Kaspersky Security for Windows

Server

© 2021 AO Kaspersky Lab

1
Contents
About Kaspersky Security for Windows Server
What's new
Sources of information about Kaspersky Security for Windows Server
Sources for independent retrieval of information
Discussing Kaspersky applications in the community
Kaspersky Security for Windows Server
Distribution kit
Hardware and software requirements
Requirements for the server on which Kaspersky Security for Windows Server is deployed
Requirements for protected network attached storage
Requirements for the device on which the Application Console is installed
Functional requirements and limitations
Installation and uninstallation
Kaspersky Security Center management tools comparison and limitations
Tra ic Security
File Integrity Monitor
Firewall Management
Other limitations
Kaspersky Endpoint Agent
Installing and removing the application
Kaspersky Security for Windows Server software component codes for the Windows Installer service
Kaspersky Security for Windows Server software components
"Administration tools" software component
System changes after Kaspersky Security for Windows Server installation
Kaspersky Security for Windows Server processes
Installation and uninstallation settings and command line options for the Windows Installer service
Kaspersky Security for Windows Server install and uninstall logs
Installation planning
Selecting administration tools
Selecting the installation type
Installing and uninstalling the application using a wizard
Installing using the Setup Wizard
Kaspersky Security for Windows Server installation
Kaspersky Security for Windows Server Console installation
Kaspersky Security Microsoft Outlook Add-in installation
Advanced settings after installation of the Application Console on another device
Allowing anonymous remote access to COM applications
Allowing network connections for the Kaspersky Security for Windows Server remote management process
Adding outbound rule for Windows Firewall
Actions to perform after Kaspersky Security for Windows Server installation
Starting and con guring Kaspersky Security for Windows Server Database Update task
Critical Areas Scan
Modifying the set of components and repairing Kaspersky Security for Windows Server
Uninstalling using the Setup Wizard
Kaspersky Security for Windows Server uninstallation
Kaspersky Security for Windows Server Console uninstallation
2
 Kaspersky Security Microsoft Outlook Add-in uninstallation
Installing and uninstalling the application from the command line
About installing and uninstalling Kaspersky Security for Windows Server from command line
Example commands for installing Kaspersky Security for Windows Server
Actions to perform after Kaspersky Security for Windows Server installation
Adding / removing components. Sample commands
Kaspersky Security for Windows Server uninstallation. Sample commands
Return codes
Installing and uninstalling the application using Kaspersky Security Center
General information about installing via Kaspersky Security Center
Rights to install or uninstall Kaspersky Security for Windows Server
Installing Kaspersky Security for Windows Server via Kaspersky Security Center
Actions to perform after Kaspersky Security for Windows Server installation
Installing the Application Console via Kaspersky Security Center
Uninstalling Kaspersky Security for Windows Server via Kaspersky Security Center
Installing and uninstalling via Active Directory group policies
Installing Kaspersky Security for Windows Server via Active Directory group policies
Actions to perform after Kaspersky Security for Windows Server installation
Uninstalling Kaspersky Security for Windows Server via Active Directory group policies
Checking Kaspersky Security for Windows Server functions. Using the EICAR test virus
About the EICAR test virus
Checking the Real-Time File Protection and On-Demand Scan features
Application interface
Application licensing
About the End User License Agreement
About the license
About license certi cate
About the key
About the key le
About activation code
About subscription
About data provision
About activating the application through Cloud Console
Activating the application with a key le
Activating the application with an activation code
Viewing information about the current license
Functional limitations when the license expires
Renewing the license
Deleting the key
Working with the Administration Plug-in
Managing Kaspersky Security for Windows Server from Kaspersky Security Center
Managing application settings
Navigation
Opening the general settings via the policy
Opening the general settings in the application properties window
Con guring general application settings in Kaspersky Security Center
Con guring scalability and the interface in Kaspersky Security Center
Con guring security settings in Kaspersky Security Center

3
 Con guring connection settings using Kaspersky Security Center
Con guring scheduled start of local system tasks
Con guring Quarantine and Backup settings in Kaspersky Security Center
Creating and con guring policies
Creating a policy
Kaspersky Security for Windows Server policy settings sections
Con guring a policy
Creating and con guring tasks using Kaspersky Security Center
About task creation in Kaspersky Security Center
Creating a task using Kaspersky Security Center
Con guring local tasks in the Application settings window of the Kaspersky Security Center
Con guring group tasks in Kaspersky Security Center
Activation of the Application task
Update tasks
Application Integrity Control
Con guring crash diagnostics settings in Kaspersky Security Center
Managing task schedules
Con guring the task start schedule settings
Enabling and disabling scheduled tasks
Reports in Kaspersky Security Center
Working with the Kaspersky Security for Windows Server Console
About the Kaspersky Security for Windows Server Console
Kaspersky Security for Windows Server Console interface
Kaspersky Security for Windows Server Console window
System Tray Icon in the noti cation area
Managing Kaspersky Security for Windows Server via the Application Console on another device
Con guring general application settings via the Application Console
Managing Kaspersky Security for Windows Server tasks
Kaspersky Security for Windows Server task categories
Starting / pausing / resuming / stopping tasks manually
Managing task schedules
Con guring the task start schedule settings
Enabling and disabling scheduled tasks
Using user accounts to start tasks
About using accounts to start tasks
Specifying a user account to start a task
Importing and exporting settings
About importing and exporting settings
Exporting settings
Importing settings
Using security settings templates
About security settings templates
Creating a security settings template
Viewing security settings in a template
Applying a security settings template
Deleting a security settings template
Viewing the protection status and Kaspersky Security for Windows Server information
Working with the Web Plug-in from Web Console and Cloud Console

4
 Managing Kaspersky Security for Windows Server from Web Console and Cloud Console
Web Plug-in limitations
Managing application settings
Con guring general application settings in Web Plug-in
Con guring scalability and interface in Web Plug-in
Con guring security settings in Kaspersky Security Center Web Console
Con guring connection settings in Web Plug-in
Con guring scheduled start of local system tasks
Con guring Quarantine and Backup settings in Web Plug-in
Creating and con guring policies
Creating a policy
Kaspersky Security for Windows Server policy settings sections
Creating and con guring tasks using Kaspersky Security Center
About task creation in Web Plug-in
Creating a task in Web Plug-in
Con guring group tasks in Web Plug-in
Con guring Activation of the Application task in Web Plug-in
Con guring Update tasks in Web Plug-in
Con guring crash diagnostics settings in Web Plug-in
Managing task schedules
Con guring the task start schedule settings
Enabling and disabling scheduled tasks
Reports in Kaspersky Security Center
Compact Diagnostic Interface
About the Compact Diagnostic Interface
Reviewing the Kaspersky Security for Windows Server status via the Compact Diagnostic Interface
Reviewing security event statistics
Reviewing current application activity
Con guring writing of dump and trace les
Updating Kaspersky Security for Windows Server databases and software modules
About Update tasks
About Software Modules Update
About Databases Update
Schemes for updating anti-virus application databases and modules used within an organization
Con guring Update tasks
Con guring settings for working with Kaspersky Security for Windows Server update sources
Optimizing disk I/O when running the Database Update task
Con guring Copying Updates task settings
Con guring Software Modules Update task settings
Rolling back Kaspersky Security for Windows Server database updates
Rolling back application module updates
Update task statistics
Isolating objects and copying backups
Isolating probably infected objects. Quarantine
About quarantining probably infected objects
Viewing quarantine objects
Sorting quarantined objects
Filtering quarantined objects

5
 Quarantine Scan
Restoring quarantined objects
Moving objects to Quarantine
Deleting objects from Quarantine
Sending probably infected objects to Kaspersky for analysis
Con guring Quarantine settings
Quarantine statistics
Making backup copies of objects. Backup
About backing up objects before disinfection or deletion
Viewing objects stored in Backup
Sorting les in Backup
Filtering les in Backup
Restoring les from Backup
Deleting les from Backup
Con guring Backup settings
Backup statistics
Blocking access to network resources. Blocked Hosts
About the Blocked Hosts storage
Managing Blocked Hosts via the Administration Plug-in
Enabling hosts blocking
Con guring Blocked Hosts settings
Managing Blocked Hosts via the Application Console
Enabling untrusted hosts blocking
Con guring Blocked Hosts settings
Managing Blocked Hosts via the Web Plug-in
Enabling hosts blocking
Con guring Blocked Hosts settings
Event registration. Kaspersky Security for Windows Server logs
Ways to register Kaspersky Security for Windows Server events
System audit log
Sorting events in the system audit log
Filtering events in the system audit log
Deleting events from the system audit log
Task logs
About task logs
Sorting task logs
Filtering task logs
Viewing statistics and information about a Kaspersky Security for Windows Server task in task logs
Exporting information from a task log
Deleting task logs
Security log
Viewing the event log of Kaspersky Security for Windows Server in Event Viewer
Con guring log settings in Administration Plug-in
About SIEM integration
Con guring SIEM integration settings
Con guring logs and noti cations
Con guring log settings
Security log

6
 Con guring SIEM integration settings
Con guring noti cation settings
Con guring interaction with the Administration Server
Noti cation settings
Administrator and user noti cation methods
Con guring administrator and user noti cations
Starting and stopping Kaspersky Security for Windows Server
Starting the Kaspersky Security for Windows Server Administration Plug-in
Starting the Kaspersky Security for Windows Server Console from the Start menu
Starting and stopping the Kaspersky Security Service
Starting Kaspersky Security for Windows Server components in the operating system safe mode
About Kaspersky Security for Windows Server working in the operating system safe mode
Starting Kaspersky Security for Windows Server in safe mode
Kaspersky Security for Windows Server self-defense
About Kaspersky Security for Windows Server self-defense
Protection from changes to folders with installed Kaspersky Security for Windows Server components
Protection from changes to Kaspersky Security for Windows Server registry keys
Registering the Kaspersky Security Service as a protected service
Managing access permissions for Kaspersky Security for Windows Server functions
About permissions to manage Kaspersky Security for Windows Server
About permissions to manage registered services
About access permissions for the Kaspersky Security Management Service
About permissions to manage the Kaspersky Security Service
Managing access permissions via the Administration Plug-in
Con guring access permissions for Kaspersky Security for Windows Server and the Kaspersky Security Service
Password-protected access to Kaspersky Security for Windows Server functions
Managing access permissions via the Application Console
Con guring access permissions for managing Kaspersky Security for Windows Server and the Kaspersky Security
Service
Password-protected access to Kaspersky Security for Windows Server functions
Managing access permissions via the Web Plug-in
Con guring access permissions for Kaspersky Security for Windows Server and the Kaspersky Security Service
Password-protected access to Kaspersky Security for Windows Server functions
Real-Time File Protection
About the Real-Time File Protection task
About the task protection scope and security settings
About virtual protection scopes
Prede ned protection scopes
About prede ned security levels
File extensions scanned by default in the Real-Time File Protection task
Default Real-Time File Protection task settings
Managing the Real-Time File Protection task via the Administration Plug-in
Navigation
Opening policy settings for the Real-Time File Protection task
Opening the Real-Time File Protection task properties
Con guring the Real-Time File Protection task
Selecting the protection mode
Con guring Heuristic Analyzer and integration with other application components

7
 Con guring the task start schedule settings
Creating and con guring the task protection scope
Selecting prede ned security levels for On-Demand Scan tasks
Con guring security settings manually
Con guring general task settings
Con guring actions
Con guring performance
Managing Real-Time File Protection task via the Application Console
Navigation
Opening the Real-Time File Protection task settings
Opening the Real-Time File Protection task scope settings
Con guring the Real-Time File Protection task
Selecting protection mode
Con guring Heuristic Analyzer and integration with other application components
Con guring the task start schedule settings
Creating a protection scope
Con guring the view for network le resources
Creating a protection scope
Including network objects in the protection scope
Creating a virtual protection scope
Con guring security settings manually
Selecting prede ned security levels for Real-Time File Protection task
Con guring general task settings
Con guring actions
Con guring performance
Real-Time File Protection task statistics
Managing Real-Time File Protection task via the Web Plug-in
Con guring Real-Time File Protection task
Con guring the task protection scope
Script Monitoring
About the Script Monitoring task
Default Script Monitoring task settings
Con guring Script Monitoring task settings
Con guring Script Monitoring task settings via the Application Console
Con guring Script Monitoring task settings via the Web Plug-in
Script Monitoring task statistics
KSN Usage
About the KSN Usage task
Default KSN Usage task settings
Managing KSN Usage via the Administration Plug-In
Con guring the KSN Usage task
Con guring data handling
Managing KSN Usage via the Application Console
Con guring KSN Usage task
Con guring Data handling
Managing KSN Usage via the Web Plug-in
Con guring additional data transfer
KSN Usage task statistics

8
Network Threat Protection
About the Network Threat Protection task
Default Network Threat Protection task settings
Con guring the Network Threat Protection task via the Application Console
General task settings
Adding exclusions
Con guring the Network Threat Protection task via the Administration Plug-in
General task settings
Adding exclusions
Con guring the Network Threat Protection task via the Web Plug-in
General task settings
Adding exclusions
Tra ic Security
About the Tra ic Security task
About Tra ic Security rules
Mail threat protection
List of categories
Prede ned protection level settings
Default Tra ic Security task settings
Managing Tra ic Security via the Administration Plug-in
Navigation
Opening policy settings for the Tra ic Security task
Opening the Tra ic Security rules list
Con guring the Tra ic Security task
Con guring the task operation mode
Con guring the Driver Interceptor mode
Con guring the Redirector mode
Con guring malware protection
Con guring mail threat protection
Con guring URL and web processing
Con guring web control
Con guring certi cate scanning
Selecting and con guring the task mode
Adding rules for certi cates
Con guring category-based web control
Adding URL-based rules
Managing Tra ic Security via the Application Console
Navigation
Opening the Tra ic Security task settings
Opening the Tra ic Security rules window
Con guring the Tra ic Security task
Con guring the task operation mode
Con guring the Driver Interceptor mode
Con guring the Redirector mode
Con guring malware protection
Con guring mail threat protection
Con guring URL and web processing
Con guring web control

9
 Con guring certi cate scanning
Selecting and con guring the task mode
Adding rules for certi cates
Con guring category-based web control
Adding URL-based rules
Managing Tra ic Security via the Web Plug-in
Anti-Cryptor
About the Anti-Cryptor task
Anti-Cryptor task statistics
Default Anti-Cryptor task settings
Con guring the Anti-Cryptor task via the Administration Plug-in
General task settings
Creating the protection scope
Adding exclusions
Con guring the Anti-Cryptor task via the Application Console
General task settings
Creating the protection scope
Adding exclusions
Con guring the Anti-Cryptor task via the Web Plug-in
General task settings
Creating the protection scope
Adding exclusions
Applications Launch Control
About the Applications Launch Control task
About Applications Launch Control rules
About Software Distribution Control
About KSN usage for the Applications Launch Control task
About Applications Launch Control rules generation
Default Applications Launch Control task settings
Managing Applications Launch Control via the Administration Plug-in
Navigation
Opening policy settings for the Applications Launch Control task
Opening the Applications Launch Control rules list
Opening the Rule Generator for Applications Launch Control task wizard and properties
Con guring Applications Launch Control task settings
Con guring Software Distribution Control
Con guring the Rule Generator for Applications Launch Control task
Con guring Applications Launch Control rules via the Kaspersky Security Center
Adding an Applications Launch Control rule
Enabling the Default Allow mode
Creating allowing rules from Kaspersky Security Center events
Importing rules from a Kaspersky Security Center report on blocked applications
Importing Applications Launch Control rules from an XML le
Checking application launches
Creating a Rule Generator for Applications Launch Control task
Restricting the task usage scope
Actions to perform during automatic rule generation
Actions to perform upon completion of automatic rule generation

10
 Managing Applications Launch Control via the Application Console
Navigation
Opening the Applications Launch Control task settings
Opening the Applications Launch Control rules window
Opening the Rule Generator for Applications Launch Control task settings
Con guring Applications Launch Control task settings
Selecting the mode of the Applications Launch Control task
Con guring the scope of the Applications Launch Control task
Con guring KSN usage
Software Distribution Control
Con guring Applications Launch Control rules
Adding an Applications Launch Control rule
Enabling the Default Allow mode
Creating allowing rules from Applications Launch Control task events
Exporting Applications Launch Control rules
Importing Applications Launch Control rules from an XML le
Removing Applications Launch Control rules
Con guring a Rule Generator for Applications Launch Control task
Restricting the task usage scope
Actions to perform during automatic rule generation
Actions to perform upon completion of automatic rule generation
Managing Applications Launch Control via the Web Plug-in
Device Control
About Device Control task
About Device Control rules
About Device Control rules generation
About Rule Generator for Device Control task
Device Control default task settings
Managing Device Control via the Administration Plug-in
Navigation
Opening policy settings for the Device Control task
Opening the Device Control rules list
Opening the Rule Generator for Device Control task wizard and properties
Con guring Device Control task
Con guring the Rule Generator for Device Control task
Con guring Device Control rules via the Kaspersky Security Center
Creating allowing rules based on system data in a Kaspersky Security Center policy
Generating rules for connected devices
Importing rules from the Kaspersky Security Center report on blocked devices
Creating rules using the Rule Generator for Device Control task
Adding generated rules to the Device Control rules list
Managing Device Control via the Application Console
Navigation
Opening the Device Control task settings
Opening the Device Control rules window
Opening the Rule Generator for Device Control task settings
Con guring Device Control task settings
Con guring Device Control rules

