an on-premises device. If you do not plan to use Azure API tools, you do
not need an Azure Application ID. In this case, an Azure subscription is enough.

Creating a subscription, Application ID, and password


To work with Kaspersky Security Center in the Microsoft Azure environment, you need an Azure subscription,
Azure Application ID, and Azure Application password. You can use an existing subscription, if you already have one.

An Azure subscription grants its owner access to the Microsoft Azure Platform Management Portal and to
Microsoft Azure services. The owner can use the Microsoft Azure Platform to manage services such as Azure SQL
and Azure Storage.

To create a Microsoft Azure subscription,


Go to https://learn.microsoft.com/en-us/azure/cost-management-billing/manage/create-subscription and
follow the instructions there.

More information about creating a subscription is available on the Microsoft website. You will get a subscription
ID, which you will later provide to Kaspersky Security Center together with Application ID and password.

To create and save Azure Application ID and password:

1. Go to https://portal.azure.com and make sure that you are logged in.

2. Following the instructions on the reference page, create your Application ID.

3. Go to the Keys section of the application settings.

4. In the Keys section, fill in the Description and Expires fields and leave the Value field empty.

5. Click Save.
When you click Save, the system automatically fills the Value field with a long sequence of characters. This
sequence is your Azure Application password (for example,
yXyPOy6Tre9PYgP/j4XVyJCvepPHk2M/UYJ+QlfFvdU=). The description is displayed as you entered it.

6. Copy the password and save it, so that you can later provide the Application ID and password to Kaspersky
Security Center.
You can copy the password only when it has been created. Later, the password will no longer be displayed and
you cannot restore it.


Assigning a role to the Azure Application ID


If you only want to detect virtual machines using device discovery, your Azure Application ID must have the Reader
role. If you want not only to detect virtual machines, but also to deploy protection on the virtual machines, your
Azure Application ID must have the Virtual Machine Contributor role.

Follow the instructions on the Microsoft website to assign a role to your Azure Application ID.

Deploying Administration Server in Microsoft Azure and selecting database


To deploy Administration Server in the Microsoft Azure environment:

1. Sign in to Microsoft Azure using your account.

2. Go to the Azure portal.

3. In the left pane, click the green plus sign.

4. Type "Kaspersky Hybrid Cloud Security" in the search field in the menu.
Kaspersky Hybrid Cloud Security is a combination of Kaspersky Security Center and two security applications
for protection of instances: Kaspersky Endpoint Security for Linux and Kaspersky Security for Windows Server.

5. In the list of results, select Kaspersky Hybrid Cloud Security or Kaspersky Hybrid Cloud Security (BYOL).
In the right part of the screen, an information window appears.

6. Read information and click the Create button in the end of the information window.

7. Fill all the necessary fields. Use the tooltips to get information and assistance.

8. When selecting the size, select one of the three starred options.
In most cases, 8 gigabytes (GB) of RAM is enough. However, in Azure, you can increase the size of RAM and
other resources of the virtual machine at any time.

9. When selecting a database, select one of the following, according to your plan:

Local—If you want a database on the same virtual machine where the Administration Server will be deployed.
Kaspersky Security Center comes with an SQL Server Express database. Choose this option if SQL Server
Express is enough for your needs.

New—If you want a new RDS database in the Azure environment. Choose this option if you want a DBMS
other than SQL Server Express. Your data will be transferred to the cloud environment, where it will remain,
and you will not have any extra expenses.

Existing—If you want to use an existing database server. In this case, you will have to specify its location. If
this server is outside the Azure environment, your data will be transferred over the internet, which might
result in extra expenses.

10. When entering the subscription ID, use the subscription that you created earlier.

After deployment, you can connect to the Administration Server using RDP. You can use the Administration
Console to work with the Administration Server.

Working with Azure SQL


This section describes which actions must be taken to prepare a Microsoft Azure database for Kaspersky Security
Center, prepare an Azure storage account, and migrate an existing database to Azure SQL.

SQL Database is a general-purpose relational database managed service in Microsoft Azure.


Creating Azure storage account


You have to create a storage account in Microsoft Azure for working with Azure SQL database and for
deployment scripts.

To create a storage account:

1. Sign in to the Azure portal.

2. In the left pane, select Storage accounts to proceed to the Storage accounts window.

3. In the Storage accounts window, click the Add button to proceed to the Create storage account window.

4. Fill in all the necessary fields to create a storage account:

Location: must be the same as the location of the Administration Server.

Other fields: you may leave the default values.

Use the tooltips to get information about each field.


After the storage account is created, the list of your storage accounts is displayed.

5. In the list of your storage accounts, click the name of the newly created account to see information about this
account.

6. Make sure you know the account name, the resource group, and access keys for this storage account. You will
need this information for working with Kaspersky Security Center.

You can refer to Azure website for help.

If you already have a storage account, you can use it for working with Kaspersky Security Center.

Creating Azure SQL database and SQL Server


You need an SQL database and SQL Server in the Azure environment.

To create an Azure SQL database and SQL Server:

1. Follow the instructions on the Azure website.


You can create a new server when Microsoft Azure prompts you to do so; if you already have an Azure SQL
Server, you can use it for Kaspersky Security Center rather than creating a new one.

2. After creating the SQL database and SQL Server, make sure that you know its resource name and resource
group:

a. Go to https://portal.azure.com and make sure that you are logged in.

b. In the left pane, select SQL databases.

c. Click the name of a database from the list of your databases.


The properties window opens.

d. The name of the database is the resource name. The name of the resource group is displayed in the
Overview section of the properties window.

You need the resource name and resource group of the database for migrating the database to Azure SQL.

Migrating the database to Azure SQL


After Administration Server is deployed in the Azure environment, you can migrate your Kaspersky Security Center
database from an on-premises device to Azure SQL. You need an Azure storage account for an Azure SQL
database. You also must have Microsoft SQL Server Data-Tier Application Framework (DacFx) and
SQLSysCLRTypes on your Administration Server.

To perform the migration of the database:

1. Make sure that you have created an Azure storage account.

2. Make sure that you have SQLSysCLRTypes and DacFx on your Administration Server.
You can download Microsoft SQL Server Data-Tier Application Framework (17.0.1 DacFx) and SQLSysCLRTypes
(choose the version corresponding to the version of your SQL Server) from the official Microsoft website.

3. On your physical Administration Server (on-premises), run the Kaspersky Backup utility to back up
Administration Server data with the Migrate to Azure format option enabled.

4. Copy the backup file to the Azure Administration Server.

Make sure that you have enough disk space on the Azure virtual machine where the Administration Server
is installed. In the Azure environment, you can add disk space to your virtual machines to accommodate the
process of database migration.

5. On the Administration Server located in the Microsoft Azure environment, start the Kaspersky Backup utility
again in interactive mode.
The Backup and Restore Wizard starts.

6. At the Select action step, select Restore Administration Server data and click Next.

7. At the Restore settings step, click the Browse button next to the Folder for storage of backup copies.

8. In the Sign In to Online Storage window that opens, fill in the following fields and then click OK:

Azure storage account name

You created the name of the Azure storage account for working with Kaspersky Security Center.

Backup folder

Specify the location of the storage folder that is meant for backup.

Azure Subscription ID

You created the subscription on the Azure portal.

Azure Application password

You received the password of the Application ID when you created the Application ID.
The characters of the password are displayed as asterisks. After you begin entering the password, the
Show button becomes available. Click and hold this button to view the characters you entered.

Azure storage access key

Available in the properties of your storage account, in the Access Keys section. You can use any of the
keys (key1 or key2).

Azure SQL server name

Available in the properties of your Azure SQL Server.

Azure SQL server resource group

Available in the properties of your Azure SQL Server.

Azure Application ID

You created this application ID on the Azure portal.


You can provide only one Azure Application ID for polling and other purposes. If you want to poll another
Azure segment, you must first delete the existing Azure connection.

9. Select the Migrate from local backup option.


The Browse button becomes available.

10. Click the Browse button to choose the folder on the Azure Administration Server where you copied the
backup file.

11. Click Next and complete the procedure.

Your data will be restored to the Azure SQL database by using your Azure storage. You can use this database for
further work with Kaspersky Security Center in the Azure environment.


Working in Google Cloud


This section provides information about work with Kaspersky Security Center in a cloud environment provided by
Google.

Creating client email, project ID, and private key


You can use the Google API to work with Kaspersky Security Center in Google Cloud Platform. A Google account
is required. Please refer to the Google documentation at https://cloud.google.com for more information.

You will need to create and provide Kaspersky Security Center with the following credentials:

Client email

Client email is the email address that you used for registering your project at Google Cloud.

Project ID

Project ID is the ID that you received when you registered your project at Google Cloud.

Private key

Private key is the sequence of characters that you received as your private key when you registered your
project at Google Cloud. You might want to copy and paste this sequence to avoid mistakes.

Working with Google Cloud SQL for MySQL instance


You can create a database in Google Cloud and use this database for Kaspersky Security Center.

Kaspersky Security Center works with MySQL 5.7 and 5.6. Other versions of MySQL have not been tested.

To create and configure a MySQL database:

In your browser, go to https://cloud.google.com/sql/docs/mysql/create-instance#create-2nd-gen and follow the
instructions provided.

When configuring a MySQL database, use the following flags:

sort_buffer_size 10000000

join_buffer_size 20000000

innodb_lock_wait_timeout 300

max_allowed_packet 32000000

innodb_thread_concurrency 20

max_connections 151

tmp_table_size 67108864

max_heap_table_size 67108864

lower_case_table_names 1
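
The following script is an added example, not part of the Kaspersky help and not Google Cloud tooling. It takes the flag values listed above, renders them in the form that the `--database-flags` option of `gcloud sql instances patch` accepts, and then compares the output of `SHOW VARIABLES` from the instance against the required values so that a deviation (a flag left at its default, or not set at all) is reported before Administration Server is pointed at the database. The `SHOW VARIABLES` rows embedded in the script are a constructed sample, not output captured from a real instance.

```python
"""Check a MySQL instance for the flag values Kaspersky Security Center requires.
Added example; the required values are those listed in the help, the SHOW
VARIABLES output below is a constructed sample."""

# Flag values required by the help for the Kaspersky Security Center database.
REQUIRED_MYSQL_FLAGS = {
    "sort_buffer_size": 10000000,
    "join_buffer_size": 20000000,
    "innodb_lock_wait_timeout": 300,
    "max_allowed_packet": 32000000,
    "innodb_thread_concurrency": 20,
    "max_connections": 151,
    "tmp_table_size": 67108864,
    "max_heap_table_size": 67108864,
    "lower_case_table_names": 1,
}


def to_gcloud_database_flags(flags: dict) -> str:
    """Render the flags as the comma-separated FLAG=VALUE list that
    `gcloud sql instances patch <INSTANCE> --database-flags=...` expects."""
    return ",".join(f"{name}={value}" for name, value in sorted(flags.items()))


def parse_show_variables(output: str) -> dict:
    """Parse the tab-separated Variable_name/Value rows that a batch-mode
    `mysql -e "SHOW VARIABLES"` prints; the header row is skipped."""
    variables = {}
    for line in output.splitlines():
        line = line.strip()
        if not line or line.startswith("Variable_name"):
            continue
        name, _, value = line.partition("\t")
        variables[name.strip()] = value.strip()
    return variables


def check_flags(actual: dict, required: dict = REQUIRED_MYSQL_FLAGS) -> dict:
    """Return {flag: (expected, actual_raw)} for every required flag that is
    absent from the instance or set to a different value. Numeric values are
    compared as integers; anything non-numeric is compared as the raw string."""
    mismatches = {}
    for name, expected in required.items():
        raw = actual.get(name)
        try:
            got = int(raw) if raw is not None else None
        except ValueError:
            got = raw
        if got != expected:
            mismatches[name] = (expected, raw)
    return mismatches


# Constructed sample: two flags still carry defaults, one flag is not set at all.
SAMPLE_SHOW_VARIABLES = """Variable_name\tValue
innodb_lock_wait_timeout\t50
innodb_thread_concurrency\t20
join_buffer_size\t20000000
lower_case_table_names\t1
max_allowed_packet\t32000000
max_connections\t151
sort_buffer_size\t10000000
tmp_table_size\t16777216
"""

if __name__ == "__main__":
    print("--database-flags=" + to_gcloud_database_flags(REQUIRED_MYSQL_FLAGS))
    report = check_flags(parse_show_variables(SAMPLE_SHOW_VARIABLES))
    for flag, (expected, got) in report.items():
        print(f"{flag}: expected {expected}, instance reports {got}")
```

Run the `SHOW VARIABLES` check again after every instance restart or flag change; Cloud SQL applies some flags only after a restart, so a check taken immediately after `patch` can still show the old value.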

Prerequisites for client devices in a cloud environment necessary for work with Kaspersky Security Center


The devices on which you intend to install Administration Server, Network Agent, and Kaspersky security
applications must meet the following conditions:

The configuration of security groups makes available the following ports on the Administration Server (minimum
set of ports required for deployment):

8060 HTTP—For transfer of Network Agent installation packages and security application installation
packages from the Administration Server to protected instances

8061 HTTPS—For transfer of Network Agent installation packages and security application installation
packages from the Administration Server to protected instances

13000 TCP—For transfers from protected instances and secondary Administration Servers to the primary
Administration Server using SSL

13000 UDP—For transfer of information about shutdown of instances to the Administration Server

14000 TCP—For transfers from protected instances and secondary Administration Servers to the primary
Administration Server without using SSL

13291—For connecting Administration Console to the Administration Server

40080—For the operation of deployment scripts

You can configure security groups in AWS Management Console or at the Azure portal. If you intend to use
Kaspersky Security Center in a non-default configuration, please refer to the Knowledge Base. Examples of
non-default configurations include not installing Administration Console on the Administration Server device
but installing it on your workstation instead, or using a KSN proxy server.

Port 15000 UDP is available on the client devices (for receipt of requests for communication with the
Administration Server).

In the AWS cloud environment:

If you plan to use AWS API, the IAM role is set under which the applications will be installed on the instances.

On each Amazon EC2 instance, Systems Manager Agent (SSM Agent) is installed and running.

SSM Agent enables Kaspersky Security Center to automatically install applications on devices and groups
of devices without requesting confirmation by an administrator each time.

On instances that are running a Windows operating system and were deployed from AMIs later than
November 2016, SSM Agent is installed and running. You will have to manually install SSM Agent on all other
devices. For details about installing SSM Agent on devices running Windows and Linux operating systems,
please refer to the AWS Help page.

In the Microsoft Azure cloud environment:

On each Azure virtual machine, Azure VM Agent is installed and running.


By default, a new virtual machine is created with Azure VM Agent, and you do not have to install or enable it
manually. Please refer to Microsoft Help pages for details about Azure VM Agent on Windows devices and
on Linux devices.

Your Azure Application ID has the following roles:

Reader (to discover virtual machines by using polling)

Virtual Machine Contributor (to deploy protection on the virtual machines)

SQL Server Contributor (to use an SQL database in the Microsoft Azure environment)

If you want to perform all these operations, assign all the three roles to your Azure Application ID.
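
The script below is an added example, not part of the Kaspersky help and not AWS or Microsoft code. It encodes the minimum port set listed above and checks a security group's inbound rules against it, reporting every port that no rule covers, which is the usual cause of Network Agents or the Administration Console failing to reach a freshly deployed Administration Server. The rule entries follow the shape of the `IpPermissions` list returned by the EC2 `describe-security-groups` call (`IpProtocol`, `FromPort`, `ToPort`, `IpRanges`); the sample group and the 10.0.0.0/16 source range are constructed for the example, and an Azure network security group would need its rules mapped into this shape first.

```python
"""Check a security group's inbound rules against the Administration Server
ports listed in the help. Added example; the IpPermissions entries below are a
constructed sample, not a real group."""

from dataclasses import dataclass


@dataclass(frozen=True)
class RequiredPort:
    port: int
    protocol: str  # "tcp" or "udp", lower-case as in the EC2 data model
    purpose: str


# Minimum inbound ports on the Administration Server, as listed in the help.
ADMIN_SERVER_PORTS = (
    RequiredPort(8060, "tcp", "HTTP: Network Agent and security application installation packages"),
    RequiredPort(8061, "tcp", "HTTPS: Network Agent and security application installation packages"),
    RequiredPort(13000, "tcp", "Instances and secondary Servers to primary Server (SSL)"),
    RequiredPort(13000, "udp", "Instance shutdown notifications to the Server"),
    RequiredPort(14000, "tcp", "Instances and secondary Servers to primary Server (no SSL)"),
    RequiredPort(13291, "tcp", "Administration Console to Administration Server"),
    RequiredPort(40080, "tcp", "Deployment scripts"),
)

# Port that client devices must accept (requests for communication with the Server).
CLIENT_DEVICE_PORTS = (
    RequiredPort(15000, "udp", "Communication requests from the Administration Server"),
)


def rule_allows(rule: dict, req: RequiredPort) -> bool:
    """True if one IpPermissions entry covers the required port and protocol.
    IpProtocol "-1" means all traffic in the EC2 data model."""
    proto = rule.get("IpProtocol", "")
    if proto == "-1":
        return True
    if proto != req.protocol:
        return False
    return rule.get("FromPort", -1) <= req.port <= rule.get("ToPort", -1)


def missing_ports(ip_permissions: list, required=ADMIN_SERVER_PORTS) -> list:
    """Return the required ports that no inbound rule allows, in help order."""
    return [r for r in required
            if not any(rule_allows(rule, r) for rule in ip_permissions)]


def ip_permissions_for(required=ADMIN_SERVER_PORTS, cidr: str = "10.0.0.0/16") -> list:
    """Build one IpPermissions entry per required port/protocol, limited to the
    given source range (the range is an assumption made for this example)."""
    return [
        {"IpProtocol": r.protocol, "FromPort": r.port, "ToPort": r.port,
         "IpRanges": [{"CidrIp": cidr, "Description": r.purpose}]}
        for r in required
    ]


# Constructed sample: the group opens the package ports and the SSL port only,
# so 13000/udp, 14000/tcp, 13291/tcp and 40080/tcp are still closed.
SAMPLE_GROUP_INGRESS = [
    {"IpProtocol": "tcp", "FromPort": 8060, "ToPort": 8061,
     "IpRanges": [{"CidrIp": "10.0.0.0/16"}]},
    {"IpProtocol": "tcp", "FromPort": 13000, "ToPort": 13000,
     "IpRanges": [{"CidrIp": "10.0.0.0/16"}]},
]

if __name__ == "__main__":
    for r in missing_ports(SAMPLE_GROUP_INGRESS):
        print(f"missing {r.port}/{r.protocol}: {r.purpose}")
```

`ip_permissions_for()` produces the entries in the form that `authorize-security-group-ingress` takes, so the missing rules can be generated from the same table the check uses rather than typed a second time.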

Creating installation packages required for Cloud Environment Configuration Wizard


Cloud Environment Con guration Wizard in Kaspersky Security Center is available if you have the installation
packages and management plug-ins for the following programs:

Kaspersky Security for Windows Server

Kaspersky Endpoint Security for Linux

These installation packages are required for installing Kaspersky Security for Windows Server and Kaspersky
Endpoint Security for Linux on the instances or virtual machines that you want to protect. If you do not have these
installation packages, you must create them. Otherwise, the Wizard cannot work.

To create installation packages:

1. Download the latest versions of the applications and plug-ins at the Kaspersky website:

The installer and the management plug-in for Kaspersky Security for Windows Server.

The installer, files for remote installation via Kaspersky Security Center, and the management plug-in for
Kaspersky Endpoint Security for Linux.

2. Save all files on the instance (or virtual machine) where the Administration Server is installed.

3. Extract the files from all the packages.

4. Start Kaspersky Security Center.

5. In the console tree, go to Advanced → Remote installation → Installation packages and click Create
installation package.

6. Select Create Kaspersky installation package.

7. Specify the name for the package and the path to the application installer: <folder>\<file name>.kud, and then
click Next.

8. Read the End User License Agreement and select the check box confirming that you accept its terms, and then
click Next.

The installation package will be uploaded to the Administration Server and will be available in the list of installation
packages.

The Cloud Environment Configuration Wizard will become available as soon as you create the installation packages
and install the management plug-ins for Kaspersky Security for Windows Server and Kaspersky Endpoint Security
for Linux on the Administration Server.

Cloud Environment Configuration Wizard


To configure Kaspersky Security Center by using this Wizard, you must have the following:

Specific credentials for a cloud environment:

An IAM role that has been granted the right to poll the cloud segment or an IAM user account that has been
granted the right to poll the cloud segment (for work with Amazon Web Services)

Azure Application ID, password, and subscription (for work with Microsoft Azure)

Google client email, Project ID, and private key (for work with Google Cloud)

If you do not want to use cloud environment capabilities (if, for example, you want to manage protection of physical
client devices only), you can close the Cloud Environment Configuration Wizard and run the standard
Administration Server Quick Start Wizard manually.

The Cloud Environment Configuration Wizard starts automatically at the first connection to Administration Server
through Administration Console if you are deploying Kaspersky Security Center from a ready-to-use image. You
can also start the Cloud Environment Configuration Wizard manually at any time.

To start the Cloud Environment Configuration Wizard manually:

1. In the console tree, select the Administration Server node.

2. In the context menu of the node, select All Tasks → Cloud Environment Configuration Wizard.

The average work session with this Wizard lasts about 15 minutes.

About the Cloud Environment Configuration Wizard


This Wizard allows you to configure Kaspersky Security Center while taking into account the specifics of working in
a cloud environment.

The Wizard creates the following objects:

Network Agent policy with default settings

Policy for Kaspersky Endpoint Security for Linux

Policy for Kaspersky Security for Windows Server

Administration group for instances and a rule for automatically moving instances to this administration group

Administration Server data backup task

Tasks for installing protection on devices running Linux and Windows

Tasks for each managed device:

Quick Virus Scan


Update download

If you selected the BYOL licensing option, the Wizard also activates Kaspersky Security Center with a key file or
activation code and places the key file or activation code in the license storage.

Step 1. Selecting the application activation method

This step is not displayed if you signed up for one of the ready-to-use AMIs (at the AWS Marketplace), or for a
Usage-based monthly billed SKU (at the Azure Marketplace). In this case, the Wizard immediately proceeds to
the next step. However, you cannot purchase a ready-to-use AMI for Google Cloud.

If you selected BYOL licensing option for Kaspersky Security Center, the Wizard prompts you to select the
application activation method.

Activate the application with an activation code (or a key file) for Kaspersky Security for Virtualization or for
Kaspersky Hybrid Cloud Security.

You can activate the application in one of the following ways:

By entering an activation code.


Online activation will start. This process involves verification of the specified activation code, as well as
issuance and activation of a key file.

By specifying a key file.


The application will check the key file and either activate it if it contains the correct information, or prompt you
to specify another key file.

Kaspersky Security Center places the license key in the license storage and marks it as automatically distributed
on managed devices.

If you connect to an instance using standard Remote Desktop Connection in Microsoft Windows or a similar
application, in the remote connection properties you must specify the drive of the physical device that you are
using to connect. This ensures access from the instance to the files on your physical device, and lets you select
and specify the key file.

When working with Kaspersky Security Center deployed from a paid AMI or for a Usage-based monthly billed
SKU, you cannot add key files or activation codes to the license storage.

Step 2. Selecting the cloud environment


Select the cloud environment in which you are deploying Kaspersky Security Center: AWS, Azure, or Google Cloud.

Step 3. Authorization in the cloud environment

AWS

If you selected AWS, either specify that you have an IAM role with the required rights, or provide Kaspersky
Security Center with an AWS IAM access key. Cloud segment polling is not possible without an IAM role or an AWS
IAM access key.

Specify the following settings for the connection that will be used for further polling of the cloud segment:

Connection name

Enter a name for the connection. The name cannot contain more than 256 characters. Only Unicode
characters are permitted.
This name will also be used as the name for the administration group for the cloud devices.
If you plan to work with more than one cloud environment, you might want to include the name of the
environment in the connection name, for example, "Azure Segment", "AWS Segment", or "Google Segment".

Use AWS IAM role

Select this option if you have already created an IAM role for the Administration Server to use AWS
services.

Use AWS IAM user account

Select this option if you have an IAM user account with the necessary permissions and you can enter a key
ID and secret key.

Access key ID

The IAM access key ID is a sequence of alphanumeric characters. You received the key ID when you
created the IAM user account.
The field is available if you selected an AWS IAM access key for authorization instead of an IAM role.

Secret key

The secret key that you received with the access key ID when you created the IAM user account.
The characters of the secret key are displayed as asterisks. After you begin entering the secret key, the
Show button is displayed. Click and hold this button for the necessary amount of time to view the
characters you entered.
The field is available if you selected an AWS IAM access key for authorization instead of an IAM role.

This connection is saved in the application settings. The Cloud Environment Configuration Wizard allows you to
create only a single AWS IAM access key. Subsequently, you can specify more connections to manage other cloud
segments.

If you want to install applications on instances through Kaspersky Security Center, you must make sure that your
IAM role (or the IAM user whose account is associated with the key that you are entering) has all the necessary
permissions.

Azure
If you selected Azure, specify the following settings for the connection that will be used for further polling the
cloud segment:

Connection name

Enter a name for the connection. The name cannot contain more than 256 characters. Only Unicode
characters are permitted.
This name will also be used as the name for the administration group for the cloud devices.
If you plan to work with more than one cloud environment, you might want to include the name of the
environment in the connection name, for example, "Azure Segment", "AWS Segment", or "Google Segment".

Azure Application ID

You created this application ID on the Azure portal.


You can provide only one Azure Application ID for polling and other purposes. If you want to poll another
Azure segment, you must first delete the existing Azure connection.

Azure Subscription ID

You created the subscription on the Azure portal.

Azure Application password

You received the password of the Application ID when you created the Application ID.
The characters of the password are displayed as asterisks. After you begin entering the password, the
Show button becomes available. Click and hold this button to view the characters you entered.

Azure storage account name

You created the name of the Azure storage account for working with Kaspersky Security Center.

Azure storage access key

You received a password (key) when you created Azure storage account for working with Kaspersky
Security Center.

The key is available in section "Overview of the Azure storage account," in subsection "Keys."

This connection is saved in the application settings.

Google Cloud

If you selected Google Cloud, specify the following settings for the connection that will be used for further polling
the cloud segment:

Connection name

Enter a name for the connection. The name cannot contain more than 256 characters. Only Unicode
characters are permitted.
This name will also be used as the name for the administration group for the cloud devices.
If you plan to work with more than one cloud environment, you might want to include the name of the
environment in the connection name, for example, "Azure Segment", "AWS Segment", or "Google Segment".

Client email

Client email is the email address that you used for registering your project at Google Cloud.

Project ID

Project ID is the ID that you received when you registered your project at Google Cloud.

Private key

Private key is the sequence of characters that you received as your private key when you registered your
project at Google Cloud. You might want to copy and paste this sequence to avoid mistakes.

This connection is saved in the application settings.

Step 4. Configuring synchronization with Cloud and choosing further actions

At this step, cloud segment polling starts and a special administration group for instances is created. The instances
found during polling are placed into this group. The cloud segment polling schedule is configured (every 5 minutes
by default).

A Synchronize with Cloud automatic moving rule is also created. For each subsequent scan of the cloud network,
virtual devices detected will be moved to the corresponding subgroup within the Managed devices\Cloud group.

On the Synchronization with the cloud segment page, you can define the following settings:

Synchronize administration group structure with the cloud segment

If this option is enabled, the Cloud group is automatically created within the Managed devices group and a
cloud device discovery is started. The instances and virtual machines detected during each cloud network
scan are placed into the Cloud group. The structure of the administration subgroups within this group
matches the structure of your cloud segment (in AWS, availability zones and placement groups are not
represented in the structure; in Azure, subnets are not represented in the structure). Devices that have not
been identified as instances in the cloud environment are in the Unassigned devices group. This group
structure allows you to use group installation tasks to install anti-virus applications on instances, as well as
set up different policies for different groups.
If this option is disabled, the Cloud group is also created and the cloud device discovery is also started;
however, subgroups matching the cloud segment structure are not created within the group. All detected
instances are in the Cloud administration group so they are displayed in a single list. If your work with
Kaspersky Security Center requires synchronization, you can modify the properties of the Synchronize
with Cloud rule and enforce it. Enforcing this rule alters the structure of subgroups in the Cloud group so
that it matches the structure of your cloud segment.
By default, this option is disabled.

Deploy protection

If this option is selected, the Wizard creates a task to install security applications on instances. After the
Wizard finishes, the Protection Deployment Wizard automatically starts on the devices in your cloud
segments, and you will be able to install Network Agent and security applications on those devices.
Kaspersky Security Center can perform the deployment with its native tools. If you do not have
permissions to install the applications on EC2 instances or Azure virtual machines, you can configure the
Remote installation task manually and specify an account with the required permissions. In this case, the
Remote installation task will not work for the devices discovered using AWS API or Azure. This task will only
work for the devices discovered using Active Directory polling, Windows domains polling, or IP range polling.
If this option is not selected, the Protection Deployment Wizard is not started and tasks for installing
security applications on instances are not created. You can manually perform both actions later.

For Google Cloud, you can only perform the deployment with Kaspersky Security Center native tools. If you
selected Google Cloud, the Deploy protection option is not available.

Step 5. Configuring Kaspersky Security Network in the cloud environment


Specify the settings for relaying information about Kaspersky Security Center operations to the Kaspersky
Security Network knowledge base. Select one of the following options:

I agree to use Kaspersky Security Network

Kaspersky Security Center and managed applications installed on client devices will automatically transfer
their operation details to Kaspersky Security Network. Participation in Kaspersky Security Network
ensures faster updates of databases containing information about viruses and other threats, which
ensures a faster response to emergent security threats.

I do not agree to use Kaspersky Security Network

Kaspersky Security Center and managed applications will provide no information to Kaspersky Security
Network.
If you select this option, the use of Kaspersky Security Network will be disabled.

Kaspersky recommends participation in Kaspersky Security Network.

Step 6. Configuring email notifications in the cloud environment


Configure the delivery of notifications about events registered during the operation of Kaspersky applications on
virtual client devices. These settings will be used as the default settings for application policies.

To configure the delivery of notifications about events occurring in Kaspersky applications, use the following
settings:

Recipients (email addresses)

The email addresses of users to whom the application will send noti cations. You can enter one or more
addresses; if you enter more than one address, separate them with a semicolon.

SMTP servers

The address or addresses of your organization's mail servers.


If you enter more than one address, separate them with a semicolon. You can use the following values:
IPv4 or IPv6 address

Windows network name (NetBIOS name) of the device

DNS name of the SMTP server

SMTP server port

Communication port number of the SMTP server. If you use several SMTP servers, the connection to them
is established through the specified communication port. The default port number is 25.

Use ESMTP authentication

Enables support of ESMTP authentication. When the check box is selected, in the User name and
Password fields you can specify the ESMTP authentication settings. By default, this check box is cleared.

You can test the new email notification settings by clicking the Send test message button. If the test message
was successfully received at the addresses specified in the Recipients (email addresses) field, the settings have
been correctly configured.

Step 7. Creating an initial configuration of the protection of the cloud environment

At this step, Kaspersky Security Center automatically creates policies and tasks. The Configure initial protection
window displays a list of policies and tasks created by the application.

If you use an RDS database in the AWS cloud environment, you have to provide IAM access key pair to Kaspersky
Security Center when the Administration Server backup task is being created. In this case, fill in the following fields:

S3 bucket name

The name of the S3 bucket that you created for the Backup.

Access key ID

You received the key ID (sequence of alphanumeric characters) when you created the IAM user account
for working with S3 bucket storage instance.
The field is available if you selected RDS database on an S3 bucket.

Secret key

The secret key that you received with the access key ID when you created the IAM user account.
The characters of the secret key are displayed as asterisks. After you begin entering the secret key, the
Show button is displayed. Click and hold this button for the necessary amount of time to view the
characters you entered.
The field is available if you selected an AWS IAM access key for authorization instead of an IAM role.

If you use an Azure SQL database in the Azure cloud environment, you have to provide information about your
Azure SQL Server to Kaspersky Security Center when the Administration Server backup task is being created. In
this case, fill in the following fields:

Azure storage account name

You created the name of the Azure storage account for working with Kaspersky Security Center.

Azure Subscription ID

You created the subscription on the Azure portal.

Azure Application password

You received the password of the Application ID when you created the Application ID.
The characters of the password are displayed as asterisks. After you begin entering the password, the
Show button becomes available. Click and hold this button to view the characters you entered.

Azure Application ID

You created this application ID on the Azure portal.
You can provide only one Azure Application ID for polling and other purposes. If you want to poll another
Azure segment, you must first delete the existing Azure connection.

Azure SQL server name

The name and the resource group are available in your Azure SQL Server properties.

Azure SQL server resource group

The name and the resource group are available in your Azure SQL Server properties.

Azure storage access key

Available in the properties of your storage account, in the Access Keys section. You can use any of the keys
(key1 or key2). Azure provides two keys so that one can be regenerated while the other stays in use; if you
regenerate the key that Kaspersky Security Center stores, update the stored key accordingly.

If you are deploying the Administration Server in the Google Cloud, you have to select a folder where the backup
copies will be stored. Select a folder on your local device or a folder on a virtual machine instance.

The Next button becomes available after the creation of all policies and tasks that are necessary for minimum
configuration of protection.

If a device on which the tasks are supposed to run is not visible to the Administration Server, then the tasks start
only when the device becomes visible. If you create a new EC2 instance or a new Azure virtual machine, it might
take some time before it becomes visible to the Administration Server. If you want Network Agent and the security
applications to be installed on all the newly created devices as soon as possible, make sure that the Run missed
tasks option is enabled for the Install application remotely tasks. Otherwise, a newly created instance/virtual
machine will not get Network Agent and the security applications until the task starts according to its schedule.

Step 8. Selecting the action when the operating system must be restarted
during installation (for the cloud environment)
If you previously selected Deploy protection, you must choose what to do when the operating system of a target
device has to be restarted. If you did not select the Deploy protection option, this step is skipped.

Select whether to restart instances if the device operating system has to be restarted during installation of
applications:

Do not restart the device

If this option is selected, the device will not be restarted after the security application installation.

Restart the device

If this option is selected, the device will be restarted after the security application installation.

If you want to force the closing of all applications in blocked sessions on the instances before the restart, select
the Force closure of applications in blocked sessions check box. If this check box is cleared, you will have to close
manually all applications that are running on blocked instances.

Step 9. Receiving updates by the Administration Server


At this step, you can view the progress of downloading updates necessary for correct operation of the
Administration Server. You can click the Next button, without waiting for download completion, to proceed to the
final page of the Wizard.

The Wizard finishes.

Checking configuration


To check whether Kaspersky Security Center 14 is properly configured for working in a cloud environment:

1. Start Kaspersky Security Center and make sure that you can connect to the Administration Server via the
Administration Console.

2. In the console tree, select Managed devices\Cloud.

3. When viewing any of the subgroups in the Managed devices\Cloud group, make sure that the Devices tab
displays all devices of that subgroup.
If the devices are not displayed, you can poll the corresponding cloud segments manually to find them.

4. Make sure that the Policies tab has active policies for the following applications:

Kaspersky Security Center Network Agent

Kaspersky Security for Windows Server

Kaspersky Endpoint Security for Linux

If they are not listed, you can create them manually.

5. Make sure that the Tasks tab lists the following tasks:

Backup of Administration Server data

Update task for Windows Server

Database maintenance

Download updates to the Administration Server repository

Find vulnerabilities and required updates

Install protection for Windows

Install protection for Linux

Quick scan task for Windows Server

Quick Scan

Install updates for Linux

If they are not listed, you can create them manually.

Kaspersky Security Center 14 is properly configured for work in a cloud environment.

Cloud device group


You can manage cloud devices by combining them into groups. At the stage of initially con guring Kaspersky
Security Center, the Managed devices\Cloud administration group is created by default, and cloud devices
detected during polling are placed into this group.

If you selected the Synchronize administration group structure with the cloud segment option when you
configured synchronization, the structure of subgroups in this administration group is identical to the structure of
your cloud segments. (However, in AWS, availability zones and placement groups are not represented in the
structure; in Microsoft Azure, subnets are not represented in the structure.) Empty subgroups within the group
that are detected during polling are automatically deleted.

You can also manually create administration groups by combining all or specific devices.

By default, the Managed devices\Cloud group inherits the policies and tasks from the Managed devices group.
You can change the settings if the Editing allowed check boxes are selected in the properties of the settings of
the corresponding policies and tasks.

Network segment polling


Information about the structure of the network and devices in this network is received by the Administration
Server through regular polling of cloud segments by using AWS API, Azure API, or Google API tools. Kaspersky
Security Center uses this information to update the contents of the Unassigned devices and Managed devices
folders. If you have con gured devices to be moved to administration groups automatically, the detected devices
are included in administration groups.

To allow the Administration Server to poll cloud segments, you must have the rights provided with an IAM role or
IAM user account (in AWS), or with Application ID and password (in Azure), or with a Google client email, Google
project ID, and private key.

You can add and delete connections, as well as set the polling schedule for each cloud segment.

Adding connections for cloud segment polling


To add a connection for cloud segment polling to the list of available connections:

1. In the console tree, select the Device discovery → Cloud node.

2. In the workspace of the window, click Configure polling.
A properties window opens containing a list of connections available for cloud segment polling.

3. Click the Add button.


The Connection window opens.

4. Specify the name of the cloud environment for the connection that will be used for further polling of the cloud
segment:
Cloud environment

The environment in which the EC2 instances (or virtual machines) are located can be Amazon Web
Services (AWS), Microsoft Azure, or Google Cloud.

If you selected AWS, specify the following settings:

Connection name

Enter a name for the connection. The name cannot contain more than 256 characters. Only Unicode
characters are permitted.
This name will also be used as the name for the administration group for the cloud devices.
If you plan to work with more than one cloud environment, you might want to include the name of the
environment in the connection name, for example, "Azure Segment", "AWS Segment", or "Google
Segment".

Use AWS IAM role

Select this option if you have already created an IAM role for the Administration Server to use AWS
services.

Use AWS IAM user account

Select this option if you have an IAM user account with the necessary permissions and you can enter a
key ID and secret key.

Access key ID

The IAM access key ID is a sequence of alphanumeric characters. You received the key ID when you
created the IAM user account.
The field is available if you selected an AWS IAM access key for authorization instead of an IAM role.

Secret key

The secret key that you received with the access key ID when you created the IAM user account.
The characters of the secret key are displayed as asterisks. After you begin entering the secret key,
the Show button is displayed. Click and hold this button for the necessary amount of time to view
the characters you entered.
The field is available if you selected an AWS IAM access key for authorization instead of an IAM role.

The Cloud Environment Configuration Wizard allows you to specify only a single AWS IAM access key.
Subsequently, you can specify more connections to manage other cloud segments.

If you selected Azure, specify the following settings:

Connection name

Enter a name for the connection. The name cannot contain more than 256 characters. Only Unicode
characters are permitted.
This name will also be used as the name for the administration group for the cloud devices.
If you plan to work with more than one cloud environment, you might want to include the name of the
environment in the connection name, for example, "Azure Segment", "AWS Segment", or "Google
Segment".

Azure Application ID

You created this application ID on the Azure portal.


You can provide only one Azure Application ID for polling and other purposes. If you want to poll another
Azure segment, you must first delete the existing Azure connection.

Azure Subscription ID

You created the subscription on the Azure portal.

Azure Application password

You received the password of the Application ID when you created the Application ID.
The characters of the password are displayed as asterisks. After you begin entering the password, the
Show button becomes available. Click and hold this button to view the characters you entered.

Azure storage account name

You created the name of the Azure storage account for working with Kaspersky Security Center.

Azure storage access key

You received a password (key) when you created Azure storage account for working with Kaspersky
Security Center.

The key is available in section "Overview of the Azure storage account," in subsection "Keys."

If you selected Google Cloud, specify the following settings:

Connection name

Enter a name for the connection. The name cannot contain more than 256 characters. Only Unicode
characters are permitted.
This name will also be used as the name for the administration group for the cloud devices.
If you plan to work with more than one cloud environment, you might want to include the name of the
environment in the connection name, for example, "Azure Segment", "AWS Segment", or "Google
Segment".

Client email

Client email is the email address that you used for registering your project at Google Cloud.

Project ID

Project ID is the ID that you received when you registered your project at Google Cloud.

Private key

Private key is the sequence of characters that you received as your private key when you registered
your project at Google Cloud. You might want to copy and paste this sequence to avoid mistakes.

5. If you want, select Set polling schedule and change the default settings.

The connection is saved in the application settings.

After the new cloud segment is polled for the rst time, the subgroup corresponding to that segment appears in
the Managed devices\Cloud administration group.

If you specify incorrect credentials, no instances will be found during cloud segment polling and a new
subgroup will not appear in the Managed devices\Cloud administration group.

Deleting connections for cloud segment polling


If you no longer have to poll a specific cloud segment, you can delete the connection corresponding to that
segment from the list of available connections. You can also delete a connection if, for example, permissions to poll
a cloud segment have been transferred to another AWS IAM user with a different key.

To delete a connection:

1. In the console tree, select the Device discovery → Cloud node.

2. In the workspace of the window, select Configure polling.


A window opens containing a list of connections available for cloud segment polling.

3. Select the connection that you want to delete and click the Delete button in the right part of the window.

4. In the window that opens, click the OK button to confirm your selection.

If you are deleting connections from the list of available connections, the devices that are in the corresponding
segments are automatically deleted from the corresponding administration groups.

Configuring the polling schedule


Cloud segment polling is performed according to schedule. You can set the polling frequency.

The polling frequency is automatically set to 5 minutes by the Cloud Environment Configuration Wizard. You can
change this value at any time and set a different schedule. However, it is not recommended to configure polling to
run more frequently than every 5 minutes, because this could lead to errors in the API operation.

To configure a cloud segment polling schedule:

1. In the console tree, select the Device discovery → Cloud node.

2. In the workspace, click Configure polling.


The cloud properties window opens.

3. In the list, select the connection you want and click the Properties button.
The connection properties window opens.

4. In the properties window, click the Set polling schedule link.


The Schedule window opens.

5. Define the following settings:

Scheduled start
Polling schedule options:

Every N days

The polling runs regularly, with the specified interval in days, starting from the specified date and
time.
By default, the polling runs every day, starting from the current system date and time.

Every N minutes

The polling runs regularly, with the specified interval in minutes, starting from the specified time.
By default, the polling runs every ve minutes, starting from the current system time.

By days of week

The polling runs regularly, on the specified days of week, and at the specified time.
By default, the polling runs every Friday at 6:00:00 PM.

Every month on speci ed days of selected weeks

The polling runs regularly, on the specified days of each month, and at the specified time.
By default, no days of month are selected; the default start time is 6:00:00 PM.

Run missed tasks

If the Administration Server is switched off or unavailable during the time for which the poll is scheduled,
the Administration Server can either start the poll immediately after it is switched on, or wait for the
next time for which the poll scheduled.
If this option is enabled, the Administration Server starts polling immediately after it is switched on.
If this option is disabled, the Administration Server waits for the next time for which the polling is
scheduled.
By default, this option is enabled.

6. Click OK to save the changes.

The polling schedule is configured and saved.

Installing applications on devices in a cloud environment


You can install the following Kaspersky applications on the devices in a cloud environment: Kaspersky Security for
Windows Server (for Windows devices) and Kaspersky Endpoint Security for Linux (for Linux devices).

Client devices on which you intend to install protection must meet the requirements for Kaspersky Security
Center operation in a cloud environment. You must have a valid license to install applications on AWS instances,
Microsoft Azure virtual machines or Google virtual machine instances.

Kaspersky Security Center 14 supports the following scenarios:

A client device is discovered by means of an API; the installation is also performed by means of an API. For AWS
and Azure cloud environments, this scenario is supported.

A client device is discovered by means of Active Directory polling, Windows domains polling, or IP range polling;
the installation is performed by means of Kaspersky Security Center.

A client device is discovered by means of Google API; the installation is performed by means of Kaspersky
Security Center. For Google Cloud, only this scenario is supported.

Other ways of installation of the applications are not supported.

To install applications on virtual devices, use installation packages.

To create a task for remote installation of the application on instances by using AWS API or Azure API:

1. In the console tree, select the Tasks folder.

2. Click the New task button.


The Add Task Wizard starts. Follow the instructions of the Wizard.

3. On the Select the task type page, select Install application remotely as the task type.
4. On the Select devices page, select the relevant devices from the Managed devices\Cloud group.

5. If Network Agent has not yet been installed on the devices on which you are intending to install the application,
on the Selecting an account to run the task page select Account required (Network Agent is not used) and
click the Add button in the right part of the window. In the menu that appears, select one of the following:

Cloud account

Select this option if you want to install applications on instances in AWS and you have an AWS IAM
access key with the required permissions but do not have an IAM role. Also select this option if you
want to install applications on devices in the Azure environment.
In the window that opens, provide Kaspersky Security Center with credentials that grant you rights to
install applications on the relevant devices.
Select the cloud environment: AWS or Azure.
In the Account name field, enter a name for these credentials. This name will be displayed in the list of
the accounts to run the task.
If you selected AWS, in the Access key ID and Secret key fields, enter the credentials for the IAM user
account that has the rights to install applications on the specified devices.
If you selected Azure, in the Azure subscription ID and Azure Application password fields enter the
credentials for the Azure account that has the rights to install applications on the specified devices.
If you specify incorrect credentials, the remote installation task will end with an error on the devices for
which it is scheduled.

Account

For instances running Windows, select this option in case you do not intend to install the application
using AWS or Azure API tools. In this case, make sure that the devices in your cloud segment meet the
necessary conditions. Kaspersky Security Center installs applications on its own, without using AWS
API or Azure API.
If you specify incorrect data, the remote installation task will end with an error on the devices for which
it is scheduled.

IAM role

Select this option if you want to install applications on the instances in the AWS environment and have
an IAM role with the required rights.
If you select this option, but do not have an IAM role with the required rights, the remote installation
task will end with an error on the devices for which it is scheduled.

SSH certificate

For instances running Linux, select this option if you do not intend to install the application by using
AWS API or Azure API tools. In this case, make sure that the devices in your cloud segment meet the
necessary conditions. Kaspersky Security Center installs applications on its own, without using AWS
API or Azure API.

To specify the private key of the SSH certificate, you can generate it by using the ssh-keygen utility.
Note that Kaspersky Security Center supports the PEM format of private keys, but the ssh-keygen
utility generates SSH keys in the OPENSSH format by default. The OPENSSH format is not supported
by Kaspersky Security Center. To create a private key in the supported PEM format, add the -m PEM
option in the ssh-keygen command. For example:

ssh-keygen -m PEM -t rsa -b 4096 -C "< user email >"

You can provide multiple credentials by clicking the Add button for each new one. If different cloud segments
require different credentials, provide the credentials for all the segments.

After the Wizard finishes, the task for remote installation of the application appears in the list of tasks in the
workspace of the Tasks folder.

In Microsoft Azure, remote installation of security applications on a virtual machine may result in deleting
Custom Script Extension installed on this virtual machine.
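The following added script (example code, not part of the Kaspersky Security Center documentation or product) shows the check a practitioner would run before pasting an SSH private key into the remote installation task: it reads only the first line of a key file to tell the PEM format the product accepts from the OPENSSH format that current ssh-keygen versions write by default, and, where ssh-keygen is installed, either generates a new PEM key with the command shown above or converts an existing OPENSSH-format key in place with ssh-keygen -p -m PEM. The key file path, the comment string and the use of an unencrypted key are assumptions made for the example.

```shell
#!/bin/sh
# Added example, not part of the Kaspersky Security Center documentation.
# Classifies an SSH private key file by its PEM armor header and, when
# ssh-keygen is available, produces a PEM-format RSA key for the
# "SSH certificate" account of the remote installation task.

# Print PEM, OPENSSH or UNKNOWN for the private key file given as $1.
# Only the first line is read, so the key material is never echoed.
ssh_key_format() {
    first_line=$(head -n 1 "$1" 2>/dev/null) || return 1
    case "$first_line" in
        "-----BEGIN RSA PRIVATE KEY-----"|"-----BEGIN EC PRIVATE KEY-----"|"-----BEGIN DSA PRIVATE KEY-----")
            echo PEM ;;            # traditional PEM, what "ssh-keygen -m PEM" writes
        "-----BEGIN OPENSSH PRIVATE KEY-----")
            echo OPENSSH ;;        # default ssh-keygen output; not accepted by the product
        *)
            echo UNKNOWN ;;
    esac
}

# Ensure the private key at $1 exists in PEM format and print its format.
# $2 is an optional comment (the page's command uses the user's email).
# Assumption: the key is unencrypted (-N ""), matching how the task uses it.
make_pem_key() {
    key="$1"
    comment="${2:-ksc-remote-install}"
    if [ -f "$key" ]; then
        if [ "$(ssh_key_format "$key")" = OPENSSH ]; then
            # -p rewrites the existing private key; -m PEM selects the output format.
            ssh-keygen -p -m PEM -P "" -N "" -f "$key" >/dev/null
        fi
    else
        # Same command as in the text, plus -N/-f so it runs non-interactively.
        ssh-keygen -m PEM -t rsa -b 4096 -N "" -C "$comment" -f "$key" >/dev/null
    fi
    ssh_key_format "$key"
}

# Usage: sh check_ssh_key.sh /path/to/ksc_rsa [comment]
# Generates or converts the key as needed and prints its final format.
if [ $# -ge 1 ]; then
    make_pem_key "$1" "${2:-}"
fi
```

Run the script against the key you intend to paste into the task; if it prints OPENSSH, the key will be rejected, and the conversion step rewrites it in place, so take a copy first if the same key is used elsewhere.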

Viewing the properties of cloud devices


To view the properties of a cloud device:

1. In the console tree, in the Device discovery → Cloud node, select the subnode that corresponds to the group
where the relevant instance is located.
If you are unaware of the group where the relevant virtual device is located, use the search function:

a. Right-click the name of the Managed devices → Cloud node, and then select Search in the context menu.

b. In the window that opens, perform a search.


If a device exists that meets the criteria that you set, its name and details will be displayed in the lower part
of the window.

2. Right-click the name of the relevant node. In the context menu, select Properties.
In the window that opens, the object properties are displayed.
The System Info → General system info section contains the properties that are specific for devices in cloud
environment:

Device discovered using API (AWS, Azure, or Google Cloud; if the device cannot be detected by using API
tools, the No value is displayed).

Cloud Region.

Cloud VPC (for AWS and Google Cloud devices only).

Cloud availability zone (for AWS and Google Cloud devices only).

Cloud subnet.

Cloud placement group (this unit is only displayed if the instance belongs to a placement group; otherwise,
it is not displayed).

You can click the Export to file button to export this information to a .csv or .txt file.

Synchronization with cloud


During the Cloud Environment Configuration Wizard operation, the Synchronize with Cloud rule is created
automatically. This rule allows you to automatically move instances detected in each poll, from the Unassigned
devices group to the Managed devices\Cloud group, to make these instances available for centralized
management. By default, the rule is active after it is created. You can disable, modify, or enforce the rule at any
time.

To edit the properties of the Synchronize with Cloud rule and/or enforce the rule:

1. In the console tree, right-click the name of the Device discovery node.

2. In the context menu, select Properties.

3. In the Properties window that opens, in the Sections pane, select Move devices.

4. In the list of device moving rules in the workspace, select Synchronize with Cloud and then click the
Properties button in the lower part of the window.
The rule properties window opens.

5. If necessary, specify the following settings in the Cloud segments settings group:

Device is in cloud segment

The rule only applies to devices that are in the selected cloud segment. Otherwise, the rule applies to all
devices that have been discovered.
By default, this option is selected.

Include child objects

The rule applies to all devices in the selected segment and in all nested cloud subsections.
Otherwise, the rule only applies to devices that are in the root segment.
By default, this option is selected.

Move devices from nested objects to corresponding subgroups

If this option is enabled, devices from nested objects are automatically moved to the subgroups
that correspond to their structure.
If this option is disabled, devices from nested objects are automatically moved to the root of the
Cloud subgroup without any further branching.
By default, this option is enabled.

Create subgroups corresponding to containers of newly detected devices

If this option is enabled, when the structure of the Managed devices\Cloud group has no
subgroups that will match the section containing the device, Kaspersky Security Center creates
such subgroups. For example, if a new subnet is discovered during device discovery, a new group
with the same name will be created under the Managed devices\Cloud group.
If this option is disabled, Kaspersky Security Center does not create any new subgroups. For
example, if a new subnet is discovered during network poll, a new group with the same name will
not be created under the Managed devices\Cloud group, and the devices that are in that
subnet will be moved into the Managed devices\Cloud group.
By default, this option is enabled.

Delete subgroups for which no match is found in the cloud segments

If this option is enabled, the application deletes from the Cloud group all the subgroups that do
not match any existing cloud objects.
If this option is disabled, subgroups that do not match any of the existing cloud objects are
retained.
By default, this option is enabled.

If you enabled the Synchronize with Cloud option when running the Cloud Environment Configuration
Wizard, the Synchronize with Cloud rule is created with the Create subgroups corresponding to
containers of newly detected devices and Delete subgroups for which no match is found in the cloud
segments check boxes selected.
If you did not enable the Synchronize with Cloud option, the Synchronize with Cloud rule is created with
these options disabled (cleared). If your work with Kaspersky Security Center requires that the structure
of subgroups in the Managed devices\Cloud subgroup matches the structure of cloud segments,
enable the Create subgroups corresponding to containers of newly detected devices and Delete
subgroups for which no match is found in the cloud segments options in the rule properties, and then
enforce the rule.

6. In the Device discovered using API drop-down list, select one of the following values:
AWS. The device is discovered by using the AWS API, that is, the device is definitely in the AWS cloud
environment.

Azure. The device is discovered by using the Azure API, that is, the device is definitely in the Azure cloud
environment.

Google Cloud. The device is discovered by using the Google API, that is, the device is definitely in the
Google Cloud environment.

No. The device cannot be detected by using the AWS, Azure, or Google API, that is, it is either outside the
cloud environment or it is in the cloud environment but it cannot be detected by using an API.

No value. This condition does not apply.

7. If necessary, set up other rule properties in other sections.

8. If necessary, enforce the rule by clicking the Force button in the lower part of the window.
The Rule Execution Wizard starts. Follow the instructions of the Wizard. When the Wizard finishes, the rule will
be run and the structure of subgroups in the Managed devices\Cloud subgroup will match the structure of
your cloud segments.

9. Click the OK button.

The properties are set up and saved.

To disable the Synchronize with Cloud rule:

1. In the console tree, right-click the name of the Device discovery node.

2. In the context menu, select Properties.

3. In the Properties window that opens, in the Sections pane, select Move devices.

4. In the list of device moving rules in the workspace, disable (clear) the Synchronize with Cloud option and click
OK.

The rule is disabled and will no longer be applied.

Using deployment scripts for deploying security applications


When Kaspersky Security Center is deployed in a cloud environment, you can use deployment scripts for
automating the deployment of security applications. The deployment scripts for the Amazon Web Services,
Microsoft Azure, and Google Cloud are available as ZIP files at the Kaspersky Support page.

You can deploy the latest versions of Kaspersky Endpoint Security for Linux and Kaspersky Security for Windows
Server by using deployment scripts only if you already have created installation packages and management plug-
ins for these programs. To deploy the latest versions of the security applications by using deployment scripts,
perform the following on the Administration Server in the cloud environment:

1. Run the Cloud Environment Configuration Wizard.

2. Follow the instructions provided at https://support.kaspersky.com/14713.

Deployment of Kaspersky Security Center in Yandex.Cloud


You can deploy Kaspersky Security Center in Yandex.Cloud. Only the pay-per-use mode is available; cloud
databases are not supported.

In Yandex.Cloud, the following deployment methods for the security applications are available:

By native means of Kaspersky Security Center, that is, via the Remote installation task (the deployment of the
security programs is only possible if Administration Server and the virtual machines to be protected are on the
same network segment)

Via deployment scripts

For deployment of Kaspersky Security Center in Yandex.Cloud, you must have a service account in Yandex.Cloud.
You must give this account the marketplace.meteringAgent permission and associate this account with the virtual
machine (please refer to https://cloud.yandex.com/en for details).

Appendices
This section provides reference information and additional facts regarding the use of Kaspersky Security Center.

Advanced features
This section describes a range of additional options of Kaspersky Security Center designed for expanding the
functionality of centralized management of applications on devices.

Kaspersky Security Center operation automation. klakaut utility


You can automate the Kaspersky Security Center operation using the klakaut utility. The klakaut utility and a Help
system for it are located in the Kaspersky Security Center installation folder.

Custom tools
Kaspersky Security Center allows you to create a list of custom tools (hereinafter also referred to simply as
tools), that is, applications activated for a client device in Administration Console, through the Custom tools group
of the context menu. Each tool in the list will be associated with a separate menu command, which Administration
Console uses to start the application corresponding to that tool.

The application starts on the administrator's workstation. The application can accept the attributes of a remote
client device as command-line arguments (NetBIOS name, DNS name, or IP address). Connection to the remote
device can be established through tunneling.

By default, the list of custom tools contains the following service programs for each client device:

Remote diagnostics is a utility for remote diagnostics of Kaspersky Security Center.

Remote Desktop is a standard Microsoft Windows component named Remote Desktop Connection.

Computer Management is a standard Microsoft Windows component.

To add or remove custom tools, or to edit their settings,

In the context menu of the client device, select Custom tools → Configure custom tools.

The Custom tools window opens. In this window, you can add custom tools or edit their settings by using the Add
and Modify buttons. To remove a custom tool, click the remove button (the red cross icon).

Network Agent disk cloning mode


Cloning the hard drive of a reference device is a popular method of software installation on new devices. If
Network Agent is running in standard mode on the hard drive of the reference device, the following problem arises:

After the reference disk image with Network Agent is deployed on new devices, they are displayed in
Administration Console under a single icon. This problem arises because the cloning procedure causes new
devices to keep identical internal data, which allows the Administration Server to associate a device with an icon in
Administration Console.

The special Network Agent disk cloning mode allows you to avoid problems with an incorrect display of new
devices in Administration Console after cloning. Use this mode when you deploy software (with Network Agent) on
new devices by cloning the disk.

In disk cloning mode, Network Agent keeps running but does not connect to the Administration Server. When
exiting the cloning mode, Network Agent deletes the internal data that would otherwise cause Administration
Server to associate multiple devices with a single icon in Administration Console. Upon completing the cloning of
the reference device image, new devices are displayed in Administration Console properly (under individual icons).

Network Agent disk cloning mode use scenario

1. The administrator installs Network Agent on the reference device.

2. The administrator checks the Network Agent connection to the Administration Server using the klnagchk utility.

3. The administrator enables the Network Agent disk cloning mode.

4. The administrator installs software and patches on the device, and restarts it as many times as needed.

5. The administrator clones the hard drive of the reference device on any number of devices.

6. Each cloned copy must meet the following conditions:

a. The device name must be changed.

b. The device must be restarted.

c. The disk cloning mode must be disabled.

Enabling and disabling the disk cloning mode using the klmover utility

To enable or disable the Network Agent disk cloning mode:

1. Run the klmover utility on the device with Network Agent installed that you have to clone.
The klmover utility is located in the Network Agent installation folder.

2. To enable the disk cloning mode, enter the following command at the Windows command prompt:
klmover -cloningmode 1.
Network Agent switches to disk cloning mode.

3. To request the current status of the disk cloning mode, enter the following command at the command prompt:
klmover -cloningmode.
The utility window shows whether the disk cloning mode is enabled or disabled.

4. To disable the disk cloning mode, enter the following command in the utility command line:
klmover -cloningmode 0.

Preparing a reference device with Network Agent installed for creating an image of operating system


You may want to create an operating system image of a reference device with Network Agent installed and then to
deploy the image on the networked devices. In this case, you create an operating system image of a reference
device on which the Network Agent has not yet been started. If you start the Network Agent on a reference
device before creating an operating system image, Administration Server's identification of devices deployed from
an operating system image of the reference device will be problematic.

To prepare the reference device for creating an image of the operating system:

1. Make sure that the Windows operating system is installed on the reference device and install the other
software that you need on that device.

2. On the reference device, in the Windows Network Connections settings, disconnect the reference device from
the network where Kaspersky Security Center is installed.

3. On the reference device, start the local installation of Network Agent by using the setup.exe file.
The Kaspersky Security Center Network Agent Setup Wizard starts. Follow the instructions of the Wizard.

4. On the Administration Server page of the Wizard, specify the Administration Server IP address.
If you do not know the exact address of the Administration Server, enter localhost. You can change the IP
address later by using the klmover utility with the -address key.

5. On the Start application page of the Wizard, disable the Start application during installation option.

6. When the Network Agent installation is complete, do not restart the device before creating an operating
system image.
If you restart the device, you will have to repeat the whole process of preparing a reference device for creation
of an operating system image.

7. On the reference device, in the command line, start the sysprep utility and execute the following command:
sysprep.exe /generalize /oobe /shutdown.

The reference device is ready for creating an operating system image.

Configuring receipt of messages from File Integrity Monitor


Managed applications such as Kaspersky Security for Windows Server or Kaspersky Security for Virtualization
Light Agent send messages from File Integrity Monitor to Kaspersky Security Center. Kaspersky Security Center
also allows you to monitor any changes to critically important components of systems (such as web servers and
ATMs) and promptly respond to breaches of the integrity of such systems. For these purposes, you can receive
messages from the File Integrity Monitor component. The File Integrity Monitor component lets you monitor not
only the file system of a device, but also its registry hives, firewall status, and the status of connected hardware.

You must configure Kaspersky Security Center to receive messages from the File Integrity Monitor component
without using Kaspersky Security for Windows Server or Kaspersky Security for Virtualization Light Agent.

To configure receipt of messages from File Integrity Monitor:

1. Open the system registry of the device on which Administration Server is installed (for example, locally, using
the regedit command in the Start → Run menu).

2. Go to the following hive:

For 32-bit systems:


HKEY_LOCAL_MACHINE\SOFTWARE\KasperskyLab\Components\34\1093\1.0.0.0\ServerFlags

For 64-bit systems:


HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\KasperskyLab\Components\34\1093\1.0.0.0\ServerF

3. Create keys:

Create the key KLSRV_EVP_FIM_PERIOD_SEC to specify the time period for counting the number of
processed events. Specify the following settings:

a. Specify KLSRV_EVP_FIM_PERIOD_SEC as the key name.

b. Specify DWORD as the key type.

c. Specify a range of values for the time interval from 43 200 to 172 800 seconds. By default, the time
interval is 86 400 seconds.

Create the key KLSRV_EVP_FIM_LIMIT to limit the number of received events for the specified time
interval. Specify the following settings:

a. Specify KLSRV_EVP_FIM_LIMIT as the key name.

b. Specify DWORD as the key type.

c. Specify a range of values for received events from 2 000 to 50 000. The default number of events is
20 000.

Create the key KLSRV_EVP_FIM_PERIOD_ACCURACY_SEC to count events with accuracy up to a specific
time interval. Specify the following settings:

a. Specify KLSRV_EVP_FIM_PERIOD_ACCURACY_SEC as the key name.

b. Specify DWORD as the key type.

c. Specify a range of values from 120 to 600 seconds. The default time interval is 300 seconds.

Create the key KLSRV_EVP_FIM_OVERFLOW_LATENCY_SEC so that, after the specified amount of time,
the application checks whether the number of events processed over the time interval has fallen below
the specified limit. This check is performed upon reaching the limit for receiving events. If this
condition is met, the application resumes saving events to the database. Specify the following settings:

a. Specify KLSRV_EVP_FIM_OVERFLOW_LATENCY_SEC as the key name.

b. Specify DWORD as the key type.

c. Specify a range of values from 600 to 3 600 seconds. The default time interval is 1 800 seconds.

If the keys are not created, the default values are used.

4. Restart the Administration Server service.

The limits on receiving events from the File Integrity Monitor component will be configured. You can view the
results of the File Integrity Monitor component in the reports named Top 10 rules of File Integrity Monitor /
System Integrity Monitoring that were triggered on devices most frequently and Top 10 devices with File
Integrity Monitor / System Integrity Monitoring rules most frequently triggered.
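The registry procedure above, as an added PowerShell example that is not part of the Kaspersky documentation: it writes the four DWORD values with the documented defaults, refuses any value outside the documented range before touching the registry, and by default uses the 32-bit hive path quoted in step 2 (the 64-bit path from step 2 can be passed with -HivePath). The parameter names, the range check, and the Administration Server service name used by -RestartService are assumptions, not taken from the manual.

```powershell
# Added example (not from the Kaspersky documentation): set the File Integrity Monitor
# event-rate limits of Administration Server as DWORD values under the ServerFlags key,
# validating each value against the range given in the manual before writing anything.
# Run in an elevated session on the Administration Server device.
param(
    # Path quoted in the manual for 32-bit systems; pass the Wow6432Node path from the manual on 64-bit.
    [string]$HivePath = 'HKLM:\SOFTWARE\KasperskyLab\Components\34\1093\1.0.0.0\ServerFlags',
    [int]$PeriodSec          = 86400,   # KLSRV_EVP_FIM_PERIOD_SEC, documented default
    [int]$Limit              = 20000,   # KLSRV_EVP_FIM_LIMIT, documented default
    [int]$AccuracySec        = 300,     # KLSRV_EVP_FIM_PERIOD_ACCURACY_SEC, documented default
    [int]$OverflowLatencySec = 1800,    # KLSRV_EVP_FIM_OVERFLOW_LATENCY_SEC, documented default
    [switch]$RestartService,
    # Assumed service name of Administration Server; verify with Get-Service before relying on it.
    [string]$ServiceName = 'kladminserver'
)

# Value name, requested value, and the documented minimum and maximum (manual, step 3).
$settings = @(
    @{ Name = 'KLSRV_EVP_FIM_PERIOD_SEC';           Value = $PeriodSec;          Min = 43200; Max = 172800 }
    @{ Name = 'KLSRV_EVP_FIM_LIMIT';                Value = $Limit;              Min = 2000;  Max = 50000 }
    @{ Name = 'KLSRV_EVP_FIM_PERIOD_ACCURACY_SEC';  Value = $AccuracySec;        Min = 120;   Max = 600 }
    @{ Name = 'KLSRV_EVP_FIM_OVERFLOW_LATENCY_SEC'; Value = $OverflowLatencySec; Min = 600;   Max = 3600 }
)

# Validate everything first so a typo cannot leave the hive half-configured.
foreach ($s in $settings) {
    if ($s.Value -lt $s.Min -or $s.Value -gt $s.Max) {
        throw "$($s.Name)=$($s.Value) is outside the documented range $($s.Min)..$($s.Max)"
    }
}

# The ServerFlags key may not exist yet on a fresh installation.
if (-not (Test-Path -Path $HivePath)) {
    New-Item -Path $HivePath -Force | Out-Null
}

foreach ($s in $settings) {
    # -PropertyType DWord matches the documented type; -Force overwrites an existing value.
    New-ItemProperty -Path $HivePath -Name $s.Name -Value $s.Value -PropertyType DWord -Force | Out-Null
}

# Echo the values now stored, so the change can be recorded in the change log.
Get-ItemProperty -Path $HivePath | Select-Object -Property $settings.Name

# Step 4 of the manual: the new limits take effect only after the Administration Server service restarts.
if ($RestartService) {
    Restart-Service -Name $ServiceName
}
```

Running the script with no parameters writes the documented defaults; `-PeriodSec 43199` is rejected before any registry write, and `-RestartService` performs step 4 of the procedure once the values are in place.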

Administration Server maintenance
The Administration Server maintenance allows you to reduce the database volume, and improve the performance
and operation reliability of the application. We recommend that you maintain the Administration Server at least
every week.

The Administration Server maintenance is performed using the dedicated task. The application performs the
following actions when maintaining the Administration Server:

Checks the database for errors.

Re-organizes database indexes.

Updates the database statistics.

Shrinks the database (if necessary).

The Administration Server maintenance task supports MariaDB versions 10.3 and later. If you use MariaDB
versions 10.2 or earlier, administrators have to maintain this DBMS on their own.

To create the Administration Server maintenance task:

1. In the console tree, select the node of the Administration Server for which you want to create the
Administration Server maintenance task.

2. Select the Tasks folder.

3. Click the New task button in the workspace of the Tasks folder.
The Add Task Wizard starts.

4. In the Select the task type window of the Wizard, select Administration Server maintenance as the task type
and click Next.

5. If you have to shrink the Administration Server database during maintenance, in the Settings window of the
Wizard, select the Shrink database check box.

6. Follow the rest of the Wizard instructions.

The newly created task is displayed in the list of tasks in the workspace of the Tasks folder. Only one
Administration Server maintenance task can be running for a single Administration Server. If an Administration
Server maintenance task has already been created for an Administration Server, no new Administration Server
maintenance task can be created.

User notification method window


In the User notification method window, you can configure the user notification about certificate installation on
the mobile device:

Show link in Wizard. If you select this option, a link to the installation package will be shown at the final step of
the New Device Connection Wizard.

Send link to user. If you select this option, you can specify the settings for notifying the user about connection
of a device.

In the By email group of settings, you can configure user notification about installation of a new certificate on his
or her mobile device using email messages. This notification method is only available if the SMTP Server is enabled.

In the By SMS group of settings, you can configure the user notification about installation of a certificate on his or
her mobile device by using SMS. This notification method is only available if SMS notification is enabled.

Click the Edit message link in the By email and By SMS groups of settings to view and edit the notification
message, if necessary.

General section
In this section, you can adjust the general pro le settings for Exchange ActiveSync mobile devices:

Name

Profile name.

Allow non-provisionable devices

If this option is enabled, devices that cannot access all the Exchange ActiveSync policy settings are
allowed to connect to Mobile Device Server. By using the connection, you can manage Exchange
ActiveSync mobile devices. For example, you can set passwords, configure sending emails, or view
information about the devices, such as the device ID or the policy status.
If this option is disabled, you cannot connect to the Mobile Device Server and manage Exchange
ActiveSync mobile devices.
By default, this option is enabled. You can disable this option if you are not going to manage Exchange
ActiveSync mobile devices and receive information about them.

Updating frequency (hours)

If this option is enabled, the application refreshes information about the Exchange ActiveSync policy with
the frequency specified in the entry field.
If the option is disabled, information about the Exchange ActiveSync policy is not refreshed.
By default, this option is enabled, and the refreshing interval is one hour.

Device selection window


Choose a selection from the Device selection list. The list contains the default selections and the selections
created by the user.

You can view the details of device selections in the workspace of the Device selections section.

Define the name of the new object window
In the window, specify the name of the newly created object. A name cannot be more than 100 characters long and
cannot include any special characters ("*<>?\:|).

Application categories section


In this section, you can configure the distribution of information about application categories on client devices.

Full data transmission (for Network Agents Service Pack 2 and earlier)

If this option is selected, all data from an application category will be transmitted to client devices after that
category is modified. This data transmission option is used with Network Agent Service Pack 2 and earlier
versions.

Transmission of modified data only (for Network Agents Service Pack 2 and later)

If this option is selected, when an application category is modified, only modified data will be transmitted to
client devices, not all data from that category. This data transmission option is used with Network Agent
Service Pack 2 and later versions.

Features of using the management interface


This section describes actions that you can perform in the main window of Kaspersky Security Center.

Console tree
The console tree (see the figure below) is designed to display the hierarchy of Administration Servers on the
corporate network, the structure of their administration groups, and other objects of the application, such as the
Repositories or Application management folders. The name space of Kaspersky Security Center can contain
several nodes including the names of servers corresponding to the installed Administration Servers included in the
hierarchy.

Console tree

Administration Server node

The Administration Server – <Device name> node is a container that shows the structural organization of the
selected Administration Server.

The workspace of the Administration Server node contains summary information about the current status of the
application and devices managed through the Administration Server. Information in the workspace is distributed
between various tabs:

Monitoring. Displays information about the application operation and the current status of client devices in
real-time mode. Important messages for the administrator (such as messages on vulnerabilities, errors, or
viruses detected) are highlighted in a specific color. You can use links on the Monitoring tab to perform the
standard administrator tasks (for example, install and configure the security application on client devices), as
well as to go to other folders in the console tree.

Statistics. Contains a set of charts grouped by topics (protection status, Anti-Virus statistics, updates, etc.).
These charts visualize current information about the application operation and the status of client devices.

Reports. Contains templates for reports generated by the application. On this tab, you can create reports
using preset templates, as well as create custom report templates.

Events window. Contains records on events that have been registered during the application operation. Those
records are distributed between topics for ease of reading and filtering. On this tab, you can view selections of
events that have been generated automatically, as well as create custom selections.

Folders in the Administration Server node

The Administration Server – <Device name> node includes the following folders:

Managed devices. This folder is intended for storage, display, configuration, and modification of the structure
of administration groups, group policies, and group tasks.

Mobile Device Management. This folder is intended for managing mobile devices. The Mobile Device
Management folder contains the following subfolders:

Mobile Device Servers. Intended for managing iOS MDM Servers and Microsoft Exchange Mobile Devices
Servers.

Mobile Devices. It is intended for managing mobile devices, KES, Exchange ActiveSync, and iOS MDM.

Certificates. It is intended for managing certificates of mobile devices.

Device selections. This folder is intended for quick selection of devices that meet specified criteria (a device
selection) among all managed devices. For example, you can quickly select devices on which no security
application is installed, and proceed to these devices (view the list). You can perform specific actions on these
selected devices, for example, assign them some tasks. You can use preset selections or create your own
custom selections.

Unassigned devices. This folder contains a list of devices that have not been included in any of the
administration groups. You can perform some actions on unassigned devices, for example, move them into
administration groups or install applications on them.

Policies. This folder is intended for viewing and creating policies.

Tasks. This folder is intended for viewing and creating tasks.

Kaspersky Licenses. Contains a list of license keys available for Kaspersky applications. In the workspace of
this folder, you can add new license keys to the license key repository, deploy license keys to managed devices,
and view the license key usage report.

Advanced. This folder contains a set of subfolders that correspond to various groups of application features.

Advanced folder. Moving folders in the console tree

The Advanced folder includes the following subfolders:

User accounts. Contains a list of network user accounts.

Application management. Intended for managing applications installed on devices on the network. The
Application management folder contains the following subfolders:

Application categories. Intended for managing custom application categories.

Applications registry. Contains a list of applications on devices with Network Agent installed.

Executable files. Contains the list of executable files stored on client devices with Network Agent installed.

Software vulnerabilities. Contains a list of vulnerabilities in applications on devices with Network Agent
installed.

Software updates. Contains a list of application updates received by Administration Server that can be
distributed on devices.

Third-party licenses usage. Contains a list of licensed applications groups. You can use licensed
applications groups to monitor the usage of licenses for third-party software (non-Kaspersky applications)
and possible violations of licensing restrictions.

Remote installation. This folder is intended for managing remote installation of operating systems and
applications. The Remote installation folder contains the following subfolders:

Deploy device images. Intended for deploying images of operating systems on devices.

Installation packages. Contains a list of installation packages that can be used for remote installation of
applications on devices.

Data encryption and protection. This folder is intended for managing the process of data encryption on hard
drives and removable drives.

Network poll. This folder displays the network in which Administration Server is installed. Administration Server
receives information about the structure of the network and its devices, through regular polls of the Windows
network, IP subnets, and Active Directory® on the corporate network. Poll results are displayed in the
workspaces of the corresponding folders: Domains, IP ranges, and Active Directory.

Repositories. This folder is intended for operations with objects used to monitor the status of devices and
perform maintenance. The Repositories folder contains the following subfolders:

Adaptive anomaly detection. Contains a list of detects performed by the Kaspersky Endpoint Security
rules working in the SMART Training mode on client devices.

Kaspersky software updates and patches. Contains a list of updates received by Administration Server
that can be distributed to devices.

Hardware. Contains a list of hardware connected to the organization's network.

Quarantine. Contains a list of objects moved to Quarantine by anti-virus applications on devices.

Backup. Contains a list of backup copies of les that were deleted or modi ed during disinfection on
devices.

Unprocessed les. Contains a list of les assigned for later scanning by anti-virus applications.

You can change the set of subfolders included in the Advanced folder. Frequently used subfolders can be moved
up one level from the Advanced folder. Subfolders that are used rarely can be moved to the Advanced folder.

To move a subfolder out of the Advanced folder:

1. In the console tree, select the subfolder that you want to move out of the Advanced folder.

2. In the context menu of the subfolder, select View → Move from Advanced folder.

You can also move a subfolder out of the Advanced folder in the workspace of the Advanced folder by
clicking the Move from Advanced folder link in the section with the name of that subfolder.

To move a subfolder to the Advanced folder:

1. In the console tree, select the subfolder that you need to move to the Advanced folder.

2. In the context menu of the subfolder, select View → Move to Advanced folder.

How to update data in the workspace

In Kaspersky Security Center, the workspace data (such as device statuses, statistics, and reports) are never
updated automatically.

To update data in the workspace:

Press the F5 key.

In the context menu of the object in the console tree, select Refresh.

Click the refresh icon in the workspace.

How to navigate the console tree


To navigate the console tree, you can use the following toolbar buttons:

One step back.

One step forward.

One level up.

You can also use a navigation chain located in the upper-right corner of the workspace. The navigation chain
contains the full path to the folder of the console tree in which you are currently located. All elements of the chain,
except for the last one, are links to the objects in the console tree.

How to open the object properties window in the workspace


You can change the properties of most Administration Console objects in the object properties window.

To open the properties window of an object located in the workspace:

From the context menu of the object, select Properties.

Select an object and press ALT+ENTER.

How to select a group of objects in the workspace


You can select a group of objects in the workspace. You can select a group of objects, for example, to create a set
of devices for which you may create tasks later.
To select a range of objects:

1. Select the first object in the range and press Shift.

2. Hold down the Shift key and select the last object in the range.

The range will be selected.

To group separate objects:

1. Select the first object in the group and press Ctrl.

2. Hold down the Ctrl key and select other objects that you want to include in the group.

The objects will be grouped.

How to change the set of columns in the workspace


Administration Console allows you to change a set of columns displayed in the workspace.

To change a set of columns displayed in the workspace:

1. In the console tree, click the object for which you wish to change the set of columns.

2. In the workspace of the folder, open the window intended for configuration of the set of columns by clicking
the Add/Remove columns link.

3. In the Add/Remove columns window, specify the set of columns to be displayed.

Reference information
Tables of this section provide summary information about the context menu of Administration Console objects, as
well as about the statuses of console tree objects and workspace objects.

Context menu commands


This section lists Administration Console objects and corresponding context menu items (see table below).

Items of the context menu of Administration Console objects (object, menu item, menu item purpose)

General items of context menu:
  Search: Opens the devices search window.
  Refresh: Refreshes the display of the selected object.
  Export list: Exports the current list to a file.
  Properties: Opens the properties window of the selected object.
  View → Add/Remove columns: Adds or removes columns to/from the table of objects in the workspace.
  View → Large icons: Shows objects in the workspace as large icons.
  View → Small icons: Shows objects in the workspace as small icons.
  View → List: Shows objects in the workspace as a list.
  View → Table: Shows objects in the workspace as a table.
  View → Configure: Configures the display of Administration Console elements.

Kaspersky Security Center:
  New → Administration Server: Adds an Administration Server to the console tree.

<Administration Server name>:
  Connect to Administration Server: Connects to the Administration Server.
  Disconnect from Administration Server: Disconnects from the Administration Server.
  Install application: Starts the Application Remote Installation Wizard.
  View → Configure interface: Configures the display of interface elements.
  Remove: Removes the Administration Server from the console tree.

Managed devices:
  Install application: Starts the Remote Installation Wizard for the administration group.
  Reset Virus Counter: Resets the virus counters for devices included in the administration group.
  View report on threats: Creates a report on threats and virus activity on devices included in the administration group.
  New → Group: Creates an administration group.
  All Tasks → New group structure: Creates a structure of administration groups based on the structure of domains or Active Directory.
  All Tasks → Show Message: Starts the New Message for User Wizard intended for the users of devices included in the administration group.

Managed devices → Administration Servers:
  New → Secondary Administration Server: Starts the Add Secondary Administration Server Wizard.
  New → Virtual Administration Server: Starts the New Virtual Administration Server Wizard.

Mobile Device Management → Mobile devices:
  New → Mobile device: Connects a new mobile device of the user.

Mobile Device Management → Certificates:
  New → Certificate: Creates a certificate.
  Create → Mobile device: Connects a new mobile device of the user.

Device selections:
  New → New selection: Creates a device selection.
  All Tasks → Import: Imports a selection from a file.

Kaspersky Licenses:
  Add activation code or key file: Adds a license key to the Administration Server repository.
  Activate Application: Starts the Application Activation Task Creation Wizard.
  Report on usage of license keys: Creates and shows a report on license keys on client devices.

Application management → Application categories:
  New → Category: Creates an application category.

Application management → Applications registry:
  Filter: Sets up a filter for the list of applications.
  Monitored Applications: Configures the publishing of events related to installation of applications.
  Remove applications that are not installed: Clears the list of all details of applications that are no longer installed on networked devices.

Application management → Software updates:
  Accept License Agreements for updates: Accepts the License Agreements of software updates.

Application management → Third-party licenses usage:
  New → Licensed applications group: Creates a licensed applications group.

Remote installation → Installation packages:
  Show current application versions: Shows the list of up-to-date versions of Kaspersky applications available on web servers.
  New → Installation package: Creates an installation package.
  All Tasks → Update databases: Updates application databases in installation packages.
  All Tasks → Show the general list of stand-alone packages: Shows the list of stand-alone packages created for installation packages.

Device discovery → Domains:
  All Tasks → Device Activity: Sets up the Administration Server's response to inactivity of networked devices.

Device discovery → IP ranges:
  New → IP range: Creates an IP range.

Repositories → Updates for Kaspersky databases and software modules:
  Download updates: Opens the properties window of the Download updates to the repository task of the Administration Server.
  Updates Download Settings: Configures the Download updates to the repository task of the Administration Server.
  Report on usage of anti-virus databases: Creates and shows a report on versions of databases.
  All Tasks → Clear updates repository: Clears the repository of updates on the Administration Server.

Repositories → Hardware:
  New → Device: Creates a new device.

List of managed devices. Description of columns
The following table displays the names and respective descriptions of columns in the list of managed devices.

Descriptions of columns in the list of managed devices (column name, value)

Name: NetBIOS name of the client device. The descriptions of the icons of device names are given in the appendix.

Operating system type: Type of operating system installed on the client device.

Windows domain: Name of the Windows domain in which the client device is located.

Network Agent is installed: Result of Network Agent installation on the client device (Yes, No, Unknown).

Network Agent is running: The result of Network Agent operation (Yes, No, Unknown).

Real-time protection: Security application is installed (Yes, No, Unknown).

Last connected to Administration Server: Time period that has elapsed since the client device was connected to the Administration Server.

Protection last updated: The time period that has elapsed since the last update of managed devices.

Status: Current status of the client device (OK, Critical, or Warning).

Status description: Reasons for change of the client device status to Critical or Warning.
  The device status changes to Warning or Critical for the following reasons:
    Security application is not installed.
    Too many viruses detected.
    Real-time protection level differs from the level set by the Administrator.
    Virus scan has not been performed in a long time.
    Databases are outdated.
    Not connected in a long time.
    Active threats are detected.
    Restart is required.
    Incompatible applications are installed.
    Software vulnerabilities have been detected.
    Check for Windows Update updates has not been performed in a long time.
    Invalid encryption status.
    Mobile device settings do not comply with the policy.
    Unprocessed incidents detected.
    Device status defined by application.
    Device is out of disk space.
    License expires soon.
  The device status only changes to Critical for the following reasons:
    License expired.
    Device has become unmanaged.
    Protection is disabled.
    Security application is not running.
  Managed Kaspersky applications on client devices can add status descriptions to the list.
  Kaspersky Security Center can receive the description of a client device status from managed Kaspersky
  applications installed on that device. If the status that has been assigned to the device by a managed
  application is other than that assigned by Kaspersky Security Center, Administration Console displays the
  status that is the most critical to the device security. For example, if a managed application has assigned
  the Critical status to the device while Kaspersky Security Center has assigned it the Warning status,
  Administration Console displays the Critical status for that device with the corresponding description
  provided by the managed application.

Information last updated: Time period that has elapsed since the client device was last synchronized successfully with the Administration Server (that is, since the last network scan).

DNS name: DNS domain name of the client device.

DNS domain: The main DNS suffix.

IP address: IP address of the client device. It is recommended to use the IPv4 address.

Last visible: Time period during which the client device has remained visible on the network.

Last full scan: Date and time of the last scan of the client device performed by the security application upon the user's request.

Total number of threats detected: Number of threats found.

Real-time protection status: Real-time protection status (Starting, Running, Running (maximum protection), Running (maximum speed), Running (recommended settings), Running (custom settings), Stopped, Paused, Failed).

Connection IP address: The IP address that is used for connection to Kaspersky Security Center Administration Server.

Network Agent version: Version of Network Agent.

Application version: Version of the security application installed on the client device.

Anti-virus databases last updated: The version of the anti-virus databases.

System last started: Date and time when the client device was last turned on.

Restart is required: Restart of the client device is required.

Distribution point: Name of the device that acts as distribution point for this client device.

Description: Description of the client device received after a network scan.

Encryption status: Data encryption status of the client device.

WUA status: Status of Windows Update Agent on the client device.
  Yes corresponds to client devices that receive updates through Windows Update from the Administration Server.
  No corresponds to client devices that receive updates through Windows Update from other sources.

Operating system bit size: Bit size of the operating system installed on the client device.

Spam protection status: Status of Spam protection component (Running, Starting, Stopped, Paused, Failed, No data from device).

Data Leakage Prevention status: Status of Data Leakage Prevention component (Running, Starting, Stopped, Paused, Failed, No data from device).

Collaboration servers protection status: Status of Content Filtering component (Running, Starting, Stopped, Paused, Failed, No data from device).

Anti-virus protection status of mail servers: Status of Mail Server anti-virus protection component (Running, Starting, Stopped, Paused, Failed, No data from device).

Endpoint Sensor status: Status of Endpoint Sensor component (Running, Starting, Stopped, Paused, Failed, No data from device).

Created: Time when the <Device Name> icon was created. This attribute is used to compare various events with each other.

Name of virtual or secondary Administration Server: Name of virtual or secondary Administration Server. This column is only available in lists that contain devices from different Administration Servers.

Parent group: Name of the administration group where the <Device Name> icon is located. This column is only available in lists that contain devices from different Administration Servers.

Managed by a different Administration Server: The parameter can take one of these values:
  True, if during remote installation of security applications on the device, it turns out that the device is managed by a different Administration Server.
  False, otherwise.

Operating system build: The build number of the operating system. You can specify whether the selected operating system must have an equal, earlier, or later build number. You can also configure searching for all build numbers except the specified one.

Operating system release ID: The release identifier (ID) of the operating system. You can specify whether the selected operating system must have an equal, earlier, or later release ID. You can also configure searching for all release ID numbers except the specified one.

Statuses of devices, tasks, and policies


The table below contains a list of icons displayed in the console tree and in the Administration Console workspace,
next to the names of devices, tasks, and policies. Those icons define the statuses of objects.

Statuses of devices, tasks, and policies

Icon Status

Device with an operating system for workstations detected in the system but not yet included in any
of the administration groups.

Device with an operating system for workstations included in an administration group, with the OK
status.

Device with an operating system for workstations included in an administration group, with the
Warning status.

Device with an operating system for workstations included in an administration group, with the
Critical status.

Device with an operating system for workstations included in an administration group, which has lost
connection with the Administration Server.

Device with an operating system for servers detected in the system but not yet included in any of
the administration groups.

Device with an operating system for servers included in an administration group, with the OK status.

Device with an operating system for servers included in an administration group, with the Warning
status.

Device with an operating system for servers included in an administration group, with the Critical
status.

Device with an operating system for servers included in an administration group, which has lost
connection with the Administration Server.

Mobile device detected on the network and included in none of the administration groups.

Mobile device included in an administration group, with the OK status.

Mobile device included in an administration group, with the Warning status.

Mobile device included in an administration group, with the Critical status.

Mobile device included in an administration group, having lost its connection with the Administration
Server.

UEFI protection device detected on the network but not included in any administration group. UEFI
protection device is on the network.

UEFI protection device detected on the network but not included in any administration group. UEFI
protection device is not on the network.

UEFI protection device included in an administration group, with OK status. UEFI protection device is
on the network.

UEFI protection device included in an administration group, with OK status. UEFI protection device is
not on the network.

UEFI protection device included in an administration group, with Warning status. UEFI protection
device is on the network.

UEFI protection device included in an administration group, with Warning status. UEFI protection
device is not on the network.

UEFI protection device included in an administration group, with Critical status. UEFI protection
device is on the network.

UEFI protection device included in an administration group, with Critical status. UEFI protection
device is not on the network.

Active policy.

Inactive policy.

Active policy inherited from a group that was created on the primary Administration Server.

Active policy inherited from a top-level group.

Task (group task, Administration Server task, or task for specific devices) with the Scheduled or
Completed successfully status.

Task (group task, Administration Server task, or task for specific devices) with the Running status.

Task (group task, Administration Server task, or task for specific devices) with the Failed status.

Task inherited from a group that was created on the primary Administration Server.

Task inherited from a top-level group.

File status icons in Administration Console


For ease of file management in Kaspersky Security Center Administration Console, icons are displayed next to the
names of files (see table below). Icons indicate statuses assigned to files by managed Kaspersky applications on
client devices. Icons are shown in the workspaces of the Quarantine, Backup, and Active threats folders.

Statuses are assigned to objects by Kaspersky Endpoint Security installed on the client device on which the object
is located.

Correspondence between icons and file statuses

Icon Status

File with the Infected status.

File with the Warning or Probably infected status.

File with the Added by user status.

File with the False positive status.

File with the Disinfected status.

File with the Deleted status.

File in the Quarantine folder with the Not infected, Password-protected or Must be sent to
Kaspersky status. If there is no status description next to an icon, this means that the managed
Kaspersky application on the client device has reported an unknown status to Kaspersky Security
Center.

File in the Backup folder with the Not infected, Password-protected or Must be sent to Kaspersky
status. If there is no status description next to an icon, this means that the managed Kaspersky
application on the client device has reported an unknown status to Kaspersky Security Center.

File in the Active threats folder with Not infected, Password-protected or Must be sent to
Kaspersky status. If there is no status description next to an icon, this means that the managed
Kaspersky application on the client device has reported an unknown status to Kaspersky Security
Center.

Searching and exporting data


This section contains information about data search methods and about exporting data.

Finding devices
Kaspersky Security Center allows you to find devices on the basis of specified criteria. Search results can be saved
to a text file.

The search feature allows you to find the following devices:

Client devices in administration groups of an Administration Server and its secondary Servers.

Unassigned devices managed by an Administration Server and its secondary Servers.

To find client devices included in an administration group:

1. In the console tree, select an administration group folder.

2. Select Search from the context menu of the administration group folder.

3. On the tabs of the Search window, specify the criteria for the search of devices, and click the Find now button.

Devices that meet the specified search criteria are now displayed in a table in the lower part of the Search
window.

To find unassigned devices:

1. In the console tree, select the Unassigned devices folder.

2. Select Search from the context menu of the Unassigned devices folder.

3. On the tabs of the Search window, specify the criteria for the search of devices, and click the Find now button.

Devices that meet the specified search criteria are now displayed in a table in the lower part of the Search
window.

To find devices regardless of whether they are included in an administration group:

1. In the console tree, select the Administration Server node.

2. In the context menu of the node, select Search.

3. On the tabs of the Search window, specify the criteria for the search of devices, and click the Find now button.

Devices that meet the specified search criteria are now displayed in a table in the lower part of the Search
window.

In the Search window you can also search for administration groups and secondary Administration Servers
using a drop-down list in the top right corner of the window. Search functionality for administration groups
and secondary Administration Servers is not available if you opened the Search window from the Unassigned
devices folder.

To find devices, you can use regular expressions in the fields of the Search window.

Full text search in the Search window is available:

On the Network tab, in the Description field

On the Hardware tab, in the Device, Vendor, and Description fields

Device search settings


Below are descriptions of the settings used for searching managed devices. Search results are displayed in the
lower part of the window.

Network

On the Network tab, you can specify the criteria that will be used to search for devices according to their network
data:

Device name or IP address

Windows network name (NetBIOS name) of the device, or the IPv4 or IPv6 address.

Windows domain

Displays all devices included in the specified Windows domain.

Administration group

Displays devices included in the specified administration group.

Description

Text in the device properties window: In the Description field of the General section.
To describe text in the Description field, you can use the following characters:
Within a word:

*. Replaces any string with any number of characters.

Example:
To describe words such as Server or Server's, you can enter Server*.

?. Replaces any single character.

Example:
To describe words such as Window or Windows, you can enter Windo?.
Asterisk (*) or question mark (?) cannot be used as the first character in the query.

To find several words:

Space. Displays all the devices whose descriptions contain any of the listed words.

Example:
To find a phrase that contains the word Secondary or the word Virtual, you can include the line Secondary Virtual in
your query.

+. When a plus sign precedes a word, all search results will contain this word.

Example:
To find a phrase that contains both Secondary and Virtual, enter the +Secondary+Virtual query.

-. When a minus sign precedes a word, no search results will contain this word.

Example:
To find a phrase that contains Secondary and does not contain Virtual, enter the +Secondary-Virtual query.

"<some text>". Text enclosed in quotation marks must be present in the text.

Example:
To find a phrase that contains the word combination Secondary Server, you can enter "Secondary
Server" in the query.
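The query rules above can be exercised offline with the following Python matcher, an added example that is not part of Kaspersky Security Center or its documentation. Every name in it (parse_query, find_devices, SAMPLE_DEVICES) is constructed for illustration; it assumes case-insensitive substring matching for wildcard words, because the documentation's own example says Windo? also finds Windows, and that a + or - written directly after a word starts a new term, as in +Secondary-Virtual.

```python
"""Matcher for the Description field query syntax of the Search window.

Added illustration, not part of Kaspersky Security Center or its documentation.
Assumptions: wildcard words are searched as substrings (the documentation's
own example says Windo? also finds Windows), matching is case-insensitive,
and a + or - directly after a word starts a new term (as in +Secondary-Virtual).
"""
import re
from dataclasses import dataclass, field
from typing import Dict, List

# One term: a "quoted phrase", or an optional +/- sign followed by a word.
_TOKEN = re.compile(r'"([^"]*)"|([+-])?([^\s"+-]+)')


@dataclass
class DescriptionQuery:
    required: List[str] = field(default_factory=list)  # +word: must be present
    excluded: List[str] = field(default_factory=list)  # -word: must be absent
    phrases: List[str] = field(default_factory=list)   # "text": must be present
    optional: List[str] = field(default_factory=list)  # plain words: any one suffices


def _word_pattern(term: str) -> "re.Pattern[str]":
    """Translate a search word into a regex: * is any run of non-space
    characters, ? is exactly one non-space character, the rest is literal."""
    parts = []
    for ch in term:
        if ch == "*":
            parts.append(r"\S*")
        elif ch == "?":
            parts.append(r"\S")
        else:
            parts.append(re.escape(ch))
    return re.compile("".join(parts), re.IGNORECASE)


def parse_query(query: str) -> DescriptionQuery:
    """Split the query into required, excluded, quoted and optional terms.
    Rejects queries whose first character is * or ?, as the documentation requires."""
    query = query.strip()
    if query[:1] in ("*", "?"):
        raise ValueError("asterisk or question mark cannot be the first character")
    parsed = DescriptionQuery()
    for m in _TOKEN.finditer(query):
        phrase, sign, word = m.group(1), m.group(2), m.group(3)
        if phrase is not None:
            if phrase:
                parsed.phrases.append(phrase)
        elif sign == "+":
            parsed.required.append(word)
        elif sign == "-":
            parsed.excluded.append(word)
        else:
            parsed.optional.append(word)
    return parsed


def matches(parsed: DescriptionQuery, description: str) -> bool:
    """Apply the documented rules to one device description."""
    if any(_word_pattern(w).search(description) for w in parsed.excluded):
        return False  # a -word is present
    if not all(_word_pattern(w).search(description) for w in parsed.required):
        return False  # a +word is missing
    lowered = description.lower()
    if not all(p.lower() in lowered for p in parsed.phrases):
        return False  # a quoted phrase is missing
    if parsed.optional and not any(
        _word_pattern(w).search(description) for w in parsed.optional
    ):
        return False  # none of the space-separated words matched
    return True


def find_devices(query: str, devices: Dict[str, str]) -> List[str]:
    """Return the sorted names of devices whose description satisfies the query."""
    parsed = parse_query(query)
    return sorted(name for name, desc in devices.items() if matches(parsed, desc))


# Constructed sample descriptions; not taken from any real deployment.
SAMPLE_DEVICES = {
    "WS-001": "Secondary Server in branch office, Windows 10 workstation",
    "WS-002": "Virtual Administration Server host, Windows Server 2019",
    "WS-003": "Secondary Virtual server for testing",
    "WS-004": "Print server's spare, Linux",
}

if __name__ == "__main__":
    for q in ["Server*", "Windo?", "Secondary Virtual", "+Secondary+Virtual",
              "+Secondary-Virtual", '"Secondary Server"']:
        print(f"{q:22} -> {find_devices(q, SAMPLE_DEVICES)}")
```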

IP range

If this option is enabled, you can enter the initial and final IP addresses of the IP range in which the relevant
devices must be included.
By default, this option is disabled.

Managed by a different Administration Server

Select one of the following values:
Yes. Only the client devices managed by other Administration Servers are considered.

No. Only the client devices managed by the same Administration Server are considered.

No value is selected. The criterion will not be applied.

Tags

On the Tags tab, you can configure a device search based on key words (tags) that were previously added to the
descriptions of managed devices:

Apply if at least one specified tag matches

If this option is enabled, the search results will show devices with descriptions that contain at least one of
the selected tags.
If this option is disabled, the search results will only show devices with descriptions that contain all the
selected tags.
By default, this option is disabled.

Tag must be included

If this option is selected, the search results will display the devices whose descriptions contain the
selected tag. To find devices, you can use the asterisk, which stands for any string with any number of
characters.
By default, this option is selected.

Tag must be excluded

If this option is selected, the search results will display the devices whose descriptions do not contain the
selected tag. To find devices, you can use the asterisk, which stands for any string with any number of
characters.

Active Directory

On the Active Directory tab, you can specify that devices should be searched for in the Active Directory
organizational unit (OU) or group. You can also include devices from all child OUs of the specified Active Directory
OU in the selection. To select devices, define the following settings:

Device is in an Active Directory organizational unit

If this option is enabled, the selection includes devices from the Active Directory unit specified in the entry
field.
By default, this option is disabled.

Include child organizational units

If this option is enabled, the selection includes devices from all child organizational units of the specified
Active Directory organizational unit.
By default, this option is disabled.

This device is a member of an Active Directory group

If this option is enabled, the selection includes devices from the Active Directory group specified in the
entry field.
By default, this option is disabled.

Network activity

On the Network activity tab, you can specify the criteria that will be used to search for devices according to their
network activity:

This device is a distribution point

In the drop-down list, you can set up the criterion for including devices in the selection when performing
search:
Yes. The selection includes devices that act as distribution points.

No. Devices that act as distribution points are not included in the selection.

No value is selected. The criterion will not be applied.

Do not disconnect from the Administration Server

In the drop-down list, you can set up the criterion for including devices in the selection when performing
search:
Enabled. The selection will include devices on which the Do not disconnect from the Administration
Server check box is selected.

Disabled. The selection will include devices on which the Do not disconnect from the
Administration Server check box is cleared.

No value is selected. The criterion will not be applied.

Connection profile switched

In the drop-down list, you can set up the criterion for including devices in the selection when performing
search:
Yes. The selection will include devices that connected to the Administration Server after the
connection profile was switched.

No. The selection will not include devices that connected to the Administration Server after the
connection profile was switched.

No value is selected. The criterion will not be applied.

Last connected to Administration Server

You can use this check box to set a search criterion for devices according to the time they last connected
to the Administration Server.
If this check box is selected, in the entry fields you can specify the time interval (date and time) during
which the last connection was established between Network Agent installed on the client device and the
Administration Server. The selection will include devices that fall within the specified interval.
If this check box is cleared, the criterion will not be applied.
By default, this check box is cleared.

New devices detected by network poll

Searches for new devices that have been detected by network polling over the last few days.
If this option is enabled, the selection only includes new devices that have been detected by device
discovery over the number of days specified in the Detection period (days) field.
If this option is disabled, the selection includes all devices that have been detected by device discovery.
By default, this option is disabled.

Device is visible

In the drop-down list, you can set up the criterion for including devices in the selection when performing
search:
Yes. The application includes in the selection devices that are currently visible in the network.

No. The application includes in the selection devices that are currently invisible in the network.

No value is selected. The criterion will not be applied.

Application

On the Application tab, you can specify the criteria that will be used to search for devices according to the
selected managed application:

Application name

In the drop-down list, you can set a criterion for including devices in a selection when search is performed
by the name of a Kaspersky application.
The list provides only the names of applications with management plug-ins installed on the administrator's
workstation.
If no application is selected, the criterion will not be applied.

Application version

In the entry field, you can set a criterion for including devices in a selection when search is performed by
the version number of a Kaspersky application.
If no version number is specified, the criterion will not be applied.

Critical update name

In the entry field, you can set a criterion for including devices in a selection when search is performed by
application name or by update package number.
If the field is left blank, the criterion will not be applied.

Modules last updated

You can use this option to set a criterion for searching devices by time of the last update of modules of
applications installed on those devices.
If this check box is selected, in the entry fields you can specify the time interval (date and time) during
which the last update of modules of applications installed on those devices was performed.
If this check box is cleared, the criterion will not be applied.
By default, this check box is cleared.

Device is managed through Kaspersky Security Center 14

In the drop-down list, you can include in the selection the devices managed through Kaspersky Security
Center:
Yes. The application includes in the selection devices managed through Kaspersky Security Center.

No. The application includes devices in the selection if they are not managed through Kaspersky
Security Center.

No value is selected. The criterion will not be applied.

Security application is installed

In the drop-down list, you can include in the selection all devices with the security application installed:
Yes. The application includes in the selection all devices with the security application installed.

No. The application includes in the selection all devices with no security application installed.

No value is selected. The criterion will not be applied.

Operating system

On the Operating system tab, you can set up the following criteria to find devices by their operating system (OS)
type:

Operating system version

If the check box is selected, you can select an operating system from the list. Devices with the specified
operating systems installed are included in the search results.

Operating system bit size

In the drop-down list, you can select the architecture for the operating system, which will determine how
the moving rule is applied to the device (Unknown, x86, AMD64, or IA64). By default, no option is selected
in the list so that the operating system's architecture is not defined.

Operating system service pack version

In this field, you can specify the package version of the operating system (in the X.Y format), which will
determine how the moving rule is applied to the device. By default, no version value is specified.

Operating system build

This setting is applicable to Windows operating systems only.

The build number of the operating system. You can specify whether the selected operating system must
have an equal, earlier, or later build number. You can also configure searching for all build numbers except
the specified one.

Operating system release ID

This setting is applicable to Windows operating systems only.

The release identifier (ID) of the operating system. You can specify whether the selected operating system
must have an equal, earlier, or later release ID. You can also configure searching for all release ID numbers
except the specified one.

Device status

On the Device status tab, you can specify criteria for searching devices based on the device status from the
managed application:

Device status

Drop-down list in which you can select one of the device statuses: OK, Critical, or Warning.

Real-time protection status

Drop-down list, in which you can select the real-time protection status. Devices with the speci ed real-
time protection status are included in the selection.

Device status description

In this field, you can select the check boxes next to conditions that, if met, assign one of the following statuses to the device: OK, Critical, or Warning.

Device status defined by application

Drop-down list, in which you can select the real-time protection status. Devices with the specified real-time protection status are included in the selection.

Protection components

On the Protection components tab, you can set up the criteria to search for client devices by their protection
status.

Databases released

If this option is selected, you can search for client devices by anti-virus database release date. In the entry fields you can set the time interval, on the basis of which the search is performed.
By default, this option is disabled.

Last scanned

If this option is enabled, you can search for client devices by time of the last virus scan. In the entry fields you can specify the time period within which the last virus scan was performed.
By default, this option is disabled.

Total number of threats detected

If this option is enabled, you can search for client devices by number of viruses detected. In the entry fields you can set the lower and upper threshold values for the number of viruses found.
By default, this option is disabled.

Applications registry

On the Applications registry tab, you can configure the search for devices according to applications installed on them:

Application name

Drop-down list in which you can select an application. Devices on which the specified application is installed are included in the selection.

Application version

Entry field in which you can specify the version of the selected application.

Vendor

Drop-down list in which you can select the manufacturer of an application installed on the device.

Application status

A drop-down list in which you can select the status of an application (Installed, Not installed). Devices on which the specified application is installed or not installed, depending on the selected status, will be included in the selection.

Find by update

If this option is enabled, search will be performed using the details of updates for applications installed on the relevant devices. After you select the check box, the Application name, Application version, and Application status fields change to Update name, Update version, and Status respectively.
By default, this option is disabled.

Incompatible security application name

Drop-down list in which you can select third-party security applications. During the search, devices on which the specified application is installed are included in the selection.

Application tag

In the drop-down list, you can select the application tag. All devices that have installed applications with
the selected tag in the description are included in the device selection.

Hierarchy of Administration Servers

On the Hierarchy of Administration Servers tab, check the Include data from secondary Administration Servers (down to level) box if you want the information stored on secondary Administration Servers to be considered while searching for devices, and in the entry field, you can specify the nesting level of secondary Administration Server from which information is considered while searching for devices. By default, this check box is cleared.

Virtual machines

On the Virtual machines tab, you can configure the search for devices according to whether these are virtual machines or part of virtual desktop infrastructure (VDI):

This is a virtual machine

In the drop-down list, you can select the following options:


Not important.

No. Find devices that are not virtual machines.

Yes. Find devices that are virtual machines.

Virtual machine type

In the drop-down list, you can select the virtual machine manufacturer.
This drop-down list is available if the Yes or Not important value is selected in the This is a virtual machine
drop-down list.

Part of Virtual Desktop Infrastructure

In the drop-down list, you can select the following options:


Not important.

No. Find devices that are not part of Virtual Desktop Infrastructure.

Yes. Find devices that are part of the Virtual Desktop Infrastructure (VDI).

Hardware

On the Hardware tab, you can configure the search for client devices according to their hardware:

Device

In the drop-down list, you can select a unit type. All devices with this unit are included in the search results.
The field supports the full-text search.

Vendor

In the drop-down list, you can select the name of a unit manufacturer. All devices with this unit are included in the search results.
The field supports the full-text search.

Description

Description of the device or hardware unit. Devices with the description specified in this field are included in the selection.
A device's description in any format can be entered in the properties window of that device. The field supports the full-text search.

Inventory number

Equipment with the inventory number specified in this field will be included in the selection.

CPU frequency, in MHz

The frequency range of a CPU. Devices with CPUs that match the frequency range in these fields (inclusive) will be included in the selection.

Virtual CPU cores

Range of the number of virtual cores in a CPU. Devices with CPUs that match the range in these fields (inclusive) will be included in the selection.

Hard drive volume, in GB

Range of values for the size of the hard drive on the device. Devices with hard drives that match the range in these entry fields (inclusive) will be included in the selection.

RAM size, in MB

Range of values for the size of the device RAM. Devices with RAMs that match the range in these entry fields (inclusive) will be included in the selection.

Vulnerabilities and updates

On the Vulnerabilities and updates tab, you can set up the criterion to search for devices according to their
Windows Update source:

WUA is switched to Administration Server

You can select one of the following search options from the drop-down list:

Yes. If this option is selected, the search results will include devices that receive updates through Windows Update from the Administration Server.

No. If this option is selected, the results will include devices that receive updates through Windows Update from other sources.

Users

On the Users tab, you can set up the criteria to search for devices according to the accounts of users who have
logged in to the operating system.

Last user who logged in to the system

If this option is enabled, click the Browse button to specify a user account. The search results include devices on which the specified user performed the last login to the system.

User who logged in to the system at least once

If this option is enabled, click the Browse button to specify a user account. The search results include devices on which the specified user logged in to the system at least once.

Status-affecting problems in managed applications

On the Status-affecting problems in managed applications tab, you can set up search for devices according to descriptions of their statuses provided by the managed application:

Device status description

You can select check boxes for descriptions of statuses from the managed application; upon receipt of
these statuses, the devices will be included in the selection. When you select a status listed for several
applications, you have the option to select this status in all of the lists automatically.

Statuses of components in managed applications

On the Statuses of components in managed applications tab, you can set up the criteria to search for devices
according to the statuses of components in managed applications:

Data Leakage Prevention status

Search for devices by the status of Data Leakage Prevention (No data from device, Stopped, Starting,
Paused, Running, Failed).

Collaboration servers protection status

Search for devices by the status of server collaboration protection (No data from device, Stopped,
Starting, Paused, Running, Failed).

Anti-virus protection status of mail servers

Search for devices by the status of Mail Server protection (No data from device, Stopped, Starting,
Paused, Running, Failed).

Endpoint Sensor status

Search for devices by the status of the Endpoint Sensor component (No data from device, Stopped,
Starting, Paused, Running, Failed).

Encryption

Encryption

Advanced Encryption Standard (AES) symmetrical block cipher algorithm. In the drop-down list, you can
select the encryption key size (56-bit, 128-bit, 192-bit, or 256-bit).
Available values: AES56, AES128, AES192, and AES256.

Cloud segments

On the Cloud segments tab, you can configure a search based on whether a device belongs to specific cloud segments:

Device is in a cloud segment

If this option is enabled, you can click the Browse button to specify the segment to search.
If the Include child objects option is also enabled, the search is run on all child objects of the specified segment.
Search results include only devices from the selected segment.

Device discovered by using the API

In the drop-down list, you can select whether a device is detected by API tools:

AWS. The device is discovered by using the AWS API, that is, the device is definitely in the AWS cloud environment.

Azure. The device is discovered by using the Azure API, that is, the device is definitely in the Azure cloud environment.

Google Cloud. The device is discovered by using the Google API, that is, the device is definitely in the Google Cloud environment.

No. The device cannot be detected by using the AWS, Azure, or Google API, that is, it is either
outside the cloud environment or it is in the cloud environment but it cannot be detected by using an
API.

No value. This condition does not apply.

Application components

This section contains the list of components of those applications that have corresponding management
plug-ins installed in Administration Console.

In the Application components section, you can specify criteria for including devices in a selection according to
the statuses and version numbers of the components that refer to the application that you select:

Status

Search for devices according to the component status sent by an application to the Administration Server. You can select one of the following statuses: No data from device, Stopped, Starting, Paused, Running, Malfunction, or Not installed. If the selected component of the application installed on a managed device has the specified status, the device is included in the device selection.

Statuses sent by applications:

Starting—The component is currently in the process of initialization.

Running—The component is enabled and working properly.

Paused—The component is suspended, for example, after the user has paused protection in the
managed application.

Malfunction—An error has occurred during the component operation.

Stopped—The component is disabled and not working at the moment.

Not installed—The user did not select the component for installation when con guring custom
installation of the application.

Unlike other statuses, the No data from device status is not sent by applications. This option shows that the applications have no information about the selected component status. For example, this can happen when the selected component does not belong to any of the applications installed on the device, or when the device is turned off.

Version

Search for devices according to the version number of the component that you select in the list. You can type a version number, for example 3.4.1.0, and then specify whether the selected component must have an equal, earlier, or later version. You can also configure searching for all versions except the specified one.

Using masks in string variables


Using masks for string variables is allowed. When creating masks, you can use the following regular expressions:

Wildcard character (*)—Any string of 0 or more characters.

Question mark (?)—Any single character.

[<range>]—Any single character from a specified range or set.

For example: [0-9]—Any digit. [abcdef]—Any of the characters a, b, c, d, e, or f.

Using regular expressions in the search field


You can use the following regular expressions in the search field to search for specific words and characters:

*. Replaces any sequence of characters. To search for such words as Server, Servers, or Server room, enter the Server* expression in the search field.

?. Replaces any single character. To search for such words as Word or Ward, enter the W?rd expression in the search field.

Text in the search field cannot begin with a question mark (?).

[<range>]. Replaces any single character from a specified range or set. To search for any numeral, enter the [0-9] expression in the search field. To search for one of the characters—a, b, c, d, e, or f—enter the [abcdef] expression in the search field.

Use the following regular expressions in the search field to run a full-text search:

Space. The result is all devices whose descriptions contain any of the listed words. For example, to search for a phrase that contains the word "Secondary" or "Virtual" (or both these words), enter the Secondary Virtual expression in the search field.

Plus sign (+), AND, or &&. When a plus sign precedes a word, all search results will contain this word. For example, to search for a phrase that contains both the word "Secondary" and the word "Virtual", you can enter any of the following expressions in the search field: +Secondary+Virtual, Secondary AND Virtual, Secondary && Virtual.

OR or ||. When placed between two words, it indicates that one word or the other can be found in the text. To search for a phrase that contains either the word "Secondary" or the word "Virtual", you can enter any of the following expressions in the search field: Secondary OR Virtual, Secondary || Virtual.

Minus sign (-). When a minus sign precedes a word, no search results will contain this word. To search for a phrase that must contain the word Secondary and must not contain the word Virtual, enter the +Secondary-Virtual expression in the search field.

"<some text>". Text enclosed in quotation marks must be present in the text. To search for a phrase that contains the word combination Secondary Server, enter the "Secondary Server" expression in the search field.

Full-text search is available in the following filtering blocks:

In the event list filtering block, by the Event and Description columns.

In the user account filtering block, by the Name column.

In the applications registry filtering block, by the Name column, if the Show in list section has no grouping selected as the filtering criterion.
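The mask syntax for string variables above and the full-text operators in this section, implemented in Python as an added example (not code from Kaspersky Security Center); mask_to_regex, parse_query, fulltext_matches, search_devices and the sample device descriptions are constructed here, and the code assumes case-insensitive matching with each term anchored at the start of a word and treats the words on both sides of AND as required.

```python
import re

# Added example, not code from Kaspersky Security Center: implements the mask and
# full-text search syntax described in this section. Assumptions: matching is
# case-insensitive and a full-text term matches at the start of a word ("Server*" finds "Server room").

_RANGE_BODY = re.compile(r"^[A-Za-z0-9-]+$")

def mask_to_regex(mask):
    """'*' = any string, '?' = any single character, '[<range>]' = one character
    from the range or set; every other character is taken literally."""
    out = []
    i = 0
    while i < len(mask):
        ch = mask[i]
        if ch == "*":
            out.append(".*")
        elif ch == "?":
            out.append(".")
        elif ch == "[":
            close = mask.find("]", i + 1)
            body = mask[i + 1:close]
            if close == -1 or not _RANGE_BODY.match(body):
                raise ValueError("bad character range in mask: %r" % mask)
            out.append("[" + body + "]")  # passed through unescaped so 0-9 stays a range
            i = close
        else:
            out.append(re.escape(ch))
        i += 1
    return "".join(out)

def mask_matches(mask, value):
    """True if the whole string variable (for example, a device name) fits the mask."""
    return re.fullmatch(mask_to_regex(mask), value, re.IGNORECASE) is not None

# A quoted phrase, the && / || operators, or a word with an optional leading + or -.
_TOKEN = re.compile(r'"[^"]*"|&&|\|\||[+\-]?[^\s+\-"]+')

def parse_query(query):
    """Split a full-text query into required, optional and excluded terms: bare words
    are alternatives; '+word', words on both sides of AND / &&, and "quoted text" must
    occur; OR / || keep both sides alternatives; '-word' must not occur."""
    if query.lstrip().startswith("?"):
        raise ValueError("text in the search field cannot begin with a question mark")
    terms = {"required": [], "optional": [], "excluded": []}
    after_and = False  # the next word completes an AND / && pair
    last = None        # bucket the previous word went into
    for tok in _TOKEN.findall(query):
        if tok in ("AND", "&&"):
            if last == "optional":  # AND also makes the word before it required
                terms["required"].append(terms["optional"].pop())
                last = "required"
            after_and = True
            continue
        if tok in ("OR", "||"):
            after_and = False
            continue
        if tok.startswith('"') and tok.endswith('"'):
            last, word = "required", tok[1:-1]
        elif tok[0] == "+":
            last, word = "required", tok[1:]
        elif tok[0] == "-":
            last, word = "excluded", tok[1:]
        else:
            last, word = ("required" if after_and else "optional"), tok
        terms[last].append(word)
        after_and = False
    return terms

def _term_regex(term):
    # A term may itself contain * and ?; it is anchored at a word start (assumption).
    return re.compile(r"(?<!\w)" + mask_to_regex(term), re.IGNORECASE)

def fulltext_matches(query, text):
    """No excluded term present, every required term present and, when nothing is
    required, at least one of the alternatives present."""
    t = parse_query(query)

    def found(term):
        return _term_regex(term).search(text) is not None

    if any(found(x) for x in t["excluded"]) or not all(found(x) for x in t["required"]):
        return False
    return bool(t["required"]) or not t["optional"] or any(found(x) for x in t["optional"])

# Constructed sample data (not from the page): descriptions as an administrator
# might enter them in the device properties window.
SAMPLE_DEVICES = {
    "ws-01": "Virtual desktop for accounting",
    "srv-02": "Secondary Server in the DMZ, Virtual machine",
    "srv-03": "Secondary Administration Server, physical",
    "ws-04": "Word processing workstation",
}

def search_devices(query, devices=SAMPLE_DEVICES):
    """Sorted names of the devices whose description matches the query."""
    return sorted(n for n, desc in devices.items() if fulltext_matches(query, desc))
```

Calling search_devices with each of the expressions from the text (Secondary Virtual, +Secondary+Virtual, Secondary AND Virtual, +Secondary-Virtual, "Secondary Server") shows how the required, alternative and excluded rules narrow the sample set.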

Exporting lists from dialog boxes


In dialog boxes of the application you can export lists of objects to text files.

Export of a list of objects is possible for dialog box sections that contain the Export to file button.

Settings of tasks

This section lists all settings of tasks in Kaspersky Security Center.

General task settings


This section contains the settings that you can view and configure for most of your tasks. The list of settings available depends on the task you are configuring.

Settings specified during task creation

You can specify the following settings when creating a task. Some of these settings can also be modified in the properties of the created task.

Operating system restart settings:

Do not restart the device

Client devices are not restarted automatically after the operation. To complete the operation, you must
restart a device (for example, manually or through a device management task). Information about the
required restart is saved in the task results and in the device status. This option is suitable for tasks on
servers and other devices where continuous operation is critical.

Restart the device

Client devices are always restarted automatically if a restart is required for completion of the
operation. This option is useful for tasks on devices that provide for regular pauses in their operation
(shutdown or restart).

Prompt user for action

The restart reminder is displayed on the screen of the client device, prompting the user to restart it
manually. Some advanced settings can be defined for this option: text of the message for the user, the message display frequency, and the time interval after which a restart will be forced (without the user's confirmation). This option is most suitable for workstations where users must be able to select the most convenient time for a restart.
By default, this option is selected.

Repeat prompt every (min)

If this option is enabled, the application prompts the user to restart the operating system with the specified frequency.
By default, this option is enabled. The default interval is 5 minutes. Available values are between 1 and
1440 minutes.
If this option is disabled, the prompt is displayed only once.

Restart after (min)

After prompting the user, the application forces restart of the operating system upon expiration of the specified time interval.
By default, this option is enabled. The default delay is 30 minutes. Available values are between 1 and
1440 minutes.

Force closure of applications in blocked sessions

Running applications may prevent a restart of the client device. For example, if a document is being
edited in a word processing application and is not saved, the application does not allow the device to
restart.
If this option is enabled, such applications on a locked device are forced to close before the device
restart. As a result, users may lose their unsaved changes.
If this option is disabled, a locked device is not restarted. The task status on this device states that a
device restart is required. Users have to manually close all applications running on locked devices and
restart these devices.
By default, this option is disabled.

Task scheduling settings:

Scheduled start setting:

Every N hours

The task runs regularly, with the specified interval in hours, starting from the specified date and time.
By default, the task runs every six hours, starting from the current system date and time.

Every N days

The task runs regularly, with the specified interval in days. Additionally, you can specify a date and time of the first task run. These additional options become available if they are supported by the application for which you create the task.
By default, the task runs every day, starting from the current system date and time.

Every N weeks

The task runs regularly, with the specified interval in weeks, on the specified day of week and at the specified time.
By default, the task runs every Monday at the current system time.

Every N minutes

The task runs regularly, with the specified interval in minutes, starting from the specified time on the day that the task is created.
By default, the task runs every 30 minutes, starting from the current system time.

Daily (daylight saving time is not supported)

The task runs regularly, with the specified interval in days. This schedule does not support observance of daylight saving time (DST). It means that when clocks jump one hour forward or backward at the beginning or end of DST, the actual task start time does not change.
We do not recommend that you use this schedule. It is needed for backward compatibility of
Kaspersky Security Center.
By default, the task starts every day at the current system time.

Weekly

The task runs every week on the specified day and at the specified time.

By days of week

The task runs regularly, on the specified days of week, at the specified time.
By default, the task runs every Friday at 6:00:00 PM.

Monthly

The task runs regularly, on the specified day of the month, at the specified time.
In months that lack the specified day, the task runs on the last day.
By default, the task runs on the first day of each month, at the current system time.

Manually

The task does not run automatically. You can only start it manually.
By default, this option is enabled.

Every month on specified days of selected weeks

The task runs regularly, on the specified days of each month, at the specified time.
By default, no days of month are selected; the default start time is 6:00:00 PM.

When new updates are downloaded to the repository

The task runs after updates are downloaded to the repository. For example, you may want to use this schedule for the Find vulnerabilities and required updates task.

On virus outbreak

The task runs after a Virus outbreak event occurs. Select application types that will monitor virus outbreaks. The following application types are available:

Anti-virus for workstations and file servers

Anti-virus for perimeter defense

Anti-virus for mail systems

By default, all application types are selected.
You may want to run different tasks depending on the anti-virus application type that reports a virus outbreak. In this case, remove the selection of the application types that you do not need.

On completing another task

The current task starts after another task completes. You can select how the previous task must
complete (successfully or with error) to trigger the start of the current task. For example, you may
want to run the Manage devices task with the Turn on the device option and, after it completes, run
the Virus scan task.

Run missed tasks

This option determines the behavior of a task if a client device is not visible on the network when the
task is about to start.
If this option is enabled, the system attempts to start the task the next time the Kaspersky application
is run on the client device. If the task schedule is Manually, Once or Immediately, the task is started
immediately after the device becomes visible on the network or immediately after the device is
included in the task scope.
If this option is disabled, only scheduled tasks run on client devices; for Manually, Once and
Immediately, tasks run only on those client devices that are visible on the network. For example, you
may want to disable this option for a resource-consuming task that you want to run only outside of
business hours.
By default, this option is enabled.

Use automatically randomized delay for task starts

If this option is enabled, the task is started on client devices randomly within a specified time interval, that is, distributed task start. A distributed task start helps to avoid a large number of simultaneous requests by client devices to the Administration Server when a scheduled task is running.
The distributed start time is calculated automatically when a task is created, depending on the number
of client devices to which the task is assigned. Later, the task is always started on the calculated start
time. However, when task settings are edited or the task is started manually, the calculated value of the
task start time changes.
If this option is disabled, the task starts on client devices according to the schedule.

Use randomized delay for task starts within an interval of (min)

If this option is enabled, the task is started on client devices randomly within the specified time interval.
A distributed task start helps to avoid a large number of simultaneous requests by client devices to the
Administration Server when a scheduled task is running.
If this option is disabled, the task starts on client devices according to the schedule.
By default, this option is disabled. The default time interval is one minute.

Devices to which the task will be assigned:

Select networked devices detected by Administration Server

The task is assigned to specific devices. The specific devices can include devices in administration groups as well as unassigned devices.
For example, you may want to use this option in a task of installing Network Agent on unassigned
devices.

Specify device addresses manually or import addresses from a list

You can specify NetBIOS names, DNS names, IP addresses, and IP subnets of devices to which you
want to assign the task.
You may want to use this option to execute a task for a specific subnet. For example, you may want to install a certain application on devices of accountants or to scan devices in a subnet that is probably infected.

Assign task to a device selection

The task is assigned to devices included in a device selection. You can specify one of the existing
selections.
For example, you may want to use this option to run a task on devices with a specific operating system version.

Assign task to an administration group

The task is assigned to devices included in an administration group. You can specify one of the existing
groups or create a new one.
For example, you may want to use this option to run a task of sending a message to users if the message is specific for devices included in a specific administration group.

Account settings:

Default account

The task will be run under the same account as the application that performs this task.
By default, this option is selected.

Specify account

Fill in the Account and Password fields to specify the details of an account under which the task is run. The account must have sufficient rights for this task.

Account

Account under which the task is run.

Password

Password of the account under which the task will be run.

Settings specified after task creation

You can specify the following settings only after a task is created.

Group task settings:

Distribute to subgroups

This option is only available in the settings of group tasks.


When this option is enabled, the task scope includes:

The administration group that you selected while creating the task.

The administration groups subordinate to the selected administration group at any level down by the group hierarchy.

When this option is disabled, the task scope includes only the administration group that you selected while creating the task.
By default, this option is enabled.

Distribute to secondary and virtual Administration Servers

When this option is enabled, the task that is effective on the primary Administration Server is also applied on the secondary Administration Servers (including virtual ones). If a task of the same type already exists on the secondary Administration Server, both tasks are applied on the secondary Administration Server—the existing one and the one that is inherited from the primary Administration Server.
This option is only available when the Distribute to subgroups option is enabled.
By default, this option is disabled.

Advanced scheduling settings:

Turn on devices by using the Wake-on-Lan function before starting the task (min)

The operating system on the device starts at the specified time before the task is started. The default time period is five minutes.

Enable this option if you want the task to run on all of the client devices from the task scope, including those devices that are turned off when the task is about to start.

If you want the device to be automatically turned off after the task is complete, enable the Shut down the devices after completing the task option. This option can be found in the same window.

By default, this option is disabled.

Shut down the devices after completing the task

For example, you may want to enable this option for an install update task that installs updates to client
devices each Friday after business hours, and then turns o these devices for the weekend.

By default, this option is disabled.

Stop the task if it runs longer than (min)

After the specified time period expires, the task is stopped automatically, whether it is completed or not.
Enable this option if you want to interrupt (or stop) tasks that take too long to execute.
By default, this option is disabled. The default task execution time is 120 minutes.

Notification settings:

Store task history block:

On Administration Server for (days)

Application events related to execution of the task on all client devices from the task scope are
stored on the Administration Server during the speci ed number of days. When this period elapses,
the information is deleted from the Administration Server.

By default, this option is enabled.

Store in the OS event log on device

Application events related to execution of the task are stored locally in Windows Event Log of each
client device.

By default, this option is disabled.

Store in the OS event log on Administration Server

Application events related to execution of the task on all client devices from the task scope are
stored centrally in Windows Event Log of the Administration Server operating system (OS).

By default, this option is disabled.

Save all events

If this option is selected, all events related to the task are saved to the event logs.

Save events related to task progress

If this option is selected, only events related to the task execution are saved to the event logs.

Save only task execution results

If this option is selected, only events related to the task results are saved to the event logs.

Notify administrator of task execution results

You can select the methods by which administrators receive notifications about task execution results: by email, by SMS, and by running an executable file. To configure notification, click the Settings link.

By default, all notification methods are disabled.

Notify of errors only

If this option is enabled, administrators are only notified when a task execution completes with an error.

If this option is disabled, administrators are notified after every task execution completion.

By default, this option is enabled.

Security settings

Task scope settings


Depending on how the task scope is determined, the following settings are present:

Devices

If the scope of a task is determined by an administration group, you can view this group. No changes are
available here. However, you can set Exclusions from task scope.

If the scope of a task is determined by a list of devices, you can modify this list by adding and removing
devices.

Device selection

You can change the device selection to which the task is applied.

Exclusions from task scope

You can specify groups of devices to which the task is not applied. Groups to be excluded can only be
subgroups of the administration group to which the task is applied.

Revision history

Download updates to the Administration Server repository task settings

Settings speci ed during task creation

You can specify the following settings when creating a task. Some of these settings can also be modified in the properties of the created task.

Sources of updates

The following resources can be used as a source of updates for the Administration Server:

Kaspersky update servers


HTTP(S) servers at Kaspersky from which Kaspersky applications download database and application module updates. By default, the Administration Server communicates with Kaspersky update servers and downloads updates by using the HTTPS protocol. You can configure the Administration Server to use the HTTP protocol instead of HTTPS.
Selected by default.

Primary Administration Server


This resource applies to tasks created for a secondary or virtual Administration Server.

Local or network folder


A local or network folder that contains the latest updates. A network folder can be an FTP or HTTP
server, or an SMB share. If a network folder requires authentication, only the SMB protocol is
supported. When selecting a local folder, you must specify a folder on the device that has
Administration Server installed.

An FTP or HTTP server or a network folder used as an update source must contain a folder structure (with updates) that matches the structure created when using Kaspersky update servers.

If you enable the Do not use proxy server option for the Kaspersky update servers or Local or network
folder sources of update, an Administration Server does not use a proxy server for downloading updates.

Other settings
Force update of secondary Administration Servers

If this option is enabled, the Administration Server starts the update tasks on the secondary
Administration Servers as soon as new updates are downloaded. Otherwise, the update tasks on the
secondary Administration Servers start according to their schedules.
By default, this option is disabled.

Copy downloaded updates to additional folders

After the Administration Server receives updates, it copies them to the specified folders. Use this option if
you want to manually manage the distribution of updates on your network.

For example, you may want to use this option in the following situation: the network of your organization
consists of several independent subnets, and devices from each of the subnets do not have access to
other subnets. However, devices in all of the subnets have access to a common network share. In this case,
you set the Administration Server in one of the subnets to download updates from Kaspersky update servers,
enable this option, and then specify this network share. In the Download updates to the Administration Server
repository tasks of the other Administration Servers, specify the same network share as the update source.

By default, this option is disabled.

Do not force updating of devices and secondary Administration Servers unless copying is complete

The tasks of downloading updates to client devices and secondary Administration Servers start only after
those updates are copied from the main update folder to additional update folders.
This option must be enabled if client devices and secondary Administration Servers download updates
from additional network folders.
By default, this option is disabled.

Settings specified after task creation

You can specify the following settings only after a task is created.

Settings section, Content of updates block


Download diff files

This option enables the downloading diff files feature.


By default, this option is disabled.

Update verification section


Verify updates before distributing

Administration Server downloads updates from the source, saves them to a temporary repository, and runs
the task defined in the Update verification task field. If the task completes successfully, the updates are
copied from the temporary repository to a shared folder on the Administration Server and then distributed
to all devices for which the Administration Server acts as the source of updates (tasks with the When new
updates are downloaded to the repository schedule type are started). The task of downloading updates
to the repository is finished only after completion of the Update verification task.
By default, this option is disabled.

Update verification task

This task verifies downloaded updates before they are distributed to all devices for which the
Administration Server acts as the source of updates.

In this field, you can specify the Update verification task created earlier. Alternatively, you can create a new
Update verification task.

Download updates to the repositories of distribution points task settings

Settings specified during task creation

You can specify the following settings when creating a task. Some of these settings can also be modified in the
properties of the created task.

Sources of updates

The following resources can be used as a source of updates for the distribution point:

Kaspersky update servers


HTTP(S) servers at Kaspersky from which Kaspersky applications download database and application
module updates.
This option is selected by default.

Primary Administration Server


This resource applies to tasks created for a secondary or virtual Administration Server.

Local or network folder


A local or network folder that contains the latest updates. A network folder can be an FTP or HTTP
server, or an SMB share. If a network folder requires authentication, only the SMB protocol is
supported. When selecting a local folder, you must specify a folder on the device that has
Administration Server installed.

An FTP or HTTP server or a network folder used as an update source must contain a folder
structure (with updates) that matches the structure created when using Kaspersky update
servers.

If you enable the Do not use proxy server option for the Kaspersky update servers or Local or network
folder update source, a distribution point does not use a proxy server for downloading updates, even if
the Use proxy server option is enabled in the Network Agent policy settings for the distribution point.

Other settings → Folder for storing updates

The path to the specified folder for storing saved updates. You can copy the specified folder path to the
clipboard. You cannot change the path to a specified folder for a group task.

Settings specified after task creation

You can specify the following setting in the Settings section, in the Content of updates block only after a task is
created.

Download diff files

This option enables the downloading diff files feature.
By default, this option is disabled.

Find vulnerabilities and required updates task settings

Settings specified during task creation

You can specify the following settings when creating a task. Some of these settings can also be modified in the
properties of the created task.

Search for vulnerabilities and updates listed by Microsoft

When searching for vulnerabilities and updates, Kaspersky Security Center uses the information about
applicable Microsoft updates that is currently available from the source of Microsoft updates.

For example, you may want to disable this option if you have different tasks with different settings for
Microsoft updates and updates of third-party applications.

By default, this option is enabled.

Connect to the update server to update data

Windows Update Agent on a managed device connects to the source of Microsoft updates. The
following servers can act as a source of Microsoft updates:
Kaspersky Security Center Administration Server (see the settings of Network Agent policy)

Windows Server with Microsoft Windows Server Update Services (WSUS) deployed in your
organization's network

Microsoft Updates servers


If this option is enabled, Windows Update Agent on a managed device connects to the source of
Microsoft updates to refresh the information about applicable Microsoft Windows updates.

If this option is disabled, Windows Update Agent on a managed device uses the information about
applicable Microsoft Windows updates that was received from the source of Microsoft updates earlier
and that is stored in the device's cache.
Connecting to the source of Microsoft updates can be resource-consuming. You might want to disable
this option if you set regular connection to this source of updates in another task or in the properties
of the Network Agent policy, in the Software updates and vulnerabilities section. If you do not want to
disable this option, then, to reduce the load on the Server, you can configure the task schedule to
randomize the delay for task starts within 360 minutes.
By default, this option is enabled.
The combination of the following options in the Network Agent policy settings defines how updates are
obtained:
Windows Update Agent on a managed device connects to the Update Server to get updates only
if the Connect to the update server to update data option is enabled and the Active option, in
the Windows Update search mode settings group, is selected.

Windows Update Agent on a managed device uses the information about applicable Microsoft
Windows updates that was received from the source of Microsoft updates earlier and that is
stored in the device's cache if either the Connect to the update server to update data option is
enabled and the Passive option, in the Windows Update search mode settings group, is selected,
or the Connect to the update server to update data option is disabled and the Active option,
in the Windows Update search mode settings group, is selected.

Irrespective of whether the Connect to the update server to update data option is enabled or
disabled, if the Disabled option, in the Windows Update search mode settings group, is selected,
Kaspersky Security Center does not request any information about updates.

Search for third-party vulnerabilities and updates listed by Kaspersky

If this option is enabled, Kaspersky Security Center searches for vulnerabilities and required updates for
third-party applications (applications made by software vendors other than Kaspersky and Microsoft) in
the Windows Registry and in the folders specified under Specify paths for advanced search of applications
in file system. The full list of supported third-party applications is managed by Kaspersky.

If this option is disabled, Kaspersky Security Center does not search for vulnerabilities and required
updates for third-party applications. For example, you may want to disable this option if you have different
tasks with different settings for Microsoft Windows updates and updates of third-party applications.

By default, this option is enabled.

Specify paths for advanced search of applications in file system

The folders in which Kaspersky Security Center searches for third-party applications that require
vulnerability fix and update installation. You can use system variables.

Specify the folders to which applications are installed. By default, the list contains system folders to
which most of the applications are installed.

Enable advanced diagnostics

If this feature is enabled, Network Agent writes traces even if tracing is disabled for Network Agent in
Kaspersky Security Center Remote Diagnostics Utility. Traces are written to two files in turn; the total size
of both files is determined by the Maximum size, in MB, of advanced diagnostics files value. When both
files are full, Network Agent starts writing to them again. The files with traces are stored in the
%WINDIR%\Temp folder. These files are accessible in the remote diagnostics utility, where you can download
or delete them.
If this feature is disabled, Network Agent writes traces according to the settings in Kaspersky Security
Center Remote Diagnostics Utility. No additional traces are written.
When creating a task, you do not have to enable advanced diagnostics. You may want to use this feature
later if, for example, a task run fails on some of the devices and you want to get additional information
during another task run.
By default, this option is disabled.

Maximum size, in MB, of advanced diagnostics files

The default value is 100 MB, and available values are between 1 MB and 2048 MB. You may be asked to
change the default value by Kaspersky Technical Support specialists when information in the advanced
diagnostics files sent by you is not enough to troubleshoot the problem.

Install required updates and fix vulnerabilities task settings

Settings specified during task creation

You can specify the following settings when creating a task. Some of these settings can also be modified in the
properties of the created task.

Specify rules for installing updates

These rules are applied to installation of updates on client devices. If rules are not specified, the task has
nothing to perform. For information about operations with rules, refer to Rules for update installation.

Start installation at device restart or shutdown

If this option is enabled, updates are installed when the device is restarted or shut down. Otherwise,
updates are installed according to a schedule.
Use this option if installing the updates might affect the device performance.
By default, this option is disabled.

Install required general system components


If this option is enabled, before installing an update the application automatically installs all general system
components (prerequisites) that are required to install the update. For example, these prerequisites can be
operating system updates.
If this option is disabled, you may have to install the prerequisites manually.
By default, this option is disabled.

Allow installation of new application versions during updates

If this option is enabled, updates are allowed when they result in installation of a new version of a software
application.
If this option is disabled, the software is not upgraded. You can then install new versions of the software
manually or through another task. For example, you may use this option if your company infrastructure is
not supported by a new software version or if you want to check an upgrade in a test infrastructure.
By default, this option is enabled.

Upgrading an application may cause dependent applications installed on client devices to malfunction.

Download updates to the device without installing them

If this option is enabled, the application downloads updates to the device but does not install them
automatically. You can then install the downloaded updates manually.
Microsoft updates are downloaded to the system Windows storage. Updates of third-party applications
(applications made by software vendors other than Kaspersky and Microsoft) are downloaded to the
folder specified in the Folder for downloading updates field.
If this option is disabled, the updates are installed to the device automatically.
By default, this option is disabled.

Folder for downloading updates

This folder is used to download updates of third-party applications (applications made by software
vendors other than Kaspersky and Microsoft).

Enable advanced diagnostics

If this feature is enabled, Network Agent writes traces even if tracing is disabled for Network Agent in
Kaspersky Security Center Remote Diagnostics Utility. Traces are written to two files in turn; the total size
of both files is determined by the Maximum size, in MB, of advanced diagnostics files value. When both
files are full, Network Agent starts writing to them again. The files with traces are stored in the
%WINDIR%\Temp folder. These files are accessible in the remote diagnostics utility, where you can download
or delete them.
If this feature is disabled, Network Agent writes traces according to the settings in Kaspersky Security
Center Remote Diagnostics Utility. No additional traces are written.
When creating a task, you do not have to enable advanced diagnostics. You may want to use this feature
later if, for example, a task run fails on some of the devices and you want to get additional information
during another task run.
By default, this option is disabled.

Maximum size, in MB, of advanced diagnostics files

The default value is 100 MB, and available values are between 1 MB and 2048 MB. You may be asked to
change the default value by Kaspersky Technical Support specialists when information in the advanced
diagnostics files sent by you is not enough to troubleshoot the problem.

Settings specified after task creation

You can specify settings in the sections listed below only after a task is created. For a full description of the task
settings, see General task settings.

General. In this section, general information about the task is displayed. Also, you can specify to which devices
the Install required updates and fix vulnerabilities task should apply:

Distribute to subgroups

This option is available only in the settings of group tasks.


When this option is enabled, the task scope includes:
The administration group that you selected while creating the task.

The administration groups subordinate to the selected administration group at any level down by
the group hierarchy.
When this option is disabled, the task scope includes only the administration group that you selected
while creating the task.
By default, this option is enabled.

Distribute to secondary and virtual Administration Servers

When this option is enabled, the task that is effective on the primary Administration Server is also
applied on the secondary Administration Servers (including virtual ones). If a task of the same type
already exists on the secondary Administration Server, both tasks are applied on the secondary
Administration Server—the existing one and the one that is inherited from the primary Administration
Server.
This option is only available when the Distribute to subgroups option is enabled.
By default, this option is disabled.

Updates to install
In the Updates to install section, you can view the list of updates that the task installs. Only updates that
match the applied task settings are shown.

Test installation of updates:

Do not scan. Select this option if you do not want to perform a test installation of updates.

Run scan on selected devices. Select this option if you want to test update installation on selected
devices. Click the Add button and select the devices on which you need to perform a test installation of updates.

Run scan on devices in the specified group. Select this option if you want to test update installation on a
group of devices. In the Specify a test group field, specify a group of devices on which you want to perform
a test installation.

Run scan on specified percentage of devices. Select this option if you want to test update installation on
some portion of the devices. In the Percentage of test devices out of all target devices field, specify the
percentage of devices on which you want to perform a test installation of updates.

Global list of subnets


This section provides information about the global list of subnets that you can use in the rules.

To store the information about subnets of your network, you can set up a global list of subnets for each
Administration Server you use. This list helps you match pairs {IP address, mask} and physical units such as branch
offices. You can use subnets from this list in the networking rules and settings.

Adding subnets to the global list of subnets


You can add subnets with their descriptions to the global list of subnets.

To add a subnet to the global list of subnets:

1. In the console tree, select the node of the Administration Server that you require.

2. In the context menu of the Administration Server, select Properties.

3. In the Properties window that opens, in the Sections pane select List of global subnets.

4. Click the Add button.


The New subnet window opens.

5. Fill in the following fields:

General settings

The subnet IP address for the subnet you are adding.

Subnet mask

The subnet mask for the subnet you are adding.

Name

The name of the subnet. It must be unique within the global list of subnets. If you enter the name that
already exists in the list, an index will be added, for example: ~~1, ~~2.

Description

The description may contain some additional information about the branch office that has this subnet.
This text will appear in all lists where this subnet is present, for example, in the list of traffic limitation
rules.

This field is not obligatory and may be left empty.

6. Click OK.

The subnet appears in the list of subnets.

Viewing and modifying subnet properties in the global list of subnets


You can view and modify the properties of subnets in the global list of subnets.

To view or modify properties of a subnet in the global list of subnets:

1. In the console tree, select the node of the Administration Server that you require.

2. In the context menu of the Administration Server, select Properties.

3. In the Properties window that opens, in the left Sections pane, select List of global subnets.

4. In the list, select the subnet that you want.

5. Click the Properties button.


The New subnet window opens.

6. If necessary, change the settings of the subnet.

7. Click OK.

Any changes you have made are saved.

Usage of Network Agent for Windows, for macOS and for Linux: comparison
The Network Agent usage varies depending on the operating system of the device. The Network Agent policy and
installation package settings also differ depending on the operating system. The table below compares Network
Agent features and usage scenarios available for Windows, macOS, and Linux operating systems.

Network Agent feature comparison (Windows, macOS, and Linux)

The per-platform availability marks of the original table are not reproduced here; the features are listed by group,
together with the notes that the table attaches to particular platforms.

Installation:
Automatic generating of the Network Agent installation package after the installation of Kaspersky Security Center
Installing in forced mode, using special options in the remote installation task of Kaspersky Security Center
Installing by sending device users links to stand-alone packages generated by Kaspersky Security Center
Automatic installing of updates and patches for Kaspersky Security Center components
Using tools provided by Kaspersky Security Center for deployment of Network Agent by capturing and copying the
hard drive image
Installing by cloning an image of the administrator's hard drive with the operating system and Network Agent using
third-party tools
Installing with third-party tools for remote installation of applications
Installing manually, by running application installers on devices
Installing Network Agent in silent mode
Manually connecting a client device to the Administration Server (klmover utility)
Automatic distributing of a key
Forced synchronization

Distribution point:
Using as distribution point
Automatic assignment of distribution points (noted for macOS and Linux: without using Network Location
Awareness (NLA))
Offline model of update download
Network polling: IP range polling; Windows network polling; Active Directory polling (the available polling types
depend on the platform)
Running KSN proxy service on a distribution point side
Downloading updates via Kaspersky update servers to the distribution points repositories that distribute updates to
managed devices (If one or more devices running Linux or macOS are within the scope of the Download updates to
the repositories of distribution points task, the task completes with the Failed status, even if it has successfully
completed on all Windows devices.)
Push installation of applications (macOS: restricted, it is not possible to perform push installation on Windows
devices by using macOS distribution points; Linux: restricted, it is not possible to perform push installation on
Windows devices by using Linux distribution points)
Using as a push server

Handling third-party applications:
Remote installation of applications on devices
Software updates
Configuring operating system updates in a Network Agent policy
Viewing information about software vulnerabilities
Scanning applications for vulnerabilities
Inventory of software installed on devices

Virtual machines:
Installing Network Agent on a virtual machine
Optimization settings for virtual desktop infrastructure (VDI)
Support of dynamic virtual machines

Other:
Auditing actions on a remote client device by using Windows Desktop Sharing
Monitoring the anti-virus protection status
Managing device restarts
Support of file system rollback
Using a Network Agent as connection gateway
Connection Manager
Network Agent switching from one Administration Server to another (automatically by network location)
Checking the connection between a client device and the Administration Server (klnagchk utility)
Remotely connecting to the desktop of a client device (the table notes: by using the Virtual Network Computing
(VNC) system)
Downloading a stand-alone installation package through the Migration Wizard
Zeroconf polling
Kaspersky Security Center Web Console
This section describes operations that you can perform by using Kaspersky Security Center Web Console.

About Kaspersky Security Center Web Console


Kaspersky Security Center 14 Web Console (hereinafter also referred to as Kaspersky Security Center Web
Console) is a web application designed to manage the status of the security system of a network protected by
Kaspersky applications.

Using the application, you can do the following:

Manage the status of the organization's security system.

Install Kaspersky applications on devices on your network and manage installed applications.

Manage policies created for devices on your network.

Manage user accounts.

Manage tasks for applications installed on your network devices.

View reports on the security system status.

Manage the delivery of reports to system administrators and other IT experts.

Kaspersky Security Center Web Console provides a web interface that ensures interaction between your device
and Administration Server over a browser. Administration Server is an application designed for managing Kaspersky
applications installed on your network devices. Administration Server connects to devices on your network over
channels protected with Secure Socket Layer (SSL). When you connect to Kaspersky Security Center Web
Console by using your browser, the browser establishes a connection with Kaspersky Security Center Web
Console Server.

You operate Kaspersky Security Center Web Console as follows:

1. Use a browser to connect to Kaspersky Security Center Web Console, where the web portal interface is
displayed.

2. Use web portal controls to choose a command that you want to run. Kaspersky Security Center Web Console
performs the following operations:

If you select a command used for receiving information (for example, to view a list of devices), Kaspersky
Security Center Web Console generates a request for information to Administration Server, receives the
necessary data, and sends it to the browser in an easy-to-view format.

If you have chosen a command used for management (for example, remote installation of an application),
Kaspersky Security Center Web Console receives the command from the browser and sends it to
Administration Server. Then the application receives the result from Administration Server and sends it to
the browser in an easy-to-view format.

Kaspersky Security Center Web Console is a multi-language application. You can change the interface language at
any time, without reopening the application. When you install Kaspersky Security Center Web Console together
with Kaspersky Security Center, Kaspersky Security Center Web Console has the same interface language as the
installation file. When you install only Kaspersky Security Center Web Console, the application has the same
interface language as your operating system. If Kaspersky Security Center Web Console does not support the
language of the installation file or operating system, English is set by default.

Mobile Device Management is not supported in Kaspersky Security Center Web Console. However, if you added
mobile devices to an administration group by using Microsoft Management Console, these devices are also
displayed in Kaspersky Security Center Web Console.

Hardware and software requirements for Kaspersky Security Center Web Console

Kaspersky Security Center Web Console Server

Minimum hardware requirements:

CPU: 4 cores, operating frequency of 2.5 GHz

RAM: 8 GB

Available disk space: 40 GB

The following operating systems are supported:

Microsoft Windows (64-bit versions only):

Microsoft Windows 10 Enterprise 2015 LTSB

Microsoft Windows 10 Enterprise 2016 LTSB

Microsoft Windows 10 Enterprise 2019 LTSC

Microsoft Windows 10 Pro RS5 (October 2018 Update, 1809)

Microsoft Windows 10 Pro for Workstations RS5 (October 2018 Update, 1809)

Microsoft Windows 10 Enterprise RS5 (October 2018 Update, 1809)

Microsoft Windows 10 Education RS5 (October 2018 Update, 1809)

Microsoft Windows 10 Pro 19H1

Microsoft Windows 10 Pro for Workstations 19H1

Microsoft Windows 10 Enterprise 19H1

Microsoft Windows 10 Education 19H1

Microsoft Windows 10 Pro 19H2

Microsoft Windows 10 Pro for Workstations 19H2


Microsoft Windows 10 Enterprise 19H2

Microsoft Windows 10 Education 19H2

Microsoft Windows 10 Home 20H1 (May 2020 Update)

Microsoft Windows 10 Pro 20H1 (May 2020 Update)

Microsoft Windows 10 Enterprise 20H1 (May 2020 Update)

Microsoft Windows 10 Education 20H1 (May 2020 Update)

Microsoft Windows 10 Home 20H2 (October 2020 Update)

Microsoft Windows 10 Pro 20H2 (October 2020 Update)

Microsoft Windows 10 Enterprise 20H2 (October 2020 Update)

Microsoft Windows 10 Education 20H2 (October 2020 Update)

Microsoft Windows 10 Home 21H1 (May 2021 Update) 32-bit/64-bit

Microsoft Windows 10 Pro 21H1 (May 2021 Update) 32-bit/64-bit

Microsoft Windows 10 Enterprise 21H1 (May 2021 Update) 32-bit/64-bit

Microsoft Windows 10 Education 21H1 (May 2021 Update) 32-bit/64-bit

Microsoft Windows 10 Home 21H2 (October 2021 Update) 32-bit/64-bit

Microsoft Windows 10 Pro 21H2 (October 2021 Update) 32-bit/64-bit

Microsoft Windows 10 Enterprise 21H2 (October 2021 Update) 32-bit/64-bit

Microsoft Windows 10 Education 21H2 (October 2021 Update) 32-bit/64-bit

Microsoft Windows 11 Home

Microsoft Windows 11 Pro

Microsoft Windows 11 Enterprise

Microsoft Windows 11 Education

Windows Server 2012 Server Core

Windows Server 2012 Datacenter

Windows Server 2012 Essentials

Windows Server 2012 Foundation

Windows Server 2012 Standard

Windows Server 2012 R2 Server Core

Windows Server 2012 R2 Datacenter

Windows Server 2012 R2 Essentials

Windows Server 2012 R2 Foundation

Windows Server 2012 R2 Standard

Windows Server 2016 Datacenter (LTSB)

Windows Server 2016 Standard (LTSB)

Windows Server 2016 Server Core (Installation Option) (LTSB)

Windows Server 2019 Standard 64-bit

Windows Server 2019 Datacenter 64-bit

Windows Server 2019 Core 64-bit

Windows Server 2022 Standard 64-bit

Windows Server 2022 Datacenter 64-bit

Windows Server 2022 Core 64-bit

Windows Storage Server 2012 64-bit

Windows Storage Server 2012 R2 64-bit

Windows Storage Server 2016 64-bit

Windows Storage Server 2019 64-bit

Linux (64-bit versions only):

Debian GNU/Linux 11.х (Bullseye)

Debian GNU/Linux 10.х (Buster)

Debian GNU/Linux 9.х (Stretch)

Ubuntu Server 20.04 LTS (Focal Fossa)

Ubuntu Server 18.04 LTS (Bionic Beaver)

CentOS 7.x

Red Hat Enterprise Linux Server 8.x

Red Hat Enterprise Linux Server 7.x

SUSE Linux Enterprise Server 12 (all Service Packs)

SUSE Linux Enterprise Server 15 (all Service Packs)

SUSE Linux Enterprise Desktop 15 (Service Pack 3) ARM

Astra Linux Special Edition RUSB.10015-01 (operational update 1.7)

Astra Linux Special Edition RUSB.10015-01 (operational update 1.6)

Astra Linux Common Edition (operational update 2.12)

ALT Server 10

ALT Server 9.2

ALT 8 SP Server (LKNV.11100-01)

ALT 8 SP Server (LKNV.11100-02)

ALT 8 SP Server (LKNV.11100-03)

Oracle Linux 8

Oracle Linux 7

RED OS 7.3 Server

RED OS 7.3 Certified Edition

Among virtualization platforms, Kernel-based Virtual Machine is supported for the following operating systems:

ALT 8 SP Server (LKNV.11100-01) 64-bit

ALT Server 10 64-bit

Astra Linux Special Edition RUSB.10015-01 (operational update 1.7) 64-bit

Debian GNU/Linux 11.х (Bullseye) 32-bit/64-bit

Ubuntu Server 20.04 LTS (Focal Fossa) 64-bit

RED OS 7.3 Server 64-bit

RED OS 7.3 Certified Edition 64-bit

Client devices

For a client device, use of Kaspersky Security Center Web Console requires only a browser.

The hardware and software requirements for the device are identical to the requirements of the browser that is
used with Kaspersky Security Center Web Console.

Browsers:

Mozilla Firefox Extended Support Release 91.8.0 or later (91.8.0 released on April 5, 2022)

Mozilla Firefox Release 99.0 or later (99.0 released on April 5, 2022)

Google Chrome 100.0.4896.88 or later (official build)

Microsoft Edge 100 or later

Deployment diagram of Kaspersky Security Center Administration Server and Kaspersky Security Center Web Console
The figure below shows the deployment diagram of Kaspersky Security Center Administration Server and
Kaspersky Security Center Web Console.

Deployment diagram of Kaspersky Security Center Administration Server and Kaspersky Security Center Web Console

Management plug-ins for Kaspersky applications installed on protected devices (one plug-in for each application)
are deployed together with Kaspersky Security Center Web Console Server.

As an administrator, you access Kaspersky Security Center Web Console by using a browser on your workstation.

When you perform specific actions in Kaspersky Security Center Web Console, Kaspersky Security Center Web Console Server communicates with Kaspersky Security Center Administration Server through OpenAPI. Kaspersky Security Center Web Console Server requests the required information from Kaspersky Security Center Administration Server and displays the results of your operations in Kaspersky Security Center Web Console.

Ports used by Kaspersky Security Center Web Console

The table below lists the ports that must be open on the device where Kaspersky Security Center Web Console Server (also referred to as Kaspersky Security Center Web Console) is installed.

Ports used by Kaspersky Security Center Web Console

Port 2001, service KSCWebConsolePlugin, protocol HTTPS. Purpose: API port that is used by the management plug-in processes to receive requests from KSCWebConsoleManagementService. Scope: running node.exe processes of the management plug-ins.

Ports 1329 and 2003, service KSCWebConsoleManagementService, protocol HTTPS. Purpose: API ports that are used to receive requests from the KSCWebConsole service running on the same device. Scope: updating Kaspersky Security Center Web Console components.

Port 2005, service KSCWebConsole, protocol HTTPS. Purpose: API port that is used to receive requests from the KSCWebConsoleManagementService service running on the same device. Scope: running the node.exe process of Kaspersky Security Center Web Console.

Port 3333, service Kaspersky OSMP KAS Service, protocol HTTPS. Purpose: OAuth 2.0 authorization endpoint port. Scope: Identity and Access Manager.

Port 4004, service Kaspersky OSMP Facade Service, protocol HTTPS. Purpose: OAuth 2.0 identity provider port. Scope: Identity and Access Manager.

Port 4444, service Kaspersky OSMP KAS Service, protocol HTTPS. Purpose: OAuth 2.0 token introspection endpoint port. Scope: Identity and Access Manager.

Port 8200, protocol HTTP. Purpose: API port that is used to generate certificates by means of HashiCorp Vault (for more details, see the HashiCorp Vault website). Scope: installing Kaspersky Security Center Web Console and updating Kaspersky Security Center Web Console components.

Ports 4150, 4151 and 4152, service KSCWebConsoleMessageQueue, protocol HTTPS. Purpose: API ports of the Message Broker that are used for communication between processes of both Kaspersky Security Center Web Console and management plug-ins. Scope: interaction between Kaspersky Security Center Web Console and management plug-ins.

The table below lists the ports that do not have to be open on the device where Kaspersky Security Center Web
Console Server is installed. However, Kaspersky Security Center Web Console uses these ports for Identity and
Access Manager.

Ports used by Kaspersky Security Center Web Console for Identity and Access Manager

Port 4445, service Kaspersky OSMP KAS Service, protocol HTTPS. Purpose: main Identity and Access Manager port, which receives configuration from Kaspersky Security Center Web Console and serves as the OAuth 2.0 authorization endpoint port (for more information about OAuth 2.0, see the OAuth website). Scope: Identity and Access Manager.

Port 2444, service Kaspersky OSMP Facade Service, protocol HTTPS. Purpose: port for the configuration of Identity and Access Manager. Scope: Identity and Access Manager.

Port 2445, service Kaspersky OSMP Facade Service, protocol HTTPS. Purpose: port for the connection of Kaspersky OSMP KAS Service to Kaspersky OSMP Facade Service. Scope: Identity and Access Manager.

Scenario: Installation and initial setup of Kaspersky Security Center Web Console
This scenario describes how to install Kaspersky Security Center 14 Administration Server and Kaspersky Security
Center Web Console, perform initial setup of the Administration Server by using the Quick Start Wizard, and install
Kaspersky applications on managed devices by using the Protection Deployment Wizard.

Installation and initial setup of Kaspersky Security Center Web Console proceeds in stages:

1 Installing a database management system (DBMS)

Install the DBMS that will be used by Kaspersky Security Center or use an existing one.

2 Installing Administration Server, Administration Console, Network Agent

Administration Console and the server version of Network Agent are installed together with Administration
Server.

During the installation of Kaspersky Security Center 14 Administration Server, specify whether you want to install
Kaspersky Security Center Web Console on the same device. If you choose to install both components on the
same device, you do not have to install Kaspersky Security Center Web Console separately, because it is
installed automatically. If you want to install Kaspersky Security Center Web Console on a different device, then,
after installing Kaspersky Security Center 14 Administration Server, proceed to installing Kaspersky Security
Center Web Console.

3 Installing Kaspersky Security Center Web Console

If you did not choose to install Kaspersky Security Center Web Console together with the Kaspersky Security
Center Administration Server on the previous step, install Kaspersky Security Center Web Console separately.
You can install Kaspersky Security Center Web Console on a different device or the same device where
Administration Server is installed.

4 Performing initial setup


When Administration Server installation is complete, at the first connection to the Administration Server the Quick Start Wizard starts automatically. Perform initial configuration of Administration Server according to the existing requirements. During the initial configuration stage, the Wizard uses the default settings to create the policies and tasks that are required for protection deployment. However, the default settings may be less than optimal for the needs of your organization. If necessary, you can edit the settings of policies and tasks.

5 Licensing of Kaspersky Security Center (optional)

Kaspersky Security Center with support of Administration Console basic functionality does not require a license.
You need a commercial license if you want to use one or several of the additional features, including Vulnerability
and Patch Management, Mobile Device Management, and Integration with the SIEM systems. You can add a key file or activation code for these features at the corresponding step of the Quick Start Wizard or manually.

6 Discovery of networked devices

This stage is handled by the Quick Start Wizard. You can also discover the devices manually. Kaspersky Security
Center receives the addresses and names of all devices detected on the network. You can then use Kaspersky
Security Center to install Kaspersky applications and software from other vendors on the detected devices.
Kaspersky Security Center regularly starts device discovery, which means that if any new instances appear on
the network, they will be detected automatically.

7 Arranging devices into administration groups

This stage is handled by the Quick Start Wizard, but you can also move the detected devices into groups
manually.

8 Installing Network Agent and security applications on networked devices

Deployment of protection on an enterprise network entails installation of Network Agent and security
applications (for example, Kaspersky Endpoint Security for Windows) on devices that have been detected by
Administration Server during the device discovery.

To install the applications remotely, run the Protection Deployment Wizard.

Security applications protect devices against viruses and other programs that pose a threat. Network Agent
ensures communication between the device and Administration Server. Network Agent settings are configured automatically by default.

Before you start installing Network Agent and the security applications on networked devices, make sure that
these devices are accessible (turned on).

9 Deploying license keys to client devices

Deploy license keys to client devices to activate managed security applications on those devices.

10 Installing Kaspersky Security for Mobile (optional)

If you plan to manage corporate mobile devices, follow the instructions provided in the Kaspersky Security for
Mobile Help for information about deployment of Kaspersky Endpoint Security for Android.

11 Configuring Kaspersky application policies

To apply different application settings to different devices you can use device-centric security management and/or user-centric security management. Device-centric security management can be implemented by using policies and tasks. You can apply tasks only to those devices that meet specific conditions. To set the conditions for filtering devices, use device selections and tags.

12 Monitoring the network protection status

You can monitor your network by using widgets on the dashboard, generate reports from Kaspersky applications, configure and view selections of events received from the applications on the managed devices, and view notification lists.

Installation
This section describes installation of Kaspersky Security Center and Kaspersky Security Center Web Console.

Installing a database management system


Install the database management system (DBMS) that will be used by Kaspersky Security Center. For this purpose,
choose a supported DBMS. You can select, for example, Microsoft SQL Server, MySQL, or MariaDB.

For information about how to install the selected DBMS, refer to its documentation.

If you install MariaDB or MySQL, use the recommended settings to ensure the DBMS functions properly.

Configuring the MariaDB x64 server for working with Kaspersky Security Center 14

Kaspersky Security Center 14 supports the MariaDB DBMS. For more information about supported versions of MariaDB, see the section Hardware and software requirements.

If you use the MariaDB server for Kaspersky Security Center, enable support of the InnoDB and MEMORY storage engines and of the UTF-8 and UCS-2 encodings.

Recommended settings for the my.ini file

To configure the my.ini file:

1. Open the my.ini file in a text editor.

2. Add the following lines into the [mysqld] section of the my.ini file:
sort_buffer_size=10M
join_buffer_size=100M
join_buffer_space_limit=300M
join_cache_level=8
tmp_table_size=512M
max_heap_table_size=512M
key_buffer_size=200M
innodb_buffer_pool_size=< value >
innodb_thread_concurrency=20
innodb_flush_log_at_trx_commit=0
innodb_lock_wait_timeout=300
max_allowed_packet=32M
max_connections=151
max_prepared_stmt_count=12800
table_open_cache=60000
table_open_cache_instances=4
table_definition_cache=60000

The value of innodb_buffer_pool_size must be no less than 80 percent of the expected KAV database size. Note that the specified memory is allocated at server startup. If the database size is smaller than the specified buffer size, only the required memory is allocated. If you use MariaDB 10.4.3 or older, the actual size of allocated memory is approximately 10 percent greater than the specified buffer size.

It is recommended to use the parameter value innodb_flush_log_at_trx_commit=0, because the values "1" or "2" negatively affect the operating speed of MariaDB. Be aware of the trade-off: with the value 0 the redo log is written and flushed about once per second instead of at every commit, so a crash of MariaDB or of the operating system can lose roughly the last second of committed transactions.

By default, the optimizer add-ons join_cache_incremental, join_cache_hashed, and join_cache_bka are enabled. If these add-ons are not enabled, you must enable them.

To check whether the optimizer add-ons are enabled:

1. In the MariaDB client console, execute the command:

SELECT @@optimizer_switch;

2. Check that its output (a single comma-separated string) contains the following entries:

join_cache_incremental=on
join_cache_hashed=on
join_cache_bka=on
If these entries are present and have the value on, then the optimizer add-ons are enabled.
If these entries are missing or have the value off, do the following:

1. Open the my.ini file in a text editor.

2. Add the following lines into the [mysqld] section of the my.ini file:
optimizer_switch='join_cache_incremental=on'
optimizer_switch='join_cache_hashed=on'
optimizer_switch='join_cache_bka=on'

The add-ons join_cache_incremental, join_cache_hashed, and join_cache_bka are enabled.

Configuring the MySQL x64 server for working with Kaspersky Security Center 14

If you use the MySQL server for Kaspersky Security Center, enable support of the InnoDB and MEMORY storage engines and of the UTF-8 and UCS-2 encodings.

Recommended settings for the my.ini file

To configure the my.ini file:

1. Open the my.ini file in a text editor.

2. Add the following lines into the [mysqld] section of the my.ini file:
sort_buffer_size = 10M
join_buffer_size = 20M
tmp_table_size = 600M
max_heap_table_size = 600M
key_buffer_size = 200M
innodb_buffer_pool_size = < value > (the real value must be no less than 80% of the expected KAV database size)
innodb_thread_concurrency = 20
innodb_flush_log_at_trx_commit = 0 (in most cases, the server uses small transactions)
innodb_lock_wait_timeout = 300
max_allowed_packet = 32M
max_connections = 151
max_prepared_stmt_count = 12800
table_open_cache = 60000
table_open_cache_instances = 4
table_definition_cache = 60000

Note that the memory specified in the innodb_buffer_pool_size value is allocated at server startup. If the database size is smaller than the specified buffer size, only the required memory is allocated. The actual size of allocated memory is approximately 10 percent greater than the specified buffer size. Refer to the MySQL documentation for details.

It is recommended to use the parameter value innodb_flush_log_at_trx_commit = 0, because the values "1" or "2" negatively affect the operating speed of MySQL (with the value 0 the log is flushed about once per second, so a crash can lose up to roughly one second of committed transactions).
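Both the MariaDB and the MySQL sections above leave one value for you to compute (innodb_buffer_pool_size as 80 percent of the expected database size) and, for MariaDB, one thing to verify (the three join cache optimizer flags). The script below is an added example and not Kaspersky code: it renders the [mysqld] fragment for either DBMS with the buffer pool derived from the expected database size, and for MariaDB it parses the output of SELECT @@optimizer_switch; and adds an optimizer_switch line only for the flags that are actually off. The function names are this example's own, and the sample optimizer_switch string is constructed, not captured from a real server.

```python
"""Added example (not Kaspersky code): apply the buffer-pool sizing rule from
the MariaDB and MySQL sections and check the MariaDB optimizer flags."""
import math

# [mysqld] values the page fixes for each DBMS; innodb_buffer_pool_size is derived.
FIXED = {
    "mariadb": {
        "sort_buffer_size": "10M", "join_buffer_size": "100M",
        "join_buffer_space_limit": "300M", "join_cache_level": "8",
        "tmp_table_size": "512M", "max_heap_table_size": "512M",
        "key_buffer_size": "200M", "innodb_thread_concurrency": "20",
        "innodb_flush_log_at_trx_commit": "0", "innodb_lock_wait_timeout": "300",
        "max_allowed_packet": "32M", "max_connections": "151",
        "max_prepared_stmt_count": "12800", "table_open_cache": "60000",
        "table_open_cache_instances": "4", "table_definition_cache": "60000",
    },
    "mysql": {
        "sort_buffer_size": "10M", "join_buffer_size": "20M",
        "tmp_table_size": "600M", "max_heap_table_size": "600M",
        "key_buffer_size": "200M", "innodb_thread_concurrency": "20",
        "innodb_flush_log_at_trx_commit": "0", "innodb_lock_wait_timeout": "300",
        "max_allowed_packet": "32M", "max_connections": "151",
        "max_prepared_stmt_count": "12800", "table_open_cache": "60000",
        "table_open_cache_instances": "4", "table_definition_cache": "60000",
    },
}
# Optimizer add-ons the MariaDB section requires to be on.
REQUIRED_JOIN_CACHE_FLAGS = ("join_cache_incremental", "join_cache_hashed", "join_cache_bka")

# Constructed sample of `SELECT @@optimizer_switch;` output (not from a real server).
SAMPLE_OPTIMIZER_SWITCH = (
    "index_merge=on,index_merge_union=on,join_cache_incremental=on,"
    "join_cache_hashed=off,join_cache_bka=on,mrr=off"
)


def buffer_pool_size_mb(expected_db_size_mb, ratio=0.8):
    """innodb_buffer_pool_size must be at least 80 percent of the expected KAV
    database size; round up so the value never drops below the threshold."""
    if expected_db_size_mb <= 0:
        raise ValueError("expected database size must be positive")
    return math.ceil(expected_db_size_mb * ratio)


def parse_optimizer_switch(value):
    """Turn 'flag=on,flag=off,...' into {flag: bool}."""
    flags = {}
    for item in value.split(","):
        name, _, state = item.strip().partition("=")
        if name:
            flags[name] = state.strip().lower() == "on"
    return flags


def missing_join_cache_flags(optimizer_switch):
    """Required join cache flags that are absent or off in the server's output."""
    flags = parse_optimizer_switch(optimizer_switch)
    return [f for f in REQUIRED_JOIN_CACHE_FLAGS if not flags.get(f, False)]


def render_mysqld_section(dbms, expected_db_size_mb, optimizer_switch=""):
    """Build the [mysqld] lines for 'mariadb' or 'mysql'. For MariaDB, pass the
    server's optimizer_switch string to add only the flags that are off; MariaDB
    accepts several flags in one comma-separated optimizer_switch assignment."""
    if dbms not in FIXED:
        raise ValueError("dbms must be 'mariadb' or 'mysql'")
    lines = ["[mysqld]"]
    lines += [f"{key}={value}" for key, value in FIXED[dbms].items()]
    lines.append(f"innodb_buffer_pool_size={buffer_pool_size_mb(expected_db_size_mb)}M")
    if dbms == "mariadb" and optimizer_switch:
        missing = missing_join_cache_flags(optimizer_switch)
        if missing:
            lines.append("optimizer_switch='" + ",".join(f"{f}=on" for f in missing) + "'")
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    # Example: a 20 GB database on MariaDB whose optimizer has join_cache_hashed off.
    print(render_mysqld_section("mariadb", 20 * 1024, SAMPLE_OPTIMIZER_SWITCH))
```

Paste the printed fragment into the [mysqld] section of my.ini and restart the DBMS; rerun SELECT @@optimizer_switch; afterwards to confirm the three flags read on.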

Installing Kaspersky Security Center Web Console


This section describes how to install Kaspersky Security Center Web Console Server (also referred to as
Kaspersky Security Center Web Console) separately. Before installation, you must install a database management
system and the Kaspersky Security Center Administration Server. You can install Kaspersky Security Center Web
Console either on the same device where Kaspersky Security Center is installed, or on a different one.

To install Kaspersky Security Center Web Console:

1. Under an account with administrative privileges, run the ksc-web-console-<version number>.<build number>.exe installation file.
This starts the Setup Wizard.

2. Select a language for the Setup Wizard.

3. In the welcome window, click Next.

4. In the License Agreement window, read and accept the terms of the End User License Agreement. The
installation continues after you accept the EULA, otherwise, the Next button is unavailable.

5. In the Destination folder window, select a folder where Kaspersky Security Center Web Console will be
installed (by default, %ProgramFiles%\Kaspersky Lab\Kaspersky Security Center Web Console). If such a
folder does not exist, it is created automatically during the installation.
You can change the destination folder by using the Browse button.

6. In the Kaspersky Security Center Web Console connection settings window, specify the following
information:

The address of Kaspersky Security Center Web Console (by default, 127.0.0.1).

The port that Kaspersky Security Center Web Console will use for incoming connections, that is, the port
that gives access to Kaspersky Security Center Web Console from a browser (by default, 8080).

We recommend that you leave the address and the port number as they are.
If you want, you can click Test to make sure that the selected port is available.

If you want to enable logging of Kaspersky Security Center Web Console activities, select the appropriate option. If you do not select this option, Kaspersky Security Center Web Console log files will not be created.

7. In the Account settings window, specify the account names and passwords.
We recommend that you use default accounts.

8. In the Client certificate window, select one of the following:

Generate new certificate. This option is recommended if you do not have a browser certificate.

Choose existing. You can select this option if you already have a browser certificate; in this case, specify the path to it.

If you choose to generate a new certificate, when you open Kaspersky Security Center Web Console, the browser may inform you that the connection to Kaspersky Security Center Web Console is not private and the Kaspersky Security Center Web Console certificate is invalid. This warning appears because the Kaspersky Security Center Web Console certificate is self-signed and automatically generated by Kaspersky Security Center. To remove this warning, create a certificate that is trusted in your infrastructure and that meets the requirements for custom certificates. Next, select the Choose existing option in the Client certificate window, and then specify the path to your custom certificate. Until you do, the browser has no way to tell the genuine Web Console from a host impersonating it, so administrators should not get used to clicking through the warning.

Certificates in the PFX format are not supported by Kaspersky Security Center Web Console. To use such a certificate, you must first convert it to the supported PEM format by using an OpenSSL-based cross-platform utility, such as OpenSSL for Windows.

9. In the Trusted Administration Servers window, make sure that your Administration Server is on the list and
click Next to proceed to the last window of the installer.
If you need to add a new Administration Server to the list, click the Add button. In the opened window, specify
the properties of a new trusted Administration Server:

Administration Server name


The Administration Server name that will be displayed in the login window of Kaspersky Security Center
Web Console.

Administration Server address


The IP address of the device where you install Administration Server.

Administration Server port


The OpenAPI port that Kaspersky Security Center Web Console uses to connect to Administration Server
(default value is 13299).

Administration Server certificate

The certificate file is stored on the device where Administration Server is installed. The default path to the Administration Server certificate:

For Windows: %ALLUSERSPROFILE%\Application Data\KasperskyLab\adminkit\1093\cert

For Linux: /var/opt/kaspersky/klnagent_srv/1093/cert/

If you install Kaspersky Security Center Web Console on the same device where Administration Server is installed, use one of the paths given above. Otherwise, copy the certificate file from the device where Administration Server is installed to the device where you install Kaspersky Security Center Web Console, and then specify the local path to the certificate.

10. In the Identity and Access Manager (IAM) window, specify whether you want to install Identity and Access Manager (also referred to as IAM). If you choose to install Identity and Access Manager, specify the following port numbers:

KAS administrator port. By default, port 4445 is used to receive configuration from Kaspersky Security Center Web Console and as the OAuth 2.0 authorization endpoint port.

Facade administrator port. By default, port 2444 is used for the configuration of Identity and Access Manager.

Facade interaction port. By default, port 2445 is used for the connection of Kaspersky OSMP KAS Service to Kaspersky OSMP Facade Service.

If you want, you can change the default port numbers. You will not be able to change them later via Kaspersky Security Center Web Console.

11. In the last window of the installer, click Install to begin the installation.

After the installation successfully completes, a shortcut appears on your desktop, and you can log in to Kaspersky
Security Center Web Console.

The Administration Server Quick Start Wizard starts if you did not run it in the Microsoft Management Console
based Administration Console.

Troubleshooting

If Kaspersky Security Center Web Console is not displayed in your browser at the URL you typed, try the following:

1. Check that you specified the correct host name or IP address of the device on which Kaspersky Security Center Web Console is installed.

2. Check that the device that you want to operate has access to the device on which Kaspersky Security Center
Web Console is installed.

3. Check that firewall settings on the device on which Kaspersky Security Center Web Console is installed allow incoming connections through port 8080 and for the application node.exe.

4. In Windows, open Services. Check that the Kaspersky Security Center Web Console service is running.

5. Check that you can access Kaspersky Security Center by using Administration Console.

6. In Windows, open Event Viewer, and then select Applications and Services Logs → Kaspersky Event Log.
Make sure that the log does not contain errors.
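The port table in the section Ports used by Kaspersky Security Center Web Console and step 3 of the troubleshooting list above both reduce to one question: is each port actually accepting connections? The script below is an added example and not part of the Kaspersky documentation or product. The port-to-service mapping is taken from the table on this page plus the installer's default browser port 8080; the target host is an assumption passed on the command line, and the function names are this example's own.

```python
"""Added example (not Kaspersky code): check which Kaspersky Security Center
Web Console ports accept TCP connections on a host."""
import socket
import sys

# Port -> service, from the port table on this page plus the installer's
# default browser port. Adjust 8080 if you changed it during installation.
WEB_CONSOLE_PORTS = {
    8080: "KSCWebConsole (browser access, installer default)",
    2001: "KSCWebConsolePlugin",
    1329: "KSCWebConsoleManagementService",
    2003: "KSCWebConsoleManagementService",
    2005: "KSCWebConsole",
    3333: "Kaspersky OSMP KAS Service (OAuth 2.0 authorization endpoint)",
    4004: "Kaspersky OSMP Facade Service (OAuth 2.0 identity provider)",
    4444: "Kaspersky OSMP KAS Service (OAuth 2.0 token introspection)",
    8200: "HashiCorp Vault certificate API (HTTP)",
    4150: "KSCWebConsoleMessageQueue",
    4151: "KSCWebConsoleMessageQueue",
    4152: "KSCWebConsoleMessageQueue",
}


def is_listening(host, port, timeout=1.0):
    """True if a TCP connection to host:port is accepted within timeout.
    A refused, filtered or timed-out connection counts as not listening."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def audit_ports(host, ports=None, timeout=1.0):
    """Return {port: (service, listening?)} for every port in the mapping."""
    ports = WEB_CONSOLE_PORTS if ports is None else ports
    return {port: (service, is_listening(host, port, timeout))
            for port, service in ports.items()}


def closed_ports(audit):
    """Sorted list of ports that did not accept a connection."""
    return sorted(port for port, (_, up) in audit.items() if not up)


def local_listener():
    """Throw-away listener on an ephemeral loopback port, used to exercise
    is_listening without a real Web Console installation."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    return srv, srv.getsockname()[1]


if __name__ == "__main__":
    # Run on the Web Console host for the component ports, and from the
    # administrator's workstation for the browser port.
    target = sys.argv[1] if len(sys.argv) > 1 else "127.0.0.1"
    result = audit_ports(target)
    for port, (service, up) in sorted(result.items()):
        print(f"{port:5d}  {'open' if up else 'CLOSED':6s}  {service}")
    sys.exit(1 if closed_ports(result) else 0)
```

Two caveats when reading the result: an open port only proves that something is listening, not that it is the expected Kaspersky service, so pair a surprising result with the Services console check in step 4; and the Identity and Access Manager ports 4445, 2444 and 2445 are deliberately absent from the mapping, since the page states they do not have to be open on the device.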

Installation of Kaspersky Security Center Web Console on Linux platforms


This section explains how to install Kaspersky Security Center Web Console Server (also referred to as Kaspersky
Security Center Web Console) on devices running the Linux operating system (see the list of supported Linux
distributions).

Installing Kaspersky Security Center Web Console on Linux platforms
This section describes how to install Kaspersky Security Center Web Console Server (also referred to as
Kaspersky Security Center Web Console) on devices running the Linux operating system. Before installation, you
must install a database management system and the Kaspersky Security Center Administration Server.

Use one of the following installation files that corresponds to the Linux distribution installed on your device:

For Debian—ksc-web-console-[build_number].x86_64.deb

For RPM-based operating systems—ksc-web-console-[build_number].x86_64.rpm

For ALT 8 SP—ksc-web-console-[build_number]-alt8p.x86_64.rpm

You receive the installation file by downloading it from the Kaspersky website.

To install Kaspersky Security Center Web Console:

1. Make sure that the device on which you want to install Kaspersky Security Center Web Console is running one
of the supported Linux distributions.

2. Read the End User License Agreement (EULA). If the Kaspersky Security Center distribution kit does not include a TXT file with the text of the EULA, you can download the file from the Kaspersky website. If you do not accept the terms of the License Agreement, do not install the application.

3. Create a response file that contains the parameters for connecting Kaspersky Security Center Web Console to the Administration Server. Name this file ksc-web-console-setup.json, and then place it in the /etc directory, so that its full path is /etc/ksc-web-console-setup.json.
Example of a response file containing the minimal set of parameters and the default address and port:
{
"address": "127.0.0.1",
"port": 8080,
"trusted": "127.0.0.1|13299|/var/opt/kaspersky/klnagent_srv/1093/cert/klserver.cer|KSC Server",
"acceptEula": true
}

When you install Kaspersky Security Center Web Console on the Linux ALT operating system, you must
specify a port number other than 8080, because port 8080 is used by the operating system.

Kaspersky Security Center Web Console cannot be updated by using the same .rpm installation file. If you want to change settings in a response file and use this file to reinstall the application, you must first remove the application, and then install it again with the new response file.

4. Under an account with root privileges, use the command line to run the setup file with the .deb or .rpm extension, depending on your Linux distribution.

To install or upgrade Kaspersky Security Center Web Console from a .deb file, run the following command:
$ sudo dpkg -i ksc-web-console-[build_number].x86_64.deb

To install Kaspersky Security Center Web Console from an .rpm file, run the following command:
$ sudo rpm -ivh --nodeps ksc-web-console-[build_number].x86_64.rpm

To upgrade from a previous version of Kaspersky Security Center Web Console, run one of the following
commands:

For devices running RPM-based operating system:


$ sudo rpm -Uvh --nodeps --force ksc-web-console-[build_number].x86_64.rpm

For devices running Debian-based operating system:


$ sudo dpkg -i ksc-web-console-[build_number].x86_64.deb

This starts unpacking of the setup le. Please wait until the installation is complete. Kaspersky Security Center
Web Console is installed to the following directory: /var/opt/kaspersky/ksc-web-console.

When the installation is complete, you can use your browser to open and log in to Kaspersky Security Center
Web Console.

Kaspersky Security Center Web Console installation parameters


For installing Kaspersky Security Center Web Console Server on devices running Linux, you must create a response file in the JSON format, which contains parameters for connecting Kaspersky Security Center Web Console to the Administration Server.

Example of a response file that specifies the default address and port together with the optional parameters:

{
"address": "127.0.0.1",
"port": 8080,
"defaultLangId": 1049,
"enableLog": false,
"trusted": "127.0.0.1|13299|/var/opt/kaspersky/klnagent_srv/1093/cert/klserver.cer|KSC Server",
"acceptEula": true,
"certPath": "/var/opt/kaspersky/klnagent_srv/1093/cert/klserver.cer",
"webConsoleAccount": "Group1 : User1",
"managementServiceAccount": "Group1 : User2",
"serviceWebConsoleAccount": "Group1 : User3",
"pluginAccount": "Group1 : User4",
"messageQueueAccount": "Group1 : User5"
}

When you install Kaspersky Security Center Web Console on the Linux ALT operating system, you must
specify a port number other than 8080, because port 8080 is used by the operating system.

The table below describes the parameters that can be specified in a response file.

Parameters for installing Kaspersky Security Center Web Console on devices running Linux

address (required). Address of Kaspersky Security Center Web Console Server. String value.

port (required). Number of the port on which Kaspersky Security Center Web Console Server accepts incoming connections, that is, the port that gives access to Kaspersky Security Center Web Console from a browser (8080 in the example above). Numerical value. The port used to reach the Administration Server is specified separately, in the trusted parameter.

defaultLangId. Language of the user interface (by default, 1033). Numerical code of the language: German 1031, English 1033, Spanish 3082, Spanish (Mexico) 2058, French 1036, Japanese 1041, Kazakh 1087, Polish 1045, Portuguese (Brazil) 1046, Russian 1049, Turkish 1055, Simplified Chinese 4, Traditional Chinese 31748. If no value is specified, English is used.

enableLog. Whether or not to enable Kaspersky Security Center Web Console activity logging. Boolean value: true enables logging, false disables logging.

trusted (required). List of trusted Administration Servers allowed to connect to Kaspersky Security Center Web Console. String value in which each Administration Server is defined by four parts separated with vertical bars, "server address|port|certificate path|server name":

Administration Server address

OpenAPI port that is used by Kaspersky Security Center Web Console to connect to the Administration Server (by default, 13299)

Path to the certificate of the Administration Server

Administration Server name that will be displayed in the login window

Example for one Administration Server: "127.0.0.1|13299|/var/opt/kaspersky/klnagent_srv/1093/cert/klserver.cer|KSC Server". If several Administration Servers are specified, separate their entries with two vertical bars (pipes), in the form "address1|port1|certificate1|name1||address2|port2|certificate2|name2".

acceptEula (required). Whether or not you accept the terms of the End User License Agreement (EULA). The file containing the terms of the EULA is downloaded together with the installation file. Boolean value: true means that you have fully read, understand and accept the terms of the End User License Agreement; false (selected by default) means that you do not accept the terms.

certDomain. If you want to generate a new certificate, use this parameter to specify the domain name for which the new certificate is to be generated. String value.

certPath. If you want to use an existing certificate, use this parameter to specify the path to the certificate file. String value. Specify the path /var/opt/kaspersky/klnagent_srv/1093/cert/klserver.cer to use the existing certificate; for a custom certificate, specify the path where this custom certificate is stored.

keyPath. If you want to use an existing certificate, use this parameter to specify the path to the key file. String value.

webConsoleAccount. Name of the account under which the KSCWebConsole service is run. String value in the format "group : user", for example "Group1 : User1". If no value is specified, the Kaspersky Security Center Web Console installer creates a new account with the name user_management_%uid%.

managementServiceAccount. Name of the privileged account under which the KSCWebConsoleManagement service is run. String value in the format "group : user", for example "Group1 : User1". If no value is specified, the Kaspersky Security Center Web Console installer creates a new account with the name user_nodejs_%uid%.

serviceWebConsoleAccount. Name of the account under which the KSCSvcWebConsole service is run. String value in the format "group : user", for example "Group1 : User1". If no value is specified, the Kaspersky Security Center Web Console installer creates a new account with the name user_svc_nodejs_%uid%.

pluginAccount. Name of the account under which the KSCWebConsolePlugin service is run. String value in the format "group : user", for example "Group1 : User1". If no value is specified, the Kaspersky Security Center Web Console installer creates a new account with the name user_web_plugin_%uid%.

messageQueueAccount. Name of the account under which the KSCWebConsoleMessageQueue service is run. String value in the format "group : user", for example "Group1 : User1". If no value is specified, the Kaspersky Security Center Web Console installer creates a new account with the name user_message_queue_%uid%.

If you specify the webConsoleAccount, managementServiceAccount, serviceWebConsoleAccount, pluginAccount, or messageQueueAccount parameters, make sure that the custom user accounts belong to the same security group. If these parameters are not specified, the Kaspersky Security Center Web Console installer creates a default security group, and then creates user accounts with default names in this group. Keep one account per service, as the installer defaults do: only the management service needs the privileged account, and reusing it for the other four services would give each of them rights it does not need.
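The response file shown in step 3 of the Linux installation procedure and the parameter table above are easy to get subtly wrong: the trusted value is a single pipe-separated string, the ALT Linux restriction on port 8080 is easy to forget, and a missing certificate file is not noticed until the installer runs. The script below is an added example, not part of the Kaspersky documentation or installer; its function names and checks are its own, and it applies the rules stated on this page (required parameters, the trusted format, the ALT Linux port note and the shared-security-group note). The 0600 file mode is this example's choice.

```python
"""Added example (not Kaspersky code): build and validate the
ksc-web-console-setup.json response file used by the Linux installer."""
import json
import os

TRUSTED_FIELDS = ("address", "port", "cert_path", "name")
ACCOUNT_KEYS = ("webConsoleAccount", "managementServiceAccount",
                "serviceWebConsoleAccount", "pluginAccount", "messageQueueAccount")


def format_trusted(servers):
    """Encode Administration Servers as "address|port|cert path|name", joined
    with "||" when there are several, as the trusted parameter expects."""
    entries = []
    for server in servers:
        values = [str(server[field]) for field in TRUSTED_FIELDS]
        if any("|" in value for value in values):
            raise ValueError("'|' is the field separator and cannot appear in a value")
        entries.append("|".join(values))
    return "||".join(entries)


def parse_trusted(value):
    """Inverse of format_trusted; raises ValueError on a malformed entry."""
    servers = []
    for entry in value.split("||"):
        fields = entry.split("|")
        if len(fields) != len(TRUSTED_FIELDS) or not all(fields):
            raise ValueError(f"malformed trusted entry: {entry!r}")
        address, port, cert_path, name = fields
        servers.append({"address": address, "port": int(port),
                        "cert_path": cert_path, "name": name})
    return servers


def build_response(servers, port=8080, address="127.0.0.1",
                   enable_log=False, accept_eula=True, lang_id=None):
    """Minimal response document; optional parameters are added only when set."""
    doc = {"address": address, "port": port, "enableLog": enable_log,
           "trusted": format_trusted(servers), "acceptEula": accept_eula}
    if lang_id is not None:
        doc["defaultLangId"] = lang_id
    return doc


def validate_response(doc, alt_linux=False, check_files=True):
    """Return a list of problems (empty when the document passes these checks):
    required keys, port range, the ALT Linux 8080 restriction, EULA acceptance,
    trusted syntax, certificate presence and a shared security group."""
    problems = [f"missing required parameter {key}"
                for key in ("address", "port", "trusted", "acceptEula") if key not in doc]
    if problems:
        return problems
    port = doc["port"]
    if not isinstance(port, int) or not 1 <= port <= 65535:
        problems.append("port must be an integer between 1 and 65535")
    elif alt_linux and port == 8080:
        problems.append("port 8080 is used by the operating system on ALT Linux; choose another port")
    if doc["acceptEula"] is not True:
        problems.append("acceptEula must be true, otherwise the installer does not proceed")
    try:
        servers = parse_trusted(doc["trusted"])
    except ValueError as exc:
        return problems + [str(exc)]
    for server in servers:
        if not 1 <= server["port"] <= 65535:
            problems.append(f"{server['name']}: OpenAPI port {server['port']} is out of range")
        if check_files and not os.path.isfile(server["cert_path"]):
            problems.append(f"{server['name']}: certificate not found at {server['cert_path']}")
    groups = {doc[key].split(":")[0].strip() for key in ACCOUNT_KEYS if key in doc}
    if len(groups) > 1:
        problems.append(f"service accounts must share one security group, found {sorted(groups)}")
    return problems


def write_response(doc, path="/etc/ksc-web-console-setup.json"):
    """Write the file where the installer reads it; 0600 is this example's choice
    (the installer runs as root, nothing else needs to read the file)."""
    problems = validate_response(doc)
    if problems:
        raise ValueError("; ".join(problems))
    with open(path, "w", encoding="utf-8") as fh:
        json.dump(doc, fh, indent=2)
    os.chmod(path, 0o600)
```

Run validate_response on the Web Console host itself (where the copied Administration Server certificate must exist) before you run dpkg or rpm; remember from the note above that a changed response file requires removing and reinstalling the application rather than re-running the same package.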

Installing Kaspersky Security Center Web Console connected to Administration Server installed on failover cluster nodes
This section describes how to install Kaspersky Security Center Web Console Server (hereinafter also referred to
as Kaspersky Security Center Web Console), that connects to Administration Server installed on Kaspersky or
Microsoft failover cluster nodes. Prior to installing Kaspersky Security Center Web Console, install a database
management system and Kaspersky Security Center Administration Server on Kaspersky failover cluster nodes or
on Microsoft failover cluster nodes.

If you use a Microsoft failover cluster, we do not recommend installing Kaspersky Security Center Web
Console on a failover cluster node. In case of node failure, you will lose access to Administration Server.

To install Kaspersky Security Center Web Console that connects to Administration Server installed on failover
cluster nodes:

1. Perform the steps of the Kaspersky Security Center Web Console installation, starting from step 1 to step 8.

2. At step 9, in the Trusted Administration Servers window, click the Add button to add a failover cluster as a
trusted Administration Server.
In the opened window, specify the following properties:

Administration Server name


The cluster name that will be displayed in the login window of Kaspersky Security Center Web Console.

Administration Server address


Depending on the failover cluster type, specify the cluster address:

Kaspersky failover cluster. Specify the IP address of the secondary network adapter as the cluster
address if you created the adapter when preparing the cluster nodes. Otherwise, specify the IP address
of the third-party load balancer that you use.

Microsoft failover cluster. Specify the cluster address that you obtained when creating the Microsoft
failover cluster.

Administration Server port

The OpenAPI port that Kaspersky Security Center Web Console uses to connect to Administration Server (default value is 13299).

Administration Server certificate

The Administration Server certificate is located in the shared data storage of the Kaspersky failover cluster or the Microsoft failover cluster. The default path to the certificate file: <shared data folder>\1093\cert\klserver.cer. Copy the certificate file from the shared data storage to the device where you install Kaspersky Security Center Web Console. Specify the local path to the Administration Server certificate.

3. Continue with the standard installation of Kaspersky Security Center Web Console.

After the installation is complete, a shortcut appears on your desktop and you can log in to Kaspersky Security
Center Web Console.

If you use a Kaspersky failover cluster, you can go to DISCOVERY & DEPLOYMENT → UNASSIGNED DEVICES to view the information about the cluster nodes and the file server.

Upgrading Kaspersky Security Center Web Console


If you want to use a newer version of Kaspersky Security Center Web Console without removing your currently
installed instance, you can use the standard upgrade procedure provided in the Kaspersky Security Center Web
Console installer.

To upgrade Kaspersky Security Center Web Console:

1. Under an account with administrator rights, run the ksc-web-console-<version number>.<build number>.exe installation file, where <build number> stands for a Kaspersky Security Center Web Console build whose number is later than that of your currently installed instance.

2. In the Setup Wizard window that opens, select a language, and then click OK.

3. In the welcome window, select the Upgrade option, and then click Next.

4. In the License Agreement window, read and accept the terms of the End User License Agreement. The
installation continues after you accept the EULA; otherwise, the Next button is unavailable.

5. Progress through the steps of the Setup Wizard until you finish the installation. When progressing, you can also modify the Kaspersky Security Center Web Console settings that you specified during the previous installation. When you reach the Ready for Kaspersky Security Center 14 Web Console modification step, click the Upgrade button. Wait until the new settings are applied and on the next step of the Setup Wizard, click Finish. You can also click the Start Kaspersky Security Center 14 Web Console in your browser link to start the upgraded instance of Kaspersky Security Center Web Console immediately.

Modifying the Kaspersky Security Center Web Console settings during the upgrade is only available in
Kaspersky Security Center Web Console version 12.2 or later.

Your Kaspersky Security Center Web Console instance is upgraded.

Certificates for work with Kaspersky Security Center Web Console

This section describes how to issue and replace certificates for Kaspersky Security Center Web Console and how to renew a certificate for Administration Server if the Server interacts with Kaspersky Security Center Web Console.

Reissuing the certificate for Kaspersky Security Center Web Console

Most browsers impose a limit on the validity term of a certificate. To fall within this limit, the validity term of the Kaspersky Security Center Web Console certificate is limited to 397 days. You can replace an existing certificate received from a certification authority (CA) by issuing a new self-signed certificate manually. Alternatively, you can reissue your expired Kaspersky Security Center Web Console certificate.

If you already use a self-signed certificate, you can also reissue it by upgrading Kaspersky Security Center Web Console through the standard procedure in the installer (Upgrade option).

When you open the Web Console, the browser may inform you that the connection to the Web Console is not private and the Web Console certificate is invalid. This warning appears because the Web Console certificate is self-signed and automatically generated by Kaspersky Security Center. To remove or prevent this warning, you can do one of the following:

Specify a custom certificate when you reissue it (recommended option). Create a certificate that is trusted in your infrastructure and that meets the requirements for custom certificates.

Add the Web Console certificate to the list of trusted browser certificates after you reissue the certificate. We recommend that you use this option only if you cannot create a custom certificate.

To issue a new certificate when you install Kaspersky Security Center Web Console for the first time:

1. Run the routine installation of Kaspersky Security Center Web Console.

2. When you reach the Client certificate step of the Setup Wizard, select the Generate new certificate option, and then click the Next button.

3. Progress through the remaining steps of the Setup Wizard until you finish the installation.
A new certificate for Kaspersky Security Center Web Console is issued with a validity term of 397 days.

To reissue the expired Kaspersky Security Center Web Console certificate:

1. Under an account with administrator rights, run the ksc-web-console-<version number>.<build number>.exe installation file.

2. In the Setup Wizard window that opens, select a language, and then click OK.

3. In the welcome window, select the Reissue certificate option, and then click Next.

4. On the next step, wait until the reconfiguration of Kaspersky Security Center Web Console is complete, and then click Finish.
The Kaspersky Security Center Web Console certificate is reissued for another validity term of 397 days.

If you use Identity and Access Manager, you must also reissue all the TLS certificates for the ports that Identity and Access Manager uses. Kaspersky Security Center Web Console displays a notification when a certificate expires. You must follow the notification instructions.

Replacing certificate for Kaspersky Security Center Web Console

By default, when you install Kaspersky Security Center Web Console Server, a browser certificate for the application is generated automatically. You can replace the automatically generated certificate with a custom one.

To replace the certificate for Kaspersky Security Center Web Console Server with a custom one:

1. On the device where Kaspersky Security Center Web Console Server is installed, run the ksc-web-console-<version number>.<build number>.exe installation file under an account with administrative privileges.
This starts the Setup Wizard.

2. On the first page of the Wizard, select the Upgrade option.

3. On the Client certificate page, select the Choose existing certificate option and specify the path to the custom certificate.

Specifying client certificate

4. On the last page of the Wizard, click Modify to apply the new settings.

5. After the application reconfiguration successfully completes, click the Finish button.

Kaspersky Security Center Web Console works with the specified certificate.

Specifying certificates for trusted Administration Servers in Kaspersky Security Center Web Console

The existing Administration Server certificate is automatically replaced with a new one before the certificate expiration date. You can also replace the existing Administration Server certificate with a custom one. Every time the certificate is changed, the new certificate must be specified in the settings of Kaspersky Security Center Web Console. Otherwise, Kaspersky Security Center Web Console will not be able to connect to the Administration Server.

If Kaspersky Security Center Web Console and the Administration Server are installed on the same device, Kaspersky Security Center Web Console receives the new certificate automatically. If Kaspersky Security Center Web Console is installed on a different device, you must specify the local path to the new Administration Server certificate.

To specify a new certificate for the Administration Server:

1. On the device where the Administration Server is installed, copy the certificate file, for example, to a mass storage device.
By default, the certificate file is stored in the following folder:

For Windows—%ALLUSERSPROFILE%\Application Data\KasperskyLab\adminkit\1093\cert

For Linux—/var/opt/kaspersky/klnagent_srv/1093/cert/

2. On the device where Kaspersky Security Center Web Console is installed, place the certificate file in a local folder.

3. Run the ksc-web-console-<version number>.<build number>.exe installation file under an account with administrative privileges.
This starts the Setup Wizard.

4. On the first page of the Wizard, select the Upgrade option.
Follow the instructions of the Wizard.

5. On the Trusted Administration Servers page of the Wizard, select the required Administration Server and click the Edit button.

Specifying trusted Administration Servers

6. In the Edit Administration Server window that opens, click the Browse button, specify the path to the new certificate file, and then click the Update button to apply changes.

7. On the Ready for Kaspersky Security Center 14 Web Console installation page of the Wizard, click the Upgrade button to start the upgrade.

8. After the application reconfiguration successfully completes, click the Finish button.

9. Log in to Kaspersky Security Center Web Console.

Kaspersky Security Center Web Console works with the specified certificate.

Converting a PFX certificate to the PEM format

To use a PFX certificate in Kaspersky Security Center Web Console, you must first convert it to the PEM format by using any convenient OpenSSL-based cross-platform utility.

To convert a PFX certificate to the PEM format in the Windows operating system:

1. In an OpenSSL-based cross-platform utility, execute the following commands:

openssl pkcs12 -in <filename.pfx> -clcerts -nokeys -out server.crt
openssl pkcs12 -in <filename.pfx> -nocerts -nodes -out key.pem

As a result, you get the certificate as a .crt file and the private key as a .pem file. The -nodes option writes the private key unencrypted; if you omit it, OpenSSL asks for a passphrase and writes a passphrase-protected key.

2. Make sure that the .crt and .pem files are generated to the same folder where the .pfx file is stored.

3. If the .crt or .pem file contains "Bag Attributes" (or "Key Attributes") lines before the -----BEGIN line, delete these attributes by using any convenient text editor, and then save the file. Only the text from the -----BEGIN line to the -----END line (inclusive) must remain.

4. Restart the Windows service.

5. Kaspersky Security Center Web Console does not support passphrase-protected private keys. If key.pem is passphrase-protected (its header reads ENCRYPTED PRIVATE KEY, or the file contains a Proc-Type: 4,ENCRYPTED line), run the following command in an OpenSSL-based cross-platform utility to remove the passphrase from the .pem file:
openssl rsa -in key.pem -out key-without-passphrase.pem

Do not use the same name for the input and output .pem files.

As a result, the new .pem file is unencrypted. You do not have to enter a passphrase to use it.

The .crt and .pem files are ready to use, so you can specify them in the Kaspersky Security Center Web Console installer.

To convert a PFX certificate to the PEM format in the Linux operating system:

1. In an OpenSSL-based cross-platform utility, execute the following commands:

openssl pkcs12 -in <filename.pfx> -clcerts -nokeys | sed -ne '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p' > server.crt
openssl pkcs12 -in <filename.pfx> -nocerts -nodes | sed -ne '/-BEGIN PRIVATE KEY-/,/-END PRIVATE KEY-/p' > key.pem

The sed filters keep only the PEM blocks and drop the "Bag Attributes" lines, so no manual editing is needed. The second pattern matches the PKCS#8 header (-----BEGIN PRIVATE KEY-----) that current OpenSSL versions emit with -nodes. If your OpenSSL build writes -----BEGIN RSA PRIVATE KEY----- or -----BEGIN EC PRIVATE KEY----- instead, the pattern matches nothing and key.pem is empty; adjust the pattern to the header that your build produces.

2. Make sure that the certificate file and the private key are generated to the same directory where the .pfx file is stored.

3. Kaspersky Security Center Web Console does not support passphrase-protected private keys. If key.pem is passphrase-protected (its header reads ENCRYPTED PRIVATE KEY, or the file contains a Proc-Type: 4,ENCRYPTED line), run the following command in an OpenSSL-based cross-platform utility to remove the passphrase from the .pem file:
openssl rsa -in key.pem -out key-without-passphrase.pem

Do not use the same name for the input and output .pem files.

As a result, the new .pem file is unencrypted. You do not have to enter a passphrase to use it.

The .crt and .pem files are ready to use, so you can specify them in the Kaspersky Security Center Web Console installer.
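The script below is an added example and is not part of the Kaspersky Help. It puts the Windows and Linux procedures above into one POSIX shell script: it extracts the certificate and key from a PFX, strips the "Bag Attributes" lines that the Windows procedure tells you to delete by hand, removes a passphrase only when one is actually present, and then performs two checks the procedure does not mention: that the certificate and the key share the same public key, and that the certificate is not expired or about to expire. It goes beyond the Help's sed filter in one respect: the PEM filter also accepts RSA, EC and ENCRYPTED private-key headers, so a key written by an older OpenSSL build is not silently dropped. It assumes an openssl command-line tool in PATH (Git Bash or WSL on Windows, or any Linux shell); the file names, output directory and 30-day warning threshold are this example's own choices.

```shell
#!/bin/sh
# Added example (not from the Kaspersky Help): PFX -> PEM conversion for the
# Kaspersky Security Center Web Console installer, with consistency checks.
# Assumes an OpenSSL command-line tool in PATH. File names, the output
# directory and the 30-day warning threshold are this example's own choices.
set -eu

# Keep only the PEM block(s) of the requested type from stdin and drop the
# "Bag Attributes" / "Key Attributes" lines that openssl pkcs12 prints.
# Also accepts "RSA PRIVATE KEY", "EC PRIVATE KEY" and "ENCRYPTED PRIVATE KEY"
# headers, which the single pattern in the Help does not match.
pem_blocks() {
    sed -nE "/^-----BEGIN (RSA |EC |ENCRYPTED )?$1-----$/,/^-----END (RSA |EC |ENCRYPTED )?$1-----$/p"
}

# Number of PEM blocks on stdin (prints 0 when there are none).
pem_block_count() {
    grep -c '^-----BEGIN ' || true
}

# Exit 0 when the PEM private key in file $1 is passphrase-protected:
# PKCS#8 encrypted header, or the legacy "Proc-Type: 4,ENCRYPTED" line.
key_is_encrypted() {
    grep -qE '^-----BEGIN ENCRYPTED PRIVATE KEY-----$|^Proc-Type: 4,ENCRYPTED$' "$1"
}

# Extract the certificate and the private key from a PFX into $2 (default: the
# current directory) and set KEY_FILE to the unencrypted key for the installer.
# openssl prompts for the PFX import password; add "-passin file:pw.txt" to both
# pkcs12 calls to avoid the prompt, and "-legacy" on OpenSSL 3.x if the PFX was
# exported with the old RC2/3DES ciphers.
convert_pfx() {
    pfx=$1; outdir=${2:-.}
    openssl pkcs12 -in "$pfx" -clcerts -nokeys | pem_blocks CERTIFICATE > "$outdir/server.crt"
    openssl pkcs12 -in "$pfx" -nocerts -nodes | pem_blocks 'PRIVATE KEY' > "$outdir/key.pem"
    KEY_FILE="$outdir/key.pem"
    # -nodes already writes the key unencrypted; strip a passphrase only when one
    # is present, and never write the result over the input file.
    if key_is_encrypted "$KEY_FILE"; then
        openssl pkey -in "$KEY_FILE" -out "$outdir/key-without-passphrase.pem"
        KEY_FILE="$outdir/key-without-passphrase.pem"
    fi
    [ "$(pem_block_count < "$outdir/server.crt")" -eq 1 ] ||
        { echo "error: expected exactly one certificate in server.crt" >&2; return 1; }
    [ "$(pem_block_count < "$KEY_FILE")" -eq 1 ] ||
        { echo "error: no private key extracted (check the PEM header type)" >&2; return 1; }
}

# Check that certificate $1 and key $2 form a pair (identical public key) and
# that the certificate is neither expired nor expiring within 30 days.
verify_pair() {
    crt=$1; key=$2
    cert_pub=$(openssl x509 -in "$crt" -noout -pubkey | openssl dgst -sha256)
    key_pub=$(openssl pkey -in "$key" -pubout | openssl dgst -sha256)
    [ "$cert_pub" = "$key_pub" ] ||
        { echo "error: $crt and $key do not belong together" >&2; return 1; }
    openssl x509 -in "$crt" -noout -subject -startdate -enddate
    # -checkend N fails when the certificate expires within N seconds.
    if ! openssl x509 -in "$crt" -noout -checkend $((30 * 86400)) > /dev/null; then
        echo "warning: certificate expires within 30 days; reissue it before the Web Console rejects it" >&2
    fi
}

# Usage: sh pfx2pem.sh <filename.pfx> [output-dir]
if [ $# -ge 1 ]; then
    convert_pfx "$1" "${2:-.}"
    verify_pair "${2:-.}/server.crt" "$KEY_FILE"
    echo "ready: ${2:-.}/server.crt and $KEY_FILE"
fi
```

Point the installer's Choose existing certificate option at server.crt and at the key path the script prints. If verify_pair reports that the files do not belong together, the PFX contained several certificates (for example an intermediate CA) and -clcerts picked a different one than expected; inspect it with openssl pkcs12 -in <filename.pfx> -info -nokeys.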

About migration to Kaspersky Security Center Cloud Console
You can perform migration from Kaspersky Security Center Web Console to Kaspersky Security Center Cloud
Console. After that, you get access to Administration Server and database management system (DBMS), which
are hosted in the Kaspersky infrastructure. You do not need a physical server or a DBMS—both are maintained for
you by Kaspersky experts.

You can migrate your managed devices running a Windows, Linux, or macOS operating system under the control of
Kaspersky Security Center Cloud Console. If your network includes a hierarchy of Administration Servers, you can
save it in Kaspersky Security Center Cloud Console. In addition, you can transfer:

Tasks and policies of managed applications

Global tasks

Custom device selections

Administration group structure and included devices

Tags that have been assigned to migrating devices

After you finish the migration, you can manage the devices by using Kaspersky Security Center Cloud Console. At the same time, the transferred objects are preserved and Network Agent is re-installed on all managed devices.

For information on how to perform the migration and a list of the prerequisites, see the Kaspersky Security Center Cloud Console Help.

Signing in to Kaspersky Security Center Web Console and signing out


You can sign in to Kaspersky Security Center Web Console after you install the Administration Server and Web Console Server. You must know the web address of the Administration Server and the port number specified during installation (by default, the port is 8080). In your browser, JavaScript must be enabled.

You can sign in to Kaspersky Security Center Web Console by using the following methods:

By using domain authentication

If you choose this method, make sure that Active Directory polling has been activated and the domain
users are added to the Administration Server.

By specifying the administrator's user name and password

Signing in by using domain authentication

To sign in to Kaspersky Security Center Web Console by using domain authentication:

1. In your browser, go to <Administration Server web address>:<Port number>.


The sign-in page is displayed.

2. If you added several trusted servers, in the Administration Servers list select the Administration Server that you
want to connect to.
If you only added a single Administration Server, the Administration Servers list is locked.

3. Do one of the following:

Click the Domain authentication button.

If one or more virtual Administration Servers are created on the Server and you want to sign in to a virtual
Server by using domain authentication:

a. Click Advanced settings.

b. Type the virtual Administration Server name that you specified while creating the virtual Server.

c. Click the Domain authentication button.

After sign-in, the dashboard is displayed, containing the language and theme that you used last time. You can
navigate through Kaspersky Security Center Web Console and use it to work with Kaspersky Security Center.

Signing in by specifying the administrator's user name and password

To sign in to Kaspersky Security Center Web Console by specifying the administrator's user name and password:

1. In your browser, go to <Administration Server web address>:<Port number>.


The sign-in page is displayed.

2. If you added several trusted servers, in the Administration Servers list select the Administration Server that you
want to connect to.
If you only added one Administration Server, the Administration Servers list is locked.

3. Do one of the following:

To sign in to the Administration Server:

a. Enter the user name and password of the local Administrator.

b. Click the Sign in button.

If one or more virtual Administration Servers are created on the Server and you want to sign in to a virtual
Server:

a. Click Advanced settings.

b. Type the virtual Administration Server name that you specified while creating the virtual Server.

c. Enter the user name and password of the administrator who has rights on the virtual Administration
Server.

d. Click the Sign in button.

After sign-in, the dashboard is displayed, containing the language and theme that you used last time. You can
navigate through Kaspersky Security Center Web Console and use it to work with Kaspersky Security Center.

Signing out

To sign out of Kaspersky Security Center Web Console,

In the main menu, go to your account settings, and then select Sign out.

Kaspersky Security Center Web Console is closed, and the sign-in page is displayed.

Identity and Access Manager in Kaspersky Security Center Web Console


This section provides information about Identity and Access Manager (also referred to as IAM).

About Identity and Access Manager


Identity and Access Manager (also referred to as IAM) is a Kaspersky Security Center Web Console component that enables single sign-on (SSO) between Kaspersky Security Center Web Console and the Kaspersky Industrial CyberSecurity for Networks web interface. IAM uses the OAuth 2.0 protocol to authorize Kaspersky Industrial CyberSecurity for Networks in Kaspersky Security Center Web Console.

In this scheme, Kaspersky Industrial CyberSecurity for Networks, which you access through Kaspersky Security Center Web Console, is the resource server, and Kaspersky Security Center Web Console and the Kaspersky Industrial CyberSecurity for Networks web interface are OAuth 2.0 clients. A resource server is a program that works with multiple users and requires authorization. The client presents a token to the resource server to authorize its requests. A token is a unique sequence of bytes. When a token expires, it is automatically reissued. IAM acts as a single authorization server for multiple OAuth 2.0 clients.

You can install IAM when installing Kaspersky Security Center Web Console. You can enable it later at any time in the Kaspersky Security Center Web Console settings. If a Kaspersky Industrial CyberSecurity Server or a Kaspersky Industrial CyberSecurity web interface is installed on a device that is managed by the same Administration Server, IAM detects this program and a notification is displayed in Kaspersky Security Center Web Console informing you about this. You can register Kaspersky Industrial CyberSecurity for Networks and later use SSO for both Kaspersky Security Center Web Console and the Kaspersky Industrial CyberSecurity for Networks web interface.

If you sign out of Kaspersky Security Center Web Console, your session in Kaspersky Industrial CyberSecurity for
Networks web interface will end and you will have to log in to Kaspersky Security Center Web Console again.

Enabling Identity and Access Manager: scenario

Prerequisites

Before you start, make sure that you have access to Kaspersky Industrial CyberSecurity for Networks version 3.1 or
later.

Stages

Enabling Identity and Access Manager (also referred to as IAM) proceeds in stages:
1 Checking the necessary ports

Make sure that ports 3333, 4004, and 4444 are opened on the device where Kaspersky Security Center Web
Console is installed. These ports are needed for using OAuth 2.0. If you want, you can change the default port
numbers in the Kaspersky Security Center Web Console settings window.

Besides the ports 3333, 4004, and 4444, Kaspersky Security Center Web Console also uses ports 4445, 2444,
and 2445 for various purposes.

2 Installing Identity and Access Manager

During the Kaspersky Security Center Web Console installation, specify that you want to install Identity and
Access Manager. If you did not do so, run the Kaspersky Security Center Web Console Setup Wizard again.

3 Configuring Identity and Access Manager

In the Kaspersky Security Center Web Console settings window, make sure that the Identity and Access Manager (IAM) toggle button is enabled. Also, specify the DNS name of the device where Kaspersky Security Center Web Console is installed: the client applications will connect to this device.

4 Specifying the token settings

In the Kaspersky Security Center Web Console settings window, specify lifetime of tokens and authorization
timeout that Identity and Access Manager will use. You can use the default values, or you can specify your own
values according to your needs.

5 Granting certificates

If you prefer to use the certificates generated by the Administration Server, then in the Kaspersky Security Center Web Console settings window, download the root certificates for the ports used by IAM and distribute them to the Kaspersky Security Center Web Console users' workstations. Otherwise, the users' browsers will display error messages when trying to connect to Kaspersky Security Center Web Console.

6 Registering the Kaspersky Industrial CyberSecurity for Networks Servers and Kaspersky Industrial
CyberSecurity for Networks web interfaces

When IAM is installed, Kaspersky Security Center Web Console displays a message saying that an Industrial
CyberSecurity for Networks Server (or multiple Servers) and one or more Kaspersky Industrial CyberSecurity for
Networks web interfaces are waiting to be registered. Click this message to register your Kaspersky Industrial
CyberSecurity for Networks Server (or multiple Servers) and web interface (or multiple web interfaces).

Results

After you complete this scenario, you will be able to use SSO and IAM for Kaspersky Industrial CyberSecurity for
Networks and Kaspersky Security Center Web Console.

Configuring Identity and Access Manager in Kaspersky Security Center Web Console

To con gure Identity and Access Manager according to your needs:

1. In Kaspersky Security Center Web Console, go to the Console settings → Integration section.

2. In the Identity and Access Manager section, make sure that Identity and Access Manager is enabled.

3. Click the Settings link in the Identity and Access Manager device network name line.

4. Specify the DNS name of the device on which you installed Identity and Access Manager. Client applications will connect to this device.

5. If you want, change the default token settings, certificate settings, and port numbers by clicking the Settings link under the relevant group of settings.

Identity and Access Manager is enabled and working according to your needs.

Registering Kaspersky Industrial CyberSecurity for Networks application in Kaspersky Security Center Web Console

To start working with Kaspersky Industrial CyberSecurity for Networks application via Kaspersky Security Center Web Console, you must first register it in Kaspersky Security Center Web Console.

To register Kaspersky Industrial CyberSecurity for Networks application:

1. Make sure that the following is done:

You have downloaded and installed the Kaspersky Industrial CyberSecurity for Networks web plug-in.
However, you can do it later while waiting for the Kaspersky Industrial CyberSecurity for Networks Server to
synchronize with the Administration Server.

You have completed the Single Sign-On (SSO) technology usage preparations scenario.

The necessary settings in the Kaspersky Industrial CyberSecurity for Networks web interface are specified on the Kaspersky Security Center page. For details, please refer to the Kaspersky Industrial CyberSecurity for Networks Online Help.

You are logged in to Kaspersky Security Center Web Console under an administrator account.

IAM is configured.

2. Move the device where Kaspersky Industrial CyberSecurity for Networks Server is installed from the
Unassigned devices group to the Managed devices group:

a. In the main menu, go to DISCOVERY & DEPLOYMENT → UNASSIGNED DEVICES.

b. Select the check box next to the device where Kaspersky Industrial CyberSecurity for Networks Server is
installed.

c. Click the Move to group button.

d. In the hierarchy of administration groups, select the check box next to the Managed devices group.

e. Click the Move button.

3. Proceed to the properties of the device where the Kaspersky Industrial CyberSecurity for Networks Server is
installed.

4. On the device properties page, in the General section, select the Do not disconnect from the Administration
Server option, and then click the Save button.

5. On the device properties page, select the Applications section.


6. In the Applications section, select Kaspersky Network Agent.

7. If the current status of the application is Stopped, wait until it changes to Running.
This may take up to 15 minutes. If you have not yet installed the Kaspersky Industrial CyberSecurity for Networks web plug-in, you can do it now, while you are waiting.

8. In the main menu, go to the Console settings → Integration section.


In the Registration requests field, one pending request is displayed.

9. Click the Settings link under the Registration requests field.

10. In the list of registered clients that opens, select the check box next to the name of the Kaspersky Industrial
CyberSecurity for Networks Server, that has the Pending status, and then click the Approve button.
If you do not want to register the Kaspersky Industrial CyberSecurity for Networks Server, you can click the
Decline button and get back to this list later.
After you click the Approve button, the status changes to Approved, and then to Ready. If the status does not
change, you can click the Refresh button.

11. Close the list of registered clients and make sure that the value in the Registered clients field has increased.

12. To add the Kaspersky Industrial CyberSecurity for Networks widget on the dashboard:

a. In the main menu, go to MONITORING & REPORTING → DASHBOARD.

b. On the dashboard, click the Add or restore web widget button.

c. In the widget menu that opens, select Other.

d. Select the Kaspersky Industrial CyberSecurity for Networks widget.

You can now proceed to the Kaspersky Industrial CyberSecurity for Networks web interface using the link in the
widget.

After you complete the registration procedure, a new button, Kaspersky Security Center, appears on the login
page of the Kaspersky Industrial CyberSecurity for Networks web interface. You can click this button to log in to
Kaspersky Industrial CyberSecurity for Networks web interface under your Kaspersky Security Center
credentials.

Lifetime of tokens and authorization timeout for Identity and Access Manager

When configuring Identity and Access Manager (also referred to as IAM), you must specify the settings for the token lifetime and authorization timeout. The default settings are designed to reflect both the security standards and the server load. However, you can change these settings according to your organization's policies.

IAM automatically re-issues a token when it is about to expire.

The table below lists the default token lifetime settings.

Token lifetime settings

Token                          Default lifetime (seconds)   Description
Identity token (id_token)      86400                        Identity token used by the OAuth 2.0 client (that is, either Kaspersky Security Center Web Console or Kaspersky Industrial CyberSecurity Console). IAM sends the ID token, which contains information about the user (that is, the user profile), to the client.
Access token (access_token)    86400                        Access token used by the OAuth 2.0 client to access the resource server on behalf of the resource owner identified by IAM.
Refresh token (refresh_token)  172800                       The OAuth 2.0 client uses this token to re-issue the identity token and the access token.

The table below lists the timeouts for auth_code and login_consent_request.

Authorization timeout settings

Setting                                               Default timeout (seconds)   Description
Authorization code (auth_code)                        3600                        Timeout for exchanging the code for a token. The OAuth 2.0 client sends this code to the authorization server (IAM) and gets the access token in exchange.
Login consent request timeout (login_consent_request) 3600                        Timeout for delegating user rights to the OAuth 2.0 client.

For more information about tokens, see the OAuth website.

Downloading and distributing the IAM certificates

By default, Identity and Access Manager uses the certificates generated by the Administration Server to grant browsers access to Kaspersky Security Center Web Console. However, if you want, you can use custom certificates. Whatever certificate you use, you must make sure that all workstations from which Kaspersky Security Center Web Console users access Kaspersky Security Center Web Console trust this certificate.

To download and distribute certi cates:

1. In Kaspersky Security Center Web Console, go to the Console settings → Integration section.

2. For each certificate, click the Settings link under the relevant group of settings, and then do one of the following:

If you want to use the certificate that the Administration Server generated during the installation of Kaspersky Security Center Web Console:

1. Select Certificate generated by Administration Server in the certificate properties window that opens.

2. Click the Download button to download the certificate.

3. Distribute the downloaded certificate to all workstations from which Kaspersky Security Center Web Console users access Kaspersky Security Center Web Console.

If you have a certificate that you want to use:

1. Select Custom TLS certificate in the certificate properties window that opens.

2. Select the certificate file and the private key.

3. Click the OK button.

4. Distribute the certificate to all workstations from which users access Kaspersky Security Center Web Console or Kaspersky Industrial CyberSecurity Console.

The certificates grant users access to Kaspersky Security Center Web Console and Kaspersky Industrial CyberSecurity Console.

You have to re-issue all the certificates in good time. The certificates generated by the Administration Server must be re-generated manually. The certificates generated by the Kaspersky Security Center Web Console installer must be re-generated by using the installer.

Disabling Identity and Access Manager


If you want, you can disable Identity and Access Manager (also referred to as IAM).

To disable IAM,

In the Kaspersky Security Center Web Console settings window, switch the IAM toggle button to disabled.

You can enable IAM any time later.

If you update Kaspersky Security Center Web Console via the installer and specify that you do not want to install IAM, then Kaspersky Security Center Web Console will be upgraded and IAM will not be installed. All the information about integration with Kaspersky Industrial CyberSecurity for Networks will be deleted from your computer, as well as IAM configuration files and log files.

Configuring domain authentication by using the NTLM and Kerberos protocols

Kaspersky Security Center 14 enables you to use domain authentication in OpenAPI by using the NTLM and Kerberos protocols. Domain authentication lets a Windows user sign in to Kaspersky Security Center Web Console securely without re-entering the password on the corporate network (single sign-on).

Domain authentication in OpenAPI over the Kerberos protocol has the following restrictions:

The user of Kaspersky Security Center Web Console must be authenticated in Active Directory by using the
Kerberos protocol. The user must have a valid Kerberos Ticket Granting Ticket (also referred to as a TGT). A
TGT is issued automatically when you authenticate to the domain.

You must con gure Kerberos authentication in the browser. For details, refer to the documentation of the
browser you are using.

If you want to use domain authentication over the Kerberos protocol, your network must meet the following conditions:

Administration Server must run under a domain account.

Kaspersky Security Center Web Console Server must be installed on the same device as the Administration Server.

You must register the following Service Principal Names (SPNs) for the Administration Server account:

"http/<server.fqdn.name>"

"http/<server>"

Here, <server> is the network name of the Administration Server device, and <server.fqdn.name> is the fully qualified domain name (FQDN) of the Administration Server device. The SPN is matched against the host name that the user types into the browser, so register both forms.

When connecting to the Administration Console or Kaspersky Security Center Web Console, the Administration Server address must be specified exactly as the address for which the SPN is registered. You can specify either <server.fqdn.name> or <server>. If the address does not match a registered SPN (for example, if you connect by IP address), the browser cannot obtain a Kerberos ticket for it.

For a password-free login, the browser process in which Kaspersky Security Center Web Console is open must run under a domain account.

Kerberos and NTLM protocols are only supported in OpenAPI for Kaspersky Security Center 14. They are not
supported in OpenAPI for Kaspersky Security Center Linux.

Initial setup of Kaspersky Security Center Web Console


This section describes steps you must take after the Kaspersky Security Center Web Console installation to
perform its initial setup.

Quick Start Wizard (Kaspersky Security Center Web Console)


This section provides information about the Administration Server Quick Start Wizard.

The Wizard requires internet access. If your Administration Server does not have internet access, we
recommend that you perform all the steps of the Wizard manually through the Kaspersky Security Center
Web Console interface.

Kaspersky Security Center allows you to adjust a minimum selection of settings required to build a centralized management system for protecting your network against security threats. This configuration is performed through the Quick Start Wizard. When the Wizard is running, you can make the following changes to the application:

Add key files or enter activation codes that can be automatically distributed to devices within administration
groups.

Configure interaction with Kaspersky Security Network (KSN). If you have allowed the use of KSN, the Wizard
enables the KSN proxy server service, which ensures connection between KSN and devices.

Set up email delivery of notifications of events that occur during operation of Administration Server and
managed applications (successful notification delivery requires that the Messenger service run on the
Administration Server and all recipient devices).

Create a protection policy for workstations and servers, as well as virus scan tasks, update download tasks, and
data backup tasks, for the top level of the hierarchy of managed devices.

The Quick Start Wizard creates policies only for those applications whose Managed devices folder does
not contain policies. The Quick Start Wizard does not create tasks if tasks with the same names have
already been created for the top level in the hierarchy of managed devices.

The application automatically prompts you to run the Quick Start Wizard after Administration Server installation,
at the first connection to it. You can also start the Quick Start Wizard manually at any time.

To start the Quick Start Wizard manually:

1. In the main menu, click the settings icon next to the name of the Administration Server.
The Administration Server properties window opens.

2. On the General tab, select the General section.

3. Click Start Quick Start Wizard.

The Wizard prompts you to perform initial configuration of the Administration Server. Follow the instructions of
the Wizard. Proceed through the Wizard by using the Next button.

Step 1. Specifying the internet connection settings


Specify the internet access settings for Administration Server. You must configure internet access to use
Kaspersky Security Network and to download updates of anti-virus databases for Kaspersky Security Center and
managed Kaspersky applications.

Enable the Use proxy server option if you want to use a proxy server when connecting to the internet. If this
option is enabled, the fields are available for entering settings. Specify the following settings for a proxy server
connection:

Address

Address of the proxy server used for Kaspersky Security Center connection to the internet.

Port number

Number of the port through which Kaspersky Security Center proxy connection will be established.

Bypass proxy server for local addresses

No proxy server will be used to connect to devices in the local network.

Proxy server authentication


If this check box is selected, in the entry fields you can specify the credentials for proxy server
authentication.
This entry field is available if the Use proxy server check box is selected.

User name

User account under which connection to the proxy server is established (this field is available if the Proxy
server authentication check box is selected).

Password

Password set by the user under whose account the proxy server connection is established (this field is
available if the Proxy server authentication check box is selected).
To see the entered password, click and hold the Show button for as long as you require.

You can configure internet access later, separately from the quick start wizard.

Step 2. Downloading required updates


The required updates are downloaded from the Kaspersky servers automatically.

Step 3. Selecting the assets to secure


Select the protection areas and operating systems that are in use on your network. When you select these
options, you specify the filters for application management plug-ins and distribution packages on Kaspersky
servers that you can download to install on client devices on your network. Select the options:

Areas

You can select the following protection areas:
Workstations. Select this option if you want to protect workstations in your network. By default, the
Workstation option is selected.

File Servers and Storage. Select this option if you want to protect file servers in your network.

Mobile devices. Select this option if you want to protect mobile devices owned by the company or
by the company employees. If you select this option but you have not provided a license with the
Mobile Device Management feature, a message is displayed informing you that you must provide
a license with the Mobile Device Management feature. If you do not provide a license, you cannot use
the Mobile device feature.

Virtualization. Select this option if you want to protect virtual machines in your network.

Kaspersky Anti-Spam. Select this option if you want to protect mail servers in your organization
from spam, fraud, and malware delivery.

Embedded Systems. Select this option if you want to protect Windows-based embedded systems,
such as Automated Teller Machine (ATM).

Industrial networks. Select this option if you want to monitor security data across your industrial
network and from network endpoints that are protected by Kaspersky applications.

Industrial endpoints. Select this option if you want to protect individual nodes within an industrial
network.

Operating systems

You can select the following platforms:


Microsoft Windows

macOS

Android

Linux

Other
For information about supported operating systems, refer to Hardware and software requirements for
Kaspersky Security Center Web Console.

You can select the Kaspersky application packages from the list of available packages later, separately from the
quick start wizard. To simplify the search for the required packages, you can filter the list of available packages by
various criteria.

Step 4. Selecting encryption in solutions

The Encryption in solutions window is displayed only if you have selected Workstations as a protection
scope.

Kaspersky Endpoint Security for Windows includes encryption tools for information stored on Windows-based
client devices. These encryption tools have the Advanced Encryption Standard (AES) implemented with a 256-bit
or 56-bit key length.

Download and usage of the distribution package with a 256-bit key length must be performed in compliance with
applicable laws and regulations. To download a distribution package of Kaspersky Endpoint Security for Windows
that is valid for the needs of your organization, consult the legislation of the country where the client devices of
your organization are located.

In the Encryption in solutions window, select one of the following encryption types:

Lite encryption. This encryption type uses a 56-bit key length.

Strong encryption. This encryption type uses a 256-bit key length.

You can select the distribution package for Kaspersky Endpoint Security for Windows with the required encryption
type later, separately from the quick start wizard.

Step 5. Configuring installation of plug-ins for managed applications


Select plug-ins for managed applications to install. A list of plug-ins located on Kaspersky servers is displayed. The
list is filtered according to the options selected on the previous step of the Wizard. By default, the full list includes
plug-ins in all languages. To display only plug-ins in a specific language, use the filter. The list of plug-ins includes the
following columns:

Name

The plug-ins that correspond to the protection areas and platforms you selected on the previous step
are selected.

Version

The list includes plug-ins of all the versions placed on Kaspersky servers. By default, the plug-ins of the
latest versions are selected.

Language

By default, the localization language of a plug-in is defined by the Kaspersky Security Center language that
you have selected at installation. You can specify other languages in Show the Administration Console
localization language or drop-down list.

After the plug-ins are selected, click Next to start installation.

The Quick Start Wizard automatically installs the selected plug-ins. To install some plug-ins, you must accept the
terms of the EULA. Read the text of EULA displayed, select the I agree to use Kaspersky Security Network check
box and click the Install button. If you do not accept the terms of the EULA, the plug-in is not installed.

When all the selected plug-ins are installed, the Quick Start Wizard automatically takes you to the next step.

Step 6. Downloading distribution packages and creating installation packages

Select the distribution packages to download.

Distribution packages of managed applications may require a specific minimum version of Kaspersky Security Center to
be installed.

After you have selected an encryption type for Kaspersky Endpoint Security for Windows, a list of distribution
packages of both encryption types is displayed. A distribution package with the selected encryption type is
selected in the list. You can select distribution packages of any encryption type. The distribution package language
corresponds to the Kaspersky Security Center language. If a distribution package of Kaspersky Endpoint Security
for Windows for the Kaspersky Security Center language does not exist, the English distribution package is
selected.

To finish downloading some distribution packages, you must accept the EULA. When you click the Accept button,
the text of EULA is displayed. To proceed to the next step of the Wizard, you must accept the terms and
conditions of the EULA and the terms and conditions of Kaspersky Privacy Policy. If you do not accept the terms
and conditions, the downloading of the package is canceled.

After you have accepted the terms and conditions of the EULA and the terms and conditions of Kaspersky Privacy
Policy, the downloading of the distribution packages continues. Later, you can use installation packages to deploy
Kaspersky applications on client devices.

Step 7. Configuring Kaspersky Security Network


Specify the settings for relaying information about Kaspersky Security Center operations to the Kaspersky
Security Network knowledge base. Select one of the following options:

I agree to use Kaspersky Security Network

Kaspersky Security Center and managed applications installed on client devices will automatically transfer
their operation details to Kaspersky Security Network. Participation in Kaspersky Security Network
ensures faster updates of databases containing information about viruses and other threats, which
ensures a faster response to emergent security threats.

I do not agree to use Kaspersky Security Network

Kaspersky Security Center and managed applications will provide no information to Kaspersky Security
Network.
If you select this option, the use of Kaspersky Security Network will be disabled.

You can set up access to Kaspersky Security Network (KSN) later, separately from the quick start wizard.

Step 8. Selecting the application activation method

Select one of the following Kaspersky Security Center activation options:

By entering your activation code

Activation code is a unique sequence of 20 alphanumeric characters. You enter an activation code to add a
key that activates Kaspersky Security Center. You receive the activation code through the email address
that you specified after purchasing Kaspersky Security Center.
To activate the application with an activation code, you need Internet access to establish connection with
Kaspersky activation servers.
If you have selected this activation option, you can enable the Automatically distribute license key to
managed devices option.
If this option is enabled, the license key will be deployed automatically to managed devices.
If this option is disabled, you can deploy license key to managed devices later, in the Kaspersky Licenses
node of the Administration Console tree.

By specifying a key file

Key file is a file with the .key extension provided to you by Kaspersky. A key file is intended for adding a key
that activates the application.
You receive your key file through the email address that you specified after purchasing Kaspersky Security
Center.
To activate the application using a key file, you do not have to connect to Kaspersky activation servers.
If you have selected this activation option, you can enable the Automatically distribute license key to
managed devices option.
If this option is enabled, the license key will be deployed automatically to managed devices.
If this option is disabled, you can deploy license key to managed devices later, in the Kaspersky Licenses
node of the Administration Console tree.

By postponing the application activation

The application will operate with basic functionality, without Mobile Device Management and without
Vulnerability and Patch Management.

If you chose to postpone application activation, you can add a license key later at any time by selecting
OPERATIONS → LICENSING.

When working with Kaspersky Security Center deployed from a paid AMI or for a Usage-based monthly billed SKU,
you cannot specify a key le or enter a code.

Step 9. Specifying the third-party update management settings

This step is not displayed if you do not have the Vulnerability and Patch Management license and the Find
vulnerabilities and required updates task already exists.

For third-party software updates, select one of the following options:

Search for required updates


The Find vulnerabilities and required updates task is created.
This option is selected by default.

Find and install required updates

The Find vulnerabilities and required updates and Install required updates and fix vulnerabilities tasks are
created automatically if they do not already exist.

This option is only available under the Vulnerability and Patch Management license.

For Windows Update updates, select one of the following options:

Use the update sources defined in the domain policy

Client devices will download Windows Update updates according to your domain policy settings. Network
Agent policy is created automatically, if you do not have one.

Use Administration Server as a WSUS server

Client devices will download Windows Update updates from the Administration Server. The Perform
Windows Update synchronization task and Network Agent policy are created automatically if they do not
already exist.

This option is only available under the Vulnerability and Patch Management license.

Step 10. Creating a basic network protection configuration


You can check a list of policies and tasks that are created.

Wait for the creation of policies and tasks to complete before proceeding to the next step of the Wizard.

Step 11. Configuring email notifications


Configure the delivery of notifications about events registered during the operation of Kaspersky applications on
client devices. These settings will be used as the default settings for application policies.

To configure the delivery of notifications about events occurring in Kaspersky applications, use the following
settings:

Recipients (email addresses)

The email addresses of users to whom the application will send notifications. You can enter one or more
addresses; if you enter more than one address, separate them with a semicolon.

SMTP server address

The address or addresses of your organization's mail servers.
If you enter more than one address, separate them with a semicolon. You can use the following values:
IPv4 or IPv6 address

Windows network name (NetBIOS name) of the device

DNS name of the SMTP server

SMTP server port

Communication port number of the SMTP server. If you use several SMTP servers, the connection to them
is established through the specified communication port. The default port number is 25.

Use ESMTP authentication

Enables support of ESMTP authentication. When the check box is selected, in the User name and
Password fields you can specify the ESMTP authentication settings. By default, this check box is cleared.

Use TLS

You can specify TLS settings of connection with an SMTP server:

Do not use TLS


You can select this option if you want to disable encryption of email messages.

Use TLS if supported by the SMTP server


You can select this option if you want to use a TLS connection to an SMTP server. If the SMTP server
does not support TLS, Administration Server connects the SMTP server without using TLS.

Always use TLS, check server certificate validity


You can select this option if you want to use TLS authentication settings. If the SMTP server does not
support TLS, Administration Server cannot connect the SMTP server.

We recommend that you use this option for better protection of the connection with an SMTP
server. If you select this option, you can set authentication settings for a TLS connection.

If you select the Always use TLS, check server certificate validity value, you can specify a certificate for
authentication of the SMTP server and choose whether you want to enable communication through
any version of TLS or only through TLS 1.2 or later versions. Also, you can specify a certificate for client
authentication on the SMTP server.

You can specify certificates for a TLS connection by clicking the Specify certificates link:

Browse for an SMTP server certificate file:


You can receive a file with the list of certificates from a trusted certification authority and upload the
file to Administration Server. Kaspersky Security Center checks whether the certificate of an SMTP
server is also signed by a trusted certification authority. Kaspersky Security Center cannot connect to
an SMTP server if the certificate of the SMTP server is not received from a trusted certification
authority.

Browse for a client certificate file:


You can use a certificate that you received from any source, for example, from any trusted certification
authority. You must specify the certificate and its private key by using one of the following certificate
types:

X.509 certificate:


You must specify a file with the certificate and a file with the private key. The two files are independent of
each other, and the order in which they are loaded is not significant. When both files are loaded, you
must specify the password for decoding the private key. The password can be empty if
the private key is not encoded.

pkcs12 container:

You must upload a single file that contains the certificate and its private key. When the file is loaded,
you must then specify the password for decoding the private key. The password can be empty
if the private key is not encoded.

You can test the new email notification settings by clicking the Send test message button.

You can configure event notifications later, separately from the quick start wizard.
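A pre-check of what the Always use TLS, check server certificate validity option needs from the mail server, as an added PowerShell example (not part of the Kaspersky documentation); the server name is an assumption:

```powershell
# Added example; not part of the Kaspersky documentation. Checks in advance what
# the "Always use TLS, check server certificate validity" option needs from an
# SMTP server: STARTTLS is offered, TLS 1.2 is negotiated, and the server
# certificate chains to a CA trusted by the Windows certificate store of the
# machine running the script. Run it on the Administration Server so the same
# trust store is consulted. Server name is an assumption.
$SmtpServer = 'smtp.corp.example'    # assumption: your organization's mail server
$Port       = 25                     # the Help's default SMTP port

$client = New-Object System.Net.Sockets.TcpClient($SmtpServer, $Port)
$stream = $client.GetStream()
$reader = New-Object System.IO.StreamReader($stream)
$writer = New-Object System.IO.StreamWriter($stream)
$writer.NewLine   = "`r`n"
$writer.AutoFlush = $true

function Read-SmtpReply {
    # An SMTP reply may span several lines: "250-..." continues, "250 " ends it.
    $lines = @()
    do {
        $line = $reader.ReadLine()
        if ($null -eq $line) { throw 'Connection closed by the SMTP server' }
        $lines += $line
    } while ($line -match '^\d{3}-')
    return $lines
}

$banner = @(Read-SmtpReply)
if ($banner[0] -notmatch '^220') { throw "Unexpected greeting: $($banner[0])" }

$writer.WriteLine("EHLO $env:COMPUTERNAME")
$ehlo = @(Read-SmtpReply)
if (-not ($ehlo -match 'STARTTLS')) {
    throw "$SmtpServer does not advertise STARTTLS; 'Always use TLS' cannot be used with it"
}

$writer.WriteLine('STARTTLS')
$reply = @(Read-SmtpReply)
if ($reply[0] -notmatch '^220') { throw "STARTTLS refused: $($reply[0])" }

# No certificate-validation callback is supplied, so the chain is checked against
# the Windows trust store. An untrusted, expired or mismatched certificate makes
# AuthenticateAsClient throw, which is the failure the Help's option would also produce.
$ssl = New-Object System.Net.Security.SslStream($stream, $false)
$ssl.AuthenticateAsClient($SmtpServer, $null, [System.Security.Authentication.SslProtocols]::Tls12, $true)

$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
"Protocol:   $($ssl.SslProtocol)"
"Subject:    $($cert.Subject)"
"Issuer:     $($cert.Issuer)"
"Expires:    $($cert.NotAfter)"
"Thumbprint: $($cert.Thumbprint)"

# Say goodbye over the encrypted channel and close the socket.
$tlsWriter = New-Object System.IO.StreamWriter($ssl)
$tlsWriter.NewLine   = "`r`n"
$tlsWriter.AutoFlush = $true
$tlsWriter.WriteLine('QUIT')
$client.Close()
```

If the script throws at AuthenticateAsClient, import the issuing CA into the Administration Server's trust store or upload its certificate list through Browse for an SMTP server certificate file before enabling the option.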

Step 12. Performing a network poll

The Administration Server performs an initial poll. During the poll, a progress bar is displayed. When the poll is
complete, the View detected devices link becomes available. You can click this link to view network devices
detected by Administration Server. To return to the Quick Start Wizard, press the Escape key.

Step 13. Closing the Quick Start Wizard


On the Quick Start Wizard completion page, select the Run Protection Deployment Wizard check box if you want
to start automatic installation of anti-virus applications or Network Agent on devices on your network.

To close the Wizard, click the Finish button.

Connecting out-of-office devices


This section describes how to connect out-of-office devices (that is, managed devices that are located outside of
the main network) to Administration Server.

Scenario: Connecting out-of-office devices through a connection gateway


This scenario describes how to connect managed devices that are located outside of the main network to
Administration Server.

Prerequisites

The scenario has the following prerequisites:

A demilitarized zone (DMZ) is organized in your organization's network.

Kaspersky Security Center Administration Server is deployed on the corporate network.

Stages

This scenario proceeds in stages:

1 Selecting a client device in the DMZ

This device will be used as a connection gateway. The device that you select must meet the requirements for
connection gateways.

2 Installing Network Agent in the connection gateway role

We recommend that you use a local installation to install Network Agent on the selected device.

By default, the installation file is located at: \\<server name>\KLSHARE\PkgInst\NetAgent_<version number>

In the Connection gateway window of the Network Agent Setup Wizard, select Use Network Agent as a
connection gateway in DMZ. This mode simultaneously activates the connection gateway role and tells Network
Agent to wait for connections from Administration Server, rather than establish connections to Administration
Server.

Alternatively, you can install Network Agent on a Linux device and configure Network Agent to work as a
connection gateway, but pay attention to the list of limitations of Network Agent running on Linux devices.

3 Allowing connections in firewalls on the connection gateway

To make sure that Administration Server can actually connect to the connection gateway in the DMZ, allow
connections to TCP port 13000 in all firewalls between Administration Server and the connection gateway.

If the connection gateway has no real IP address on the internet, but instead is located behind Network Address
Translation (NAT), configure a rule to forward connections through NAT.

4 Creating an administration group for external devices

Create a new group under the Managed devices group. This new group will contain external managed devices.

5 Connecting the connection gateway to Administration Server

The connection gateway that you have configured is waiting for a connection from Administration Server.
However, Administration Server does not list the device with the connection gateway among managed devices.
This is because the connection gateway has not tried to establish a connection to Administration Server.
Therefore, you need a special procedure to ensure that Administration Server initiates a connection to the
connection gateway.

Do the following:

1. Add the connection gateway as a distribution point.

2. Move the connection gateway from the Unassigned devices group to the group that you have created for
external devices.

The connection gateway is connected and configured.

6 Connecting external desktop computers to Administration Server

Usually, external desktop computers are not moved inside the perimeter. Therefore, you need to configure them
to connect to Administration Server through the gateway when installing Network Agent.

7 Setting up updates for external desktop computers

If updates of security applications are configured to be downloaded from Administration Server, external
computers download updates through the connection gateway. This has two disadvantages:

This is unnecessary traffic, which takes up bandwidth of the company's internet communication channel.

This is not necessarily the quickest way to get updates. It is very likely that it would be cheaper and faster for
external computers to receive updates from Kaspersky update servers.

Do the following:

1. Move all external computers to the separate administration group that you created earlier.

2. Exclude the group with external devices from the update task.

3. Create a separate update task for the group with external devices.

8 Connecting traveling laptops to Administration Server

Traveling laptops are within the network sometimes and outside the network at other times. For effective
management, you need them to connect to Administration Server differently depending on their location. For
efficient use of traffic, they also need to receive updates from different sources, depending on their location.

You need to configure rules for out-of-office users: connection profiles and network location descriptions. Each
rule defines the Administration Server instance to which traveling laptops must connect, depending on their
location, and the Administration Server instance from which they must receive updates.

Scenario: Connecting out-of-office devices through a secondary Administration Server in DMZ

If you want to connect managed devices that are located outside of the main network to Administration Server,
you can do it by using a secondary Administration Server located in the demilitarized zone (DMZ).

Prerequisites

Before you start, make sure that you have done the following:

A DMZ is organized in your organization's network.

Kaspersky Security Center Administration Server is deployed on the internal network of the organization.

Stages

This scenario proceeds in stages:

1 Selecting a client device in the DMZ

In the DMZ, select a client device that will be used as a secondary Administration Server.

2 Installing Kaspersky Security Center Administration Server

Install Kaspersky Security Center Administration Server on this client device.

3 Creating a hierarchy of Administration Servers

If you place a secondary Administration Server in the DMZ, the secondary Administration Server must receive a
connection from the primary Administration Server. To do this, add a new Administration Server as secondary so
that the primary Administration Server connects to the secondary Administration Server through port 13000.
When combining two Administration Servers into a hierarchy, make sure that port 13299 is accessible on both
Administration Servers. Kaspersky Security Center Web Console connects to an Administration Server through
port 13299.

4 Connecting out-of-office managed devices to the secondary Administration Server

You can connect out-of-office devices to the Administration Server in the DMZ in the same way that the
connection is established between Administration Server and managed devices that are located in the main
network. Out-of-office managed devices initiate the connection through port 13000.
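The firewall openings named in both scenarios above (TCP 13000 towards the connection gateway or the secondary Administration Server, TCP 13299 for Web Console in the hierarchy case) and a reachability check from the primary Administration Server, as an added PowerShell example that is not part of the Kaspersky documentation; host names and addresses are assumptions:

```powershell
# Added example; not part of the Kaspersky documentation. Opens only the ports
# the two scenarios name on the device placed in the DMZ, then checks from the
# primary Administration Server that they answer. Requires an elevated session.
# Host names and addresses are assumptions.
$DmzHost      = 'ksc-dmz.corp.example'  # assumption: connection gateway or secondary Server in the DMZ
$WebConsoleIp = '10.0.0.20'             # assumption: host running Kaspersky Security Center Web Console

# --- Run on the DMZ device ---------------------------------------------------
# TCP 13000: the primary Administration Server initiates the connection to the
# connection gateway (or to the secondary Administration Server) on this port,
# and external devices connect to the DMZ device as well, so the rule is not
# limited to the primary Server's address.
New-NetFirewallRule -DisplayName 'KSC TCP 13000 inbound' `
    -Direction Inbound -Protocol TCP -LocalPort 13000 -Action Allow

# TCP 13299 is needed only for the secondary Administration Server scenario:
# Web Console connects to an Administration Server on it. Limit it to the Web
# Console host instead of exposing it to every address that reaches the DMZ.
New-NetFirewallRule -DisplayName 'KSC Web Console TCP 13299 from Web Console host' `
    -Direction Inbound -Protocol TCP -LocalPort 13299 `
    -RemoteAddress $WebConsoleIp -Action Allow

# --- Run on the primary Administration Server --------------------------------
# A failed test on 13000 means the Server cannot initiate the connection to the
# DMZ device, and a connection gateway will then never appear among managed devices.
foreach ($port in 13000, 13299) {
    $result = Test-NetConnection -ComputerName $DmzHost -Port $port -WarningAction SilentlyContinue
    if ($result.TcpTestSucceeded) {
        "TCP $port to ${DmzHost}: open"
    } else {
        "TCP $port to ${DmzHost}: blocked (check intermediate firewalls and any NAT forwarding rule)"
    }
}
```

Run the first part on the DMZ device and the second on the primary Administration Server; if the gateway sits behind NAT, test against the public address that the NAT rule forwards, since that is what the Server will use.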

About connecting out-of-office devices

Some managed devices are always located outside of the main network (for example, computers in a company's
regional branches; kiosks, ATMs, and terminals installed at various points of sale; computers in the home offices of
employees). Some devices travel outside the perimeter from time to time (for example, laptops of users who visit
regional branches or a customer's office).

You still need to monitor and manage the protection of out-of-office devices: receive actual information about
their protection status and keep the security applications on them in the up-to-date state. This is necessary
because, for example, if such a device is compromised while being away from the main network, it could become a
platform for propagating threats as soon as it connects to the main network. To connect out-of-office devices to
Administration Server, you can use two methods:

Connection gateway in the demilitarized zone (DMZ)


See the data traffic scheme: Administration Server on LAN, managed devices on the Internet, connection
gateway in use

Administration Server in DMZ


See the data traffic scheme: Administration Server in DMZ, managed devices on Internet

A connection gateway in the DMZ

A recommended method for connecting out-of-office devices to Administration Server is organizing a DMZ in the
organization's network and installing a connection gateway in the DMZ. External devices will connect to the
connection gateway, and Administration Server inside the network will initiate a connection to the devices via the
connection gateway.

As compared to the other method, this one is more secure:

You do not need to open access to Administration Server from outside the network.

A compromised connection gateway does not pose a high risk to the safety of the network devices. A
connection gateway does not actually manage anything itself and does not establish any connections.

Also, a connection gateway does not require many hardware resources.

However, this method has a more complicated configuration process:

To make a device act as a connection gateway in the DMZ, you need to install Network Agent and connect it to
Administration Server in a specific way.

You will not be able to use the same address for connecting to Administration Server for all situations. From
outside the perimeter, you will need to use not just a different address (connection gateway address), but also a
different connection mode: through a connection gateway.

You also need to define different connection settings for laptops in different locations.

To add a connection gateway to a previously configured network:

1. Install the Network Agent in the connection gateway mode.

2. Reinstall the Network Agent on devices that you want to connect to the newly added connection gateway.

Administration Server in the DMZ

Another method is installing a single Administration Server in the DMZ.


This configuration is less secure than the other method. To manage external laptops in this case, Administration
Server must accept connections from any address on the internet. It will still manage all devices in the internal
network, but from the DMZ. Therefore, a compromised Server could cause an enormous amount of damage,
despite the low likelihood of such an event.

The risk gets significantly lower if Administration Server in the DMZ does not manage devices in the internal
network. Such a configuration can be used, for example, by a service provider to manage the devices of customers.

You might want to use this method in the following cases:

If you are familiar with installing and configuring Administration Server, and do not want to perform another
procedure to install and configure a connection gateway.

If you need to manage more devices. The maximum capacity of Administration Server is 100,000 devices, while
a connection gateway can support up to 10,000 devices.

This solution also has possible difficulties:

Administration Server requires more hardware resources and one more database.

Information about devices will be stored in two unrelated databases (for Administration Server inside the
network and another one in the DMZ), which complicates monitoring.

To manage all devices, Administration Server needs to be joined into a hierarchy, which complicates not only
monitoring but also management. A secondary Administration Server instance imposes limitations on the
possible structures of administration groups. You have to decide how and which tasks and policies to distribute
to a secondary Administration Server instance.

Configuring external devices to use Administration Server in the DMZ from the outside and to use the primary
Administration Server from the inside is not simpler than to just configure them to use a conditional connection
through a gateway.

High security risks. A compromised Administration Server instance makes it easier to compromise its managed
laptops. If this happens, the hackers just need to wait for one of the laptops to return to the corporate network
so that they can continue their attack on the local area network.

Connecting external desktop computers to Administration Server


Desktop computers that are always outside of the main network (for example, computers in the company's
regional branches; kiosks, ATMs, and terminals installed at various points of sale; computers in the home offices of
employees) cannot be connected to Administration Server directly. They must be connected to Administration
Server via a connection gateway that is installed in the demilitarized zone (DMZ). This configuration is made when
installing Network Agent on those computers.

To connect external desktop computers to Administration Server:

1. Create a new installation package for Network Agent.

2. Open the properties of the created installation package and go to Settings → Advanced, and then select the
Connect to Administration Server by using a connection gateway option.

The Connect to Administration Server by using a connection gateway setting is incompatible with the
Use Network Agent as a connection gateway in DMZ setting. You cannot enable both of these settings
at the same time.

3. In the Connection gateway address field, specify the public address of the connection gateway.
If the connection gateway is located behind Network Address Translation (NAT) and does not have its own
public address, configure a NAT gateway rule for forwarding connections from the public address to the internal
address of the connection gateway.

4. Create a stand-alone installation package based on the created installation package.

5. Deliver the stand-alone installation package to the target computers, either electronically or on a removable
drive.

6. Install Network Agent from the stand-alone package.

External desktop computers are connected to Administration Server.

About connection profiles for out-of-office users


Out-of-office users of laptops (hereinafter also referred to as "devices") may need to change the method of
connecting to an Administration Server or switch between Administration Servers depending on the current
location of the device on the enterprise network.

Connection profiles are supported only for devices running Windows and macOS.

Using different addresses of a single Administration Server

Devices with Network Agent installed can connect to the Administration Server either from the organization's
intranet or from the internet. This situation may require Network Agent to use different addresses for connection
to Administration Server: the external Administration Server address for the internet connection and the internal
Administration Server address for the internal network connection.

To do this, add a profile for connection to Administration Server from the internet in the Network Agent policy
properties (in the Application settings → Network → Connection profiles → Administration Server connection
profiles section). In the profile creation window, disable the Use to receive updates only option and make sure
that the Synchronize connection settings with the Administration Server settings specified in this profile
option is selected. If you use a connection gateway to access Administration Server (for example, in a Kaspersky
Security Center configuration such as that described in Internet access: Network Agent as connection gateway in
DMZ), you must specify the address of the connection gateway in the corresponding field of the connection
profile.

Switching between Administration Servers depending on the current network

If the organization has multiple offices with different Administration Servers and some of the devices with Network
Agent installed move between them, you need Network Agent to connect to the Administration Server of the local
network in the office where the device is currently located.

In this case, create a profile for connection to Administration Server in the Network Agent policy properties for
each of the offices, except for the home office where the original home Administration Server is located. Specify
the addresses of Administration Servers in connection profiles and enable or disable the Use to receive updates
only option:

Select the option if you need Network Agent to be synchronized with the home Administration Server, while
using the local Server for downloading updates only.

Disable this option if it is necessary for Network Agent to be managed completely by the local Administration
Server.

After that, you must set up the conditions for switching to the newly created profiles: at least one condition for
each of the offices, except for the home office. Each condition detects items that are specific to an office's
network environment. If a condition is true, the corresponding profile is activated. If none of the conditions is true,
Network Agent switches back to the home Administration Server.

Creating a connection profile for out-of-office users

An Administration Server connection profile is available only on devices running Windows and macOS.

To create a profile for connecting Network Agent to Administration Server for out-of-office users:

1. If you want to create a connection profile for a group of managed devices, open the Network Agent policy of
this group. To do this, do the following:

a. In the main menu, go to DEVICES → POLICIES & PROFILES.

b. Click the current path link.

c. In the window that opens, select a required administration group.


After that, the current path is changed.

d. Add the Network Agent policy for the group of managed devices. If you have already created it, click the
Network Agent policy name to open the policy properties.

2. If you want to create a connection profile for a specific managed device, do the following:

a. In the main menu, go to DEVICES → MANAGED DEVICES.

b. Click the name of the managed device.

c. In the managed device properties window that opens, go to the Applications tab.

d. Click the name of the Network Agent policy to which only the selected managed device applies.

3. In the properties window that opens, go to Application settings → Network → Connection profiles.

4. In the Administration Server connection profiles section, click the Add button.
By default, the list of connection profiles contains the <Offline mode> and <Home Administration Server>
profiles. These two default profiles cannot be edited or removed.

The <Offline mode> profile does not specify any Server for connection. Therefore, Network Agent, when
switched to that profile, does not attempt to connect to any Administration Server while applications installed
on client devices run under out-of-office policies. The <Offline mode> profile can be used if devices are
disconnected from the network.
The <Home Administration Server> profile specifies the connection for the Administration Server that was
selected during Network Agent installation. The <Home Administration Server> profile is applied when a device
is reconnected to the home Administration Server after it was running on an external network for some time.

5. In the Configure profile window that opens, configure the connection profile:

Profile name

In the entry field you can view or change the connection profile name.

Administration Server address

Address of the Administration Server to which the client device must connect during profile activation.

Port number

Port number that is used for connection.

SSL port

Port number for connection if using the SSL protocol.

Use SSL connection

If this option is enabled, the connection is established through a secure port, by using SSL protocol.
By default, this option is enabled. We recommend that you do not disable this option so your
connection remains secured.

Select the Use proxy server option if you want to use a proxy server when connecting to the internet. If this
option is selected, fields are available for entering settings. Specify the following settings for a proxy server
connection:

Address

Address of the proxy server used for Kaspersky Security Center connection to the internet.

Port number

Number of the port through which Kaspersky Security Center proxy connection will be established.

Proxy server authentication

If this check box is selected, in the entry elds you can specify the credentials for proxy server
authentication.

User name

User account under which connection to the proxy server is established (this field is available if the
Proxy server authentication check box is selected).

Password

Password set by the user under whose account the proxy server connection is established (this field
is available if the Proxy server authentication check box is selected).
To see the entered password, click and hold the Show button for as long as you require.

Connection gateway address

Address of the gateway through which client devices connect to the Administration Server.

Enable out-of-office mode when Administration Server is not available

Select this check box to allow the applications installed on a client device to use policy profiles for
devices in out-of-office mode, as well as out-of-office policies, at any connection attempt if the
Administration Server is not available. If no out-of-office policy has been defined for the application,
the active policy will be used.
If this option is disabled, applications will use active policies.
By default, this check box is cleared.

Use to receive updates only

If this option is enabled, the profile will only be used for downloading updates by applications installed
on the client device. For other operations, connection to the Administration Server will be established
with the initial connection settings defined during Network Agent installation.
By default, this option is enabled.

Synchronize connection settings with the Administration Server settings specified in this profile

If this option is enabled, Network Agent connects to Administration Server using the settings specified
in the profile properties.
If this option is disabled, Network Agent connects to Administration Server using the original settings
that have been specified during installation.
This option is available if the Use to receive updates only option is disabled.
By default, this option is disabled.

A profile for connecting Network Agent to Administration Server is created for out-of-office users. When
Network Agent connects to Administration Server by using this profile, applications installed on the client device
will use policies for devices in out-of-office mode or out-of-office policies.

About switching Network Agent to other Administration Servers


Kaspersky Security Center provides the option of switching Network Agent on a client device to other
Administration Servers if the following settings of the network have been changed:

Condition for DHCP server address—The IP address of the network Dynamic Host Configuration Protocol
(DHCP) server has changed.

Condition for default connection gateway address—The address of the main network gateway has changed.

Condition for DNS domain—The DNS suffix of the subnet has changed.

Condition for DNS server address—The IP address of the network DNS server has changed.

Condition for WINS server address—The IP address of the network WINS server has changed. This setting is
available only for devices running Windows.

Condition for name resolvability—The DNS or NetBIOS name of the client device has changed.

Condition for subnet—The subnet address and mask have changed.

Condition for Windows domain accessibility—The accessibility status of the Windows domain to which the client
device is joined has changed. This setting is available only for devices running Windows.

Condition for SSL connection address accessibility—The client device can or cannot (depending on the
option that you select) establish an SSL connection with a specified Server (name:port). For each server, you
can additionally specify an SSL certificate. In this case, the Network Agent verifies the Server certificate in
addition to checking the capability of an SSL connection. If the certificate does not match, the connection
fails.

This feature is supported only for Network Agents installed on devices running Windows or macOS.

The initial settings of the Network Agent connection to Administration Server are defined when installing the
Network Agent. Afterwards, if rules for switching the Network Agent to other Administration Servers have been
created, the Network Agent responds to changes in the network settings as follows:

If the network settings comply with one of the rules created, Network Agent connects to the Administration
Server specified in this rule. Applications installed on client devices switch to out-of-office policies, provided
such behavior is enabled by a rule.

If none of the rules apply, Network Agent reverts to the default settings of connection to the Administration
Server specified during the installation. Applications installed on client devices switch back to active policies.

If the Administration Server is not accessible, Network Agent uses out-of-office policies.

Network Agent switches to the out-of-office policy only if the Enable out-of-office mode when
Administration Server is not available option is enabled in the Network Agent policy settings.

The settings of Network Agent connection to Administration Server are saved in a connection profile. In the
connection profile, you can create rules for switching client devices to out-of-office policies, and you can
configure the profile so that it could only be used for downloading updates.

Creating a Network Agent switching rule by network location

Network Agent-switching by network location is available only on devices running Windows and macOS.

To create a rule for Network Agent switching from one Administration Server to another if network settings
change:

1. If you want to create a rule for a group of managed devices, open the Network Agent policy of this group. To do
this, do the following:

a. In the main menu, go to DEVICES → POLICIES & PROFILES.

b. Click the current path link.

c. In the window that opens, select a required administration group.


After that, the current path is changed.

d. Add the Network Agent policy for the group of managed devices. If you have already created it, click the
Network Agent policy name to open the policy properties.

2. If you want to create a rule for a speci c managed device, do the following:

a. In the main menu, go to DEVICES → MANAGED DEVICES.

b. Click the name of the managed device.

c. In the managed device properties window that opens, go to the Applications tab.

d. Click the name of the Network Agent policy to which only the selected managed device applies.

3. In the properties window that opens, go to Application settings → Network → Connection profiles.

4. In the Network location settings section, click the Add button.

5. In the properties window that opens, configure the network location description and switching rule. Specify the
following network location description settings:

Description

The name of a network location description cannot be longer than 255 characters nor contain special
symbols, such as ("*<>?\/:|).

Use connection profile

In the drop-down list, specify the connection profile that Network Agent uses to connect to the
Administration Server when the conditions of this network location description are met. The connection
profile contains the settings for the Network Agent connection to the Administration Server; it also defines
when client devices must switch to out-of-office policies. If the Use to receive updates only option is
enabled in the profile, the profile is used only for downloading updates.

Description enabled

Select this check box to enable the use of the new network location description.

6. Select conditions for the Network Agent switching rule:

Condition for DHCP server address—The IP address of the network Dynamic Host Configuration Protocol
(DHCP) server has changed.

Condition for default connection gateway address—The address of the main network gateway has
changed.

Condition for DNS domain—The DNS suffix of the subnet has changed.

Condition for DNS server address—The IP address of the network DNS server has changed.

Condition for WINS server address—The IP address of the network WINS server has changed. This setting
is available only for devices running Windows.

Condition for name resolvability—The DNS or NetBIOS name of the client device has changed.

Condition for subnet—The subnet address and mask have changed.

Condition for Windows domain accessibility—The accessibility status of the Windows domain to which the
client device is joined has changed. This setting is available only for devices running Windows.

Condition for SSL connection address accessibility—The client device can or cannot (depending on the
option that you select) establish an SSL connection with a specified Server (name:port). For each server,
you can additionally specify an SSL certificate. In this case, the Network Agent verifies the Server
certificate in addition to checking the capability of an SSL connection. If the certificate does not match, the
connection fails.

The conditions in a rule are combined by using the logical AND operator. To trigger a switching rule by the
network location description, all of the rule switching conditions must be met.

7. In the condition section, specify when Network Agent should be switched to another Administration Server. For
this purpose, click the Add button, and then set the condition value.
Also, the Matches at least one value from the list option is enabled by default. You can disable this option if
you want the condition to be met with all speci ed values.

8. Save your changes.

A new switching rule by the network location description is created; any time its conditions are met, the Network
Agent uses the connection profile specified in the rule to connect to the Administration Server.
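The rule semantics spelled out in the two sections above (conditions inside one rule combined with AND, "at least one value" or "all values" inside a condition, the first matching enabled rule selecting its profile, a fall-back to the home Administration Server when nothing matches, out-of-office policies only when the profile allows them and the Server is down) are easy to get wrong when reasoning about a roaming laptop. The Python model below is an added example written for this section, not Kaspersky Security Center code; the attribute names such as dns_domain, the snapshot layout, the addresses and the assumption that the selected profile's out-of-office flag governs even in updates-only mode are all this example's own.

```python
"""Model of Network Agent switching by network location (added example).

Illustration written for this section, not Kaspersky Security Center code.
Conditions inside one rule are combined with AND; a condition matches when at
least one listed value is observed ("Matches at least one value from the list",
the default) or, with that option off, only when every listed value is observed.
The first enabled rule whose conditions all hold selects its connection profile;
with no match the agent reverts to <Home Administration Server>.
Attribute names, snapshot layout and all addresses are assumptions.
"""
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple

HOME_PROFILE = "<Home Administration Server>"


@dataclass
class Condition:
    attribute: str          # network property inspected (dns_domain, dhcp_server, ...)
    values: List[str]       # values entered in the rule
    match_any: bool = True  # "Matches at least one value from the list"
    negate: bool = False    # the "cannot connect" form of the SSL accessibility condition

    def holds(self, observed: Set[str]) -> bool:
        wanted = set(self.values)
        matched = bool(wanted & observed) if self.match_any else wanted <= observed
        return matched != self.negate


@dataclass
class ConnectionProfile:
    name: str
    server: str                                   # Administration Server or gateway address
    updates_only: bool = True                     # "Use to receive updates only" (default on)
    out_of_office_when_unavailable: bool = False  # "Enable out-of-office mode when ... not available"


@dataclass
class LocationRule:
    description: str
    profile: str                  # ConnectionProfile selected when the rule fires
    conditions: List[Condition]
    enabled: bool = True          # "Description enabled"

    def matches(self, snapshot: Dict[str, List[str]]) -> bool:
        # A rule without conditions would fire on every network; treat it as inert.
        if not self.enabled or not self.conditions:
            return False
        return all(c.holds(set(snapshot.get(c.attribute, ()))) for c in self.conditions)


def select_profile(rules: List[LocationRule], snapshot: Dict[str, List[str]]) -> str:
    """First enabled rule whose conditions all hold wins; otherwise the home profile."""
    for rule in rules:
        if rule.matches(snapshot):
            return rule.profile
    return HOME_PROFILE


def resolve(rules: List[LocationRule], profiles: Dict[str, ConnectionProfile],
            snapshot: Dict[str, List[str]], reachable: Set[str]) -> Tuple[str, str, str]:
    """Return (management server, update server, policy set) for one network state.

    `reachable` holds the addresses the agent can currently connect to. With
    "Use to receive updates only" on, the profile serves updates while management
    stays with the home Administration Server. Out-of-office policies apply only
    when the selected profile allows them and its management server is down
    (assumption: the selected profile's flag governs this even in updates-only mode).
    """
    prof = profiles[select_profile(rules, snapshot)]
    updates = prof.server
    mgmt = profiles[HOME_PROFILE].server if prof.updates_only else prof.server
    if mgmt in reachable or not prof.out_of_office_when_unavailable:
        return mgmt, updates, "active"
    return mgmt, updates, "out-of-office"


# Constructed sample configuration and network snapshots (hypothetical values).
PROFILES = {
    HOME_PROFILE: ConnectionProfile(HOME_PROFILE, "ksc-hq.corp.example", updates_only=False),
    "Branch-Berlin": ConnectionProfile("Branch-Berlin", "ksc-ber.corp.example"),
    "Internet": ConnectionProfile("Internet", "gw.example.com", updates_only=False,
                                  out_of_office_when_unavailable=True),
}
RULES = [
    LocationRule("Berlin office LAN", "Branch-Berlin", [
        Condition("dns_domain", ["ber.corp.example"]),
        Condition("dhcp_server", ["10.20.0.1", "10.20.0.2"]),
    ]),
    LocationRule("Outside the corporate network", "Internet", [
        Condition("ssl_reachable", ["ksc-hq.corp.example:13000"], negate=True),
    ]),
]
SNAPSHOTS = {
    "hq": {"dns_domain": ["corp.example"], "dhcp_server": ["10.0.0.1"],
           "ssl_reachable": ["ksc-hq.corp.example:13000"]},
    "berlin": {"dns_domain": ["ber.corp.example"], "dhcp_server": ["10.20.0.2"],
               "ssl_reachable": ["ksc-hq.corp.example:13000", "ksc-ber.corp.example:13000"]},
    "cafe": {"dns_domain": ["home.lan"], "dhcp_server": ["192.168.1.1"], "ssl_reachable": []},
}

if __name__ == "__main__":
    for where, snap in SNAPSHOTS.items():
        reach = {a.rsplit(":", 1)[0] for a in snap["ssl_reachable"]}
        print(where, select_profile(RULES, snap), resolve(RULES, PROFILES, snap, reach))
```

Running the block prints, for each constructed snapshot, the selected profile and the resulting management server, update server and policy set. The negate flag is one way to express the "cannot establish an SSL connection" form of the accessibility condition, which is what a rule for "outside the corporate network" needs; note that the Berlin rule does not fire at headquarters even though the DHCP condition would pass there if it were the only condition, because all conditions of a rule must hold.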

Protection Deployment Wizard


To install Kaspersky applications, you can use the Protection Deployment Wizard. The Protection Deployment
Wizard enables remote installation of applications either through specially created installation packages or directly
from a distribution package.

Protection Deployment Wizard performs the following actions:

Downloads an installation package for application installation (if it was not created earlier). The installation
package is located at DISCOVERY & DEPLOYMENT → DEPLOYMENT & ASSIGNMENT → INSTALLATION
PACKAGES. You can use this installation package for the application installation in the future.
Creates and runs a remote installation task for speci c devices or for an administration group. The newly
created remote installation task is stored in the Tasks section. You can later start this task manually. The task
type is Install application remotely.

If you want to install Network Agent on devices with the SUSE Linux Enterprise Server 15 operating system,
install the insserv-compat package first to configure Network Agent.

Starting Protection Deployment Wizard


To start the Protection Deployment Wizard manually,

In the main menu, click DISCOVERY & DEPLOYMENT → DEPLOYMENT & ASSIGNMENT → PROTECTION
DEPLOYMENT WIZARD.

The Protection Deployment Wizard starts. Proceed through the Wizard by using the Next button.

Step 1. Selecting the installation package


Select the installation package of the application that you want to install.

If the installation package of the required application is not listed, click the Add button and then select the
application from the list.

Step 2. Selecting a method for distribution of key file or activation code


Select a method for the distribution of the key file or the activation code:

Do not add license key to installation package

The key is automatically distributed to all devices with which it is compatible:


If automatic distribution has been enabled in the key properties.

If the Add key task has been created.

Add license key to installation package

The key is distributed to devices together with the installation package.

We do not recommend that you distribute the key using this method, because the installation package
repository is shared with Read access rights: anyone who can read that share can also obtain the key.

If the installation package already includes a key file or an activation code, this window is displayed, but it only
contains the license key details.

Step 3. Selecting Network Agent version


If you selected the installation package of an application other than Network Agent, you also have to install
Network Agent, which connects the application with Kaspersky Security Center Administration Server.

Select the latest version of Network Agent.

Step 4. Selecting devices


Specify a list of devices on which the application will be installed:

Install on managed devices

If this option is selected, the remote installation task is created for a group of devices.

Select devices for installation

The task is assigned to devices included in a device selection. You can specify one of the existing
selections.
For example, you may want to use this option to run a task on devices with a specific operating system
version.

Step 5. Specifying the remote installation task settings


On the Remote installation task settings page, specify the settings for remote installation of the application.

In the Force installation package download settings group, specify how files that are required for the application
installation are distributed to client devices:

Using Network Agent

If this option is enabled, installation packages are delivered to client devices by Network Agent installed on
those client devices.
If this option is disabled, installation packages are delivered using the operating system tools of client
devices.
We recommend that you enable this option if the task has been assigned to devices with Network Agents
installed.
By default, this option is enabled.

Using operating system resources through distribution points

If this option is enabled, installation packages are transmitted to client devices using operating system
tools through distribution points. You can select this option if there is at least one distribution point on the
network.
If the Using Network Agent option is enabled, the files are delivered using operating system tools only if
Network Agent tools are unavailable.
By default, this option is enabled for remote installation tasks that have been created on a virtual
Administration Server.

Using operating system resources through Administration Server

If this option is enabled, files are transmitted to client devices by using operating system tools of client
devices through the Administration Server. You can enable this option if no Network Agent is installed on
the client device, but the client device is in the same network as the Administration Server.
By default, this option is enabled.

Define the additional settings:

Do not re-install application if it is already installed

If this option is enabled, the selected application will not be re-installed if it has already been installed on
this client device.
If this option is disabled, the application will be installed anyway.
By default, this option is enabled.

Assign package installation in Active Directory group policies

If this option is enabled, an installation package is installed by using the Active Directory group policies.
This option is available if the Network Agent installation package is selected.
By default, this option is disabled.

Step 6. Restart management


Specify the action to be performed if the operating system must be restarted when you install the application:

Do not restart the device

Client devices are not restarted automatically after the operation. To complete the operation, you must
restart a device (for example, manually or through a device management task). Information about the
required restart is saved in the task results and in the device status. This option is suitable for tasks on
servers and other devices where continuous operation is critical.

Restart the device

Client devices are always restarted automatically if a restart is required for completion of the operation.
This option is useful for tasks on devices that provide for regular pauses in their operation (shutdown or
restart).

Prompt user for action

The restart reminder is displayed on the screen of the client device, prompting the user to restart it
manually. Some advanced settings can be defined for this option: text of the message for the user, the
message display frequency, and the time interval after which a restart will be forced (without the user's
confirmation). This option is most suitable for workstations where users must be able to select the most
convenient time for a restart.
By default, this option is selected.

Repeat prompt every (min)

If this option is enabled, the application prompts the user to restart the operating system with the
specified frequency.
By default, this option is enabled. The default interval is 5 minutes. Available values are between 1 and
1440 minutes.
If this option is disabled, the prompt is displayed only once.

Restart after (min)

After prompting the user, the application forces restart of the operating system upon expiration of the
specified time interval.
By default, this option is enabled. The default delay is 30 minutes. Available values are between 1 and
1440 minutes.

Force closure of applications in blocked sessions

Running applications may prevent a restart of the client device. For example, if a document is being edited
in a word processing application and is not saved, the application does not allow the device to restart.
If this option is enabled, such applications on a locked device are forced to close before the device restart.
As a result, users may lose their unsaved changes.
If this option is disabled, a locked device is not restarted. The task status on this device states that a
device restart is required. Users have to manually close all applications running on locked devices and
restart these devices.
By default, this option is disabled.

Step 7. Removing incompatible applications before installation


This step is only present if the application that you deploy is known to be incompatible with some other
applications.

Select the option if you want Kaspersky Security Center to automatically remove applications that are
incompatible with the application you deploy.
The list of incompatible applications is also displayed.

If you do not select this option, the application will only be installed on devices that have no incompatible
applications.

Step 8. Moving devices to Managed devices


Specify whether devices must be moved to an administration group after Network Agent installation.

Do not move devices

The devices remain in the groups in which they are currently located. The devices that have not been
placed in any group remain unassigned.

Move unassigned devices to group

The devices are moved to the administration group that you select.

The Do not move devices option is selected by default. For security reasons, you might want to move the devices
manually.

Step 9. Selecting accounts to access devices


If necessary, add the accounts that will be used to start the remote installation task:

No account required (Network Agent installed)

If this option is selected, you do not have to specify the account under which the application installer will
be run. The task will run under the account under which the Administration Server service is running.
If Network Agent has not been installed on client devices, this option is not available.

Account required (Network Agent is not used)

Select this option if Network Agent is not installed on the devices for which you assign the remote
installation task. In this case, you can specify a user account to install the application.

To specify the user account under which the application installer will be run, click the Add button, select
Local Account, and then specify the user account credentials.

You can specify multiple user accounts if, for example, none of them have all the required rights on all
devices for which you assign the task. In this case, all added accounts are used for running the task, in
consecutive order, top-down.

Step 10. Starting installation
This page is the final step of the Wizard. At this step, the Remote installation task has been successfully created
and configured.

By default, the Run the task after the Wizard finishes option is not selected. If you select this option, the Remote
installation task will start immediately after you complete the Wizard. If you do not select this option, the Remote
installation task will not start. You can later start this task manually.

Click OK to complete the final step of the Protection Deployment Wizard.

Configuring Administration Server


This section describes the configuration process and properties of Kaspersky Security Center Administration
Server.

Configuring the connection of Kaspersky Security Center Web Console to Administration Server

To set the connection ports of Administration Server:

1. At the top of the screen, click the settings icon ( ) next to the name of the required Administration Server.
The Administration Server properties window opens.

2. On the General tab, select the Connection ports section.

The application displays the main connection settings of the selected server.

Kaspersky Security Center Web Console is connected to Administration Server through SSL port TCP 13299. The
same port can be used by klakaut automation objects.

Port TCP 14000 can be used for connecting Kaspersky Security Center Web Console, distribution points,
secondary Administration Servers, and klakaut automation objects, as well as for receiving data from client
devices.

Normally, SSL port TCP 13000 can only be used by Network Agent, a secondary Administration Server, and the
primary Administration Server in DMZ. In some cases, Kaspersky Security Center Web Console may have to be
connected through SSL port 13000:

If a single SSL port is likely to be used both for Kaspersky Security Center Web Console and for other activities
(receiving data from client devices, connecting distribution points, connecting secondary Administration
Servers).

If a klakaut automation object is not connected to Administration Server directly but through a distribution
point in the DMZ.
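Before opening a firewall rule or pointing the Web Console at a port, it helps to confirm which of these listeners answer and which certificate they present. The script below is an added example written for this section, not a Kaspersky utility: it probes the ports listed above, completes a TLS handshake on the ones the text describes as SSL ports, and reports the SHA-256 fingerprint of the presented certificate so it can be recorded and pinned, the same idea as the certificate check in the "Condition for SSL connection address accessibility". The host name and the expected fingerprint are placeholders, and the role descriptions are taken from the text above.

```python
"""Pre-flight check of Administration Server listeners (added example).

Written for this section; not a Kaspersky tool. For each port named in the
text it opens a TCP connection and, on the ports the text calls SSL ports,
completes a TLS handshake without chain validation (the Administration Server
certificate is commonly self-signed) and returns the SHA-256 fingerprint of
the presented certificate for comparison with one recorded from the server.
Host names and the expected fingerprint are placeholders.
"""
import hashlib
import socket
import ssl
from typing import Dict, Optional, Tuple

# Ports named in this section; the flag says whether the text calls it an SSL
# port, and only those get a TLS handshake here.
KSC_PORTS: Dict[int, Tuple[str, bool]] = {
    13000: ("Network Agent, secondary Administration Server, Server in DMZ", True),
    13299: ("Kaspersky Security Center Web Console, klakaut automation objects", True),
    14000: ("Web Console, distribution points, secondary Servers, klakaut, client data", False),
    13294: ("UEFI protection devices and KasperskyOS devices", False),
}


def parse_target(spec: str, default_port: int = 13000) -> Tuple[str, int]:
    """Split the 'name:port' form used by the SSL accessibility condition."""
    host, sep, port = spec.rpartition(":")
    return (host, int(port)) if sep else (spec, default_port)


def fingerprint(der: bytes) -> str:
    """SHA-256 of a DER-encoded certificate as colon-separated upper-case hex."""
    hexdigest = hashlib.sha256(der).hexdigest().upper()
    return ":".join(hexdigest[i:i + 2] for i in range(0, len(hexdigest), 2))


def same_fingerprint(a: str, b: str) -> bool:
    """Compare fingerprints ignoring case and separators."""
    return a.replace(":", "").upper() == b.replace(":", "").upper()


def probe(host: str, port: int, use_tls: bool, expected_fp: Optional[str] = None,
          timeout: float = 5.0) -> Tuple[bool, Optional[str], Optional[bool]]:
    """Return (reachable, certificate fingerprint, fingerprint matches expected).

    The fingerprint is None when no TLS handshake was attempted or it failed;
    the match flag is None when no expected fingerprint was supplied.
    """
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            if not use_tls:
                return True, None, None
            ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
            ctx.check_hostname = False
            ctx.verify_mode = ssl.CERT_NONE  # pinning below replaces chain validation
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                der = tls.getpeercert(binary_form=True)
    except (OSError, ssl.SSLError):
        return False, None, None
    fp = fingerprint(der) if der else None
    match = None if expected_fp is None or fp is None else same_fingerprint(fp, expected_fp)
    return True, fp, match


def check_server(host: str, expected_fp: Optional[str] = None):
    """Probe every listener in KSC_PORTS on one Administration Server."""
    return {port: probe(host, port, use_tls, expected_fp)
            for port, (_, use_tls) in KSC_PORTS.items()}


if __name__ == "__main__":
    # Placeholder host; replace with the Administration Server or DMZ gateway address.
    for port, (reachable, fp, ok) in check_server("ksc.corp.example").items():
        state = "reachable" if reachable else "NOT reachable"
        print(port, KSC_PORTS[port][0], state, fp, ok)
```

Run it from the network segment the client sits on (a branch LAN, the DMZ, the internet side of the gateway), because the point is to see what that segment can reach; a port that answers from inside but not from the DMZ is the usual reason a gateway-connected agent never checks in. Compare the printed fingerprint with the one recorded on the Administration Server itself before pinning it; a mismatch on 13000 from the outside suggests something other than the Server is terminating the connection.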

Viewing log of connections to the Administration Server
The history of connections and attempts to connect to the Administration Server during its operation can be
saved to a log file. The information in the file allows you to track not only connections inside your network
infrastructure, but unauthorized attempts to access the server as well.

To log events of connection to the Administration Server:

1. In the main menu, click the settings icon ( ) next to the name of the required Administration Server.
The Administration Server properties window opens.

2. On the General tab, select the Connection ports section.

3. Enable the Log Administration Server connection events option.

All further events of inbound connections to the Administration Server, authentication results, and SSL errors
will be saved to the file %ProgramData%\KasperskyLab\adminkit\logs\sc.syslog.

Setting the maximum number of events in the event repository


In the Events repository section of the Administration Server properties window, you can edit the settings of
events storage in the Administration Server database by limiting the number of event records and record storage
term. When you specify the maximum number of events, the application calculates an approximate amount of
storage space required for the specified number. You can use this approximate calculation to evaluate whether you
have enough free space on the disk to avoid database overflow. The default capacity of the Administration Server
database is 400,000 events. The maximum recommended capacity of the database is 45 million events.

The application checks the database every 10 minutes. If the number of events reaches the specified maximum
value plus 10,000, the application deletes the oldest events so that only the specified maximum number of events
remains.

When the Administration Server deletes old events, it cannot save new events to the database. During this period
of time, information about events that were rejected is written to the Kaspersky Event Log. The new events are
queued and then saved to the database after the deletion operation is complete.

To limit the number of events that can be stored in the events repository on the Administration Server:

1. At the top of the screen, click the settings icon ( ) next to the name of the required Administration Server.
The Administration Server properties window opens.

2. On the General tab, select the Events repository section. Specify the maximum number of events stored in
the database.

3. Click the Save button.

Additionally, you can change the settings of any task to save events related to the task progress, or save only task
execution results. In doing so, you will reduce the number of events in the database, increase the speed of
execution of scenarios associated with analysis of the event table in the database, and lower the risk that critical
events will be overwritten by a large number of events.
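A model of the retention rule described above, added here as an illustration (it is not Kaspersky code). The 10-minute check period, the 10,000-event margin, the 400,000-event default and the 45 million ceiling are the documented values; the per-event size used for the disk-space estimate, and the event names and timestamps in the walk-through, are constructed assumptions.

```python
"""Model of the event-repository retention rule described above.

Added illustration, not Kaspersky code. The 10-minute check period, the
10,000-event margin, the 400,000 default and the 45 million ceiling are the
documented values; the per-event size used for the disk estimate is a
constructed assumption.
"""
from collections import deque

CHECK_INTERVAL_SECONDS = 10 * 60      # the application checks the database every 10 minutes
TRIM_MARGIN = 10_000                  # deletion starts at maximum + 10,000 events
DEFAULT_MAX_EVENTS = 400_000          # default database capacity
RECOMMENDED_MAX_EVENTS = 45_000_000   # maximum recommended capacity
ASSUMED_BYTES_PER_EVENT = 2_048       # assumption: used only for the sizing estimate


class EventRepository:
    """Events repository with the documented size limit and trimming behaviour."""

    def __init__(self, max_events=DEFAULT_MAX_EVENTS):
        if not 1 <= max_events <= RECOMMENDED_MAX_EVENTS:
            raise ValueError("max_events must be between 1 and 45,000,000")
        self.max_events = max_events
        self.events = deque()       # oldest event on the left
        self.pending = deque()      # events that arrived while deletion was running
        self.trimming = False
        self.event_log = []         # stand-in for the Kaspersky Event Log entries
        self.last_check = 0

    def estimated_bytes(self):
        """Approximate disk space needed for max_events (assumed 2 KiB per event)."""
        return self.max_events * ASSUMED_BYTES_PER_EVENT

    def add(self, event, now):
        """Store an event, or queue it while old events are being deleted."""
        if self.trimming:
            self.event_log.append(f"{now}: event {event!r} deferred, deletion in progress")
            self.pending.append(event)
        else:
            self.events.append(event)
        self.check(now)

    def check(self, now):
        """Periodic check: once per CHECK_INTERVAL_SECONDS, start a trim if over the margin."""
        if self.trimming or now - self.last_check < CHECK_INTERVAL_SECONDS:
            return
        self.last_check = now
        if len(self.events) >= self.max_events + TRIM_MARGIN:
            self.trimming = True    # deletion of the oldest events begins

    def finish_trim(self):
        """Complete the deletion: keep the newest max_events, then store the queued events."""
        if not self.trimming:
            return 0
        excess = max(0, len(self.events) - self.max_events)
        for _ in range(excess):
            self.events.popleft()
        self.trimming = False
        while self.pending:
            self.events.append(self.pending.popleft())
        return excess

    def count(self):
        return len(self.events)


def run_demo(max_events=1_000):
    """Constructed walk-through: overfill, let the check fire, add events mid-deletion."""
    repo = EventRepository(max_events)
    for i in range(max_events + TRIM_MARGIN):
        repo.add(f"ev{i}", now=0)                 # no check fires before the interval elapses
    repo.check(CHECK_INTERVAL_SECONDS)            # count == max + 10,000: deletion starts
    repo.add("late-1", now=CHECK_INTERVAL_SECONDS + 1)   # queued and logged as deferred
    repo.add("late-2", now=CHECK_INTERVAL_SECONDS + 2)
    deleted = repo.finish_trim()                  # oldest 10,000 removed, then the 2 queued stored
    return repo, deleted


if __name__ == "__main__":
    repo, deleted = run_demo()
    print(f"deleted {deleted}, kept {repo.count()}, oldest now {repo.events[0]}")
    print(f"default capacity needs about {EventRepository().estimated_bytes() / 2**20:.0f} MiB (assumed)")
```

The point the walk-through makes is the one to plan disk space around: between two checks the repository can legitimately hold the configured maximum plus 10,000 events, so the estimate shown in the properties window is a floor, not a ceiling, and events logged as deferred during a trim are a normal sign of the limit being hit rather than of data loss.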

Connection settings of UEFI protection devices

A UEFI protection device is a device with Kaspersky Anti-Virus for UEFI integrated at the BIOS level. Integrated
protection ensures device security from the moment the system starts, while protection on devices without
integrated software begins functioning only after the security application starts. Kaspersky Security Center
supports management of these devices.

To modify the connection settings of UEFI protection devices:

1. In the main menu, click the settings icon next to the name of the required Administration Server.
The Administration Server properties window opens.

2. On the General tab, select the Additional ports section.

3. Modify the relevant settings:

Open port for UEFI protection devices and KasperskyOS devices

UEFI protection devices can connect to the Administration Server.

Port for UEFI protection devices and KasperskyOS devices

You can change the port number if the Open port for UEFI protection devices and KasperskyOS
devices option is enabled. The default port number is 13294.

4. Click the Save button.

The UEFI protection devices can now connect to the Administration Server.

Creating a hierarchy of Administration Servers: adding a secondary Administration Server

Adding secondary Administration Server (performed on the future primary Administration Server)

You can add an Administration Server as a secondary Administration Server, thus establishing a
"primary/secondary" hierarchy.

To add a secondary Administration Server that is available for connection through Kaspersky Security Center Web
Console:

1. Make sure that port 13000 of the future primary Administration Server is available for receipt of connections
from secondary Administration Servers.

2. On the future primary Administration Server, click the settings icon.

3. On the properties page that opens, select the Administration Servers tab.

4. Select the check box next to the name of the administration group to which you want to add the Administration
Server.

5. In the menu line, click Connect secondary Administration Server.


The Connect secondary Administration Server Wizard starts.

6. On the first page of the Wizard, fill in the following fields:

Secondary Administration Server display name

A name by which the secondary Administration Server will be displayed in the hierarchy. If you want, you
can enter the IP address as a name, or you can use a name like, for example, "Secondary Server for
group 1".

Secondary Administration Server address (optional)

Specify the IP address or the domain name of the secondary Administration Server.

Administration Server SSL port

Specify the number of the SSL port on the primary Administration Server. The default port number is
13000.

Administration Server API port

Specify the number of the port on the primary Administration Server for receiving connections over
OpenAPI. The default port number is 13299.

Connect primary Administration Server to secondary Administration Server in DMZ

Select this option if the secondary Administration Server is in a demilitarized zone (DMZ).
If this option is selected, the primary Administration Server initiates connection to the secondary
Administration Server. Otherwise, the secondary Administration Server initiates connection to the
primary Administration Server.

7. Specify the connection settings:

Enter the address of the future primary Administration Server.

If the future secondary Administration Server uses a proxy server, enter the proxy server address and user
credentials to connect to the proxy server.

8. Enter the credentials of the user that has access rights on the future secondary Administration Server.

Make sure that two-step verification is disabled for the account that you specify. If two-step verification is
enabled for this account, then you can create the hierarchy from the future secondary Server only (see
instructions below). This is a known issue.

If the connection settings are correct, the connection with the future secondary Server is established and the
"primary/secondary" hierarchy is built. If the connection has failed, check the connection settings or specify the
certificate of the future secondary Server manually.

The connection may also fail because the future secondary Server is authenticated with a self-signed
certificate that was automatically generated by Kaspersky Security Center. As a result, the browser might block
downloading the self-signed certificate. If this is the case, you can do one of the following:

For the future secondary Server, create a certificate that is trusted in your infrastructure and that meets the
requirements for custom certificates.

Add the self-signed certificate of the future secondary Server to the list of trusted browser certificates. We
recommend that you use this option only if you cannot create a custom certificate. For the information about
adding a certificate to the list of trusted certificates, refer to the documentation of your browser.

After the Wizard finishes, the "primary/secondary" hierarchy is built. Connection between the primary and
secondary Administration Servers is established through port 13000. The tasks and policies from the primary
Administration Server are received and applied. The secondary Administration Server is displayed on the primary
Administration Server, in the administration group to which it was added.

Adding secondary Administration Server (performed on the future secondary Administration Server)

If you could not connect to the future secondary Administration Server (for example, because it was temporarily
disconnected or unavailable), you are still able to add a secondary Administration Server.

To add as secondary an Administration Server that is not available for connection through Kaspersky Security
Center Web Console:

1. Send the certificate file of the future primary Administration Server to the system administrator of the office
where the future secondary Administration Server is located. (You can, for example, write the file to an external
device, such as a flash drive, or send it by email.)
The certificate file is located on the future primary Administration Server, at
%ALLUSERSPROFILE%\Application Data\KasperskyLab\adminkit\1093\cert\klserver.cer.

2. Prompt the system administrator in charge of the future secondary Administration Server to do the following:

a. Click the settings icon.

b. On the properties page that opens, proceed to the Hierarchy of Administration Servers section of the
General tab.

c. Select the This Administration Server is secondary in the hierarchy option.

d. In the Primary Administration Server address field, enter the network name of the future primary
Administration Server.

e. Select the previously saved file with the certificate of the future primary Administration Server by clicking
Browse.

f. If necessary, select the Connect primary Administration Server to secondary Administration Server in
DMZ check box.

g. If the connection to the future secondary Administration Server is performed through a proxy server, select
the Use proxy server option and specify the connection settings.
h. Click Save.

The "primary/secondary" hierarchy is built. The primary Administration Server starts receiving connections from
the secondary Administration Server using port 13000. The tasks and policies from the primary Administration
Server are received and applied. The secondary Administration Server is displayed on the primary Administration
Server, in the administration group where it was added.

Viewing the list of secondary Administration Servers


To view the list of the secondary (including virtual) Administration Servers:

In the main menu, click the name of the Administration Server, which is next to the settings icon.

The drop-down list of the secondary (including virtual) Administration Servers is displayed.

You can proceed to any of these Administration Servers by clicking its name.

The administration groups are shown, too, but they are grayed and not available for management in this menu.

If you are connected to your primary Administration Server in Kaspersky Security Center Web Console, and cannot
connect to a virtual Administration Server that is managed by a secondary Administration Server, you can use
one of the following ways:

Modify the existing Kaspersky Security Center Web Console installation to add the secondary Server to the
list of trusted Administration Servers. Then you will be able to connect to the virtual Administration Server in
Kaspersky Security Center Web Console.

1. On the device where Kaspersky Security Center Web Console is installed, run the ksc-web-console-
<version number>.<build number>.exe installation file under an account with administrative privileges.

2. The Setup Wizard will start.

3. On the first page of the Wizard, select the Upgrade option.

4. On the Modification type page, select the Edit connection settings option.

5. On the Trusted Administration Servers page, add the required secondary Administration Server.

6. On the last page of the Wizard, click Modify to apply the new settings.

7. After the application reconfiguration successfully completes, click the Finish button.

Use Kaspersky Security Center Web Console to connect directly to the secondary Administration Server
where the virtual Server was created. Then you will be able to switch to the virtual Administration Server in
Kaspersky Security Center Web Console.

Use MMC-based Administration Console to connect directly to the virtual Server.

Deleting a hierarchy of Administration Servers

If you no longer want to have a hierarchy of Administration Servers, you can disconnect them from this hierarchy.

To delete a hierarchy of Administration Servers:

1. At the top of the screen, click the settings icon next to the name of the primary Administration Server.

2. On the page that opens, proceed to the Administration Servers tab.

3. In the administration group from which you want to delete the secondary Administration Server, select the
secondary Administration Server.

4. On the menu line, click Delete.

5. In the window that opens, click OK to confirm that you want to delete the secondary Administration Server.

The former primary Administration Server and the former secondary Administration Server are now independent
of each other. The hierarchy no longer exists.

Administration Server maintenance


The Administration Server maintenance allows you to reduce the database volume, and improve the performance
and operation reliability of the application. We recommend that you maintain the Administration Server at least
every week.

The Administration Server maintenance is performed using the dedicated task. The application performs the
following actions when maintaining the Administration Server:

Checks the database for errors.

Re-organizes database indexes.

Updates the database statistics.

Shrinks the database (if necessary).

The Administration Server maintenance task does not support MariaDB. If this DBMS is used in your network,
administrators will have to maintain MariaDB on their own.

The Administration Server maintenance task is created automatically when you install Kaspersky Security Center.
If the Administration Server maintenance task is deleted, you can create it manually.

To create the Administration Server maintenance task:

1. In the main menu, go to DEVICES → TASKS.

2. Click the Add button.


The Add Task Wizard starts.

3. In the New task window of the Wizard, select Administration Server maintenance as the task type and click
the Next button.

4. Follow the rest of the Wizard instructions.

The newly created task is displayed in the list of tasks. Only one Administration Server maintenance task can be
running for a single Administration Server. If an Administration Server maintenance task has already been created
for an Administration Server, no new Administration Server maintenance task can be created.

Configuring the interface


You can configure the Kaspersky Security Center Web Console interface to display and hide sections and
interface elements, depending on the features being used.

To configure the Kaspersky Security Center Web Console interface in accordance with the currently used set of
features:

1. In the main menu, click the account menu.

2. In the drop-down menu, select Interface options.

3. In the Interface options window that opens, enable or disable the required options.

4. Click Save.

After that, the console displays sections in the main menu in accordance with enabled options. For example, if
you enable Show EDR alerts, the MONITORING & REPORTING → ALERTS section appears in the main menu.

Managing virtual Administration Servers


This section describes the following actions to manage virtual Administration Servers:

Create virtual Administration Servers

Enable and disable virtual Administration Servers

Assign an administrator for a virtual Administration Server

Change the Administration Server for client devices

Delete virtual Administration Servers

Creating a virtual Administration Server


You can create virtual Administration Servers and add them to administration groups.

To create and add a virtual Administration Server:

1. In the main menu, click the settings icon next to the name of the required Administration Server.

2. On the page that opens, proceed to the Administration Servers tab.

3. Select the administration group to which you want to add a virtual Administration Server.
The virtual Administration Server will manage devices from the selected group (including the subgroups).

4. On the menu line, click New virtual Administration Server.

5. On the page that opens, define the properties of the new virtual Administration Server:

Name of virtual Administration Server.

Administration Server connection address


You can specify the name or the IP address of your Administration Server.

6. From the list of users, select the virtual Administration Server administrator. If you want, you can edit one of the
existing accounts before assigning it the administrator's role, or create a new user account.

7. Click Save.

The new virtual Administration Server is created, added to the administration group and displayed on the
Administration Servers tab.

If you are connected to your primary Administration Server in Kaspersky Security Center Web Console, and cannot
connect to a virtual Administration Server that is managed by a secondary Administration Server, you can use
one of the following ways:

Modify the existing Kaspersky Security Center Web Console installation to add the secondary Server to the
list of trusted Administration Servers. Then you will be able to connect to the virtual Administration Server in
Kaspersky Security Center Web Console.

1. On the device where Kaspersky Security Center Web Console is installed, run the ksc-web-console-
<version number>.<build number>.exe installation file under an account with administrative privileges.

2. The Setup Wizard will start.

3. On the first page of the Wizard, select the Upgrade option.

4. On the Modification type page, select the Edit connection settings option.

5. On the Trusted Administration Servers page, add the required secondary Administration Server.

6. On the last page of the Wizard, click Modify to apply the new settings.

7. After the application reconfiguration successfully completes, click the Finish button.

Use Kaspersky Security Center Web Console to connect directly to the secondary Administration Server
where the virtual Server was created. Then you will be able to switch to the virtual Administration Server in
Kaspersky Security Center Web Console.

Use MMC-based Administration Console to connect directly to the virtual Server.

Enabling and disabling a virtual Administration Server

When you create a new virtual Administration Server, it is enabled by default. You can disable or enable it again at
any time. Disabling or enabling a virtual Administration Server is equal to switching off or on a physical
Administration Server.

To enable or disable a virtual Administration Server:

1. In the main menu, click the settings icon next to the name of the Administration Server.

2. On the page that opens, proceed to the Administration Servers tab.

3. Select the virtual Administration Server that you want to enable or disable.

4. On the menu line, click the Enable / disable virtual Administration Server button.

The virtual Administration Server state is changed to enabled or disabled, depending on its previous state. The
updated state is displayed next to the Administration Server name.

Deleting a virtual Administration Server


When you delete a virtual Administration Server, all of the objects created on the Administration Server, including
policies and tasks, will be deleted as well. The managed devices from the administration groups that were managed
by the virtual Administration Server will be removed from the administration groups. To return the devices under
management of Kaspersky Security Center, run the network polling, and then move the found devices from the
Unassigned devices group to the administration groups.

To delete a virtual Administration Server:

1. In the main menu, click the settings icon next to the name of the Administration Server.

2. On the page that opens, proceed to the Administration Servers tab.

3. Select the virtual Administration Server that you want to delete.

4. On the menu line, click the Delete button.

The virtual Administration Server is deleted.

Changing the Administration Server for client devices


You can change the Administration Server that manages client devices to a different Server using the Change
Administration Server task. After the task completion, the selected client devices will be put under the
management of the Administration Server that you specify. You can switch the device management between the
following Administration Servers:

Primary Administration Server and one of its virtual Administration Servers

Two virtual Administration Servers of the same primary Administration Server

To change the Administration Server that manages client devices to a different Server:

1. In the main menu, go to DEVICES → TASKS.

2. Click Add.
The Add Task Wizard starts. Proceed through the Wizard by using the Next button.

3. For the Kaspersky Security Center application, select the Change Administration Server task type.

4. Specify the name for the task that you are creating.
A task name cannot be more than 100 characters long and cannot include any special characters ("*<>?\:|).

5. Select devices to which the task will be assigned.

6. Select the Administration Server that you want to use to manage the selected devices.

7. Specify the account settings:

Default account

The task will be run under the same account as the application that performs this task.
By default, this option is selected.

Specify account

Fill in the Account and Password fields to specify the details of an account under which the task is run.
The account must have sufficient rights for this task.

Account

Account under which the task is run.

Password

Password of the account under which the task will be run.

8. If on the Finish task creation page you enable the Open task details when creation is complete option, you
can modify the default task settings. If you do not enable this option, the task is created with the default
settings. You can modify the default settings later, at any time.

9. Click the Finish button.


The task is created and displayed in the list of tasks.

10. Click the name of the created task to open the task properties window.

11. In the task properties window, specify the general task settings according to your needs.

12. Click the Save button.

The task is created and configured.

13. Run the created task.

After the task is complete, the client devices for which it was created are put under the management of the
Administration Server specified in the task settings.

Enabling account protection from unauthorized modification


You can enable an additional option to protect a user account from unauthorized modification. If this option is
enabled, modifying user account settings requires authorization of the user with the rights for modification.

To enable or disable account protection from unauthorized modification:

1. In the main menu, go to USERS & ROLES → USERS.

2. Click the name of the internal user account for which you want to specify account protection from
unauthorized modification.

3. In the user settings window that opens, select the Account protection tab.

4. On the Account protection tab, select the Request authentication to check the permission to modify user
accounts option if you want to request credentials every time account settings are changed. Otherwise, select
the Allow users to modify this account without additional authentication option.

5. Click the Save button.

Account protection from unauthorized modification is enabled for a user account.

Two-step verification


This section describes how you can use two-step verification to reduce the risk of unauthorized access to
Kaspersky Security Center Web Console.

About two-step verification


When two-step verification is enabled for an account, a single-use security code is required, in addition to the user
name and password, to log in to Administration Console or Kaspersky Security Center Web Console. With domain
authentication enabled, the user only needs to enter the single-use security code.

To use two-step verification, install an authenticator application that generates single-use security codes on your
mobile device or computer. You can use any application that supports the Time-based One-time Password
algorithm (TOTP), such as:

Google Authenticator

Microsoft Authenticator

Bitrix24 OTP

Yandex Key

Avanpost Authenticator

Aladdin 2FA

To check if Kaspersky Security Center supports the authenticator application that you want to use, enable
two-step verification for all users or for a particular user.

One of the steps suggests that you specify the security code generated by the authenticator application. If it
succeeds, then Kaspersky Security Center supports the selected authenticator.

We highly recommend that you install an authenticator application on more than one device. Save the secret
key or QR code and keep it in a safe place. This will help you to restore access to Kaspersky Security Center
Web Console in case you lose access to your mobile device.

To secure the usage of Kaspersky Security Center, you can enable two-step verification for your own account and
enable two-step verification for all users.

You can exclude accounts from two-step verification. This can be necessary for service accounts that cannot
receive a security code for authentication.

Rules and Limitations

To be able to activate two-step verification for all users and deactivate two-step verification for particular users:

Ensure your account has the Modify object ACLs right in the General features: User permissions functional
area.

Enable two-step verification for your account.

To be able to deactivate two-step verification for all users:

Ensure your account has the Modify object ACLs right in the General features: User permissions functional
area.

Log in to Kaspersky Security Center Web Console by using two-step verification.

If two-step verification is enabled for a user account on Kaspersky Security Center Administration Server
version 13 or later, the user will not be able to log in to the Kaspersky Security Center Web Console versions
12, 12.1 or 12.2.

Reissuing the secret key

Any user can reissue the secret key used for two-step verification. When a user logs in to the Administration
Server with the reissued secret key, the new secret key is saved for the user account. If the user enters the new
secret key incorrectly, the new secret key is not saved, and the current secret key remains valid.

A security code has an identifier referred to as the issuer name. The security code issuer name is used as an
identifier of the Administration Server in the authenticator application. The security code issuer name has a
default value that is the same as the name of the Administration Server. You can change the security code issuer
name. If you change the security code issuer name, you must issue a new secret key and pass it to the
authenticator application.
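The TOTP procedure behind the authenticator applications listed above, as an added example that is not part of the Kaspersky documentation or product. It shows the code computation that the authenticator and the Administration Server both perform (RFC 6238 on top of RFC 4226 HOTP), why the clock on the authenticator device and the clock of the Administration Server must agree, the otpauth URI carried by the QR code in which the issuer name appears, and a model of the reissue rule above (a new secret key is saved only after a correct code). The account name, issuer name and timestamps are constructed; the `TwoStepAccount` class and the one-step skew window are this example's own design, not a description of how the product stores keys.

```python
"""TOTP (RFC 6238) as used by the authenticator applications listed above.

Added illustration, not Kaspersky code. It shows the code computation the
authenticator and the Administration Server both perform, why the two clocks
must agree, the otpauth URI that carries the issuer name, and a model of the
rule that a reissued secret key takes effect only after a correct code.
Account name, issuer name and timestamps are constructed.
"""
import base64
import hashlib
import hmac
import secrets
import struct
import time
from urllib.parse import quote

STEP_SECONDS = 30   # RFC 6238 default time step
DIGITS = 6          # code length produced by the authenticators listed above


def hotp(key: bytes, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, then dynamic truncation."""
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)


def totp(key: bytes, at: float, step: int = STEP_SECONDS, digits: int = DIGITS) -> str:
    """RFC 6238 TOTP: HOTP with counter = floor(unix_time / step)."""
    return hotp(key, int(at // step), digits)


def verify(key: bytes, code: str, at: float, skew_steps: int = 1) -> bool:
    """Server-side check; accepts codes from +/- skew_steps adjacent time steps only."""
    counter = int(at // STEP_SECONDS)
    return any(hmac.compare_digest(hotp(key, counter + d), code)
               for d in range(-skew_steps, skew_steps + 1))


def new_secret(nbytes: int = 20) -> bytes:
    """Random 160-bit secret key (RFC 4226 requires at least 128 bits, recommends 160)."""
    return secrets.token_bytes(nbytes)


def key_uri(key: bytes, account: str, issuer: str) -> str:
    """otpauth:// URI, i.e. the contents of the QR code; the issuer is the name the app displays."""
    b32 = base64.b32encode(key).decode().rstrip("=")
    label = quote(f"{issuer}:{account}", safe=":")
    return (f"otpauth://totp/{label}?secret={b32}&issuer={quote(issuer)}"
            f"&algorithm=SHA1&digits={DIGITS}&period={STEP_SECONDS}")


class TwoStepAccount:
    """Models reissuing: the new secret key replaces the old one only after a correct code."""

    def __init__(self, key: bytes):
        self.key = key
        self.pending = None

    def reissue(self, key: bytes = None) -> bytes:
        """Issue a candidate secret key (a fixed key may be passed in for demonstration)."""
        self.pending = key if key is not None else new_secret()
        return self.pending

    def confirm_reissue(self, code: str, at: float) -> bool:
        """Save the new key only if the user proves possession of it with a valid code."""
        if self.pending is not None and verify(self.pending, code, at):
            self.key, self.pending = self.pending, None
            return True
        return False        # wrong code: the current secret key stays valid


if __name__ == "__main__":
    key = new_secret()
    print(key_uri(key, "admin", "KSC Server 1"))   # constructed issuer and account names
    print("code now:", totp(key, time.time()))
```

A quick self-check for the implementation is the RFC 6238 test key `12345678901234567890`, which yields code 287082 at Unix time 59. The `verify` window of one 30-second step either side is the reason the scenario insists on clock synchronization: a device whose clock is a few minutes off produces codes the Administration Server will never accept, which looks to the user like an unsupported authenticator.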

Scenario: Configuring two-step verification for all users


This scenario describes how to enable two-step verification for all users and how to exclude user accounts from
two-step verification. If you did not enable two-step verification for your account before you enable it for other
users, the application first opens the window for enabling two-step verification for your account. This scenario
also describes how to enable two-step verification for your own account.

If you enabled two-step verification for your account, you may proceed to the stage of enabling two-step
verification for all users.

Prerequisites

Before you start:

Make sure that your user account has the Modify object ACLs right of the General features: User permissions
functional area for modifying security settings for other users' accounts.

Make sure that the other users of Administration Server install an authenticator application on their devices.

Stages

Enabling two-step veri cation for all users proceeds in stages:

1 Installing an authenticator application on a device


You can install any application that supports the Time-based One-time Password algorithm (TOTP), such as:

Google Authenticator

Microsoft Authenticator

Bitrix24 OTP

Yandex Key

2 Synchronizing the authenticator application time with the time of the device on which Administration
Server is installed

Ensure that the time set in the authenticator application is synchronized with the time of Administration Server.

3 Enabling two-step verification for your account and receiving the secret key for your account

How-to instructions:

For MMC-based Administration Console: Enabling two-step verification for your own account

For Kaspersky Security Center Web Console: Enabling two-step verification for your own account

After you enable two-step verification for your account, you can enable two-step verification for all users.

4 Enabling two-step verification for all users

Users with two-step verification enabled must use it to log in to Administration Server.

How-to instructions:

For MMC-based Administration Console: Enabling two-step verification for all users

For Kaspersky Security Center Web Console: Enabling two-step verification for all users

5 Editing the name of a security code issuer

If you have several Administration Servers with similar names, you may have to change the security code issuer
names for better recognition of different Administration Servers.

How-to instructions:

For MMC-based Administration Console: Editing the name of a security code issuer

For Kaspersky Security Center Web Console: Editing the name of a security code issuer

6 Excluding user accounts for which you do not need to enable two-step verification

If required, you can exclude users from two-step verification. Users with excluded accounts do not have to use
two-step verification to log in to Administration Server.

How-to instructions:

For MMC-based Administration Console: Excluding accounts from two-step verification

For Kaspersky Security Center Web Console: Excluding accounts from two-step verification

Results

Upon completion of this scenario:

Two-step verification is enabled for your account.

Two-step verification is enabled for all user accounts of the Administration Server, except for user accounts
that were excluded.

Enabling two-step verification for your own account


You can enable two-step verification only for your own account.

Before you enable two-step verification for your account, ensure that an authenticator application is installed
on your mobile device. Ensure that the time set in the authenticator application is synchronized with the time
of the device on which Administration Server is installed.

To enable two-step verification for a user account:

1. In the main menu, go to USERS & ROLES → USERS.

2. Click the name of your account.

3. In the user settings window that opens, select the Authentication security tab.

4. On the Authentication security tab:

a. Select the Request user name, password, and security code (two-step verification) option. Click the
Save button.

b. In the two-step verification window that opens, click View how to set up two-step verification.
Enter the secret key in the authenticator application or click View QR code and scan the QR code with the
authenticator application on your mobile device to receive a one-time security code.

c. In the two-step verification window, specify the security code generated by the authenticator application,
and then click the Check and apply button.

5. Click the Save button.

Two-step verification is enabled for your account.

Enabling two-step verification for all users

You can enable two-step verification for all users of Administration Server if your account has the Modify
object ACLs right in the General features: User permissions functional area and if you are authenticated by
using two-step verification.

To enable two-step verification for all users:

1. In the main menu, click the settings icon next to the name of the required Administration Server.
The Administration Server properties window opens.

2. On the Authentication security tab of the properties window, switch the toggle button of the two-step
verification for all users option to the enabled position.

3. If you did not enable two-step verification for your account, the application opens the window for enabling
two-step verification for your own account.

a. In the two-step verification window, click View how to set up two-step verification.

b. Enter the secret key in the authenticator application manually or click View QR code and scan the QR code
with the authenticator application on your mobile device to receive a one-time security code.

c. In the two-step verification window, specify the security code generated by the authenticator application,
and then click the Check and apply button.

Two-step verification is enabled for all users. From now on, users of the Administration Server, including the users
that were added after enabling two-step verification for all users, have to configure two-step verification for their
accounts, except for users that are excluded from two-step verification.

Disabling two-step verification for a user account

You can disable two-step verification for your own account, as well as for an account of any other user.

You can disable two-step verification of another user's account if your account has the Modify object ACLs
right in the General features: User permissions functional area.

To disable two-step verification for a user account:

1. In the main menu, go to USERS & ROLES → USERS.

2. Click the name of the internal user account for whom you want to disable two-step verification. This may be
your own account or an account of any other user.

3. In the user settings window that opens, select the Account protection tab.

4. On the Account protection tab, select the Request only user name and password option if you want to
disable two-step verification for a user account.

5. Click the Save button.

Two-step verification is disabled for the user account.

Disabling two-step verification for all users

You can disable two-step verification for all users only if two-step verification is enabled for your account and your
account has the Modify object ACLs right in the General features: User permissions functional area. If two-step
verification is not enabled for your account, enable it for your account first, and then disable it for all users.

To disable two-step verification for all users:

1. In the main menu, click the settings icon next to the name of the required Administration Server.
The Administration Server properties window opens.

2. On the Authentication security tab of the properties window, switch the toggle button for the two-step
verification for all users option to the disabled position.

3. Enter the credentials of your account in the authentication window.

Two-step verification is disabled for all users.

Excluding accounts from two-step verification

You can exclude user accounts from two-step verification if you have the Modify object ACLs right in the General
features: User permissions functional area.

If a user account is excluded from two-step verification for all users, this user does not have to use two-step
verification.

Excluding accounts from two-step verification can be necessary for service accounts that cannot supply a
security code during authentication. Keep such exclusions to a minimum: an excluded account is protected by its
password alone.

To exclude user accounts from two-step verification:

1. If you want to exclude Active Directory accounts, perform Active Directory polling first, so that the list of
Administration Server users is up to date.

2. In the main menu, click the settings icon next to the name of the required Administration Server.
The Administration Server properties window opens.

3. On the Authentication security tab of the properties window, in the two-step verification exclusions table,
click the Add button.

4. In the window that opens:

a. Select the user accounts that you want to exclude.

b. Click the OK button.

The selected user accounts are excluded from two-step verification.

Generating a new secret key


You can generate a new secret key for two-step verification of your account only if you are authorized by using
two-step verification.

To generate a new secret key for a user account:

1. In the main menu, go to USERS & ROLES → USERS.

2. Click the name of the user account for which you want to generate a new secret key for two-step verification.

3. In the user settings window that opens, select the Account protection tab.

4. On the Account protection tab, click the Generate a new secret key link.

5. In the two-step verification window that opens, enter the new secret key in the authenticator application (or
scan the QR code), and then specify the security code that the authenticator application generates for the new key.

6. Click the Check and apply button.

A new secret key is generated for the user.

If you lose your mobile device, you can install an authenticator application on another mobile device and generate a
new secret key to restore access to Kaspersky Security Center Web Console.

Editing the name of a security code issuer

You can have several identifiers (called issuers) for different Administration Servers. You can change the name of
a security code issuer if, for example, the same or a similar issuer name is already used for another Administration
Server, so that users can tell the entries in their authenticator application apart. By default, the name of a security
code issuer is the same as the name of the Administration Server.

After you change the security code issuer name, you have to generate a new secret key and enter it in the
authenticator application.

To specify a new name of security code issuer:

1. In the main menu, click the settings icon next to the name of the required Administration Server.
The Administration Server properties window opens.

2. In the properties window, select the Authentication security tab.

3. On the Authentication security tab, click the Edit link.
The Edit Security code issuer section opens.

4. Specify a new security code issuer name.

5. Click the OK button.

A new security code issuer name is specified for the Administration Server.
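The secret key, the security code and the issuer name in the sections above are the three parts of a standard time-based one-time password setup. The following PowerShell code is an added example, not part of the Kaspersky documentation: it shows what the authenticator application does with them. It decodes the Base32 secret key, computes the six-digit security code for a 30-second window (RFC 6238 TOTP over HMAC-SHA1; that Administration Server uses exactly this scheme is an assumption, since this section does not name the algorithm), and builds the otpauth URI that a QR code for a given issuer and account would carry (also an assumption about the QR code format). The secret key in the usage lines is the RFC 6238 test key, a constructed value, not a key issued by any Administration Server.

```powershell
# Added example: what an authenticator application does with the secret key.
# Assumptions (not stated in this section): the secret key is Base32, codes are
# RFC 6238 TOTP codes (HMAC-SHA1, 30-second step, 6 digits), and the QR code
# carries a standard otpauth:// URI.

function ConvertFrom-Base32 {
    param([Parameter(Mandatory)][string]$Base32)
    $alphabet = 'ABCDEFGHIJKLMNOPQRSTUVWXYZ234567'
    # Authenticator apps ignore whitespace, dashes and '=' padding in the key.
    $clean = $Base32.ToUpperInvariant() -replace '[\s=-]', ''
    $bits = -join ($clean.ToCharArray() | ForEach-Object {
        $index = $alphabet.IndexOf($_)
        if ($index -lt 0) { throw "Invalid Base32 character: $_" }
        [Convert]::ToString($index, 2).PadLeft(5, '0')
    })
    # Each character carries 5 bits; whole bytes are taken, trailing bits dropped.
    $bytes = for ($i = 0; $i + 8 -le $bits.Length; $i += 8) {
        [Convert]::ToByte($bits.Substring($i, 8), 2)
    }
    return [byte[]]$bytes
}

function Get-TotpCode {
    param(
        [Parameter(Mandatory)][string]$SecretBase32,
        [datetime]$Time = [datetime]::UtcNow,
        [int]$StepSeconds = 30,
        [int]$Digits = 6
    )
    $key = [byte[]](ConvertFrom-Base32 -Base32 $SecretBase32)
    $epoch = [datetime]::new(1970, 1, 1, 0, 0, 0, [DateTimeKind]::Utc)
    $counter = [long][math]::Floor(($Time.ToUniversalTime() - $epoch).TotalSeconds / $StepSeconds)
    # The counter is hashed as an 8-byte big-endian integer (RFC 4226, section 5.3).
    $message = [BitConverter]::GetBytes($counter)
    if ([BitConverter]::IsLittleEndian) { [array]::Reverse($message) }
    $hmac = [System.Security.Cryptography.HMACSHA1]::new($key)
    $hash = $hmac.ComputeHash($message)
    # Dynamic truncation: the low nibble of the last byte selects a 4-byte window,
    # whose top bit is cleared so the result is a positive 31-bit integer.
    $offset = $hash[$hash.Length - 1] -band 0x0F
    $binary = (([int]$hash[$offset] -band 0x7F) -shl 24) -bor
              ([int]$hash[$offset + 1] -shl 16) -bor
              ([int]$hash[$offset + 2] -shl 8) -bor
              [int]$hash[$offset + 3]
    $code = $binary % [int][math]::Pow(10, $Digits)
    return $code.ToString().PadLeft($Digits, '0')
}

function New-OtpAuthUri {
    # The issuer is the label the authenticator app shows for this Administration
    # Server; two servers with the same issuer name look identical to the user,
    # which is why the issuer name can be edited per server.
    param(
        [Parameter(Mandatory)][string]$Issuer,
        [Parameter(Mandatory)][string]$Account,
        [Parameter(Mandatory)][string]$SecretBase32
    )
    $label = [uri]::EscapeDataString("${Issuer}:${Account}")
    $issuerParam = [uri]::EscapeDataString($Issuer)
    return "otpauth://totp/${label}?secret=${SecretBase32}&issuer=${issuerParam}"
}

# Usage. The secret is the RFC 6238 test key (constructed input, not a real key).
$testSecret = 'GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ'
Get-TotpCode -SecretBase32 $testSecret -Time ([datetime]::new(1970, 1, 1, 0, 0, 59, [DateTimeKind]::Utc))
Get-TotpCode -SecretBase32 $testSecret      # the code the app would show right now
New-OtpAuthUri -Issuer 'Administration Server 1' -Account 'admin' -SecretBase32 $testSecret
```

RFC 6238, Appendix B, lists 94287082 as the 8-digit SHA-1 code for that test key at 59 seconds after the epoch; the 6-digit form is its last six digits, so the first call is a self-check of the implementation. Running Get-TotpCode on the administrator's workstation against a freshly generated secret key and comparing the result with the authenticator application is also a quick way to find a mobile device whose clock has drifted outside the 30-second window, which is the usual cause of a security code being rejected.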

Backup copying and restoration of Administration Server data


Data backup allows you to move Administration Server from one device to another without data loss. Through
backup, you can restore data when moving the Administration Server database to another device, or when
upgrading to a newer version of Kaspersky Security Center.

Note that the installed management plug-ins are not backed up. After you restore Administration Server data
from a backup copy, you need to download and reinstall plug-ins for managed applications.

Before you back up the Administration Server data, check whether a virtual Administration Server is added to
the administration group. If a virtual Administration Server is added, make sure that an administrator is
assigned to this virtual Administration Server before the backup. You cannot grant the administrator access
rights to the virtual Administration Server after the backup. Note that if the administrator account credentials
are lost, you will not be able to assign a new administrator to the virtual Administration Server.

You can create a backup copy of Administration Server data in one of the following ways:

By creating and running a data backup task through Administration Console.

By running the klbackup utility on the device that has Administration Server installed. This utility is included in
the Kaspersky Security Center distribution kit. After the installation of Administration Server, the utility is
located in the root of the destination folder specified during the application installation.

The following data is saved in the backup copy of Administration Server:

Database of Administration Server (policies, tasks, application settings, events saved on the Administration
Server).

Con guration details of the structure of administration groups and client devices.

Repository of distribution packages of applications for remote installation.

Administration Server certi cate.

Recovery of Administration Server data is only possible using the klbackup utility.

Creating a data backup task


Backup tasks are Administration Server tasks; they are created through the Quick Start Wizard. If a backup task
created by the Quick Start Wizard has been deleted, you can create one manually.

To create an Administration Server data backup task:

1. In the main menu, go to DEVICES → TASKS.

2. Click the Add button.


The Add Task Wizard starts.

3. In the New task window of the Wizard, select the task type named Backup of Administration Server data.

4. Follow the rest of the Wizard instructions.

The Backup of Administration Server data task can only be created in a single copy. If the Administration
Server data backup task has already been created for the Administration Server, it is not displayed in the task
type selection window of the Backup Task Creation Wizard.

Moving Administration Server to another device


If you need to use Administration Server on a new device, you can move it in one of the following ways:

Move Administration Server and the database server to a new device.

Keep the database server on the previous device and move only Administration Server to a new device.

To move Administration Server and the database server to a new device:

1. On the previous device, create a backup of Administration Server data.


To do this, you can run the data backup task through Kaspersky Security Center Web Console or run the
klbackup utility.

If you use SQL Server as a DBMS for Administration Server, you can migrate the data from SQL Server to
MySQL or MariaDB DBMS. To do this, run the klbackup utility in interactive mode to create a data backup.
Enable the Migrate to MySQL/MariaDB format option in the Backup settings window of the Backup and
restore wizard. Kaspersky Security Center will create a backup compatible with MySQL and MariaDB. After
that, you can restore the data from the backup into MySQL or MariaDB.

You can also enable the Migrate to Azure format option if you want to migrate the data from SQL
Server to an Azure SQL DBMS.

2. Select a new device on which to install the Administration Server. Make sure that the hardware and software on
the selected device meet the requirements for Administration Server, Kaspersky Security Center Web
Console, and Network Agent. Also, check that ports used on Administration Server are available.

3. On the new device, install the database management system (DBMS) that the Administration Server will use.
When you select a DBMS, consider the number of devices covered by the Administration Server.

4. Run the custom installation of the Administration Server on the new device.

5. Install Administration Server components into the same folder where the Administration Server is installed on
the previous device. Click the Browse button to specify the file path.

The Custom installation window

6. Con gure the database server connection settings.

Example of the Connection settings window for Microsoft SQL Server

Depending on where you need to locate the database server, do one of the following:

Move the database server to the new device

1. Click the Browse button next to the SQL Server instance name field, and then select the new
device name in the list that appears.

2. Enter the new database name in the Database name field.

Note that the new database name must match the name of the database on the previous device. The
names of the databases must be identical so that you can use the Administration Server backup. The
default database name is KAV.

Keep the database server on the previous device

1. Click the Browse button next to the SQL Server instance name field, and then select the previous
device name in the list that appears.
Note that the previous device must be reachable from the new Administration Server.

2. Enter the previous database name in the Database name field.

7. After the installation is complete, recover Administration Server data on the new device by using the klbackup
utility.

If you use SQL Server as a DBMS on the previous and new devices, note that the version of SQL Server
installed on the new device must be the same or later than the version of SQL Server installed on the
previous device. Otherwise, you cannot recover Administration Server data on the new device.

8. Open Kaspersky Security Center Web Console and connect to the Administration Server.

9. Verify that all the client devices are connected to the Administration Server.

10. Uninstall the Administration Server and the database server from the previous device.

You can also use Administration Console to move Administration Server and a database server to another
device.

Kaspersky applications deployment through Kaspersky Security Center Web Console

This section describes Kaspersky applications deployment on client devices in your organization by means of
Kaspersky Security Center Web Console.

Scenario: Kaspersky applications deployment through Kaspersky Security Center Web Console

This scenario explains how to deploy Kaspersky applications through Kaspersky Security Center Web Console. You
can use the Quick Start Wizard and Protection Deployment Wizard, or you can complete all necessary steps
manually.

Prerequisites

The following applications are available for deployment by using Kaspersky Security Center Web Console:

Kaspersky Endpoint Security for Windows

Kaspersky Endpoint Security for Linux

Kaspersky applications deployment proceeds in stages:

1 Downloading management plug-in for the application

This stage is handled by the Quick Start Wizard. If you choose not to run the Wizard, download the plug-in for
Kaspersky Endpoint Security for Windows manually.

If you plan to manage corporate mobile devices, follow the instructions provided in the Kaspersky Security for
Mobile Help to download and install the management plug-ins for Kaspersky Endpoint Security for Android.

2 Downloading and creating installation packages

This stage is handled by the Quick Start Wizard.

The Quick Start Wizard allows you to download the installation package with the management plug-in. If you did
not select this option when running the Wizard, or if you did not run the Wizard at all, you must download the
package manually.

If you cannot install Kaspersky applications by means of Kaspersky Security Center on some devices, for
example, on remote employees' devices, you can create stand-alone installation packages for applications. If you
use stand-alone packages to install Kaspersky applications, you do not have to create and run a remote
installation task, nor create and configure tasks for Kaspersky Endpoint Security for Windows.

3 Creating, configuring, and running the remote installation task

For Kaspersky Endpoint Security for Windows, this stage is part of the Protection Deployment Wizard, which
starts automatically after the Quick Start Wizard has finished. If you choose not to run the Protection
Deployment Wizard, you must create and configure this task manually.

You can also manually create several remote installation tasks for different administration groups or different
device selections. You can deploy different versions of one application in these tasks.

Make sure that all the devices on your network are discovered; then run the remote installation task (or tasks).

If you want to install Network Agent on devices with the SUSE Linux Enterprise Server 15 operating system,
install the insserv-compat package first, because Network Agent requires it for its configuration.

4 Creating and configuring tasks for the managed application

The Install update task of Kaspersky Endpoint Security for Windows must be configured.

This stage is part of the Quick Start Wizard: the task is created and configured automatically with the default
settings. If you did not run the Wizard, you must create and configure this task manually. If you use the
Quick Start Wizard, make sure that the schedule for the task meets your requirements. (By default, the
scheduled start for the task is set to Manually, but you might want to choose another option.)

Other Kaspersky applications might have other default tasks. Please refer to the documentation of the
corresponding applications for details.

Make sure that the schedule for each task that you create meets your requirements.

5 Installing Kaspersky Security for Mobile (optional)

If you plan to manage corporate mobile devices, follow the instructions provided in the Kaspersky Security for
Mobile Help for information about deployment of Kaspersky Endpoint Security for Android.

6 Creating policies

Create the policy for each application manually or (in case of Kaspersky Endpoint Security for Windows) through
the Quick Start Wizard. You can use the default settings of the policy; you can also modify the default settings
of the policy according to your needs at any time.

7 Verifying the results

Make sure that deployment was completed successfully: you have policies and tasks for each application, and
these applications are installed on the managed devices.

Results

Completion of the scenario yields the following:

All required policies and tasks for the selected applications are created.

The schedules of tasks are con gured according to your needs.

The selected applications are deployed, or scheduled to be deployed, on the selected client devices.

Getting plug-ins for Kaspersky applications


To deploy a Kaspersky application, such as Kaspersky Endpoint Security for Windows, you must download the
management plug-in for the application.

To download a management plug-in for a Kaspersky application:

1. In the Console settings drop-down list, select Web plug-ins.

2. In the window that opens, click the Add button.


The list of available plug-ins is displayed.

3. In the list of available plug-ins, select the plug-in you want to download (for example, Kaspersky Endpoint
Security 11 for Windows) by clicking on its name.
A plug-in description page is displayed.

4. On the plug-in description page, click Install plug-in.

5. When the installation is complete, click OK.

The management plug-in is downloaded with the default con guration and displayed in the list of management
plug-ins.

You can also add plug-ins and update downloaded plug-ins from a file. You can download management plug-ins and web
management plug-ins from the Kaspersky Technical Support webpage.

To download or update a plug-in from a file:

1. In the Console settings drop-down list, select Web plug-ins.

2. Do one of the following:

Click Add from file to download a plug-in from a file.

Click Update from file to download an update of a plug-in from a file.

3. Specify the file and the signature file. The signature is used to check the integrity and origin of the plug-in
file, so use only plug-in files and signature files that you obtained from Kaspersky.

4. Upload the specified files.

The management plug-in is loaded from the file and displayed in the list of management plug-ins.

Updating plug-ins for Kaspersky applications


Update management plug-ins for Kaspersky applications to make sure the plug-ins work properly.

To update a management plug-in for a Kaspersky application:

1. In the Console settings drop-down list, select Web plug-ins.


In the window that opens, the list of installed plug-ins is displayed.

2. Select the plug-in that you want to update.

3. Click the Update plug-in button.


The list of available updates for the selected plug-in is displayed.

4. In the list of available plug-in updates, select the update you want to install by clicking on its name.
A plug-in update description page is displayed.

5. On the plug-in update description page, click Install plug-in.

6. When the downloading and installation is complete, click OK.

The management plug-in update is downloaded and installed for the selected plug-in.

Downloading and creating installation packages for Kaspersky applications


You can create installation packages for Kaspersky applications from Kaspersky web servers if your Administration
Server has access to the internet.

To download and create an installation package for a Kaspersky application:

1. Do one of the following:

In the main menu, go to DISCOVERY & DEPLOYMENT → DEPLOYMENT & ASSIGNMENT → INSTALLATION PACKAGES.

In the main menu, go to OPERATIONS → REPOSITORIES → INSTALLATION PACKAGES.

You can also view notifications about new packages for Kaspersky applications in the list of onscreen
notifications. If there are notifications about a new package, you can click the link next to the notification and
proceed to the list of available installation packages.
A list of installation packages available on Administration Server is displayed.

2. Click Add.
The New Package Wizard starts. Proceed through the Wizard by using the Next button.

3. On the first page of the Wizard, select Create an installation package for a Kaspersky application.
A list of available installation packages on Kaspersky web servers appears. The list contains installation
packages only for those applications that are compatible with the current version of Kaspersky Security
Center.

4. Click the name of an installation package, for example, Kaspersky Endpoint Security for Windows (11.1.0).
A window opens with information about the installation package.

You can download and use an installation package which includes cryptographic tools that implement
strong encryption, if it complies with applicable laws and regulations. To download the installation package
of Kaspersky Endpoint Security for Windows valid for the needs of your organization, consult the
legislation of the country where the client devices of your organization are located.

5. Read the information and click the Download and create installation package button.
If a distribution package cannot be converted to an installation package, the Download distribution package
button is displayed instead of the Download and create installation package button.
The downloading of the installation package to Administration Server starts. You can close the Wizard's window
or proceed to the next step of the instruction. If you close the Wizard's window, the download process will
continue in background mode.

If you want to track the installation package download process:

a. In the main menu, go to OPERATIONS → REPOSITORIES → INSTALLATION PACKAGES → In progress.

b. Track the operation progress in the Download progress column and the Download status column of the
table.

When the process is complete, the installation package is added to the list on the Downloaded tab. If the
download process stops and the download status switches to Accept EULA, then click the installation package
name, and then proceed to the next step of the instruction.

If the size of data contained in the selected distribution package exceeds the current limit, an error
message is displayed. You can change the limit value and then proceed with the installation package
creation.

6. For some Kaspersky applications, during the download process the Show EULA button is displayed. If it is
displayed, do the following:

a. Click the Show EULA button to read the End User License Agreement (EULA).

b. Read the EULA that is displayed on the screen, and click Accept.
The downloading continues after you accept the EULA. If you click Decline, the download is stopped.

7. When the downloading is complete, click the Close button.

The selected installation package is downloaded to the Administration Server shared folder, to the Packages
subfolder. After downloading, the installation package is displayed in the list of installation packages.

Changing the limit on the size of custom installation package data


The total size of data unpacked during creation of a custom installation package is limited. The default limit is 1 GB.

If you attempt to upload an archive file that contains data exceeding the current limit, an error message is
displayed. You might have to increase this limit value when creating installation packages from large distribution
packages.

To change the limit value for the custom installation package size:

1. Open the system registry of the Administration Server device (for example, locally, using the regedit
command in the Start → Run menu).

2. Go to the following key:

For 32-bit systems:


HKEY_LOCAL_MACHINE\SOFTWARE\KasperskyLab\Components\34\1093\1.0.0.0\ServerFlags

For 64-bit systems:


HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\KasperskyLab\Components\34\1093\1.0.0.0\ServerF

3. Right-click the key, and then select New → DWORD (32-bit) value.
A new DWORD value is created.

4. Name the value MaxArchivePkgSize.

5. Double-click the new DWORD value to edit it.

6. Set the required limit value:

a. Select a base: hexadecimal or decimal.

b. Specify the number of bytes in the selected base.

For example, if the required limit is 2 GB, specify the decimal value 2147483648 or the hexadecimal value
0x80000000. A DWORD value cannot exceed 4294967295 (0xFFFFFFFF, just under 4 GB), so that is the largest limit
you can set this way.

7. Click OK.

The limit on the size of custom installation package data is changed.
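The same change can be scripted and audited instead of made by hand in regedit. The PowerShell functions below are an added example, not part of the Kaspersky documentation or product. They use the key path and value name from the procedure above (the key name ServerFlags is the one shown in the 32-bit path; per the procedure, on 64-bit systems the same key sits under Wow6432Node). The point worth seeing in code is the 2 GB example value itself: REG_DWORD is unsigned, but Windows PowerShell hands DWORD values to the registry provider as Int32, so 0x80000000 and anything above it overflows unless the bit pattern is passed as a signed value, and it reads back as a negative number unless converted again.

```powershell
# Added example: set and read the custom installation package size limit from
# PowerShell. Key path and value name (MaxArchivePkgSize) are the ones given in
# the procedure above; ServerFlags is taken from the 32-bit path shown there.

function Get-KscServerFlagsKey {
    $suffix = 'KasperskyLab\Components\34\1093\1.0.0.0\ServerFlags'
    if ([Environment]::Is64BitOperatingSystem) { "HKLM:\SOFTWARE\Wow6432Node\$suffix" }
    else { "HKLM:\SOFTWARE\$suffix" }
}

function Get-KscMaxArchivePkgSize {
    # Returns the configured limit in bytes, or $null when the value is absent
    # (the built-in default of 1 GB then applies).
    $key = Get-KscServerFlagsKey
    $item = Get-ItemProperty -LiteralPath $key -Name MaxArchivePkgSize -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    # The provider reads REG_DWORD back as Int32, so 0x80000000 appears as
    # -2147483648. Reinterpret the same 4 bytes as UInt32.
    return [BitConverter]::ToUInt32([BitConverter]::GetBytes([int]$item.MaxArchivePkgSize), 0)
}

function Set-KscMaxArchivePkgSize {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        # Limit in bytes. 2 GB is 2147483648 (0x80000000); a DWORD tops out at 4294967295.
        [Parameter(Mandatory)][uint32]$LimitBytes
    )
    $key = Get-KscServerFlagsKey
    if (-not (Test-Path -LiteralPath $key)) {
        throw "Registry key $key not found. Is Administration Server installed on this device?"
    }
    # Windows PowerShell passes DWORD values as Int32; values from 0x80000000 up
    # (the 2 GB example included) overflow unless the bit pattern is handed over
    # as a signed value with the same four bytes.
    $asInt32 = [BitConverter]::ToInt32([BitConverter]::GetBytes($LimitBytes), 0)
    if ($PSCmdlet.ShouldProcess($key, "Set MaxArchivePkgSize to $LimitBytes bytes")) {
        Set-ItemProperty -LiteralPath $key -Name MaxArchivePkgSize -Value $asInt32 -Type DWord
    }
    return Get-KscMaxArchivePkgSize
}

# Usage (run as an administrator on the Administration Server device):
#   Set-KscMaxArchivePkgSize -LimitBytes 2GB -WhatIf   # show what would change
#   Set-KscMaxArchivePkgSize -LimitBytes 2GB           # 2GB is PowerShell for 2147483648
#   Get-KscMaxArchivePkgSize
```

Set-ItemProperty creates the value if it does not exist yet, so the function works both for a first-time change and for raising a limit set earlier. The [uint32] parameter type rejects negative numbers and anything above 4294967295 at binding time, which is the same ceiling regedit enforces for a DWORD.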

Downloading distribution packages for Kaspersky applications


In Kaspersky Security Center Web Console, you can download and save distribution packages for Kaspersky
applications. You can use the distribution packages to install the applications manually, without using Kaspersky
Security Center.

To download and save distribution packages for Kaspersky applications:

1. On the Operations tab, select Kaspersky applications → Current application versions.


A list of available distribution packages, plug-ins, and patches opens. Kaspersky Security Center displays only
those items that are compatible with its current version.

2. In the list, click the name of the package that you want to download.
The description of the package opens.

3. Read the description and click the Download and create installation package button.
If a distribution package cannot be converted to an installation package, the Download distribution package
button is displayed instead of the Download and create installation package.
The download of the installation package to Administration Server starts.

The selected installation or distribution package is downloaded to the Administration Server shared folder, to
the Packages subfolder. After it is downloaded, the installation package is displayed in the list of installation
packages.

Checking that Kaspersky Endpoint Security is deployed successfully


To ensure that you have correctly deployed Kaspersky applications, such as Kaspersky Endpoint Security:

1. Using Kaspersky Security Center Web Console, make sure that you have the following:

A policy for Kaspersky Endpoint Security and/or other security applications that you use.

Tasks for Kaspersky Endpoint Security for Windows: Quick virus scan task and Install update task (if you use
Kaspersky Endpoint Security for Windows).

Tasks for other security applications that you use.

2. On one of the managed devices selected for installation, make sure of the following:

Kaspersky Endpoint Security or another Kaspersky security application is installed.

In Kaspersky Endpoint Security, the File Threat Protection, Web Threat Protection, and Mail Threat
Protection settings match the policy that you created for this device.

Kaspersky Endpoint Security service can be stopped and started manually.

Group tasks can be stopped and started manually.
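A read-only inventory script saves repeating the second check by hand on each device. The PowerShell below is an added example, not part of the Kaspersky documentation: it lists the Kaspersky services and installed Kaspersky products on a Windows device by matching service display names and the publisher recorded in the uninstall keys, so it assumes no particular service or product name. It does not stop or start anything; the stop/start checks in the list above remain manual.

```powershell
# Added example: read-only inventory of Kaspersky services and products on a
# managed Windows device, matched by display name and publisher (no service
# or product names are assumed).

function Get-KasperskyDeploymentState {
    $services = Get-Service |
        Where-Object { $_.DisplayName -like 'Kaspersky*' } |
        Select-Object Name, DisplayName, Status, StartType

    # Installed products are recorded under both uninstall hives on 64-bit Windows.
    $uninstallPaths = @(
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
        'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
    )
    $products = Get-ItemProperty -Path $uninstallPaths -ErrorAction SilentlyContinue |
        Where-Object { $_.Publisher -like '*Kaspersky*' -and $_.DisplayName } |
        Select-Object DisplayName, DisplayVersion, Publisher |
        Sort-Object DisplayName -Unique

    $serviceCount    = @($services).Count
    $notRunningCount = @($services | Where-Object Status -ne 'Running').Count

    [pscustomobject]@{
        Computer           = $env:COMPUTERNAME
        Products           = $products
        Services           = $services
        ServiceCount       = $serviceCount
        AllServicesRunning = ($serviceCount -gt 0 -and $notRunningCount -eq 0)
    }
}

# Usage on a managed device:
$state = Get-KasperskyDeploymentState
$state.Products | Format-Table -AutoSize
$state.Services | Format-Table -AutoSize
if (-not $state.AllServicesRunning) {
    Write-Warning "Not every Kaspersky service is running on $($state.Computer)"
}
```

A device with no Kaspersky products and no Kaspersky services has not received the installation at all; a device with the products present but a service not running points at a local problem rather than at the remote installation task.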

Creating stand-alone installation packages


You and device users in your organization can use stand-alone installation packages to install applications on
devices manually.

A stand-alone installation package is an executable file (installer.exe) that you can store on Web Server, in a shared
folder, send by email, or transfer to a client device by another method. On the client device, the user can run the
received file locally to install an application without involving Kaspersky Security Center. You can create stand-
alone installation packages for Kaspersky applications and for third-party applications for Windows, macOS, and
Linux platforms. To create a stand-alone installation package for a third-party application, you must first create a
custom installation package.

Make sure that the stand-alone installation package is not accessible to unauthorized persons: anyone who obtains
the package can install the application and, if Network Agent is included, connect a device to your Administration
Server.

To create a stand-alone installation package:

1. Do one of the following:

In the main menu, go to DISCOVERY & DEPLOYMENT → DEPLOYMENT & ASSIGNMENT → INSTALLATION PACKAGES.

In the main menu, go to OPERATIONS → REPOSITORIES → INSTALLATION PACKAGES.

A list of installation packages available on Administration Server is displayed.

2. In the list of installation packages, select an installation package and, above the list, click the Deploy button.

3. Select the Using a stand-alone package option.


Stand-alone Installation Package Creation Wizard starts. Proceed through the Wizard by using the Next button.

4. On the first page of the Wizard, make sure that the Install Network Agent together with this application
option is enabled if you want to install Network Agent together with the selected application.
By default, this option is enabled. We recommend enabling this option if you are not sure whether Network
Agent is installed on the device. If Network Agent is already installed on the device, after the stand-alone
installation package with Network Agent is installed, Network Agent will be updated to the newer version.

If you disable this option, Network Agent will not be installed on the device and the device will be unmanaged.
If a stand-alone installation package for the selected application already exists on Administration Server, the
Wizard informs you about this fact. In this case, you must select one of the following actions:

Create stand-alone installation package. Select this option if, for example, you want to create a stand-
alone installation package for a new application version and also want to retain a stand-alone installation
package that you created for a previous application version. The new stand-alone installation package is
placed in another folder.

Use existing stand-alone installation package. Select this option if you want to use an existing stand-alone
installation package. The process of package creation will not be started.

Rebuild existing stand-alone installation package. Select this option if you want to create a stand-alone
installation package for the same application again. The stand-alone installation package is placed in the
same folder.

5. On the Move to list of managed devices page of the Wizard, by default the Do not move devices option is
enabled. If you do not want to move the client device to any administration group after Network Agent
installation, leave this option enabled.
If you want to move the client device after Network Agent installation, select the Move unassigned devices to
this group option and specify an administration group to which you want to move the client device. By default,
the device is moved to the Managed devices group.

6. On the next page of the Wizard, when the stand-alone installation package has been created, click the
FINISH button.
The Stand-alone Installation Package Creation Wizard closes.

The stand-alone installation package is created and placed in the PkgInst subfolder of the Administration Server
shared folder. You can view the list of stand-alone packages by clicking the View the list of stand-alone
packages button above the list of installation packages.

Viewing the list of stand-alone installation packages


You can view the list of stand-alone installation packages and properties of each stand-alone installation package.

To view the list of stand-alone installation packages for all installation packages:

Above the list, click the View the list of stand-alone packages button.

In the list of stand-alone installation packages, their properties are displayed as follows:

Package name. Stand-alone installation package name that is automatically formed as the application name
included in the package and the application version.

Application name. Application name included in the stand-alone installation package.

Application version.

Network Agent installation package name. The property is displayed only if Network Agent is included in the
stand-alone installation package.

Network Agent version. The property is displayed only if Network Agent is included in the stand-alone
installation package.

Size. File size in MB.

Group. Name of the group to which the client device is moved after Network Agent installation.

Created. Date and time of the stand-alone installation package creation.

Modified. Date and time of the stand-alone installation package modification.

Path. Full path to the folder where the stand-alone installation package is located.

Web address. Web address of the stand-alone installation package location.

File hash. Use this property to confirm that the stand-alone installation package was not altered by a third
party and that a user has the same file that you created and transferred: compare the hash of the file the user
received with the value shown here.

To view the list of stand-alone installation packages for a specific installation package:

Select the installation package in the list and, above the list, click the View the list of stand-alone packages
button.

In the list of stand-alone installation packages, you can do the following:

Publish a stand-alone installation package on the Web Server by clicking the Publish button. A published stand-
alone installation package can be downloaded by the users to whom you sent the link to the stand-alone
installation package.

Cancel publication of a stand-alone installation package on the Web Server by clicking the Unpublish button.
An unpublished stand-alone installation package can be downloaded only by you and other administrators.

Download a stand-alone installation package to your device by clicking the Download button.

Send email with the link to a stand-alone installation package by clicking the Send by email button.

Remove a stand-alone installation package by clicking the Remove button.
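The File hash property in the list above is only useful if someone actually compares it with the file that arrived. The following PowerShell function is an added example, not part of the Kaspersky documentation or product: it hashes a received installer.exe, compares the result with the value copied from the File hash column, and reports the file's Authenticode signature status alongside. The documentation does not state which hash algorithm the File hash column uses, so the function infers it from the length of the hexadecimal digest; that inference, and the placeholder hash in the usage line, are assumptions.

```powershell
# Added example: verify a received stand-alone installation package against the
# File hash value shown in the Web Console, and report its Authenticode signature.
# The hash algorithm is inferred from the digest length (assumption; the
# documentation does not name it).

function Test-StandalonePackage {
    param(
        [Parameter(Mandatory)][string]$Path,
        [Parameter(Mandatory)][string]$ExpectedHash   # value from the File hash column
    )
    # Tolerate the usual copy-paste variations: spaces, colons, dashes, lowercase.
    $expected = ($ExpectedHash -replace '[\s:-]', '').ToUpperInvariant()
    if ($expected -notmatch '^[0-9A-F]+$') {
        throw "Expected hash is not a hexadecimal digest: '$ExpectedHash'"
    }
    $algorithm = switch ($expected.Length) {
        32      { 'MD5' }
        40      { 'SHA1' }
        64      { 'SHA256' }
        128     { 'SHA512' }
        default { throw "Cannot infer the hash algorithm from a $($expected.Length)-character digest" }
    }
    $actual    = (Get-FileHash -LiteralPath $Path -Algorithm $algorithm).Hash.ToUpperInvariant()
    $signature = Get-AuthenticodeSignature -FilePath $Path

    [pscustomobject]@{
        Path            = (Resolve-Path -LiteralPath $Path).Path
        Algorithm       = $algorithm
        HashMatches     = ($actual -eq $expected)
        ExpectedHash    = $expected
        ActualHash      = $actual
        SignatureStatus = $signature.Status          # Valid, NotSigned, HashMismatch, ...
        Signer          = $signature.SignerCertificate.Subject
    }
}

# Usage: compare the file a user received with what you published.
#   $result = Test-StandalonePackage -Path .\installer.exe -ExpectedHash '<File hash from the list>'
#   if (-not $result.HashMatches) { Write-Warning 'Package differs from the published one; do not run it.' }
```

The hash comparison answers the question the File hash property is there for (is this byte-for-byte the file the administrator created?); the signature status is a second, independent signal, since a package that has been tampered with after signing shows HashMismatch even before the administrator's hash is consulted.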

Creating custom installation packages


You can use custom installation packages to do the following:

To install any application (such as a text editor) on a client device, for example, by means of a task.

To create a stand-alone installation package.

A custom installation package is a folder with a set of files. The source for creating a custom installation package is an
archive file. The archive file contains the file or files that must be included in the custom installation package. While
creating a custom installation package, you can specify command-line parameters, for example, to install the
application in silent mode.

If you have an active license key for the Vulnerability and Patch Management (VAPM) feature, you can convert
your default installation settings for the relevant custom installation package and use the values
recommended by Kaspersky experts. The settings are automatically converted during the creation of the
custom installation package only if the corresponding executable file is included in the Kaspersky database of
third-party applications.

To create a custom installation package:

1. Do one of the following:

In the main menu, go to DISCOVERY & DEPLOYMENT → DEPLOYMENT & ASSIGNMENT → INSTALLATION PACKAGES.

In the main menu, go to OPERATIONS → REPOSITORIES → INSTALLATION PACKAGES.

A list of installation packages available on Administration Server is displayed.

2. Click Add.
The New Package Wizard starts. Proceed through the Wizard by using the Next button.

3. On the first page of the Wizard, select Create an installation package from a file.

4. On the next page of the Wizard, specify the package name and click the Browse button.
A standard Windows Open window in your browser opens to let you choose a file to create the installation
package.

5. Choose an archive file located on the available disks.


You can upload a ZIP, CAB, TAR, or TAR.GZ archive file. It is not possible to create an installation package from an
SFX (self-extracting archive) file.

If you want the settings to be converted during the package installation, make sure the Convert settings
to recommended values for applications recognized by Kaspersky Security Center after the Wizard
finishes check box is selected, and then click Next.

File upload to the Kaspersky Security Center 14 Administration Server starts.

If you enabled the use of the recommended installation settings, Kaspersky Security Center 14 checks
whether the executable file is included in the Kaspersky database of third-party applications. If the check
is successful, you get a notification informing you that the file is recognized. The settings are converted
and the custom installation package is created. No further actions are required. Click the Finish button to
close the Wizard.

6. On the next page of the Wizard, select a file (from the list of files that are extracted from the chosen archive
file) and specify the command-line parameters of an executable file.
You can specify command-line parameters to install the application from the installation package in a silent
mode. Specifying command-line parameters is optional.
The process to create the installation package is started.
The Wizard informs you when the process is finished.
If the installation package is not created, an appropriate message is displayed.

7. Click the Finish button to close the Wizard.

The installation package that you created is downloaded to the Packages subfolder of the Administration Server
shared folder. After downloading, the installation package appears in the list of installation packages.

In the list of installation packages available on Administration Server, by clicking the link with the name of a custom
installation package, you can:

View the following properties of an installation package:

Name. Custom installation package name.

Source. Application vendor name.

Application. Application name packed into the custom installation package.

Version. Application version.

Language. Language of the application packed into the custom installation package.

Size (MB). Size of the installation package.

Operating system. Type of the operating system for which the installation package is intended.

Created. Installation package creation date.

Modified. Installation package modification date.

Type. Type of the installation package.

Change the package name and command-line parameters. This feature is available only for packages that are
not created on the basis of Kaspersky applications.

If you have converted the package installation settings to the recommended values for the custom package
creation process, two additional sections may appear on the Settings tab of the custom installation package
properties: Settings and Installation procedure.

The Settings section contains the following properties, shown in a table:

Name. This column shows the name assigned to an installation parameter.

Type. This column shows the type of an installation parameter.

Value. This column shows the type of data defined by an installation parameter (Bool, Filepath, Numeric, Path, or
String).

The Installation procedure section contains a table that describes the following properties of the update included
in the custom installation package:

Name. The name of the update.

Description. The description of the update.

Source. The source of the update, that is, whether it was released by Microsoft or by a different third-party
developer.

Type. The type of the update, that is, whether it is intended for a driver or an application.

Category. The Windows Server Update Services (WSUS) category displayed for Microsoft updates (Critical
Updates, Definition Updates, Drivers, Feature Packs, Security Updates, Service Packs, Tools, Update Rollups,
Updates, or Upgrade).

Importance level according to MSRC. The importance level of the update defined by Microsoft Security
Response Center (MSRC).

Importance level. The importance level of the update defined by Kaspersky.

Patch importance level (for patches intended for Kaspersky applications). The importance level of the patch
if it is intended for a Kaspersky application.

Article. The identifier (ID) of the article in the Knowledge Base describing the update.

Bulletin. The ID of the security bulletin describing the update.

Not assigned for installation. Displays whether the update has the Not assigned for installation status.

To be installed. Displays whether the update has the To be installed status.

Installing. Displays whether the update has the Installing status.

Installed. Displays whether the update has the Installed status.

Failed. Displays whether the update has the Failed status.

Restart is required. Displays whether the update has the Restart is required status.

Registered. Displays the date and time when the update was registered.

Installed in interactive mode. Displays whether the update requires interaction with the user during installation.

Revoked. Displays the date and time when the update was revoked.

Update approval status. Displays whether the update is approved for installation.

Revision. Displays the current revision number of the update.

Update ID. Displays the ID of the update.

Application version. Displays the version number that the application will be updated to.

Superseded. Displays other update(s) that can supersede the update.

Superseding. Displays other update(s) that can be superseded by the update.

You must accept the terms of the License Agreement. Displays whether the update requires acceptance of
the terms of an End User License Agreement (EULA).

Vendor. Displays the name of the update vendor.

Application family. Displays the name of the family of applications to which the update belongs.

Application. Displays the name of the application to which the update belongs.

Language. Displays the language of the update localization.

Not assigned for installation (new version). Displays whether the update has the Not assigned for installation
(new version) status.

Requires prerequisites installation. Displays whether the update has the Requires prerequisites installation
status.

Download mode. Displays the mode of the update download.

Is a patch. Displays whether the update is a patch.

Not installed. Displays whether the update has the Not installed status.

Distributing installation packages to secondary Administration Servers


Kaspersky Security Center allows you to create installation packages for Kaspersky applications and for third-
party applications, as well as distribute installation packages to client devices and install applications from the
packages. To optimize the load on the primary Administration Server, you can distribute installation packages to
secondary Administration Servers. After that, the secondary Servers transmit the packages to client devices, and
then you can perform the remote installation of the applications on your client devices.

To distribute installation packages to secondary Administration Servers:

1. Make sure that the secondary Administration Servers are connected to the primary Administration Server.

2. In the main menu, go to DEVICES → TASKS.


The list of tasks is displayed.

3. Click the Add button.


The New task wizard starts. Follow the steps of the wizard.

4. On the New task page, from the Application drop-down list, select Kaspersky Security Center. Then, from
the Task type drop-down list, select Distribute installation package, and then specify the task name.

5. Select the devices to which the task is assigned in one of the following ways:

If you want to create a task for all secondary Administration Servers in a specific administration group,
select this group, and then create a group task for it.

If you want to create a task for specific secondary Administration Servers, select these Servers, and then
create a task for them.

6. On the Distributed installation packages page, select the installation packages that are to be copied to the
secondary Administration Servers.

7. Specify the account under which the Distribute installation package task runs. You can use your own
account and keep the Default account option enabled. Alternatively, you can specify that the task should be
run under another account that has the necessary access rights. To do this, select the Specify account option,
and then enter the credentials of that account.

8. On the Finish task creation page, you can enable the Open task details when creation is complete option to
open the task properties window, and then modify the default task settings. Otherwise, you can configure the
task settings later, at any time.

9. Click the Finish button.


The task created for distributing installation packages to the secondary Administration Servers is displayed in
the task list.

10. You can run the task manually or wait for it to launch according to the schedule that you specified in the task
settings.

After the task is complete, the selected installation packages are copied to the specified secondary
Administration Servers.

Installing applications using a remote installation task


Kaspersky Security Center allows you to install applications on devices remotely, using remote installation tasks.
Those tasks are created and assigned to devices through a dedicated Wizard. To assign a task to devices more
quickly and easily, you can specify devices in the Wizard window in one of the following ways:

Select networked devices detected by Administration Server. In this case, the task is assigned to specific
devices. The specific devices can include devices in administration groups as well as unassigned devices.

Specify device addresses manually or import addresses from a list. You can specify NetBIOS names, DNS
names, IP addresses, and IP subnets of devices to which you want to assign the task.

Assign task to a device selection. In this case, the task is assigned to devices included in a selection created
earlier. You can specify the default selection or a custom one that you created.

Assign task to an administration group. In this case, the task is assigned to devices included in an
administration group created earlier.

For correct remote installation on a device with no Network Agent installed, the following ports must be
opened: a) TCP 139 and 445; b) UDP 137 and 138. By default, these ports are opened on all devices included in
the domain. They are opened automatically by the remote installation preparation utility.

Installing an application on specific devices


This section contains information on how to install an application remotely on an administration group, devices with
specific IP addresses, or a selection of managed devices.

To install an application on specific devices:

1. In the main menu, go to DEVICES → TASKS.

2. Click Add.
The Add Task Wizard starts.

3. In the Task type field, select Install application remotely.

4. Select one of the following options:

Assign task to an administration group

The task is assigned to devices included in an administration group. You can specify one of the existing
groups or create a new one.
For example, you may want to use this option to run a task that sends a message to users if the
message is specific to devices included in a specific administration group.

Specify device addresses manually or import addresses from a list

You can specify NetBIOS names, DNS names, IP addresses, and IP subnets of devices to which you
want to assign the task.
You may want to use this option to execute a task for a specific subnet. For example, you may want to
install a certain application on devices of accountants or to scan devices in a subnet that is probably
infected.

Assign task to a device selection

The task is assigned to devices included in a device selection. You can specify one of the existing
selections.
For example, you may want to use this option to run a task on devices with a specific operating system
version.

5. Follow the instructions of the Wizard.


The Add Task Wizard creates a task for remote installation of the application selected in the Wizard on
specified devices. If you selected the Assign task to an administration group option, the task is a group one.

6. Run the task manually or wait for it to launch according to the schedule that you specified in the task settings.

When the remote installation task is completed, the selected application is installed on the specified devices.

Installing an application through Active Directory group policies


Kaspersky Security Center allows you to install Kaspersky applications on managed devices by using Active
Directory group policies.

You can install applications by using Active Directory group policies only from installation packages that
include Network Agent.

To install an application by using Active Directory group policies:

1. Run the Protection Deployment Wizard. Follow the instructions of the Wizard.

2. On the Remote installation task settings page of the Protection Deployment Wizard, enable the Assign
package installation in Active Directory group policies option.

3. On the Select accounts to access devices page, select the Account required (Network Agent is not used)
option.

4. Add the account with administrator privileges on the device where Kaspersky Security Center is installed or the
account included in the Group Policy Creator Owners domain group.

5. Grant the permissions to the selected account:

a. Go to Control Panel → Administrative Tools and open Group Policy Management.

b. Click the node with the required domain.

c. Click the Delegation section.

d. In the Permission drop-down list, select Link GPOs.

e. Click Add.

f. In the Select User, Computer, or Group window that opens, select the necessary account.

g. Click OK to close the Select User, Computer, or Group window.

h. In the Groups and users list, select the account that you have just added, and then click Advanced →
Advanced.

i. In the Permission entries list, double-click the account that you have just added.

j. Grant the following permissions:

Create Group objects

Delete Group objects

Create group Policy Container objects

Delete group Policy Container objects

k. Click OK to save the changes.

6. Define other settings by following the instructions of the Wizard.

7. Run the created remote installation task manually or wait for its scheduled start.

The following remote installation sequence starts:

1. When the task is running, the following objects are created in each domain that includes any client devices from
the specified set:

Group policy object (GPO) under the name Kaspersky_AK{GUID}.

A security group that corresponds to the GPO. This security group includes client devices covered by the
task. The content of the security group de nes the scope of the GPO.

2. Kaspersky Security Center installs the selected Kaspersky applications on client devices directly from Share,
that is, the shared network folder of the application. In the Kaspersky Security Center installation folder, an
auxiliary subfolder will be created that contains the .msi file for the application to be installed.

3. When new devices are added to the task scope, they are added to the security group after the next start of
the task. If the Run missed tasks option is selected in the task schedule, devices are added to the security
group immediately.

4. When devices are deleted from the task scope, they are deleted from the security group after the next start of
the task.

5. When a task is deleted from Active Directory, the GPO, the link to the GPO, and the corresponding security
group are deleted, too.

If you want to apply another installation schema using Active Directory, you can configure the required settings
manually. For example, this may be required in the following cases:

When the anti-virus protection administrator does not have rights to make changes to the Active Directory of
certain domains

When the original installation package has to be stored on a separate network resource

When it is necessary to link a GPO to specific Active Directory units

The following options for using an alternative installation scheme through Active Directory are available:

If installation is to be performed directly from the Kaspersky Security Center shared folder, in the GPO
properties you must specify the .msi file located in the exec subfolder of the installation package folder for the
required application.

If the installation package has to be located on another network resource, you must copy the whole exec folder
content to it, because in addition to the file with the .msi extension the folder contains configuration files
generated when the package was created. To install the license key with the application, copy the key le to this
folder as well.

Installing applications on secondary Administration Servers


To install an application on secondary Administration Servers:

1. Establish a connection with the Administration Server that controls the relevant secondary Administration
Servers.

2. Make sure that the installation package corresponding to the application being installed is available on each of
the selected secondary Administration Servers. If you cannot find the installation package on any of the
secondary Servers, distribute it. For this purpose, create a task with the Distribute installation package task
type.

3. Create a task for a remote application installation on secondary Administration Servers. Select the Install
application on secondary Administration Server remotely task type.
The Add Task Wizard creates a task for remote installation of the application selected in the Wizard on specific
secondary Administration Servers.

4. Run the task manually or wait for it to launch according to the schedule that you specified in the task settings.

When the remote installation task is complete, the selected application is installed on the secondary
Administration Servers.

Specifying settings for remote installation on Unix devices
When you install an application on a Unix device by using a remote installation task, you can specify Unix-specific
settings for the task. These settings are available in the task properties after the task is created.

To specify Unix-specific settings for a remote installation task:

1. In the main menu, go to DEVICES → TASKS.

2. Click the name of the remote installation task for which you want to specify the Unix-specific settings.
The task properties window opens.

3. Go to Application settings → Unix-specific settings.

4. Specify the following settings:

Set a password for the root account (only for deployment through SSH)

If the sudo command cannot be used on the target device without specifying the password, select this
option, and then specify the password for the root account. Kaspersky Security Center transmits the
password in an encrypted form to the target device, decrypts the password, and then starts the
installation procedure on behalf of the root account with the specified password.

Kaspersky Security Center does not use the account or the specified password to create an SSH
connection.

Specify the path to a temporary folder with Execute permissions on the target device (only for deployment
through SSH)

If the /tmp directory on the target device does not have the execute permission, select this option, and
then specify the path to the directory with the execute permission. Kaspersky Security Center uses the
speci ed directory as a temporary directory to access via SSH. The application places the installation
package in the directory and runs the installation procedure.

5. Click the Save button.

The specified task settings are saved.
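A pre-flight check for the second Unix-specific setting above, as an added example that is not part of the Help or of Kaspersky's tooling: parse the target device's /proc/mounts, find the mount that actually holds /tmp, and pick an exec-capable directory to enter as the temporary folder if /tmp is mounted noexec. The /proc/mounts snapshot and the candidate directory /var/tmp are constructed; the code does not check that candidates exist or are writable.

```python
from dataclasses import dataclass
from typing import Iterable, List, Optional, Sequence

# Constructed /proc/mounts snapshot (not captured from a real device): /tmp is a
# separate tmpfs mounted noexec, the case in which the Unix-specific setting is needed.
SAMPLE_PROC_MOUNTS = """\
proc /proc proc rw,nosuid,nodev,noexec,relatime 0 0
/dev/sda2 / ext4 rw,relatime,errors=remount-ro 0 0
tmpfs /tmp tmpfs rw,nosuid,nodev,noexec,relatime,size=1048576k 0 0
/dev/sdb1 /var/opt/deploy\\040stage xfs rw,relatime 0 0
"""


@dataclass(frozen=True)
class Mount:
    device: str
    mountpoint: str
    fstype: str
    options: frozenset


def _unescape(field: str) -> str:
    """Decode the \\ooo octal escapes /proc/mounts uses for spaces and similar."""
    out: List[str] = []
    i = 0
    while i < len(field):
        esc = field[i + 1:i + 4]
        if field[i] == "\\" and len(esc) == 3 and all(c in "01234567" for c in esc):
            out.append(chr(int(esc, 8)))
            i += 4
        else:
            out.append(field[i])
            i += 1
    return "".join(out)


def parse_proc_mounts(text: str) -> List[Mount]:
    """Parse /proc/mounts lines: device mountpoint fstype options dump pass."""
    mounts = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 4:
            continue  # blank or malformed line
        mounts.append(Mount(_unescape(parts[0]), _unescape(parts[1]),
                            parts[2], frozenset(parts[3].split(","))))
    return mounts


def mount_for_path(path: str, mounts: Iterable[Mount]) -> Optional[Mount]:
    """Longest-prefix match: the mount that actually holds the given path."""
    best = None
    for m in mounts:
        prefix = m.mountpoint.rstrip("/") + "/"
        if path == m.mountpoint or path.startswith(prefix):
            if best is None or len(m.mountpoint) > len(best.mountpoint):
                best = m
    return best


def is_noexec(path: str, mounts: Iterable[Mount]) -> bool:
    """True when the mount holding `path` forbids executing files."""
    m = mount_for_path(path, list(mounts))
    return m is not None and "noexec" in m.options


def choose_temp_dir(candidates: Sequence[str], mounts: Iterable[Mount],
                    default: str = "/tmp") -> str:
    """Return /tmp if it allows execution, otherwise the first exec-capable candidate.

    The returned path is what you would enter in the task's "Specify the path to a
    temporary folder with Execute permissions" setting.
    """
    mounts = list(mounts)
    for directory in [default, *candidates]:
        if not is_noexec(directory, mounts):
            return directory
    raise RuntimeError("every candidate lies on a noexec mount")


def check_live_device(path: str = "/tmp") -> bool:
    """Read the real /proc/mounts (Linux only) and report whether `path` is noexec."""
    with open("/proc/mounts", encoding="utf-8") as fh:
        return is_noexec(path, parse_proc_mounts(fh.read()))


if __name__ == "__main__":
    sample = parse_proc_mounts(SAMPLE_PROC_MOUNTS)
    print("/tmp noexec in sample:", is_noexec("/tmp", sample))
    print("temporary folder to use:", choose_temp_dir(["/var/tmp"], sample))
```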

Mobile Device Management


Management of mobile device protection through Kaspersky Security Center is carried out by using the Mobile
Device Management feature, which requires a dedicated license. If you are intending to manage mobile devices
owned by employees in your organization, enable and configure Mobile Device Management.

Mobile Device Management enables you to manage Android devices of the employees. The protection is provided
by the Kaspersky Endpoint Security for Android mobile app installed on the devices. This mobile app ensures
protection of mobile devices against web threats, viruses and other programs that pose threats. For centralized
management through Kaspersky Security Center Web Console, you must install the following web management
plug-ins on the device where Kaspersky Security Center Web Console is installed:

Kaspersky Security for Mobile Plug-in

Kaspersky Endpoint Security for Android Plug-in

For information about protection deployment and management of mobile devices, see Kaspersky Security for
Mobile Help.

Modifying the Mobile Device Management settings in the Kaspersky Security Center Web
Console

To modify the Mobile Device Management settings:

1. In the main menu, click the settings icon next to the name of the required Administration Server.
The Administration Server properties window opens.

2. On the General tab, select the Additional ports section.

3. Modify the relevant settings:

Open port for mobile devices

If this option is enabled, the port for mobile devices will be open on the Administration Server.
You can use the port for mobile devices only if the Mobile Device Management component is installed.
If this option is disabled, the port for mobile devices on the Administration Server will not be used.
By default, this option is disabled.

Port for mobile device synchronization

Number of the port used for connection of mobile devices to the Administration Server. The default
port number is 13292.
The port number is entered in decimal notation.

Port for mobile device activation

The port for connection of Kaspersky Endpoint Security for Android to activation servers of Kaspersky.
The default port number is 17100.

4. Click the Save button.

The mobile devices can now connect to the Administration Server.

Replacing third-party security applications
Installation of Kaspersky security applications through Kaspersky Security Center may require removal of third-
party software incompatible with the application being installed. Kaspersky Security Center provides several ways
of removing the third-party applications.

Removing incompatible applications by using the installer

This option is available in Microsoft Management Console-based Administration Console only.

The installer method of removing incompatible applications is supported by various types of installation. Before
the security application installation, all incompatible applications are removed automatically if the properties
window of the installation package of this security application (Incompatible applications section) has the
Uninstall incompatible applications automatically option selected.

Removing incompatible applications when configuring remote installation of an application

You can enable the Uninstall incompatible applications automatically option when you configure remote
installation of a security application. In Microsoft Management Console (MMC) based Administration Console, this
option is available in the Remote Installation Wizard. In Kaspersky Security Center Web Console, you can find this
option in the Protection Deployment Wizard. When this option is enabled, Kaspersky Security Center removes
incompatible applications before installing a security application on a managed device.

How-to instructions:

Administration Console: Installing applications using Remote Installation Wizard

Kaspersky Security Center Web Console: Removing incompatible applications before installation

Removing incompatible applications through a dedicated task

To remove incompatible applications, use the Uninstall application remotely task. This task should be run on
devices before the security application installation task. For example, in the installation task you can select On
completing another task as the schedule type where the other task is Uninstall application remotely.

This method of uninstallation is useful when the security application installer cannot properly remove an
incompatible application.

How-to instructions for Administration Console: Creating a task.

Discovering networked devices


This section describes search and discovery of networked devices.

Kaspersky Security Center allows you to find devices on the basis of specified criteria. You can save search results
to a text file.

The search and discovery feature allows you to find the following devices:

Managed devices in administration groups of Kaspersky Security Center Administration Server and its
secondary Administration Servers.

Unassigned devices managed by Kaspersky Security Center Administration Server and its secondary
Administration Servers.

Scenario: Discovering networked devices


You must perform device discovery before installation of the security applications. When all networked devices are
discovered, you can receive information about them and manage them through policies. Regular network polls are
needed to discover if there are any new devices and whether previously discovered devices are still on the
network.

Before you start network polling, make sure that the SMB protocol is enabled. Otherwise, Kaspersky Security
Center cannot discover devices in the polled network. To enable the SMB protocol, follow the instructions for
your operating system.

Discovery of networked devices proceeds in stages:

1 Initial device discovery

The Quick Start Wizard guides you through initial device discovery, and helps you find networked devices such
as computers, tablets, and mobile phones. You can also perform device discovery manually.

2 Configuring future polls

Decide which type(s) of discovery you want to use regularly. Make sure that this type is enabled and that the poll
schedule meets the needs of your organization. When configuring the poll schedule, use the recommendations
for network polling frequency.

3 Setting up rules for adding discovered devices to administration groups (optional)

If new devices appear on your network, they are discovered during regular polls and are automatically included in
the Unassigned devices group. If you want, you can set up the rules for automatically moving these devices to
the Managed devices group. You can also establish retention rules.

If you skip this rule-setting stage, all the newly discovered devices go to the Unassigned devices group and stay
there. If you want, you can move these devices to the Managed devices group manually. If you move the devices
to the Managed devices group manually, you can analyze information about each device and decide whether
you want to move it to an administration group, and, if so, to which group.

Results

Completion of the scenario yields the following:

Kaspersky Security Center Administration Server discovers the devices that are on the network and provides
you with information about them.

Future polls are set up and are conducted according to the specified schedule.

The newly discovered devices are arranged according to the configured rules. (Or, if no rules are configured, the
devices stay in the Unassigned devices group).

Device discovery
This section describes the types of device discovery available in Kaspersky Security Center and provides
information about using each type.

The Administration Server receives information about the structure of the network and devices on this network
through regular polling. The information is recorded to the Administration Server database. Administration Server
can use the following types of polling:

Windows network polling. The Administration Server can perform two kinds of Windows network poll: quick
and full. During a quick poll, the Administration Server only retrieves information from the list of the NetBIOS
names of devices in all network domains and workgroups. During a full poll, more information is requested from
each client device, such as operating system name, IP address, DNS name, and NetBIOS name. By default, both
quick poll and full poll are enabled. Windows network polling may fail to discover devices, for example, if the
ports UDP 137, UDP 138, TCP 139 are closed on the router or by the firewall.

Active Directory polling. The Administration Server retrieves information about the Active Directory unit
structure and about DNS names of the devices from Active Directory groups. By default, this type of polling is
enabled. We recommend that you use Active Directory polling if you use Active Directory; otherwise, the
Administration Server does not discover any devices. If you use Active Directory but some of the networked
devices are not listed as members, these devices cannot be discovered by Active Directory polling.

IP range polling. The Administration Server polls the specified IP ranges using ICMP packets or the NBNS
protocol and compiles a complete set of data on devices within those IP ranges. By default, this type of polling
is disabled. It is not recommended to use this type of polling if you use Windows network polling and/or Active
Directory polling.

Zeroconf polling. A distribution point that polls the IPv6 network by using zero-configuration networking (also
referred to as Zeroconf). By default, this type of polling is disabled. You can use Zeroconf polling if the
distribution point runs Linux.

If you set up and enabled device moving rules, the newly discovered devices are automatically included in the
Managed devices group. If no moving rules have been enabled, the newly discovered devices are automatically
included in the Unassigned devices group.

You can modify device discovery settings for each type. For example, you may want to modify the polling schedule
or to set whether to poll the entire Active Directory forest or only a specific domain.

Before you start network polling, make sure that the SMB protocol is enabled. Otherwise, Kaspersky Security
Center cannot discover devices in the polled network. To enable the SMB protocol, follow the instructions for
your operating system.

Windows network polling

About Windows network polling

During a quick poll, the Administration Server only retrieves information from the list of the NetBIOS names of
devices in all network domains and workgroups. During a full poll, the following information is requested from each
client device:

Operating system name

IP address

DNS name

NetBIOS name

Both quick polls and full polls require the following:

Ports UDP 137/138, TCP 139, UDP 445, TCP 445 must be available in the network.

The SMB protocol is enabled.

The Microsoft Computer Browser service must be used, and the primary browser computer must be enabled
on the Administration Server.

The Microsoft Computer Browser service must be used, and the primary browser computer must be enabled
on the client devices:

On at least one device, if the number of networked devices does not exceed 32.

On at least one device for each 32 networked devices.

The full poll can run only if the quick poll has run at least once.

Viewing and modifying the settings for Windows network polling

To modify the properties of Windows network polling:

1. In the main menu, go to DISCOVERY & DEPLOYMENT → DISCOVERY → WINDOWS DOMAINS.

2. Click the Properties button.


The Windows domain properties window opens.

3. Enable or disable Windows network polling by using the Enable Windows network polling toggle button.

4. Configure the poll schedule. By default, the quick polling runs every 15 minutes and the full polling runs every 60
minutes.
Polling schedule options:

Every N days

The polling runs regularly, with the specified interval in days, starting from the specified date and time.
By default, the polling runs every day, starting from the current system date and time.

Every N minutes

The polling runs regularly, with the specified interval in minutes, starting from the specified time.

By days of week

The polling runs regularly, on the specified days of week, and at the specified time.

Every month on specified days of selected weeks

The polling runs regularly, on the specified days of each month, and at the specified time.

Run missed tasks

If the Administration Server is switched off or unavailable at the time for which the poll is scheduled,
the Administration Server can either start the poll immediately after it is switched on, or wait for the
next time for which the poll is scheduled.
If this option is enabled, the Administration Server starts polling immediately after it is switched on.
If this option is disabled, the Administration Server waits for the next time for which the polling is
scheduled.
By default, this option is disabled.

5. Click the Save button.

The properties are saved and applied to all of the discovered Windows domains and workgroups.

Running the poll manually

To run the poll immediately,

Click Start quick poll or Start full poll.

When the polling is complete, you can view the list of discovered devices on the WINDOWS DOMAINS page by
selecting the check box next to a domain name, and then clicking the Devices button.

Active Directory polling


Use Active Directory polling if you use Active Directory; otherwise, it is recommended to use other poll types. If
you use Active Directory but some of the networked devices are not listed as members, these devices cannot be
discovered by using Active Directory polling.

Kaspersky Security Center sends a request to the domain controller and receives the Active Directory device
structure. Active Directory polling is performed hourly.

Before you start network polling, make sure that the SMB protocol is enabled. Otherwise, Kaspersky Security
Center cannot discover devices in the polled network. To enable the SMB protocol, follow the instructions for
your operating system.

Viewing and modifying the settings for Active Directory polling

To view and modify the settings for Active Directory polling:

1. In the main menu, go to DISCOVERY & DEPLOYMENT → DISCOVERY → ACTIVE DIRECTORY.

2. Click the Properties button.


The Active Directory properties window opens.

3. In the Active Directory properties window, you can define the following settings:

a. Turn Active Directory polling on or off by using the toggle button.

b. Change the polling schedule.


The default period is one hour. The data received at the next polling completely replaces the old data.

c. Configure advanced settings to select the polling scope:

Active Directory domain to which the Administration Server belongs

Domain forest to which the Administration Server belongs

Specified list of Active Directory domains

To add a domain to the polling scope, select a domain option, click the Add button, and then specify
the address of the domain controller and the name and password of the account for accessing it. Polling
only reads the directory structure, so use a dedicated account with read-only directory permissions
rather than an administrative one.

4. To apply the new settings, click the Save button.

The new settings are applied to the Active Directory polling.

Running the poll manually

To run the poll immediately,

click Start poll.

Viewing the results of Active Directory polling

To view the results of Active Directory polling:

1. In the main menu, go to DISCOVERY & DEPLOYMENT → DISCOVERY → ACTIVE DIRECTORY.


The list of discovered organizational units is displayed.

2. If you want, select an organizational unit, and then click the Devices button.
The list of devices in the organizational unit is displayed.

You can search the list and filter the results.

IP range polling

Initially, Kaspersky Security Center gets IP ranges for polling from the network settings of the device on which it is
installed. If the device address is 192.168.0.1 and the subnet mask is 255.255.255.0, Kaspersky Security Center
automatically includes the network 192.168.0.0/24 in the list of polled addresses and polls all addresses from
192.168.0.1 to 192.168.0.254.

It is not recommended to use IP range polling if you use Windows network polling and/or Active Directory polling.

Kaspersky Security Center can poll IP ranges by reverse DNS lookup or by using the NBNS protocol:

Reverse DNS lookup


Kaspersky Security Center attempts to resolve every IP address from the specified range to a DNS name
using standard reverse DNS (PTR) requests. If this succeeds, the server sends an ICMP ECHO REQUEST (the
same as the ping command) to the received name. If the device responds, the information about it is added
to the Kaspersky Security Center database. The reverse name resolution is used to exclude network devices
that have an IP address but are not computers, for example, network printers or routers.
This polling method relies upon a correctly configured local DNS service with a reverse lookup zone. In
networks where Active Directory is used, such a zone is maintained automatically, but in these networks IP
range polling does not provide more information than Active Directory polling. Moreover, administrators of
small networks often do not configure a reverse lookup zone because many network services do not need
it. For these reasons, IP range polling is disabled by default.

NBNS protocol
If reverse name resolution is not possible in your network for some reason, Kaspersky Security Center uses
the NBNS protocol to poll the IP ranges. If a request to an IP address returns a NetBIOS name, the information
about this device is added to the Kaspersky Security Center database.

Before you start network polling, make sure that the SMB protocol is enabled. Otherwise, Kaspersky Security
Center cannot discover devices in the polled network. To enable the SMB protocol, follow the instructions for
your operating system.
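The polling order described above, as an added example that is not Kaspersky code: a small Python model that derives the default range from the server's own address and mask, then walks the hosts doing a reverse DNS lookup plus a ping by name, with NBNS as the fallback. The resolver, pinger and NBNS lookup are injected functions fed with constructed sample answers, so it runs offline; treating the NBNS fallback per address (rather than per network) is this example's simplification.

```python
import ipaddress
from dataclasses import dataclass
from typing import Callable, List, Optional


@dataclass
class Discovered:
    ip: str
    dns_name: Optional[str]      # name from the reverse lookup zone, if any
    netbios_name: Optional[str]  # name from an NBNS query, if used
    method: str                  # "dns" or "nbns"


def default_range(address: str, mask: str) -> ipaddress.IPv4Network:
    """192.168.0.1 with mask 255.255.255.0 -> 192.168.0.0/24 (host bits dropped)."""
    return ipaddress.IPv4Network(f"{address}/{mask}", strict=False)


def poll_range(network: ipaddress.IPv4Network,
               reverse_dns: Callable[[str], Optional[str]],
               ping: Callable[[str], bool],
               nbns_query: Callable[[str], Optional[str]]) -> List[Discovered]:
    """Reverse DNS first and ping the resulting name; fall back to NBNS when
    no PTR record exists (modelled per address here, an assumption of this example)."""
    found: List[Discovered] = []
    for host in network.hosts():          # .1 .. .254 for a /24
        ip = str(host)
        name = reverse_dns(ip)
        if name is not None:
            # A PTR record exists: the device counts only if it answers a ping by name.
            if ping(name):
                found.append(Discovered(ip, name, None, "dns"))
            continue
        netbios = nbns_query(ip)          # no PTR record: ask the host for its NetBIOS name
        if netbios is not None:
            found.append(Discovered(ip, None, netbios, "nbns"))
    return found


# Constructed sample answers standing in for a lab network (not real hosts).
SAMPLE_PTR = {
    "192.168.0.10": "ws10.corp.example",
    "192.168.0.20": "ws20.corp.example",
    "192.168.0.40": "ws40.corp.example",   # PTR exists but the host is switched off
}
SAMPLE_ALIVE = {"ws10.corp.example", "ws20.corp.example"}
SAMPLE_NBNS = {"192.168.0.30": "WORKGROUP-PC"}   # no PTR record, answers NBNS
# 192.168.0.1 (router) and 192.168.0.50 (printer) answer neither: excluded.


def sample_poll() -> List[Discovered]:
    network = default_range("192.168.0.1", "255.255.255.0")
    return poll_range(network, SAMPLE_PTR.get,
                      lambda name: name in SAMPLE_ALIVE, SAMPLE_NBNS.get)


if __name__ == "__main__":
    for device in sample_poll():
        print(device)
```

The host that has a PTR record but does not answer the ping (192.168.0.40) is dropped, as is everything without either a PTR record or an NBNS answer; that is the behaviour that keeps printers and routers out of the inventory, and also the reason a missing reverse lookup zone makes this poll type nearly blind.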

Viewing and modifying the settings for IP range polling

To view and modify the properties of IP range polling:

1. In the main menu, go to DISCOVERY & DEPLOYMENT → DISCOVERY → IP RANGES.

2. Click the Properties button.


The IP polling properties window opens.

3. Enable or disable IP polling by using the Allow polling toggle button.

4. Configure the poll schedule. By default, IP polling runs every 420 minutes (seven hours).
When specifying the polling interval, make sure that it does not exceed the IP address lifetime. If an IP address
is not verified by polling within the IP address lifetime, it is automatically removed from the polling results. By
default, the lifetime of the polling results is 24 hours, because dynamic IP addresses (assigned using Dynamic
Host Configuration Protocol (DHCP)) typically change every 24 hours.
Polling schedule options:

Every N days

The polling runs regularly, with the specified interval in days, starting from the specified date and time.
By default, the polling runs every day, starting from the current system date and time.

Every N minutes

The polling runs regularly, with the specified interval in minutes, starting from the specified time.

By days of week

The polling runs regularly, on the specified days of week, and at the specified time.

Every month on specified days of selected weeks

The polling runs regularly, on the specified days of each month, and at the specified time.

Run missed tasks

If the Administration Server is switched off or unavailable at the time for which the poll is scheduled,
the Administration Server can either start the poll immediately after it is switched on, or wait for the
next time for which the poll is scheduled.
If this option is enabled, the Administration Server starts polling immediately after it is switched on.
If this option is disabled, the Administration Server waits for the next time for which the polling is
scheduled.
By default, this option is disabled.

5. Click the Save button.

The properties are saved and applied to all IP ranges.

Running the poll manually

To run the poll immediately,

click Start poll.

Adding and modifying an IP range


Initially, Kaspersky Security Center gets IP ranges for polling from the network settings of the device on which it is
installed. If the device address is 192.168.0.1 and the subnet mask is 255.255.255.0, Kaspersky Security Center
automatically includes the network 192.168.0.0/24 in the list of polled addresses and polls all addresses from
192.168.0.1 to 192.168.0.254. You can modify the automatically defined IP ranges or add custom IP ranges.

You can create a range only for IPv4 addresses. If you enable Zeroconf polling, Kaspersky Security Center will
poll the whole network.

To add a new IP range:

1. In the main menu, go to DISCOVERY & DEPLOYMENT → DISCOVERY → IP RANGES.

2. To add a new IP range, click the Add button.

3. In the window that opens, specify the following settings:

IP range name

A name of the IP range. You might want to specify the IP range itself as its name, for example,
"192.168.0.0/24".

IP interval or subnet address and mask

Set the IP range by specifying either the start and end IP addresses or the subnet address and subnet
mask. You can also select one of the already existing IP ranges by clicking the Browse button.

IP address lifetime (hours)

When specifying this parameter, make sure that it exceeds the polling interval set in the polling
schedule. If an IP address is not verified by polling during the IP address lifetime, this IP address is
automatically removed from the polling results. By default, the life span of the polling results is 24 hours,
because dynamic IP addresses (assigned using Dynamic Host Configuration Protocol (DHCP)) change
every 24 hours.

4. Select Enable IP range polling if you want to poll the subnet or interval that you have added. Otherwise, the
subnet or interval that you have added will not be polled.

5. Click the Save button.

The new IP range is added to the list of IP ranges.

You can run polling of each IP range separately by using the Start poll button. When the polling is complete, you
can view the list of discovered devices by using the Devices button. By default, the life span of the polling results is
24 hours and it is equal to the IP address lifetime setting.

To add a subnet to an existing IP range:

1. In the main menu, go to DISCOVERY & DEPLOYMENT → DISCOVERY → IP RANGES.

2. Click the name of the IP range to which you want to add a subnet.

3. In the window that opens, click the Add button.

4. Specify a subnet by using either its address and mask, or by using the first and last IP address in the IP range.
Or, add an existing subnet by clicking the Browse button.

5. Click the Save button.


The new subnet is added to the IP range.

6. Click the Save button.

The new settings of the IP range are saved.

You can add as many subnets as you need. Named IP ranges are not allowed to overlap, but unnamed subnets
inside an IP range have no such restrictions. You can enable and disable polling independently for every IP range.
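An added example (not Kaspersky code) that checks a set of range definitions for the two constraints stated above: named ranges may not overlap while subnets inside one range may, and the IP address lifetime must exceed the polling interval. The IpRange and Interval classes and their default values are this example's own; the configuration it validates is constructed.

```python
import ipaddress
from dataclasses import dataclass, field
from typing import List


@dataclass(frozen=True)
class Interval:
    """One subnet inside an IP range, stored as an inclusive integer interval."""
    start: int
    end: int

    @classmethod
    def from_spec(cls, spec: str) -> "Interval":
        """Accept '10.0.0.0/24', '10.0.0.0/255.255.255.0' or 'first-last'."""
        if "-" in spec:
            first, last = (ipaddress.IPv4Address(s.strip()) for s in spec.split("-", 1))
        else:
            net = ipaddress.IPv4Network(spec, strict=False)
            first, last = net.network_address, net.broadcast_address
        if int(first) > int(last):
            raise ValueError(f"interval {spec} ends before it starts")
        return cls(int(first), int(last))

    def overlaps(self, other: "Interval") -> bool:
        return self.start <= other.end and other.start <= self.end


@dataclass
class IpRange:
    name: str
    subnets: List[Interval] = field(default_factory=list)
    lifetime_hours: int = 24             # IP address lifetime (hours)
    poll_interval_minutes: int = 420     # default schedule: every seven hours
    enabled: bool = True


def validate(ranges: List[IpRange]) -> List[str]:
    """Return human-readable problems; an empty list means the set is consistent."""
    problems: List[str] = []
    for r in ranges:
        # Entries expire when not re-verified within the lifetime, so the
        # lifetime must be longer than the gap between two polls.
        if r.lifetime_hours * 60 <= r.poll_interval_minutes:
            problems.append(f"{r.name}: lifetime {r.lifetime_hours}h does not exceed "
                            f"polling interval {r.poll_interval_minutes}min")
    for i, a in enumerate(ranges):
        for b in ranges[i + 1:]:
            # Subnets within one range may overlap; named ranges may not.
            if any(x.overlaps(y) for x in a.subnets for y in b.subnets):
                problems.append(f"{a.name} overlaps {b.name}")
    return problems


def sample_validation() -> List[str]:
    """Constructed configuration: one sound range, one misconfigured, one colliding."""
    office = IpRange("office", [Interval.from_spec("192.168.0.0/24"),
                                Interval.from_spec("192.168.0.100-192.168.0.120")])
    lab = IpRange("lab", [Interval.from_spec("192.168.0.200-192.168.1.10")],
                  lifetime_hours=2, poll_interval_minutes=180)
    dmz = IpRange("dmz", [Interval.from_spec("10.10.0.0/255.255.255.0")])
    return validate([office, lab, dmz])


if __name__ == "__main__":
    for problem in sample_validation():
        print(problem)
```

The inner overlap between the office /24 and its 100-120 interval is accepted; the collision between the office and lab ranges and the lab range's two-hour lifetime against a three-hour polling interval are both reported.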

Zeroconf polling

This polling type is supported only for Linux-based distribution points.

A distribution point can poll networks that have devices with IPv6 addresses. In this case, IP ranges are not
specified and the distribution point polls the whole network by using zero-configuration networking (referred to as
Zeroconf). To start using Zeroconf, you must install the avahi-browse utility on the distribution point.

To enable IPv6 network polling:

1. In the main menu, go to DISCOVERY & DEPLOYMENT → DISCOVERY → IP RANGES.

2. Click the Properties button.

3. In the window that opens, switch on the Use Zeroconf to poll IPv6 networks toggle button.

After that, the distribution point starts to poll your network. In this case, the speci ed IP ranges are ignored.
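An added example, not Kaspersky code, for checking what a Linux distribution point can see over Zeroconf before you switch the toggle on: a parser for the parsable output of avahi-browse. The exact command the distribution point runs is not documented here, so `avahi-browse -a -t -r -p` is an assumption, and the sample output is constructed. Run the real command on the distribution point and pass its output to parse_avahi_browse.

```python
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple


@dataclass(frozen=True)
class ZeroconfHost:
    hostname: str
    address: str
    services: Tuple[str, ...]


def parse_avahi_browse(output: str, ipv6_only: bool = True) -> List[ZeroconfHost]:
    """Turn parsable avahi-browse output into a list of hosts.

    Line types: '+' service seen, '-' service gone, '=' service resolved.
    Only '=' lines carry host name, address and port, so only they are used:
      =;<iface>;<proto>;<name>;<type>;<domain>;<host>;<address>;<port>;<txt>
    """
    seen: Dict[Tuple[str, str], Set[str]] = {}
    for line in output.splitlines():
        if not line.startswith("="):
            continue
        fields = line.split(";", 9)        # the TXT field may itself contain semicolons
        if len(fields) < 9:
            continue                       # truncated or malformed line
        _, _iface, proto, _name, stype, _domain, host, address, _port = fields[:9]
        if ipv6_only and proto != "IPv6":
            continue
        try:
            ipaddress.ip_address(address)  # reject garbage before it enters the inventory
        except ValueError:
            continue
        seen.setdefault((host, address), set()).add(stype)
    return sorted((ZeroconfHost(h, a, tuple(sorted(s))) for (h, a), s in seen.items()),
                  key=lambda z: (z.hostname, z.address))


# Constructed output in the shape `avahi-browse -a -t -r -p` prints (not a real capture).
SAMPLE_OUTPUT = """\
+;eth0;IPv6;ws-lin01;_workstation._tcp;local
=;eth0;IPv6;ws-lin01;_workstation._tcp;local;ws-lin01.local;fe80::1a2b:3c4d:5e6f:7a8b;9;""
=;eth0;IPv4;ws-lin01;_workstation._tcp;local;ws-lin01.local;192.168.0.11;9;""
=;eth0;IPv6;ws-lin02;_ssh._tcp;local;ws-lin02.local;2001:db8::22;22;""
=;eth0;IPv6;ws-lin02;_workstation._tcp;local;ws-lin02.local;2001:db8::22;9;""
=;eth0;IPv6;bogus;_http._tcp;local;bogus.local;not-an-address;80;""
-;eth0;IPv6;old-box;_workstation._tcp;local
"""


def sample_hosts(ipv6_only: bool = True) -> List[ZeroconfHost]:
    return parse_avahi_browse(SAMPLE_OUTPUT, ipv6_only)


if __name__ == "__main__":
    for host in sample_hosts():
        print(host)
```

Only resolved records are trusted, and an address that does not parse is discarded rather than stored, which matters because anything on the link can announce itself over multicast DNS; treat the result as a hint for discovery, not as an authenticated inventory.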

Configuring retention rules for unassigned devices


After Windows network polling is complete, the found devices are placed into subgroups of the Unassigned
devices administration group. This administration group can be found at DISCOVERY & DEPLOYMENT →
DISCOVERY → WINDOWS DOMAINS. The WINDOWS DOMAINS folder is the parent group. It contains child
groups named after the corresponding domains and workgroups that have been found during the poll. The parent
group may also contain the administration group of mobile devices. You can configure the retention rules of the
unassigned devices for the parent group and for each of the child groups. The retention rules do not depend on
the device discovery settings and work even if the device discovery is disabled.

The device retention rules do not affect the devices that have one or more drives encrypted with full disk
encryption. Such devices are not deleted automatically; you can only delete them manually. If you need to delete a
device with an encrypted drive, first decrypt the drive, and then delete the device.

To configure retention rules for unassigned devices:

1. In the main menu, go to DISCOVERY & DEPLOYMENT → DISCOVERY → WINDOWS DOMAINS.

2. Do one of the following:

To configure settings of the parent group, click the Properties button.
The Windows domain properties window opens.

To configure settings of a child group, click its name.
The child group properties window opens.

3. Define the following settings:

Remove the device from the group if it has been inactive for longer than (days)

If this option is enabled, you can specify the time interval after which the device is automatically
removed from the group. By default, this option is also distributed to the child groups. The default time
interval is 7 days.
By default, this option is enabled.

Inherit from parent group

If this option is enabled, the retention period for the devices in the current group is inherited from the
parent group and cannot be changed.
This option is available only for child groups.
By default, this option is enabled.

Force inheritance in child groups

The setting values will be distributed to child groups but in the properties of the child groups these
settings are locked.
By default, this option is disabled.

4. Click the Accept button.

Your changes are saved and applied.
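The inheritance and locking rules above, modelled in an added Python example that is not Kaspersky code. Group and Device are this example's own classes, and the hierarchy and timestamps are constructed. It shows which devices a retention run would remove, including that a child group's own period is overridden once the parent forces inheritance and that a device with an encrypted drive is skipped.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import List, Optional, Tuple


@dataclass
class Group:
    name: str
    retention_days: int = 7            # "Remove the device ... inactive for longer than (days)"
    retention_enabled: bool = True
    inherit_from_parent: bool = True   # meaningful for child groups only
    force_inheritance: bool = False    # lock the values in all child groups
    parent: Optional["Group"] = None

    def effective(self) -> Tuple[bool, int, bool]:
        """Return (enabled, days, locked) after walking up the hierarchy."""
        if self.parent is None:
            return self.retention_enabled, self.retention_days, self.force_inheritance
        p_enabled, p_days, p_locked = self.parent.effective()
        if p_locked or self.inherit_from_parent:
            # Parent values win, either by the parent's lock or the child's choice.
            return p_enabled, p_days, p_locked or self.force_inheritance
        return self.retention_enabled, self.retention_days, self.force_inheritance


@dataclass
class Device:
    name: str
    group: Group
    last_seen: datetime
    has_encrypted_drive: bool = False   # full disk encryption: never removed automatically


def devices_to_remove(devices: List[Device], now: datetime) -> List[str]:
    """Names of devices a retention run would delete from their group."""
    doomed: List[str] = []
    for d in devices:
        enabled, days, _ = d.group.effective()
        if not enabled or d.has_encrypted_drive:
            continue
        if now - d.last_seen > timedelta(days=days):
            doomed.append(d.name)
    return doomed


def sample_removals(force_inheritance: bool = False) -> List[str]:
    """Constructed hierarchy: a parent with the 7-day default, one child with its
    own 30-day period, one child that inherits."""
    now = datetime(2023, 6, 1)
    parent = Group("WINDOWS DOMAINS", force_inheritance=force_inheritance)
    corp = Group("CORP", retention_days=30, inherit_from_parent=False, parent=parent)
    lab = Group("LAB", retention_days=90, inherit_from_parent=True, parent=parent)
    devices = [
        Device("ws-a", corp, now - timedelta(days=10)),
        Device("ws-b", corp, now - timedelta(days=31)),
        Device("ws-c", lab, now - timedelta(days=8)),
        Device("ws-d", lab, now - timedelta(days=8), has_encrypted_drive=True),
    ]
    return devices_to_remove(devices, now)


if __name__ == "__main__":
    print("without lock:", sample_removals())
    print("with lock:   ", sample_removals(force_inheritance=True))
```

Without the lock, CORP keeps its 30-day period and only ws-b goes; LAB's own 90 days are ignored because it inherits, so ws-c goes too. With Force inheritance on the parent, CORP falls back to 7 days and ws-a is removed as well. ws-d survives in both runs because of its encrypted drive.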

Kaspersky applications: licensing and activation


This section describes the features of Kaspersky Security Center related to working with the license keys of
managed Kaspersky applications.

Kaspersky Security Center allows you to perform centralized distribution of license keys for Kaspersky applications
on client devices, monitor their use, and renew licenses.

When adding a license key using Kaspersky Security Center, the settings of the license key are saved on the
Administration Server. Based on this information, the application generates a license key usage report and notifies
the administrator of license expirations and violation of license restrictions that are set in the properties of license
keys. You can configure notifications of the use of license keys within the Administration Server settings.

Licensing of managed applications

The Kaspersky applications installed on managed devices must be licensed by applying a key file or activation code
to each of the applications. A key file or activation code can be deployed in the following ways:

Automatic deployment

The installation package of a managed application

The Add license key task for a managed application

Manual activation of a managed application

You can add a new active or reserve license key by any of the methods listed above. A Kaspersky application uses
an active key at the current moment and stores a reserve key to apply after the active key expires. The application
for which you add a license key defines whether the key is active or reserve. The key definition does not depend on
the method that you use to add a new license key.

Automatic deployment

If you use different managed applications and you have to deploy a specific key file or activation code to
devices, opt for other ways of deploying that activation code or key file.

Kaspersky Security Center allows you to automatically deploy available license keys to devices. For example, three
license keys are stored in the Administration Server repository, and you have selected the Automatically distribute
license key to managed devices check box for all three. A Kaspersky security application (for example, Kaspersky
Endpoint Security for Windows) is installed on the organization's devices. A new device is discovered to which a
license key must be deployed. The application determines, for instance, that two of the license keys from the
repository fit the device: Key_1 and Key_2. One of these is deployed to the device. Which of the two cannot be
predicted, because automatic deployment involves no administrator decision; if a particular key must land on
particular devices, use the Add license key task instead.

When a license key is deployed, the devices are recounted for that license key. You must make sure that the
number of devices to which the license key was deployed does not exceed the license limit. If the number of
devices exceeds the license limit, all devices that were not covered by the license will be assigned Critical status.

Before deployment, the key file or activation code must be added to the Administration Server repository.

How-to instructions:

Administration Console:

Adding a license key to the Administration Server repository

Automatic distribution of a license key

or

Kaspersky Security Center Web Console:

Adding a license key to the Administration Server repository

Automatic distribution of a license key

Adding a key file or activation code to the installation package of a managed application

For security reasons, this option is not recommended. A key file or activation code embedded in an installation
package is stored with the package and travels with it to every device it is installed on, so anyone who can read the
package (for example, from the shared folder on the Administration Server) can extract it and reuse it outside your
organization.

If you install a managed application using an installation package, you can specify an activation code or key file in
this installation package or in the policy of the application. The license key will be deployed to managed devices at
the next synchronization of the device with the Administration Server.

How-to instructions:

Administration Console:

Creating an installation package

Installing applications on client devices

or

Kaspersky Security Center Web Console: Adding a license key to an installation package

Deployment through the Add license key task for a managed application

If you opt for using the Add license key task for a managed application, you can select the license key that must be
deployed to devices and select the devices in any convenient way—for example, by selecting an administration
group or a device selection.

Before deployment, the key file or activation code must be added to the Administration Server repository.

How-to instructions:

Administration Console:

Adding a license key to the Administration Server repository

Deploying a license key to client devices

or

Kaspersky Security Center Web Console:

Adding a license key to the Administration Server repository

Deploying a license key to client devices

Adding an activation code or a key file manually to the devices

You can activate the installed Kaspersky application locally, by using the tools provided in the application interface.
Please refer to the documentation of the installed application.

Adding a license key to the Administration Server repository
To add a license key to the Administration Server repository:

1. In the main menu, go to OPERATIONS → LICENSING → KASPERSKY LICENSES.

2. Click the Add button.

3. Choose what you want to add:

Add key file
Click the Select key file button and browse to the .key file that you want to add.

Enter activation code


Specify the activation code in the text field and click the Send button.

4. Click the Close button.

The license key or several license keys are added to the Administration Server repository.

Deploying a license key to client devices


Kaspersky Security Center Web Console enables you to distribute a license key to client devices through the
License key distribution task.

Before deployment, add the license key to the Administration Server repository.

To distribute a license key to client devices:

1. In the main menu, go to DEVICES → TASKS.

2. Click Add.
The Add Task Wizard starts.

3. Select the application for which you want to add a license key.

4. From the Task type list, select an add key task.

5. Follow the Wizard instructions.

6. If you want to modify the default task settings, enable the Open task details when creation is complete
option on the Finish task creation page. If you do not enable this option, the task is created with the default
settings. You can modify the default settings later, at any time.

7. Click the Create button.


The task is created and displayed in the list of tasks.

8. To run the task, select it in the task list and click the Start button.

When the task is performed, the license key is deployed to the selected devices.

Automatic distribution of a license key


Kaspersky Security Center allows automatic distribution of license keys to managed devices if they are located in
the license keys repository on the Administration Server.

To distribute a license key to managed devices automatically:

1. In the main menu, go to OPERATIONS → LICENSING → KASPERSKY LICENSES.

2. Click the name of the license key that you want to distribute to devices automatically.

3. In the license key properties window that opens, select the Automatically distribute license key to managed
devices check box.

4. Click the Save button.

The license key will be automatically distributed to all compatible devices.

License key distribution is performed by means of Network Agent. No license key distribution tasks are created for
the application.

During automatic distribution of a license key, the licensing limit on the number of devices is taken into account.
The licensing limit is set in the properties of the license key. If the licensing limit is reached, distribution of this
license key on devices ceases automatically.

If you select the Automatically distribute license key to managed devices check box in the license key properties
window, a license key is distributed on your network immediately. If you do not select this option, you can manually
distribute a license key later.
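The license-limit accounting described in this section and in the automatic deployment overview earlier, as an added Python example that is not Kaspersky code. LicenseKey, ManagedDevice and the pick function are this example's own; the repository and device list are constructed. The `choose` argument stands in for the pick the server makes among several applicable keys, which the documentation says cannot be predicted.

```python
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional, Tuple


@dataclass
class LicenseKey:
    name: str
    application: str               # the managed application the key activates
    device_limit: int              # licensing limit from the key properties
    auto_distribute: bool = False  # "Automatically distribute license key to managed devices"
    devices: List[str] = field(default_factory=list)

    @property
    def remaining(self) -> int:
        return self.device_limit - len(self.devices)


@dataclass
class ManagedDevice:
    name: str
    application: str
    active_key: Optional[str] = None
    status: str = "OK"


def auto_distribute(keys: List[LicenseKey], devices: List[ManagedDevice],
                    choose: Callable[[List[LicenseKey]], LicenseKey] = lambda c: c[0]) -> None:
    """Hand a key to every device that has none. `choose` stands in for the
    pick the server makes when several keys fit; callers must not rely on it."""
    for dev in devices:
        if dev.active_key is not None:
            continue
        candidates = [k for k in keys
                      if k.auto_distribute and k.application == dev.application
                      and k.remaining > 0]          # distribution stops at the limit
        if not candidates:
            dev.status = "Critical"                  # device not covered by any license
            continue
        key = choose(candidates)
        key.devices.append(dev.name)
        dev.active_key = key.name
        dev.status = "OK"


def usage_report(keys: List[LicenseKey]) -> Dict[str, Tuple[int, int]]:
    """Key name -> (devices using it, limit): the recount done after each deployment."""
    return {k.name: (len(k.devices), k.device_limit) for k in keys}


def sample_rollout() -> Tuple[List[LicenseKey], List[ManagedDevice]]:
    """Constructed repository: two Windows keys set to auto-distribute (3 seats in
    total) for four Windows devices, and a Linux key that is not auto-distributed."""
    keys = [
        LicenseKey("Key_1", "KES for Windows", device_limit=2, auto_distribute=True),
        LicenseKey("Key_2", "KES for Windows", device_limit=1, auto_distribute=True),
        LicenseKey("Key_3", "KES for Linux", device_limit=5),
    ]
    devices = [ManagedDevice(f"ws-{i}", "KES for Windows") for i in range(4)]
    devices.append(ManagedDevice("srv-1", "KES for Linux"))
    auto_distribute(keys, devices)
    return keys, devices


if __name__ == "__main__":
    keys, devices = sample_rollout()
    print(usage_report(keys))
    for dev in devices:
        print(dev.name, dev.active_key, dev.status)
```

Three seats cover three of the four Windows devices; the fourth and the Linux server, whose key is not flagged for automatic distribution, end up with Critical status, which is the signal to buy seats or run the Add license key task deliberately.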

Viewing information about license keys in use


To view the list of the license keys added to the Administration Server repository:

In the main menu, go to OPERATIONS → LICENSING → KASPERSKY LICENSES.

The displayed list contains the key les and activation codes added to the Administration Server repository.

To view detailed information about a license key:

1. In the main menu, go to OPERATIONS → LICENSING → KASPERSKY LICENSES.

2. Click the name of the required license key.

In the license key properties window that opens, you can view:

On the General tab—The main information about the license key

On the Devices tab—The list of client devices where the license key was used for activation of the installed
Kaspersky application

To view which license keys are deployed to a speci c client device:

1. In the main menu, go to DEVICES → MANAGED DEVICES.

2. Click the name of the required device.

3. In the device properties window that opens, select the Applications tab.

4. Click the name of the application for which you want to view the information about the license key.

5. In the application properties window that opens, select the General tab, and then open the License section.

The main information about the active and reserve license keys is displayed.

To de ne the up-to-date settings of virtual Administration Server license keys, the Administration Server
sends a request to Kaspersky activation servers at least once per day.

Deleting a license key from the repository


When you delete the active license key for an additional feature of Administration Server, for example Vulnerability
and Patch Management or Mobile Device Management, the corresponding feature becomes unavailable. If a
reserve license key has been added, the reserve license key automatically becomes the active license key after the
former active license key is deleted.

When you delete the active license key deployed to a managed device, the application will continue working on the
managed device.

To delete a key le or activation code from the Administration Server repository:

1. In the main menu, go to OPERATIONS → LICENSING → KASPERSKY LICENSES.

2. Select the key le or activation code that you want to delete from the repository.

3. Click the Delete button.

4. Con rm the operation by clicking the OK button.

The selected key le or activation code is deleted from the repository.

You can add a deleted license key again or add a new license key.

Revoking consent with an End User License Agreement

If you decide to stop protecting some of your client devices, you can revoke the End User License Agreement
(EULA) for any managed Kaspersky application. You must uninstall the selected application before revoking its
EULA.

The EULAs that were accepted on a virtual Administration Server can be revoked on the virtual Administration
Server or on the primary Administration Server. The EULAs that were accepted on a primary Administration Server
can be revoked only on the primary Administration Server.

To revoke a EULA for managed Kaspersky applications:

1. Open the Administration Server properties window and on the General tab select the End User License
Agreements section.
A list of EULAs—accepted upon creation of installation packages, at the seamless installation of updates, or
upon deployment of Kaspersky Security for Mobile—is displayed.

2. In the list, select the EULA that you want to revoke.


You can view the following properties of the EULA:

Date when the EULA was accepted

Name of the user who accepted the EULA

3. Click the acceptance date of any EULA to open its properties window that displays the following data:

Name of the user who accepted the EULA

Date when the EULA was accepted

Unique identifier (UID) of the EULA

Full text of the EULA

List of objects (installation packages, seamless updates, mobile apps) linked to the EULA, and their
respective names and types

4. In the lower part of the EULA properties window, click the Revoke License Agreement button.

If there exist any objects (installation packages and their respective tasks) that prevent the EULA from
being revoked, the corresponding notification is displayed. You cannot proceed with revocation until you
delete these objects.

In the window that opens, you are informed that you must first uninstall the Kaspersky application
corresponding to the EULA.

5. Click the button to con rm revocation.

The EULA is revoked. It is no longer displayed in the list of License Agreements in the End User License
Agreements section. The EULA properties window closes; the application is no longer installed.

Renewing licenses for Kaspersky applications

You can renew a Kaspersky application license that has expired or is about to expire (in less than 30 days).

To renew an expired license or a license that is about to expire:

1. Do either of the following:

In the main menu, go to OPERATIONS → LICENSING → KASPERSKY LICENSES.

In the main menu, go to MONITORING & REPORTING → DASHBOARD, and then click the View expiring
licenses link next to a noti cation.

The KASPERSKY LICENSES window opens, where you can view and renew licenses.

2. Click the Renew license link next to the required license.

By clicking a license renewal link, you agree to transfer to Kaspersky the following information about
Kaspersky Security Center: its version, the localization you are using, the software license ID (that is, the ID
of the license you are renewing), and whether you purchased the license via a partner company or not.

3. In the window of the license renewal service that opens follow the instructions to renew a license.
The license is renewed.

In Kaspersky Security Center Web Console, the notifications are displayed when a license is about to expire,
according to the following schedule:

30 days before the expiration

7 days before the expiration

3 days before the expiration

24 hours before the expiration

When a license has expired

Using Kaspersky Marketplace to choose Kaspersky business solutions


MARKETPLACE is a section in the main menu that enables you to view the entire range of Kaspersky business
solutions, select the ones you need, and proceed to the purchase at the Kaspersky website. You can use filters to
view only those solutions that fit your organization and the requirements for your information security system.
When you select a solution, Kaspersky Security Center redirects you to the related webpage at the Kaspersky
website to learn more about that solution. Each webpage enables you to proceed to the purchase or contains
instructions on the purchase process.

In the MARKETPLACE section, you can filter Kaspersky solutions by using the following criteria:

Number of devices (endpoints, servers, and other types of assets) that you want to protect:

50–250

250–1000

More than 1000

Maturity level of your organization's information security team:

Foundations
This level is typical for enterprises that only have an IT team. The maximum possible number of threats is
blocked automatically.

Optimum
This level is typical for enterprises that have a specific IT security function within the IT team. At this level,
companies require solutions that enable them to counter commodity threats and threats that circumvent
existing preventive mechanisms.

Expert
This level is typical for enterprises with complex and distributed IT environments. The IT security team is
mature or the company has an SOC (Security Operations Center) team. The required solutions enable the
companies to counter complex threats and targeted attacks.

Types of assets that you want to protect:

Endpoints: workstations of employees, physical and virtual machines, embedded systems

Servers: physical and virtual servers

Cloud: public, private, or hybrid cloud environments; cloud services

Network: local area network, IT infrastructure

Service: security-related services provided by Kaspersky

To find and purchase a Kaspersky business solution:

1. In the main menu, go to MARKETPLACE.


By default, the section displays all available Kaspersky business solutions.

2. To view only those solutions that suit your organization, select the required values in the filters.

3. Click the solution that you want to purchase or you want to learn more about.

You will be redirected to the solution webpage. You can follow the on-screen instructions to proceed to the
purchase.

Configuring network protection


This section contains information about manual configuration of policies and tasks, about user roles, about building
an administration group structure and hierarchy of tasks.

Scenario: Configuring network protection

The Quick Start Wizard creates policies and tasks with the default settings. These settings may turn out to be
sub-optimal or even disallowed by the organization. Therefore, we recommend that you fine-tune these policies
and tasks and create other policies and tasks, if they are necessary for your network.

Prerequisites

Before you start, make sure that you have done the following:

Installed Kaspersky Security Center Administration Server

Installed Kaspersky Security Center Web Console

Completed the Kaspersky Security Center main installation scenario

Completed the Quick Start Wizard or manually created the following policies and tasks in the Managed
devices administration group:

Policy of Kaspersky Endpoint Security

Group task for updating Kaspersky Endpoint Security

Policy of Network Agent

Configuring network protection proceeds in stages:

1 Setup and propagation of Kaspersky application policies and policy profiles

To configure and propagate settings for Kaspersky applications installed on the managed devices, you can use
two different security management approaches—device-centric or user-centric. These two approaches can
also be combined.

2 Configuring tasks for remote management of Kaspersky applications

Check the tasks created with the Quick Start Wizard and fine-tune them, if necessary.

How-to instructions: Setting up the group task for updating Kaspersky Endpoint Security.

If necessary, create additional tasks to manage the Kaspersky applications installed on the client devices.

3 Evaluating and limiting the event load on the database

Information about events during the operation of managed applications is transferred from a client device and
registered in the Administration Server database. To reduce the load on the Administration Server, evaluate and
limit the maximum number of events that can be stored in the database.

How-to instructions: Setting the maximum number of events.

Results

Upon completion of this scenario, your network will be protected by configuration of Kaspersky applications, tasks,
and events received by the Administration Server:

The Kaspersky applications are configured according to the policies and policy profiles.

The applications are managed through a set of tasks.

The maximum number of events that can be stored in the database is set.

When the network protection configuration is complete, you can proceed to configuring regular updates to
Kaspersky databases and applications.

About device-centric and user-centric security management approaches


You can manage security settings from the standpoint of device features and from the standpoint of user roles.
The first approach is called device-centric security management and the second is called user-centric security
management. To apply different application settings to different devices you can use either or both types of
management in combination. To implement device-centric security management, you can use tools provided in
Microsoft Management Console-based Administration Console or Kaspersky Security Center Web Console.
User-centric security management can be implemented through Kaspersky Security Center Web Console only.

Device-centric security management enables you to apply different security application settings to managed
devices depending on device-specific features. For example, you can apply different settings to devices allocated
in different administration groups. You can also differentiate the devices by usage of those devices in Active
Directory, or their hardware specifications.

User-centric security management enables you to apply different security application settings to different user
roles. You can create several user roles, assign an appropriate user role to each user, and define different
application settings to the devices owned by users with different roles. For example, you may want to apply
different application settings to devices of accountants and human resources (HR) specialists. As a result, when
user-centric security management is implemented, each department—accounts department and HR department—
has its own settings configuration for Kaspersky applications. A settings configuration defines which application
settings can be changed by users and which are forcibly set and locked by the administrator.

By using user-centric security management you can apply specific application settings to individual users. This
may be required when an employee has a unique role in the company or when you want to monitor security
incidents related to devices of a specific person. Depending on the role of this employee in the company, you can
expand or limit the rights of this person to change application settings. For example, you might want to expand the
rights of a system administrator who manages client devices in a local office.

You can also combine the device-centric and user-centric security management approaches. For example, you can
configure a specific application policy for each administration group, and then create policy profiles for one or
several user roles of your enterprise. In this case the policies and policy profiles are applied in the following order:

1. The policies created for device-centric security management are applied.

2. They are modified by the policy profiles according to the policy profile priorities.

3. The policies are modified by the policy profiles associated with user roles.

Policy setup and propagation: Device-centric approach


When you complete this scenario, the applications will be configured on all of the managed devices in accordance
with the application policies and policy profiles that you define.

Prerequisites

Before you start, make sure that you have installed Kaspersky Security Center Administration Server and
Kaspersky Security Center Web Console (optional). If you installed Kaspersky Security Center Web Console, you
might also want to consider user-centric security management as an alternative or additional option to the
device-centric approach.

Stages

The scenario of device-centric management of Kaspersky applications consists of the following steps:

1 Configuring application policies

Configure settings for Kaspersky applications installed on the managed devices by creating a policy for each
application. The set of policies will be propagated to the client devices.

When you configure the protection of your network in Quick Start Wizard, Kaspersky Security Center creates
the default policy for the following applications:

Kaspersky Endpoint Security for Windows—for Windows-based client devices

Kaspersky Endpoint Security for Linux—for Linux-based client devices

If you completed the configuration process by using this Wizard, you do not have to create a new policy for this
application. Proceed to the manual setup of Kaspersky Endpoint Security policy.

If you have a hierarchical structure of several Administration Servers and/or administration groups, the
secondary Administration Servers and child administration groups inherit the policies from the primary
Administration Server by default. You can force the inheritance by the child groups and secondary
Administration Servers to prohibit any modifications of the settings configured in the upstream policy. If you
want only part of the settings to be forcibly inherited, you can lock them in the upstream policy. The remaining
unlocked settings will be available for modification in the downstream policies. The created hierarchy of policies
will allow you to effectively manage devices in the administration groups.

How-to instructions:

Administration Console: Creating a policy

Kaspersky Security Center Web Console: Creating a policy

2 Creating policy profiles (optional)

If you want devices within a single administration group to run under different policy settings, create policy
profiles for those devices. A policy profile is a named subset of policy settings. This subset is distributed on
target devices together with the policy, supplementing it under a specific condition called the profile activation
condition. Profiles only contain settings that differ from the "basic" policy, which is active on the managed device.
By using profile activation conditions, you can apply different policy profiles, for example, to the devices located
in a specific unit or security group of Active Directory, having a specific hardware configuration, or marked with
specific tags. Use tags to filter devices that meet specific criteria. For example, you can create a tag called
Windows, mark all devices running Windows operating system with this tag, and then specify this tag as an
activation condition for a policy profile. As a result, Kaspersky applications installed on all devices running
Windows will be managed by their own policy profile.

How-to instructions:

Administration Console:

Creating a policy profile

Creating a policy profile activation rule

Kaspersky Security Center Web Console:

Creating a policy profile

Creating a policy profile activation rule

3 Propagating policies and policy pro les to the managed devices

By default, the Administration Server automatically synchronizes with managed devices every 15 minutes. You
can circumvent auto-synchronization and run the synchronization manually by using the Force synchronization
command. Also the synchronization is forced after you create or change a policy or a policy profile. During the
synchronization, the new or changed policies and policy profiles are propagated to the managed devices.

If you use Kaspersky Security Center Web Console, you can check whether the policies and policy profiles were
delivered to a device. Kaspersky Security Center specifies the delivery date and time in the properties of the
device.

How-to instructions:

Administration Console: Forced synchronization

Kaspersky Security Center Web Console: Forced synchronization

Results

When the device-centric scenario is complete, the Kaspersky applications are configured according to the
settings specified and propagated through the hierarchy of policies.

The configured application policies and policy profiles will be applied automatically to the new devices added to the
administration groups.

Policy setup and propagation: User-centric approach


This section describes the scenario of user-centric approach to the centralized configuration of Kaspersky
applications installed on the managed devices. When you complete this scenario, the applications will be
configured on all of the managed devices in accordance with the application policies and policy profiles that you
define.

This scenario can be implemented through Kaspersky Security Center Web Console version 13 or later.

Prerequisites

Before you start, make sure that you have successfully installed Kaspersky Security Center Administration Server
and Kaspersky Security Center Web Console, and completed the main installation scenario. You might also want to
consider device-centric security management as an alternative or additional option to the user-centric approach.
Learn more about the two management approaches.

Process

The scenario of user-centric management of Kaspersky applications consists of the following steps:

1 Configuring application policies

Configure settings for Kaspersky applications installed on the managed devices by creating a policy for each
application. The set of policies will be propagated to the client devices.

When you configure the protection of your network in Quick Start Wizard, Kaspersky Security Center creates
the default policy for Kaspersky Endpoint Security. If you completed the configuration process by using this
Wizard, you do not have to create a new policy for this application. Proceed to the manual setup of Kaspersky
Endpoint Security policy.

If you have a hierarchical structure of several Administration Servers and/or administration groups, the
secondary Administration Servers and child administration groups inherit the policies from the primary
Administration Server by default. You can force the inheritance by the child groups and secondary
Administration Servers to prohibit any modifications of the settings configured in the upstream policy. If you
want only part of the settings to be forcibly inherited, you can lock them in the upstream policy. The remaining
unlocked settings will be available for modification in the downstream policies. The created hierarchy of policies
will allow you to effectively manage devices in the administration groups.

How-to instructions: Creating a policy

2 Specifying owners of the devices

Assign the managed devices to the corresponding users.

How-to instructions: Assigning a user as a device owner

3 Defining user roles typical for your enterprise

Think about different kinds of work that the employees of your enterprise typically perform. You must divide all
employees in accordance with their roles. For example, you can divide them by departments, professions, or
positions. After that you will need to create a user role for each group. Keep in mind that each user role will have
its own policy profile containing application settings specific for this role.

4 Creating user roles

Create and configure a user role for each group of employees that you defined on the previous step or use the
predefined user roles. The user roles will contain a set of rights of access to the application features.

How-to instructions: Creating a user role

5 Defining the scope of each user role

For each of the created user roles, define users and/or security groups and administration groups. Settings
associated with a user role apply only to devices that belong to users who have this role, and only if these
devices belong to groups associated with this role, including child groups.

How-to instructions: Editing the scope of a user role

6 Creating policy profiles

Create a policy profile for each user role in your enterprise. The policy profiles define which settings will be
applied to the applications installed on users' devices depending on the role of each user.

How-to instructions: Creating a policy pro le

7 Associating policy profiles with the user roles

Associate the created policy profiles with the user roles. After that, the policy profile becomes active for a user
that has the specified role. The settings configured in the policy profile will be applied to the Kaspersky
applications installed on the user's devices.

How-to instructions: Associating policy profiles with roles

8 Propagating policies and policy pro les to the managed devices

By default, the Administration Server automatically synchronizes with managed devices every 15 minutes. During
the synchronization, the new or changed policies and policy profiles are propagated to the managed devices. You
can circumvent auto-synchronization and run the synchronization manually by using the Force synchronization
command. When synchronization is complete, the policies and policy profiles are delivered and applied to the
installed Kaspersky applications.

You can check whether the policies and policy profiles were delivered to a device. Kaspersky Security Center
specifies the delivery date and time in the properties of the device.

How-to instructions: Forced synchronization

Results

When the user-centric scenario is complete, the Kaspersky applications are configured according to the settings
specified and propagated through the hierarchy of policies and policy profiles.

For a new user, you will have to create a new account, assign the user one of the created user roles, and assign the
devices to the user. The configured application policies and policy profiles will be automatically applied to the
devices of this user.
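The application order described earlier (group policies, then policy profiles by priority, then profiles associated with user roles), the locked-setting inheritance from step 1, and the role scope rule from step 5 of this scenario, as an added illustrative model in Python. This is not Kaspersky code: the priority semantics (lower number wins), the activation predicates, the group-scope check and all sample policy, tag, group and user names are assumptions.

```python
"""Illustrative model (not Kaspersky code) of how the effective settings for one
device are resolved: inherited group policy with locked settings, then
device-centric policy profiles by priority, then user-role policy profiles."""
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional, Set, Tuple

Settings = Dict[str, object]


@dataclass
class Device:
    name: str
    group_path: List[str]            # administration group and its parents, root first
    tags: Set[str] = field(default_factory=set)
    owner: Optional[str] = None      # user assigned as device owner


@dataclass
class Policy:
    name: str
    settings: Settings
    locked: Set[str] = field(default_factory=set)  # keys forcibly inherited by children
    parent: Optional["Policy"] = None
    force_inheritance: bool = False  # "Force inheritance of settings in child policies"


@dataclass
class PolicyProfile:
    name: str
    settings: Settings               # only the keys that differ from the basic policy
    priority: int = 0                # assumption: lower number = higher priority
    activates_on: Callable[[Device], bool] = lambda d: True


@dataclass
class UserRole:
    name: str
    users: Set[str]
    groups: Set[str]                 # role scope; child groups are included
    profile: PolicyProfile


def resolve_policy(policy: Policy) -> Tuple[Settings, Set[str]]:
    """Step 1: walk up the hierarchy. A child may override only keys that the
    upstream policy left unlocked; locked keys keep the upstream value."""
    if policy.parent is None:
        return dict(policy.settings), set(policy.locked)
    base, base_locked = resolve_policy(policy.parent)
    if policy.parent.force_inheritance:
        base_locked = set(base)      # every upstream setting becomes locked
    merged = dict(base)
    for key, value in policy.settings.items():
        if key not in base_locked:
            merged[key] = value
    return merged, base_locked | policy.locked


def role_applies(role: UserRole, device: Device) -> bool:
    """A role profile is active only if the device owner has the role AND the
    device sits in (a child of) a group associated with the role."""
    return device.owner in role.users and any(g in device.group_path for g in role.groups)


def effective_settings(policy: Policy, profiles: List[PolicyProfile],
                       roles: List[UserRole], device: Device) -> Tuple[Settings, List[str]]:
    """Return the settings a device ends up with and the profiles applied, in order."""
    settings, _locked = resolve_policy(policy)
    applied: List[str] = []
    # Step 2: device-centric profiles. Apply lowest priority first so that the
    # highest-priority active profile has the final say on conflicting keys.
    for profile in sorted(profiles, key=lambda p: p.priority, reverse=True):
        if profile.activates_on(device):
            settings.update(profile.settings)
            applied.append(profile.name)
    # Step 3: profiles associated with user roles are applied last.
    for role in roles:
        if role_applies(role, device):
            settings.update(role.profile.settings)
            applied.append("role:" + role.name)
    return settings, applied


# Constructed sample hierarchy, profiles and roles (all names are made up).
ROOT = Policy("Managed devices",
              {"web_control": "on", "firewall": "on",
               "scan_schedule": "daily", "password_protection": "on"},
              locked={"password_protection"})
WORKSTATIONS = Policy("Workstations",
                      {"scan_schedule": "weekly", "password_protection": "off"},  # 2nd is ignored
                      parent=ROOT)
PROFILES = [
    PolicyProfile("Windows", {"scan_schedule": "nightly"}, priority=2,
                  activates_on=lambda d: "Windows" in d.tags),
    PolicyProfile("Laptops", {"firewall": "strict", "scan_schedule": "on-ac-power-only"},
                  priority=1, activates_on=lambda d: "Laptop" in d.tags),
]
ROLES = [UserRole("Accountant", users={"alice"}, groups={"Workstations"},
                  profile=PolicyProfile("Accountant", {"web_control": "finance-allowlist"}))]

if __name__ == "__main__":
    dev = Device("ws-01", ["Managed devices", "Workstations"], {"Windows", "Laptop"}, "alice")
    print(effective_settings(WORKSTATIONS, PROFILES, ROLES, dev))
```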

Network Agent policy settings


To configure the Network Agent policy:

1. In the main menu, go to DEVICES → POLICIES & PROFILES.

2. Click the name of the Network Agent policy.

The properties window of the Network Agent policy opens.

General

On this tab, you can modify the policy status and specify the inheritance of policy settings:

Under Policy status, you can select one of the policy modes:

Active

If this option is selected, the policy becomes active.


By default, this option is selected.

Inactive

If this option is selected, the policy becomes inactive, but it is still stored in the Policies folder. If
required, the policy can be activated.

In the Settings inheritance settings group, you can configure the policy inheritance:

Inherit settings from parent policy

If this option is enabled, the policy setting values are inherited from the upper-level group policy and,
therefore, are locked.
By default, this option is enabled.

Force inheritance of settings in child policies

If this option is enabled, after policy changes are applied, the following actions will be performed:
The values of the policy settings will be propagated to the policies of administration
subgroups, that is, to the child policies.

In the Settings inheritance block of the General section in the properties window of each child
policy, the Inherit settings from parent policy option will be automatically enabled.
If this option is enabled, the child policies settings are locked.
By default, this option is disabled.

Event configuration

On this tab, you can configure event logging and event notification. Events are distributed according to
importance level in the following sections on the Event configuration tab:

Functional failure

Warning

Info

In each section, the event type list shows the types of events and the default event storage term on the
Administration Server (in days). After you click the event type, you can specify the settings of event logging and
notifications about events selected in the list. By default, common notification settings specified for the entire
Administration Server are used for all event types. However, you can change specific settings for required event
types.

For example, in the Warning section, you can configure the Incident has occurred event type. Such events may
happen, for instance, when the free disk space of a distribution point is less than 2 GB (at least 4 GB are required
to install applications and download updates remotely). To configure the Incident has occurred event, click it and
specify where to store the occurred events and how to notify about them.

If Network Agent detected an incident, you can manage this incident by using the settings of a managed
device.

Application settings

Settings

In the Settings section, you can configure the Network Agent policy:

Distribute files through distribution points only

If this option is enabled, Network Agents on managed devices retrieve updates from distribution points
only.
If this option is disabled, Network Agents on managed devices retrieve updates from distribution points or
from Administration Server.

Note that the security applications on managed devices retrieve updates from the source set in the
update task for each security application. If you enable the Distribute files through distribution
points only option, make sure that Kaspersky Security Center is set as an update source in the
update tasks.

By default, this option is disabled.

Maximum size of event queue, in MB

In this field you can specify the maximum space on the drive that an event queue can occupy.
The default value is 2 megabytes (MB).

Application is allowed to retrieve policy's extended data on device

Network Agent installed on a managed device transfers information about the applied security application
policy to the security application (for example, Kaspersky Endpoint Security for Windows). You can view
the transferred information in the security application interface.
Network Agent transfers the following information:

Time of the policy delivery to the managed device

Name of the active or out-of-office policy at the moment of the policy delivery to the managed device

Name and full path to the administration group that contained the managed device at the moment of
the policy delivery to the managed device

List of active policy pro les


You can use the information to ensure the correct policy is applied to the device and for
troubleshooting purposes. By default, this option is disabled.

Protect the Network Agent service against unauthorized removal or termination, and prevent changes to the
settings

When this option is enabled, after Network Agent is installed on a managed device, the component cannot
be removed or reconfigured without required privileges. The Network Agent service cannot be stopped.
This option has no effect on domain controllers.
Enable this option to protect Network Agent on workstations operated with local administrator rights.
By default, this option is disabled.

Use uninstallation password

If this option is enabled, by clicking the Modify button you can specify the password for the klmover utility
and Network Agent remote uninstallation.
By default, this option is disabled.

Repositories

In the Repositories section, you can select the types of objects whose details will be sent from Network Agent to
Administration Server. If modification of some settings in this section is prohibited by the Network Agent policy,
you cannot modify these settings.

Details of installed applications

If this option is enabled, information about applications installed on client devices is sent to the
Administration Server.
By default, this option is enabled.

Include information about patches

Information about patches of applications installed on client devices is sent to the Administration Server.
Enabling this option may increase the load on the Administration Server and DBMS, as well as cause
increased volume of the database.
By default, this option is enabled. It is available only for Windows.

Details of Windows Update updates

If this option is enabled, information about Microsoft Windows Update updates that must be installed on
client devices is sent to the Administration Server.
Sometimes, even if the option is disabled, updates are displayed in the device properties in the Available
updates section. This might happen if, for example, the devices of the organization had vulnerabilities that
could be fixed by these updates.
By default, this option is enabled. It is available only for Windows.

Details of software vulnerabilities and corresponding updates

If this option is enabled, information about vulnerabilities in third-party software (including Microsoft
software), detected on managed devices, and about software updates to fix third-party vulnerabilities (not
including Microsoft software) is sent to the Administration Server.
Selecting this option (Details of software vulnerabilities and corresponding updates) increases the
network load, Administration Server disk load, and Network Agent resource consumption.
By default, this option is enabled. It is available only for Windows.
To manage software updates of Microsoft software, use the Details of Windows Update updates option.

Hardware registry details

Network Agent installed on a device sends information about the device hardware to the Administration
Server. You can view the hardware details in the device properties.

Ensure that the lshw utility is installed on Linux devices from which you want to fetch hardware details.
Hardware details fetched from virtual machines may be incomplete depending on the hypervisor used.

Software updates and vulnerabilities

In the Software updates and vulnerabilities section, you can configure search and distribution of Windows
updates, as well as enable scanning of executable files for vulnerabilities. The settings in the Software updates
and vulnerabilities section are available only on devices running Windows:

Use Administration Server as a WSUS server

If this option is enabled, Windows updates are downloaded to the Administration Server. The
Administration Server provides downloaded updates to Windows Update on client devices in centralized
mode through Network Agents.
If this option is disabled, the Administration Server is not used for downloading Windows updates. In this
case, client devices receive Windows updates on their own.
By default, this option is disabled.

You can limit Windows updates that users can install on their devices manually by using Windows Update.

On devices running Windows 10, if Windows Update has already found updates for the device, the new
option that you select under Allow users to manage installation of Windows Update updates will be
applied only after the updates found are installed.

Select an item in the drop-down list:

Allow users to install all applicable Windows Update updates

Users can install all of the Microsoft Windows Update updates that are applicable to their devices.
Select this option if you do not want to interfere in the installation of updates.

When the user installs Microsoft Windows Update updates manually, the updates may be
downloaded from Microsoft servers rather than from Administration Server. This is possible if
Administration Server has not yet downloaded these updates. Downloading updates from
Microsoft servers results in extra traffic.

Allow users to install only approved Windows Update updates

Users can install all of the Microsoft Windows Update updates that are applicable to their devices and
that are approved by you.

For example, you may want to first check the installation of updates in a test environment and make
sure that they do not interfere with the operation of devices, and only then allow the installation of
these approved updates on client devices.

When the user installs Microsoft Windows Update updates manually, the updates may be
downloaded from Microsoft servers rather than from Administration Server. This is possible if
Administration Server has not yet downloaded these updates. Downloading updates from
Microsoft servers results in extra traffic.

Do not allow users to install Windows Update updates

Users cannot install Microsoft Windows Update updates on their devices manually. All of the applicable
updates are installed as configured by you.
Select this option if you want to manage the installation of updates centrally.
For example, you may want to optimize the update schedule so that the network does not become
overloaded. You can schedule after-hours updates, so that they do not interfere with user productivity.

In the Windows Update search mode settings group, you can select the update search mode:

Active

If this option is selected, Administration Server with support from Network Agent initiates a request
from Windows Update Agent on the client device to the update source: Windows Update Servers or
WSUS. Next, Network Agent passes information received from Windows Update Agent to
Administration Server.
The option takes effect only if Connect to the update server to update data option of the Find
vulnerabilities and required updates task is selected.
By default, this option is selected.

Passive

If you select this option, Network Agent periodically passes Administration Server information about
updates retrieved at the last synchronization of Windows Update Agent with the update source. If no
synchronization of Windows Update Agent with an update source is performed, information about
updates on Administration Server becomes out-of-date.
Select this option if you want to get updates from the memory cache of the update source.

Disabled

If this option is selected, Administration Server does not request any information about updates.
Select this option if, for example, you want to test the updates on your local device rst.

Scan executable files for vulnerabilities when running them

If this option is enabled, executable files are scanned for vulnerabilities when they are run.
By default, this option is enabled.

Restart management

In the Restart management section, you can specify the action to be performed if the operating system of a
managed device has to be restarted for correct use, installation, or uninstallation of an application. The settings in
the Restart management section are available only on devices running Windows:

Do not restart the operating system

Client devices are not restarted automatically after the operation. To complete the operation, you must
restart a device (for example, manually or through a device management task). Information about the
required restart is saved in the task results and in the device status. This option is suitable for tasks on
servers and other devices where continuous operation is critical.

Restart the operating system automatically if necessary

Client devices are always restarted automatically if a restart is required for completion of the operation.
This option is useful for tasks on devices that provide for regular pauses in their operation (shutdown or
restart).

Prompt user for action

The restart reminder is displayed on the screen of the client device, prompting the user to restart it
manually. Some advanced settings can be defined for this option: text of the message for the user, the
message display frequency, and the time interval after which a restart will be forced (without the user's
confirmation). This option is most suitable for workstations where users must be able to select the most
convenient time for a restart.
By default, this option is selected.

Repeat the prompt every (min)

If this option is enabled, the application prompts the user to restart the operating system with the
specified frequency.
By default, this option is enabled. The default interval is 5 minutes. Available values are between 1 and
1440 minutes.
If this option is disabled, the prompt is displayed only once.

Force restart after (min)

After prompting the user, the application forces restart of the operating system upon expiration of the
specified time interval.
By default, this option is enabled. The default delay is 30 minutes. Available values are between 1 and
1440 minutes.

Force closure of applications in blocked sessions

Running applications may prevent a restart of the client device. For example, if a document is being
edited in a word processing application and is not saved, the application does not allow the device to
restart.
If this option is enabled, such applications on a locked device are forced to close before the device
restart. As a result, users may lose their unsaved changes.
If this option is disabled, a locked device is not restarted. The task status on this device states that a
device restart is required. Users have to manually close all applications running on locked devices and
restart these devices.
By default, this option is disabled.

Windows Desktop Sharing

In the Windows Desktop Sharing section, you can enable and configure the audit of the administrator's actions
performed on a remote device when desktop access is shared. The settings in the Windows Desktop Sharing
section are available only on devices running Windows:

Enable audit

If this option is enabled, audit of the administrator's actions is enabled on the remote device. Records of
the administrator's actions on the remote device are logged:
In the event log on the remote device

In a file with the syslog extension located in the Network Agent installation folder on the remote
device

In the event database of Kaspersky Security Center


Audit of the administrator's actions is available when the following conditions are met:
The Vulnerability and Patch Management license is in use

The administrator has the right to start shared access to the desktop of the remote device
If this option is disabled, the audit of the administrator's actions is disabled on the remote device.
By default, this option is disabled.

Masks of files to monitor when read

The list contains file masks. When the audit is enabled, the application monitors the administrator's reading
of files that match the masks and saves information about the files read. The list is available if the Enable audit
check box is selected. You can edit file masks and add new ones to the list. Each new file mask should be
specified in the list on a new line.
By default, the following file masks are specified: *.txt, *.rtf, *.doc, *.xls, *.docx, *.xlsx, *.odt, *.pdf.

Masks of files to monitor when modified

The list contains masks of files on the remote device. When audit is enabled, the application monitors
changes made by the administrator in files that match the masks, and saves information about those
modifications. The list is available if the Enable audit check box is selected. You can edit file masks and add
new ones to the list. Each new file mask should be specified in the list on a new line.
By default, the following file masks are specified: *.txt, *.rtf, *.doc, *.xls, *.docx, *.xlsx, *.odt, *.pdf.
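The mask matching that the desktop-sharing audit performs on read and modify events, as an added example that is not part of the Kaspersky help or product code. Assumptions (not stated on the page): one mask per line, a case-insensitive match against the file name only, and constructed sample events.

```python
"""Added example (not Kaspersky code): apply Windows Desktop Sharing audit
file masks to a stream of file-access events from a shared session.

Assumptions (not from the help page): the mask list is one mask per line,
matching is case-insensitive and applied to the file name only, and an
event is an (action, path) pair where action is "read" or "modify".
"""
from __future__ import annotations

import fnmatch
import ntpath
from dataclasses import dataclass

# Default mask lists exactly as stated in the policy description.
DEFAULT_READ_MASKS = "*.txt\n*.rtf\n*.doc\n*.xls\n*.docx\n*.xlsx\n*.odt\n*.pdf"
DEFAULT_MODIFY_MASKS = DEFAULT_READ_MASKS

# Constructed sample events from one remote-desktop session (not real data).
SAMPLE_EVENTS = [
    ("read", r"C:\Users\alice\Documents\plan.DOCX"),
    ("read", r"C:\tools\run.exe"),
    ("modify", r"C:\Users\alice\notes.txt"),
    ("modify", r"C:\temp\dump.bin"),
]


def parse_masks(text: str) -> list[str]:
    """One mask per line; blank lines and surrounding whitespace are ignored."""
    return [line.strip() for line in text.splitlines() if line.strip()]


def mask_matches(path: str, masks: list[str]) -> bool:
    """Case-insensitive match of the file name (not the full path) against any mask."""
    name = ntpath.basename(path).lower()
    return any(fnmatch.fnmatchcase(name, mask.lower()) for mask in masks)


@dataclass(frozen=True)
class AuditRecord:
    action: str   # "read" or "modify"
    path: str     # file the administrator touched


def audit_events(events, read_masks, modify_masks, audit_enabled=True):
    """Return the audit records that would be logged for the given session events.

    The mask lists only take effect while the Enable audit option is on, so a
    disabled audit yields no records regardless of the masks.
    """
    if not audit_enabled:
        return []
    records = []
    for action, path in events:
        if action == "read" and mask_matches(path, read_masks):
            records.append(AuditRecord("read", path))
        elif action == "modify" and mask_matches(path, modify_masks):
            records.append(AuditRecord("modify", path))
    return records


def demo():
    """Run the default masks over the constructed session and return the records."""
    return audit_events(SAMPLE_EVENTS,
                        parse_masks(DEFAULT_READ_MASKS),
                        parse_masks(DEFAULT_MODIFY_MASKS))


if __name__ == "__main__":
    for record in demo():
        print(f"{record.action:6} {record.path}")
```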

Manage patches and updates

In the Manage patches and updates section, you can configure download and distribution of updates, as well as
installation of patches, on managed devices:

Automatically install applicable updates and patches for components that have the Undefined status

If this option is enabled, Kaspersky patches that have the Undefined approval status are automatically
installed on managed devices immediately after they are downloaded from update servers.
If this option is disabled, Kaspersky patches that have been downloaded and tagged with the Undefined
status will be installed only after you change their status to Approved.
By default, this option is enabled.

Download updates and anti-virus databases from Administration Server in advance (recommended)

If this option is enabled, the offline model of update download is used. When the Administration Server
receives updates, it notifies Network Agent (on devices where it is installed) of the updates that will be
required for managed applications. When Network Agent receives information about these updates, it
downloads the relevant files from the Administration Server in advance. At the first connection with
Network Agent, the Administration Server initiates an update download. After Network Agent downloads
all the updates to a client device, the updates become available for applications on that device.
When a managed application on a client device attempts to access Network Agent for updates, Network
Agent checks whether it has all required updates. If the updates are received from the Administration
Server not more than 25 hours before they were requested by the managed application, Network Agent
does not connect to the Administration Server but supplies the managed application with updates from
the local cache instead. Connection with the Administration Server may not be established when Network
Agent provides updates to applications on client devices, but connection is not required for updating.
If this option is disabled, the offline model of update download is not used. Updates are distributed
according to the schedule of the update download task.
By default, this option is enabled.
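The local-cache decision of the offline update model, as an added example that is not part of the Kaspersky help or product code. Assumptions (not stated on the page): updates are identified by constructed names, timestamps are constructed, and "not more than 25 hours" is inclusive.

```python
"""Added example (not Kaspersky code): model of the offline update model's
local-cache decision described above.

Assumptions (not from the help page): an update is identified by a string
name, times are datetime objects, and a cache age of exactly 25 hours still
counts as fresh.
"""
from __future__ import annotations

from datetime import datetime, timedelta

CACHE_FRESHNESS = timedelta(hours=25)   # "not more than 25 hours" from the description

# Constructed timestamp: when the Server's notification arrived at the Agent.
T0 = datetime(2023, 5, 1, 8, 0)


def hours_after(hours: float) -> datetime:
    return T0 + timedelta(hours=hours)


class NetworkAgentCache:
    """Updates pre-downloaded from the Administration Server, with the time received."""

    def __init__(self) -> None:
        self._received: dict[str, datetime] = {}

    def receive_from_server(self, names, when: datetime) -> None:
        # Called when the Server notifies the Agent and the files are pulled in advance.
        for name in names:
            self._received[name] = when

    def _is_fresh(self, name: str, now: datetime) -> bool:
        received = self._received.get(name)
        return received is not None and now - received <= CACHE_FRESHNESS

    def can_serve_locally(self, required, now: datetime) -> bool:
        """True only when every required update is cached and within the 25-hour window."""
        return all(self._is_fresh(name, now) for name in required)

    def handle_request(self, required, now: datetime):
        """Decide how a managed application's update request is served.

        Returns ("cache", updates) when the Agent answers from its local cache
        without contacting the Server, or ("server", names) listing the updates
        that are missing or stale and therefore force a Server connection.
        """
        if self.can_serve_locally(required, now):
            return ("cache", sorted(required))
        return ("server", sorted(n for n in required if not self._is_fresh(n, now)))


def demo():
    """Three requests against one constructed cache: fresh, stale and incomplete."""
    cache = NetworkAgentCache()
    cache.receive_from_server(["bases-2023-05-01", "module-x"], T0)
    return {
        "fresh": cache.handle_request({"bases-2023-05-01", "module-x"}, hours_after(24)),
        "stale": cache.handle_request({"bases-2023-05-01"}, hours_after(26)),
        "missing": cache.handle_request({"bases-2023-05-01", "module-y"}, hours_after(1)),
    }


if __name__ == "__main__":
    for case, decision in demo().items():
        print(case, decision)
```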

Connectivity

The Connectivity section includes three subsections:

Network

Connection profiles

Connection schedule

In the Network subsection, you can configure the connection to Administration Server, enable the use of a UDP
port, and specify the UDP port number.

In the Connect to Administration Server settings group, you can configure connection to the Administration
Server and specify the time interval for synchronization between client devices and the Administration Server:

Synchronization interval (min)

Network Agent synchronizes the managed device with the Administration Server. We recommend that
you set the synchronization interval (also referred to as the heartbeat) to 15 minutes per 10,000
managed devices.
If the synchronization interval is set to less than 15 minutes, synchronization is performed every 15
minutes. If synchronization interval is set to 15 minutes or more, synchronization is performed at the
specified synchronization interval.

Compress network traffic

If this option is enabled, the speed of data transfer by Network Agent is increased by means of a
decrease in the amount of information being transferred and a consequent decreased load on the
Administration Server.

The workload on the CPU of the client computer may increase.

By default, this check box is enabled.

Open Network Agent ports in Microsoft Windows Firewall

If this option is enabled, a UDP port, necessary for the work of Network Agent, is added to the
Microsoft Windows Firewall exclusion list.
By default, this option is enabled.

Use SSL connection

If this option is enabled, connection to the Administration Server is established through a secure port
via SSL.
By default, this option is enabled.

Use connection gateway on distribution point (if available) under default connection settings

If this option is enabled, the connection gateway on the distribution point is used under the settings
specified in the administration group properties.
By default, this option is enabled.

Use UDP port

If you need the managed devices to connect to KSN proxy server through a UDP port, enable the Use UDP
port option and specify a UDP port number. By default, this option is enabled. The default UDP port to
connect to the KSN proxy server is 15111.

UDP port number

In this field you can enter the UDP port number. The default port number is 15000.
The decimal system is used for records.
If the client device runs Windows XP Service Pack 2, the integrated firewall blocks UDP port 15000. This
port should be opened manually.

Use distribution point to force connection to Administration Server

Select this option if you selected the Use this distribution point as a push server option in the
distribution point settings window. Otherwise, the distribution point will not act as a push server.

In the Connection profiles subsection, you can specify the network location settings and enable out-of-office
mode when Administration Server is not available. The settings in the Connection profiles section are available
only on devices running Windows and macOS:

Network location settings

Network location settings define the characteristics of the network to which the client device is
connected and specify rules for Network Agent switching from one Administration Server connection
profile to another when those network characteristics are altered.

Administration Server connection profiles

In this section, you can view and add profiles for Network Agent connection to the Administration Server. In
this section, you can also create rules for switching Network Agent to different Administration Servers
when the following events occur:

When the client device connects to a different local network

When the device loses connection with the local network of the organization

When the connection gateway address is changed or the DNS server address is modified

Connection profiles are supported only for devices running Windows and macOS.

Enable out-of-office mode when Administration Server is not available

If this option is enabled, in case of connection through this profile, applications installed on the client
device use policy profiles for devices in out-of-office mode, as well as out-of-office policies. If no
out-of-office policy has been defined for the application, the active policy will be used.
If this option is disabled, applications will use active policies.
By default, this option is disabled.

In the Connection schedule subsection, you can specify the time intervals during which Network Agent sends
data to the Administration Server:

Connect when necessary

If this option is selected, the connection is established when Network Agent has to send data to the
Administration Server.
By default, this option is selected.

Connect at specified time intervals

If this option is selected, Network Agent connects to the Administration Server at a specified time. You
can add several connection time periods.

Network polling by distribution points

In the Network polling by distribution points section, you can configure automatic polling of the network. The
polling settings are available only on devices running Windows. You can use the following options to enable the
polling and set its frequency:

Windows network

If the option is enabled, the Administration Server automatically polls the network according to the
schedule that you configured by clicking the Set quick polling schedule and Set full polling schedule links.
If this option is disabled, the Administration Server polls the network with the interval specified in the
Frequency of network polls (min) field.

The device discovery interval for Network Agent versions prior to 10.2 can be configured in the Frequency
of polls from Windows domains (min) (for quick Windows network poll) and Frequency of network polls
(min) (for full Windows network poll) fields.
By default, this option is disabled.

Zeroconf

If this option is enabled, the distribution point automatically polls the network with IPv6 devices by using
zero-configuration networking (also referred to as Zeroconf). In this case, the enabled IP range polling is
ignored, because the distribution point polls the whole network.
To start to use Zeroconf, the following conditions must be fulfilled:
The distribution point must run Linux.

You must install the avahi-browse utility on the distribution point.


If this option is disabled, the distribution point does not poll networks with IPv6 devices.
By default, this option is disabled.

IP ranges

If the option is enabled, the distribution point automatically polls IP ranges according to the schedule that
you configured by clicking the Set polling schedule link.
If this option is disabled, the distribution point does not poll IP ranges.
The frequency of IP range polling for Network Agent versions prior to 10.2 can be configured in the Poll
interval (min) field. The field is available if the option is enabled.
By default, this option is disabled.

Active Directory

If the option is enabled, the distribution point automatically polls Active Directory according to the
schedule that you configured by clicking the Set polling schedule link.
If this option is disabled, the Administration Server does not poll Active Directory.
The frequency of Active Directory polling for Network Agent versions prior to 10.2 can be configured in the
Poll interval (min) field. The field is available if this option is enabled.
By default, this option is disabled.

Network settings for distribution points

In the Network settings for distribution points section, you can specify the internet access settings:

Use proxy server

Address

Port number

Bypass proxy server for local addresses

If this option is enabled, no proxy server is used to connect to devices on the local network.
By default, this option is disabled.

Proxy server authentication

If this check box is selected, in the entry fields you can specify the credentials for proxy server
authentication.
By default, this check box is cleared.

User name

Password

KSN Proxy (distribution points)

In the KSN Proxy (distribution points) section, you can configure the application to use the distribution point to
forward KSN requests from the managed devices:

Enable KSN Proxy on distribution point side

The KSN proxy service is run on the device that is used as a distribution point. Use this feature to
redistribute and optimize traffic on the network.
The distribution point sends the KSN statistics, which are listed in the Kaspersky Security Network
statement, to Kaspersky. By default, the KSN statement is located in %ProgramFiles%\Kaspersky
Lab\Kaspersky Security Center\ksneula.
By default, this option is disabled. Enabling this option takes effect only if the Use Administration Server
as a proxy server and I agree to use Kaspersky Security Network options are enabled in the
Administration Server properties window.
You can assign a node of an active-passive cluster to a distribution point and enable KSN proxy server on
this node.

Forward KSN requests to Administration Server

The distribution point forwards KSN requests from the managed devices to the Administration Server.
By default, this option is enabled.

Access KSN Cloud/Private KSN directly over the internet

The distribution point forwards KSN requests from managed devices to the KSN Cloud or Private KSN. The
KSN requests generated on the distribution point itself are also sent directly to the KSN Cloud or Private
KSN.
The distribution points that have Network Agent version 11 (or earlier) installed cannot access Private KSN
directly. If you want to recon gure the distribution points to send KSN requests to Private KSN, enable the
Forward KSN requests to Administration Server option for each distribution point.
The distribution points that have Network Agent version 12 (or later) installed can access Private KSN
directly.

Port

The number of the TCP port that the managed devices will use to connect to KSN proxy server. The
default port number is 13111.

UDP port

If you need the managed devices to connect to KSN proxy server through a UDP port, enable the Use UDP
port option and specify a UDP port number. By default, this option is enabled. The default UDP port to
connect to the KSN proxy server is 15111.

Updates (distribution points)

In the Updates (distribution points) section, you can enable the downloading diff files feature, so distribution
points take updates in the form of diff files from Kaspersky update servers.

Revision history

On this tab, you can view the list of the policy revisions and roll back changes made to the policy, if necessary.

Feature comparison by the Network Agent operating systems

The table below shows which Network Agent policy settings you can use to configure Network Agent with a
specific operating system.

Network Agent policy settings: comparison by operating systems

Columns of the original table: Policy section, Windows, Mac, Linux. The availability marks of the table are not reproduced here; the notes that accompany them are kept with their rows.

General

Event configuration

Settings: Only the Maximum size of event queue, in MB and Application is allowed to retrieve policy's extended data on device options are available.

Repositories: Only the Details of installed applications and Hardware registry details options are available.

Software updates and vulnerabilities

Restart management

Windows Desktop Sharing

Manage patches and updates

Network → Connectivity: Except the Open Network Agent ports in Microsoft Windows Firewall option.

Network → Connection profiles

Network → Connection schedule

Network polling by distribution points: Windows: Only the Windows network, IP ranges, and Active Directory options are available. Linux: Only the Zeroconf and IP ranges options are available.

Network settings for distribution points

KSN Proxy (distribution points)

Updates (distribution points)

Revision history

Manual setup of Kaspersky Endpoint Security policy


This section provides recommendations on how to configure the Kaspersky Endpoint Security policy, which is
created by the Quick Start Wizard of Kaspersky Security Center Web Console. Setup is performed in the policy
properties window.

When editing a setting, please keep in mind that you must click the lock icon above the relevant setting in order to
allow using its value on a workstation.

Configuring Kaspersky Security Network


Kaspersky Security Network (KSN) is the infrastructure of cloud services that contains information about the
reputation of files, web resources, and software. Kaspersky Security Network enables Kaspersky Endpoint Security
for Windows to respond faster to different kinds of threats, enhances the performance of the protection
components, and decreases the likelihood of false positives. For more information about Kaspersky Security
Network, see the Kaspersky Endpoint Security for Windows Help.

To specify recommended KSN settings:

1. In the main menu, go to DEVICES → POLICIES & PROFILES.

2. Click the policy of Kaspersky Endpoint Security for Windows.


The properties window of the selected policy opens.

3. In the policy properties, go to Application settings → Advanced Threat Protection → Kaspersky Security
Network.

4. Make sure that the Use KSN Proxy option is enabled. Using this option helps to redistribute and optimize traffic
on the network.

5. [optional] Enable use of KSN servers if the KSN proxy service is not available. KSN servers may be located either
on the side of Kaspersky (when Global KSN is used) or on the side of third parties (when Private KSN is used).

6. Click OK.

The recommended KSN settings are specified.

Checking the list of the networks protected by Firewall


Make sure that Kaspersky Endpoint Security for Windows Firewall protects all your networks. By default, Firewall
protects networks with the following types of connection:

Public network. Anti-virus applications, firewalls, or filters do not protect devices in such a network.

Local network. Access to files and printers is restricted for devices in this network.

Trusted network. Devices in such a network are protected from attacks and unauthorized access to files and
data.

If you configured a custom network, make sure that Firewall protects it. For this purpose, check the list of the
networks in the Kaspersky Endpoint Security for Windows policy properties. The list may not contain all the
networks.

For more information about Firewall, see the Kaspersky Endpoint Security for Windows Help.

To check the list of networks:

1. In the main menu, go to DEVICES → POLICIES & PROFILES.

2. Click the policy of Kaspersky Endpoint Security for Windows.


The properties window of the selected policy opens.

3. In the policy properties, go to Application settings → Essential Threat Protection → Firewall.

4. Under Available networks, click the Network settings link.


The Network connections window opens. This window displays the list of networks.

5. If the list has a missing network, add it.

Excluding software details from the Administration Server memory


We recommend that Administration Server does not save information about software modules that are started on
the network devices. As a result, the Administration Server memory does not overrun.

You can disable saving this information in the Kaspersky Endpoint Security for Windows policy properties.

To disable saving information about installed software modules:

1. In the main menu, go to DEVICES → POLICIES & PROFILES.

2. Click the policy of Kaspersky Endpoint Security for Windows.


The properties window of the selected policy opens.

3. In the policy properties, go to Application settings → General Settings → Reports and Storage.

4. Under Data transfer to Administration Server, disable the About started applications check box if it is still
enabled in the top-level policy.
When this check box is selected, the Administration Server database saves information about all versions of all
software modules on the networked devices. This information may require a significant amount of disk space in
the Kaspersky Security Center database (dozens of gigabytes).

The information about installed software modules is no longer saved to the Administration Server database.

Saving important policy events in the Administration Server database
To avoid the Administration Server database overflow, we recommend that you save only important events to the
database.

To configure registration of important events in the Administration Server database:

1. In the main menu, go to DEVICES → POLICIES & PROFILES.

2. Click the policy of Kaspersky Endpoint Security for Windows.


The properties window of the selected policy opens.

3. In the policy properties, open the Event configuration tab.

4. In the Critical section, click Add event and select check boxes next to the following events only:

End User License Agreement violated

Application autorun is disabled

Activation error

Active threat detected. Advanced Disinfection should be started

Disinfection impossible

Previously opened dangerous link detected

Process terminated

Network activity blocked

Network attack detected

Application startup prohibited

Access denied (local bases)

Access denied (KSN)

Local update error

Cannot start two tasks at the same time

Error in interaction with Kaspersky Security Center

Not all components were updated

Error applying file encryption / decryption rules

Error enabling portable mode

Error disabling portable mode


Could not load encryption module

Policy cannot be applied

Error changing application components

5. Click OK.

6. In the Functional failure section, click Add event and select check box next to the event Invalid task settings.
Settings not applied.

7. Click OK.

8. In the Warning section, click Add event and select check boxes next to the following events only:

Self-Defense is disabled

Protection components are disabled

Incorrect reserve key

Legitimate software that can be used by intruders to damage your computer or personal data was detected
(local bases)

Legitimate software that can be used by intruders to damage your computer or personal data was detected
(KSN)

Object deleted

Object disinfected

User has opted out of the encryption policy

File was restored from quarantine on the Kaspersky Anti Targeted Attack Platform server by the
administrator

File was quarantined on the Kaspersky Anti Targeted Attack Platform server by administrator

Message to administrator about application startup prohibition

Message to administrator about device access prohibition

Message to administrator about web page access prohibition

9. Click OK.

10. In the Info section, click Add event and select check boxes next to the following events only:

A backup copy of the object was created

Application startup prohibited in test mode

11. Click OK.

Registration of important events in the Administration Server database is configured.

Manual setup of the group update task for Kaspersky Endpoint Security
The optimal and recommended schedule option for Kaspersky Endpoint Security is When new updates are
downloaded to the repository when the Use automatically randomized delay for task starts check box is
selected.

Granting offline access to the external device blocked by Device Control


In the Device Control component of the Kaspersky Endpoint Security for Windows policy, you can manage user access to
external devices that are installed on or connected to the client device (for example, hard drives, cameras, or Wi-Fi
modules). This lets you protect the client device from infection when such external devices are connected, and
prevent loss or leaks of data.

If you need to grant temporary access to the external device blocked by Device Control but it is not possible to
add the device to the list of trusted devices, you can grant temporary offline access to the external device. Offline
access means that the client device has no access to the network.

You can grant offline access to the external device blocked by Device Control only if the Allow request for
temporary access option is enabled in the settings of Kaspersky Endpoint Security for Windows policy, in the
Application settings → Security Controls → Device Control section.

Granting offline access to the external device blocked by Device Control includes the following stages:

1. In the Kaspersky Endpoint Security for Windows dialog window, the device user who wants access to the
blocked external device generates a request access file and sends it to the Kaspersky Security Center
administrator.

2. On receiving this request, the Kaspersky Security Center administrator creates an access key file and sends it to the
device user.

3. In the Kaspersky Endpoint Security for Windows dialog window, the device user activates the access key file
and obtains temporary access to the external device.

To grant temporary access to the external device blocked by Device Control:

1. In the main menu, go to DEVICES → MANAGED DEVICES.


The list of managed devices is displayed.

2. In this list, select the user's device that requests access to the external device blocked by Device Control.
You can select only one device.

3. Above the list of managed devices, click the ellipsis button, and then click the Grant access to the device
in offline mode button.

4. In the Application settings window that opens, in the Device Control section, click the Browse button.

5. Select the request access file that you have received from the user, and then click the Open button. The file
should have the AKEY format.
The details of the locked device to which the user has requested access are displayed.
6. Specify the value of the Access duration setting.
This setting defines the length of time for which you grant the user access to the locked device. The default
value is the value that was specified by the user when creating the request access file.

7. Specify the value of the Activation period setting.


This setting defines the time period during which the user can activate access to the blocked device by using
the provided access key.

8. Click the Save button.


This opens the standard Save access key window of Microsoft Windows.

9. Select the destination folder in which you want to save the file containing the access key for the blocked
device.

10. Click the Save button.

As a result, when you send the user the access key file and the user activates it in the Kaspersky Endpoint
Security for Windows dialog window, the user has temporary access to the blocked device for the specific
period.
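How the Activation period and Access duration settings relate in time, as an added example that is not part of the Kaspersky help or product code. Assumptions (not stated on the page): the activation period is counted from when the key was issued, the access duration from when the user activates it, and the timestamps are constructed; the AKEY request and key file formats are not modelled.

```python
"""Added example (not Kaspersky code): the time windows behind a Device
Control offline access key.

Assumptions (not from the help page): the activation period starts when the
administrator issues the key, the access duration starts when the user
activates it, and all timestamps are constructed for illustration.
"""
from __future__ import annotations

from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed timestamp: when the administrator saved the access key file.
ISSUED_AT = datetime(2023, 6, 1, 9, 0)


def at_hours(hours: float) -> datetime:
    return ISSUED_AT + timedelta(hours=hours)


@dataclass(frozen=True)
class AccessKey:
    device_id: str              # the blocked external device named in the request
    issued_at: datetime
    activation_period: timedelta   # window in which the user may activate the key
    access_duration: timedelta     # how long access lasts once activated

    def activation_deadline(self) -> datetime:
        return self.issued_at + self.activation_period

    def can_activate(self, at: datetime) -> bool:
        """The key is only usable between issue time and the activation deadline."""
        return self.issued_at <= at <= self.activation_deadline()

    def access_window(self, activated_at: datetime):
        """Return (start, end) of the granted access, or None if activation came too late."""
        if not self.can_activate(activated_at):
            return None
        return (activated_at, activated_at + self.access_duration)


def has_access(key: AccessKey, activated_at: datetime, now: datetime) -> bool:
    """True while the temporary access granted by an activated key is still running."""
    window = key.access_window(activated_at)
    return window is not None and window[0] <= now < window[1]


def demo_key() -> AccessKey:
    """Constructed key: may be activated within 4 hours, then grants 2 hours of access."""
    return AccessKey("usb-disk-constructed", ISSUED_AT,
                     activation_period=timedelta(hours=4),
                     access_duration=timedelta(hours=2))


if __name__ == "__main__":
    key = demo_key()
    print("activated at +1h, window:", key.access_window(at_hours(1)))
    print("activated at +5h, window:", key.access_window(at_hours(5)))
```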

Removing applications or software updates remotely


To remove applications or software updates remotely from selected devices:

1. In the main menu, go to DEVICES → TASKS.

2. Click Add.
The Add Task Wizard starts. Proceed through the Wizard by using the Next button.

3. For the Kaspersky Security Center application, select the Uninstall application remotely task type.

4. Specify the name for the task that you are creating.
A task name cannot be more than 100 characters long and cannot include any special characters ("*<>?\:|).

5. Select devices to which the task will be assigned.

6. Select what kind of software you want to remove, and then select specific applications, updates, or patches
that you want to remove:

Uninstall managed application

A list of Kaspersky applications is displayed. Select the application that you want to remove.

Uninstall incompatible application

A list of applications incompatible with Kaspersky security applications or Kaspersky Security Center is
displayed. Select the check boxes next to the applications that you want to remove.

Uninstall application from applications registry

By default, Network Agents send the Administration Server information about the applications installed
on the managed devices. The list of installed applications is stored in the applications registry.
To select an application from the applications registry:

a. Click the Application to uninstall field, and then select the application that you want to remove.

b. Specify the uninstallation options:

Uninstallation mode

Select how you want to remove the application:

Define uninstallation command automatically


If the application has an uninstallation command defined by the application vendor,
Kaspersky Security Center uses this command. We recommend that you select this
option.

Specify uninstallation command


Select this option if you want to specify your own command for the application
uninstallation.

We recommend that you first try to remove the application by using the Define
uninstallation command automatically option. If the uninstallation through the
automatically defined command fails, then use your own command.

Type an uninstallation command into the field, and then specify the following option:
Use this command for uninstallation only if the default command was not autodetected

Kaspersky Security Center checks whether or not the selected application has an
uninstallation command de ned by the application vendor. If the command is found,
Kaspersky Security Center will use it instead of the command speci ed in the
Command for application uninstallation field.
We recommend that you enable this option.

Perform restart after successful application uninstallation

If the application requires the operating system to be restarted on the managed device
after successful uninstallation, the operating system is restarted automatically.

Uninstall the specified application update, patch, or third-party application

A list of updates, patches, and third-party applications is displayed. Select the item that you want to
remove.
The displayed list is a general list of applications and updates, and it does not correspond to the
applications and updates installed on the managed devices. Before selecting an item, we recommend
that you ensure that the application or update is installed on the devices defined in the task scope. You
can view the list of devices on which the application or update is installed, via the properties window.
To view the list of devices:

a. Click the name of the application or update.


The properties window opens.

b. Open the Devices section.


You can also view the list of installed applications and updates in the device properties window.

7. Specify how client devices will download the Uninstallation utility:

Using Network Agent

The files are delivered to client devices by Network Agent installed on those client devices.
If this option is disabled, the files are delivered using Microsoft Windows tools.
We recommend that you enable this option if the task has been assigned to devices that have Network
Agents installed.

Using operating system resources through Administration Server

The files are transmitted to client devices by using the Administration Server operating system tools.
You can enable this option if no Network Agent is installed on the client device, but the client device is
on the same network as the Administration Server.

Using operating system resources through distribution points

The files are transmitted to client devices by using operating system tools through distribution points.
You can enable this option if there is at least one distribution point on the network.
If the Using Network Agent option is enabled, the files are delivered by using operating system tools
only if Network Agent tools are unavailable.

Maximum number of concurrent downloads

The maximum allowed number of client devices to which Administration Server can simultaneously
transmit the files. The larger this number, the faster the application will be uninstalled, but the load on
Administration Server is higher.

Maximum number of uninstallation attempts

If, when running the Uninstall application remotely task, Kaspersky Security Center fails to uninstall an
application on a managed device within the number of installer runs specified by the parameter,
Kaspersky Security Center stops delivering the Uninstallation utility to this managed device and does
not start the installer on the device anymore.
The Maximum number of uninstallation attempts parameter allows you to save the resources of the
managed device, as well as reduce traffic (uninstallation, MSI file run, and error messages).
Recurring task start attempts may indicate a problem on the device that prevents uninstallation.
The administrator should resolve the problem within the specified number of uninstallation attempts
and then restart the task (manually or by a schedule).
If uninstallation is not achieved eventually, the problem is considered unresolvable and any further task
starts are seen as costly in terms of unnecessary consumption of resources and traffic.
When the task is created, the attempts counter is set to 0. Each run of the installer that returns an
error on the device increments the counter reading.
If the number of attempts speci ed in the parameter has been exceeded and the device is ready for
application uninstallation, you can increase the value of the Maximum number of uninstallation
attempts parameter and start the task to uninstall the application. Alternatively, you can create a new
Uninstall application remotely task.

Verify operating system type before downloading

Before transmitting the files to client devices, Kaspersky Security Center checks if the Installation
utility settings are applicable to the operating system of the client device. If the settings are not
applicable, Kaspersky Security Center does not transmit the files and does not attempt to install the
application. For example, to install some application to devices of an administration group that includes
devices running various operating systems, you can assign the installation task to the administration
group, and then enable this option to skip devices that run an operating system other than the required
one.

Use uninstallation password

This parameter is displayed if in the previous step you selected Uninstall managed application, and
then specified Kaspersky Security Center Network Agent in the Application to uninstall field.
If you previously set the password for Network Agent remote uninstallation in Network Agent policy
settings, select the Use uninstallation password check box, and then enter the uninstallation password
in the Password field. If you did not set the password for Network Agent remote uninstallation, do not
select the check box.

8. Specify the operating system restart settings:

Do not restart the device

Client devices are not restarted automatically after the operation. To complete the operation, you must
restart a device (for example, manually or through a device management task). Information about the
required restart is saved in the task results and in the device status. This option is suitable for tasks on
servers and other devices where continuous operation is critical.

Restart the device

Client devices are always restarted automatically if a restart is required for completion of the
operation. This option is useful for tasks on devices that provide for regular pauses in their operation
(shutdown or restart).

Prompt user for action

The restart reminder is displayed on the screen of the client device, prompting the user to restart it
manually. Some advanced settings can be defined for this option: text of the message for the user, the
message display frequency, and the time interval after which a restart will be forced (without the user's
confirmation). This option is most suitable for workstations where users must be able to select the
most convenient time for a restart.
By default, this option is selected.

Repeat prompt every (min)

If this option is enabled, the application prompts the user to restart the operating system with the
specified frequency.
By default, this option is enabled. The default interval is 5 minutes. Available values are between 1 and
1440 minutes.
If this option is disabled, the prompt is displayed only once.

Restart after (min)

After prompting the user, the application forces restart of the operating system upon expiration of the
specified time interval.
By default, this option is enabled. The default delay is 30 minutes. Available values are between 1 and
1440 minutes.

Force closure of applications in blocked sessions

Running applications may prevent a restart of the client device. For example, if a document is being
edited in a word processing application and is not saved, the application does not allow the device to
restart.
If this option is enabled, such applications on a locked device are forced to close before the device
restart. As a result, users may lose their unsaved changes.
If this option is disabled, a locked device is not restarted. The task status on this device states that a
device restart is required. Users have to manually close all applications running on locked devices and
restart these devices.
By default, this option is disabled.

9. If necessary, add the accounts that will be used to start the remote uninstallation task:

No account required (Network Agent installed)

If this option is selected, you do not have to specify the account under which the application installer
will be run. The task will run under the account under which the Administration Server service is running.
If Network Agent has not been installed on client devices, this option is not available.

Account required (Network Agent is not used)

Select this option if Network Agent is not installed on the devices for which you assign the Uninstall
application remotely task.

Specify the user account under which the application installer will be run. Click the Add button, select
Account, and then specify the user account credentials.

You can specify multiple user accounts if, for example, none of them have all the required rights on all
devices for which you assign the task. In this case, all added accounts are used for running the task, in
consecutive order, top-down.

10. If you want to modify the default task settings, enable the Open task details when creation is complete
option on the Finish task creation page. If you do not enable this option, the task is created with the default
settings. You can modify the default settings later, at any time.

11. Click the Finish button.


The task is created and displayed in the list of tasks.

12. Click the name of the created task to open the task properties window.

13. In the task properties window, specify the general task settings.

14. Click the Save button.

15. Run the task manually or wait for it to launch according to the schedule you specified in the task settings.

Upon completion of the remote uninstallation task, the selected application will be removed from the selected
devices.

Rolling back an object to a previous revision


You can roll back changes made to an object, if necessary. For example, you may have to revert the settings of a
policy to their state on a specific date.

To roll back changes made to an object:

1. In the object's properties window, open the Revision history tab.

2. In the list of object revisions, select the revision that you want to roll back changes for.

3. Click the Roll back button.

4. Click OK to confirm the operation.

The object is now rolled back to the selected revision. The list of object revisions displays a record of the action
that was taken. The revision description displays information about the number of the revision to which you
reverted the object.

The rollback operation is available only for policy and task objects.

Tasks
This section describes tasks used by Kaspersky Security Center.

About tasks
Kaspersky Security Center manages Kaspersky security applications installed on devices by creating and running
tasks. Tasks are required for installing, launching, and stopping applications, scanning files, updating databases and
software modules, and performing other actions on applications.

Tasks for a specific application can be created using Kaspersky Security Center Web Console only if the
management plug-in for that application is installed on Kaspersky Security Center Web Console Server.

Tasks can be performed on the Administration Server and on devices.

The tasks that are performed on the Administration Server include the following:

Automatic distribution of reports

Downloading of updates to the repository

Backup of Administration Server data

Maintenance of the database

The following types of tasks are performed on devices:

Local tasks—Tasks that are performed on a specific device


Local tasks can be modified either by the administrator, using Administration Console tools, or by the user of a
remote device (for example, through the security application interface). If a local task has been modified
simultaneously by the administrator and the user of a managed device, the changes made by the administrator
will take effect because they have a higher priority.

Group tasks—Tasks that are performed on all devices of a specific group


Unless otherwise specified in the task properties, a group task also affects all subgroups of the selected group.
A group task also affects (optionally) devices that have been connected to secondary and virtual
Administration Servers deployed in the group or any of its subgroups.

Global tasks—Tasks that are performed on a set of devices, regardless of whether they are included in any
group.

For each application, you can create any number of group tasks, global tasks, or local tasks.

You can make changes to the settings of tasks, view the progress of tasks, and copy, export, import, and delete
tasks.

A task is started on a device only if the application for which the task was created is running.

Execution results of tasks are saved in the operating system event log on each device, in the operating system
event log on the Administration Server, and in the Administration Server database.

Do not include private data in task settings. For example, avoid specifying the domain administrator password.

About task scope


The scope of a task is the set of devices on which the task is performed. The types of scope are as follows:

For a local task, the scope is the device itself.

For an Administration Server task, the scope is the Administration Server.

For a group task, the scope is the list of devices included in the group.

When creating a global task, you can use the following methods to specify its scope:

Specifying certain devices manually.


You can use an IP address (or IP range), NetBIOS name, or DNS name as the device address.

Importing a list of devices from a TXT file with the device addresses to be added (each address must be placed
on an individual line).
If you import a list of devices from a file or create a list manually, and if devices are identified by their names, the
list can only contain devices for which information has already been entered into the Administration Server
database. Moreover, the information must have been entered when those devices were connected or during
device discovery.

Specifying a device selection.


Over time, the scope of a task changes as the set of devices included in the selection changes. A selection of
devices can be made on the basis of device attributes, including software installed on a device, and on the basis
of tags assigned to devices. Device selection is the most flexible way to specify the scope of a task.
Tasks for device selections are always run on a schedule by the Administration Server. These tasks cannot be
run on devices that lack connection to the Administration Server. Tasks whose scope is specified by using other
methods are run directly on devices and therefore do not depend on the device connection to the
Administration Server.

Tasks for device selections are not run on the local time of a device; instead, they are run on the local time of the
Administration Server. Tasks whose scope is specified by using other methods are run on the local time of a device.

Creating a task
To create a task:

1. In the main menu, go to DEVICES → TASKS.

2. Click Add.
The Add Task Wizard starts. Follow its instructions.

3. If you want to modify the default task settings, enable the Open task details when creation is complete
option on the Finish task creation page. If you do not enable this option, the task is created with the default
settings. You can modify the default settings later, at any time.

4. Click the Finish button.

The task is created and displayed in the list of tasks.

Starting a task manually


The application starts tasks according to the schedule settings specified in the properties of each task. You can
start a task manually at any time.

To start a task manually:

1. In the main menu, go to DEVICES → TASKS.

2. In the task list, select the check box next to the task that you want to start.

3. Click the Start button.

The task starts. You can check the task status in the Status column or by clicking the Result button.

Viewing the task list


You can view the list of tasks that are created in Kaspersky Security Center.

To view the list of tasks,

In the main menu, go to DEVICES → TASKS.

The list of tasks is displayed. The tasks are grouped by the names of applications to which they are related. For
example, the Uninstall application remotely task is related to the Administration Server, and the Find
vulnerabilities and required updates task refers to the Network Agent.

To view properties of a task,

Click the name of the task.

The task properties window is displayed with several named tabs. For example, the Task type is displayed on the
General tab, and the task schedule—on the Schedule tab.

General task settings

This section contains the settings that you can view and configure for most of your tasks. The list of settings
available depends on the task you are configuring.

Settings specified during task creation

You can specify the following settings when creating a task. Some of these settings can also be modified in the
properties of the created task.

Operating system restart settings:

Do not restart the device

Client devices are not restarted automatically after the operation. To complete the operation, you must
restart a device (for example, manually or through a device management task). Information about the
required restart is saved in the task results and in the device status. This option is suitable for tasks on
servers and other devices where continuous operation is critical.

Restart the device

Client devices are always restarted automatically if a restart is required for completion of the
operation. This option is useful for tasks on devices that provide for regular pauses in their operation
(shutdown or restart).

Prompt user for action

The restart reminder is displayed on the screen of the client device, prompting the user to restart it
manually. Some advanced settings can be defined for this option: text of the message for the user, the
message display frequency, and the time interval after which a restart will be forced (without the user's
confirmation). This option is most suitable for workstations where users must be able to select the
most convenient time for a restart.
By default, this option is selected.

Repeat prompt every (min)

If this option is enabled, the application prompts the user to restart the operating system with the
specified frequency.
By default, this option is enabled. The default interval is 5 minutes. Available values are between 1 and
1440 minutes.
If this option is disabled, the prompt is displayed only once.

Restart after (min)

After prompting the user, the application forces restart of the operating system upon expiration of the
specified time interval.
By default, this option is enabled. The default delay is 30 minutes. Available values are between 1 and
1440 minutes.

Force closure of applications in blocked sessions

Running applications may prevent a restart of the client device. For example, if a document is being
edited in a word processing application and is not saved, the application does not allow the device to
restart.
If this option is enabled, such applications on a locked device are forced to close before the device
restart. As a result, users may lose their unsaved changes.
If this option is disabled, a locked device is not restarted. The task status on this device states that a
device restart is required. Users have to manually close all applications running on locked devices and
restart these devices.
By default, this option is disabled.

Task scheduling settings:

Scheduled start setting:

Every N hours

The task runs regularly, with the specified interval in hours, starting from the specified date and time.
By default, the task runs every six hours, starting from the current system date and time.

Every N days

The task runs regularly, with the specified interval in days. Additionally, you can specify a date and
time of the first task run. These additional options become available, if they are supported by the
application for which you create the task.
By default, the task runs every day, starting from the current system date and time.

Every N weeks

The task runs regularly, with the specified interval in weeks, on the specified day of week and at the
specified time.
By default, the task runs every Monday at the current system time.

Every N minutes

The task runs regularly, with the specified interval in minutes, starting from the specified time on the
day that the task is created.
By default, the task runs every 30 minutes, starting from the current system time.

Daily (daylight saving time is not supported)

The task runs regularly, with the specified interval in days. This schedule does not support
observance of daylight saving time (DST). It means that when clocks jump one hour forward or
backward at the beginning or ending of DST, the actual task start time does not change.
We do not recommend that you use this schedule. It is needed for backward compatibility of
Kaspersky Security Center.
By default, the task starts every day at the current system time.

Weekly

The task runs every week on the specified day and at the specified time.

By days of week

The task runs regularly, on the specified days of week, at the specified time.
By default, the task runs every Friday at 6:00:00 PM.

Monthly

The task runs regularly, on the specified day of the month, at the specified time.
In months that lack the specified day, the task runs on the last day.
By default, the task runs on the first day of each month, at the current system time.

Manually

The task does not run automatically. You can only start it manually.
By default, this option is enabled.

Every month on specified days of selected weeks

The task runs regularly, on the specified days of each month, at the specified time.
By default, no days of month are selected; the default start time is 6:00:00 PM.

When new updates are downloaded to the repository

The task runs after updates are downloaded to the repository. For example, you may want to use
this schedule for the Find vulnerabilities and required updates task.

On virus outbreak

The task runs after a Virus outbreak event occurs. Select application types that will monitor virus
outbreaks. The following application types are available:
Anti-virus for workstations and file servers

Anti-virus for perimeter defense

Anti-virus for mail systems


By default, all application types are selected.
You may want to run different tasks depending on the anti-virus application type that reports a virus
outbreak. In this case, remove the selection of the application types that you do not need.

On completing another task

The current task starts after another task completes. You can select how the previous task must
complete (successfully or with error) to trigger the start of the current task. For example, you may
want to run the Manage devices task with the Turn on the device option and, after it completes, run
the Virus scan task.

Run missed tasks

This option determines the behavior of a task if a client device is not visible on the network when the
task is about to start.
If this option is enabled, the system attempts to start the task the next time the Kaspersky application
is run on the client device. If the task schedule is Manually, Once or Immediately, the task is started
immediately after the device becomes visible on the network or immediately after the device is
included in the task scope.
If this option is disabled, only scheduled tasks run on client devices; for Manually, Once and
Immediately, tasks run only on those client devices that are visible on the network. For example, you
may want to disable this option for a resource-consuming task that you want to run only outside of
business hours.
By default, this option is enabled.

Use automatically randomized delay for task starts

If this option is enabled, the task is started on client devices randomly within a specified time interval,
that is, distributed task start. A distributed task start helps to avoid a large number of simultaneous
requests by client devices to the Administration Server when a scheduled task is running.
The distributed start time is calculated automatically when a task is created, depending on the number
of client devices to which the task is assigned. Later, the task is always started on the calculated start
time. However, when task settings are edited or the task is started manually, the calculated value of the
task start time changes.
If this option is disabled, the task starts on client devices according to the schedule.

Use randomized delay for task starts within an interval of (min)

If this option is enabled, the task is started on client devices randomly within the specified time interval.
A distributed task start helps to avoid a large number of simultaneous requests by client devices to the
Administration Server when a scheduled task is running.
If this option is disabled, the task starts on client devices according to the schedule.
By default, this option is disabled. The default time interval is one minute.
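The next-start rules for three of the schedule types above (Every N hours, By days of week, and Monthly with its month-end rule) can be checked with the following model. It is an added example, not Kaspersky Security Center code; the Schedule class, the function names and the defaults it fills in are assumptions based on the descriptions above.

```python
"""Model of three scheduled-start types described for Kaspersky Security Center tasks.

Added example, not product code. The Schedule dataclass, next_run() and upcoming_runs()
are assumptions that follow the documented behaviour.
"""
from __future__ import annotations

import calendar
from dataclasses import dataclass, field
from datetime import date, datetime, time, timedelta


@dataclass
class Schedule:
    kind: str                                # "every_n_hours" | "by_days_of_week" | "monthly"
    start: datetime | None = None            # first run; used by "every_n_hours"
    hours: int = 6                           # documented default: every six hours
    days_of_week: list[int] = field(default_factory=lambda: [4])  # Monday=0; default Friday
    day_of_month: int = 1                    # documented default: first day of each month
    at: time = time(18, 0)                   # documented default for "By days of week": 6:00 PM


def _last_day_of_month(year: int, month: int) -> int:
    return calendar.monthrange(year, month)[1]


def next_run(sched: Schedule, now: datetime) -> datetime:
    """Return the first scheduled start strictly after `now`."""
    if sched.kind == "every_n_hours":
        if sched.start is None:
            raise ValueError("every_n_hours needs a start date and time")
        if now < sched.start:
            return sched.start
        step = timedelta(hours=sched.hours)
        # whole intervals already elapsed since the start, then move to the next one
        k = (now - sched.start) // step + 1
        return sched.start + k * step

    if sched.kind == "by_days_of_week":
        if not sched.days_of_week:
            raise ValueError("by_days_of_week needs at least one day")
        for offset in range(8):              # today plus the following seven days
            day = (now + timedelta(days=offset)).date()
            if day.weekday() in sched.days_of_week:
                candidate = datetime.combine(day, sched.at)
                if candidate > now:
                    return candidate
        raise AssertionError("a selected weekday always occurs within eight days")

    if sched.kind == "monthly":
        year, month = now.year, now.month
        for _ in range(2):                   # this month, otherwise the next one
            # months that lack the selected day run on their last day
            day = min(sched.day_of_month, _last_day_of_month(year, month))
            candidate = datetime.combine(date(year, month, day), sched.at)
            if candidate > now:
                return candidate
            month += 1
            if month == 13:
                month, year = 1, year + 1
        raise AssertionError("a monthly run always occurs within two months")

    raise ValueError(f"unknown schedule kind: {sched.kind}")


def upcoming_runs(sched: Schedule, now: datetime, count: int) -> list[datetime]:
    """List the next `count` start times, e.g. to review a schedule before saving the task."""
    runs: list[datetime] = []
    for _ in range(count):
        now = next_run(sched, now)
        runs.append(now)
    return runs


if __name__ == "__main__":
    # constructed reference time: Friday 10 February 2023, 09:00
    now = datetime(2023, 2, 10, 9, 0)
    monthly_31st = Schedule(kind="monthly", day_of_month=31, at=time(18, 0))
    for run in upcoming_runs(monthly_31st, now, 3):
        print(run)   # 2023-02-28 18:00, 2023-03-31 18:00, 2023-04-30 18:00
```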

Devices to which the task will be assigned:

Select networked devices detected by Administration Server

The task is assigned to specific devices. The specific devices can include devices in administration
groups as well as unassigned devices.
For example, you may want to use this option in a task of installing Network Agent on unassigned
devices.

Specify device addresses manually or import addresses from a list

You can specify NetBIOS names, DNS names, IP addresses, and IP subnets of devices to which you
want to assign the task.
You may want to use this option to execute a task for a specific subnet. For example, you may want to
install a certain application on devices of accountants or to scan devices in a subnet that is probably
infected.

Assign task to a device selection

The task is assigned to devices included in a device selection. You can specify one of the existing
selections.
For example, you may want to use this option to run a task on devices with a specific operating system
version.

Assign task to an administration group

The task is assigned to devices included in an administration group. You can specify one of the existing
groups or create a new one.
For example, you may want to use this option to run a task of sending a message to users if the
message is specific for devices included in a specific administration group.

Account settings:

Default account

The task will be run under the same account as the application that performs this task.
By default, this option is selected.

Specify an account

Fill in the Account and Password fields to specify the details of an account under which the task is run.
The account must have sufficient rights for this task.

Account

Account under which the task is run.

Password

Password of the account under which the task will be run.

Settings specified after task creation

You can specify the following settings only after a task is created.

Group task settings:

Distribute to subgroups

This option is only available in the settings of the group tasks.


When this option is enabled, the task scope includes:
The administration group that you selected while creating the task.

The administration groups subordinate to the selected administration group at any level down by
the group hierarchy.
When this option is disabled, the task scope includes only the administration group that you selected
while creating the task.
By default, this option is enabled.

Distribute to secondary and virtual Administration Servers

When this option is enabled, the task that is effective on the primary Administration Server is also
applied on the secondary Administration Servers (including virtual ones). If a task of the same type
already exists on the secondary Administration Server, both tasks are applied on the secondary
Administration Server—the existing one and the one that is inherited from the primary Administration
Server.
This option is only available when the Distribute to subgroups option is enabled.
By default, this option is disabled.

Advanced scheduling settings:

Activate the device before the task is started through Wake-on-LAN (min)

The operating system on the device starts at the speci ed time before the task is started. The default
time period is five minutes.

Enable this option if you want the task to run on all of the client devices from the task scope, including
those devices that are turned off when the task is about to start.

If you want the device to be automatically turned off after the task is complete, enable the Shut down
the devices after completing the task option. This option can be found in the same window.

By default, this option is disabled.

Turn off device after task completion

For example, you may want to enable this option for an install update task that installs updates to client
devices each Friday after business hours, and then turns off these devices for the weekend.

By default, this option is disabled.

Stop task if it has been running longer than (min)

After the specified time period expires, the task is stopped automatically, whether it is completed or
not.
Enable this option if you want to interrupt (or stop) tasks that take too long to execute.
By default, this option is disabled. The default task execution time is 120 minutes.

Notification settings:

Store task history block:

Store in the Administration Server database for (days)

Application events related to execution of the task on all client devices from the task scope are
stored on the Administration Server during the specified number of days. When this period elapses,
the information is deleted from the Administration Server.

By default, this option is enabled.

Store in the OS event log on device

Application events related to execution of the task are stored locally in Windows Event Log of each
client device.

By default, this option is disabled.

Store in the OS event log on Administration Server

Application events related to execution of the task on all client devices from the task scope are
stored centrally in Windows Event Log of the Administration Server operating system (OS).

By default, this option is disabled.

Save all events

If this option is selected, all events related to the task are saved to the event logs.

Save events related to task progress

If this option is selected, only events related to the task execution are saved to the event logs.

Save only task execution results

If this option is selected, only events related to the task results are saved to the event logs.

Notify administrator of task execution results

You can select the methods by which administrators receive notifications about task execution results:
by email, by SMS, and by running an executable file. To configure notification, click the Settings link.

By default, all notification methods are disabled.

Notify of errors only

If this option is enabled, administrators are only notified when a task execution completes with an error.

If this option is disabled, administrators are notified after every task execution completion.

By default, this option is enabled.

Security settings.

Task scope settings.


Depending on how the task scope is determined, the following settings are present:

Devices

If the scope of a task is determined by an administration group, you can view this group. No changes are
available here. However, you can set Exclusions from task scope.

If the scope of a task is determined by a list of devices, you can modify this list by adding and removing
devices.

Device selection

You can change the device selection to which the task is applied.

Exclusions from task scope

You can specify groups of devices to which the task is not applied. Groups to be excluded can only be
subgroups of the administration group to which the task is applied.

Revision history.

Starting the Change Tasks Password Wizard


For a non-local task, you can specify an account under which the task must be run. You can specify the account
during task creation or in the properties of an existing task. If the specified account is used in accordance with
security instructions of the organization, these instructions might require changing the account password from
time to time. When the account password expires and you set a new one, the tasks will not start until you specify
the new valid password in the task properties.

The Change Tasks Password Wizard enables you to automatically replace the old password with the new one in all
tasks in which the account is specified. Alternatively, you can change this password manually in the properties of
each task.

To start the Change Tasks Password Wizard:

1. On the DEVICES tab, select TASKS.

2. Click Manage credentials of accounts for starting tasks.

Follow the instructions of the Wizard.

Step 1. Specifying credentials
Specify new credentials that are currently valid in your system (for example, in Active Directory). When you switch
to the next step of the Wizard, Kaspersky Security Center checks if the specified account name matches the
account name in the properties of each non-local task. If the account names match, the password in the task
properties will be automatically replaced with the new one.

To specify the new account, select an option:

Use current account

The Wizard uses the name of the account under which you are currently signed in to Kaspersky Security
Center Web Console. Then manually specify the account password in the Current password to use in
tasks field.

Specify a different account

Specify the name of the account under which the tasks must be started. Then specify the account
password in the Current password to use in tasks field.

If you fill in the Previous password (optional; if you want to replace it with the current one) field, Kaspersky
Security Center replaces the password only for those tasks in which both the account name and the old password
are found. The replacement is performed automatically. In all other cases you have to choose an action to take in
the next step of the Wizard.

Step 2. Selecting an action to take


If you did not specify the previous password in the first step of the Wizard or if the specified old password has not
matched the passwords in the task properties, you must choose an action to take for the tasks found.

To choose an action for a task:

1. Select the check box next to the task for which you want to choose an action.

2. Perform one of the following:

To remove the password in the task properties, click Delete credentials.


The task is switched to run under the default account.

To replace the password with a new one, click Enforce the password change even if the old password is
wrong or not provided.

To cancel the password change, click No action is selected.

The chosen actions are applied after you move to the next step of the Wizard.

Step 3. Viewing the results

On the last step of the Wizard, view the results for each of the found tasks. To complete the Wizard, click the
Finish button.
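The matching rule that Steps 1 and 2 describe (replace automatically only where both the account name and the previous password match, otherwise require a per-task decision) is modelled below. This is an added example, not Kaspersky Security Center code; the Task class, the function names, the action names and the case-insensitive account comparison are assumptions.

```python
"""Model of the Change Tasks Password Wizard rule described above.

Added example, not product code. Task, plan_password_change() and apply_decision()
are assumptions that follow the documented Step 1 and Step 2 behaviour.
"""
from __future__ import annotations

import hmac
from dataclasses import dataclass


@dataclass
class Task:
    name: str
    account: str | None       # None: the task runs under the default account
    password: str | None


def _same_secret(a: str, b: str) -> bool:
    # constant-time comparison so the check itself does not leak by timing
    return hmac.compare_digest(a.encode("utf-8"), b.encode("utf-8"))


def plan_password_change(
    tasks: list[Task],
    account: str,
    new_password: str,
    previous_password: str | None = None,
) -> tuple[list[str], list[str]]:
    """Step 1: return (replaced, pending).

    `replaced` lists tasks whose password was swapped automatically (account name
    and previous password both matched); `pending` lists tasks with a matching
    account name that still need a Step 2 decision. Account names are compared
    case-insensitively (assumption: Windows account names are not case-sensitive).
    """
    replaced: list[str] = []
    pending: list[str] = []
    for task in tasks:
        if task.account is None or task.account.lower() != account.lower():
            continue  # default account or a different account: left untouched
        if (previous_password is not None and task.password is not None
                and _same_secret(task.password, previous_password)):
            task.password = new_password
            replaced.append(task.name)
        else:
            pending.append(task.name)  # no previous password given, or it did not match
    return replaced, pending


def apply_decision(task: Task, action: str, new_password: str) -> None:
    """Step 2: apply the choice made for one pending task."""
    if action == "delete_credentials":     # the task switches to the default account
        task.account, task.password = None, None
    elif action == "enforce":              # replace even though the old password is unknown
        task.password = new_password
    elif action == "no_action":
        return
    else:
        raise ValueError(f"unknown action: {action}")


if __name__ == "__main__":
    # constructed sample tasks; the account name and passwords are placeholders
    tasks = [
        Task("Virus scan", "CORP\\svc-ksc", "OldPass-1"),
        Task("Backup", "corp\\svc-ksc", "Stale-0"),
        Task("Update", None, None),
    ]
    replaced, pending = plan_password_change(tasks, "CORP\\svc-ksc", "NewPass-2", "OldPass-1")
    print("replaced:", replaced, "pending:", pending)  # replaced: ['Virus scan'] pending: ['Backup']
    apply_decision(tasks[1], "delete_credentials", "NewPass-2")
```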

Managing client devices


This section describes how to manage devices in the administration groups.

Settings of a managed device


To view the settings of a managed device:

1. Select DEVICES → MANAGED DEVICES.


The list of managed devices is displayed.

2. In the list of managed devices, click the link with the name of the required device.

The properties window of the selected device is displayed.

The following tabs are displayed in the upper part of the properties window representing the main groups of the
settings:

General

This tab comprises the following sections:
The General section displays general information about the client device. Information is provided on
the basis of data received during the last synchronization of the client device with the Administration
Server:

Name

In this field, you can view and modify the client device name in the administration group.

Description

In this field, you can enter an additional description for the client device.

Device status

Status of the client device assigned on the basis of the criteria defined by the administrator
for the status of anti-virus protection on the device and the activity of the device on the
network.

Full group name

Administration group, which includes the client device.

Protection last updated

Date the anti-virus databases or applications were last updated on the device.

Connected to Administration Server

Date and time Network Agent installed on the client device last connected to the
Administration Server.

Last visible

Date and time the device was last visible on the network.

Network Agent version

Version of the installed Network Agent.

Created

Date of the device creation within Kaspersky Security Center.

Device owner

Name of the device owner. You can assign or remove a user as a device owner by clicking the
Manage device owner link.

Do not disconnect from the Administration Server

If this option is enabled, continuous connectivity between the managed device and the
Administration Server is maintained. You may want to use this option if you are not using push
servers, which provide such connectivity.
If this option is disabled and push servers are not in use, the managed device only connects
to the Administration Server to synchronize data or to transmit information.
The maximum total number of devices with the Do not disconnect from the Administration
Server option selected is 300.
This option is disabled by default on managed devices. This option is enabled by default on
the device where the Administration Server is installed and stays enabled even if you try to
disable it.

The Network section displays the following information about the network properties of the client
device:

IP address

Device IP address.

Windows domain

Windows domain or workgroup, which contains the device.

DNS name

Name of the DNS domain of the client device.

NetBIOS name

Windows network name of the client device.

IPv6 address

The System section provides information about the operating system installed on the client device:

Operating system

CPU architecture

Device name

Virtual machine type

The virtual machine manufacturer.

Dynamic virtual machine as part of VDI

This row displays whether the client device is a dynamic virtual machine as part of VDI.

The Protection section provides the following information about the current status of anti-virus
protection on the client device:

Visible

Visibility status of the client device.

Device status

Status of the client device assigned on the basis of the criteria defined by the administrator
for the status of anti-virus protection on the device and the activity of the device on the
network.

Status description

Status of the client device protection and connection to Administration Server.

Protection status

This field shows the current status of real-time protection on the client device.
When the status changes on the device, the new status is displayed in the device properties
window only after the client device is synchronized with the Administration Server.

Last full scan

Date and time the last virus scan was performed on the client device.

Virus detected

Total number of threats detected on the client device since installation of the anti-virus
application (first scan), or since the last reset of the threat counter.

Objects that have failed disinfection

Number of unprocessed files on the client device.

This field ignores the number of unprocessed files on mobile devices.

Disk encryption status

The current status of file encryption on the local drives of the device.

The Device status defined by application section provides information about the device status that
is defined by the managed application installed on the device. This device status can differ from the
one defined by Kaspersky Security Center.

Applications

This tab lists all Kaspersky applications installed on the client device. You can click the application name to
view general information about the application, a list of events that have occurred on the device, and the
application settings.

Active policies and policy profiles

This tab lists the policies and policy profiles which are currently active on the managed device.

Tasks

In the Tasks tab, you can manage client device tasks: view the list of existing tasks, create new ones,
remove, start, and stop tasks, modify their settings, and view execution results. The list of tasks is provided
based on data received during the last session of client synchronization with the Administration Server.
The Administration Server requests the task status details from the client device. If connection is not
established, the status is not displayed.

Events

The Events tab displays events logged on the Administration Server for the selected client device.

Incidents

In the Incidents tab, you can view, edit, and create incidents for the client device. Incidents can be created
either automatically, through managed Kaspersky applications installed on the client device, or manually by
the administrator. For example, if some users regularly move malware from their removable drives to
devices, the administrator can create an incident. The administrator can provide a brief description of the
case and recommended actions (such as disciplinary actions to be taken against a user) in the text of the
incident, and can add a link to the user or users.
An incident for which all of the required actions have been taken is called processed. The presence of
unprocessed incidents can be chosen as the condition for a change of the device status to Critical or
Warning.
This section contains a list of incidents that have been created for the device. Incidents are classified by
severity level and type. The type of an incident is defined by the Kaspersky application, which creates the
incident. You can highlight processed incidents in the list by selecting the check box in the Processed
column.

Tags

In the Tags tab, you can manage the list of keywords that are used for finding client devices: view the list of
existing tags, assign tags from the list, configure auto-tagging rules, add new tags and rename old tags, and
remove tags.

Advanced

This tab comprises the following sections:
Applications registry. In this section, you can view the registry of applications installed on the client
device and their updates; you can also set up the display of the applications registry.
Information about installed applications is provided if Network Agent installed on the client device
sends required information to the Administration Server. You can configure sending of information to
the Administration Server in the properties window of Network Agent or its policy, in the
Repositories section. Information about installed applications is provided only for devices running
Windows.
Network Agent provides information about the applications based on data received from the system
registry.
Clicking an application name opens a window that contains the application details and a list of the
update packages installed for the application.

Executable files. This section displays executable files found on the client device.

Distribution points. This section provides a list of distribution points with which the device interacts.

Export to file

Click the Export to file button to save to a file a list of distribution points with which the
device interacts. By default, the application exports the list of devices to a CSV file.

Properties

Click the Properties button to view and configure the distribution point with which the
device interacts.

Hardware registry. In this section, you can view information about hardware installed on the client
device.

Available updates. This section displays a list of software updates found on this device but not
installed yet.

Software vulnerabilities. This section provides information about vulnerabilities in third-party
applications installed on client devices.
To save the vulnerabilities to a file, select the check boxes next to the vulnerabilities that you want to
save, and then click the Export rows to CSV file button or Export rows to TXT file button.
The section contains the following settings:

Show only vulnerabilities that can be fixed

If this option is enabled, the section displays vulnerabilities that can be fixed by using a patch.
If this option is disabled, the section displays both vulnerabilities that can be fixed by using a
patch, and vulnerabilities for which no patch has been released.
By default, this option is enabled.

Vulnerability properties

Click a software vulnerability name in the list to view the properties of the selected software
vulnerability in a separate window. In the window, you can do the following:
Ignore software vulnerability on this managed device (in Administration Console or in
Kaspersky Security Center Web Console).

View the list of recommended fixes for the vulnerability.

Manually specify the software updates to fix the vulnerability (in Administration Console
or in Kaspersky Security Center Web Console).

View vulnerability instances.

View the list of existing tasks to fix the vulnerability and create new tasks to fix it.

Remote diagnostics. In this section, you can perform remote diagnostics of client devices.

Creating administration groups


Immediately after Kaspersky Security Center installation, the hierarchy of administration groups contains only one
administration group, called Managed devices. When creating a hierarchy of administration groups, you can add
devices, including virtual machines, to the Managed devices group, and add nested groups (see the figure below).

Viewing administration groups hierarchy

To create an administration group:

1. In the main menu, go to DEVICES → HIERARCHY OF GROUPS.

2. In the administration group structure, select the administration group that is to include the new administration
group.

3. Click the Add button.

4. In the Name of the new administration group window that opens, enter a name for the group, and then click
the Add button.

A new administration group with the specified name appears in the hierarchy of administration groups.

The application allows creating a hierarchy of administration groups based on the structure of Active Directory or
the domain network's structure. Also, you can create a structure of groups from a text file.

To create a structure of administration groups:

1. In the main menu, go to DEVICES → HIERARCHY OF GROUPS.

2. Click the Import button.

The New Administration Group Structure Wizard starts. Follow the instructions of the Wizard.

Adding devices to an administration group manually


You can move devices to administration groups automatically by creating device moving rules or manually by
moving devices from one administration group to another or by adding devices to a selected administration group.
This section describes how to manually add devices to an administration group.

To add manually one or more devices to a selected administration group:

1. In the main menu, go to DEVICES → MANAGED DEVICES.

2. Click the Current path: <current path> link above the list.

3. In the window that opens, select the administration group to which you want to add the devices.

4. Click the Add devices button.


The Move Devices Wizard starts.

5. Make a list of the devices that you want to add to the administration group.

You can add only devices for which information has already been added to the Administration Server
database either upon connection of the device or after device discovery.

Select how you want to add devices to the list:

Click the Add devices button, and then specify the devices in one of the following ways:

Select devices from the list of devices detected by the Administration Server.

Specify a device IP address or an IP range.

Specify the NetBIOS name or DNS name of a device.

The device name field must not contain space characters or the following prohibited characters:
\ / * ; : ` ~ ! @ # $ ^ & ( ) = + [ ] { } | , < > %

Click the Import devices from file button to import a list of devices from a .txt file. Each device address or
name must be specified on a separate line.

The file must not contain space characters or the following prohibited characters:
\ / * ; : ` ~ ! @ # $ ^ & ( ) = + [ ] { } | , < > %

6. View the list of devices to be added to the administration group. You can edit the list by adding or removing
devices.

7. After making sure that the list is correct, click the Next button.

The Wizard processes the device list and displays the result. The successfully processed devices are added to
the administration group and are displayed in the list of devices under names generated by Administration
Server.
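A small validator for such an import file, added here as an example (it is not part of Kaspersky Security Center); it applies the prohibited-character rule quoted above to a constructed sample file and classifies each accepted line as an IPv4 address or a NetBIOS/DNS name:

```python
"""Validates a device list .txt file of the kind the Import devices from file button
accepts (added example, not Kaspersky code; the sample file is constructed)."""
import ipaddress

# Characters the manual lists as prohibited in device names and in the import file.
PROHIBITED = set('\\/*;:`~!@#$^&()=+[]{}|,<>%')

# Constructed sample file: one device address or name per line.
SAMPLE_FILE = """\
10.0.5.17
ws-finance-07
ws-finance-08.corp.example
bad name with spaces
printer;drop
fe80::1
"""


def check_entry(entry: str) -> tuple:
    """Classify one line as ('ok', kind) or ('error', reason).

    kind is 'ipv4' or 'name'. Because ':' is in the prohibited set, an IPv6
    literal cannot be written in the file (an inference from the character
    list above, not a statement from the manual)."""
    if entry == "":
        return ("error", "empty line")
    if any(ch.isspace() for ch in entry):
        return ("error", "contains space characters")
    bad = sorted({ch for ch in entry if ch in PROHIBITED})
    if bad:
        return ("error", "prohibited characters: " + " ".join(bad))
    try:
        ipaddress.IPv4Address(entry)
        return ("ok", "ipv4")
    except ipaddress.AddressValueError:
        pass
    # Anything else is treated as a NetBIOS or DNS name.
    return ("ok", "name")


def validate_device_list(text: str) -> dict:
    """Return {'accepted': [(entry, kind), ...], 'rejected': [(line_no, entry, reason), ...]}."""
    result = {"accepted": [], "rejected": []}
    for line_no, raw in enumerate(text.splitlines(), start=1):
        entry = raw.rstrip("\r")  # tolerate CRLF files; any other whitespace is an error
        status, detail = check_entry(entry)
        if status == "ok":
            result["accepted"].append((entry, detail))
        else:
            result["rejected"].append((line_no, entry, detail))
    return result


if __name__ == "__main__":
    report = validate_device_list(SAMPLE_FILE)
    for entry, kind in report["accepted"]:
        print(f"accepted {kind:5} {entry}")
    for line_no, entry, reason in report["rejected"]:
        print(f"line {line_no}: rejected {entry!r}: {reason}")
```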

Moving devices to an administration group manually


You can move devices from one administration group to another, or from the group of unassigned devices to an
administration group.

To move one or several devices to a selected administration group:

1. Open the administration group from which you want to move the devices. To do this, perform one of the
following:

To open an administration group, go to DEVICES → MANAGED DEVICES, click the path link in the Current
path field, and select an administration group in the left-side pane that opens.

To open the UNASSIGNED DEVICES group, go to DISCOVERY & DEPLOYMENT → UNASSIGNED
DEVICES.

2. Select the check boxes next to the devices that you want to move to a different group.

3. Click the Move to group button.

4. In the hierarchy of administration groups, select the check box next to the administration group to which you
want to move the selected devices.

5. Click the Move button.

The selected devices are moved to the selected administration group.

Creating device moving rules


You can set up device moving rules, that is, rules that automatically allocate devices to administration groups.

To create a moving rule:

1. In the main menu, go to the DEVICES → MOVING RULES tab.

2. Click Add.

3. In the window that opens, specify the following information on the General tab:

Rule name

Enter a name for the new rule.
If you are copying a rule, the new rule gets the same name as the source rule, but an index in () format is
added to the name, for example: (1).

Administration group

Select the administration group into which the devices are to be moved automatically.

Apply rule

You can select one of the following options:


Run once for each device
The rule is applied once for each device that matches your criteria.

Run once for each device, then at every Network Agent reinstallation
The rule is applied once for each device that matches your criteria, then only when Network Agent
is reinstalled on these devices.

Apply rule continuously


The rule is applied according to the schedule which the Administration Server sets up
automatically (usually every several hours).

Move only devices that do not belong to an administration group

If this option is enabled, only unassigned devices will be moved to the selected group.
If this option is disabled, devices that already belong to other administration groups, as well as
unassigned devices, will be moved to the selected group.

Enable rule

If this option is enabled, the rule is enabled and starts working after it is saved.
If this option is disabled, the rule is created, but not enabled. It will not work until you enable this option.

4. On the Rule conditions tab, specify at least one criterion by which the devices are moved to an administration
group.

5. Click Save.

The moving rule is created. It is displayed in the list of moving rules.

The higher the position is on the list, the higher the priority of the rule. To increase or decrease the priority of a
moving rule, move the rule up or down in the list, respectively, using the mouse.

If the device attributes meet the conditions of multiple rules, the device is moved to the target group of the rule
with the highest priority (that is, has the highest rank in the list of rules).

Copying device moving rules

You can copy moving rules, for example, if you want to have several identical rules for different target
administration groups.

To copy an existing moving rule:

1. In the main menu, go to the DEVICES → MOVING RULES tab.


You can also select DISCOVERY & DEPLOYMENT → DEPLOYMENT & ASSIGNMENT, and then select
MOVING RULES on the menu.
The list of moving rules is displayed.

2. Select the check box next to the rule you want to copy.

3. Click Copy.

4. In the window that opens, change the following information on the General tab—or make no changes if you only
want to copy the rule without changing its settings:

Rule name

Enter a name for the new rule.


If you are copying a rule, the new rule gets the same name as the source rule, but an index in () format is
added to the name, for example: (1).

Administration group

Select the administration group into which the devices are to be moved automatically.

Apply rule

You can select one of the following options:


Run once for each device
The rule is applied once for each device that matches your criteria.

Run once for each device, then at every Network Agent reinstallation
The rule is applied once for each device that matches your criteria, then only when Network Agent
is reinstalled on these devices.

Apply rule continuously


The rule is applied according to the schedule which the Administration Server sets up
automatically (usually every several hours).

Move only devices that do not belong to an administration group

If this option is enabled, only unassigned devices will be moved to the selected group.
If this option is disabled, devices that already belong to other administration groups, as well as
unassigned devices, will be moved to the selected group.

Enable rule

If this option is enabled, the rule is enabled and starts working after it is saved.
If this option is disabled, the rule is created, but not enabled. It will not work until you enable this option.

5. On the Rule conditions tab, specify at least one criterion for the devices that you want to be moved
automatically.

6. Click Save.

The new moving rule is created. It is displayed in the list of moving rules.

Conditions for a device moving rule


When you create or copy a rule to move client devices to administration groups, on the Rule conditions tab you
set conditions for moving the devices. To determine which devices to move, you can use the following criteria:

Tags assigned to client devices.

Network parameters. For example, you can move devices with IP addresses from a speci ed range.

Managed applications installed on client devices, for instance, Network Agent or Administration Server.

Virtual machines, which are the client devices.

Information about the Active Directory organizational unit (OU) with the client devices.

Information about a cloud segment with the client devices.

Below, you can find a description of how to specify this information in a device moving rule.

If you specify several conditions in the rule, they are combined with the logical AND operator, so a device is moved
only if all the conditions are met at the same time. If you do not select any options or keep some fields blank, such
conditions do not apply.

Tags tab

On this tab, you can configure a device moving rule based on device tags that were previously added to the
descriptions of client devices. To do this, select the required tags. Also, you can enable the following options:

Apply to devices without the specified tags

If this option is enabled, all devices with the specified tags are excluded from a device moving rule. If this
option is disabled, the device moving rule applies to devices with all the selected tags.
By default, this option is disabled.

Apply if at least one specified tag matches

If this option is enabled, a device moving rule applies to client devices with at least one of the selected
tags. If this option is disabled, the device moving rule applies to devices with all the selected tags.
By default, this option is disabled.

Network tab

On this tab, you can specify the network data of devices that a device moving rule considers:

Device name on the Windows network

Windows network name (NetBIOS name) of the device, or the IPv4 or IPv6 address.

Windows domain

A device moving rule applies to all devices included in the specified Windows domain.

DNS name of the device

DNS domain name of the client device that you want to move. Fill this field if your network includes a DNS
server.

If case sensitive collation is set for the database that you use for Kaspersky Security Center, keep
case when you specify a device DNS name. Otherwise, the device moving rule will not work.

DNS domain

A device moving rule applies to all devices included in the specified main DNS suffix. Fill this field if your
network includes a DNS server.

IP range

If this option is enabled, you can enter the initial and final IP addresses of the IP range in which the relevant
devices must be included.
By default, this option is disabled.

IP address for connection to Administration Server

If this option is enabled, you can set the IP addresses by which client devices are connected to
Administration Server. To do this, specify the IP range that includes all necessary IP addresses.
By default, this option is disabled.

Connection profile changed

Select one of the following values:

Yes. A device moving rule only applies to client devices with a changed connection profile.

No. The device moving rule only applies to the client devices whose connection profile has not
changed.

No value is selected. The condition does not apply.

Managed by a different Administration Server

Select one of the following values:

Yes. A device moving rule only applies to client devices managed by other Administration Servers.
These Servers are different from the Server on which you configure the device moving rule.

No. The device moving rule only applies to client devices managed by the current Administration
Server.

No value is selected. The condition does not apply.

Applications tab

On this tab, you can configure a device moving rule based on the managed applications and operating systems
installed on client devices:

Network Agent is installed

Select one of the following values:


Yes. A device moving rule only applies to client devices with Network Agent installed.

No. The device moving rule only applies to client devices on which Network Agent is not installed.

No value is selected. The condition does not apply.

Applications

Specify what managed applications should be installed on client devices, so a device moving rule applies to
these devices. For example, you can select Kaspersky Security Center 14 Network Agent or Kaspersky
Security Center 14 Administration Server.
If you do not select any managed application, the condition does not apply.

Operating system version

You can filter client devices by operating system version. For this purpose, specify the operating
systems that should be installed on the client devices. As a result, a device moving rule applies to the client
devices with the selected operating systems.
If you do not enable this option, the condition does not apply. By default, the option is disabled.

Operating system bit size

You can filter client devices by operating system bit size. In the Operating system bit size field, you can
select one of the following values:
Unknown

x86

AMD64

IA64
To check the operating system bit size of the client devices:

1. In the main menu, go to the DEVICES → MANAGED DEVICES section.

2. Click the Columns settings button ( ) on the right.

3. Select the Operating system bit size option, and then click the Save button.
After that, the operating system bit size is displayed for every managed device.

Operating system service pack version

In this field, you can specify the package version of the operating system (in the X.Y format), which will
determine how the moving rule is applied to the device. By default, no version value is specified.

User certificate

Select one of the following values:

Installed. A device moving rule only applies to mobile devices with a mobile certificate.

Not installed. The device moving rule only applies to mobile devices without a mobile certificate.

No value is selected. The condition does not apply.

Operating system build

This setting is applicable to Windows operating systems only.

You can specify whether the selected operating system must have an equal, earlier, or later build number.
You can also configure a device moving rule for all build numbers except the specified one.

Operating system release number

This setting is applicable to Windows operating systems only.

You can specify whether the selected operating system must have an equal, earlier, or later release number.
You can also configure a device moving rule for all release numbers except the specified one.

Virtual machines tab

On this tab, you can configure a device moving rule according to whether client devices are virtual machines or
part of a virtual desktop infrastructure (VDI):

This is a virtual machine

In the drop-down list, you can select one of the following:


N/A. The condition does not apply.

No. Move devices that are not virtual machines.

Yes. Move devices that are virtual machines.

Virtual machine type

Part of Virtual Desktop Infrastructure

In the drop-down list, you can select one of the following:


N/A. The condition does not apply.

No. Move devices that are not part of VDI.

Yes. Move devices that are part of VDI.

Active Directory tab

On this tab, you can specify that it is necessary to move devices included in the Active Directory OU. You can also
move devices from all child OUs of the specified Active Directory OU:

Device is in an Active Directory organizational unit

If this option is enabled, a device moving rule applies to devices from the Active Directory organizational
unit specified in the list under the option.
By default, this option is disabled.

Include child organizational units

If this option is enabled, the selection includes devices from all child organizational units of the specified
Active Directory organizational unit.
By default, this option is disabled.

Move devices from child units to corresponding subgroups

Create subgroups corresponding to containers of newly detected devices

Delete subgroups that are not present in Active Directory

This device is a member of an Active Directory group

If this option is enabled, a device moving rule applies to devices from the Active Directory group specified
in the list under the option.
By default, this option is disabled.

Cloud segments tab

On this tab, you can specify that it is necessary to move devices that belong to specific cloud segments:

Device is in a cloud segment

If you select this option, a device moving rule applies to the client devices that belong to a cloud segment.
You can select the required cloud segment up to a subnet in the list under the option.
By default, the option is disabled.

Include child objects

If you select this option, a device moving rule applies not only to the selected cloud segment, but also to
the child objects of this segment.
By default, the option is disabled.

Move devices from nested objects to corresponding subgroups

Create subgroups corresponding to containers of newly detected devices

Delete subgroups for which no match is found in the cloud segments

Device discovered by using the API

In the drop-down list, you can select whether a device is detected by API tools:
AWS. The device is discovered by using the AWS API, that is, the device is definitely in the AWS cloud
environment.

Azure. The device is discovered by using the Azure API, that is, the device is definitely in the Azure
cloud environment.

Google Cloud. The device is discovered by using the Google API, that is, the device is definitely in the
Google Cloud environment.

No. The device cannot be detected by using the AWS, Azure, or Google API, that is, it is either
outside the cloud environment or it is in the cloud environment but it cannot be detected by using an
API.

No value. This condition does not apply.
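The following is an added example, not code from Kaspersky Security Center, that models how the moving rules described above allocate devices: conditions from the Tags, Network and Applications tabs are combined with AND, blank conditions are skipped, a disabled rule is ignored, a rule with "Move only devices that do not belong to an administration group" skips assigned devices, and the highest rule in the list wins. The rules, devices, group names and the way the two tag options combine are constructed assumptions.

```python
"""Model of device moving rule evaluation (added example, not Kaspersky code;
rules, devices and group names are constructed)."""
import ipaddress
from dataclasses import dataclass
from typing import FrozenSet, Optional, Tuple


@dataclass
class Device:
    name: str
    ip: str
    group: Optional[str] = None                 # None = unassigned device
    tags: FrozenSet[str] = frozenset()
    dns_name: str = ""
    network_agent_installed: bool = False


@dataclass
class MovingRule:
    name: str
    target_group: str
    enabled: bool = True
    move_only_unassigned: bool = False          # "Move only devices that do not belong to an administration group"
    # Tags tab
    tags: FrozenSet[str] = frozenset()
    apply_if_at_least_one_tag: bool = False     # "Apply if at least one specified tag matches"
    apply_to_devices_without_tags: bool = False # "Apply to devices without the specified tags"
    # Network tab (None = field left blank, so the condition does not apply)
    ip_range: Optional[Tuple[str, str]] = None  # initial and final address, inclusive
    dns_name: Optional[str] = None
    # Applications tab (None = "No value is selected")
    network_agent_installed: Optional[bool] = None


def tags_condition(rule: MovingRule, device: Device) -> bool:
    if not rule.tags:
        return True                             # no tags selected: condition does not apply
    if rule.apply_if_at_least_one_tag:
        has_tags = bool(rule.tags & device.tags)
    else:
        has_tags = rule.tags <= device.tags     # device must carry all selected tags
    # With the exclusion option on, devices that carry the tags are excluded instead.
    # Combining the two options this way is this example's reading of their descriptions.
    return not has_tags if rule.apply_to_devices_without_tags else has_tags


def rule_matches(rule: MovingRule, device: Device) -> bool:
    """Every condition that is set must hold at the same time (logical AND)."""
    if not tags_condition(rule, device):
        return False
    if rule.ip_range is not None:
        first, last = (ipaddress.ip_address(a) for a in rule.ip_range)
        if not first <= ipaddress.ip_address(device.ip) <= last:
            return False
    # Exact comparison: the manual warns that with a case-sensitive database
    # collation a DNS name entered in the wrong case does not match.
    if rule.dns_name is not None and device.dns_name != rule.dns_name:
        return False
    if (rule.network_agent_installed is not None
            and device.network_agent_installed != rule.network_agent_installed):
        return False
    return True


def allocate(rules, devices) -> dict:
    """Return {device name: target group or None}. rules is in list order; the
    first (highest-priority) enabled rule whose conditions a device meets wins."""
    decision = {}
    for device in devices:
        decision[device.name] = None
        for rule in rules:
            if not rule.enabled:
                continue
            if rule.move_only_unassigned and device.group is not None:
                continue
            if rule_matches(rule, device):
                decision[device.name] = rule.target_group
                break
    return decision


# Constructed rules, listed in priority order (highest first).
RULES = [
    MovingRule("Servers", "Managed devices/Servers", tags=frozenset({"server"})),
    MovingRule("Lab subnet", "Managed devices/Lab", ip_range=("10.0.5.1", "10.0.5.254"),
               move_only_unassigned=True),
    MovingRule("Guests", "Managed devices/Guests", tags=frozenset({"staff", "server"}),
               apply_if_at_least_one_tag=True, apply_to_devices_without_tags=True),
    MovingRule("Disabled rule", "Managed devices/Quarantine", enabled=False, network_agent_installed=False),
]

# Constructed devices.
DEVICES = [
    Device("srv-01", "10.0.5.10", tags=frozenset({"server", "web"}), network_agent_installed=True),
    Device("ws-02", "10.0.5.20", tags=frozenset({"staff"}), network_agent_installed=True),
    Device("ws-03", "10.0.5.30", group="Managed devices/Workstations", tags=frozenset({"staff"})),
    Device("visitor-04", "192.168.9.4", tags=frozenset({"byod"})),
]

if __name__ == "__main__":
    for name, group in allocate(RULES, DEVICES).items():
        print(f"{name:12} -> {group}")
```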

Viewing and configuring the actions when devices show inactivity

If client devices within a group are inactive, you can get notifications about it. You can also automatically delete
such devices.

To view or configure the actions when the devices in the group show inactivity:

1. In the main menu, go to DEVICES → HIERARCHY OF GROUPS.

2. Click the name of the required administration group.


The administration group properties window opens.

3. In the properties window, go to the Settings tab.

4. In the Inheritance section, enable or disable the following options:

Inherit from parent group

The settings in this section will be inherited from the parent group in which the client device is included.
If this option is enabled, the settings under Device activity on the network are locked from any
changes.
This option is available only if the administration group has a parent group.
By default, this option is enabled.

Force inheritance of settings in child groups

The setting values will be distributed to child groups but in the properties of the child groups these
settings are locked.
By default, this option is disabled.

5. In the Device activity section, enable or disable the following options:

Notify the administrator if the device has been inactive for longer than (days)

If this option is enabled, the administrator receives notifications about inactive devices. You can specify
the time interval after which the Device has remained inactive on the network in a long time event is
created. The default time interval is 7 days.
By default, this option is enabled.

Remove the device from the group if it has been inactive for longer than (days)

If this option is enabled, you can specify the time interval after which the device is automatically
removed from the group. The default time interval is 60 days.
By default, this option is enabled.

6. Click Save.

Your changes are saved and applied.

About device statuses


Kaspersky Security Center assigns a status to each managed device. The particular status depends on whether
the conditions defined by the user are met. In some cases, when assigning a status to a device, Kaspersky Security
Center takes into consideration the device's visibility flag on the network (see the table below). If Kaspersky
Security Center does not find a device on the network within two hours, the visibility flag of the device is set to
Not Visible.

The statuses are the following:

Critical or Critical / Visible

Warning or Warning / Visible

OK or OK / Visible

The table below lists the default conditions that must be met to assign the Critical or Warning status to a device,
with all possible values.
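As an added example (not Kaspersky code), the check below applies the two-hour visibility rule and the conditions from the table that follows to constructed device records, honouring each condition's applicability limits (device visible, days since the device was added to the database). The thresholds and the Critical or Warning status each condition assigns are constructed, since the administrator configures them in the product.

```python
"""Evaluates a managed device against the status conditions of the table below
(added example, not Kaspersky code; thresholds and assignments are constructed)."""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List, Optional

VISIBILITY_TIMEOUT = timedelta(hours=2)  # not found within two hours -> Not Visible
SEVERITY = {"OK": 0, "Warning": 1, "Critical": 2}
VULN_RANK = {"Medium": 1, "High": 2, "Critical": 3}


@dataclass
class Device:
    name: str
    last_seen: datetime
    days_in_database: int                          # days since added to the Server database
    network_agent_installed: bool = True
    security_app_installed: bool = True
    viruses_detected: int = 0
    realtime_protection: str = "Running"           # Running / Paused / Stopped
    days_since_scan: Optional[float] = None        # None = never scanned
    days_since_db_update: Optional[float] = None   # None = never updated
    days_since_connection: float = 0.0
    active_threats: int = 0
    restart_pending_minutes: int = 0
    incompatible_apps: bool = False
    worst_vulnerability: Optional[str] = None      # Critical / High / Medium / None
    license_expired: bool = False
    license_days_left: Optional[int] = None


def is_visible(d: Device, now: datetime) -> bool:
    return now - d.last_seen <= VISIBILITY_TIMEOUT


def met_conditions(d: Device, now: datetime, t: Dict) -> List[str]:
    """Names of the table's conditions the device meets; t holds the chosen
    'available values'. Conditions that require a visible device are skipped
    when the visibility flag is Not Visible."""
    vis = is_visible(d, now)
    hits = []
    if d.network_agent_installed and not d.security_app_installed:
        hits.append("Security application is not installed")
    if d.viruses_detected > t["viruses"]:
        hits.append("Too many viruses detected")
    if vis and d.realtime_protection != t["protection_level"]:
        hits.append("Real-time protection level differs from the level set by the Administrator")
    if (vis and d.security_app_installed and d.days_in_database >= 7
            and (d.days_since_scan is None or d.days_since_scan > t["scan_days"])):
        hits.append("Virus scan has not been performed in a long time")
    if (vis and d.security_app_installed and d.days_in_database >= 1
            and (d.days_since_db_update is None or d.days_since_db_update > t["db_days"])):
        hits.append("Databases are outdated")
    if d.network_agent_installed and d.days_since_connection > t["connect_days"]:
        hits.append("Not connected in a long time")
    if d.active_threats > t["active_threats"]:
        hits.append("Active threats are detected")
    if vis and d.restart_pending_minutes > t["restart_minutes"]:
        hits.append("Restart is required")
    if vis and d.incompatible_apps:
        hits.append("Incompatible applications are installed")
    if (vis and d.network_agent_installed and d.worst_vulnerability is not None
            and VULN_RANK[d.worst_vulnerability] >= VULN_RANK[t["vuln_severity"]]):
        hits.append("Software vulnerabilities have been detected")
    if vis and d.license_expired:
        hits.append("License expired")
    if vis and d.license_days_left is not None and d.license_days_left < t["license_days"]:
        hits.append("License expires soon")
    return hits


def device_status(d: Device, now: datetime, t: Dict, assigns: Dict[str, str]) -> str:
    """Worst status among the met conditions, with ' / Visible' appended for a
    visible device as in the status list above. assigns maps a condition to the
    status (Critical or Warning) it was given; unlisted ones count as Warning."""
    status = "OK"
    for name in met_conditions(d, now, t):
        if SEVERITY[assigns.get(name, "Warning")] > SEVERITY[status]:
            status = assigns.get(name, "Warning")
    return status + " / Visible" if is_visible(d, now) else status


# Constructed thresholds (the table's 'available values') and status assignments.
THRESHOLDS = {"viruses": 0, "protection_level": "Running", "scan_days": 1, "db_days": 1,
              "connect_days": 1, "active_threats": 0, "restart_minutes": 0,
              "vuln_severity": "High", "license_days": 14}
ASSIGNS = {"Software vulnerabilities have been detected": "Critical",
           "Active threats are detected": "Critical",
           "Security application is not installed": "Critical"}

# Constructed devices: a visible workstation and a laptop last seen three hours ago.
NOW = datetime(2023, 6, 1, 12, 0)
WS = Device("ws-finance-07", NOW - timedelta(minutes=20), days_in_database=30, days_since_scan=3,
            days_since_db_update=0.5, worst_vulnerability="High", license_days_left=10)
LAPTOP = Device("lt-sales-02", NOW - timedelta(hours=3), days_in_database=2,
                security_app_installed=False, days_since_connection=2)

if __name__ == "__main__":
    for dev in (WS, LAPTOP):
        print(dev.name, "->", device_status(dev, NOW, THRESHOLDS, ASSIGNS), met_conditions(dev, NOW, THRESHOLDS))
```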

Conditions for assigning a status to a device

Condition: Security application is not installed
Description: Network Agent is installed on the device, but a security application is not installed.
Available values: Toggle button is on. Toggle button is off.

Condition: Too many viruses detected
Description: Some viruses have been found on the device by a task for virus detection, for example, the Virus scan task, and the number of viruses found exceeds the specified value.
Available values: More than 0.

Condition: Real-time protection level differs from the level set by the Administrator
Description: The device is visible on the network, but the real-time protection level differs from the level set (in the condition) by the administrator for the device status.
Available values: Stopped. Paused. Running.

Condition: Virus scan has not been performed in a long time
Description: The device is visible on the network and a security application is installed on the device, but neither the Malware scan task nor a local scan task has been run within the specified time interval. The condition is applicable only to devices that were added to the Administration Server database 7 days ago or earlier.
Available values: More than 1 day.

Condition: Databases are outdated
Description: The device is visible on the network and a security application is installed on the device, but the anti-virus databases have not been updated on this device within the specified time interval. The condition is applicable only to devices that were added to the Administration Server database 1 day ago or earlier.
Available values: More than 1 day.

Condition: Not connected in a long time
Description: Network Agent is installed on the device, but the device has not connected to an Administration Server within the specified time interval, because the device was turned off.
Available values: More than 1 day.

Condition: Active threats are detected
Description: The number of unprocessed objects in the ACTIVE THREATS folder exceeds the specified value.
Available values: More than 0 items.

Condition: Restart is required
Description: The device is visible on the network, but an application has been requiring a device restart for longer than the specified time interval, for one of the selected reasons.
Available values: More than 0 minutes.

Condition: Incompatible applications are installed
Description: The device is visible on the network, but software inventory performed through Network Agent has detected incompatible applications installed on the device.
Available values: Toggle button is off. Toggle button is on.

Condition: Software vulnerabilities have been detected
Description: The device is visible on the network and Network Agent is installed on the device, but the Find vulnerabilities and required updates task has detected vulnerabilities with the specified severity level in applications installed on the device.
Available values: Critical. High. Medium. Ignore if the vulnerability cannot be fixed. Ignore if an update is assigned for installation.

Condition: License expired
Description: The device is visible on the network, but the license has expired.
Available values: Toggle button is off. Toggle button is on.

Condition: License expires soon
Description: The device is visible on the network, but the license will expire on the device in less than the specified number of days.
Available values: More than 0 days.

Condition: Check for Windows Update updates has not been performed in a long time
Description: The device is visible on the network, but the Perform Windows Update synchronization task has not been run within the specified time interval.
Available values: More than 1 day.

Condition: Invalid encryption status
Description: Network Agent is installed on the device, but the device encryption result is equal to the specified value.
Available values: Does not comply with the policy due to the user's refusal (for external devices only). Does not comply with the policy due to an error. Restart is required when applying the policy. No encryption policy is specified. Not supported. When applying the policy.

Condition: Mobile device settings do not comply with the policy
Description: The mobile device settings are other than the settings that were specified in the Kaspersky Endpoint Security for Android policy during the check of compliance rules.
Available values: Toggle button is off. Toggle button is on.

Condition: Unprocessed incidents detected
Description: Some unprocessed incidents have been found on the device. Incidents can be created either automatically, through managed Kaspersky applications installed on the client device, or manually by the administrator.
Available values: Toggle button is off. Toggle button is on.

Condition: Device status defined by application
Description: The status of the device is defined by the managed application.
Available values: Toggle button is off. Toggle button is on.

Condition: Device is out of disk space
Description: Free disk space on the device is less than the specified value or the device could not be synchronized with the Administration Server. The Critical or Warning status is changed to the OK status when the device is successfully synchronized with the Administration Server and free space on the device is greater than or equal to the specified value.
Available values: More than 0 MB.

Condition: Device has become unmanaged
Description: During device discovery, the device was recognized as visible on the network, but more than three attempts to synchronize with the Administration Server failed.
Available values: Toggle button is off. Toggle button is on.

Condition: Protection is disabled
Description: The device is visible on the network, but the security application on the device has been disabled for longer than the specified time interval.
Available values: More than 0 minutes.

Condition: Security application is not running
Description: The device is visible on the network and a security application is installed on the device but is not running.
Available values: Toggle button is off. Toggle button is on.

Kaspersky Security Center allows you to set up automatic switching of the status of a device in an administration
group when specified conditions are met. When specified conditions are met, the client device is assigned one of
the following statuses: Critical or Warning. When specified conditions are not met, the client device is assigned the
OK status.

Different statuses may correspond to different values of one condition. For example, by default, if the Databases
are outdated condition has the More than 3 days value, the client device is assigned the Warning status; if the
value is More than 7 days, the Critical status is assigned.

If you upgrade Kaspersky Security Center from the previous version, the values of the Databases are
outdated condition for assigning the Critical or Warning status do not change.

When Kaspersky Security Center assigns a status to a device, for some conditions (see the Condition
description column) the visibility flag is taken into consideration. For example, if a managed device was
assigned the Critical status because the Databases are outdated condition was met, and later the device's
visibility flag was set to Not Visible, the condition no longer applies and the device is assigned the OK status.
In practice this means that a device which silently drops off the network reverts to OK as far as the
visibility-dependent conditions are concerned. If you want such devices to stay flagged, also enable a condition
that does not depend on visibility, such as Not connected in a long time.
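The following Python model is added here as an illustration; it is not part of Kaspersky Security Center or its documentation. It shows how the rules above combine: a Critical rule table and a Warning rule table, conditions that are skipped while the device is Not Visible, Critical taking precedence over Warning, and a device reverting to OK once no enabled condition applies to it. The Device record, the three conditions modeled, the rule tables and the sample fleet are constructed for the example; the thresholds copy the defaults quoted in the text.

```python
"""Added example, not Kaspersky code: a model of how the Device status
rules turn per-device facts into Critical / Warning / OK.  The Device
record, the three conditions modeled, the rule tables and the sample
fleet are constructed here; thresholds copy the defaults quoted in the
help (Databases are outdated: Warning > 3 days, Critical > 7 days;
visibility flag cleared after two hours without contact)."""
from dataclasses import dataclass
from datetime import datetime, timedelta

NOW = datetime(2023, 6, 1, 12, 0)  # constructed "current time" for the sample fleet


@dataclass
class Device:
    name: str
    last_seen: datetime       # last time the Server found the device on the network
    last_connected: datetime  # last Network Agent connection to the Server
    db_age_days: float        # age of the anti-virus databases on the device
    active_threats: int       # unprocessed objects in the ACTIVE THREATS folder


def is_visible(dev: Device, now: datetime) -> bool:
    """Visibility flag: Not Visible once the device has not been found for two hours."""
    return now - dev.last_seen <= timedelta(hours=2)


# condition name -> (requires the device to be visible?, predicate(device, now, value))
CONDITIONS = {
    "Databases are outdated":
        (True, lambda d, now, days: d.db_age_days > days),
    "Active threats are detected":
        (False, lambda d, now, items: d.active_threats > items),
    "Not connected in a long time":
        (False, lambda d, now, days: now - d.last_connected > timedelta(days=days)),
}

# Rule tables as set in the Device status section: condition -> value.
CRITICAL_RULES = {"Databases are outdated": 7, "Active threats are detected": 0}
WARNING_RULES = {"Databases are outdated": 3, "Not connected in a long time": 1}


def matching_conditions(dev: Device, now: datetime, rules: dict) -> list:
    """Names of the enabled conditions the device currently meets."""
    visible = is_visible(dev, now)
    hits = []
    for name, value in rules.items():
        needs_visibility, check = CONDITIONS[name]
        if needs_visibility and not visible:
            continue  # the condition simply stops applying to an invisible device
        if check(dev, now, value):
            hits.append(name)
    return hits


def evaluate_status(dev, now, critical=CRITICAL_RULES, warning=WARNING_RULES):
    """Critical outranks Warning; a device meeting no enabled condition is OK."""
    hits = matching_conditions(dev, now, critical)
    if hits:
        return "Critical", hits
    hits = matching_conditions(dev, now, warning)
    if hits:
        return "Warning", hits
    return "OK", []


def demo() -> dict:
    """Constructed sample fleet; returns {label: (status, reasons)}."""
    fresh = NOW - timedelta(minutes=10)
    stale = NOW - timedelta(days=3)
    ws01 = Device("ws01", fresh, fresh, db_age_days=10, active_threats=0)  # visible, old databases
    ws02 = Device("ws02", fresh, fresh, db_age_days=5, active_threats=0)   # visible, ageing databases
    ws03 = Device("ws03", stale, stale, db_age_days=10, active_threats=0)  # dropped off the network
    ws04 = Device("ws04", stale, stale, db_age_days=10, active_threats=2)  # invisible, threats pending
    results = {d.name: evaluate_status(d, NOW) for d in (ws01, ws02, ws03, ws04)}
    # Same ws03 with the visibility-independent rule removed from the Warning table:
    # nothing is left to flag it, so it quietly reverts to OK.
    results["ws03 without Not-connected rule"] = evaluate_status(
        ws03, NOW, warning={"Databases are outdated": 3})
    return results


if __name__ == "__main__":
    for label, (status, reasons) in demo().items():
        print(f"{label:32} {status:8} {', '.join(reasons) or '-'}")
```

Running it prints one line per sample device. The last line is the point of the caveat above: with only visibility-dependent rules enabled, ws03, which has not been seen for three days and carries 10-day-old databases, is reported as OK.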

Configuring the switching of device statuses
You can change conditions to assign the Critical or Warning status to a device.

To enable changing the device status to Critical:

1. Open the properties window in one of the following ways:

In the Policies folder, in the context menu of an Administration Server policy, select Properties.

Select Properties in the context menu of an administration group.

2. In the Properties window that opens, in the Sections pane, select Device status.

3. In the right pane, in the Set to Critical if these are specified section, select the check box next to a condition
in the list.

You can change only settings that are not locked in the parent policy.

4. Set the required value for the selected condition.


You can set values for some, but not all, conditions.

5. Click OK.

When specified conditions are met, the managed device is assigned the Critical status.

To enable changing the device status to Warning:

1. Open the properties window in one of the following ways:

In the Policies folder, in the context menu of the Administration Server policy, select Properties.

Select Properties in the context menu of the administration group.

2. In the Properties window that opens, in the Sections pane select Device status.

3. In the right pane, in the Set to Warning if these are specified section, select the check box next to a condition
in the list.

You can change only settings that are not locked in the parent policy.

4. Set the required value for the selected condition.


You can set values for some, but not all, conditions.

5. Click OK.

When specified conditions are met, the managed device is assigned the Warning status.

Remotely connecting to the desktop of a client device
The administrator can obtain remote access to the desktop of a client device through a Network Agent installed
on the device. Remote connection to a device through the Network Agent is possible even if the TCP and UDP
ports of the client device are closed.

Upon establishing the connection with the device, the administrator gains full access to information stored on this
device and can manage applications installed on it.

Remote connection must be allowed in the operating system settings of the target managed device. For
example, in Windows 10, this option is called Allow Remote Assistance connections to this computer (you
can find this option at Control Panel → System and Security → System → Remote settings). If you have a
license for the Vulnerability and Patch Management feature, you can enable this option forcibly when you
establish connection to a managed device. If you do not have the license, enable this option locally on the
target managed device. If this option is disabled, remote connection is not possible.

To establish remote connection to a device, you must have two utilities:

Kaspersky utility named klsctunnel. This utility must be stored on the administrator's workstation. You use this
utility for tunneling the connection between a client device and the Administration Server.
Kaspersky Security Center allows tunneling TCP connections from Administration Console via the
Administration Server and then via Network Agent to a specified port on a managed device. Tunneling is
designed for connecting a client application on a device with Administration Console installed to a TCP port on
a managed device—if no direct connection is possible between Administration Console and the target device.
Connection tunneling between a remote client device and Administration Server is required if the port used for
connection to Administration Server is not available on the device. The port on the device may be unavailable in
the following cases:

The remote device is connected to a local network that uses the NAT mechanism.

The remote device is part of the local network of Administration Server, but its port is closed by a firewall.

Standard Microsoft Windows component named Remote Desktop Connection. Connection to a remote
desktop is established through the standard Windows utility mstsc.exe in accordance with the utility's settings.
Connection to the current remote desktop session of the user is established without the user's knowledge.
Once the administrator connects to the session, the device user is disconnected from the session without an
advance notification.

To connect to the desktop of a client device:

1. In MMC-based Administration Console, in the context menu of the Administration Server, select Properties.

2. In the Administration Server properties window that opens, go to Administration Server connection settings
→ Connection ports.

3. Make sure that the Open RDP port for Kaspersky Security Center 14 Web Console option is enabled.

4. In Kaspersky Security Center Web Console, go to DEVICES → MANAGED DEVICES.

5. In the Current path field above the list of managed devices, click the path link.

6. In the left-side pane that opens, select the administration group that contains the device to which you want to
obtain access.

7. Select the check box next to the name of the device to which you want to obtain access.

8. Click the Connect to Remote Desktop button.


The Remote Desktop (Windows only) window opens.

9. Enable the Allow remote desktop connection on managed device option. In this case, the connection will be
established even if remote connections are currently prohibited in the operating system settings on the
managed device.

This option is only available if you have a license for the Vulnerability and Patch Management feature.

10. Click the Download button to download the klsctunnel utility.

11. Click the Copy to clipboard button to copy the text from the text field. This text is a Binary Large Object
(BLOB) that contains settings required to establish connection between the Administration Server and the
managed device.

A BLOB is valid for 3 minutes. If it has expired, reopen the Remote Desktop (Windows only) window to
generate a new BLOB.

12. Run the klsctunnel utility.


The utility window opens.

13. Paste the copied text into the text field.

14. If you use a proxy server, select the Use proxy server check box, and then specify the proxy server connection
settings.

15. Click the Open port button.


The Remote Desktop Connection login window opens.

16. Specify the credentials of the account under which you are currently logged in to Kaspersky Security Center
Web Console.

17. Click the Connect button.

When connection to the device is established, the desktop is available in the Remote Desktop Connection
window of Microsoft Windows.

Connecting to devices through Windows Desktop Sharing


The administrator can obtain remote access to the desktop of a client device through a Network Agent installed
on the device. Remote connection to a device through the Network Agent is possible even if the TCP and UDP
ports of the client device are closed.

The administrator can connect to an existing session on a client device without disconnecting the user in this
session. In this case, the administrator and the session user on the device share access to the desktop.

To establish remote connection to a device, you must have two utilities:

Kaspersky utility named klsctunnel. This utility must be stored on the administrator's workstation. You use this
utility for tunneling the connection between a client device and the Administration Server.
Kaspersky Security Center allows tunneling TCP connections from Administration Console via the
Administration Server and then via Network Agent to a specified port on a managed device. Tunneling is
designed for connecting a client application on a device with Administration Console installed to a TCP port on
a managed device—if no direct connection is possible between Administration Console and the target device.
Connection tunneling between a remote client device and Administration Server is required if the port used for
connection to Administration Server is not available on the device. The port on the device may be unavailable in
the following cases:

The remote device is connected to a local network that uses the NAT mechanism.

The remote device is part of the local network of Administration Server, but its port is closed by a firewall.

Windows Desktop Sharing. When connecting to an existing session of the remote desktop, the session user on
the device receives a connection request from the administrator. No information about remote activity on the
device and its results will be saved in reports created by Kaspersky Security Center.
The administrator can configure an audit of user activity on a remote client device. During the audit, the
application saves information about files on the client device that have been opened and/or modified by the
administrator.

To connect to the desktop of a client device through Windows Desktop Sharing, the following conditions must be
met:

Microsoft Windows Vista or later is installed on the administrator's workstation. The type of operating system
of the device hosting Administration Server imposes no restrictions on connection through Windows Desktop
Sharing.
To check whether the Windows Desktop Sharing feature is included in your Windows edition, make sure that
there is CLSID\{32BE5ED2-5C86-480F-A914-0FF8885A1B3F} key in the Windows Registry.

Microsoft Windows Vista or later is installed on the client device.

Kaspersky Security Center uses a license for Vulnerability and patch management.

To connect to the desktop of a client device through Windows Desktop Sharing:

1. In MMC-based Administration Console, in the context menu of the Administration Server, select Properties.

2. In the Administration Server properties window that opens, go to Administration Server connection settings
→ Connection ports.

3. Make sure that the Open RDP port for Kaspersky Security Center 14 Web Console option is enabled.

4. In Kaspersky Security Center Web Console, go to DEVICES → MANAGED DEVICES.

5. In the Current path field above the list of managed devices, click the path link.

6. In the left-side pane that opens, select the administration group that contains the device to which you want to
obtain access.

7. Select the check box next to the name of the device to which you want to obtain access.

8. Click the Windows Desktop Sharing button.

The Windows Desktop Sharing Wizard opens.

9. Click the Download button to download the klsctunnel utility, and wait for the download process to complete.
If you already have the klsctunnel utility, skip this step.

10. Click the Next button.

11. Select the session on the device to which you want to connect, and then click the Next button.

12. On the target device, in the dialog box that opens, the user must allow a desktop sharing session. Otherwise,
the session is not possible.
After the device user confirms the desktop sharing session, the next page of the Wizard opens.

13. Click the Copy to clipboard button to copy the text from the text field. This text is a Binary Large Object
(BLOB) that contains settings required to establish connection between the Administration Server and the
managed device.

A BLOB is valid for 3 minutes. If it has expired, generate a new BLOB.

14. Run the klsctunnel utility.


The utility window opens.

15. Paste the copied text into the text field.

16. If you use a proxy server, select the Use proxy server check box, and then specify the proxy server connection
settings.

17. Click the Open port button.

Desktop sharing starts in a new window. If you want to interact with the device, click the menu icon in the
upper-left corner of the window, and then select Interactive mode.

Device selections
Device selections are a tool for filtering devices according to specific conditions. You can use device selections to
manage several devices: for example, to view a report about only these devices or to move all of these devices to
another group.

Kaspersky Security Center provides a broad range of predefined selections (for example, Devices with Critical
status, Protection is disabled, Active threats are detected). Predefined selections cannot be deleted. You can
also create and configure additional user-defined selections.

In user-defined selections, you can set the search scope and select all devices, managed devices, or unassigned
devices. Search parameters are specified in the conditions. In the device selection you can create several
conditions with different search parameters. For example, you can create two conditions and specify different IP
ranges in each of them. If several conditions are specified, a selection displays the devices that meet any of the
conditions (the conditions are combined with OR). By contrast, search parameters within one condition are
combined with AND: if both an IP range and the name of an installed application are specified in a condition, only
those devices will be displayed where both the application is installed and the IP address belongs to the
specified range.

Viewing the device list from a device selection
Kaspersky Security Center allows you to view the list of devices from a device selection.

To view the device list from the device selection:

1. In the main menu, go to the DEVICES → DEVICE SELECTIONS or DISCOVERY & DEPLOYMENT → DEVICE
SELECTIONS section.

2. In the selection list, click the name of the device selection.


The page displays a table with information about the devices included in the device selection.

3. You can group and filter the data of the device table as follows:

Click the settings icon, and then select the columns to be displayed in the table.

Click the filter icon, and then specify and apply the filter criterion in the invoked menu.
The filtered table of devices is displayed.

You can select one or several devices in the device selection and click the New task button to create a task that
will be applied to these devices.

To move the selected devices of the device selection to another administration group, click the Move to group
button, and then select the target administration group.

Creating a device selection


To create a device selection:

1. In the main menu, go to DEVICES → DEVICE SELECTIONS.


A page with a list of device selections is displayed.

2. Click the Add button.


The Device selection settings window opens.

3. Enter the name of the new selection.

4. Specify the group that contains the devices to be included in the device selection:

Find any devices—Search for devices that meet the selection criteria and are included in the Managed
Devices or UNASSIGNED DEVICES group.

Find managed devices—Search for devices that meet the selection criteria and are included in the Managed
Devices group.

Find unassigned devices—Search for devices that meet the selection criteria and are included in the
UNASSIGNED DEVICES group.

Select the Include data from secondary Administration Servers check box to also search for devices that
meet the selection criteria and are managed by secondary Administration Servers.

5. Click the Add button.


6. In the window that opens, specify conditions that must be met for including devices in this selection, and then
click the OK button.

7. Click the Save button.

The device selection is created and added to the list of device selections.

Configuring a device selection

To configure a device selection:

1. In the main menu, go to DEVICES → DEVICE SELECTIONS.


A page with a list of device selections is displayed.

2. Select the relevant user-defined device selection, and click the Properties button.
The Device selection settings window opens.

3. On the General tab, click the New condition link.

4. Specify conditions that must be met for including devices in this selection.

5. Click the Save button.

The settings are applied and saved.

Below are descriptions of the conditions for assigning devices to a selection. Conditions are combined by using
the OR logical operator: the selection will contain devices that comply with at least one of the listed conditions.

General

In the General section, you can change the name of the selection condition and specify whether that condition
must be inverted:
Invert selection condition

If this option is enabled, the specified selection condition will be inverted. The selection will include all devices
that do not meet the condition.
By default, this option is disabled.

Network infrastructure

In the Network subsection, you can specify the criteria that will be used to include devices in the selection
according to their network data:

Device name

Windows network name (NetBIOS name) of the device, or the IPv4 or IPv6 address.

Windows domain

Displays all devices included in the specified Windows domain.

Administration group

Displays devices included in the specified administration group.

Description

Text in the device properties window: In the Description field of the General section.
To describe text in the Description field, you can use the following characters:
Within a word:

*. Replaces any string with any number of characters.

Example:
To describe words such as Server or Server's, you can enter Server*.

?. Replaces any single character.

Example:
To describe words such as Window or Windows, you can enter Windo?.
Asterisk (*) or question mark (?) cannot be used as the first character in the query.

To find several words:

Space. Displays all the devices whose descriptions contain any of the listed words.

Example:
To find a phrase that contains the Secondary or Virtual words, you can include the Secondary Virtual line in
your query.

+. When a plus sign precedes a word, all search results will contain this word.

Example:
To find a phrase that contains both Secondary and Virtual, enter the +Secondary+Virtual query.

-. When a minus sign precedes a word, no search results will contain this word.

Example:
To find a phrase that contains Secondary and does not contain Virtual, enter the +Secondary-Virtual query.

"<some text>". Text enclosed in quotation marks must be present in the text.

Example:
To find a phrase that contains the Secondary Server word combination, you can enter "Secondary
Server" in the query.
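The following Python model is added here as an illustration; it is not Kaspersky code, and the product's actual matching engine is not published in this help. It combines the two rules stated in the Device selections introduction (conditions are ORed, parameters within one condition are ANDed, an inverted condition is negated) with the Description query syntax above. The Device record, the parameter names ip_range, installed_app and description, and the sample fleet are constructed for the example. Two details the help leaves open are assumed: matching is case-insensitive, and a term matches when it occurs inside any whitespace-separated word, which is the only reading under which the help's own example Windo? matches both Window and Windows.

```python
"""Added example, not Kaspersky code: a model of how a device selection is
evaluated.  Conditions are ORed, the parameters inside one condition are
ANDed, "Invert selection condition" negates one condition, and a Description
parameter uses the help's query syntax (* and ? inside a word, space = any
of the words, +word = required, -word = excluded, "quoted" = phrase).
The Device record, parameter names and sample fleet are constructed here.
Assumed: matching is case-insensitive and a term matches inside any
whitespace-separated word (so Windo? matches Window and Windows)."""
import ipaddress
import re
from dataclasses import dataclass, field

# "quoted phrase"  |  optional +/- sign followed by a term.  Terms end at
# whitespace, quotes or the next sign, so +Secondary-Virtual is two terms
# (a hyphenated word in a query is therefore split; the help shows no escape).
_QUERY_TOKEN = re.compile(r'"([^"]*)"|([+-]?)([^\s"+-]+)')


def _term_regex(term: str) -> "re.Pattern":
    """Translate * and ? wildcards; a leading wildcard is rejected as the help requires."""
    if term[0] in "*?":
        raise ValueError(f"wildcard cannot start a term: {term!r}")
    pattern = re.escape(term).replace(r"\*", ".*").replace(r"\?", ".")
    return re.compile(pattern, re.IGNORECASE)


def description_matches(query: str, description: str) -> bool:
    """True if the device description satisfies the query."""
    words = description.split()
    buckets = {"+": [], "-": [], "": []}  # required, excluded, optional
    for phrase, sign, term in _QUERY_TOKEN.findall(query):
        if phrase:  # quoted text must appear as-is somewhere in the description
            buckets["+"].append((re.compile(re.escape(phrase), re.IGNORECASE), True))
        elif term:
            buckets[sign].append((_term_regex(term), False))

    def hit(entry):
        rx, whole_text = entry
        return bool(rx.search(description)) if whole_text else any(rx.search(w) for w in words)

    if not all(hit(e) for e in buckets["+"]):
        return False
    if any(hit(e) for e in buckets["-"]):
        return False
    return not buckets[""] or any(hit(e) for e in buckets[""])


@dataclass
class Device:
    name: str
    ip: str
    description: str = ""
    apps: set = field(default_factory=set)


def matches_condition(dev: Device, cond: dict) -> bool:
    """All parameters of one condition must hold; "invert" flips the result."""
    checks = []
    if "ip_range" in cond:
        low, high = (ipaddress.ip_address(a) for a in cond["ip_range"])
        checks.append(low <= ipaddress.ip_address(dev.ip) <= high)
    if "installed_app" in cond:
        checks.append(cond["installed_app"] in dev.apps)
    if "description" in cond:
        checks.append(description_matches(cond["description"], dev.description))
    result = all(checks)
    return (not result) if cond.get("invert") else result


def select(devices: list, conditions: list) -> list:
    """A device is selected when it satisfies at least one condition."""
    return [d.name for d in devices if any(matches_condition(d, c) for c in conditions)]


def demo() -> dict:
    """Constructed fleet and two selections; returns {label: [device names]}."""
    kes = "Kaspersky Endpoint Security"
    fleet = [
        Device("srv01", "10.0.0.5", "Secondary Administration Server, Virtual", {"Network Agent", kes}),
        Device("srv02", "10.0.0.6", "Secondary Server (physical)", {"Network Agent"}),
        Device("ws01", "192.168.1.10", "Windows 10 workstation", {"Network Agent", kes}),
        Device("ws02", "192.168.1.11", "", {"Network Agent"}),
    ]
    return {
        # OR between the two conditions, AND between the parameters of the first
        "servers": select(fleet, [
            {"ip_range": ("10.0.0.0", "10.0.0.255"), "installed_app": kes},
            {"description": "+Secondary-Virtual"},
        ]),
        # one inverted condition: every device whose description lacks Windo?
        "not_windows": select(fleet, [{"description": "Windo?", "invert": True}]),
    }


if __name__ == "__main__":
    for label, names in demo().items():
        print(f"{label}: {names}")
```

In the "servers" selection, srv01 is picked up by the first condition (in the IP range and running the application) and srv02 by the second (+Secondary present, Virtual absent); srv02 fails the first condition because only one of its two ANDed parameters holds. A leading wildcard raises an error instead of silently matching every word, which is the safer behaviour for a filter that drives group moves and tasks.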

IP range

If this option is enabled, you can enter the initial and final IP addresses of the IP range in which the relevant
devices must be included.
By default, this option is disabled.

Managed by a different Administration Server

Select one of the following values:

Yes. The selection includes only client devices managed by other Administration Servers, that is,
Servers other than the one on which you configure the selection.

No. The selection includes only client devices managed by the current Administration Server.

No value is selected. The condition does not apply.

In the Active Directory subsection, you can configure criteria for including devices into a selection based on their
Active Directory data:

Device is in an Active Directory organizational unit

If this option is enabled, the selection includes devices from the Active Directory unit specified in the entry
field.
By default, this option is disabled.

Include child organizational units

If this option is enabled, the selection includes devices from all child organizational units of the specified
Active Directory organizational unit.
By default, this option is disabled.

This device is a member of an Active Directory group

If this option is enabled, the selection includes devices from the Active Directory group specified in the
entry field.
By default, this option is disabled.

In the Network activity subsection, you can specify the criteria that will be used to include devices in the selection
according to their network activity:

Acts as a distribution point

In the drop-down list, you can set up the criterion for including devices in the selection when performing
search:
Yes. The selection includes devices that act as distribution points.

No. Devices that act as distribution points are not included in the selection.

No value is selected. The criterion will not be applied.

Do not disconnect from the Administration Server

In the drop-down list, you can set up the criterion for including devices in the selection when performing
search:
Enabled. The selection will include devices on which the Do not disconnect from the Administration
Server check box is selected.

Disabled. The selection will include devices on which the Do not disconnect from the
Administration Server check box is cleared.

No value is selected. The criterion will not be applied.

Connection profile switched

In the drop-down list, you can set up the criterion for including devices in the selection when performing
search:
Yes. The selection will include devices that connected to the Administration Server after the
connection profile was switched.

No. The selection will not include devices that connected to the Administration Server after the
connection profile was switched.

No value is selected. The criterion will not be applied.

Last connected to Administration Server

You can use this check box to set a search criterion for devices according to the time they last connected
to the Administration Server.
If this check box is selected, in the entry fields you can specify the time interval (date and time) during
which the last connection was established between Network Agent installed on the client device and the
Administration Server. The selection will include devices that fall within the specified interval.
If this check box is cleared, the criterion will not be applied.
By default, this check box is cleared.

New devices detected by network poll

Searches for new devices that have been detected by network polling over the last few days.
If this option is enabled, the selection only includes new devices that have been detected by device
discovery over the number of days specified in the Detection period (days) field.
If this option is disabled, the selection includes all devices that have been detected by device discovery.
By default, this option is disabled.

Device is visible

In the drop-down list, you can set up the criterion for including devices in the selection when performing
search:
Yes. The application includes in the selection devices that are currently visible in the network.

No. The application includes in the selection devices that are currently invisible in the network.

No value is selected. The criterion will not be applied.

In the Cloud segments subsection, you can configure criteria for including devices in a selection according to their
respective cloud segments:

Device is in a cloud segment

If this option is enabled, you can choose devices from the AWS, Azure, and Google cloud segments.
If the Include child objects option is also enabled, the search is run on all child objects of the selected
segment.
Search results include only devices from the selected segment.

Device discovered by using the API

In the drop-down list, you can select whether a device is detected by API tools:

Yes. The device is detected by using the AWS, Azure, or Google API.

No. The device cannot be detected by using the AWS, Azure, or Google API. That is, the device is either
outside the cloud environment or it is in the cloud environment but it cannot be detected by using an
API.

No value. This condition does not apply.

Device statuses

In the Managed device status subsection, you can configure criteria for including devices into a selection based
on the description of the devices status from a managed application:

Device status

Drop-down list in which you can select one of the device statuses: OK, Critical, or Warning.

Real-time protection status

Drop-down list, in which you can select the real-time protection status. Devices with the specified real-
time protection status are included in the selection.

Device status description

In this field, you can select the check boxes next to conditions that, if met, assign one of the following
statuses to the device: OK, Critical, or Warning.

In the Status of components in managed applications subsection, you can configure criteria for including devices
in a selection according to the statuses of components in managed applications:

Data Leakage Prevention status

Search for devices by the status of Data Leakage Prevention (No data from device, Stopped, Starting,
Paused, Running, Failed).

Collaboration servers protection status

Search for devices by the status of server collaboration protection (No data from device, Stopped,
Starting, Paused, Running, Failed).

Anti-virus protection status of mail servers

Search for devices by the status of Mail Server protection (No data from device, Stopped, Starting,
Paused, Running, Failed).

Endpoint Sensor status

Search for devices by the status of the Endpoint Sensor component (No data from device, Stopped,
Starting, Paused, Running, Failed).

In the Status-affecting problems in managed applications subsection, you can specify the criteria that will be
used to include devices in the selection according to the list of possible problems detected by a managed
application. If at least one problem that you select exists on a device, the device will be included in the selection.
When you select a problem listed for several applications, you have the option to select this problem in all of the
lists automatically.

You can select check boxes for descriptions of statuses from the managed application; upon receipt of these
statuses, the devices will be included in the selection. When you select a status listed for several applications, you
have the option to select this status in all of the lists automatically.

System details

In the Operating system section, you can specify the criteria that will be used to include devices in the selection
according to their operating system type.

Platform type

If the check box is selected, you can select an operating system from the list. Devices with the specified
operating systems installed are included in the search results.

Operating system service pack version

In this field, you can specify the service pack version of the operating system (in the X.Y format). Only
devices with this version are included in the selection. By default, no version value is specified.

Operating system bit size

In the drop-down list, you can select the architecture of the operating system (Unknown, x86, AMD64, or
IA64); only devices with that architecture are included in the selection. By default, no option is selected
in the list, so the operating system's architecture is not taken into account.

Operating system build

This setting is applicable to Windows operating systems only.

The build number of the operating system. You can specify whether the selected operating system must
have an equal, earlier, or later build number. You can also configure searching for all build numbers except
the specified one.

Operating system release number

This setting is applicable to Windows operating systems only.

The release identifier (ID) of the operating system. You can specify whether the selected operating system
must have an equal, earlier, or later release ID. You can also configure searching for all release ID numbers
except the specified one.

In the Virtual machines section, you can set up the criteria to include devices in the selection according to
whether these are virtual machines or part of virtual desktop infrastructure (VDI):

This is a virtual machine

In the drop-down list, you can select the following options:

Undefined.

No. Find devices that are not virtual machines.

Yes. Find devices that are virtual machines.

Virtual machine type

In the drop-down list, you can select the virtual machine manufacturer.
This drop-down list is available if the Yes or Not important value is selected in the This is a virtual machine
drop-down list.

Part of Virtual Desktop Infrastructure

In the drop-down list, you can select the following options:

Undefined.

No. Find devices that are not part of Virtual Desktop Infrastructure.

Yes. Find devices that are part of the Virtual Desktop Infrastructure (VDI).

In the Hardware registry subsection, you can configure criteria for including devices into a selection based on
their installed hardware:

Ensure that the lshw utility is installed on Linux devices from which you want to fetch hardware details.
Hardware details fetched from virtual devices may be incomplete depending on the hypervisor used.

Device

In the drop-down list, you can select a unit type. All devices with this unit are included in the search results.
The field supports the full-text search.

Vendor

In the drop-down list, you can select the name of a unit manufacturer. All devices with this unit are included
in the search results.
The field supports the full-text search.

Device name

Name of the device in the Windows network. The device with the specified name is included in the
selection.

Description

Description of the device or hardware unit. Devices with the description specified in this field are included
in the selection.
A device's description in any format can be entered in the properties window of that device. The field
supports the full-text search.

Device vendor

Name of the device manufacturer. Devices produced by the manufacturer specified in this field are
included in the selection.
You can enter the manufacturer's name in the properties window of a device.

Serial number

All hardware units with the serial number specified in this field will be included in the selection.

Inventory number

Equipment with the inventory number specified in this field will be included in the selection.

User

All hardware units of the user specified in this field will be included in the selection.

Location

Location of the device or hardware unit (for example, at the HQ or a branch office). Computers or other
devices that are deployed at the location specified in this field will be included in the selection.
You can describe the location of a device in any format in the properties window of that device.

CPU clock rate, in MHz, from

The minimum clock rate of a CPU. Devices with a CPU that matches the clock rate range specified in the
entry fields (inclusive) will be included in the selection.

CPU clock rate, in MHz, to

The maximum clock rate of a CPU. Devices with a CPU that matches the clock rate range specified in the
entry fields (inclusive) will be included in the selection.

Number of virtual CPU cores, from

The minimum number of virtual CPU cores. Devices with a CPU that matches the range of the virtual cores
number specified in the entry fields (inclusive) will be included in the selection.

Number of virtual CPU cores, to

The maximum number of virtual CPU cores. Devices with a CPU that matches the range of the virtual cores
number specified in the entry fields (inclusive) will be included in the selection.

Hard drive volume, in GB, from

The minimum volume of the hard drive on the device. Devices with a hard drive that matches the volume
range specified in the entry fields (inclusive) will be included in the selection.

Hard drive volume, in GB, to

The maximum volume of the hard drive on the device. Devices with a hard drive that matches the volume
range specified in the entry fields (inclusive) will be included in the selection.

RAM size, in MB, from

The minimum size of the device RAM. Devices with RAM that matches the size range specified in the entry
fields (inclusive) will be included in the selection.

RAM size, in MB, to

The maximum size of the device RAM. Devices with RAM that matches the size range specified in the entry
fields (inclusive) will be included in the selection.

Third-party software details

In the Applications registry subsection, you can set up the criteria to search for devices according to applications
installed on them:
Application name

Drop-down list in which you can select an application. Devices on which the specified application is
installed are included in the selection.

Application version

Entry field in which you can specify the version of the selected application.

Vendor

Drop-down list in which you can select the manufacturer of an application installed on the device.

Application status

A drop-down list in which you can select the status of an application (Installed, Not installed). Devices on
which the specified application is installed or not installed, depending on the selected status, will be
included in the selection.

Find by update

If this option is enabled, search will be performed using the details of updates for applications installed on
the relevant devices. After you select the check box, the Application name, Application version, and
Application status fields change to Update name, Update version, and Status respectively.
By default, this option is disabled.

Name of incompatible security application

Drop-down list in which you can select third-party security applications. During the search, devices on
which the specified application is installed are included in the selection.

Application tag

In the drop-down list, you can select the application tag. All devices that have installed applications with
the selected tag in the description are included in the device selection.

Apply to devices without the specified tags

If this option is enabled, the selection includes devices with descriptions that contain none of the selected
tags.

If this option is disabled, the criterion is not applied.

By default, this option is disabled.

In the Vulnerabilities and updates subsection, you can specify the criteria that will be used to include devices in
the selection according to their Windows Update source:

WUA is switched to Administration Server

You can select one of the following search options from the drop-down list:

Yes. If this option is selected, the search results will include devices that receive updates through
Windows Update from the Administration Server.

No. If this option is selected, the results will include devices that receive updates through Windows
Update from other sources.

Details of Kaspersky applications

In the Kaspersky applications subsection, you can configure criteria for including devices in a selection based on
the selected managed application:

Application name

In the drop-down list, you can set a criterion for including devices in a selection when search is performed
by the name of a Kaspersky application.
The list provides only the names of applications with management plug-ins installed on the administrator's
workstation.
If no application is selected, the criterion will not be applied.

Application version

In the entry field, you can set a criterion for including devices in a selection when search is performed by
the version number of a Kaspersky application.
If no version number is speci ed, the criterion will not be applied.

Critical update name

In the entry field, you can set a criterion for including devices in a selection when search is performed by
application name or by update package number.
If the field is left blank, the criterion will not be applied.

Application status

A drop-down list in which you can select the status of an application (Installed, Not installed). Devices on
which the specified application is installed or not installed, depending on the selected status, will be
included in the selection.

Modules last updated

You can use this option to set a criterion for searching devices by time of the last update of modules of
applications installed on those devices.
If this check box is selected, in the entry fields you can specify the time interval (date and time) during
which the last update of modules of applications installed on those devices was performed.
If this check box is cleared, the criterion will not be applied.
By default, this check box is cleared.

Device is managed through Kaspersky Security Center 14

In the drop-down list, you can include in the selection the devices managed through Kaspersky Security
Center:

Yes. The application includes in the selection devices managed through Kaspersky Security Center.

No. The application includes devices in the selection if they are not managed through Kaspersky
Security Center.

No value is selected. The criterion will not be applied.

Security application is installed

In the drop-down list, you can include in the selection all devices with the security application installed:

Yes. The application includes in the selection all devices with the security application installed.

No. The application includes in the selection all devices with no security application installed.

No value is selected. The criterion will not be applied.

In the Anti-virus protection subsection, you can set up the criteria for including devices in a selection based on
their protection status:

Databases released

If this option is selected, you can search for client devices by anti-virus database release date. In the entry
fields you can set the time interval, on the basis of which the search is performed.
By default, this option is disabled.

Database records count

If this option is enabled, you can search for client devices by number of database records. In the entry
fields you can set the lower and upper threshold values for anti-virus database records.
By default, this option is disabled.

Last scanned

If this option is enabled, you can search for client devices by time of the last virus scan. In the entry
fields you can specify the time period within which the last virus scan was performed.
By default, this option is disabled.

Threats detected

If this option is enabled, you can search for client devices by number of viruses detected. In the entry fields
you can set the lower and upper threshold values for the number of viruses found.
By default, this option is disabled.

In the Encryption subsection, you can configure the criterion for including devices in a selection based on the
selected encryption algorithm:

Encryption algorithm

Advanced Encryption Standard (AES) symmetrical block cipher algorithm. In the drop-down list, you can select
the encryption key size (56-bit, 128-bit, 192-bit, or 256-bit).
Available values: AES56, AES128, AES192, and AES256.

The Application components subsection contains the list of components of those applications that have
corresponding management plug-ins installed in Kaspersky Security Center Web Console.

In the Application components subsection, you can specify criteria for including devices in a selection according
to the statuses and version numbers of the components that refer to the application that you select:

Status

Search for devices according to the component status sent by an application to the Administration Server.
You can select one of the following statuses: N/A, Stopped, Paused, Starting, Running, Failed, Not installed,
Not supported by license. If the selected component of the application installed on a managed device has
the specified status, the device is included in the device selection.

Statuses sent by applications:

Stopped—The component is disabled and not working at the moment.

Paused—The component is suspended, for example, after the user has paused protection in the
managed application.

Starting—The component is currently in the process of initialization.

Running—The component is enabled and working properly.

Failed—An error has occurred during the component operation.

Not installed—The user did not select the component for installation when configuring custom
installation of the application.

Not supported by license—The license does not cover the selected component.

Unlike other statuses, the N/A status is not sent by applications. This option shows that the applications
have no information about the selected component status. For example, this can happen when the
selected component does not belong to any of the applications installed on the device, or when the device
is turned off.

Version

Search for devices according to the version number of the component that you select in the list. You can
type a version number, for example 3.4.1.0, and then specify whether the selected component must
have an equal, earlier, or later version. You can also configure searching for all versions except the specified
one.

Tags

In the Tags section, you can configure criteria for including devices into a selection based on key words (tags) that
were previously added to the descriptions of managed devices:

Apply if at least one specified tag matches

If this option is enabled, the search results will show devices with descriptions that contain at least one of the
selected tags.
If this option is disabled, the search results will only show devices with descriptions that contain all the
selected tags.
By default, this option is disabled.

To add tags to the criterion, click the Add button, and select tags by clicking the Tag entry field. Specify whether
to include or exclude the devices with the selected tags in the device selection.

Must be included

If this option is selected, the search results will display the devices whose descriptions contain the
selected tag. To find devices, you can use the asterisk, which stands for any string with any number of
characters.
By default, this option is selected.

Must be excluded

If this option is selected, the search results will display the devices whose descriptions do not contain the
selected tag. To find devices, you can use the asterisk, which stands for any string with any number of
characters.
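The include/exclude and any/all logic of the Tags criterion, as an added Python illustration that is not Kaspersky Security Center code. The device names and tags are constructed, and treating a "Must be excluded" tag as an unconditional filter is an assumption the page does not state.

```python
from dataclasses import dataclass, field
from fnmatch import fnmatchcase
from typing import List, Set


@dataclass
class TagCriterion:
    """One row of the Tags criterion: a tag name (asterisk = any string)
    marked either "Must be included" (default) or "Must be excluded"."""
    pattern: str
    include: bool = True


@dataclass
class Device:
    name: str
    tags: Set[str] = field(default_factory=set)


def _has_matching_tag(pattern: str, tags: Set[str]) -> bool:
    # Tag names are compared case-sensitively; "*" stands for any number of characters.
    return any(fnmatchcase(tag, pattern) for tag in tags)


def device_matches(device: Device, criteria: List[TagCriterion],
                   at_least_one: bool = False) -> bool:
    """at_least_one mirrors "Apply if at least one specified tag matches":
    False (the default) requires all included tags, True requires any one of them.
    Assumption (not stated on the page): an excluded tag always drops the device,
    independent of that switch."""
    included = [c for c in criteria if c.include]
    excluded = [c for c in criteria if not c.include]
    if any(_has_matching_tag(c.pattern, device.tags) for c in excluded):
        return False
    if not included:
        return True
    hits = [_has_matching_tag(c.pattern, device.tags) for c in included]
    return any(hits) if at_least_one else all(hits)


def select_devices(devices: List[Device], criteria: List[TagCriterion],
                   at_least_one: bool = False) -> List[str]:
    """Return the names of the devices that pass the Tags criterion."""
    return [d.name for d in devices if device_matches(d, criteria, at_least_one)]


# Constructed sample devices; the [Azure] tag is the auto-tag example from the About device tags section.
SAMPLE_DEVICES = [
    Device("ws-01", {"Azure", "Finance"}),
    Device("ws-02", {"AWS", "Finance"}),
    Device("srv-01", {"Azure", "Server"}),
]

if __name__ == "__main__":
    both = [TagCriterion("Azure"), TagCriterion("Fin*")]
    print(select_devices(SAMPLE_DEVICES, both))                     # ['ws-01']
    print(select_devices(SAMPLE_DEVICES, both, at_least_one=True))  # ['ws-01', 'ws-02', 'srv-01']
    print(select_devices(SAMPLE_DEVICES, [TagCriterion("Server", include=False)]))  # ['ws-01', 'ws-02']
```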

Users

In the Users section, you can set up the criteria to include devices in the selection according to the accounts of
users who have logged in to the operating system.

Last user who logged in to the system

If this option is enabled, you can select the user account for configuring the criterion. The search results
include devices on which the selected user performed the last login to the system.

User who logged in to the system at least once

If this option is enabled, click the Browse button to specify a user account. The search results include
devices on which the specified user logged in to the system at least once.

Exporting the device list from a device selection


Kaspersky Security Center allows you to save information about devices from a device selection in a CSV or a TXT
file.

To export the device list from the device selection to a file:

1. Open the table with the devices from the device selection.

2. You can export the information about devices from the table in one of the following ways:

Export the selected devices.


Select the check boxes next to the required devices, and then click the Export rows to CSV file or Export
rows to TXT file button, depending on the format you prefer for export. All information about the selected
devices included in the table will be exported to a TXT or CSV file.

Export all devices displayed on the current page.


Click the Export rows to CSV file or Export rows to TXT file button, depending on the format you prefer
for export. You do not need to select devices from the table. All information about devices displayed on the
current page will be exported to a TXT or CSV file.

Note that if you applied a filter criterion to the device table, only the filtered data from the displayed columns
will be exported to a CSV or TXT file.

Removing devices from administration groups in a selection


When working with a device selection, you can remove devices from administration groups right in this selection,
without switching to the administration groups from which these devices must be removed.

To remove devices from administration groups:

1. In the main menu, go to DEVICES → DEVICE SELECTIONS or DISCOVERY & DEPLOYMENT → DEVICE
SELECTIONS.

2. In the selection list, click the name of the device selection.


The page displays a table with information about the devices included in the device selection.

3. Select the devices that you want to remove, and then click Delete.
The selected devices are removed from their respective administration groups.

Device tags
This section describes device tags, and provides instructions for creating and modifying them as well as for
tagging devices manually or automatically.

About device tags


Kaspersky Security Center allows you to tag devices. A tag is the label of a device and it can be used for grouping,
describing, or finding devices. Tags assigned to devices can be used for creating selections, for finding devices,
and for distributing devices among administration groups.

You can tag devices manually or automatically. You may use manual tagging when you want to tag an individual
device. Auto-tagging is performed by Kaspersky Security Center in accordance with the specified tagging rules.

Devices are tagged automatically when specified rules are met. An individual rule corresponds to each tag. Rules
are applied to the network properties of the device, operating system, applications installed on the device, and
other device properties. For example, if you have a hybrid infrastructure of physical machines, Amazon EC2
instances, and Microsoft Azure virtual machines, you can set up a rule that will assign the [Azure] tag to all
Microsoft Azure virtual machines. Then, you can use this tag when creating a device selection; and this will help you
sort all Microsoft Azure virtual machines and assign them a task.

A tag is automatically removed from a device in the following cases:

When the device stops meeting conditions of the rule that assigns the tag.

When the rule that assigns the tag is disabled or deleted.

The list of tags and the list of rules on each Administration Server are independent of all other Administration
Servers, including a primary Administration Server or subordinate virtual Administration Servers. A rule is applied
only to devices from the same Administration Server on which the rule is created.

Creating a device tag


To create a device tag:

1. In the main menu, go to DEVICES → TAGS → DEVICE TAGS.

2. Click Add.
A new tag window opens.

3. In the Tag field, enter the tag name.

4. Click Save to save the changes.

The new tag appears in the list of device tags.

Renaming a device tag


To rename a device tag:

1. In the main menu, go to DEVICES → TAGS → DEVICE TAGS.

2. Click the name of the tag that you want to rename.


A tag properties window opens.

3. In the Tag field, change the tag name.

4. Click Save to save the changes.

The updated tag appears in the list of device tags.

Deleting a device tag


To delete a device tag:

1. In the main menu, go to DEVICES → TAGS → DEVICE TAGS.

2. In the list, select the device tag that you want to delete.

3. Click the Delete button.

4. In the window that opens, click Yes.

The device tag is deleted. The deleted tag is automatically removed from all of the devices to which it was
assigned.

The tag that you have deleted is not removed automatically from auto-tagging rules. After the tag is
deleted, it will be assigned to a new device only when the device first meets the conditions of a rule that
assigns the tag.

The deleted tag is not removed automatically from the device if this tag is assigned to the device by an
application or Network Agent. To remove the tag from your device, use the klscflag utility.

Viewing devices to which a tag is assigned


To view devices to which a tag is assigned:

1. In the main menu, go to DEVICES → TAGS → DEVICE TAGS.

2. Click the View devices link next to the tag for which you want to view assigned devices.
If you do not see the View devices link next to a tag, the tag is not assigned to any devices.

The list of devices that appears shows only those devices to which the tag is assigned.

To return to the list of device tags, click the Back button of your browser.

Viewing tags assigned to a device


To view tags assigned to a device:

1. In the main menu, go to DEVICES → MANAGED DEVICES.

2. Click the name of the device whose tags you want to view.

3. In the device properties window that opens, select the Tags tab.

The list of tags assigned to the selected device is displayed.

You can assign another tag to the device or remove an already assigned tag. You can also see all device tags that
exist on the Administration Server.

Tagging a device manually


To assign a tag to a device manually:

1. View tags assigned to the device to which you want to assign another tag.

2. Click Add.

3. In the window that opens, do one of the following:

To create and assign a new tag, select Create new tag, and then specify the name of the new tag.

To select an existing tag, select Assign existing tag, and then select the necessary tag in the drop-down list.

4. Click OK to apply the changes.

5. Click Save to save the changes.

The selected tag is assigned to the device.

Removing an assigned tag from a device


To remove a tag from a device:

1. In the main menu, go to DEVICES → MANAGED DEVICES.

2. Click the name of the device whose tags you want to view.

3. In the device properties window that opens, select the Tags tab.

4. Select the check box next to the tag that you want to remove.

5. At the top of the list, click the Unassign tag button.

6. In the window that opens, click Yes.

The tag is removed from the device.

The unassigned device tag is not deleted. If you want, you can delete it manually.

You cannot manually remove tags assigned to the device by applications or Network Agent. To remove
these tags, use the klscflag utility.

Viewing rules for tagging devices automatically


To view rules for tagging devices automatically,

Do any of the following:

In the main menu, go to DEVICES → TAGS → AUTO-TAGGING RULES.

In the main menu, go to DEVICES → TAGS, and then click the Set up auto-tagging rules link.

View tags assigned to a device and then click the Settings button.

The list of rules for auto-tagging devices appears.

Editing a rule for tagging devices automatically


To edit a rule for tagging devices automatically:

1. View rules for tagging devices automatically.

2. Click the name of the rule that you want to edit.


A rule settings window opens.

3. Edit the general properties of the rule:

a. In the Rule name field, change the rule name.


The name cannot be more than 256 characters long.

b. Do any of the following:

Enable the rule by switching the toggle button to Rule enabled.

Disable the rule by switching the toggle button to Rule disabled.

4. Do any of the following:

If you want to add a new condition, click the Add button, and specify the settings of the new condition in
the window that opens.

If you want to edit an existing condition, click the name of the condition that you want to edit, and then edit
the condition settings.

If you want to delete a condition, select the check box next to the name of the condition that you want to
delete, and then click Delete.

5. Click OK in the conditions settings window.

6. Click Save to save the changes.

The edited rule is shown in the list.

Creating a rule for tagging devices automatically


To create a rule for tagging devices automatically:

1. View rules for tagging devices automatically.

2. Click Add.
A new rule settings window opens.

3. Configure the general properties of the rule:

a. In the Rule name field, enter the rule name.


The name cannot be more than 256 characters long.

b. Do one of the following:

Enable the rule by switching the toggle button to Rule enabled.

Disable the rule by switching the toggle button to Rule disabled.

c. In the Tag field, enter the new device tag name or select one of the existing device tags from the list.
The name cannot be more than 256 characters long.

4. In the conditions section, click the Add button to add a new condition.
A new condition settings window opens.

5. Enter the condition name.


The name cannot be more than 256 characters long. The name must be unique within a rule.

6. Set up the triggering of the rule according to the following conditions. You can select multiple conditions.

Network—Network properties of the device, such as the device name on the Windows network, or device
inclusion in a domain or an IP subnet.

If case sensitive collation is set for the database that you use for Kaspersky Security Center, keep case
when you specify a device DNS name. Otherwise, the auto-tagging rule will not work.

Applications—Presence of Network Agent on the device, operating system type, version, and architecture.

Virtual machines—Device belongs to a specific type of virtual machine.

Active Directory—Presence of the device in an Active Directory organizational unit and membership of the
device in an Active Directory group.

Applications registry—Presence of applications of different vendors on the device.

7. Click OK to save the changes.


If necessary, you can set multiple conditions for a single rule. In this case, the tag will be assigned to a device if it
meets at least one condition.

8. Click Save to save the changes.

The newly created rule is enforced on devices managed by the selected Administration Server. If the settings of
a device meet the rule conditions, the device is assigned the tag.

Later, the rule is applied in the following cases:

Automatically and periodically, depending on the server workload

After you edit the rule

When you run the rule manually

After the Administration Server detects a change in the settings of a device that meets the rule conditions or
the settings of a group that contains such device

You can create multiple tagging rules. A single device can be assigned multiple tags if you have created multiple
tagging rules and if the respective conditions of these rules are met simultaneously. You can view the list of all
assigned tags in the device properties.
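As an added example (not Kaspersky Security Center code), the following Python model applies auto-tagging rules with the semantics described above: a rule assigns its tag when at least one of its conditions holds, the tag is withdrawn when the device stops matching or the rule is disabled or removed, manually assigned tags are left alone, and DNS names are compared case-sensitively by default. The devices, rule names and condition helpers are constructed for the illustration.

```python
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
from typing import Callable, Dict, List, Set

Condition = Callable[..., bool]   # a condition is evaluated against one Device


@dataclass
class Device:
    name: str
    dns_name: str
    ip: str
    vm_type: str = ""                                     # "" means a physical machine
    auto_tags: Set[str] = field(default_factory=set)      # tags assigned by rules
    manual_tags: Set[str] = field(default_factory=set)    # tags assigned by the administrator


@dataclass
class TagRule:
    name: str
    tag: str
    conditions: List[Condition]
    enabled: bool = True

    def matches(self, device: Device) -> bool:
        # A device meets a rule when it meets at least one of the rule's conditions.
        return any(cond(device) for cond in self.conditions)


# Constructed condition builders standing in for the Network and Virtual machines condition types.
def in_subnet(cidr: str) -> Condition:
    net = ip_network(cidr)
    return lambda d: ip_address(d.ip) in net


def dns_name_is(name: str, case_sensitive: bool = True) -> Condition:
    # With a case-sensitive database collation the DNS name must match exactly (see the note above).
    if case_sensitive:
        return lambda d: d.dns_name == name
    return lambda d: d.dns_name.lower() == name.lower()


def vm_type_is(vm_type: str) -> Condition:
    return lambda d: d.vm_type == vm_type


def apply_rules(devices: List[Device], rules: List[TagRule]) -> Dict[str, List[str]]:
    """Run every rule. A rule-assigned tag stays only while its rule exists, is enabled
    and still matches the device; manually assigned tags are never touched."""
    for device in devices:
        device.auto_tags = {r.tag for r in rules if r.enabled and r.matches(device)}
    return {d.name: sorted(d.auto_tags | d.manual_tags) for d in devices}


# Constructed sample inventory: the hybrid Azure / EC2 / physical setup from the About device tags section.
SAMPLE_DEVICES = [
    Device("azure-vm-01", "azure-vm-01.corp.example", "10.1.0.5", vm_type="Microsoft Azure"),
    Device("ec2-01", "ec2-01.corp.example", "10.2.0.7", vm_type="Amazon EC2"),
    Device("ws-hq-01", "WS-HQ-01.corp.example", "10.1.0.20", manual_tags={"Finance"}),
]

SAMPLE_RULES = [
    TagRule("Azure VMs", "Azure", [vm_type_is("Microsoft Azure")]),
    # Two conditions in one rule: the tag is assigned when either one holds.
    TagRule("HQ devices", "HQ", [in_subnet("10.1.0.0/24"), dns_name_is("ws-hq-01.corp.example")]),
]


def demo():
    """Tags before and after the Azure rule is disabled."""
    before = apply_rules(SAMPLE_DEVICES, SAMPLE_RULES)
    SAMPLE_RULES[0].enabled = False       # disabling a rule removes its tag on the next run
    after = apply_rules(SAMPLE_DEVICES, SAMPLE_RULES)
    SAMPLE_RULES[0].enabled = True
    return before, after


if __name__ == "__main__":
    for snapshot in demo():
        print(snapshot)
```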

Running rules for auto-tagging devices


When a rule is run, the tag specified in properties of this rule is assigned to devices that meet conditions specified
in properties of the same rule. You can run only active rules.

To run rules for auto-tagging devices:

1. View rules for tagging devices automatically.

2. Select check boxes next to active rules that you want to run.

3. Click the Run rule button.

The selected rules are run.

Deleting a rule for tagging devices automatically


To delete a rule for tagging devices automatically:

1. View rules for tagging devices automatically.

2. Select the check box next to the rule that you want to delete.

3. Click Delete.

4. In the window that opens, click Delete again.

The selected rule is deleted. The tag that was specified in properties of this rule is unassigned from all of the
devices that it was assigned to.

The unassigned device tag is not deleted. If you want, you can delete it manually.

Managing device tags by using the klscflag utility


This section provides information on how to assign or remove device tags by using the klscflag utility.

Assigning a device tag


Note that you must run the klscflag utility on the client device to which you want to assign a tag.

To assign a tag to your device by using the klscflag utility:

1. Run the Windows command prompt by using administrator rights, and then change your current directory to
the directory with the klscflag utility. The klscflag utility is located in the folder where Administration Server is
installed. The default installation path is <Disk>:\Program Files (x86)\Kaspersky Lab\Kaspersky Security Center.

2. Enter the following command:


klscflag -ssvset -pv 1103/1.0.0.0 -s KLNAG_SECTION_TAGS_INFO -n KLCONN_HOST_TAGS -sv "[\"TAG NAME\"]" -svt ARRAY_T -ss "|ss_type = \"SS_PRODINFO\";"

where TAG NAME is the name of the tag you want to assign to your device, for example:

klscflag -ssvset -pv 1103/1.0.0.0 -s KLNAG_SECTION_TAGS_INFO -n KLCONN_HOST_TAGS -sv "[\"ENTERPRISE\"]" -svt ARRAY_T -ss "|ss_type = \"SS_PRODINFO\";"

3. Restart the Network Agent service.

The specified tag is assigned to your device. To make sure that the tag is assigned successfully, view tags assigned
to the device.

Alternatively, you can assign device tags manually.


Removing a device tag


If a tag has been assigned to your device by an application or Network Agent, you cannot remove this tag manually.
In this case, use the klscflag utility to remove the assigned tag from the device.

Note that you must run the klscflag utility on the client device from which you want to remove a tag.

To remove a tag from the device by using the klscflag utility:

1. Run the Windows command prompt by using administrator rights, and then change your current directory to
the directory with the klscflag utility. The klscflag utility is located in the folder where Administration Server is
installed. The default installation path is <Disk>:\Program Files (x86)\Kaspersky Lab\Kaspersky Security Center.

2. Enter the following command:


klscflag -ssvset -pv 1103/1.0.0.0 -s KLNAG_SECTION_TAGS_INFO -n KLCONN_HOST_TAGS -sv "[]" -svt ARRAY_T -ss "|ss_type = \"SS_PRODINFO\";"

3. Restart the Network Agent service.

The tag is removed from the device.

Policies and policy profiles


In Kaspersky Security Center Web Console, you can create policies for Kaspersky applications. This section
describes policies and policy profiles, and provides instructions for creating and modifying them.

About policies and policy pro les


A policy is a set of Kaspersky application settings that are applied to an administration group and its subgroups.
You can install several Kaspersky applications on the devices of an administration group. Kaspersky Security
Center provides a single policy for each Kaspersky application in an administration group. A policy has one of the
following statuses (see the table below):

The status of the policy


Active: The current policy that is applied to the device. Only one policy may be active for a Kaspersky
application in each administration group. Devices apply the settings values of an active policy for
a Kaspersky application.

Inactive: A policy that is not currently applied to a device.

Out-of-office: If this option is selected, the policy becomes active when the device leaves the corporate
network.

Policies function according to the following rules:

Multiple policies with different values can be configured for a single application.

Only one policy can be active for the current application.

You can activate an inactive policy when a specific event occurs. For example, you can enforce stricter anti-
virus protection settings during virus outbreaks.

A policy can have child policies.

Generally, you can use policies as preparations for emergency situations, such as a virus attack. For example, if
there is an attack via ash drives, you can activate a policy that blocks access to ash drives. In this case, the
current active policy automatically becomes inactive.

In order to prevent maintaining multiple policies, for example, when di erent occasions assume changing of several
settings only, you may use policy pro les.

A policy profile is a named subset of policy settings values that replaces the settings values of a policy. A policy
profile affects the formation of effective settings on a managed device. Effective settings are a set of policy
settings, policy profile settings, and local application settings that are currently applied for the device.

Policy profiles function according to the following rules:

A policy profile takes effect when a specific activation condition occurs.

Policy profiles contain values of settings that differ from the policy settings.

Activation of a policy profile changes the effective settings of the managed device.

A policy can include a maximum of 100 policy profiles.

About lock and locked settings


Each policy setting has a lock button icon. The table below shows lock button statuses:

Lock button statuses

Status: Open lock (toggle button disabled)
Description: The setting is not specified in the policy. A user can change such a setting in the managed
application interface. Settings of this type are called unlocked.

Status: Closed lock (toggle button enabled)
Description: The setting is applied to the devices where the policy is enforced. A user cannot modify the value
of such a setting in the managed application interface. Settings of this type are called locked.

We highly recommend that you close locks for the policy settings that you want to apply on the managed
devices. The unlocked policy settings can be overridden by the Kaspersky application settings on a managed
device.

You can use a lock button for performing the following actions:

Locking settings for an administration subgroup policy

Locking settings of a Kaspersky application on a managed device

Thus, a locked setting is used for implementing effective settings on a managed device.

A process of effective settings implementation includes the following actions:

Managed device applies settings values of Kaspersky application.

Managed device applies locked settings values of a policy.

A policy and managed Kaspersky application contain the same set of settings. When you configure policy settings,
the Kaspersky application settings change values on a managed device. You cannot adjust locked settings on a
managed device (see the figure below):

Locks and Kaspersky application settings

Inheritance of policies and policy profiles


This section provides information about the hierarchy and inheritance of policies and policy profiles.

Hierarchy of policies
If different devices need different settings, you can organize devices into administration groups.

You can specify a policy for a single administration group. Policy settings can be inherited. Inheritance means
receiving policy settings values in subgroups (child groups) from a policy of a higher-level (parent) administration
group.

Hereinafter, a policy for a parent group is also referred to as a parent policy. A policy for a subgroup (child group) is
also referred to as a child policy.

By default, at least one managed devices group exists on Administration Server. If you want to create custom
groups, they are created as subgroups (child groups) within the managed devices group.

Policies of the same application act on each other, according to a hierarchy of administration groups. Locked
settings from a policy of a higher-level (parent) administration group will reassign policy settings values of a
subgroup (see the figure below).

Hierarchy of policies

Policy profiles in a hierarchy of policies


Policy profiles have the following priority assignment conditions:

A profile's position in a policy profile list indicates its priority. You can change a policy profile priority. The highest
position in a list indicates the highest priority (see the figure below).

Priority definition of a policy profile

Activation conditions of policy profiles do not depend on each other. Several policy profiles can be activated
simultaneously. If several policy profiles affect the same setting, the device takes the setting value from the
policy profile with the highest priority (see the figure below).

Managed device configuration fulfills activation conditions of several policy profiles

Policy profiles in a hierarchy of inheritance

Policy profiles from policies at different hierarchy levels comply with the following conditions:

A lower-level policy inherits policy profiles from a higher-level policy. A policy profile inherited from a higher-level
policy has a higher priority than the policy profiles of the lower-level policy itself.

You cannot change the priority of an inherited policy profile (see the figure below).

Inheritance of policy profiles

Policy profiles with the same name

If there are two policy profiles with the same name at different hierarchy levels, these profiles function according to
the following rules:

Locked settings and the profile activation condition of a higher-level policy profile change the settings and
profile activation condition of a lower-level policy profile (see the figure below).

Child profile inherits settings values from a parent policy profile

Unlocked settings and the profile activation condition of a higher-level policy profile do not change the settings
and profile activation condition of a lower-level policy profile.

How settings are implemented on a managed device
Implementation of effective settings on a managed device can be described as follows:

The values of all settings that have not been locked are taken from the policy.

Then they are overwritten with the values of managed application settings.

Then the locked settings values from the effective policy are applied. Locked settings values change the
values of unlocked effective settings.
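The resolution order just described, together with the profile priority and inheritance rules from the preceding section, as an added Python model that is not part of the Kaspersky documentation or product: the Policy, Profile and Setting classes and the sample device facts are hypothetical, and the code only encodes the rules stated above (parent locked settings override child values, local settings override unlocked values, locked values win, inherited profiles outrank the child's own).

```python
"""Model of how Kaspersky Security Center derives a managed device's effective
settings. Added example, not Kaspersky code: classes and device facts are
hypothetical and only encode the rules stated in the help text."""
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional

@dataclass
class Setting:
    value: object
    locked: bool = False                  # closed lock in the policy or profile

@dataclass
class Profile:
    name: str
    settings: Dict[str, Setting]          # values that replace policy values
    is_active: Callable[[dict], bool]     # activation condition over device facts

@dataclass
class Policy:
    name: str
    settings: Dict[str, Setting]
    profiles: List[Profile] = field(default_factory=list)  # index 0 = highest priority
    parent: Optional["Policy"] = None
    inherit_from_parent: bool = True      # "Inherit settings from parent policy"

def _copy(settings: Dict[str, Setting]) -> Dict[str, Setting]:
    return {k: Setting(s.value, s.locked) for k, s in settings.items()}

def effective_policy(policy: Policy) -> Policy:
    """Fold the group hierarchy into one policy: a locked parent setting replaces
    the child's value and stays locked, an unlocked one only fills a gap; inherited
    profiles rank above the child's own, and a same-named child profile takes the
    parent's locked values and the parent's activation condition."""
    merged = _copy(policy.settings)
    own = list(policy.profiles)
    if policy.parent is None or not policy.inherit_from_parent:
        return Policy(policy.name, merged, own, None, False)
    parent = effective_policy(policy.parent)          # resolve the parent chain first
    for key, s in parent.settings.items():
        if s.locked or key not in merged:
            merged[key] = Setting(s.value, s.locked)
    inherited: List[Profile] = []
    for p in parent.profiles:
        same = next((c for c in own if c.name == p.name), None)
        if same is None:
            inherited.append(Profile(p.name, _copy(p.settings), p.is_active))
            continue
        own.remove(same)
        values = _copy(same.settings)
        for key, s in p.settings.items():
            if s.locked:
                values[key] = Setting(s.value, True)
        inherited.append(Profile(p.name, values, p.is_active))
    return Policy(policy.name, merged, inherited + own, None, False)

def effective_settings(policy: Policy, local: Dict[str, object],
                       device: dict) -> Dict[str, object]:
    """Resolve the values a managed device actually runs with."""
    pol = effective_policy(policy)
    values = _copy(pol.settings)
    # Active profiles replace policy values; apply the lowest priority first so
    # the highest-priority profile has the last word on a shared setting.
    for prof in reversed(pol.profiles):
        if prof.is_active(device):
            for key, s in prof.settings.items():
                was_locked = key in values and values[key].locked
                values[key] = Setting(s.value, s.locked or was_locked)
    result = {k: s.value for k, s in values.items()}   # 1. policy values
    for key, v in local.items():                        # 2. local settings overwrite unlocked ones
        if key not in values or not values[key].locked:
            result[key] = v
    for key, s in values.items():                       # 3. locked values are applied last
        if s.locked:
            result[key] = s.value
    return result

# Constructed scenario: a company-wide parent policy with an "Out of office"
# profile, a "Laptops" child policy with its own "Low RAM" profile, and two
# values an end user changed locally in the application interface.
PARENT = Policy("Managed devices", {
    "realtime_protection": Setting(True, locked=True),
    "scan_removable_drives": Setting("on_connect"),
    "update_source": Setting("corporate-server"),
}, profiles=[Profile("Out of office",
                     {"update_source": Setting("kaspersky-cloud", True),
                      "scan_removable_drives": Setting("full_scan", True)},
                     lambda d: d["status"] == "offline")])

LAPTOPS = Policy("Laptops", {
    "realtime_protection": Setting(False),              # parent locked it: ignored
    "scan_removable_drives": Setting("quick_scan", locked=True),
}, profiles=[Profile("Low RAM", {"scan_removable_drives": Setting("skip", True)},
                     lambda d: d["ram_mb"] < 4096)],
   parent=PARENT)

LOCAL = {"update_source": "local-mirror", "realtime_protection": False}

def resolve_laptop(status: str, ram_mb: int) -> Dict[str, object]:
    return effective_settings(LAPTOPS, LOCAL, {"status": status, "ram_mb": ram_mb})
```

When the laptop is offline and low on RAM, both profiles fire, and the inherited "Out of office" profile wins the shared setting because it ranks above the child's own profile.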

Managing policies
This section describes managing policies and provides information about viewing the list of policies, creating a
policy, modifying a policy, copying a policy, moving a policy, forced synchronization, viewing the policy distribution
status chart, and deleting a policy.

Viewing the list of policies


You can view lists of policies created for the Administration Server or for any administration group.

To view a list of policies:

1. In the main menu, go to DEVICES → HIERARCHY OF GROUPS.

2. In the administration group structure, select the administration group for which you want to view the list of
policies.

The list of policies appears in tabular format. If there are no policies, the table is empty. You can show or hide the
columns of the table, change their order, view only lines that contain a value that you specify, or use search.

Creating a policy
You can create policies; you can also modify and delete existing policies.

To create a policy:

1. In the main menu, go to DEVICES → POLICIES & PROFILES.

2. Click Add.
The Select application window opens.

3. Select the application for which you want to create a policy.

4. Click Next.
The new policy settings window opens with the General tab selected.

5. If you want, change the default name, default status, and default inheritance settings of the policy.

6. Select the Application settings tab.


Or, you can click Save and exit. The policy will appear in the list of policies, and you can edit its settings later.

7. On the Application settings tab, in the left pane, select the category that you want and in the results pane on
the right, edit the settings of the policy. You can edit policy settings in each category (section).
The set of settings depends on the application for which you create a policy. For details, refer to the following:

Administration Server configuration

Network Agent policy settings

Kaspersky Endpoint Security for Windows documentation

For details about settings of other security applications, refer to the documentation for the corresponding
application.
When editing the settings, you can click Cancel to cancel the last operation.

8. Click Save to save the policy.

The policy will appear in the list of policies.

Modifying a policy
To modify a policy:

1. In the main menu, go to DEVICES → POLICIES & PROFILES.

2. Click the policy that you want to modify.


The policy settings window opens.

3. Specify the general settings and settings of the application for which you create a policy. For details, refer to
the following:

Administration Server configuration

Network Agent policy settings

Kaspersky Endpoint Security for Windows documentation

For details about settings of other security applications, refer to the documentation for that application.

4. Click Save.

The changes made to the policy will be saved in the policy properties, and will appear in the Revision history
section.

General policy settings

General

In the General tab, you can modify the policy status and specify the inheritance of policy settings:

In the Policy status block, you can select one of the policy modes:

Active

If this option is selected, the policy becomes active.


By default, this option is selected.

Out-of-office

If this option is selected, the policy becomes active when the device leaves the corporate network.

Inactive

If this option is selected, the policy becomes inactive, but it is still stored in the Policies folder. If
required, the policy can be activated.

In the Settings inheritance settings group, you can configure the policy inheritance:

Inherit settings from parent policy

If this option is enabled, the policy setting values are inherited from the upper-level group policy and,
therefore, are locked.
By default, this option is enabled.

Force inheritance of settings in child policies

If this option is enabled, after policy changes are applied, the following actions will be performed:
The values of the policy settings will be propagated to the policies of administration
subgroups, that is, to the child policies.

In the Settings inheritance block of the General section in the properties window of each child
policy, the Inherit settings from parent policy option will be automatically enabled.
If this option is enabled, the child policies settings are locked.
By default, this option is disabled.

Event configuration

The Event configuration tab allows you to configure event logging and event notification. Events are distributed
by importance level on the following tabs:

Critical
The Critical section is not displayed in the Network Agent policy properties.

Functional failure
Warning

Info

In each section, the list shows the types of events and the default event storage term on the Administration
Server (in days). Clicking an event type lets you specify the following settings:

Event registration
You can specify how many days to store the event and select where to store the event:

Export to SIEM system using Syslog

Store in the OS event log on device

Store in the OS event log on Administration Server

Event notifications


You can select if you want to be notified about the event in one of the following ways:

Notify by email

Notify by SMS

Notify by running an executable file or script

Notify by SNMP

By default, the notification settings specified on the Administration Server properties tab (such as recipient
address) are used. If you want, you can change these settings in the Email, SMS, and Executable file to be run
tabs.

Revision history

The Revision history tab allows you to view the list of the policy revisions and roll back changes made to the policy,
if necessary.

Enabling and disabling a policy inheritance option


To enable or disable the inheritance option in a policy:

1. Open the required policy.

2. Open the General tab.

3. Enable or disable policy inheritance:

If you enable Inherit settings from parent policy in a child policy and an administrator locks some settings in
the parent policy, then you cannot change these settings in the child policy.

If you disable Inherit settings from parent policy in a child policy, then you can change all of the settings in
the child policy, even if some settings are locked in the parent policy.

If you enable Force inheritance of settings in child policies in the parent group, this enables the Inherit
settings from parent policy option for each child policy. In this case, you cannot disable this option for any
child policy. All of the settings that are locked in the parent policy are forcibly inherited in the child groups,
and you cannot change these settings in the child groups.

4. Click the Save button to save changes or click the Cancel button to reject changes.

By default, the Inherit settings from parent policy option is enabled for a new policy.

If a policy has profiles, all of the child policies inherit these profiles.

Copying a policy
You can copy policies from one administration group to another.

To copy a policy to another administration group:

1. In the main menu, go to DEVICES → POLICIES & PROFILES.

2. Select the check box next to the policy (or policies) that you want to copy.

3. Click the Copy button.


On the right side of the screen, the tree of the administration groups appears.

4. In the tree, select the target group, that is, the group to which you want to copy the policy (or policies).

5. Click the Copy button at the bottom of the screen.

6. Click OK to confirm the operation.

The policy (policies) will be copied to the target group with all its profiles. The status of each copied policy in the
target group will be Inactive. You can change the status to Active at any time.

If a policy with the name identical to that of the newly copied policy already exists in the target group, the name of
the newly copied policy is expanded with the (<next sequence number>) index, for example: (1).

Moving a policy
You can move policies from one administration group to another. For example, you want to delete a group, but you
want to use its policies for another group. In this case, you may want to move the policy from the old group to the new
one before deleting the old group.

To move a policy to another administration group:

1. In the main menu, go to DEVICES → POLICIES & PROFILES.

2. Select the check box next to the policy (or policies) that you want to move.

3. Click the Move button.


On the right side of the screen, the tree of the administration groups appears.

4. In the tree, select the target group, that is, the group to which you want to move the policy (or policies).
5. Click the Move button at the bottom of the screen.

6. Click OK to confirm the operation.

If a policy is not inherited from the source group, it is moved to the target group with all its profiles. The status of
the policy in the target group is Inactive. You can change the status to Active at any time.

If a policy is inherited from the source group, it remains in the source group. It is copied to the target group with
all its profiles. The status of the policy in the target group is Inactive. You can change the status to Active at any
time.

If a policy with the name identical to that of the newly moved policy already exists in the target group, the name of
the newly moved policy is expanded with the (<next sequence number>) index, for example: (1).

Viewing the policy distribution status chart


In Kaspersky Security Center, you can view the status of policy application on each device in a policy distribution
status chart.

To view the policy distribution status on each device:

1. In the main menu, go to DEVICES → POLICIES & PROFILES.

2. Select the check box next to the name of the policy for which you want to view the distribution status on devices.

3. In the menu that appears, select the Distribution link.


The <Policy name> distribution results window opens.

4. In the <Policy name> distribution results window that opens, the Status description of the policy is displayed.

You can change the number of results displayed in the list with policy distribution results. The maximum number of
devices is 100000.

To change the number of devices displayed in the list with policy distribution results:

1. In the main menu, go to the Interface options section in the toolbar.

2. In the Limit of devices displayed in policy distribution results, enter the number of devices (up to 100000).
By default, the number is 5000.

3. Click Save.
The settings are saved and applied.

Activating a policy automatically at the Virus outbreak event


To make a policy perform automatic activation at a Virus outbreak event:

1. At the top of the screen, click the settings icon next to the name of the required Administration Server.
The Administration Server properties window opens, with the General tab selected.

2. Select the Virus outbreak section.

3. In the right pane, click the Configure policies to activate when a Virus outbreak event occurs link.
The Policy activation window opens.

4. In the section relating to the component that detects a virus outbreak (Anti-Virus for workstations and file
servers, Anti-Virus for mail servers, or Anti-Virus for perimeter defense), select the option button next to the
entry you want, and then click Add.
A window opens with the Managed devices administration group.

5. Click the chevron icon next to Managed devices.


A hierarchy of administration groups and their policies is displayed.

6. In the hierarchy of administration groups and their policies, click the name of a policy or policies that are
activated when a virus outbreak is detected.
To select all policies in the list or in a group, select the check box next to the required name.

7. Click the Save button.


The window with the hierarchy of administration groups and their policies is closed.

The selected policies are added to the list of policies that are activated when a virus outbreak is detected. The
selected policies are activated at the virus outbreak, regardless of whether they are active or inactive.

If a policy has been activated on the Virus outbreak event, you can return to the previous policy only by using
the manual mode.

Deleting a policy
You can delete a policy if you do not need it anymore. You can delete only a policy that is not inherited in the
speci ed administration group. If a policy is inherited, you can only delete it in the upper-level group for which it
was created.

To delete a policy:

1. In the main menu, go to DEVICES → POLICIES & PROFILES.

2. Select the check box next to the policy that you want to delete, and click Delete.
The Delete button becomes unavailable (dimmed) if you select an inherited policy.

3. Click OK to confirm the operation.

The policy is deleted together with all its profiles.

Managing policy profiles

This section describes managing policy profiles and provides information about viewing the profiles of a policy,
changing a policy profile priority, creating a policy profile, modifying a policy profile, copying a policy profile, creating
a policy profile activation rule, and deleting a policy profile.

Viewing the profiles of a policy


To view profiles of a policy:

1. In the main menu, go to DEVICES → POLICIES & PROFILES.

2. Click the name of the policy whose profiles you want to view.
The policy properties window opens with the General tab selected.

3. Open the Policy profiles tab.

The list of policy profiles appears in tabular format. If the policy does not have profiles, an empty table appears.

Changing a policy profile priority


To change a policy profile priority:

1. Proceed to the list of profiles of the policy that you want.


The list of policy profiles appears.

2. On the Policy profiles tab, select the check box next to the policy profile for which you want to change priority.

3. Set a new position of the policy profile in the list by clicking Prioritize or Deprioritize.
The higher a policy profile is located in the list, the higher its priority.

4. Click the Save button.

The priority of the selected policy profile is changed and applied.

Creating a policy profile


To create a policy profile:

1. Proceed to the list of profiles of the policy that you want.
The list of policy profiles appears. If the policy does not have profiles, an empty table appears.

2. Click Add.

3. If you want, change the default name and default inheritance settings of the profile.

4. Select the Application settings tab.


Alternatively, you can click Save and exit. The profile that you have created appears in the list of policy profiles,
and you can edit its settings later.

5. On the Application settings tab, in the left pane, select the category that you want and in the results pane on
the right, edit the settings for the profile. You can edit policy profile settings in each category (section).
When editing the settings, you can click Cancel to cancel the last operation.

6. Click Save to save the profile.

The profile will appear in the list of policy profiles.

Modifying a policy profile

The capability to edit a policy profile is only available for policies of Kaspersky Endpoint Security for Windows.

To modify a policy profile:

1. Proceed to the list of profiles of the policy that you want.


The list of policy profiles appears.

2. On the Policy profiles tab, click the policy profile that you want to modify.
The policy profile properties window opens.

3. Configure the profile in the properties window:

If necessary, on the General tab, change the profile name and enable or disable the profile.

Edit the profile activation rules.

Edit the application settings.

For details about settings of security applications, please see the documentation of the corresponding
application.

4. Click Save.

The modified settings will take effect either after the device is synchronized with the Administration Server (if the
policy profile is active), or after an activation rule is triggered (if the policy profile is inactive).

Copying a policy profile


You can copy a policy profile to the current policy or to another one, for example, if you want to have identical profiles
for different policies. You can also use copying if you want to have two or more profiles that differ in only a small
number of settings.

To copy a policy profile:

1. Proceed to the list of profiles of the policy that you want.


The list of policy profiles appears. If the policy does not have profiles, an empty table appears.

2. On the Policy profiles tab, select the policy profile that you want to copy.

3. Click Copy.

4. In the window that opens, select the policy to which you want to copy the profile.
You can copy a policy profile to the same policy or to a policy that you specify.

5. Click Copy.

The policy profile is copied to the policy that you selected. The newly copied profile gets the lowest priority. If
you copy the profile to the same policy, the name of the newly copied profile will be expanded with the () index,
for example: (1), (2).

Later, you can change the settings of the profile, including its name and its priority; the original policy profile will not
be changed in this case.

Creating a policy profile activation rule


To create a policy profile activation rule:

1. Proceed to the list of profiles of the policy that you want.


The list of policy profiles appears.

2. On the Policy profiles tab, click the policy profile for which you need to create an activation rule.
If the list of policy profiles is empty, you can create a policy profile.

3. On the Activation rules tab, click the Add button.


The window with policy profile activation rules opens.

4. Specify a name for the rule.

5. Select the check boxes next to the conditions that must affect activation of the policy profile that you are
creating:

General rules for policy profile activation

Select this check box to set up policy profile activation rules on the device depending on the status of
the device offline mode, rule for connection to Administration Server, and tags assigned to the device.

For this option, specify at the next step:

Device status

Defines the condition for device presence on the network:


Online: The device is on the network, and so the Administration Server is available.

Offline: The device is on an external network, which means that the Administration Server is
not available.

N/A: The criterion will not be applied.

Rule for Administration Server connection is active on this device

Choose the condition of policy profile activation (whether the rule is executed or not) and select the
rule name.
The rule defines the network location of the device for connection to the Administration Server,
whose conditions must be met (or must not be met) for activation of the policy profile.
A network location description of devices for connection to an Administration Server can be
created or configured in a Network Agent switching rule.

Rules for specific device owner


For this option, specify at the next step:

Device owner

Enable this option to configure and enable the rule for profile activation on the device according to
its owner. In the drop-down list under the check box, you can select a criterion for the profile
activation:

The device belongs to the specified owner ("=" sign).

The device does not belong to the specified owner ("#" sign).
If this option is enabled, the profile is activated on the device in accordance with the criterion
configured. You can specify the device owner when the option is enabled. If this option is
disabled, the profile activation criterion is not applied. By default, this option is disabled.

Device owner is included in an internal security group

Enable this option to configure and enable the rule of profile activation on the device by the owner's
membership in an internal security group of Kaspersky Security Center. In the drop-down list under
the check box, you can select a criterion for the profile activation:

The device owner is a member of the specified security group ("=" sign).

The device owner is not a member of the specified security group ("#" sign).
If this option is enabled, the profile is activated on the device in accordance with the criterion
configured. You can specify a security group of Kaspersky Security Center. If this option is
disabled, the profile activation criterion is not applied. By default, this option is disabled.

Rules for hardware specifications

Select this check box to set up rules for policy profile activation on the device depending on the
memory volume and the number of logical processors.

For this option, specify at the next step:

RAM size, in MB

Enable this option to configure and enable the rule of profile activation on the device by the RAM
volume available on that device. In the drop-down list under the check box, you can select a criterion
for the profile activation:
The device RAM size is less than the specified value ("<" sign).

The device RAM size is greater than the specified value (">" sign).
If this option is enabled, the profile is activated on the device in accordance with the criterion
configured. You can specify the RAM volume on the device. If this option is disabled, the profile
activation criterion is not applied. By default, this option is disabled.

Number of logical processors

Enable this option to configure and enable the rule of profile activation on the device by the number
of logical processors on that device. In the drop-down list under the check box, you can select a
criterion for the profile activation:
The number of logical processors on the device is less than or equal to the specified value ("<"
sign).

The number of logical processors on the device is greater than or equal to the specified value
(">" sign).
If this option is enabled, the profile is activated on the device in accordance with the criterion
configured. You can specify the number of logical processors on the device. If this option is disabled,
the profile activation criterion is not applied. By default, this option is disabled.
Rules for role assignment


For this option, specify at the next step:
Activate policy profile by specific role of device owner

Select this option to configure and enable the rule of profile activation on the device depending on the
owner's role. Add the role manually from the list of existing roles.

If this option is enabled, the profile is activated on the device in accordance with the criterion
configured.

Rules for tag usage

Select this check box to set up rules for policy profile activation on the device depending on the tags
assigned to the device. You can apply the policy profile to the devices that either have the selected
tags or do not have them.

For this option, specify at the next step:

Tag

In the list of tags, specify the rule for device inclusion in the policy profile by selecting the check
boxes next to the relevant tags.
You can add new tags to the list by entering them in the field over the list and clicking the Add
button.
The policy profile includes devices with descriptions containing all the selected tags. If check boxes
are cleared, the criterion is not applied. By default, these check boxes are cleared.

Apply to devices without the specified tags

Enable this option if you have to invert your selection of tags.


If this option is enabled, the policy profile includes devices with descriptions that contain none of
the selected tags. If this option is disabled, the criterion is not applied.
By default, this option is disabled.

Rules for Active Directory usage

Select this check box to set up rules for policy profile activation on the device depending on the
presence of the device in an Active Directory organizational unit (OU), or on membership of the device
(or its owner) in an Active Directory security group.

For this option, specify at the next step:

Device owner's membership in Active Directory security group

If this option is enabled, the policy profile is activated on the device whose owner is a member of the
specified security group. If this option is disabled, the profile activation criterion is not applied. By
default, this option is disabled.

Device membership in Active Directory security group

If this option is enabled, the policy profile is activated on the device that is a member of the specified
security group. If this option is disabled, the profile activation criterion is not applied. By default, this
option is disabled.

Device allocation in Active Directory organizational unit

If this option is enabled, the policy profile is activated on the device which is included in the specified
Active Directory organizational unit (OU). If this option is disabled, the profile activation criterion is
not applied.
By default, this option is disabled.

The number of additional pages of the Wizard depends on the settings that you select at the first step. You can
modify policy profile activation rules later.

6. Check the list of the configured parameters. If the list is correct, click Create.

The profile will be saved. The profile will be activated on the device when activation rules are triggered.

Policy profile activation rules created for the profile are displayed in the policy profile properties on the Activation
rules tab. You can modify or remove any policy profile activation rule.

Multiple activation rules can be triggered simultaneously.
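An added evaluator for the activation criteria listed in the wizard above (example code, not Kaspersky's): the ActivationRule fields, the device facts and the profile names are constructed, and it assumes that every enabled criterion of one rule must hold and that a profile activates when any of its rules holds.

```python
"""Evaluator for policy profile activation criteria. Added example, not
Kaspersky code: ActivationRule fields and the device dictionaries are
hypothetical. Assumption: every enabled criterion of one rule must hold, and a
profile activates when any of its rules holds."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set

@dataclass
class ActivationRule:
    name: str
    device_status: Optional[str] = None     # "online", "offline" or None (N/A)
    owner: Optional[str] = None             # device owner criterion
    owner_matches: bool = True              # "=" (True) or "#" (False)
    owner_group: Optional[str] = None       # internal security group criterion
    owner_in_group: bool = True             # "=" (True) or "#" (False)
    ram_mb: Optional[int] = None            # RAM size criterion, in MB
    ram_less_than: bool = True              # "<" (True) or ">" (False)
    cpus: Optional[int] = None              # logical processors criterion
    cpus_at_most: bool = True               # "<=" (True) or ">=" (False)
    owner_role: Optional[str] = None        # role assigned to the owner
    tags: Set[str] = field(default_factory=set)   # all selected tags must be present
    invert_tags: bool = False               # "Apply to devices without the specified tags"
    ad_owner_group: Optional[str] = None    # owner in Active Directory security group
    ad_device_group: Optional[str] = None   # device in Active Directory security group
    ad_ou: Optional[str] = None             # device in Active Directory OU

def rule_matches(rule: ActivationRule, device: dict) -> bool:
    """True when every criterion enabled in the rule holds for the device.
    A criterion left at None (N/A in the wizard) is not applied, so a rule
    with no criteria matches every device."""
    checks = []
    if rule.device_status is not None:
        checks.append(device["status"] == rule.device_status)
    if rule.owner is not None:
        checks.append((device.get("owner") == rule.owner) == rule.owner_matches)
    if rule.owner_group is not None:
        member = rule.owner_group in device.get("owner_groups", ())
        checks.append(member == rule.owner_in_group)
    if rule.ram_mb is not None:
        ram = device["ram_mb"]
        checks.append(ram < rule.ram_mb if rule.ram_less_than else ram > rule.ram_mb)
    if rule.cpus is not None:
        cpus = device["cpus"]
        checks.append(cpus <= rule.cpus if rule.cpus_at_most else cpus >= rule.cpus)
    if rule.owner_role is not None:
        checks.append(rule.owner_role in device.get("owner_roles", ()))
    if rule.tags:
        device_tags = set(device.get("tags", ()))
        if rule.invert_tags:
            checks.append(not (rule.tags & device_tags))   # none of the selected tags
        else:
            checks.append(rule.tags <= device_tags)        # all of the selected tags
    if rule.ad_owner_group is not None:
        checks.append(rule.ad_owner_group in device.get("ad_owner_groups", ()))
    if rule.ad_device_group is not None:
        checks.append(rule.ad_device_group in device.get("ad_device_groups", ()))
    if rule.ad_ou is not None:
        checks.append(device.get("ad_ou") == rule.ad_ou)
    return all(checks)

def active_profiles(profiles: Dict[str, List[ActivationRule]], device: dict) -> List[str]:
    """Names of the profiles whose rules fire, in the profiles' priority order."""
    return [name for name, rules in profiles.items()
            if any(rule_matches(r, device) for r in rules)]

# Constructed sample devices and profiles; names, tags and the AD paths are made up.
DEVICES = {
    "LT-001": {"status": "offline", "owner": "jdoe", "owner_groups": {"KSC Administrators"},
               "ram_mb": 2048, "cpus": 2, "tags": {"laptop", "finance"},
               "ad_ou": "OU=Laptops,DC=example,DC=local"},
    "WS-002": {"status": "online", "owner": "asmith", "ram_mb": 16384, "cpus": 8,
               "tags": {"workstation"}, "ad_device_groups": {"Workstations"}},
    "SRV-003": {"status": "online", "owner": "svc-backup", "ram_mb": 65536, "cpus": 32,
                "tags": {"server"}, "ad_device_groups": {"Servers"}},
}

PROFILES = {   # insertion order = priority order (first = highest)
    "Out of office": [ActivationRule("away", device_status="offline")],
    "Low resources": [ActivationRule("low-ram", ram_mb=4096),
                      ActivationRule("few-cpus", cpus=2)],
    "Finance laptops": [ActivationRule("finance", tags={"finance", "laptop"})],
    "Laptop OU": [ActivationRule("in-ou", ad_ou="OU=Laptops,DC=example,DC=local")],
    "Untagged": [ActivationRule("no-role-tag", tags={"finance", "workstation"}, invert_tags=True)],
    "Not jdoe's": [ActivationRule("owner-ne", owner="jdoe", owner_matches=False)],
}

def profiles_per_device() -> Dict[str, List[str]]:
    """Which constructed profiles would activate on each constructed device."""
    return {name: active_profiles(PROFILES, facts) for name, facts in DEVICES.items()}
```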

Deleting a policy profile


To delete a policy profile:

1. Proceed to the list of profiles of the policy that you want.


The list of policy profiles appears.

2. On the Policy profiles tab, select the check box next to the policy profile that you want to delete, and click
Delete.

3. In the window that opens, click Delete again.

The policy profile is deleted. If the policy is inherited by a lower-level group, the profile remains in that group, but
becomes the policy profile of that group. This is done to avoid significant changes in the settings of the managed
applications installed on the devices of lower-level groups.

Data encryption and protection


Data encryption reduces the risk of unintentional leakage in case your laptop or hard drive is stolen or lost, or upon
access by unauthorized users and applications.

The following Kaspersky applications support encryption:

Kaspersky Endpoint Security for Windows

Kaspersky Endpoint Security for Mac

You can show or hide some of the interface elements related to the encryption management feature by using the
user interface settings.

Encryption of data in Kaspersky Endpoint Security for Windows

You can manage the following types of encryption:

BitLocker Drive Encryption on devices running a Windows operating system for servers

Kaspersky Disk Encryption on devices running a Windows operating system for workstations

By using these components of Kaspersky Endpoint Security for Windows, you can, for example, enable or disable
encryption, view the list of encrypted drives, or generate and view reports about encryption.

You configure encryption by defining policies of Kaspersky Endpoint Security for Windows in Kaspersky Security
Center. Kaspersky Endpoint Security for Windows performs encryption and decryption according to the active
policy. For detailed instructions on how to configure rules and a description of encryption features, see the
Kaspersky Endpoint Security for Windows Help.

Encryption of data in Kaspersky Endpoint Security for Mac

You can use FileVault encryption on devices running macOS. While working with Kaspersky Endpoint Security for
Mac, you can enable or disable this encryption.

You configure encryption by defining policies of Kaspersky Endpoint Security for Mac in Kaspersky Security
Center. Kaspersky Endpoint Security for Mac performs encryption and decryption according to the active policy.
For a detailed description of encryption features, see the Kaspersky Endpoint Security for Mac Help.

Viewing the list of encrypted drives


In Kaspersky Security Center, you can view details about encrypted drives and devices that are encrypted at the
drive level. After the information on a drive is decrypted, the drive is automatically removed from the list.

To view the list of encrypted drives,

In the main menu, go to the OPERATIONS → DATA ENCRYPTION AND PROTECTION → ENCRYPTED DRIVES
section.

If the section is not on the menu, this means that it is hidden. In the user interface settings, enable the Show data
encryption and protection option to display the section.

You can export the list of encrypted drives to a CSV or TXT file. To do this, click the Export rows to CSV file or
Export rows to TXT file button.

Viewing the list of encryption events


When running data encryption or decryption tasks on devices, Kaspersky Endpoint Security for Windows sends
Kaspersky Security Center information about events of the following types:

Cannot encrypt or decrypt a file, or create an encrypted archive, due to a lack of free disk space.

Cannot encrypt or decrypt a file, or create an encrypted archive, due to license issues.

Cannot encrypt or decrypt a file, or create an encrypted archive, due to missing access rights.

The application has been prohibited from accessing an encrypted file.

Unknown errors.

To view a list of events that occurred during data encryption on devices,

In the main menu, go to the OPERATIONS → DATA ENCRYPTION AND PROTECTION → ENCRYPTION
EVENTS section.

If the section is not on the menu, this means that it is hidden. In the user interface settings, enable the Show data
encryption and protection option to display the section.

You can export the list of encryption events to a CSV or TXT file. To do this, click the Export rows to CSV file or
Export rows to TXT file button.

Alternatively, you can examine the list of encryption events for every managed device.

To view the encryption events for a managed device:

1. In the main menu, go to the DEVICES → MANAGED DEVICES section.

2. Click on the name of a managed device.

3. On the General tab, go to the Protection section.

4. Click the View data encryption errors link.

Creating and viewing encryption reports


You can generate the following reports:

Report on encryption status of mass storage devices. This report contains information about the device
encryption status for all groups of devices.

Report on rights of access to encrypted drives. This report contains information about the status of user
accounts that have been granted access to encrypted drives.

Report on file encryption errors. This report contains information about errors that occurred when data
encryption or decryption tasks were run on devices.

Report on blockage of access to encrypted files. This report contains information about blocking application
access to encrypted files.

You can generate any report in the MONITORING & REPORTING → REPORTS section. Alternatively, you can
generate some of the encryption reports in the ENCRYPTED DRIVES section and the ENCRYPTION EVENTS
section.

To generate encryption reports in the ENCRYPTED DRIVES section:

1. Make sure that you enabled the Show data encryption and protection option in the Interface options.

2. Select OPERATIONS → DATA ENCRYPTION AND PROTECTION, and in the drop-down list select
ENCRYPTED DRIVES.

3. To generate an encryption report, click the name of the report that you want to generate:

Report on encryption status of mass storage devices

Report on rights to access encrypted drives

The report generation starts.

To generate Report on file encryption errors in the ENCRYPTION EVENTS section:

1. Make sure that you enabled the Show data encryption and protection option in the Interface options.

2. Select OPERATIONS → DATA ENCRYPTION AND PROTECTION, and in the drop-down list select
ENCRYPTION EVENTS.

3. To generate the encryption report, click the Report on file encryption errors link.

The report generation starts.

Granting access to an encrypted drive in offline mode

A user can request access to an encrypted device, for example, when Kaspersky Endpoint Security for Windows is
not installed on the managed device. After you receive the request, you can create an access key file and send it to
the user. All of the use cases and detailed instructions are provided in the Kaspersky Endpoint Security for
Windows Help.

To grant access to an encrypted drive in offline mode:

1. Get a request access file from a user (a file with the FDERTC extension). Follow the instructions in the
Kaspersky Endpoint Security for Windows Help to generate the file in Kaspersky Endpoint Security for
Windows.

2. In the main menu, go to the OPERATIONS → DATA ENCRYPTION AND PROTECTION → ENCRYPTED
DRIVES section.
A list of encrypted drives appears.

3. Select the drive to which the user requested access.

4. Click the Grant access to the device in offline mode button.

5. In the window that opens, select the plug-in corresponding to the Kaspersky application that was used to
encrypt the selected drive.

If a drive is encrypted with a Kaspersky application that is not supported by Kaspersky Security Center
Web Console, use Microsoft Management Console-based Administration Console to grant the offline
access.

6. Follow the instructions provided in the Kaspersky Endpoint Security for Windows Help (see expanding blocks
at the end of the section).

After that, the user applies the received file to access the encrypted drive and read data stored on the drive.

Users and user roles


This section describes users and user roles, and provides instructions for creating and modifying them, for
assigning roles and groups to users, and for associating policy profiles with roles.

About user roles


A user role (also referred to as a role) is an object containing a set of rights and privileges. A role can be associated
with settings of Kaspersky applications installed on a user device. You can assign a role to a set of users or to a set
of security groups at any level in the hierarchy of administration groups.

You can associate user roles with policy pro les. If a user is assigned a role, this user gets security settings
necessary to perform job functions.

A user role can be associated with users of devices in a specific administration group.

User role scope

A user role scope is a combination of users and administration groups. Settings associated with a user role apply
only to devices that belong to users who have this role, and only if these devices belong to groups associated with
this role, including child groups.

Advantage of using roles

An advantage of using roles is that you do not have to specify security settings for each of the managed devices
or for each of the users separately. The number of users and devices in a company may be quite large, but the
number of different job functions that require different security settings is considerably smaller.

Differences from using policy profiles

Policy profiles are properties of a policy that is created for each Kaspersky application separately. A role is
associated with many policy profiles created for different applications. Therefore, a role is a method of uniting
settings for a certain user type in one place.

Configuring access rights to application features. Role-based access control
Kaspersky Security Center provides facilities for role-based access to the features of Kaspersky Security Center
and managed Kaspersky applications.

You can configure access rights to application features for Kaspersky Security Center users in one of the following
ways:

By configuring the rights for each user or group of users individually.

By creating standard user roles with a predefined set of rights and assigning those roles to users depending on
their scope of duties.

Application of user roles is intended to simplify and shorten routine procedures of configuring users' access rights
to application features. Access rights within a role are configured in accordance with the standard tasks and the
users' scope of duties.

User roles can be assigned names that correspond to their respective purposes. You can create an unlimited
number of roles in the application.

You can use the predefined user roles with an already configured set of rights, or create new roles and configure the
required rights yourself.

Access rights to application features


The table below shows the Kaspersky Security Center features with the access rights to manage the associated
tasks, reports, settings, and perform the associated user actions.
To perform the user actions listed in the table, a user has to have the right specified next to the action.

Read, Modify, and Execute rights are applicable to any task, report, or setting. In addition to these rights, a user
has to have the Perform operations on device selections right to manage tasks, reports, or settings on device
selections.

All tasks, reports, settings, and installation packages that are missing in the table belong to the General
features: Basic functionality functional area.

Access rights to application features

Each entry below lists a functional area, the rights defined in it, the user actions with the right required to perform
each action, and the tasks, reports, and other objects that belong to the area.

Functional area: General features: Management of administration groups
Rights: Modify
User actions (right required to perform the action):
  Add device to an administration group: Modify
  Delete device from an administration group: Modify
  Add an administration group to another administration group: Modify
  Delete an administration group from another administration group: Modify
Tasks: None
Reports: None
Other: None

Functional area: General features: Access objects regardless of their ACLs
Rights: Read
User actions (right required to perform the action):
  Get read access to all objects: Read
Tasks: None
Reports: None
Other: None

Functional area: General features: Basic functionality
Rights: Read, Modify, Execute, Perform operations on device selections
User actions (right required to perform the action):
  Device moving rules (create, modify, or delete) for the virtual Server: Modify, Perform operations on device selections
  Get Mobile (LWNGT) protocol custom certificate: Read
  Set Mobile (LWNGT) protocol custom certificate: Write
  Get NLA-defined network list: Read
  Add, modify, or delete NLA-defined network list: Modify
  View Access Control List of groups: Read
  View the Kaspersky Event Log: Read
Tasks: "Download updates to the Administration Server repository", "Deliver reports", "Distribute installation package", "Install application on secondary Administration Servers remotely"
Reports: "Report on protection status", "Report on threats", "Report on most heavily infected devices", "Report on status of anti-virus databases", "Report on errors", "Report on network attacks", "Summary report on mail system protection applications installed", "Summary report on perimeter defense applications installed", "Summary report on types of applications installed", "Report on users of infected devices", "Report on incidents", "Report on events", "Report on activity of distribution points", "Report on Secondary Administration Servers", "Report on Device Control events", "Report on vulnerabilities", "Report on prohibited applications", "Report on Web Control", "Report on encryption status of managed devices", "Report on encryption status of mass storage devices", "Report on file encryption errors", "Report on blockage of access to encrypted files", "Report on rights to access encrypted devices", "Report on effective user permissions", "Report on rights"
Other: None

Functional area: General features: Deleted objects
Rights: Read, Modify
User actions (right required to perform the action):
  View deleted objects in the Recycle Bin: Read
  Delete objects from the Recycle Bin: Modify
Tasks: None
Reports: None
Other: None

Functional area: General features: Event processing
Rights: Delete events, Edit event notification settings, Edit event logging settings, Modify
User actions (right required to perform the action):
  Change events registration settings: Edit event logging settings
  Change events notification settings: Edit event notification settings
  Delete events: Delete events
Tasks: None
Reports: None
Other (settings): Virus outbreak settings: number of virus detections required to create a Virus outbreak event; Virus outbreak settings: period of time for evaluation of virus detections; The maximum number of events stored in the database; Period of time for storing events from deleted devices

Functional area: General features: Operations on Administration Server
Rights: Read, Modify, Execute, Modify object ACLs, Perform operations on device selections
User actions (right required to perform the action):
  Specify ports of Administration Server for the network agent connection: Modify
  Specify ports of Activation Proxy launched on the Administration Server: Modify
  Specify ports of Activation Proxy for Mobile launched on the Administration Server: Modify
  Specify ports of the Web Server for distribution of standalone packages: Modify
  Specify ports of the Web Server for distribution of MDM profiles: Modify
  Specify SSL ports of the Administration Server for connection via Kaspersky Security Center Web Console: Modify
  Specify ports of the Administration Server for mobile connection: Modify
  Specify the maximum number of events stored in the Administration Server database: Modify
  Specify the maximum number of events that can be sent by the Administration Server: Modify
  Specify time period during which events can be sent by the Administration Server: Modify
Tasks: "Backup of Administration Server data", "Databases maintenance"
Reports: None
Other: None

Functional area: General features: Kaspersky software deployment
Rights: Manage Kaspersky patches, Read, Modify, Execute, Perform operations on device selections
User actions (right required to perform the action):
  Approve or decline installation of the patch: Manage Kaspersky patches
Tasks: None
Reports: "Report on license key usage by virtual Administration Server", "Report on Kaspersky software versions", "Report on incompatible applications", "Report on versions of Kaspersky software module updates", "Report on protection deployment"
Other: Installation package "Kasper…

Functional area: General features: Key management
Rights: Export key file, Modify
User actions (right required to perform the action):
  Export key file: Export key file
  Modify Administration Server license key settings: Modify
Tasks: None
Reports: None
Other: None

Functional area: General features: Enforced report management
Rights: Read, Modify
User actions (right required to perform the action):
  Create reports regardless of their ACLs: Write
  Execute reports regardless of their ACLs: Read
Tasks: None
Reports: None
Other: None

Functional area: General features: Hierarchy of Administration Servers
Rights: Configure hierarchy of Administration Servers
User actions (right required to perform the action):
  Register, update, or delete secondary Administration Servers: Configure hierarchy of Administration Servers
Tasks: None
Reports: None
Other: None

Functional area: General features: User permissions
Rights: Modify object ACLs
User actions (right required to perform the action):
  Change Security properties of any object: Modify object ACLs
  Manage user roles: Modify object ACLs
  Manage internal users: Modify object ACLs
  Manage security groups: Modify object ACLs
  Manage aliases: Modify object ACLs
Tasks: None
Reports: None
Other: None

Functional area: General features: Virtual Administration Servers
Rights: Manage virtual Administration Servers, Read, Modify, Execute, Perform operations on device selections
User actions (right required to perform the action):
  Get list of virtual Administration Servers: Read
  Get information on the virtual Administration Server: Read
  Create, update, or delete a virtual Administration Server: Manage virtual Administration Servers
  Move a virtual Administration Server to another group: Manage virtual Administration Servers
  Set virtual Administration Server permissions: Manage virtual Administration Servers
Tasks: None
Reports: "Report on results of installation of third-party software updates"
Other: None

Functional area: Mobile device management: General
Rights: Connect new devices, Send only information commands to mobile devices, Send commands to mobile devices, Manage certificates, Read, Modify
User actions (right required to perform the action):
  Get Key Management Service restore data: Read
  Delete user certificates: Manage certificates
  Get user certificate public part: Read
  Check if Public Key Infrastructure is enabled: Read
  Check Public Key Infrastructure account: Read
  Get Public Key Infrastructure templates: Read
  Get Public Key Infrastructure templates by Extended Key Usage certificate: Read
  Check if Public Key Infrastructure certificate is revoked: Read
  Update user certificate issuance settings: Manage certificates
  Get user certificate issuance settings: Read
  Get packages by application name and version: Read
  Set or cancel user certificate: Manage certificates
  Renew user certificate: Manage certificates
  Set user certificate tag: Manage certificates
  Run generation of MDM installation package; cancel generation of MDM installation package: Connect new devices
Tasks: None
Reports: None
Other: None

Functional area: System management: Connectivity
Rights: Start RDP sessions, Connect to existing RDP sessions, Initiate tunneling, Save files from devices to the administrator's workstation, Read, Modify, Execute, Perform operations on device selections
User actions (right required to perform the action):
  Create desktop sharing session: The right to create desktop sharing session
  Create RDP session: Connect to existing RDP sessions
  Create tunnel: Initiate tunneling
  Save content network list: Save files from devices to the administrator's workstation
Tasks: None
Reports: "Report on device users"
Other: None

Functional area: System management: Hardware inventory
Rights: Read, Modify, Execute, Perform operations on device selections
User actions (right required to perform the action):
  Get or export hardware inventory object: Read
  Add, set or delete hardware inventory object: Write
Tasks: None
Reports: "Report on hardware registry", "Report on configuration changes", "Report on hardware"
Other: None

Functional area: System management: Network access control
Rights: Read, Modify
User actions (right required to perform the action):
  View CISCO settings: Read
  Change CISCO settings: Write
Tasks: None
Reports: None
Other: None

Functional area: System management: Operating system deployment
Rights: Deploy PXE servers, Read, Modify, Execute, Perform operations on device selections
User actions (right required to perform the action):
  Deploy PXE servers: Deploy PXE servers
  View a list of PXE servers: Read
  Start or stop the installation process on PXE clients: Execute
  Manage drivers for WinPE and operating system images: Modify
Tasks: "Create installation package upon reference device OS image"
Reports: None
Other: Installation package "…Image"

Functional area: System management: Vulnerability and patch management
Rights: Read, Modify, Execute, Perform operations on device selections
User actions (right required to perform the action):
  View third-party patch properties: Read
  Change third-party patch properties: Modify
Tasks: "Perform Windows Update synchronization", "Install Windows Update updates", "Fix vulnerabilities", "Install required updates and fix vulnerabilities"
Reports: "Report on software updates"
Other: None

Functional area: System management: Remote installation
Rights: Read, Modify, Execute, Perform operations on device selections
User actions (right required to perform the action):
  View third-party Vulnerability and Patch Management based installation package properties: Read
  Change third-party Vulnerability and Patch Management based installation package properties: Modify
Tasks: None
Reports: None
Other: Installation packages "Cus… appl…", "VAP… pack…"

Functional area: System management: Software inventory
Rights: Read, Modify, Execute, Perform operations on device selections
User actions: None
Tasks: None
Reports: "Report on installed applications", "Report on applications registry history", "Report on status of licensed applications groups", "Report on third-party software license keys"
Other: None
Predefined user roles


User roles assigned to Kaspersky Security Center users provide them with sets of access rights to application
features.
You can use the predefined user roles with an already configured set of rights, or create new roles and configure the
required rights yourself. Some of the predefined user roles available in Kaspersky Security Center can be
associated with specific job positions, for example, Auditor, Security Officer, Supervisor (these roles are present
in Kaspersky Security Center starting from the version 11). Access rights of these roles are pre-configured in
accordance with the standard tasks and scope of duties of the associated positions. The table below shows how
roles can be associated with specific job positions.

Examples of roles for specific job positions

Auditor: Permits all operations with all types of reports, all viewing operations, including viewing deleted
objects (grants the Read and Write permissions in the Deleted objects area). Does not permit other operations.
You can assign this role to a person who performs the audit of your organization.

Supervisor: Permits all viewing operations; does not permit other operations. You can assign this role to a
security officer and other managers in charge of the IT security in your organization.

Security Officer: Permits all viewing operations, permits reports management; grants limited permissions in the
System management: Connectivity area. You can assign this role to an officer in charge of the IT security in your
organization.

The table below shows the access rights assigned to each predefined user role.

Access rights of predefined user roles

Administration Server Administrator: Permits all operations in the following functional areas:
  General features:
    Basic functionality
    Event processing
    Hierarchy of Administration Servers
    Virtual Administration Servers
  System management:
    Connectivity
    Hardware inventory
    Software inventory

Administration Server Operator: Grants the Read and Execute rights in all of the following functional areas:
  General features:
    Basic functionality
    Virtual Administration Servers
  System management:
    Connectivity
    Hardware inventory
    Software inventory

Auditor: Permits all operations in the following functional areas, in General features:
  Access objects regardless of their ACLs
  Deleted objects
  Enforced report management
You can assign this role to a person who performs the audit of your organization.

Installation Administrator: Permits all operations in the following functional areas:
  General features:
    Basic functionality
    Kaspersky software deployment
    License key management
  System management:
    Operating system deployment
    Vulnerability and patch management
    Remote installation
    Software inventory
Grants the Read and Execute rights in the General features: Virtual Administration Servers functional area.

Installation Operator: Grants the Read and Execute rights in all of the following functional areas:
  General features:
    Basic functionality
    Kaspersky software deployment (also grants the Manage Kaspersky patches right in this area)
    Virtual Administration Servers
  System management:
    Operating system deployment
    Vulnerability and patch management
    Remote installation
    Software inventory

Kaspersky Endpoint Security Administrator: Permits all operations in the following functional areas:
  General features: Basic functionality
  Kaspersky Endpoint Security area, including all features

Kaspersky Endpoint Security Operator: Grants the Read and Execute rights in all of the following functional areas:
  General features: Basic functionality
  Kaspersky Endpoint Security area, including all features

Main Administrator: Permits all operations in functional areas, except for the following areas, in General features:
  Access objects regardless of their ACLs
  Enforced report management

Main Operator: Grants the Read and Execute (where applicable) rights in all of the following functional areas:
  General features:
    Basic functionality
    Deleted objects
    Operations on Administration Server
    Kaspersky software deployment
    Virtual Administration Servers
  Mobile Device Management: General
  System management, including all features
  Kaspersky Endpoint Security area, including all features

Mobile Device Management Administrator: Permits all operations in the following functional areas:
  General features: Basic functionality
  Mobile Device Management: General

Mobile Device Management Operator: Grants the Read and Execute rights in the General features: Basic functionality
functional area. Grants Read and Send only information commands to mobile devices in the Mobile Device
Management: General functional area.

Security Officer: Permits all operations in the following functional areas, in General features:
  Access objects regardless of their ACLs
  Enforced report management
Grants the Read, Modify, Execute, Save files from devices to the administrator's workstation, and Perform
operations on device selections rights in the System management: Connectivity functional area.
You can assign this role to an officer in charge of the IT security in your organization.

Self Service Portal User: Permits all operations in the Mobile Device Management: Self Service Portal functional
area. This feature is not supported in Kaspersky Security Center 11 and later versions.

Supervisor: Grants the Read right in the General features: Access objects regardless of their ACLs and General
features: Enforced report management functional areas.
You can assign this role to a security officer and other managers in charge of the IT security in your organization.

Vulnerability and Patch Management Administrator: Permits all operations in the General features: Basic
functionality and System management (including all features) functional areas.

Vulnerability and Patch Management Operator: Grants the Read and Execute (where applicable) rights in the
General features: Basic functionality and System management (including all features) functional areas.
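The rule stated above, that an action needs the right listed for it and that working on a device selection additionally needs the Perform operations on device selections right in the same functional area, is easiest to see as a check over a user's roles. The following Python model is an added example and is not Kaspersky code; the area names and the rights assigned to the Auditor, Supervisor, and Administration Server Operator roles are transcribed from the tables above, while the Role class, can_perform, and the sample checks are assumptions made for the illustration.

```python
from dataclasses import dataclass

DEVICE_SELECTIONS = "Perform operations on device selections"

# Functional areas used below and the rights that exist in each
# (transcribed from the access rights table; only the areas needed here).
BASIC = "General features: Basic functionality"
ACL_BYPASS = "General features: Access objects regardless of their ACLs"
DELETED = "General features: Deleted objects"
REPORTS = "General features: Enforced report management"

AREA_RIGHTS = {
    BASIC: frozenset({"Read", "Modify", "Execute", DEVICE_SELECTIONS}),
    ACL_BYPASS: frozenset({"Read"}),
    DELETED: frozenset({"Read", "Modify"}),
    REPORTS: frozenset({"Read", "Modify"}),
}


@dataclass
class Role:
    """Hypothetical role object: functional area -> rights granted in that area."""
    name: str
    rights: dict


def all_rights(*areas):
    """'Permits all operations' in the given areas: every right the area defines."""
    return {area: AREA_RIGHTS[area] for area in areas}


def only_rights(rights, *areas):
    """'Grants the X and Y rights' in the given areas, limited to rights the area defines."""
    return {area: frozenset(rights) & AREA_RIGHTS[area] for area in areas}


# Predefined roles as described in the tables above (subset of areas).
PREDEFINED_ROLES = {
    "Auditor": Role("Auditor", all_rights(ACL_BYPASS, DELETED, REPORTS)),
    "Supervisor": Role("Supervisor", only_rights({"Read"}, ACL_BYPASS, REPORTS)),
    "Administration Server Operator": Role(
        "Administration Server Operator", only_rights({"Read", "Execute"}, BASIC)),
}


def granted_rights(roles, area):
    """Union of the rights that the given roles grant in one functional area."""
    granted = set()
    for role in roles:
        granted |= role.rights.get(area, frozenset())
    return granted


def can_perform(roles, area, right, on_device_selection=False):
    """True if a user holding `roles` may perform an action in `area` that needs `right`.

    Managing a task, report, or setting on a device selection also needs the
    'Perform operations on device selections' right in the same area.
    """
    granted = granted_rights(roles, area)
    if right not in granted:
        return False
    if on_device_selection and DEVICE_SELECTIONS not in granted:
        return False
    return True


if __name__ == "__main__":
    operator = PREDEFINED_ROLES["Administration Server Operator"]
    # The operator may run a task, but not on a device selection.
    print(can_perform([operator], BASIC, "Execute"))                            # True
    print(can_perform([operator], BASIC, "Execute", on_device_selection=True))  # False
```

Because rights are unioned across roles, a user who holds both Operator and Auditor gets Modify in Deleted objects from Auditor even though Operator has no rights there; when reviewing a user's effective access, check the union, not each role on its own.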

Adding an account of an internal user


To add a new internal user account to Kaspersky Security Center:

1. In the main menu, go to USERS & ROLES → USERS.

2. Click Add.

3. In the New entity window that opens, specify the settings of the new user account:

Keep the default option User.

Name.

Password for the user connection to Kaspersky Security Center.


The password must comply with the following rules:

The password must be 8 to 16 characters long.

The password must contain characters from at least three of the groups listed below:

Uppercase letters (A-Z)

Lowercase letters (a-z)

Numbers (0-9)

Special characters (@ # $ % ^ & * - _ ! + = [ ] { } | : ' , . ? / \ ` ~ " ( ) ;)

The password must not contain any whitespaces, Unicode characters, or the combination of "." and "@",
when "." is placed before "@".

To see the characters that you entered, click and hold the Show button.

The number of attempts for entering the password is limited. By default, the maximum number of
allowed password entry attempts is 10. You can change the allowed number of attempts to enter a
password, as described in "Changing the number of allowed password entry attempts".

If the user enters an invalid password the specified number of times, the user account is blocked for
one hour. You can unblock the user account only by changing the password.

Full name

Description

Email address

Phone

4. Click OK to save the changes.

The new user account appears in the list of users and user groups.

Creating a user group


To create a user group:

1. In the main menu, go to USERS & ROLES → USERS.

2. Click Add.

3. In the New entity window that opens, select Group.

4. Specify the following settings for the new user group:

Group name

Description

5. Click OK to save the changes.

The new user group appears in the list of users and user groups.

Editing an account of an internal user


To edit an internal user account in Kaspersky Security Center:
1. In the main menu, go to USERS & ROLES → USERS.

2. Click the name of the user account that you want to edit.

3. In the user settings window that opens, on the General tab, change the settings of the user account:

Description

Full name

Email address

Main phone

Set new password for the user connection to Kaspersky Security Center.
The password must comply with the following rules:

The password must be 8 to 16 characters long.

The password must contain characters from at least three of the groups listed below:

Uppercase letters (A-Z)

Lowercase letters (a-z)

Numbers (0-9)

Special characters (@ # $ % ^ & * - _ ! + = [ ] { } | : ' , . ? / \ ` ~ " ( ) ;)

The password must not contain any whitespaces, Unicode characters, or the combination of "." and "@",
when "." is placed before "@".

To see the entered password, click and hold the Show button.

The number of attempts for entering the password is limited. By default, the maximum number of
allowed password entry attempts is 10. You can change the allowed number of attempts; however, for
security reasons, we do not recommend that you decrease this number. If the user enters an invalid
password the specified number of times, the user account is blocked for one hour. You can unblock the
user account only by changing the password.

If necessary, switch the toggle button to Disabled to prohibit the user from connecting to the application.
You can disable an account, for example, after an employee leaves the company.

4. On the Authentication security tab, you can specify the security settings for this account.

5. On the Groups tab, you can add the user to security groups.

6. On the Devices tab, you can assign devices to the user.

7. On the Roles tab, you can assign roles to the user.

8. Click Save to save the changes.

The updated user account appears in the list of users and security groups.
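The password rules and the attempt limit described in "Adding an account of an internal user" and in the procedure above can be checked before an administrator submits them, for example in a provisioning script. The following Python code is an added example, not Kaspersky's implementation: the rule set (8 to 16 characters, at least three of the four character groups, no whitespace, no Unicode, no "." before "@") and the defaults (10 attempts, one-hour block, unblock by password change) are taken from this page; the InternalAccount class, the salted PBKDF2 storage, the reading of "." before "@" as any dot preceding any "@", and the rejection of ASCII characters outside the four groups are assumptions made for the illustration.

```python
import hashlib
import hmac
import secrets
import string
import time

# Character groups named by the password rules on this page.
UPPER = frozenset(string.ascii_uppercase)
LOWER = frozenset(string.ascii_lowercase)
DIGITS = frozenset(string.digits)
SPECIAL = frozenset("@#$%^&*-_!+=[]{}|:',.?/\\`~\"();")
PERMITTED = UPPER | LOWER | DIGITS | SPECIAL

MAX_ATTEMPTS = 10          # default number of allowed password entry attempts
LOCKOUT_SECONDS = 60 * 60  # the account is blocked for one hour


def password_violations(password: str) -> list:
    """Return the rules the password breaks (an empty list means it is acceptable)."""
    problems = []
    if not 8 <= len(password) <= 16:
        problems.append("must be 8 to 16 characters long")
    if any(ch.isspace() for ch in password):
        problems.append("must not contain whitespace")
    if any(ord(ch) > 127 for ch in password):
        problems.append("must not contain Unicode (non-ASCII) characters")
    elif any(ch not in PERMITTED and not ch.isspace() for ch in password):
        # Assumption: ASCII characters outside the four listed groups are rejected too.
        problems.append("contains a character outside the permitted groups")
    groups_used = sum(1 for group in (UPPER, LOWER, DIGITS, SPECIAL)
                      if any(ch in group for ch in password))
    if groups_used < 3:
        problems.append("must use characters from at least three of the four groups")
    # Assumption: "'.' placed before '@'" is read as any '.' preceding any '@'.
    first_dot, last_at = password.find("."), password.rfind("@")
    if first_dot != -1 and last_at != -1 and first_dot < last_at:
        problems.append("must not contain '.' before '@'")
    return problems


def _derive_key(password: str, salt: bytes) -> bytes:
    # Salted PBKDF2 stands in for whatever the product stores; only the lockout logic matters here.
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 100_000)


class InternalAccount:
    """Constructed model of one internal user account: password rules, attempt limit, lockout."""

    def __init__(self, password: str, clock=time.time, max_attempts: int = MAX_ATTEMPTS):
        self._clock = clock                 # injectable so the lockout can be tested offline
        self.max_attempts = max_attempts
        self.failed_attempts = 0
        self.blocked_until = 0.0
        self.set_password(password)

    def set_password(self, password: str) -> None:
        problems = password_violations(password)
        if problems:
            raise ValueError("; ".join(problems))
        self._salt = secrets.token_bytes(16)
        self._key = _derive_key(password, self._salt)
        # Changing the password is the way an administrator unblocks the account.
        self.failed_attempts = 0
        self.blocked_until = 0.0

    def is_blocked(self) -> bool:
        return self._clock() < self.blocked_until

    def authenticate(self, password: str) -> bool:
        if self.is_blocked():
            return False  # even a correct password is refused while the block lasts
        if hmac.compare_digest(_derive_key(password, self._salt), self._key):
            self.failed_attempts = 0
            return True
        self.failed_attempts += 1
        if self.failed_attempts >= self.max_attempts:
            self.blocked_until = self._clock() + LOCKOUT_SECONDS
            self.failed_attempts = 0
        return False


if __name__ == "__main__":
    print(password_violations("Passw0rd!"))   # [] (constructed sample, acceptable)
    print(password_violations("Ab1.xy@z"))    # rejected: '.' before '@'
```

Note that the block applies to the account, not to the connection, so an attacker who knows a user name can lock that account out for an hour with ten bad attempts; this is the reason the page advises against lowering the attempt limit, and a reason to alert on repeated failed logons for internal accounts rather than rely on the lockout alone.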

Editing a user group

You can edit only internal groups.

To edit a user group:

1. In the main menu, go to USERS & ROLES → USERS.

2. Click the name of the user group that you want to edit.

3. In the group settings window that opens, change the settings of the user group:

Name

Description

4. Click Save to save the changes.

The updated user group appears in the list of users and user groups.

Adding user accounts to an internal group

You can add only accounts of internal users to an internal group.

To add user accounts to an internal group:

1. In the main menu, go to USERS & ROLES → USERS.

2. Select check boxes next to user accounts that you want to add to a group.

3. Click the Assign group button.

4. In the Assign group window that opens, select the group to which you want to add user accounts.

5. Click the Assign button.

The user accounts are added to the group.

Assigning a user as a device owner

For information about assigning a user as a mobile device owner, see Kaspersky Security for Mobile Help.

To assign a user as a device owner:

1. In the main menu, go to USERS & ROLES → USERS.

2. Click the name of the user account that you want to assign as a device owner.

3. In the user settings window that opens, select the Devices tab.

4. Click Add.

5. From the device list, select the device that you want to assign to the user.

6. Click OK.

The selected device is added to the list of devices assigned to the user.

You can perform the same operation at DEVICES → MANAGED DEVICES, by clicking the name of the device that
you want to assign, and then clicking the Manage device owner link.

Deleting a user or a security group

You can delete only internal users or internal security groups.

To delete a user or a security group:

1. In the main menu, go to USERS & ROLES → USERS.

2. Select the check box next to the user or the security group that you want to delete.

3. Click Delete.

4. In the window that opens, click OK.

The user or the security group is deleted.

Creating a user role


To create a user role:

1. In the main menu, go to USERS & ROLES → Roles.

2. Click Add.

3. In the New role name window that opens, enter the name of the new role.

4. Click OK to apply the changes.

5. In the role properties window that opens, change the settings of the role:

On the General tab, edit the role name.
You cannot edit the name of a predefined role.

On the Settings tab, edit the role scope and policies and profiles associated with the role.

On the Access rights tab, edit the rights for access to Kaspersky applications.

6. Click Save to save the changes.

The new role appears in the list of user roles.

Editing a user role


To edit a user role:

1. In the main menu, go to USERS & ROLES → Roles.

2. Click the name of the role that you want to edit.

3. In the role properties window that opens, change the settings of the role:

On the General tab, edit the role name.


You cannot edit the name of a predefined role.

On the Settings tab, edit the role scope and policies and profiles associated with the role.

On the Access rights tab, edit the rights for access to Kaspersky applications.

4. Click Save to save the changes.

The updated role appears in the list of user roles.

Editing the scope of a user role


A user role scope is a combination of users and administration groups. Settings associated with a user role apply
only to devices that belong to users who have this role, and only if these devices belong to groups associated with
this role, including child groups.

To add users, security groups, and administration groups to the scope of a user role, you can use either of the
following methods:

Method 1:

1. In the main menu, go to USERS & ROLES → USERS.

2. Select check boxes next to the users and security groups that you want to add to the user role scope.

3. Click the Assign role button.


The Role Assignment Wizard starts. Proceed through the Wizard by using the Next button.
4. On the Select role page of the Wizard, select the user role that you want to assign.

5. On the Define scope page of the Wizard, select the administration group that you want to add to the user role
scope.

6. Click the Assign role button to close the Wizard.

The selected users or security groups and the selected administration group are added to the scope of the user
role.

Method 2:

1. In the main menu, go to USERS & ROLES → Roles.

2. Click the name of the role for which you want to define the scope.

3. In the role properties window that opens, select the Settings tab.

4. In the Role scope section, click Add.


The Role Assignment Wizard starts. Proceed through the Wizard by using the Next button.

5. On the Define scope page of the Wizard, select the administration group that you want to add to the user role
scope.

6. On the Select users page of the Wizard, select users and security groups that you want to add to the user role
scope.

7. Click the Assign role button to close the Wizard.

8. Close the role properties window.

The selected users or security groups and the selected administration group are added to the scope of the user
role.

Deleting a user role


To delete a user role:

1. In the main menu, go to USERS & ROLES → Roles.

2. Select the check box next to the name of the role that you want to delete.

3. Click Delete.

4. In the window that opens, click OK.

The user role is deleted.

Associating policy pro les with roles


You can associate user roles with policy profiles. In this case, the activation rule for this policy profile is based on
the role: the policy profile becomes active for a user that has the specified role.

For example, the policy bars any GPS navigation software on all devices in an administration group. GPS navigation
software is necessary only on a single device in the Users administration group—the device owned by a courier. In
this case, you can assign a "Courier" role to its owner, and then create a policy pro le allowing GPS navigation
software to run only on the devices whose owners are assigned the "Courier" role. All the other policy settings are
preserved. Only the user with the role "Courier" will be allowed to run GPS navigation software. Later, if another
worker is assigned the "Courier" role, the new worker also can run navigation software on your organization's
device. Running GPS navigation software will still be prohibited on other devices in the same administration group.
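How the role scope rule and the "Courier" example above play out, as an added Python model that is not part of the Kaspersky documentation or product; the group tree, user names, device names and the gps_navigation_allowed setting are constructed for illustration:

```python
from dataclasses import dataclass

# Constructed sample administration group tree (child -> parent);
# None marks the root group.
GROUP_PARENT = {
    "Managed devices": None,
    "Users": "Managed devices",
    "Users/Couriers": "Users",
    "Servers": "Managed devices",
}


def group_lineage(group):
    """Return the group and all of its parent groups, nearest first."""
    lineage = []
    while group is not None:
        lineage.append(group)
        group = GROUP_PARENT[group]
    return lineage


@dataclass(frozen=True)
class Device:
    name: str
    owner: str   # user account assigned as the device owner
    group: str   # administration group the device belongs to


@dataclass
class Role:
    name: str
    members: set   # users assigned this role
    groups: set    # administration groups in the role scope

    def covers(self, device):
        """Role settings reach a device only if its owner holds the role AND
        the device sits in a scoped group or one of its child groups."""
        if device.owner not in self.members:
            return False
        return any(g in self.groups for g in group_lineage(device.group))


@dataclass
class PolicyProfile:
    name: str
    role: Role       # activation rule: active when role.covers(device)
    overrides: dict  # settings that replace the policy values while active


def effective_settings(policy, profiles, device):
    """Apply every profile whose role covers the device on top of the policy."""
    settings = dict(policy)
    for profile in profiles:
        if profile.role.covers(device):
            settings.update(profile.overrides)
    return settings


def courier_scenario():
    """Reproduce the GPS navigation example: the policy forbids GPS software
    in the Users group; only devices owned by Courier role holders get it."""
    policy = {"gps_navigation_allowed": False}
    courier = Role("Courier", members={"alice"}, groups={"Users"})
    profiles = [PolicyProfile("Allow GPS for couriers", courier,
                              {"gps_navigation_allowed": True})]
    devices = [
        Device("laptop-alice", owner="alice", group="Users/Couriers"),
        Device("laptop-bob", owner="bob", group="Users"),
        # alice owns this one too, but Servers is outside the role scope
        Device("server-alice", owner="alice", group="Servers"),
    ]
    before = {d.name: effective_settings(policy, profiles, d)["gps_navigation_allowed"]
              for d in devices}

    # Later, carol is assigned the Courier role: her device is allowed too,
    # with no change to the policy or the profile.
    courier.members.add("carol")
    carol_device = Device("laptop-carol", owner="carol", group="Users")
    after = effective_settings(policy, profiles, carol_device)["gps_navigation_allowed"]
    return before, after


if __name__ == "__main__":
    print(courier_scenario())
```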

To associate a role with a policy profile:

1. In the main menu, go to USERS & ROLES → Roles.

2. Click the name of the role that you want to associate with a policy profile.
The role properties window opens with the General tab selected.

3. Select the Settings tab, and scroll down to the Policies & Profiles section.

4. Click Edit.

5. To associate the role with:

An existing policy profile—Click the chevron icon next to the required policy name, and then select the
check box next to the profile with which you want to associate the role.

A new policy profile:

a. Select the check box next to the policy for which you want to create a pro le.

b. Click New policy profile.

c. Specify a name for the new profile and configure the profile settings.

d. Click the Save button.

e. Select the check box next to the new profile.

6. Click Assign to role.

The profile is associated with the role and appears in the role properties. The profile applies automatically to any
device whose owner is assigned the role.

Managing objects in Kaspersky Security Center Web Console


This section contains information about object revision management. Kaspersky Security Center allows you to
track object modification. Every time you save changes made to an object, a revision is created. Each revision has a
number.

Application objects that support revision management include:

Administration Servers

Policies

Tasks

Administration groups

User accounts

Installation packages

You can perform the following actions on object revisions:

Compare a selected revision to the current one

Compare selected revisions

Compare an object to a selected revision of another object of the same type

View a selected revision

Roll back changes made to an object to a selected revision

Save revisions as a .txt file

In the properties window of any object that supports revision management, the Revision history section displays a
list of object revisions with the following details:

Object revision number

Date and time the object was modified

Name of the user who modified the object

Action performed on the object

Description of the revision related to the change made to the object settings

By default, the object revision description is blank. To add a description to a revision, select the relevant revision
and click the Description button. In the Object revision description window, enter some text for the revision
description.

Adding a revision description


Kaspersky Security Center allows you to track object modification. Every time you save changes made to an
object, a revision is created. Each revision has a number.

You can add a description for the revision to simplify the search for revisions in the list.

To add a description for a revision:

1. Proceed to the Revision history section of the object.

2. In the list of object revisions, select the revision for which you need to add a description.

3. Click the Edit description button.
The Description window opens.

4. In the Description window, enter some text for the revision description.
By default, the object revision description is blank.

5. Click the Save button.

The description is added for the revision of the object.

Deleting an object
You can delete objects such as policies, tasks, installation packages, internal users, and internal user groups if you
have Modify permission, which is in the Basic functionality category of rights.

To delete an object:

1. Select the object or several objects you want to delete.

2. Click the Delete button.

3. Click the OK button to confirm the deletion of the selected objects.

The selected object or objects will be deleted, and the information about them will be stored in the database.

Kaspersky Security Network (KSN)


This section describes how to use an online service infrastructure named Kaspersky Security Network (KSN). The
section provides the details on KSN, as well as instructions on how to enable KSN, configure access to KSN, and
view the statistics of the use of KSN proxy server.

About KSN
Kaspersky Security Network (KSN) is an online service infrastructure that provides access to the online Knowledge
Base of Kaspersky, which contains information about the reputation of files, web resources, and software. The use
of data from Kaspersky Security Network ensures faster responses by Kaspersky applications to threats, improves
the effectiveness of some protection components, and reduces the risk of false positives. KSN allows you to use
Kaspersky reputation databases to retrieve information about applications installed on managed devices.

Kaspersky Security Center supports the following KSN infrastructure solutions:

Global KSN is a solution that allows you to exchange information with Kaspersky Security Network. If you
participate in KSN, you agree to send to Kaspersky, in automatic mode, information about the operation of
Kaspersky applications installed on client devices that are managed through Kaspersky Security Center.
Information is transferred in accordance with the current KSN access settings. Kaspersky analysts additionally
analyze received information and include it in the reputation and statistical databases of Kaspersky Security
Network. Kaspersky Security Center uses this solution by default.

Private KSN is a solution that allows users of devices with Kaspersky applications installed to obtain access to
reputation databases of Kaspersky Security Network, and other statistical data, without sending data to KSN
from their own computers. Kaspersky Private Security Network (Private KSN) is designed for corporate
customers who are unable to participate in Kaspersky Security Network for any of the following reasons:

User devices are not connected to the internet.

Transmission of any data outside the country or outside the corporate LAN is prohibited by law or restricted
by corporate security policies.

You can set up access settings of Kaspersky Private Security Network in the KSN Proxy settings section of
the Administration Server properties window.

The application prompts you to join KSN while running the Quick Start Wizard. You can start or stop using KSN at
any moment when using the application.

You use KSN in accordance with the KSN Statement that you read and accept when you enable KSN. If the KSN
Statement is updated, it is displayed to you when you update or upgrade Administration Server. You can accept
the updated KSN Statement or decline it. If you decline it, you keep using KSN in accordance with the previous
version of KSN Statement that you accepted before.

When KSN is enabled, Kaspersky Security Center checks if the KSN servers are accessible. If access to the servers
using system DNS is not possible, the application uses public DNS. This is necessary to make sure the level of
security is maintained for the managed devices.

Client devices managed by the Administration Server interact with KSN through KSN proxy server. KSN proxy
server provides the following features:

Client devices can send requests to KSN and transfer information to KSN even if they do not have direct
access to the internet.

The KSN proxy server caches processed data, thus reducing the load on the outbound channel and the time
period spent for waiting for information requested by a client device.

You can con gure the KSN proxy server in the KSN Proxy settings section of the Administration Server properties
window.

Setting up access to KSN


You can set up access to Kaspersky Security Network (KSN) on the Administration Server and on a distribution
point.

To set up Administration Server access to KSN:

1. Click the settings icon next to the name of the required Administration Server.
The Administration Server properties window opens.

2. On the General tab, select the KSN Proxy settings section.

3. Switch the toggle button to the Enable KSN Proxy on Administration Server ENABLED position.
Data is sent from client devices to KSN in accordance with the Kaspersky Endpoint Security policy, which is
active on those client devices. If this toggle button is disabled, no data will be sent to KSN from the Administration
Server and client devices through Kaspersky Security Center. However, client devices can send data to KSN
directly (bypassing Kaspersky Security Center), in accordance with their respective settings. The Kaspersky
Endpoint Security policy, which is active on client devices, determines which data will be sent directly
(bypassing Kaspersky Security Center) from those devices to KSN.

4. Switch the toggle button to the Use Kaspersky Security Network ENABLED position.
If this option is enabled, client devices send patch installation results to Kaspersky. When enabling this option,
make sure to read and accept the terms of the KSN Statement.
If you are using Private KSN, switch the toggle button to the Use Kaspersky Private Security Network
ENABLED position and click the Select file with KSN Proxy settings button to download the settings of
Private KSN (files with the extensions pkcs7 and pem). After the settings are downloaded, the interface displays
the provider's name and contacts, as well as the creation date of the file with the settings of Private KSN.

When you enable Private KSN, pay attention to the distribution points configured to send KSN requests
directly to the Cloud KSN. The distribution points that have Network Agent version 11 (or earlier) installed
will continue to send KSN requests to the Cloud KSN. To reconfigure the distribution points to send KSN
requests to Private KSN, enable the Forward KSN requests to Administration Server option for each
distribution point. You can enable this option in the distribution point properties or in the Network Agent
policy.

When you switch the toggle button to the Use Kaspersky Private Security Network ENABLED position, a
message appears with details about Private KSN.
The following Kaspersky applications support Private KSN:

Kaspersky Security Center

Kaspersky Endpoint Security for Windows

Kaspersky Endpoint Security for Linux

Kaspersky Security for Virtualization 3.0 Agentless Service Pack 2

Kaspersky Security for Virtualization 3.0 Service Pack 1 Light Agent

If you enable Private KSN in Kaspersky Security Center, these applications receive information about
supporting Private KSN. In the settings window of the application, in the Kaspersky Security Network
subsection of the Advanced Threat Protection section, KSN provider: Private KSN is displayed. Otherwise,
KSN provider: Global KSN is displayed.

If you use application versions earlier than Kaspersky Security for Virtualization 3.0 Agentless Service Pack
2 or earlier than Kaspersky Security for Virtualization 3.0 Service Pack 1 Light Agent when running Private
KSN, we recommend that you use secondary Administration Servers for which the use of Private KSN has
not been enabled.

Kaspersky Security Center does not send any statistical data to Kaspersky Security Network if Private
KSN is configured in the KSN Proxy settings section of the Administration Server properties window.

5. If you have the proxy server settings configured in the Administration Server properties, but your network
architecture requires that you use Private KSN directly, enable the Ignore proxy server settings when
connecting to Private KSN option. Otherwise, requests from the managed applications cannot reach Private
KSN.

6. Configure the Administration Server connection to the KSN proxy service:

Under Connection settings, for the TCP port, specify the number of the TCP port that will be used for
connecting to the KSN proxy server. The default port to connect to the KSN proxy server is 13111.

If you want the Administration Server to connect to the KSN proxy server through a UDP port, enable the
Use UDP port option and specify a port number for the UDP port. By default, this option is disabled, and
TCP port is used. If this option is enabled, the default UDP port to connect to the KSN proxy server is 15111.

7. Switch the toggle button to the Connect secondary Administration Servers to KSN through primary
Administration Server ENABLED position.
If this option is enabled, secondary Administration Servers use the primary Administration Server as the KSN
proxy server. If this option is disabled, secondary Administration Servers connect to KSN on their own. In this
case, managed devices use secondary Administration Servers as KSN proxy servers.

Secondary Administration Servers use the primary Administration Server as a proxy server if in the right
pane of the KSN Proxy settings section, in the properties of secondary Administration Servers the toggle
button is switched to the Enable KSN Proxy on Administration Server ENABLED position.

8. Click the Save button.

The KSN access settings will be saved.

You can also set up distribution point access to KSN, for example, if you want to reduce the load on the
Administration Server. The distribution point that acts as a KSN proxy server sends KSN requests from managed
devices to Kaspersky directly, without using the Administration Server.

To set up distribution point access to Kaspersky Security Network (KSN):

1. Make sure that the distribution point is assigned manually.

2. In the main menu, click the settings icon next to the name of the required Administration Server.
The Administration Server properties window opens.

3. On the General tab, select the Distribution points section.

4. Click the name of the distribution point to open its properties window.

5. In the distribution point properties window, in the KSN Proxy section, enable the Enable KSN Proxy on
distribution point side option, and then enable the Access KSN Cloud/Private KSN directly over the internet
option.

6. Click OK.

The distribution point will act as a KSN proxy server.

Enabling and disabling KSN


To enable KSN:

1. Click the settings icon next to the name of the required Administration Server.
The Administration Server properties window opens.

2. On the General tab, select the KSN Proxy settings section.

3. Switch the toggle button to the Enable KSN Proxy on Administration Server ENABLED position.
The KSN proxy server is enabled.
4. Switch the toggle button to the Use Kaspersky Security Network ENABLED position.
KSN will be enabled.
If the toggle button is enabled, client devices send patch installation results to Kaspersky. When enabling this
toggle button, you should read and accept the terms of the KSN Statement.

5. Click the Save button.

To disable KSN:

1. Click the settings icon next to the name of the required Administration Server.
The Administration Server properties window opens.

2. On the General tab, select the KSN Proxy settings section.

3. Switch the toggle button to the Enable KSN Proxy on Administration Server DISABLED position to disable
the KSN proxy service, or switch the toggle button to the Use Kaspersky Security Network DISABLED
position.
If one of these toggle buttons is disabled, client devices will send no patch installation results to Kaspersky.
If you are using Private KSN, switch the toggle button to the Use Kaspersky Private Security Network
DISABLED position.
KSN will be disabled.

4. Click the Save button.

Viewing the accepted KSN Statement


When you enable Kaspersky Security Network (KSN), you must read and accept the KSN Statement. You can view
the accepted KSN Statement at any time.

To view the accepted KSN Statement:

1. Click the settings icon next to the name of the required Administration Server.
The Administration Server properties window opens.

2. On the General tab, select the KSN Proxy settings section.

3. Click the View Kaspersky Security Network Statement link.

In the window that opens, you can view the text of the accepted KSN Statement.

Accepting an updated KSN Statement


You use KSN in accordance with the KSN Statement that you read and accept when you enable KSN. If the KSN
Statement is updated, it is displayed to you when you update or upgrade Administration Server. You can accept
the updated KSN Statement or decline it. If you decline it, you will continue using KSN in accordance with the
version of the KSN Statement that you previously accepted.

After updating or upgrading Administration Server, the updated KSN Statement is displayed automatically. If you
decline the updated KSN Statement, you can still view and accept it later.

To view and then accept or decline an updated KSN Statement:

1. Click the View notifications link in the upper-right corner of the main application window.
The Notifications window opens.

2. Click the View the updated KSN Statement link.


The Kaspersky Security Network Statement update window opens.

3. Read the KSN Statement, and then make your decision by clicking one of the following buttons:

I accept the updated KSN Statement

Use KSN under the old Statement

Depending on your choice, KSN keeps working in accordance with the terms of the current or updated KSN
Statement. You can view the text of the accepted KSN Statement in the properties of Administration Server at
any time.

Checking whether the distribution point works as KSN proxy server


On a managed device assigned to work as a distribution point, you can enable KSN proxy server. A managed device
works as KSN proxy server when the ksnproxy service is running on the device. You can check, turn on, or turn off
this service on the device locally.

You can assign a Windows-based or a Linux-based device as a distribution point. The method of distribution point
checking depends on the operating system of this distribution point.

To check whether the Windows-based distribution point works as KSN proxy server:

1. On the distribution point device, in Windows, open Services (All Programs → Administrative Tools →
Services).

2. In the list of services, check whether the ksnproxy service is running.


If the ksnproxy service is running, then Network Agent on the device participates in Kaspersky Security
Network and works as KSN proxy server for the managed devices included in the scope of the distribution
point.

If you want, you may turn off the ksnproxy service. In this case, Network Agent on the distribution point stops
participating in Kaspersky Security Network. This requires local administrator rights.

To check whether the Linux-based distribution point works as KSN proxy server:

1. On the distribution point device, display the list of running processes.

2. In the list of running processes, check whether the /opt/kaspersky/ksc64/sbin/ksnproxy process is running.

If the /opt/kaspersky/ksc64/sbin/ksnproxy process is running, then Network Agent on the device participates in
Kaspersky Security Network and works as the KSN proxy server for the managed devices included in the scope of
the distribution point.

Scenario: Upgrading Kaspersky Security Center and managed security
applications
This section gives a brief scenario for upgrading Kaspersky Security Center and the managed security
applications.

The Kaspersky Security Center and managed security applications upgrade proceeds in stages:

1 Checking the hardware and software requirements

Ensure your hardware meets the requirements and install the required updates.

2 Planning the resources

Assess how much disk space your database occupies. Make sure that you have enough disk space to store the
backup copy of the Administration Server settings and the database.

3 Getting the installer file for Kaspersky Security Center

Get the executable file for the current version of Kaspersky Security Center and save it on the device that will
work as the Administration Server. Read the Release Notes of the version of Kaspersky Security Center that you
want to use.

4 Creating a backup copy of the previous version

Use the data backup and recovery utility to create a backup copy of the Administration Server data. You can also
create a backup task.

It is recommended to export the list of installed plug-ins.

5 Running the installer

Run the executable file for the latest version of Kaspersky Security Center. When running the file, specify that
you have a backup copy and specify its location. Your data will be restored from the backup.

6 Upgrading the managed applications

You can upgrade the application if there is a newer version available. Read the list of supported Kaspersky
applications and make sure that your version of Kaspersky Security Center is compatible with this application.
Then perform the upgrade of the application as described in its release notes.

Results

Upon completion of the upgrade scenario, make sure that the new version of Administration Server is successfully
installed in Microsoft Management Console. Click Help → About Kaspersky Security Center. The version is
displayed.

To make sure that you are using the new version of Administration Server in Kaspersky Security Center Web
Console, at the top of the screen click the settings icon next to the name of the Administration Server. In the
Administration Server properties window that opens, on the General tab, select the General section. The version
is displayed.

If you need to recover Administration Server data, follow the steps described in the following topic: Data backup
and recovery in interactive mode.

If you upgraded a managed security application, make sure that it is correctly installed on the managed device(s).
For more information, please refer to the documentation of this application.
Updating Kaspersky databases and applications
This section describes steps you must take to regularly update the following:

Kaspersky databases and software modules

Installed Kaspersky applications, including Kaspersky Security Center components and security applications

Scenario: Regular updating Kaspersky databases and applications


This section provides a scenario for regular updating of Kaspersky databases, software modules, and applications.
After you complete the Configuring network protection scenario, you must maintain the reliability of the
protection system to make sure that the Administration Servers and managed devices are kept protected against
various threats, including viruses, network attacks, and phishing attacks.

Network protection is kept up-to-date by regular updates of the following:

Kaspersky databases and software modules

Installed Kaspersky applications, including Kaspersky Security Center components and security applications

When you complete this scenario, you can be sure of the following:

Your network is protected by the most recent Kaspersky software, including Kaspersky Security Center
components and security applications.

The anti-virus databases and other Kaspersky databases critical for the network safety are always up-to-date.

Prerequisites

The managed devices must have a connection to the Administration Server. If they do not have a connection,
consider updating Kaspersky databases, software modules, and applications manually or directly from the
Kaspersky update servers .

Administration Server must have a connection to the internet.

Before you start, make sure that you have done the following:

1. Deployed the Kaspersky security applications to the managed devices according to the scenario of deploying
Kaspersky applications through Kaspersky Security Center Web Console.

2. Created and configured all required policies, policy profiles, and tasks according to the scenario of configuring
network protection.

3. Assigned an appropriate amount of distribution points in accordance with the number of managed devices and
the network topology.

Updating Kaspersky databases and applications proceeds in stages:

1 Choosing an update scheme


There are several schemes that you can use to install updates to Kaspersky Security Center components and
security applications. Choose the scheme or several schemes that meet the requirements of your network best.

2 Creating the task for downloading updates to the repository of the Administration Server

This task is created automatically by the Kaspersky Security Center Quick Start Wizard. If you did not run the
Wizard, create the task now.

This task is required to download updates from Kaspersky update servers to the repository of the Administration
Server, as well as to update Kaspersky databases and software modules for Kaspersky Security Center. After
the updates are downloaded, they can be propagated to the managed devices.

If your network has assigned distribution points, the updates are automatically downloaded from the
Administration Server repository to the repositories of the distribution points. In this case the managed devices
included in the scope of a distribution point download the updates from the repository of the distribution point
instead of the Administration Server repository.

How-to instructions:

Administration Console: Creating the task for downloading updates to the repository of the Administration
Server

Kaspersky Security Center Web Console: Creating the task for downloading updates to the repository of the
Administration Server

3 Creating the task for downloading updates to the repositories of distribution points (optional)

By default, the updates are downloaded to the distribution points from the Administration server. You can
configure Kaspersky Security Center to download the updates to the distribution points directly from Kaspersky
update servers. Download to the repositories of distribution points is preferable if the traffic between the
Administration Server and the distribution points is more expensive than the traffic between the distribution
points and Kaspersky update servers, or if your Administration Server does not have internet access.

When your network has assigned distribution points and the Download updates to the repositories of
distribution points task is created, the distribution points download updates from Kaspersky update servers, and
not from the Administration Server repository.

How-to instructions:

Administration Console: Creating the task for downloading updates to the repositories of distribution points

Kaspersky Security Center Web Console: Creating the task for downloading updates to the repositories of
distribution points

4 Configuring distribution points

When your network has assigned distribution points, make sure that the Deploy updates option is enabled in the
properties of all required distribution points. When this option is disabled for a distribution point, the devices
included in the scope of the distribution point download updates from the repository of the Administration
Server.

If you want the managed devices to receive updates only from the distribution points, enable the Distribute files
through distribution points only option in the Network Agent policy.

5 Optimizing the update process by using the offline model of update download or diff files (optional)

You can optimize the update process by using the offline model of update download (enabled by default) or by
using diff files. For each network segment, you have to choose which of these two features to enable, because
they cannot work simultaneously.

When the offline model of update download is enabled, Network Agent downloads the required updates to the
managed device once the updates are downloaded to the Administration Server repository, before the security
application requests the updates. This enhances the reliability of the update process. To use this feature, enable
the Download updates and anti-virus databases from Administration Server in advance (recommended)
option in the Network Agent policy.

If you do not use the offline model of update download, you can optimize traffic between the Administration
Server and the managed devices by using diff files. When this feature is enabled, the Administration Server or a
distribution point downloads diff files instead of entire files of Kaspersky databases or software modules. A diff
file describes the differences between two versions of a file of a database or software module, so a diff file
occupies less space than the entire file. This reduces the traffic between the Administration Server or
distribution points and the managed devices. To use this feature, enable the Download diff files option in the
properties of the Download updates to the Administration Server repository task and/or the Download updates
to the repositories of distribution points task.
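The paragraph above explains what a diff file is and why it saves traffic. The following Python script is an added illustration, not code from the Kaspersky documentation or product, and the Kaspersky diff format itself is not described on this page: it builds a delta from an old to a new version of a constructed sample database, applies the delta on the receiving side, and refuses to proceed if the base version or the reconstructed result does not match the expected hash. The copy/insert op format, the hash fields and the sample records are this example's own assumptions.

```python
import difflib
import hashlib
import json

# Constructed sample "database" versions (not real Kaspersky data):
# the new version changes one signature and appends one record.
OLD_DB = b"\n".join(b"record-%04d:signature-%04d" % (i, i) for i in range(120))
NEW_DB = OLD_DB.replace(b"signature-0042", b"signature-9042") + b"\nrecord-0120:signature-0120"


def make_diff(old: bytes, new: bytes) -> bytes:
    """Build a diff file: copy/insert instructions plus the SHA-256 of the
    base the device must already hold and of the expected result."""
    ops = []
    sm = difflib.SequenceMatcher(None, old, new, autojunk=False)
    for tag, i1, i2, j1, j2 in sm.get_opcodes():
        if tag == "equal":
            ops.append(["copy", i1, i2 - i1])          # reuse bytes already on the device
        elif tag in ("replace", "insert"):
            ops.append(["insert", new[j1:j2].hex()])   # only the changed bytes travel
        # "delete": nothing to emit, those base bytes are simply not copied
    return json.dumps({
        "base_sha256": hashlib.sha256(old).hexdigest(),
        "result_sha256": hashlib.sha256(new).hexdigest(),
        "ops": ops,
    }).encode()


def apply_diff(base: bytes, diff: bytes) -> bytes:
    """Rebuild the new version from the base the device already holds.
    A diff is only valid against the exact base it was built from."""
    d = json.loads(diff)
    if hashlib.sha256(base).hexdigest() != d["base_sha256"]:
        raise ValueError("base version mismatch: a full download is required")
    out = bytearray()
    for op in d["ops"]:
        if op[0] == "copy":
            _, start, length = op
            out += base[start:start + length]
        else:
            out += bytes.fromhex(op[1])
    if hashlib.sha256(out).hexdigest() != d["result_sha256"]:
        raise ValueError("reconstructed file failed the integrity check")
    return bytes(out)


def savings(old: bytes, new: bytes) -> float:
    """Fraction of download traffic saved by shipping the diff instead of the full file."""
    return 1 - len(make_diff(old, new)) / len(new)
```

The two hash checks are the practical caveat behind "they cannot work simultaneously" and the base-version requirement: a device that holds a different base than the one the diff was built from cannot apply it and must fall back to the full file, and the result should always be verified before it is handed to the security application.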

How-to instructions:

Using diff files for updating Kaspersky databases and software modules

Administration Console: Enabling and disabling the offline model of update download

Kaspersky Security Center Web Console: Enabling and disabling the offline model of update download

6 Verifying downloaded updates (optional)

Before installing the downloaded updates, you can verify the updates through the Update verification task. This
task sequentially runs the device update tasks and virus scan tasks configured through settings for the specified
collection of test devices. Upon obtaining the task results, the Administration Server starts or blocks the update
propagation to the remaining devices.

The Update verification task can be performed as part of the Download updates to the repository of the
Administration Server task. In the properties of the Download updates to the repository of the Administration
Server task, enable the Verify updates before distributing option in the Administration Console or the Run
update verification option in Kaspersky Security Center Web Console.

How-to instructions:

Administration Console: Verifying downloaded updates

Kaspersky Security Center Web Console: Verifying downloaded updates

7 Approving and declining software updates

By default, the downloaded software updates have the Undefined status. You can change the status to
Approved or Declined. The approved updates are always installed. If an update requires reviewing and accepting
the terms of the End User License Agreement, then you first need to accept the terms. After that the update
can be propagated to the managed devices. The undefined updates can only be installed on Network Agent and
other Kaspersky Security Center components in accordance with the Network Agent policy settings. The
updates for which you set Declined status will not be installed on devices. If a declined update for a security
application was previously installed, Kaspersky Security Center will try to uninstall the update from all devices.
Updates for Kaspersky Security Center components cannot be uninstalled.

How-to instructions:

Administration Console: Approving and declining software updates

Kaspersky Security Center Web Console: Approving and declining software updates

8 Configuring automatic installation of updates and patches for Kaspersky Security Center components

The downloaded updates and patches for Network Agent and other Kaspersky Security Center components are
installed automatically. If you have left the Automatically install applicable updates and patches for
components that have the Undefined status option enabled in the Network Agent properties, then all updates
will be installed automatically after they are downloaded to the repository (or several repositories). If this option
is disabled, Kaspersky patches that have been downloaded and tagged with the Undefined status will be installed
only after you change their status to Approved.

How-to instructions:

Administration Console: Enabling and disabling automatic updating and patching for Kaspersky Security
Center components

Kaspersky Security Center Web Console: Enabling and disabling automatic updating and patching for
Kaspersky Security Center components

9 Installation of updates for the Administration Server

Software updates for the Administration Server do not depend on the update statuses. They are not installed
automatically and must be preliminarily approved by the administrator on the Monitoring tab in the
Administration Console (Administration Server <server name> → Monitoring) or on the NOTIFICATIONS
section in Kaspersky Security Center Web Console (MONITORING & REPORTING → NOTIFICATIONS). After
that, the administrator must explicitly run installation of the updates.

10 Configuring automatic installation of updates for the security applications

Create the Update tasks for the managed applications to provide timely updates to the applications, software
modules and Kaspersky databases, including anti-virus databases. To ensure timely updates, we recommend that
you select the When new updates are downloaded to the repository option when configuring the task
schedule.

If your network includes IPv6-only devices and you want to regularly update the security applications installed on
these devices, make sure that the Administration Server is version 13.2 or later and that Network Agent version
13.2 or later is installed on these managed devices.

By default, updates for Kaspersky Endpoint Security for Windows and Kaspersky Endpoint Security for Linux are
installed only after you change the update status to Approved. You can change the update settings in the
Update task.

If an update requires reviewing and accepting the terms of the End User License Agreement, then you first need
to accept the terms. After that the update can be propagated to the managed devices.

How-to instructions:

Administration Console: Automatic installation of Kaspersky Endpoint Security updates on devices

Kaspersky Security Center Web Console: Automatic installation of Kaspersky Endpoint Security updates on
devices

Results

Upon completion of the scenario, Kaspersky Security Center is configured to update Kaspersky databases and
installed Kaspersky applications after the updates are downloaded to the repository of the Administration Server
or to the repositories of distribution points. You can then proceed to monitoring the network status.

About updating Kaspersky databases, software modules, and applications


To be sure that the protection of your Administration Servers and managed devices is up-to-date, you must
provide timely updates of the following:

Kaspersky databases and software modules

Before downloading Kaspersky databases and software modules, Kaspersky Security Center checks if
Kaspersky servers are accessible. If access to the servers using system DNS is not possible, the application
uses public DNS. This is necessary to make sure anti-virus databases are updated and the level of security
is maintained for the managed devices. Note that this fallback only helps if your egress rules allow the
Administration Server to reach public DNS resolvers.

Installed Kaspersky applications, including Kaspersky Security Center components and security applications

Depending on the configuration of your network, you can use the following schemes of downloading and
distributing the required updates to the managed devices:

By using a single task: Download updates to the Administration Server repository

By using two tasks:

The Download updates to the Administration Server repository task

The Download updates to the repositories of distribution points task

Manually through a local folder, a shared folder, or an FTP server

Directly from Kaspersky update servers to Kaspersky Endpoint Security on the managed devices

Through a local or network folder if Administration Server has no internet connection

Using the Download updates to the Administration Server repository task

In this scheme, Kaspersky Security Center downloads updates through the Download updates to the
Administration Server repository task. In small networks that contain fewer than 300 managed devices in a single
network segment or fewer than 10 managed devices in each network segment, the updates are distributed to the
managed devices directly from the Administration Server repository (see figure below).

Updating by using the Download updates to the Administration Server repository task without distribution points

By default, the Administration Server communicates with Kaspersky update servers and downloads updates
by using the HTTPS protocol. You can configure the Administration Server to use the HTTP protocol instead
of HTTPS. Note that plain HTTP provides no transport encryption for the download.

If your network contains more than 300 managed devices in a single network segment or if your network consists
of several network segments with more than 9 managed devices in each network segment, we recommend that
you use distribution points to propagate the updates to the managed devices (see figure below). Distribution
points reduce the load on the Administration Server and optimize traffic between the Administration Server and
the managed devices. You can calculate the number and configuration of distribution points required for your
network.

In this scheme, the updates are automatically downloaded from the Administration Server repository to the
repositories of the distribution points. The managed devices included in the scope of a distribution point download
the updates from the repository of the distribution point instead of the Administration Server repository.

Updating by using the Download updates to the Administration Server repository task with distribution points

When the Download updates to the Administration Server repository task is complete, the following updates are
downloaded to the Administration Server repository:

Kaspersky databases and software modules for Kaspersky Security Center


These updates are installed automatically.

Kaspersky databases and software modules for the security applications on the managed devices
These updates are installed through the Update task for Kaspersky Endpoint Security for Windows.

Updates for the Administration Server


These updates are not installed automatically. The administrator must explicitly approve and run installation of
the updates.

Local administrator rights are required for installing patches on the Administration Server.

Updates for the components of Kaspersky Security Center


By default, these updates are installed automatically. You can change the settings in the Network Agent policy.

Updates for the security applications


By default, Kaspersky Endpoint Security for Windows installs only those updates that you approve. (You can
approve updates via the Administration Console or via Kaspersky Security Center Web Console). The updates
are installed through the Update task and can be configured in the properties of this task.

The Download updates to the repository of the Administration Server task is not available on virtual
Administration Servers. The repository of the virtual Administration Server displays updates downloaded to
the primary Administration Server.

You can configure the updates to be verified for operability and errors on a set of test devices. If the verification is
successful, the updates are distributed to other managed devices.

Each Kaspersky application requests required updates from Administration Server. Administration Server
aggregates these requests and downloads only those updates that are requested by any application. This ensures
that the same updates are not downloaded multiple times and that unnecessary updates are not downloaded at
all. When running the Download updates to the Administration Server repository task, Administration Server sends
the following information to Kaspersky update servers automatically in order to ensure the downloading of relevant
versions of Kaspersky databases and software modules:

Application ID and version

Application installation ID

Active key ID

Download updates to the repository of the Administration Server task run ID

None of the transmitted information contains personal or other confidential data. AO Kaspersky Lab protects
information in accordance with requirements established by law.

Using two tasks: the Download updates to the Administration Server repository task and the
Download updates to the repositories of distribution points task

You can download updates to the repositories of distribution points directly from the Kaspersky update servers
instead of the Administration Server repository, and then distribute the updates to the managed devices (see
figure below). Download to the repositories of distribution points is preferable if the traffic between the
Administration Server and the distribution points is more expensive than the traffic between the distribution
points and Kaspersky update servers, or if your Administration Server does not have internet access.

Updating by using the Download updates to the Administration Server repository task and the Download updates to the repositories of distribution
points task

By default, the Administration Server and distribution points communicate with Kaspersky update servers and
download updates by using the HTTPS protocol. You can configure the Administration Server and/or
distribution points to use the HTTP protocol instead of HTTPS.

To implement this scheme, create the Download updates to the repositories of distribution points task in addition
to the Download updates to the Administration Server repository task. After that the distribution points will
download updates from Kaspersky update servers, and not from the Administration Server repository.

Distribution point devices running macOS cannot download updates from Kaspersky update servers.

If one or more devices running macOS are within the scope of the Download updates to the repositories of
distribution points task, the task completes with the Failed status, even if it has successfully completed on all
Windows devices.

The Download updates to the Administration Server repository task is also required for this scheme, because this
task is used to download Kaspersky databases and software modules for Kaspersky Security Center.

Manually through a local folder, a shared folder, or an FTP server

If the client devices do not have a connection to the Administration Server, you can use a local folder or a shared
resource as a source for updating Kaspersky databases, software modules, and applications. In this scheme, you
need to copy required updates from the Administration Server repository to a removable drive, then copy the
updates to the local folder or the shared resource specified as an update source in the settings of Kaspersky
Endpoint Security (see figure below).

Updating through a local folder, a shared folder, or an FTP server

For more information about sources of updates in Kaspersky Endpoint Security, see the following Helps:

Kaspersky Endpoint Security for Windows Help

Kaspersky Endpoint Security for Linux Help

Directly from Kaspersky update servers to Kaspersky Endpoint Security on the managed
devices

On the managed devices, you can configure Kaspersky Endpoint Security to receive updates directly from
Kaspersky update servers (see figure below).

Updating security applications directly from Kaspersky update servers

In this scheme, the security application does not use the repositories provided by Kaspersky Security Center. To
receive updates directly from Kaspersky update servers, specify Kaspersky update servers as an update source in
the interface of the security application. For more information about these settings, see the following Helps:

Kaspersky Endpoint Security for Windows Help

Kaspersky Endpoint Security for Linux Help

Through a local or network folder if Administration Server has no internet connection

If Administration Server has no internet connection, you can configure the Download updates to the
Administration Server repository task to download updates from a local or network folder. In this case, you must
copy the required update files to the specified folder from time to time. For example, you can copy the required
update files from one of the following sources:

Administration Server that has an internet connection (see the figure below)
Because an Administration Server downloads only the updates that are requested by the security applications,
the sets of security applications managed by the Administration Servers—the one that has an internet
connection and the one that does not—must match.
If the Administration Server that you use to download updates has version 13.2 or earlier, open properties of the
Download updates to the Administration Server repository task, and then enable the Download updates by
using the old scheme option.

Updating through a local or network folder if Administration Server has no internet connection

Kaspersky Update Utility


Because this utility uses the old scheme to download updates, open properties of the Download updates to
the Administration Server repository task, and then enable the Download updates by using the old scheme
option.

Creating the Download updates to the Administration Server repository task

The Download updates to the Administration Server repository task of the Administration Server is created
automatically by the Kaspersky Security Center Quick Start Wizard. You can create only one Download updates to
the Administration Server repository task. Therefore, you can create a Download updates to the Administration
Server repository task only if this task was removed from the Administration Server tasks list.

This task is required to download updates from Kaspersky update servers to the repository of the Administration
Server. The list of updates includes:

Updates to databases and software modules for Administration Server

Updates to databases and software modules for Kaspersky security applications

Updates to Kaspersky Security Center components

Updates to Kaspersky security applications

After the updates are downloaded, they can be propagated to the managed devices.

Before distributing updates to the managed devices, you can run the Update verification task. This allows you
to make sure that Administration Server will install the downloaded updates properly and a security level will
not decrease because of the updates. To verify them before distributing, configure the Run update
verification option in the Download updates to the Administration Server repository task settings.

To create the Download updates to the Administration Server repository task:

1. In the main menu, go to DEVICES → TASKS.

2. Click Add.
The Add Task Wizard starts. Follow the steps of the Wizard.

3. For the Kaspersky Security Center application, select the Download updates to the Administration Server
repository task type.

4. Specify the name for the task that you are creating. A task name cannot be more than 100 characters long and
cannot include any special characters ("*<>?\:|).

5. If you want to modify the default task settings, enable the Open task details when creation is complete
option on the Finish task creation page. If you do not enable this option, the task is created with the default
settings. You can modify the default settings later, at any time.

6. Click the Create button.


The task is created and displayed in the list of tasks.

7. Click the name of the created task to open the task properties window.

8. In the task properties window, on the Application settings tab, specify the following settings:

Sources of updates

The following resources can be used as a source of updates for the Administration Server:

Kaspersky update servers


HTTP(S) servers at Kaspersky from which Kaspersky applications download database and
application module updates. By default, the Administration Server communicates with Kaspersky
update servers and downloads updates by using the HTTPS protocol. You can configure the
Administration Server to use the HTTP protocol instead of HTTPS.
Selected by default.

Primary Administration Server


This resource applies to tasks created for a secondary or virtual Administration Server.

Local or network folder


A local or network folder that contains the latest updates. A network folder can be an FTP or HTTP
server, or an SMB share. If a network folder requires authentication, only the SMB protocol is
supported. When selecting a local folder, you must specify a folder on the device that has
Administration Server installed.

An FTP or HTTP server or a network folder used as an update source must contain a folder
structure (with updates) that matches the structure created when using Kaspersky update
servers.

If you enable the Do not use proxy server option for the Kaspersky update servers or Local or network
folder sources of update, an Administration Server does not use a proxy server for downloading
updates.

In case a shared folder that contains updates is password-protected, enable the Specify account for
access to shared folder of the update source (if any) option and enter the account credentials
required for access.

Folder for storing updates

The path to the specified folder for storing saved updates. You can copy the specified folder path to a
clipboard. You cannot change the path to a specified folder for a group task.

Other settings:

Force update of secondary Administration Servers

If this option is enabled, the Administration Server starts the update tasks on the secondary
Administration Servers as soon as new updates are downloaded. Otherwise, the update tasks on the
secondary Administration Servers start according to their schedules.
By default, this option is disabled.

Copy downloaded updates to additional folders

After the Administration Server receives updates, it copies them to the speci ed folders. Use this
option if you want to manually manage the distribution of updates on your network.

For example, you may want to use this option in the following situation: the network of your
organization consists of several independent subnets, and devices from each of the subnets do not
have access to other subnets. However, devices in all of the subnets have access to a common
network share. In this case, you set the Administration Server in one of the subnets to download
updates from Kaspersky update servers, enable this option, and then specify this network share. In the
Download updates to the Administration Server repository tasks of the other Administration Servers,
specify the same network share as the update source.

By default, this option is disabled.

Do not force updating of devices and secondary Administration Servers unless copying is complete

The tasks of downloading updates to client devices and secondary Administration Servers start only
after those updates are copied from the main update folder to additional update folders.
This option must be enabled if client devices and secondary Administration Servers download
updates from additional network folders.
By default, this option is disabled.
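The two options above exist because a consumer that reads the additional folder while the copy is still in progress may pick up a half-copied set. The following Python script is an added example of how a copy to a shared folder can be made safe to consume, written to illustrate the same requirement; it is not Kaspersky's code and the product's own copy mechanism is not described on this page. It writes every file through a temporary name, publishes a manifest of SHA-256 hashes last, and gives the consumer a single check that succeeds only when the manifest exists and every listed file matches. The manifest file name, the ".part" suffix and the sample repository contents are this example's assumptions.

```python
import hashlib
import json
import os
import shutil
import tempfile

MANIFEST = "manifest.json"   # written last; its presence means "copy complete"


def _sha256(path: str) -> str:
    with open(path, "rb") as f:
        return hashlib.sha256(f.read()).hexdigest()


def publish_updates(repo_dir: str, share_dir: str) -> int:
    """Copy every file under repo_dir to share_dir, then publish a manifest.
    Each file lands under a temporary name and is moved into place; the manifest
    is written only after all files are in place, so a consumer that checks the
    manifest never starts on a partially copied set. Returns the file count."""
    os.makedirs(share_dir, exist_ok=True)
    manifest_path = os.path.join(share_dir, MANIFEST)
    if os.path.exists(manifest_path):
        os.remove(manifest_path)              # consumers now see the share as "in progress"
    manifest = {}
    for root, _, files in os.walk(repo_dir):
        for name in files:
            src = os.path.join(root, name)
            rel = os.path.relpath(src, repo_dir)
            dst = os.path.join(share_dir, rel)
            os.makedirs(os.path.dirname(dst), exist_ok=True)
            shutil.copyfile(src, dst + ".part")
            os.replace(dst + ".part", dst)    # atomic rename on the same volume
            manifest[rel.replace(os.sep, "/")] = _sha256(src)
    with open(manifest_path + ".part", "w") as f:
        json.dump(manifest, f)
    os.replace(manifest_path + ".part", manifest_path)
    return len(manifest)


def updates_ready(share_dir: str) -> bool:
    """Consumer-side gate: a manifest exists and every listed file matches its hash."""
    manifest_path = os.path.join(share_dir, MANIFEST)
    if not os.path.exists(manifest_path):
        return False
    with open(manifest_path) as f:
        manifest = json.load(f)
    for rel, digest in manifest.items():
        fp = os.path.join(share_dir, *rel.split("/"))
        if not os.path.exists(fp) or _sha256(fp) != digest:
            return False
    return True


def demo() -> tuple:
    """Constructed repository with two files. Returns (ready before publishing,
    files copied, ready after publishing, ready after one file is corrupted)."""
    repo, share = tempfile.mkdtemp(), tempfile.mkdtemp()
    try:
        os.makedirs(os.path.join(repo, "bases"))
        with open(os.path.join(repo, "bases", "db-1.dat"), "wb") as f:
            f.write(b"constructed database bytes")       # constructed sample content
        with open(os.path.join(repo, "index.xml"), "wb") as f:
            f.write(b"<index/>")                          # constructed sample content
        before = updates_ready(share)
        count = publish_updates(repo, share)
        after = updates_ready(share)
        with open(os.path.join(share, "index.xml"), "wb") as f:
            f.write(b"<index>truncated")                  # simulate a bad or partial copy
        tampered = updates_ready(share)
        return before, count, after, tampered
    finally:
        shutil.rmtree(repo)
        shutil.rmtree(share)
```

The per-file rename is atomic only within one volume, so the temporary name must live on the same share as the destination. Consumers should gate on the manifest, not on the presence of individual files; the product's Do not force updating of devices and secondary Administration Servers unless copying is complete option is the built-in equivalent of that gate.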

Content of updates:

Download diff files

This option enables downloading diff files instead of entire files of Kaspersky databases and software modules.


By default, this option is disabled.

Download updates by using the old scheme

Starting from version 14, Kaspersky Security Center downloads updates of databases and software
modules by using the new scheme. For the application to download updates by using the new scheme,
the update source must contain the update files with the metadata compatible with the new scheme. If
the update source contains the update files with the metadata compatible with the old scheme only,
enable the Download updates by using the old scheme option. Otherwise, the update download task
will fail.
For example, you must enable this option when a local or network folder is specified as an update
source and the update files in this folder were downloaded by one of the following applications:
Kaspersky Update Utility
This utility downloads updates by using the old scheme.

Kaspersky Security Center 13.2 or earlier version


For example, your Administration Server 1 does not have an internet connection. In this case, you
may download updates by using an Administration Server 2 that has an internet connection, and
then place the updates to a local or network folder to use it as an update source for the
Administration Server 1. If the Administration Server 2 has version 13.2 or earlier, enable the
Download updates by using the old scheme option in the task for the Administration Server 1.
By default, this option is disabled.

Run update veri cation

Administration Server downloads updates from the source, saves them to a temporary repository, and
runs the task defined in the Update verification task field. If the task completes successfully, the
updates are copied from the temporary repository to a shared folder on the Administration Server and
then distributed to all devices for which the Administration Server acts as the source of updates (tasks
with the When new updates are downloaded to the repository schedule type are started). The task of
downloading updates to the repository is finished only after completion of the Update verification task.

By default, this option is disabled.

9. In the task properties window, on the Schedule tab, create a schedule for task start. If necessary, specify the
following settings:

Scheduled start:

Select the schedule according to which the task runs, and con gure the selected schedule.

Manually

The task does not run automatically. You can only start it manually.
By default, this option is enabled.

Every N minutes

The task runs regularly, with the specified interval in minutes, starting from the specified time on the
day that the task is created.
By default, the task runs every 30 minutes, starting from the current system time.

Every N hours

The task runs regularly, with the specified interval in hours, starting from the specified date and time.
By default, the task runs every six hours, starting from the current system date and time.

Every N days

The task runs regularly, with the specified interval in days. Additionally, you can specify a date and
time of the first task run. These additional options become available if they are supported by the
application for which you create the task.
By default, the task runs every day, starting from the current system date and time.

Every N weeks

The task runs regularly, with the specified interval in weeks, on the specified day of week and at the
specified time.
By default, the task runs every Monday at the current system time.

Daily (daylight saving time is not supported)

The task runs regularly, with the specified interval in days. This schedule does not support
observance of daylight saving time (DST). This means that when clocks are moved one hour forward or
backward at the start or end of DST, the actual task start time does not shift with them.
We do not recommend that you use this schedule. It is kept for backward compatibility of
Kaspersky Security Center.
By default, the task starts every day at the current system time.

Weekly

The task runs every week on the specified day and at the specified time.

By days of week

The task runs regularly, on the specified days of week, at the specified time.
By default, the task runs every Friday at 6:00:00 PM.

Monthly

The task runs regularly, on the specified day of the month, at the specified time.
In months that lack the specified day, the task runs on the last day.
By default, the task runs on the first day of each month, at the current system time.

Every month on speci ed days of selected weeks

The task runs regularly, on the specified days of each month, at the specified time.
By default, no days of month are selected; the default start time is 6:00:00 PM.

On virus outbreak

The task runs after a Virus outbreak event occurs. Select application types that will monitor virus
outbreaks. The following application types are available:
Anti-virus for workstations and file servers

Anti-virus for perimeter defense

Anti-virus for mail systems


By default, all application types are selected.
You may want to run different tasks depending on the anti-virus application type that reports a virus
outbreak. In this case, remove the selection of the application types that you do not need.

On completing another task

The current task starts after another task completes. You can select how the previous task must
complete (successfully or with error) to trigger the start of the current task. For example, you may
want to run the Manage devices task with the Turn on the device option and, after it completes, run
the Virus scan task.

Run missed tasks

This option determines the behavior of a task if a client device is not visible on the network when the
task is about to start.
If this option is enabled, the system attempts to start the task the next time the Kaspersky application
is run on the client device. If the task schedule is Manually, Once or Immediately, the task is started
immediately after the device becomes visible on the network or immediately after the device is
included in the task scope.
If this option is disabled, only scheduled tasks run on client devices; for Manually, Once and
Immediately, tasks run only on those client devices that are visible on the network. For example, you
may want to disable this option for a resource-consuming task that you want to run only outside of
business hours.
By default, this option is enabled.

Use automatically randomized delay for task starts

If this option is enabled, the task is started on client devices randomly within a specified time interval,
that is, distributed task start. A distributed task start helps to avoid a large number of simultaneous
requests by client devices to the Administration Server when a scheduled task is running.
The distributed start time is calculated automatically when a task is created, depending on the number
of client devices to which the task is assigned. Later, the task is always started on the calculated start
time. However, when task settings are edited or the task is started manually, the calculated value of the
task start time changes.
If this option is disabled, the task starts on client devices according to the schedule.

Use randomized delay for task starts within an interval of (min)

If this option is enabled, the task is started on client devices randomly within the specified time interval.
A distributed task start helps to avoid a large number of simultaneous requests by client devices to the
Administration Server when a scheduled task is running.
If this option is disabled, the task starts on client devices according to the schedule.
By default, this option is disabled. The default time interval is one minute.
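The two randomized-delay options above spread a scheduled start over an interval so that not every device contacts the Administration Server in the same second. The following Python snippet is an added example, not product code, that quantifies the effect: it assigns each device in a constructed fleet a random offset inside the interval and reports the peak number of devices arriving in any one-minute bucket, with and without the delay. Fleet size, interval length and bucket width are assumptions for the illustration; the product computes the interval itself when the automatic option is used.

```python
import random
from collections import Counter
from typing import List


def start_offsets(devices: int, interval_minutes: int, seed: int = 1) -> List[int]:
    """Randomized start offset in seconds for each device within the interval.
    An interval of 0 means no randomization: every device starts at the scheduled time."""
    rng = random.Random(seed)            # seeded so the demonstration is reproducible
    window = interval_minutes * 60
    return [rng.randrange(window) if window > 0 else 0 for _ in range(devices)]


def peak_requests(offsets: List[int], bucket_seconds: int = 60) -> int:
    """Largest number of devices contacting the Administration Server in any one bucket."""
    return max(Counter(o // bucket_seconds for o in offsets).values())


def compare(devices: int = 2000, interval_minutes: int = 30) -> tuple:
    """Peak per-minute arrivals (without delay, with delay) for a constructed fleet."""
    without_delay = start_offsets(devices, 0)
    with_delay = start_offsets(devices, interval_minutes)
    return peak_requests(without_delay), peak_requests(with_delay)
```

With 2000 devices and a 30-minute window the peak drops from all 2000 devices in one minute to roughly the fleet size divided by the number of minutes, which is the load-smoothing the option is meant to provide. The cost, as the text notes, is that the task runs up to the whole interval later than the scheduled time, so the interval has to fit inside the maintenance window.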

Stop task if it has been running longer than (min)

After the specified time period expires, the task is stopped automatically, whether it is completed or
not.
Enable this option if you want to interrupt (or stop) tasks that take too long to execute.
By default, this option is disabled. The default task execution time is 120 minutes.

10. Click the Save button.

The task is created and configured.

When Administration Server performs the Download updates to the Administration Server repository task,
updates to databases and software modules are downloaded from the updates source and stored in the shared
folder of Administration Server. If you create this task for an administration group, it will only be applied to Network
Agents included in the specified administration group.

Updates are distributed to client devices and secondary Administration Servers from the shared folder of
Administration Server.

Viewing downloaded updates


When Administration Server performs the Download updates to the Administration Server repository task,
updates to databases and software modules are downloaded from the updates source and stored in the shared
folder of Administration Server. You can view the downloaded updates in the UPDATES FOR KASPERSKY
DATABASES AND SOFTWARE MODULES section.

To view the list of downloaded updates,

In the main menu, go to OPERATIONS → KASPERSKY APPLICATIONS → UPDATES FOR KASPERSKY DATABASES AND SOFTWARE MODULES.

A list of available updates appears.

Verifying downloaded updates


Before installing updates to the managed devices, you can first check the updates for operability and errors
through the Update verification task. The Update verification task is performed automatically as part of the
Download updates to the Administration Server repository task. The Administration Server downloads updates
from the source, saves them in the temporary repository, and runs the Update verification task. If the task
completes successfully, the updates are copied from the temporary repository to the Administration Server
shared folder. They are distributed to all client devices for which the Administration Server is the source of
updates.

If, as a result of the Update verification task, updates located in the temporary repository are incorrect or if the
Update verification task completes with an error, such updates are not copied to the shared folder. The
Administration Server retains the previous set of updates. Also, the tasks that have the When new updates are
downloaded to the repository schedule type are not started then. These operations are performed at the next
start of the Download updates to the Administration Server repository task if scanning of the new updates
completes successfully.

A set of updates is considered invalid if any of the following conditions is met on at least one test device:

An update task error occurred.

The real-time protection status of the security application changed after the updates were applied.

An infected object was detected during running of the on-demand scan task.

A runtime error of a Kaspersky application occurred.

If none of the listed conditions is true for any test device, the set of updates is considered valid, and the Update
verification task is considered to have completed successfully.
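The validity rule and the promotion from the temporary repository to the shared folder, modelled as an added example. This is Python written for this page, not Kaspersky code: `TestDeviceResult`, `Repository` and `run_download_task` are hypothetical names that follow the text above and are not an Administration Server API. It shows that a single failing condition on a single test device is enough to reject the whole set, that the previously distributed set is retained in that case, and that the tasks scheduled "When new updates are downloaded to the repository" are started only after a valid set is promoted.

```python
"""Added example: the Update verification gate described above (not Kaspersky code).

TestDeviceResult, Repository and run_download_task are hypothetical names that
model the text; they are not an Administration Server API.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple


@dataclass
class TestDeviceResult:
    """Outcome of the update and virus scan tasks on one test device."""
    name: str
    update_task_error: bool = False      # an update task error occurred
    rtp_status_changed: bool = False     # real-time protection status changed after update
    infected_object_found: bool = False  # on-demand scan detected an infected object
    app_runtime_error: bool = False      # a Kaspersky application runtime error occurred

    def failure_reasons(self) -> List[str]:
        """Every condition that, on its own, invalidates the update set."""
        checks = [
            (self.update_task_error, "update task error"),
            (self.rtp_status_changed, "real-time protection status changed"),
            (self.infected_object_found, "infected object detected by on-demand scan"),
            (self.app_runtime_error, "application runtime error"),
        ]
        return [reason for hit, reason in checks if hit]


@dataclass
class Repository:
    """Administration Server storage: the temporary repository and the shared folder."""
    shared_folder: Optional[str] = None   # update set currently distributed to clients
    temporary: Optional[str] = None       # update set most recently downloaded for verification
    started_tasks: List[str] = field(default_factory=list)


def verify_update_set(results: List[TestDeviceResult]) -> Tuple[bool, Dict[str, List[str]]]:
    """Valid only if no listed condition is met on any test device."""
    failures = {r.name: r.failure_reasons() for r in results if r.failure_reasons()}
    return (not failures), failures


def run_download_task(repo: Repository, new_set: str,
                      results: List[TestDeviceResult],
                      on_new_updates_tasks: List[str]) -> Tuple[bool, Dict[str, List[str]]]:
    """One run of the download task with Run update verification enabled.

    Returns (valid, failures). On success the set is promoted to the shared folder and
    the 'When new updates are downloaded to the repository' tasks are started; on failure
    the previous shared-folder set is retained and none of those tasks is started.
    """
    repo.temporary = new_set
    valid, failures = verify_update_set(results)
    if valid:
        repo.shared_folder = new_set
        repo.started_tasks = list(on_new_updates_tasks)
    else:
        repo.started_tasks = []
    return valid, failures


if __name__ == "__main__":
    # Constructed sample: one clean test device, one where the scan found an infection.
    repo = Repository(shared_folder="updates-set-A")
    devices = [TestDeviceResult("test-ws-01"),
               TestDeviceResult("test-srv-01", infected_object_found=True)]
    print(run_download_task(repo, "updates-set-B", devices, ["KES update group task"]))
    print(repo)
```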

Before you start to create the Update veri cation task, perform the prerequisites:

1. Create an administration group with several test devices. You will need this group to verify the updates.

We recommend using devices with the most reliable protection and the most popular application configuration
across the network. This approach increases the quality and probability of virus detection during scans, and
minimizes the risk of false positives. If viruses are detected on test devices, the Update verification task is
considered unsuccessful.

2. Create the update and virus scan tasks for an application supported by Kaspersky Security Center, for
example, Kaspersky Endpoint Security for Windows or Kaspersky Security for Windows Server. When creating
the update and virus scan tasks, specify the administration group with the test devices.
The Update verification task sequentially runs the update and virus scan tasks on test devices to check that all
updates are valid. In addition, when creating the Update verification task, you need to specify the update and
virus scan tasks.

3. Create the Download updates to the Administration Server repository task.

To make Kaspersky Security Center verify downloaded updates before distributing them to client devices:

1. In the main menu, go to DEVICES → TASKS.

2. Click the Download updates to the Administration Server repository task.

3. In the task properties window that opens, go to the Application settings tab, and then enable the Run update
verification option.

4. If the Update verification task exists, click the Select task button. In the window that opens, select the Update
verification task in the administration group with test devices.

5. If you did not create the Update verification task earlier, do the following:

a. Click the New task button.

b. In the New task wizard that opens, specify the task name if you want to change the preset name.

c. Select the administration group with test devices, which you created earlier.

d. First, select the update task of a required application supported by Kaspersky Security Center, and then
select the virus scan task.
After that, the following options appear. We recommend leaving them enabled:

Restart the device after database update

After anti-virus databases are updated on a device, we recommend rebooting the device.
By default, the option is enabled.

Check real-time protection status after database update and device restart

If this option is enabled, the Update verification task checks whether updates downloaded to the
Administration Server repository are valid, and if the protection level decreased after the anti-virus
database update and device restart.
By default, this option is enabled.

e. Specify an account from which the Update verification task will be run. You can use your account and leave
the Default account option enabled. Alternatively, you can specify that the task should be run under
another account that has the necessary access rights. To do this, select the Specify account option, and
then enter the credentials of that account.

6. Click Save to close the properties window of the Download updates to the Administration Server repository
task.

The automatic update verification is enabled. Now, you can run the Download updates to the Administration Server
repository task, and it will start from update verification.

Creating the task for downloading updates to the repositories of distribution points

The Download updates to the repositories of distribution points task works only on distribution point
devices running Windows. Distribution point devices running Linux or macOS cannot download updates from
Kaspersky update servers. If at least one device running Linux or macOS is within the task scope, the task will
have the Failed status. Even if the task is completed successfully on all Windows devices, it will return an error
on the remaining devices.

You can create the Download updates to the repositories of distribution points task for an administration group.
This task will run for distribution points included in the specified administration group.

You can use this task, for example, if traffic between the Administration Server and the distribution point(s) is more
expensive than traffic between the distribution point(s) and Kaspersky update servers, or if your Administration
Server does not have internet access.

This task is required to download updates from Kaspersky update servers to the repositories of distribution points.
The list of updates includes:

Updates to databases and software modules for Kaspersky security applications

Updates to Kaspersky Security Center components

Updates to Kaspersky security applications

After the updates are downloaded, they can be propagated to the managed devices.

To create the Download updates to the repositories of distribution points task, for a selected administration
group:

1. In the main menu, go to DEVICES → TASKS.

2. Click the Add button.


The Add Task Wizard starts. Follow the steps of the Wizard.

3. For the Kaspersky Security Center application, in the Task type field select Download updates to the
repositories of distribution points.

4. Specify the name for the task that you are creating. A task name cannot be more than 100 characters long and
cannot include any special characters ("*<>?\:|).

5. Select an option button to specify the administration group, the device selection, or the devices to which the
task applies.

6. At the Finish task creation step, if you want to modify the default task settings, enable the Open task details
when creation is complete option. If you do not enable this option, the task is created with the default
settings. You can modify the default settings later, at any time.

7. Click the Create button.


The task is created and displayed in the list of tasks.

8. Click the name of the created task to open the task properties window.

9. On the Application settings tab of the task properties window, specify the following settings:

Sources of updates

The following resources can be used as a source of updates for the distribution point:

Kaspersky update servers


HTTP(S) servers at Kaspersky from which Kaspersky applications download database and
application module updates.
This option is selected by default.

Primary Administration Server


This resource applies to tasks created for a secondary or virtual Administration Server.

Local or network folder


A local or network folder that contains the latest updates. A network folder can be an FTP or HTTP
server, or an SMB share. If a network folder requires authentication, only the SMB protocol is
supported. When selecting a local folder, you must specify a folder on the device that has
Administration Server installed.

An FTP or HTTP server or a network folder used by an update source must contain a folders
structure (with updates) that matches the structure created when using Kaspersky update
servers.

If you enable the Do not use proxy server option for the Kaspersky update servers or Local or network
folder sources of update, a distribution point does not use a proxy server for downloading updates,
even if you enabled the option Use proxy server of the Network Agent policy settings for the
distribution point.

Folder for storing updates

The path to the specified folder for storing saved updates. You can copy the specified folder path to a
clipboard. You cannot change the path to a specified folder for a group task.

Download diff files

This option enables the downloading of diff files.


By default, this option is disabled.

Download updates by using the old scheme

Starting from version 14, Kaspersky Security Center downloads updates of databases and software
modules by using the new scheme. For the application to download updates by using the new scheme,
the update source must contain the update files with the metadata compatible with the new scheme. If
the update source contains the update files with the metadata compatible with the old scheme only,
enable the Download updates by using the old scheme option. Otherwise, the update download task
will fail.
For example, you must enable this option when a local or network folder is specified as an update
source and the update files in this folder were downloaded by one of the following applications:

Kaspersky Update Utility

This utility downloads updates by using the old scheme.

Kaspersky Security Center 13.2 or earlier version

For example, a distribution point is configured to take the updates from a local or network folder.
In this case, you may download updates by using an Administration Server that has an internet
connection, and then place the updates to the local folder on the distribution point. If the
Administration Server has version 13.2 or earlier, enable the Download updates by using the old
scheme option in the Download updates to the repositories of distribution points task.
By default, this option is disabled.

10. Create a schedule for task start. If necessary, specify the following settings:

Scheduled start

Select the schedule according to which the task runs, and configure the selected schedule.

Manually

The task does not run automatically. You can only start it manually.
By default, this option is enabled.

Every N minutes

The task runs regularly, with the specified interval in minutes, starting from the specified time on the
day that the task is created.
By default, the task runs every 30 minutes, starting from the current system time.

Every N hours

The task runs regularly, with the specified interval in hours, starting from the specified date and time.
By default, the task runs every six hours, starting from the current system date and time.

Every N days

The task runs regularly, with the specified interval in days. Additionally, you can specify a date and
time of the first task run. These additional options become available, if they are supported by the
application for which you create the task.
By default, the task runs every day, starting from the current system date and time.

Every N weeks

The task runs regularly, with the specified interval in weeks, on the specified day of week and at the
specified time.
By default, the task runs every Monday at the current system time.

Daily (daylight saving time is not supported)

The task runs regularly, with the speci ed interval in days. This schedule does not support
observance of daylight saving time (DST). It means that when clocks jump one hour forward or
backward at the beginning or ending of DST, the actual task start time does not change.
We do not recommend that you use this schedule. It is needed for backward compatibility of
Kaspersky Security Center.
By default, the task starts every day at the current system time.

Weekly

The task runs every week on the specified day and at the specified time.

By days of week

The task runs regularly, on the specified days of week, at the specified time.
By default, the task runs every Friday at 6:00:00 PM.

Monthly

The task runs regularly, on the specified day of the month, at the specified time.
In months that lack the specified day, the task runs on the last day.
By default, the task runs on the first day of each month, at the current system time.

Every month on specified days of selected weeks

The task runs regularly, on the specified days of each month, at the specified time.
By default, no days of month are selected; the default start time is 6:00:00 PM.

On virus outbreak

The task runs after a Virus outbreak event occurs. Select application types that will monitor virus
outbreaks. The following application types are available:
Anti-virus for workstations and file servers

Anti-virus for perimeter defense

Anti-virus for mail systems


By default, all application types are selected.
You may want to run different tasks depending on the anti-virus application type that reports a virus
outbreak. In this case, remove the selection of the application types that you do not need.

On completing another task

The current task starts after another task completes. You can select how the previous task must
complete (successfully or with error) to trigger the start of the current task. For example, you may
want to run the Manage devices task with the Turn on the device option and, after it completes, run
the Virus scan task.

Run missed tasks

This option determines the behavior of a task if a client device is not visible on the network when the
task is about to start.
If this option is enabled, the system attempts to start the task the next time the Kaspersky application
is run on the client device. If the task schedule is Manually, Once or Immediately, the task is started
immediately after the device becomes visible on the network or immediately after the device is
included in the task scope.
If this option is disabled, only scheduled tasks run on client devices; for Manually, Once and
Immediately, tasks run only on those client devices that are visible on the network. For example, you
may want to disable this option for a resource-consuming task that you want to run only outside of
business hours.
By default, this option is enabled.

Use automatically randomized delay for task starts

If this option is enabled, the task is started on client devices randomly within a specified time interval,
that is, distributed task start. A distributed task start helps to avoid a large number of simultaneous
requests by client devices to the Administration Server when a scheduled task is running.
The distributed start time is calculated automatically when a task is created, depending on the number
of client devices to which the task is assigned. Later, the task is always started on the calculated start
time. However, when task settings are edited or the task is started manually, the calculated value of the
task start time changes.
If this option is disabled, the task starts on client devices according to the schedule.

Use randomized delay for task starts within an interval of (min)

If this option is enabled, the task is started on client devices randomly within the specified time interval.
A distributed task start helps to avoid a large number of simultaneous requests by client devices to the
Administration Server when a scheduled task is running.
If this option is disabled, the task starts on client devices according to the schedule.
By default, this option is disabled. The default time interval is one minute.
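Several of the schedule types above have edge cases worth seeing computed: an "Every N minutes" interval counted from the start time, the Monthly rule that falls back to the last day in a short month, weekday selection, and the randomized delay within an interval. The block below is an added example written for this page, not Kaspersky code; the function names are hypothetical and the rules are taken only from the option descriptions above (naive local times, no time zone handling).

```python
"""Added example: next-run computation for schedule types described above (not Kaspersky code).

Function names are hypothetical; the rules follow the option descriptions only.
"""
import calendar
import random
from datetime import date, datetime, time, timedelta
from typing import Dict, Set


def next_every_n_minutes(start: datetime, n: int, now: datetime) -> datetime:
    """'Every N minutes': runs at start, start+N, start+2N, ...; first run at or after `now`."""
    if n <= 0:
        raise ValueError("interval must be positive")
    if now <= start:
        return start
    steps = (now - start) // timedelta(minutes=n)
    candidate = start + steps * timedelta(minutes=n)
    return candidate if candidate >= now else candidate + timedelta(minutes=n)


def monthly_run(year: int, month: int, day: int, at: time) -> datetime:
    """'Monthly': in months that lack the specified day, run on the last day."""
    last_day = calendar.monthrange(year, month)[1]
    return datetime.combine(date(year, month, min(day, last_day)), at)


def next_monthly(day: int, at: time, now: datetime) -> datetime:
    """First Monthly run at or after `now` (this month if still ahead, otherwise next month)."""
    candidate = monthly_run(now.year, now.month, day, at)
    if candidate < now:
        year, month = (now.year + 1, 1) if now.month == 12 else (now.year, now.month + 1)
        candidate = monthly_run(year, month, day, at)
    return candidate


def next_by_days_of_week(days: Set[int], at: time, now: datetime) -> datetime:
    """'By days of week': Monday=0 ... Sunday=6, as in datetime.weekday()."""
    for offset in range(8):  # eight days: every weekday, plus today again if its time has passed
        run_date = now.date() + timedelta(days=offset)
        candidate = datetime.combine(run_date, at)
        if run_date.weekday() in days and candidate >= now:
            return candidate
    raise ValueError("no days of week selected")


def randomized_start(scheduled: datetime, interval_min: int, rng: random.Random) -> datetime:
    """'Use randomized delay ... within an interval of (min)': delay drawn from [0, interval]."""
    return scheduled + timedelta(seconds=rng.uniform(0, interval_min * 60))


def examples() -> Dict[str, str]:
    """Constructed dates that exercise the edge cases; results returned as ISO strings."""
    rng = random.Random(7)  # fixed seed only so the jitter is reproducible in this demo
    sched = datetime(2024, 1, 5, 18, 0)
    jittered = randomized_start(sched, 1, rng)
    return {
        "every_30_min": next_every_n_minutes(datetime(2024, 1, 1, 9, 0), 30,
                                             datetime(2024, 1, 1, 10, 10)).isoformat(),
        "monthly_31_in_feb_2024": next_monthly(31, time(18, 0),
                                               datetime(2024, 2, 10)).isoformat(),
        "monthly_31_after_feb_2023": next_monthly(31, time(18, 0),
                                                  datetime(2023, 2, 28, 19, 0)).isoformat(),
        "friday_from_monday": next_by_days_of_week({4}, time(18, 0),
                                                   datetime(2024, 1, 1, 12, 0)).isoformat(),
        "jitter_within_one_minute": str(timedelta(0) <= jittered - sched <= timedelta(minutes=1)),
    }


if __name__ == "__main__":
    for name, value in examples().items():
        print(f"{name}: {value}")
```

The "Daily (daylight saving time is not supported)" type is deliberately left out: naive datetimes as used here reproduce exactly its behaviour (the wall-clock time never shifts), which is why the text recommends against it.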

11. Click the Save button.

The task is created and configured.

In addition to the settings that you specify during task creation, you can change other properties of a created
task.

When the Download updates to the repositories of distribution points task is performed, updates for databases
and software modules are downloaded from the update source and stored in the shared folder. Downloaded
updates will only be used by distribution points that are included in the speci ed administration group and that
have no update download task explicitly set for them.

Enabling and disabling automatic updating and patching for Kaspersky Security Center components

Updates and patches for the Administration Server can be installed only manually, after obtaining explicit
approval from the administrator.

Automatic installation of updates and patches for Kaspersky Security Center components is enabled by default
during Network Agent installation on the device. You can disable it during Network Agent installation, or disable it
later by using a policy.

To disable automatic updating and patching for Kaspersky Security Center components during local installation of
Network Agent on a device:

1. Start local installation of Network Agent on the device.

2. At the Advanced settings step, clear the Automatically install applicable updates and patches for
components that have Undefined status check box.

3. Follow the instructions of the Wizard.

Network Agent with disabled automatic updating and patching for Kaspersky Security Center components will
be installed on the device. You can enable automatic updating and patching later by using a policy.

To disable automatic updating and patching for Kaspersky Security Center components during Network Agent
installation on the device through an installation package:

1. In the main menu, go to OPERATIONS → REPOSITORIES → INSTALLATION PACKAGES.

2. Click the Kaspersky Security Center Network Agent <version number> package.

3. In the properties window, open the Settings tab.

4. Turn off the Automatically install applicable updates and patches for components that have the Undefined
status toggle button.

Network Agent with disabled automatic updating and patching for Kaspersky Security Center components will
be installed from this package. You can enable automatic updating and patching later by using a policy.

If this check box was selected (or cleared) during Network Agent installation on the device, you can subsequently
enable (or disable) automatic updating by using the Network Agent policy.

To enable or disable automatic updating and patching for Kaspersky Security Center components by using the
Network Agent policy:

1. In the main menu, go to DEVICES → POLICIES & PROFILES.

2. Click the Network Agent policy.

3. In the policy properties window, open the Application settings tab.

4. In the Manage patches and updates section, turn on or off the Automatically install applicable updates and
patches for components that have the Undefined status toggle button to enable or disable, respectively,
automatic updating and patching.

5. Set the lock for this toggle button.

The policy will be applied to the selected devices, and automatic updating and patching for Kaspersky Security
Center components will be enabled (or disabled) on these devices.

Automatic installation of updates for Kaspersky Endpoint Security for Windows

You can configure automatic updates of databases and software modules of Kaspersky Endpoint Security for
Windows on client devices.

To configure download and automatic installation of updates of Kaspersky Endpoint Security for Windows on
devices:

1. In the main menu, go to DEVICES → TASKS.

2. Click the Add button.


The Add Task Wizard starts. Follow the steps of the Wizard.

3. For the Kaspersky Endpoint Security for Windows application, select Update as the task subtype.

4. Specify the name for the task that you are creating. A task name cannot be more than 100 characters long and
cannot include any special characters ("*<>?\:|).

5. Choose the task scope.

6. Specify the administration group, the device selection, or the devices to which the task applies.

7. At the Finish task creation step, if you want to modify the default task settings, enable the Open task details
when creation is complete option. If you do not enable this option, the task is created with the default
settings. You can modify the default settings later, at any time.

8. Click the Create button.


The task is created and displayed in the list of tasks.

9. Click the name of the created task to open the task properties window.

10. On the Application settings tab of the task properties window, define the update task settings in local or
mobile mode:

Local mode: Connection is established between the device and the Administration Server.

Mobile mode: No connection is established between Kaspersky Security Center and the device (for
example, when the device is not connected to the internet).

11. Enable the update sources that you want to use to update databases and application modules for Kaspersky
Endpoint Security for Windows. If required, change positions of the sources in the list by using the Move up and
Move down buttons. If several update sources are enabled, Kaspersky Endpoint Security for Windows tries to
connect to them one after another, starting from the top of the list, and performs the update task by retrieving
the update package from the first available source.

12. Enable the Install approved application module updates option to download and install software module
updates together with the application databases.
If the option is enabled, Kaspersky Endpoint Security for Windows notifies the user about available software
module updates and includes software module updates in the update package when running the update task.
Kaspersky Endpoint Security for Windows installs only those updates for which you have set the Approved
status; they will be installed locally through the application interface or through Kaspersky Security Center.
You can also enable the Automatically install critical application module updates option. If any updates are
available for software modules, Kaspersky Endpoint Security for Windows automatically installs those that have
Critical status; the remaining updates will be installed after you approve them.
If updating the software module requires reviewing and accepting the terms of the License Agreement and
Privacy Policy, the application installs updates after the terms of the License Agreement and Privacy Policy
have been accepted by the user.

13. Select the Copy updates to folder check box in order for the application to save downloaded updates to a
folder, and then specify the folder path.

14. Schedule the task. To ensure timely updates, we recommend that you select the When new updates are
downloaded to the repository option.

15. Click Save.

When the Update task is running, the application sends requests to Kaspersky update servers.

Some updates require installation of the latest versions of management plug-ins.

Approving and declining software updates


The settings of an update installation task may require approval of updates that are to be installed. You can
approve updates that must be installed and decline updates that must not be installed.

For example, you may want to first check the installation of updates in a test environment and make sure that they
do not interfere with the operation of devices, and only then allow the installation of these updates on client
devices.

To approve or decline one or several updates:

1. In the main menu, go to OPERATIONS → KASPERSKY APPLICATIONS, and in the drop-down list select
SEAMLESS UPDATES.
A list of available updates appears.

Updates of managed applications may require a specific minimum version of Kaspersky Security Center to
be installed. If this version is later than your current version, these updates are displayed but cannot be
approved. Also, no installation packages can be created from such updates until you upgrade Kaspersky
Security Center. You are prompted to upgrade your Kaspersky Security Center instance to the required
minimum version.

2. Select the updates that you want to approve or decline.

3. Click Approve to approve the selected updates or Decline to decline the selected updates.
The default value is Undefined.

The updates to which you assign Approved status are placed in a queue for installation.

The updates to which you assign Declined status are uninstalled (if possible) from all devices on which they were
previously installed. Also, they will not be installed on other devices in future.

Some updates for Kaspersky applications cannot be uninstalled. If you set Declined status for them,
Kaspersky Security Center will not uninstall these updates from the devices on which they were previously
installed. However, these updates will never be installed on other devices in future.

If you set Declined status for third-party software updates, these updates will not be installed on devices for
which they were planned but have not yet been installed. Updates will remain on devices on which they were
already installed. If you have to delete the updates, you can manually delete them locally.

Updating Administration Server


You can install Administration Server updates by using Update Administration Server Wizard.

To install an Administration Server update:

1. In the main menu, go to OPERATIONS → KASPERSKY APPLICATIONS → SEAMLESS UPDATES.

2. Run the Update Administration Server Wizard in one of the following ways:

Click the name of an Administration Server update in the list of updates, and in the window that opens, click
the Run Update Administration Server Wizard link.

Click the Run Update Administration Server Wizard link in the notification field at the top of the window.

3. In the Update Administration Server Wizard window, select one of the following to specify when to install an
update:

Install now. Select this option if you want to install the update now.

Postpone installation. Select this option if you want to install the update later. In this case, a notification
about this update will be displayed.

Ignore update. Select this option if you do not want to install an update and do not want to receive
notifications about this update.

4. Select the Create backup copy of Administration Server before update installation option if you want to
create a backup of Administration Server before installing the update.

5. Click the OK button to finish the Wizard.

If the backup process is interrupted, the update installation process is also interrupted.

Enabling and disabling the offline model of update download

We recommend that you avoid disabling the offline model of update download. Disabling it may cause failures
in update delivery to devices. In certain cases, a Kaspersky Technical Support specialist may recommend that
you disable the Download updates and anti-virus databases from Administration Server in advance option.
Then, you will have to make sure that the task for receiving updates for Kaspersky applications has been set
up.

To enable or disable the offline model of update download for an administration group:

1. In the main menu, go to DEVICES → POLICIES & PROFILES.

2. Click Groups.

3. In the administration group structure, select the administration group for which you need to enable the offline
model of update download.

4. Click the Network Agent policy.


The properties window of the Network Agent policy opens.

By default, settings of child policies are inherited from parent policies and cannot be modified. If the policy
that you want to modify is inherited, you first need to create a new policy for Network Agent in the
required administration group. In the newly created policy, you can modify the settings that are not locked
in the parent policy.

5. In the Application settings tab, select the Manage patches and updates section.

6. Enable or disable the Download updates and anti-virus databases from Administration Server in advance
(recommended) option to enable or disable, respectively, the offline model of update download.
By default, the offline model of update download is enabled.

The offline model of update download will be enabled or disabled.

Updating Kaspersky databases and software modules on offline devices


Updating Kaspersky databases and software modules on managed devices is an important task for maintaining
protection of the devices against viruses and other threats. Administrators usually configure regular updates
through usage of the Administration Server repository or repositories of distribution points.

When you need to update databases and software modules on a device (or a group of devices) that is not
connected to the Administration Server (primary or secondary), a distribution point or the internet, you have to
use alternative sources of updates, such as an FTP server or a local folder. In this case you have to deliver the files
of the required updates by using a mass storage device, such as a flash drive or an external hard drive.

You can copy the required updates from:

The Administration Server.


To be sure the Administration Server repository contains the updates required for the security application
installed on an offline device, at least one of the managed online devices must have the same security
application installed. This application must be configured to receive the updates from the Administration Server
repository through the Download updates to the Administration Server repository task.

Any device that has the same security application installed and configured to receive the updates from the
Administration Server repository, a distribution point repository, or directly from the Kaspersky update servers.

Below is an example of configuring updates of databases and software modules by copying them from the
Administration Server repository.

To update Kaspersky databases and software modules on offline devices:

1. Connect the removable drive to the device where the Administration Server is installed.

2. Copy the update files to the removable drive.


By default, the updates are located at: \\<server name>\KLSHARE\Updates.
Alternatively, you can configure Kaspersky Security Center to regularly copy the updates to the folder that you
select. For this purpose, use the Copy downloaded updates to additional folders option in the properties of
the Download updates to the Administration Server repository task. If you specify a folder located on a flash
drive or an external hard drive as a destination folder for this option, this mass storage device will always contain
the latest version of the updates.

3. On offline devices, configure the security application (for example, Kaspersky Endpoint Security for Windows)
to receive updates from a local folder or a shared resource, such as an FTP server or a shared folder.

4. Copy the update files from the removable drive to the local folder or the shared resource that you want to use
as an update source.

5. On the offline device that requires update installation, start the update task of Kaspersky Endpoint Security for
Windows.

After the update task is complete, the Kaspersky databases and software modules are up-to-date on the
device.
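Steps 2 and 4 of the procedure above move the update files through removable media, which adds two places (the drive and the offline share) where a copy can end up incomplete or altered before the security application reads it. The block below is an added example, not Kaspersky code and not part of the procedure: it mirrors an updates folder (the text names \\<server name>\KLSHARE\Updates as the default source; any path can be passed) onto a destination and writes a SHA-256 manifest next to the copy, so the copy can be checked again after the drive has been carried to the offline share. The manifest file name `updates.sha256.json` and the `demo()` sample tree are constructed for this example.

```python
"""Added example: mirror an updates folder to removable media and verify the copy (not Kaspersky code).

The manifest name and the sample tree built by demo() are constructed for this example.
"""
import hashlib
import json
import shutil
import tempfile
from pathlib import Path
from typing import Dict, List

MANIFEST_NAME = "updates.sha256.json"  # constructed name, not a Kaspersky file


def sha256_of(path: Path) -> str:
    """Stream the file so large update archives do not have to fit in memory."""
    digest = hashlib.sha256()
    with path.open("rb") as handle:
        for chunk in iter(lambda: handle.read(1 << 20), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_manifest(root: Path) -> Dict[str, str]:
    """Relative POSIX path -> SHA-256 for every file under root, excluding the manifest itself."""
    root = Path(root)
    return {p.relative_to(root).as_posix(): sha256_of(p)
            for p in sorted(root.rglob("*"))
            if p.is_file() and p.name != MANIFEST_NAME}


def mirror_updates(src: Path, dst: Path) -> Dict[str, str]:
    """Copy every file under src to dst (preserving the folder structure) and record its hash."""
    src, dst = Path(src), Path(dst)
    manifest = build_manifest(src)
    for rel in manifest:
        target = dst / rel
        target.parent.mkdir(parents=True, exist_ok=True)
        shutil.copy2(src / rel, target)
    dst.mkdir(parents=True, exist_ok=True)
    (dst / MANIFEST_NAME).write_text(json.dumps(manifest, indent=2))
    return manifest


def verify_copy(dst: Path) -> List[str]:
    """Return the relative paths that are missing, changed or unexpected compared with the manifest."""
    dst = Path(dst)
    expected = json.loads((dst / MANIFEST_NAME).read_text())
    actual = build_manifest(dst)
    problems = [rel for rel, digest in expected.items() if actual.get(rel) != digest]
    problems += [rel for rel in actual if rel not in expected]  # files that were not in the source
    return sorted(problems)


def demo() -> Dict[str, List[str]]:
    """Constructed end-to-end run on a temporary tree standing in for KLSHARE\\Updates and a USB drive."""
    with tempfile.TemporaryDirectory() as tmp:
        src = Path(tmp, "KLSHARE_Updates")   # stands in for \\<server name>\KLSHARE\Updates
        media = Path(tmp, "usb")             # removable drive (step 2)
        share = Path(tmp, "offline_share")   # local folder or share on the offline side (step 4)
        (src / "bases").mkdir(parents=True)
        (src / "bases" / "sample.bin").write_bytes(b"constructed sample update data")
        (src / "index.xml").write_bytes(b"<index/>")
        mirror_updates(src, media)
        clean = verify_copy(media)           # expected: no problems
        mirror_updates(media, share)
        (share / "index.xml").write_bytes(b"<index>altered</index>")  # simulate a damaged copy
        damaged = verify_copy(share)         # expected: ["index.xml"]
        return {"clean": clean, "damaged": damaged}


if __name__ == "__main__":
    print(demo())
```

Run `verify_copy` on the offline share after step 4, before starting the update task in step 5; a non-empty result means the files there are not the ones that left the Administration Server.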

Backing up and restoring web plug-ins


Kaspersky Security Center Web Console allows you to back up the current state of a web plug-in to be able to
restore the saved state later. For example, you can back up a web plug-in before updating it to a newer version.
After the update, if the newer version does not meet your requirements or expectations, you can restore the
previous version of the web plug-in from the backup.

To back up web plug-ins:

1. In the main menu, go to Console settings → Web plug-ins.


The Console settings window opens.

2. On the Web plug-ins tab, select the web plug-ins that you want to back up, and then click the Create backup
copy button.

The selected web plug-ins are backed up. You can view the created backups on the Backups tab.

To restore a web plug-in from a backup:

1. In the main menu, go to Console settings → Backups.


The Console settings window opens.

2. On the Backups tab, select the backup of the web plug-in that you want to restore, and then click the Restore
from backup button.

The web plug-in is restored from the selected backup.

Adjustment of distribution points and connection gateways


A structure of administration groups in Kaspersky Security Center performs the following functions:

Sets the scope of policies


There is an alternate way of applying relevant settings on devices, by using policy profiles. In this case, you set
the scope of policies with tags, device locations in Active Directory organizational units, or membership in
Active Directory security groups.

Sets the scope of group tasks


There is an approach to defining the scope of group tasks that is not based on a hierarchy of administration
groups: use of tasks for device selections and tasks for speci c devices.

Sets access rights to devices, virtual Administration Servers, and secondary Administration Servers

Assigns distribution points

When building the structure of administration groups, you must take into account the topology of the
organization's network for the optimum assignment of distribution points. The optimum distribution of distribution
points allows you to save traffic on the organization's network.

Depending on the organizational schema and network topology, the following standard configurations can be
applied to the structure of administration groups:

Single office

Multiple small remote offices

Devices functioning as distribution points must be protected, including physical protection, against any
unauthorized access.

Standard configuration of distribution points: Single office


In a standard "single-office" configuration, all devices are on the organization's network so they can "see" each
other. The organization's network may consist of a few separate parts (networks or network segments) linked by
narrow channels.

The following methods of building the structure of administration groups are possible:

Building the structure of administration groups taking into account the network topology. The structure of
administration groups may not reflect the network topology with absolute precision. A match between the
separate parts of the network and certain administration groups would be enough. You can use automatic
assignment of distribution points or assign them manually.

Building the structure of administration groups, without taking the network topology into account. In this case,
you must disable automatic assignment of distribution points, and then assign one or several devices to act as
distribution points for a root administration group in each of the separate parts of the network, for example, for
the Managed devices group. All distribution points will be at the same level and will feature the same scope
spanning all devices on the organization's network. In this case, each Network Agent will connect to the
distribution point that has the shortest route. The route to a distribution point can be traced with the tracert
utility.

Standard configuration of distribution points: Multiple small remote offices


This standard configuration provides for a number of small remote offices, which may communicate with the head
office over the internet. Each remote office is located behind NAT, that is, connection from one remote office
to another is not possible because offices are isolated from one another.

The configuration must be reflected in the structure of administration groups: a separate administration group
must be created for each remote office (groups Office 1 and Office 2 in the figure below).

Remote offices are included in the administration group structure

One or multiple distribution points must be assigned to each administration group that corresponds to an office.
Distribution points must be devices at the remote office that have a sufficient amount of free disk space. Devices
deployed in the Office 1 group, for example, will access distribution points assigned to the Office 1 administration
group.

If some users move between offices physically, with their laptops, you must select two or more devices (in addition
to the existing distribution points) in each remote office and assign them to act as distribution points for a top-
level administration group (Root group for offices in the figure above).

Example: A laptop is deployed in the Office 1 administration group and then is moved physically to the office that
corresponds to the Office 2 administration group. After the laptop is moved, Network Agent attempts to access
the distribution points assigned to the Office 1 group, but those distribution points are unavailable. Then, Network
Agent starts attempting to access the distribution points that have been assigned to the Root group for offices.
Because remote offices are isolated from one another, attempts to access distribution points assigned to the
Root group for offices administration group will only be successful when Network Agent attempts to access
distribution points in the Office 2 group. That is, the laptop will remain in the administration group that corresponds
to the initial office, but the laptop will use the distribution point of the office where it is physically located at the
moment.

About assigning distribution points


You can assign a managed device as a distribution point manually or automatically.

If you assign a managed device as a distribution point manually, you can select any device in your network.

If you assign distribution points automatically, Kaspersky Security Center can select only the managed devices that
meet the following conditions:

The device has at least 50 GB of free disk space.

The managed device is connected with Kaspersky Security Center directly (not through the gateway).

The managed device is not a laptop.

If your network does not have devices that meet the specified conditions, Kaspersky Security Center will
not assign any device as a distribution point automatically.
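An added PowerShell pre-check (not part of Kaspersky Security Center) that evaluates a candidate device against the three conditions listed above before you rely on automatic assignment. The page does not say how Kaspersky Security Center itself classifies a laptop, so this script approximates "laptop" by the SMBIOS chassis type, and it takes the "connected through a gateway" condition from a caller-supplied switch because only the Administration Server knows that; the remote host name is hypothetical.

```powershell
# Added example, not Kaspersky's own logic. "Laptop" detection via chassis type and the
# interpretation of "50 GB free" as the largest free volume are assumptions of this script.
function Test-DistributionPointCandidate {
    param(
        [string]$ComputerName = $env:COMPUTERNAME,
        [switch]$ThroughGateway,   # set when the device reaches the Administration Server via a connection gateway
        [int]$MinFreeGB = 50       # threshold named in the page
    )
    # Query locally unless a different computer was named
    $cim = @{}
    if ($ComputerName -ne $env:COMPUTERNAME) { $cim.ComputerName = $ComputerName }

    # SMBIOS System Enclosure chassis types for portable form factors:
    # 8 Portable, 9 Laptop, 10 Notebook, 14 Sub Notebook, 30 Tablet, 31 Convertible, 32 Detachable
    $portableChassis = 8, 9, 10, 14, 30, 31, 32
    $enclosure = Get-CimInstance -ClassName Win32_SystemEnclosure @cim
    $isLaptop  = [bool]($enclosure.ChassisTypes | Where-Object { $portableChassis -contains $_ })

    # Largest free space on any local fixed disk (DriveType 3)
    $disks     = Get-CimInstance -ClassName Win32_LogicalDisk -Filter 'DriveType = 3' @cim
    $maxFreeGB = [math]::Round((($disks | Measure-Object -Property FreeSpace -Maximum).Maximum / 1GB), 1)

    $reasons = @()
    if ($maxFreeGB -lt $MinFreeGB) { $reasons += "free disk space $maxFreeGB GB is below $MinFreeGB GB" }
    if ($ThroughGateway)           { $reasons += 'device connects through a connection gateway' }
    if ($isLaptop)                 { $reasons += 'chassis type indicates a laptop' }

    [pscustomobject]@{
        ComputerName = $ComputerName
        MaxFreeGB    = $maxFreeGB
        IsLaptop     = $isLaptop
        Eligible     = ($reasons.Count -eq 0)
        Reasons      = ($reasons -join '; ')
    }
}

# Evaluate the local device, then a hypothetical branch workstation that sits behind a gateway
Test-DistributionPointCandidate
Test-DistributionPointCandidate -ComputerName 'ws-branch-07' -ThroughGateway
```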

Assigning distribution points automatically


We recommend that you assign distribution points automatically. In this case, Kaspersky Security Center will select
on its own which devices must be assigned distribution points.

To assign distribution points automatically:

1. In the main menu, click the settings icon ( ) next to the name of the required Administration Server.
The Administration Server properties window opens.

2. On the General tab, select the Distribution points section.

3. Select the Automatically assign distribution points option.


If automatic assignment of devices as distribution points is enabled, you cannot configure distribution
points manually or edit the list of distribution points.

4. Click the Save button.

Administration Server assigns and configures distribution points automatically.

Assigning distribution points manually


Kaspersky Security Center allows you to manually assign devices to act as distribution points.

We recommend that you assign distribution points automatically. In this case, Kaspersky Security Center will select
on its own which devices must be assigned distribution points. However, if you have to opt out of assigning
distribution points automatically for any reason (for example, if you want to use exclusively assigned servers), you
can assign distribution points manually after you calculate their number and configuration.

Devices functioning as distribution points must be protected, including physical protection, against any
unauthorized access.

To manually assign a device to act as distribution point:

1. In the main menu, click the settings icon ( ) next to the name of the required Administration Server.
The Administration Server properties window opens.

2. On the General tab, select the Distribution points section.

3. Select the Manually assign distribution points option.

4. Click the Assign button.

5. Select the device that you want to make a distribution point.


When selecting a device, keep in mind the operation features of distribution points and the requirements set
for the device that acts as distribution point.

6. Select the administration group that you want to include in the scope of the selected distribution point.

7. Click the OK button.


The distribution point that you have added will be displayed in the list of distribution points, in the Distribution
points section.

8. Click the newly added distribution point in the list to open its properties window.

9. Configure the distribution point in the properties window:

The General section contains the setting of interaction between the distribution point and client devices:

SSL port

The number of the SSL port for encrypted connection between client devices and the distribution
point using SSL.
By default, port 13000 is used.

Use multicast

If this option is enabled, IP multicasting will be used for automatic distribution of installation
packages to client devices within the group.
IP multicasting decreases the time required to install an application from an installation package to a
group of client devices, but increases the installation time when you install an application to a single
client device.

IP multicast address

IP address that will be used for multicasting. You can define an IP address in the range of 224.0.0.0 –
239.255.255.255.
By default, Kaspersky Security Center automatically assigns a unique IP multicast address within the
given range.

IP multicast port number

Number of the port for IP multicasting.


By default, the port number is 15001. If the device with Administration Server installed is specified as
the distribution point, port 13001 is used for SSL connection by default.

Gateway address for remote devices

The IPv4 address through which remote devices connect to the distribution point.

Deploy updates

Updates are distributed to managed devices from the following sources:


This distribution point, if this option is enabled.

Other distribution points, Administration Server, or Kaspersky update servers, if this option is
disabled.
If you use distribution points to deploy updates, you can save traffic because you reduce the
number of downloads. Also, you can relieve the load on the Administration Server and relocate the
load between the distribution points. You can calculate the number of distribution points for your
network to optimize the traffic and load.
If you disable this option, the number of update downloads and load on the Administration Server
may increase. By default, this option is enabled.

Deploy installation packages

Installation packages are distributed to managed devices from the following sources:
This distribution point, if this option is enabled.

Other distribution points, Administration Server, or Kaspersky update servers, if this option is
disabled.
If you use distribution points to deploy installation packages, you can save traffic because you
reduce the number of downloads. Also, you can relieve the load on the Administration Server and
relocate the load between the distribution points. You can calculate the number of distribution
points for your network to optimize the traffic and load.
If you disable this option, the number of installation package downloads and load on the
Administration Server may increase. By default, this option is enabled.

Run push server

In Kaspersky Security Center, a distribution point can work as a push server for the devices
managed through the mobile protocol and for the devices managed by Network Agent. For example,
a push server must be enabled if you want to be able to force synchronization of KasperskyOS
devices with Administration Server. A push server has the same scope of managed devices as the
distribution point on which the push server is enabled. If you have several distribution points
assigned for the same administration group, you can enable push server on each of the distribution
points. In this case, Administration Server balances the load between the distribution points.

Push server port

The port number for the push server. You can specify the number of any unoccupied port.

In the Scope section, specify the scope to which the distribution point will distribute updates
(administration groups and / or network location).

Only devices running a Windows operating system can determine their network location. Network
location cannot be determined for devices running other operating systems.

If the distribution point works on a machine other than Administration Server, in the Source of updates
section, you can select a source of updates for the distribution point:

Source of updates

Select a source of updates for the distribution point:


To allow the distribution point to receive updates from the Administration Server, select
Retrieve from Administration Server.

To allow the distribution point to receive updates by using a task, select Use update download
task, and then specify a Download updates to the repositories of distribution points task:

If such a task already exists on the device, select the task in the list.

If no such task yet exists on the device, click the Create task link to create a task. The Add
Task Wizard starts. Follow the instructions of the Wizard.

Download diff files

This option enables the downloading diff files feature.

By default, this option is enabled.

In the Internet connection settings subsection, you can specify the internet access settings:

Use proxy server

If this check box is selected, in the entry fields you can configure the proxy server connection.
By default, this check box is cleared.

Proxy server address

Address of the proxy server.

Port number

Port number that is used for connection.

Bypass proxy server for local addresses

If this option is enabled, no proxy server is used to connect to devices on the local network.
By default, this option is disabled.

Proxy server authentication

If this check box is selected, in the entry fields you can specify the credentials for proxy server
authentication.
By default, this check box is cleared.

User name

User account under which connection to the proxy server is established.

Password

Password of the account under which the task will be run.

In the KSN Proxy section, you can con gure the application to use the distribution point to forward KSN
requests from the managed devices:

Enable KSN Proxy on distribution point side

The KSN proxy service is run on the device that is used as a distribution point. Use this feature to
redistribute and optimize traffic on the network.
The distribution point sends the KSN statistics, which are listed in the Kaspersky Security Network
statement, to Kaspersky. By default, the KSN statement is located in %ProgramFiles%\Kaspersky
Lab\Kaspersky Security Center\ksneula.
By default, this option is disabled. Enabling this option takes effect only if the Use Administration
Server as a proxy server and I agree to use Kaspersky Security Network options are enabled in
the Administration Server properties window.
You can assign a node of an active-passive cluster to a distribution point and enable KSN proxy
server on this node.

Forward KSN requests to Administration Server

The distribution point forwards KSN requests from the managed devices to the Administration
Server.
By default, this option is enabled.

Access KSN Cloud/Private KSN directly over the internet

The distribution point forwards KSN requests from managed devices to the KSN Cloud or Private
KSN. The KSN requests generated on the distribution point itself are also sent directly to the KSN
Cloud or Private KSN.
The distribution points that have Network Agent version 11 (or earlier) installed cannot access
Private KSN directly. If you want to reconfigure the distribution points to send KSN requests to
Private KSN, enable the Forward KSN requests to Administration Server option for each
distribution point.
The distribution points that have Network Agent version 12 (or later) installed can access Private
KSN directly.

Ignore proxy server settings when connecting to Private KSN

Enable this option if you have the proxy server settings configured in the distribution point
properties or in the Network Agent policy, but your network architecture requires that you use
Private KSN directly. Otherwise, requests from the managed applications cannot reach Private KSN.
This option is available if you select the Access KSN Cloud/Private KSN directly over the internet
option.

Port

The number of the TCP port that the managed devices will use to connect to KSN proxy server. The
default port number is 13111.

Use UDP port

If you need the managed devices to connect to KSN proxy server through a UDP port, enable the
Use UDP port option and specify a UDP port number. By default, this option is enabled.

UDP port
The number of the UDP port that the managed devices will use to connect to KSN proxy server. The
default UDP port to connect to the KSN proxy server is 15111.

If the distribution point works on a machine other than Administration Server, in the Connection gateway
section, you can configure the distribution point to act as a gateway for connection between Network
Agent instances and Administration Server:

Connection gateway

If a direct connection between Administration Server and Network Agents cannot be established
due to organization of your network, you can use the distribution point to act as the connection
gateway between Administration Server and Network Agents.
Enable this option if you need the distribution point to act as a connection gateway between
Network Agents and Administration Server. By default, this option is disabled.

Establish connection to gateway from Administration Server (if gateway is in DMZ)

If Administration Server is located outside the demilitarized zone (DMZ), on local area network,
Network Agents installed on remote devices cannot connect to Administration Server. You can use
a distribution point as the connection gateway with reverse connectivity (Administration Server
establishes a connection to distribution point).
Enable this option if you need to connect Administration Server to the connection gateway in DMZ.

Open local port for Kaspersky Security Center 14 Web Console

Enable this option if you need the connection gateway in DMZ to open a port for Web Console that
is in DMZ or on the internet. Specify the port number that will be used for the connection from Web
Console to the distribution point. The default port number is 13299.
This option is available if you enable the Establish connection to gateway from Administration
Server (if gateway is in DMZ) option.

Open port for mobile devices (SSL authentication of the Administration Server only)

Enable this option if you need the connection gateway to open a port for mobile devices and
specify the port number that mobile devices will use for connection to distribution point. The
default port number is 13292. When establishing the connection, only Administration Server is
authenticated.

Open port for mobile devices (two-way SSL authentication)

Enable this option if you need connection gateway to open a port that will be used for two-way
authentication of Administration Server and mobile devices. Specify the following parameters:
Port number that mobile devices will use for connection to the distribution point. The default
port number is 13293.

DNS domain names of the connection gateway that will be used by mobile devices. Separate
domain names with commas. The specified domain names will be included in the distribution
point certificate. If the domain names used by mobile devices do not match the common name
in the distribution point certificate, mobile devices do not connect to the distribution point.
The default DNS domain name is the FQDN name of the connection gateway.

Configure the polling of Windows domains, Active Directory, and IP ranges by the distribution point:

Windows domains

You can enable device discovery for Windows domains and set the schedule for the discovery.

Active Directory

You can enable network polling for Active Directory and set the schedule for the poll.
If you select the Enable Active Directory polling check box, you can select one of the following
options:
Poll current Active Directory domain.

Poll Active Directory domain forest.

Poll selected Active Directory domains only. If you select this option, add one or more Active
Directory domains to the list.

IP ranges

You can enable device discovery for IPv4 ranges and IPv6 networks.
If you enable the Enable range polling option, you can add scanned ranges and set the schedule for
them. You can add IP ranges to the list of scanned ranges.
If you enable the Use Zeroconf to poll IPv6 networks option, the distribution point automatically
polls the IPv6 network by using zero-configuration networking (also referred to as Zeroconf). In this
case, the specified IP ranges are ignored because the distribution point polls the whole network. The
Use Zeroconf to poll IPv6 networks option is available if the distribution point runs Linux. To use
Zeroconf IPv6 polling, you must install the avahi-browse utility on the distribution point.

In the Advanced section, specify the folder that the distribution point must use to store distributed data:

Use default folder

If you select this option, the application uses the Network Agent installation folder on the
distribution point.

Use specified folder

If you select this option, in the field below, you can specify the path to the folder. It can be a local
folder on the distribution point, or it can be a folder on any device on the corporate network.
The user account used on the distribution point to run Network Agent must have read/write access
to the specified folder.

10. Click the OK button.

The selected devices act as distribution points.
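The procedure above names the default ports a distribution point or connection gateway listens on (13000 for Network Agent SSL, 13111/15111 for KSN proxy, 15001 for multicast, 13299, 13292 and 13293 for the gateway roles). As an added example (not Kaspersky's own tooling), the PowerShell function below probes the TCP ports from a client and flags both enabled roles that are unreachable and ports that are open although the role was not enabled, which is the check you want when a distribution point sits in a DMZ. The host name and the list of enabled roles are placeholders; the push server port has no default, so it is passed explicitly.

```powershell
# Added example, not part of Kaspersky Security Center. Host names and enabled roles are placeholders.
function Test-DistributionPointPorts {
    param(
        [Parameter(Mandatory)][string]$DistributionPoint,
        # Roles you actually enabled in the distribution point properties
        [string[]]$EnabledRoles = @('Agent SSL', 'KSN proxy (TCP)'),
        # 13000 by default; 13001 when the Administration Server device itself is the distribution point
        [int]$AgentSslPort = 13000,
        # The push server has no default port; pass the one you chose to have it probed
        [int]$PushServerPort = 0
    )
    # Default port numbers named in the distribution point properties
    $roles = @(
        [pscustomobject]@{ Role = 'Agent SSL';                   Port = $AgentSslPort; Proto = 'TCP' }
        [pscustomobject]@{ Role = 'KSN proxy (TCP)';             Port = 13111;         Proto = 'TCP' }
        [pscustomobject]@{ Role = 'KSN proxy (UDP)';             Port = 15111;         Proto = 'UDP' }
        [pscustomobject]@{ Role = 'IP multicast';                Port = 15001;         Proto = 'UDP' }
        [pscustomobject]@{ Role = 'Web Console via DMZ gateway'; Port = 13299;         Proto = 'TCP' }
        [pscustomobject]@{ Role = 'Mobile (server auth only)';   Port = 13292;         Proto = 'TCP' }
        [pscustomobject]@{ Role = 'Mobile (two-way SSL)';        Port = 13293;         Proto = 'TCP' }
    )
    if ($PushServerPort -gt 0) {
        $roles += [pscustomobject]@{ Role = 'Push server'; Port = $PushServerPort; Proto = 'TCP' }
    }

    foreach ($r in $roles) {
        $expected = $EnabledRoles -contains $r.Role
        if ($r.Proto -eq 'TCP') {
            # -InformationLevel Quiet returns a plain boolean for the TCP handshake
            $open  = Test-NetConnection -ComputerName $DistributionPoint -Port $r.Port -InformationLevel Quiet -WarningAction SilentlyContinue
            $state = if ($open) { 'open' } else { 'closed' }
        } else {
            $state = 'not probed'   # a UDP probe cannot tell "open" from "filtered", so leave it to firewall review
        }
        $verdict = switch ($state) {
            'open'   { if ($expected) { 'OK' } else { 'UNEXPECTED: port reachable but role not enabled' } }
            'closed' { if ($expected) { 'PROBLEM: role enabled but port unreachable' } else { 'OK' } }
            default  { 'check firewall rules manually' }
        }
        [pscustomobject]@{
            Host = $DistributionPoint; Role = $r.Role; Port = $r.Port; Proto = $r.Proto
            Expected = $expected; State = $state; Verdict = $verdict
        }
    }
}

# Hypothetical distribution point that should expose only the Network Agent SSL port and the KSN proxy
Test-DistributionPointPorts -DistributionPoint 'dp01.example.local' -EnabledRoles 'Agent SSL', 'KSN proxy (TCP)' |
    Format-Table -AutoSize
```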

Modifying the list of distribution points for an administration group


You can view the list of distribution points assigned to a specific administration group and modify the list by adding
or removing distribution points.

To view and modify the list of distribution points assigned to an administration group:

1. In the main menu, go to DEVICES → MANAGED DEVICES.

2. In the Current path field above the list of managed devices, click the path link.

3. In the left-side pane that opens, select an administration group for which you want to view the assigned
distribution points.
This enables the DISTRIBUTION POINTS menu item.

4. In the main menu, go to DEVICES → DISTRIBUTION POINTS.

5. To add new distribution points for the administration group, click the Assign button above the list of managed
devices and select devices from the pane that opens.

6. To remove the assigned distribution points, select devices from the list and click the Unassign button.

Depending on your modifications, the new distribution points are added to the list or existing distribution points
are removed from the list.

Forced synchronization
Although Kaspersky Security Center automatically synchronizes the status, settings, tasks, and policies for
managed devices, in some cases you might want to run the synchronization for a specified device forcibly. You can
run forced synchronization for the following devices:

Devices that have Network Agent installed

Devices running KasperskyOS


Before running forced synchronization for a KasperskyOS device, ensure that the device is included in a
distribution point scope and that a push server is enabled on the distribution point.

iOS devices

Android devices
Before running forced synchronization for an Android device, you must configure Google Firebase Cloud
Messaging.

Synchronizing a single device

To force synchronization between the Administration Server and a managed device:

1. In the main menu, go to DEVICES → MANAGED DEVICES.

2. Click the name of the device that you want to synchronize with the Administration Server.
A property window opens with the General section selected.

3. Click the Force synchronization button.

The application synchronizes the selected device with the Administration Server.

Synchronizing multiple devices

To force synchronization between the Administration Server and multiple managed devices:

1. Open the device list of an administration group or a device selection:

In the main menu, go to DEVICES → MANAGED DEVICES, click the path link in the Current path field
above the list of managed devices, then select the administration group that contains devices to
synchronize.

Run a device selection to view the device list.

2. Select the check boxes next to the devices that you want to synchronize with the Administration Server.

3. Above the list of managed devices, click the ellipsis button ( ), and then click the Force synchronization
button.
The application synchronizes the selected devices with the Administration Server.

4. In the device list, check that the time of last connection to the Administration Server has changed, for the
selected devices, to the current time. If the time has not changed, update the page content by clicking the
Refresh button.

The selected devices are synchronized with the Administration Server.

Viewing the time of a policy delivery

After changing a policy for a Kaspersky application on the Administration Server, the administrator can check
whether the changed policy has been delivered to a speci c managed device. A policy can be delivered during a
regular synchronization or a forced synchronization.

To view the date and time that an application policy was delivered to a managed device:

1. In the main menu, go to DEVICES → MANAGED DEVICES.

2. Click the name of the device that you want to synchronize with the Administration Server.
A property window opens with the General section selected.

3. Select the Applications tab.

4. Select the application for which you want to view the policy synchronization date.
The application policy window opens with the General section selected and the policy delivery date and time
displayed.

Enabling a push server


In Kaspersky Security Center, a distribution point can work as a push server for the devices managed through the
mobile protocol and for the devices managed by Network Agent. For example, a push server must be enabled if
you want to be able to force synchronization of KasperskyOS devices with Administration Server. A push server
has the same scope of managed devices as the distribution point on which the push server is enabled. If you have
several distribution points assigned for the same administration group, you can enable push server on each of the
distribution points. In this case, Administration Server balances the load between the distribution points.
You might want to use distribution points as push servers to make sure that there is continuous connectivity
between a managed device and the Administration Server. Continuous connectivity is needed for some
operations, such as running and stopping local tasks, receiving statistics for a managed application, or creating a
tunnel. If you use a distribution point as a push server, you do not have to use the Do not disconnect from the
Administration Server option on managed devices or send packets to the UDP port of the Network Agent.

A push server supports the load of up to 50,000 simultaneous connections.

To enable push server on a distribution point:

1. Click the settings icon ( ) next to the name of the required Administration Server.
The Administration Server properties window opens.

2. On the General tab, select the Distribution points section.

3. Click the name of the distribution point on which you want to enable the push server.
The distribution point properties window opens.

4. On the General section, enable the Run push server option.

5. In the Push server port field, type the port number. You can specify the number of any unoccupied port.

6. In the Address for remote hosts field, specify the IP address or the name of the distribution point device.

7. Click the OK button.

The push server is enabled on the selected distribution point.

Managing third-party applications on client devices


This section describes the features of Kaspersky Security Center that are related to the management of third-
party applications installed on client devices.
About third-party applications
Kaspersky Security Center can help you to update third-party software installed on client devices, and fix the
vulnerabilities of the third-party software. Kaspersky Security Center can update third-party software from the
current version to the latest version only. The following list represents the third-party software that you can
update with Kaspersky Security Center:

The list of third-party software can be updated and extended with new applications. You can check whether
you can update the third-party software (installed on users' devices) with Kaspersky Security Center by
viewing the list of available updates in the Kaspersky Security Center Web Console.

7-Zip Developers: 7-Zip

Adobe Systems:

Adobe Acrobat DC

Adobe Acrobat Reader DC

Adobe Acrobat

Adobe Reader

Adobe Shockwave Player

AIMPDevTeam: AIMP

ALTAP: Altap Salamander

Apache Software Foundation: Apache Tomcat

Apple:

Apple iTunes

Apple QuickTime

Armory Technologies, Inc.: Armory

Cerulean Studios: Trillian Basic

Ciphrex Corporation: mSIGNA

Cisco: Cisco Jabber

Code Sector: TeraCopy

Codec Guide:

K-Lite Codec Pack Basic

K-Lite Codec Pack Full


K-Lite Codec Pack Mega

K-Lite Codec Pack Standard

DbVis Software AB: DbVisualizer

Decho Corp.:

Mozy Enterprise

Mozy Home

Mozy Pro

Dominik Reichl: KeePass Password Safe

Don HO: Notepad++

DoubleGIS: 2GIS

Dropbox, Inc.: Dropbox

EaseUs: EaseUS Todo Backup Free

Electrum Technologies GmbH: Electrum

Enter Srl: Iperius Backup

Eric Lawrence: Fiddler

EverNote: EverNote

Exodus Movement Inc: Exodus

EZB Systems: UltraISO

Famatech:

Radmin

Remote Administrator

Far Manager: FAR Manager

FastStone Soft: FastStone Image Viewer

FileZilla Project: FileZilla

Firebird Developers: Firebird

Foxit Corporation:

Foxit Reader

Foxit Reader Enterprise

Free Download Manager.ORG: Free Download Manager

GIMP project: GIMP

GlavSoft LLC.: TightVNC

GNU Project: Gpg4win

Google:

Google Earth

Google Chrome

Google Chrome Enterprise

Google Earth Pro

Inkscape Project: Inkscape

IrfanView: IrfanView

iterate GmbH: Cyberduck

Logitech: SetPoint

LogMeIn, Inc.:

LogMeIn

Hamachi

LogMeIn Rescue Technician Console

Martin Prikryl: WinSCP

Mozilla Foundation:

Mozilla Firefox

Mozilla Firefox ESR

Mozilla SeaMonkey

Mozilla Thunderbird

New Cloud Technologies Ltd: MyOffice Standard. Home Edition

OpenOffice.org: OpenOffice

Open Whisper Systems: Signal

Opera Software: Opera

Oracle Corporation:

Oracle Java JRE

Oracle VirtualBox

PDF44: PDF24 MSI/EXE

Piriform:

CCleaner

Defraggler

Recuva

Speccy

Postgresql: PostgreSQL

RealNetworks: RealPlayer Cloud

RealVNC:

RealVNC Server

RealVNC Viewer

Right Hemisphere Inc.: SAP Visual Enterprise Viewer (Complete/Minimum)

Simon Tatham: PuTTY

Skype Technologies: Skype for Windows

Sober Lemur S.a.s.:

PDFsam Basic

PDFsam Visual

Softland: FBackup

Splashtop Inc.: Splashtop Streamer

Stefan Haglund, Fredrik Haglund, Florian Schmitz: CDBurnerXP

Sublime HQ Pty Ltd: Sublime Text

TeamViewer GmbH:

TeamViewer Host

TeamViewer

Telegram Messenger LLP: Telegram Desktop

The Document Foundation:

LibreOffice

LibreOffice HelpPack

The Git Development Community:

Git for Windows

Git LFS

The Pidgin developer community: Pidgin

TortoiseSVN Developers: TortoiseSVN

VideoLAN: VLC media player

VMware:

VMware Player

VMware Workstation

WinRAR Developers: WinRAR

WinZip: WinZip

Wireshark Foundation: Wireshark

Wrike: Wrike

Zimbra: Zimbra Desktop

Installing third-party software updates


This section describes the features of Kaspersky Security Center that are related to the installation of updates for
the third-party applications installed on client devices.

Scenario: Updating third-party software


This section provides a scenario for updating third-party software installed on the client devices. The third-party
software includes applications from Microsoft and other software vendors. Updates for Microsoft applications are
provided by the Windows Update service.

Prerequisites

Administration Server must have a connection to the internet to install updates of third-party software other than
Microsoft software.

By default, an internet connection is not required for Administration Server to install Microsoft software updates on
the managed devices. For example, the managed devices can download the Microsoft software updates directly
from Microsoft Update servers or from a Windows Server with Microsoft Windows Server Update Services (WSUS)
deployed in your organization's network. Administration Server must be connected to the internet when you use
Administration Server as a WSUS server.

Stages

Updating third-party software proceeds in stages:

1 Searching for required updates

To find the third-party software updates required for the managed devices, run the Find vulnerabilities and
required updates task. When this task is complete, Kaspersky Security Center receives the lists of detected
vulnerabilities and required updates for the third-party software installed on the devices that you specified in
the task properties.

The Find vulnerabilities and required updates task is created automatically by the Administration Server Quick
Start Wizard. If you did not run the Wizard, create the task or run the Quick Start Wizard now.

How-to instructions:

Administration Console: Scanning applications for vulnerabilities, Scheduling the Find vulnerabilities and
required updates task

Kaspersky Security Center Web Console: Creating the Find vulnerabilities and required updates task, Find
vulnerabilities and required updates task settings

2 Analyzing the list of found updates

View the SOFTWARE UPDATES list and decide which updates you want to install. To view detailed information
about each update, click the update name in the list. For each update in the list, you can also view the statistics
on the update installation on client devices.

How-to instructions:

Administration Console: Viewing information about available updates

Kaspersky Security Center Web Console: Viewing information about available third-party software updates

3 Configuring installation of updates

When Kaspersky Security Center has received the list of the third-party software updates, you can install them on
client devices by using the Install required updates and fix vulnerabilities task or the Install Windows Update
updates task. Create one of these tasks. You can create these tasks on the TASKS tab or by using the
SOFTWARE UPDATES list.

The Install required updates and fix vulnerabilities task is used to install updates for Microsoft applications,
including the updates provided by the Windows Update service, and updates of other vendors' products. Note
that this task can be created only if you have the license for the Vulnerability and Patch Management feature.

The Install Windows Update updates task does not require a license, but it can be used to install Windows
Update updates only.

To install some software updates, you must accept the End User License Agreement (EULA) for the software
being installed. If you decline the EULA, the software update will not be installed.

You can start an update installation task by schedule. When specifying the task schedule, make sure that the
update installation task starts after the Find vulnerabilities and required updates task is complete.

How-to instructions:

Administration Console: Fixing vulnerabilities in applications, Viewing information about available updates

Kaspersky Security Center Web Console: Creating the Install required updates and fix vulnerabilities task,
Creating the Install Windows Update updates task, Viewing information about available third-party software
updates

4 Scheduling the tasks

To be sure that the update list is always up-to-date, schedule the Find vulnerabilities and required updates task
to run the task automatically from time to time. The default frequency is once a week.

If you have created the Install required updates and fix vulnerabilities task, you can schedule it to run with the
same frequency as the Find vulnerabilities and required updates task or less often. When scheduling the Install
Windows Update updates task, note that for this task you must define the list of updates every time before
starting this task.

When scheduling the tasks, make sure that an update installation task starts after the Find vulnerabilities and
required updates task is complete.

5 Approving and declining software updates (optional)

If you have created the Install required updates and fix vulnerabilities task, you can specify rules for update
installation in the task properties. If you have created the Install Windows Update updates task, skip this step.

For each rule, you can define the updates to install depending on the update status: Undefined, Approved or
Declined. For example, you may want to create a specific task for servers and set a rule for this task to allow
installation of only Windows Update updates and only those that have the Approved status. After that you
manually set the Approved status for those updates that you want to install. In this case the Windows Update
updates that have the Undefined or Declined status will not be installed on the servers that you specified in the
task.

Using the Approved status to manage update installation is efficient for a small number of updates. To
install many updates, use the rules that you can configure in the Install required updates and fix vulnerabilities
task. We recommend that you set the Approved status only for those specific updates that do not meet the
criteria specified in the rules. When you manually approve a large number of updates, the performance of
Administration Server decreases, which may lead to Administration Server overload.

By default, the downloaded software updates have the Undefined status. You can change the status to
Approved or Declined in the SOFTWARE UPDATES list (OPERATIONS → PATCH MANAGEMENT →
SOFTWARE UPDATES).

How-to instructions:

Administration Console: Approving and declining software updates

Kaspersky Security Center Web Console: Approving and declining third-party software updates

6 Configuring Administration Server to work as Windows Server Update Services (WSUS) server (optional)

By default, Windows Update updates are downloaded to the managed devices from Microsoft servers. You can
change this setting to use the Administration Server as WSUS server. In this case, the Administration Server
synchronizes the update data with Windows Update at the specified frequency and provides updates in
centralized mode to Windows Update on networked devices.

To use the Administration Server as WSUS server, create the Perform Windows Update synchronization task and
select the Use Administration Server as WSUS server check box in the Network Agent policy.

How-to instructions:

Administration Console: Synchronizing updates from Windows Update with Administration Server,
Configuring Windows updates in a Network Agent policy

Kaspersky Security Center Web Console: Creating the Perform Windows Update synchronization task

7 Running an update installation task

Start the Install required updates and fix vulnerabilities task or the Install Windows Update updates task. When
you start these tasks, updates are downloaded and installed on managed devices. After the task is complete,
make sure that it has the Completed successfully status in the task list.

8 Creating the report on results of update installation of third-party software (optional)

To view detailed statistics on the update installation, create the Report on results of installation of third-party
software updates.

How-to instructions:

Administration Console: Creating and viewing a report

Kaspersky Security Center Web Console: Generating and viewing a report

Results

If you have created and configured the Install required updates and fix vulnerabilities task, the updates are installed
on the managed devices automatically. When new updates are downloaded to the Administration Server
repository, Kaspersky Security Center checks whether they meet the criteria specified in the update rules. All new
updates that meet the criteria will be installed automatically at the next task run.

If you have created the Install Windows Update updates task, only those updates specified in the Install Windows
Update updates task properties are installed. In future, if you want to install new updates downloaded to the
Administration Server repository, you must add the required updates to the list of updates in the existing task or
create a new Install Windows Update updates task.

About third-party software updates


Kaspersky Security Center enables you to manage updates of third-party software installed on managed devices
and fix vulnerabilities in Microsoft applications and other software makers' products through installation of required
updates.

Kaspersky Security Center searches for updates through the Find vulnerabilities and required updates task. When
this task is complete, Administration Server receives the lists of detected vulnerabilities and required updates for
the third-party software installed on the devices that you specified in the task properties. After viewing
information about available updates, you can install them on devices.

Kaspersky Security Center updates some applications by removing the previous version of the application
and installing the new one.

A user interaction may be required when you update a third-party application or x a vulnerability in a third-party
application on a managed device. For example, the user may be prompted to close the third-party application if it's
currently open.

For security reasons, any third-party software updates that you install by using the Vulnerability and Patch
Management feature are automatically scanned for malware by Kaspersky technologies. These technologies are
used for automatic file check and include anti-virus scan, static analysis, dynamic analysis, behavior analysis in the
sandbox environment, and machine learning.

Kaspersky experts do not perform manual analysis of third-party software updates that can be installed by using
the Vulnerability and Patch Management feature. In addition, Kaspersky experts do not search for vulnerabilities
(known or unknown) or undocumented features in such updates, and do not perform any types of analysis
of the updates other than those specified in the paragraph above.

Tasks for installing third-party software updates

When metadata of the third-party software updates is downloaded to the repository, you can install the updates
on client devices by using the following tasks:

The Install required updates and fix vulnerabilities task


The Install required updates and fix vulnerabilities task is used to install updates for Microsoft applications,
including the updates provided by the Windows Update service, and updates of other vendors' products. Note
that this task can be created only if you have the license for the Vulnerability and Patch Management feature.
When this task is complete, the updates are installed on the managed devices automatically. When metadata of
new updates is downloaded to the Administration Server repository, Kaspersky Security Center checks
whether the updates meet the criteria specified in the update rules. All new updates that meet the criteria will
be downloaded and installed automatically at the next task run.

The Install Windows Update updates task


The Install Windows Update updates task does not require a license, but it can be used to install Windows
Update updates only.
When this task is complete, only those updates that are specified in the task properties are installed. In future,
if you want to install new updates downloaded to the Administration Server repository, you must add the
required updates to the list of updates in the existing task or create a new Install Windows Update updates task.

Using Administration Server as WSUS server

Information about available updates for Microsoft Windows is provided by the Windows Update service. The
Administration Server can be used as the Windows Server Update Services (WSUS) server. To use Administration
Server as the WSUS server, you create the Perform Windows Update synchronization task and select the Use
Administration Server as WSUS server option in the Network Agent policy. After you have configured data
synchronization with Windows Update, Administration Server provides updates to Windows Update services on
devices in centralized mode and with the set frequency.

Installing third-party software updates


You can install third-party software updates on managed devices by creating and running one of the following
tasks:

Install required updates and fix vulnerabilities


The Install required updates and fix vulnerabilities task can be created only if you have a license for the
Vulnerability and Patch Management feature. You can use this task to install both Windows Update updates
provided by Microsoft and updates of other vendors' products.

Install Windows Update updates


You can use the Install Windows Update updates task to install Windows Update updates only.

A user interaction may be required when you update a third-party application or fix a vulnerability in a third-
party application on a managed device. For example, the user may be prompted to close the third-party
application if it's currently open.

As an option, you can create a task to install the required updates in the following ways:

By opening the update list and specifying which updates to install.


As a result, a new task to install the selected updates is created. As an option, you can add the selected
updates to an existing task.

By running the Update Installation Wizard.

The Update Installation Wizard is only available under the Vulnerability and Patch Management license.

The Wizard simplifies creation and configuration of an update installation task, and allows you to eliminate the
creation of redundant tasks that contain the same updates to install.

Installing third-party software updates by using the update list

To install third-party software updates by using the list of updates:

1. Open one of the lists of updates:

To open the general update list, go to OPERATIONS → PATCH MANAGEMENT → SOFTWARE UPDATES.

To open the update list for a managed device, go to DEVICES → MANAGED DEVICES → <device name> →
Advanced → Available updates.

To open the update list for a specific application, go to OPERATIONS → THIRD-PARTY APPLICATIONS →
APPLICATIONS REGISTRY → <application name> → Available updates.

A list of available updates appears.

2. Select the check boxes next to the updates that you want to install.

3. Click the Install updates button.


To install some software updates, you must accept the End User License Agreement (EULA). If you decline the
EULA, the software update is not installed.

4. Select one of the following options:

New task
The Add Task Wizard starts. If you have the Vulnerability and Patch Management license, the Install required
updates and fix vulnerabilities task is preselected. If you do not have the license, the Install Windows Update
updates task is preselected. Follow the steps of the Wizard to complete the task creation.

Install update (add rule to specified task)


Select a task to which you want to add the selected updates. If you have the Vulnerability and Patch
Management license, select the Install required updates and fix vulnerabilities task. A new rule to install the
selected updates will be automatically added to the selected task. If you do not have the license, select the
Install Windows Update updates task. The selected updates will be added to the task properties.

The task properties window opens. Click the Save button to save the changes.

If you have chosen to create a task, the task is created and displayed in the task list at DEVICES → TASKS. If
you have chosen to add the updates to an existing task, the updates are saved in the task properties.

To install third-party software updates, start the Install required updates and fix vulnerabilities task or the Install
Windows Update updates task. You can start any of these tasks manually or specify schedule settings in the
properties of the task that you start. When specifying the task schedule, make sure that the update installation
task starts after the Find vulnerabilities and required updates task is complete.

Installing third-party software updates by using the Update Installation Wizard

The Update Installation Wizard is only available under the Vulnerability and Patch Management license.

To create a task to install third-party software updates by using the Update Installation Wizard:

1. Select OPERATIONS → PATCH MANAGEMENT, and in the drop-down list select SOFTWARE UPDATES.
A list of available updates appears.

2. Select the check box next to the update that you want to install.

3. Click the Run Update Installation Wizard button.


The Update Installation Wizard starts. The Select the update installation task page displays the list of all
existing tasks of the following types:

Install required updates and fix vulnerabilities

Install Windows Update updates

Fix vulnerabilities

You cannot modify the tasks of the last two types to install new updates. To install new updates, you can only
use the Install required updates and fix vulnerabilities tasks.

4. If you want the Wizard to display only those tasks that install the update that you selected, then enable the
Show only tasks that install this update option.

5. Choose what you want to do:

To start a task, select the check box next to the task name, and then click the Start button.

To add a new rule to an existing task:

a. Select the check box next to the task name, and then click the Add rule button.

b. On the page that opens, configure the new rule:

Installation rule for updates of this importance level

Sometimes software updates may impair the user experience with the software. In such cases,
you may decide to install only those updates that are critical for the software operation and to
skip other updates.
If this option is enabled, the updates fix only those vulnerabilities for which the severity level set
by Kaspersky is equal to or higher than the severity of the selected update (Medium, High, or
Critical). Vulnerabilities with a severity level lower than the selected value are not fixed.
If this option is disabled, the updates fix all vulnerabilities regardless of their severity level.
By default, this option is disabled.

Installation rule for updates of this importance level according to MSRC

Sometimes software updates may impair the user experience with the software. In such cases,
you may decide to install only those updates that are critical for the software operation and to
skip other updates.
If this option is enabled (available only for Windows Update updates), the updates fix only those
vulnerabilities for which the severity level set by Microsoft Security Response Center (MSRC) is
equal to or higher than the value selected in the list (Low, Medium, High, or Critical).
Vulnerabilities with a severity level lower than the selected value are not fixed.
If this option is disabled, the updates fix all vulnerabilities regardless of their severity level.
By default, this option is disabled.

Installation rule for updates by this vendor

This option is available only for updates of third-party applications. Kaspersky Security Center
installs only those updates that relate to the applications made by the same vendor as the
selected update. Declined updates and updates to the applications made by other vendors are
not installed.
By default, this option is disabled.

Installation rule for updates of the type

Installation rule for the selected update

Approve selected updates

The selected update will be approved for installation. Enable this option if some applied rules of
update installation allow installation of approved updates only.

By default, this option is disabled.

Automatically install all previous application updates that are required to install the selected updates

Keep this option enabled if you agree with the installation of interim application versions when
this is required for installing the selected updates.
If this option is disabled, only the selected versions of applications are installed. Disable this
option if you want to update applications in a straightforward manner, without attempting to
install successive versions incrementally. If installing the selected updates is not possible without
installing previous versions of applications, the updating of the application fails.
For example, you have version 3 of an application installed on a device and you want to update it
to version 5, but version 5 of this application can be installed only over version 4. If this option is
enabled, the software first installs version 4, and then installs version 5. If this option is disabled,
the software fails to update the application.
By default, this option is enabled.

c. Click the Add button.

To create a task:

a. Click the New task button.

b. On the page that opens, configure the new rule:

Installation rule for updates of this importance level

Sometimes software updates may impair the user experience with the software. In such cases,
you may decide to install only those updates that are critical for the software operation and to
skip other updates.
If this option is enabled, the updates fix only those vulnerabilities for which the severity level set
by Kaspersky is equal to or higher than the severity of the selected update (Medium, High, or
Critical). Vulnerabilities with a severity level lower than the selected value are not fixed.
If this option is disabled, the updates fix all vulnerabilities regardless of their severity level.
By default, this option is disabled.

Installation rule for updates of this importance level according to MSRC

Sometimes software updates may impair the user experience with the software. In such cases,
you may decide to install only those updates that are critical for the software operation and to
skip other updates.
If this option is enabled (available only for Windows Update updates), the updates fix only those
vulnerabilities for which the severity level set by Microsoft Security Response Center (MSRC) is
equal to or higher than the value selected in the list (Low, Medium, High, or Critical).
Vulnerabilities with a severity level lower than the selected value are not fixed.
If this option is disabled, the updates fix all vulnerabilities regardless of their severity level.
By default, this option is disabled.

Installation rule for updates by this vendor

This option is available only for updates of third-party applications. Kaspersky Security Center
installs only those updates that relate to the applications made by the same vendor as the
selected update. Declined updates and updates to the applications made by other vendors are
not installed.
By default, this option is disabled.

Installation rule for updates of the type

Installation rule for the selected update

Approve selected updates

The selected update will be approved for installation. Enable this option if some applied rules of
update installation allow installation of approved updates only.

By default, this option is disabled.

Automatically install all previous application updates that are required to install the selected updates

Keep this option enabled if you agree with the installation of interim application versions when
this is required for installing the selected updates.
If this option is disabled, only the selected versions of applications are installed. Disable this
option if you want to update applications in a straightforward manner, without attempting to
install successive versions incrementally. If installing the selected updates is not possible without
installing previous versions of applications, the updating of the application fails.
For example, you have version 3 of an application installed on a device and you want to update it
to version 5, but version 5 of this application can be installed only over version 4. If this option is
enabled, the software first installs version 4, and then installs version 5. If this option is disabled,
the software fails to update the application.
By default, this option is enabled.

c. Click the Add button.

If you have chosen to start a task, you can close the Wizard. The task will complete in background mode. No
further actions are required.

If you have chosen to add a rule to an existing task, the task properties window opens. The new rule is already
added to the task properties. You can view or modify the rule or other task settings. Click the Save button to
save the changes.

If you have chosen to create a task, you continue to create the task in the Add Task Wizard. The new rule that
you added in the Update Installation Wizard is displayed in the Add Task Wizard. When you complete the Wizard,
the Install required updates and fix vulnerabilities task is added to the task list.
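The rule semantics described in step 5 of the scenario above and in the Wizard's rule options (update status, the Kaspersky and MSRC severity thresholds, the vendor rule, and the Automatically install all previous application updates option with its version 3 to 4 to 5 case) can be modelled in a few dozen lines. The Python below is an added example and is not Kaspersky code; the update names, vendors and ratings are constructed, and two behaviours are assumptions rather than statements from this page: several rules in one task are combined with OR, and the MSRC threshold is simply not applied to third-party updates because the page says it is available only for Windows Update updates.

```python
"""Model of the update-installation rules described on this page (added example, not Kaspersky code)."""
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Optional

# Severity ranking used by both the Kaspersky and the MSRC rule on this page.
SEVERITY_RANK = {"Low": 1, "Medium": 2, "High": 3, "Critical": 4}


@dataclass(frozen=True)
class Update:
    name: str
    vendor: str
    kind: str                            # "WindowsUpdate" or "ThirdParty"
    status: str                          # "Undefined", "Approved" or "Declined"
    severity: str                        # severity level set by Kaspersky
    msrc_severity: Optional[str] = None  # MSRC rating; Windows Update updates only


@dataclass(frozen=True)
class Rule:
    # Statuses the rule lets through (step 5 of the scenario). Assumption: Declined
    # updates are excluded by default, as the vendor-rule text on this page states.
    statuses: FrozenSet[str] = frozenset({"Undefined", "Approved"})
    windows_update_only: bool = False
    min_severity: Optional[str] = None       # "...updates of this importance level"
    min_msrc_severity: Optional[str] = None  # "...importance level according to MSRC"
    vendor: Optional[str] = None             # "...updates by this vendor"


def rule_matches(rule: Rule, upd: Update) -> bool:
    """True when the update satisfies every criterion the rule sets."""
    if upd.status not in rule.statuses:
        return False
    if rule.windows_update_only and upd.kind != "WindowsUpdate":
        return False
    if rule.min_severity and SEVERITY_RANK[upd.severity] < SEVERITY_RANK[rule.min_severity]:
        return False
    # The MSRC threshold exists only for Windows Update updates, so third-party
    # updates are judged by the other criteria alone (assumption).
    if rule.min_msrc_severity and upd.kind == "WindowsUpdate":
        if upd.msrc_severity is None or \
           SEVERITY_RANK[upd.msrc_severity] < SEVERITY_RANK[rule.min_msrc_severity]:
            return False
    # The vendor rule exists only for third-party updates and keeps that vendor only.
    if rule.vendor and (upd.kind != "ThirdParty" or upd.vendor != rule.vendor):
        return False
    return True


def select_updates(rules: List[Rule], updates: List[Update]) -> List[str]:
    """Names of the updates a task would install: any matching rule is enough (assumption)."""
    return [u.name for u in updates if any(rule_matches(r, u) for r in rules)]


def plan_upgrade(installed: str, target: str, installs_over: Dict[str, str],
                 install_previous: bool = True) -> Optional[List[str]]:
    """Versions to install, in order, to move from `installed` to `target`.

    installs_over maps a version to the version it can be installed over.
    install_previous models "Automatically install all previous application updates":
    when it is False and an interim version would be needed, the update fails (None).
    """
    chain: List[str] = []
    seen = set()
    version = target
    while version != installed:
        if version in seen or version not in installs_over:
            return None                # no known path down to the installed version
        seen.add(version)
        chain.append(version)
        version = installs_over[version]
    chain.reverse()
    if not install_previous and len(chain) > 1:
        return None                    # interim versions required but not allowed
    return chain


# Constructed sample update list (not real update names, vendors or ratings).
SAMPLE_UPDATES = [
    Update("KB-A", "Microsoft", "WindowsUpdate", "Approved", "High", "Critical"),
    Update("KB-B", "Microsoft", "WindowsUpdate", "Undefined", "Medium", "Medium"),
    Update("FooApp 2.1", "FooVendor", "ThirdParty", "Undefined", "Critical"),
    Update("BarApp 7.0", "BarVendor", "ThirdParty", "Declined", "Critical"),
]
# The server rule from step 5: Windows Update updates only, Approved status only.
SERVER_RULE = Rule(statuses=frozenset({"Approved"}), windows_update_only=True)
FOO_VENDOR_RULE = Rule(vendor="FooVendor")
MSRC_HIGH_RULE = Rule(min_msrc_severity="High")

if __name__ == "__main__":
    print(select_updates([SERVER_RULE], SAMPLE_UPDATES))        # ['KB-A']
    print(select_updates([MSRC_HIGH_RULE], SAMPLE_UPDATES))     # ['KB-A', 'FooApp 2.1']
    print(plan_upgrade("3", "5", {"5": "4", "4": "3"}))         # ['4', '5']
    print(plan_upgrade("3", "5", {"5": "4", "4": "3"}, False))  # None
```

The MSRC case is the one worth noticing: a task whose only rule is an MSRC threshold still installs every third-party update that has a permitted status, because the threshold does not apply to them. If that is not what you want, pair the MSRC rule with the Windows Update only restriction, as the server example in step 5 does.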

Creating the Find vulnerabilities and required updates task

Through the Find vulnerabilities and required updates task, Kaspersky Security Center receives the lists of
detected vulnerabilities and required updates for the third-party software installed on the managed devices.

The Find vulnerabilities and required updates task is created automatically when the Quick Start Wizard is running.
If you did not run the Wizard, you can create the task manually.

To create the Find vulnerabilities and required updates task:

1. In the main menu, go to DEVICES → TASKS.

2. Click Add.
The Add Task Wizard starts. Follow the steps of the Wizard.

3. For the Kaspersky Security Center application, select the Find vulnerabilities and required updates task type.

4. Specify the name for the task that you are creating. A task name cannot be more than 100 characters long and
cannot include any special characters ("*<>?\:|).

5. Select devices to which the task will be assigned.

6. If you want to modify the default task settings, enable the Open task details when creation is complete
option on the Finish task creation page. If you do not enable this option, the task is created with the default
settings. You can modify the default settings later, at any time.

7. Click the Create button.


The task is created and displayed in the list of tasks.

8. Click the name of the created task to open the task properties window.

9. In the task properties window, specify the general task settings.

10. On the Application settings tab, specify the following settings:

Search for vulnerabilities and updates listed by Microsoft

When searching for vulnerabilities and updates, Kaspersky Security Center uses the information about
applicable Microsoft updates that is currently available from the source of Microsoft updates.

For example, you may want to disable this option if you have different tasks with different settings for
Microsoft updates and updates of third-party applications.

By default, this option is enabled.

Connect to the update server to update data

Windows Update Agent on a managed device connects to the source of Microsoft updates. The
following servers can act as a source of Microsoft updates:

Kaspersky Security Center Administration Server (see the settings of Network Agent policy)

Windows Server with Microsoft Windows Server Update Services (WSUS) deployed in your
organization's network

Microsoft Update servers

If this option is enabled, Windows Update Agent on a managed device connects to the source of
Microsoft updates to refresh the information about applicable Microsoft Windows updates.

If this option is disabled, Windows Update Agent on a managed device uses the information about
applicable Microsoft Windows updates that was received from the source of Microsoft updates earlier
and that is stored in the device's cache.

Connecting to the source of Microsoft updates can be resource-consuming. You might want to disable
this option if you set regular connection to this source of updates in another task or in the properties
of Network Agent policy, in the section Software updates and vulnerabilities. If you do not want to
disable this option, then, to reduce the load on Administration Server, you can configure the task
schedule to randomize the delay for task starts within 360 minutes.

By default, this option is enabled.

The combination of the following options of the settings of Network Agent policy defines the mode of
getting updates:

Windows Update Agent on a managed device connects to the Update Server to get updates only
if the Connect to the update server to update data option is enabled and the Active option, in
the Windows Update search mode settings group, is selected.

Windows Update Agent on a managed device uses the information about applicable Microsoft
Windows updates that was received from the source of Microsoft updates earlier and that is
stored in the device's cache, if the Connect to the update server to update data option is
enabled and the Passive option, in the Windows Update search mode settings group, is selected,
or if the Connect to the update server to update data option is disabled and the Active option,
in the Windows Update search mode settings group, is selected.

Irrespective of the Connect to the update server to update data option's status (enabled or
disabled), if the Disabled option, in the Windows Update search mode settings group, is selected,
Kaspersky Security Center does not request any information about updates.

Search for third-party vulnerabilities and updates listed by Kaspersky

If this option is enabled, Kaspersky Security Center searches for vulnerabilities and required updates
for third-party applications (applications made by software vendors other than Kaspersky and
Microsoft) in the Windows Registry and in the folders specified under Specify paths for advanced search
of applications in file system. The full list of supported third-party applications is managed by
Kaspersky.

If this option is disabled, Kaspersky Security Center does not search for vulnerabilities and required
updates for third-party applications. For example, you may want to disable this option if you have
different tasks with different settings for Microsoft Windows updates and updates of third-party
applications.

By default, this option is enabled.

Specify paths for advanced search of applications across the file system

The folders in which Kaspersky Security Center searches for third-party applications that require
vulnerability fix and update installation. You can use system variables.

Specify the folders to which applications are installed. By default, the list contains system folders to
which most of the applications are installed.

Enable advanced diagnostics

If this feature is enabled, Network Agent writes traces even if tracing is disabled for Network Agent in
Kaspersky Security Center Remote Diagnostics Utility. Traces are written to two files in turn; the total
size of both files is determined by the Maximum size, in MB, of advanced diagnostics files value. When
both files are full, Network Agent starts writing to them again. The files with traces are stored in the
%WINDIR%\Temp folder. These files are accessible in the remote diagnostics utility, where you can download
or delete them.

If this feature is disabled, Network Agent writes traces according to the settings in Kaspersky Security
Center Remote Diagnostics Utility. No additional traces are written.

When creating a task, you do not have to enable advanced diagnostics. You may want to use this
feature later if, for example, a task run fails on some of the devices and you want to get additional
information during another task run.

By default, this option is disabled.

Maximum size, in MB, of advanced diagnostics files

The default value is 100 MB, and available values are between 1 MB and 2048 MB. You may be asked to
change the default value by Kaspersky Technical Support specialists when information in the advanced
diagnostics files sent by you is not enough to troubleshoot the problem.

11. Click the Save button.

The task is created and configured.

If the task results contain a warning of the 0x80240033 "Windows Update Agent error 80240033 ("License
terms could not be downloaded.")" error, you can resolve this issue through the Windows Registry.

Find vulnerabilities and required updates task settings


The Find vulnerabilities and required updates task is created automatically when the Quick Start Wizard is running.
If you did not run the Wizard, you can create the task manually.

In addition to the general task settings, you can specify the following settings when creating the Find vulnerabilities
and required updates task or later, when con guring the properties of the created task:

Search for vulnerabilities and updates listed by Microsoft

When searching for vulnerabilities and updates, Kaspersky Security Center uses the information about
applicable Microsoft updates that is currently available from the source of Microsoft updates.

For example, you may want to disable this option if you have different tasks with different settings for
Microsoft updates and updates of third-party applications.

By default, this option is enabled.

Connect to the update server to update data

Windows Update Agent on a managed device connects to the source of Microsoft updates. The following
servers can act as a source of Microsoft updates:
Kaspersky Security Center Administration Server (see the settings of Network Agent policy)

Windows Server with Microsoft Windows Server Update Services (WSUS) deployed in your
organization's network

Microsoft Updates servers


If this option is enabled, Windows Update Agent on a managed device connects to the source of Microsoft
updates to refresh the information about applicable Microsoft Windows updates.

If this option is disabled, Windows Update Agent on a managed device uses the information about
applicable Microsoft Windows updates that was received from the source of Microsoft updates earlier and
that is stored in the device's cache.
Connecting to the source of Microsoft updates can be resource-consuming. You might want to disable
this option if you set regular connection to this source of updates in another task or in the properties of
Network Agent policy, in the section Software updates and vulnerabilities. If you do not want to disable
this option, then, to reduce the Server overload, you can configure the task schedule to randomize delay
for task starts within 360 minutes.
By default, this option is enabled.
Combination of the following options of the settings of Network Agent policy defines the mode of getting
updates:
Windows Update Agent on a managed device connects to the Update Server to get updates only if
the Connect to the update server to update data option is enabled and the Active option, in the
Windows Update search mode settings group, is selected.

Windows Update Agent on a managed device uses the information about applicable Microsoft
Windows updates that was received from the source of Microsoft updates earlier and that is stored
in the device's cache, if the Connect to the update server to update data option is enabled and the
Passive option, in the Windows Update search mode settings group, is selected, or if the Connect
to the update server to update data option is disabled and the Active option, in the Windows
Update search mode settings group, is selected.

Irrespective of the Connect to the update server to update data option's status (enabled or
disabled), if the Disabled option in the Windows Update search mode settings group is selected,
Kaspersky Security Center does not request any information about updates.

Search for third-party vulnerabilities and updates listed by Kaspersky

If this option is enabled, Kaspersky Security Center searches for vulnerabilities and required updates for
third-party applications (applications made by software vendors other than Kaspersky and Microsoft) in
Windows Registry and in the folders specified under Specify paths for advanced search of applications
in file system. The full list of supported third-party applications is managed by Kaspersky.

If this option is disabled, Kaspersky Security Center does not search for vulnerabilities and required
updates for third-party applications. For example, you may want to disable this option if you have different
tasks with different settings for Microsoft Windows updates and updates of third-party applications.

By default, this option is enabled.

Specify paths for advanced search of applications across the file system

The folders in which Kaspersky Security Center searches for third-party applications that require
vulnerability fix and update installation. You can use system variables.

Specify the folders to which applications are installed. By default, the list contains system folders to which
most of the applications are installed.

Enable advanced diagnostics

If this feature is enabled, Network Agent writes traces even if tracing is disabled for Network Agent in
Kaspersky Security Center Remote Diagnostics Utility. Traces are written to two files in turn; the total size
of both files is determined by the Maximum size, in MB, of advanced diagnostics files value. When both
files are full, Network Agent starts writing to them again. The files with traces are stored in the
%WINDIR%\Temp folder. These files are accessible in the remote diagnostics utility; you can download or
delete them there.
If this feature is disabled, Network Agent writes traces according to the settings in Kaspersky Security
Center Remote Diagnostics Utility. No additional traces are written.
When creating a task, you do not have to enable advanced diagnostics. You may want to use this feature
later if, for example, a task run fails on some of the devices and you want to get additional information
during another task run.
By default, this option is disabled.

Maximum size, in MB, of advanced diagnostics files

The default value is 100 MB, and available values are between 1 MB and 2048 MB. You may be asked to
change the default value by Kaspersky Technical Support specialists when information in the advanced
diagnostics files sent by you is not enough to troubleshoot the problem.
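The Enable advanced diagnostics setting describes a bounded pair of trace files written in turn, and the same mechanism reappears in the Install required updates and fix vulnerabilities task settings. The following Python models that behaviour so the retention property is visible: once both files are full, the older one is truncated and overwritten, so at most the most recent budget of records survives. This is an added illustration, not Network Agent code or a Kaspersky API; the file names, the record format, and the even split of the size budget between the two files are assumptions, and the constructor takes bytes where the product setting is expressed in MB (1 to 2048).

```python
import os
import tempfile


class TwoFileTraceRing:
    """Model of a bounded, two-file trace log (illustration only, not Network Agent code).

    Records go to one file until it reaches half of the total budget, then to the
    other file, which is truncated first. When both are full the writer wraps around
    and truncates the older file again, so the ring never exceeds the budget and
    always keeps the most recent records.
    """

    def __init__(self, directory, max_total_bytes):
        # Assumed file names; the real agent's file names are not documented here.
        self.paths = [os.path.join(directory, "trace.0.log"),
                      os.path.join(directory, "trace.1.log")]
        # Assumption: the total budget is split evenly between the two files.
        self.per_file_limit = max_total_bytes // 2
        self.current = 0
        self.switches = 0
        for path in self.paths:
            open(path, "wb").close()  # start from two empty files

    def _size(self, idx):
        return os.path.getsize(self.paths[idx])

    def write(self, record):
        data = (record.rstrip("\n") + "\n").encode("utf-8")
        if len(data) > self.per_file_limit:
            raise ValueError("a single record exceeds the per-file budget")
        if self._size(self.current) + len(data) > self.per_file_limit:
            # The current file is full: switch to the other one and truncate it.
            self.current = 1 - self.current
            self.switches += 1
            open(self.paths[self.current], "wb").close()
        with open(self.paths[self.current], "ab") as fh:
            fh.write(data)

    def total_size(self):
        return self._size(0) + self._size(1)

    def records(self):
        """Surviving records, oldest first (the older file, then the current file)."""
        out = []
        for idx in (1 - self.current, self.current):
            with open(self.paths[idx], "rb") as fh:
                out.extend(fh.read().decode("utf-8").splitlines())
        return out


def demo(record_count=200, max_total_bytes=1024):
    """Push constructed trace records through a small ring and report what survives."""
    ring = TwoFileTraceRing(tempfile.mkdtemp(prefix="trace-ring-"), max_total_bytes)
    for i in range(record_count):
        # Constructed records, 35 bytes each including the newline.
        ring.write("record %04d constructed trace line" % i)
    kept = ring.records()
    return {
        "total_size": ring.total_size(),
        "switches": ring.switches,
        "kept": len(kept),
        "oldest": kept[0],
        "newest": kept[-1],
    }


if __name__ == "__main__":
    print(demo())
```

With a 1024-byte budget each file holds 14 of these records, so after 200 writes only the last 18 survive (14 in the older file, 4 in the current one). The practical consequence for troubleshooting is the same as for the real setting: if a failing task run produces more trace output than the configured size, the beginning of the run is gone by the time you download the files, which is why Technical Support may ask you to raise the value before repeating the run.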

Recommendations on the task schedule

When scheduling the Find vulnerabilities and required updates task, make sure that two options—Run missed
tasks and Use automatically randomized delay for task starts—are enabled.

By default, the Find vulnerabilities and required updates task is set to start at 6:00 PM. If the organization's
workplace rules provide for shutting down all devices at this time, the Find vulnerabilities and required updates task
will run after the devices are turned on again, that is, in the morning of the next day. Such activity may be
undesirable because a vulnerability scan may increase the load on CPUs and disk subsystems. You must set up the
most convenient schedule for the task based on the workplace rules adopted in the organization.

Creating the Install required updates and fix vulnerabilities task

The Install required updates and fix vulnerabilities task is only available under the Vulnerability and Patch
Management license.

The Install required updates and fix vulnerabilities task is used to update and fix vulnerabilities in third-party
software, including Microsoft software, installed on the managed devices. This task allows you to install multiple
updates and fix multiple vulnerabilities according to certain rules.

To install updates or fix vulnerabilities by using the Install required updates and fix vulnerabilities task, you can do
one of the following:

Run the Update Installation Wizard or the Vulnerability Fix Wizard.

Create an Install required updates and fix vulnerabilities task.

Add a rule for update installation to an existing Install required updates and fix vulnerabilities task.

To create the Install required updates and fix vulnerabilities task:

1. In the main menu, go to DEVICES → TASKS.

2. Click Add.
The Add Task Wizard starts. Follow the steps of the Wizard.

3. For the Kaspersky Security Center application, select the Install required updates and fix vulnerabilities task
type.
If the task is not displayed, check whether your account has the Read, Modify, and Execute rights for the
System management: Vulnerability and patch management functional area. You cannot create and configure
the Install required updates and fix vulnerabilities task without these access rights.

4. Specify the name for the task that you are creating. A task name cannot be more than 100 characters long and
cannot include any special characters ("*<>?\:|).

5. Select devices to which the task will be assigned.

6. Specify the rules for update installation, and then specify the following settings:

Start installation at device restart or shutdown

If this option is enabled, updates are installed when the device is restarted or shut down. Otherwise,
updates are installed according to a schedule.
Use this option if installing the updates might affect the device performance.
By default, this option is disabled.

Install required general system components

If this option is enabled, before installing an update the application automatically installs all general
system components (prerequisites) that are required to install the update. For example, these
prerequisites can be operating system updates.
If this option is disabled, you may have to install the prerequisites manually.
By default, this option is disabled.

Allow installation of new application versions during updates

If this option is enabled, updates are allowed when they result in installation of a new version of a
software application.
If this option is disabled, the software is not upgraded. You can then install new versions of the software
manually or through another task. For example, you may use this option if your company infrastructure
is not supported by a new software version or if you want to check an upgrade in a test infrastructure.
By default, this option is enabled.

Upgrading an application may cause malfunction of dependent applications installed on client
devices.

Download updates to the device without installing them

If this option is enabled, the application downloads updates to the device but does not install them
automatically. You can then Install downloaded updates manually.
Microsoft updates are downloaded to the system Windows storage. Updates of third-party
applications (applications made by software vendors other than Kaspersky and Microsoft) are
downloaded to the folder specified in the Folder for downloading updates field.
If this option is disabled, the updates are installed to the device automatically.
By default, this option is disabled.

Folder for downloading updates

This folder is used to download updates of third-party applications (applications made by software
vendors other than Kaspersky and Microsoft).

Enable advanced diagnostics

If this feature is enabled, Network Agent writes traces even if tracing is disabled for Network Agent in
Kaspersky Security Center Remote Diagnostics Utility. Traces are written to two files in turn; the total
size of both files is determined by the Maximum size, in MB, of advanced diagnostics files value. When
both files are full, Network Agent starts writing to them again. The files with traces are stored in the
%WINDIR%\Temp folder. These files are accessible in the remote diagnostics utility; you can download
or delete them there.
If this feature is disabled, Network Agent writes traces according to the settings in Kaspersky Security
Center Remote Diagnostics Utility. No additional traces are written.
When creating a task, you do not have to enable advanced diagnostics. You may want to use this
feature later if, for example, a task run fails on some of the devices and you want to get additional
information during another task run.
By default, this option is disabled.

Maximum size, in MB, of advanced diagnostics files

The default value is 100 MB, and available values are between 1 MB and 2048 MB. You may be asked to
change the default value by Kaspersky Technical Support specialists when information in the advanced
diagnostics files sent by you is not enough to troubleshoot the problem.

7. Specify the operating system restart settings:

Do not restart the device

Client devices are not restarted automatically after the operation. To complete the operation, you must
restart a device (for example, manually or through a device management task). Information about the
required restart is saved in the task results and in the device status. This option is suitable for tasks on
servers and other devices where continuous operation is critical.

Restart the device

Client devices are always restarted automatically if a restart is required for completion of the
operation. This option is useful for tasks on devices that provide for regular pauses in their operation
(shutdown or restart).

Prompt user for action

The restart reminder is displayed on the screen of the client device, prompting the user to restart it
manually. Some advanced settings can be defined for this option: text of the message for the user, the
message display frequency, and the time interval after which a restart will be forced (without the user's
confirmation). This option is most suitable for workstations where users must be able to select the
most convenient time for a restart.
By default, this option is selected.

Repeat prompt every (min)

If this option is enabled, the application prompts the user to restart the operating system with the
specified frequency.
By default, this option is enabled. The default interval is 5 minutes. Available values are between 1 and
1440 minutes.
If this option is disabled, the prompt is displayed only once.

Restart after (min)

After prompting the user, the application forces restart of the operating system upon expiration of the
specified time interval.
By default, this option is enabled. The default delay is 30 minutes. Available values are between 1 and
1440 minutes.

Wait time before forced closure of applications in blocked sessions (min)

Applications are forced to close when the user's device is locked (automatically after a specified
interval of inactivity, or manually).
If this option is enabled, applications are forced to close on the locked device upon expiration of the
time interval specified in the entry field.
If this option is disabled, applications do not close on the locked device.
By default, this option is disabled.

8. If you want to modify the default task settings, enable the Open task details when creation is complete
option on the Finish task creation page. If you do not enable this option, the task is created with the default
settings. You can modify the default settings later, at any time.

9. Click the Finish button.


The task is created and displayed in the list of tasks.

10. Click the name of the created task to open the task properties window.

11. In the task properties window, specify the general task settings according to your needs.

12. Click the Save button.


The task is created and configured.

If the task results contain a warning of the 0x80240033 "Windows Update Agent error 80240033 ("License
terms could not be downloaded.")" error, you can resolve this issue through the Windows Registry.

Adding rules for update installation

This feature is only available under the Vulnerability and Patch Management license.

When installing software updates or fixing software vulnerabilities by using the Install required updates and fix
vulnerabilities task, you must specify rules for the update installation. These rules determine the updates to install
and the vulnerabilities to x.

The exact settings depend on whether you add a rule for all updates, for Windows Update updates, or for updates
of third-party applications (applications made by software vendors other than Kaspersky and Microsoft). When
adding a rule for Windows Update updates or updates of third-party applications, you can select specific
applications and application versions for which you want to install updates. When adding a rule for all updates, you
can select specific updates that you want to install and vulnerabilities that you want to fix by means of installing
updates.

You can add a rule for update installation in the following ways:

By adding a rule while creating a new Install required updates and fix vulnerabilities task.

By adding a rule on the Application Settings tab in the properties window of an existing Install required
updates and fix vulnerabilities task.

Through the Update Installation Wizard or the Vulnerability Fix Wizard.

To add a new rule for all updates:

1. Click the Add button.


The Rule Creation Wizard starts. Proceed through the Wizard by using the Next button.

2. On the Rule type page, select Rule for all updates.

3. On the General criteria page, use the drop-down lists to specify the following settings:

Set of updates to install

Select the updates that must be installed on client devices:


Install approved updates only. This installs only approved updates.

Install all updates (except declined). This installs updates with the Approved or Undefined
approval status.

Install all updates (including declined). This installs all updates, regardless of their approval
status. Select this option with caution. For example, use this option if you want to check
installation of some declined updates in a test infrastructure.

Fix vulnerabilities with a severity level equal to or higher than

Sometimes software updates may impair the user experience with the software. In such cases, you may
decide to install only those updates that are critical for the software operation and to skip other
updates.
If this option is enabled, the updates fix only those vulnerabilities for which the severity level set by
Kaspersky is equal to or higher than the value selected in the list (Medium, High, or Critical).
Vulnerabilities with a severity level lower than the selected value are not fixed.
If this option is disabled, the updates fix all vulnerabilities regardless of their severity level.
By default, this option is disabled.

4. On the Updates page, select the updates to be installed:

Install all suitable updates

Install all software updates that meet the criteria specified on the General criteria page of the Wizard.
Selected by default.

Install only updates from the list

Install only software updates that you select manually from the list. This list contains all available
software updates.
For example, you may want to select specific updates in the following cases: to check their installation
in a test environment, to update only critical applications, or to update only specific applications.

Automatically install all previous application updates that are required to install the selected updates

Keep this option enabled if you agree with the installation of interim application versions when this is
required for installing the selected updates.
If this option is disabled, only the selected versions of applications are installed. Disable this option if
you want to update applications in a straightforward manner, without attempting to install
successive versions incrementally. If installing the selected updates is not possible without installing
previous versions of applications, the updating of the application fails.
For example, you have version 3 of an application installed on a device and you want to update it to
version 5, but version 5 of this application can be installed only over version 4. If this option is
enabled, the software first installs version 4, and then installs version 5. If this option is disabled, the
software fails to update the application.
By default, this option is enabled.

5. On the Vulnerabilities page, select vulnerabilities that will be fixed by installing the selected updates:

Fix all vulnerabilities that match other criteria

Fix all vulnerabilities that meet the criteria specified on the General criteria page of the Wizard.
Selected by default.

Fix only vulnerabilities from the list

Fix only vulnerabilities that you select manually from the list. This list contains all detected
vulnerabilities.
For example, you may want to select specific vulnerabilities in the following cases: to check their fix in a
test environment, to fix vulnerabilities only in critical applications, or to fix vulnerabilities only in specific
applications.

6. On the Name page, specify the name for the rule that you are adding. You can later change this name in the
Settings section of the properties window of the created task.

After the Rule Creation Wizard completes its operation, the new rule is added and displayed in the rule list in the
Add Task Wizard or in the task properties.

To add a new rule for Windows Update updates:

1. Click the Add button.


The Rule Creation Wizard starts. Proceed through the Wizard by using the Next button.

2. On the Rule type page, select Rule for Windows Update.

3. On the General criteria page, specify the following settings:

Set of updates to install

Select the updates that must be installed on client devices:
Install approved updates only. This installs only approved updates.

Install all updates (except declined). This installs updates with the Approved or Undefined
approval status.

Install all updates (including declined). This installs all updates, regardless of their approval
status. Select this option with caution. For example, use this option if you want to check
installation of some declined updates in a test infrastructure.

Fix vulnerabilities with a severity level equal to or higher than

Sometimes software updates may impair the user experience with the software. In such cases, you may
decide to install only those updates that are critical for the software operation and to skip other
updates.
If this option is enabled, the updates fix only those vulnerabilities for which the severity level set by
Kaspersky is equal to or higher than the value selected in the list (Medium, High, or Critical).
Vulnerabilities with a severity level lower than the selected value are not fixed.
If this option is disabled, the updates fix all vulnerabilities regardless of their severity level.
By default, this option is disabled.

Fix vulnerabilities with an MSRC severity level equal to or higher than

Sometimes software updates may impair the user experience with the software. In such cases, you may
decide to install only those updates that are critical for the software operation and to skip other
updates.
If this option is enabled, the updates fix only those vulnerabilities for which the severity level set by
Microsoft Security Response Center (MSRC) is equal to or higher than the value selected in the list
(Low, Medium, High, or Critical). Vulnerabilities with a severity level lower than the selected value are
not fixed.
If this option is disabled, the updates fix all vulnerabilities regardless of their severity level.
By default, this option is disabled.

4. On the Applications page, select the applications and application versions for which you want to install
updates. By default, all applications are selected.

5. On the Categories of updates page, select the categories of updates to be installed. These categories are the
same as in Microsoft Update Catalog. By default, all categories are selected.

6. On the Name page, specify the name for the rule that you are adding. You can later change this name in the
Settings section of the properties window of the created task.

After the Rule Creation Wizard completes its operation, the new rule is added and displayed in the rule list in the
Add Task Wizard or in the task properties.

To add a new rule for updates of third-party applications:

1. Click the Add button.


The Rule Creation Wizard starts. Proceed through the Wizard by using the Next button.

2. On the Rule type page, select Rule for third-party updates.

3. On the General criteria page, specify the following settings:

Set of updates to install

Select the updates that must be installed on client devices:


Install approved updates only. This installs only approved updates.

Install all updates (except declined). This installs updates with the Approved or Undefined
approval status.

Install all updates (including declined). This installs all updates, regardless of their approval
status. Select this option with caution. For example, use this option if you want to check
installation of some declined updates in a test infrastructure.

Fix vulnerabilities with a severity level equal to or higher than

Sometimes software updates may impair the user experience with the software. In such cases, you may
decide to install only those updates that are critical for the software operation and to skip other
updates.
If this option is enabled, the updates fix only those vulnerabilities for which the severity level set by
Kaspersky is equal to or higher than the value selected in the list (Medium, High, or Critical).
Vulnerabilities with a severity level lower than the selected value are not fixed.
If this option is disabled, the updates fix all vulnerabilities regardless of their severity level.
By default, this option is disabled.

4. On the Applications page, select the applications and application versions for which you want to install
updates. By default, all applications are selected.

5. On the Name page, specify the name for the rule that you are adding. You can later change this name in the
Settings section of the properties window of the created task.

After the Rule Creation Wizard completes its operation, the new rule is added and displayed in the rule list in the
Add Task Wizard or in the task properties.
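The three rule types above (all updates, Windows Update, third-party updates) share one selection logic: the Set of updates to install approval filter, an optional Kaspersky severity threshold, an optional MSRC threshold in a Rule for Windows Update, the Applications page, and the Install only updates from the list choice; after selection, the Automatically install all previous application updates option from the Updates page decides whether interim versions may be installed or the update fails. The following Python models that logic over a constructed catalog so the combined effect of these settings can be checked before a rule is applied to production devices. It is an added illustration, not Kaspersky Security Center code or its API: the update identifiers, application names, version chain, and the decision that an update with no known severity does not pass an enabled severity filter are assumptions.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Set

# Severity scales as the Rule Creation Wizard lists them; a higher number is more severe.
KASPERSKY_SEVERITY = {"Medium": 1, "High": 2, "Critical": 3}
MSRC_SEVERITY = {"Low": 0, "Medium": 1, "High": 2, "Critical": 3}
# The three 'Set of updates to install' choices mapped to the approval statuses they admit.
ALLOWED_APPROVALS = {"approved_only": {"Approved"},
                     "all_except_declined": {"Approved", "Undefined"},
                     "all_including_declined": {"Approved", "Undefined", "Declined"}}


@dataclass(frozen=True)
class Update:
    update_id: str                       # constructed label, not a real KB or vendor identifier
    application: str
    version: str                         # version the application has after this update
    requires_version: Optional[str]      # version that must already be installed (None: any)
    approval: str                        # "Approved", "Undefined" or "Declined"
    kaspersky_severity: Optional[str]    # worst Kaspersky severity among the vulnerabilities it fixes
    msrc_severity: Optional[str] = None  # MSRC severity, set only for Microsoft updates


@dataclass
class Rule:
    update_set: str = "all_except_declined"     # key of ALLOWED_APPROVALS
    min_kaspersky_severity: Optional[str] = None
    min_msrc_severity: Optional[str] = None     # offered only by a Rule for Windows Update
    applications: Optional[Set[str]] = None     # Applications page; None means all applications
    only_from_list: Optional[Set[str]] = None   # "Install only updates from the list"
    install_prerequisite_versions: bool = True  # "Automatically install all previous application updates ..."


def _meets(threshold: Optional[str], value: Optional[str], scale: Dict[str, int]) -> bool:
    if threshold is None:   # severity filter disabled: everything passes
        return True
    if value is None:       # assumption: unknown severity does not pass an enabled filter
        return False
    return scale[value] >= scale[threshold]


def matches(rule: Rule, upd: Update) -> bool:
    """True when the update passes every criterion of the rule."""
    if rule.applications is not None and upd.application not in rule.applications:
        return False
    if rule.only_from_list is not None and upd.update_id not in rule.only_from_list:
        return False
    return (upd.approval in ALLOWED_APPROVALS[rule.update_set]
            and _meets(rule.min_kaspersky_severity, upd.kaspersky_severity, KASPERSKY_SEVERITY)
            and _meets(rule.min_msrc_severity, upd.msrc_severity, MSRC_SEVERITY))


def _chain(target: Update, available: List[Update], installed: Dict[str, str],
           rule: Rule) -> Optional[List[Update]]:
    """Ordered updates needed to reach target; None when the chain cannot be satisfied."""
    by_app_version = {(u.application, u.version): u for u in available}
    chain, cur, seen = [], target, set()
    while True:
        chain.append(cur)
        if cur.requires_version in (None, installed.get(cur.application)):
            return list(reversed(chain))
        if not rule.install_prerequisite_versions:
            return None  # interim versions are not allowed: this update fails
        prev = by_app_version.get((cur.application, cur.requires_version))
        if prev is None or prev.update_id in seen:
            return None  # missing interim update or a dependency cycle
        seen.add(prev.update_id)
        cur = prev


def plan_install(rule: Rule, available: List[Update],
                 installed: Dict[str, str]) -> Dict[str, List[str]]:
    """Resolve a rule into an ordered install list plus the updates that cannot be applied."""
    order, failed, queued = [], [], set()
    for upd in (u for u in available if matches(rule, u)):
        chain = _chain(upd, available, installed, rule)
        if chain is None:
            failed.append(upd.update_id)
            continue
        for step in chain:
            if step.update_id not in queued:
                queued.add(step.update_id)
                order.append(step.update_id)
    return {"install": order, "failed": failed}


# Constructed catalog: the version 3 -> 4 -> 5 chain from the text, a second third-party
# application, and two Microsoft updates carrying MSRC severities.
CATALOG = [
    Update("upd-editor-4", "Editor", "4", "3", "Approved", "Medium"),
    Update("upd-editor-5", "Editor", "5", "4", "Approved", "High"),
    Update("upd-viewer-2.1", "Viewer", "2.1", None, "Undefined", "Critical"),
    Update("upd-viewer-2.2", "Viewer", "2.2", "2.1", "Declined", "Medium"),
    Update("upd-win-A", "Windows", "2023-01", None, "Approved", "Critical", "Critical"),
    Update("upd-win-B", "Windows", "2023-02", None, "Approved", "Medium", "Low"),
]
INSTALLED = {"Editor": "3", "Viewer": "2.0"}  # constructed inventory of one managed device


def demo() -> Dict[str, Dict[str, List[str]]]:
    """One rule per rule type, plus the prerequisite-versions failure case from the text."""
    return {
        "all_updates_high_with_prereqs": plan_install(
            Rule(min_kaspersky_severity="High"), CATALOG, INSTALLED),
        "all_updates_high_no_prereqs": plan_install(
            Rule(min_kaspersky_severity="High", install_prerequisite_versions=False), CATALOG, INSTALLED),
        "windows_update_msrc_high": plan_install(
            Rule(update_set="approved_only", min_msrc_severity="High", applications={"Windows"}), CATALOG, INSTALLED),
        "third_party_from_list": plan_install(
            Rule(update_set="approved_only", only_from_list={"upd-editor-5"}, applications={"Editor"}), CATALOG, INSTALLED),
    }
```

The second scenario reproduces the failure the text describes: with interim versions disallowed, the Editor update to version 5 is reported as failed because version 4 would have to be installed first, while the unrelated Viewer and Windows updates still go ahead. Note that the Kaspersky severity filter ignores the MSRC value and vice versa, so a Rule for Windows Update with only the MSRC threshold set still lets through updates the Kaspersky scale would rate lower.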

Creating the Install Windows Update updates task


The Install Windows Update updates task allows you to install software updates provided by the Windows Update
service on managed devices.

If you do not have the Vulnerability and Patch Management license, you cannot create new tasks of the Install
Windows Update updates type. To install new updates, you can add them to an existing Install Windows Update
updates task. We recommend that you use the Install required updates and fix vulnerabilities task instead of the
Install Windows Update updates task. The Install required updates and fix vulnerabilities task enables you to install
multiple updates and fix multiple vulnerabilities automatically, according to the rules that you define. In addition, this
task enables you to install updates from software vendors other than Microsoft.

User interaction may be required when you update a third-party application or fix a vulnerability in a
third-party application on a managed device. For example, the user may be prompted to close the third-party
application if it's currently open.

To create the Install Windows Update updates task:

1. In the main menu, go to DEVICES → TASKS.

2. Click Add.
The Add Task Wizard starts. Proceed through the Wizard by using the Next button.

3. For the Kaspersky Security Center application, select the Install Windows Update updates task type.

4. Specify the name for the task that you are creating.
A task name cannot be more than 100 characters long and cannot include any special characters ("*<>?\:|).

5. Select devices to which the task will be assigned.

6. Click the Add button.


The list of updates opens.

7. Select the Windows Update updates that you want to install, and then click OK.

8. Specify the operating system restart settings:

Do not restart the device

Client devices are not restarted automatically after the operation. To complete the operation, you must
restart a device (for example, manually or through a device management task). Information about the
required restart is saved in the task results and in the device status. This option is suitable for tasks on
servers and other devices where continuous operation is critical.

Restart the device

Client devices are always restarted automatically if a restart is required for completion of the
operation. This option is useful for tasks on devices that provide for regular pauses in their operation
(shutdown or restart).

Prompt user for action

The restart reminder is displayed on the screen of the client device, prompting the user to restart it
manually. Some advanced settings can be defined for this option: text of the message for the user, the
message display frequency, and the time interval after which a restart will be forced (without the user's
confirmation). This option is most suitable for workstations where users must be able to select the
most convenient time for a restart.
By default, this option is selected.

Repeat prompt every (min)

If this option is enabled, the application prompts the user to restart the operating system with the
specified frequency.
By default, this option is enabled. The default interval is 5 minutes. Available values are between 1 and
1440 minutes.
If this option is disabled, the prompt is displayed only once.

Restart after (min)

After prompting the user, the application forces restart of the operating system upon expiration of the
specified time interval.
By default, this option is enabled. The default delay is 30 minutes. Available values are between 1 and
1440 minutes.

Force closure of applications in blocked sessions

Running applications may prevent a restart of the client device. For example, if a document is being
edited in a word processing application and is not saved, the application does not allow the device to
restart.
If this option is enabled, such applications on a locked device are forced to close before the device
restart. As a result, users may lose their unsaved changes.
If this option is disabled, a locked device is not restarted. The task status on this device states that a
device restart is required. Users have to manually close all applications running on locked devices and
restart these devices.
By default, this option is disabled.

9. Specify the account settings:

Default account

The task will be run under the same account as the application that performs this task.
By default, this option is selected.

Specify account

Fill in the Account and Password fields to specify the details of an account under which the task is run.
The account must have sufficient rights for this task.

Account

Account under which the task is run.

Password

Password of the account under which the task will be run.

10. If you want to modify the default task settings, enable the Open task details when creation is complete
option on the Finish task creation page. If you do not enable this option, the task is created with the default
settings. You can modify the default settings later, at any time.

11. Click the Finish button.


The task is created and displayed in the list of tasks.

12. Click the name of the created task to open the task properties window.

13. In the task properties window, specify the general task settings according to your needs.

14. Click the Save button.

The task is created and configured.

Viewing information about available third-party software updates


You can view the list of available updates for third-party software, including Microsoft software, installed on client
devices.

To view a list of available updates for third-party applications installed on client devices:

1. Select OPERATIONS → PATCH MANAGEMENT.

2. Select SOFTWARE UPDATES in the drop-down list.

A list of available updates appears.

You can specify a filter to view the list of software updates. Click the Filter icon in the upper right corner of
the software updates list to manage the filter. You can also select one of the preset filters from the Preset filters
drop-down list above the software vulnerabilities list.

To view the properties of an update:

1. Click the name of the required software update.

2. The properties window of the update opens, displaying information grouped on the following tabs:

General

This tab displays general details of the selected update:

Update approval status (can be changed manually by selecting a new status in the drop-down list)

Windows Server Update Services (WSUS) category to which the update belongs

Date and time the update was registered

Date and time the update was created

Importance level of the update

Installation requirements imposed by the update

Application family to which the update belongs

Application to which the update applies

Number of the update revision

Attributes

This tab displays a set of attributes that you can use to obtain more information about the selected
update. This set differs depending on whether the update is published by Microsoft or by a third-party
vendor.

The tab displays the following information for a Microsoft update:

Importance level of the update according to the Microsoft Security Response Center (MSRC)

Link to the article in the Microsoft Knowledge Base describing the update

Link to the article in the Microsoft Security Bulletin describing the update

Update identifier (ID)

The tab displays the following information for a third-party update:

Whether the update is a patch or a full distribution package

Localization language of the update

Whether the update is installed automatically or manually

Whether the update was revoked after being applied

Link for downloading the update

Devices

This tab displays a list of devices on which the selected update has been installed.

Fixed vulnerabilities

This tab displays a list of vulnerabilities that the selected update can fix.

Crossover of updates

This tab displays possible crossovers between various updates published for the same application, that
is, whether the selected update can supersede other updates or, vice versa, be superseded by other
updates (available for Microsoft updates only).

Tasks to install this update

This tab displays a list of tasks whose scope includes installation of the selected update. The tab also
enables you to create a new remote installation task for the update.

To view the statistics of an update installation:

1. Select the check box next to the required software update.

2. Click the Statistics of update installation statuses button.

The diagram of the update installation statuses is displayed. Clicking a status opens a list of devices on which
the update has the selected status.

You can view information about available software updates for third-party software, including Microsoft software,
installed on the selected managed device running Windows.

To view a list of available updates for third-party software installed on the selected managed device:

1. Select DEVICES → MANAGED DEVICES.


The list of managed devices is displayed.

2. In the list of managed devices, click the link with the name of the device for which you want to view third-party
software updates.
The properties window of the selected device is displayed.

3. In the properties window of the selected device, select the Advanced tab.

4. In the left pane, select the Available updates section. If you want to view only installed updates, enable the
Show installed updates option.

The list of available third-party software updates for the selected device is displayed.

Exporting the list of available software updates to a file


You can export the list of updates for third-party software, including Microsoft software, that is displayed at the
moment to CSV or TXT files. You can use these files, for example, to send them to your information security
manager or to store them for statistical purposes.

To export to a text file the list of available updates for third-party software installed on all managed devices:

1. On the OPERATIONS tab, in the PATCH MANAGEMENT drop-down list, select SOFTWARE UPDATES.
The page displays a list of available updates for third-party software installed on all managed devices.

2. Click the Export rows to TXT file or Export rows to CSV file button, depending on the format you prefer for
export.

The file containing the list of available updates for third-party software, including Microsoft software, is
downloaded to the device that you use at the moment.

To export to a text file the list of available updates for third-party software installed on the selected managed
device:

1. Open the list of available third-party software updates on the selected managed device.

2. Select the software updates you want to export.

Skip this step if you want to export a complete list of software updates.
If you export a complete list of software updates, only the updates displayed on the current page are
exported.
If you want to export only installed updates, select the Show installed updates check box.

3. Click the Export rows to TXT file or Export rows to CSV file button, depending on the format you prefer for
export.

The file containing the list of updates for third-party software, including Microsoft software, installed on the
selected managed device is downloaded to the device you are using at the moment.

Approving and declining third-party software updates


When you configure the Install required updates and fix vulnerabilities task, you can create a rule that requires a
specific status of updates that are to be installed. For example, an update rule can allow installation of the
following:

Only approved updates

Only approved and undefined updates

All updates irrespective of the update statuses

You can approve updates that must be installed and decline updates that must not be installed.

Using the Approved status to manage update installation is efficient for a small number of updates. To
install many updates, use the rules that you can configure in the Install required updates and fix vulnerabilities
task. We recommend that you set the Approved status only for those specific updates that do not meet the
criteria specified in the rules. When you manually approve a large number of updates, the performance of
Administration Server decreases, which may lead to Administration Server overload.

To approve or decline one or several updates:

1. In the main menu, go to OPERATIONS → PATCH MANAGEMENT, and in the drop-down list select SOFTWARE
UPDATES.
A list of available updates appears.

2. Select the updates that you want to approve or decline.

3. Click Approve to approve the selected updates or Decline to decline the selected updates.
The default value is Undefined.

The selected updates have the statuses that you defined.

As an option, you can change the approval status in the properties of a specific update.

To approve or decline an update in its properties:

1. In the main menu, go to OPERATIONS → PATCH MANAGEMENT, and then select SOFTWARE UPDATES in
the drop-down list.
A list of available updates appears.

2. Click the name of the update that you want to approve or decline.
The update properties window opens.

3. In the General section, select a status for the update by changing the Update approval status option. You can
select the Approved, Declined, or Undefined status.

4. Click the Save button to save the changes.

The selected update has the status that you defined.

If you set the Declined status for third-party software updates, these updates will not be installed on devices for
which they were planned but on which they have not yet been installed. Updates remain on devices on which they
were already installed. If you have to delete them, you can delete them manually on the device.

Creating the Perform Windows Update synchronization task

The Perform Windows Update synchronization task is only available under the Vulnerability and Patch
Management license.

The Perform Windows Update synchronization task is required if you want to use the Administration Server as a
WSUS server. In this case, the Administration Server downloads Windows updates to the database, and provides
the updates to Windows Update on client devices, in the centralized mode through Network Agents. If the network
does not use a WSUS server, each client device downloads Microsoft updates from external servers
independently.

The Perform Windows Update synchronization task only downloads metadata from Microsoft servers. Kaspersky
Security Center downloads the updates when you run an update installation task and only those updates that you
select for installation.

When running the Perform Windows Update synchronization task, the application receives a list of current
updates from a Microsoft update server. Next, Kaspersky Security Center compiles a list of updates that have
become outdated. At the next start of the Find vulnerabilities and required updates task, Kaspersky Security
Center flags all outdated updates and sets the deletion time for them. At the next start of the Perform Windows
Update synchronization task, all updates flagged for deletion 30 days ago are deleted. Kaspersky Security Center
also checks for outdated updates that were flagged for deletion more than 180 days ago, and then deletes those
older updates.

When the Perform Windows Update synchronization task completes and outdated updates are deleted, the
database may still have the hash codes pertaining to the files of deleted updates, as well as corresponding files in
the %AllUsersProfile%\Application Data\KasperskyLab\adminkit\1093\.working\wusfiles folder (if they were
downloaded earlier). You can run the Administration Server maintenance task to delete these outdated records
from the database and the corresponding files.

To create the Perform Windows Update synchronization task:

1. In the main menu, go to DEVICES → TASKS.

2. Click Add.
The Add Task Wizard starts. Follow the steps of the Wizard.

3. For the Kaspersky Security Center application, select the Perform Windows Update synchronization task
type.

4. Specify the name for the task that you are creating. A task name cannot be more than 100 characters long and
cannot include any special characters ("*<>?\:|).

5. Enable the Download express installation files option if you want the express update files to be downloaded
when running the task.
When Kaspersky Security Center synchronizes updates with Microsoft Windows Update Servers, information
about all files is saved in the Administration Server database. All files required for an update are also
downloaded to the drive during interaction with the Windows Update Agent. In particular, Kaspersky Security
Center saves information about express update files to the database and downloads them when necessary.
Downloading express update files leads to decreased free space on the drive.
To avoid a decrease in disk space volume and to reduce traffic, disable the Download express installation files
option.

6. Select the applications for which you want to download updates.


If the All applications check box is selected, updates will be downloaded for all existing applications, and for all
applications that may be released in the future.

7. Select the categories of updates that you want to download to the Administration Server.
If the All categories check box is selected, updates will be downloaded for all existing updates categories, and
for all categories that may appear in the future.

8. Select the localization languages for the updates that you want to download to the Administration Server.
Select one of the following options:

Download all languages, including new ones

If this option is selected, all the available localization languages of updates will be downloaded to
Administration Server. By default, this option is selected.

Download selected languages

If this option is selected, you can select from the list localization languages of updates that should be
downloaded to Administration Server.

9. Specify which account to use when running the task. Select one of the following options:

Default account

The task will be run under the same account as the application that performs this task.
By default, this option is selected.

Specify account

Fill in the Account and Password fields to specify the details of an account under which the task is run.
The account must have sufficient rights for this task.

10. If you want to modify the default task settings, enable the Open task details when creation is complete
option on the Finish task creation page. If you do not enable this option, the task is created with the default
settings. You can modify the default settings later, at any time.

11. Click the Finish button.


The task is created and displayed in the list of tasks.

12. Click the name of the created task to open the task properties window.

13. In the task properties window, specify the general task settings according to your needs.

14. Click the Save button.

The task is created and configured.

Updating third-party applications automatically


Some third-party applications can be updated automatically. The application vendor defines whether or not the
application supports the auto-update feature. If a third-party application installed on a managed device supports
auto-update, you can specify the auto-update setting in the application properties. After you change the auto-
update setting, Network Agents apply the new setting on each managed device on which the application is
installed.

The auto-update setting is independent of the other objects and settings of the Vulnerability and Patch
Management feature. For example, this setting does not depend on an update approval status or the update
installation tasks, such as Install required updates and fix vulnerabilities, Install Windows Update updates, and Fix
vulnerabilities.

To configure the auto-update setting for a third-party application:

1. In the main menu, go to OPERATIONS → THIRD-PARTY APPLICATIONS → APPLICATIONS REGISTRY.

2. Click the name of the application for which you want to change the auto-update setting.
To simplify the search, you can filter the list by the Automatic Updates status column.
The application properties window opens.

3. In the General section, select a value for the following setting:


Automatic Updates status

Select one of the following options:

Undefined
The auto-update feature is disabled. Kaspersky Security Center installs third-party application updates
by using the tasks: Install required updates and fix vulnerabilities, Install Windows Update updates, and
Fix vulnerabilities.

Allowed
After the vendor releases an update for the application, this update is installed on the managed devices
automatically. No additional actions are required.

Blocked
The application updates are not installed automatically. Kaspersky Security Center installs third-party
application updates by using the tasks: Install required updates and fix vulnerabilities, Install Windows
Update updates, and Fix vulnerabilities.

4. Click the Save button to save the changes.

The auto-update setting is applied to the selected application.

Fixing third-party software vulnerabilities


This section describes the features of Kaspersky Security Center that relate to fixing vulnerabilities in the
software installed on managed devices.

Scenario: Finding and fixing third-party software vulnerabilities


This section provides a scenario for finding and fixing vulnerabilities on the managed devices running Windows. You
can find and fix software vulnerabilities in the operating system and in third-party software, including Microsoft
software.

Prerequisites

Kaspersky Security Center is deployed in your organization.

There are managed devices running Windows in your organization.

Internet connection is required for Administration Server to perform the following tasks:

To make a list of recommended fixes for vulnerabilities in Microsoft software. The list is created and regularly
updated by Kaspersky specialists.

To fix vulnerabilities in third-party software other than Microsoft software.

Stages

Finding and fixing software vulnerabilities proceeds in stages:

1 Scanning for vulnerabilities in the software installed on the managed devices

To find vulnerabilities in the software installed on the managed devices, run the Find vulnerabilities and required
updates task. When this task is complete, Kaspersky Security Center receives the lists of detected
vulnerabilities and required updates for the third-party software installed on the devices that you specified in
the task properties.

The Find vulnerabilities and required updates task is created automatically by Kaspersky Security Center Quick
Start Wizard. If you did not run the Wizard, start it now or create the task manually.

How-to instructions:

Administration Console: Scanning applications for vulnerabilities, Scheduling the Find vulnerabilities and
required updates task

Kaspersky Security Center Web Console: Creating the Find vulnerabilities and required updates task, Find
vulnerabilities and required updates task settings

2 Analyzing the list of detected software vulnerabilities

View the Software vulnerabilities list and decide which vulnerabilities are to be fixed. To view detailed
information about each vulnerability, click the vulnerability name in the list. For each vulnerability in the list, you
can also view the statistics on the vulnerability on managed devices.

How-to instructions:

Administration Console: Viewing information about software vulnerabilities, Viewing statistics of
vulnerabilities on managed devices

Kaspersky Security Center Web Console: Viewing information about software vulnerabilities, Viewing
statistics of vulnerabilities on managed devices

3 Configuring vulnerabilities fix

When the software vulnerabilities are detected, you can fix the software vulnerabilities on the managed devices
by using the Install required updates and fix vulnerabilities task or the Fix vulnerabilities task.

The Install required updates and fix vulnerabilities task is used to update and fix vulnerabilities in third-party
software, including Microsoft software, installed on the managed devices. This task allows you to install multiple
updates and fix multiple vulnerabilities according to certain rules. Note that this task can be created only if you
have the license for the Vulnerability and Patch Management feature. To fix software vulnerabilities, the Install
required updates and fix vulnerabilities task uses recommended software updates.
The Fix vulnerabilities task does not require the license option for the Vulnerability and Patch Management
feature. To use this task, you must manually specify user fixes for vulnerabilities in third-party software listed in
the task settings. The Fix vulnerabilities task uses recommended fixes for Microsoft software and user fixes for
third-party software.

You can start Vulnerabilities Fix Wizard that creates one of these tasks automatically, or you can create one of
these tasks manually.

How-to instructions:

Administration Console: Selecting user fixes for vulnerabilities in third-party software, Fixing vulnerabilities in
applications

Kaspersky Security Center Web Console: Selecting user fixes for vulnerabilities in third-party software, Fixing
vulnerabilities in third-party software, Creating the Install required updates and fix vulnerabilities task

4 Scheduling the tasks

To be sure that the vulnerabilities list is always up-to-date, schedule the Find vulnerabilities and required updates
task to run automatically at regular intervals. The recommended average frequency is once a week.

If you have created the Install required updates and fix vulnerabilities task, you can schedule it to run with the
same frequency as the Find vulnerabilities and required updates task or less often. When scheduling the Fix
vulnerabilities task, note that you have to select fixes for Microsoft software or specify user fixes for third-party
software every time before starting the task.

When scheduling the tasks, make sure that a task to fix vulnerabilities starts after the Find vulnerabilities and
required updates task is complete.

5 Ignoring software vulnerabilities (optional)

If you want, you can ignore software vulnerabilities to be fixed on all managed devices or only on the selected
managed devices.

How-to instructions:

Administration Console: Ignoring software vulnerabilities

Kaspersky Security Center Web Console: Ignoring software vulnerabilities

6 Running a vulnerability fix task

Start the Install required updates and fix vulnerabilities task or the Fix vulnerabilities task. When the task is
complete, make sure that it has the Completed successfully status in the task list.

7 Creating the report on results of fixing software vulnerabilities (optional)

To view detailed statistics on the vulnerabilities fix, generate the Report on vulnerabilities. The report displays
information about software vulnerabilities that are not fixed. This gives you an overview of the state of finding and
fixing vulnerabilities in third-party software, including Microsoft software, in your organization.

How-to instructions:

Administration Console: Creating and viewing a report

Kaspersky Security Center Web Console: Generating and viewing a report

8 Checking configuration of finding and fixing vulnerabilities in third-party software

Be sure that you have done the following:

Obtained and reviewed the list of software vulnerabilities on managed devices

Ignored software vulnerabilities if you wanted

Configured the task to fix vulnerabilities

Scheduled the tasks to find and to fix software vulnerabilities so that they start sequentially

Checked that the task to fix software vulnerabilities was run

Results

If you have created and configured the Install required updates and fix vulnerabilities task, the vulnerabilities are
fixed on the managed devices automatically. When the task is run, it correlates the list of available software
updates to the rules specified in the task settings. All software updates that meet the criteria in the rules will be
downloaded to the Administration Server repository and will be installed to fix software vulnerabilities.

If you have created the Fix vulnerabilities task, only software vulnerabilities in Microsoft software are fixed.

About finding and fixing software vulnerabilities


Kaspersky Security Center detects and fixes software vulnerabilities on managed devices running operating
systems of the Microsoft Windows family. Vulnerabilities are detected in the operating system and in third-party
software, including Microsoft software.

Finding software vulnerabilities

To find software vulnerabilities, Kaspersky Security Center uses characteristics from the database of known
vulnerabilities. This database is created by Kaspersky specialists. It contains information about vulnerabilities, such
as the vulnerability description, detection date, and severity level. You can find the details of
software vulnerabilities on the Kaspersky website.

Kaspersky Security Center uses the Find vulnerabilities and required updates task to find software vulnerabilities.

Fixing software vulnerabilities

To fix software vulnerabilities, Kaspersky Security Center uses software updates issued by the software vendors.
The software updates metadata is downloaded to the Administration Server repository when the following
tasks run:

Download updates to the Administration Server repository. This task is intended to download updates
metadata for Kaspersky and third-party software. This task is created automatically by the Kaspersky Security
Center Quick Start Wizard. You can create the Download updates to the Administration Server repository task
manually.

Perform Windows Update synchronization. This task is intended to download updates metadata for Microsoft
software.

Software updates to fix vulnerabilities can be represented as full distribution packages or patches. Software
updates that fix software vulnerabilities are named fixes. Recommended fixes are those that are recommended for
installation by Kaspersky specialists. User fixes are those that are manually specified for installation by users. To
install a user fix, you have to create an installation package containing this fix.

If you have the Kaspersky Security Center license with the Vulnerability and Patch Management feature, to fix
software vulnerabilities you can use the Install required updates and fix vulnerabilities task. This task automatically
fixes multiple vulnerabilities by installing recommended fixes. For this task, you can manually configure certain rules
to fix multiple vulnerabilities.

If you do not have the Kaspersky Security Center license with the Vulnerability and Patch Management feature, to
fix software vulnerabilities, you can use the Fix vulnerabilities task. By means of this task, you can fix vulnerabilities
by installing recommended fixes for Microsoft software and user fixes for other third-party software.

For security reasons, any third-party software updates that you install by using the Vulnerability and Patch
Management feature are automatically scanned for malware by Kaspersky technologies. These technologies are
used for automatic file check and include anti-virus scan, static analysis, dynamic analysis, behavior analysis in the
sandbox environment, and machine learning.

Kaspersky experts do not perform manual analysis of third-party software updates that can be installed by using
the Vulnerability and Patch Management feature. In addition, Kaspersky experts do not search for vulnerabilities
(known or unknown) or undocumented features in such updates, and do not perform any types of analysis
of the updates other than those specified in the paragraph above.

A user interaction may be required when you update a third-party application or fix a vulnerability in a
third-party application on a managed device. For example, the user may be prompted to close the third-party
application if it's currently open.

To fix some software vulnerabilities, you must accept the End User License Agreement (EULA) for installing the
software if EULA acceptance is requested. If you decline the EULA, the software vulnerability is not fixed.

Fixing third-party software vulnerabilities


After you obtain the software vulnerabilities list, you can fix software vulnerabilities on managed devices that are
running Windows. You can fix software vulnerabilities in the operating system and in third-party software, including
Microsoft software, by creating and running the Fix vulnerabilities task or the Install required updates and fix
vulnerabilities task.

A user interaction may be required when you update a third-party application or fix a vulnerability in a
third-party application on a managed device. For example, the user may be prompted to close the third-party
application if it's currently open.

As an option, you can create a task to fix software vulnerabilities in the following ways:

By opening the vulnerability list and specifying which vulnerabilities to fix.

As a result, a new task to fix software vulnerabilities is created. As an option, you can add the selected
vulnerabilities to an existing task.

By running the Vulnerability Fix Wizard.

The Vulnerability Fix Wizard is only available under the Vulnerability and Patch Management license.

The Wizard simplifies creation and configuration of a vulnerability fix task and allows you to eliminate the
creation of redundant tasks that contain the same updates to install.

Fixing software vulnerabilities by using the vulnerability list

To fix software vulnerabilities:

1. Open one of the lists of vulnerabilities:

To open the general vulnerability list, go to OPERATIONS → PATCH MANAGEMENT → Software
vulnerabilities.

To open the vulnerability list for a managed device, go to DEVICES → MANAGED DEVICES → <device
name> → Advanced → Software vulnerabilities.

To open the vulnerability list for a specific application, go to OPERATIONS → THIRD-PARTY
APPLICATIONS → APPLICATIONS REGISTRY → <application name> → Vulnerabilities.

A page with a list of vulnerabilities in the third-party software is displayed.

2. Select one or more vulnerabilities in the list, and then click the Fix vulnerability button.
If a recommended software update to fix one of the selected vulnerabilities is absent, an informative message
is displayed.
To fix some software vulnerabilities, you must accept the End User License Agreement (EULA) for installing the
software, if EULA acceptance is requested. If you decline the EULA, the software vulnerability is not fixed.

3. Select one of the following options:

New task
The Add Task Wizard starts. If you have the Vulnerability and Patch Management license, the Install required
updates and fix vulnerabilities task is preselected. If you do not have the license, the Fix vulnerabilities task is
preselected. Follow the steps of the Wizard to complete the task creation.

Fix vulnerability (add rule to specified task)

Select a task to which you want to add the selected vulnerabilities. If you have the Vulnerability and Patch
Management license, select the Install required updates and fix vulnerabilities task. A new rule to fix the
selected vulnerabilities will be automatically added to the selected task. If you do not have the license,
select the Fix vulnerabilities task. The selected vulnerabilities will be added to the task properties.
The task properties window opens. Click the Save button to save the changes.

If you have chosen to create a task, the task is created and displayed in the task list at DEVICES → TASKS. If
you have chosen to add the vulnerabilities to an existing task, the vulnerabilities are saved in the task properties.

To fix the third-party software vulnerabilities, start the Install required updates and fix vulnerabilities task or the Fix
vulnerabilities task. If you have created the Fix vulnerabilities task, you must manually specify the software updates
to fix the software vulnerabilities listed in the task settings.

Fixing software vulnerabilities by using the Vulnerability Fix Wizard

The Vulnerability Fix Wizard is only available under the Vulnerability and Patch Management license.

To fix software vulnerabilities by using the Vulnerability Fix Wizard:

1. On the OPERATIONS tab, in the PATCH MANAGEMENT drop-down list, select Software vulnerabilities.
A page with a list of vulnerabilities in the third-party software installed on managed devices is displayed.

2. Select the check box next to the vulnerability that you want to fix.

3. Click the Run Vulnerability Fix Wizard button.

The Vulnerability Fix Wizard starts. The Select the vulnerability fix task page displays the list of all existing
tasks of the following types:

Install required updates and fix vulnerabilities

Install Windows Update updates

Fix vulnerabilities

You cannot modify the last two types of tasks to install new updates. To install new updates, you can only use
the Install required updates and fix vulnerabilities task.

4. If you want the Wizard to display only those tasks that fix the vulnerability that you selected, then enable the
Show only tasks that fix this vulnerability option.

5. Choose what you want to do:

To start a task, select the check box next to the task name, and then click the Start button.

To add a new rule to an existing task:

a. Select the check box next to the task name, and then click the Add rule button.

b. On the page that opens, configure the new rule:

Rule for fixing vulnerabilities of this severity level

Sometimes software updates may impair the user experience with the software. In such cases,
you may decide to install only those updates that are critical for the software operation and to
skip other updates.
If this option is enabled, the updates fix only those vulnerabilities for which the severity level set
by Kaspersky is equal to or higher than the severity of the selected update (Medium, High, or
Critical). Vulnerabilities with a severity level lower than the selected value are not fixed.
If this option is disabled, the updates fix all vulnerabilities regardless of their severity level.
By default, this option is disabled.

Rule for fixing vulnerabilities by means of updates of the same type as the update defined as
recommended for the selected vulnerability (available only for Microsoft software vulnerabilities)

Rule for fixing vulnerabilities in applications from the selected vendor (available only for third-party
software vulnerabilities)

Rule for fixing a vulnerability in all versions of the selected application (available only for third-party
software vulnerabilities)

Rule for fixing the selected vulnerability

Approve updates that fix this vulnerability

The selected update will be approved for installation. Enable this option if some applied rules of
update installation allow installation of approved updates only.

By default, this option is disabled.

c. Click the Add button.

To create a task:

a. Click the New task button.

b. On the page that opens, configure the new rule:

Rule for fixing vulnerabilities of this severity level

Sometimes software updates may impair the user experience with the software. In such cases,
you may decide to install only those updates that are critical for the software operation and to
skip other updates.
If this option is enabled, the updates fix only those vulnerabilities for which the severity level set
by Kaspersky is equal to or higher than the severity of the selected update (Medium, High, or
Critical). Vulnerabilities with a severity level lower than the selected value are not fixed.
If this option is disabled, the updates fix all vulnerabilities regardless of their severity level.
By default, this option is disabled.

Rule for fixing vulnerabilities by means of updates of the same type as the update defined as
recommended for the selected vulnerability (available only for Microsoft software vulnerabilities)

Rule for fixing vulnerabilities in applications from the selected vendor (available only for third-party
software vulnerabilities)

Rule for fixing a vulnerability in all versions of the selected application (available only for third-party
software vulnerabilities)

Rule for fixing the selected vulnerability

Approve updates that fix this vulnerability

The selected update will be approved for installation. Enable this option if some applied rules of
update installation allow installation of approved updates only.

By default, this option is disabled.

c. Click the Add button.

If you have chosen to start a task, you can close the Wizard. The task will complete in background mode. No
further actions are required.

If you have chosen to add a rule to an existing task, the task properties window opens. The new rule is already
added to the task properties. You can view or modify the rule or other task settings. Click the Save button to
save the changes.

If you have chosen to create a task, you continue to create the task in the Add Task Wizard. The new rule that
you added in the Vulnerability Fix Wizard is displayed in the Add Task Wizard. When you complete the Wizard, the
Install required updates and fix vulnerabilities task is added to the task list.

Creating the Fix vulnerabilities task
The Fix vulnerabilities task allows you to fix software vulnerabilities on managed devices that are running Windows.
You can fix software vulnerabilities in third-party software, including Microsoft software.

If you do not have the Vulnerability and Patch Management license, you cannot create new tasks of the Fix
vulnerabilities type. To fix new vulnerabilities, you can add them to an existing Fix vulnerabilities task. We
recommend that you use the Install required updates and fix vulnerabilities task instead of the Fix vulnerabilities
task. The Install required updates and fix vulnerabilities task enables you to install multiple updates and fix multiple
vulnerabilities automatically, according to the rules that you define.

User interaction may be required when you update a third-party application or fix a vulnerability in a third-party
application on a managed device. For example, the user may be prompted to close the third-party
application if it's currently open.

To create the Fix vulnerabilities task:

1. In the main menu, go to DEVICES → TASKS.

2. Click Add.
The Add Task Wizard starts. Proceed through the Wizard by using the Next button.

3. For the Kaspersky Security Center application, select the Fix vulnerabilities task type.

4. Specify the name for the task that you are creating.
A task name cannot be more than 100 characters long and cannot include any special characters ("*<>?\:|).

5. Select devices to which the task will be assigned.

6. Click the Add button.


The list of vulnerabilities opens.

7. Select the vulnerabilities that you want to fix, and then click OK.
Microsoft software vulnerabilities usually have recommended fixes. No additional actions are required for them.
For vulnerabilities in software from other vendors, you first need to specify a user fix for each vulnerability that
you want to fix. After that, you will be able to add those vulnerabilities into the Fix vulnerabilities task.

8. Specify the operating system restart settings:

Do not restart the device

Client devices are not restarted automatically after the operation. To complete the operation, you must
restart a device (for example, manually or through a device management task). Information about the
required restart is saved in the task results and in the device status. This option is suitable for tasks on
servers and other devices where continuous operation is critical.

Restart the device

Client devices are always restarted automatically if a restart is required for completion of the
operation. This option is useful for tasks on devices that provide for regular pauses in their operation
(shutdown or restart).

Prompt user for action

The restart reminder is displayed on the screen of the client device, prompting the user to restart it
manually. Some advanced settings can be defined for this option: text of the message for the user, the
message display frequency, and the time interval after which a restart will be forced (without the user's
confirmation). This option is most suitable for workstations where users must be able to select the
most convenient time for a restart.
By default, this option is selected.

Repeat prompt every (min)

If this option is enabled, the application prompts the user to restart the operating system with the
specified frequency.
By default, this option is enabled. The default interval is 5 minutes. Available values are between 1 and
1440 minutes.
If this option is disabled, the prompt is displayed only once.

Restart after (min)

After prompting the user, the application forces restart of the operating system upon expiration of the
specified time interval.
By default, this option is enabled. The default delay is 30 minutes. Available values are between 1 and
1440 minutes.

Force closure of applications in blocked sessions

Running applications may prevent a restart of the client device. For example, if a document is being
edited in a word processing application and is not saved, the application does not allow the device to
restart.
If this option is enabled, such applications on a locked device are forced to close before the device
restart. As a result, users may lose their unsaved changes.
If this option is disabled, a locked device is not restarted. The task status on this device states that a
device restart is required. Users have to manually close all applications running on locked devices and
restart these devices.
By default, this option is disabled.

9. Specify the account settings:

Default account

The task will be run under the same account as the application that performs this task.
By default, this option is selected.

Specify account

Fill in the Account and Password fields to specify the details of an account under which the task is run.
The account must have sufficient rights for this task.

Account

Account under which the task is run.

Password

Password of the account under which the task will be run.

10. If you want to modify the default task settings, enable the Open task details when creation is complete
option on the Finish task creation page. If you do not enable this option, the task is created with the default
settings. You can modify the default settings later, at any time.

11. Click the Finish button.


The task is created and displayed in the list of tasks.

12. Click the name of the created task to open the task properties window.

13. In the task properties window, specify the general task settings according to your needs.

14. Click the Save button.

The task is created and configured.

Creating the Install required updates and fix vulnerabilities task

The Install required updates and fix vulnerabilities task is only available under the Vulnerability and Patch
Management license.

The Install required updates and fix vulnerabilities task is used to update and fix vulnerabilities in third-party
software, including Microsoft software, installed on the managed devices. This task allows you to install multiple
updates and fix multiple vulnerabilities according to certain rules.

To install updates or fix vulnerabilities by using the Install required updates and fix vulnerabilities task, you can do
one of the following:

Run the Update Installation Wizard or the Vulnerability Fix Wizard.

Create an Install required updates and fix vulnerabilities task.

Add a rule for update installation to an existing Install required updates and fix vulnerabilities task.

To create the Install required updates and fix vulnerabilities task:

1. In the main menu, go to DEVICES → TASKS.

2. Click Add.
The Add Task Wizard starts. Follow the steps of the Wizard.

3. For the Kaspersky Security Center application, select the Install required updates and fix vulnerabilities task
type.
If the task is not displayed, check whether your account has the Read, Modify, and Execute rights for the
System management: Vulnerability and patch management functional area. You cannot create and configure
the Install required updates and fix vulnerabilities task without these access rights.

4. Specify the name for the task that you are creating. A task name cannot be more than 100 characters long and
cannot include any special characters ("*<>?\:|).

5. Select devices to which the task will be assigned.

6. Specify the rules for update installation, and then specify the following settings:

Start installation at device restart or shutdown

If this option is enabled, updates are installed when the device is restarted or shut down. Otherwise,
updates are installed according to a schedule.
Use this option if installing the updates might affect the device performance.
By default, this option is disabled.

Install required general system components

If this option is enabled, before installing an update the application automatically installs all general
system components (prerequisites) that are required to install the update. For example, these
prerequisites can be operating system updates.
If this option is disabled, you may have to install the prerequisites manually.
By default, this option is disabled.

Allow installation of new application versions during updates

If this option is enabled, updates are allowed when they result in installation of a new version of a
software application.
If this option is disabled, the software is not upgraded. You can then install new versions of the software
manually or through another task. For example, you may use this option if your company infrastructure
is not supported by a new software version or if you want to check an upgrade in a test infrastructure.
By default, this option is enabled.

Upgrading an application may cause malfunction of dependent applications installed on client
devices.

Download updates to the device without installing them

If this option is enabled, the application downloads updates to the device but does not install them
automatically. You can then install downloaded updates manually.
Microsoft updates are downloaded to the system Windows storage. Updates of third-party
applications (applications made by software vendors other than Kaspersky and Microsoft) are
downloaded to the folder specified in the Folder for downloading updates field.
If this option is disabled, the updates are installed to the device automatically.
By default, this option is disabled.

Folder for downloading updates

This folder is used to download updates of third-party applications (applications made by software
vendors other than Kaspersky and Microsoft).

Enable advanced diagnostics

If this feature is enabled, Network Agent writes traces even if tracing is disabled for Network Agent in
Kaspersky Security Center Remote Diagnostics Utility. Traces are written to two files in turn; the total
size of both files is determined by the Maximum size, in MB, of advanced diagnostics files value. When
both files are full, Network Agent starts writing to them again. The files with traces are stored in the
%WINDIR%\Temp folder. These files are accessible in the remote diagnostics utility, where you can download
or delete them.
If this feature is disabled, Network Agent writes traces according to the settings in Kaspersky Security
Center Remote Diagnostics Utility. No additional traces are written.
When creating a task, you do not have to enable advanced diagnostics. You may want to use this
feature later if, for example, a task run fails on some of the devices and you want to get additional
information during another task run.
By default, this option is disabled.

Maximum size, in MB, of advanced diagnostics files

The default value is 100 MB, and available values are between 1 MB and 2048 MB. You may be asked to
change the default value by Kaspersky Technical Support specialists when information in the advanced
diagnostics files sent by you is not enough to troubleshoot the problem.

7. Specify the operating system restart settings:

Do not restart the device

Client devices are not restarted automatically after the operation. To complete the operation, you must
restart a device (for example, manually or through a device management task). Information about the
required restart is saved in the task results and in the device status. This option is suitable for tasks on
servers and other devices where continuous operation is critical.

Restart the device

Client devices are always restarted automatically if a restart is required for completion of the
operation. This option is useful for tasks on devices that provide for regular pauses in their operation
(shutdown or restart).

Prompt user for action

The restart reminder is displayed on the screen of the client device, prompting the user to restart it
manually. Some advanced settings can be defined for this option: text of the message for the user, the
message display frequency, and the time interval after which a restart will be forced (without the user's
confirmation). This option is most suitable for workstations where users must be able to select the
most convenient time for a restart.
By default, this option is selected.

Repeat prompt every (min)

If this option is enabled, the application prompts the user to restart the operating system with the
specified frequency.
By default, this option is enabled. The default interval is 5 minutes. Available values are between 1 and
1440 minutes.
If this option is disabled, the prompt is displayed only once.

Restart after (min)

After prompting the user, the application forces restart of the operating system upon expiration of the
specified time interval.
By default, this option is enabled. The default delay is 30 minutes. Available values are between 1 and
1440 minutes.

Wait time before forced closure of applications in blocked sessions (min)

Applications are forced to close when the user's device is locked (automatically after a specified
interval of inactivity, or manually).
If this option is enabled, applications are forced to close on the locked device upon expiration of the
time interval specified in the entry field.
If this option is disabled, applications do not close on the locked device.
By default, this option is disabled.

8. If you want to modify the default task settings, enable the Open task details when creation is complete
option on the Finish task creation page. If you do not enable this option, the task is created with the default
settings. You can modify the default settings later, at any time.

9. Click the Finish button.


The task is created and displayed in the list of tasks.

10. Click the name of the created task to open the task properties window.

11. In the task properties window, specify the general task settings according to your needs.

12. Click the Save button.


The task is created and configured.

If the task results contain a warning of the 0x80240033 "Windows Update Agent error 80240033 ("License
terms could not be downloaded.")" error, you can resolve this issue through the Windows Registry.

Adding rules for update installation

This feature is only available under the Vulnerability and Patch Management license.

When installing software updates or fixing software vulnerabilities by using the Install required updates and fix
vulnerabilities task, you must specify rules for the update installation. These rules determine the updates to install
and the vulnerabilities to fix.

The exact settings depend on whether you add a rule for all updates, for Windows Update updates, or for updates
of third-party applications (applications made by software vendors other than Kaspersky and Microsoft). When
adding a rule for Windows Update updates or updates of third-party applications, you can select specific
applications and application versions for which you want to install updates. When adding a rule for all updates, you
can select specific updates that you want to install and vulnerabilities that you want to fix by means of installing
updates.

You can add a rule for update installation in the following ways:

By adding a rule while creating a new Install required updates and fix vulnerabilities task.

By adding a rule on the Application Settings tab in the properties window of an existing Install required
updates and fix vulnerabilities task.

Through the Update Installation Wizard or the Vulnerability Fix Wizard.

To add a new rule for all updates:

1. Click the Add button.


The Rule Creation Wizard starts. Proceed through the Wizard by using the Next button.

2. On the Rule type page, select Rule for all updates.

3. On the General criteria page, use the drop-down lists to specify the following settings:

Set of updates to install

Select the updates that must be installed on client devices:


Install approved updates only. This installs only approved updates.

Install all updates (except declined). This installs updates with the Approved or Undefined
approval status.

Install all updates (including declined). This installs all updates, regardless of their approval
status. Select this option with caution. For example, use this option if you want to check
installation of some declined updates in a test infrastructure.

Fix vulnerabilities with a severity level equal to or higher than

Sometimes software updates may impair the user experience with the software. In such cases, you may
decide to install only those updates that are critical for the software operation and to skip other
updates.
If this option is enabled, the updates fix only those vulnerabilities for which the severity level set by
Kaspersky is equal to or higher than the value selected in the list (Medium, High, or Critical).
Vulnerabilities with a severity level lower than the selected value are not fixed.
If this option is disabled, the updates fix all vulnerabilities regardless of their severity level.
By default, this option is disabled.

4. On the Updates page, select the updates to be installed:

Install all suitable updates

Install all software updates that meet the criteria specified on the General criteria page of the Wizard.
Selected by default.

Install only updates from the list

Install only software updates that you select manually from the list. This list contains all available
software updates.
For example, you may want to select specific updates in the following cases: to check their installation
in a test environment, to update only critical applications, or to update only specific applications.

Automatically install all previous application updates that are required to install the selected updates

Keep this option enabled if you agree with the installation of interim application versions when this is
required for installing the selected updates.
If this option is disabled, only the selected versions of applications are installed. Disable this option if
you want to update applications in a straightforward manner, without attempting to install
successive versions incrementally. If installing the selected updates is not possible without installing
previous versions of applications, the updating of the application fails.
For example, you have version 3 of an application installed on a device and you want to update it to
version 5, but version 5 of this application can be installed only over version 4. If this option is
enabled, the software first installs version 4, and then installs version 5. If this option is disabled, the
software fails to update the application.
By default, this option is enabled.

5. On the Vulnerabilities page, select vulnerabilities that will be fixed by installing the selected updates:

Fix all vulnerabilities that match other criteria

Fix all vulnerabilities that meet the criteria specified on the General criteria page of the Wizard.
Selected by default.

Fix only vulnerabilities from the list

Fix only vulnerabilities that you select manually from the list. This list contains all detected
vulnerabilities.
For example, you may want to select specific vulnerabilities in the following cases: to check their fix in a
test environment, to fix vulnerabilities only in critical applications, or to fix vulnerabilities only in specific
applications.

6. On the Name page, specify the name for the rule that you are adding. You can later change this name in the
Settings section of the properties window of the created task.

After the Rule Creation Wizard completes its operation, the new rule is added and displayed in the rule list in the
Add Task Wizard or in the task properties.

To add a new rule for Windows Update updates:

1. Click the Add button.


The Rule Creation Wizard starts. Proceed through the Wizard by using the Next button.

2. On the Rule type page, select Rule for Windows Update.

3. On the General criteria page, specify the following settings:

Set of updates to install

Select the updates that must be installed on client devices:


Install approved updates only. This installs only approved updates.

Install all updates (except declined). This installs updates with the Approved or Undefined
approval status.

Install all updates (including declined). This installs all updates, regardless of their approval
status. Select this option with caution. For example, use this option if you want to check
installation of some declined updates in a test infrastructure.

Fix vulnerabilities with a severity level equal to or higher than

Sometimes software updates may impair the user experience with the software. In such cases, you may
decide to install only those updates that are critical for the software operation and to skip other
updates.
If this option is enabled, the updates fix only those vulnerabilities for which the severity level set by
Kaspersky is equal to or higher than the value selected in the list (Medium, High, or Critical).
Vulnerabilities with a severity level lower than the selected value are not fixed.
If this option is disabled, the updates fix all vulnerabilities regardless of their severity level.
By default, this option is disabled.

Fix vulnerabilities with an MSRC severity level equal to or higher than

Sometimes software updates may impair the user experience with the software. In such cases, you may
decide to install only those updates that are critical for the software operation and to skip other
updates.
If this option is enabled, the updates fix only those vulnerabilities for which the severity level set by
Microsoft Security Response Center (MSRC) is equal to or higher than the value selected in the list
(Low, Medium, High, or Critical). Vulnerabilities with a severity level lower than the selected value are
not fixed.
If this option is disabled, the updates fix all vulnerabilities regardless of their severity level.
By default, this option is disabled.

4. On the Applications page, select the applications and application versions for which you want to install
updates. By default, all applications are selected.

5. On the Categories of updates page, select the categories of updates to be installed. These categories are the
same as in Microsoft Update Catalog. By default, all categories are selected.

6. On the Name page, specify the name for the rule that you are adding. You can later change this name in the
Settings section of the properties window of the created task.

After the Rule Creation Wizard completes its operation, the new rule is added and displayed in the rule list in the
Add Task Wizard or in the task properties.

To add a new rule for updates of third-party applications:

1. Click the Add button.


The Rule Creation Wizard starts. Proceed through the Wizard by using the Next button.

2. On the Rule type page, select Rule for third-party updates.

3. On the General criteria page, specify the following settings:

Set of updates to install

Select the updates that must be installed on client devices:


Install approved updates only. This installs only approved updates.

Install all updates (except declined). This installs updates with the Approved or Undefined
approval status.

Install all updates (including declined). This installs all updates, regardless of their approval
status. Select this option with caution. For example, use this option if you want to check
installation of some declined updates in a test infrastructure.

Fix vulnerabilities with a severity level equal to or higher than

Sometimes software updates may impair the user experience with the software. In such cases, you may
decide to install only those updates that are critical for the software operation and to skip other
updates.
If this option is enabled, the updates fix only those vulnerabilities for which the severity level set by
Kaspersky is equal to or higher than the value selected in the list (Medium, High, or Critical).
Vulnerabilities with a severity level lower than the selected value are not fixed.
If this option is disabled, the updates fix all vulnerabilities regardless of their severity level.
By default, this option is disabled.

4. On the Applications page, select the applications and application versions for which you want to install
updates. By default, all applications are selected.

5. On the Name page, specify the name for the rule that you are adding. You can later change this name in the
Settings section of the properties window of the created task.

After the Rule Creation Wizard completes its operation, the new rule is added and displayed in the rule list in the
Add Task Wizard or in the task properties.
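The rule criteria described in the three procedures above (the Set of updates to install choice, the Kaspersky severity threshold, and the interim-version behaviour of the Automatically install all previous application updates option) can be modelled to see which updates a rule would select. The following Python is an added illustration, not Kaspersky code and not its API; the Update and Rule structures, the sample applications and the update list are constructed assumptions.

```python
"""Model of the update-selection rules described above (added illustration only).

Not Kaspersky code: the Update/Rule structures, the sample applications and the
update list are assumptions chosen to exercise the documented behaviour.
"""
from dataclasses import dataclass, field
from typing import Optional

# Severity scale the page names for the Kaspersky threshold (Medium, High, Critical).
KASPERSKY_SEVERITY = {"Medium": 1, "High": 2, "Critical": 3}


@dataclass
class Update:
    app: str
    version: int                     # application version this update installs
    requires_version: Optional[int]  # version that must already be present, or None
    approval: str                    # "Approved", "Undefined" or "Declined"
    fixed_vulns: dict = field(default_factory=dict)  # vuln id -> Kaspersky severity


@dataclass
class Rule:
    update_set: str = "approved_only"     # approved_only | except_declined | including_declined
    min_severity: Optional[str] = None    # threshold, or None when the option is disabled
    install_previous_versions: bool = True  # interim application versions allowed


def passes_approval(update: Update, rule: Rule) -> bool:
    """Apply the Set of updates to install criterion."""
    if rule.update_set == "approved_only":
        return update.approval == "Approved"
    if rule.update_set == "except_declined":      # Approved or Undefined
        return update.approval in ("Approved", "Undefined")
    if rule.update_set == "including_declined":   # approval status ignored
        return True
    raise ValueError(f"unknown update set: {rule.update_set}")


def passes_severity(update: Update, rule: Rule) -> bool:
    """Keep updates that fix at least one vulnerability at or above the threshold.

    Assumption: with the threshold enabled, an update fixing nothing at that level is
    not selected on its own (it may still be pulled in as an interim version).
    """
    if rule.min_severity is None:
        return True
    threshold = KASPERSKY_SEVERITY[rule.min_severity]
    return any(KASPERSKY_SEVERITY[s] >= threshold for s in update.fixed_vulns.values())


def plan_installation(rule: Rule, updates: list, installed: dict):
    """Return (plan, failures): plan is [(app, version), ...] in install order,
    failures is [(app, version, reason), ...] for selected updates that cannot be
    installed (e.g. version 3 -> 5 needing 4 while interim versions are disallowed).
    Assumes each update's requires_version is lower than its own version."""
    by_app_version = {(u.app, u.version): u for u in updates}
    plan, failures = [], []
    for u in updates:
        base = installed.get(u.app)
        if base is None or u.version <= base:     # app absent or already at this version
            continue
        if not (passes_approval(u, rule) and passes_severity(u, rule)):
            continue
        # Walk back from the selected update to the installed version, collecting
        # the interim updates that would have to be installed first.
        chain, current, missing = [u], u, None
        while current.requires_version is not None and current.requires_version > base:
            prev = by_app_version.get((u.app, current.requires_version))
            if prev is None:
                missing = current.requires_version
                break
            chain.append(prev)
            current = prev
        if missing is not None:
            failures.append((u.app, u.version, f"no update for required version {missing}"))
            continue
        if len(chain) > 1 and not rule.install_previous_versions:
            failures.append((u.app, u.version,
                             f"requires version {u.requires_version}, installed is {base}"))
            continue
        for step in reversed(chain):              # oldest interim version first
            if (step.app, step.version) not in plan:
                plan.append((step.app, step.version))
    return plan, failures


# Constructed sample data: Editor is at version 3 and version 5 installs only over
# version 4 (the case from the option description); Viewer's only update is declined.
SAMPLE_INSTALLED = {"Editor": 3, "Viewer": 1}
SAMPLE_UPDATES = [
    Update("Editor", 4, 3, "Undefined", {"VULN-EDITOR-1": "Medium"}),
    Update("Editor", 5, 4, "Approved", {"VULN-EDITOR-2": "Critical"}),
    Update("Viewer", 2, 1, "Declined", {"VULN-VIEWER-1": "High"}),
]

if __name__ == "__main__":
    for rule in (Rule("except_declined", "High", True),
                 Rule("except_declined", "High", False),
                 Rule("including_declined", None, True)):
        print(rule, plan_installation(rule, SAMPLE_UPDATES, SAMPLE_INSTALLED))
```

With the severity threshold set to High, Editor version 4 is not selected on its own but is installed as the interim step for version 5; disabling the interim-version option turns that same rule into a failure for version 5.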

Selecting user fixes for vulnerabilities in third-party software

To use the Fix vulnerabilities task, you must manually specify the software updates to fix the vulnerabilities in third-party
software listed in the task settings. The Fix vulnerabilities task uses recommended fixes for Microsoft
software and user fixes for other third-party software. User fixes are software updates to fix vulnerabilities that
the administrator manually specifies for installation.

To select user fixes for vulnerabilities in third-party software:

1. On the OPERATIONS tab, in the PATCH MANAGEMENT drop-down list, select Software vulnerabilities.
The page displays the list of software vulnerabilities detected on client devices.

2. In the list of software vulnerabilities, click the link with the name of the software vulnerability for which you want
to specify a user fix.
The properties window of the vulnerability opens.

3. In the left pane, select the User fixes and other fixes section.
The list of user fixes for the selected software vulnerability is displayed.

4. Click Add.
The list of available installation packages is displayed. The list of displayed installation packages corresponds to
the OPERATIONS → REPOSITORIES → INSTALLATION PACKAGES list. If you have not created an installation
package containing a user fix for the selected vulnerability, you can create the package now by starting the New
Package Wizard.

5. Select an installation package (or packages) containing a user fix (or user fixes) for the vulnerability in third-party
software.

6. Click Save.

The installation packages containing user fixes for the software vulnerability are specified. When the Fix
vulnerabilities task is started, the installation package will be installed, and the software vulnerability will be fixed.
Viewing information about software vulnerabilities detected on all managed
devices
After you have scanned software on managed devices for vulnerabilities, you can view the list of software
vulnerabilities detected on all managed devices.

To view the list of software vulnerabilities detected on all managed devices,

On the OPERATIONS tab, in the PATCH MANAGEMENT drop-down list, select Software vulnerabilities.

The page displays the list of software vulnerabilities detected on client devices.

You can also generate and view Report on vulnerabilities.

You can specify a filter to view the list of software vulnerabilities. Click the Filter icon in the upper right corner
of the software vulnerabilities list to manage the filter. You can also select one of the preset filters from the Preset
filters drop-down list above the software vulnerabilities list.

You can obtain detailed information about any vulnerability from the list.

To obtain information about a software vulnerability:

In the list of software vulnerabilities, click the link with the name of the vulnerability.

The properties window of the software vulnerability opens.

Viewing information about software vulnerabilities detected on the selected managed device
You can view information about software vulnerabilities detected on the selected managed device running
Windows.

To view a list of software vulnerabilities detected on the selected managed device:

1. In the main menu, go to DEVICES → MANAGED DEVICES.


The list of managed devices is displayed.

2. In the list of managed devices, click the link with the name of the device for which you want to view detected
software vulnerabilities.
The properties window of the selected device is displayed.

3. In the properties window of the selected device, select the Advanced tab.

4. In the left pane, select the Software vulnerabilities section.


If you want to view only software vulnerabilities that can be fixed, select the Show only vulnerabilities that can
be fixed option.

The list of software vulnerabilities detected on the selected managed device is displayed.

To view the properties of the selected software vulnerability,

Click the link with the name of the software vulnerability in the list of software vulnerabilities.

The properties window of the selected software vulnerability is displayed.

Viewing statistics of vulnerabilities on managed devices


You can view statistics for each software vulnerability on managed devices. The statistics are presented as a
diagram that displays the number of devices with each of the following statuses:

Ignored on: <number of devices>. The status is assigned if, in the vulnerability properties, you have manually set
the option to ignore the vulnerability.

Fixed on: <number of devices>. The status is assigned if the task to fix the vulnerability has successfully
completed.

Fix scheduled on: <number of devices>. The status is assigned if you have created the task to fix the
vulnerability but the task has not run yet.

Patch applied on: <number of devices>. The status is assigned if you have manually selected a software update
to fix the vulnerability but this software update has not fixed the vulnerability.

Fix required on: <number of devices>. The status is assigned if the vulnerability was fixed on only some of the
managed devices and still has to be fixed on the remaining managed devices.

To view the statistics of a vulnerability on managed devices:

1. On the OPERATIONS tab, in the PATCH MANAGEMENT drop-down list, select Software vulnerabilities.
The page displays a list of vulnerabilities in applications detected on managed devices.

2. Select the check box next to the required vulnerability.

3. Click the Statistics of vulnerability on devices button.

A diagram of the vulnerability statuses is displayed. Clicking a status opens a list of devices on which the
vulnerability has the selected status.

Exporting the list of software vulnerabilities to a file


You can export the displayed list of vulnerabilities to a CSV or TXT file. You can use these files, for example, to
send them to your information security manager or to store them for statistical purposes.

To export the list of software vulnerabilities detected on all managed devices to a text file:

1. On the OPERATIONS tab, in the PATCH MANAGEMENT drop-down list, select Software vulnerabilities.
The page displays a list of vulnerabilities in applications detected on managed devices.
2. Click the Export rows to TXT file or Export rows to CSV file button, depending on the format you prefer for
export.

The file containing the list of software vulnerabilities is downloaded to the device that you are currently using.

To export the list of software vulnerabilities detected on the selected managed device to a text file:

1. Open the list of software vulnerabilities detected on the selected managed device.

2. Select the software vulnerabilities you want to export.


Skip this step if you want to export the complete list of software vulnerabilities detected on the managed device.
If you export the complete list of software vulnerabilities detected on the managed device, only the
vulnerabilities displayed on the current page are exported.

3. Click the Export rows to TXT file or Export rows to CSV file button, depending on the format you prefer for
export.

The file containing the list of software vulnerabilities detected on the selected managed device is downloaded
to the device that you are currently using.

Ignoring software vulnerabilities


You can ignore software vulnerabilities so that they are not fixed. Reasons to ignore a software vulnerability might
include, for example, the following:

You do not consider the software vulnerability critical to your organization.

You understand that the software vulnerability fix can damage data related to the software that requires the
vulnerability fix.

You are sure that the software vulnerability is not dangerous for your organization's network because you use
other measures to protect your managed devices.

You can ignore a software vulnerability on all managed devices or only on selected managed devices.

To ignore a software vulnerability on all managed devices:

1. On the OPERATIONS tab, in the PATCH MANAGEMENT drop-down list, select Software vulnerabilities.
The page displays the list of software vulnerabilities detected on managed devices.

2. In the list of software vulnerabilities, click the link with the name of the software vulnerability you want to ignore.
The software vulnerability properties window opens.

3. On the General tab, enable the Ignore vulnerability option.

4. Click the Save button.


The software vulnerability properties window closes.

The software vulnerability is ignored on all managed devices.

To ignore a software vulnerability on the selected managed device:


1. On the DEVICES tab, select the MANAGED DEVICES tab.
The list of managed devices is displayed.

2. In the list of managed devices, click the link with the name of the device on which you want to ignore a software
vulnerability.
The device properties window opens.

3. In the device properties window, select the Advanced tab.

4. In the left pane, select the Software vulnerabilities section.


The list of software vulnerabilities detected on the device is displayed.

5. In the list of software vulnerabilities, select the vulnerability you want to ignore on the selected device.
The software vulnerability properties window opens.

6. In the software vulnerability properties window, on the General tab, enable the Ignore vulnerability option.

7. Click the Save button.


The software vulnerability properties window closes.

8. Close the device properties window.

The software vulnerability is ignored on the selected device.

An ignored software vulnerability is not fixed when the Fix vulnerabilities task or the Install required updates and
fix vulnerabilities task completes. You can exclude ignored software vulnerabilities from the list of vulnerabilities
by using the filter.

Managing applications run on client devices


This section describes the features of Kaspersky Security Center related to the management of applications run
on client devices.

Scenario: Application Management


You can manage application startup on user devices. You can allow or block applications from running on managed
devices. This functionality is provided by the Application Control component. You can manage applications installed
on Windows or Linux devices.

For Linux-based operating systems, the Application Control component is available starting from Kaspersky
Endpoint Security 11.2 for Linux.

Prerequisites

Kaspersky Security Center is deployed in your organization.

The policy of Kaspersky Endpoint Security for Windows or Kaspersky Endpoint Security for Linux is created
and is active.

Stages

The Application Control usage scenario proceeds in stages:

1 Forming and viewing the list of applications on client devices

This stage helps you find out which applications are installed on managed devices. You can view the list of
applications and decide which applications you want to allow and which you want to prohibit, according to your
organization's security policies. The restrictions can be related to the information security policies in your
organization. You can skip this stage if you know exactly which applications are installed on managed devices.

How-to instructions:

Administration Console: Viewing application registry

Kaspersky Security Center Web Console: Obtaining and viewing a list of applications installed on client
devices

2 Forming and viewing the list of executable les on client devices

This stage helps you find out which executable files are present on managed devices. View the list of executable
files and compare it with the lists of allowed and prohibited executable files. The restrictions on executable file
usage can be related to the information security policies in your organization. You can skip this stage if you know
exactly which executable files are installed on managed devices.

How-to instructions:

Administration Console: Inventory of executable files

Kaspersky Security Center Web Console: Obtaining and viewing a list of executable files stored on client
devices

3 Creating application categories for the applications used in your organization

Analyze the lists of applications and executable files stored on managed devices. Based on the analysis, create
application categories. It is recommended to create a "Work applications" category that covers the standard set
of applications used in your organization. If different user groups use different sets of applications in
their work, a separate application category can be created for each user group.

Depending on the set of criteria used to create an application category, you can create application categories of
three types.

How-to instructions:

Administration Console: Creating an application category with content added manually, Creating an
application category that includes executable files from selected devices, Creating application category that
includes executable files from a specific folder.

Kaspersky Security Center Web Console: Creating application category with content added manually,
Creating application category that includes executable files from selected devices, Creating application
category that includes executable files from a specific folder.

4 Configuring Application Control in the Kaspersky Endpoint Security policy

Configure the Application Control component in the Kaspersky Endpoint Security policy using the application
categories you created in the previous stage.

How-to instructions:

Administration Console: Configuring application startup management on client devices

Kaspersky Security Center Web Console: Configuring Application Control in the Kaspersky Endpoint
Security for Windows policy

5 Turning on Application Control component in test mode

To ensure that Application Control rules do not block applications required for users' work, it is recommended to
enable testing of Application Control rules and analyze their operation after creating new rules. When testing is
enabled, Kaspersky Endpoint Security for Windows does not block applications whose startup is forbidden by
Application Control rules, but instead sends notifications about their startup to the Administration Server.

When testing Application Control rules, it is recommended to perform the following actions:

Determine the testing period. The testing period can vary from several days to two months.

Examine the events resulting from testing the operation of Application Control.

How-to instructions for Kaspersky Security Center Web Console: Configuring Application Control component in
the Kaspersky Endpoint Security for Windows policy. Follow these instructions and enable the Test Mode option
during configuration.

6 Changing the application categories settings of Application Control component

If necessary, make changes to the Application Control settings. Based on the test results, you can add
executable files related to events of the Application Control component to an application category with content
added manually.

How-to instructions:

Administration Console: Adding event-related executable files to the application category

Kaspersky Security Center Web Console: Adding event-related executable files to the application category

7 Applying the rules of Application Control in operation mode

After the Application Control rules have been tested and the configuration of application categories is complete,
you can apply the Application Control rules in operation mode.

How-to instructions for Kaspersky Security Center Web Console: Configuring Application Control component in
the Kaspersky Endpoint Security for Windows policy. Follow these instructions and disable the Test Mode option
during configuration.

8 Verifying Application Control configuration

Be sure that you have done the following:

Created application categories.

Configured Application Control using the application categories.

Applied the rules of Application Control in operation mode.

Results

When the scenario is complete, application startup on managed devices is controlled. Users can start only
those applications that are allowed in your organization and cannot start applications that are prohibited in your
organization.

For detailed information about Application Control, refer to Kaspersky Endpoint Security for Windows Online
Help and to the Kaspersky Security for Virtualization Light Agent Help.

About Application Control

The Application Control component monitors users' attempts to start applications and regulates the startup of
applications by using Application Control rules.

The Application Control component is available for Kaspersky Endpoint Security for Windows and for Kaspersky
Security for Virtualization Light Agent. All the instructions in this section describe configuration of Application
Control for Kaspersky Endpoint Security for Windows.

Startup of applications whose settings do not match any of the Application Control rules is regulated by the
selected operating mode of the component:

Denylist. The mode is used if you want to allow the startup of all applications except the applications specified
in block rules. This mode is selected by default.

Allowlist. The mode is used if you want to block the startup of all applications except the applications specified
in allow rules.

The Application Control rules are implemented through application categories. You create application categories
by defining specific criteria. In Kaspersky Security Center there are three types of application categories:

Category with content added manually. You define conditions, for example, file metadata, file hash code, file
certificate, KL category, or file path, to include executable files in the category.

Category that includes executable files from selected devices. You specify a device whose executable files are
automatically included in the category.

Category that includes executable files from a selected folder. You specify a folder from which executable files
are automatically included in the category.

For detailed information about Application Control, refer to Kaspersky Endpoint Security for Windows Online
Help and to the Kaspersky Security for Virtualization Light Agent Help.
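The following is an added example, not Kaspersky code, that models how the two operating modes and the category-based rules described above combine. It is a small Python evaluator: an executable that falls into a rule's category gets that rule's action, and an executable that matches no rule is allowed in Denylist mode and blocked in Allowlist mode. The category criteria (hash, signing certificate subject, vendor, path mask and an exclusion mask, mirroring the conditions and exclusions a manually populated category can carry), the "Contoso" vendor, the sample paths and every hash value are constructed for illustration; the real component's matching logic is documented in the Kaspersky Endpoint Security Help.

```python
"""Added example (not Kaspersky code): a toy model of Application Control
rule evaluation with Denylist and Allowlist modes and category-based rules.
All names, paths, vendors and hashes below are constructed for illustration."""
import hashlib
from dataclasses import dataclass, field
from fnmatch import fnmatch


@dataclass(frozen=True)
class Executable:
    path: str
    sha256: str              # hex digest of the file contents
    vendor: str = ""         # vendor from the file metadata, "" if absent
    signer: str = ""         # subject of the code-signing certificate, "" if unsigned


@dataclass
class Category:
    """Category with content added manually: a file is a member if it matches
    at least one condition and none of the exclusion masks."""
    name: str
    hashes: set = field(default_factory=set)
    signers: set = field(default_factory=set)
    vendors: set = field(default_factory=set)
    path_masks: list = field(default_factory=list)       # wildcard masks
    exclusion_masks: list = field(default_factory=list)

    def contains(self, exe: Executable) -> bool:
        path = exe.path.lower()
        if any(fnmatch(path, m.lower()) for m in self.exclusion_masks):
            return False
        return bool(exe.sha256 in self.hashes
                    or (exe.signer and exe.signer in self.signers)
                    or (exe.vendor and exe.vendor in self.vendors)
                    or any(fnmatch(path, m.lower()) for m in self.path_masks))


@dataclass
class Rule:
    category: Category
    action: str              # "allow" or "block"


def decide(exe: Executable, rules: list, mode: str) -> tuple:
    """Return (action, reason). Rules are checked in order and the first
    category that contains the file decides; if none matches, the mode
    decides: Denylist allows by default, Allowlist blocks by default."""
    for rule in rules:
        if rule.category.contains(exe):
            return rule.action, f"matched category '{rule.category.name}'"
    if mode == "denylist":
        return "allow", "no rule matched; Denylist mode allows by default"
    if mode == "allowlist":
        return "block", "no rule matched; Allowlist mode blocks by default"
    raise ValueError(f"unknown mode: {mode!r}")


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def demo() -> dict:
    """Evaluate constructed sample files in both modes; returns {(file, mode): action}."""
    work = Category("Work applications", signers={"Contoso Ltd"},
                    path_masks=["c:\\program files\\contoso\\*"],
                    exclusion_masks=["*\\temp\\*"])   # staging area is excluded
    prohibited = Category("Prohibited tools",
                          hashes={sha256_hex(b"constructed prohibited binary")})
    rules = [Rule(prohibited, "block"), Rule(work, "allow")]  # block rules first

    samples = {
        "contoso_app": Executable(r"C:\Program Files\Contoso\app.exe",
                                  sha256_hex(b"constructed app"), signer="Contoso Ltd"),
        "prohibited_tool": Executable(r"C:\Users\alice\Downloads\tool.exe",
                                      sha256_hex(b"constructed prohibited binary")),
        "unknown_download": Executable(r"C:\Users\alice\Downloads\unknown.exe",
                                       sha256_hex(b"constructed unknown")),
        "staged_in_temp": Executable(r"C:\Program Files\Contoso\temp\stage.exe",
                                     sha256_hex(b"constructed staged"), signer="Contoso Ltd"),
    }
    results = {}
    for name, exe in samples.items():
        for mode in ("denylist", "allowlist"):
            results[(name, mode)] = decide(exe, rules, mode)[0]
    return results


if __name__ == "__main__":
    for (name, mode), action in sorted(demo().items()):
        print(f"{mode:9s} {name:18s} -> {action}")
```

The point the two modes make is visible in the `unknown_download` and `staged_in_temp` rows: a file that no category covers runs under Denylist and is stopped under Allowlist, which is why the scenario above recommends a test period before switching an Allowlist configuration into operation mode.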

Obtaining and viewing a list of applications installed on client devices


Kaspersky Security Center inventories all software installed on managed client devices running Windows.

Network Agent compiles a list of applications installed on a device and then transmits this list to Administration
Server. Network Agent automatically receives information about installed applications from the Windows registry.

To save device resources, Network Agent by default starts collecting information about installed applications 10
minutes after the Network Agent service starts.

To view the list of applications installed on managed devices:

In the OPERATIONS → THIRD-PARTY APPLICATIONS drop-down list, select Applications registry.

The page displays the list of applications installed on managed devices.

For detailed information about Application Control, refer to Kaspersky Endpoint Security for Windows Online
Help and to the Kaspersky Security for Virtualization Light Agent Help.

Obtaining and viewing a list of executable files stored on client devices


You can obtain a list of executable files stored on managed devices. To inventory executable files, you must create
an inventory task.

The feature of inventorying executable files is available for the following applications:

Kaspersky Endpoint Security for Windows

Kaspersky Endpoint Security for Linux

Kaspersky Security for Virtualization 4.0 Light Agent and later versions

You can reduce the load on the database while obtaining information about installed applications. To do this,
we recommend that you run the inventory task on reference devices on which a standard set of software is
installed.

To create an inventory task for executable files on client devices:

1. In the main menu, go to DEVICES → TASKS.


The list of tasks is displayed.

2. Click the Add button.


The Add Task Wizard starts. Follow the steps of the Wizard.

3. On the New task page, in the Application drop-down list, select Kaspersky Endpoint Security for Windows or
Kaspersky Endpoint Security for Linux, depending on the operating system type of the client devices.

4. In the Task type drop-down list, select Inventory.

5. On the Finish task creation page, click the Finish button.

After the Add Task Wizard has finished, the Inventory task is created and configured. If you want, you can
change the settings for the created task. The newly created task is displayed in the list of tasks.

For a detailed description of the inventory task, refer to the following Help documentation:

Kaspersky Endpoint Security for Windows Help

Kaspersky Endpoint Security for Linux Help

Kaspersky Security for Virtualization Light Agent

After the Inventory task is performed, the list of executable files stored on managed devices is formed, and you
can view the list.

During inventory, executable files in the following formats are detected: MZ, COM, PE, NE, SYS, CMD, BAT, PS1,
JS, VBS, REG, MSI, CPL, DLL, JAR, and HTML.

To view the list of executable files stored on client devices:

In the OPERATIONS → THIRD-PARTY APPLICATIONS drop-down list, select EXECUTABLE FILES.

The page displays the list of executable files stored on client devices.

To send an executable file from a managed device to Kaspersky:

1. In the main menu, go to OPERATIONS → THIRD-PARTY APPLICATIONS → EXECUTABLE FILES.

2. Click the link of the executable file that you want to send to Kaspersky.

3. In the window that opens, go to the Devices section, and then select the checkbox of the managed device
from which you want to send the executable file.

Before you send the executable file, make sure that the managed device has a direct connection to the
Administration Server by selecting the Do not disconnect from the Administration Server checkbox.

4. Click the Send to Kaspersky button.

The selected executable file is downloaded for further sending to Kaspersky.

Creating application category with content added manually


You can specify a set of criteria as a template for the executable files whose startup you want to allow or block in
your organization. On the basis of the executable files matching the criteria, you can create an application
category and use it in the Application Control component configuration.

To create an application category with content added manually:

1. In the OPERATIONS → THIRD-PARTY APPLICATIONS drop-down list, select APPLICATION CATEGORIES.


The page with a list of application categories is displayed.

2. Click the Add button.


The New Category Wizard starts. Follow the steps of the Wizard.

3. On the Select category creation method page of the Wizard, select the Category with content added
manually. Data of executable files is manually added to the category option.

4. On the Conditions page of the Wizard, click the Add button to add a condition criterion that includes files in
the category being created.

5. On the Condition criteria page, select a rule type for the creation of category from the list:

From KL category

If this option is selected, you can specify a Kaspersky application category as the condition of adding
applications to the user category. The applications from the specified Kaspersky category will be added
to the user application category.

Select certificate from repository

If this option is selected, you can specify certificates from the storage. Executable files that have been
signed in accordance with the specified certificates will be added to the user category.

Specify path to application (masks supported)

If this option is selected, you can specify the path to the folder on the client device containing the
executable files that are to be added to the user application category.

Removable drive

If this option is selected, you can specify the type of the medium (any drive or removable drive) on
which the application is run. Applications that have been run on the selected drive type are added to
the user application category.

Hash, metadata, or certificate:

Select from list of executable files

If this option is selected, you can use the list of executable files on the client device to select and
add applications to the category.

Select from applications registry

If this option is selected, the application registry is displayed. You can select an application from the
registry and specify the following file metadata:

File name.

File version. You can specify a precise value of the version or describe a condition, for example
"greater than 5.0".

Application name.

Application version. You can specify a precise value of the version or describe a condition, for
example "greater than 5.0".

Vendor.

Specify manually

If this option is selected, you must specify a file hash, metadata, or certificate as the condition of
adding applications to the user category.

File Hash

Depending on the version of the security application installed on devices on your network, you must
select an algorithm for hash value computing by Kaspersky Security Center for files in this category.
Information about computed hash values is stored in the Administration Server database. Storage
of hash values does not increase the database size significantly.
SHA-256 is a cryptographic hash function: no vulnerabilities have been found in its algorithm, and so
it is considered the most reliable cryptographic function nowadays. Kaspersky Endpoint Security 10
Service Pack 2 for Windows and later versions support SHA-256 computing. Computing of the MD5
hash function is supported by all versions earlier than Kaspersky Endpoint Security 10 Service Pack 2
for Windows.
Select one of the following options of hash value computing by Kaspersky Security Center for files in the
category:

If all instances of security applications installed on your network are Kaspersky Endpoint
Security 10 Service Pack 2 for Windows or later versions, select the SHA-256 check box. We
do not recommend that you add any categories created according to the criterion of the
SHA-256 hash of an executable file for versions earlier than Kaspersky Endpoint Security 10
Service Pack 2 for Windows. This may result in failures in the security application operation. In
this case, you can use the MD5 cryptographic hash function for files of the category.

If any versions earlier than Kaspersky Endpoint Security 10 Service Pack 2 for Windows are
installed on your network, select the MD5 hash. You cannot add a category that was created
based on the criterion of the MD5 checksum of an executable file for Kaspersky Endpoint
Security 10 Service Pack 2 for Windows or later versions. In this case, you can use the SHA-256
cryptographic hash function for files of the category.

If different devices on your network use both earlier and later versions of Kaspersky Endpoint
Security 10, select both the SHA-256 check box and the MD5 hash check box.

Metadata

If this option is selected, you can specify file metadata such as file name, file version, and vendor. The
metadata will be sent to Administration Server. Executable files that contain the same metadata will
be added to the application category.

Certificate

If this option is selected, you can specify certificates from the storage. Executable files that have
been signed in accordance with the specified certificates will be added to the user category.

From file or from MSI package / archived folder

If this option is selected, you can specify an MSI installer file as the condition of adding applications
to the user category. The application installer metadata will be sent to Administration Server. The
applications for which the installer metadata is the same as for the specified MSI installer are added
to the user application category.

The selected criterion is added to the list of conditions.


You can add as many criteria for the application category being created as you need.

6. On the Exclusions page of the Wizard, click the Add button to add an exclusion criterion that excludes
files from the category being created.

7. On the Condition criteria page, select a rule type from the list, in the same way that you selected a rule type
for category creation.

When the Wizard finishes, the application category is created. It is displayed in the list of application categories.
You can use the created application category when you configure Application Control.

For detailed information about Application Control, refer to Kaspersky Endpoint Security for Windows Online
Help and to the Kaspersky Security for Virtualization Light Agent Help.

Creating application category that includes executable files from selected devices

You can use executable files from selected devices as a template of executable files that you want to allow or
block. Based on executable files from selected devices, you can create an application category and use it in the
Application Control component configuration.

To create an application category that includes executable files from selected devices:

1. In the OPERATIONS → THIRD-PARTY APPLICATIONS drop-down list, select APPLICATION CATEGORIES.


The page with a list of application categories is displayed.

2. Click the Add button.


The New Category Wizard starts. Proceed through the Wizard by using the Next button.

3. On the Select category creation method page of the Wizard, specify the category name and select the
Category that includes executable files from selected devices. These executable files are processed
automatically and their metrics are added to the category option.

4. Click Add.

5. In the window that opens, select a device or devices whose executable les will be used to create the
application category.

6. Specify the following settings:

Hash value computing algorithm

Depending on the version of the security application installed on devices on your network, you must
select an algorithm for hash value computing by Kaspersky Security Center for files in this category.
Information about computed hash values is stored in the Administration Server database. Storage of
hash values does not increase the database size significantly.
SHA-256 is a cryptographic hash function: no vulnerabilities have been found in its algorithm, and so it is
considered the most reliable cryptographic function nowadays. Kaspersky Endpoint Security 10 Service
Pack 2 for Windows and later versions support SHA-256 computing. Computing of the MD5 hash
function is supported by all versions earlier than Kaspersky Endpoint Security 10 Service Pack 2 for
Windows.
Select one of the following options of hash value computing by Kaspersky Security Center for files in the
category:

If all instances of security applications installed on your network are Kaspersky Endpoint Security
10 Service Pack 2 for Windows or later versions, select the SHA-256 check box. We do not
recommend that you add any categories created according to the criterion of the SHA-256 hash
of an executable file for versions earlier than Kaspersky Endpoint Security 10 Service Pack 2 for
Windows. This may result in failures in the security application operation. In this case, you can use
the MD5 cryptographic hash function for files of the category.

If any versions earlier than Kaspersky Endpoint Security 10 Service Pack 2 for Windows are
installed on your network, select the MD5 hash. You cannot add a category that was created
based on the criterion of the MD5 checksum of an executable file for Kaspersky Endpoint
Security 10 Service Pack 2 for Windows or later versions. In this case, you can use the SHA-256
cryptographic hash function for files of the category.

If different devices on your network use both earlier and later versions of Kaspersky Endpoint Security
10, select both the SHA-256 check box and the MD5 hash check box.

The Calculate SHA-256 for files in this category (supported by Kaspersky Endpoint Security 10
Service Pack 2 for Windows and any later versions) check box is selected by default.
The Calculate MD5 for files in this category (supported by versions earlier than Kaspersky
Endpoint Security 10 Service Pack 2 for Windows) check box is cleared by default.

Synchronize data with Administration Server repository

Select this option if you want Administration Server to periodically check for changes in the specified
folder (or folders).

By default, this option is disabled.

If you enable this option, specify the period (in hours) for checking changes in the specified folder (folders).
By default, the scan interval is 24 hours.

File type

In this section, you can specify the file type that is used to create the application category.

All files. All files are taken into consideration when creating the category. By default, this option is
selected.

Only files outside the application categories. Only files outside the application categories are taken
into consideration when creating the category.

Folders

In this section you can specify which folders from the selected device (devices) contain files that are
used to create the application category.

All folders. All folders are taken into consideration for the category being created. By default, this option is
selected.

Specified folder. Only the specified folder is taken into consideration for the category being created. If you
select this option, you must specify the path to the folder.

When the Wizard finishes, the application category is created. It is displayed in the list of application categories.
You can use the created application category when you configure Application Control.
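The following added example, not Kaspersky code, illustrates two settings described in this section and in the manual-category section above: which executable files a folder-based category picks up, and which hash algorithms are computed for them depending on the Kaspersky Endpoint Security versions present on the network (SHA-256 for 10 Service Pack 2 and later, MD5 for earlier versions, both for a mixed fleet). Executable detection follows the formats listed in the inventory section (the MZ header shared by PE, NE, SYS and DLL images, plus script and package extensions). The sample folder and its files, the `(major, service pack)` version tuples, the `include_dll` flag and the returned dictionary are constructed for illustration and are not the product's internal representation.

```python
"""Added example (not Kaspersky code): build a hash-based category from a
folder, choosing SHA-256 and/or MD5 from the Kaspersky Endpoint Security
versions present on the network. Folder contents and versions are constructed."""
import hashlib
import os
import tempfile

# Versions are modelled as (major, service pack) tuples; this is an assumption
# made for the example, not a product identifier.
KES_10_SP2 = (10, 2)

# Formats from the inventory description that are recognised by extension.
SCRIPT_OR_PACKAGE_EXT = {".com", ".cmd", ".bat", ".ps1", ".js", ".vbs",
                         ".reg", ".msi", ".cpl", ".jar", ".html"}
MZ_MAGIC = b"MZ"  # DOS stub shared by PE, NE, SYS and DLL images


def hash_algorithms(fleet_versions) -> set:
    """SHA-256 for devices on 10 SP2 or later, MD5 for earlier ones; a mixed
    fleet needs both, as the setting description recommends."""
    return {"sha256" if v >= KES_10_SP2 else "md5" for v in fleet_versions}


def is_executable(path: str, include_dll: bool) -> bool:
    """Apply the inventory formats: extension for scripts and packages,
    the MZ header for native images; DLLs only when the flag is set."""
    ext = os.path.splitext(path)[1].lower()
    if ext == ".dll" and not include_dll:
        return False
    if ext in SCRIPT_OR_PACKAGE_EXT:
        return True
    with open(path, "rb") as f:
        return f.read(2) == MZ_MAGIC


def file_hashes(path: str, algorithms: set) -> dict:
    """Read the file once and feed every selected algorithm from that read."""
    hashers = {name: hashlib.new(name) for name in algorithms}
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            for h in hashers.values():
                h.update(chunk)
    return {name: h.hexdigest() for name, h in hashers.items()}


def build_category(folder: str, fleet_versions, include_dll: bool = False) -> dict:
    """Map each executable's path (relative to the folder, Windows-style
    separators) to its hash digests."""
    algorithms = hash_algorithms(fleet_versions)
    category = {}
    for root, _dirs, files in os.walk(folder):
        for name in files:
            full = os.path.join(root, name)
            if is_executable(full, include_dll):
                rel = os.path.relpath(full, folder).replace(os.sep, "\\")
                category[rel] = file_hashes(full, algorithms)
    return category


def make_sample_folder() -> str:
    """Constructed folder: two identical MZ images, a DLL, a script in a
    subfolder, and two non-executable files that must be left out."""
    folder = tempfile.mkdtemp(prefix="appcat_")
    os.makedirs(os.path.join(folder, "tools"))
    samples = {
        "app.exe": MZ_MAGIC + b"\x90" * 64,
        "app_copy.exe": MZ_MAGIC + b"\x90" * 64,   # same content, so same hashes
        "helper.dll": MZ_MAGIC + b"\x00" * 16,
        os.path.join("tools", "setup.bat"): b"@echo off\r\n",
        "readme.txt": b"not an executable",
        "blob.bin": b"\x00\x01\x02\x03",
    }
    for name, content in samples.items():
        with open(os.path.join(folder, name), "wb") as f:
            f.write(content)
    return folder


if __name__ == "__main__":
    folder = make_sample_folder()
    # Mixed fleet: one device before 10 SP2 and one after, so both digests.
    for rel, digests in sorted(build_category(folder, [(10, 1), (11, 0)]).items()):
        print(rel, digests)
```

Because membership is decided by the digest and not by the name, `app.exe` and `app_copy.exe` end up with identical entries; that is the property that makes a hash criterion robust against renamed binaries, and also the reason the setting text warns that a category built only with a digest the endpoint cannot compute will not match anything there.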

Creating application category that includes executable files from selected folder

You can use executable files from a selected folder as a template of executable files that you want to allow or block
in your organization. On the basis of executable files from the selected folder, you can create an application
category and use it in the Application Control component configuration.

To create an application category that includes executable files from the selected folder:

1. In the OPERATIONS → THIRD-PARTY APPLICATIONS drop-down list, select APPLICATION CATEGORIES.


The page with a list of application categories is displayed.

2. Click the Add button.


The New Category Wizard starts. Proceed through the Wizard by using the Next button.

3. On the Select category creation method page of the Wizard, specify the category name and select the
Category that includes executable files from a specific folder. Executable files of applications copied to
the specified folder are automatically processed and their metrics are added to the category option.

4. Specify the folder whose executable les will be used to create the application category.

5. Define the following settings:

Include dynamic-link libraries (DLL) in this category

The application category includes dynamic-link libraries (files in DLL format), and the Application
Control component logs the actions of such libraries running in the system. Including DLL files in the
category may lower the performance of Kaspersky Security Center.
By default, this check box is cleared.

Include script data in this category

The application category includes data on scripts, and scripts are not blocked by Web Threat
Protection. Including the script data in the category may lower the performance of Kaspersky Security
Center.
By default, this check box is cleared.

Hash value computing algorithm: Calculate SHA-256 for files in this category (supported by Kaspersky
Endpoint Security 10 Service Pack 2 for Windows and later versions) / Calculate MD5 for files in this
category (supported by versions earlier than Kaspersky Endpoint Security 10 Service Pack 2 for
Windows)

Depending on the version of the security application installed on devices on your network, you must
select an algorithm for hash value computing by Kaspersky Security Center for files in this category.
Information about computed hash values is stored in the Administration Server database. Storage of
hash values does not increase the database size significantly.
SHA-256 is a cryptographic hash function: no vulnerabilities have been found in its algorithm, and so it is
considered the most reliable cryptographic function nowadays. Kaspersky Endpoint Security 10 Service
Pack 2 for Windows and later versions support SHA-256 computing. Computing of the MD5 hash
function is supported by all versions earlier than Kaspersky Endpoint Security 10 Service Pack 2 for
Windows.
Select one of the following options of hash value computing by Kaspersky Security Center for files in the
category:

If all instances of security applications installed on your network are Kaspersky Endpoint Security
10 Service Pack 2 for Windows or later versions, select the SHA-256 check box. We do not
recommend that you add any categories created according to the criterion of the SHA-256 hash
of an executable file for versions earlier than Kaspersky Endpoint Security 10 Service Pack 2 for
Windows. This may result in failures in the security application operation. In this case, you can use
the MD5 cryptographic hash function for files of the category.

If any versions earlier than Kaspersky Endpoint Security 10 Service Pack 2 for Windows are
installed on your network, select the MD5 hash. You cannot add a category that was created
based on the criterion of the MD5 checksum of an executable file for Kaspersky Endpoint
Security 10 Service Pack 2 for Windows or later versions. In this case, you can use the SHA-256
cryptographic hash function for files of the category.

If different devices on your network use both earlier and later versions of Kaspersky Endpoint Security
10, select both the SHA-256 check box and the MD5 hash check box.

The Calculate SHA-256 for files in this category (supported by Kaspersky Endpoint Security 10
Service Pack 2 for Windows and any later versions) check box is selected by default.
The Calculate MD5 for files in this category (supported by versions earlier than Kaspersky
Endpoint Security 10 Service Pack 2 for Windows) check box is cleared by default.

Force folder scan for changes

If this option is enabled, the application regularly checks the folder of category content addition for
changes. You can specify the frequency of checks (in hours) in the entry field next to the check box. By
default, the time interval between forced checks is 24 hours.
If this option is disabled, the application does not force any checks of the folder. The Server attempts
to access files if they have been modified, added, or deleted.
By default, this option is disabled.

When the Wizard finishes, the application category is created. It is displayed in the list of application categories.
You can use the application category when configuring Application Control.

For detailed information about Application Control, refer to Kaspersky Endpoint Security for Windows Online
Help and to the Kaspersky Security for Virtualization Light Agent.
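The folder-based category settings above (executables with or without DLLs, SHA-256 versus MD5 depending on the agent generation, and the forced folder scan for changes) can be modelled in a few functions. The following Python is an added example, not Kaspersky code; the file names and contents it builds are constructed placeholders, and the hashes shown are standard test vectors for those contents.

```python
"""Folder-based application category: hash collection and change detection.

Added example (not Kaspersky code). It models what the Wizard options control:
which files in the folder count as category content (.exe only, or .exe plus
.dll), which hash identifies each file (SHA-256 for KES 10 SP2+ agents, MD5
only for older agents, both for a mixed fleet), and what a forced folder
re-scan has to detect (added, modified and deleted files).
"""
import hashlib
import os
import tempfile

EXECUTABLE_EXTENSIONS = {".exe"}
LIBRARY_EXTENSIONS = {".dll"}


def file_hash(path, algorithm):
    """Hex digest of one file, read in chunks so large binaries do not fill memory."""
    h = hashlib.new(algorithm)
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(64 * 1024), b""):
            h.update(chunk)
    return h.hexdigest()


def select_algorithms(legacy_agents_present, current_agents_present):
    """Mirror the Wizard rule: SHA-256 for current agents, MD5 for legacy ones, both for a mix."""
    algorithms = []
    if current_agents_present:
        algorithms.append("sha256")
    if legacy_agents_present:
        algorithms.append("md5")  # kept only for agents older than KES 10 SP2
    if not algorithms:
        raise ValueError("at least one agent generation must be present")
    return tuple(algorithms)


def build_folder_category(folder, include_dlls=False, algorithms=("sha256",)):
    """Return {relative_path: {algorithm: hexdigest}} for the category content.

    Scripts and other non-executable files are ignored, as in a category
    built from the executable files of a folder.
    """
    wanted = set(EXECUTABLE_EXTENSIONS)
    if include_dlls:
        wanted |= LIBRARY_EXTENSIONS
    category = {}
    for root, _dirs, files in os.walk(folder):
        for name in files:
            if os.path.splitext(name)[1].lower() not in wanted:
                continue
            path = os.path.join(root, name)
            rel = os.path.relpath(path, folder).replace(os.sep, "/")
            category[rel] = {alg: file_hash(path, alg) for alg in algorithms}
    return category


def folder_changes(previous, current):
    """Compare two snapshots of the folder; returns (added, modified, deleted) as sorted lists."""
    added = sorted(set(current) - set(previous))
    deleted = sorted(set(previous) - set(current))
    modified = sorted(p for p in set(previous) & set(current) if previous[p] != current[p])
    return added, modified, deleted


def make_sample_folder():
    """Constructed sample folder; contents are placeholders, not real binaries."""
    folder = tempfile.mkdtemp(prefix="appcat_")
    samples = {
        "app.exe": b"abc",    # SHA-256 ba7816bf..., MD5 90015098... (standard test vector)
        "helper.dll": b"",    # empty file: SHA-256 e3b0c442..., MD5 d41d8cd9...
        "install.ps1": b"Write-Host 'not category content'",
    }
    for name, content in samples.items():
        with open(os.path.join(folder, name), "wb") as f:
            f.write(content)
    return folder


def apply_sample_changes(folder):
    """Simulate what a forced folder scan must notice: one modified, one deleted, one added file."""
    with open(os.path.join(folder, "app.exe"), "ab") as f:
        f.write(b"patched")
    os.remove(os.path.join(folder, "helper.dll"))
    with open(os.path.join(folder, "new.exe"), "wb") as f:
        f.write(b"MZ")


if __name__ == "__main__":
    folder = make_sample_folder()
    algorithms = select_algorithms(legacy_agents_present=True, current_agents_present=True)
    before = build_folder_category(folder, include_dlls=True, algorithms=algorithms)
    for rel, digests in sorted(before.items()):
        print(rel, digests)
    apply_sample_changes(folder)
    after = build_folder_category(folder, include_dlls=True, algorithms=algorithms)
    print("added, modified, deleted:", folder_changes(before, after))
```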

Viewing the list of application categories
You can view the list of configured application categories and the settings of each application category.

To view the list of application categories,

On the OPERATIONS tab, in the THIRD-PARTY APPLICATIONS drop-down list, select APPLICATION
CATEGORIES.

The page with a list of application categories is displayed.

To view properties of an application category,

Click the name of the application category.

The properties window of the application category is displayed. The properties are grouped on several tabs.

Configuring Application Control in the Kaspersky Endpoint Security for Windows policy

After you create Application Control categories, you can use them for configuring Application Control in
Kaspersky Endpoint Security for Windows policies.

To configure Application Control in the Kaspersky Endpoint Security for Windows policy:

1. In the main menu, go to DEVICES → POLICIES & PROFILES.


A page with a list of policies is displayed.

2. Click the Kaspersky Endpoint Security for Windows policy.


The policy settings window opens.

3. Go to Application settings → Security Controls → Application Control.


The Application Control window with the Application Control settings is displayed.

4. The Application Control option is enabled by default. Ensure that the Application Control DISABLED toggle
button is switched to the disabled position.

5. In the Application Control Settings block, enable the operation mode that applies the Application
Control rules and allows Kaspersky Endpoint Security for Windows to block the startup of applications.
If you want to test the Application Control rules, in the Application Control Settings section, enable test
mode. In test mode, Kaspersky Endpoint Security for Windows does not block startup of applications, but logs
information about triggered rules in the report. Click the View report link to view this information.

6. Enable the Control DLL modules load option if you want Kaspersky Endpoint Security for Windows to monitor
the loading of DLL modules when applications are started by users.
Information about the module and the application that loaded the module will be saved to a report.

Kaspersky Endpoint Security for Windows monitors only the DLL modules and drivers loaded after the Control
DLL modules load option is selected. Restart the computer after selecting the Control DLL modules load
option if you want Kaspersky Endpoint Security for Windows to monitor all DLL modules and drivers, including
those loaded before Kaspersky Endpoint Security for Windows is started.

7. (Optional) In the Message templates block, change the template of the message that is displayed when an
application is blocked from starting and the template of the email message that is sent to you.

8. In the Application Control Mode block, select the Denylist or Allowlist mode.
By default, the Denylist mode is selected.

9. Click the Rules Lists Settings link.


The Denylists and allowlists window opens to let you add an application category. By default, the Denylist tab
is selected if the Denylist mode is selected, and the Allowlist tab is selected if the Allowlist mode is selected.

10. In the Denylists and allowlists window, click the Add button.
The Application Control rule window opens.

11. Click the Please choose a category link.


The Application Category window opens.

12. Add the application category (or categories) that you created earlier.
You can edit the settings of a created category by clicking the Edit button.
You can create a new category by clicking the Add button.
You can delete a category from the list by clicking the Delete button.

13. After the list of application categories is complete, click the OK button.
The Application Category window closes.

14. In the Application Control rule window, in the Subjects and their rights section, create a list of users and
groups of users to apply the Application Control rule.

15. Click the OK button to save the settings and to close the Application Control rule window.

16. Click the OK button to save the settings and to close the Denylists and allowlists window.

17. Click the OK button to save the settings and to close the Application Control window.

18. Close the window with the Kaspersky Endpoint Security for Windows policy settings.

Application Control is configured. After the policy is propagated to the client devices, the startup of executable
files is managed.

For detailed information about Application Control, refer to Kaspersky Endpoint Security for Windows Online
Help and to the Kaspersky Security for Virtualization Light Agent.

Adding event-related executable files to the application category


After you configure Application Control in the Kaspersky Endpoint Security for Windows policies, the following
events will be displayed in the list of events:

Application startup prohibited (Critical event). This event is displayed if you have configured Application
Control to apply rules.

Application startup prohibited in test mode (Info event). This event is displayed if you have configured
Application Control to test rules.

Message to administrator about application startup prohibition (Warning event). This event is displayed if
you have configured Application Control to apply rules and a user has requested access to the application that
is blocked at startup.

It is recommended to create event selections to view events related to Application Control operation.

You can add executable files related to Application Control events to an existing application category or to a new
application category. You can add executable files only to an application category with content added manually.

To add executable files related to Application Control events to an application category:

1. In the main menu, go to MONITORING & REPORTING → EVENT SELECTIONS.


The list of event selections is displayed.

2. Select the event selection to view events related to Application Control and start this event selection.
If you have not created an event selection related to Application Control, you can select and start a predefined
selection, for example, Recent events.
The list of events is displayed.

3. Select the events whose associated executable les you want to add to the application category, and then click
the Assign to category button.
The New Category Wizard starts. Proceed through the Wizard by using the Next button.

4. On the Wizard page, specify the relevant settings:

In the Action on executable file related to the event section, select one of the following options:

Add to a new application category

Select this option if you want to create a new application category based on event-related
executable files.
By default, this option is selected.
If you have selected this option, specify a new category name.

Add to an existing application category

Select this option if you want to add event-related executable files to an existing application
category.
By default, this option is not selected.
If you have selected this option, select the application category with content added manually to
which you want to add executable files.

In the Rule type section, select one of the following options:

Rules for adding to inclusions

Rules for adding to exclusions

In the Parameter used as a condition section, select one of the following options:

Certificate details (or SHA-256 hashes for files without a certificate)

Files may be signed with a certificate. Multiple files may be signed with the same certificate. For
example, different versions of the same application may be signed with the same certificate, or
several different applications from the same vendor may be signed with the same certificate. When
you select a certificate, several versions of an application or several applications from the same
vendor may end up in the category.
Each file has its own unique SHA-256 hash. When you select an SHA-256 hash,
only one corresponding file, for example, the defined application version, ends up in the category.
Select this option if you want to add to the category rules the certificate details of an executable
file (or the SHA-256 hash for files without a certificate).
By default, this option is selected.

Certificate details (files without a certificate will be skipped)

Files may be signed with a certificate. Multiple files may be signed with the same certificate. For
example, different versions of the same application may be signed with the same certificate, or
several different applications from the same vendor may be signed with the same certificate. When
you select a certificate, several versions of an application or several applications from the same
vendor may end up in the category.
Select this option if you want to add the certificate details of an executable file to the category
rules. If the executable file has no certificate, this file will be skipped. No information about this file
will be added to the category.

Only SHA-256 (files without a hash will be skipped)

Each file has its own unique SHA-256 hash. When you select an SHA-256 hash,
only one corresponding file, for example, the defined application version, ends up in the category.
Select this option if you want to add only the SHA-256 hash of the
executable file.

Only MD5 (discontinued mode, only for Kaspersky Endpoint Security 10 Service Pack 1 version)

Each file has its own unique MD5 hash. When you select an MD5 hash, only one
corresponding file, for example, the defined application version, ends up in the category.
Select this option if you want to add only the MD5 hash of the executable file.
Computing of the MD5 hash function is supported by Kaspersky Endpoint Security 10 Service Pack 1
for Windows and all earlier versions.

5. Click OK.

When the Wizard finishes, executable files related to the Application Control events are added to the existing
application category or to a new application category. You can view settings of the application category that you
have modified or created.

For detailed information about Application Control, refer to Kaspersky Endpoint Security for Windows Online
Help and to the Kaspersky Security for Virtualization Light Agent.
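The four Parameter used as a condition modes above differ in which files get a rule and how many files that rule later covers. The following Python is an added example, not Kaspersky code: it models each mode over constructed file metadata (the thumbprint and hash strings are placeholders) and shows that a certificate rule derived from one event pulls in every file signed with that certificate, while a hash rule covers exactly one file.

```python
"""Category rules derived from event-related executable files.

Added example (not Kaspersky code). Each mode turns the executable files of
the selected events into category rules; files that lack the chosen parameter
are skipped, exactly as the option descriptions state.
"""
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class ExecutableFile:
    """Constructed metadata for one executable file reported in an event."""
    name: str
    sha256: Optional[str]              # None if no hash was reported for the file
    signer_thumbprint: Optional[str]   # None if the file is unsigned
    md5: Optional[str] = None          # only present for legacy (MD5-only) agents


MODES = ("cert_or_sha256", "cert_only", "sha256_only", "md5_only")


def build_rules(files, mode):
    """Return a set of (criterion, value) rules; a skipped file contributes nothing."""
    if mode not in MODES:
        raise ValueError(f"unknown mode: {mode}")
    rules = set()
    for f in files:
        if mode == "cert_or_sha256":
            if f.signer_thumbprint:
                rules.add(("certificate", f.signer_thumbprint))
            elif f.sha256:
                rules.add(("sha256", f.sha256))  # fallback only for unsigned files
        elif mode == "cert_only" and f.signer_thumbprint:
            rules.add(("certificate", f.signer_thumbprint))
        elif mode == "sha256_only" and f.sha256:
            rules.add(("sha256", f.sha256))
        elif mode == "md5_only" and f.md5:
            rules.add(("md5", f.md5))
    return rules


def matches(rules, f):
    """True if any rule of the category covers file f (used to see what the category will apply to)."""
    for criterion, value in rules:
        if criterion == "certificate" and f.signer_thumbprint == value:
            return True
        if criterion == "sha256" and f.sha256 == value:
            return True
        if criterion == "md5" and f.md5 == value:
            return True
    return False


# Constructed inventory; placeholder thumbprints and hashes, not real values.
SAMPLE_FILES = (
    ExecutableFile("vendor_app_v1.exe", sha256="a1" * 32, signer_thumbprint="VENDOR-CERT-01"),
    ExecutableFile("vendor_app_v2.exe", sha256="b2" * 32, signer_thumbprint="VENDOR-CERT-01"),
    ExecutableFile("unsigned_tool.exe", sha256="c3" * 32, signer_thumbprint=None),
    ExecutableFile("no_hash_reported.exe", sha256=None, signer_thumbprint=None),
)
# Only three of the four files appeared in the selected events.
EVENT_FILES = (SAMPLE_FILES[0], SAMPLE_FILES[2], SAMPLE_FILES[3])


if __name__ == "__main__":
    for mode in MODES:
        rules = build_rules(EVENT_FILES, mode)
        covered = [f.name for f in SAMPLE_FILES if matches(rules, f)]
        print(f"{mode:15s} rules={len(rules)} covers={covered}")
```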
Creating an installation package of a third-party application from the
Kaspersky database
Kaspersky Security Center Web Console allows you to perform remote installation of third-party applications by
using installation packages. Such third-party applications are included in a dedicated Kaspersky database. This
database is created automatically when you run the Download updates to the repository of the Administration
Server task for the first time.

To create an installation package of a third-party application from the Kaspersky database:

1. In Kaspersky Security Center Web Console, open DISCOVERY & DEPLOYMENT → DEPLOYMENT &
ASSIGNMENT → INSTALLATION PACKAGES.

2. Click the Add button.

3. On the New Package Wizard page that opens, select the Select an application from the Kaspersky database
to create an installation package option, and then click Next.

4. In the list of applications that opens, select the relevant application, and then click Next.

5. Select the relevant localization language in the drop-down list, and then click Next.

This step is only displayed if the application offers multiple language options.

6. If you are prompted to accept a License Agreement for the installation, on the End User License Agreement
page that opens, click the link to read the License Agreement on the vendor's website, and then select the I
confirm that I have fully read, understand, and accept the terms and conditions of this End User License
Agreement check box.

7. On the Name of the new installation package page that opens, in the Package name field, enter the name for
the installation package, and then click Next.

Wait until the newly created installation package is uploaded to Administration Server. When the New Package
Wizard displays the message informing you the package creation process was successful, click Finish.

The newly created installation package appears on the list of installation packages. You can select this package
when creating or reconfiguring the Install application remotely task.

Viewing and modifying the settings of an installation package of a third-party application from the Kaspersky database

If you have previously created any installation packages of third-party applications listed in the Kaspersky
database, you can subsequently view and modify the settings of these packages.

Modifying the settings of an installation package of a third-party application from the Kaspersky database is
only available under the Vulnerability and Patch Management license.

To view and modify the settings of an installation package of a third-party application from the Kaspersky
database:

1. In Kaspersky Security Center Web Console, open DISCOVERY & DEPLOYMENT → DEPLOYMENT &
ASSIGNMENT → INSTALLATION PACKAGES.

2. In the list of installation packages that opens, click the name of the relevant package.

3. On the properties page that opens, modify the settings, if necessary.

4. Click the Save button.

The settings that you modified are saved.

Settings of an installation package of a third-party application from the Kaspersky database

The settings of an installation package of a third-party application are grouped on the following tabs:

Only some of the settings listed below are displayed by default. You can add the remaining ones as columns by
clicking the Filter button and selecting the relevant column names from the list.

General tab:

Entry field that contains the name of the installation package that can be edited manually

Application

The name of the third-party application for which the installation package is created.

Version

The version number of the third-party application for which the installation package is created.

Size

The size of the third-party installation package (in kilobytes).

Created

The date and time the third-party installation package was created.

Path

The path to the network folder where the third-party installation package is stored.

Installation procedure tab:

Install required general system components

If this option is enabled, before installing an update the application automatically installs all general
system components (prerequisites) that are required to install the update. For example, these
prerequisites can be operating system updates.
If this option is disabled, you may have to install the prerequisites manually.
By default, this option is disabled.

Table that displays the update properties and containing the following columns:

Name

The name of the update.

Description

The description of the update.

Source

The source of the update, that is, whether it was released by Microsoft or by a different third-party
developer.

Type

The type of the update, that is, whether it is intended for a driver or an application.

Category

The Windows Server Update Services (WSUS) category displayed for Microsoft updates (Critical
Updates, Definition Updates, Drivers, Feature Packs, Security Updates, Service Packs, Tools, Update
Rollups, Updates, or Upgrade).

Importance level according to MSRC

The importance level of the update de ned by Microsoft Security Response Center (MSRC).

Importance level

The importance level of the update de ned by Kaspersky.

Patch importance level (for patches intended for Kaspersky applications)

The importance level of the patch if it is intended for a Kaspersky application.

Article

The identifier (ID) of the article in the Knowledge Base describing the update.

Bulletin

The ID of the security bulletin describing the update.

Not assigned for installation (new version)

Displays whether the update has the Not assigned for installation status.

To be installed

Displays whether the update has the To be installed status.

Installing

Displays whether the update has the Installing status.

Installed

Displays whether the update has the Installed status.

Failed

Displays whether the update has the Failed status.

Restart is required

Displays whether the update has the Restart is required status.

Registered

Displays the date and time when the update was registered.

Installed in interactive mode

Displays whether the update requires interaction with the user during installation.

Revoked

Displays the date and time when the update was revoked.

Update approval status

Displays whether the update is approved for installation.

Revision

Displays the current revision number of the update.

Update ID
Displays the ID of the update.

Application version

Displays the version number to which the application is to be updated.

Superseded

Displays other update(s) that can supersede the update.

Superseding

Displays other update(s) that can be superseded by the update.

You must accept the terms of the License Agreement

Displays whether the update requires acceptance of the terms of an End User License Agreement
(EULA).

Description URL

Displays the name of the update vendor.

Application family

Displays the name of the family of applications to which the update belongs.

Application

Displays the name of the application to which the update belongs.

Localization language

Displays the language of the update localization.

Not assigned for installation (new version)

Displays whether the update has the Not assigned for installation (new version) status.

Requires prerequisites installation

Displays whether the update has the Requires prerequisites installation status.

Download mode

Displays the mode of the update download.

Is a patch
Displays whether the update is a patch.

Not installed

Displays whether the update has the Not installed status.

Settings tab that displays the installation package settings—with their names, descriptions, and values—used
as command-line parameters during installation. If the package provides no such settings, the corresponding
message is displayed. You can modify the values of these settings.

Revision history tab that displays the installation package revisions and containing the following columns:

Revision

Displays the number of the installation package revision.

Time

Displays the time when the revision was created.

User

Displays the name of the user account under which the revision was created.

Action

Lists the action(s) performed on the installation package within the revision.

Description

Displays the text description added for the revision.

Application tags
This section describes application tags, and provides instructions for creating and modifying them as well as for
tagging third-party applications.

About application tags


Kaspersky Security Center enables you to tag third-party applications (applications made by software vendors
other than Kaspersky). A tag is the label of an application that can be used for grouping or finding applications. A
tag assigned to applications can serve as a condition in device selections.

For example, you can create the [Browsers] tag and assign it to all browsers such as Microsoft Internet Explorer,
Google Chrome, Mozilla Firefox.

Creating an application tag
To create an application tag:

1. In the main menu, go to OPERATIONS → THIRD-PARTY APPLICATIONS → APPLICATION TAGS.

2. Click Add.
A new tag window opens.

3. Enter the tag name.

4. Click OK to save the changes.

The new tag appears in the list of application tags.

Renaming an application tag


To rename an application tag:

1. In the main menu, go to OPERATIONS → THIRD-PARTY APPLICATIONS → APPLICATION TAGS.

2. Select the check box next to the tag that you want to rename, and then click Edit.
A tag properties window opens.

3. Change the tag name.

4. Click OK to save the changes.

The updated tag appears in the list of application tags.

Assigning tags to an application


To assign one or several tags to an application:

1. In the main menu, go to OPERATIONS → THIRD-PARTY APPLICATIONS → APPLICATIONS REGISTRY.

2. Click the name of the application to which you want to assign tags.

3. Select the Tags tab.


The tab displays all application tags that exist on the Administration Server. For tags assigned to the selected
application, the check box in the Tag assigned column is selected.

4. For tags that you want to assign, select check boxes in the Tag assigned column.

5. Click Save to save the changes.

The tags are assigned to the application.

Removing assigned tags from an application


To remove one or several tags from an application:

1. In the main menu, go to OPERATIONS → THIRD-PARTY APPLICATIONS → APPLICATIONS REGISTRY.

2. Click the name of the application from which you want to remove tags.

3. Select the Tags tab.


The tab displays all application tags that exist on the Administration Server. For tags assigned to the selected
application, the check box in the Tag assigned column is selected.

4. For tags that you want to remove, clear check boxes in the Tag assigned column.

5. Click Save to save the changes.

The tags are removed from the application.

The removed application tags are not deleted. If you want, you can delete them manually.

Deleting an application tag


To delete an application tag:

1. In the main menu, go to OPERATIONS → THIRD-PARTY APPLICATIONS → APPLICATION TAGS.

2. In the list, select the application tag that you want to delete.

3. Click the Delete button.

4. In the window that opens, click OK.

The application tag is deleted. The deleted tag is automatically removed from all of the applications to which it
was assigned.

Monitoring and reporting


This section describes the monitoring and reporting capabilities of Kaspersky Security Center. These capabilities
give you an overview of your infrastructure, protection statuses, and statistics.

After Kaspersky Security Center deployment or during the operation, you can con gure the monitoring and
reporting features to best suit your needs.

Scenario: Monitoring and reporting
This section provides a scenario for configuring the monitoring and reporting feature in Kaspersky Security Center.

Prerequisites

After you deploy Kaspersky Security Center in an organization's network you can start to monitor it and generate
reports on its functioning.

Monitoring and reporting in an organization's network proceeds in stages:

1 Configuring the switching of device statuses

Get acquainted with the settings for device statuses depending on specific conditions. By changing these
settings, you can change the number of events with Critical or Warning importance levels. When configuring the
switching of device statuses, be sure of the following:

New settings do not conflict with the information security policies of your organization.

You are able to react to important security events in your organization's network in a timely manner.

2 Configuring notifications about events on client devices

How-to instructions:

Configure notification (by email, by SMS, or by running an executable file) of events on client devices

3 Changing the response of your security network to the Virus outbreak event

You can change the specific thresholds in the Administration Server properties. You can also create a stricter
policy that will be activated or create a task that will be run at the occurrence of this event.

4 Performing recommended actions for Critical and Warning notifications

How-to instructions:

Perform recommended actions for your organization's network

5 Reviewing the security status of your organization's network

How-to instructions:

Review the Protection status widget

Generate and review the Report on protection status

Generate and review the Report on errors

6 Locating client devices that are not protected

How-to instructions:

Review the New devices widget

Generate and review the Report on protection deployment

7 Checking protection of client devices

How-to instructions:

Generate and review reports from the Protection status and Threat statistics categories

Start and review the Critical event selection

8 Evaluating and limiting the event load on the database

Information about events that occur during operation of managed applications is transferred from a client
device and registered in the Administration Server database. To reduce the load on the Administration Server,
evaluate and limit the maximum number of events that can be stored in the database.

How-to instructions:

Calculation of database space

Limiting the maximum number of events

9 Reviewing license information

How-to instructions:

Add the License key usage widget to the dashboard and review it

Generate and review the Report on usage of license keys

Results

Upon completion of the scenario, you are informed about protection of your organization's network and, thus, can
plan actions for further protection.

About types of monitoring and reporting


Information on security events in an organization's network is stored in the Administration Server database. Based
on the events, Kaspersky Security Center Web Console provides the following types of monitoring and reporting
in your organization's network:

Dashboard

Reports

Event selections

Notifications

Dashboard

The dashboard allows you to monitor security trends on your organization's network by providing you with a
graphical display of information.

Reports

The Reports feature allows you to get detailed numerical information about the security of your organization's
network, save this information to a file, send it by email, and print it.

Event selections

Event selections provide an onscreen view of named sets of events that are selected from the Administration
Server database. These sets of events are grouped according to the following categories:
By importance level—Critical events, Functional failures, Warnings, and Info events

By time—Recent events

By type—User requests and Audit events

You can create and view user-defined event selections based on the settings available for configuration in the
Kaspersky Security Center Web Console interface.

Notifications

Notifications alert you about events and help you to speed up your responses to these events by performing
recommended actions or actions you consider as appropriate.

Dashboard and widgets


This section contains information about the dashboard and the widgets that the dashboard provides. The section
includes instructions on how to manage widgets and configure widget settings.

Using the dashboard


The dashboard allows you to monitor security trends on your organization's network by providing you with a
graphical display of information.

The dashboard is available in the Kaspersky Security Center Web Console, in the MONITORING & REPORTING
section, by clicking DASHBOARD.

The dashboard provides widgets that can be customized. You can choose from a large number of different widgets,
presented as pie charts or donut charts, tables, graphs, bar charts, and lists. The information displayed in widgets is
updated automatically; the update period is one to two minutes, and the interval between updates varies for different
widgets. You can refresh data on a widget manually at any time by means of the settings menu.

By default, widgets include information about all events stored in the database of Administration Server.

Kaspersky Security Center Web Console has a default set of widgets for the following categories:

Protection status

Deployment

Updating

Threat statistics

Other

Some widgets have text information with links. You can view detailed information by clicking a link.

When configuring the dashboard, you can add widgets that you need, hide widgets that you do not need, change
the size or appearance of widgets, move widgets, and change their settings.

Adding widgets to the dashboard


To add widgets to the dashboard:

1. In the main menu, go to MONITORING & REPORTING → DASHBOARD.

2. Click the Add or restore web widget button.

3. In the list of available widgets, select the widgets that you want to add to the dashboard.
Widgets are grouped by category. To view the list of widgets included in a category, click the chevron icon
next to the category name.

4. Click the Add button.

The selected widgets are added at the end of the dashboard.

You can now edit the representation and parameters of the added widgets.

Hiding a widget from the dashboard


To hide a displayed widget from the dashboard:

1. In the main menu, go to MONITORING & REPORTING → DASHBOARD.

2. Click the settings icon next to the widget that you want to hide.

3. Select Hide web widget.

4. In the Warning window that opens, click OK.

The selected widget is hidden. Later, you can add this widget to the dashboard again.

Moving a widget on the dashboard


To move a widget on the dashboard:

1. In the main menu, go to MONITORING & REPORTING → DASHBOARD.

2. Click the settings icon next to the widget that you want to move.

3. Select Move.

4. Click the place to which you want to move the widget. You can select only another widget.

The places of the selected widgets are swapped.

Changing the widget size or appearance


For widgets that display a graph, you can change its representation—a bar chart or a line chart. For some widgets,
you can change their size: compact, medium, or maximum.

To change the widget representation:

1. In the main menu, go to MONITORING & REPORTING → DASHBOARD.

2. Click the settings icon next to the widget that you want to edit.

3. Do one of the following:

To display the widget as a bar chart, select Chart type: Bars.

To display the widget as a line chart, select Chart type: Lines.

To change the area occupied by the widget, select one of the values:

Compact

Compact (bar only)

Medium (donut chart)

Medium (bar chart)

Maximum

The representation of the selected widget is changed.

Changing widget settings


To change settings of a widget:

1. In the main menu, go to MONITORING & REPORTING → DASHBOARD.

2. Click the settings icon next to the widget that you want to change.

3. Select Show settings.

4. In the widget settings window that opens, change the widget settings as required.
5. Click Save to save the changes.

The settings of the selected widget are changed.

The set of settings depends on the specific widget. Below are some of the common settings:

Web widget scope (the set of objects for which the widget displays information)—for example, an
administration group or device selection.

Select task (the task for which the widget displays information).

Time interval (the time interval during which the information is displayed in the widget)—between the two
specified dates; from the specified date to the current day; or from the current day minus the specified number
of days to the current day.

Set to Critical if these are specified and Set to Warning if these are specified (the rules that determine the
color of a traffic light).

About the Dashboard-only mode


You can configure the Dashboard-only mode for employees who do not manage the network but who want to view
the network protection statistics in Kaspersky Security Center (for example, a top manager). When a user has this
mode enabled, only a dashboard with a predefined set of widgets is displayed to the user. Thus, he or she can
monitor the statistics specified in the widgets, for example, the protection status of all managed devices, the
number of recently detected threats, or the list of the most frequent threats in the network.

When a user works in the Dashboard-only mode, the following restrictions are applied:

The main menu is not displayed to the user, so he or she cannot change the network protection settings.

The user cannot perform any actions with widgets, for example, add or hide them. Therefore, you need to put all
widgets required for the user on the dashboard and configure them, for instance, set the rule of counting
objects or specify the time interval.

You cannot assign the Dashboard-only mode to yourself. If you want to work in this mode, contact a system
administrator, Managed Service Provider (MSP), or a user with the Modify object ACLs right in the General
features: User permissions functional area.

Configuring the Dashboard-only mode


Before you begin to configure the Dashboard-only mode, make sure that the following prerequisites are met:

You have the Modify object ACLs right in the General features: User permissions functional area. If you do
not have this right, the tab for con guring the mode will be missing.

The user has the Read right in the General features: Basic functionality functional area.

If a hierarchy of Administration Servers is arranged in your network, for configuring the Dashboard-only mode
go to the Server where the user account is available in the USERS & ROLES → USERS section. It can be a
primary server or physical secondary server. It is not possible to adjust the mode on a virtual server.

To configure the Dashboard-only mode:

1. In the main menu, go to USERS & ROLES → USERS.

2. Click the user account name for which you want to adjust the dashboard with widgets.

3. In the account settings window that opens, select the Dashboard tab.
On the tab that opens, the same dashboard is displayed for you as for the user.

4. If the Display the console in Dashboard-only mode option is enabled, switch the toggle button to disable it.
When this option is enabled, you are also unable to change the dashboard. After you disable the option, you can
manage widgets.

5. Configure the dashboard appearance. The set of widgets prepared on the Dashboard tab is available for the
user with the customizable account. He or she cannot change any settings or size of the widgets, add, or
remove any widgets from the dashboard. Therefore, adjust them for the user, so he or she can view the
network protection statistics. For this purpose, on the Dashboard tab you can perform the same actions with
widgets as in the MONITORING & REPORTING → DASHBOARD section:

Add new widgets to the dashboard.

Hide widgets that the user doesn't need.

Move widgets into a specific order.

Change the size or appearance of widgets.

Change the widget settings.

6. Switch the toggle button to enable the Display the console in Dashboard-only mode option.
After that, only the dashboard is available for the user. He or she can monitor statistics but cannot change the
network protection settings and dashboard appearance. As the same dashboard is displayed for you as for the
user, you are also unable to change the dashboard.
If you keep the option disabled, the main menu is displayed for the user, so he or she can perform various
actions in Kaspersky Security Center, including changing security settings and widgets.

7. Click the Save button when you finish configuring the Dashboard-only mode. Only after that will the prepared
dashboard be displayed to the user.

8. If the user wants to view statistics of supported Kaspersky applications and needs access rights to do so,
configure the rights for the user. After that, Kaspersky applications data is displayed for the user in the widgets
of these applications.

Now the user can log in to Kaspersky Security Center under the customized account and monitor the network
protection statistics in the Dashboard-only mode.

Reports
This section describes how to use reports, manage custom report templates, use report templates to generate
new reports, and create report delivery tasks.

Using reports
The Reports feature allows you to get detailed numerical information about the security of your organization's
network, save this information to a file, send it by email, and print it.

Reports are available in the Kaspersky Security Center Web Console, in the MONITORING & REPORTING section,
by clicking REPORTS.

By default, reports include information for the last 30 days.

Kaspersky Security Center has a default set of reports for the following categories:

Protection status

Deployment

Updating

Threat statistics

Other

You can create custom report templates, edit report templates, and delete them.

You can create reports that are based on existing templates, export reports to files, and create tasks for report
delivery.

Creating a report template


To create a report template:

1. In the main menu, go to MONITORING & REPORTING → REPORTS.

2. Click Add.
The New Report Template Wizard starts. Proceed through the Wizard by using the Next button.

3. On the first page of the Wizard, enter the report name and select the report type.

4. On the Scope page of the Wizard, select the set of client devices (administration group, device selection,
selected devices, or all networked devices) whose data will be displayed in reports that are based on this report
template.

5. On the Reporting period page of the Wizard, specify the report period. Available values are as follows:

Between the two specified dates

From the specified date to the report creation date

From the report creation date, minus the specified number of days, to the report creation date

This page may not appear for some reports.

6. Click OK to close the Wizard.

7. Do one of the following:

Click the Save and run button to save the new report template and to run a report based on it.
The report template is saved. The report is generated.

Click the Save button to save the new report template.


The report template is saved.

You can use the new template for generating and viewing reports.

Viewing and editing report template properties


You can view and edit basic properties of a report template, for example, the report template name or the fields
displayed in the report.

To view and edit properties of a report template:

1. In the main menu, go to MONITORING & REPORTING → REPORTS.

2. Select the check box next to the report template whose properties you want to view and edit.
As an alternative, you can first generate the report, and then click the Edit button.

3. Click the Open report template properties button.


The Editing report <Report name> window opens with the General tab selected.

4. Edit the report template properties:

General tab:

Report template name

Maximum number of entries to display

If this option is enabled, the number of entries displayed in the table with detailed report data does
not exceed the specified value.
Report entries are first sorted according to the rules specified in the Fields → Details fields section
of the report template properties, and then only the first of the resulting entries are kept. The
heading of the table with detailed report data shows the displayed number of entries and the total
available number of entries that match other report template settings.
If this option is disabled, the table with detailed report data displays all available entries. We do not
recommend that you disable this option. Limiting the number of displayed report entries reduces
the load on the database management system (DBMS) and reduces the time required for generating
and exporting the report. Some of the reports contain too many entries. If this is the case, you may
find it difficult to read and analyze them all. Also, your device may run out of memory while
generating such a report and, consequently, you will not be able to view the report.
By default, this option is enabled. The default value is 1000.

Group
Click the Settings button to change the set of client devices for which the report is created. For some
types of the reports, the button may be unavailable. The actual settings depend on the settings
specified during creation of the report template.

Time interval
Click the Settings button to modify the report period. For some types of the reports, the button may be
unavailable. Available values are as follows:

Between the two specified dates

From the specified date to the report creation date

From the report creation date, minus the specified number of days, to the report creation date

Include data from secondary and virtual Administration Servers

If this option is enabled, the report includes the information from the secondary and virtual
Administration Servers that are subordinate to the Administration Server for which the report
template is created.
Disable this option if you want to view data only from the current Administration Server.
By default, this option is enabled.

Up to nesting level

The report includes data from secondary and virtual Administration Servers that are located under
the current Administration Server on a nesting level that is less than or equal to the specified value.
The default value is 1. You may want to change this value if you have to retrieve information from
secondary Administration Servers located at lower levels in the tree.

Data wait interval (min)

Before generating the report, the Administration Server for which the report template is created
waits for data from secondary Administration Servers during the specified number of minutes. If no
data is received from a secondary Administration Server at the end of this period, the report runs
anyway. Instead of the actual data, the report shows data taken from the cache (if the Cache data
from secondary Administration Servers option is enabled), or N/A (not available) otherwise.
The default value is 5 (minutes).

Cache data from secondary Administration Servers

Secondary Administration Servers regularly transfer data to the Administration Server for which the
report template is created. There, the transferred data is stored in the cache.
If the current Administration Server cannot receive data from a secondary Administration Server
while generating the report, the report shows data taken from the cache. The date when the data
was transferred to the cache is also displayed.
Enabling this option allows you to view the information from secondary Administration Servers even
if the up-to-date data cannot be retrieved. However, the displayed data can be obsolete.
By default, this option is disabled.

Cache update frequency (h)

Secondary Administration Servers at regular intervals transfer data to the Administration Server for
which the report template is created. You can specify this period in hours. If you specify 0 hours,
data is transferred only when the report is generated.
The default value is 0.

Transfer detailed information from secondary Administration Servers

In the generated report, the table with detailed report data includes data from secondary
Administration Servers of the Administration Server for which the report template is created.
Enabling this option slows the report generation and increases traffic between Administration
Servers. However, you can view all data in one report.
Instead of enabling this option, you may want to analyze detailed report data to detect a faulty
secondary Administration Server, and then generate the same report only for that faulty
Administration Server.
By default, this option is disabled.

Fields tab
Select the fields that will be displayed in the report, and use the Move up button and Move down button to
change the order of these fields. Use the Add button or Edit button to specify whether the information in
the report must be sorted and filtered by each of the fields.
In the Filters of Details fields section, you can also click the Convert filters button to start using the
extended filtering format. This format enables you to combine filtering conditions specified in various fields
by using the logical OR operation. After you click the button, the Convert filters panel opens on the right.
Click the Convert filters button to confirm conversion. You can now define a converted filter with
conditions from the Details fields section that are applied by using the logical OR operation.

Conversion of a report to the format supporting complex filtering conditions will make the report
incompatible with the previous versions of Kaspersky Security Center (11 and earlier). Also, the
converted report will not contain any data from secondary Administration Servers running such
incompatible versions.

5. Click Save to save the changes.

6. Close the Editing report <Report name> window.

The updated report template appears in the list of report templates.

Exporting a report to a file
You can export a report to an XML, HTML, or PDF file.

To export a report to a file:

1. In the main menu, go to MONITORING & REPORTING → REPORTS.

2. Select the check box next to the report that you want to export to a file.

3. Click the Export report button.


4. In the window that opens, change the report file name in the Name field. By default, the file name coincides with
the name of the selected report template.

5. Select the report file type: XML, HTML, or PDF.

6. Click the Export report button.


The report in the selected format will be downloaded to your device—to the default folder of your device—or a
standard Save as window in your browser will open to let you save the file where you want.

The report is saved to the file.

Generating and viewing a report


To create and view a report:

1. In the main menu, go to MONITORING & REPORTING → REPORTS.

2. Click the name of the report template that you want to use to create a report.

A report using the selected template is generated and displayed.

Report data is displayed according to the localization set for the Administration Server.

The report displays the following data:

On the Summary tab:

The name and type of report, a brief description and the reporting period, as well as information about the
group of devices for which the report is generated.

Graph chart showing the most representative report data.

Consolidated table with calculated report indicators.

On the Details tab, a table with detailed report data is displayed.

Creating a report delivery task


You can create a task that will deliver selected reports.

To create a report delivery task:

1. In the main menu, go to MONITORING & REPORTING → REPORTS.

2. [Optional] Select the check boxes next to the report templates for which you want to create a report delivery
task.

3. Click the New report delivery task button.


4. The Add Task Wizard starts. Proceed through the Wizard by using the Next button.

5. On the first page of the Wizard, enter the task name. The default name is Deliver reports (<N>), where <N> is
the sequence number of the task.

6. On the task settings page of the Wizard, specify the following settings:

a. Report templates to be delivered by the task. If you selected them at step 2, skip this step.

b. The report format: HTML, XLS, or PDF.

c. Whether the reports are to be sent by email, together with email notification settings.

d. Whether the reports are to be saved to a folder, whether previously saved reports in this folder are to be
overwritten, and whether a specific account is to be used to access the folder (for a shared folder).

7. If you want to modify other task settings after the task is created, on the Finish task creation page of the
Wizard enable the Open task details when creation is complete option.

8. Click the Create button to create the task and close the Wizard.
The report delivery task is created. If you enabled the Open task details when creation is complete option,
the task settings window opens.

Deleting report templates


To delete one or several report templates:

1. In the main menu, go to MONITORING & REPORTING → REPORTS.

2. Select check boxes next to the report templates that you want to delete.

3. Click the Delete button.

4. In the window that opens, click OK to confirm your selection.

The selected report templates are deleted. If these report templates were included in the report delivery tasks,
they are also removed from the tasks.

Events and event selections


This section provides information about events and event selections, about the types of events that occur in
Kaspersky Security Center components, and about managing frequent events blocking.

Using event selections


Event selections provide an onscreen view of named sets of events that are selected from the Administration
Server database. These sets of events are grouped according to the following categories:

By importance level—Critical events, Functional failures, Warnings, and Info events

By time—Recent events

By type—User requests and Audit events

You can create and view user-defined event selections based on the settings that are available for configuration
in the Kaspersky Security Center Web Console interface.

Event selections are available in the Kaspersky Security Center Web Console, in the MONITORING & REPORTING
section, by clicking EVENT SELECTIONS.

By default, event selections include information for the last seven days.

Kaspersky Security Center has a default set of predefined event selections:

Events with different importance levels:

Critical events

Functional failures

Warnings

Informational messages

User requests (events of managed applications)

Recent events (over the last week)

Audit events.

You can also create and configure additional user-defined selections. In user-defined selections, you can filter
events by the properties of the devices they originated from (device names, IP ranges, and administration groups),
by event types and severity levels, by application and component name, and by time interval. It is also possible to
include task results in the search scope. You can also use a simple search field where a word or several words can
be typed. All events that contain any of the typed words anywhere in their attributes (such as event name,
description, component name) are displayed.

Both for predefined and user-defined selections, you can limit the number of displayed events or the number of
records to search. Both options affect the time it takes Kaspersky Security Center to display the events. The
larger the database is, the more time-consuming the process can be.

You can do the following:

Edit properties of event selections

Generate event selections

View details of event selections

Delete event selections

Delete events from the Administration Server database

Creating an event selection
To create an event selection:

1. In the main menu, go to MONITORING & REPORTING → EVENT SELECTIONS.

2. Click Add.

3. In the New event selection window that opens, specify the settings of the new event selection. Do this in one
or more of the sections in the window.

4. Click Save to save the changes.


The confirmation window opens.

5. To view the event selection result, keep the Go to selection result check box selected.

6. Click Save to confirm the event selection creation.

If you kept the Go to selection result check box selected, the event selection result is displayed. Otherwise, the
new event selection appears in the list of event selections.

Editing an event selection


To edit an event selection:

1. In the main menu, go to MONITORING & REPORTING → EVENT SELECTIONS.

2. Select the check box next to the event selection that you want to edit.

3. Click the Properties button.


An event selection settings window opens.

4. Edit the properties of the event selection.

For predefined event selections, you can edit only the properties on the following tabs: General (except
for the selection name), Time, and Access rights.

For user-defined selections, you can edit all properties.

5. Click Save to save the changes.

The edited event selection is shown in the list.

Viewing a list of an event selection

To view an event selection:

1. In the main menu, go to MONITORING & REPORTING → EVENT SELECTIONS.

2. Select the check box next to the event selection that you want to start.

3. Do one of the following:

If you want to configure sorting in the event selection result, do the following:

a. Click the Reconfigure sorting and start button.

b. In the displayed Reconfigure sorting for event selection window, specify the sorting settings.

c. Click the name of the selection.

Otherwise, if you want to view the list of events as they are sorted on the Administration Server, click the
name of the selection.

The event selection result is displayed.

Viewing details of an event

To view details of an event:

1. Start an event selection.

2. Click the time of the required event.


The Event properties window opens.

3. In the displayed window, you can do the following:

View the information about the selected event

Go to the next event and the previous event in the event selection result

Go to the device on which the event occurred

Go to the administration group that includes the device on which the event occurred

For an event related to a task, go to the task properties

Exporting events to a file
To export events to a file:

1. Start an event selection.

2. Select the check box next to the required event.


3. Click the Export to file button.

The selected event is exported to a file.

Viewing an object history from an event


From an event of creation or modification of an object that supports revision management, you can switch to the
revision history of the object.

To view an object history from an event:

1. Start an event selection.

2. Select the check box next to the required event.

3. Click the Revision history button.

The revision history of the object is opened.

Deleting events
To delete one or several events:

1. Start an event selection.

2. Select the check boxes next to the required events.

3. Click the Delete button.

The selected events are deleted and cannot be restored.

Deleting event selections

You can delete only user-defined event selections. Predefined event selections cannot be deleted.

To delete one or several event selections:

1. In the main menu, go to MONITORING & REPORTING → EVENT SELECTIONS.

2. Select the check boxes next to the event selections that you want to delete.

3. Click Delete.

4. In the window that opens, click OK.

The event selection is deleted.

Setting the storage term for an event


Kaspersky Security Center allows you to receive information about events that occur during the operation of
Administration Server and Kaspersky applications installed on managed devices. Information about events is saved
in the Administration Server database. You might need to store some events for a longer or shorter period of time
than specified by default values. You can change the default settings of the storage term for an event.

If you are not interested in storing some events in the database of Administration Server, you can disable the
appropriate setting in the Administration Server policy and Kaspersky application policy, or in the Administration
Server properties (only for Administration Server events). This will reduce the number of event types in the
database.

The longer the storage term for an event, the faster the database reaches its maximum capacity. However, a longer
storage term for an event lets you perform monitoring and reporting tasks for a longer period of time.

To set the storage term for an event in the database of Administration Server:

1. Select DEVICES → POLICIES & PROFILES.

2. Do one of the following:

To configure the storage term of the events of Network Agent or of a managed Kaspersky application, click
the name of the corresponding policy.
The policy properties page opens.

To configure Administration Server events, at the top of the screen, click the settings icon next to the
name of the required Administration Server.
If you have a policy for the Administration Server, you can click the name of this policy instead.
The Administration Server properties page (or the Administration Server policy properties page) opens.

3. Select the Event configuration tab.


A list of event types related to the Critical section is displayed.

4. Select the Functional failure, Warning, or Info section.

5. In the list of event types in the right pane, click the link for the event whose storage term you want to change.
In the Event registration section of the window that opens, the Store in the Administration Server database
for (days) option is enabled.

6. In the edit box below this toggle button, enter the number of days to store the event.

7. If you do not want to store an event in the Administration Server database, disable the Store in the
Administration Server database for (days) option.

If you configure Administration Server events in the Administration Server properties window and the event
settings are locked in the Kaspersky Security Center Administration Server policy, you cannot redefine the
storage term value for an event.

8. Click OK.
The properties window of the policy is closed.

From now on, when Administration Server receives and stores the events of the selected type, they will have the
changed storage term. Administration Server does not change the storage term of previously received events.

Event types
Each Kaspersky Security Center component has its own set of event types. This section lists types of events that
occur in Kaspersky Security Center Administration Server, Network Agent, iOS MDM Server, and Exchange Mobile
Device Server. Types of events that occur in Kaspersky applications are not listed in this section.

Data structure of event type description


For each event type, its display name, identifier (ID), alphabetic code, description, and the default storage term are
provided.

Event type display name. This text is displayed in Kaspersky Security Center when you configure events and
when they occur.

Event type ID. This numerical code is used when you process events by using third-party tools for event
analysis.

Event type (alphabetic code). This code is used when you browse and process events by using public views
that are provided in the Kaspersky Security Center database and when events are exported to a SIEM system.

Description. This text contains the situations when an event occurs and what you can do in such a case.

Default storage term. This is the number of days during which the event is stored in the Administration Server
database and is displayed in the list of events on Administration Server. After this period elapses, the event is
deleted. If the event storage term value is 0, such events are detected but are not displayed in the list of events
on Administration Server. If you configured such events to be saved to the operating system event log, you can
find them there.
You can change the storage term for events:

Administration Console: Setting the storage term for an event

Kaspersky Security Center Web Console: Setting the storage term for an event

Other data may include the following fields:

event_id: unique number of the event in the database, generated and assigned automatically; not to be
confused with Event type ID.

task_id: the ID of the task that caused the event (if any)

severity: one of the following severity levels (in the ascending order of severity):
0) Invalid severity level
1) Info
2) Warning
3) Error
4) Critical
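The event record fields listed above (event_id, task_id, severity 0 to 4, the numeric event type ID and the alphabetic code) and the event selection filters described earlier in this section (severity, time interval, simple word search, record limit) can be exercised offline with the following Python script. It is an added example, not part of the Kaspersky documentation and not Kaspersky code. The "key=value;key=value" record layout, the device names, the EXAMPLE_EV_INFO record and the assumed current date are constructed placeholders, because the page does not describe the real export format; the alphabetic codes, numeric IDs, severity numbering and the 180-day default storage term are taken from this section and from the Administration Server critical events table that follows.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Iterable, List, Optional, Sequence

# Severity levels, numbered as in "Data structure of event type description".
SEVERITY_NAMES = {0: "Invalid severity level", 1: "Info", 2: "Warning", 3: "Error", 4: "Critical"}

# Administration Server critical event types from the table in this section:
# alphabetic code -> (accepted numeric event type IDs, default storage term in days).
CRITICAL_EVENT_TYPES = {
    "KLSRV_EV_LICENSE_CHECK_MORE_110": ({4099}, 180),
    "GNRL_EV_VIRUS_OUTBREAK": ({26, 27, 28}, 180),  # File/Mail Threat Protection, Firewall
    "KLSRV_HOST_OUT_CONTROL": ({4111}, 180),
    "KLSRV_HOST_STATUS_CRITICAL": ({4113}, 180),
    "KLSRV_LICENSE_BLACKLISTED": ({4124}, 180),
    "KLSRV_EV_LICENSE_SRV_LIMITED_MODE": ({4130}, 180),
}

@dataclass
class Event:
    event_id: int          # unique number of the event in the database (not the type ID)
    event_type: str        # alphabetic code, e.g. KLSRV_HOST_OUT_CONTROL
    event_type_id: int     # numeric event type ID
    severity: int          # 0..4, see SEVERITY_NAMES
    device: str
    occurred: datetime
    task_id: Optional[int] = None   # ID of the task that caused the event, if any
    description: str = ""

def parse_event_line(line: str) -> Event:
    """Parse one 'key=value;key=value' record (constructed layout, not the real export format)."""
    fields = {}
    for part in line.strip().split(";"):
        key, _, value = part.partition("=")
        if key:
            fields[key.strip()] = value.strip()
    task = fields.get("task_id")
    return Event(
        event_id=int(fields["event_id"]),
        event_type=fields["event_type"],
        event_type_id=int(fields["event_type_id"]),
        severity=int(fields["severity"]),
        device=fields["device"],
        occurred=datetime.fromisoformat(fields["occurred"]),
        task_id=int(task) if task else None,
        description=fields.get("description", ""),
    )

def is_documented_critical(event: Event) -> bool:
    """True only if the alphabetic code is a documented critical type AND the numeric
    ID belongs to that code; a mismatch points to a malformed or mislabeled record."""
    entry = CRITICAL_EVENT_TYPES.get(event.event_type)
    return entry is not None and event.event_type_id in entry[0]

def in_interval(event: Event, now: datetime, start: Optional[datetime] = None,
                end: Optional[datetime] = None, last_days: Optional[int] = None) -> bool:
    """Three interval forms used by widgets, reports and selections:
    between two dates; from a date to now; or the last N days up to now."""
    if last_days is not None:
        start, end = now - timedelta(days=last_days), now
    if start is not None and event.occurred < start:
        return False
    return end is None or event.occurred <= end

def select_events(events: Iterable[Event], now: datetime, min_severity: int = 1,
                  last_days: int = 7, words: Sequence[str] = (),
                  limit: int = 1000) -> List[Event]:
    """Mimic a user-defined event selection: filter by severity, by time interval
    (default: last seven days) and by a word search over the event attributes,
    then cap the number of displayed records; most severe and oldest first."""
    selected = []
    for e in events:
        if e.severity < min_severity or not in_interval(e, now, last_days=last_days):
            continue
        haystack = " ".join([e.event_type, e.device, e.description]).lower()
        if words and not any(w.lower() in haystack for w in words):
            continue
        selected.append(e)
    selected.sort(key=lambda e: (-e.severity, e.occurred))
    return selected[:limit]

def retention_deadline(event: Event, storage_days: int) -> Optional[datetime]:
    """Date after which Administration Server deletes the event from its database;
    a storage term of 0 means the event is not kept at all (None)."""
    return None if storage_days <= 0 else event.occurred + timedelta(days=storage_days)

# Constructed sample export (four records, not real product output).
SAMPLE_EXPORT = """\
event_id=1001;event_type=KLSRV_HOST_OUT_CONTROL;event_type_id=4111;severity=4;device=WS-017;occurred=2023-05-02T08:15:00;description=Device has become unmanaged
event_id=1002;event_type=GNRL_EV_VIRUS_OUTBREAK;event_type_id=26;severity=4;device=ADMSRV;occurred=2023-05-02T09:40:00;description=Virus outbreak (File Threat Protection)
event_id=1003;event_type=KLSRV_HOST_STATUS_CRITICAL;event_type_id=4113;severity=4;device=WS-022;occurred=2023-04-20T11:00:00;description=Device status is Critical
event_id=1004;event_type=EXAMPLE_EV_INFO;event_type_id=9999;severity=1;device=WS-017;occurred=2023-05-03T07:05:00;task_id=42;description=Constructed informational event
"""
SAMPLE_NOW = datetime(2023, 5, 4)  # assumed "current day" for the sample

def load_sample() -> List[Event]:
    return [parse_event_line(l) for l in SAMPLE_EXPORT.splitlines() if l.strip()]
```

Calling select_events(load_sample(), SAMPLE_NOW, min_severity=4) reproduces a "Critical events" selection over the default seven-day window and returns only the unmanaged-device and virus-outbreak records; the older Critical-status event drops out of the window. is_documented_critical catches records whose numeric ID and alphabetic code disagree, which is the check to run before feeding exported events into a SIEM rule keyed on either value, and retention_deadline shows when an event with the 180-day default term leaves the database, which is also the horizon beyond which a report over a longer interval can no longer include it.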

Administration Server events


This section contains information about the events related to the Administration Server.

Administration Server critical events


The table below shows the event types of Kaspersky Security Center Administration Server that have the Critical
importance level.
Administration Server critical events

Event type display name: License limit has been exceeded
Event type ID: 4099
Event type: KLSRV_EV_LICENSE_CHECK_MORE_110
Description: Once a day Kaspersky Security Center checks whether a licensing restriction is exceeded. Events of
this type occur when Administration Server detects that some licensing limits are exceeded by Kaspersky
applications installed on client devices and if the number of currently used licensing units covered by a single
license exceeds 110% of the total number of units covered by the license. Even when this event occurs, client
devices are protected.
You can respond to the event in the following ways:
  Look through the managed devices list. Delete devices that are not in use.
  Provide a license for more devices (add a valid activation code or a key file to Administration Server).
Kaspersky Security Center determines the rules to generate events when a licensing restriction is exceeded.
Default storage term: 180 days

Event type display name: Virus outbreak
Event type ID: 26 (for File Threat Protection)
Event type: GNRL_EV_VIRUS_OUTBREAK
Description: Events of this type occur when the number of malicious objects detected on several managed devices
exceeds the threshold within a short period of time.
You can respond to the event in the following ways:
  Configure the threshold in the Administration Server properties.
  Create a stricter policy that will be activated, or create a task that will be run, at the occurrence of this event.
Default storage term: 180 days

Event type display name: Virus outbreak
Event type ID: 27 (for Mail Threat Protection)
Event type: GNRL_EV_VIRUS_OUTBREAK
Description: Events of this type occur when the number of malicious objects detected on several managed devices
exceeds the threshold within a short period of time.
You can respond to the event in the following ways:
  Configure the threshold in the Administration Server properties.
  Create a stricter policy that will be activated, or create a task that will be run, at the occurrence of this event.
Default storage term: 180 days

Event type display name: Virus outbreak
Event type ID: 28 (for Firewall)
Event type: GNRL_EV_VIRUS_OUTBREAK
Description: Events of this type occur when the number of malicious objects detected on several managed devices
exceeds the threshold within a short period of time.
You can respond to the event in the following ways:
  Configure the threshold in the Administration Server properties.
  Create a stricter policy that will be activated, or create a task that will be run, at the occurrence of this event.
Default storage term: 180 days

Event type display name: Device has become unmanaged
Event type ID: 4111
Event type: KLSRV_HOST_OUT_CONTROL
Description: Events of this type occur if a managed device is visible on the network but has not connected to
Administration Server for a specific period of time.
Find out what prevents the proper functioning of Network Agent on the device. Possible causes include network
issues and removal of Network Agent from the device.
Default storage term: 180 days

Event type display name: Device status is Critical
Event type ID: 4113
Event type: KLSRV_HOST_STATUS_CRITICAL
Description: Events of this type occur when a managed device is assigned the Critical status. You can configure
the conditions under which the device status is changed to Critical.
Default storage term: 180 days

Event type display name: The key file has been added to the denylist
Event type ID: 4124
Event type: KLSRV_LICENSE_BLACKLISTED
Description: Events of this type occur when Kaspersky has added the activation code or key file that you use to
the denylist. Contact Technical Support for more details.
Default storage term: 180 days

Event type display name: Limited functionality mode
Event type ID: 4130
Event type: KLSRV_EV_LICENSE_SRV_LIMITED_MODE
Description: Events of this type occur when Kaspersky Security Center starts to operate with basic functionality,
without Vulnerability and Patch Management and without Mobile Device Management features.
Following are causes of, and appropriate responses to, the event:
  License term has expired. Provide a license to use the full functionality mode of Kaspersky Security Center
  (add a valid activation code or a key file to Administration Server).
  Administration Server manages more devices than specified by the license limit. Move devices from the
  administration groups of an Administration Server to those of another Administration Server (if the license
  limit of the other Administration
Server allows).

1361
License 4129 KLSRV_EV_LICENSE_SRV_EXPIRE_SOON Events of this type 180
expires soon occur when the days
commercial license
expiration date is
approaching.
Once a day
Kaspersky Security
Center checks
whether a license
expiration date is
approaching. Events
of this type are
published 30 days, 15
days, 5 days and 1
day before the
license expiration
date. You cannot
change the number
of days. If the
Administration
Server is turned o
on the speci ed day
before the license
expiration date, the
event will not be
published until the
next day.
When the
commercial license
expires, Kaspersky
Security Center
provides only basic
functionality.
You can respond to
the event in the
following ways:
Make sure that a
reserve license
key is added to
Administration
Server.

If you use a
subscription,
make sure to
renew it. An
unlimited
subscription is
renewed
automatically if it
has been prepaid
to the service
provider by the
due date.

Certi cate 4132 KLSRV_CERTIFICATE_EXPIRED Events of this type 180

1362
has expired occur when the days
Administration
Server certi cate for
Mobile Device
Management expires.
You need to update
the expired
certi cate.
You can con gure
automatic updates
of certi cates by
selecting the
Reissue certi cate
automatically if
possible check box
in the certi cate
issuance settings.

Updates for 4142 KLSRV_SEAMLESS_UPDATE_REVOKED Events of this type 180


Kaspersky occur if seamless days
software updates have been
modules revoked (Revoked
have been status is displayed
revoked for these updates)
by Kaspersky
technical specialists;
for example, they
must be updated to
a newer version. The
event concerns
Kaspersky Security
Center patches and
does not concern
modules of managed
Kaspersky
applications. The
event provides the
reason that the
seamless updates
are not installed.

Administration Server functional failure events


The table below shows the event types of Kaspersky Security Center Administration Server that have the
Functional failure importance level.

For each event that can be generated by an application, you can specify notification settings and storage settings on the Event configuration tab in the application policy. For Administration Server, you can additionally view and configure the event list in the Administration Server properties. If you want to configure notification settings for all the events at once, configure general notification settings in the Administration Server properties.

Administration Server functional failure events

Each entry below gives the event type display name, followed by the event type ID, the event type, and the default storage term, and then the description.

Runtime error (event type ID 4125; event type KLSRV_RUNTIME_ERROR; default storage term 180 days)
Events of this type occur because of unknown issues. Most often these are DBMS issues, network issues, and other software and hardware issues. Details of the event can be found in the event description.

Limit of installations has been exceeded for one of the licensed applications groups (event type ID 4126; event type KLSRV_INVLICPROD_EXCEDED; default storage term 180 days)
Administration Server generates events of this type periodically (every hour). Events of this type occur if in Kaspersky Security Center you manage license keys of third-party applications and if the number of installations has exceeded the limit set by the license key of the third-party application.
You can respond to the event in the following ways:
- Look through the managed devices list. Delete the third-party application from devices on which the application is not in use.
- Use a third-party license for more devices.
You can manage license keys of third-party applications using the functionality of licensed applications groups. A licensed applications group includes third-party applications that meet criteria set by you.

Failed to poll the cloud segment (event type ID 4143; event type KLSRV_KLCLOUD_SCAN_ERROR; default storage term: not stored)
Events of this type occur when Administration Server fails to poll a network segment in a cloud environment. Read the details in the event description and respond accordingly.

Failed to copy the updates to the specified folder (event type ID 4123; event type KLSRV_UPD_REPL_FAIL; default storage term 180 days)
Events of this type occur when software updates are copied to an additional shared folder(s).
You can respond to the event in the following ways:
- Check whether the user account that is employed to gain access to the folder(s) has write permission.
- Check whether a user name and/or a password to the folder(s) changed.
- Check the internet connection, as it might be the cause of the event. Follow the instructions to update databases and software modules.

No free disk space (event type ID 4107; event type KLSRV_DISK_FULL; default storage term 180 days)
Events of this type occur when the hard drive of the device on which Administration Server is installed runs out of free space. Free up disk space on the device.

Shared folder is not available (event type ID 4108; event type KLSRV_SHARED_FOLDER_UNAVAILABLE; default storage term 180 days)
Events of this type occur if the shared folder of Administration Server is not available.
You can respond to the event in the following ways:
- Check whether the Administration Server (where the shared folder is located) is turned on and available.
- Check whether a user name and/or a password to the folder is/are changed.
- Check the network connection.

The Administration Server database is unavailable (event type ID 4109; event type KLSRV_DATABASE_UNAVAILABLE; default storage term 180 days)
Events of this type occur if the Administration Server database becomes unavailable.
You can respond to the event in the following ways:
- Check whether the remote server that has SQL Server installed is available.
- View the DBMS logs to discover the reason for Administration Server database unavailability. For example, because of preventive maintenance a remote server with SQL Server installed might be unavailable.

No free space in the Administration Server database (event type ID 4110; event type KLSRV_DATABASE_FULL; default storage term 180 days)
Events of this type occur when there is no free space in the Administration Server database. Administration Server does not function when its database has reached its capacity and when further recording to the database is not possible.
Following are the causes of this event, depending on the DBMS that you use, and appropriate responses to the event:
- You use the SQL Server Express Edition DBMS:
  In the SQL Server Express documentation, review the database size limit for the version you use. Probably your Administration Server database has exceeded the database size limit. Limit the number of events to store in the Administration Server database.
  In the Administration Server database there are too many events sent by the Application Control component. You can change the settings of the Kaspersky Endpoint Security for Windows policy relating to Application Control event storage in the Administration Server database.
- You use a DBMS other than SQL Server Express Edition:
  Do not limit the number of events to store in the Administration Server database. Reduce the list of events to store in the Administration Server database. Review the information on DBMS selection.
Administration Server warning events


The table below shows the events of Kaspersky Security Center Administration Server that have the Warning
importance level.

For each event that can be generated by an application, you can specify notification settings and storage settings on the Event configuration tab in the application policy. For Administration Server, you can additionally view and configure the event list in the Administration Server properties. If you want to configure notification settings for all the events at once, configure general notification settings in the Administration Server properties.

Administration Server warning events

Each entry below gives the event type display name, followed by the event type ID, the event type, and the default storage term, and then the description.

A frequent event has been detected (no event type ID listed; event type KLSRV_EVENT_SPAM_EVENTS_DETECTED; default storage term 90 days)
Events of this type occur when Administration Server detects a frequent event on a managed device. Refer to the following section for details: Blocking frequent events.

License limit has been exceeded (event type ID 4098; event type KLSRV_EV_LICENSE_CHECK_100_110; default storage term 90 days)
Once a day Kaspersky Security Center checks whether a licensing restriction is exceeded. Events of this type occur when Administration Server detects that some licensing limits are exceeded by Kaspersky applications installed on client devices and if the number of currently used licensing units covered by a single license constitutes 100% to 110% of the total number of units covered by the license. Even when this event occurs, client devices are protected.
You can respond to the event in the following ways:
- Look through the managed devices list. Delete devices that are not in use.
- Provide a license for more devices (add a valid activation code or a key file to Administration Server).
Kaspersky Security Center determines the rules to generate events when a licensing restriction is exceeded.

Device has remained inactive on the network for a long time (event type ID 4103; event type KLSRV_EVENT_HOSTS_NOT_VISIBLE; default storage term 90 days)
Events of this type occur when a managed device shows inactivity for some time. Most often, this happens when a managed device is decommissioned.
You can respond to the event in the following ways:
- Manually remove the device from the list of managed devices.
- Specify the time interval after which the Device has remained inactive on the network for a long time event is created by using Administration Console or by using Kaspersky Security Center Web Console.
- Specify the time interval after which the device is automatically removed from the group by using Administration Console or by using Kaspersky Security Center Web Console.

Conflict of device names (event type ID 4102; event type KLSRV_EVENT_HOSTS_CONFLICT; default storage term 90 days)
Events of this type occur when Administration Server considers two or more managed devices as a single device. Most often this happens when a cloned hard drive was used for software deployment on managed devices without switching the Network Agent to the dedicated disk cloning mode on a reference device.
To avoid this issue, switch Network Agent to the disk cloning mode on a reference device before cloning the hard drive of this device.

Device status is Warning (event type ID 4114; event type KLSRV_HOST_STATUS_WARNING; default storage term 90 days)
Events of this type occur when a managed device is assigned the Warning status. You can configure the conditions under which the device status is changed to Warning.

Limit of installations will soon be exceeded for one of the licensed applications groups (event type ID 4127; event type KLSRV_INVLICPROD_FILLED; default storage term 90 days)
Events of this type occur when the number of installations for third-party applications included in a licensed applications group reaches 90% of the maximum allowed value specified in the license key properties.
You can respond to the event in the following ways:
- If the third-party application is not in use on some of the managed devices, delete the application from these devices.
- If you expect that the number of installations for the third-party application will exceed the allowed maximum in the near future, consider obtaining a third-party license for a greater number of devices in advance.
You can manage license keys of third-party applications using the functionality of licensed applications groups.

Certificate has been requested (event type ID 4133; event type KLSRV_CERTIFICATE_REQUESTED; default storage term 90 days)
Events of this type occur when a certificate for Mobile Device Management fails to be automatically reissued.
Following might be the causes and appropriate responses to the event:
- Automatic reissue was initiated for a certificate for which the Reissue certificate automatically if possible option is disabled. This might be due to an error that occurred during creation of the certificate. Manual reissue of the certificate might be required.
- If you use an integration with a public key infrastructure, the cause might be a missing SAM-Account-Name attribute of the account used for integration with PKI and for issuance of the certificate. Review the account properties.

Certificate has been removed (event type ID 4134; event type KLSRV_CERTIFICATE_REMOVED; default storage term 90 days)
Events of this type occur when an administrator removes any type of certificate (General, Mail, VPN) for Mobile Device Management. After removing a certificate, mobile devices connected via this certificate will fail to connect to Administration Server.
This event might be helpful when investigating malfunctions associated with the management of mobile devices.

APNs certificate has expired (event type ID 4135; event type KLSRV_APN_CERTIFICATE_EXPIRED; default storage term: not stored)
Events of this type occur when an APNs certificate expires. You need to manually renew the APNs certificate and install it on an iOS MDM Server.

APNs certificate expires soon (event type ID 4136; event type KLSRV_APN_CERTIFICATE_EXPIRES_SOON; default storage term: not stored)
Events of this type occur when there are fewer than 14 days left before the APNs certificate expires. When the APNs certificate expires, you need to manually renew the APNs certificate and install it on an iOS MDM Server.
We recommend that you schedule the APNs certificate renewal in advance of the expiration date.

Failed to send the FCM message to the mobile device (event type ID 4138; event type KLSRV_GCM_DEVICE_ERROR; default storage term 90 days)
Events of this type occur when Mobile Device Management is configured to use Google Firebase Cloud Messaging (FCM) for connecting to managed mobile devices with an Android operating system and FCM Server fails to handle some of the requests received from Administration Server. It means that some of the managed mobile devices will not receive a push notification.
Read the HTTP code in the details of the event description and respond accordingly. For more information on the HTTP codes received from FCM Server and related errors, please refer to the Google Firebase service documentation (see chapter "Downstream message error response codes").

HTTP error sending the FCM message to the FCM server (event type ID 4139; event type KLSRV_GCM_HTTP_ERROR; default storage term 90 days)
Events of this type occur when Mobile Device Management is configured to use Google Firebase Cloud Messaging (FCM) for connecting managed mobile devices with the Android operating system and FCM Server returns to the Administration Server a response with an HTTP code other than 200 (OK).
Following might be the causes and appropriate responses to the event:
- Problems on the FCM server side. Read the HTTP code in the details of the event description and respond accordingly. For more information on the HTTP codes received from FCM Server and related errors, please refer to the Google Firebase service documentation (see chapter "Downstream message error response codes").
- Problems on the proxy server side (if you use a proxy server). Read the HTTP code in the details of the event description and respond accordingly.

Failed to send the FCM message to the FCM server (event type ID 4140; event type KLSRV_GCM_GENERAL_ERROR; default storage term 90 days)
Events of this type occur due to unexpected errors on the Administration Server side when working with the Google Firebase Cloud Messaging HTTP protocol.
Read the details in the event description and respond accordingly. If you cannot find the solution to an issue on your own, we recommend that you contact Kaspersky Technical Support.

Little free space on the hard drive (event type ID 4105; event type KLSRV_NO_SPACE_ON_VOLUMES; default storage term 90 days)
Events of this type occur when the hard drive of the device on which Administration Server is installed almost runs out of free space. Free up disk space on the device.

Little free space in the Administration Server database (event type ID 4106; event type KLSRV_NO_SPACE_IN_DATABASE; default storage term 90 days)
Events of this type occur if space in the Administration Server database is too limited. If you do not remedy the situation, soon the Administration Server database will reach its capacity and Administration Server will not function.
Following are the causes of this event, depending on the DBMS that you use, and the appropriate responses to the event:
- You use the SQL Server Express Edition DBMS:
  In the SQL Server Express documentation, review the database size limit for the version you use. Probably your Administration Server database is about to reach the database size limit. Limit the number of events to store in the Administration Server database.
  In the Administration Server database there are too many events sent by the Application Control component. You can change the settings of the Kaspersky Endpoint Security for Windows policy relating to Application Control event storage in the Administration Server database.
- You use a DBMS other than SQL Server Express Edition:
  Do not limit the number of events to store in the Administration Server database. Reduce the list of events to store in the Administration Server database. Review the information on DBMS selection.

Connection to the secondary Administration Server has been interrupted (event type ID 4116; event type KLSRV_EV_SLAVE_SRV_DISCONNECTED; default storage term 90 days)
Events of this type occur when a connection to the secondary Administration Server is interrupted. Read the Kaspersky Event Log on the device where the secondary Administration Server is installed and respond accordingly.

Connection to the primary Administration Server has been interrupted (event type ID 4118; event type KLSRV_EV_MASTER_SRV_DISCONNECTED; default storage term 90 days)
Events of this type occur when a connection to the primary Administration Server is interrupted. Read the Kaspersky Event Log on the device where the primary Administration Server is installed and respond accordingly.

New updates for Kaspersky software modules have been registered (event type ID 4141; event type KLSRV_SEAMLESS_UPDATE_REGISTERED; default storage term 90 days)
Events of this type occur when Administration Server registers new updates for the Kaspersky software installed on managed devices that require approval to be installed.
Approve or decline the updates by using Administration Console or using Kaspersky Security Center Web Console.

The limit on the number of events in the database is exceeded, deletion of events has started (event type ID 4145; event type KLSRV_EVP_DB_TRUNCATING; default storage term: not stored)
Events of this type occur when deletion of old events from the Administration Server database has started after the Administration Server database capacity is reached.
You can respond to the event in the following ways:
- Change the maximum number of events stored in the Administration Server database.
- Reduce the list of events to store in the Administration Server database.

The limit on the number of events in the database is exceeded, the events have been deleted (event type ID 4146; event type KLSRV_EVP_DB_TRUNCATED; default storage term: not stored)
Events of this type occur when old events have been deleted from the Administration Server database after the Administration Server database capacity is reached.
You can respond to the event in the following ways:
- Change the allowed maximum number of events to be stored in the Administration Server database.
- Reduce the list of events to store in the Administration Server database.
Administration Server informational events

The table below shows the events of Kaspersky Security Center Administration Server that have the Info
importance level.

Administration Server informational events

Event type display name | Event type ID | Event type | Default storage term | Remarks
Over 90% of the license key is used up | 4097 | KLSRV_EV_LICENSE_CHECK_90 | 30 days |
New device has been detected | 4100 | KLSRV_EVENT_HOSTS_NEW_DETECTED | 30 days |
Device has been automatically added to the group | 4101 | KLSRV_EVENT_HOSTS_NEW_REDIRECTED | 30 days |
Device has been removed from the group: inactive on the network for a long time | 4104 | KLSRV_INVISIBLE_HOSTS_REMOVED | 30 days |
Limit of installations will soon be exceeded (more than 95% is used up) for one of the licensed applications groups | 4128 | KLSRV_INVLICPROD_EXPIRED_SOON | 30 days |
Files have been found to send to Kaspersky for analysis | 4131 | KLSRV_APS_FILE_APPEARED | 30 days |
FCM Instance ID has changed on this mobile device | 4137 | KLSRV_GCM_DEVICE_REGID_CHANGED | 30 days |
Updates have been successfully copied to the specified folder | 4122 | KLSRV_UPD_REPL_OK | 30 days |
Connection to the secondary Administration Server has been established | 4115 | KLSRV_EV_SLAVE_SRV_CONNECTED | 30 days |
Connection to the primary Administration Server has been established | 4117 | KLSRV_EV_MASTER_SRV_CONNECTED | 30 days |
Databases have been updated | 4144 | KLSRV_UPD_BASES_UPDATED | 30 days |
Audit: Connection to the Administration Server has been established | 4147 | KLAUD_EV_SERVERCONNECT | 30 days |
Audit: Object has been modified | 4148 | KLAUD_EV_OBJECTMODIFY | 30 days | This event tracks changes in the following objects: Administration group, Security group, User, Package, Task, Policy, Server, Virtual Server
Audit: Object status has changed | 4150 | KLAUD_EV_TASK_STATE_CHANGED | 30 days | For example, this event occurs when a task has failed with an error.
Audit: Group settings have been modified | 4149 | KLAUD_EV_ADMGROUP_CHANGED | 30 days |
Audit: Connection to Administration Server has been terminated | 4151 | KLAUD_EV_SERVERDISCONNECT | 30 days |
Audit: Object properties have been modified | 4152 | KLAUD_EV_OBJECTPROPMODIFIED | 30 days | This event tracks changes in the following properties: User, License, Server, Virtual server
Audit: User permissions have been modified | 4153 | KLAUD_EV_OBJECTACLMODIFIED | 30 days |
Network Agent events
This section contains information about the events related to Network Agent.

Network Agent functional failure events


The table below shows the event types of Kaspersky Security Center Network Agent that have the Functional
failure severity level.

Network Agent functional failure events

Each entry below gives the event type display name, followed by the event type ID, the event type, and the default storage term, and then the description.

Update installation error (event type ID 7702; event type KLNAG_EV_PATCH_INSTALL_ERROR; default storage term 30 days)
Events of this type occur if automatic updating and patching for Kaspersky Security Center components was not successful. The event does not concern updates of the managed Kaspersky applications.
Read the event description. A Windows issue on the Administration Server might be a reason for this event. If the description mentions any issue of Windows configuration, resolve this issue.

Failed to install the third-party software update (event type ID 7697; event type KLNAG_EV_3P_PATCH_INSTALL_ERROR; default storage term 30 days)
Events of this type occur if Vulnerability and Patch Management and Mobile Device Management features are in use, and if update of third-party software was not successful.
Check whether the link to the third-party software is valid. Read the event description.

Failed to install the Windows Update updates (event type ID 7717; event type KLNAG_EV_WUA_INSTALL_ERROR; default storage term 30 days)
Events of this type occur if Windows Updates were not successful. Configure Windows Updates in a Network Agent policy.
Read the event description. Look for the error in the Microsoft Knowledge Base. Contact Microsoft Technical Support if you cannot resolve the issue yourself.

Network Agent warning events

The table below shows the events of Kaspersky Security Center Network Agent that have the Warning severity
level.

For each event that can be generated by an application, you can specify notification settings and storage settings on the Event configuration tab in the application policy. If you want to configure notification settings for all the events at once, configure general notification settings in the Administration Server properties.

Network Agent warning events

Event type display name | Event type ID | Event type | Default storage term
Warning has been returned during installation of the software module update | 7701 | KLNAG_EV_PATCH_INSTALL_WARNING | 30 days
Third-party software update installation has completed with a warning | 7696 | KLNAG_EV_3P_PATCH_INSTALL_WARNING | 30 days
Third-party software update installation has been postponed | 7698 | KLNAG_EV_3P_PATCH_INSTALL_SLIPPED | 30 days
Incident has occurred | 549 | GNRL_EV_APP_INCIDENT_OCCURED | 30 days
KSN Proxy has started. Failed to check KSN for availability | 7718 | KSNPROXY_STARTED_CON_CHK_FAILED | 30 days

Network Agent informational events


The table below shows the events of Kaspersky Security Center Network Agent that have the Info severity level.

For each event that can be generated by an application, you can specify notification settings and storage settings on the Event configuration tab in the application policy. If you want to configure notification settings for all the events at once, configure general notification settings in the Administration Server properties.

Network Agent informational events

Event type display name | Event type ID | Event type | Default storage term
Update for software modules has been installed successfully | 7699 | KLNAG_EV_PATCH_INSTALLED_SUCCESSFULLY | 30 days
Installation of the software module update has started | 7700 | KLNAG_EV_PATCH_INSTALL_STARTING | 30 days
Application has been installed | 7703 | KLNAG_EV_INV_APP_INSTALLED | 30 days
Application has been uninstalled | 7704 | KLNAG_EV_INV_APP_UNINSTALLED | 30 days
Monitored application has been installed | 7705 | KLNAG_EV_INV_OBS_APP_INSTALLED | 30 days
Monitored application has been uninstalled | 7706 | KLNAG_EV_INV_OBS_APP_UNINSTALLED | 30 days
Third-party application has been installed | 7707 | KLNAG_EV_INV_CMPTR_APP_INSTALLED | 30 days
New device has been added | 7708 | KLNAG_EV_DEVICE_ARRIVAL | 30 days
Device has been removed | 7709 | KLNAG_EV_DEVICE_REMOVE | 30 days
New device has been detected | 7710 | KLNAG_EV_NAC_DEVICE_DISCOVERED | 30 days
Device has been authorized | 7711 | KLNAG_EV_NAC_HOST_AUTHORIZED | 30 days
Windows Desktop Sharing: File has been read | 7712 | KLUSRLOG_EV_FILE_READ | 30 days
Windows Desktop Sharing: File has been modified | 7713 | KLUSRLOG_EV_FILE_MODIFIED | 30 days
Windows Desktop Sharing: Application has been started | 7714 | KLUSRLOG_EV_PROCESS_LAUNCHED | 30 days
Windows Desktop Sharing: Started | 7715 | KLUSRLOG_EV_WDS_BEGIN | 30 days
Windows Desktop Sharing: Stopped | 7716 | KLUSRLOG_EV_WDS_END | 30 days
Third-party software update has been installed successfully | 7694 | KLNAG_EV_3P_PATCH_INSTALLED_SUCCESSFULLY | 30 days
Third-party software update installation has started | 7695 | KLNAG_EV_3P_PATCH_INSTALL_STARTING | 30 days
KSN Proxy has started. KSN availability check has completed successfully | 7719 | KSNPROXY_STARTED_CON_CHK_OK | 30 days
KSN Proxy has stopped | 7720 | KSNPROXY_STOPPED | 30 days

iOS MDM Server events


This section contains information about the events related to iOS MDM Server.

iOS MDM Server functional failure events


The table below shows the events of Kaspersky Security Center iOS MDM Server that have the Functional failure
severity level.

For each event that can be generated by an application, you can specify notification settings and storage settings on the Event configuration tab in the application policy. If you want to configure notification settings for all the events at once, configure general notification settings in the Administration Server properties.

iOS MDM Server functional failure events

Event type display name | Event type | Default storage term
Failed to request the list of profiles | PROFILELIST_COMMAND_FAILED | 30 days
Failed to install the profile | INSTALLPROFILE_COMMAND_FAILED | 30 days
Failed to remove the profile | REMOVEPROFILE_COMMAND_FAILED | 30 days
Failed to request the list of provisioning profiles | PROVISIONINGPROFILELIST_COMMAND_FAILED | 30 days
Failed to install provisioning profile | INSTALLPROVISIONINGPROFILE_COMMAND_FAILED | 30 days
Failed to remove the provisioning profile | REMOVEPROVISIONINGPROFILE_COMMAND_FAILED | 30 days
Failed to request the list of digital certificates | CERTIFICATELIST_COMMAND_FAILED | 30 days
Failed to request the list of installed applications | INSTALLEDAPPLICATIONLIST_COMMAND_FAILED | 30 days
Failed to request general information about the mobile device | DEVICEINFORMATION_COMMAND_FAILED | 30 days
Failed to request security information | SECURITYINFO_COMMAND_FAILED | 30 days
Failed to lock the mobile device | DEVICELOCK_COMMAND_FAILED | 30 days
Failed to reset the password | CLEARPASSCODE_COMMAND_FAILED | 30 days
Failed to wipe data from the mobile device | ERASEDEVICE_COMMAND_FAILED | 30 days
Failed to install the app | INSTALLAPPLICATION_COMMAND_FAILED | 30 days
Failed to set the redemption code for the app | APPLYREDEMPTIONCODE_COMMAND_FAILED | 30 days
Failed to request the list of managed apps | MANAGEDAPPLICATIONLIST_COMMAND_FAILED | 30 days
Failed to remove the managed app | REMOVEAPPLICATION_COMMAND_FAILED | 30 days
Roaming settings have been rejected | SETROAMINGSETTINGS_COMMAND_FAILED | 30 days
Error has occurred in the app operation | PRODUCT_FAILURE | 30 days
Command result contains invalid data | MALFORMED_COMMAND | 30 days
Failed to send the push notification | SEND_PUSH_NOTIFICATION_FAILED | 30 days
Failed to send the command | SEND_COMMAND_FAILED | 30 days
Device not found | DEVICE_NOT_FOUND | 30 days

iOS MDM Server warning events
The table below shows the events of Kaspersky Security Center iOS MDM Server that have the Warning severity
level.

For each event that can be generated by an application, you can specify notification settings and storage settings on the Event configuration tab in the application policy. If you want to configure notification settings for all the events at once, configure general notification settings in the Administration Server properties.

iOS MDM Server warning events

Event type display name | Event type | Default storage term
Attempt to connect a locked mobile device has been detected | INACTICE_DEVICE_TRY_CONNECTED | 30 days
Profile has been removed | MDM_PROFILE_WAS_REMOVED | 30 days
Attempt to re-use a client certificate has been detected | CLIENT_CERT_ALREADY_IN_USE | 30 days
Inactive device has been detected | FOUND_INACTIVE_DEVICE | 30 days
Redemption code is required | NEED_REDEMPTION_CODE | 30 days
Profile has been included in a policy removed from the device | UMDM_PROFILE_WAS_REMOVED | 30 days

iOS MDM Server informational events


The table below shows the events of Kaspersky Security Center iOS MDM Server that have the Info severity level.

For each event that can be generated by an application, you can specify notification settings and storage settings on the Event configuration tab in the application policy. If you want to configure notification settings for all the events at once, configure general notification settings in the Administration Server properties.

iOS MDM Server informational events

Event type display name Event type Default


storage
term

New mobile device has been NEW_DEVICE_CONNECTED 30


connected days

List of pro les has been PROFILELIST_COMMAND_SUCCESSFULL 30


successfully requested days

Pro le has been successfully INSTALLPROFILE_COMMAND_SUCCESSFULL 30


installed days

Pro le has been successfully REMOVEPROFILE_COMMAND_SUCCESSFULL 30


removed days

List of provisioning pro les PROVISIONINGPROFILELIST_COMMAND_SUCCESSFULL 30


has been successfully days
requested

Provisioning pro le has been INSTALLPROVISIONINGPROFILE_COMMAND_SUCCESSFULL 30


successfully installed days

Provisioning pro le has been REMOVEPROVISIONINGPROFILE_COMMAND_SUCCESSFULL 30


successfully removed days

1383
List of digital certi cates has CERTIFICATELIST_COMMAND_SUCCESSFULL 30
been successfully requested days

List of installed applications INSTALLEDAPPLICATIONLIST_COMMAND_SUCCESSFULL 30


has been successfully days
requested

General information about DEVICEINFORMATION_COMMAND_SUCCESSFULL 30


the mobile device has been days
successfully requested

Security information has SECURITYINFO_COMMAND_SUCCESSFULL 30


been successfully requested days

Mobile device has been DEVICELOCK_COMMAND_SUCCESSFULL 30


successfully locked days

The password has been CLEARPASSCODE_COMMAND_SUCCESSFULL 30


successfully reset days

Data has been wiped from the ERASEDEVICE_COMMAND_SUCCESSFULL 30


mobile device days

App has been successfully INSTALLAPPLICATION_COMMAND_SUCCESSFULL 30


installed days

Redemption code has been APPLYREDEMPTIONCODE_COMMAND_SUCCESSFULL 30


successfully set for the app days

The list of managed apps has MANAGEDAPPLICATIONLIST_COMMAND_SUCCESSFULL 30


been successfully requested days

Managed app has been REMOVEAPPLICATION_COMMAND_SUCCESSFULL 30


removed successfully days

Roaming settings have been SETROAMINGSETTINGS_COMMAND_SUCCESSFUL 30


successfully applied days

Exchange Mobile Device Server events


This section contains information about the events related to an Exchange Mobile Device Server.

Exchange Mobile Device Server functional failure events


The table below shows the events of Kaspersky Security Center Exchange Mobile Device Server that have the Functional failure severity level.

For each event that can be generated by an application, you can specify notification settings and storage settings on the Event configuration tab in the application policy. If you want to configure notification settings for all the events at once, configure general notification settings in the Administration Server properties.

Exchange Mobile Device Server functional failure events

Event type display name | Event type | Default storage term
Failed to wipe data from the mobile device | WIPE_FAILED | 30 days
Cannot delete information about mobile device connection to mailbox | DEVICE_REMOVE_FAILED | 30 days
Failed to apply the ActiveSync policy to the mailbox | POLICY_APPLY_FAILED | 30 days
Application operation error | PRODUCT_FAILURE | 30 days
Failed to modify the state of ActiveSync functionality | CHANGE_ACTIVE_SYNC_STATE_FAILED | 30 days

Exchange Mobile Device Server informational events


The table below shows the events of Kaspersky Security Center Exchange Mobile Device Server that have the Info severity level.

For each event that can be generated by an application, you can specify notification settings and storage settings on the Event configuration tab in the application policy. If you want to configure notification settings for all the events at once, configure general notification settings in the Administration Server properties.

Exchange Mobile Device Server informational events

Event type display name | Event type | Default storage term
New mobile device has connected | NEW_DEVICE_CONNECTED | 30 days
Data has been wiped from the mobile device | WIPE_SUCCESSFULL | 30 days

Blocking frequent events


This section provides information about managing the blocking of frequent events and about removing the blocking of frequent events.

About blocking frequent events


A managed application, for example, Kaspersky Endpoint Security for Windows, installed on one or several managed devices can send a lot of events of the same type to the Administration Server. Receiving frequent events may overload the Administration Server database and overwrite other events. Administration Server starts blocking the most frequent events when the number of all the received events exceeds the specified limit for the database.

Administration Server blocks the receiving of frequent events automatically. You cannot block frequent events yourself or choose which events to block.

If you want to find out whether an event is blocked, you can view the notification list, or you can check whether this event is present in the Blocking frequent events section of the Administration Server properties. If the event is blocked, you can do the following:

If you want to prevent overwriting the database, you can continue blocking the receiving of events of this type.

If you want, for example, to find the reason for sending the frequent events to the Administration Server, you can unblock the frequent events and continue receiving events of this type anyway.

If you want to continue receiving the frequent events until they become blocked again, you can remove the frequent events from blocking.

Managing frequent events blocking

Administration Server automatically blocks the receiving of frequent events, but you can unblock them and continue to receive frequent events. You can also block the receiving of frequent events that you unblocked before.

To manage frequent events blocking:

1. In the main menu, click the settings icon next to the name of the required Administration Server.
The Administration Server properties window opens.

2. On the General tab, select the Blocking frequent events section.

3. In the Blocking frequent events section:

If you want to unblock the receiving of frequent events:

a. Select the frequent events you want to unblock, and then click the Exclude button.

b. Click the Save button.

If you want to block receiving frequent events:

a. Select the frequent events you want to block, and then click the Block button.

b. Click the Save button.

Administration Server receives the unblocked frequent events and does not receive the blocked frequent events.

Removing blocking of frequent events


You can remove blocking for frequent events and start receiving them until Administration Server blocks these
frequent events again.

To remove blocking for frequent events:

1. In the main menu, click the settings icon next to the name of the required Administration Server.
The Administration Server properties window opens.

2. On the General tab, select the Blocking frequent events section.

3. In the Blocking frequent events section, select the frequent event types for which you want to remove
blocking.

4. Click the Remove from blocking button.

The frequent event is removed from the list of frequent events. Administration Server will receive events of this
type.
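The blocking behavior described in this section, modelled in Python as an added illustration (this is not Kaspersky code and does not reproduce the product's internal algorithm): events are counted per type, a type is blocked once the database limit is exceeded, and the Exclude, Block and Remove from blocking actions are represented as methods. The database limit, the per-type frequency threshold, the event type names and the host names are constructed values.

```python
"""Model of the Administration Server's frequent-event blocking (added illustration).

This is not Kaspersky code: it reproduces only the behavior described in the text
(block the most frequent types once the database limit is exceeded; Exclude,
Block and Remove from blocking as administrator actions). Limits, event type
names and host names are constructed for the example.
"""
from collections import Counter
from dataclasses import dataclass, field


@dataclass
class Event:
    event_type: str   # constructed sample type names, not real product event types
    host: str


@dataclass
class FrequentEventBlocker:
    db_limit: int              # assumed: total received events after which blocking starts
    frequent_threshold: int    # assumed: per-type count above which a type counts as "frequent"
    counts: Counter = field(default_factory=Counter)
    blocked: set = field(default_factory=set)    # types currently not received
    excluded: set = field(default_factory=set)   # types the administrator unblocked with Exclude
    stored: list = field(default_factory=list)   # what reaches the database
    total: int = 0
    dropped: int = 0

    def receive(self, event: Event) -> bool:
        """Return True if the event is stored, False if it is dropped as blocked."""
        self.counts[event.event_type] += 1
        self.total += 1
        if event.event_type in self.blocked:
            self.dropped += 1
            return False
        self.stored.append(event)
        if self.total > self.db_limit:
            self._block_frequent_types()
        return True

    def _block_frequent_types(self) -> None:
        # Automatic blocking: every frequent type is blocked unless the administrator excluded it.
        for event_type, count in self.counts.items():
            if count > self.frequent_threshold and event_type not in self.excluded:
                self.blocked.add(event_type)

    def exclude(self, event_type: str) -> None:
        """Exclude button: keep receiving this type even though it is frequent."""
        self.blocked.discard(event_type)
        self.excluded.add(event_type)

    def block(self, event_type: str) -> None:
        """Block button: stop receiving a type that was excluded earlier."""
        self.excluded.discard(event_type)
        self.blocked.add(event_type)

    def remove_from_blocking(self, event_type: str) -> None:
        """Remove from blocking: forget the type so it is received until it becomes frequent again."""
        self.blocked.discard(event_type)
        self.excluded.discard(event_type)
        self.counts.pop(event_type, None)


def demo():
    """Constructed sample: one host floods a single event type while another host sends a few normal events."""
    blocker = FrequentEventBlocker(db_limit=10, frequent_threshold=5)
    events = [Event("SAMPLE_EVENT_FLOOD", "host-01") for _ in range(12)]
    events += [Event("SAMPLE_EVENT_NORMAL", "host-02") for _ in range(3)]
    accepted = sum(blocker.receive(e) for e in events)
    return blocker, accepted


if __name__ == "__main__":
    b, n = demo()
    print(f"stored {n} of 15 events; blocked types: {sorted(b.blocked)}; dropped: {b.dropped}")
```

In the sample run the flood type is blocked only after the total crosses the database limit, so the first eleven flood events are stored and the twelfth is dropped; the normal type never crosses the frequency threshold and keeps flowing. Calling `exclude` lets the flood type through again (the case where you want to find the cause of the flood), `block` reverses that, and `remove_from_blocking` resets the count so the type is received until it becomes frequent again.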

Receiving events from Kaspersky Security for Microsoft Exchange Servers


Information about events during the operation of managed applications, such as Kaspersky Endpoint Security for Windows, is transferred from managed devices and registered in the Administration Server database. By default, the events from Kaspersky Security for Microsoft Exchange Servers version 9.0 MR6 and earlier are not registered in the Administration Server database. If Kaspersky Security for Microsoft Exchange Servers version 9.0 MR6 and earlier is installed on the managed devices in your organization and you want to receive events from this application, enable the event registration for this application by using the klscflag utility.

To enable the event registration for Kaspersky Security for Microsoft Exchange Servers:

1. On the Administration Server device, run the Windows command prompt under an account with administrator
rights.

2. Change your current directory to the Kaspersky Security Center installation folder (usually, C:\Program Files
(x86)\Kaspersky Lab\Kaspersky Security Center).

3. Run one of the following commands:

For the Administration Server installed on a Microsoft failover cluster:


klscflag.exe --stp cluster -fset -pv klserver -n
KLSRV_EVP_ENABLE_HOST_EVENT_BODY_VALIDATION -t d -v 0

For the Administration Server installed on a Kaspersky failover cluster node:


klscflag.exe --stp klfoc -fset -pv klserver -n
KLSRV_EVP_ENABLE_HOST_EVENT_BODY_VALIDATION -t d -v 0

For the Administration Server that is not working on a cluster:


klscflag.exe -fset -pv klserver -n KLSRV_EVP_ENABLE_HOST_EVENT_BODY_VALIDATION -t d
-v 0

The event registration for Kaspersky Security for Microsoft Exchange Servers is enabled.

For Kaspersky Security for Microsoft Exchange Servers, you cannot set the storage term for the events or select
which events must be saved in the Administration Server repository. You can set the maximum number of events
that can be saved in the repository. This setting is applied to the events received from all of the Kaspersky
applications.

Notifications and device statuses


This section contains information on how to view notifications, configure notification delivery, use device statuses, and enable changing device statuses.

Using notifications


Notifications alert you about events and help you to speed up your responses to these events by performing recommended actions or actions you consider appropriate.

Depending on the notification method chosen, the following types of notifications are available:

Onscreen notifications

Notifications by SMS

Notifications by email

Notifications by executable file or script

Onscreen notifications

Onscreen notifications alert you to events grouped by importance levels (Critical, Warning, and Informational).

An onscreen notification can have one of two statuses:

Reviewed. It means you have performed the recommended action for the notification or you have assigned this status to the notification manually.

Not Reviewed. It means you have not performed the recommended action for the notification and have not assigned this status to the notification manually.

By default, the list of notifications includes notifications in the Not Reviewed status.

You can monitor your organization's network by viewing onscreen notifications and responding to them in real time.

Notifications by email, by SMS, and by executable file or a script

Kaspersky Security Center provides the capability to monitor your organization's network by sending notifications about any event that you consider important. For any event you can configure notifications by email, by SMS, or by running an executable file or a script.

Upon receiving notifications by email or by SMS, you can decide on your response to an event. This response should be the most appropriate for your organization's network. By running an executable file or a script, you predefine a response to an event. You can also consider running an executable file or a script as a primary response to an event. After the executable file runs, you can take other steps to respond to the event.

Viewing onscreen notifications


You can view notifications onscreen in three ways:

In the MONITORING & REPORTING → NOTIFICATIONS section. Here you can view notifications relating to predefined categories.

In a separate window that can be opened no matter which section you are using at the moment. In this case you can mark notifications as reviewed.

In the Notifications by selected severity level widget in the MONITORING & REPORTING → DASHBOARD section. In the widget, you can view only notifications of events that are at the Critical and Warning importance levels.

You can perform actions, for example, you can respond to an event.

To view notifications from predefined categories:

1. In the main menu, go to MONITORING & REPORTING → NOTIFICATIONS.

The All notifications category is selected in the left pane, and in the right pane all the notifications are displayed.

2. In the left pane, select one of the categories:

Deployment

Devices

Protection

Updates (this includes notifications about Kaspersky applications available for download and notifications about anti-virus database updates that have been downloaded)

Exploit Prevention

Administration Server (this includes events concerning only Administration Server)

Useful links (this includes links to Kaspersky resources, for example, Kaspersky Technical Support, Kaspersky forum, license renewal page, or the Kaspersky IT Encyclopedia)

Kaspersky news (this includes information about releases of Kaspersky applications)

A list of notifications of the selected category is displayed. The list contains the following:

Icon related to the topic of the notification: deployment, protection, updates, device management, Exploit Prevention, Administration Server.

Notification importance level. Notifications of the following importance levels are displayed: Critical notifications, Warning notifications, Info notifications. Notifications in the list are grouped by importance levels.

Notification. This contains a description of the notification.

Action. This contains a link to a quick action that we recommend you perform. For example, by clicking this link, you can proceed to the repository and install security applications on devices, or view a list of devices or a list of events. After you perform the recommended action for the notification, this notification is assigned the Reviewed status.

Status registered. This contains the number of days or hours that have passed from the moment when the notification was registered on the Administration Server.

To view onscreen notifications in a separate window by importance level:

1. In the upper-right corner of Kaspersky Security Center Web Console, click the flag icon.

If the flag icon has a red dot, there are notifications that have not been reviewed.

A window opens listing the notifications. By default, the All notifications tab is selected and the notifications are grouped by importance level: Critical, Warning, and Info.

2. Select the System tab.

The list of notifications of the Critical and Warning importance levels is displayed. The notification list includes the following:

Color marker. Critical notifications are marked in red. Warning notifications are marked in yellow.

Icon indicating the topic of the notification: deployment, protection, updates, device management, Exploit Prevention, Administration Server.

Description of the notification.

Flag icon. The flag icon is gray if the notification has the Not Reviewed status. When you select the gray flag icon and assign the Reviewed status to a notification, the icon changes color to white.

Link to the recommended action. When you perform the recommended action after clicking the link, the notification gets the Reviewed status.

Number of days that have passed since the date when the notification was registered on the Administration Server.

3. Select the More tab.

The list of notifications of the Info importance level is displayed.
The organization of the list is the same as for the list on the System tab (see the description above). The only difference is the absence of a color marker.

You can filter notifications by the date interval when they were registered on Administration Server. Use the Show filter check box to manage the filter.

To view onscreen notifications in the widget:

1. In the DASHBOARD section, select Add or restore web widget.

2. In the window that opens, click the Other category, select the Notifications by selected severity level widget, and click Add.
The widget now appears on the DASHBOARD tab. By default, the notifications of the Critical importance level are displayed on the widget.
You can click the Settings button on the widget and change the widget settings to view notifications of the Warning importance level. Or, you can add another Notifications by selected severity level widget with the Warning importance level.
The list of notifications on the widget is limited by its size and includes two notifications. These two notifications relate to the latest events.

The notification list in the widget includes the following:

Icon related to the topic of the notification: deployment, protection, updates, device management, Exploit Prevention, Administration Server.

Description of the notification with a link to the recommended action. When you perform a recommended action after clicking the link, the notification gets the Reviewed status.

Number of days or number of hours that have passed since the date when the notification was registered on the Administration Server.

Link to other notifications. Upon clicking this link, you are transferred to the view of notifications in the NOTIFICATIONS section of the MONITORING & REPORTING section.

About device statuses

Kaspersky Security Center assigns a status to each managed device. The particular status depends on whether the conditions defined by the user are met. In some cases, when assigning a status to a device, Kaspersky Security Center takes into consideration the device's visibility flag on the network (see the table below). If Kaspersky Security Center does not find a device on the network within two hours, the visibility flag of the device is set to Not Visible.

The statuses are the following:

Critical or Critical / Visible

Warning or Warning / Visible

OK or OK / Visible

The table below lists the default conditions that must be met to assign the Critical or Warning status to a device, with all possible values.

Conditions for assigning a status to a device

Condition | Condition description | Available values
Security application is not installed | Network Agent is installed on the device, but a security application is not installed. | Toggle button is on; toggle button is off.
Too many viruses detected | Some viruses have been found on the device by a task for virus detection, for example, the Virus scan task, and the number of viruses found exceeds the specified value. | More than 0.
Real-time protection level differs from the level set by the Administrator | The device is visible on the network, but the real-time protection level differs from the level set (in the condition) by the administrator for the device status. | Stopped; Paused; Running.
Virus scan has not been performed in a long time | The device is visible on the network and a security application is installed on the device, but neither the Malware scan task nor a local scan task has been run within the specified time interval. The condition is applicable only to devices that were added to the Administration Server database 7 days ago or earlier. | More than 1 day.
Databases are outdated | The device is visible on the network and a security application is installed on the device, but the anti-virus databases have not been updated on this device within the specified time interval. The condition is applicable only to devices that were added to the Administration Server database 1 day ago or earlier. | More than 1 day.
Not connected in a long time | Network Agent is installed on the device, but the device has not connected to an Administration Server within the specified time interval, because the device was turned off. | More than 1 day.
Active threats are detected | The number of unprocessed objects in the ACTIVE THREATS folder exceeds the specified value. | More than 0 items.
Restart is required | The device is visible on the network, but an application has required a device restart for longer than the specified time interval and for one of the selected reasons. | More than 0 minutes.
Incompatible applications are installed | The device is visible on the network, but software inventory performed through Network Agent has detected incompatible applications installed on the device. | Toggle button is off; toggle button is on.
Software vulnerabilities have been detected | The device is visible on the network and Network Agent is installed on the device, but the Find vulnerabilities and required updates task has detected vulnerabilities with the specified severity level in applications installed on the device. | Critical; High; Medium; Ignore if the vulnerability cannot be fixed; Ignore if an update is assigned for installation.
License expired | The device is visible on the network, but the license has expired. | Toggle button is off; toggle button is on.
License expires soon | The device is visible on the network, but the license will expire on the device in less than the specified number of days. | More than 0 days.
Check for Windows Update updates has not been performed in a long time | The device is visible on the network, but the Perform Windows Update synchronization task has not been run within the specified time interval. | More than 1 day.
Invalid encryption status | Network Agent is installed on the device, but the device encryption result is equal to the specified value. | Does not comply with the policy due to the user's refusal (for external devices only); Does not comply with the policy due to an error; Restart is required when applying the policy; No encryption policy is specified; Not supported; When applying the policy.
Mobile device settings do not comply with the policy | The mobile device settings are other than the settings that were specified in the Kaspersky Endpoint Security for Android policy during the check of compliance rules. | Toggle button is off; toggle button is on.
Unprocessed incidents detected | Some unprocessed incidents have been found on the device. Incidents can be created either automatically, through managed Kaspersky applications installed on the client device, or manually by the administrator. | Toggle button is off; toggle button is on.
Device status defined by application | The status of the device is defined by the managed application. | Toggle button is off; toggle button is on.
Device is out of disk space | Free disk space on the device is less than the specified value or the device could not be synchronized with the Administration Server. The Critical or Warning status is changed to the OK status when the device is successfully synchronized with the Administration Server and free space on the device is greater than or equal to the specified value. | More than 0 MB.
Device has become unmanaged | During device discovery, the device was recognized as visible on the network, but more than three attempts to synchronize with the Administration Server failed. | Toggle button is off; toggle button is on.
Protection is disabled | The device is visible on the network, but the security application on the device has been disabled for longer than the specified time interval. | More than 0 minutes.
Security application is not running | The device is visible on the network and a security application is installed on the device but is not running. | Toggle button is off; toggle button is on.


Kaspersky Security Center allows you to set up automatic switching of the status of a device in an administration group when specified conditions are met. When specified conditions are met, the client device is assigned one of the following statuses: Critical or Warning. When specified conditions are not met, the client device is assigned the OK status.

Different statuses may correspond to different values of one condition. For example, by default, if the Databases are outdated condition has the More than 3 days value, the client device is assigned the Warning status; if the value is More than 7 days, the Critical status is assigned.

If you upgrade Kaspersky Security Center from the previous version, the values of the Databases are outdated condition for assigning the Critical or Warning status do not change.

When Kaspersky Security Center assigns a status to a device, for some conditions (see the Condition description column) the visibility flag is taken into consideration. For example, if a managed device was assigned the Critical status because the Databases are outdated condition was met, and later the visibility flag of the device was set to Not Visible, then the device is assigned the OK status.
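An added Python illustration of how the conditions in the table combine into a device status; it is not Kaspersky code. The device records, the reference time and the assignment of conditions to the Critical and Warning lists are constructed, except for the 3-day and 7-day Databases are outdated values quoted above; treating Critical conditions before Warning ones is an assumption. The ws-03 record shows the visibility note: the same stale databases that make ws-01 Critical are ignored once the visibility flag is Not Visible.

```python
"""Evaluates Critical/Warning conditions for managed devices (added illustration, not Kaspersky code).

Only a handful of the conditions from the table are modelled. The 3-day/7-day
values for "Databases are outdated" are the product defaults quoted in the text;
every other threshold, the rule-to-status assignment and the device records are
constructed for the example.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Callable, Optional


@dataclass
class Device:
    name: str
    visible: bool                          # visibility flag; Not Visible after two hours unseen
    agent_installed: bool = True
    security_app_installed: bool = True
    security_app_running: bool = True
    databases_updated: Optional[datetime] = None
    last_connected: Optional[datetime] = None
    active_threats: int = 0


@dataclass
class Condition:
    name: str
    requires_visible: bool                 # conditions worded "The device is visible on the network, but ..."
    check: Callable[[Device, datetime], bool]


def databases_outdated(days: int) -> Condition:
    def check(d: Device, now: datetime) -> bool:
        return (d.security_app_installed and d.databases_updated is not None
                and now - d.databases_updated > timedelta(days=days))
    return Condition("Databases are outdated", True, check)


def security_app_not_installed() -> Condition:
    return Condition("Security application is not installed", False,
                     lambda d, now: d.agent_installed and not d.security_app_installed)


def not_connected(days: int) -> Condition:
    return Condition("Not connected in a long time", False,
                     lambda d, now: d.agent_installed and d.last_connected is not None
                     and now - d.last_connected > timedelta(days=days))


def active_threats(items: int) -> Condition:
    return Condition("Active threats are detected", False,
                     lambda d, now: d.active_threats > items)


def security_app_not_running() -> Condition:
    return Condition("Security application is not running", True,
                     lambda d, now: d.security_app_installed and not d.security_app_running)


# Constructed status configuration (assumption), apart from the 3-day/7-day database values.
CRITICAL_RULES = [security_app_not_installed(), databases_outdated(7), active_threats(0), not_connected(1)]
WARNING_RULES = [databases_outdated(3), security_app_not_running()]


def evaluate(device: Device, now: datetime):
    """Return (status, condition name). Critical rules are checked before Warning rules
    (assumed precedence). Rules that require visibility are skipped when the flag is
    Not Visible, which is why a stale-database device can fall back to OK."""
    for rules, status in ((CRITICAL_RULES, "Critical"), (WARNING_RULES, "Warning")):
        for rule in rules:
            if rule.requires_visible and not device.visible:
                continue
            if rule.check(device, now):
                return status, rule.name
    return "OK", None


def demo():
    now = datetime(2023, 6, 1, 12, 0)   # constructed reference time
    fleet = [
        Device("ws-01", visible=True, databases_updated=now - timedelta(days=10), last_connected=now),
        Device("ws-02", visible=True, databases_updated=now - timedelta(days=5), last_connected=now),
        # Same stale databases as ws-01, but the visibility flag is Not Visible.
        Device("ws-03", visible=False, databases_updated=now - timedelta(days=10),
               last_connected=now - timedelta(hours=3)),
        Device("ws-04", visible=True, security_app_installed=False, last_connected=now),
        Device("ws-05", visible=True, databases_updated=now, last_connected=now, security_app_running=False),
    ]
    return {d.name: evaluate(d, now) for d in fleet}


if __name__ == "__main__":
    for name, (status, reason) in demo().items():
        print(f"{name}: {status}" + (f" ({reason})" if reason else ""))
```

The useful check for an administrator is the ws-03 case: a device that has simply gone quiet reads OK even though its databases are stale, so a monitoring view built only on status colours misses it until the Not connected in a long time threshold is crossed.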

Configuring the switching of device statuses


You can change the conditions used to assign the Critical or Warning status to a device.

To enable changing the device status to Critical:

1. In the main menu, go to DEVICES → HIERARCHY OF GROUPS.

2. In the list of groups that opens, click the link with the name of the group for which you want to change the switching of device statuses.

3. In the properties window that opens, select the Device status tab.

4. In the left pane, select Critical.

5. In the right pane, in the Set to Critical if these are specified section, enable the condition to switch a device to the Critical status.

You can change only settings that are not locked in the parent policy.

6. Select the radio button next to the condition in the list.

7. In the upper-left corner of the list, click the Edit button.

8. Set the required value for the selected condition.

Values cannot be set for every condition.

9. Click OK.

When the specified conditions are met, the managed device is assigned the Critical status.

To enable changing the device status to Warning:

1. In the main menu, go to DEVICES → HIERARCHY OF GROUPS.

2. In the list of groups that opens, click the link with the name of the group for which you want to change the switching of device statuses.

3. In the properties window that opens, select the Device status tab.

4. In the left pane, select Warning.

5. In the right pane, in the Set to Warning if these are specified section, enable the condition to switch a device to the Warning status.

You can change only settings that are not locked in the parent policy.

6. Select the radio button next to the condition in the list.

7. In the upper-left corner of the list, click the Edit button.

8. Set the required value for the selected condition.


Values cannot be set for every condition.

9. Click OK.

When the specified conditions are met, the managed device is assigned the Warning status.

Configuring notification delivery


You can configure notification about events occurring in Kaspersky Security Center. Depending on the notification method chosen, the following types of notifications are available:

Email. When an event occurs, Kaspersky Security Center sends a notification to the email addresses specified.

SMS. When an event occurs, Kaspersky Security Center sends a notification to the phone numbers specified.

Executable file. When an event occurs, the executable file is run on the Administration Server.

To configure notification delivery of events occurring in Kaspersky Security Center:

1. At the top of the screen, click the settings icon next to the name of the required Administration Server.
The Administration Server properties window opens with the General tab selected.

2. Click the Notification section, and in the right pane select the tab for the notification method you want:

Email

1396
The Email tab allows you to con gure event noti cation by email.
In the Recipients (email addresses) eld, specify the email addresses to which the application will send
noti cations. You can specify multiple addresses in this eld, by separating them with semicolons.
In the SMTP servers eld, specify mail server addresses, separating them with semicolons. You can use
the following values:
IPv4 or IPv6 address

Windows network name (NetBIOS name) of the device

DNS name of the SMTP server


In the SMTP server port eld, specify the number of an SMTP server communication port. The default
port number is 25.
If you enable the Use DNS MX lookup option, you can use several MX records of the IP addresses for
the same DNS name of the SMTP server. The same DNS name may have several MX records with
di erent values of priority of receiving email messages. Administration Server attempts to send email
noti cations to the SMTP server in ascending order of MX records priority.

If you enable the Use DNS MX lookup option and do not enable usage of TLS settings, we
recommend that you use the DNSSEC settings on your server device as an additional measure of
protection for sending email noti cations.

If you enable the Use ESMTP authentication option, you can specify the ESMTP authentication
settings in the User name and Password elds. By default, the option is disabled, and the ESMTP
authentication settings are not available.
You can specify TLS settings of connection with an SMTP server:
Do not use TLS
You can select this option if you want to disable encryption of email messages.
Use TLS if supported by the SMTP server
You can select this option if you want to use a TLS connection to an SMTP server. If the SMTP server
does not support TLS, Administration Server connects the SMTP server without using TLS.
Always use TLS, check server certi cate validity
You can select this option if you want to use TLS authentication settings. If the SMTP server does not
support TLS, Administration Server cannot connect the SMTP server.

We recommend that you use this option for better protection of the connection with an SMTP
server. If you select this option, you can set authentication settings for a TLS connection.

If you select Always use TLS, check server certi cate validity value, you can specify a certi cate for
authentication of the SMTP server and choose whether you want to enable communication through
any version of TLS or only through TLS 1.2 or later versions. Also, you can specify a certi cate for client
authentication on the SMTP server.
You can specify certi cates for a TLS connection by clicking the Specify certi cates link:
Browse for an SMTP server certi cate le:
You can receive a le with the list of certi cates from a trusted certi cation authority and upload the
le to Administration Server. Kaspersky Security Center checks whether the certi cate of an SMTP
server is also signed by a trusted certi cation authority. Kaspersky Security Center cannot connect to
an SMTP server if the certi cate of the SMTP server is not received from a trusted certi cation
authority.

1397
Browse for a client certi cate le:
You can use a certi cate that you received from any source, for example, from any trusted certi cation
authority. You must specify the certi cate and its private key by using one of the following certi cate
types:

X-509 certi cate:

You must specify a le with the certi cate and a le with the private key. Both les do not depend on
each other and the order of loading of the les is not signi cant. When both les are loaded, you must
specify the password for decoding the private key. The password can have an empty value if the private
key is not encoded.

pkcs12 container:

You must upload a single le that contains the certi cate and its private key. When the le is loaded, you
must then specify the password for decoding the private key. The password can have an empty value if
the private key is not encoded.
In the Subject field, specify the email subject. You can leave this field empty.
In the Subject template drop-down list, select the template for your subject. A variable determined by
the selected template is placed automatically in the Subject field. You can construct an email subject by
selecting several subject templates.
In the Sender email address field, specify the sender email address. If you leave this field empty, by
default, the recipient address is used. It is not recommended to use fictitious email addresses.
The Notification message field contains standard text with information about the event that the
application sends when an event occurs. This text includes substitute parameters, such as event name,
device name, and domain name. You can edit the message text by adding other substitute parameters
with more relevant details about the event.

If the notification text contains a percent sign (%), you have to type it twice in a row to allow
message sending. For example, "CPU load is 100%%".

Clicking the Configure numeric limit of notifications link allows you to specify the maximum number of
notifications that the application can send during the specified time interval.
Clicking the Send test message button allows you to check whether you configured notifications
properly: the application sends a test notification to the email addresses that you specified.

SMS

The SMS tab allows you to configure the transmission of SMS notifications about various events to a
cell phone. SMS messages are sent through a mail gateway.
In the SMTP servers field, specify mail server addresses, separating them with semicolons. You can use
the following values:
IPv4 or IPv6 address

Windows network name (NetBIOS name) of the device

DNS name of the SMTP server


In the SMTP server port field, specify the number of an SMTP server communication port. The default
port number is 25.
If the Use ESMTP authentication option is enabled, you can specify the ESMTP authentication
settings in the User name and Password fields. By default, the option is disabled, and the ESMTP
authentication settings are not available.
You can specify the TLS settings for the connection with an SMTP server:
Do not use TLS
You can select this option if you want to disable encryption of email messages.
Use TLS if supported by the SMTP server
You can select this option if you want to use a TLS connection to an SMTP server. If the SMTP server
does not support TLS, Administration Server connects to the SMTP server without using TLS.
Always use TLS, check server certificate validity
You can select this option if you want to use TLS authentication settings. If the SMTP server does not
support TLS, Administration Server cannot connect to the SMTP server.

We recommend that you use this option for better protection of the connection with an SMTP
server. If you select this option, you can set authentication settings for a TLS connection.

If you select the Always use TLS, check server certificate validity value, you can specify a certificate for
authentication of the SMTP server and choose whether you want to enable communication through
any version of TLS or only through TLS 1.2 or later versions. Also, you can specify a certificate for client
authentication on the SMTP server.
You can specify an SMTP server certificate file by clicking the Specify certificates link:
You can receive a file with the list of certificates from a trusted certification authority and upload the
file to Administration Server. Kaspersky Security Center checks whether the certificate of an SMTP
server is also signed by a trusted certification authority. Kaspersky Security Center cannot connect to
an SMTP server if the certificate of the SMTP server is not received from a trusted certification
authority.
In the Recipients (email addresses) field, specify the email addresses to which the application will send
notifications. You can specify multiple addresses in this field, by separating them with semicolons. The
notifications will be delivered to the phone numbers associated with the specified email addresses.
In the Subject field, specify the email subject.
In the Subject template drop-down list, select the template for your subject. A variable according to
the selected template is put in the Subject field. You can construct an email subject by selecting several
subject templates.
In the Sender email address field, specify the sender email address. If you leave this field empty, by
default, the recipient address is used. It is not recommended to use fictitious email addresses.

In the Phone numbers of SMS message recipients field, specify the cell phone numbers of the SMS
notification recipients.
In the Notification message field, specify a text with information about the event that the application
sends when an event occurs. This text can include substitute parameters, such as event name, device
name, and domain name.

If the notification text contains a percent sign (%), you have to type it twice in a row to allow
message sending. For example, "CPU load is 100%%".

Click the Configure numeric limit of notifications link to specify the maximum number of notifications
that the application can send during the specified time interval.
Click the Send test message button to check whether you configured notifications properly: the application
sends a test notification to the recipient that you specified.

Executable file to be run

If this notification method is selected, in the entry field you can specify the application that will start
when an event occurs.
In the Executable file to be run on the Administration Server when an event occurs field, specify the
folder and the name of the file to be run. Before specifying the file, prepare the file and specify the
placeholders that define the event details to be sent in the notification message. The folder and the file
that you specify must be located on the Administration Server.
Clicking the Configure numeric limit of notifications link allows you to specify the maximum number of
notifications that the application can send during the specified time interval.

3. On the tab, define the notification settings.

4. Click the OK button to close the Administration Server properties window.

The saved notification delivery settings are applied to all events that occur in Kaspersky Security Center.

You can override notification delivery settings for certain events in the Event configuration section of the
Administration Server settings, of a policy's settings, or of an application's settings.

Event notifications displayed by running an executable file


Kaspersky Security Center can notify the administrator about events on client devices by running an executable
file. The executable file must call another executable file with placeholders for the event details to be relayed to
the administrator.

Placeholders for describing an event

Placeholder                          Placeholder description
%SEVERITY%                           Event importance level
%COMPUTER%                           Name of the device where the event occurred
%DOMAIN%                             Domain
%EVENT%                              Event
%DESCR%                              Event description
%RISE_TIME%                          Time created
%KLCSAK_EVENT_TASK_DISPLAY_NAME%     Task name
%KL_PRODUCT%                         Kaspersky Security Center Network Agent
%KL_VERSION%                         Network Agent version number
%HOST_IP%                            IP address
%HOST_CONN_IP%                       Connection IP address

Example:
Event notifications are sent by an executable file (such as script1.bat) inside which another executable file
(such as script2.bat) with the %COMPUTER% placeholder is launched. When an event occurs, the script1.bat
file is run on the administrator's device, which, in turn, runs the script2.bat file with the %COMPUTER%
placeholder. The administrator then receives the name of the device where the event occurred.
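The placeholder substitution and the doubled-percent rule described above, as an added example that is not code from Kaspersky Security Center: a small renderer that fills the documented placeholders into a notification template, treats %% as a literal percent sign, and rejects unknown placeholders or a stray %. The token grammar and the sample event are assumptions constructed for this example; how the product itself tokenizes the text is not documented on this page.

```python
"""Fill Kaspersky Security Center event placeholders into a notification template.

Added example, not product code. It models the rules given in the help text:
placeholders such as %COMPUTER% are replaced by event details, and a literal
percent sign must be written as "%%". How the product tokenizes the text is an
assumption; this renderer is strict so that template mistakes surface early.
"""
import re

# Placeholders from the "Placeholders for describing an event" table.
KNOWN_PLACEHOLDERS = {
    "SEVERITY", "COMPUTER", "DOMAIN", "EVENT", "DESCR", "RISE_TIME",
    "KLCSAK_EVENT_TASK_DISPLAY_NAME", "KL_PRODUCT", "KL_VERSION",
    "HOST_IP", "HOST_CONN_IP",
}

# Assumed token grammar: "%%" -> literal "%", "%NAME%" -> placeholder,
# any other "%" is an unescaped percent sign.
_TOKEN = re.compile(r"%%|%([A-Z_]+)%|%")


class TemplateError(ValueError):
    """Template uses an unknown placeholder or an unescaped '%'."""


def check_template(template: str) -> list:
    """Return a list of problems found in the template (empty if it is valid)."""
    problems = []
    for m in _TOKEN.finditer(template):
        if m.group(0) == "%%":
            continue
        name = m.group(1)
        if name is None:
            problems.append(f"unescaped '%' at offset {m.start()}; write '%%' instead")
        elif name not in KNOWN_PLACEHOLDERS:
            problems.append(f"unknown placeholder %{name}%")
    return problems


def render_notification(template: str, event: dict) -> str:
    """Substitute event details into the template.

    Substituted values are not re-scanned, so a '%' inside an event
    description cannot be mistaken for a placeholder.
    """
    problems = check_template(template)
    if problems:
        raise TemplateError("; ".join(problems))
    parts = []
    pos = 0
    for m in _TOKEN.finditer(template):
        parts.append(template[pos:m.start()])
        pos = m.end()
        if m.group(0) == "%%":
            parts.append("%")
        else:
            # Missing event fields render as an empty string rather than failing.
            parts.append(str(event.get(m.group(1), "")))
    parts.append(template[pos:])
    return "".join(parts)


# Constructed sample event (not real data).
SAMPLE_EVENT = {
    "SEVERITY": "Critical",
    "COMPUTER": "WS-042",
    "DOMAIN": "CORP",
    "EVENT": "Virus outbreak",
    "DESCR": "CPU load is 100%",
    "HOST_IP": "10.0.0.42",
}

if __name__ == "__main__":
    template = "%SEVERITY%: %EVENT% on %COMPUTER% (%HOST_IP%). %DESCR%. Limit was 95%%."
    print(render_notification(template, SAMPLE_EVENT))
    print(check_template("CPU load is 100%"))  # reports the unescaped percent sign
```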

Kaspersky announcements
This section describes how to use, configure, and disable Kaspersky announcements.

About Kaspersky announcements


The Kaspersky announcements section (MONITORING & REPORTING → Kaspersky announcements) keeps you
informed by providing information related to your version of Kaspersky Security Center and the managed
applications installed on the managed devices. Kaspersky Security Center periodically updates the information in
the section by removing outdated announcements and adding new information.

Kaspersky Security Center shows only those Kaspersky announcements that relate to the currently connected
Administration Server and the Kaspersky applications installed on the managed devices of this Administration
Server. The announcements are shown individually for any type of Administration Server—primary, secondary, or
virtual.

Administration Server must have an internet connection to receive Kaspersky announcements.

The announcements include information of the following types:

Security-related announcements
Security-related announcements are intended to keep the Kaspersky applications installed in your network
up-to-date and fully functional. The announcements may include information about critical updates for Kaspersky
applications, fixes for found vulnerabilities, and ways to fix other issues in Kaspersky applications.
Security-related announcements are enabled by default. If you do not want to receive the announcements, you can
disable this feature.
To show you the information that corresponds to your network protection configuration, Kaspersky Security
Center sends data to Kaspersky cloud servers and receives only those announcements that relate to the
Kaspersky applications installed in your network. The data set that can be sent to the servers is described in
the End User License Agreement that you accept when you install Kaspersky Security Center Administration
Server.
Marketing announcements
Marketing announcements include information about special offers for your Kaspersky applications,
advertisements, and news from Kaspersky. Marketing announcements are disabled by default. You receive this
type of announcements only if you enabled Kaspersky Security Network (KSN). You can disable marketing
announcements by disabling KSN.
To show you only relevant information that might be helpful in protecting your network devices and in your
everyday tasks, Kaspersky Security Center sends data to Kaspersky cloud servers and receives the appropriate
announcements. The data set that can be sent to the servers is described in the Processed Data section of the
KSN Statement.

New information is divided into the following categories, according to importance:

1. Critical info

2. Important news

3. Warning

4. Info

When new information appears in the Kaspersky announcements section, Kaspersky Security Center Web
Console displays a notification label that corresponds to the importance level of the announcements. You can click
the label to view this announcement in the Kaspersky announcements section.

You can specify the Kaspersky announcements settings, including the announcement categories that you want to
view and where to display the notification label.

Specifying Kaspersky announcements settings


In the Kaspersky announcements section, you can specify the Kaspersky announcements settings, including the
categories of the announcements that you want to view and where to display the notification label.

To configure Kaspersky announcements:

1. In the main menu, go to MONITORING & REPORTING → KASPERSKY ANNOUNCEMENTS.

2. Click the Settings link.


The Kaspersky announcement settings window opens.

3. Specify the following settings:

Select the importance level of the announcements that you want to view. The announcements of other
categories will not be displayed.

Select where you want to see the notification label. The label can be displayed in all console sections, or in
the MONITORING & REPORTING section and its subsections.

4. Click the OK button.


The Kaspersky announcement settings are specified.

Disabling Kaspersky announcements
The Kaspersky announcements section (MONITORING & REPORTING → Kaspersky announcements) keeps you
informed by providing information related to your version of Kaspersky Security Center and managed applications
installed on the managed devices. If you do not want to receive Kaspersky announcements, you can disable this
feature.

The Kaspersky announcements include two types of information: security-related announcements and marketing
announcements. You can disable the announcements of each type separately.

To disable security-related announcements:

1. In the main menu, click the settings icon next to the name of the required Administration Server.
The Administration Server properties window opens.

2. On the General tab, select the Kaspersky announcements section.

3. Switch the toggle button to the Security-related announcements DISABLED position.

4. Click the Save button.


Kaspersky announcements are disabled.

Marketing announcements are disabled by default. You receive marketing announcements only if you enabled
Kaspersky Security Network (KSN). You can disable this type of announcement by disabling KSN.

To disable marketing announcements:

1. In the main menu, click the settings icon next to the name of the required Administration Server.
The Administration Server properties window opens.

2. On the General tab, select the KSN Proxy settings section.

3. Disable the Use Kaspersky Security Network ENABLED option.

4. Click the Save button.


Marketing announcements are disabled.

Viewing information about threat detections


You can enable or disable displaying information about alerts.

To enable or disable displaying the ALERTS section in the main menu:

1. In the main menu, go to your account settings and select Interface options.

2. In the Interface options window that opens, enable or disable the Show EDR alerts option.

3. Click Save.

The console displays the ALERTS subsection in the MONITORING & REPORTING section of the main menu. In the
ALERTS subsection, you can view information about threat detections on the endpoint devices. If you add a
license key for EDR Optimum, Kaspersky Security Center Web Console automatically displays the ALERTS
subsection in the MONITORING & REPORTING section of the main menu. You can also add a widget that displays
information about alerts. If you installed the EDR Optimum plug-in, you can view detailed information about
detected threats by clicking the More details link.

Use the Filter menu to filter alerts by date and field values.

The Object type field contains the following values:

unknown

Phishing link

virus

Trojan

malicious tool

backdoor

worm

other application

Adware

Pornware

Dangerous packed program

Dangerous behavior

The Automatic response field contains the following values:

Malicious object detected

Object deleted

Object disinfected

Object failed to disinfect

Object moved to Quarantine

Password-protected archive detected

Virus detected

Downloading and deleting files from Quarantine and Backup

This section gives information on how to download and how to delete files from Quarantine and Backup in
Kaspersky Security Center Web Console.

Downloading files from Quarantine and Backup


You can download files from Quarantine and Backup only if one of the two conditions is met: either the Do not
disconnect from the Administration Server option is enabled in the settings of the device, or a connection
gateway is in use. Otherwise, the downloading is not possible.

To save a copy of a file from Quarantine or Backup to a hard drive:

1. Do one of the following:

If you want to save a copy of a file from Quarantine, go to OPERATIONS → REPOSITORIES → QUARANTINE.

If you want to save a copy of a file from Backup, go to OPERATIONS → REPOSITORIES → BACKUP.

2. In the window that opens, select a file that you want to download and click Download.

The download starts. A copy of the file that had been placed in Quarantine on the client device is saved to the
specified folder.

About removing objects from the Quarantine, Backup, or Active threats repositories


When Kaspersky security applications installed on client devices place objects to the Quarantine, Backup, or
Active threats repositories, they send the information about the added objects to the QUARANTINE, BACKUP, or
ACTIVE THREATS sections in Kaspersky Security Center. When you open one of these sections, select an object
from the list and click the Remove button, Kaspersky Security Center performs one of the following actions or
both actions:

Removes the selected object from the list

Deletes the selected object from the repository

The action to perform is defined by the Kaspersky application that placed the selected object to the repository.
The Kaspersky application is specified in the Entry added by field. Refer to the documentation of the Kaspersky
application for details about which action is to be performed.

Kaspersky Security Center Web Console activity logging


Kaspersky Security Center Web Console activity logging can help to investigate the causes of a software
malfunction. When you contact Kaspersky Technical Support about a Kaspersky Security Center Web Console
malfunction, Kaspersky Technical Support specialists can request Kaspersky Security Center Web Console log
files from you. Kaspersky Security Center Web Console log files are stored in the <Kaspersky Security Center Web
Console installation folder>/logs folder the entire time you use the application. Log files are not sent to Kaspersky
Technical Support specialists automatically.
To enable Kaspersky Security Center Web Console activity logging,

Select the Enable logging of Kaspersky Security Center 14 Web Console activities check box in the
Kaspersky Security Center 14 Web Console connection settings window of the Kaspersky Security Center
Web Console Setup Wizard.

The log files are in text format.

The log file names are in the format logs-<component name>.<device name>-<file revision number>.YYYY-MM-DD,
where:

<component name> is the name of the Kaspersky Security Center component or the name of the Kaspersky Security
Center Web Console management plug-in.

<device name> is the name of the device on which the <component name> is running.

<file revision number> is the number of the log file created for the <component name> that is in operation on the
<device name>. Within one day, several log files for the same <component name> and <device name> can be
created. The maximum size of a log file is 50 megabytes (MB). When the maximum file size is reached, a new log
file is created, and its <file revision number> is incremented by 1.

YYYY, MM, and DD are the year, month, and day when the log was first created. When a new day starts, a new log
file is created.
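The file-name format just described, as an added example that is not Kaspersky code: a parser for logs-<component name>.<device name>-<file revision number>.YYYY-MM-DD names that finds the newest file per component and device and flags gaps in the revision sequence within a day. It assumes the component name contains no period (the device name may, for example an FQDN); the file names below are constructed for the example.

```python
"""Parse Kaspersky Security Center Web Console log file names.

Added example, not product code. Names follow the documented pattern
logs-<component name>.<device name>-<file revision number>.YYYY-MM-DD.
Assumption: the component name contains no '.', so the first '.' ends it;
the device name may contain '.' (for example an FQDN).
"""
import re
from collections import defaultdict
from datetime import date
from typing import Dict, Iterable, List, NamedTuple, Optional, Tuple

_NAME = re.compile(
    r"^logs-(?P<component>[^.]+)\.(?P<device>.+)-(?P<rev>\d+)\.(?P<date>\d{4}-\d{2}-\d{2})$"
)


class LogName(NamedTuple):
    component: str
    device: str
    revision: int
    day: date


def parse_log_name(name: str) -> Optional[LogName]:
    """Return the parsed name, or None if it is not a Web Console log file."""
    m = _NAME.match(name)
    if not m:
        return None
    try:
        day = date.fromisoformat(m["date"])
    except ValueError:  # e.g. month 13: looks like a log name but is not one
        return None
    return LogName(m["component"], m["device"], int(m["rev"]), day)


def latest_per_stream(names: Iterable[str]) -> Dict[Tuple[str, str], LogName]:
    """Newest log per (component, device): latest day, then highest revision.

    Files that do not match the pattern are skipped, so other files in the
    logs folder do not break the scan.
    """
    latest: Dict[Tuple[str, str], LogName] = {}
    for n in names:
        p = parse_log_name(n)
        if p is None:
            continue
        key = (p.component, p.device)
        if key not in latest or (p.day, p.revision) > (latest[key].day, latest[key].revision):
            latest[key] = p
    return latest


def missing_revisions(names: Iterable[str]) -> Dict[Tuple[str, str, date], List[int]]:
    """Revision numbers absent from each component/device/day sequence.

    A gap between the lowest and highest revision seen for one day means a
    rollover file (created when the 50 MB limit is reached) is absent, which
    is worth checking before handing logs to Technical Support.
    """
    seen: Dict[Tuple[str, str, date], set] = defaultdict(set)
    for n in names:
        p = parse_log_name(n)
        if p is not None:
            seen[(p.component, p.device, p.day)].add(p.revision)
    gaps = {}
    for key, revs in seen.items():
        expected = set(range(min(revs), max(revs) + 1))
        if expected != revs:
            gaps[key] = sorted(expected - revs)
    return gaps


# Constructed sample names (not from a real installation).
SAMPLE_NAMES = [
    "logs-web-console.ks-web01.corp.example-1.2023-05-10",
    "logs-web-console.ks-web01.corp.example-3.2023-05-10",  # revision 2 is absent
    "logs-web-console.ks-web01.corp.example-1.2023-05-11",
    "logs-plugin-kes.ks-web01.corp.example-1.2023-05-11",
    "readme.txt",
]

if __name__ == "__main__":
    for key, p in latest_per_stream(SAMPLE_NAMES).items():
        print(key, "->", p.day, "revision", p.revision)
    print("gaps:", missing_revisions(SAMPLE_NAMES))
```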

Integration between Kaspersky Security Center and other solutions


This section describes how to configure access from Kaspersky Security Center Web Console to another
Kaspersky application, such as Kaspersky Managed Detection and Response. This section also describes how to
configure export to SIEM systems.

Configuring access to KATA/KEDR Web Console


Kaspersky Anti Targeted Attack (KATA) and Kaspersky Endpoint Detection and Response (KEDR) are two
functional blocks of Kaspersky Anti Targeted Attack Platform. You can manage these functional blocks through
Web Console for Kaspersky Anti Targeted Attack Platform (KATA / KEDR Web Console). If you use both Kaspersky
Security Center Web Console and KATA / KEDR Web Console, you can configure access to KATA / KEDR Web
Console directly from the interface of Kaspersky Security Center Web Console.

To configure access to KATA / KEDR Web Console:

1. In the Console settings drop-down list, select Integration.


The Console settings window opens.

2. Select the Integration tab.

3. On the Integration tab, select the KATA section.

4. Enter the URL of KATA / KEDR Web Console in the URL to KATA/KEDR Web Console field.

5. Click the Save button.

The Advanced management drop-down list is added to the main application window. You can use this menu to
open KATA / KEDR Web Console. After you click Advanced Cybersecurity, a new tab opens in your browser with
the URL that you specified.

Establishing a background connection


To enable Kaspersky Security Center Web Console to perform its background tasks, you have to establish a
background connection between Kaspersky Security Center Web Console and Administration Server. You can
establish this connection only if your account has the Modify object ACLs right of the General features: User
permissions functional area.

If you install the plug-in of Kaspersky Endpoint Security for Windows 12.0, or if you update the Kaspersky Endpoint
Security for Windows plug-in from a version earlier than 11.7 and a background connection is not established yet,
a notification is displayed that you have to establish a background connection. Also, you will have to grant the
service account the rights of the General features: Operations on Administration Server functional area.

To establish a background connection:

1. In the Console settings drop-down list, select Integration.


The Console settings window opens.

2. Select the Integration tab.

3. On the Integration tab, select the Integration section.

4. Switch the toggle button for establishing a background connection to the position: Establish a background
connection for integration ENABLED.

5. In the opened The service that establishes a background connection will be started on the Kaspersky
Security Center Web Console Server section, click the OK button.

The background connection between Kaspersky Security Center Web Console and Administration Server is
established. Administration Server creates an account for the background connection and this account is used as
a service account to maintain interaction between Kaspersky Security Center and another Kaspersky application
or solution. The name of this service account contains the NWCSvcUser prefix.

Administration Server automatically changes the password of the service account once every 30 days, for security
reasons. You cannot delete the service account manually. Administration Server deletes this account automatically
when you disable a cross-service connection. Administration Server creates a single service account for each
Administration Console and assigns all the service accounts to the security group with the name
ServiceNwcGroup. Administration Server creates this security group automatically during the Kaspersky Security
Center installation process. You cannot delete this security group manually.

Exporting events to SIEM systems


This section describes how to configure export of events to the SIEM systems.

Scenario: configuring event export to SIEM systems

Kaspersky Security Center allows you to configure event export by one of the following methods: export to any
SIEM system that uses the Syslog format; export to QRadar, Splunk, or ArcSight SIEM systems that use the LEEF and
CEF formats; or export of events to SIEM systems directly from the Kaspersky Security Center database. When you
complete this scenario, Administration Server sends events to the SIEM system automatically.

Prerequisites

Before you start configuring export of events in Kaspersky Security Center:

Learn more about the methods of event export.

Make sure that you have the values of system settings.

You can perform the steps of this scenario in any order.

The process of export of events to SIEM system consists of the following steps:

Configuring SIEM system to receive events from Kaspersky Security Center

How-to instructions: Configuring event export in a SIEM system

Selecting events you want to export to SIEM system:

How-to instructions:

Administration Console: Marking events of a Kaspersky application for export in Syslog format, Marking general
events for export in Syslog format

Kaspersky Security Center Web Console: Marking events of a Kaspersky application for export in Syslog format,
Marking general events for export in Syslog format

Configuring export of events to SIEM system using one of the following methods:

Using TCP/IP, UDP or TLS over TCP protocols.


How-to instructions:

Administration Console: Configuring export of events to SIEM systems

Kaspersky Security Center Web Console: Configuring export of events to SIEM systems

Using export of events directly from the Kaspersky Security Center database (A set of public views is provided
in the Kaspersky Security Center database; you can find the description of these public views in the klakdb.chm
document.)

Results

After configuring export of events to a SIEM system, you can view the export results if you selected the events
that you want to export.

Before you begin

When setting up automatic export of events in the Kaspersky Security Center, you must specify some of the SIEM
system settings. It is recommended that you check these settings in advance in order to prepare for setting up
Kaspersky Security Center.

To successfully configure automatic sending of events to a SIEM system, you must know the following settings:

SIEM system server address

The IP address of the server on which the currently used SIEM system is installed. Check this value in your
SIEM system settings.

SIEM system server port

Port number used to establish a connection between Kaspersky Security Center and your SIEM system
server. You specify this value in the Kaspersky Security Center settings and in the receiver settings of your
SIEM system.

Protocol

Protocol used for transferring messages from Kaspersky Security Center to your SIEM system. You
specify this value in the Kaspersky Security Center settings and in the receiver settings of your SIEM
system.

About events in Kaspersky Security Center


Kaspersky Security Center allows you to receive information about events that occur during the operation of
Administration Server and Kaspersky applications installed on managed devices. Information about events is saved
in the Administration Server database. You can export this information to external SIEM systems. Exporting event
information to external SIEM systems enables administrators of SIEM systems to promptly respond to security
system events that occur on managed devices or administration groups.

Event types

In Kaspersky Security Center, there are the following types of events:

General events. These events occur in all managed Kaspersky applications. An example of a general event is
Virus outbreak. General events have strictly de ned syntax and semantics. General events are used, for
instance, in reports and dashboards.

Managed Kaspersky applications-speci c events. Each managed Kaspersky application has its own set of
events.

Event sources

Events can be generated by the following applications:

Kaspersky Security Center components:

Administration Server
Network Agent

iOS MDM Server

Exchange Mobile Device Server

Managed Kaspersky applications


For details about the events generated by Kaspersky managed applications, refer to the documentation of the
corresponding application.

You can view the full list of events that can be generated by an application on the Event configuration tab in the
application policy. For Administration Server, you can additionally view the event list in the Administration Server
properties.

Importance level of events

Each event has its own importance level. Depending on the conditions of its occurrence, an event can be assigned
various importance levels. There are four importance levels of events:

A critical event is an event that indicates the occurrence of a critical problem that may lead to data loss, an
operational malfunction, or a critical error.

A functional failure is an event that indicates the occurrence of a serious problem, error or malfunction that
occurred during operation of the application or while performing a procedure.

A warning is an event that is not necessarily serious, but nevertheless indicates a potential problem in the
future. Most events are designated as warnings if the application can be restored without loss of data or
functional capabilities after such events occur.

An info event is an event that occurs for the purpose of informing about successful completion of an
operation, proper functioning of the application, or completion of a procedure.

Each event has a defined storage term, during which you can view or modify it in Kaspersky Security Center. Some
events are not saved in the Administration Server database by default because their defined storage term is zero.
Only events that will be stored in the Administration Server database for at least one day can be exported to
external systems.

About event export


You can use event export within centralized systems that deal with security issues on an organizational and
technical level, provide security monitoring services, and consolidate information from different solutions. These
are SIEM systems, which provide real-time analysis of security alerts and events generated by network hardware
and applications, or Security Operation Centers (SOCs).

These systems receive data from many sources, including networks, security, servers, databases, and applications.
SIEM systems also provide functionality to consolidate monitored data in order to help you avoid missing critical
events. In addition, the systems perform automated analysis of correlated events and alerts in order to notify the
administrators of immediate security issues. Alerting can be implemented through a dashboard or can be sent
through third-party channels such as email.

The process of exporting events from Kaspersky Security Center to external SIEM systems involves two parties:
an event sender—Kaspersky Security Center and an event receiver—SIEM system. To successfully export events,
you must configure this in your SIEM system and in the Kaspersky Security Center Administration Console. It does
not matter which side you configure first. You can configure the transmission of events in the Kaspersky Security
Center and then configure the receipt of events by the SIEM system, or vice versa.

Methods for sending events from Kaspersky Security Center

There are three methods for sending events from Kaspersky Security Center to external systems:

Sending events over the Syslog protocol to any SIEM system


Using the Syslog protocol, you can relay any events that occur on the Kaspersky Security Center
Administration Server and in Kaspersky applications that are installed on managed devices. The Syslog protocol
is a standard message-logging protocol. You can use it to export events to any SIEM system.
For this purpose, you need to mark the events that you want to relay to the SIEM system. You can mark the
events in Administration Console or Kaspersky Security Center Web Console. Only marked events will be
relayed to the SIEM system. If you marked nothing, no events will be relayed.

Sending events over the CEF and LEEF protocols to QRadar, Splunk, and ArcSight systems
You can use the CEF and LEEF protocols to export general events. When exporting events over the CEF and
LEEF protocols, you do not have the capability to select specific events to export. Instead, all general events
are exported. Unlike the Syslog protocol, the CEF and LEEF protocols are not universal. CEF and LEEF are
intended for the appropriate SIEM systems (QRadar, Splunk, and ArcSight). Therefore, when you choose to
export events over one of these protocols, you use the required parser in the SIEM system.

To export events over the CEF and LEEF protocols, the Integration with the SIEM systems feature must be
activated in Administration Server by using an active license key or valid activation code.

Directly from the Kaspersky Security Center database to any SIEM system
This method of exporting events can be used to receive events directly from public views of the database by
means of SQL queries. The results of a query are saved to an XML le that can be used as input data for an
external system. Only events available in public views can be exported directly from the database.

Receipt of events by the SIEM system

The SIEM system must receive and correctly parse events received from Kaspersky Security Center. For these
purposes, you must properly configure the SIEM system. The configuration depends on the specific SIEM system
utilized. However, there are a number of general steps in the configuration of all SIEM systems, such as configuring
the receiver and the parser.

About configuring event export in a SIEM system


The process of exporting events from Kaspersky Security Center to external SIEM systems involves two parties:
an event sender—Kaspersky Security Center and an event receiver—SIEM system. You must configure the export
of events in your SIEM system and in the Kaspersky Security Center.

The settings that you specify in the SIEM system depend on the particular system that you are using. Generally, for
all SIEM systems you must set up a receiver and, optionally, a message parser to parse received events.

Setting up the receiver

To receive events sent by Kaspersky Security Center, you must set up the receiver in your SIEM system. In general,
the following settings must be specified in the SIEM system:

Export protocol or input type

This is the message transfer protocol, either TCP/IP or UDP. It must be the same as the protocol
you specified in Kaspersky Security Center.

Port

Port number to connect to Kaspersky Security Center. This port must be the same as the port you
specified in Kaspersky Security Center.

Message protocol or source type

The protocol used to export events to the SIEM system. It can be one of the standard protocols: Syslog,
CEF, or LEEF. The SIEM system selects the message parser according to the protocol you specify.

Depending on the SIEM system that you use, you may have to specify some additional receiver settings.

The figure below shows the receiver setup screen in ArcSight.

Figure: Receiver setup in ArcSight

Message parser

Exported events are passed to SIEM systems as messages. These messages must be properly parsed so that
information on the events can be used by the SIEM system. Message parsers are part of the SIEM system; they are
used to split the contents of the message into the relevant fields, such as event ID, severity, description,
parameters and so on. This enables the SIEM system to process events received from Kaspersky Security Center
so that they can be stored in the SIEM system database.

Each SIEM system has a set of standard message parsers. Kaspersky also provides message parsers for some
SIEM systems, for example, for QRadar and ArcSight. You can download these message parsers from the websites
of the corresponding SIEM systems. When configuring the receiver, you can select to use one of the standard
message parsers or a message parser from Kaspersky.

Marking of events for export to SIEM systems in Syslog format


This section describes how to mark events for further export to SIEM systems in Syslog format.

About marking events for export to SIEM system in the Syslog format
After enabling automatic export of events, you must select which events will be exported to the external SIEM
system.

You can configure export of events in the Syslog format to an external system based on one of the following
conditions:

Marking general events. If you mark events to export in a policy, in the settings of an event, or in the
Administration Server settings, the SIEM system will receive the marked events that occurred in all applications
managed by the specific policy. If exported events were selected in the policy, you will not be able to redefine
them for an individual application managed by this policy.

Marking events for a managed application. If you mark events to export for a managed application installed on a
managed device, the SIEM system will receive only the events that occurred in this application.

Marking events of a Kaspersky application for export in the Syslog format


If you want to export events that occurred in a specific managed application installed on the managed devices,
mark the events for export in the application policy. In this case, the marked events are exported from all of the
devices included in the policy scope.

To mark events for export for a specific managed application:

1. In the main menu, go to DEVICES → POLICIES & PROFILES.

2. Click the policy of the application for which you want to mark events.
The policy settings window opens.

3. Go to the Event configuration section.

4. Select the check boxes next to the events that you want to export to a SIEM system.

5. Click the Mark for export to SIEM system by using Syslog button.

You can also mark an event for export to a SIEM system in the Event registration section, which opens by
clicking the link of the event.

6. A check mark appears in the Syslog column of the event or events that you marked for export to the SIEM
system.

7. Click the Save button.

The marked events from the managed application are ready to be exported to a SIEM system.

You can mark which events to export to a SIEM system for a specific managed device. If previously exported
events were marked in an application policy, you will not be able to redefine the marked events for a managed
device.

To mark events for export for a managed device:

1. In the main menu, go to DEVICES → MANAGED DEVICES.


The list of managed devices is displayed.

2. Click the link with the name of the required device in the list of managed devices.
The properties window of the selected device is displayed.

3. Go to the Applications section.

4. Click the link with the name of the required application in the list of applications.

5. Go to the Event configuration section.

6. Select the check boxes next to the events that you want to export to SIEM.

7. Click the Mark for export to SIEM system by using Syslog button.

Also, you can mark an event for export to a SIEM system in the Event registration section, which opens when you
click the link of the event.

8. A check mark appears in the Syslog column of the event or events that you marked for export to the SIEM
system.

From now on, Administration Server sends the marked events to the SIEM system if export to the SIEM system is
configured.

Marking general events for export in Syslog format


You can mark general events that Administration Server will export to SIEM systems by using the Syslog format.

To mark general events for export to a SIEM system:

1. Do one of the following:

Click the settings icon next to the name of the required Administration Server.

In the main menu, go to DEVICES → POLICIES & PROFILES, and then click a link of a policy.

2. In the window that opens, go to the Event configuration tab.

3. Click Mark for export to SIEM system by using Syslog.

Also, you can mark an event for export to a SIEM system in the Event registration section, which opens when you
click the link of the event.

4. A check mark appears in the Syslog column of the event or events that you marked for export to the SIEM
system.

From now on, Administration Server sends the marked events to the SIEM system if export to the SIEM system is
configured.

About exporting events using CEF and LEEF formats


You can use the CEF and LEEF formats to export to SIEM systems general events, as well as the events
transferred by Kaspersky applications to the Administration Server. The set of export events is predefined, and
you cannot select the events to be exported.

To export events over the CEF and LEEF protocols, the Integration with the SIEM systems feature must be
activated in Administration Server by using an active license key or valid activation code.

Select the format of export on the basis of the SIEM system used. The table below shows SIEM systems and the
corresponding formats of export.

Formats of event export to a SIEM system

SIEM system    Format of export
QRadar         LEEF
ArcSight       CEF
Splunk         CEF

LEEF (Log Event Extended Format) is a customized event format for IBM Security QRadar SIEM. QRadar can
integrate, identify, and process LEEF events. LEEF events must use UTF-8 character encoding. You can find
detailed information on the LEEF protocol in IBM Knowledge Center.

CEF (Common Event Format) is an open log management standard that improves the interoperability of
security-related information from different security and network devices and applications. CEF enables you to
use a common event log format so that data can easily be integrated and aggregated for analysis by an
enterprise management system.

Automatic export means that Kaspersky Security Center sends general events to the SIEM system. Automatic
export of events starts immediately after you enable it. This section explains in detail how to enable automatic
event export.
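The message parser work described above (splitting a received message into event ID, severity, description and parameters) is easiest to see on concrete messages. The following is an added example, not code from the Kaspersky Security Center documentation or product: a small Python parser for the CEF and LEEF formats named in the table. The two sample messages are constructed for illustration; the vendor, product, event IDs and extension field names in them are assumptions and not a claim about what Kaspersky Security Center emits.

```python
"""Minimal parsers for CEF and LEEF event messages.

Added example, not code from the Kaspersky Security Center documentation or
product: it shows the field splitting that a SIEM message parser performs on
the two formats the page names.  The sample messages are constructed; vendor,
product, event IDs and field names in them are illustrative only.
"""
import re

CEF_HEADER = ("version", "device_vendor", "device_product",
              "device_version", "signature_id", "name", "severity")

# A key in a CEF extension: at the start or after whitespace, made of key
# characters and followed by '='.  An escaped '\=' inside a value does not
# match because the backslash is not a key character.
_CEF_KEY = re.compile(r"(?:^|(?<=\s))([A-Za-z0-9_.\-]+)=")

# LEEF 2.0 may declare its attribute delimiter (one character or xHH hex)
# as an extra header field in front of the attributes.
_LEEF_DELIM = re.compile(r"^(x[0-9A-Fa-f]{2}|.)\|(.*)$", re.DOTALL)


def _split_unescaped(text, sep, maxsplit):
    """Split on `sep` at most `maxsplit` times, honouring backslash escapes in
    the split part; the remainder is returned untouched for later parsing."""
    parts, current, i = [], [], 0
    while i < len(text):
        if len(parts) == maxsplit:
            current.append(text[i:])
            break
        ch = text[i]
        if ch == "\\" and i + 1 < len(text):
            current.append(text[i + 1])      # escaped character kept literally
            i += 2
            continue
        if ch == sep:
            parts.append("".join(current))
            current = []
        else:
            current.append(ch)
        i += 1
    parts.append("".join(current))
    return parts


def _unescape_value(value):
    # CEF extension values escape '=', '\' and line breaks with a backslash.
    return re.sub(r"\\(.)",
                  lambda m: {"n": "\n", "r": "\r"}.get(m.group(1), m.group(1)),
                  value)


def parse_cef_extension(ext):
    """Split 'key=value key2=value with spaces' into a dict."""
    fields = {}
    keys = list(_CEF_KEY.finditer(ext))
    for idx, m in enumerate(keys):
        end = keys[idx + 1].start() if idx + 1 < len(keys) else len(ext)
        fields[m.group(1)] = _unescape_value(ext[m.end():end].strip())
    return fields


def parse_cef(message):
    """CEF:Version|Vendor|Product|Version|SignatureID|Name|Severity|Extension"""
    if not message.startswith("CEF:"):
        raise ValueError("not a CEF message")
    parts = _split_unescaped(message[4:], "|", len(CEF_HEADER))
    if len(parts) == len(CEF_HEADER):
        parts.append("")                     # the extension is optional
    if len(parts) != len(CEF_HEADER) + 1:
        raise ValueError("CEF header must contain 7 fields")
    event = dict(zip(CEF_HEADER, parts))
    event["extension"] = parse_cef_extension(parts[-1])
    return event


def parse_leef(message):
    """LEEF:Version|Vendor|Product|Version|EventID|[Delimiter|]attributes"""
    if not message.startswith("LEEF:"):
        raise ValueError("not a LEEF message")
    parts = message[5:].split("|", 5)
    if len(parts) != 6:
        raise ValueError("LEEF header must contain 5 fields")
    version, vendor, product, product_version, event_id, rest = parts
    delimiter = "\t"                          # LEEF 1.0 always uses a tab
    m = _LEEF_DELIM.match(rest) if version.startswith("2.") else None
    if m:
        delim, rest = m.groups()
        delimiter = chr(int(delim[1:], 16)) if len(delim) == 3 else delim
    attrs = {}
    for pair in rest.split(delimiter):
        if "=" in pair:
            key, _, value = pair.partition("=")
            attrs[key.strip()] = value
    return {"version": version, "vendor": vendor, "product": product,
            "product_version": product_version, "event_id": event_id,
            "attributes": attrs}


# Constructed sample messages (not real product output).
SAMPLE_CEF = (
    "CEF:0|Example Vendor|Example Product|14.0|EXAMPLE-1001|"
    "Device status is Critical|8|"
    "src=10.0.0.5 dvchost=ws-01 cs1Label=Group cs1=Managed devices\\\\Workstations "
    "msg=Device status is Critical (constructed sample\\=not real)"
)
SAMPLE_LEEF = (
    "LEEF:1.0|Example Vendor|Example Product|14.0|EXAMPLE-1001|"
    "src=10.0.0.5\tdevTime=Jan 05 2023 10:15:00\tsev=8\tmsg=Device status is Critical"
)

if __name__ == "__main__":
    print(parse_cef(SAMPLE_CEF))
    print(parse_leef(SAMPLE_LEEF))
```

The CEF header is split on unescaped pipes only up to the seventh field, because the extension may legitimately contain pipes; values inside the extension may contain spaces, so keys are located first and each value runs to the next key. LEEF 1.0 attributes are always tab-separated, while LEEF 2.0 may name its own delimiter in the header, which the parser honours.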

About exporting events using Syslog format


You can use the Syslog format to export to SIEM systems the events that occur in Administration Server and other
Kaspersky applications installed on managed devices.

Syslog is a standard message logging protocol. It permits separation of the software that generates messages,
the system that stores them, and the software that reports and analyzes them. Each message is labeled with a
facility code, indicating the software type that generates the message, and is assigned a severity level.

The Syslog format is defined by Request for Comments (RFC) documents published by the Internet Engineering
Task Force (internet standards). The RFC 5424 standard is used to export the events from Kaspersky Security
Center to external systems.

In Kaspersky Security Center, you can configure export of the events to the external systems using the Syslog
format.

The export process consists of two steps:

1. Enabling automatic event export. At this step, Kaspersky Security Center is configured so that it sends events
to the SIEM system. Kaspersky Security Center starts sending events immediately after you enable automatic
export.

2. Selecting the events to be exported to the external system. At this step, you select which events to export to
the SIEM system.
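To make the RFC 5424 layout mentioned above concrete (PRI carrying facility and severity, the header fields, structured data and the free-text message), here is an added example: a Python parser for RFC 5424 messages, not code from the Kaspersky Security Center documentation or product. The sample message is constructed; its facility, app-name, structured-data ID and parameter names are assumptions and not a claim about what the product sends. The `looks_truncated` helper applies the receiver-side check a practitioner wants when the sender truncates messages at a configured maximum size, which this page gives as 2048 bytes by default.

```python
"""Parser for RFC 5424 syslog messages, plus a truncation check.

Added example, not code from the Kaspersky documentation or product.  The
sample message is constructed; its facility, app-name, SD-ID (using the
IANA enterprise number reserved for documentation) and parameter names are
illustrative only.
"""
import re

SEVERITIES = ("Emergency", "Alert", "Critical", "Error",
              "Warning", "Notice", "Informational", "Debug")
FACILITIES = ("kern", "user", "mail", "daemon", "auth", "syslog", "lpr",
              "news", "uucp", "cron", "authpriv", "ftp", "ntp", "audit",
              "alert", "clock", "local0", "local1", "local2", "local3",
              "local4", "local5", "local6", "local7")

# <PRI>VERSION TIMESTAMP HOSTNAME APP-NAME PROCID MSGID, then SD and MSG.
_HEADER = re.compile(
    r"^<(?P<pri>\d{1,3})>(?P<version>\d{1,2}) (?P<timestamp>\S+) "
    r"(?P<hostname>\S+) (?P<appname>\S+) (?P<procid>\S+) (?P<msgid>\S+)"
    r"(?P<rest>.*)$", re.DOTALL)
# One SD-ELEMENT: [sd-id name="value" ...], values may escape " \ and ].
_SD_ELEMENT = re.compile(r'\[([^\s\]=]+)((?:\s+[^\s\]=]+="(?:[^"\\]|\\.)*")*)\]')
_SD_PARAM = re.compile(r'([^\s\]=]+)="((?:[^"\\]|\\.)*)"')


def _unescape_sd(value):
    return re.sub(r'\\([\\"\]])', r"\1", value)


def parse_syslog(raw):
    """Return the message as a dict; raise ValueError if it is malformed."""
    m = _HEADER.match(raw)
    if not m or not m.group("rest").startswith(" "):
        raise ValueError("not an RFC 5424 message")
    pri = int(m.group("pri"))
    if pri > 191:
        raise ValueError("PRI out of range")
    event = {
        "facility": pri // 8, "facility_name": FACILITIES[pri // 8],
        "severity": pri % 8, "severity_name": SEVERITIES[pri % 8],
        "version": int(m.group("version")),
        "timestamp": m.group("timestamp"), "hostname": m.group("hostname"),
        "appname": m.group("appname"), "procid": m.group("procid"),
        "msgid": m.group("msgid"), "structured_data": {}, "msg": "",
    }
    rest = m.group("rest")[1:]               # drop the space after MSGID
    if rest.startswith("-"):                 # NILVALUE: no structured data
        pos = 1
    else:
        pos = 0
        while pos < len(rest) and rest[pos] == "[":
            sd = _SD_ELEMENT.match(rest, pos)
            if not sd:
                raise ValueError("malformed structured data at offset %d" % pos)
            params = {k: _unescape_sd(v) for k, v in _SD_PARAM.findall(sd.group(2))}
            event["structured_data"][sd.group(1)] = params
            pos = sd.end()
        if pos == 0:
            raise ValueError("structured data must be '-' or [..] elements")
    if pos < len(rest):
        if rest[pos] != " ":
            raise ValueError("expected a space before MSG")
        event["msg"] = rest[pos + 1:]
    return event


def looks_truncated(raw, max_bytes=2048):
    """Heuristic for a message cut off by the sender's size limit: its encoded
    length has reached the limit, or it no longer parses at all."""
    if len(raw.encode("utf-8")) >= max_bytes:
        return True
    try:
        parse_syslog(raw)
    except ValueError:
        return True
    return False


# Constructed sample (not real product output): facility local0, severity 2.
SAMPLE = (
    '<130>1 2023-01-05T10:15:00.000Z ksc-server example-app - EVT '
    '[example@32473 type="Device status is Critical" host="ws-01" '
    'group="Managed devices\\\\Workstations"] '
    'Device status is Critical on ws-01 (constructed sample)'
)

if __name__ == "__main__":
    print(parse_syslog(SAMPLE))
    print("truncated:", looks_truncated(SAMPLE))
```

Facility and severity come from the PRI value as `pri // 8` and `pri % 8`. A message that reaches the configured maximum size is treated as suspect even when it still parses, because truncation usually removes the tail of the MSG part without leaving any syntactic trace.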

Configuring Kaspersky Security Center for export of events to a SIEM system

This article describes how to configure export of events to SIEM systems.

To configure export to SIEM systems in the Kaspersky Security Center Web Console:

1. In the Console settings drop-down list, select Integration.


The Console settings window opens.

2. Select the Integration tab.

3. On the Integration tab, select the SIEM section.

4. Click the Settings link.


The Export settings section opens.

5. Specify the settings in the Export settings section:

SIEM system server address

The IP address of the server on which the currently used SIEM system is installed. Check this value in
your SIEM system settings.

SIEM system port

Port number used to establish a connection between Kaspersky Security Center and your SIEM system
server. You specify this value in the Kaspersky Security Center settings and in the receiver settings of
your SIEM system.

Protocol
Select the protocol to be used for transferring messages to the SIEM system. You can select the
TCP/IP, UDP, or TLS over TCP protocol.

Specify the following TLS settings if you select the TLS over TCP protocol:

Server authentication
In the Server authentication field, you can select the Trusted certificates or SHA fingerprints
values:

Trusted certificates. You can receive a file with the list of certificates from a trusted
certification authority (CA) and upload the file to Kaspersky Security Center. Kaspersky Security
Center then checks whether the certificate of the SIEM system server is signed by a trusted CA.
To add a trusted certificate, click the Browse for CA certificates file button, and then upload
the certificate.

SHA fingerprints. You can specify SHA-1 thumbprints of the SIEM system certificates in
Kaspersky Security Center. To add a SHA-1 thumbprint, enter it in the Thumbprints field, and
then click the Add button.

By using the Add client authentication setting, you can generate a certificate to authenticate
Kaspersky Security Center. In that case, you use a self-signed certificate issued by Kaspersky
Security Center, and you can use both a trusted certificate and a SHA fingerprint to
authenticate the SIEM system server.

Add Subject Name/Subject Alternative Name


Subject name is the domain name for which the certificate was issued. Kaspersky Security Center
cannot connect to the SIEM system server if the domain name of the SIEM system server does not
match the subject name of the SIEM system server certificate. However, the SIEM system server
can change its domain name if the name has changed in the certificate. In this case, you can specify
subject names in the Add Subject Name/Subject Alternative Name field. If any of the specified
subject names matches the subject name of the SIEM system certificate, Kaspersky Security
Center validates the SIEM system server certificate.

Add client authentication


For client authentication, you can insert your certificate or generate it in Kaspersky Security Center.

Insert certificate. You can use a certificate that you received from any source, for example, from
any trusted CA. You must specify the certificate and its private key by using one of the following
certificate types:

X.509 certificate PEM. Upload a file with a certificate in the File with certificate field, and a
file with a private key in the File with key field. The two files are independent of each other, and the
order in which you upload them does not matter. When both files are uploaded, specify the
password for decrypting the private key in the Password or certificate verification field. The
password can be empty if the private key is not encrypted.

X.509 certificate PKCS12. Upload a single file that contains a certificate and its private key in
the File with certificate field. When the file is uploaded, specify the password for decrypting
the private key in the Password or certificate verification field. The password can be
empty if the private key is not encrypted.

Generate key. You can generate a self-signed certificate in Kaspersky Security Center. As a
result, Kaspersky Security Center stores the generated self-signed certificate, and you can pass
the public part of the certificate or its SHA-1 fingerprint to the SIEM system.

Data format

You can select Syslog, CEF or LEEF formats, depending on the requirements of the SIEM system.

If you select Syslog format, you must specify:

Maximum size of event message in bytes

Specify the maximum size (in bytes) of one message relayed to the SIEM system. Each event is relayed
in one message. If the actual length of a message exceeds the specified value, the message is
truncated and data may be lost. The default size is 2048 bytes. This field is available only if you selected
the Syslog format in the Protocol field.

6. Switch the option to the Automatically export events to SIEM system database ENABLED position.

7. Click the Save button.

Export to SIEM system is configured.

Exporting events directly from the database


You can retrieve events directly from the Kaspersky Security Center database without having to use the
Kaspersky Security Center interface. You can either query the public views directly and retrieve the event data or
create your own views on the basis of existing public views and address them to get the data you need.

Public views

For your convenience, a set of public views is provided in the Kaspersky Security Center database. You can find
the description of these public views in the klakdb.chm document.

The v_akpub_ev_event public view contains a set of fields that represent the event parameters in the database. In
the klakdb.chm document you can also find information on public views corresponding to other Kaspersky Security
Center entities, for example, devices, applications, or users. You can use this information in your queries.

This section contains instructions for creating an SQL query by means of the klsql2 utility and a query example.

To create SQL queries or database views, you can also use any other program for working with databases.
Information on how to view the parameters for connecting to the Kaspersky Security Center database, such as
instance name and database name, is given in the corresponding section.

Creating an SQL query using the klsql2 utility


This section describes how to download and use the klsql2 utility, and how to create an SQL query by using this
utility. When you create an SQL query by means of the klsql2 utility, you do not have to provide database name and
access parameters, because the query addresses Kaspersky Security Center public views directly.

To use the klsql2 utility:

1. Locate the klsql2 utility in the installation folder of Kaspersky Security Center. Do not use klsql2 utility versions
intended for older Kaspersky Security Center versions.

2. Create the src.sql file in any text editor and place the file in the same folder as the utility.

3. In the src.sql file, type the SQL query that you want, and then save the file.

4. On the device with Kaspersky Security Center Administration Server installed, in the command line, type the
following command to run the SQL query from the src.sql file and save the results to the result.xml file:
klsql2 -i src.sql -o result.xml

5. Open the newly created result.xml file to view the query results.

You can edit the src.sql file and create any query to the public views. Then, from the command line, execute your
query and save the results to a file.

Example of an SQL query in the klsql2 utility


This section shows an example of an SQL query, created by means of the klsql2 utility.

The following example retrieves the events that occurred on devices during the last seven days and displays
them ordered by the time they occurred, with the most recent events first.

Example:
SELECT
e.nId, /* event identifier */
e.tmRiseTime, /* time, when the event occurred */
e.strEventType, /* internal name of the event type */
e.wstrEventTypeDisplayName, /* displayed name of the event */
e.wstrDescription, /* displayed description of the event */
e.wstrGroupName, /* name of the group, where the device is located */
h.wstrDisplayName, /* displayed name of the device, on which the event occurred */
CAST(((h.nIp / 16777216) & 255) AS varchar(4)) + '.' +
CAST(((h.nIp / 65536) & 255) AS varchar(4)) + '.' +
CAST(((h.nIp / 256) & 255) AS varchar(4)) + '.' +
CAST(((h.nIp) & 255) AS varchar(4)) as strIp /* IP address of the device, on which the event occurred */
FROM v_akpub_ev_event e
INNER JOIN v_akpub_host h ON h.nId=e.nHostId
WHERE e.tmRiseTime>=DATEADD(Day, -7, GETUTCDATE())
ORDER BY e.tmRiseTime DESC
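The klsql2 procedure and the query above can be wrapped in a small script, which is also the natural place to handle the one subtle part of the query: turning the integer nIp column into a dotted address. The following is an added example, not code from the Kaspersky Security Center documentation or product. It assumes that the caller passes the folder containing klsql2 (the installation folder, whose path the page does not give) and, as the SQL arithmetic does, that nIp holds the address as a host-order 32-bit integer with the first octet in the most significant byte. If the column is a signed 32-bit integer, addresses from 128.0.0.0 upward are stored as negative numbers; integer division in SQL then truncates toward zero and the octets come out wrong, so the Python decoder masks the value to 32 bits first and `sql_style_octets` shows the divergence. Check the column type in klakdb.chm before relying on either behaviour.

```python
"""Helpers around the klsql2 workflow: build the "last N days" query, run it
through klsql2 as the documentation shows, and decode the integer nIp column.

Added example, not code from the Kaspersky documentation or product.  The
klsql2 folder is an assumption supplied by the caller.  The nIp handling
assumes a host-order 32-bit integer; the signed-int case is handled by masking.
"""
import ipaddress
import os
import shutil
import subprocess


def build_recent_events_query(days=7):
    """Query text for events of the last `days` days, newest first, using the
    same public views and columns as the documentation's example.  nIp is
    selected raw so that the address can be decoded in Python."""
    if days <= 0:
        raise ValueError("days must be positive")
    return f"""SELECT
    e.nId, e.tmRiseTime, e.strEventType, e.wstrEventTypeDisplayName,
    e.wstrDescription, e.wstrGroupName, h.wstrDisplayName, h.nIp
FROM v_akpub_ev_event e
INNER JOIN v_akpub_host h ON h.nId = e.nHostId
WHERE e.tmRiseTime >= DATEADD(Day, -{days}, GETUTCDATE())
ORDER BY e.tmRiseTime DESC
"""


def run_klsql2(query, klsql2_dir, output_name="result.xml"):
    """Write src.sql next to the utility and run 'klsql2 -i src.sql -o result.xml'.
    Returns the result file path, or None when klsql2 is not present in
    klsql2_dir (for example on a device without Administration Server)."""
    exe = shutil.which("klsql2", path=klsql2_dir)
    with open(os.path.join(klsql2_dir, "src.sql"), "w", encoding="utf-8") as fh:
        fh.write(query)
    if exe is None:
        return None
    subprocess.run([exe, "-i", "src.sql", "-o", output_name],
                   cwd=klsql2_dir, check=True)
    return os.path.join(klsql2_dir, output_name)


def n_ip_to_str(n_ip):
    """Decode nIp to dotted-quad form.  Masking to 32 bits makes a negative
    (signed-int) value decode to the same address as its unsigned form."""
    value = n_ip & 0xFFFFFFFF
    return ".".join(str((value >> shift) & 255) for shift in (24, 16, 8, 0))


def str_to_n_ip(text, signed=True):
    """Encode a dotted address the way a signed (default) or unsigned 32-bit
    integer column would store it, e.g. for a WHERE h.nIp = ... filter."""
    value = int(ipaddress.IPv4Address(text))
    if signed and value >= 0x80000000:
        value -= 0x100000000
    return value


def sql_style_octets(n_ip):
    """Emulate the documentation's SQL expression exactly: integer division
    truncating toward zero, then & 255.  Correct for non-negative nIp only."""
    octets = []
    for divisor in (16777216, 65536, 256, 1):
        quotient = abs(n_ip) // divisor
        if n_ip < 0:
            quotient = -quotient
        octets.append(str(quotient & 255))
    return ".".join(octets)


if __name__ == "__main__":
    print(build_recent_events_query(7))
    print(n_ip_to_str(167772165), n_ip_to_str(-1), sql_style_octets(-1))
```

Running `run_klsql2(build_recent_events_query(), r"<KSC installation folder>")` on the Administration Server device reproduces steps 2 to 4 of the procedure; on any other device it only writes src.sql and returns None.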

Viewing the Kaspersky Security Center database name


It can be helpful to know the database name if you need, for example, to send an SQL query and connect to the
database from your SQL script editor.

To view the name of the Kaspersky Security Center database:

1. In the Kaspersky Security Center console tree, open the context menu of the Administration Server folder
and select Properties.
2. In the Administration Server properties window, in the Sections pane select Advanced and then Details of
current database.

3. In the Details of current database section, note the following database properties (see figure below):

Instance name

Name of the current Kaspersky Security Center database instance. The default value is
.\KAV_CS_ADMIN_KIT.

Database name

Name of the Kaspersky Security Center SQL database. The default value is KAV.

Section with information about the current Administration Server database

4. Click the OK button to close the Administration Server properties window.

Use the database name to address the database in your SQL queries.

Viewing export results


You can verify that the event export procedure completed successfully. To do this, check whether messages
with exported events are received by your SIEM system.

If the events sent from Kaspersky Security Center are received and properly parsed by your SIEM system,
configuration on both sides is done properly. Otherwise, check the settings you specified in Kaspersky Security
Center against the configuration in your SIEM system.

The figure below shows the events exported to ArcSight. For example, the first event is a critical Administration
Server event: "Device status is Critical".

The representation of export events in the SIEM system varies according to the SIEM system you use.

Example of events

Working with Kaspersky Security Center Web Console in a cloud environment

This section provides information about Kaspersky Security Center Web Console features related to deployment
and maintenance of Kaspersky Security Center in cloud environments, such as Amazon Web Services, Microsoft
Azure, or Google Cloud.

To work within a cloud environment, you need a special license. If you do not have such a license, the interface
elements related to cloud devices are not displayed.

Cloud Environment Configuration Wizard in Kaspersky Security Center Web Console

To configure Kaspersky Security Center by using this Wizard, you must have the following:

Specific credentials for a cloud environment:

An IAM role that has been granted the right to poll the cloud segment or an IAM user account that has been
granted the right to poll the cloud segment (for work with Amazon Web Services)

Azure Application ID, password, and subscription (for work with Microsoft Azure)

Google client email, Project ID, and private key (for work with Google Cloud)
Plug-in for Kaspersky Endpoint Security for Linux (Web Console plug-in)

Plug-in for Kaspersky Endpoint Security for Windows (Web Console plug-in)

Network Agent for Windows

Network Agent for Linux

Installation package for Kaspersky Endpoint Security for Linux

Installation package for Kaspersky Security for Windows Server

The Cloud Environment Configuration Wizard starts automatically at the first connection to Administration Server
through Administration Console if you deploy Kaspersky Security Center from a ready-to-use image. You can also
start the Cloud Environment Configuration Wizard manually at any time.

To start the Cloud Environment Configuration Wizard manually,

In the main menu, go to DISCOVERY & DEPLOYMENT → DEPLOYMENT & ASSIGNMENT → Cloud
Environment Configuration Wizard.

The Wizard starts.

An average work session with this Wizard lasts about 15 minutes.

Step 1. Licensing the application

This step is displayed only if you are using a BYOL AMI and you have not activated the application with a
Kaspersky Security for Virtualization license or a Kaspersky Hybrid Cloud Security license.

Specify the license key and click Next to proceed.

The license key is added to the Administration Server storage.

If you run the Wizard again, this step is not displayed.

Step 2. Selecting the cloud environment and authorization

This section describes features applicable only to Kaspersky Security Center 12.1 or a later version.

Specify the following settings:

Cloud environment

Select the cloud environment in which you are deploying Kaspersky Security Center: AWS, Azure, or
Google Cloud.
If you plan to work with more than one cloud environment, select one environment and then run the Wizard
again.

Connection name

Enter a name for the connection. The name cannot contain more than 256 characters. Only Unicode
characters are permitted.
This name will also be used as the name for the administration group for the cloud devices.
If you plan to work with more than one cloud environment, you might want to include the name of the
environment in the connection name, for example, "Azure Segment", "AWS Segment", or "Google Segment".

Enter your credentials to receive authorization in the cloud environment that you specified.

AWS

If you selected AWS as the cloud segment type, you need an IAM role or an AWS IAM access key for further polling
of the cloud segment.

AWS IAM role assigned to an EC2 instance


Select this option if you have an IAM role with the required rights for the Administration Server.

AWS IAM user


Select this option if you have an AWS IAM access key. Enter your key data:

Access key ID

The IAM access key ID is a sequence of alphanumeric characters. You received the key ID when you
created the IAM user account.
The eld is available if you selected an AWS IAM access key for authorization instead of an IAM role.

Secret key

The secret key that you received with the access key ID when you created the IAM user account.
The characters of the secret key are displayed as asterisks. After you begin entering the secret key, the
Show button is displayed. Click and hold this button for the necessary amount of time to view the
characters you entered.
The eld is available if you selected an AWS IAM access key for authorization instead of an IAM role.

To see the characters that you entered, click and hold the Show button.

Azure

If you selected Azure as the cloud segment type, specify the following settings for the connection that will be
used for further polling of the cloud segment:

Azure Application ID

You created this application ID on the Azure portal.


You can provide only one Azure Application ID for polling and other purposes. If you want to poll another
Azure segment, you must first delete the existing Azure connection.

Azure Subscription ID

You created the subscription on the Azure portal.

Azure Application password

You received the password of the Application ID when you created the Application ID.
The characters of the password are displayed as asterisks. After you begin entering the password, the
Show button becomes available. Click and hold this button to view the characters you entered.

To see the characters that you entered, click and hold the Show button.

Azure storage account name

You created the name of the Azure storage account for working with Kaspersky Security Center.

Azure storage access key

You received a password (key) when you created Azure storage account for working with Kaspersky
Security Center.

The key is available in section "Overview of the Azure storage account," in subsection "Keys."

To see the characters that you entered, click and hold the Show button.

Google Cloud

If you selected Google Cloud as the cloud segment type, specify the following settings for the connection that will
be used for further polling the cloud segment:

Client email address

Client email is the email address that you used for registering your project at Google Cloud.

Project ID

Project ID is the ID that you received when you registered your project at Google Cloud.

Private key

Private key is the sequence of characters that you received as your private key when you registered your
project at Google Cloud. You might want to copy and paste this sequence to avoid mistakes.

To see the characters that you entered, click and hold the Show button.

The connection that you specified is saved in the application settings.

The Cloud Environment Configuration Wizard allows you to specify only one segment. Later, you can specify more
connections to manage other cloud segments.

Click Next to proceed.

Step 3. Segment polling, configuring synchronization with Cloud and choosing further actions

At this step, cloud segment polling starts, and a special administration group for cloud devices is automatically
created. The devices found during polling are placed into this group. The cloud segment polling schedule is
configured (every 5 minutes by default; you can change this setting later).

A Synchronize with Cloud automatic moving rule is also created. For each subsequent scan of the cloud network,
virtual devices detected will be moved to the corresponding subgroup within the Managed devices\Cloud group.

Define the following settings:

Synchronize administration groups with cloud structure

If this option is enabled, the Cloud group is automatically created within the Managed devices group and a
cloud device discovery is started. The instances and virtual machines detected during each cloud network
scan are placed into the Cloud group. The structure of the administration subgroups within this group
matches the structure of your cloud segment (in AWS, availability zones and placement groups are not
represented in the structure; in Azure, subnets are not represented in the structure). Devices that have not
been identified as instances in the cloud environment are in the Unassigned devices group. This group
structure allows you to use group installation tasks to install anti-virus applications on instances, as well as
set up different policies for different groups.
If this option is disabled, the Cloud group is also created and the cloud device discovery is also started;
however, subgroups matching the cloud segment structure are not created within the group. All detected
instances are in the Cloud administration group so they are displayed in a single list. If your work with
Kaspersky Security Center requires synchronization, you can modify the properties of the Synchronize
with Cloud rule and enforce it. Enforcing this rule alters the structure of subgroups in the Cloud group so
that it matches the structure of your cloud segment.
By default, this option is disabled.

Deploy protection

If this option is selected, the Wizard creates a task to install security applications on instances. After the
Wizard finishes, the Protection Deployment Wizard automatically starts on the devices in your cloud
segments, and you will be able to install Network Agent and security applications on those devices.
Kaspersky Security Center can perform the deployment with its native tools. If you do not have
permissions to install the applications on EC2 instances or Azure virtual machines, you can configure the
Remote installation task manually and specify an account with the required permissions. In this case, the
Remote installation task will not work for the devices discovered using AWS API or Azure. This task will only
work for the devices discovered using Active Directory polling, Windows domains polling, or IP range polling.
If this option is not selected, the Protection Deployment Wizard is not started and tasks for installing
security applications on instances are not created. You can manually perform both actions later.

If you select the Deploy protection option, the Restarting devices section becomes available. In this section, you
must choose what to do when the operating system of a target device has to be restarted. Select whether to
restart instances if the device operating system has to be restarted during installation of applications:

Do not restart

If this option is selected, the device will not be restarted after the security application installation.

Restart

If this option is selected, the device will be restarted after the security application installation.

Click Next to proceed.

For Google Cloud, you can only perform deployment with Kaspersky Security Center native tools. If you
selected Google Cloud, the Deploy protection option is not available.

Step 4. Configuring Kaspersky Security Network for Kaspersky Security Center

Specify the settings for relaying information about Kaspersky Security Center operations to the Kaspersky
Security Network (KSN) knowledge base. Select one of the following options:

I agree to use Kaspersky Security Network

Kaspersky Security Center and managed applications installed on client devices will automatically transfer
their operation details to Kaspersky Security Network. Participation in Kaspersky Security Network
ensures faster updates of databases containing information about viruses and other threats, which
ensures a faster response to emergent security threats.

I do not agree to use Kaspersky Security Network

Kaspersky Security Center and managed applications will provide no information to Kaspersky Security
Network.
If you select this option, the use of Kaspersky Security Network will be disabled.

Kaspersky recommends participation in Kaspersky Security Network.

KSN agreements for managed applications may also be displayed. If you agree to use Kaspersky Security Network,
the managed application will send data to Kaspersky. If you do not agree to participate in Kaspersky Security
Network, the managed application will not send data to Kaspersky. (You can change this setting later in the
application policy.)

Click Next to proceed.

Step 5. Creating an initial configuration of protection


You can check a list of policies and tasks that are created.

Wait for the creation of policies and tasks to complete, and then click Next to proceed. On the last page of the
Wizard, click the Finish button to exit.

Network segment polling via Kaspersky Security Center Web Console


Information about the structure of the network (and devices in it) is received by Administration Server through
regular polling of cloud segments by using AWS API, Azure API, or Google API tools. Kaspersky Security Center
uses this information to update the contents of the Unassigned devices and Managed devices folders. If you have
configured devices to be moved to administration groups automatically, detected devices are included in
administration groups.

To allow the Administration Server to poll cloud segments, you must have the corresponding rights that are
provided with an IAM role or IAM user account (in AWS), or with Application ID and password (in Azure), or with a
Google client email, Google project ID, and private key (in Google Cloud).

You can add and delete connections, as well as set the polling schedule, for each cloud segment.

Adding connections for cloud segment polling


To add a connection for cloud segment polling to the list of available connections:

1. In the main menu, go to DISCOVERY & DEPLOYMENT → DISCOVERY → CLOUD.

2. In the window that opens, click Properties.

3. In the Settings window that opens, click Add.


The Cloud segment settings window opens.

4. Specify the name of the cloud environment for the connection that will be used for further polling of the cloud
segment:

Cloud environment

Select the cloud environment in which you are deploying Kaspersky Security Center: AWS, Azure, or
Google Cloud.
If you plan to work with more than one cloud environment, select one environment and then run the
Wizard again.

Connection name

Enter a name for the connection. The name cannot contain more than 256 characters. Only Unicode
characters are permitted.
This name will also be used as the name for the administration group for the cloud devices.
If you plan to work with more than one cloud environment, you might want to include the name of the
environment in the connection name, for example, "Azure Segment", "AWS Segment", or "Google
Segment".

5. Enter your credentials to receive authorization in the cloud environment that you specified.

If you selected AWS, specify the following settings:

Use AWS IAM role

Select this option if you have already created an IAM role for the Administration Server to use AWS
services.

AWS IAM user account credentials

Select this option if you have an IAM user account with the necessary permissions and you can
enter a key ID and secret key.

If you specified that you have AWS IAM user account credentials, specify the following:

Access key ID

The IAM access key ID is a sequence of alphanumeric characters. You received the key ID when
you created the IAM user account.
The field is available if you selected an AWS IAM access key for authorization instead of an IAM
role.

Secret key

The secret key that you received with the access key ID when you created the IAM user account.
The characters of the secret key are displayed as asterisks. After you begin entering the secret
key, the Show button is displayed. Click and hold this button for the necessary amount of time to
view the characters you entered.
The field is available if you selected an AWS IAM access key for authorization instead of an IAM
role.

To see the characters that you entered, click and hold the Show button.
If you selected Azure, specify the following settings:

Azure Application ID

You created this application ID on the Azure portal.


You can provide only one Azure Application ID for polling and other purposes. If you want to poll
another Azure segment, you must first delete the existing Azure connection.

Azure Subscription ID

You created the subscription on the Azure portal.

Azure Application password

You received the password of the Application ID when you created the Application ID.
The characters of the password are displayed as asterisks. After you begin entering the password,
the Show button becomes available. Click and hold this button to view the characters you entered.

To see the characters that you entered, click and hold the Show button.

Azure storage account name

You created the name of the Azure storage account for working with Kaspersky Security Center.

Azure storage access key

You received a password (key) when you created Azure storage account for working with Kaspersky
Security Center.

The key is available in section "Overview of the Azure storage account," in subsection "Keys."

To see the characters that you entered, click and hold the Show button.

If you selected Google Cloud, specify the following settings:

Client email address

Client email is the email address that you used for registering your project at Google Cloud.

Project ID

Project ID is the ID that you received when you registered your project at Google Cloud.

Private key

Private key is the sequence of characters that you received as your private key when you registered
your project at Google Cloud. You might want to copy and paste this sequence to avoid mistakes.

To see the characters that you entered, click and hold the Show button.

6. If you want, click Set polling schedule and change the default settings.

The connection is saved in the application settings.

After the new cloud segment is polled for the first time, the subgroup corresponding to that segment appears in
the Managed devices\Cloud administration group.

If you specify incorrect credentials, no instances will be found during cloud segment polling and a new
subgroup will not appear in the Managed devices\Cloud administration group.

Deleting a connection for cloud segment polling


If you no longer have to poll a specific cloud segment, you can delete the connection corresponding to it from the
list of available connections. You can also delete a connection if, for example, permissions to poll a cloud segment
have been transferred to another user who has different credentials.

To delete a connection:

1. In the main menu, go to DISCOVERY & DEPLOYMENT → DISCOVERY → CLOUD.

2. In the window that opens, click Properties.

3. In the Settings window that opens, click the name of the segment that you want to delete.

4. Click Delete.

5. In the window that opens, click the OK button to confirm your selection.

The connection is deleted. The devices in the cloud segment corresponding to this connection are automatically
deleted from the administration groups.

Configuring the polling schedule via Kaspersky Security Center Web Console

Cloud segment polling is performed according to a schedule. You can set the polling frequency.

The polling frequency is automatically set at 5 minutes by the Cloud Environment Configuration Wizard. You can
change this value at any time and set a different schedule. However, it is not recommended to configure polling to
run more frequently than every 5 minutes, because this could lead to errors in the API operation.

To configure a cloud segment polling schedule:

1. In the main menu, go to DISCOVERY & DEPLOYMENT → DISCOVERY → CLOUD.

2. In the window that opens, click Properties.

3. In the Settings window that opens, click the name of the segment for which you want to configure a polling
schedule.
This opens the Cloud segment settings window.

4. In the Cloud segment settings window, click the Set polling schedule button.
This opens the Schedule window.

5. In the Schedule window, define the following settings:

Scheduled start
Polling schedule options:

Every N days

The polling runs regularly, with the specified interval in days, starting from the specified date and
time.
By default, the polling runs every day, starting from the current system date and time.

Every N minutes

The polling runs regularly, with the specified interval in minutes, starting from the specified time.
By default, the polling runs every five minutes, starting from the current system time.

By days of week

The polling runs regularly, on the specified days of week, and at the specified time.
By default, the polling runs every Friday at 6:00:00 PM.

Every month on speci ed days of selected weeks

The polling runs regularly, on the specified days of each month, and at the specified time.
By default, no days of month are selected; the default start time is 6:00:00 PM.

Start interval (min)

Specify what N is equal to (for minutes or days).

Starting from

Specify when to start the first poll.

Run missed tasks

If the Administration Server is switched off or unavailable during the time for which the poll is scheduled,
the Administration Server can either start the poll immediately after it is switched on, or wait for the
next time for which the poll is scheduled.
If this option is enabled, the Administration Server starts polling immediately after it is switched on.
If this option is disabled, the Administration Server waits for the next time for which the polling is
scheduled.
By default, this option is enabled.

6. Click Save to save the changes.

The polling schedule for the segment is configured and saved.
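To make the Run missed tasks behavior concrete, here is an added Python model of an Every N minutes schedule together with the documented 5-minute recommended floor. It is constructed for this page and is not Kaspersky's scheduler; the function names, the 09:00 start and the outage windows are assumptions made for the illustration.

```python
"""Constructed model of cloud segment polling schedules (added example, not Kaspersky code)."""
from datetime import datetime, timedelta

# The manual recommends not polling more often than every 5 minutes (API errors otherwise).
RECOMMENDED_MIN_INTERVAL = timedelta(minutes=5)


def interval_is_recommended(interval: timedelta) -> bool:
    """True when an 'Every N minutes/days' interval respects the documented 5-minute floor."""
    return interval >= RECOMMENDED_MIN_INTERVAL


def first_scheduled_at_or_after(start: datetime, interval: timedelta, moment: datetime) -> datetime:
    """Earliest scheduled poll time >= moment for a schedule that begins at `start` ('Starting from')."""
    if moment <= start:
        return start
    full_intervals = (moment - start) // interval        # timedelta // timedelta -> int
    candidate = start + full_intervals * interval
    if candidate < moment:
        candidate += interval
    return candidate


def poll_time_after_outage(start: datetime, interval: timedelta, down_from: datetime,
                           up_at: datetime, run_missed: bool) -> datetime:
    """Moment of the next poll when the Administration Server was unavailable from
    `down_from` until `up_at`.
    run_missed=True  -> a poll that fell inside the outage runs as soon as the server is back.
    run_missed=False -> the server waits for the next scheduled moment after it is back."""
    missed = first_scheduled_at_or_after(start, interval, down_from)
    if run_missed and missed < up_at:
        return up_at
    return first_scheduled_at_or_after(start, interval, up_at)


def demo() -> dict:
    """Worked scenario (constructed): poll every 5 minutes from 09:00, server down 09:12-09:31."""
    start = datetime(2023, 1, 1, 9, 0)
    every_5 = timedelta(minutes=5)
    down, up = datetime(2023, 1, 1, 9, 12), datetime(2023, 1, 1, 9, 31)
    short_down, short_up = datetime(2023, 1, 1, 9, 11), datetime(2023, 1, 1, 9, 14)
    return {
        "run_missed": poll_time_after_outage(start, every_5, down, up, True).strftime("%H:%M"),
        "wait_for_next": poll_time_after_outage(start, every_5, down, up, False).strftime("%H:%M"),
        # Outage shorter than one interval: nothing was missed, so both settings behave the same.
        "short_outage": poll_time_after_outage(start, every_5, short_down, short_up, True).strftime("%H:%M"),
        "one_minute_ok": interval_is_recommended(timedelta(minutes=1)),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The interesting case is the outage shorter than one interval: no scheduled poll was actually missed, so Run missed tasks changes nothing there. It only matters when the outage spans at least one scheduled moment.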

Viewing the results of cloud segment polling via Kaspersky Security Center Web Console

You can view the results of cloud segment polling, that is, view the list of cloud devices managed by the
Administration Server.

To view the results of cloud segment polling,

In the main menu, go to DISCOVERY & DEPLOYMENT → DISCOVERY → CLOUD.

This displays the cloud segments available for polling.

Viewing the properties of cloud devices via Kaspersky Security Center Web Console

You can view the properties of each cloud device.

To view the properties of a cloud device:

1. In the main menu, go to DEVICES → MANAGED DEVICES.

2. Click the name of the device whose properties you want to view.
A properties window opens with the General section selected.

3. If you want to view the properties specific for cloud devices, select the System section in the properties
window.
The properties are displayed depending on the cloud platform of the device.
For the devices in AWS, the following properties are displayed:

Device discovered using API (value: AWS)

Cloud Region

Cloud VPC

Cloud availability zone

Cloud subnet

Cloud placement group (this unit is only displayed if the instance belongs to a placement group; otherwise,
it is not displayed)

For the devices in Azure, the following properties are displayed:

Device discovered using API (value: Microsoft Azure)

Cloud Region

Cloud subnet

For the devices in Google Cloud, the following properties are displayed:

Device discovered using API (value: Google Cloud)

Cloud Region

Cloud VPC

Cloud availability zone

Cloud subnet

Synchronization with Cloud: configuring the moving rule


During the Cloud Environment Configuration Wizard operation, the Synchronize with Cloud rule is created
automatically. This rule allows you to automatically move devices detected in each poll from the Unassigned
devices group to the Managed devices\Cloud group, to make these devices available for centralized management.
By default, the rule is active after it is created. You can disable, modify, or enforce the rule at any time.

To edit the properties of the Synchronize with Cloud rule and/or enforce the rule:

1. In the main menu, go to DISCOVERY & DEPLOYMENT → DEPLOYMENT & ASSIGNMENT → MOVING
RULES.
This opens a list of moving rules.

2. In the list of moving rules, select Synchronize with cloud.


This opens the rule properties window.

3. If necessary, specify the following settings in the Rule conditions tab, in the Cloud segments tab:

Device is in a cloud segment

The rule only applies to devices that are in the selected cloud segment. Otherwise, the rule applies to all
devices that have been discovered.
By default, this option is selected.

Include child objects

The rule applies to all devices in the selected segment and in all nested cloud subsections. Otherwise,
the rule only applies to devices that are in the root segment.
By default, this option is selected.

Move devices from nested objects to corresponding subgroups

If this option is enabled, devices from nested objects are automatically moved to the subgroups that
correspond to their structure.
If this option is disabled, devices from nested objects are automatically moved to the root of the Cloud
subgroup without any further branching.
By default, this option is enabled.

Create subgroups corresponding to containers of newly detected devices

If this option is enabled, when the structure of the Managed devices\Cloud group has no subgroups
that will match the section containing the device, Kaspersky Security Center creates such subgroups.
For example, if a new subnet is discovered during device discovery, a new group with the same name will
be created under the Managed devices\Cloud group.
If this option is disabled, Kaspersky Security Center does not create any new subgroups. For example, if
a new subnet is discovered during network poll, a new group with the same name will not be created
under the Managed devices\Cloud group, and the devices that are in that subnet will be moved into
the Managed devices\Cloud group.
By default, this option is enabled.

Delete subgroups for which no match is found in the cloud segments

If this option is enabled, the application deletes from the Cloud group all the subgroups that do not
match any existing cloud objects.
If this option is disabled, subgroups that do not match any of the existing cloud objects are retained.
By default, this option is enabled.

If you enabled the Synchronize administration groups with cloud structure option when using the Cloud
Environment Configuration Wizard, the Synchronize with cloud rule is created with the Create subgroups
corresponding to containers of newly detected devices and Delete subgroups for which no match is found
in the cloud segments options enabled.
If you did not enable the Synchronize administration groups with cloud structure option, the Synchronize
with cloud rule is created with these options disabled (cleared). If your work with Kaspersky Security Center
requires that the structure of subgroups in the Managed devices\Cloud subgroup matches the structure of
cloud segments, enable the Create subgroups corresponding to containers of newly detected devices and
Delete subgroups for which no match is found in the cloud segments options in the rule properties, and then
enforce the rule.

4. In the Device discovered by using the API drop-down list, select one of the following values:

No. The device cannot be detected by using AWS, Azure, or Google API, that is, it is either outside the cloud
environment, or it is in the cloud environment but it cannot be detected by using an API for some reason.

AWS. The device is discovered by using AWS API, that is, the device definitely is in the AWS cloud
environment.

Azure. The device is discovered by using Azure API, that is, the device definitely is in the Azure cloud
environment.

Google Cloud. The device is discovered by using Google API, that is, the device definitely is in the Google
cloud environment.

No value. This criterion cannot be applied.

5. If necessary, set up other rule properties in the other sections.

The moving rule is configured.
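The following is an added Python model of the Synchronize with cloud rule described above. It is constructed for this page and is not Kaspersky's implementation: the group tree is represented as a dictionary keyed by group path, and the device IDs, segment names, container paths and the assumption that devices of a deleted subgroup fall back to the Managed devices\Cloud group are all made up for the illustration.

```python
"""Constructed model of the 'Synchronize with cloud' moving rule (added example, not Kaspersky code)."""
from dataclasses import dataclass
from typing import Dict, Optional, Set, Tuple

Path = Tuple[str, ...]
ROOT: Path = ("Managed devices", "Cloud")      # the group the rule moves devices into


@dataclass(frozen=True)
class CloudDevice:
    device_id: str
    segment: str              # connection name, e.g. "AWS Segment" (constructed)
    container: Path = ()      # nested cloud objects below the segment, e.g. ("vpc-a", "subnet-1")


@dataclass
class RuleOptions:
    segment: Optional[str] = None     # "Device is in a cloud segment": None = any discovered segment
    include_children: bool = True     # "Include child objects"
    move_to_subgroups: bool = True    # "Move devices from nested objects to corresponding subgroups"
    create_subgroups: bool = True     # "Create subgroups corresponding to containers of newly detected devices"
    delete_unmatched: bool = True     # "Delete subgroups for which no match is found in the cloud segments"


def synchronize(groups: Dict[Path, Set[str]], devices, opts: RuleOptions) -> Dict[Path, Set[str]]:
    """Apply the rule to a group tree (group path -> device IDs) and return the resulting tree."""
    groups = {path: set(ids) for path, ids in groups.items()}
    groups.setdefault(ROOT, set())
    matched: Set[Path] = set()            # every cloud object seen in this poll, as a group path

    for dev in devices:
        if opts.segment is not None and dev.segment != opts.segment:
            continue                      # the rule is limited to one segment
        if not opts.include_children and dev.container:
            continue                      # only devices directly in the root of the segment
        full = ROOT + (dev.segment,) + dev.container
        for depth in range(len(ROOT) + 1, len(full) + 1):
            matched.add(full[:depth])     # the segment and every nested object are "existing cloud objects"

        target = full if opts.move_to_subgroups else ROOT
        if target not in groups:
            if opts.create_subgroups:
                for depth in range(len(ROOT) + 1, len(target) + 1):
                    groups.setdefault(target[:depth], set())
            else:
                target = ROOT             # no subgroup is created; the device lands in the Cloud group itself
        for ids in groups.values():       # e.g. take it out of "Unassigned devices"
            ids.discard(dev.device_id)
        groups[target].add(dev.device_id)

    if opts.delete_unmatched:
        for path in [p for p in groups if p[:len(ROOT)] == ROOT and p != ROOT]:
            if path not in matched:
                # Model assumption: devices of a deleted subgroup fall back to the Cloud group.
                groups[ROOT] |= groups.pop(path)
    return groups


if __name__ == "__main__":
    discovered = [
        CloudDevice("i-1", "AWS Segment", ("vpc-a", "subnet-1")),
        CloudDevice("i-2", "AWS Segment"),
        CloudDevice("vm-3", "Azure Segment", ("subnet-x",)),
    ]
    before = {("Unassigned devices",): {"i-1", "i-2", "vm-3"}, ROOT: set(),
              ROOT + ("AWS Segment", "vpc-old"): {"i-9"}}     # stale subgroup from an earlier poll
    for path, ids in sorted(synchronize(before, discovered, RuleOptions()).items()):
        print("\\".join(path), sorted(ids))
```

Running the model with all options enabled reproduces the text: a subgroup per VPC and subnet is created, the stale vpc-old subgroup disappears, and the Unassigned devices group is emptied. Clearing Create subgroups sends nested devices to the Cloud group itself, which is what the manual describes for a newly discovered subnet when that option is off.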

Creating Backup of the Administration Server data task by using a cloud DBMS

Backup tasks are Administration Server tasks. You create a backup task if you want to use a DBMS located in a
cloud environment (AWS or Azure).

To create an Administration Server data backup task:

1. In the main menu, go to DEVICES → TASKS.

2. Click Add.
The Add Task Wizard starts.

3. On the first page of the Wizard, in the Application list, select Kaspersky Security Center 14, and in the Task
type list, select Backup of Administration Server data.

4. On the corresponding page of the Wizard, specify the following information:

If you are working with a database in AWS:

S3 bucket name

The name of the S3 bucket that you created for the Backup.

Access key ID

You received the key ID (sequence of alphanumeric characters) when you created the IAM user
account for working with S3 bucket storage instance.
The field is available if you selected RDS database on an S3 bucket.

Secret key

The secret key that you received with the access key ID when you created the IAM user account.
The characters of the secret key are displayed as asterisks. After you begin entering the secret key,
the Show button is displayed. Click and hold this button for the necessary amount of time to view
the characters you entered.
The field is available if you selected an AWS IAM access key for authorization instead of an IAM role.

If you are working with a database in Microsoft Azure:

Azure storage account name

You created the name of the Azure storage account for working with Kaspersky Security Center.

Azure Subscription ID

You created the subscription on the Azure portal.

Azure password

You received the password of the Application ID when you created the Application ID.
The characters of the password are displayed as asterisks. After you begin entering the password,
the Show button becomes available. Click and hold this button to view the characters you entered.

Azure Application ID

You created this application ID on the Azure portal.


You can provide only one Azure Application ID for polling and other purposes. If you want to poll
another Azure segment, you must rst delete the existing Azure connection.

Azure SQL server name

The name and the resource group are available in your Azure SQL Server properties.

Azure SQL server resource group

The name and the resource group are available in your Azure SQL Server properties.

Azure storage access key

Available in the properties of your storage account, in the Access Keys section. You can use any of
the keys (key1 or key2).

The task is created and displayed in the list of tasks. If you enable the Open task details when creation is
complete option, you can modify the default task settings immediately after the task is created. If you do not
enable this option, the task is created with the default settings. You can modify the default settings later, at any
time.

Remote diagnostics of client devices


You can use remote diagnostics for remote execution of the following operations on client devices:

Enabling and disabling tracing, changing the tracing level, and downloading the trace file

Downloading system information and application settings

Downloading event logs

Generating a dump file for an application

Starting diagnostics and downloading diagnostics reports

Starting, stopping, and restarting applications

You can use event logs and diagnostics reports downloaded from a client device to troubleshoot problems on your
own. Also, if you contact Kaspersky Technical Support, a Technical Support specialist might ask you to download
trace files, dump files, event logs, and diagnostics reports from a client device for further analysis at Kaspersky.

Remote diagnostics is performed by using Administration Server.

Opening the remote diagnostics window


To perform remote diagnostics on a client device, you first have to open the remote diagnostics window.

To open the remote diagnostics window:

1. To select the device for which you want to open the remote diagnostics window, perform one of the following:

If the device belongs to an administration group, go to DEVICES → MANAGED DEVICES.

If the device belongs to the Unassigned devices group, go to DISCOVERY & DEPLOYMENT →
UNASSIGNED DEVICES.

2. Click the name of the required device.

3. In the device properties window that opens, select the Advanced tab.

4. In the window that opens, click Remote diagnostics.


This opens the Remote diagnostics window of a client device.

Enabling and disabling tracing for applications


You can enable and disable tracing for applications, including Xperf tracing.

Enabling and disabling tracing

To enable or disable tracing on a remote device:

1. Open the remote diagnostics window of a client device.

2. In the remote diagnostics window, click Remote diagnostics.

3. In the Statuses and logs window that opens, select the Kaspersky applications section.

This opens the list of Kaspersky applications installed on the device.

4. In the application list, select the application for which you want to enable or disable tracing.
The list of remote diagnostics options is displayed.

5. If you want to enable tracing:

a. In the Tracing section of the list, click Enable tracing.

b. In the Modify tracing level window that opens, we recommend that you keep the default values of the
settings. When required, a Technical Support specialist will guide you through the configuration process. The
following settings are available:

Tracing level

The tracing level defines the amount of detail that the trace file contains.

Rotation-based tracing

The application overwrites the tracing information to prevent excessive increase in the size of the
trace file. Specify the maximum number of files to be used to store the tracing information, and the
maximum size of each file. If the maximum number of trace files of the maximum size are written, the
oldest trace file is deleted so that a new trace file can be written.

This setting is available for Kaspersky Endpoint Security only.

c. Click Save.

The tracing is enabled for the selected application. In some cases, the security application and its task must be
restarted in order to enable tracing.

6. If you want to disable tracing for the selected application, click Disable tracing.
The tracing is disabled for the selected application.
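As an added illustration of the rotation-based tracing setting (constructed for this page, not Kaspersky Endpoint Security's own trace writer), the following Python class keeps a bounded set of trace files and shows which records survive once the limits are hit. The file naming scheme, the 3 files by 20 bytes limits and the sample records are assumptions made for the example.

```python
"""Constructed model of rotation-based tracing (added example, not Kaspersky code)."""
import os
import shutil
import tempfile


class RotatingTraceWriter:
    """Keeps at most `max_files` trace files of at most `max_size` bytes each.
    When every slot is full, the oldest file is deleted so that a new one can be written."""

    def __init__(self, directory: str, max_files: int, max_size: int, prefix: str = "trace"):
        if max_files < 1 or max_size < 1:
            raise ValueError("max_files and max_size must be positive")
        self.directory, self.max_files, self.max_size, self.prefix = directory, max_files, max_size, prefix
        self.index = 0                    # sequence number of the file currently being written
        os.makedirs(directory, exist_ok=True)

    def _path(self, i: int) -> str:
        return os.path.join(self.directory, f"{self.prefix}.{i:04d}.log")   # assumed naming scheme

    def write(self, record: str) -> None:
        data = (record.rstrip("\n") + "\n").encode("utf-8")
        current = self._path(self.index)
        size = os.path.getsize(current) if os.path.exists(current) else 0
        # Rotate only when the current file already holds data: a single oversized record
        # is still written instead of rotating forever.
        if size and size + len(data) > self.max_size:
            self.index += 1
            current = self._path(self.index)
            oldest = self.index - self.max_files
            if oldest >= 0:
                os.remove(self._path(oldest))   # the oldest tracing information is lost here
        with open(current, "ab") as fh:
            fh.write(data)

    def files(self) -> list:
        return sorted(p for p in os.listdir(self.directory) if p.startswith(self.prefix + "."))

    def total_bytes(self) -> int:
        return sum(os.path.getsize(os.path.join(self.directory, p)) for p in self.files())


def demo_rotation() -> dict:
    """Write ten 7-byte records under a 3 files x 20 bytes limit and report what survives."""
    directory = tempfile.mkdtemp()
    try:
        writer = RotatingTraceWriter(directory, max_files=3, max_size=20)
        for i in range(10):
            writer.write(f"rec-{i:02d}")      # 6 characters + newline = 7 bytes (constructed records)
        return {"files": writer.files(), "total_bytes": writer.total_bytes()}
    finally:
        shutil.rmtree(directory, ignore_errors=True)


if __name__ == "__main__":
    print(demo_rotation())
```

Each file takes two records before the third would exceed 20 bytes, so ten records spread over five files and only the last three survive; disk usage stays bounded at 3 x 20 bytes, at the price of the first four records. That trade-off is why the manual suggests keeping the default values unless Technical Support asks for something else.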

Enabling Xperf tracing

For Kaspersky Endpoint Security, a Technical Support specialist may ask you to enable Xperf tracing for
information about the system performance.

To enable and configure Xperf tracing:

1. Open the remote diagnostics window of a client device.

2. In the remote diagnostics window, click Remote diagnostics.

3. In the Statuses and logs window that opens, select the Kaspersky applications section.
This opens the list of Kaspersky applications installed on the device.

4. In the list of applications, select Kaspersky Endpoint Security for Windows.


The list of remote diagnostics options for Kaspersky Endpoint Security for Windows is displayed.

5. In the Xperf tracing section of the list, click Enable Xperf tracing.

If Xperf tracing is already enabled, the Disable Xperf tracing button is displayed instead.

6. In the Change Xperf tracing level window that opens, depending on the request from the Technical Support
specialist, do the following:

a. Select one of the following tracing levels:

Light level

A trace file of this type contains the minimum amount of information about the system.
By default, this option is selected.

Deep level

A trace file of this type contains more detailed information than trace files of the Light type and
may be requested by Technical Support specialists when a trace file of the Light type is not enough
for the performance evaluation. A Deep trace file contains technical information about the system
including information about hardware, operating system, list of started and nished processes and
applications, events used for performance evaluation, and events from Windows System
Assessment Tool.

b. Select one of the following Xperf tracing types:

Basic type

The tracing information is received during operation of the Kaspersky Endpoint Security application.
By default, this option is selected.

On-restart type

The tracing information is received when the operating system starts on the managed device. This
tracing type is effective when the issue that affects the system performance occurs after the
device is turned on and before Kaspersky Endpoint Security starts.

You may also be asked to enable the Rotation file size, in MB option to prevent excessive increase in the
size of the trace file. Then specify the maximum size of the trace file. When the file reaches the maximum
size, the oldest tracing information is overwritten with new information.

c. Define the rotation file size.

d. Click Save.

Xperf tracing is enabled and configured.

To disable Xperf tracing:

1. Open the remote diagnostics window of a client device.

2. In the remote diagnostics window, click Remote diagnostics.

3. In the Statuses and logs window that opens, select the Kaspersky applications section.

This opens the list of Kaspersky applications installed on the device.

4. In the list of applications, select Kaspersky Endpoint Security for Windows.


The tracing options for Kaspersky Endpoint Security for Windows are displayed.

5. In the Xperf tracing section of the list, click Disable Xperf tracing.
If Xperf tracing is already disabled, then the Enable Xperf tracing button is displayed instead.

Xperf tracing is disabled.

Downloading trace files of an application


To download a trace file of an application:

1. Open the remote diagnostics window of a client device.

2. In the remote diagnostics window, click Remote diagnostics.

3. In the Statuses and logs window that opens, select the Kaspersky applications section.
This opens the list of Kaspersky applications installed on the device.
In the Tracing section, click the Trace files button.
This opens the Device tracing logs window, where a list of trace files is displayed.

4. In the list of trace files, select the file that you want.

5. Do one of the following:

Download the selected file by clicking Download entire file.

Download a portion of the selected file:

a. Click Download a portion.

b. In the window that opens, specify the name and the file portion to download, according to your needs.

c. Click Download.

The selected file, or its portion, is downloaded to the location that you specify.

Deleting trace files


You can delete trace files that are no longer needed.

To delete a trace file:

1. Open the remote diagnostics window of a client device.

2. In the remote diagnostics window that opens, click Remote diagnostics.

3. In the Statuses and logs window that opens, make sure that the Operating system logs section is selected.

4. In the Trace files section, click the Windows Update logs button or Remote installation logs button,
depending on which trace files you want to delete.
This opens the list of trace files.

5. In the list of trace files, select the file that you want to delete.

6. Click the Remove button.

The selected trace file is deleted.

Downloading application settings


To download application settings from a client device:

1. Open the remote diagnostics window of a client device.

2. In the remote diagnostics window that opens, click Remote diagnostics.

3. In the Statuses and logs window that opens, make sure that the Operating system logs section is selected in
the right pane.

In the System Info section, click the Download file button to download the system information about the
client device.

In the Application settings section, click the Download file button to download information about the
settings of the applications installed on the device.

The information is downloaded to the location that you specify as a file.

Downloading event logs


To download an event log from a remote device:

1. Open the remote diagnostics window of a client device.

2. In the remote diagnostics window, click Device logs.

3. In the All device logs window, select the relevant log.

4. Do one of the following:

Download the selected log by clicking Download entire file.

Download a portion of the selected log:

a. Click Download a portion.

b. In the window that opens, specify the name and the file portion to download, according to your needs.

c. Click Download.

The selected event log, or a portion of it, is downloaded to the location that you specify.

Starting, stopping, restarting the application


You can start, stop, and restart applications on a client device.

To start, stop, or restart an application:

1. Open the remote diagnostics window of a client device.

2. In the remote diagnostics window, click Remote diagnostics.

3. In the Statuses and logs window that opens, select the Kaspersky applications section.
This opens the list of Kaspersky applications installed on the device.

4. In the list of applications, select the application that you want to start, stop, or restart.

5. Select an action by clicking one of the following buttons:

Stop application
This button is available only if the application is currently running.

Restart application
This button is available only if the application is currently running.

Start application
This button is available only if the application is not currently running.

Depending on the action that you have selected, the required application is started, stopped, or restarted on the
client device.

If you restart the Network Agent, a message is displayed stating that the current connection of the device to the
Administration Server will be lost.

Running the remote diagnostics of an application and downloading the results

To start diagnostics for an application on a remote device and download the results:

1. Open the remote diagnostics window of a client device.

2. In the remote diagnostics window, click Remote diagnostics.

3. In the Statuses and logs window that opens, select the Kaspersky applications section.
This opens the list of Kaspersky applications installed on the device.

4. In the list of applications, select the application for which you want to run remote diagnostics.
The list of remote diagnostics options is displayed.
5. In the Diagnostics report section of the list, click the Run diagnostics button.
This starts the remote diagnostics process and generates a diagnostics report. When the diagnostics process
is complete, the Download diagnostics report button becomes available.

6. Download the report by clicking the Download diagnostics report button.

The report is downloaded to the location that you specified.

Running an application on a client device


You may have to run an application on the client device, if a Kaspersky support specialist requests it.

You do not have to install the application on that device.

To run an application on the client device:

1. Open the remote diagnostics window of a client device.

2. In the remote diagnostics window that opens, click Remote diagnostics.

3. In the Statuses and logs window that opens, select the Running a remote application section.

4. In the Running a remote application window, in the Application files section, do one of the following, according
to what a Kaspersky specialist asks you to do:

Select a ZIP archive containing the application that you want to run on the client device by clicking the
Browse button.

The ZIP archive must include the utility folder. This folder contains the executable file to be run on a
remote device.

Specify a command-line application and its arguments, if necessary. To do this, fill in the Executable file in
an archive to be run on a remote device and Command-line arguments fields.

5. Click the Upload and run button to run the specified application on a client device.

6. Follow the instructions of the specialist.

Generating a dump file for an application


An application dump file allows you to view parameters of the application running on a client device at a point in
time. This file also contains information about modules that were loaded for an application.

Generating dump files is available only for 32-bit processes running on Windows-based client devices.
For 64-bit processes this feature is not supported.

To create a dump file for an application:

1. Open the remote diagnostics window of a client device.


2. In the remote diagnostics window that opens, click Remote diagnostics.

3. In the Statuses and logs window that opens, select the Running a remote application section.

4. In the Generating the process dump file section, specify the executable file of the application for which you
want to generate a dump le.

5. Click the Download dump file button to save the dump file for the specified application.
If the specified application is not running on the client device, an error message is displayed.

Changing the language of the Kaspersky Security Center Web Console interface

You can select the language of the Kaspersky Security Center Web Console interface.

To change the interface language:

1. In the main menu, go to your account settings, and then select Language.

2. Select one of the supported localization languages.

API Reference Guide
This Kaspersky Security Center OpenAPI reference guide is designed to assist in the following tasks:

Automation and customization. You can automate tasks that you might not want to handle manually by using
Administration Console. You can also implement custom scenarios that are not yet supported in Administration
Console. For example, as an administrator, you can use Kaspersky Security Center OpenAPI to create and run
scripts that will facilitate developing the structure of administration groups and keep that structure up-to-date.

Custom development. For example, you can develop an alternative MMC-based Administration Console for
your clients, which permits a limited set of actions.

In the OpenAPI reference guide, you can use the search field in the right part of the screen to locate the
information you need.

OPENAPI REFERENCE GUIDE

Samples of scripts

The OpenAPI reference guide contains samples of the Python scripts listed in the table below. The samples show
how you can call OpenAPI methods and automatically accomplish various tasks for protecting your network, for
instance, create a "primary/secondary" hierarchy, run tasks in Kaspersky Security Center, or assign distribution
points. You can run the samples as is or create your own scripts based on the samples.

To call the OpenAPI methods and run scripts:

1. Download the KlAkOAPI.tar.gz archive. This archive includes the KlAkOAPI package and samples (you can copy
them from the archive or the OpenAPI reference guide).

2. Install the KlAkOAPI package from the KlAkOAPI.tar.gz archive on a device where Administration Server is
installed.
You can call the OpenAPI methods, run the samples and your own scripts only on devices where Administration
Server and the KlAkOAPI package are installed.

Matching between user scenarios and samples of Kaspersky Security Center OpenAPI methods

Sample: Log KlAkParams
Purpose: You can extract and process data by using the KlAkParams data structure. The sample shows how to
work with this data structure. The sample output may be presented in different ways: you can get the data to
send it in an HTTP method or to use it in your code.
Scenario: Monitoring and reporting

Sample: Create and delete a "primary/secondary" hierarchy
Purpose: You can add a secondary Administration Server and establish a "primary/secondary" hierarchy.
Alternately, you can disconnect the secondary Administration Server from the hierarchy.
Scenario: Creating a hierarchy of Administration Servers: adding a secondary Administration Server; Deleting a
hierarchy of Administration Servers

Sample: Create the group hierarchy with a structure based on the Active Directory unit
Purpose: You can poll the Active Directory unit and form a hierarchy of discovered device groups.
Scenario: Creating administration groups

Sample: Create the group hierarchy with a structure based on the cached Active Directory unit
Purpose: You can form a hierarchy of the managed device groups based on the Active Directory unit polled
earlier. If new devices appear in the Active Directory after the last polling, they are not added into the group
because they are not in the saved polling results.
Scenario: Creating administration groups

Sample: Download network list files via connection gateway to the specified device
Purpose: You can connect to Network Agent on the needed device by using a connection gateway, and then
download a file with the network list to your device.
Scenario: Adjustment of distribution points and connection gateways

Sample: Install a license key stored in the primary Administration Server repository onto the secondary
Administration Servers
Purpose: You can connect to the primary Administration Server, download a required license key from it, and
transmit this key to all the secondary Administration Servers included in a hierarchy.
Scenario: Licensing of managed applications

Sample: Create a report of effective user rights
Purpose: You can create different reports. For instance, you can generate the report of effective user rights by
using this sample. This report describes the rights that a user has, depending on his or her group and role. You
can download the report in the HTML, PDF, or Excel format.
Scenario: Generating and viewing a report

Sample: Start a task for a device
Purpose: You can connect to Network Agent on the needed device by using a connection gateway, and then run
the necessary task.
Scenario: Starting a task manually

Sample: Create IP subnets based on Active Directory Site and Services
Purpose: You can create an IP subnet based on the Active Directory unit that you use. The sample launches
polling of the specified IP range and deletes discovered subnets to avoid their conflict with a new subnet.
Therefore, do not run this sample in a network where it is important to keep subnets. After polling, the sample
refers to the Active Directory, examines every device in it, and creates the IP subnet. To do this, the sample uses
masks and IP addresses of all devices.
Scenario: Configuring network protection

Sample: Register distribution points for devices in a group
Purpose: You can assign managed devices as distribution points (previously known as update agents).
Scenario: Updating Kaspersky databases and applications

Sample: Enumerate all groups
Purpose: You can perform various actions with administration groups. The sample shows how to get an identifier
of the "Managed devices" root group, move through the group hierarchy, and retrieve the full, expanded
hierarchy of groups, along with their names and nesting.
Scenario: Configuring Administration Server

Sample: Enumerate tasks, query task statistics, and run a task
Purpose: You can find out the task progress history, the current task status, and the number of tasks in different
statuses. You can also run a task. By default, the sample runs a task after it outputs statistics.
Scenario: Monitoring task execution

Sample: Create and run a task
Purpose: You can create a task. Specify the following task parameters in the sample: type, method of run, name,
and the device group for which the task will be used. By default, the sample creates a task with the "Show
message" type. You can run this task for all managed devices of Administration Server. If necessary, you can
specify your own task parameters.
Scenario: Creating a task

Sample: Enumerate license keys
Purpose: You can get a list of all the active license keys for Kaspersky applications installed on managed devices
of Administration Server. The list contains detailed data about every license key, such as a name, type, or
expiration date.
Scenario: Viewing information about license keys in use

Sample: Create and find an internal user
Purpose: You can create an account for further work.
Scenario: Selecting the account to start Administration Server

Sample: Create a custom category
Purpose: You can create the application category with the needed parameters.
Scenario: Creating an application category with content added manually

Sample: Enumerate users by using SrvView
Purpose: You can use the SrvView class to request detailed information from the Administration Server. For
instance, you can get a list of users by using this sample.
Scenario: Managing user accounts

Applications interacting with Kaspersky Security Center via OpenAPI

Some applications interact with Kaspersky Security Center via OpenAPI. Such applications include, for example,
Kaspersky Anti Targeted Attack Platform or Kaspersky Security for Virtualization. This can also be a custom client
application developed by you based on OpenAPI.

Applications interacting with Kaspersky Security Center via OpenAPI connect to Administration Server. If you have
configured an allowlist of IP addresses for connecting to the Administration Server, add the IP addresses of devices
where applications using Kaspersky Security Center OpenAPI are installed. To find out whether the application
that you use works via OpenAPI, see the Help of that application.

Best Practices for Service Providers
This section provides information about how to configure and use Kaspersky Security Center.

This section contains recommendations on how to deploy, configure, and use the application, as well as describes
ways of resolving typical issues in the application operation.

Planning Kaspersky Security Center deployment


When planning the deployment of Kaspersky Security Center components on an organization's network, you must
take into account the size and scope of the project; specifically, the following factors:

Total number of devices

Number of MSP clients

One Administration Server can support a maximum of 100,000 devices. If the total number of devices on an
organization's network exceeds 100,000, multiple Administration Servers must be deployed on the service provider
side and combined into a hierarchy for convenient centralized management.

Up to 500 virtual servers can be created on a single Administration Server, so an individual Administration Server is
required for each 500 MSP clients.

At the stage of deployment planning, the assignment of a special X.509 certificate to the Administration Server
must be considered. Assignment of the X.509 certificate to the Administration Server may be useful in the
following cases (partial list):

Inspecting secure socket layer (SSL) traffic by means of an SSL termination proxy

Specifying required values in certificate fields

Providing the required encryption strength of a certificate

Providing internet access to Administration Server


To allow devices on the client network to access Administration Server over the internet, you have to make
available the following Administration Server ports:

13000 TCP—Administration Server TLS port for connecting Network Agents deployed on the client network

8061 TCP—HTTPS port for publishing stand-alone packages using Administration Console tools

8060 TCP—HTTP port for publishing stand-alone packages using Administration Console tools

13292 TCP—TLS port required only if there are mobile devices that need to be managed

If you need to provide clients with basic options of network administration through Kaspersky Security Center
Web Console, you also have to open the Kaspersky Security Center Web Console port 8080 TCP (HTTPS port).

Kaspersky Security Center standard configuration
One or several Administration Servers are deployed on the MSPs' servers. The number of Administration Servers
can be selected either based on available hardware, or on the total number of MSP clients served or total number
of managed devices.

One Administration Server can support up to 100,000 devices. You must consider the possibility of increasing the
number of managed devices in the near future: it may be useful to connect a slightly smaller number of devices to
a single Administration Server.

Up to 500 virtual servers can be created on a single Administration Server, so an individual Administration Server is
required for each 500 MSP clients.

If multiple Servers are used, it is recommended that you combine them into a hierarchy. Using a hierarchy of
Administration Servers allows you to avoid duplicated policies and tasks, and to handle the whole set of managed
devices as if they were managed by a single Administration Server: i.e., search for devices, build selections of
devices, and create reports.

On each virtual server that corresponds to an MSP client, you must assign one or several distribution point(s). If
MSP clients and the Administration Server are linked through the internet, it may be useful to create a Download
updates to the repositories of distribution points task for the distribution points, so that they will download
updates directly from Kaspersky servers, not from the Administration Server.

If some devices in the MSP client network have no direct internet access, you have to switch the distribution
points to the connection gateway mode. In this case, Network Agents on devices on the MSP client network will be
connected, for further synchronization, to the Administration Server—but through the gateway, not directly.

As the Administration Server most probably will not be able to poll the network on the MSP client side, it may be
useful to turn this function over to a distribution point.

The Administration Server will not be able to send notifications to port 15000 UDP to managed devices located
behind the NAT on the MSP client network. To resolve this issue, it may be useful to enable the mode of continuous
connection to the Administration Server in the properties of devices acting as distribution points and running in
connection gateway mode (Do not disconnect from the Administration Server check box). The continuous
connection mode is available if the total number of distribution points does not exceed 300.

About distribution points


A device with Network Agent installed can be used as a distribution point. In this mode, Network Agent can perform
the following functions:

Distribute updates (these can be retrieved either from the Administration Server or from Kaspersky servers). In
the latter case, the Download updates to the repositories of distribution points task must be created for the
device serving as the distribution point.

Install software (including initial deployment of Network Agents) on other devices.

Poll the network to detect new devices and update information about existing ones. A distribution point can
apply the same device discovery methods as the Administration Server.

Deployment of distribution points on an organization's network pursues the following objectives:

Reduce the load on the Administration Server if it functions as the update source.

Optimize internet traffic since, in this case, each device on the MSP client network does not have to access
Kaspersky servers or the Administration Server for updates.

Provide the Administration Server access to devices behind the NAT (relative to the Administration Server) of
the MSP client network, which allows the Administration Server to perform the following actions:

Send notifications to devices over UDP on the IPv4 or IPv6 network

Poll the IPv4 or IPv6 network

Perform initial deployment

Act as a push server

A distribution point is assigned for an administration group. In this case, the distribution point's scope includes all
devices within the administration group and all of its subgroups. However, the device acting as the distribution
point does not have to be included in the administration group to which it has been assigned.

You can make a distribution point function as a connection gateway. In this case, devices in the scope of this
distribution point will be connected to the Administration Server through the gateway, not directly. You can use this
mode in scenarios that do not allow the establishment of a direct connection between devices with Network
Agent and an Administration Server.

Devices functioning as distribution points must be protected, including physical protection, against any
unauthorized access.

Hierarchy of Administration Servers


An MSP may run multiple Administration Servers. It can be inconvenient to administer several separate
Administration Servers, so a hierarchy can be applied. A "primary/secondary" con guration for two Administration
Servers provides the following options:

A secondary Administration Server inherits policies and tasks from the primary Administration Server, thus
preventing duplication of settings.

Selections of devices on the primary Administration Server can include devices from secondary Administration
Servers.

Reports on the primary Administration Server can contain data (including detailed information) from secondary
Administration Servers.

Virtual Administration Servers


On the basis of a physical Administration Server, multiple virtual Administration Servers can be created, which will
be similar to secondary Administration Servers. Compared to the discretionary access model, which is based on
access control lists (ACLs), the virtual Administration Server model is more functional and provides a larger degree
of isolation. In addition to a dedicated structure of administration groups for assigned devices with policies and
tasks, each virtual Administration Server features its own group of unassigned devices, own sets of reports,
selected devices and events, installation packages, moving rules, etc. For maximum mutual isolation of MSP clients,
we recommend that you choose virtual Administration Servers as the functionality to be used. In addition, creating
a virtual Administration Server for each MSP client allows you to provide clients basic options of network
administration through Kaspersky Security Center 14 Web Console.
Virtual Administration Servers are very similar to secondary Administration Servers, but with the following
distinctions:

A virtual Administration Server lacks most global settings and its own TCP ports.

A virtual Administration Server has no secondary Administration Servers.

A virtual Administration Server has no other virtual Administration Servers.

A physical Administration Server views devices, groups, events, and objects on managed devices (items in
Quarantine, applications registry, etc.) of all its virtual Administration Servers.

A virtual Administration Server can only scan the network with distribution points connected.

Managing mobile devices with Kaspersky Endpoint Security for Android


Mobile devices with installed Kaspersky Endpoint Security for Android™ (hereinafter referred to as KES devices)
are managed by means of the Administration Server. Kaspersky Security Center supports the following features
for managing KES devices:

Handling mobile devices as client devices:

Membership in administration groups

Monitoring, such as viewing statuses, events, and reports

Modifying local settings and assigning policies for Kaspersky Endpoint Security for Android

Sending commands in centralized mode

Installing mobile apps packages remotely

Administration Server manages KES devices through TLS, TCP port 13292.

Deployment and initial setup


Kaspersky Security Center is a distributed application. Kaspersky Security Center includes the following
applications:

Administration Server—The core component, designed for managing devices of an organization and storing
data in a DBMS.

Administration Console—The basic tool for the administrator. Administration Console is shipped together with
Administration Server, but it can also be installed individually on one or several devices run by the administrator.

Kaspersky Security Center Web Console—A web interface for Administration Server designed for basic
operations. You can install this component on any device that meets the hardware and software requirements.

Network Agent—Designed for managing the security application installed on a device, as well as getting
information about that device. Network Agents are installed on devices of an organization.

Deployment of Kaspersky Security Center on an organization's network is performed as follows:

Installation of Administration Server

Installation of Kaspersky Security Center Web Console

Installation of Administration Console on the administrator's device

Installation of Network Agent and the security application on devices of the enterprise

Recommendations on Administration Server installation


This section contains recommendations on how to install Administration Server. This section also provides
scenarios for using a shared folder on the Administration Server device in order to deploy Network Agent on client
devices.

Creating accounts for the Administration Server services on a failover cluster
By default, the installer automatically creates non-privileged accounts for services of Administration Server. This
behavior is the most convenient for Administration Server installation on an ordinary device.

However, installation of Administration Server on a failover cluster requires a di erent scenario:

1. Create non-privileged domain accounts for services of Administration Server and make them members of a
global domain security group named KLAdmins.

2. In the Administration Server Installer, specify the domain accounts that have been created for the services.

Selecting a DBMS
When installing Administration Server, you can select the DBMS that Administration Server will use. When
selecting the database management system (DBMS) to be used by an Administration Server, you must take into
account the number of devices covered by the Administration Server.

The following table lists the valid DBMS options, as well as the restrictions on their use.

Restrictions on DBMS

DBMS: SQL Server Express Edition 2012 or later
Restrictions: Use this DBMS if you intend to run a single Administration Server for less than 10,000 devices.
It is recommended to disable the Software inventory task and disable (in the Kaspersky Endpoint Security policy
settings) notifications of Administration Server on started applications. Refer to the following topic for details:
Calculation of database space.
Concurrent use of the SQL Server Express Edition DBMS by Administration Server and another application is
strictly forbidden.
The Microsoft SQL Express database is not supported for the Perform Windows Update synchronization task.

DBMS: Local SQL Server edition, other than Express, 2012 or later
Restrictions: No limitations.

DBMS: Remote SQL Server edition, other than Express, 2012 or later
Restrictions: Only valid if both devices are in the same Windows® domain; if the domains differ, a two-way trust
relationship must be established between them.

DBMS: Local or remote MySQL 5.5, 5.6, or 5.7 (MySQL versions 5.5.1, 5.5.2, 5.5.3, 5.5.4, and 5.5.5 are no longer
supported)
Restrictions: Not recommended if you intend to run a single Administration Server for more than 10,000 devices.
It is recommended to disable the Software inventory task and disable (in the Kaspersky Endpoint Security policy
settings) notifications of Administration Server on started applications. Refer to the following topic for details:
Calculation of database space.

DBMS: Local or remote MySQL 8.0.20 or later
Restrictions: Not recommended if you intend to run a single Administration Server for more than 50,000 devices.
It is recommended to disable the Software inventory task and disable (in the Kaspersky Endpoint Security policy
settings) notifications of Administration Server on started applications. Refer to the following topic for details:
Calculation of database space.

DBMS: Local or remote MariaDB Server 10.3, MariaDB 10.3 (build 10.3.22 or later)
Restrictions: Not recommended if you intend to run a single Administration Server for more than 20,000 devices.
It is recommended to disable the Software inventory task and disable (in the Kaspersky Endpoint Security policy
settings) notifications of Administration Server on started applications. Refer to the following topic for details:
Calculation of database space.

If you are using SQL Server 2019 as a DBMS and you do not have cumulative patch CU12 or later, you have to
perform the following after installing Kaspersky Security Center:

1. Connect to SQL Server using SQL Management Studio.

2. Run the following commands (if you chose a different name for the database, use that name instead of KAV):
USE KAV
GO
ALTER DATABASE SCOPED CONFIGURATION SET TSQL_SCALAR_UDF_INLINING = OFF
GO

3. Restart the SQL Server 2019 service.

Otherwise, using SQL Server 2019 may result in errors, such as "There is insufficient system memory in resource
pool 'internal' to run this query."
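As an added check that is not part of the Kaspersky documentation, the following T-SQL shows the installed SQL Server update level and the current state of the setting in the KAV database, and applies the workaround above only when scalar UDF inlining is still enabled, so the script can be re-run safely. It assumes the database is named KAV, as in the procedure above.

```sql
-- Added example, not from the Kaspersky documentation: verify the SQL Server 2019
-- update level and the TSQL_SCALAR_UDF_INLINING setting of the KAV database.
-- Replace KAV with your database name if you chose a different one.
USE KAV;
GO

-- ProductUpdateLevel returns the installed cumulative update (for example, CU12);
-- the workaround below is only needed when it is earlier than CU12.
SELECT SERVERPROPERTY('ProductVersion')     AS product_version,
       SERVERPROPERTY('ProductUpdateLevel') AS update_level;

-- Current state of the database-scoped setting (value 1 = ON, 0 = OFF).
SELECT name, value, is_value_default
FROM sys.database_scoped_configurations
WHERE name = 'TSQL_SCALAR_UDF_INLINING';

-- Disable scalar UDF inlining only if it is still enabled, so the script is
-- idempotent and can be re-run after the SQL Server service restart.
IF EXISTS (SELECT 1
           FROM sys.database_scoped_configurations
           WHERE name = 'TSQL_SCALAR_UDF_INLINING' AND CAST(value AS int) = 1)
BEGIN
    ALTER DATABASE SCOPED CONFIGURATION SET TSQL_SCALAR_UDF_INLINING = OFF;
END
GO
```

After the SQL Server service restart described in step 3, run the second SELECT again and confirm that value is 0.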

Concurrent use of the SQL Server Express Edition DBMS by Administration Server and another application is
strictly forbidden.

Specifying the address of the Administration Server

When installing Administration Server, you must specify the external address of the Administration Server. This
address will be used as the default address when creating installation packages of Network Agent. After that, you
will be able to change the address of the Administration Server host by using Administration Console tools; the
address will not change automatically in Network Agent installation packages that have been already created.

Configuring protection on a client organization's network


After Administration Server installation is complete, Administration Console launches and prompts you to perform
the initial setup through the relevant wizard. When the Quick Start Wizard is running, the following policies and
tasks are created in the root administration group:

Policy of Kaspersky Endpoint Security

Group task for updating Kaspersky Endpoint Security

Group task for scanning a device with Kaspersky Endpoint Security

Policy of Network Agent

Vulnerability scan task (task of Network Agent)

Updates installation and vulnerabilities fix task (task of Network Agent)

Policies and tasks are created with the default settings, which may turn out to be sub-optimal or even inadmissible
for the organization. Therefore, you must check the properties of objects that have been created and modify
them manually, if necessary.

This section contains information about manual configuration of policies, tasks, and other settings of
Administration Server, and information about the distribution point, building an administration group structure and
hierarchy of tasks, and other settings.

Manual setup of Kaspersky Endpoint Security policy


This section provides recommendations on how to configure the Kaspersky Endpoint Security policy, which is
created by the Quick Start Wizard. You can perform the setup in the policy properties window.

When editing a setting, please keep in mind that you must click the lock icon above the relevant setting in order to
allow using its value on a workstation.

Configuring the policy in the Advanced Threat Protection section

For a full description of the settings in this section, please refer to the Kaspersky Endpoint Security for
Windows documentation.

In the Advanced Threat Protection section, you can configure the use of Kaspersky Security Network for
Kaspersky Endpoint Security for Windows. You can also configure Kaspersky Endpoint Security for Windows
modules, such as Behavior Detection, Exploit Prevention, Host Intrusion Prevention, and Remediation Engine.

In the Kaspersky Security Network subsection, we recommend that you enable the Use KSN Proxy option. Using
this option helps to redistribute and optimize traffic on the network. If the Use KSN Proxy option is disabled, you
can enable direct use of KSN servers.

Configuring the policy in the Essential Threat Protection section

For a full description of the settings in this section, please refer to the Kaspersky Endpoint Security for
Windows documentation.

In the Essential Threat Protection section of the policy properties window, we recommend that you specify
additional settings in the Firewall and File Threat Protection subsections.

The Firewall subsection contains settings that allow you to control the network activity of applications on the
client devices. A client device uses a network to which one of the following statuses is assigned: public, local, or
trusted. Depending on the network status, Kaspersky Endpoint Security can allow or deny network activity on a
device. When you add a new network to your organization, you must assign an appropriate network status to it. For
example, if the client device is a laptop, we recommend that this device use the public or trusted network, because
the laptop is not always connected to the local network. In the Firewall subsection, you can check whether you
correctly assigned statuses to the networks used in your organization.

To check the list of networks:

1. In the policy properties, go to Essential Threat Protection → Firewall.

2. In the Available networks section, click the Settings button.

3. In the Firewall window that opens, go to the Networks tab to view the list of networks.

In the File Threat Protection subsection, you can disable the scanning of network drives. Scanning network drives
can place a significant load on them. It is more convenient to perform the scanning indirectly, on the file servers.

To disable scanning of network drives:

1. In the policy properties, go to Essential Threat Protection → File Threat Protection.

2. In the Security level section, click the Settings button.

3. In the File Threat Protection window that opens, on the General tab clear the All network drives check box.

Configuring the policy in the General Settings section

For a full description of the settings in this section, please refer to the Kaspersky Endpoint Security for
Windows documentation.

In the General Settings section of the policy properties window, we recommend that you specify additional
settings in the Reports and Storage and Interface subsections.

In the Reports and Storage subsection, go to the Data transfer to Administration Server section. The About
started applications check box specifies whether the Administration Server database saves information about all
versions of all software modules on the networked devices. If this check box is selected, the saved information may
require a significant amount of disk space in the Kaspersky Security Center database (dozens of gigabytes). Clear
the About started applications check box if it is selected in the top-level policy.

If Administration Console manages the Anti-Virus protection on the organization's network in centralized mode,
disable the display of the Kaspersky Endpoint Security for Windows user interface on workstations. To do this, in
the Interface subsection, go to the Interaction with user section, and then select Do not display option.

To enable password protection on workstations, in the Interface subsection, go to the Password protection
section, click the Settings button, and then select the Enable password protection check box.

Configuring the policy in the Event configuration section


In the Event configuration section, you should disable the saving of any events on Administration Server, except
for the following ones:

On the Critical event tab:

Application autorun is disabled

Access denied

Application startup prohibited

Disinfection not possible

License Agreement violated

Could not load encryption module

Cannot start two tasks at the same time

Active threat detected. Start Advanced Disinfection

Network attack detected

Not all components were updated

Activation error

Error enabling portable mode

Error in interaction with Kaspersky Security Center

Error disabling portable mode

Error changing application components

Error applying file encryption / decryption rules

Policy cannot be applied

Process terminated

Network activity blocked

On the Functional failure tab: Invalid task settings. Settings not applied

On the Warning tab:

Self-Defense is disabled

Incorrect reserve key

User has opted out of the encryption policy

On the Info tab: Application startup prohibited in test mode

Manual setup of the group update task for Kaspersky Endpoint Security

Information from this subsection is only applicable to Kaspersky Security Center 10 Maintenance Release 1
and later versions.

If the Administration Server acts as the update source, the optimal and recommended schedule option for
Kaspersky Endpoint Security 10 and later versions is When new updates are downloaded to the repository with
the Use automatically randomized delay for task starts check box selected.

For a group update task in Kaspersky Endpoint Security version 8 you must explicitly specify the launch delay (1
hour or longer) and select the Use automatically randomized delay for task starts check box.

If a local task for downloading updates from Kaspersky servers to the repository is created on each distribution
point, periodic scheduling will be optimal and recommended for the Kaspersky Endpoint Security group update
task. In this case, the randomization interval value should be set on 1 hour.

Manual setup of the group task for scanning a device with Kaspersky
Endpoint Security
The Quick Start Wizard creates a group task for scanning a device. By default, the task is assigned a Run on
Fridays at 7:00 PM schedule with automatic randomization, and the Run missed tasks check box is cleared.

This means that if devices in an organization are shut down on Fridays, for example, at 6:30 PM, the device scan
task will never run. You must set up the most convenient schedule for this task based on the workplace rules
adopted in the organization.

Scheduling the Find vulnerabilities and required updates task


The Quick Start Wizard creates the Find vulnerabilities and required updates task for Network Agent. By default,
the task is assigned a Run on Tuesdays at 7:00 PM schedule with automatic randomization, and the Run missed
tasks check box is selected.

If the organization's workplace rules provide for shutting down all devices at this time, the Find vulnerabilities and
required updates task will run after the devices are turned on again, that is, on Wednesday morning. Such activity
may be undesirable because a vulnerability scan may increase the load on CPUs and disk subsystems. You must set
up the most convenient schedule for the task based on the workplace rules adopted in the organization.

Manual setup of the group task for updates installation and vulnerabilities fix
The Quick Start Wizard creates a group task for updates installation and vulnerabilities fix for Network Agent. By
default, the task is set up to run every day at 01:00 AM, with automatic randomization, and the Run missed tasks
option is not enabled.

If the organization's workplace rules provide for shutting down devices overnight, the update installation will never
run. You must set up the most convenient schedule for the vulnerability scan task based on the workplace rules
adopted in the organization. It is also important to keep in mind that installation of updates may require restarting
the device.

Building a structure of administration groups and assigning distribution points
A structure of administration groups in Kaspersky Security Center performs the following functions:

Sets the scope of policies.


There is an alternate way of applying relevant settings on devices, by using policy profiles. In this case, the
scope of policies is set with tags, device locations in Active Directory organizational units, membership in Active
Directory security groups, etc.

Sets the scope of group tasks.


There is an approach to defining the scope of group tasks that is not based on a hierarchy of administration
groups: use of tasks for device selections and tasks for specific devices.

Sets access rights to devices, virtual Administration Servers, and secondary Administration Servers.

Assigns distribution points.

When building the structure of administration groups, you must take into account the topology of the
organization's network for the optimum assignment of distribution points. The optimum distribution of distribution
points allows you to save traffic on the organization's network.

Depending on the organizational schema and network topology adopted by the MSP client, the following standard
configurations can be applied to the structure of administration groups:

Single office

Multiple small detached offices

Standard MSP client configuration: Single office

In a standard "single-office" configuration, all devices are on the organization's network so they can "see" each
other. The organization's network may consist of a few separate parts (networks or network segments) linked by
narrow channels.

The following methods of building the structure of administration groups are possible:

Building the structure of administration groups taking into account the network topology. The structure of
administration groups may not reflect the network topology with absolute precision. A match between the
separate parts of the network and certain administration groups would be enough. You can use automatic
assignment of distribution points or assign them manually.

Building the structure of administration groups, without taking the network topology into account. In this case,
you must disable automatic assignment of distribution points and then assign one or several devices to act as
distribution points for a root administration group in each of the separate parts of the network, for example, for
the Managed devices group. All distribution points will be at the same level and will feature the same scope
spanning all devices on the organization's network. In this case, each of Network Agents will connect to the
distribution point that has the shortest route. The route to a distribution point can be traced with the tracert
utility.

Standard MSP client configuration: Multiple small remote offices


This standard configuration provides for a number of small remote offices, which communicate with the head
office via the internet. Each remote office is located behind NAT, that is, a connection from one remote office to
another is not possible because the offices are isolated from one another.

The configuration must be reflected in the structure of administration groups: a separate administration group
must be created for each remote office (groups Office 1 and Office 2 in the figure below).

Remote offices are included in the administration group structure

One or multiple distribution points must be assigned to each administration group corresponding to an office.
Distribution points must be devices at the remote office that have a sufficient amount of free disk space. Devices
deployed in the Office 1 group, for example, will access distribution points assigned to the Office 1 administration
group.

If some users move between offices physically, with their laptops, you must select two or more devices (in addition
to the existing distribution points) in each remote office and assign them to act as distribution points for a
top-level administration group (Root group for offices in the figure above).

Example: A laptop is deployed in the Office 1 administration group and then is moved physically to the office that
corresponds to the Office 2 administration group. After the laptop is moved, Network Agent attempts to access
the distribution points assigned to the Office 1 group, but those distribution points are unavailable. Then, Network
Agent starts attempting to access the distribution points that have been assigned to the Root group for offices.
Because remote offices are isolated from one another, attempts to access distribution points assigned to the
Root group for offices administration group will only be successful when Network Agent attempts to access
distribution points in the Office 2 group. That is, the laptop will remain in the administration group that corresponds
to the initial office, but the laptop will use the distribution point of the office where it is physically located at the
moment.

Hierarchy of policies, using policy profiles
This section provides information about how to apply policies to devices in administration groups. This section also
provides information about policy profiles.

Hierarchy of policies
In Kaspersky Security Center, you use policies to define a single collection of settings for multiple devices. For
example, the policy scope of application P defined for administration group G includes managed devices with
application P installed that have been deployed in group G and all of its subgroups, except for subgroups where the
Inherit from parent group check box is cleared in the properties.

A policy differs from any local setting by the lock icons next to its settings. If a setting (or a group of settings) is
locked in the policy properties, you must, first, use this setting (or group of settings) when creating effective
settings and, second, you must write the setting or group of settings to the downstream policy.

Creation of the effective settings on a device can be described as follows: the values of all settings that have not
been locked are taken from the policy, then they are overwritten with the values of local settings, and then the
resulting collection is overwritten with the values of locked settings taken from the policy.

Policies of the same application affect each other through the hierarchy of administration groups: Locked settings
from the upstream policy overwrite the same settings from the downstream policy.

There is a special policy for out-of-office users. This policy takes effect on a device when the device switches into
out-of-office mode. Out-of-office policies do not affect other policies through the hierarchy of administration
groups.

The out-of-office policy will not be supported in further versions of Kaspersky Security Center. Policy profiles
will be used instead of out-of-office policies.

Policy profiles


Applying policies to devices only through the hierarchy of administration groups may be inconvenient in many
circumstances. It may be necessary to create several instances of a single policy that differ in one or two settings
for different administration groups, and synchronize the contents of those policies in the future.

To help you avoid such problems, Kaspersky Security Center supports policy profiles. A policy profile is a named
subset of policy settings. This subset is distributed on target devices together with the policy, supplementing it
under a specific condition called the profile activation condition. Profiles only contain settings that differ from the
"basic" policy, which is active on the client device (computer or mobile device). Activation of a profile modifies the
policy settings that were active on the device before the profile was activated. Those settings take values that
have been specified in the profile.

The following restrictions are currently imposed on policy profiles:

A policy can include a maximum of 100 profiles.

A policy profile cannot contain other profiles.

A policy profile cannot contain notification settings.

Contents of a profile

A policy profile contains the following constituent parts:

Name. Profiles with identical names affect each other through the hierarchy of administration groups with
common rules.

Subset of policy settings. Unlike the policy, which contains all the settings, a profile only contains settings that
are actually required (locked settings).

Activation condition is a logical expression with the device properties. A profile is active (supplements the
policy) only when the profile activation condition becomes true. In all other cases, the profile is inactive and
ignored. The following device properties can be included in that logical expression:

Status of out-of-office mode.

Properties of network environment—Name of the active rule for Network Agent connection.

Presence or absence of specified tags on the device.

Device location in Active Directory unit: explicit (the device is right in the specified OU), or implicit (the
device is in an OU, which is within the specified OU at any nesting level).

Device's membership in an Active Directory security group (explicit or implicit).

Device owner's membership in an Active Directory security group (explicit or implicit).

Profile disabling check box. Disabled profiles are always ignored and their respective activation conditions are
not verified.

Profile priority. The activation conditions of different profiles are independent, so several profiles can be
activated simultaneously. If active profiles contain non-overlapping collections of settings, no problems will
arise. However, if two active profiles contain different values of the same setting, an ambiguity will occur. This
ambiguity is to be avoided through profile priorities: The value of the ambiguous variable will be taken from the
profile that has the higher priority (the one that is rated higher in the list of profiles).

Behavior of profiles when policies affect each other through the hierarchy

Profiles with the same name are merged according to the policy merge rules. Profiles of an upstream policy have a
higher priority than profiles of a downstream policy. If editing settings is prohibited in the upstream policy (it is
locked), the downstream policy uses the profile activation conditions from the upstream one. If editing settings is
allowed in the upstream policy, the profile activation conditions from the downstream policy are used.

Since a policy profile may contain the Device is offline property in its activation condition, profiles completely
replace the feature of policies for out-of-office users, which will no longer be supported.

A policy for out-of-office users may contain profiles, but its profiles can only be activated after the device
switches into out-of-office mode.
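The three-step construction of effective settings described under "Hierarchy of policies" and the profile priority rule described under "Contents of a profile" are easier to reason about when written out as code. The following model is an added example, not Kaspersky code: the class names (Policy, Profile), the functions merge_hierarchy and effective_settings, and the sample setting names are assumptions of this example. Profiles are applied after the locked policy values, highest-ranked profile winning, which is how the text describes them modifying the settings that were active on the device; the inheritance of profile activation conditions between policies is not modeled.

```python
"""Added example (not Kaspersky code): a model of how effective settings on a
device are built from a policy hierarchy, local settings and policy profiles."""
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Set

Settings = Dict[str, object]


@dataclass
class Profile:
    name: str
    rank: int                          # position in the profile list; 0 = top = highest priority
    condition: Callable[[dict], bool]  # activation condition over device properties
    settings: Settings                 # only the settings that differ from the basic policy
    enabled: bool = True               # a disabled profile is ignored; its condition is not checked


@dataclass
class Policy:
    settings: Settings
    locked: Set[str] = field(default_factory=set)
    profiles: List[Profile] = field(default_factory=list)


def merge_hierarchy(upstream: Policy, downstream: Policy) -> Policy:
    """Locked settings of the upstream policy overwrite the same settings in the
    downstream policy and stay locked there; unlocked upstream values are not propagated."""
    settings = dict(downstream.settings)
    locked = set(downstream.locked)
    for key in upstream.locked:
        settings[key] = upstream.settings[key]
        locked.add(key)
    return Policy(settings, locked, downstream.profiles)


def effective_settings(policy: Policy, local: Settings, device: dict) -> Settings:
    """Steps 1-3 follow the order given in the text; step 4 is this example's
    assumption that active profiles then modify the result."""
    # 1. values of all unlocked settings are taken from the policy
    result = {k: v for k, v in policy.settings.items() if k not in policy.locked}
    # 2. they are overwritten with the local settings
    result.update(local)
    # 3. the collection is overwritten with the locked policy values
    result.update({k: policy.settings[k] for k in policy.locked})
    # 4. active profiles, applied from lowest to highest priority, so the profile
    #    rated higher in the list sets the final value of an ambiguous setting
    active = [p for p in policy.profiles if p.enabled and p.condition(device)]
    for profile in sorted(active, key=lambda p: p.rank, reverse=True):
        result.update(profile.settings)
    return result


def demo() -> Settings:
    """Constructed sample: two-level hierarchy, a laptop in out-of-office mode."""
    upstream = Policy({"self_defense": True, "update_source": "admin_server"},
                      locked={"self_defense"})
    profiles = [
        Profile("Laptops", 0, lambda d: "laptop" in d["tags"], {"firewall": "strict"}),
        Profile("OutOfOffice", 1, lambda d: d["out_of_office"],
                {"firewall": "public", "update_source": "kaspersky_servers"}),
        Profile("Servers", 2, lambda d: "server" in d["tags"], {"firewall": "off"},
                enabled=False),
    ]
    downstream = Policy({"self_defense": False, "update_source": "distribution_point",
                         "scan_schedule": "fri 19:00"},
                        locked={"update_source"}, profiles=profiles)
    policy = merge_hierarchy(upstream, downstream)
    # local settings changed on the device itself; they cannot beat locked values
    local = {"scan_schedule": "mon 09:00", "self_defense": False, "update_source": "local"}
    device = {"tags": {"laptop"}, "out_of_office": True}
    return effective_settings(policy, local, device)


if __name__ == "__main__":
    print(demo())
```

In the sample, self_defense stays True because the upstream lock wins over both the downstream policy and the local setting, scan_schedule keeps the local value because it is unlocked, and firewall resolves to "strict" because the Laptops profile is rated higher than the OutOfOffice profile even though both are active.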

Tasks

Kaspersky Security Center manages Kaspersky security applications installed on devices by creating and running
tasks. Tasks are required for installing, launching, and stopping applications, scanning files, updating databases and
software modules, and performing other actions on applications.

Tasks for a specific application can be created only if the management plug-in for that application is installed.

Tasks can be performed on the Administration Server and on devices.

The following tasks are performed on the Administration Server:

Automatic distribution of reports

Downloading of updates to the repository of the Administration Server

Backup of Administration Server data

Maintenance of the database

Windows Update synchronization

Creation of an installation package based on the operating system (OS) image of a reference device

The following types of tasks are performed on devices:

Local tasks—Tasks that are performed on a specific device


Local tasks can be modified either by the administrator, by using Administration Console tools, or by the user of
a remote device (for example, through the security application interface). If a local task has been modified
simultaneously by the administrator and the user of a managed device, the changes made by the administrator
will take effect because they have a higher priority.

Group tasks—Tasks that are performed on all devices of a specific group


Unless otherwise specified in the task properties, a group task also affects all subgroups of the selected group.
A group task also affects (optionally) devices that have been connected to secondary and virtual
Administration Servers deployed in the group or any of its subgroups.

Global tasks—Tasks that are performed on a set of devices, regardless of whether they are included in any
group

For each application, you can create any number of group tasks, global tasks, or local tasks.

You can make changes to the settings of tasks, view the progress of tasks, and copy, export, import, and delete
tasks.

A task is started on a device only if the application for which the task was created is running.

Results of tasks are saved in the Microsoft Windows event log and the Kaspersky Security Center event log, both
centrally on the Administration Server and locally on each device.

Do not include private data in task settings. For example, avoid specifying the domain administrator password.

Device moving rules
We recommend that you automate the allocation of devices to administration groups on the virtual server that
corresponds to an MSP client, using device moving rules. A device moving rule consists of three main parts: a
name, an execution condition (logical expression with the device attributes), and a target administration group. A
rule moves a device to the target administration group if the device attributes meet the rule execution condition.

All device moving rules have priorities. The Administration Server checks the device attributes as to whether they
meet the execution condition of each rule, in ascending order of priority. If the device attributes meet the
execution condition of a rule, the device is moved to the target group, so the rule processing is complete for this
device. If the device attributes meet the conditions of multiple rules, the device is moved to the target group of
the rule with the highest priority (that is, has the highest rank in the list of rules).

Device moving rules can be created implicitly. For example, in the properties of an installation package or a remote
installation task, you can specify the administration group to which the device must be moved after Network
Agent is installed on it. Also, device moving rules can be created explicitly by the administrator of Kaspersky
Security Center, in the list of moving rules. The list is located in Administration Console, in the properties of the
Unassigned devices group.

By default, a device moving rule is intended for one-time initial allocation of devices to administration groups. The
rule moves devices from the Unassigned devices group only once. If a device once was moved by this rule, the rule
will never move it again, even if you return the device to the Unassigned devices group manually. This is the
recommended way of applying moving rules.

You can move devices that have already been allocated to some of the administration groups. To do this, in the
properties of a rule, clear the Move only devices that do not belong to an administration group check box.

Applying moving rules to devices that have already been allocated to some of the administration groups
significantly increases the load on the Administration Server.

You can create a moving rule that would affect a single device repeatedly.

We strongly recommend that you avoid moving a single device from one group to another repeatedly (for
example, in order to apply a special policy to that device, run a special group task, or update the device
through a specific distribution point).

Such scenarios are not supported, because they increase the load on Administration Server and network traffic to
an extreme degree. These scenarios also conflict with the operating principles of Kaspersky Security Center
(particularly in the area of access rights, events, and reports). Another solution must be found, for example,
through the use of policy profiles, tasks for device selections, assignment of Network Agents according to the
standard scenario, and so on.
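The rule semantics described in this section (priority order, first match wins, one-time moves from Unassigned devices by default, and the Move only devices that do not belong to an administration group check box) can be checked against a small simulation. This is an added example, not Kaspersky code: the class names, the apply_rules function, the per-rule moved_once bookkeeping that models the one-time behavior, and the group and OU names are all constructed for this example.

```python
"""Added example (not Kaspersky code): simulation of device moving rules."""
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional, Set

UNASSIGNED = "Unassigned devices"
LAPTOP_OU = "OU=Laptops,DC=example,DC=local"   # constructed sample OU
Attrs = Dict[str, object]


@dataclass
class Device:
    name: str
    attrs: Attrs
    group: str = UNASSIGNED


@dataclass
class MovingRule:
    name: str
    condition: Callable[[Attrs], bool]   # logical expression over device attributes
    target_group: str
    only_unassigned: bool = True         # the "Move only devices that do not belong..." check box
    moved_once: Set[str] = field(default_factory=set)  # assumption: how one-time moves are remembered


def apply_rules(rules: List[MovingRule], device: Device) -> Optional[str]:
    """Rules are evaluated in list order (index 0 = highest priority). The first
    rule whose condition matches moves the device and processing stops.
    Returns the name of the rule that moved the device, or None."""
    for rule in rules:
        if rule.only_unassigned:
            # default mode: only devices in Unassigned devices, and each device only once,
            # even if the administrator returned it to Unassigned devices manually
            if device.group != UNASSIGNED or device.name in rule.moved_once:
                continue
        if rule.condition(device.attrs):
            device.group = rule.target_group
            rule.moved_once.add(device.name)
            return rule.name
    return None


def demo() -> Dict[str, Optional[str]]:
    rules = [
        MovingRule("Laptops", lambda a: a.get("ad_ou") == LAPTOP_OU, "Office 1/Laptops"),
        MovingRule("Servers", lambda a: str(a.get("os", "")).startswith("Windows Server"), "Servers"),
        # check box cleared: this rule also re-evaluates devices that are already in a group,
        # which is the extra Administration Server load the text warns about
        MovingRule("Legacy OS", lambda a: a.get("os") == "Windows 7", "Legacy", only_unassigned=False),
    ]
    laptop = Device("lp01", {"os": "Windows 10", "ad_ou": LAPTOP_OU})
    server = Device("srv01", {"os": "Windows Server 2019", "ad_ou": "OU=Servers,DC=example,DC=local"})
    old_pc = Device("pc07", {"os": "Windows 7"}, group="Managed devices")
    results = {
        "laptop": apply_rules(rules, laptop),         # "Laptops"
        "server": apply_rules(rules, server),         # "Servers"
        "laptop again": apply_rules(rules, laptop),   # None: already in a group
    }
    laptop.group = UNASSIGNED                         # administrator returns it manually
    results["laptop after manual return"] = apply_rules(rules, laptop)   # None: one-time rule
    results["legacy pc"] = apply_rules(rules, old_pc)        # "Legacy OS"
    results["legacy pc again"] = apply_rules(rules, old_pc)  # "Legacy OS": matched on every pass
    return results


if __name__ == "__main__":
    for case, rule in demo().items():
        print(f"{case}: {rule}")
```

The last two cases show why clearing the check box is costly: a rule that is allowed to touch assigned devices matches pc07 on every evaluation pass, whereas the default rules evaluate lp01 once and never again.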

Software categorization
The main tool for monitoring the running of applications is Kaspersky categories (hereinafter also referred to as
KL categories). KL categories help Kaspersky Security Center administrators to simplify the support of software
categorization and minimize traffic going to managed devices.

User categories must only be created for applications that cannot be classified in any of the existing KL
categories (for example, for custom-made software). User categories are created on the basis of an
application installation package (MSI) or a folder with installation packages.

If a large collection of software is available, which has not been categorized through KL categories, it may be useful
to create an automatically updated category. The checksums of executable files will be automatically added to this
category on every modification of the folder containing distribution packages.

Do not create automatically updated categories of software for the folders My Documents, %windir%,
%ProgramFiles%, and %ProgramFiles(x86)%. The pool of files in these folders is subject to frequent changes,
which leads to an increased load on Administration Server and increased network traffic. You must create a
dedicated folder with the collection of software and periodically add new items to it.
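To make the previous two paragraphs concrete, the following added example (not Kaspersky code) rebuilds a category from the checksums of the executable files in a folder and diffs two successive snapshots: every added or removed checksum is a change that has to be propagated to managed devices, which is why a folder with constant churn is a poor source. The use of SHA-256 as the checksum, the set of extensions treated as executable, and the function names are assumptions of this example; the sample files are constructed in a temporary directory.

```python
"""Added example (not Kaspersky code): keeping a software category in step with
a folder of distribution packages, and measuring the churn a change causes."""
import hashlib
import tempfile
from pathlib import Path
from typing import Dict, Set, Tuple

EXECUTABLE_SUFFIXES = {".exe", ".dll", ".msi"}   # assumption: what counts as an executable file


def file_sha256(path: Path) -> str:
    """Hash the file in chunks so large installers do not have to fit in memory."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_category(folder: Path) -> Dict[str, str]:
    """Map checksum -> relative path for every executable file under the folder."""
    return {
        file_sha256(p): str(p.relative_to(folder))
        for p in sorted(folder.rglob("*"))
        if p.is_file() and p.suffix.lower() in EXECUTABLE_SUFFIXES
    }


def category_diff(old: Dict[str, str], new: Dict[str, str]) -> Tuple[Set[str], Set[str]]:
    """Checksums added to and removed from the category since the previous scan.
    Each entry in either set is an update the Administration Server must push."""
    return set(new) - set(old), set(old) - set(new)


def demo() -> Tuple[int, int, int]:
    """Constructed sample folder: two executables and a text file; then one
    executable is replaced by a new build and an installer is added."""
    with tempfile.TemporaryDirectory() as tmp:
        folder = Path(tmp)
        (folder / "app.exe").write_bytes(b"MZ build 1")
        (folder / "helper.dll").write_bytes(b"MZ helper")
        (folder / "readme.txt").write_text("not an executable")
        first = build_category(folder)                    # 2 entries; readme.txt ignored
        (folder / "app.exe").write_bytes(b"MZ build 2")   # new build: new checksum, old one gone
        (folder / "setup.msi").write_bytes(b"MSI package")
        second = build_category(folder)                   # 3 entries
        added, removed = category_diff(first, second)
        return len(first), len(added), len(removed)


if __name__ == "__main__":
    initial, added, removed = demo()
    print(f"initial entries: {initial}, added: {added}, removed: {removed}")
```

Replacing a single build produces two changes (the old checksum leaves, the new one arrives), so a folder such as %windir%, where files are rewritten by every update, would generate a steady stream of category updates for no categorization benefit.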

About multi-tenant applications


Kaspersky Security Center enables administrators of service providers and tenant administrators to use Kaspersky
applications with multitenancy support. After a multi-tenant Kaspersky application is installed in the infrastructure
of a service provider, tenants can start using the application.

To separate tasks and policies related to di erent tenants, you must create a dedicated virtual Administration
Server in Kaspersky Security Center for each tenant. All tasks and policies for multi-tenant applications running for
a tenant must be created for the Managed devices administration group of the virtual Administration Server
corresponding to that tenant. The tasks created for the administration groups related to the primary
Administration Server do not affect the devices of tenants.

Unlike service provider administrators, a tenant administrator can create and view tasks and application policies
only for the devices of the corresponding tenant. The sets of tasks and policy settings available to service provider
administrators and tenant administrators are di erent. Some of the tasks and policy settings are not available to
tenant administrators.

Within a hierarchical structure of a tenant, the policies created for multi-tenant applications are inherited to lower-
level administration groups as well as to upper-level administration groups: the policy is propagated to all client
devices that belong to the tenant.

Backup and restoration of Administration Server settings


Backup of the settings of Administration Server and its database is performed through the backup task and
klbackup utility. A backup copy includes all the main settings and objects pertaining to the Administration Server,
such as certificates, primary keys for encryption of drives on managed devices, keys for various licenses, structure
of administration groups with all of its contents, tasks, policies, etc. With a backup copy you can recover the
operation of an Administration Server as soon as possible, spending from a dozen minutes to a couple of hours on
this.

If no backup copy is available, a failure may lead to an irrevocable loss of certificates and all Administration
Server settings. This will necessitate reconfiguring Kaspersky Security Center from scratch, and performing
initial deployment of Network Agent on the organization's network again. All primary keys for encryption of
drives on managed devices will also be lost, risking irrevocable loss of encrypted data on devices with
Kaspersky Endpoint Security. Therefore, do not neglect regular backups of Administration Server using the
standard backup task.

The Quick Start Wizard creates the backup task for Administration Server settings and sets it to run daily, at 4:00
AM. Backup copies are saved by default in the folder %ALLUSERSPROFILE%\Application Data\KasperskySC.

If an instance of Microsoft SQL Server installed on another device is used as the DBMS, you must modify the
backup task by specifying a UNC path, which is available for write by both the Administration Server service and
the SQL Server service, as the folder to store backup copies. This requirement, which is not obvious, derives from
a special feature of backup in the Microsoft SQL Server DBMS.

If a local instance of Microsoft SQL Server is used as the DBMS, we also recommend to save backup copies on a
dedicated medium in order to secure them against damage together with Administration Server.

Because a backup copy contains important data, the backup task and klbackup utility provide for password
protection of backup copies. By default, the backup task is created with a blank password. You must set a
password in the properties of the backup task. Neglecting this requirement causes a situation where all keys of
Administration Server certificates, keys for licenses, and primary keys for encryption of drives on managed devices
remain unencrypted.

In addition to the regular backup, you must also create a backup copy prior to every significant change, including
installation of Administration Server upgrades and patches.

If you use Microsoft SQL Server as the DBMS, you can minimize the size of backup copies. To do this, enable the
Compress backup option in the SQL Server settings.

Restoration from a backup copy is performed with the utility klbackup on an operable instance of Administration
Server that has just been installed and has the same version (or later) for which the backup copy was created.

The instance of Administration Server on which the restoration is to be performed, must use a DBMS of the same
type (for example, the same SQL Server or MariaDB) and the same or later version. The version of Administration
Server can be the same (with an identical or later patch), or later.

This section describes standard scenarios for restoring settings and objects of Administration Server.

A device with Administration Server is inoperable


If a device with Administration Server is inoperable due to a failure, you are recommended to perform the following
actions:

The new Administration Server must be assigned the same address: NetBIOS name, FQDN, or static
IP (depending on which of them was set when Network Agents were deployed).

Install Administration Server, using a DBMS of the same type, of the same (or later) version. You can install the
same version of Server with the same (or later) patch, or a later version. After installation, do not perform the
initial setup through the Wizard.

In the Start menu, run the klbackup utility and perform restoration.

The settings of Administration Server or the database are corrupted
If Administration Server is inoperable due to corrupted settings or database (e.g., after a power surge), you are
recommended to use the following restoration scenario:

1. Scan the file system on the damaged device.

2. Uninstall the inoperable version of Administration Server.

3. Reinstall Administration Server, using a DBMS of the same type and of the same (or later) version. You can
install the same version of Server with the same (or later) patch, or a later version. After installation, do not
perform the initial setup through the Wizard.

4. In the Start menu, run the utility klbackup and perform restoration.

It is prohibited to restore Administration Server in any way other than through the klbackup utility.

Any attempts to restore Administration Server through third-party software will inevitably lead to
desynchronization of data on nodes of the distributed application Kaspersky Security Center and, consequently,
to improper functioning of the application.

Deploying Network Agent and the security application


To manage devices in an organization, you have to install Network Agent on each of them. Deployment of
distributed Kaspersky Security Center on corporate devices normally begins with installation of Network Agent on
them.

In Microsoft Windows XP, Network Agent might not perform the following operations correctly: downloading
updates directly from Kaspersky servers (as a distribution point); functioning as a KSN proxy server (as a
distribution point); and detecting third-party vulnerabilities (if Vulnerability and Patch Management is used).

Initial deployment
If a Network Agent has already been installed on a device, remote installation of applications on that device is
performed through this Network Agent. The distribution package of an application to be installed is transferred
over communication channels between Network Agents and Administration Server, along with the installation
settings defined by the administrator. To transfer the distribution package, you can use relay distribution nodes,
that is, distribution points, multicast delivery, etc. For more details on how to install applications on managed
devices with Network Agent already installed, see below in this section.

You can perform initial installation of Network Agent on devices running Windows, using one of the following
methods:

With third-party tools for remote installation of applications.

With Windows group policies: using standard Windows management tools for group policies.

In forced mode, using special options in the remote installation task of Kaspersky Security Center.

By sending device users links to stand-alone packages generated by Kaspersky Security Center. Stand-alone
packages are executable modules that contain the distribution packages of selected applications with their
settings de ned.

Manually, by running application installers on devices.

On platforms other than Microsoft Windows, you have to perform initial installation of Network Agent on managed
devices either through the existing third-party tools, or manually, by sending users an archive with a pre-configured
distribution package. You can upgrade Network Agent to a new version or install other Kaspersky applications on
non-Windows platforms, using Network Agents (already installed on devices) to perform remote installation tasks.
In this case, installation is identical to that on devices running Microsoft Windows.

When selecting a method and a strategy for deployment of applications on a managed network, you must consider
a number of factors (partial list):

Configuration of the corporate network

Total number of devices

Presence of Windows domains on the managed network, possibility to modify Active Directory group policies in
those domains

Awareness of the user account(s) with local administrator rights on devices on which initial deployment of
Kaspersky applications has been planned (i.e., availability of a domain user account with local administrator
rights, or presence of unified local user accounts with administrator rights on those devices)

Connection type and bandwidth of network channels between the Administration Server and MSP client
networks, as well as the bandwidth of channels inside those networks

Security settings applied on remote devices at the start of deployment (such as use of UAC and Simple File
Sharing mode)

Configuring installers


Before starting deployment of Kaspersky applications on a network, you must specify the installation settings, that
is, those defined during the application installation. When installing Network Agent, you should specify, at a
minimum, an address for connection to the Administration Server and the proxy settings; some advanced settings
may also be required. Depending on the installation method that you have selected, you can define settings in
different ways. In the simplest case (manual interactive installation on a selected device), all relevant settings can
be defined through the user interface of the Installer, so, in some cases, initial deployment can even be performed
by sending users a link to the Network Agent distribution package together with the settings (Administration
Server address, etc.) that the user must enter in the Installer interface.

This method is not recommended for use since it is inconvenient for users, entailing a high risk of errors when
defining settings manually; it is also non-usable with silent installation of applications on device groups. In general,
the administrator must specify values for settings in centralized mode; those values can subsequently be used for
creation of stand-alone packages. Stand-alone packages are self-extracting archives that contain distribution
packages with settings defined by the administrator. Stand-alone packages can be located on resources that allow
both downloading by end users (for example, on Kaspersky Security Center Web Server) and silent installation on
selected networked devices.

Installation packages

The first and main method of defining the installation settings of applications is all-purpose and thus suitable for all
installation methods, both with Kaspersky Security Center tools, and with most third-party tools. This method
consists of creating installation packages of applications in Kaspersky Security Center.

Installation packages are generated using the following methods:

Automatically, from specified distribution packages, on the basis of included descriptors (files with the kud
extension that contain rules for installation and results analysis, and other information)

From the executable files of installers or from installers in Microsoft Windows Installer (MSI) format, for
standard or supported applications

Generated installation packages are organized hierarchically as folders with subfolders and files. In addition to the
original distribution package, an installation package contains editable settings (including the installer's settings and
rules for processing such cases as necessity of restarting the operating system in order to complete installation),
as well as minor auxiliary modules.

Values of installation settings that are specific for a selected application to be supported can be specified in the
Administration Console user interface when creating an installation package (more settings can be found in the
properties of an installation package that has already been created). When performing remote installation of
applications through Kaspersky Security Center tools, installation packages are delivered to target devices so that
running the installer of an application makes all administrator-defined settings available for it. When using third-
party tools for installation of Kaspersky applications, you only have to ensure the availability of the entire
installation package on the target device, that is, the availability of the distribution package and its settings.
Installation packages are created and stored by Kaspersky Security Center in a dedicated subfolder of the shared
data folder.

Do not specify any details of privileged accounts in the parameters of installation packages.

For instructions about using this configuration method for Kaspersky applications before deployment through
third-party tools, see section "Deployment using group policies of Microsoft Windows."

Immediately after Kaspersky Security Center installation, a few installation packages are automatically generated;
they are ready for installation and include Network Agent packages and security application packages for
Microsoft Windows.

In some cases, using installation packages for deployment of applications on an MSP client network implies the
need to create installation packages on virtual Servers that correspond to MSP clients. Creating installation
packages on virtual Servers allows you to use different installation settings for different MSP clients. In the first
instance, this is useful when handling Network Agent installation packages since Network Agents deployed on the
networks of different MSP clients use different addresses to connect to the Administration Server. Actually, the
connection address determines the Server to which Network Agent connects.

In addition to the possibility to create new installation packages immediately on a virtual Administration Server, the
main operation mode for installation packages on virtual Administration Servers is the "distribution" of installation
packages from the primary Administration Server to virtual ones. You can distribute selected (or all) installation
packages to selected virtual Administration Servers (including all Servers within a selected administration group)
using the corresponding Administration Server task. Also, you can select the list of installation packages of the
primary Administration Server when creating a new virtual Administration Server. The packages that you have
selected will be immediately distributed to a newly created virtual Administration Server.

When distributing an installation package, its contents are not copied entirely. The file repository on a virtual
Administration Server, which corresponds to the installation package being distributed, only stores files of settings
that are specific for that virtual Server. The main part of the installation package (including the distribution
package of the application being installed) remains unchanged; it is stored only in the primary Administration Server
repository. This allows you to increase the system performance dramatically and reduce the required disk volume.
When handling installation packages distributed to virtual Administration Servers (i.e., when running remote
installation tasks or creating stand-alone installation packages), the data from the original installation package of
the primary Administration Server is "merged" with the settings files, which correspond to the distributed package
on the virtual Administration Server.

Although the license key for an application can be set in the installation package properties, it is advisable to
avoid this license distribution method because it is easy to accidentally obtain read access to files in the
folder. You should use automatically distributed license keys or installation tasks for license keys.

MSI properties and transform files


Another way of configuring installation on Windows platform is to define MSI properties and transform files. This
method can be used when performing installation through third-party tools intended for installers in Microsoft
Installer format, as well as when performing installation through Windows group policies using standard Microsoft
tools or other third-party tools designed for handling Windows group policies.

Deployment with third-party tools for remote installation of applications


When any tools for remote installation of applications (such as Microsoft System Center) are available in an
organization, it is convenient to perform initial deployment by using those tools.

The following actions must be performed:

Select the method for configuring installation that best suits the deployment tool to be used.

Define the mechanism for synchronization between the modification of the settings of installation packages
(through the Administration Console interface) and the operation of selected third-party tools used for
deployment of applications from installation package data.

General information about the remote installation tasks in Kaspersky Security Center
Kaspersky Security Center provides a broad range of methods for remote installation of applications, which are
implemented as remote installation tasks. You can create a remote installation task both for a specified
administration group and for specific devices or a selection of devices (such tasks are displayed in Administration
Console, in the Tasks folder). When creating a task, you can select installation packages (those of Network Agent
and / or another application) to be installed within this task, as well as specify certain settings that define the
method of remote installation.

Tasks for administration groups affect both devices included in a specified group and all devices in all
subgroups within that administration group. A task covers devices of secondary Administration Servers
included in a group or any of its subgroups if the corresponding setting is enabled in the task.

Tasks for specific devices refresh the list of client devices at each run in accordance with the selection contents
at the moment the task starts. If a selection includes devices that have been connected to secondary
Administration Servers, the task will run on those devices, too.

To ensure a successful operation of a remote installation task on devices connected to secondary
Administration Servers, you must use the distribution task to distribute installation packages used by your task
to corresponding secondary Administration Servers in advance.

Deployment using group policies of Microsoft Windows


It is recommended that you perform the initial deployment of Network Agents through Microsoft Windows group
policies if the following conditions are met:

This device is a member of an Active Directory domain.

Access to the domain controller is granted with the administrator rights, which allow you to create and modify
Active Directory group policies.

Configured installation packages can be moved to the network hosting target managed devices (to a shared
folder that is available for reading by all target devices).

The deployment scheme allows you to wait for the next routine restart of target devices before starting
deployment of Network Agents on them (or you can force a Windows group policy to be applied to those
devices).

This deployment scheme consists of the following:

The application distribution package in Microsoft Installer format (MSI package) is located in a shared folder (a
folder where the LocalSystem accounts of target devices have read permissions).

In the Active Directory group policy, an installation object is created for the distribution package.

The installation scope is set by specifying the organizational unit (OU) and / or the security group, which
includes the target devices.

The next time a target device logs in to the domain (before device users log in to the system), all installed
applications are checked for the presence of the required application. If the application is not found, the
distribution package is downloaded from the resource speci ed in the policy and is then installed.

An advantage of this deployment scheme is that assigned applications are installed on target devices while the
operating system is loading, that is, even before the user logs in to the system. Even if a user with sufficient rights
removes the application, it will be reinstalled at the next launch of the operating system. This deployment scheme's
shortcoming is that changes made by the administrator to the group policy will not take effect until the devices are
restarted (if no additional tools are involved).

You can use group policies to install both Network Agent and other applications if their respective installers are in
Windows Installer format.

Besides, when you select this deployment method, you have to assess the load on the file resource from which
files will be copied to target devices after you apply the Windows group policy. You also have to choose the
method of delivering the configured installation package to that resource, as well as the method of synchronizing
the relevant changes in its settings.

Handling Microsoft Windows policies through the remote installation task of Kaspersky Security
Center

This deployment method is only available if access to the controller of the domain, which contains the target
devices, is possible from the Administration Server device, while the shared folder of the Administration Server
(the one storing installation packages) is accessible for reading from target devices. Owing to the above reasons,
this deployment method is not viewed as applicable to MSP.

Unassisted installation of applications through policies of Microsoft Windows

The administrator can create objects required for installation in a Windows group policy on his or her own behalf. In
this case, you have to upload the packages to a stand-alone file server and provide a link to them.

The following installation scenarios are possible:

The administrator creates an installation package and sets up its properties in Administration Console. Then the
administrator copies the entire EXEC subfolder of this package from the shared folder of Kaspersky Security
Center to a folder on a dedicated file resource of the organization. The group policy object provides a link to
the MSI file of this package stored in a subfolder on the dedicated file resource of the organization.

The administrator downloads the application distribution package (including that of Network Agent) from the
internet and uploads it to the dedicated file resource of the organization. The group policy object provides a link
to the MSI file of this package stored in a subfolder on the dedicated file resource of the organization. The
installation settings are defined by configuring the MSI properties or by configuring MST transform files.

Forced deployment through the remote installation task of Kaspersky Security Center
To perform initial deployment of Network Agents or other applications, you can force installation of selected
installation packages by using the remote installation task of Kaspersky Security Center—provided that each
device has a user account(s) with local administrator rights and at least one device with Network Agent installed
acts as a distribution point in each subnet.

In this case, you can specify target devices either explicitly (with a list), or by selecting the Kaspersky Security
Center administration group to which they belong, or by creating a selection of devices based upon a specific
criterion. The installation start time is de ned by the task schedule. If the Run missed tasks setting is enabled in
the task properties, the task can be run either immediately after target devices are turned on, or when they are
moved to the target administration group.

Forced installation consists of delivery of installation packages to distribution points, subsequent copying of files
to the admin$ resource on each of the target devices, and remote registration of supporting services on those
devices. Delivery of installation packages to distribution points is performed through a Kaspersky Security Center
feature that ensures network interaction. The following conditions must be met in this case:

Target devices are accessible from the distribution point side.

Name resolution for target devices functions properly on the network.

The administrative shares (admin$) remain enabled on target devices.

The Server system service is running on target devices (by default, it is running).

The following ports are open on target devices to allow remote access through Windows tools: TCP 139, TCP
445, UDP 137, and UDP 138.

On target devices running Microsoft Windows XP, Simple File Sharing mode is disabled.

On target devices, the sharing and security model is set to Classic – local users authenticate as
themselves; it must not be set to Guest only – local users authenticate as Guest.

Target devices are members of the domain, or uniform accounts with administrator rights are created on target
devices in advance.

Devices in workgroups can be adjusted in accordance with the above requirements by using the riprep.exe utility,
which is described on Kaspersky Technical Support website.
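An added example, not from the Kaspersky documentation: a PowerShell check, run from a distribution point or an administrator workstation, for those of the conditions listed above that can be tested remotely (name resolution, TCP 139/445, the Server service, the admin$ share, and the Classic sharing and security model read from the ForceGuest registry value). The function and device names are this example's own; it assumes Windows PowerShell 5.1 with the DnsClient and NetTCPIP modules and administrative access to the target devices.

```powershell
# Added example (not part of the Kaspersky documentation). Checks the forced
# installation prerequisites from the distribution point side. Assumes Windows
# PowerShell 5.1 (Get-Service -ComputerName), the DnsClient and NetTCPIP modules,
# and an account with administrative rights on the target devices.
function Test-KscForcedInstallPrereqs {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)][string[]]$ComputerName
    )

    foreach ($target in $ComputerName) {
        $result = [ordered]@{ Target = $target }

        # Name resolution for the target device must work.
        try {
            $result.Resolves = [bool](Resolve-DnsName -Name $target -ErrorAction Stop)
        } catch {
            $result.Resolves = $false
        }

        # TCP 139 and TCP 445 are listed for remote access through Windows tools.
        # UDP 137/138 are also required but cannot be probed with a TCP connect
        # test, so they are not checked here.
        foreach ($port in 139, 445) {
            $tnc = Test-NetConnection -ComputerName $target -Port $port -WarningAction SilentlyContinue
            $result["Tcp$port"] = [bool]$tnc.TcpTestSucceeded
        }

        # The Server service (LanmanServer) must be running and admin$ must be reachable.
        try {
            $svc = Get-Service -Name LanmanServer -ComputerName $target -ErrorAction Stop
            $result.ServerService = [string]$svc.Status
        } catch {
            $result.ServerService = 'unknown'
        }
        $result.AdminShare = [bool](Test-Path -Path "\\$target\admin$" -ErrorAction SilentlyContinue)

        # Sharing and security model: ForceGuest=0 is "Classic", 1 is "Guest only".
        try {
            $hklm = [Microsoft.Win32.RegistryKey]::OpenRemoteBaseKey('LocalMachine', $target)
            $lsa  = $hklm.OpenSubKey('SYSTEM\CurrentControlSet\Control\Lsa')
            $result.SecurityModel = if ($lsa.GetValue('ForceGuest', 0) -eq 0) { 'Classic' } else { 'GuestOnly' }
        } catch {
            $result.SecurityModel = 'unknown'
        }

        # Overall verdict for the checks that could be performed.
        $result.Ready = (
            $result.Resolves -and $result.Tcp445 -and
            ($result.ServerService -eq 'Running') -and
            $result.AdminShare -and ($result.SecurityModel -eq 'Classic')
        )
        [pscustomobject]$result
    }
}

# Constructed device names for illustration; replace with real target devices.
Test-KscForcedInstallPrereqs -ComputerName 'ws01.example.local', 'ws02.example.local' |
    Format-Table -AutoSize
```

Devices that report Ready = False can be reviewed against the remaining conditions (domain membership or uniform administrator accounts, Simple File Sharing on Windows XP), which this check does not cover.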

During installation on new devices that have not yet been allocated to any of the Kaspersky Security Center
administration groups, you can open the remote installation task properties and specify the administration group
to which devices will be moved after Network Agent installation.

When creating a group task, keep in mind that each group task affects all devices in all nested groups within a
selected group. Therefore, you must avoid duplicating installation tasks in subgroups.

Automatic installation is a simplified way to create tasks for forced installation of applications. To do this, open the
administration group properties, open the list of installation packages and select the ones that must be installed on
devices in this group. As a result, the selected installation packages will be automatically installed on all devices in
this group and all of its subgroups. The time interval over which the packages will be installed depends on the
network throughput and the total number of networked devices.

To allow forced installation, you should make sure that distribution points are present in each of the isolated
subnets hosting target devices.

Note that this installation method places a significant load on devices acting as distribution points. Therefore, it is
recommended that you select powerful devices with high-performance storage units as distribution points.
Moreover, the free disk space in the partition with the %ALLUSERSPROFILE%\Application
Data\KasperskyLab\adminkit folder must exceed, by many times, the total size of the distribution packages of
installed applications.

Running stand-alone packages created by Kaspersky Security Center


The above-described methods of initial deployment of Network Agent and other applications cannot always be
implemented because it is not possible to meet all of the applicable conditions. In such cases, you can create a
common executable file called a stand-alone installation package through Kaspersky Security Center, using
installation packages with the relevant installation settings that have been prepared by the administrator. A stand-
alone installation package can be published either on an internal Web Server (included in Kaspersky Security
Center) if this is deemed reasonable (outside access to that Web Server has been configured for target device
users), or on an exclusively deployed Web Server included in Kaspersky Security Center 14 Web Console. You can
also copy stand-alone packages to another Web Server.

You can use Kaspersky Security Center to send selected users an email message containing a link to the stand-
alone package file on the currently used Web Server, prompting them to run the file (either in interactive mode, or
with the "-s" key for silent installation). You can attach the stand-alone installation package to an email message
and then send it to the users of devices that have no access to the Web Server. The administrator can also copy
the stand-alone package to an external device, deliver it to a relevant device, and then run it later.

You can create a stand-alone package from a Network Agent package, a package of another application (for
example, the security application), or both. If the stand-alone package has been created from Network Agent and
another application, installation starts with Network Agent.

When creating a stand-alone package with Network Agent, you can specify the administration group to which new
devices (those that have not been allocated to any of the administration groups) will be automatically moved when
Network Agent installation completes on them.

Stand-alone packages can run in interactive mode (by default), displaying the result for installation of applications
they contain, or they can run in silent mode (when run with the key "-s"). Silent mode can be used for installation
from scripts, for example, from scripts configured to run after an operating system image is deployed. The result of
installation in silent mode is determined by the return code of the process.

Options for manual installation of applications


Administrators or experienced users can install applications manually in interactive mode. They can use either
original distribution packages or installation packages generated from them and stored in the shared folder of
Kaspersky Security Center. By default, installers run in interactive mode and prompt users for all required values.
However, when running the process setup.exe from the root of an installation package with the key "-s", the installer
will be running in silent mode and with the settings that have been defined when configuring the installation
package.

When running setup.exe from the root of an installation package, the package will first be copied to a
temporary local folder, and then the application installer will be run from the local folder.

Remote installation of applications on devices with Network Agent installed


If an operable Network Agent connected to the primary Administration Server (or to any of its secondary Servers)
is installed on a device, you can upgrade Network Agent on this device, as well as install, upgrade, or remove any
supported applications through Network Agent.

You can enable this option by selecting the Using Network Agent check box in the properties of the remote
installation task.

If this check box is selected, installation packages with installation settings defined by the administrator will be
transferred to target devices over communication channels between Network Agent and the Administration
Server.

To optimize the load on the Administration Server and minimize traffic between the Administration Server and the
devices, it is useful to assign distribution points on every remote network or in every broadcasting domain (see
sections About distribution points and Building a structure of administration groups and assigning distribution
points). In this case, installation packages and the installer settings are distributed from the Administration Server
to target devices through distribution points.

Moreover, you can use distribution points for broadcasting (multicast) delivery of installation packages, which
allows reducing network traffic significantly when deploying applications.

When transferring installation packages to target devices over communication channels between Network Agents
and the Administration Server, all installation packages that have been prepared for transfer will also be cached in
the %ALLUSERSPROFILE%\Application Data\KasperskyLab\adminkit\1093\.working\FTServer folder. When using
multiple large installation packages of various types and involving a large number of distribution points, the size of
this folder may increase dramatically.

Files cannot be deleted from the FTServer folder manually. When original installation packages are deleted,
the corresponding data will be automatically deleted from the FTServer folder.

All data received on the distribution points side are saved to the %ALLUSERSPROFILE%\Application
Data\KasperskyLab\adminkit\1103\$FTClTmp folder.

Files cannot be deleted from the $FTClTmp folder manually. As tasks using data from this folder complete, the
contents of this folder will be deleted automatically.

Because installation packages are distributed over communication channels between Administration Server and
Network Agents from an intermediate repository in a format optimized for network transfers, no changes are
allowed in installation packages stored in the original folder of each installation package. Those changes will not be
automatically registered by Administration Server. If you need to modify the files of installation packages manually
(although you are recommended to avoid this scenario), you must edit any of the settings of an installation
package in Administration Console. Editing the settings of an installation package in Administration Console
causes Administration Server to update the package image in the cache that has been prepared for transfer to
target devices.

Managing device restarts in the remote installation task


Devices often need a restart to complete the remote installation of applications (particularly on Windows).

If you use the remote installation task of Kaspersky Security Center, in the Add Task Wizard or in the properties
window of the task that has been created (Operating system restart section), you can select the action to
perform when a restart is required:

Do not restart the device. In this case, no automatic restart will be performed. To complete the installation, you
must restart the device (for example, manually or through the device management task). Information about the
required restart will be saved in the task results and in the device status. This option is suitable for installation
tasks on servers and other devices where continuous operation is critical.

Restart the device. In this case, the device is always restarted automatically if a restart is required for
completion of the installation. This option is useful for installation tasks on devices that provide for regular
pauses in their operation (shutdown or restart).

Prompt user for action. In this case, the restart reminder is displayed on the screen of the client device,
prompting the user to restart it manually. Some advanced settings can be defined for this option: text of the
message for the user, the message display frequency, and the time interval after which a restart will be forced
(without the user's con rmation). The Prompt user for action is the most suitable for workstations where users
need a possibility of selecting the most convenient time for a restart.

Suitability of databases updating in an installation package of an anti-virus application

Before starting the protection deployment, you must keep in mind the possibility of updating anti-virus databases
(including modules of automatic patches) shipped together with the distribution package of the security
application. It is useful to update the databases in the installation package of the application before starting the
deployment (for example, by using the corresponding command in the context menu of a selected installation
package). This will reduce the number of restarts required for completion of protection deployment on target
devices. If your remote installation involves installation packages that have been relayed to virtual Servers from the
primary Administration Server, you only have to update databases in the original package on the primary Server. In
this case, you do not have to update databases in relayed packages on virtual Servers.

Removing incompatible third-party security applications
Installation of Kaspersky security applications through Kaspersky Security Center may require removal of third-
party software incompatible with the application being installed. There are two main ways of removing the third-
party applications.

Automatic removal of incompatible applications by using the installer

When you run the installer, it shows a list of applications that are incompatible with a Kaspersky application:

The list of incompatible applications that is displayed in the Remote Installation Wizard

Kaspersky Security Center detects incompatible software. Accordingly, you can select the Uninstall incompatible
applications automatically check box to continue installation. If you clear this check box and do not uninstall the
incompatible software, an error occurs and the Kaspersky application is not installed.

Automatic removal of incompatible applications is supported by various types of installation.

Removing incompatible applications through a dedicated task

To remove incompatible applications, use the Uninstall application remotely task. This task should be run on devices
before the security application installation task. For example, in the installation task you can select On completing
another task as the schedule type where the other task is Uninstall application remotely.

This method of uninstallation is useful when the security application installer cannot properly remove an
incompatible application.

Using tools for remote installation of applications in Kaspersky Security
Center for running relevant executable files on managed devices
Using the New Package Wizard, you can select any executable file and define the settings of the command line for
it. For this you can add to the installation package either the selected file itself or the entire folder in which this file
is stored. Then you must create the remote installation task and select the installation package that has been
created.

While the task is running, the specified executable file with the defined settings of the command prompt will be run
on target devices.

If you use installers in Microsoft Windows Installer (MSI) format, Kaspersky Security Center analyzes the
installation results by means of standard tools.

If the Vulnerability and Patch Management license is available, Kaspersky Security Center (when creating an
installation package for any supported application in the corporate environment) also uses rules for installation and
analysis of installation results that are in its updatable database.

Otherwise, the default task for executable files waits for the completion of the running process, and of all its child
processes. After completion of all of the running processes, the task will be completed successfully regardless of
the return code of the initial process. To change such behavior of this task, before creating the task, you have to
manually modify the .kpd files that were generated by Kaspersky Security Center in the folder of the newly created
installation package and its subfolders.

For the task not to wait for the completion of the running process, set the value of the Wait setting to 0 in the
[SetupProcessResult] section:

Example:
[SetupProcessResult]
Wait=0

For the task to wait only for the completion of the running process on Windows, not for the completion of all child
processes, set the value of the WaitJob setting to 0 in the [SetupProcessResult] section, for example:

Example:
[SetupProcessResult]
WaitJob=0

For the task to complete successfully or return an error depending on the return code of the running process, list
successful return codes in the [SetupProcessResult_SuccessCodes] section, for example:

Example:
[SetupProcessResult_SuccessCodes]
0=
3010=

In this case, any code other than those listed will result in an error returned.

To display a string with a comment on the successful completion of the task or an error in the task results, enter
brief descriptions of errors corresponding to return codes of the process in the
[SetupProcessResult_SuccessCodes] and [SetupProcessResult_ErrorCodes] sections, for example:

Example:
[SetupProcessResult_SuccessCodes]
0=Installation completed successfully
3010=A restart is required to complete the installation
[SetupProcessResult_ErrorCodes]
1602=Installation canceled by the user
1603=Fatal error during installation

To use Kaspersky Security Center tools for managing the device restart (if a restart is required to complete an
operation), list the return codes of the process that indicate that a restart must be performed, in the
[SetupProcessResult_NeedReboot] section:

Example:
[SetupProcessResult_NeedReboot]
3010=
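As an added example (not part of the Kaspersky documentation), the following PowerShell reads a .kpd fragment containing the sections described above and works out what the executable-file task would report for a given return code. The section and key names are those shown in the text; the parser, the decision logic and the $sampleKpd fragment are this example's own reading of the description, not Kaspersky's implementation.

```powershell
# Added example (not part of the Kaspersky documentation). Models how the
# [SetupProcessResult*] sections of a .kpd file map an installer's return code
# to a task outcome. The logic is this example's reading of the help text,
# not Kaspersky Security Center's own code.

# Parses INI-style .kpd text into nested ordered dictionaries.
function ConvertFrom-KpdText {
    param([Parameter(Mandatory)][string]$Text)
    $ini = [ordered]@{}
    $section = $null
    foreach ($raw in $Text -split "`r?`n") {
        $line = $raw.Trim()
        if ($line -eq '' -or $line.StartsWith(';')) { continue }
        if ($line -match '^\[(.+)\]$') {
            $section = $Matches[1]
            $ini[$section] = [ordered]@{}
        } elseif ($section -and $line -match '^([^=]+)=(.*)$') {
            # "3010=" (no description) and "3010=A restart is required" are both valid.
            $ini[$section][$Matches[1].Trim()] = $Matches[2].Trim()
        }
    }
    return $ini
}

# Decides the task outcome for one return code.
function Get-KpdTaskOutcome {
    param(
        [Parameter(Mandatory)]$Kpd,
        [Parameter(Mandatory)][int]$ExitCode
    )
    $spr     = $Kpd['SetupProcessResult']
    $wait    = if ($spr -and $spr.Contains('Wait'))    { [int]$spr['Wait'] }    else { 1 }
    $waitJob = if ($spr -and $spr.Contains('WaitJob')) { [int]$spr['WaitJob'] } else { 1 }
    $success = $Kpd['SetupProcessResult_SuccessCodes']
    $errors  = $Kpd['SetupProcessResult_ErrorCodes']
    $reboot  = $Kpd['SetupProcessResult_NeedReboot']
    $code    = [string]$ExitCode

    # Without a success-code list the task succeeds whatever the process returns;
    # with one, any code not listed is an error.
    $status = if (-not $success) { 'Success' }
              elseif ($success.Contains($code)) { 'Success' }
              else { 'Error' }

    $message = if ($status -eq 'Success' -and $success -and $success[$code]) { $success[$code] }
               elseif ($errors -and $errors.Contains($code)) { $errors[$code] }
               else { '' }

    [pscustomobject]@{
        ExitCode     = $ExitCode
        Status       = $status
        Message      = $message
        NeedReboot   = [bool]($reboot -and $reboot.Contains($code))
        WaitProcess  = ($wait -ne 0)
        WaitChildren = ($wait -ne 0 -and $waitJob -ne 0)
    }
}

# Constructed .kpd fragment combining the sections shown in the text.
$sampleKpd = @'
[SetupProcessResult]
Wait=1
WaitJob=0
[SetupProcessResult_SuccessCodes]
0=Installation completed successfully
3010=A restart is required to complete the installation
[SetupProcessResult_ErrorCodes]
1602=Installation canceled by the user
1603=Fatal error during installation
[SetupProcessResult_NeedReboot]
3010=
'@

$kpd = ConvertFrom-KpdText -Text $sampleKpd
foreach ($rc in 0, 3010, 1603, 42) {
    Get-KpdTaskOutcome -Kpd $kpd -ExitCode $rc
}
```

For the constructed fragment, codes 0 and 3010 come out as Success (3010 with NeedReboot set), 1603 as Error with its description, and 42 as Error with no description.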

Monitoring the deployment


To monitor the Kaspersky Security Center deployment and make sure that a security application and Network
Agent are installed on managed devices, you have to check the traffic light in the Deployment section. This traffic
light is located in the workspace of the Administration Server node in the main window of Administration Console.
The traffic light reflects the current deployment status. The number of devices with Network Agent and security
applications installed is displayed next to the traffic light. When any installation tasks are running, you can monitor
their progress here. If any installation errors occur, the number of errors is displayed here. You can view the details
of any error by clicking the link.

You can also use the deployment schema in the workspace of the Managed devices folder on the Groups tab. The
chart reflects the deployment process, showing the number of devices without Network Agent, with Network
Agent, or with Network Agent and a security application.

For more details on the progress of the deployment (or the operation of a speci c installation task) open the
results window of the relevant remote installation task: Right-click the task and select Results in the context menu.
The window displays two lists: the upper one contains the task statuses on devices, while the lower one
contains task events on the device that is currently selected in the upper list.

Information about deployment errors is added to the Kaspersky Event Log on Administration Server. Information
about errors is also available in the corresponding selection of events in the Reports and notifications folder, the
Events subfolder.

Configuring installers


This section provides information about the files of Kaspersky Security Center installers and the installation
settings, as well as recommendations on how to install Administration Server and Network Agent in silent mode.

General information

Installers of Kaspersky Security Center 14 components (Administration Server, Network Agent, and Administration
Console) are built on Windows Installer technology. An MSI package is the core of an installer. This format of
packaging allows using all of the advantages provided by Windows Installer: scalability, availability of a patching
system, transformation system, centralized installation through third-party solutions, and transparent registration
with the operating system.

Installation in silent mode (with a response file)


The installers of Administration Server and Network Agent have the feature of working with the response file
(ss_install.xml), where the parameters for installation in silent mode without user participation are integrated. The
ss_install.xml file is located in the same folder as the MSI package; it is used automatically during installation in
silent mode. You can enable the silent installation mode with the command line key "/s".

An overview of an example run follows:

setup.exe /s

Before you start the installer in silent mode, read the End User License Agreement (EULA). If the Kaspersky
Security Center distribution kit does not include a TXT file with the text of the EULA, you can download the
file from the Kaspersky website.

The ss_install.xml file is an instance of the internal format of parameters of the Kaspersky Security Center installer.
Distribution packages contain the ss_install.xml file with the default parameters.

Please do not modify ss_install.xml manually. This file can be modified through the tools of Kaspersky Security
Center when editing the parameters of installation packages in Administration Console.

To modify the response file for Administration Server installation:

1. Open the Kaspersky Security Center distribution package. If you use a full package EXE file, then unpack it.

2. From the Server folder, open the command line, and then run the following command:
setup.exe /r ss_install.xml

The Kaspersky Security Center installer starts.

3. Follow the Wizard's steps to configure the Kaspersky Security Center installation.

When you complete the Wizard, the response file is automatically modified according to the new settings that
you specified.

Installation of Network Agent in silent mode (without a response file)


You can install Network Agent with a single .msi package, specifying the values of MSI properties in the standard
way. This scenario allows Network Agent to be installed by using group policies. To avoid conflicts between
parameters defined through MSI properties and parameters defined in the response file, you can disable the
response file by setting the property DONT_USE_ANSWER_FILE=1. The MSI file is located in the Kaspersky Security
Center distribution package, in the Packages\NetAgent\exec folder. An example of a run of the Network Agent
installer with an .msi package is as follows.

Installation of Network Agent in silent mode requires acceptance of the terms of the End User License Agreement.
Use the EULA=1 parameter only if you have fully read, understand and accept the terms of the End User License
Agreement.

Example:
msiexec /i "Kaspersky Network Agent.msi" /qn DONT_USE_ANSWER_FILE=1 SERVERADDRESS=kscserver.mycompany.com EULA=1

You can also define the installation parameters for an .msi package by preparing the response file in advance (one
with an .mst extension). This command appears as follows:

Example:
msiexec /i "Kaspersky Network Agent.msi" /qn TRANSFORMS=test.mst;test2.mst

You can specify several response files in a single command.

Partial installation configuration through setup.exe


When running installation of applications through setup.exe, you can add the values of any properties of MSI to the
MSI package.

This command appears as follows:

Example:
/v"PROPERTY_NAME1=PROPERTY_VALUE1 PROPERTYNAME2=PROPERTYVALUE2"

Administration Server installation parameters


The table below describes the MSI properties that you can configure when installing Administration Server. All of
the parameters are optional, except for EULA and PRIVACYPOLICY.

Parameters of Administration Server installation in silent mode

MSI property: EULA
  Description: Acceptance of the terms of the License Agreement (required)
  Available values:
    1—I have fully read, understand and accept the terms of the End User License Agreement.
    Other value or no value—I do not accept the terms of the License Agreement (installation is not performed).

MSI property: PRIVACYPOLICY
  Description: Acceptance of the terms of the Privacy Policy (required)
  Available values:
    1—I am aware and agree that my data will be handled and transmitted (including to third countries) as described in the Privacy Policy. I confirm that I have fully read and understand the Privacy Policy.
    Other value or no value—I do not accept the terms of the Privacy Policy (installation is not performed).

MSI property: INSTALLATIONMODETYPE
  Description: Type of Administration Server installation
  Available values:
    Standard.
    Custom.

MSI property: INSTALLDIR
  Description: Application installation folder
  Available values: String value.

MSI property: ADDLOCAL
  Description: List of components to install (separated by commas)
  Available values: CSAdminKitServer, NAgent, CSAdminKitConsole, NSAC, MobileSupport, KSNProxy, SNMPAgent, GdiPlusRedist, Microsoft_VC90_CRT_x86, Microsoft_VC100_CRT_x86.
    Minimum list of components sufficient for proper Administration Server installation:
    ADDLOCAL=CSAdminKitServer, CSAdminKitConsole, KSNProxy, Microsoft_VC90_CRT_x86, Microsoft_VC100_CRT_x86

MSI property: NETRANGETYPE
  Description: Network size
  Available values:
    NRT_1_100—From 1 to 100 devices.
    NRT_100_1000—From 101 to 1000 devices.
    NRT_GREATER_1000—More than 1000 devices.

MSI property: SRV_ACCOUNT_TYPE
  Description: Way of specifying the user for the operation of the Administration Server service
  Available values:
    SrvAccountDefault—The user account will be created automatically.
    SrvAccountUser—The user account is defined manually.

MSI property: SERVERACCOUNTNAME
  Description: User name for the service
  Available values: String value.

MSI property: SERVERACCOUNTPWD
  Description: User password for the service
  Available values: String value.

MSI property: DBTYPE
  Description: Database type
  Available values:
    MySQL—A MySQL or MariaDB database will be used.
    MSSQL—A Microsoft SQL Server (SQL Express) database will be used.

MSI property: MYSQLSERVERNAME
  Description: Full name of MySQL or MariaDB server
  Available values: String value.

MSI property: MYSQLSERVERPORT
  Description: Number of port for connection to MySQL or MariaDB server
  Available values: Numerical value.

MSI property: MYSQLDBNAME
  Description: Name of MySQL or MariaDB server database
  Available values: String value.

MSI property: MYSQLACCOUNTNAME
  Description: User name for connection to MySQL or MariaDB server database
  Available values: String value.

MSI property: MYSQLACCOUNTPWD
  Description: User password for connection to MySQL or MariaDB server database
  Available values: String value.

MSI property: MSSQLCONNECTIONTYPE
  Description: Type of use of MSSQL database
  Available values:
    InstallMSSEE—Install from a package.
    ChooseExisting—Use the installed server.

MSI property: MSSQLSERVERNAME
  Description: Full name of SQL Server instance
  Available values: String value.

MSI property: MSSQLDBNAME
  Description: Name of SQL Server database
  Available values: String value.

MSI property: MSSQLAUTHTYPE
  Description: Method of authentication for connection to SQL Server
  Available values:
    Windows.
    SQLServer.

MSI property: MSSQLACCOUNTNAME
  Description: User name for connection to SQL Server in SQLServer mode
  Available values: String value.

MSI property: MSSQLACCOUNTPWD
  Description: User password for connection to SQL Server in SQLServer mode
  Available values: String value.

MSI property: CREATE_SHARE_TYPE
  Description: Method of specifying the shared folder
  Available values:
    Create—Create a new shared folder. In this case, the following properties must be defined:
      SHARELOCALPATH—Path to a local folder.
      SHAREFOLDERNAME—Network name of a folder.
    Null—EXISTSHAREFOLDERNAME property must be specified.

MSI property: EXISTSHAREFOLDERNAME
  Description: Full path to an existing shared folder
  Available values: String value.

MSI property: SERVERPORT
  Description: Port number to connect to Administration Server
  Available values: Numerical value.

MSI property: SERVERSSLPORT
  Description: Number of port for establishing SSL connection to Administration Server
  Available values: Numerical value.

MSI property: SERVERADDRESS
  Description: Administration Server address
  Available values: String value.

MSI property: SERVERCERT2048BITS
  Description: Size of the key for the Administration Server certificate (bits)
  Available values:
    1—The size of the key for the Administration Server certificate is 2048 bit.
    0—The size of the key for the Administration Server certificate is 1024 bit.
    If no value is specified, the size of the key for the Administration Server certificate is 1024 bit.

MSI property: MOBILESERVERADDRESS
  Description: Address of the Administration Server for connection of mobile devices; ignored if the MobileSupport component has not been selected
  Available values: String value.

Network Agent installation parameters


The table below describes the MSI properties that you can configure when installing Network Agent. All of the
parameters are optional, except for EULA and SERVERADDRESS.

Parameters of Network Agent installation in silent mode

MSI property: EULA
  Description: Acceptance of the terms of the License Agreement
  Available values:
    1—I have fully read, understand and accept the terms of the End User License Agreement.
    0—I do not accept the terms of the License Agreement (installation is not performed).
    No value—I do not accept the terms of the License Agreement (installation is not performed).

MSI property: DONT_USE_ANSWER_FILE
  Description: Read installation settings from response file
  Available values:
    1—Do not use.
    Other value or no value—Read.

MSI property: INSTALLDIR
  Description: Path to the Network Agent installation folder
  Available values: String value.

MSI property: SERVERADDRESS
  Description: Administration Server address (required)
  Available values: String value.

MSI property: SERVERPORT
  Description: Number of port for connection to Administration Server
  Available values: Numerical value.

MSI property: SERVERSSLPORT
  Description: Number of the port for encrypted connection to Administration Server by using SSL protocol
  Available values: Numerical value.

MSI property: USESSL
  Description: Whether to use SSL connection
  Available values:
    1—Use.
    Other value or no value—Do not use.

MSI property: OPENUDPPORT
  Description: Whether to open a UDP port
  Available values:
    1—Open.
    Other value or no value—Do not open.

MSI property: UDPPORT
  Description: UDP port number
  Available values: Numerical value.

MSI property: USEPROXY
  Description: Whether to use a proxy server
  Available values:
    1—Use.
    Other value or no value—Do not use.

MSI property: PROXYLOCATION (PROXYADDRESS:PROXYPORT)
  Description: Proxy address and number of port for connection to proxy server
  Available values: String value.

MSI property: PROXYLOGIN
  Description: Account for connection to proxy server
  Available values: String value.

MSI property: PROXYPASSWORD
  Description: Password of account for connection to proxy server (Do not specify any details of privileged accounts in the parameters of installation packages.)
  Available values: String value.

MSI property: GATEWAYMODE
  Description: Connection gateway use mode
  Available values:
    0—Do not use connection gateway.
    1—Use this Network Agent as connection gateway.
    2—Connect to the Administration Server using connection gateway.

MSI property: GATEWAYADDRESS
  Description: Connection gateway address
  Available values: String value.

MSI property: CERTSELECTION
  Description: Method of receiving a certificate
  Available values:
    GetOnFirstConnection—Receive a certificate from the Administration Server.
    GetExistent—Select an existing certificate. If this option is selected, the CERTFILE property must be specified.

MSI property: CERTFILE
  Description: Path to the certificate file
  Available values: String value.

MSI property: VMVDI
  Description: Enable dynamic mode for Virtual Desktop Infrastructure (VDI)
  Available values:
    1—Enable.
    0—Do not enable.
    No value—Do not enable.

MSI property: LAUNCHPROGRAM
  Description: Whether to start the Network Agent service after installation
  Available values:
    1—Start.
    Other value or no value—Do not start.

MSI property: NAGENTTAGS
  Description: Tag for Network Agent (has priority over the tag given in the response file)
  Available values: String value.
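
The two silent-install paths described in this section (Administration Server through setup.exe /s with MSI properties passed in /v"...", and Network Agent through msiexec with the response file disabled) combined into one PowerShell script. This is an added example, not a script shipped with Kaspersky Security Center: the installer paths, the log folder, the SQL Server instance, the database name and the share name are assumed placeholders, and passing the msiexec /l*v logging switch inside /v"..." is an assumption about what setup.exe forwards to msiexec. The script refuses to run unless the EULA and Privacy Policy have been explicitly accepted, sets SERVERCERT2048BITS=1 (the table above states that the Administration Server certificate gets a 1024-bit key when the property is omitted), uses Windows authentication for SQL Server so no database password appears on the command line, and leaves PROXYLOGIN and PROXYPASSWORD out, as the Network Agent table advises.

```powershell
# Added example, not part of Kaspersky Security Center. Silent installation of
# Administration Server and Network Agent using the MSI properties from the tables above.
# Assumed placeholders: every file path, the SQL Server instance, the database and share names.
param(
    [switch]$AcceptEulaAndPrivacyPolicy,   # pass only after reading both documents
    [string]$ServerSetup   = 'C:\KSC\Server\setup.exe',                                   # assumed
    [string]$AgentMsi      = 'C:\KSC\Packages\NetAgent\exec\Kaspersky Network Agent.msi',  # assumed
    [string]$ServerAddress = 'kscserver.mycompany.com',   # address used in the page's own example
    [string]$LogDir        = 'C:\KscInstallLogs'          # assumed; no spaces keeps /v"..." simple
)

if (-not $AcceptEulaAndPrivacyPolicy) {
    throw 'EULA=1 and PRIVACYPOLICY=1 may only be passed after you have read and accepted both documents.'
}
New-Item -ItemType Directory -Path $LogDir -Force | Out-Null

function Invoke-Installer {
    # Runs an installer, waits for it, and maps the standard Windows Installer exit codes.
    param([string]$FilePath, [string]$Arguments, [string]$LogPath)
    $proc = Start-Process -FilePath $FilePath -ArgumentList $Arguments -Wait -PassThru
    switch ($proc.ExitCode) {
        0       { Write-Host "Installed: $FilePath" }
        3010    { Write-Warning "Installed, reboot required: $FilePath" }
        default { throw "Exit code $($proc.ExitCode) from ${FilePath}; see $LogPath" }
    }
}

# --- Administration Server: setup.exe /s reads ss_install.xml; /v"..." adds MSI properties ---
$serverProps = @(
    'EULA=1'
    'PRIVACYPOLICY=1'
    'INSTALLATIONMODETYPE=Standard'
    'NETRANGETYPE=NRT_100_1000'
    'SERVERCERT2048BITS=1'                 # table: omitted or 0 gives a 1024-bit certificate key
    'SRV_ACCOUNT_TYPE=SrvAccountDefault'   # let the installer create the service account
    'DBTYPE=MSSQL'
    'MSSQLCONNECTIONTYPE=ChooseExisting'
    'MSSQLSERVERNAME=sql01.mycompany.com\KSC'   # assumed instance
    'MSSQLDBNAME=KSC14'                          # assumed database name
    'MSSQLAUTHTYPE=Windows'                      # Windows auth: no SQL password on the command line
    'CREATE_SHARE_TYPE=Create'
    'SHARELOCALPATH=C:\KscShare'                 # assumed
    'SHAREFOLDERNAME=KscShare'                   # assumed
    "/l*v $LogDir\server.log"                    # assumption: msiexec logging switch forwarded via /v
) -join ' '
Invoke-Installer -FilePath $ServerSetup -Arguments "/s /v`"$serverProps`"" -LogPath "$LogDir\server.log"

# --- Network Agent: plain MSI, response file disabled so only these properties apply ---
$agentProps = @(
    'EULA=1'
    'DONT_USE_ANSWER_FILE=1'
    "SERVERADDRESS=$ServerAddress"
    'USESSL=1'                             # encrypted connection on SERVERSSLPORT
    'CERTSELECTION=GetOnFirstConnection'   # fetch the certificate from the Administration Server
    'LAUNCHPROGRAM=1'
    # PROXYLOGIN / PROXYPASSWORD deliberately absent: the table warns against putting
    # privileged account details into package parameters (they persist in logs and GPO files).
) -join ' '
Invoke-Installer -FilePath 'msiexec.exe' `
    -Arguments "/i `"$AgentMsi`" /qn $agentProps /l*v `"$LogDir\agent.log`"" `
    -LogPath "$LogDir\agent.log"

# Post-check: the Network Agent service (klnagent) should exist and, with LAUNCHPROGRAM=1, be running.
Get-Service -Name klnagent -ErrorAction SilentlyContinue | Select-Object Name, Status, StartType
```

Run it from an elevated prompt as .\Install-Ksc.ps1 -AcceptEulaAndPrivacyPolicy after verifying the placeholders. The verbose msiexec logs are the first place to look when a property is rejected; keep in mind that they record every property passed on the command line, which is one more reason to keep credentials out of it.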

Virtual infrastructure
Kaspersky Security Center supports the use of virtual machines. You can install Network Agent and the security
application on each virtual machine, and you can protect virtual machines at the hypervisor level. In the first case,
you can use either a standard security application or Kaspersky Security for Virtualization Light Agent to protect
your virtual machines. In the second case, you can use Kaspersky Security for Virtualization Agentless.

Kaspersky Security Center supports rollbacks of virtual machines to their previous state.

Tips on reducing the load on virtual machines


When installing Network Agent on a virtual machine, you are advised to consider disabling some Kaspersky
Security Center features that seem to be of little use for virtual machines.

When installing Network Agent on a virtual machine or on a template intended for generation of virtual machines,
we recommend the following actions:

If you are running a remote installation, in the properties window of the Network Agent installation package, in
the Advanced section, select the Optimize settings for VDI option.

If you are running an interactive installation through a Wizard, in the Wizard window, select the Optimize the
Network Agent settings for the virtual infrastructure option.

Selecting those options alters the settings of Network Agent so that the following features remain disabled by
default (before a policy is applied):

Retrieving information about software installed

Retrieving information about hardware

Retrieving information about vulnerabilities detected

Retrieving information about updates required

Usually, those features are not necessary on virtual machines because they use uniform software and virtual
hardware.

Disabling the features is reversible. If any of the disabled features is required, you can enable it through the policy
of Network Agent, or through the local settings of Network Agent. The local settings of Network Agent are
available through the context menu of the relevant device in Administration Console.

Support of dynamic virtual machines
Kaspersky Security Center supports dynamic virtual machines. If a virtual infrastructure has been deployed on the
organization's network, dynamic (temporary) virtual machines can be used in certain cases. The dynamic VMs are
created under unique names based on a template that has been prepared by the administrator. The user works on
a VM for a while; after the VM is turned off, it is removed from the virtual infrastructure. If Kaspersky Security
Center has been deployed on the organization's network, a virtual machine with installed Network Agent will be
added to the Administration Server database. After you turn off a virtual machine, the corresponding entry must
also be removed from the database of Administration Server.

To enable automatic removal of entries for such virtual machines, select the Enable dynamic mode for VDI option
when installing Network Agent on a template for dynamic virtual machines:

For remote installation—In the properties window of the installation package of Network Agent (Advanced
section)

For interactive installation—In the Network Agent Installation Wizard

Avoid selecting the Enable dynamic mode for VDI option when installing Network Agent on physical devices.

If you want events from dynamic virtual machines to be stored on the Administration Server for a while after you
remove those virtual machines, then, in the Administration Server properties window, in the Events repository
section, select the Store events after devices are deleted option and specify the maximum storage term for
events (in days).

Support of virtual machines copying


Copying a virtual machine with installed Network Agent or creating one from a template with installed Network
Agent is identical to the deployment of Network Agents by capturing and copying a hard drive image. So, in the
general case, when copying virtual machines, you need to perform the same actions as when deploying Network
Agent by copying a disk image.

However, in the two cases described below, Network Agent detects the copying automatically, so you do not have
to perform the sophisticated operations described under "Deployment by capturing and copying the hard drive of
a device":

The Enable dynamic mode for VDI option was selected when Network Agent was installed—After each restart
of the operating system, this virtual machine will be recognized as a new device, regardless of whether it has
been copied or not.

One of the following hypervisors is in use: VMware™, HyperV®, or Xen®: Network Agent detects the copying of
the virtual machine by the changed IDs of the virtual hardware.

Analysis of changes in virtual hardware is not absolutely reliable. Before applying this method widely, you must
test it on a small pool of virtual machines for the version of the hypervisor currently used in your organization.

Support of file system rollback for devices with Network Agent


Kaspersky Security Center is a distributed application. Rolling back the file system to a previous state on a device
with Network Agent installed will lead to data desynchronization and improper functioning of Kaspersky Security
Center.

The file system (or a part of it) can be rolled back in the following cases:

When copying an image of the hard drive.

When restoring a state of the virtual machine by means of the virtual infrastructure.

When restoring data from a backup copy or a recovery point.

The only scenarios that are critical for Kaspersky Security Center are those in which third-party software on
devices with Network Agent installed affects the %ALLUSERSPROFILE%\Application Data\KasperskyLab\adminkit\
folder. Therefore, you must always exclude this folder from the recovery procedure, if possible.

Because the workplace rules of some organizations provide for rollbacks of the file system on devices, support for
the file system rollback on devices with Network Agent installed has been added to Kaspersky Security Center,
starting with version 10 Maintenance Release 1 (Administration Server and Network Agents must be of version 10
Maintenance Release 1 or later). When a rollback is detected, those devices are automatically reconnected to the
Administration Server with full data cleansing and full synchronization.

By default, support of file system rollback detection is enabled in Kaspersky Security Center 14.

As much as possible, avoid rolling back the %ALLUSERSPROFILE%\Application Data\KasperskyLab\adminkit\
folder on devices with Network Agent installed, because full resynchronization of data requires a large amount of
resources.

A rollback of the system state is absolutely not allowed on a device with Administration Server installed. Nor is
a rollback of the database used by Administration Server.

You can restore a state of Administration Server from a backup copy only with the standard klbackup utility.

About connection profiles for out-of-office users


Out-of-office users of laptops (hereinafter also referred to as "devices") may need to change the method of
connecting to an Administration Server or switch between Administration Servers depending on the current
location of the device on the enterprise network.

Connection profiles are supported only for devices running Windows and macOS.

Using different addresses of a single Administration Server

Devices with Network Agent installed can connect to the Administration Server either from the organization's
intranet or from the internet. This situation may require Network Agent to use different addresses for connection
to Administration Server: the external Administration Server address for the Internet connection and the internal
Administration Server address for the internal network connection.

To do this, you must add a profile (for connection to Administration Server from the Internet) to the Network
Agent policy. Add the profile in the policy properties (Connectivity section, Connection profiles subsection). In
the profile creation window, you must disable the Use to receive updates only option and select the Synchronize
connection settings with the Administration Server settings specified in this profile option. If you use a
connection gateway to access Administration Server (for example, in a Kaspersky Security Center configuration as
that described in Internet access: Network Agent as connection gateway in DMZ), you must specify the address of
the connection gateway in the corresponding field of the connection profile.

Switching between Administration Servers depending on the current network

If the organization has multiple offices with different Administration Servers and some of the devices with Network
Agent installed move between them, you need Network Agent to connect to the Administration Server of the local
network in the office where the device is currently located.

In this case, you must create a profile for connection to Administration Server in the properties of the policy of
Network Agent for each of the offices, except for the home office where the original home Administration Server
is located. You must specify the addresses of Administration Servers in connection profiles and enable or disable
the Use to receive updates only option:

Select the option if you need Network Agent to be synchronized with the home Administration Server, while
using the local Server for downloading updates only.

Disable this option if it is necessary for Network Agent to be managed completely by the local Administration
Server.

After that, you must set up the conditions of switching to the newly created profiles: at least one condition for
each of the offices, except for the home office. Each condition's purpose is to detect items that are specific to an
office's network environment. If a condition is true, the corresponding profile gets activated. If none of the
conditions is true, Network Agent switches to the home Administration Server.

Deploying the Mobile Device Management feature


This section provides information about initial deployment of the Mobile Device Management feature.

Connecting KES devices to the Administration Server


Depending on the method used for connection of devices to the Administration Server, two deployment schemes
are possible for Kaspersky Device Management for iOS for KES devices:

Scheme of deployment with direct connection of devices to the Administration Server

Scheme of deployment involving Forefront® Threat Management Gateway (TMG)

Direct connection of devices to the Administration Server


KES devices can connect directly to port 13292 of the Administration Server.

Depending on the method used for authentication, two options are possible for connection of KES devices to the
Administration Server:

Connecting devices with a user certificate

Connecting devices without a user certificate

Connecting a device with a user certificate

When connecting a device with a user certificate, that device is associated with the user account to which the
corresponding certificate has been assigned through Administration Server tools.

In this case, two-way SSL authentication (mutual authentication) will be used. Both the Administration Server and
the device will be authenticated with certificates.

Connecting a device without a user certificate

When connecting a device without a user certificate, that device is associated with none of the user's accounts
on the Administration Server. However, when the device receives any certificate, the device will be associated with
the user to which the corresponding certificate has been assigned through Administration Server tools.

When connecting that device to the Administration Server, one-way SSL authentication will be applied, which
means that only the Administration Server is authenticated with the certificate. After the device retrieves the user
certificate, the type of authentication will change to two-way SSL authentication (2-way SSL authentication,
mutual authentication).

Scheme for connecting KES devices to the Server involving Kerberos constrained
delegation (KCD)
The scheme for connecting KES devices to the Administration Server involving Kerberos constrained delegation
(KCD) provides for the following:

Integration with Microsoft Forefront TMG.

Use of Kerberos Constrained Delegation (hereinafter referred to as KCD) for authentication of mobile devices.

Integration with Public Key Infrastructure (hereinafter referred to as PKI) for applying user certificates.

When using this connection scheme, please note the following:

The type of connection of KES devices to TMG must be "two-way SSL authentication", that is, a device must
connect to TMG through its proprietary user certificate. To do this, you need to integrate the user certificate
into the installation package of Kaspersky Endpoint Security for Android, which has been installed on the
device. This KES package must be created by the Administration Server specifically for this device (user).

You must specify the special (customized) certificate instead of the default server certificate for the mobile
protocol:

1. In the Administration Server properties window, in the Settings section, select the Open port for mobile
devices check box and select Add certificate in the drop-down list.

2. In the window that opens, specify the same certificate that was set on TMG when the point of access to
the mobile protocol was published on the Administration Server.

User certificates for KES devices must be issued by the Certificate Authority (CA) of the domain. Keep in mind
that if the domain includes multiple root CAs, user certificates must be issued by the CA that has been set in
the publication on TMG.
You can make sure the user certificate is in compliance with the above-described requirement, using one of the
following methods:

Specify the special user certificate in the New Installation Package Wizard and in the Certificate Installation
Wizard.

Integrate the Administration Server with the domain's PKI and define the corresponding setting in the rules
for issuance of certificates:

1. In the console tree, expand the Mobile Device Management folder and select the Certificates
subfolder.

2. In the workspace of the Certificates folder, click the Configure certificate issuance rules button to
open the Certificate issuance rules window.

3. In the Integration with PKI section, configure integration with the Public Key Infrastructure.

4. In the Issuance of mobile certificates section, specify the source of certificates.

Below is an example of setup of Kerberos Constrained Delegation (KCD) with the following assumptions:

Point of access to the mobile protocol on the Administration Server is set up on port 13292.

The name of the device with TMG is tmg.mydom.local.

The name of the device with Administration Server is ksc.mydom.local.

Name of the external publishing of the point of access to the mobile protocol is kes4mob.mydom.global.

Domain account for Administration Server

You must create a domain account (for example, KSCMobileSrvcUsr) under which the Administration Server
service will run. You can specify an account for the Administration Server service when installing the Administration
Server or through the klsrvswch utility. The klsrvswch utility is located in the installation folder of Administration
Server. The default installation path: <Disk>:\Program Files (x86)\Kaspersky Lab\Kaspersky Security Center.

A domain account must be specified for the following reasons:

The feature for management of KES devices is an integral part of Administration Server.

To ensure proper functioning of Kerberos Constrained Delegation (KCD), the receiving side (i.e., the
Administration Server) must run under a domain account.

Service Principal Name for http/kes4mob.mydom.local

In the domain, under the KSCMobileSrvcUsr account, add an SPN for publishing the mobile protocol service on
port 13292 of the device with Administration Server. For the kes4mob.mydom.local device with Administration
Server, this will appear as follows:

setspn -a http/kes4mob.mydom.local:13292 mydom\KSCMobileSrvcUsr

Configuring the domain properties of the device with TMG (tmg.mydom.local)

To delegate traffic, you must trust the device with TMG (tmg.mydom.local) to the service defined by the SPN
(http/kes4mob.mydom.local:13292).

To trust the device with TMG to the service defined by the SPN (http/kes4mob.mydom.local:13292), the
administrator must perform the following actions:

1. In the Microsoft Management Console snap-in named "Active Directory Users and Computers", select the
device with TMG installed (tmg.mydom.local).

2. In the device properties, on the Delegation tab, set the Trust this computer for delegation to specified
service only toggle to Use any authentication protocol.

3. In the Services to which this account can present delegated credentials list, add the SPN
http/kes4mob.mydom.local:13292.

Special (customized) certificate for the publishing (kes4mob.mydom.global)

To publish the mobile protocol of Administration Server, you must issue a special (customized) certificate for the
FQDN kes4mob.mydom.global and specify it instead of the default server certificate in the settings of the mobile
protocol of Administration Server in Administration Console. To do this, in the properties window of the
Administration Server, in the Settings section select the Open port for mobile devices check box and then select
Add certificate in the drop-down list.

Please note that the server certificate container (file with the p12 or pfx extension) must also contain a chain of
root certificates (public keys).

Configuring publication on TMG

On TMG, for traffic that goes from the mobile device side to port 13292 of kes4mob.mydom.global, you have to
configure KCD on the SPN (http/kes4mob.mydom.local:13292), using the server certificate issued for the FQDN
kes4mob.mydom.global. Please note that publishing and the published access point (port 13292 of the
Administration Server) must share the same server certificate.
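
The Active Directory side of the KCD setup above (the SPN for the Administration Server service account, the delegation settings on the TMG computer object, and the certificate container check) as an added PowerShell example; it is not part of the Kaspersky documentation or product. It uses the page's own names (KSCMobileSrvcUsr, tmg.mydom.local, http/kes4mob.mydom.local:13292, kes4mob.mydom.global); the PFX path is an assumed placeholder. It needs the RSAT ActiveDirectory module and rights to modify the two objects. Beyond the page's steps, it refuses to register a duplicate SPN and warns when the TMG computer is allowed to delegate to anything other than the single KSC SPN, since "Use any authentication protocol" (protocol transition) lets TMG request service tickets on behalf of users without their credentials.

```powershell
# Added example, not part of the Kaspersky documentation: the Active Directory side of the
# KCD setup above, with the page's names (KSCMobileSrvcUsr, tmg.mydom.local,
# http/kes4mob.mydom.local:13292). The PFX path is an assumed placeholder.
Import-Module ActiveDirectory

$serviceAccount = 'KSCMobileSrvcUsr'
$spn            = 'http/kes4mob.mydom.local:13292'
$tmgHost        = 'tmg'                                   # tmg.mydom.local
$pfxPath        = 'C:\certs\kes4mob.mydom.global.pfx'     # assumed

# 1. SPN on the Administration Server service account (what "setspn -a" does on the page).
#    A duplicate SPN breaks Kerberos for both accounts, so check ownership before adding.
$owner = Get-ADObject -LDAPFilter "(servicePrincipalName=$spn)" -Properties sAMAccountName
if ($owner -and $owner.sAMAccountName -ne $serviceAccount) {
    throw "SPN $spn is already registered on $($owner.DistinguishedName)"
}
if (-not $owner) {
    Set-ADUser -Identity $serviceAccount -ServicePrincipalNames @{ Add = $spn }
}

# 2. Constrained delegation on the TMG computer object, with protocol transition
#    ("Use any authentication protocol", as the page's step 2 requires).
$tmg = Get-ADComputer -Identity $tmgHost -Properties 'msDS-AllowedToDelegateTo'
if ($tmg.'msDS-AllowedToDelegateTo' -notcontains $spn) {
    Set-ADComputer -Identity $tmg -Add @{ 'msDS-AllowedToDelegateTo' = $spn }
}
Set-ADAccountControl -Identity $tmg -TrustedToAuthForDelegation $true

# 3. Verify. Protocol transition lets TMG obtain service tickets for any user without that
#    user's credentials, so the delegation target list must contain nothing but the KSC SPN.
$after = Get-ADComputer -Identity $tmgHost -Properties 'msDS-AllowedToDelegateTo', TrustedToAuthForDelegation
$extra = @($after.'msDS-AllowedToDelegateTo') | Where-Object { $_ -ne $spn }
if ($extra) { Write-Warning "Unexpected delegation targets on ${tmgHost}: $($extra -join ', ')" }
[pscustomobject]@{
    Computer                   = $tmgHost
    TrustedToAuthForDelegation = $after.TrustedToAuthForDelegation
    DelegationTargets          = @($after.'msDS-AllowedToDelegateTo') -join ', '
}

# 4. The customized certificate for kes4mob.mydom.global: the container must hold the chain
#    (the page requires the root certificates' public keys in the p12/pfx file).
$pfx  = Get-PfxData -FilePath $pfxPath -Password (Read-Host -AsSecureString 'PFX password')
$leaf = $pfx.EndEntityCertificates | Select-Object -First 1
if ($leaf.DnsNameList.Unicode -notcontains 'kes4mob.mydom.global') {
    Write-Warning "Leaf certificate is not issued for kes4mob.mydom.global: $($leaf.Subject)"
}
if (-not $pfx.OtherCertificates) {
    Write-Warning 'PFX holds no issuer certificates; add the root chain before importing it on TMG and the Administration Server'
}
```

The delegation part replaces the three manual steps in "Active Directory Users and Computers"; the SPN part is the PowerShell equivalent of the setspn command shown earlier. Re-run step 3 periodically: delegation targets added later to the TMG computer object widen what TMG can do with the protocol-transition right.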

Using Google Firebase Cloud Messaging


To ensure timely responses of KES devices on Android to the administrator's commands, you must enable the use
of Google™ Firebase Cloud Messaging (hereinafter referred to as FCM) in the Administration Server properties.

To enable the use of FCM:

1. In Administration Console, select the Mobile Device Management node, and the Mobile devices folder.

2. In the context menu of the Mobile devices folder, select Properties.

3. In the folder properties, select the Google Firebase Cloud Messaging settings section.

4. In the Sender ID and Server key fields, specify the FCM settings: SENDER_ID and API Key.

FCM service runs in the following address ranges:

From the KES device's side, access is required to ports 443 (HTTPS), 5228 (HTTPS), 5229 (HTTPS), and 5230
(HTTPS) of the following addresses:

google.com

fcm.googleapis.com

android.apis.google.com

All of the IP addresses listed in Google's ASN of 15169

From the Administration Server side, access is required to port 443 (HTTPS) of the following addresses:

fcm.googleapis.com

All of the IP addresses listed in Google's ASN of 15169

If the proxy server settings (Advanced / Configuring Internet access) have been specified in the Administration
Server properties in Administration Console, they will be used for interaction with FCM.
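
A TCP reachability check for the FCM hosts and ports listed above, as an added PowerShell example (not from the Kaspersky documentation). The hosts and ports are the page's; nothing else is assumed. Run the server-side rows on the Administration Server and the device-side rows from a workstation in the network segment the mobile devices use.

```powershell
# Added example, not part of the Kaspersky documentation: TCP reachability check for the
# FCM hosts and ports listed above. Run it on the Administration Server (server-side rows)
# and on a workstation in the mobile devices' network segment (device-side rows).
$fcmEndpoints = @(
    @{ Side = 'Administration Server'; Name = 'fcm.googleapis.com';      Ports = @(443) }
    @{ Side = 'KES device';            Name = 'google.com';              Ports = @(443, 5228, 5229, 5230) }
    @{ Side = 'KES device';            Name = 'fcm.googleapis.com';      Ports = @(443, 5228, 5229, 5230) }
    @{ Side = 'KES device';            Name = 'android.apis.google.com'; Ports = @(443, 5228, 5229, 5230) }
)

function Test-FcmReachability {
    param([hashtable[]]$Endpoints = $fcmEndpoints)
    foreach ($e in $Endpoints) {
        foreach ($port in $e.Ports) {
            # -InformationLevel Quiet returns a plain boolean; warnings on refused connects are muted.
            $open = Test-NetConnection -ComputerName $e.Name -Port $port -InformationLevel Quiet -WarningAction SilentlyContinue
            [pscustomobject]@{ Side = $e.Side; Host = $e.Name; Port = $port; Reachable = $open }
        }
    }
}

$results = Test-FcmReachability
$results | Format-Table -AutoSize
$blocked = $results | Where-Object { -not $_.Reachable }
if ($blocked) {
    Write-Warning "Blocked: $(($blocked | ForEach-Object { "$($_.Host):$($_.Port)" }) -join ', ')"
}
```

Test-NetConnection connects directly and ignores the proxy configured in the Administration Server properties, so a failed direct connection from the Server is expected when FCM is reachable only through that proxy; in that case test the proxy path instead. The check covers the named hosts only; the remaining addresses in Google's ASN 15169 cannot be enumerated from a host list.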

Configuring FCM: retrieving SENDER_ID and API Key

To configure FCM, the administrator must perform the following actions:

1. Register on Google portal.

2. Go to Developers portal.

3. Create a new project by clicking the Create Project button, specify the project's name, and specify the ID.

4. Wait for the project to be created.

On the first page of the project, in the upper part of the page, the Project Number field shows the relevant
SENDER_ID.

5. Go to the APIs & auth / APIs section and enable Google Firebase Cloud Messaging for Android.

6. Go to the APIs & auth / Credentials section and click the Create New Key button.

7. Click the Server key button.

8. Impose restrictions (if any), click the Create button.

9. Retrieve the API Key from the properties of the newly created key (Server key field).

Integration with Public Key Infrastructure


Integration with Public Key Infrastructure (hereinafter referred to as PKI) is primarily intended for simplifying the
issuance of domain user certificates by Administration Server.

The administrator can assign a domain certificate for a user in Administration Console. This can be done using one
of the following methods:

Assign the user a special (customized) certificate from a file in the New Device Connection Wizard or in the
Certificate Installation Wizard.

Perform integration with PKI and assign PKI to act as the source of certificates for a specific type of
certificates or for all types of certificates.

The settings of integration with PKI are available in the workspace of the Mobile Device Management /
Certificates folder by clicking the Integrate with public key infrastructure link.

General principle of integration with PKI for issuance of domain user certificates

In Administration Console, click the Integrate with public key infrastructure link in the workspace of the Mobile
Device Management / Certificates folder to specify a domain account that will be used by Administration Server
to issue domain user certificates through the domain's CA (hereinafter referred to as the account under which
integration with PKI is performed).

Please note the following:

The settings of integration with PKI allow you to specify the default template for all types of certificates. Note
that the rules for issuance of certificates (available in the workspace of the Mobile Device Management /
Certificates folder by clicking the Configure certificate issuance rules button) allow you to specify an individual
template for every type of certificate.

A special Enrollment Agent (EA) certificate must be installed on the device with Administration Server, in the
certificates repository of the account under which integration with PKI is performed. The Enrollment Agent
(EA) certificate is issued by the administrator of the domain's CA (Certificate Authority).

The account under which integration with PKI is performed must meet the following criteria:

It is a domain user.

It is a local administrator of the device with Administration Server from which integration with PKI is initiated.

It has the right to Log On As Service.

The device with Administration Server installed must be run at least once under this account to create a
permanent user profile.

Kaspersky Security Center Web Server


Kaspersky Security Center Web Server (hereinafter referred to as Web Server) is a component of Kaspersky
Security Center. Web Server is designed for publishing stand-alone installation packages, stand-alone installation
packages for mobile devices, and files from the shared folder.

Installation packages that have been created are published on Web Server automatically and then removed after
the first download. The administrator can send the new link to the user in any convenient way, such as by email.

By clicking the link, the user can download the required information to a mobile device.

Web Server settings

If fine-tuning of Web Server is required, its properties allow you to change ports for HTTP (8060) and HTTPS
(8061). In addition to changing ports, you can replace the server certificate for HTTPS and change the FQDN of
Web Server for HTTP.

Other routine work


This section provides recommendations on routine work with Kaspersky Security Center.

Monitoring traffic lights and logged events in Administration Console


Administration Console allows you to quickly assess the current status of Kaspersky Security Center and managed
devices by checking traffic lights. The traffic lights are shown in the workspace of the Administration Server node,
on the Monitoring tab. The tab provides six information panels with traffic lights and logged events. A traffic light
is a colored vertical bar on the left side of a panel. Each panel with a traffic light corresponds to a specific
functional scope of Kaspersky Security Center (see the table below).

Scopes covered by traffic lights in Administration Console

Panel name | Traffic light scope
Deployment | Installing Network Agent and security applications on devices on an organization's network
Management scheme | Structure of administration groups. Network scanning. Device moving rules
Protection settings | Security application functionality: protection status, virus scanning
Update | Updates and patches
Monitoring | Protection status
Administration Server | Administration Server features and properties

Each traffic light can be any of these five colors (see the table below). The color of a traffic light depends on the
current status of Kaspersky Security Center and on events that were logged.

Color codes of traffic lights

Status | Traffic light color | Traffic light color meaning
Informational | Green | Administrator's intervention is not required.
Warning | Yellow | Administrator's intervention is required.
Critical | Red | Serious problems have been encountered. Administrator's intervention is required to solve them.
Informational | Light blue | Events have been logged that are unrelated to potential or actual threats to the security of managed devices.

The administrator's goal is to keep traffic lights on all of the information panels on the Monitoring tab green.

The information panels also show logged events that affect traffic lights and the status of Kaspersky Security
Center (see the table below).

Name, description, and traffic light colors of logged events

Traffic light color | Event type display name | Event type
Red | License expired on %1 device(s) | IDS_AK_STATUS_LIC_EXPAIRED
Red | Security application is not running on: %1 device(s) | IDS_AK_STATUS_AV_NOT_RUNNING
Red | Protection is disabled on: %1 device(s) | IDS_AK_STATUS_RTP_NOT_RUNNING
Red | A software vulnerability has been detected on devices | IDS_AK_STATUS_VULNERABILITIES_FOUND
Red | Critical events have been registered on the Administration Server | IDS_AK_STATUS_EVENTS_OCCURED
Red | Errors have been logged in events on the Administration Server | IDS_AK_STATUS_ERROR_EVENTS_OCCURED
Red | Lost connection to %1 device(s) | IDS_AK_STATUS_ADM_LOST_CONTROL1
Red | %1 device(s) have not connected to the Administration Server in a long time | IDS_AK_STATUS_ADM_NOT_CONNECTED1
Red | %1 device(s) have a status other than OK | IDS_AK_STATUS_HOST_NOT_OK
Red | Databases are outdated on: %1 device(s) | IDS_AK_STATUS_UPD_HOSTS_NOT_UPDATED
Red | Device(s) where check for Windows Update updates has not been performed in a long time: %1 | IDS_AK_STATUS_WUA_DATA_OBSOLETE
Red | %1 plug-in(s) for Kaspersky Security Center 14 must be installed | IDS_AK_STATUS_PLUGINS_REQUIRED2
Red | Active threats are detected on %1 device(s) | IDS_AK_STATUS_NONCURED_FOUND
Red | Task %1 has completed with an error | IDS_AK_STATUS_TASK_FAILED
Red | Too many viruses have been detected on: %1 device(s) | IDS_AK_STATUS_TOO_MANY_THREATS
Red | Virus outbreak | IDS_AK_STATUS_VIRUS_OUTBREAK
Red | Databases in the repository have not been updated in a long time | IDS_AK_STATUS_UPD_SERVER_NOT_UPTODATE
Yellow | Databases in the repository have not been updated in a long time | IDS_AK_STATUS_UPD_SERVER_NOT_UPTODATE
Yellow | Conflict of NetBIOS names has been detected on devices | IDS_AK_STATUS_ADM_NAME_CONFLICT
Yellow | On %s device(s), data encryption has switched to the status specified in the device status detection criteria | IDS_AK_STATUS_ENCRYPTION_FAULTS_FOUND
Yellow | License %1 expires in %2 days | IDS_AK_STATUS_LIC_EXPAIRING
Yellow | Unassigned devices that have Network Agent installed: %1 | IDS_AK_STATUS_NAGENTS_IN_UNASSIGNED
Yellow | Network Agents on %1 device(s) cannot run until restart. For the previous time, this status was %2 | IDS_AK_STATUS_NAGENTS_NOT_RUNNING_UNTIL_REBOOT
Yellow | Detected files must be sent to Kaspersky for further analysis | IDS_AK_STATUS_NEW_APS_FILE_APPEARED
Yellow | Managed device(s): %1. Security application is installed on: %2 device(s) | IDS_AK_STATUS_NO_AV
Yellow | Installation task %1 has completed successfully on %2 device(s); restart is required on %3 device(s) | IDS_AK_STATUS_RI_NEED_REBOOT
Yellow | Malware scan has not been performed in a long time on: %1 device(s) | IDS_AK_STATUS_SCAN_LATE
Yellow | Device(s) with software vulnerabilities detected: %1 | IDS_AK_STATUS_VULNERABLE_HOSTS_FOUND
Green | Managed device(s): %3. Unassigned device(s) detected: %1 | IDS_AK_STATUS_ADM_OK1
Green | Security application is installed on all managed devices | IDS_AK_STATUS_DEPLOYMENT_OK
Green | Kaspersky Security Center is functioning properly | IDS_AK_STATUS_GENERAL_OK
Green | Real-time protection application is not installed | IDS_AK_STATUS_RTP_NA
Green | Protection is enabled | IDS_AK_STATUS_RTP_OK
Green | Security application is not installed | IDS_AK_STATUS_SCAN_NA
Green | Malware scan is running on schedule | IDS_AK_STATUS_SCAN_OK
Green | Updates repository has been last updated: %1 | IDS_AK_STATUS_UPD_OK
Light blue | Databases in the repository have not been updated in a long time | IDS_AK_STATUS_UPD_SERVER_NOT_UPTODATE
Light blue | The accepted Kaspersky Security Network Statement is obsolete | IDS_AK_STATUS_ACCEPTED_KSN_AGREEMENT_OBSOLETE
Light blue | Kaspersky software updates have not been approved | IDS_AK_STATUS_APPLICABLE_KL_PATCHES_NOT_APPROVED
Light blue | Kaspersky application updates have been revoked | IDS_AK_STATUS_APPLICABLE_KL_PATCHES_REVOKED
Light blue | End User License Agreement for Kaspersky mobile software has not been accepted | IDS_AK_STATUS_KL_MOBILE_EULAS_NOT_ACCEPTED
Light blue | End User License Agreement for Kaspersky software updates has not been accepted | IDS_AK_STATUS_KL_PATCHES_EULAS_NOT_ACCEPTED
Light blue | KSN End User License Agreement for Kaspersky software updates has not been accepted | IDS_AK_STATUS_KL_PATCHES_KSN_AGREEMENTS_NOT_ACCEPTED
Light blue | You must accept the License Agreement to install updates | IDS_AK_STATUS_NEED_ACCEPT_EULA
Light blue | New versions of Kaspersky applications are available | IDS_AK_STATUS_NEW_DISTRIBUTIVES_AVAILABLE
Light blue | Updates are available for Kaspersky Security Center components | IDS_AK_STATUS_NEW_KSC_VERSIONS_AVAILABLE
Light blue | Updates are available for Kaspersky applications | IDS_AK_STATUS_NEW_VERSIONS_AVAILABLE
Light blue | Application installation task %1 has completed successfully on %2 device(s), failed on %3 device(s) | IDS_AK_STATUS_RI_FAILED
Light blue | Running deployment task - %1 (%2%%) | IDS_AK_STATUS_RI_RUNNING
Light blue | Full scan has never been performed on %1 device(s) | IDS_AK_STATUS_SCAN_NOT_SCANNED
Light blue | Running the update download task (progress: %1 %%) | IDS_AK_STATUS_UPD_SRV_UPDATE_IN_PROGRESS

Remote access to managed devices


This section provides information about remote access to managed devices.

Using the "Do not disconnect from the Administration Server" option to
provide continuous connectivity between a managed device and the
Administration Server
If you do not use push servers, Kaspersky Security Center does not provide continuous connectivity between
managed devices and the Administration Server. Network Agents on managed devices periodically establish
connections and synchronize with the Administration Server. The interval between those synchronization sessions
is defined in a policy of Network Agent. If an early synchronization is required, the Administration Server (or a
distribution point, if it is in use) sends a signed network packet over an IPv4 or IPv6 network to the UDP port of the
Network Agent. By default, the port number is 15000. If no connection through UDP is possible between the
Administration Server and a managed device, synchronization will run at the next regular connection of Network
Agent to the Administration Server within the synchronization interval.

Some operations cannot be performed without an early connection between Network Agent and the
Administration Server, such as running and stopping local tasks, receiving statistics for a managed application, or
creating a tunnel. To resolve this issue, if you are not using push servers, you can use the Do not disconnect from
the Administration Server option to make sure that there is continuous connectivity between a managed device
and the Administration Server.

To provide continuous connectivity between a managed device and the Administration Server:

1. Do one of the following:

If the managed device accesses the Administration Server directly (that is, not via a distribution point):

a. In the console tree, select the Managed devices folder.

b. In the workspace of the folder, select the managed device with which you want to provide continuous
connectivity.

c. In the context menu of the device, select Properties.


The properties window of the selected device opens.

If the managed device accesses the Administration Server through a distribution point running in gateway
mode, not directly:

a. In the console tree, select the Administration Server node.

b. In the context menu of the node, select Properties.

c. In the Administration Server properties window that opens, select the Distribution points section.

d. In the list, select the necessary distribution point, and then click Properties.
The properties window of the distribution point opens.

2. In the General section of the displayed window, select the Do not disconnect from the Administration
Server option.

Continuous connectivity is established between the managed device and the Administration Server.

The maximum total number of devices with the Do not disconnect from the Administration Server option
selected is 300.

About checking the time of connection between a device and the Administration Server

Upon shutting down a device, Network Agent notifies the Administration Server of this event. In Administration
Console that device is displayed as shut down. However, Network Agent cannot notify Administration Server of all
such events. The Administration Server, therefore, periodically analyzes the Connected to Administration Server
attribute (the value of this attribute is displayed in Administration Console, in the device properties, in the General
section) for each device and compares it against the synchronization interval from the current settings of Network
Agent. If a device has not responded over more than three successive synchronization intervals, that device is
marked as shut down.

About forced synchronization


Although Kaspersky Security Center automatically synchronizes the status, settings, tasks, and policies for
managed devices, in some cases the administrator needs to know exactly whether synchronization has already
been performed for a specified device at the present moment.

In the context menu of managed devices in Administration Console, the All tasks menu item contains the Force
synchronization command. When Kaspersky Security Center 14 executes this command, the Administration
Server attempts to connect to the device. If this attempt is successful, forced synchronization will be performed.
Otherwise, synchronization will be forced only after the next scheduled connection between Network Agent and
the Administration Server.

About tunneling
Kaspersky Security Center allows tunneling TCP connections from Administration Console via the Administration
Server and then via Network Agent to a specified port on a managed device. Tunneling is designed for connecting
a client application on a device with Administration Console installed to a TCP port on a managed device, if no
direct connection is possible between Administration Console and the target device.

For example, tunneling is used for connections to a remote desktop, both for connecting to an existing session,
and for creating a new remote session.

Tunneling can also be enabled by using external tools. For example, the administrator can run the putty utility, the
VNC client, and other tools in this way.

Sizing Guide
This section provides information about Kaspersky Security Center sizing.

About this Guide


Kaspersky Security Center 14 (also referred to as Kaspersky Security Center) Sizing Guide is intended for
professionals who install and administer Kaspersky Security Center, as well as for those who provide technical
support to organizations that use Kaspersky Security Center.

All recommendations and calculations are given for networks on which Kaspersky Security Center manages the
protection of devices with Kaspersky software installed, including mobile devices. If mobile devices, or any other
managed devices, are to be considered separately, this is stated specifically.

To obtain and maintain optimum performance under varying operational conditions, you must take into account the
number of networked devices, network topology, and set of Kaspersky Security Center features that you require.

This Guide provides the following information:

Limitations of Kaspersky Security Center

Calculations for the key nodes of Kaspersky Security Center (Administration Servers and distribution points):

Hardware requirements for Administration Servers and distribution points

Calculation of the number and hierarchy of Administration Servers

Calculation of the number and configuration of distribution points

Configuration of event logging in the database depending on the number of networked devices

Configuration of specific tasks aimed at optimal performance of Kaspersky Security Center

Traffic rate (network load) between Kaspersky Security Center Administration Server and every protected
device

Consulting this guide is recommended in the following cases:

When planning resources prior to Kaspersky Security Center installation

When planning significant changes to the scale of the network on which Kaspersky Security Center is deployed

When switching from using Kaspersky Security Center within a limited network segment (a test environment) to
full-scale deployment of Kaspersky Security Center on the corporate network

When making changes to the set of Kaspersky Security Center features used

Information about limitations of Kaspersky Security Center


The following table displays the limitations of the current version of Kaspersky Security Center.

Limitations of Kaspersky Security Center

Type of limitation | Value
Maximum number of managed devices per Administration Server | 100,000
Maximum number of devices with the Do not disconnect from the Administration Server option selected | 300
Maximum number of administration groups | 10,000
Maximum number of events to store | 45,000,000
Maximum number of policies | 2000
Maximum number of tasks | 2000
Maximum total number of Active Directory objects (organizational units (OUs) and accounts of users, devices, and security groups) | 1,000,000
Maximum number of profiles in a policy | 100
Maximum number of secondary Administration Servers on a single primary Administration Server | 500
Maximum number of virtual Administration Servers | 500
Maximum number of devices that a single distribution point can cover (distribution points can cover non-mobile devices only) | 10,000
Maximum number of devices that may use a single connection gateway | 10,000, including mobile devices
Maximum number of mobile devices per Administration Server | 100,000 minus the number of stationary managed devices

Calculations for Administration Servers


This section provides the software and hardware requirements for devices used as Administration Servers. Also
provided are recommendations for calculating the number and hierarchy of Administration Servers depending on
the configuration of the organization's network.

Calculation of hardware resources for the Administration Server


This section contains calculations that provide guidance for planning hardware resources for the Administration
Server. A recommendation on calculating disk space when the Vulnerability and Patch Management feature is used
is provided separately.

Hardware requirements for the DBMS and the Administration Server


The following tables give the recommended minimum hardware requirements to a DBMS and Administration Server
obtained during tests. For a complete list of operating systems and DBMSs supported, please refer to the list of
hardware and software requirements.

Administration Server and DBMS are on different devices, the network includes 50 000 devices

Configuration of the device that has Administration Server installed

Hardware Value

CPU 4 cores, 2500 MHz

RAM 8 GB

Hard drive 300 GB, RAID recommended

Network adapter 1 Gbit

Configuration of the device that has DBMS installed

Hardware Value

CPU 4 cores, 2500 MHz

RAM 16 GB

Hard drive 200 GB, SATA RAID

Network adapter 1 Gbit

Administration Server and DBMS are on the same device, the network includes 50 000 devices

Configuration of the device that has Administration Server and DBMS installed

Hardware Value

CPU 8 cores, 2500 MHz

RAM 16 GB

Hard drive 500 GB, SATA RAID

Network adapter 1 Gbit

Administration Server and DBMS are on different devices, the network includes 100 000 devices

Configuration of the device that has Administration Server installed

Hardware Value

CPU 8 cores, 2.13 GHz

RAM 8 GB

Hard drive 1 TB, with RAID

Network adapter 1 Gbit

Configuration of the device with DBMS installed

Hardware Value

CPU 8 cores, 2.53 GHz

RAM 26 GB

Hard drive 500 GB, SATA RAID

Network adapter 1 Gbit

The tests were run under the following settings:


Automatic assignment of distribution points is enabled on the Administration Server, or distribution points are
assigned manually in accordance with the recommended table.

The backup task saves backup copies to a file resource located on a dedicated server.

The synchronization interval for Network Agents is set as specified in the table below.

Synchronization interval for Network Agents

Synchronization interval (minutes) Number of managed devices

15 10,000

30 20,000

45 30,000

60 40,000

75 50,000

150 100,000

Calculation of database space


The approximate amount of space that must be reserved in the database can be calculated using the following
formula:

(600 * C + 2.3 * E + 2.5 * A + 1.2 * N * F), KB

where:

C is the number of devices.

E is the number of events to store.

A is the total number of Active Directory objects:

Device accounts

User accounts

Accounts of security groups

Active Directory organizational units

If scanning of Active Directory is disabled, A is considered to equal zero.

N is the average number of inventoried executable files on an endpoint device.

F is the number of endpoint devices, where executable files were inventoried.

If you plan to enable (in the Kaspersky Endpoint Security policy settings) notification of Administration Server on
applications that you run, you will need additional (0.03 * C) gigabytes to store in the database the information
about applications that you run.

If Administration Server distributes Windows updates (thus acting as the Windows Server Update Services server),
the database will require an additional 2.5 GB.

During operation, a certain unallocated space is always present in the database. Therefore, the actual size of the
database file (by default, the KAV.MDF file, if you use SQL Server as the DBMS) often turns out to be
approximately twice as large as the amount of space occupied in the database.

It is not recommended to limit explicitly the size of the transaction log (by default, the file KAV_log.LDF, if you use
SQL Server as the DBMS). It is recommended to leave the default value of the MAXSIZE parameter. However, if you
have to limit the size of this file, take into consideration that the typical necessary value of the MAXSIZE parameter
for KAV_log.LDF is 20480 MB.

Calculation of disk space (with and without the use of the Vulnerability and
patch management feature)

Calculation of disk space without the use of the Vulnerability and patch management feature

The Administration Server disk space required for the %ALLUSERSPROFILE%\Application Data\KasperskyLab\adminkit
folder can be estimated approximately using the formula:

(724 * C + 0.15 * E + 0.17 * A), KB

where:

C is the number of devices.

E is the number of events to store.

A is the total number of Active Directory objects:

Device accounts

User accounts

Accounts of security groups

Active Directory organizational units

If scanning of Active Directory is disabled, A is considered to equal zero.

Calculation of additional disk space with the use of the Vulnerability and patch management
feature

Updates. The shared folder additionally requires at least 4 GB to store updates.

Installation packages. If some installation packages are stored on the Administration Server, the shared folder
will require an additional amount of free disk space equal to the total size of all of the available installation
packages to be installed.

Remote installation tasks. If remote installation tasks are present on the Administration Server, an additional
amount of free disk space (in the %ALLUSERSPROFILE%\Application Data\KasperskyLab\adminkit folder)
equal to the total size of all installation packages to be installed will be required.

Patches. If Administration Server is involved in installation of patches, an additional amount of disk space will be
required:

The patches folder should have the amount of disk space equal to the total size of all patches that have
been downloaded. By default, patches are stored in the %ALLUSERSPROFILE%\Application
Data\KasperskyLab\adminkit\1093\.working\wusfiles folder.
You can use the klsrvswch utility to specify a different folder for storing patches. The klsrvswch utility is
located in the folder where Administration Server is installed. The default installation path: <Disk>:\Program
Files (x86)\Kaspersky Lab\Kaspersky Security Center.
If Administration Server is used as the WSUS server, you are advised to allocate at least 100 GB to this
folder.

The %ALLUSERSPROFILE%\Application Data\KasperskyLab\adminkit folder must have an amount of disk
space equal to the total size of those patches that are referenced by existing instances of update (patch)
installation and vulnerability fix tasks.
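The database-space and adminkit-folder formulas from the two sections above, implemented as an added example (not part of the Kaspersky documentation or product) so that a planned deployment can be sized from C, E, A, N and F. It assumes 1 GB = 1024 MB = 1048576 KB (the guide does not state the base) and that the patches folder sits at its default location under adminkit, that is, it has not been moved with klsrvswch.

```python
"""Storage sizing for a Kaspersky Security Center Administration Server.

Added example, not Kaspersky's own code: it encodes the database and
disk-space formulas of this Sizing Guide. Assumptions: 1 GB = 1024 MB =
1048576 KB, and the patches folder is at its default location under the
adminkit folder (not moved with klsrvswch).
"""
import math
from dataclasses import dataclass

KB_PER_MB = 1024
MB_PER_GB = 1024
KB_PER_GB = KB_PER_MB * MB_PER_GB
LOG_MAXSIZE_MB = 20480                  # typical MAXSIZE for KAV_log.LDF, per the guide
UPDATES_MIN_KB = 4 * KB_PER_GB          # shared folder: at least 4 GB for updates (VPM in use)
WSUS_PATCHES_MIN_KB = 100 * KB_PER_GB   # patches folder when the Server also acts as WSUS


@dataclass
class SizingInput:
    devices: int                          # C: number of managed devices
    events: int                           # E: number of events to store
    ad_objects: int = 0                   # A: device, user, security-group and OU objects (0 if AD scanning is off)
    avg_executables: int = 0              # N: average inventoried executable files per endpoint
    inventoried_devices: int = 0          # F: endpoints where executable files were inventoried
    app_run_notifications: bool = False   # KES policy notifies the Server about started applications
    wsus_enabled: bool = False            # Administration Server distributes Windows updates
    stored_packages_kb: float = 0         # installation packages kept on the Server (shared folder)
    pending_packages_kb: float = 0        # packages referenced by pending remote installation tasks
    downloaded_patches_kb: float = 0      # everything currently in the patches folder
    referenced_patches_kb: float = 0      # patches referenced by patch / vulnerability-fix tasks


def database_space_kb(s: SizingInput) -> float:
    """Space occupied inside the database: (600*C + 2.3*E + 2.5*A + 1.2*N*F) KB,
    plus the extras the guide lists for application-run notifications and WSUS."""
    space = (600 * s.devices + 2.3 * s.events + 2.5 * s.ad_objects
             + 1.2 * s.avg_executables * s.inventoried_devices)
    if s.app_run_notifications:
        space += 0.03 * s.devices * KB_PER_GB   # additional (0.03 * C) GB
    if s.wsus_enabled:
        space += 2.5 * KB_PER_GB                # additional 2.5 GB
    return space


def database_file_size_kb(s: SizingInput) -> float:
    """Expected on-disk size of the data file (KAV.MDF on SQL Server): the guide
    notes it is often about twice the occupied space because of unallocated pages."""
    return 2 * database_space_kb(s)


def patches_folder_kb(s: SizingInput) -> float:
    """The patches folder holds every downloaded patch; at least 100 GB is advised
    when the Server is also the WSUS server."""
    if s.wsus_enabled:
        return max(s.downloaded_patches_kb, WSUS_PATCHES_MIN_KB)
    return s.downloaded_patches_kb


def adminkit_folder_kb(s: SizingInput) -> float:
    """Space for %ALLUSERSPROFILE%\\Application Data\\KasperskyLab\\adminkit:
    (724*C + 0.15*E + 0.17*A) KB, plus packages of pending remote installation
    tasks, plus the patches folder (default location) and the patches referenced
    by patch-installation and vulnerability-fix tasks."""
    base = 724 * s.devices + 0.15 * s.events + 0.17 * s.ad_objects
    return base + s.pending_packages_kb + patches_folder_kb(s) + s.referenced_patches_kb


def shared_folder_kb(s: SizingInput) -> float:
    """Shared folder with Vulnerability and Patch Management in use: at least
    4 GB for updates plus all installation packages stored on the Server."""
    return UPDATES_MIN_KB + s.stored_packages_kb


def sizing_report_gb(s: SizingInput) -> dict:
    """Whole gigabytes, rounded up, for comparison with the hardware tables above."""
    def to_gb(kb: float) -> int:
        return math.ceil(kb / KB_PER_GB)
    return {
        "database_occupied": to_gb(database_space_kb(s)),
        "database_file": to_gb(database_file_size_kb(s)),
        "transaction_log_maxsize": LOG_MAXSIZE_MB // MB_PER_GB,
        "adminkit_folder": to_gb(adminkit_folder_kb(s)),
        "shared_folder": to_gb(shared_folder_kb(s)),
    }


if __name__ == "__main__":
    # Constructed deployment: 10,000 devices, 1,000,000 stored events, AD scanning on,
    # executable inventory on every endpoint, Windows updates distributed by the Server.
    plan = SizingInput(devices=10_000, events=1_000_000, ad_objects=20_000,
                       avg_executables=500, inventoried_devices=10_000,
                       wsus_enabled=True)
    for name, gb in sizing_report_gb(plan).items():
        print(f"{name:24s} {gb:>6} GB")
```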

Calculation of the number and configuration of Administration Servers


To reduce the load on the primary Administration Server, you can assign a separate Administration Server to each
administration group. The number of secondary Administration Servers cannot exceed 500 for a single primary
Administration Server.

We recommend that you create the configuration of Administration Servers in correspondence to the
configuration of your organization's network.

Recommendations for connecting dynamic virtual machines to Kaspersky Security Center
Dynamic virtual machines (also referred to as dynamic VMs) consume more resources than static virtual machines.

For more information on dynamic virtual machines, see Support of dynamic virtual machines.

When a new dynamic VM is connected, Kaspersky Security Center creates an icon for this dynamic VM in
Administration Console and moves the dynamic VM to the administration group. After that, the dynamic VM is
added to the Administration Server database. The Administration Server is fully synchronized with Network Agent
installed on this dynamic VM.

In an organization's network, Network Agent creates the following network lists for each dynamic VM:

Hardware

Installed software

Detected vulnerabilities

Events and lists of executable files of the Application control component

The Network Agent transfers these network lists to the Administration Server. The size of the network lists
depends on components installed on the dynamic VM, and may affect the performance of Kaspersky Security
Center and database management system (DBMS). Note that the load can grow non-linearly.

After the user finishes working with the dynamic VM and turns it off, this machine is then removed from the virtual
infrastructure and entries about this machine are removed from the Administration Server database.

All these actions consume a lot of Kaspersky Security Center and Administration Server database resources, and
can reduce the performance of Kaspersky Security Center and DBMS. We recommend that you connect up to
20,000 dynamic VMs to Kaspersky Security Center.

You can connect more than 20,000 dynamic VMs to Kaspersky Security Center if the connected dynamic VMs
perform standard operations (for example, database updates) and consume no more than 80 percent of memory
and 75–80 percent of available cores.

Changing policy settings, software or operating system on the dynamic VM can reduce or increase resource
consumption. The consumption of 80–95 percent of resources is considered optimal.

Calculations for distribution points and connection gateways


This section provides the hardware requirements for devices used as distribution points together with
recommendations for calculating the number of distribution points and connection gateways depending on the
configuration of the corporate network.

Requirements for a distribution point


To handle up to 10,000 client devices, a distribution point must meet, at a minimum, the following requirements (a
configuration for a test stand is provided):

CPU: Intel® Core™ i7-7700 CPU, 3.60 GHz 4 cores.

RAM: 8 GB.

Disk: SSD 120 GB.

If any remote installation tasks are pending on the Administration Server, the device with the distribution point will
also require an amount of free disk space that is equal to the total size of the installation packages to be installed.

If one or multiple instances of the task for update (patch) installation and vulnerability fix are pending on the
Administration Server, the device with the distribution point will also require additional free disk space, equal to
twice the total size of all patches to be installed.

Calculating the number and configuration of distribution points

The more client devices a network contains, the more distribution points it requires. We recommend that you not
disable automatic assignment of distribution points. When automatic assignment of distribution points is enabled,
Administration Server assigns distribution points if the number of client devices is quite large and defines their
configuration.

Using exclusively assigned distribution points

If you plan to use certain specific devices as distribution points (that is, exclusively assigned servers), you can opt
out of using automatic assignment of distribution points. In this case, make sure that the devices that you intend
to make distribution points have sufficient volume of free disk space, are not shut down regularly, and have Sleep
mode disabled.

Number of exclusively assigned distribution points on a network that contains a single network segment, based on the number of networked devices

Number of client devices in the network segment | Number of distribution points
Less than 300                                   | 0 (Do not assign distribution points)
More than 300                                   | Acceptable: (N/10,000 + 1), recommended: (N/5000 + 2), where N is the number of networked devices

Number of exclusively assigned distribution points on a network that contains multiple network segments, based on the number of networked devices

Number of client devices per network segment | Number of distribution points
Less than 10                                 | 0 (Do not assign distribution points)
10–100                                       | 1
More than 100                                | Acceptable: (N/10,000 + 1), recommended: (N/5000 + 2), where N is the number of networked devices

Using standard client devices (workstations) as distribution points

If you plan to use standard client devices (that is, workstations) as distribution points, we recommend that you
assign distribution points as shown in the tables below in order to avoid excessive load on the communication
channels and on Administration Server:

Number of workstations functioning as distribution points on a network that contains a single network segment, based on the number of networked devices

Number of client devices in the network segment | Number of distribution points
Less than 300                                   | 0 (Do not assign distribution points)
More than 300                                   | (N/300 + 1), where N is the number of networked devices; there must be at least 3 distribution points

Number of workstations functioning as distribution points on a network that contains multiple network segments, based on the number of networked devices

Number of client devices per network segment | Number of distribution points
Less than 10                                 | 0 (Do not assign distribution points)
10–30                                        | 1
31–300                                       | 2
More than 300                                | (N/300 + 1), where N is the number of networked devices; there must be at least 3 distribution points

If a distribution point is shut down (or not available for some other reason), the managed devices in its scope can
access the Administration Server for updates.
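As an added worked example (not part of the Kaspersky documentation), the following Python calculator applies the four distribution point tables above to a network given as a map of segment names to device counts, and adds the free disk space rule from the requirements paragraph. It assumes that a fractional result of the (N/… + …) formulas is rounded up, that N in the multi-segment tables means the devices in that segment, and that exactly 300 devices in a single segment falls under "More than 300"; none of these are stated by the tables.

```python
"""Distribution point sizing calculator for the four tables in this section.

Added example, not Kaspersky code. Assumptions (not stated by the tables):
  * a fractional (N/divisor + add) result is rounded up, since a fraction
    of a server cannot be deployed;
  * in the multi-segment tables N is the device count of that segment;
  * exactly 300 devices in a single segment falls under "More than 300".
"""
import math
from typing import Dict, Tuple, Union


def _formula(n: int, divisor: int, add: int) -> int:
    """Evaluate (N/divisor + add), rounding up (assumption, see above)."""
    return math.ceil(n / divisor) + add


def exclusive_dps(n: int, multi_segment: bool) -> Tuple[int, int]:
    """Exclusively assigned distribution points for one segment of n devices.

    Returns (acceptable, recommended) as in the tables: acceptable is
    (N/10,000 + 1) and recommended is (N/5000 + 2).
    """
    if multi_segment:
        if n < 10:
            return (0, 0)
        if n <= 100:
            return (1, 1)
    elif n < 300:
        return (0, 0)
    return (_formula(n, 10_000, 1), _formula(n, 5_000, 2))


def workstation_dps(n: int, multi_segment: bool) -> int:
    """Workstations acting as distribution points for one segment of n devices.

    Above the per-table thresholds the count is (N/300 + 1) with a floor of
    three distribution points.
    """
    if multi_segment:
        if n < 10:
            return 0
        if n <= 30:
            return 1
        if n <= 300:
            return 2
    elif n < 300:
        return 0
    return max(3, _formula(n, 300, 1))


def plan(segments: Dict[str, int], exclusive: bool = True) -> Dict[str, object]:
    """Size distribution points for a whole network.

    segments maps segment name -> number of client devices. One entry selects
    the single-segment tables, several entries the per-segment tables.
    """
    multi = len(segments) > 1
    per_segment: Dict[str, Union[int, Tuple[int, int]]] = {}
    for name, n in segments.items():
        per_segment[name] = (exclusive_dps(n, multi) if exclusive
                             else workstation_dps(n, multi))
    if exclusive:
        total: Union[int, Tuple[int, int]] = (
            sum(v[0] for v in per_segment.values()),
            sum(v[1] for v in per_segment.values()),
        )
    else:
        total = sum(per_segment.values())
    return {"per_segment": per_segment, "total": total}


def required_free_disk_mb(package_sizes_mb, patch_sizes_mb) -> int:
    """Extra free disk space a distribution point needs while remote
    installation and patch installation tasks are pending: the total size of
    the installation packages plus twice the total size of the patches."""
    return sum(package_sizes_mb) + 2 * sum(patch_sizes_mb)


if __name__ == "__main__":
    # Constructed sample network: three segments of differing size.
    network = {"HQ": 2000, "Branch": 20, "Lab": 5}
    print("exclusive servers:", plan(network, exclusive=True))
    print("workstations:     ", plan(network, exclusive=False))
    print("single segment, 12,000 devices:", plan({"campus": 12_000}))
    print("free disk (MB):", required_free_disk_mb([390, 75], [100, 50]))
```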

Calculation of the number of connection gateways
If you plan to use a connection gateway, we recommend that you designate a special device for this function.

A connection gateway can cover a maximum 10,000 managed devices, including mobile devices.

Logging of information about events for tasks and policies

This section provides calculations associated with event storage in the database of the Administration Server and
offers recommendations on how to minimize the number of events, thereby reducing the load on the
Administration Server.

By default, the properties of each task and policy provide for storing all events related to task execution and policy
enforcement.

However, if a task is run quite frequently (for example, more than once per week) and on a fairly large number of
devices (for example, more than 10,000), the number of events may turn out to be too large and the events may
flood the database. In this case, it is recommended to select one of two options in the task settings:

Save events related to task progress. In this case, the database receives only information about task launch,
progress, and completion (successful, with a warning or error) from each device on which the task is run.

Save only task execution results. In this case, the database receives only information about task completion
(successful, with a warning or error) from each device on which the task is run.

If a policy has been defined for a fairly large number of devices (for example, more than 10,000), the number of
events may also turn out to be large and the events may flood the database. In this case, it is recommended to
choose only the most critical events in the policy settings and enable their logging. You are advised to disable the
logging of all other events.

In doing so, you will reduce the number of events in the database, increase the speed of execution of scenarios
associated with analysis of the event table in the database, and lower the risk that critical events will be
overwritten by a large number of events.

You can also reduce the storage term for events associated with a task or a policy. The default period is 7 days for
task-related events and 30 days for policy-related events. When changing the event storage term, consider the
work procedures in place at your organization and the amount of time that the system administrator can devote to
analyzing each event.

It is advisable to modify the event storage settings in any of the following cases:

Events about changes in the intermediate states of group tasks and events about applying policies occupy a
large share of all events in the Kaspersky Security Center database.

The Kaspersky Event Log begins showing entries about automatic removal of events when the established limit
on the total number of events stored in the database is exceeded.

Choose event logging options based on the assumption that the optimal number of events coming from a single
device per day must not exceed 20. You can increase this limit slightly, if necessary, but only if the number of
devices on your network is relatively small (fewer than 10,000).

Specific considerations and optimal settings of certain tasks
Certain tasks are subject to specific considerations related to the number of networked devices. This section
offers recommendations on the optimal configuration of settings for such tasks.

Device discovery, the data backup task, database maintenance task, and group tasks for updating Kaspersky
Endpoint Security are part of the basic functionality of Kaspersky Security Center.

The inventory task is part of the Vulnerability and Patch Management feature and is unavailable if this feature is
not activated.

Device discovery frequency


It is not advisable to increase the default frequency of device discovery because this can create an excessive load
on domain controllers. Instead, it is recommended to schedule polling at the minimum possible frequency
permitted by the needs of your organization. Recommendations for calculating the optimal schedule are provided
in the table below.

Device discovery schedule

Number of networked devices | Recommended device discovery frequency
Less than 10,000            | Default frequency or less
10,000 or greater           | Once per day or less

Administration Server data backup task and database maintenance task


The Administration Server stops working when the following tasks are running:

Backup of Administration Server data

Database maintenance

When these tasks are running, the database cannot receive any data.

You may have to reschedule these tasks so that they are not executed at the same time as other Administration
Server tasks.

Group tasks for updating Kaspersky Endpoint Security


If the Administration Server acts as the update source, the recommended schedule option for group update tasks
of Kaspersky Endpoint Security 10 and later versions is When new updates are downloaded to the repository
with the Use automatically randomized delay for task starts check box selected.

If a local task for downloading updates from Kaspersky servers to the repository is created on each distribution
point, periodic scheduling is recommended for the Kaspersky Endpoint Security group update task. The value of
the randomization period must be one hour in this case.

Software inventory task

You can reduce load on the database while obtaining information about the installed applications. To do this,
we recommend that you run an inventory task on reference devices on which a standard set of software is
installed.

The number of executable files received by the Administration Server from a single device cannot exceed 150,000.
When Kaspersky Security Center reaches this limit, it cannot receive any new files.

Typically, the number of files on a common client device does not exceed 60,000. The number of executable files
on a file server can be greater and may even exceed the 150,000 threshold.

Test measurements have shown that the inventory task has the following results on a device running the Windows
7 operating system with Kaspersky Endpoint Security 11 installed and no third-party applications installed:

With the DLL modules inventory and Script files inventory check boxes cleared: approximately 3000 files.

With the DLL modules inventory and Script files inventory check boxes selected: from 10,000 to 20,000 files
depending on the number of operating system service packs installed.

With only the Script files inventory check box selected: approximately 10,000 files.

Details of network load spread among Administration Server and protected devices

This section provides the results of test measurements of network traffic with a description of the conditions
under which the measurements were performed. You can refer to this information when planning the network
infrastructure and the throughput capacity of network channels within your organization (or between the
Administration Server and another organization with devices to protect). Knowing the throughput capacity of the
network, you can also estimate approximately how much time different data transmission operations will take.

Traffic consumption under various scenarios

The table below shows the results of traffic measurements between the Administration Server and
a managed device in different scenarios.

By default, devices are synchronized with the Administration Server every 15 minutes or at a longer interval.
However, if you modify the settings of a policy or a task on the Administration Server, early synchronization occurs
on devices to which the policy (or task) is applicable so the new settings are transmitted to the devices.

Traffic rate between the Administration Server and managed device

Scenario | Traffic from the Administration Server to each managed device | Traffic from each managed device to the Administration Server
Installing Kaspersky Endpoint Security 11.7 for Windows with updated databases | 390 MB | 3.3 MB
Network Agent installation | 75 MB | 397 KB
Concurrent installation of Network Agent and Kaspersky Endpoint Security 11.7 for Windows | 459 MB | 3.6 MB
Initial update of anti-virus databases without updating the databases in the package (if participation in Kaspersky Security Network is disabled) | 113 MB | 1.8 MB
Daily update of anti-virus databases (if participation in Kaspersky Security Network is enabled) | 22 MB | 373 MB
Initial synchronization before update of databases on a device (transfer of policies and tasks) | 382 KB | 446 KB
Initial synchronization after updating databases on a device | 20 KB | 157 KB
Synchronization with no changes on the Administration Server (according to schedule) | 18 KB | 23 KB
Synchronization when a single setting in a group policy is changed (as soon as the setting is altered) | 19 KB | 20 KB
Synchronization when a single setting in a group task is changed (as soon as the setting is altered) | 14 KB | 11 KB
Forced synchronization | 110 KB | 109 KB
Virus detected event (1 virus) | 44 KB | 50 KB
Virus detected event (10 viruses) | 58 KB | 77 KB
One-time traffic after enabling the Application Registry list | up to 10 KB | up to 12 KB
Everyday traffic when the Application Registry list is enabled | up to 840 KB | up to 1 MB

Average traffic usage per 24 hours

The average 24-hour traffic usage between the Administration Server and a managed device is as follows:

Traffic from the Administration Server to the managed device is 840 KB.

Traffic from the managed device to the Administration Server is 1 MB.

The traffic was measured under the following conditions:

The managed device had Network Agent and Kaspersky Endpoint Security for Linux installed.

The device was not assigned a distribution point.

Vulnerability and patch management was not enabled.

The frequency of synchronization with the Administration Server was 15 minutes.

Contact Technical Support
This section describes how to get technical support and the terms on which it is available.

How to get technical support


If you can't find a solution to your issue in the Kaspersky Security Center documentation or in any of the sources
of information about Kaspersky Security Center, contact Kaspersky Technical Support. Technical Support
specialists will answer all your questions about installing and using Kaspersky Security Center.

Kaspersky provides support of Kaspersky Security Center during its lifecycle (see the product support
lifecycle page). Before contacting Technical Support, please read the support rules.

You can contact Technical Support in one of the following ways:

By visiting the Technical Support website

By sending a request to Technical Support from the Kaspersky CompanyAccount portal

Technical support via Kaspersky CompanyAccount


Kaspersky CompanyAccount is a portal for companies that use Kaspersky applications. The Kaspersky
CompanyAccount portal is designed to facilitate interaction between users and Kaspersky specialists through
online requests. You can use Kaspersky CompanyAccount to track the status of your online requests and store a
history of them as well.

You can register all of your organization's employees under a single account on Kaspersky CompanyAccount. A
single account lets you centrally manage electronic requests from registered employees to Kaspersky and also
manage the privileges of these employees via Kaspersky CompanyAccount.

The Kaspersky CompanyAccount portal is available in the following languages:

English

Spanish

Italian

German

Polish

Portuguese

Russian

French

Japanese

To learn more about Kaspersky CompanyAccount, visit the Technical Support website.

Sources of information about the application

Kaspersky Security Center page on the Kaspersky website

On the Kaspersky Security Center page on the Kaspersky website, you can view general information about the
application, its functions, and features.

Kaspersky Security Center page in the Knowledge Base

The Knowledge Base is a section on the Kaspersky Technical Support website.

On the Kaspersky Security Center page in the Knowledge Base, you can read articles that provide useful
information, recommendations, and answers to frequently asked questions on how to buy, install, and use the
application.

Articles in the Knowledge Base may provide answers to questions that relate both to Kaspersky Security Center as
well as to other Kaspersky applications. Articles in the Knowledge Base may also contain Technical Support news.

Discuss Kaspersky applications with the community

If your question does not require an immediate answer, you can discuss it with Kaspersky experts and other users
on our Forum.

On the Forum, you can view discussion topics, post your comments, and create new discussion topics.

An internet connection is required to access website resources.

If you cannot find a solution to your problem, contact Technical Support.

Glossary

Active key
A key that is currently used by the application.

Additional subscription key
A key that certifies the right to use the application but is not currently being used.

Administration Console
A component of Windows-based Kaspersky Security Center (also called MMC-based Administration Console).
This component provides a user interface for the administrative services of Administration Server and Network
Agent.

Administration group
A set of devices grouped by function and by installed Kaspersky applications. Devices are grouped as a single
entity for the convenience of management. A group can include other groups. Group policies and group tasks can
be created for each installed application in the group.

Administration Server
A component of Kaspersky Security Center that centrally stores information about all Kaspersky applications that
are installed on the corporate network. It can also be used to manage these applications.

Administration Server certificate
The certificate that the Administration Server uses for the following purposes:

Authentication of Administration Server when connecting to MMC-based Administration Console or Kaspersky
Security Center Web Console

Secure interaction between Administration Server and Network Agents on managed devices

Authentication of Administration Servers when connecting a primary Administration Server to a secondary
Administration Server

The certificate is created automatically when you install the Administration Server, and then stored on the
Administration Server.

Administration Server client (Client device)
A device, server, or workstation on which Network Agent is installed and managed Kaspersky applications are
running.

Administration Server data backup
Copying of the Administration Server data for backup and subsequent restoration performed by using the backup
utility. The utility can save:

Database of the Administration Server (policies, tasks, application settings, events saved on the Administration
Server)

Configuration information about the structure of administration groups and client devices

Repository of the installation files for remote installation of applications (content of the folders: Packages,
Uninstall Updates)

Administration Server certificate

Administrator rights
The level of the user's rights and privileges required for administration of Exchange objects within an Exchange
organization.

Administrator's workstation
A device where Administration Console is installed or that you use to open Kaspersky Security Center Web
Console. This component provides a Kaspersky Security Center management interface.

The administrator's workstation is used to configure and manage the server side of Kaspersky Security Center.
Using the administrator's workstation, the administrator builds and manages a centralized anti-virus protection
system for a corporate LAN based on Kaspersky applications.

Amazon EC2 instance
A virtual machine created based on an AMI image using Amazon Web Services.

Amazon Machine Image (AMI)
The template containing the software configuration necessary for running the virtual machine. Multiple instances
can be created based on a single AMI.

Anti-virus databases
Databases that contain information about computer security threats known to Kaspersky as of when the anti-
virus databases are released. Entries in anti-virus databases allow malicious code to be detected in scanned
objects. Anti-virus databases are created by Kaspersky specialists and updated hourly.

Anti-virus protection service provider
An organization that provides a client organization with anti-virus protection services based on Kaspersky
solutions.

Application Shop
Component of Kaspersky Security Center. Application Shop is used for installing applications on Android devices
owned by users. Application Shop allows you to publish the APK files of applications and links to applications in
Google Play.

Authentication Agent
Interface that lets you complete authentication to access encrypted hard drives and load the operating system
after the bootable hard drive has been encrypted.

Available update
A set of updates for Kaspersky application modules, including critical updates accumulated over a certain period
of time and changes to the application's architecture.

AWS Application Program Interface (AWS API)
The application programming interface of the AWS platform that is used by Kaspersky Security Center.
Specifically, AWS API tools are used for cloud segment polling and installing Network Agent on instances.

AWS IAM access key
A combination consisting of the key ID (which looks like "AKIAIOSFODNN7EXAMPLE") and secret key (which looks
like "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY"). This pair belongs to the IAM user and is used to obtain
access to AWS services.

AWS Management Console
The web interface for viewing and managing AWS resources. AWS Management Console is available on the web at
https://aws.amazon.com/console/.

Backup folder
Special folder for storage of Administration Server data copies created using the backup utility.

Broadcast domain
A logical area of a network in which all nodes can exchange data using a broadcasting channel at the level of OSI
(Open Systems Interconnection Basic Reference Model).

Centralized application management
Remote application management using the administration services provided in Kaspersky Security Center.

Client administrator
A staff member of a client organization who is responsible for monitoring the anti-virus protection status.

Cloud environment
Virtual machines and other virtual resources that are based on a cloud platform and are combined into networks.

Configuration profile
Policy that contains a collection of settings and restrictions for an iOS MDM mobile device.

Connection gateway
A connection gateway is a Network Agent acting in a special mode. A connection gateway accepts connections
from other Network Agents and tunnels them to the Administration Server through its own connection with the
Server. Unlike an ordinary Network Agent, a connection gateway waits for connections from the Administration
Server rather than establishes connections to the Administration Server.

Demilitarized zone (DMZ)
Demilitarized zone is a segment of a local network that contains servers, which respond to requests from the
global Web. In order to ensure the security of an organization's local network, access to the LAN from the
demilitarized zone is protected with a firewall.

Device owner
Device owner is a user whom the administrator can contact when the need arises to perform certain operations on
a device.

Direct application management
Application management through a local interface.

Distribution point
Computer that has Network Agent installed and is used for update distribution, remote installation of applications,
getting information about computers in an administration group and/or broadcasting domain. Distribution points
are designed to reduce the load on the Administration Server during update distribution and to optimize network
traffic. Distribution points can be assigned automatically, by the Administration Server, or manually, by the
administrator. Distribution point was previously known as update agent.

EAS device
A mobile device connected to Administration Server through the Exchange ActiveSync protocol. Devices with the
iOS, Android, and Windows Phone® operating systems can be connected and managed by using the Exchange
ActiveSync protocol.

Event repository
A part of the Administration Server database dedicated to storage of information about events that occur in
Kaspersky Security Center.

Event severity
Property of an event encountered during the operation of a Kaspersky application. There are the following severity
levels:

Critical event

Functional failure

Warning

Info

Events of the same type can have different severity levels depending on the situation in which the event occurred.

Exchange Mobile Device Server
A component of Kaspersky Security Center that allows you to connect Exchange ActiveSync mobile devices to
the Administration Server.

Forced installation
Method for remote installation of Kaspersky applications that allows you to install software on specific client
devices. For successful forced installation, the account used for the task must have sufficient rights to start
applications remotely on client devices. This method is recommended for installing applications on devices that are
running Microsoft Windows operating systems and that support this functionality.

Group task
A task de ned for an administration group and performed on all client devices included in that administration
group.

Home Administration Server
Home Administration Server is the Administration Server that was specified during Network Agent installation. The
home Administration Server can be used in settings of Network Agent connection profiles.

HTTPS
Secure protocol for data transfer, using encryption, between a browser and a web server. HTTPS is used to gain
access to restricted information, such as corporate or financial data.

IAM role
Set of rights for making requests to AWS-based services. IAM roles are not linked to a specific user or group; they
provide access rights without AWS IAM access keys. You can assign an IAM role to IAM users, EC2 instances, and
AWS-based applications or services.

IAM user
The user of AWS services. An IAM user may have the rights to perform cloud segment polling.

Identity and Access Management (IAM)
The AWS service that enables management of user access to other AWS services and resources.

Incompatible application
An anti-virus application from a third-party developer or a Kaspersky application that does not support
management through Kaspersky Security Center.

Installation package
A set of files created for remote installation of a Kaspersky application by using the Kaspersky Security Center
remote administration system. The installation package contains a range of settings needed to install the
application and get it running immediately after installation. Settings correspond to application defaults. The
installation package is created using files with the .kpd and .kud extensions included in the application distribution
kit.

Internal users
The accounts of internal users are used to work with virtual Administration Servers. Kaspersky Security Center
grants the rights of real users to internal users of the application.

The accounts of internal users are created and used only within Kaspersky Security Center. No data on internal
users is transferred to the operating system. Kaspersky Security Center authenticates internal users.

iOS MDM device
A mobile device that is connected to the iOS MDM Server by using the iOS MDM protocol. Devices running the iOS
operating system can be connected and managed by means of the iOS MDM protocol.

iOS MDM profile
Collection of settings for connecting iOS mobile devices to Administration Server. The user installs an iOS MDM
profile to a mobile device, after which this mobile device connects to Administration Server.

iOS MDM Server
A component of Kaspersky Security Center that is installed on a client device, allowing connection of iOS mobile
devices to the Administration Server and management of iOS mobile devices through Apple Push Notifications
(APNs).

JavaScript
A programming language that expands the performance of web pages. Web pages created using JavaScript can
perform functions (for example, change the view of interface elements or open additional windows) without
refreshing the web page with new data from a web server. To view pages created by using JavaScript, enable
JavaScript support in the configuration of your browser.

Kaspersky Private Security Network (KPSN)

Kaspersky Private Security Network is a solution that gives users of devices with Kaspersky applications installed
access to reputation databases of Kaspersky Security Network and other statistical data—without sending data
from their devices to Kaspersky Security Network. Kaspersky Private Security Network is designed for corporate
customers who are unable to participate in Kaspersky Security Network for any of the following reasons:

Devices are not connected to the internet.

Transmission of any data outside the country or the corporate LAN is prohibited by law or corporate security
policies.

Kaspersky Security Center Administrator
The person managing application operations through the Kaspersky Security Center remote centralized
administration system.

Kaspersky Security Center Operator
A user who monitors the status and operation of a protection system managed with Kaspersky Security Center.

Kaspersky Security Center System Health Validator (SHV)
A component of Kaspersky Security Center designed for checking the operating system's operability in case of
concurrent operation of Kaspersky Security Center and Microsoft NAP.

Kaspersky Security Center Web Server
A component of Kaspersky Security Center that is installed together with Administration Server. Web Server is
designed for transmission, over a network, of stand-alone installation packages, iOS MDM profiles, and files from a
shared folder.

Kaspersky Security Network (KSN)
An infrastructure of cloud services that provides access to the Kaspersky database with constantly updated
information about the reputation of files, web resources, and software. Kaspersky Security Network ensures faster
responses by Kaspersky applications to threats, improves the performance of some protection components, and
reduces the likelihood of false positives.

Kaspersky update servers
HTTP(S) servers at Kaspersky from which Kaspersky applications download database and application module
updates.

KES device
A mobile device that is connected to Kaspersky Security Center Administration Server and managed through the
Kaspersky Endpoint Security for Android app.

Key file
A file in xxxxxxxx.key format that makes it possible to use a Kaspersky application under a trial or commercial
license.

License term
A time period during which you have access to the application features and rights to use additional services. The
services you can use depend on the type of the license.

Licensed applications group
A group of applications created on the basis of criteria set by the administrator (for example, by vendor), for which
statistics of installations on client devices are maintained.

Local installation
Installation of a security application on a device on a corporate network that presumes manual installation startup
from the distribution package of the security application or manual startup of a published installation package that
was pre-downloaded to the device.

Local task
A task defined and running on a single client computer.

Managed devices
Corporate networked devices that are included in an administration group.

Management plug-in
A specialized component that provides the interface for application management through Administration Console.
Each application has its own plug-in. It is included in all Kaspersky applications that can be managed by using
Kaspersky Security Center.

Manual installation
Installation of a security application on a device in the corporate network from the distribution package. Manual
installation requires the involvement of an administrator or another IT specialist. Usually manual installation is done
if remote installation has completed with an error.

MITM attack
Man in The Middle. An attack on the IT infrastructure of an organization in which a hacker hijacks the
communication link between two access points, relays it, and modifies the connection between these access
points if necessary.

Mobile Device Server
A component of Kaspersky Security Center that provides access to mobile devices and allows you to manage
them through Administration Console.

Network Agent
A Kaspersky Security Center component that enables interaction between the Administration Server and
Kaspersky applications that are installed on a specific network node (workstation or server). This component is
common to all of the company's applications for Microsoft® Windows®. Separate versions of Network Agent exist
for Kaspersky applications developed for Unix-like OS and macOS.

Network anti-virus protection


A set of technical and organizational measures that lower the risk of allowing viruses and spam to penetrate the
network of an organization, and that prevent network attacks, phishing, and other threats. Network security
increases when you use security applications and services and when you apply and adhere to the corporate data
security policy.

Network protection status


Current protection status, which defines the safety of corporate networked devices. The network protection
status includes such factors as installed security applications, usage of license keys, and number and types of
threats detected.

Patch importance level
Attribute of the patch. There are five importance levels for Microsoft patches and third-party patches:

Critical

High

Medium

Low

Unknown

The importance level of a third-party patch or Microsoft patch is determined by the least favorable severity level
among the vulnerabilities that the patches should fix.

Policy
A policy determines an application's settings and manages the ability to configure that application on computers
within an administration group. An individual policy must be created for each application. You can create multiple
policies for applications installed on computers in each administration group, but only one policy can be applied at
a time to each application within an administration group.

Profile
Collection of settings of Exchange mobile devices that define their behavior when connected to a Microsoft
Exchange Server.

Program settings
Application settings that are common to all types of tasks and govern the overall operation of the application,
such as application performance settings, report settings, and backup settings.

Protection status
Current protection status, which reflects the level of computer security.

Provisioning profile
Collection of settings for applications' operation on iOS mobile devices. A provisioning profile contains information
about the license; it is linked to a specific application.

Remote installation
Installation of Kaspersky applications by using the services provided by Kaspersky Security Center.

Restoration
Relocation of the original object from Quarantine or Backup to its original folder where the object had been stored
before it was quarantined, disinfected or deleted, or to a user-defined folder.

Restoration of Administration Server data


Restoration of Administration Server data from the information saved in Backup by using the backup utility. The
utility can restore:

Database of the Administration Server (policies, tasks, application settings, events saved on the Administration
Server)

Configuration information about the structure of administration groups and client computers

Repository of the installation files for remote installation of applications (content of the folders: Packages,
Uninstall Updates)

Administration Server certificate

Role group
A group of users of Exchange ActiveSync mobile devices who have been granted identical administrator rights.

Service provider's administrator


A staff member at an anti-virus protection service provider. This administrator performs installation and
maintenance jobs for anti-virus protection systems based on Kaspersky anti-virus products and also provides
technical support to customers.

Shared certi cate


A certificate intended for identifying the user's mobile device.

SSL
A data encryption protocol used on the internet and local networks. The Secure Sockets Layer (SSL) protocol is
used in web applications to create a secure connection between a client and server.
Task
Functions performed by the Kaspersky application are implemented as tasks, such as: Real-time file protection, Full
computer scan, and Database update.

Task for specific devices


A task assigned to a set of client devices from arbitrary administration groups and performed on those devices.

Task settings
Application settings that are specific for each task type.

UEFI protection device


Device with Kaspersky Anti-Virus for UEFI integrated at the BIOS level. Integrated protection ensures device
security from the moment the system starts, while protection on devices without integrated software begins
functioning only after the security application starts.

Update
The procedure of replacing or adding new files (databases or application modules) retrieved from the Kaspersky
update servers.

Virtual Administration Server


A component of Kaspersky Security Center, designed for management of the protection system of a client
organization's network.

Virtual Administration Server is a particular case of a secondary Administration Server and has the following
restrictions as compared with a physical Administration Server:

Virtual Administration Server can be created only on a primary Administration Server.

Virtual Administration Server uses the primary Administration Server database in its operation. Data backup
and restoration tasks, as well as update scan and download tasks, are not supported on a virtual Administration
Server.

Virtual Server does not support creation of secondary Administration Servers (including virtual Servers).

Virus activity threshold

Maximum allowed number of events of the specified type within a limited time; when this number is exceeded, it is
interpreted as increased virus activity and as a threat of a virus outbreak. This feature is important during periods
of virus outbreaks because it enables administrators to respond in a timely manner to virus attack threats.

Virus outbreak
A series of deliberate attempts to infect a device with a virus.

Vulnerability
A flaw in an operating system or an application that may be exploited by malware makers to penetrate the
operating system or application, and corrupt its integrity. The presence of a large number of vulnerabilities in an
operating system makes it unreliable, because viruses that penetrate the operating system may cause disruptions
in the operating system itself and in installed applications.

Windows Server Update Services (WSUS)


An application used for distribution of updates for Microsoft applications on users' computers in an organization's
network.

Information about third-party code
Information about third-party code is contained in the file legal_notices.txt, in the application installation folder.

Trademark notices
Registered trademarks and service marks are the property of their respective owners.

Adobe, Acrobat, Flash, Shockwave and PostScript are either registered trademarks or trademarks of Adobe in the
United States and/or other countries.

AMD, AMD64 are trademarks or registered trademarks of Advanced Micro Devices, Inc.

Amazon, Amazon Web Services, AWS, Amazon EC2, AWS Marketplace are trademarks of Amazon.com, Inc. or its
affiliates.

Apache and the Apache feather logo are trademarks of The Apache Software Foundation.

Apple, AirPlay, AirDrop, AirPrint, App Store, Apple Configurator, AppleScript, FaceTime, FileVault, iBook, iBooks,
iCloud, iPad, iPhone, iTunes, Leopard, macOS, Mac, Mac OS, OS X, Safari, Snow Leopard, Tiger, QuickTime, and
Touch ID are trademarks of Apple Inc.

Arm is a registered trademark of Arm Limited (or its subsidiaries) in the US and/or elsewhere.

The Bluetooth word, mark and logos are owned by Bluetooth SIG, Inc.

Ubuntu, LTS are registered trademarks of Canonical Ltd.

Cisco Systems, Cisco, Cisco Jabber, IOS are registered trademarks or trademarks of Cisco Systems, Inc. and/or its
affiliates in the United States and certain other countries.

Citrix, XenServer are trademarks of Citrix Systems, Inc. and/or one or more of its subsidiaries, and may be
registered in the United States Patent and Trademark Office and in other countries.

Corel is a trademark or registered trademark of Corel Corporation and/or its subsidiaries in Canada, the United
States and/or other countries.

Cloudflare, the Cloudflare logo, and Cloudflare Workers are trademarks and/or registered trademarks of
Cloudflare, Inc. in the United States and other jurisdictions.

Dropbox is a trademark of Dropbox, Inc.

Radmin is a registered trademark of Famatech.

Firebird is a registered trademark of the Firebird Foundation.

Foxit is a registered trademark of Foxit Corporation.

FreeBSD is a registered trademark of The FreeBSD Foundation.

Google, Android, Chrome, Chromium, Dalvik, Firebase, Google Chrome, Google Earth, Google Play, Google Maps,
Hangouts, Google Public DNS, and YouTube are trademarks of Google LLC.

EulerOS, FusionCompute, FusionSphere are trademarks of Huawei Technologies Co., Ltd.

Intel, Core, Xeon are trademarks of Intel Corporation in the U.S. and/or other countries.

IBM, QRadar are trademarks of International Business Machines Corporation, registered in many jurisdictions
worldwide.

Node.js is a trademark of Joyent, Inc.

Linux is the registered trademark of Linus Torvalds in the U.S. and other countries.

Logitech is either a registered trademark or trademark of Logitech in the United States and/or other countries.

Microsoft, Active Directory, ActiveSync, BitLocker, Excel, Forefront, Internet Explorer, InfoPath, Hyper-V, Microsoft
Edge, MultiPoint, MS-DOS, Office 365, PowerShell, PowerPoint, SharePoint, SQL Server, OneNote, Outlook, Skype,
Tahoma, Visio, Win32, Windows, Windows PowerShell, Windows Media, Windows Mobile, Windows Server, Windows
Phone, Windows Vista, and Windows Azure are trademarks of the Microsoft group of companies.

CVE is a registered trademark of The MITRE Corporation.

Mozilla, Firefox, Thunderbird are trademarks of the Mozilla Foundation in the U.S. and other countries.

Novell is a registered trademark of Novell Enterprises Inc. in the United States and other countries.

NetWare is a registered trademark of Novell Inc. in the United States and other countries.

Oracle, Java, JavaScript, and TouchDown are registered trademarks of Oracle and/or its affiliates.

Parallels, the Parallels logo, and Coherence are trademarks or registered trademarks of Parallels International
GmbH.

Chef is a trademark or registered trademark of Progress Software Corporation and/or one of its subsidiaries or
affiliates in the U.S. and/or other countries.

Puppet is a trademark or registered trademark of Puppet, Inc.

Python is a trademark or registered trademark of the Python Software Foundation.

Red Hat, Fedora, and Red Hat Enterprise Linux are trademarks or registered trademarks of Red Hat, Inc. or its
subsidiaries in the United States and other countries.

Ansible is a registered trademark of Red Hat, Inc. in the United States and other countries.

CentOS is a trademark or registered trademark of Red Hat, Inc. or its subsidiaries in the United States and other
countries.

BlackBerry is owned by Research In Motion Limited and is registered in the United States and may be pending or
registered in other countries.

SAMSUNG is a trademark of SAMSUNG in the United States or other countries.

Debian is a registered trademark of Software in the Public Interest, Inc.

Splunk, SPL are trademarks and registered trademarks of Splunk Inc. in the United States and other countries.

SUSE is a registered trademark of SUSE LLC in the United States and other countries.

Symbian trademark is owned by the Symbian Foundation Ltd.

OpenAPI is a trademark of The Linux Foundation.

VMware, VMware vSphere, VMware Workstation are registered trademarks or trademarks of VMware, Inc. in the
United States and/or other jurisdictions.

UNIX is a registered trademark in the United States and other countries, licensed exclusively through X/Open
Company Limited.

Zabbix is a registered trademark of Zabbix SIA.

Known issues
Kaspersky Security Center Web Console has a number of limitations that are not critical to operation of the
application:

If a list contains more than 20 items (in this case, the items are displayed on several pages) and you select the
Select all check box, Web Console selects only those items that are displayed on the current page.

In the Add secondary Administration Server wizard, if you specify an account with enabled two-step
verification for authentication on the future secondary Server, the wizard finishes with an error. To resolve this
issue, specify an account for which two-step verification is disabled or create the hierarchy from the future
secondary Server.

While signing in to Kaspersky Security Center Web Console, if you use domain authentication and specify a
virtual Administration Server to connect to, then you sign out, and then try to sign in to the primary
Administration Server, Kaspersky Security Center Web Console connects to the virtual Administration Server.
To connect to the primary Administration Server, reopen the browser.

If you specify proxy server settings in the Administration Server properties, and then enable the Do not use
proxy server option in the Download updates to the Administration Server repository task, this option is
ignored and the connection is established through the proxy server.

If you open Kaspersky Security Center Web Console in different browsers and download the Administration
Server certificate file in the Administration Server properties window, the downloaded files have different
names.

An error occurs when you try to restore an object from the BACKUP repository (OPERATIONS →
REPOSITORIES → BACKUP) or send the object to Kaspersky.

A managed device that has more than one network adapter sends Administration Server information about the
MAC address of the network adapter that is not the one that is used to connect to Administration Server.

The settings locked in a parent policy of Kaspersky Endpoint Security for Linux are inherited, but not locked in
the child policies.

After upgrade to Kaspersky Security Center 14, if you switch from a primary Administration Server to a
secondary one, then back to the primary one, and then try to switch back to the secondary one, Kaspersky
Security Center Web Console cannot open the secondary Server. This issue is only reproduced if the web
plug-in for Kaspersky Endpoint Security for Windows version 11.9 is installed.

In the MMC-based Administration Console, when you create a policy for Kaspersky Industrial CyberSecurity for
Linux Nodes 1.0, Kaspersky Security Center displays an error message about a diagnostic dump creation.
Nevertheless, the policy is created successfully.

An application category that you added to the Application control feature in the Kaspersky Endpoint Security
for Linux policy can be deleted.

In a pie chart widget on the dashboard, text color is not changed to light after switching the console theme to
dark.

An incorrect status of a local task may be displayed in the task list in the device properties.

When adding more than 200 exclusions to an Adaptive Anomaly Control rule, an error message is displayed
instead of a warning message.

In the Application categories section, if the Used in policies column is shown, it cannot be hidden.

In the settings of the Change Administration Server task, some options are misplaced.

In the Network Agent policy, the Connection schedule section has an incorrect heading.

The Quick/Full Windows network polling returns an empty result.

If you use the sysprep.exe utility for capturing the operating system image and adding the necessary settings,
the captured operating system is then deployed without these settings.

If you install Kaspersky Security Center Web Console with Identity and Access Manager, and then change the
Administration Server for Kaspersky Security Center Web Console, Identity and Access Manager does not get
the information about the new Administration Server.

The Restore and Send to Kaspersky buttons in the OPERATIONS → REPOSITORIES → BACKUP section do
not work.

In the Certificates section of the Administration Server properties window, when adding a certificate, for
example, a Web Server certificate, the Close button ("X") obscures the Certificate type field, and an
unnecessary Show button is displayed.

Reloading the Administration Server service on a secondary Administration Server causes disconnection
between Kaspersky Security Center Web Console and the primary Administration Server.

Error messages of suspected Zip Slip and Zip Bomb attacks are displayed in English only.

The properties window of a role cannot be opened from the list of roles assigned to the user.

Notifications cannot be sorted by date.

In the properties of Microsoft updates, in the Devices section, searching by "Installation status" and "IP address"
is unavailable.

Deployment of Windows 10 version 2004 through Preboot Execution Environment (PXE) is not supported.

Old filters in the event selections are not replaced by new filters; to avoid this, you can manually delete old
filters.