11
 Importing Device Control rules from XML le
Filling rules list basing on Device Control task events
Adding an allowing rule for one or several external devices
Removing Device Control rules
Exporting Device Control rules
Activating and deactivating of Device Control rules
Expanding Device Control rules usage scope
Con guring Rule Generator for Device Control task
Managing Device Control via the Application Console Web Plug-in
Firewall Management
About the Firewall Management task
About Firewall rules
Default Firewall Management task settings
Managing Firewall rules via the Administration Plug-in
Enabling and disabling Firewall rules
Adding Firewall rules manually
Deleting Firewall rules
Managing Firewall rules via the Application Console
Enabling and disabling Firewall rules
Adding Firewall rules manually
Deleting Firewall rules
Managing Firewall rules via the Web Plug-in
Enabling and disabling Firewall rules
Adding Firewall rules manually
Deleting Firewall rules
File Integrity Monitor
About the File Integrity Monitor task
About le operation monitoring rules
Default File Integrity Monitor task settings
Managing File Integrity Monitor via the Administration Plug-in
Con guring the File Integrity Monitor task
Con guring monitoring rules
Managing File Integrity Monitor via the Application Console
Con guring File Integrity Monitor task settings
Con guring monitoring rules
Managing File Integrity Monitor via the Web Plug-in
Con guring the File Integrity Monitor task
Con guring monitoring rules
Log Inspection
About the Log Inspection task
Default Log Inspection task settings
Managing Log Inspection rules via the Administration Plug-in
Con guring prede ned task rules
Adding Log Inspection rules via the Administration Plug-in
Managing Log Inspection rules via the Application Console
Con guring prede ned task rules
Adding Log Inspection rules via the Application Console
Managing Log Inspection rules via the Web Plug-in

12
On-Demand Scan
About On-Demand Scan tasks
About the task scan scope and security settings
Prede ned scan scopes
Online storage le scanning
About prede ned security levels
About the Removable Drives Scan
About the Baseline File Integrity Monitor task
Enabling start of On-Demand Scan task from context menu
Default On-Demand Scan tasks settings
Managing On-Demand Scan tasks via the Administration Plug-in
Navigation
Opening the On-Demand Scan task wizard
Opening the On-Demand Scan task properties
Creating an On-Demand Scan task
Assigning the Critical Areas Scan status to an On-Demand Scan task
Running an On-Demand Scan task in the background
Registering execution of a Critical Areas Scan
Con guring the task scan scope
Selecting prede ned security levels for On-Demand Scan tasks
Con guring security settings manually
Con guring general task settings
Con guring actions
Con guring performance
Con guring Removable Drives Scan
Con guring a Baseline File Integrity Monitor task
Managing On-Demand Scan tasks via the Application Console
Navigation
Opening the On-Demand Scan task settings
Opening the On-Demand Scan task scope settings
Creating and con guring an On-Demand Scan task
Scan scope in On-Demand Scan tasks
Con guring the view for network le resources
Creating a scan scope
Including network objects in the scan scope
Creating a virtual scan scope
Con guring security settings
Selecting prede ned security levels for On-Demand Scan tasks
Con guring general task settings
Con guring actions
Con guring performance
Con guring hierarchical storage
Scanning removable drives
On-Demand Scan task statistics
Creating and con guring a Baseline File Integrity Monitor task
Managing On-Demand Scan tasks via the Web Plug-in
Opening the On-Demand Scan task wizard
Opening the On-Demand Scan task properties

13
 Con guring the task scan scope
Con guring the task settings
Trusted Zone
About the Trusted Zone
Managing the Trusted Zone via the Administration Plug-in
Navigation
Opening the Trusted Zone policy settings
Opening the Trusted Zone properties window
Con guring Trusted Zone settings via the Administration Plug-in
Adding an exclusion
Adding trusted processes
Applying the not-a-virus mask
Managing the Trusted Zone via the Application Console
Applying the Trusted Zone to tasks in the Application Console
Con guring Trusted Zone settings in the Application Console
Adding an exclusion to the Trusted Zone
Adding trusted processes
Applying the not-a-virus mask
Managing the Trusted Zone via the Web Plug-in
Exploit Prevention
About Exploit Prevention
Managing Exploit Prevention via the Administration Plug-in
Navigation
Opening policy settings for Exploit Prevention
Opening the Exploit Prevention properties window
Con guring process memory protection settings
Adding a process to the protection scope
Managing Exploit Prevention via the Application Console
Navigation
Opening the Exploit Prevention general settings
Opening the Exploit Prevention process protection settings
Con guring process memory protection settings
Adding a process to the protection scope
Managing Exploit Prevention via the Web Plug-in
Con guring process memory protection settings
Adding a process to the protection scope
Exploit prevention techniques
Hierarchical storage management
About hierarchical storage
Con guring HSM system settings via the Administration Plug-in
Con guring HSM system settings via the Application Console
Con guring HSM system settings via the Web Plug-in
Network Attached Storage Protection
Integrating Kaspersky Security for Windows Server with network attached storages
Con guring inbound and outbound connections in Windows rewall
Con guring security settings of local policies in the local group policy editor
Working with the Kaspersky Security for Windows Server Console
About the Kaspersky Security for Windows Server Console

14
 Starting the Kaspersky Security for Windows Server Console from the Start menu
Kaspersky Security for Windows Server Console window
Viewing status information for Network Attached Storage Protection
Managing Network Attached Storage Protection tasks
Saving a task after changing its settings
Starting / pausing / resuming / stopping tasks manually
Managing task schedules
Con guring the task launch schedule settings
Enabling and disabling scheduled tasks
Protecting EMC network attached storages of the Celerra / VNX group
About protection of EMC network attached storages of the Celerra / VNX group
Integrating Kaspersky Security for Windows Server with an EMC network attached storage of the Celerra / VNX group
RPC Network Storage Protection
About the RPC Network Storage Protection
About scanning symbolic links
About scanning snapshots and other read-only volumes and folders
Con guring a connection between an RPC network storage and Kaspersky Security for Windows Server
Selecting a user account for running the RPC Network Storage Protection task
Creating the protection scope in the RPC Network Storage Protection task
Adding an RPC network storage to Kaspersky Security for Windows Server
Disabling and enabling protection of an added RPC network storage
Removing an RPC network storage from the protection scope
Con guring the RPC Network Storage Protection task
Using the Heuristic Analyzer
Integration with other components of Kaspersky Security for Windows Server
Con guring general settings for RPC Network Storage connection
Security levels in the RPC Network Storage Protection task
About security levels in the RPC Network Storage Protection task
Applying a preset security level in the RPC Network Storage Protection task
Manually con guring the security level settings in the RPC Network Storage Protection task
Using security level settings templates in the RPC Network Storage Protection task
Creating a security settings template
Applying a security settings template
Viewing security settings in a template
Deleting a security settings template
Viewing statistics of the RPC Network Storage Protection task
ICAP Network Storage Protection
About the ICAP Network Storage Protection
Con guring a connection between an ICAP network storage and Kaspersky Security for Windows Server
Con guring the ICAP Network Storage Protection task
Con guring the settings of the connection to an ICAP network storage
Using the Heuristic Analyzer
Using KSN for protection
Security levels in the ICAP Network Storage Protection task
About security levels in the ICAP Network Storage Protection task
Applying a preset security level in the ICAP Network Storage Protection task
Manually con guring the security level settings in the ICAP Network Storage Protection task
Viewing statistics of the ICAP Network Storage Protection task

15
 Anti-Cryptor for NetApp
About the Anti-Cryptor for NetApp
Creating and con guring FPolicy
Con guring the Kaspersky Security for Windows Server
Con guring Anti-Cryptor for NetApp task settings
Con guring task settings via the Kaspersky Security for Windows Server Console
Con guring task settings via Kaspersky Security Center
Con guring general task settings
Con guring addressing
Modifying the list of exclusions
Managing Network Attached Storage Protection tasks from Kaspersky Security Center
Con guring Network Attached Storage Protection settings using policies
Con guring Network Attached Storage Protection settings for one server in Kaspersky Security Center
Manually con guring the security level settings in the RPC Network Storage Protection task
Manually con guring the security level settings in the ICAP Network Storage Protection task
Integrating with third-party systems
Performance counters for System Monitor
About Kaspersky Security for Windows Server performance counters
Total number of requests denied
Total number of requests skipped
Number of requests not processed because of lack of system resources
Number of requests sent to be processed
Average number of le interception dispatcher streams
Maximum number of le interception dispatcher streams
Number of elements in the infected objects queue
Number of objects processed per second
Kaspersky Security for Windows Server SNMP counters and traps
About Kaspersky Security for Windows Server SNMP counters and traps
Kaspersky Security for Windows Server SNMP counters
Performance counters
Quarantine counters
Backup counter
General counters
Update counter
Real-Time File Protection counters
Script Monitoring counters
Tra ic Security counters
Kaspersky Security for Windows Server SNMP traps and their options
Kaspersky Security for Windows Server SNMP traps options descriptions and possible values
Integrating with WMI
Working with Kaspersky Security for Windows Server from the command line
Commands
Displaying Kaspersky Security for Windows Server command help: KAVSHELL HELP
Starting and stopping the Kaspersky Security Service KAVSHELL START: KAVSHELL STOP
Scanning a selected area: KAVSHELL SCAN
Starting the Critical Areas Scan task: KAVSHELL SCANCRITICAL
Managing tasks asynchronously: KAVSHELL TASK
Removing the PPL attribute: KAVSHELL CONFIG

16
 Starting and stopping Real-Time Server Protection tasks: KAVSHELL RTP
Managing the Applications Launch Control task: KAVSHELL APPCONTROL /CONFIG
Rule Generator for Applications Launch Control: KAVSHELL APPCONTROL /GENERATE
Filling the list of Applications Launch Control rules: KAVSHELL APPCONTROL
Filling the list of Device Control rules: KAVSHELL DEVCONTROL
Starting the Database Update task: KAVSHELL UPDATE
Rolling back Kaspersky Security for Windows Server database updates: KAVSHELL ROLLBACK
Managing log inspection: KAVSHELL TASK LOG-INSPECTOR
Activating the application: KAVSHELL LICENSE
Enabling, con guring and disabling trace logs: KAVSHELL TRACE
Defragmenting Kaspersky Security for Windows Server log les: KAVSHELL VACUUM
Cleaning iSwift base: KAVSHELL FBRESET
Enabling and disabling dump le creation: KAVSHELL DUMP
Importing settings: KAVSHELL IMPORT
Exporting settings: KAVSHELL EXPORT
Integration with Microsoft Operations Management Suite: KAVSHELL OMSINFO
Managing the Baseline File Integrity Monitor task: KAVSHELL FIM /BASELINE
Command return codes
Return code for the KAVSHELL START and KAVSHELL STOP commands
Return code for KAVSHELL SCAN and KAVSHELL SCANCRITICAL commands
Return codes for the KAVSHELL TASK LOG-INSPECTOR command
Return codes for the KAVSHELL TASK command
Return codes for the KAVSHELL RTP command
Return codes for the KAVSHELL UPDATE command
Return codes for the KAVSHELL ROLLBACK command
Return codes for the KAVSHELL LICENSE command
Return codes for the KAVSHELL TRACE command
Return codes for the KAVSHELL FBRESET command
Return codes for the KAVSHELL DUMP command
Return codes for the KAVSHELL IMPORT command
Return codes for the KAVSHELL EXPORT command
Return codes for the KAVSHELL FIM /BASELINE command
Contacting Technical Support
How to get technical support
Technical Support via Kaspersky CompanyAccount
Using trace les and AVZ scripts
Providing extended diagnostic information to the Technical Support specialists
Glossary
Active key
Administration Server
Anti-virus databases
Archive
Backup
Disinfection
Event severity
False positive
File mask
Heuristic analyzer

17
 Infectable le
Infected object
Kaspersky Security Network (KSN)
License term
Local task
OLE object
Policy
Protection status
Quarantine
Real-time protection
Security level
SIEM
Startup objects
Task
Task settings
Update
Vulnerability
Information about third-party code
Trademark notices

18
About Kaspersky Security for Windows Server
Kaspersky Security for Windows Server protects servers running Microsoft® Windows® operating systems
(hereinafter also referred to as protected devices) and network attached storages against viruses and other
computer security threats which servers and network attached storages are exposed to while exchanging les.
Kaspersky Security for Windows Server is designed for use on local area networks of medium to large
organizations. Kaspersky Security for Windows Server users are corporate network administrators and specialists
responsible for anti-virus protection of the corporate network.

You can install Kaspersky Security for Windows Server on servers with the following roles:

Active Directory® Certi cate Services

Active Directory Domain Services

Active Directory Federation Services

Active Directory Lightweight Directory Services

Active Directory Rights Management Services

Device Health Attestation

DHCP Server

DNS Server

Fax Server

File and Storage Services

Host Guardian Services

Hyper-V®

Network Controller

Network Policy and Access Services

Print and Document Services

Remote Access

Remote Desktop Services

Volume Activation Services

Web Server (IIS)

Windows Deployment Services

Windows Server® Update Services

Kaspersky Security for Windows Server can be managed in the following ways:

19
 Via the Application Console installed on the same device as Kaspersky Security for Windows Server or on a
di erent device.

Using commands in the command line.

Via Kaspersky Security Center Administration Console.

The Kaspersky Security Center application can also be used for centralized administration of multiple devices
running Kaspersky Security for Windows Server.

You can review Kaspersky Security for Windows Server performance counters for the "System Monitor"
application, as well as SNMP counters and traps.

An update or upgrade of supported Microsoft Windows operating systems does not a ect the functionality
of Kaspersky Security for Windows Server.

Kaspersky Security for Windows Server components and functions

The application includes the following components:

Real-Time File Protection . Kaspersky Security for Windows Server scans objects when they are accessed.
Kaspersky Security for Windows Server scans the following objects:

Files

Alternate le system streams (NTFS streams)

Master boot record and boot sectors on local hard drives and removable drives

Windows Server 2016 and Windows Server 2019 container les

On-Demand Scan. Kaspersky Security for Windows Server runs a single scan of the speci ed area for viruses
and other computer security threats. The application scans les, RAM, and startup objects on a protected
device.

RPC Network Storage Protection and ICAP Network Storage Protection. Kaspersky Security for Windows
Server installed on a device running a Microsoft Windows operating system protects network attached
storages against viruses and other security threats that in ltrate the device through le exchange.

Applications Launch Control. This component tracks users' attempts to launch application and controls
application launches.

Device Control. This component controls registration and use of external devices in order to protect the
device against security threats that may arise while exchanging les with USB-connected ash drives or other
types of external device.

Anti-Cryptor and Anti-Cryptor for NetApp. These components protect shared folders on devices and
network attached storages from malicious encryption by blocking hosts that show malicious activity.

Script Monitoring. This component controls the execution of scripts created using Microsoft Windows
scripting technologies.

Tra ic Security. This component intercepts and scans objects transferred through web tra ic (including mail)
to detect known computer and other threats on the protected device.

20
 Firewall Management. This component provides the ability to manage the Windows Firewall: con gure settings
and the operating system's rewall rules and block any external attempts to con gure the rewall.

File Integrity Monitor. Kaspersky Security for Windows Server detects changes in les within the monitoring
scopes speci ed in the task settings. These changes may indicate a security breach on the protected device.

Network Threat Protection. This component scans inbound network tra ic for activity that is typical of
network attacks. Upon detecting an attempted network attack that targets your computer, Kaspersky Security
for Windows Server blocks network activity from the attacking computer.

Log Inspection. This component monitors the integrity of the protected environment based on the results of
an inspection of Windows event logs.

The following functions are implemented in the application:

Database Update and Software Modules Update. Kaspersky Security for Windows Server downloads updates
of application databases and modules from Kaspersky's FTP or HTTP update servers, Kaspersky Security
Center Administration Server, or other update sources.

Quarantine. Kaspersky Security for Windows Server quarantines probably infected objects by moving such
objects from their original location to the Quarantine folder. For security purposes, objects in the Quarantine
folder are stored in encrypted form.

Backup. Kaspersky Security for Windows Server stores encrypted copies of objects classi ed as Infected in
Backup before disinfecting or deleting them.

Administrator and user noti cations. You can con gure the application to notify the protected device's
administrator and users about events related to the operation of Kaspersky Security for Windows Server and
the status of anti-virus protection on the device.

Importing and exporting settings. You can export Kaspersky Security for Windows Server settings to an XML
con guration le and import settings into Kaspersky Security for Windows Server from the con guration le.
You can save all application settings or only settings for individual components to a con guration le.

Applying templates. You can manually con gure a node's security settings in the tree or list of the device's le
resources, and save the con gured setting values as a template. This template can then be used to con gure
the security settings of other nodes in Kaspersky Security for Windows Server protection and scan tasks.

Managing access permissions for Kaspersky Security for Windows Server functions. You can con gure the
rights to manage Kaspersky Security for Windows Server and the Windows services registered by the
application, for users and groups of users.

Writing events to the application event log. Kaspersky Security for Windows Server logs information about
software component settings, the current status of tasks, events that occur while tasks run, events associated
with Kaspersky Security for Windows Server management, and information required to diagnose errors in
Kaspersky Security for Windows Server.

Hierarchical storage. Kaspersky Security for Windows Server can operate in hierarchical storage management
mode (to work with HSM systems). HSM systems allow data to be relocated between fast local drives and slow
long-term data storage devices.

Trusted Zone. You can generate a list of exclusions from the protection or scan scope, that Kaspersky Security
for Windows Server will apply in the On-Demand and Real-Time Server Protection tasks.

Exploit Prevention. You can protect process memory from exploits using an Agent injected into the process.

Blocked Hosts storage. You can block remote hosts that try to access the device's shared folders if they
exhibit any malicious activity.
21
What's new
The new version of Kaspersky Security for Windows Server introduces the following capabilities:

Network Threat Protection: a component that provides analysis of incoming tra ic for the signs of network
attacks is implemented. If a threat is detected, the Network Threat Protection component blocks the
compromised IP address.

The capability to use the Protect computer with Default Deny technology con guration is implemented. Now
you can activate the application for a long term, during which it will control launches of restricted applications.

Kaspersky Security Center policy pro les for the Trusted Zone lists: now you can create policy pro les for the
lists of trusted processes and for the Trusted Zone exclusion lists using the Management Plug-in version 3.0.

Monitoring of on-demand le changes based on cryptography: the application allows generating baseline lists
of les and running checks on the compliance of les on the disk with the baseline parameters. The application
detects the following mismatches with the baseline: creation of new les in the monitored areas, deletion of
les from the monitored areas, changes of the monitored le checksum.

Control of the network cards and modems connection: the Device Control and Automatic Rule Generator for
Device Control tasks support creation and application of rules that block connection of untrusted network
cards and modems via USB.

Information about the checksum of the object being processed in detection events, which are published in
Kaspersky Security Center reports, is added.

Administration Web-Plug-in is implemented: now you can manage the application using Kaspersky Security
Center Web Console.

Generation of Kaspersky Security Center incidents basing on events of blocked application launches and
connection of devices in audit mode.

Blocking changes of the important parameters in the USN (Update Sequence Number) log: the application uses
USN log entries to monitor le operations. You can prevent deletion of USN log entries and change the
threshold for the maximum USN log size.

Noti cation on changes of the important parameters in the USN (Update Sequence Number) log: if you have
not prohibited changes to the important parameters in the USN log, the application will report attempts to
delete entries from the USN log by publishing the events in application reports.

Methods of protection against active threats are optimized: now the application noti es you if the signs of
active infection are detected during the Real-Time Protection tasks execution. The application marks the
detected objects for deletion and deletes such objects from the computer after reboot.

The Real-Time Protection task settings now allow you to enable the launch of the Critical Areas Scan task if
signs of active infection are detected. If this option is enabled, the application automatically creates and starts
a temporary Critical Areas Scan task on the computer where an active infection was detected.

Anti-virus scan of the tasks created in the System Planner is implemented. Monitoring of tasks created by the
System Planner is performed as part of the on-demand scan tasks with the "Startup Objects" scan area
enabled.

Processing of persistent WMI subscriptions is implemented: now the application detects suspicious WMI
subscriptions in the WMI namespace on the computer with Kaspersky Security for Windows Server installed
and deletes them. Monitoring of persistent WMI subscriptions is performed as part of the on-demand scan
tasks with the "Startup Objects" scan area enabled.

22
Triggering criteria for custom rules of the Log Analysis component are enhanced: now you can set the rules for
the value of the "Source" parameter in the Windows Event Log entry.

The capability is added to con gure the triggering criteria for the applications launch control rule when creating
rules based on events of blocked launches in the Kaspersky Security Center Console.

Trace log les rotation options are extended.

The list of supported operating systems is extended.

The application interface is aligned with the new brand policy of the company.

Bugs from the previous versions are xed: the application includes the bug- xes, issued for the previous
versions.

23
Sources of information about Kaspersky Security for Windows Server
This section lists sources of information about the application.

You can select the most suitable information source, depending on the importance level and urgency of the issue.

Sources for independent retrieval of information

You can use the following sources to nd information about Kaspersky Security for Windows Server:

Kaspersky Security for Windows Server page on the Kaspersky website.

Kaspersky Security for Windows Server page on the Technical Support website (Knowledge Base).

Manuals.

If you did not nd a solution to your problem, contact Kaspersky Technical Support .

An Internet connection is required to use online information sources.

Kaspersky Security for Windows Server page on the Kaspersky website

On the Kaspersky Security for Windows Server page , you can view general information about the application and
its functions and features.

The Kaspersky Security for Windows Server page contains a link to the eStore, where you can purchase the
application or renew your license.

Kaspersky Security for Windows Server page in the Knowledge Base

The Knowledge Base is a section of the Technical Support website.

The Kaspersky Security for Windows Server page in the Knowledge Base features articles that provide useful
information, recommendations, and answers to frequently asked questions about how to purchase, install, and use
the application.

Knowledge Base articles can answer questions relating to not only Kaspersky Security for Windows Server but also
other Kaspersky applications. Knowledge Base articles can also include news form Technical Support.

Kaspersky Security for Windows Server documentation

Kaspersky Security for Windows Server Administrator's Guide contains information about the application
installation, uninstallation, settings, and usage.

Discussing Kaspersky applications in the community

24
If your question does not require an immediate answer, you can discuss it with Kaspersky experts and other users
in our community .

In our online community, you can view existing topics, leave comments, and create new discussion topics.

25
Kaspersky Security for Windows Server
This section describes the functions, components, and distribution kit of Kaspersky Security for Windows Server,
and provides a list of hardware and software requirements of Kaspersky Security for Windows Server.

Distribution kit
The distribution kit includes a welcome application that lets you do the following:

Start the Kaspersky Security for Windows Server Installation Wizard.

Start the Kaspersky Security for Windows Server Console Installation Wizard.

Start the Installation Wizard that will install Kaspersky Security for Windows Server Administration Plug-in for
managing the application via the Kaspersky Security Center.

Start the Kaspersky Security for Windows Server 11 Microsoft Outlook® Add-in (hereinafter referred to as
Microsoft Outlook Add-in) Installation Wizard.

Read the Administrator's Guide.

Read the Implementation Guide for Network Attached Storage Protection.

Go to the Kaspersky Security for Windows Server page on the Kaspersky website.

Visit the Technical Support website .

Read information about the current version of Kaspersky Security for Windows Server.

The \client folder contains les for the installation of Application Console (the set of components in Kaspersky
Security for Windows Server Administration Tools) and a le with the text of the End User License Agreement.

The \server folder contains:

Files for the installation of Kaspersky Security for Windows Server components on a device running a 32-bit or
64-bit Microsoft Windows operating system.

File for the installation of the Administration Plug-in for managing Kaspersky Security for Windows Server via
the Kaspersky Security Center.

Archive of anti-virus databases current at the time the application was released.

File with the text of the End User License Agreement and Privacy Policy.

The \setup contains start les for the welcome program.

The \email_plugin folder contains the Microsoft Outlook Add-in installation package and a le with the text of the
End User License Agreement.

The distribution kit les are stored in di erent folders depending on their intended use (see the table below).

Kaspersky Security for Windows Server distribution kit les

File Purpose
26
autorun.inf Autorun le for the Kaspersky Security for Windows Server
Installation Wizard when installing the application from
removable media.

migration.txt The le describes migration from previous application

versions.

release_notes.txt The le contains release information.

setup.exe Welcome program start le (starts setup.hta).

\client\ks4wstools_x86.msi Windows Installer installation package; installs the Application

Console on the protected device.
\client\ks4wstools_x64.msi

\client\license.txt Text of the End User License Agreement.

\client\setup.exe File that starts the setup wizard for the "Administration tools"
(including the Application Console); it starts the
ks4wstools.msi installation package le using the settings
speci ed in the setup wizard.

\server\bases.cab Archive of anti-virus databases current at the time the

application was released.

\server\setup.exe File that starts the wizard for installing Kaspersky Security for
Windows Server on the protected device; it starts the
ks4ws.msi installation package le with the installation
settings speci ed in the wizard.

\server\ks4ws_x86.msi Windows Installer installation package; installs Kaspersky

Security for Windows Server on the protected device.
\server\ks4ws_x64.msi

\server\ks4ws.kud File in Kaspersky Unicode De nition format with a description

of the installation package for remote installation of
Kaspersky Security for Windows Server via Kaspersky
Security Center.

\server\klcfginst.exe Installer for Administration Plug-in for managing Kaspersky

Security for Windows Server via the Kaspersky Security
Center. Install the Administration Plug-in on each protected
device where the Kaspersky Security Center Administration
Console is installed if you plan to use it to manage Kaspersky
Security for Windows Server.

\server\license.txt Text of the End User License Agreement and Privacy Policy.

server\endpoint_agent\endpointagent.msi Windows Installer installation package; installs the Kaspersky

Endpoint Agent on the protected device.

server\endpoint_agent\endpointagent.kud File in Kaspersky Unicode De nition format with a description

of the installation package for remote installation of
Kaspersky Endpoint Agent via Kaspersky Security Center.

server\endpoint_agent\klcfginst.exe Installer for Administration Plug-in for managing Kaspersky

Endpoint Agent via the Kaspersky Security Center.

\setup\setup.hta Welcome program start le.

\email_plugin\ksmail_x86.msi Windows Installer installation package; installs Microsoft

Outlook Add-in on the protected device.
\email_plugin\ksmail_x64.msi

\email_plugin\license.txt Text of the End User License Agreement.

27
 Distribution kit les can be run from the Installation CD. If you copy the distribution kit les onto the local drive
before installing, make sure that the structure of the distribution kit les is preserved.

You can download Kaspersky Security for Windows Server installation les from Kaspersky website . The table
below contains information about these les, including their checksums.

Kaspersky Security for Windows Server downloadable installation les

Distributive File name Description Checksum (SHA256

Version ks4ws_11.0.0.480_en.exe Extracts 5EF7BF028E7C2021E727E7B363855CFEF4AC038

11.0.0.480 | distribution kit
Windows les and runs
the welcome
application

Version klcfginst.exe Administration 37675407FE9D8649176316CE2D2DBC8A15541C24D

11.0.0.480 | Plug-in
Windows | installer
Administration
Plug-In

Version archive.zip Web console EAF5164B1204C5A77738FE035609CAAA017FD58

11.0.0.480 | Plug-in
Web console distributive
Plug-In

Hardware and software requirements

This section describes all hardware and software requirements for the protected device and network attached
storage.

Requirements for the server on which Kaspersky Security for Windows

Server is deployed

Before installing Kaspersky Security for Windows Server, you must uninstall other anti-virus applications from
the server.

Before installing Kaspersky Security for Windows Server, you must uninstall Kaspersky Anti-Virus 8.0 for
Windows Servers Enterprise Edition. You can install Kaspersky Security for Windows Server without
uninstalling Kaspersky Security 10 for Windows Server.

Hardware requirements for the server

General requirements:

x86/64-compatible single-core or multi-core systems

28
 disk space requirements:

for installing all application components: 100 MB

for downloading and storing anti-virus databases: 2 GB (recommended)

for storing objects in Quarantine and in Backup: 400 MB (recommended)

for storing logs: 1 GB (recommended)

Minimum con guration:

Processor: 1.4 GHz single-core

RAM: 1 GB

Disk: 4 GB of free space

Recommended con guration:

Processor: 2.4 GHz quad-core

RAM: 2 GB

Disk: 4 GB of free space

Software requirements for the server

You can install Kaspersky Security for Windows Server on a server running a 32-bit or 64-bit Microsoft Windows
operating system.

For installation and operation of Kaspersky Security for Windows Server, Microsoft Windows Installer 3.1 must be
installed on the server.

You can install Kaspersky Security for Windows Server on a server running one of the following 32-bit Microsoft
Windows operating systems:

Windows Server 2003 Standard / Enterprise / Datacenter SP2 or later

Windows Server 2003 R2 Foundation / Standard / Enterprise / Datacenter SP2 or later

Windows Server 2008 Standard / Enterprise / Datacenter SP1 or later

Windows Server 2008 Core Standard / Enterprise / Datacenter SP1 or later

You can install Kaspersky Security for Windows Server on a server running one of the following 64-bit Microsoft
Windows operating systems:

Windows Server 2003 Standard / Enterprise / Datacenter SP2 or later

Windows Server 2003 R2 Standard / Enterprise / Datacenter SP2 or later

Windows Server 2008 Core Standard / Enterprise / Datacenter SP1 or later

Windows Server 2008 Standard / Premium SP1 or later

29
Microsoft Small Business Server 2008 Standard / Premium

Windows Server 2008 R2 Foundation / Standard / Enterprise / Datacenter SP1 or later

Windows Server 2008 R2 Core Standard / Enterprise / Datacenter SP1 or later

Windows Hyper-V Server 2008 R2 SP1 or later

Microsoft Small Business Server 2011 Essentials / Standard

Microsoft Windows MultiPoint™ Server 2011 Standard / Premium

Windows Server 2012 Foundation / Essentials / Standard / Datacenter

Windows Server 2012 Core Foundation / Essentials / Standard / Datacenter

Microsoft Windows MultiPoint Server 2012 Standard / Premium

Windows Storage Server 2012

Windows Hyper-V Server 2012

Windows Server 2012 R2 Foundation / Essentials / Standard / Datacenter

Windows Server 2012 R2 Core / Foundation / Essentials / Standard / Datacenter

Windows Storage Server 2012 R2

Windows Hyper-V Server 2012 R2

Windows Server 2016 Essentials / Standard / Datacenter

Windows Server 2016 MultiPoint

Windows Server 2016 Core Standard / Datacenter

Microsoft Windows MultiPoint Server 2016

Windows Storage Server 2016

Windows Hyper-V Server 2016

Windows Server 2019 Essentials / Standard / Datacenter

Windows Server 2019 Core

Windows Storage Server 2019

Windows Hyper-V Server 2019

Windows 10 Enterprise multi-session

Before installing Kaspersky Security for Windows Server on Windows Server 2003 or Windows Server 2003
R2, please download the KB2868626 update and install it.

30
 The following operating systems are no longer supported by Microsoft Windows: Windows Server 2003
Standard / Enterprise / Datacenter SP2, Windows Server 2003 R2 Standard / Enterprise / Datacenter SP2
32-bit, 64-bit. Kaspersky’s technical support of servers running these operating systems may be limited.

Kaspersky Endpoint Agent does not support any version of Windows Server 2003 and Windows Server 2008.

You can install Kaspersky Security for Windows Server on the following terminal servers:

Microsoft Remote Desktop Services based on Windows Server 2008

Microsoft Remote Desktop Services based on Windows Server 2008 R2

Microsoft Remote Desktop Services based on Windows Server 2012

Microsoft Remote Desktop Services based on Windows Server 2012 R2

Microsoft Remote Desktop Services based on Windows Server 2016

Microsoft Remote Desktop Services based on Windows Server 2019

Citrix XenApp 6.0, 6.5, 7.0, 7.5 - 7.9, 7.15

Citrix XenDesktop 7.0, 7.1, 7.5 - 7.9, 7.15

The Kaspersky Security for Windows Server is compatible with the following versions of Kaspersky Security
Center:

Kaspersky Security Center 11

Kaspersky Security Center 12

Kaspersky Security Center 13

Requirements for protected network attached storage

Kaspersky Security for Windows Server can be used to protect the following network attached storages:

NetApp with one of the following operating systems:

Data ONTAP 7.x and Data ONTAP 8.x in 7-mode

Data ONTAP 8.2.1 in cluster-mode

Data ONTAP 9.x (from 9.0 to 9.7) in cluster-mode

Dell™ EMC™ Celerra™ / VNX™ with the following software:

EMC DART 6.0.36 or higher

Celerra Antivirus Agent (CAVA) 4.5.2.3 or higher

31
 Dell EMC Isilon™ with OneFS™ 7.0 or later

Hitachi HNAS (ICAP, RPC):

12.0 or later for integration via ICAP

11.2 or later for integration via RPC

IBM System Storage N series

Oracle® ZFS Storage Appliance

Dell NAS on the platform Dell Compellent™ FS8600:

FluidFS 6.x

FluidFS 5.x

HPE 3PAR with File Persona 3.3.1:

HPE 3PAR STORESERV File Controller

HPE 3PAR STORESERV 7000c, 8000, 9000, 20000 Storage

Requirements for the device on which the Application Console is installed

Hardware requirements for the device

Recommended RAM amount: at least 128 MB.

Free disk space: 30 MB.

Software requirements for the device

You can install the Application Console on a device running a 32-bit or 64-bit Microsoft Windows operating
system.

The device should have Microsoft Windows Installer 3.1 in order to support installation and operation of the
Application Console.

You can install the Application Console on a device running one of the following 32-bit Microsoft Windows
operating systems:

Windows Server 2003 Standard / Enterprise / Datacenter SP2 or later

Windows Server 2003 R2 Standard / Enterprise / Datacenter SP2 or later

Windows Server 2008 Standard / Enterprise / Datacenter SP1 or later

Microsoft Windows XP Professional SP2 or later

32
 Microsoft Windows Vista®

Microsoft Windows 7

Microsoft Windows 8

Microsoft Windows 8.1

Microsoft Windows 10

Windows 10 Redstone 1

Windows 10 Redstone 2

Windows 10 Redstone 3

Windows 10 Redstone 4

Windows 10 Redstone 5

Windows 10 Redstone 6

You can install the Application Console on a device running one of the following 64-bit Microsoft Windows
operating systems:

Windows Server 2003 Standard / Enterprise / Datacenter SP2 or later

Windows Server 2003 R2 Standard / Enterprise / Datacenter SP2 or later

Windows Server 2008 Core Standard / Enterprise / Datacenter SP1 or later

Microsoft Small Business Server 2008 Standard / Premium

Windows Server 2008 R2 Foundation / Standard / Enterprise / Datacenter SP1 or later

Windows Hyper-V Server 2008 R2 SP1 or later

Microsoft Small Business Server 2011 Essentials / Standard

Microsoft Windows MultiPoint Server 2011 Standard / Premium

Windows Server 2012 Foundation / Essentials / Standard / Datacenter

Microsoft Windows MultiPoint Server 2012 Standard / Premium

Windows Storage Server 2012 Foundation / Essentials / Standard / Datacenter

Windows Server 2012 R2 Foundation / Essentials / Standard / Datacenter

Windows Storage Server 2012 R2

Windows Hyper-V Server 2012

Windows Hyper-V Server 2012 R2

Windows Server 2016 Essentials / Standard / Datacenter

33
 Microsoft Windows MultiPoint Server 2016

Windows Storage Server 2016 Essentials / Standard / Datacenter

Windows Server 2019 Essentials / Standard / Datacenter

Windows Storage Server 2019

Microsoft Windows XP Professional Edition SP2 or later

Microsoft Windows Vista

Microsoft Windows 7

Microsoft Windows 8

Microsoft Windows 8.1

Microsoft Windows 10

Windows 10 Redstone 1

Windows 10 Redstone 2

Windows 10 Redstone 3

Windows 10 Redstone 4

Windows 10 Redstone 5

Windows 10 Redstone 6

Functional requirements and limitations

This section describes additional functional requirements and existing limitations for Kaspersky Security for
Windows Server components.

Installation and uninstallation

During application installation a warning appears if the new path to the Kaspersky Security for Windows Server
installation folder contains more than 150 symbols. The warning does not a ect the installation process:
Kaspersky Security for Windows Server will install and run successfully.

For installation of the SNMP protocol support component the SNMP service must be restarted, if it is running.

For installation and operation of Kaspersky Security for Windows Server on a device running an embedded
operating system, the Filter Manager component must be installed.

Kaspersky Security for Windows Server Administration Tools cannot be installed via Microsoft Active
Directory® group policies.

34
 When installing the application on protected devices running older operating systems that cannot receive
regular updates, the following root certi cates should be checked: DigiCert Assured ID Root CA,
DigiCert_High_Assurance_EV_Root_CA, DigiCertAssuredIDRootCA. If these certi cates are missing, the
application may not function correctly. We recommend that you install these certi cates in any possible way.

Kaspersky Security Center management tools comparison and limitations

The set of features available in Kaspersky Security for Windows Server depends on the management tools (see
the table below).

You can manage the application by using the following consoles of Kaspersky Security Center:

Administration Console. Microsoft Management Console (MMC) snap-in installed on the administrator's
workstation.

Web Console. Component of Kaspersky Security Center that is installed on the Administration Server. You can
work in the Web Console through a browser on any computer that has access to the Administration Server.

You can also manage the application by using the Kaspersky Security Center Cloud Console. The Kaspersky
Security Center Cloud Console is the cloud version of Kaspersky Security Center. This means that the
Administration Server and other components of Kaspersky Security Center are installed in the cloud infrastructure
of Kaspersky. For details on managing the application through the Kaspersky Security Center Cloud Console,
please refer to the Kaspersky Security Center Cloud Console Online Help.

Comparison of Kaspersky Security for Windows Server features depending on the management tools

Feature Kaspersky Security Center Kaspersky Security Center

Cloud Console
Administration Web
Console Console

Real-time server protection

Real-Time File Protection

KSN Usage

Tra ic Security
(no External Proxy mode)

Exploit Prevention

Network Threat Protection

Script Monitoring

Local activity control

Applications Launch Control

Device Control

Network attached storage

protection

RPC Network Storage Protection

ICAP Network Storage Protection

Anti-Cryptor for NetApp

Network activity control

35
 Firewall Management

Anti-Cryptor

System Inspection

File Integrity Monitor

Log Inspection

Logs and noti cations

Logs

Noti cations

Storages

Quarantine

Backup

Blocked Hosts

Supplementary

Hierarchical storage management

Trusted Zone

Removable Drives Scan

Kaspersky Endpoint Agent

Tasks

Activation of Application

Application Integrity Control

Baseline File Integrity Monitor

Copying Updates

Database Update

On-Demand Scan

Rollback of Database Update

Rule Generator for Applications

Launch Control

Rule Generator for Device Control

Software Modules Update

Web Plug-in limitations

Kaspersky Security for Windows Server Web Plug-in has the following limitations compared to Kaspersky Security
for Windows Server Administration Plug-in:

To add users and/or user groups, you need to specify the security descriptor strings using the security
descriptor de nition language (SDDL).

Prede ned security level can not be changed for the Real-Time File Protection task.

36
 Application Launch Control task rules can not be created using digital certi cate or Kaspersky Security Center
events.

Device Control task rules can not be generated based on connected devices or on system data.

Tra ic Security
This component is available only on the servers running on Microsoft Windows Server 2008 R2 operating
system and higher.

Tra ic cannot be veri ed when web connections are made using a cryptographic token.

We do not recommend including VPN tra ic in the protection scope (port 1723).

IPv6 addresses are not supported.

The application considers self-signed certi cates as invalid and blocks such connections if the Do not trust
web-servers with invalid certi cate check box is selected in the task settings.

The application processes only TCP packets.

Mail threat protection does not scan outgoing mail tra ic.

We recommend that you install the Network Agent component of Kaspersky Security Center before starting
the Tra ic Security task. If Tra ic Security component was installed and the task started before installation of
the Network Agent, then restart the Tra ic Security task. For more information on Kaspersky Security Center
Network Agent component please refer to the Kaspersky Security Center Online Help.

Tra ic Security does not work with Yandex.Disk or Dropbox.

VPN limitations: there might be issues when working via Microsoft VPN connection protocols.

If the installation is performed via Kaspersky Security Center in Driver Interceptor mode, Tra ic Security blocks
the connection from Microsoft Management Console (hereinafter referred to as MMC) to the Kaspersky
Security Center Administration Server, because this connection uses an untrusted certi cate.

If you run Tra ic Security task in Driver Interceptor mode with the Intercept all option enabled, make sure to
con gure the Kaspersky Security Center Administration Server to use the default port (13299) for connection
with the Kaspersky Security Center Web Console (for more information, refer to Kaspersky Security Center
Online Help), or, if you use a custom port, make sure to add this port to the Tra ic Security task's list of
excluded ports. Otherwise, Tra ic Security blocks the connection from the Kaspersky Security Center Web
Console to the Kaspersky Security Center Administration Server.

The component blocks connections to websites that use old technologies to generate root certi cates, for
example, sha1 certi cates.

The Do not scan objects larger than (MB) value cannot exceed 100MB. If a large value is speci ed and the
Internet connection is slow, there might be di iculties when receiving large les. The recommended value is 20
MB.

The application recognizes HTTPS connections as dangerous and blocks them if the following conditions are
satis ed:

The task is running in Driver Interceptor mode.

37
 Tra ic is redirected from external devices.

The devices from which tra ic is redirected are protected by Kaspersky Security for Windows Server and
the preset Tra ic Security task has been run at least once.

We do not recommend using Redirector mode to check tra ic redirected from external devices: besides the
aforementioned false positives, such a con guration may cause high server load and reduce application
performance.

File Integrity Monitor

By default, the File Integrity Monitor does not monitor changes in system folders or the le system's housekeeping
les in order to not clutter task reports with information about routine le changes performed constantly by the
operating system. The user cannot manually include such folders in the monitoring scope.

The following folders/ les are excluded from the monitoring scope:

NTFS housekeeping les with le id from 0 to 33

"%SystemRoot%\\Prefetch\\"

"%SystemRoot%\\ServicePro les\\LocalService\\AppData\\Local\\"

"%SystemRoot%\\System32\\LogFiles\\Scm\\"

"%SystemRoot%\\Microsoft.NET\\Framework\\v4.0.30319\\"

"%SystemRoot%\\Microsoft.NET\\Framework64\\v4.0.30319\\"

"%SystemRoot%\\Microsoft.NET\\"

"%SystemRoot%\\System32\\con g\\"

"%SystemRoot%\\Temp\\"

"%SystemRoot%\\ServicePro les\\LocalService\\"

"%SystemRoot%\\System32\\winevt\\Logs\\"

"%SystemRoot%\\System32\\wbem\\repository\\"

"%SystemRoot%\\System32\\wbem\\Logs\\"

"%ProgramData%\\Microsoft\\Windows\\WER\\ReportQueue\\"

"%SystemRoot%\\SoftwareDistribution\\DataStore\\"

"%SystemRoot%\\SoftwareDistribution\\DataStore\\Logs\\"

"%ProgramData%\\Microsoft\\Windows\\AppRepository\\"

"%ProgramData%\\Microsoft\\Search\\Data\\Applications\\Windows\\"
38
 "%SystemRoot%\\Logs\\SystemRestore\\"

"%SystemRoot%\\System32\\Tasks\\Microsoft\\Windows\\TaskScheduler\\"

The application excludes top-level folders.

The component does not monitor les changes that bypass the ReFS/NTFS le system ( le changes made
through BIOS, LiveCD, etc.).

Firewall Management
Working with IPv6 addresses is not available when the speci ed rule scope consists of one address.

Preset Firewall policy rules support basic scenarios of interaction between protected devices and
Administration Server. To make full use of Kaspersky Security Center functions, you need to set up port rules
manually. You can nd information about port numbers, protocols and their functions in the Kaspersky Security
Center Knowledge Base (https://support.kaspersky.com/ksc10, article 9297).

The application does not control modi cation of Windows Firewall rules and rule groups during the Firewall
management task if those rules were not added to the task con guration when the application was installed. To
update the status and include such rules, the Firewall management task must be restarted.

When the Firewall Management task is started, the following types of rules are automatically removed from the
operating system's rewall settings:

denying rules;

rules monitoring outgoing tra ic.

Other limitations
On-Demand Scan, Real-Time File Protection :

Scanning of connected MTP-devices is not available.

Archive scanning is not available without SFX-archive scanning: if archive scanning is enabled in the protection
settings of Kaspersky Security for Windows Server, the application automatically scans objects in both
archives and SFX-archives. SFX-archive scanning is available without archive scanning.

Licensing:

The application cannot be activated with a key via the Setup wizard if the key is stored on a disk created using
the SUBST command, or if the path to the key le is a network path.

Updates:

After Kaspersky Security for Windows Server critical modules updates are installed, the application icon is
hidden by default.

KLRAMDISK is not supported on protected devices running the Windows XP or Windows Server 2003
operating system.

39
Interface:

In the Application Console, ltering in the Quarantine, Backup, System audit log or Task log is case sensitive.

When con guring a protection or scan scope in the Application Console, you can use only one mask and only at
the end of the path. Some examples of correct masks include: "C:\Temp\Temp*", or "C:\Temp\Temp???.doc", and
"C:\Temp\Temp*.doc". This limitation does not a ect con guration of the Trusted Zone.

Security:

If the operating system’s User Account Control feature is enabled, a user account must be part of the
KAVWSEE Administrators group to open the Application Console with a double-click on the application icon in
the tray noti cation area. Otherwise, it will be necessary to login as a user whose is allowed to open the
Compact Diagnostic Interface or Microsoft Management Console snap-in.

The application cannot be uninstalled via the Microsoft Windows Programs and Features window if User
Account Control is enabled.

Integration with Kaspersky Security Center:

Administration Server veri es database updates when update packages are received, before sending the
updates to protected devices on the network. Administration Server does not verify software module updates.

Make sure the required check boxes are selected in the Interaction with the Administration Server settings
when you use components that transmit dynamic data to Kaspersky Security Center using network lists
(Quarantine, Backup, Blocked hosts).

Exploit Prevention:

Exploit Prevention is not available if the apphelp.dll libraries are not loaded in the current environment
con guration.

The Exploit Prevention component is incompatible with Microsoft’s EMET utility on protected devices running
the Microsoft Windows 10 operating system: Kaspersky Security for Windows Server blocks EMET, if the Exploit
Prevention component is being installed on a protected device with EMET installed.

Anti-Cryptor for NetApp:

Anti-Cryptor protection cannot be provided for NASes running new operating systems (ONTAP 9 and higher) if
FlexGroup containers are used for these servers.

File threat detection is limited on NetApp network attached storages in 7 Mode.

Anti-Cryptor for NetApp is only available in cluster mode.

A server can use only one network interface and only one IPv4 address.

Blocked Host storage: runs continuously when the Anti-Cryptor or Real-Time File Protection components are
enabled.

ICAP Network Storage Protection:

Management of the contents of protected storage depends on the storage settings. For example, detected
infected objects cannot be deleted if the storage does not allow this action.

HPE 3PAR storage only works in block access mode.

40
 If an exclusion rule for not-a-virus objects is active within the Trusted Zone, it is also applied to the ICAP
Network Storage Protection task.

RPC Network Storage Protection: Active Directory is required for cluster mode.

KSN Usage: For Windows Vista and earlier versions of Windows operating systems, this component does not
support statistics for web threat protection and mail threat protection.

41
Kaspersky Endpoint Agent
Kaspersky Endpoint Agent is installed on individual devices in the organization's IT infrastructure. The application
constantly monitors the processes running on these devices, open network connections and the les being
modi ed. Kaspersky Endpoint Agent supports interaction with the following Kaspersky solutions to detect
sophisticated threats (such as targeted attacks):

Kaspersky Endpoint Detection and Response Optimum . (Supported by Kaspersky Endpoint Agent 3.9 and
higher.)

Kaspersky Anti Targeted Attack Platform . (Supported by Kaspersky Endpoint Agent 3.8 and higher.)

Kaspersky Sandbox . (Supported by Kaspersky Endpoint Agent 3.7 and higher.)

Kaspersky Security 11 for Windows Server supports the following versions of Kaspersky Endpoint Agent: 3.7, 3.8,
3.9.

Kaspersky Security 11 for Windows Server distribution package includes installation les of Kaspersky Endpoint
Agent 3.9. You can install Kaspersky Endpoint Agent 3.9 during the Kaspersky Security for Windows Server
installation.

42
Installing and removing the application
This section provides step-by-step instructions for installing and removing Kaspersky Security for Windows
Server.

Kaspersky Security for Windows Server software component codes for the
Windows Installer service
The \product\ks4ws_x86.msi and \product\ks4ws_x64.msi les are designed to install the Protect computer with
Anti-Virus Bases con guration of Kaspersky Security for Windows Server.

If the Protect computer with Anti-Virus Bases con guration is selected, all Kaspersky Security for Windows
Server components are included by default except the Firewall Management and Performance Counters
components.
When you install the Protect computer with Anti-Virus Bases con guration of Kaspersky Security for
Windows Server over the application version that does not use signature analysis and anti-virus databases to
protect your computer, the set of application components will be automatically expanded by adding the
following components:
Real-Time File Protection

On-Demand Scan

Network Threat Protection

The \client\ks4wstools_x86.msi and \client\ks4wstools_x64.msi les install all software components in the
"Administration Tools" set.

The following sections list the Kaspersky Security for Windows Server component codes for the Windows Installer
service. These codes can be used to de ne a list of components to be installed when installing Kaspersky Security
for Windows Server from the command line.

Kaspersky Security for Windows Server software components

The following table contains codes for and a description of Kaspersky Security for Windows Server software
components.

Description of Kaspersky Security for Windows Server software components

Component Code Functions performed

Basic Core This component contains the set of basic application functions and
functionality ensures their operation.

Applications AppCtrl This component monitors user attempts to run applications and allows
Launch or denies application launch in accordance with speci ed Applications
Control Launch Control rules.
It is implemented in the Applications Launch Control task.

Device DevCtrl This component tracks attempts to connect USB external devices to a
Control protected device and allows or denies use of these devices according

43
 to the speci ed device control rules.
The component is implemented in the Device Control task.
Tra ic WebGW This component processes web tra ic (including tra ic received via
Security the mail services) and intercepts and scans objects transferred
through web tra ic to detect known computer and other threats on
the protected device.

Anti-Virus AVProtection This component provides anti-virus protection and contains the
protection following components:
On-Demand Scan
Real-Time File Protection
Network IDS This component scans inbound network tra ic for activity that is
Threat typical of network attacks. Upon detecting an attempted network
Protection attack that targets your computer, Kaspersky Security for Windows
Server blocks network activity from the attacking computer.

On-Demand Ods This component installs Kaspersky Security for Windows Server
Scan system les and provides On-Demand scan tasks (scanning of objects
on the protected device upon request).
If other Kaspersky Security for Windows Server components are
speci ed when installing Kaspersky Security for Windows Server from
the command line, but the Core component is not speci ed, the Core
component is installed automatically.

Real-Time File Oas This component performs anti-virus scans of les on the protected
Protection device when these les are accessed.
It implements the Real-Time File Protection task.

Anti-Cryptor AntiCryptor This component lls the list of blocked hosts with names of remote
devices that show malicious activity.
It implements the Anti-Cryptor task.

Script ScriptChecker This component scans the code of scripts created using Microsoft
Monitoring Windows scripting technologies. Scanning is performed when an
attempt is made to run a script.
This component implements the Script Monitoring task.

Kaspersky Ksn This component provides protection based on Kaspersky cloud

Security technologies.
Network
It implements the KSN Usage task (sending requests to and receiving
Usage
conclusions from the Kaspersky Security Network service).

Endpoint Soyuz Endpoint Agent supports interaction between a client computer and
Agent Kaspersky solutions to detect sophisticated threats.

File Integrity Fim This component logs operations performed on les in the speci ed
Monitor monitoring scope.
The component implements the File Integrity Monitor task.

Exploit AntiExploit This component makes it possible to manage settings to protect

Prevention memory used by processes in a device's memory.

Firewall Firewall This component makes it possible to manage Windows Firewall

Management through the Kaspersky Security for Windows Server graphical user
interface.
The component implements the Firewall Management task.

Module for AKIntegration This component provides a connection between the Kaspersky

44
 integration Security for Windows Server and the Kaspersky Security Center
with Network Agent.
Kaspersky
You can install this component on the protected device if you intend
Security
to manage the application via the Kaspersky Security Center.
Center
Network
Agent

Log LogInspector This component monitors the integrity of the protected environment
Inspection based on the results of an inspection of Windows event logs.

RPC Network RPCProt This component protects RPC network storages (such as NetApp
Storage network attached storages) against viruses and other computer
Protection security threats that in ltrate the server through the exchange of les.

ICAP Network ICAPProt This component protects ICAP network storages (such as EMC Isilon)
Storage against viruses and other security threats that in ltrate the server
Protection through the exchange of les.

Anti-Cryptor AntiCryptorNAS This component provides encryption protection for the folders on the
for NetApp Network Attached Storages. If any malicious encrypting is detected,
Kaspersky Security for Windows Server blocks access to the folders
of the protected network attached storage.

Set of PerfMonCounters This component installs a set of System Monitor performance

"System counters. Performance counters enable Kaspersky Security for
Monitor" Windows Server performance to be measured and potential
performance bottlenecks to be located on the protected device when Kaspersky
counters Security for Windows Server is used with other programs.

SNMP SnmpSupport This component publishes Kaspersky Security for Windows Server
counters and counters and traps via Simple Network Management Protocol (SNMP)
traps on Microsoft Windows. This component may be installed on the
protected device only if Microsoft SNMP is installed on the same
protected device.

Kaspersky TrayApp This component displays the Kaspersky Security for Windows Server
Security for icon in the task tray noti cation area of the protected device. The
Windows Kaspersky Security for Windows Server icon displays the status of
Server icon in device protection and can be used to open the Application Console in
the Microsoft Management Console (if installed) and the About the
noti cation application window.
area

"Administration tools" software component

The following table contains the code and the description of the "Administration tools" software component.

Description of the "Administration tools" software component

Component Code Component functions

Kaspersky MmcSnapin This component installs the Microsoft Management Console snap-in to
Security for manage the application via the Kaspersky Security for Windows Server
Windows Server Console.
snap-in If other components are speci ed during installation of "Administration
Tools" from the command line, and the MmcSnapin component is not
speci ed, the component will be installed automatically.

45
System changes after Kaspersky Security for Windows Server installation
When Kaspersky Security for Windows Server and the set of "Administration Tools" (including the Application
Console) are installed together, the Windows Installer service will make the following modi cations on the
protected device:

Kaspersky Security for Windows Server folders are created on the protected device and on the protected
device where the Application Console is installed.

Kaspersky Security for Windows Server services are registered.

Kaspersky Security for Windows Server user group is created.

Kaspersky Security for Windows Server keys are registered in the system registry.

These changes are described below.

Kaspersky Security for Windows Server folders on a protected device

When Kaspersky Security for Windows Server is installed, the following folders are created on a protected device:

Kaspersky Security for Windows Server default installation folder containing the Kaspersky Security for
Windows Server executable les depend on the operating system bit set. Therefore, the default installation
folders are as follows:

On the 32-bit version of Microsoft Windows: %ProgramFiles%\Kaspersky Lab\Kaspersky Security for

Windows Server\

On the 64-bit version of Microsoft Windows: %ProgramFiles(x86)%\Kaspersky Lab\Kaspersky Security for

Windows Server\

Management Information Base (MIB) les containing a description of the counters and hooks published by
Kaspersky Security for Windows Server via the SNMP protocol:

%Kaspersky Security for Windows Server%\mibs

64-bit versions of Kaspersky Security for Windows Server executable les (this folder will be created only
during installation of Kaspersky Security for Windows Server on the 64-bit version of Microsoft Windows):

%Kaspersky Security for Windows Server%\x64

Kaspersky Security for Windows Server service les:

%ProgramData%\Kaspersky Lab\Kaspersky Security for Windows Server\11\Data\

%ProgramData%\Kaspersky Lab\Kaspersky Security for Windows Server\11\Settings\

%ProgramData%\Kaspersky Lab\Kaspersky Security for Windows Server\11\Dskm\

For Windows XP the path to the Kaspersky Lab folder is %ALLUSERSPROFILE%\Application Data\.

46
 Files with settings for update sources:
%ProgramData%\Kaspersky Lab\Kaspersky Security for Windows Server\11\Update\
%ProgramData%\Kaspersky Lab\Kaspersky Security for Windows Server\11\Update\

Updates of databases and software modules downloaded using the Copying Updates task (the folder will be
created the rst time updates are downloaded using the Copying Updates task).
%ProgramData%\Kaspersky Lab\Kaspersky Security for Windows Server\11\Update\Distribution\

Task logs and system audit log.

%ProgramData%\Kaspersky Lab\Kaspersky Security for Windows Server\11\Reports\

Set of databases currently in use.

%ProgramData%\Kaspersky Lab\Kaspersky Security for Windows Server\11\Bases\Current\

Backup copies of databases; they are overwritten each time the databases are updated.
%ProgramData%\Kaspersky Lab\Kaspersky Security for Windows Server\11\Bases\Backup\

Temporary les created during execution of update tasks.

%ProgramData%\Kaspersky Lab\Kaspersky Security for Windows Server\11\Bases\Temp\

Quarantined objects (default folder).

%ProgramData%\Kaspersky Lab\Kaspersky Security for Windows Server\11\Quarantine\

Objects in backup (default folder).

%ProgramData%\Kaspersky Lab\Kaspersky Security for Windows Server\11\Backup\

Objects restored from backup and quarantine (default folder for restored objects).
%ProgramData%\Kaspersky Lab\Kaspersky Security for Windows Server\11\Restored\

Folder created during installation of Application Console

The Application Console default installation folders containing the "Administration Tools" les depend on the
operating system bit set. Therefore, the default installation folders are as follows:

On the 32-bit version of Microsoft Windows: %ProgramFiles%\Kaspersky Lab\Kaspersky Security for Windows
Server Admins Tools\

On the 64-bit version of Microsoft Windows: %ProgramFiles(x86)%\Kaspersky Lab\Kaspersky Security for

Windows Server Admins Tools\

Kaspersky Security for Windows Server services

The following Kaspersky Security for Windows Server services start using the local system (SYSTEM) account:

Kaspersky Security Service (KAVFS) – essential Kaspersky Security for Windows Server service that manages
Kaspersky Security for Windows Server tasks and work ows.

Kaspersky Security Management Service (KAVFSGT) – this service is intended for Kaspersky Security for
Windows Server application management through the Application Console.

47
 Kaspersky Security Exploit Prevention Service (KAVFSSLP)– a service that acts as an intermediary to
communicate security settings to external security agents, and to receive data about security events.

Kaspersky Security Script Checker Service (KAVFSSCS) – this service is started along with the Script
Monitoring task and allows to control the execution of scripts created using Microsoft Windows scripting
technologies.

Kaspersky Security for Windows Server group

KAVWSEE Administrators is a group on the protected device, which users have full access to the Kaspersky
Security Management Service and to all Kaspersky Security for Windows Server functions.

System registry keys

When Kaspersky Security for Windows Server is installed, the following system registry keys are created:

Properties of the Kaspersky Security for Windows Server:

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\KAVFS]

Kaspersky Security for Windows Server event log settings (Kaspersky Event Log):
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Eventlog\Kaspersky Security]

Properties of the Kaspersky Security for Windows Server management service:

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\KAVFSGT]

Performance counter settings:

On the 32-bit version of Microsoft Windows:

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Kaspersky Security\Performance]

On the 64-bit version of Microsoft Windows:

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Kaspersky Security x64\Performance]

SNMP Protocol Support component settings:

On the 32-bit version of Microsoft Windows:

[HKEY_LOCAL_MACHINE\SOFTWARE\KasperskyLab\WSEE\11\SnmpAgent]

On the 64-bit version of Microsoft Windows:

[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\KasperskyLab\WSEE\11\SnmpAgent]

Dump le settings:

On the 32-bit version of Microsoft Windows:

[HKEY_LOCAL_MACHINE\SOFTWARE\KasperskyLab\WSEE\11\CrashDump]

On the 64-bit version of Microsoft Windows:

[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\KasperskyLab\WSEE\11\CrashDump]

Trace le settings:

On the 32-bit version of Microsoft Windows:

[HKEY_LOCAL_MACHINE\SOFTWARE\KasperskyLab\WSEE\11\Trace]

48
 On the 64-bit version of Microsoft Windows:
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\KasperskyLab\WSEE\11\Trace]

Con guration of the application's tasks and functions:

[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\KasperskyLab\WSEE\11\Environment]

Kaspersky Security for Windows Server processes

Kaspersky Security for Windows Server starts processes described in the table below.

Kaspersky Security for Windows Server processes

File name Purpose

kavfswp.exe Kaspersky Security for Windows Server work ow

kavtray.exe Process for the System Tray Icon

kavfsmui.exe Process for the Compact Diagnostic Interface component

kavshell.exe Command line utility process

kavfsrcn.exe Kaspersky Security for Windows Server remote management process

kavfs.exe Kaspersky Security Service process

kavfsgt.exe Kaspersky Security Management Service process

kavfswh.exe Kaspersky Security Exploit Prevention Service process

kavfsscs.exe Kaspersky Security Script Checker Service

Installation and uninstallation settings and command line options for the
Windows Installer service
This section contains descriptions of the settings for installing and uninstalling Kaspersky Security for Windows
Server, their default values, keys for changing the installation settings, and their possible values. These keys can be
used in conjunction with standard keys for the Windows Installer service's msiexec command when installing
Kaspersky Security for Windows Server from the command line.

Installation settings and command line options in Windows Installer

Acceptance of the terms of the End User License Agreement: you must accept the terms to install Kaspersky
Security for Windows Server.
The possible values for EULA=<value> command line option are as follows:

0 – you reject the terms of the End User License Agreement (default value).

1 – you accept the terms of the End User License Agreement.

Acceptance of the terms of the Privacy Policy: you must accept the terms to install Kaspersky Security for
Windows Server.
The possible values for PRIVACYPOLICY=<value> command line option are as follows:

49
 0 – you reject the terms of the Privacy Policy (default value).

1 – you accept the terms of the Privacy Policy.

Allow installation of Kaspersky Security for Windows Server if the KB4528760 update not installed. For detailed
information about the KB4528760 update please visit Microsoft website .
The possible values for SKIPCVEWINDOWS10=<value> command line option are as follows:

0 – cancel the installation of Kaspersky Security for Windows Server if the KB4528760 update is not
installed (default value).

1 – allow the installation of Kaspersky Security for Windows Server if the KB4528760 update is not installed.

The KB4528760 update xes the CVE-2020-0601 security vulnerability. For detailed information about the
CVE-2020-0601 security vulnerability please visit the Microsoft website .

Installation of Kaspersky Security for Windows Server with a preliminary scan of active processes and the boot
sectors of local disks.
The possible values for PRESCAN=<value> command line option are as follows:

0 – do not perform a preliminary scan of active processes and the boot sectors of local disks during the
installation (default value).

1 – perform a preliminary scan of active processes and the boot sectors of local disks during the
installation.

Destination folder where Kaspersky Security for Windows Server les will be saved during installation. A
di erent folder can be speci ed.
The default values for INSTALLDIR=<full path to the folder> command line option are as follows:

Kaspersky Security for Windows Server: %ProgramFiles%\Kaspersky Lab\Kaspersky Security for Windows
Server

Administration tools: %ProgramFiles%\Kaspersky Lab\Kaspersky Security for Windows Server Admins Tools

On the x64-bit version of Microsoft Windows: %ProgramFiles(x86)%

The Real-Time File Protection task starts immediately after Kaspersky Security for Windows Server starts. Turn
on this setting to start Real-Time File Protection and Script Monitoring when Kaspersky Security for Windows
Server starts (recommended).
The possible values for RUNRTP=<value> command line option are as follows:

1 – start (default value).

0 – do not start.

Protection exclusions recommended by Microsoft Corporation. In the Real-Time File Protection task exclude
from the protection scope objects on the device that Microsoft Corporation recommends to exclude. Some
applications on the protected device may become unstable when an anti-virus application intercepts or
modi es the les they use. For example, Microsoft Corporation includes some domain controller applications in
the list of such objects.
The possible values for ADDMSEXCLUSION=<value> command line option are as follows:

50
 1 – exclude (default value).

0 – do not exclude.

Objects excluded from the protection scope according to Kaspersky recommendations. In the Real-Time File
Protection task exclude from the protection scope objects on the device that Kaspersky recommends to
exclude.
The possible values for ADDKLEXCLUSION=<value> command line option are as follows:

1 – exclude (default value).

0 – do not exclude.

Allow remote connection to the Application Console. By default, remote connection is not allowed to the
Application Console installed on the protected device. During the installation, you can allow connection.
Kaspersky Security for Windows Server creates allowing rules for the process kavfsgt.exe using the TCP
protocol for all ports.
The possible values for ALLOWREMOTECON=<value> command line option are as follows:

1 – allow.

0 – deny (default value).

Path to the key le (LICENSEKEYPATH

)

. By default, the Windows Installer attempts to nd the le with .key extension in the \server folder of the
distribution kit. If the \server folder contains several key les, the Windows Installer will select the key le that
has the farthest expiration date. A key le can be saved beforehand in the \server folder or by specifying
another path to the key le using the Add key setting. You can add a key after Kaspersky Security for Windows
Server is installed using an administrative tool of your choice: for example, the Application Console. If you do
not add a key during installation of the application, Kaspersky Security for Windows Server will not function.

Path to the con guration le. Kaspersky Security for Windows Server imports settings from the speci ed
con guration le created in the application. Kaspersky Security for Windows Server does not import
passwords from the con guration le, for example, account passwords for starting tasks, or passwords for
connecting to a proxy server. Once the settings are imported, you will have to enter all passwords manually. If
the con guration le is not speci ed, the application will start to work with the default settings after setup.
The default value for CONFIGPATH=<configuration file name> is not speci ed.

Enabling network connections for the Application Console option is used to install Kaspersky Security for
Windows Server Console on another device. You can remotely manage device protection from another device
with the Kaspersky Security for Windows Server Console installed. Port 135 (TCP) is opened in Microsoft
Windows Firewall, network connections are allowed for the executable le kavfsrcn.exe for remote management
of Kaspersky Security for Windows Server, and access is granted to DCOM applications. When installation is
complete, add users to the KAVWSEE Administrators group to let them remotely manage the application, if the
protected device operates on the Microsoft Windows Server 2008, and allow network connections to the
Kaspersky Security Management Service (kavfsgt.exe le) on the protected device. You can read more about
additional con guration when the Kaspersky Security for Windows Server Console is installed on another
device.
The possible values for ADDWFEXCLUSION=<value> command line option are as follows:

1 – allow.

0 – deny (default value).

51
 Disabling the check for incompatible software. Use this setting to enable or disable the check for incompatible
software during background installation of the application on the protected device.Regardless of the value of
this setting, during installation of Kaspersky Security for Windows Server, the application always warns about
other versions of the application installed on the protected device.
The possible values for SKIPINCOMPATIBLESW=<value> command line option are as follows:

0 – The check for incompatible software is performed (default value).

1 – The check for incompatible software is not performed.

Uninstallation settings and command line options in Windows Installer

Restoring quarantined objects.

The possible values for RESTOREQTN=<value> command line option are as follows:

0 – Remove quarantined content (default value).

1 – Restore quarantined content to the folder speci ed by the RESTOREPATH parameter into the
\Quarantine subfolder.

Restoring the content of backup.

The possible values for RESTOREBCK=<value> command line option are as follows:

0 – Remove backup content (default value).

1 – Restore backup contents to the folder speci ed by the RESTOREPATH parameter into the \Backup
subfolder.

Enter the current password to con rm the uninstallation (if password protection is enabled).
The default value for UNLOCK_PASSWORD=<specified password> is not speci ed.

Folder for restored objects. Restored objects will be saved to the speci ed folder.
The default value for RESTOREPATH=<full path to the folder> command line option is
%ALLUSERSPROFILE%\Application Data\Kaspersky Lab\Kaspersky Security for Windows Server\11\Restored.

Kaspersky Security for Windows Server install and uninstall logs

If Kaspersky Security for Windows Server is installed or uninstalled using the Installation (Uninstallation) Wizard, the
Windows Installer service creates an install (uninstall) log. A log le named ks4ws_v11.0_install_<uid>.log (where
<uid> is a unique 8-character log identi er) will be saved in the %temp% folder for the user whose account was
used to start the setup.exe le.

If you run the Modify or Remove option for the Application Console or Kaspersky Security for Windows Server
from the Start menu, a log le named ks4ws_11_maintenance.log is automatically created in the %temp% folder.

If Kaspersky Security for Windows Server is installed or uninstalled from the command line, the install log le will
not be created by default.

To install Kaspersky Security for Windows Server and create a log le on disk C:\:

msiexec /i ks4ws_x86.msi /l*v C:\ks4ws.log /qn EULA=1 PRIVACYPOLICY=1

52
 msiexec /i ks4ws_x64.msi /l*v C:\ks4ws.log /qn EULA=1 PRIVACYPOLICY=1

Installation planning
This section describes the set of Kaspersky Security for Windows Server administration tools, and special aspects
of installing and uninstalling Kaspersky Security for Windows Server using a wizard, command line, using Kaspersky
Security Center and via an Active Directory group policy.

Before starting installation of Kaspersky Security for Windows Server, plan the main stages of the installation.

1. Determine which administration tools will be used to manage and con gure Kaspersky Security for Windows
Server.

2. Select the necessary application components for installation.

3. Select the installation method.

Selecting administration tools

Determine the administration tools that will be used to con gure Kaspersky Security for Windows Server settings
and to manage the application. Kaspersky Security for Windows Server can be managed using the Application
Console, command-line utility, and Kaspersky Security Center Administration Console.

Kaspersky Security for Windows Server Console

Kaspersky Security for Windows Server Console is a standalone snap-in added to the Microsoft Management
Console. Kaspersky Security for Windows Server can be managed via the Application Console installed on the
protected device or on another device on the corporate network.

Multiple Kaspersky Security for Windows Server snap-ins can be added to one Microsoft Management Console
opened in author mode to use it to manage the protection of multiple device with Kaspersky Security for Windows
Server installed.

The Application Console is included in the set of "Administration Tools" application components.

Command line utility

You can manage Kaspersky Security for Windows Server from the command line of a protected device.

The command line utility is included in the Kaspersky Security for Windows Server software components group.

Kaspersky Security Center

If Kaspersky Security Center is used for centralized management of anti-virus protection of devices at your
company, you can manage Kaspersky Security for Windows Server via the Kaspersky Security Center
Administration Console.

53
The following components must be installed:

Module for integration with Kaspersky Security Center Network Agent. This component is included in the
Kaspersky Security for Windows Server software components group. It allows Kaspersky Security for Windows
Server to communicate with the Network Agent. Install the module for integration with Kaspersky Security
Center Network Agent on the protected device.

Kaspersky Security Center Network Agent. Install this component on each protected device. This
component supports interaction between Kaspersky Security for Windows Server installed on the protected
device and Kaspersky Security Center Administration Console. The Network Agent installation le is included in
the Kaspersky Security Center distribution kit folder.

Kaspersky Security 11 Administration Plug-in. Additionally, install the Administration Plug-in for managing
Kaspersky Security for Windows Server via the Administration Console on the protected device where the
Kaspersky Security Center Administration Server is installed. This provides the interface for application
management via Kaspersky Security Center. The Administration Plug-in installation le, \server\klcfginst.exe, is
included in the Kaspersky Security for Windows Server distribution kit.

Selecting the installation type

After specifying the software components for installation of Kaspersky Security for Windows Server, you need to
select the application installation method.

Select the installation method depending on the network architecture and the following conditions:

Whether you need special Kaspersky Security for Windows Server installation settings, or the recommended
installation settings.

Whether the installation settings will be the same for all protected devices or speci c to each protected
device.

Kaspersky Security for Windows Server can be installed interactively using the Setup Wizard or in silent mode
without user involvement, and can be invoked by running the installation package le with installation settings from
the command line. A centralized remote installation of Kaspersky Security for Windows Server can be performed
using Active Directory group policies or using the Kaspersky Security Center remote installation task.

Kaspersky Security for Windows Server can be installed and con gured on a single protected device with its
settings saved to a con guration le; the le can then be used to install Kaspersky Security for Windows Server on
other protected devices. Note that this ability does not exist when the application is installed using Active
Directory group policies.

Starting the Setup Wizard

The Setup Wizard can install the following:

Kaspersky Security for Windows Server components on a protected device out of a \server\setup.exe le
included in the distribution kit.

Kaspersky Security for Windows Server Console from the \client\setup.exe le in the distribution kit on the
protected device or another LAN host.

54
Running the installation package le from the command line with the necessary installation
settings

If the installation package le is started without command-line options, Kaspersky Security for Windows Server will
be installed with the default settings. Kaspersky Security for Windows Server options can be used to modify the
installation settings.

The Application Console can be installed on the protected device and / or administrator's workstation.

You can also use sample commands for the installation of Kaspersky Security for Windows Server and the
Application Console.

Centralized installation via Kaspersky Security Center

If Kaspersky Security Center is used in your network for managing networked devices' anti-virus protection,
Kaspersky Security for Windows Server can be installed on multiple devices by using the remote installation task.

The protected devices on which you want to install Kaspersky Security for Windows Server using Kaspersky
Security Center may be in the same domain as Kaspersky Security Center in a di erent domain, or in no domain at
all.

Centralized installation using Active Directory group policies

Active Directory group policies can be used to install Kaspersky Security for Windows Server on the protected
device. The Application Console can be installed on the protected device or administrator's workstation.

Kaspersky Security for Windows Server can be installed using just the recommended installation settings.

The protected devices on which Kaspersky Security for Windows Server is installed using Active Directory group
policies must be located in the same domain and the same organizational unit. Installation is performed at
protected device start before logging in to Microsoft Windows.

Installing and uninstalling the application using a wizard

This section describes the installation and uninstallation of Kaspersky Security for Windows Server and the
Application Console by means of the Setup Wizard, and contains information about additional con guration of
Kaspersky Security for Windows Server and actions to be performed upon installation.

Installing using the Setup Wizard

The following sections contain information about installation of Kaspersky Security for Windows Server, the
Application Console and the Microsoft Outlook Add-in.

To install and proceed to use Kaspersky Security for Windows Server:

1. Install Kaspersky Security for Windows Server on a protected device.

2. Install the Application Console on the devices from which you intend to manage Kaspersky Security for
Windows Server.

55
 3. If the Application Console has been installed on any device in the network, other than protected device,
perform the additional con guration to allow Application Console users to manage Kaspersky Security for
Windows Server remotely.

4. Install the Microsoft Outlook Add-in on the device with Microsoft Outlook client installed.

5. Perform actions after installation of Kaspersky Security for Windows Server.

Kaspersky Security for Windows Server installation

Before installing Kaspersky Security for Windows Server, do the following:

1. Make sure no other anti-virus programs are installed on the protected device. You must uninstall Kaspersky
Anti-Virus 8.0 for Windows Servers Enterprise Edition. You can install Kaspersky Security for Windows Server
without uninstalling Kaspersky Security 10 for Windows Server.

2. Make sure that the account which you are using to start the Setup Wizard belongs to the administrators group
on the protected device.

After completing the actions described above, proceed with the installation procedure. Following the Setup
Wizard instructions, specify the installation settings for Kaspersky Security for Windows Server. The Kaspersky
Security for Windows Server installation process can be stopped at any step of the Setup Wizard. To do so, click
the Cancel button in the Setup Wizard's window.

You can read more about the installation (uninstallation) settings.

To install Kaspersky Security for Windows Server using the Setup Wizard:

1. Start the setup.exe le on the protected device.

2. In the window that opens, in the Installation section, click the Install Kaspersky Security 11 for Windows
Server link.

3. In the welcome screen of the Kaspersky Security for Windows Server Setup Wizard, click the Next button.
The End User License Agreement and Privacy Policy window opens.

4. Review the terms of the License Agreement and Privacy Policy.

5. If you agree to the terms and conditions of End User License Agreement and Privacy Policy, select the I con rm
that I have fully read, understood, and accept the terms and conditions of this End User License
Agreement and I am aware and agree that my data will be handled and transmitted (including to third
countries) as described in the Privacy Policy. I con rm that I have fully read and understand the Privacy
Policy check boxes in order to proceed with the installation.

If you do not accept the End User License Agreement and/or Privacy Policy the installation will be aborted.

6. Click the Next button.

If the protected device has any compatible version of the application installed, the Previous version of the
application detected window will open.
If previous versions of the application are not detected, proceed to step 8 of these instructions.

56
7. To upgrade from the previous version of the application, click the Install button. The Setup Wizard will upgrade
application to Kaspersky Security for Windows Server 11 and save compatible settings in the new version. On
the upgrade completion, wizard will open the Installation complete window (proceed to the Step 15 of these
instructions).
The Quick scan of the device before installation window opens.

8. In the Quick scan of the device before installation, select the Scan device for viruses check box to scan
system memory and the boot sectors of the protected device local drives for threats. Click the Next button.
On completion of the scanning procedure the wizard will open a window reporting the scan results.
This window displays information about scanned protected device objects: the total number of scanned
objects, the number of threats detected, the number of infected or probably infected objects detected, the
number of dangerous or potentially dangerous processes removed from memory by Kaspersky Security for
Windows Server, and the number of dangerous or potentially dangerous processes that the application was
unable to remove.
To see exactly which objects were scanned, click the List of processed objects button.

9. Click the Next button in the Quick scan of the device before installation window.
The Custom installation window opens.

10. Select the components to be installed.

By default, all Kaspersky Security for Windows Server components are included in recommended installation
set, except the Firewall Management and Script Monitoring component.

The SNMP Protocol Support component of Kaspersky Security for Windows Server will only appear in the
list of components suggested for installation if the Microsoft Windows SNMP service is installed on the
protected device.

If you chose to install Kaspersky Endpoint Agent, Kaspersky Endpoint Agent End User License Agreement
window will open on the next step of the wizard. If you agree to the terms and conditions of End User License
Agreement, select the I con rm that I have fully read, understood, and accept the terms and conditions of
this End User License Agreement check box. The Kaspersky Endpoint Agent installation will start after the
installation of Kaspersky Security for Windows Server.

11. To cancel all changes, click the Reset button in the Custom installation window. Click the Next button.

12. In the Select a destination folder window:

If required, specify a folder to which Kaspersky Security for Windows Server les will be copied.

If required, review the information about available space on local drives by clicking the Disk button.

Click the Next button.

13. In the Advanced installation settings window, con gure the following installation settings:

Enable real-time protection after installation of application.

Add Microsoft recommended les to exclusions list.

Add Kaspersky recommended les to exclusions list.

Click the Next button.

14. In the Import settings from con guration le window:

57
 a. Specify the con guration le to import Kaspersky Security for Windows Server settings from an existing
con guration le created in any compatible previous version of the application.

b. Click the Next button.

15. In the Activation of the application window, do one of the following:

If you want to activate the application, specify a Kaspersky Security for Windows Server key le for
application activation.

If you want to activate the application later, click the Next button.

If a key le was previously saved in the \server folder of the distribution kit, the name of this le will be
displayed in the Key eld.

To add a key using a key le stored in another folder, specify the key le.

You cannot activate the application using an activation code via Setup Wizard. If you want to activate
the application using activation code, you need to enter the code after installation.

Once the key le is added, license information will be shown in the window. Kaspersky Security for Windows
Server displays the license's calculated expiration date. The license term runs from the time when you add a
key and expires no later than the expiration date of the key le.
Click the Next button to apply the key le in the application.

16. In the Ready to install window, click the Install button. The wizard will start the installation of Kaspersky
Security for Windows Server components.

17. The Installation complete window opens when installation is complete.

18. Select the View Release Notes check box to view information about the release after the Setup Wizard is
done.

19. Click Finish.

The Setup Wizard closes. Once installation is complete, Kaspersky Security for Windows Server is ready to use if
you have added an activation key.

Kaspersky Security for Windows Server Console installation

Follow the instructions of the Setup Wizard to con gure installation settings for the Application Console. The
installation process can be stopped at any step of the wizard. To do so, click the Cancel button in the Setup
Wizard window.

To install the Application Console:

1. Make sure that the account you use to run the Setup Wizard belongs to the administrators group on the
device.

2. Run the setup.exe le on the protected device.

The welcome window opens.

3. Click on the Install Kaspersky Security 11 Console link.

58
 The Setup Wizard's welcome window opens.

4. Click the Next button.

5. In the window that opens, review the terms of the End User License Agreement and select the I con rm that I
have fully read, understood, and accept the terms and conditions of this End User License Agreement
check box in order to proceed with the installation.

6. Click the Next button.

The Advanced installation settings window opens.

7. In the Advanced installation settings window:

If you intend to use the Application Console to manage Kaspersky Security for Windows Server installed on
a remote device, select the Allow remote access check box.

To open the Custom installation window and select components:

a. Click the Advanced button.

The Custom installation window opens.

b. Select the "Administration Tools" components from the list.

By default, all the components are installed.

c. Click the Next button.

You can nd more detailed information about Kaspersky Security for Windows Server components.

8. In the Select a destination folder window:

a. If required, specify a di erent folder to which the les being installed should be saved.

b. Click the Next button.

9. In the Ready to install window, click the Install button.

The wizard will begin installing the selected components.

10. Click Finish.

The Setup Wizard closes. The Application Console will be installed on the protected device.

If the "Administration tools" set has been installed on any device in the network other than protected device,
con gure the advanced settings.

Kaspersky Security Microsoft Outlook Add-in installation

Follow the instructions of the Setup Wizard to con gure installation settings for the Microsoft Outlook Add-in.
The installation process can be stopped at any step of the wizard. To do so, click the Cancel button in the Setup
Wizard window.

59
 You can install the Microsoft Outlook Add-in on the protected device only if Kaspersky Security for Windows
Server and Microsoft Outlook mail client are installed.

To install the Microsoft Outlook Add-in:

1. Make sure that the account you use to run the Setup Wizard belongs to the administrators group on the
device.

2. Run the setup.exe le on the protected device.

The welcome window opens.

3. Click on the Install Kaspersky Security 11 Microsoft Outlook Add-in (x86) or Install Kaspersky Security 11
Microsoft Outlook Add-in (x64) link according to bitness of the installed Microsoft Outlook client.
The Setup Wizard's welcome window opens.

4. Click the Next button.

5. Review the terms of the End User License Agreement in the opened window, and select the I con rm that I
have fully read, understood, and accept the terms and conditions of this End User License Agreement
check box in order to proceed with the installation.

6. Click the Next button.

The Destination folder window opens.

7. In the Destination folder window:

If you want to change the destination folder, click the Change button.
The Change destination folder window opens.

a. Specify another destination folder.

b. Click OK.

If you do not want to change the destination folder, click the Next button.

The Ready to install Kaspersky Security for Windows Server 11 Microsoft Outlook Add-in window opens.

8. In the Ready to install window, click the Install button.

The wizard will begin installing the selected components.

9. Click Finish.

The Setup Wizard closes.

If Microsoft Outlook mail client is running during installation of the Add-in, you must restart it after completion
of the installation.

60
Advanced settings after installation of the Application Console on another
device
If the Application Console has been installed on any device in the network, other than a protected device, perform
the following actions to allow users to manage Kaspersky Security for Windows Server remotely:

Add Kaspersky Security for Windows Server users to the KAVWSEE Administrators group on the protected
device.

Allow network connections for the Kaspersky Security Management Service (kavfsgt.exe), if the protected
device uses Windows Firewall or a third-party rewall.

If the Allow remote access check box is not selected during installation of the Application Console on a device
running Microsoft Windows, manually allow network connections for the Application Console via the device's
rewall.

The Application Console on the remote device uses the DCOM protocol to receive information about Kaspersky
Security for Windows Server events (such as objects scanned, tasks completed, etc.) from the Kaspersky Security
Management Service on the protected device. You need to allow network connections for the Application Console
in the Windows Firewall settings in order to establish connections between the Application Console and the
Kaspersky Security Management Service.

On the remote device, where the Application Console is installed, do the following:

Make sure that anonymous remote access to COM applications is allowed (but not remote start and activation
of COM applications).

In Windows Firewall, open TCP port 135 and allow network connections for kavfsrcn.exe, the executable le of
the Kaspersky Security for Windows Server remote management process.
The device where the Application Console is installed uses TCP port 135 to access the protected device and to
receive a response.

Con gure an outbound rule for Windows Firewall to allow the connection.
Unlike the traditional TCP/IP and UDP/IP services where a single protocol has a xed port, DCOM dynamically
assigns ports to remote COM objects. If a rewall exists between the client (where the Application Console is
installed) and the DCOM endpoint (the protected device), a large range of ports must be opened.

The same steps should be applied to con gure any other software or hardware rewall.

If the Application Console is open while you con gure the connection between the protected device and the
device on which the Application Console is installed:

1. Close the Application Console.

2. Wait until the Kaspersky Security for Windows Server remote management process kavfsrcn.exe is nished.

3. Restart the Application Console.

The new connection settings will be applied.

61
Allowing anonymous remote access to COM applications

The names of settings may vary depending on the installed Windows operating system.

To allow anonymous remote access to COM applications:

1. On the remote device with the Kaspersky Security for Windows Server Console installed, open the Component
Services console.

2. Select Start → Run.

3. Enter the command dcomcnfg.

4. Click OK.

5. Expand the Computers node in the Component Services console on your protected device.

6. Open the context menu on the My Computer node.

7. Select Properties.

8. On the COM Security tab of the Properties window, click the Edit Limits button in the Access permissions
settings group.

9. Make sure that the Allow Remote Access check box is selected for the ANONYMOUS LOGON user in the
Allow Remote Access window.

10. Click OK.

Allowing network connections for the Kaspersky Security for Windows Server remote
management process

The names of settings may vary depending on the installed Windows operating system.

To open TCP port 135 in Windows Firewall and to allow network connections for the Kaspersky Security for
Windows Server remote management process:

1. Close the Kaspersky Security for Windows Server Console on the remote device.

2. Perform one of the following steps:

On Microsoft Windows XP SP2 or later:

a. Select Start > Windows Firewall.

b. In the Windows Firewall window (or Windows Firewall settings), click the Add port button on the
Exclusions tab.

62
 c. In the Name eld, specify the port name RPC (TCP/135) or enter another name, for example Kaspersky
Security for Windows Server DCOM, and specify the port number (135) in the Port name eld.

d. Select the TCP protocol.

e. Click OK.

f. Click the Add button on the Exclusions tab.

On Microsoft Windows 7 or later:

a. Select Start > Control Panel > Windows Firewall.

b. In the Windows Firewall window, select Allow a program or feature through Windows Firewall.

c. In the Allow programs to communicate through Windows Firewall window click the Allow another
program button.

3. Specify the kavfsrcn.exe le in the Add Program window. It is located in the destination folder speci ed during
installation of Kaspersky Security for Windows Server Console using Microsoft Management Console.

4. Click OK.

5. Click the OK button in the Windows Firewall (Windows Firewall settings) window.

Adding outbound rule for Windows Firewall

The names of settings may vary depending on the installed Windows operating system.

To add the outbound rule for Windows Firewall:

1. Select Start > Control Panel > Windows Firewall.

2. In the Windows Firewall window, click the Advanced settings link.

The Windows Firewall with Advanced Security window opens.

3. Select the Outbound Rules child node.

4. Click on the New Rule option in the Actions pane.

5. In the New Outbound Rule Wizard window that opens, select the Port option and click Next.

6. Select the TCP protocol.

7. In the Speci c remote ports eld specify the following ports range for allowing outgoing connections: 1024-
65535.

8. In the Action window, select the Allow the connection option.

9. Save the new rule and close the Windows Firewall with Advanced Security window.

63
 The Windows Firewall will now allow network connections between the Application Console and Kaspersky
Security Management Service.

Actions to perform after Kaspersky Security for Windows Server installation

Kaspersky Security for Windows Server starts protection and scan tasks immediately after installation if you have
activated the application. If Enable real-time protection after installation of application (default option) is
selected during installation of Kaspersky Security for Windows Server, the application scans the device's le
system objects when they are accessed. If the Script monitoring component was installed during custom
installation, Kaspersky Security for Windows Server scans the program code of all scripts when they are run.
Kaspersky Security for Windows Server will run the Critical Areas Scan task every Friday at 8:00 PM.

We recommend taking the following steps after installing Kaspersky Security for Windows Server:

Start the application database update task. After installation Kaspersky Security for Windows Server will scan
objects using the database included in the application distribution kit.

We recommend updating Kaspersky Security for Windows Server databases immediately since they may
be out of date.

The application will then update the databases every hour according to the default schedule con gured in the
task.

Run a Critical Areas Scan on the device if no anti-virus software with real-time le protection was installed on
the device before installation of Kaspersky Security for Windows Server.

Con gure administrator noti cations about Kaspersky Security for Windows Server events.

Starting and con guring Kaspersky Security for Windows Server Database Update task
To update the application database after installation:

1. In the Database Update task settings, con gure a connection to an update source – Kaspersky HTTP or FTP
update servers.

2. Start the Database Update task.

Web Proxy Auto-Discovery Protocol (WPAD) may not be con gured on your network to detect proxy server
settings automatically in the LAN. At that, your network may require authentication when accessing the proxy
server.

To specify the optional proxy server settings and authentication settings for accessing the proxy server:

1. Open the context menu of the Kaspersky Security node.

2. Select the Properties item.

The Application settings window opens.

3. Select the Connection settings tab.

64
4. In the Proxy server settings section, select the Use speci ed proxy server settings check box.

5. Enter the proxy server address in the Address eld, and enter the port number for the proxy server in the Port
eld.

6. In the Proxy server authentication settings section, select the necessary authentication method in the drop-
down list:

Use NTLM authentication, if the proxy server supports the built-in Microsoft Windows NTLM
authentication. Kaspersky Security for Windows Server will use the user account speci ed in the task
settings to access the proxy server (by default the task will run under the local system (SYSTEM) user
account).

Use NTLM authentication with user name and password, if the proxy server supports the built-in
Microsoft Windows NTLM authentication. Kaspersky Security for Windows Server will use the speci ed
account to access the proxy server. Enter a user name and password or select a user from the list.

Apply user name and password, to select basic authentication. Enter a user name and password or select a
user from the list.

7. Click OK in the Application settings window.

To con gure the connection to Kaspersky's update servers, in the Database Update task:

1. Start Application Console in one of the following ways:

Open the Application Console on the protected device. To do this, select Start > All Programs > Kaspersky
Security for Windows Server > Administration Tools > Kaspersky Security 11 for Windows Server
Console.

If the Application Console has been started on a device other than the protected one, connect to the
device:

a. Open the context menu of the Kaspersky Security node in the Application Console tree.

b. Select the Connect to another computer item.

c. In the Select computer window, select Another computer and in the text eld indicate the network
name of the protected device.

If the account you used to sign in to Microsoft Windows does not have access permissions for the
Kaspersky Security Management Service, indicate an account with the required permissions.

The Application Console window opens.

2. In the Application Console tree, expand the Update node.

3. Select the Database Update child node.

4. Click the Properties link in the details pane.

5. In the Task settings window that opens, open the Connection settings tab.

6. Select Use proxy server settings to connect to Kaspersky update servers.

65
 7. Click OK in the Task settings window.

The settings for connecting to the update source in the Database Update task will be saved.

To run the Database Update task:

1. In the Application Console tree, expand the Update node.

2. In the context menu on the Database Update child node, select the Start item.

The Database Update task starts.

After the task has successfully completed, you can view the release date of the latest database updates
installed in the details pane of the Kaspersky Security node.

Critical Areas Scan

After you have updated the Kaspersky Security for Windows Server databases, scan the protected device for
malware using the Critical Areas Scan task.

To run the Critical Areas Scan task:

1. Expand the On-Demand Scan node in the Application Console tree.

2. In the context menu of the Critical Areas Scan child node, select the Start command.

The task starts; the Running task status is displayed in the details pane.

To view the task log,

in the details pane of the Critical Areas Scan node, click the Open task log link.

Modifying the set of components and repairing Kaspersky Security for

Windows Server
Kaspersky Security for Windows Server components can be added or removed. You need to stop the Real-Time
File Protection task before you can remove the Real-Time File Protection component. In other circumstances there
is no need to stop the Real-Time File Protection task or Kaspersky Security Service.

If application management is password protected, Kaspersky Security for Windows Server requests the
password when you attempt to remove components or modify the set of components in the Setup Wizard.

To modify the set of Kaspersky Security for Windows Server components:

1. In the Start menu, select All programs > Kaspersky Security for Windows Server > Modify or Remove
Kaspersky Security for Windows Server.
The Setup Wizard's Modify, repair or remove installation window opens.

2. Select Modify components set. Click the Next button.

The Custom installation window opens.

66
 3. In the Custom installation window, in the list of available components, select the components that you want to
add or remove from Kaspersky Security for Windows Server. To do this, perform the following actions:

To change the set of components, click the button next to the name of the selected component. Then in
the context menu, select:

Component will be installed on local hard drive, if you want to install one component;

Component and its subcomponents will be installed on local hard drive, if you want to install a group
of components.

To remove previously installed components, click the button next to the name of the selected component.
Then in the context menu, select Component will be unavailable.

Click the Next button.

4. In the Ready to install window, con rm the change to the set of software components by clicking the Install
button.

5. In the window that opens when installation is complete, click the OK button.

The set of Kaspersky Security for Windows Server components will be modi ed based on the speci ed settings.

If problems occur in the operation of Kaspersky Security for Windows Server (Kaspersky Security for Windows
Server crashes; tasks crash or do not start), it is possible to attempt to repair Kaspersky Security for Windows
Server. You can perform a repair while saving the current Kaspersky Security for Windows Server settings, or you
can select an option to reset all Kaspersky Security for Windows Server settings to their default values.

To repair Kaspersky Security for Windows Server after the application or a task crashes:

1. In the Start menu, select All programs.

2. Select Kaspersky Security for Windows Server.

3. Select Modify or Remove Kaspersky Security for Windows Server.

The Setup Wizard's Modify, repair or remove installation window opens.

4. Select Repair installed components. Click the Next button.

This opens the Repair installed components window.

5. In the Repair installed components window, select the Restore recommended application settings check box
if you want to reset the application settings and restore Kaspersky Security for Windows Server with its default
settings. Click the Next button.

6. In the Ready to repair window, con rm the repair operation by clicking the Install button.

7. In the window that opens when the repair operation is complete, click the OK button.

Kaspersky Security for Windows Server will be repaired using the speci ed settings.

Uninstalling using the Setup Wizard

This section contains instructions on removing Kaspersky Security for Windows Server, the Application Console
and the Microsoft Outlook Add-in from a protected device using the Setup / Uninstallation Wizard.
67
Kaspersky Security for Windows Server uninstallation

Dump and trace les are not deleted on uninstalling Kaspersky Security for Windows Server. You can manually
delete dump and trace les from the folder speci ed during the con guration of dump and trace les writing.

The names of settings may vary under di erent Windows operating systems.

Kaspersky Security for Windows Server can be uninstalled from the protected device using the Setup /
Uninstallation Wizard.

After uninstalling Kaspersky Security for Windows Server from a protected device a reboot may be required. The
reboot can be postponed.

Uninstallation, repair and installation of the application is not available via the Windows Control Panel if the
operating system uses the UAC feature (User Account Control) or access to the application is password
protected.

If application management is password protected, Kaspersky Security for Windows Server requests the
password when you attempt to remove components or modify the set of components in the Setup Wizard.

To uninstall Kaspersky Security for Windows Server:

1. In the Start menu, select All programs.

2. Select Kaspersky Security for Windows Server.

3. Select Modify or Remove Kaspersky Security for Windows Server.

The Setup Wizard's Modify, repair or remove installation window opens.

4. Select Remove software components. Click the Next button.

The Advanced application uninstallation settings window opens.

5. If necessary, in the Advanced application uninstallation settings window:

a. Select the Export quarantine objects check box to make Kaspersky Security for Windows Server export
objects that have been quarantined. The check box is cleared by default.

b. Check the Export Backup objects check box to export objects from Kaspersky Security for Windows
Server Backup. The check box is cleared by default.

c. Click the Save to button and select the folder to which you want to export the objects. By default, the
objects will be exported to %ProgramData%\Kaspersky Lab\Kaspersky Security for Windows
Server\Uninstall.
Click the Next button.

6. In the Ready to uninstall window, con rm the uninstallation by clicking the Uninstall button.

68
 7. In the window that opens when the uninstallation is complete, click the OK button.

Kaspersky Security for Windows Server will be uninstalled from the protected device.

Kaspersky Security for Windows Server Console uninstallation

The names of settings may vary under di erent Windows operating systems.

You can uninstall the Application Console from the protected device using the Setup / Uninstallation Wizard.

After uninstalling the Application Console, you do not need to restart the protected device.

To uninstall the Application Console:

1. In the Start menu, select All programs.

2. Select Kaspersky Security for Windows Server.

3. Select Modify or Remove Kaspersky Security 11 for Windows Server Administration Tools.
The wizard's Modify, repair or remove installation window opens.

4. Select Remove software components and click the Next button.

5. The Ready to uninstall window opens. Click the Uninstall button.

The Uninstallation complete window opens.

6. Click OK.

Uninstallation is now complete, and the Setup Wizard closes.

Kaspersky Security Microsoft Outlook Add-in uninstallation

To uninstall the Microsoft Outlook Add-in:

1. Run the setup.exe le on the protected device.

The Setup Wizard's welcome window opens.

2. Click the Next button.

The Repair or remove installation window opens.

3. Click the Remove button.

The Ready to remove Kaspersky Security Microsoft Outlook Add-in window opens.

4. Click the Remove button.

The wizard will begin uninstalling the Microsoft Outlook Add-in.

5. Click Finish.

69
 Uninstallation is now complete, and the Setup Wizard closes.

Installing and uninstalling the application from the command line

This section describes the particulars of installing and uninstalling Kaspersky Security for Windows Server from
the command line and contains examples of commands to install and uninstall Kaspersky Security for Windows
Server from the command line, and examples of commands to add and remove Kaspersky Security for Windows
Server components from the command line.

About installing and uninstalling Kaspersky Security for Windows Server

from command line

Dump and trace les are not deleted on uninstalling Kaspersky Security for Windows Server. You can manually
delete dump and trace les from the folder speci ed during the con guration of dump and trace les writing.

Kaspersky Security for Windows Server can be installed or uninstalled, and its components added or removed, by
running the \server\ks4ws_x86.msi or \server\ks4ws_x64.msi installation package le from the command line after
the installation settings have been speci ed using keys.

The "Administration Tools" set can be installed on the protected device or on another device on the network to
work with the Application Console locally or remotely. To do this, use the \client\ks4wstools.msi installation
package.

Perform the installation using an account included in the administrators group on the protected device where
the application is installed.

If one of the \server\ks4ws_x86.msi or \server\ks4ws_x64.msi les is run on the protected device without
additional keys, Kaspersky Security for Windows Server will be installed with the recommended installation
settings.

The set of components to be installed can be assigned using the ADDLOCAL command-line option by listing the
codes for the selected components or sets of components.

Example commands for installing Kaspersky Security for Windows Server

This section provides examples of commands used to install Kaspersky Security for Windows Server.

On protected devices running a 32-bit version of Microsoft Windows, run the les with the x86 su ix in the
distribution kit. On protected devices running a 64-bit version of Microsoft Windows, run the les with the x64
su ix in the distribution kit.

Detailed information about the use of Windows Installer's standard commands and command-line options is
provided in the documentation supplied by Microsoft.

Examples of installing Kaspersky Security for Windows Server from the setup.exe le
70
To install Kaspersky Security for Windows Server with the recommended installation settings without user
involvement, run the following command:

\server\setup.exe /s /p EULA=1 /p PRIVACYPOLICY=1

You can install Kaspersky Security for Windows Server with the following settings:

only install the Real-Time File Protection and On-Demand Scan components;

do not run Real-Time File Protection when starting Kaspersky Security for Windows Server;

do not exclude les that Microsoft Corporation recommends to exclude from the scan scope.

To do so, run the following command:

\server\setup.exe /p ADDLOCAL=Oas /p RUNRTP=0 /p ADDMSEXCLUSION=0

To install Kaspersky Security for Windows Server with Kaspersky Endpoint Agent without user involvement, run the
following command:

\server\setup.exe /s /p EULA=1 /p PRIVACYPOLICY=1 /p ADDLOCAL=Soyuz /p KEA_EULA=1

You can use the following optional keys with this command:
/p KEA_INSTALLDIR="<path to installation folder>"
Speci es a path to a custom Kaspersky Endpoint Agent installation folder.
/p KEA_UNLOCK_PASSWORD=<password>
Sets a password protection to limit user access to Kaspersky Endpoint Agent (modify, repair, uninstall).
/p KEA_PPL=<1|0>
Enables (1) or disables (0) protection of the Kaspersky Endpoint Agent processes using AM-PPL technology
(Antimalware Protected Process Light). For more details about AM-PPL technology, please refer to the Microsoft
Knowledge Base.

Examples of commands used for installation: running an .msi le

To install Kaspersky Security for Windows Server with the recommended installation settings without user
involvement, run the following command:

msiexec /i ks4ws.msi /qn EULA=1 PRIVACYPOLICY=1

To install Kaspersky Security for Windows Server with the recommended installation settings and display the
installation interface, run the following command:

msiexec /i ks4ws.msi /qf EULA=1 PRIVACYPOLICY=1

To install and activate Kaspersky Security for Windows Server using the key le C:\0000000A.key:

msiexec /i ks4ws.msi LICENSEKEYPATH=C:\0000000A.key /qn EULA=1 PRIVACYPOLICY=1

To install Kaspersky Security for Windows Server with a preliminary scan of active processes and the boot sectors
of local disks, run the following command:

msiexec /i ks4ws.msi PRESCAN=1 /qn EULA=1 PRIVACYPOLICY=1

To install Kaspersky Security for Windows Server in the installation folder C:\WSEE, run the following command:
71
 msiexec /i ks4ws.msi INSTALLDIR=C:\WSEE /qn EULA=1 PRIVACYPOLICY=1

To install Kaspersky Security for Windows Server and save an installation log le named ks4ws.log in the folder
where the Kaspersky Security for Windows Server msi le is stored, run the following command:

msiexec /i ks4ws.msi /l*v ks4ws.log /qn EULA=1 PRIVACYPOLICY=1

To install Kaspersky Security for Windows Server Console, run the following command:

msiexec /i ks4wstools.msi /qn EULA=1

To install the Microsoft Outlook Add-in for 64-bit Microsoft Outlook mail client, run the following command:

msiexec /i ksmail_x64.msi /qn EULA=1

To install the Microsoft Outlook Add-in for 32-bit Microsoft Outlook mail client, run the following command:

msiexec /i ksmail_x86.msi /qn EULA=1

To install and activate Kaspersky Security for Windows Server using the key le C:\0000000A.key and con gure
Kaspersky Security for Windows Server according to the settings in the con guration le C:\settings.xml, run the
following command:

msiexec /i ks4ws.msi LICENSEKEYPATH=C:\0000000A.key CONFIGPATH=C:\settings.xml /qn

EULA=1 PRIVACYPOLICY=1

To install an application patch when Kaspersky Security for Windows Server is password-protected, run the
following command:

msiexec /p "<msp file name with path>" UNLOCK_PASSWORD=<password>

Actions to perform after Kaspersky Security for Windows Server installation

Kaspersky Security for Windows Server starts protection and scan tasks immediately after installation if you have
activated the application. If you select Enable real-time protection after installation of application during
installation of Kaspersky Security for Windows Server, the application scans the device's le system objects when
they are accessed.If the Script monitoring component was installed during custom installation, Kaspersky Security
for Windows Server scans the program code of all scripts when they are run. Kaspersky Security for Windows
Server will run the Critical Areas Scan task every Friday at 8:00 P.M.

We recommend taking the following steps after installing Kaspersky Security for Windows Server:

Start the Kaspersky Security for Windows Server Database Update task. After installation Kaspersky Security
for Windows Server will scan objects using the database included in its distribution kit. We recommend
updating the Kaspersky Security for Windows Server database immediately. To do so, you must run the
Database Update task. The database will then be updated every hour according to the default schedule.
For example, you can run the Database Update task by running the following command:
KAVSHELL UPDATE /KL /PROXY:proxy.company.com:8080 /AUTHTYPE:1 /PROXYUSER:inetuser
/PROXYPWD:123456
In this case, Kaspersky Security for Windows Server database updates are downloaded from Kaspersky update
servers. Connection to an update source is established via a proxy server (proxy server address:
proxy.company.com, port: 8080) using built-in Windows NTLM authentication to access the server under an
account (username: inetuser; password: 123456).

72
 Run a Critical Areas Scan of the device if no anti-virus software with real-time le protection was installed on
the device before installation of Kaspersky Security for Windows Server.

To start the Critical Areas Scan task using the command line:

KAVSHELL SCANCRITICAL /W:scancritical.log

This command saves the task log in a le named scancritical.log contained in the current folder.
Con gure administrator noti cations about Kaspersky Security for Windows Server events.

Adding / removing components. Sample commands

The On-Demand Scan component is installed automatically. You do not need to specify it in the list of ADDLOCAL
key values by adding or deleting Kaspersky Security for Windows Server components.

To add the Applications Launch Control component to the components that have already been installed, run the
following command:

msiexec /i ks4ws.msi ADDLOCAL=Oas,AppCtrl /qn

or

\server\setup.exe /s /p "ADDLOCAL=Oas,AppCtrl"

If you list the components you want to install along with the already installed components, Kaspersky Security for
Windows Server will reinstall the existing components.

To remove installed components run the following command:

msiexec /i ks4ws.msi
"ADDLOCAL=Oas,Ods,Ksn,AntiExploit,DevCtrl,Firewall,AntiCryptor,LogInspector,AKIntegratio
REMOVE=AppCtrl,Fim" /qn

Kaspersky Security for Windows Server uninstallation. Sample commands

To uninstall Kaspersky Security for Windows Server from the protected device, run the following command:

msiexec /x ks4ws.msi /qn

or

For 32-bit operating systems:

msiexec /x {438F7FDE-2AC4-49D7-BE06-51642B3EA0A6} /qn

For 64-bit operating systems:

msiexec /x {DEBE0A18-36BD-47E9-9B7B-FC67B67D7F66} /qn

To uninstall Kaspersky Security for Windows Server Console, run the following command:

msiexec /x ks4wstools.msi /qn

73
 or

For 32-bit operating systems:

msiexec /x {EF00C20A-7441-4076-BA9A-10C9CF689099} /qn

For 64-bit operating systems:

msiexec /x {B0383C9F-53CB-4F0E-B8A5-7A4F80951CD9} /qn

To uninstall Kaspersky Security for Windows Server from a protected device on which password protection is
enabled, perform the following command:

For 32-bit operating systems:

msiexec /x {438F7FDE-2AC4-49D7-BE06-51642B3EA0A6} UNLOCK_PASSWORD=*** /qn

For 64-bit operating systems:

msiexec /x {DEBE0A18-36BD-47E9-9B7B-FC67B67D7F66} UNLOCK_PASSWORD=*** /qn

To uninstall Microsoft Outlook Add-in, perform the following command:

For 32-bit operating systems:

msiexec /x {58E0FA6E-4BEA-4B52-9059-CD44DF40AA44} /qn

For 64-bit operating systems:

msiexec /x {39DB1974-1EEB-452C-92BA-1BAE519D551C} /qn

Return codes
The table below contains a list of command-line return codes.

Return codes

Code Description

1324 The destination folder name contains invalid characters.

25001 Insu icient rights to install Kaspersky Security for Windows Server. To install the application, start
the installation wizard with local administrator rights.

25003 Kaspersky Security for Windows Server cannot be installed on devices running this version of
Microsoft Windows. Please start the installation wizard for 64-bit versions of Microsoft Windows.

25004 Incompatible software detected. To continue the installation, uninstall the following software: <list
of incompatible software>.

25010 The indicated path cannot be used to save quarantined objects.

25011 The name of the folder for saving quarantined objects contains invalid characters.

26251 Unable to download the Performance Counters DLL.

26252 Unable to download the Performance Counters DLL.

27300 The driver cannot be installed.

27301 The driver cannot be uninstalled.

27302 The network component cannot be installed. Maximum supported number of ltered devices
reached.

27303 Anti-virus databases not found.

74
Installing and uninstalling the application using Kaspersky Security Center
This section contains general information about installing Kaspersky Security for Windows Server via Kaspersky
Security Center. It also describes how to install and uninstall Kaspersky Security for Windows Server via Kaspersky
Security Center and actions to perform after installing Kaspersky Security for Windows Server.

General information about installing via Kaspersky Security Center

You can install Kaspersky Security for Windows Server via Kaspersky Security Center using the remote installation
task.

After the remote installation task is complete, Kaspersky Security for Windows Server will be installed with
identical settings on multiple protected devices.

All protected devices can be combined in a single administration group, and a group task can be created to install
Kaspersky Security for Windows Server on the protected devices in this group.

You can create a task to remotely install Kaspersky Security for Windows Server on a set of protected devices
that are not in the same administration group. When creating this task, you must generate the list of individual
protected devices that Kaspersky Security for Windows Server should be installed on.

Detailed information on the remote installation task is provided in Kaspersky Security Center Help.

Rights to install or uninstall Kaspersky Security for Windows Server

The account speci ed in the remote installation (removal) task must be included in the administrators group on
each of the protected devices in all cases except those described below:

If the Kaspersky Security Center Network Agent is already installed on the protected devices on which
Kaspersky Security for Windows Server is to be installed (regardless of which domain the protected devices are
in or whether they belong to any domain).

If the Network Agent is not yet installed on the protected devices, you can install it with Kaspersky
Security for Windows Server using a remote installation task. Before installing the Network Agent, make
sure that the account you want to specify in the task is included in the administrators group on each of the
protected devices.

All protected devices on which you want to install Kaspersky Security for Windows Server are in the same
domain as the Administration Server, and the Administration Server is registered as the Domain Admin account
(if this account has local administrator's rights on the protected devices within the domain).

By default, when using the Forced installation method, the remote installation task is run from the account
running the Administration Server.

When working with group tasks or with tasks for sets of protected devices under forced installation (uninstallation)
mode, an account must have the following rights on the protected device:

Right to execute applications remotely.

75
 Rights to the Admin$ share.

Right to Log on as a service.

Installing Kaspersky Security for Windows Server via Kaspersky Security

Center

Detailed information about generating an installation package and creating a remote installation task is
provided in the Kaspersky Security Center Implementation Guide.

If you intend to manage Kaspersky Security for Windows Server via Kaspersky Security Center in the future, make
sure that the following conditions are met:

The protected device where the Kaspersky Security Center Administration Server is installed also has the
Administration Plug-in installed (\server\klcfginst.exe le in the Kaspersky Security for Windows Server
distribution kit).

Kaspersky Security Center Network Agent is installed on protected devices. If Kaspersky Security Center
Network Agent is not installed on protected devices, you can install it together with Kaspersky Security for
Windows Server using a remote installation task.

Devices can also be combined into an administration group in order to later manage the protection settings using
Kaspersky Security Center policies and group tasks.

To install Kaspersky Security for Windows Server using a remote installation task:

1. Start the Kaspersky Security Center Administration Console.

2. In Kaspersky Security Center, expand the Advanced node.

3. Expand the Remote installation child node.

4. In the details pane of the Installation packages child node, click the Create installation package button.

5. Select the Create installation package for a Kaspersky application installation package type.

6. Enter the installation package name.

7. Specify the ks4ws.kud le from the Kaspersky Security for Windows Server distribution kit as the installation
package le.
The End User License Agreement and Privacy Policy window opens.

8. If you agree to the terms and conditions of End User License Agreement and Privacy Policy, select the I con rm
that I have fully read, understood, and accept the terms and conditions of this End User License
Agreement and I am aware and agree that my data will be handled and transmitted (including to third
countries) as described in the Privacy Policy. I con rm that I have fully read and understand the Privacy
Policy check boxes in order to proceed with the installation.

You must accept the License Agreement and the Privacy Policy to proceed.

76
9. To change the set of Kaspersky Security for Windows Server components to be installed and the default
installation settings in the installation package:

a. In Kaspersky Security Center, expand the Remote installation node.

b. In the details pane of the Installation packages child node, open the context menu of the created
Kaspersky Security for Windows Server installation package and select Properties.

c. In the Properties: <name of installation package> window open the Settings section.

d. In the Components to install settings group, select the check boxes next to the names of the Kaspersky
Security for Windows Server components you want to install.

e. To install Kaspersky Endpoint Agent, do the following:

1. Click the End User License Agreement button.

The Kaspersky Endpoint Agent Statement window opens.

2. Read the terms of the Kaspersky Endpoint Agent Statement.

3. Select the Accept the terms of the Kaspersky Endpoint Agent Statement check box.

4. Click OK.

5. Select the Install Endpoint Agent check box.

The Install Endpoint Agent check box is not available if the Accept the terms of the Kaspersky
Endpoint Agent Statement check box was not selected.

f. In order to indicate a destination folder other than the default one, specify the folder name and path in the
Destination folder eld.
The path to the destination folder may contain system environment variables. If the folder does not exist on
the protected device, it will be created.

g. In the Advanced installation settings group, con gure the following settings:

Scan device for viruses before installation

Enable real-time protection after installation of application

Add Microsoft recommended les to exclusions list

Add Kaspersky recommended les to exclusions list

h. If you want to import settings from the con guration le created in the previous version of Kaspersky
Security for Windows Server, specify the required con guration le.

i. In the Properties: <name of installation package> dialog window, click OK.

10. In the Installation packages node create a task to remotely install Kaspersky Security for Windows Server on
the selected protected devices (administration group). Con gure the task settings.
To learn more about creating and con guring remote installation tasks, see the Kaspersky Security Center Help.

11. Run the Kaspersky Security for Windows Server remote installation task.
77
 Kaspersky Security for Windows Server will be installed on the protected devices speci ed in the task.

Actions to perform after Kaspersky Security for Windows Server installation

After you install Kaspersky Security for Windows Server, we recommend that you update Kaspersky Security for
Windows Server databases on the devices, and perform a Critical Areas Scan of the devices if no anti-virus
applications with enabled real-time protection were installed on the devices before installation of Kaspersky
Security for Windows Server.

If the protected devices on which Kaspersky Security for Windows Server was installed are part of the same
administration group in the Kaspersky Security Center, you can perform these tasks using the following methods:

1. Create Database Update tasks for the group of protected devices on which Kaspersky Security for Windows
Server was installed. Set the Kaspersky Security Center Administration Server as the update source.

2. Create an On-Demand Scan group task with the Critical Areas Scan status. Kaspersky Security Center
evaluates the security status of each protected device in the group based on the results of this task, not based
on the results of the Critical Areas Scan task.

3. Create a new policy for the group of protected devices. In the policy properties, in the Application settings
section, deactivate the scheduled start of system on-demand scan tasks and the Database Update tasks on
the administration group's protected devices in the settings of the Run system tasks subsection.

You can also con gure administrator noti cations about Kaspersky Security for Windows Server events.

Installing the Application Console via Kaspersky Security Center

Detailed information about creating an installation package and a remote installation task is provided in the
Kaspersky Security Center Implementation Guide.

To install the Application Console using a remote installation task:

1. In the Kaspersky Security Center Administration Console expand the Advanced node.

2. Expand the Remote installation child node.

3. In the details pane of the Installation packages child node, click the Create installation package button. While
creating the new installation package:

a. In the New Package Wizard window, select Create installation package for speci ed executable le as a
package type.

b. Enter the new installation package name.

c. Select the \client\setup.exe le from the Kaspersky Security for Windows Server distribution kit folder and
select the Copy entire folder to the installation package check box.

d. Use the ADDLOCAL command-line option in the Executable le launch settings (optional) eld to perform
installation of the Application Console. The Application Console is installed in the default installation folder.
Make sure to specify the "EULA=1" parameter. Otherwise, it is impossible to install components.
/s /p "ADDLOCAL=MmcSnapin EULA=1"

78
 Optionally, in the Executable le launch settings (optional) eld, you can use the ADDLOCAL command-
line option to modify the set of components to be installed and the INSTALLDIR command-line option to
specify the destination folder other than default.
For example, to perform a standalone installation of the Application Console in the C:\KasperskyConsole
folder, use the following command-line option:
/s /p "ADDLOCAL=MmcSnapin INSTALLDIR=C:\KasperskyConsole EULA=1"

4. In the Installation packages child node, create a task to remotely install the Application Console on the
selected protected devices (administration group). Con gure the task settings.

To learn more about creating and con guring remote installation tasks, see the Kaspersky Security Center
Help.

5. Run the remote installation task.

The Application Console is installed on the protected devices speci ed in the task.

Uninstalling Kaspersky Security for Windows Server via Kaspersky Security

Center

Dump and trace les are not deleted on uninstalling Kaspersky Security for Windows Server. You can manually
delete dump and trace les from the folder speci ed during the con guration of dump and trace les writing.

If management of Kaspersky Security for Windows Server on network devices is password protected, enter
the password when creating a task to uninstall multiple applications. If the password protection is not
managed centrally by a Kaspersky Security Center policy, Kaspersky Security for Windows Server will be
successfully uninstalled from the devices, on which the entered password matched the set value. Kaspersky
Security for Windows Server will not be uninstalled from other protected devices.

To uninstall Kaspersky Security for Windows Server:

1. In the Kaspersky Security Center Administration Console, create and start an application removal task.

2. In the task, select the uninstallation method (similar to selecting the installation method; see the previous
section) and specify the account that Administration Server will use to access the protected devices. You can
uninstall Kaspersky Security for Windows Server with only the default uninstallation settings.

Installing and uninstalling via Active Directory group policies

This section describes installing and uninstalling Kaspersky Security for Windows Server via Active Directory group
polices. It also contains information about actions to perform after installing Kaspersky Security for Windows
Server through group policies.

79
Installing Kaspersky Security for Windows Server via Active Directory group
policies
You can install Kaspersky Security for Windows Server on several protected devices via the Active Directory group
policy. You can install the Application Console the same way.

The protected devices on which you want to install Kaspersky Security for Windows Server or the Application
Console must be in the same domain and a single organizational unit.

The operating systems on the protected devices on which you want to install Kaspersky Security for Windows
Server using the policy must be of the same bitness (32-bit or 64-bit).

You must have domain administrator rights.

To install Kaspersky Security for Windows Server, use the ks4ws_x86.msi or ks4ws_x64.msi installation package. To
install the Application Console, use the ks4wstools.msi installation package.

Detailed information about the use of Active Directory group policies is provided in the documentation
supplied by Microsoft.

To install Kaspersky Security for Windows Server (or the Application Console):

1. Save the msi le corresponding to the bitness (32- or 64-bit) of the installed version of the Microsoft Windows
operating system in the public folder on the domain controller.

2. Save the key le in the same public folder on the domain controller.

3. In the same public folder on the domain controller, create an install_props.json le with the contents below,
which means that you accept the terms of the License Agreement and the Privacy Policy.
{
"EULA": "1",
"PRIVACYPOLICY": "1"
}

4. On the domain controller create a new policy for the group that the protected devices belong to.

5. Using the Group Policy Object Editor, create a new installation package in the Computer Con guration node.
Specify the path to the msi le for Kaspersky Security for Windows Server (or Application Console) in UNC
(Universal Naming Convention) format.

6. Select the Windows Installer's Always install with elevated privileges check box in both the Computer
Con guration node and in the User Con guration node of the selected group.

7. Apply the changes using the gpupdate /force command.

Kaspersky Security for Windows Server will be installed on the protected devices of the group after they have
been restarted.

Actions to perform after Kaspersky Security for Windows Server installation

80
After installing Kaspersky Security for Windows Server on the protected devices, it is recommended that you
immediately update the application databases and run a Critical Areas Scan. You can perform these actions from
the Application Console.

You can also con gure administrator noti cations about Kaspersky Security for Windows Server events.

Uninstalling Kaspersky Security for Windows Server via Active Directory

group policies

Dump and trace les are not deleted on uninstalling Kaspersky Security for Windows Server. You can manually
delete dump and trace les from the folder speci ed during the con guration of dump and trace les writing.

If you used an Active Directory group policy to install Kaspersky Security for Windows Server (or the Application
Console) on the group of protected devices, you can use this policy to uninstall Kaspersky Security for Windows
Server (or the Application Console).

You can uninstall the application only with the default uninstallation parameters.

Detailed information about the use of Active Directory group policies is provided in the documentation
supplied by Microsoft.

If application management is password protected, you cannot uninstall Kaspersky Security for Windows
Server using Active Directory group policies.

To uninstall Kaspersky Security for Windows Server (or the Application Console):

1. On the domain controller, select the organizational unit from whose protected devices you want to uninstall
Kaspersky Security for Windows Server or the Application Console.

2. Select the policy created for the installation of Kaspersky Security for Windows Server and in the Group
Policies Object Editor, in the Software installation node (Computer Con guration > Software Settings >
Software installation) open the context menu of the Kaspersky Security for Windows Server (or the
Application Console) installation package and select the All tasks > Remove command.

3. Select the uninstallation method Immediately uninstall the software from users and computers.

4. Apply the changes using the gpupdate / force command.

Kaspersky Security for Windows Server is removed from the protected devices after they are restarted and
before logging in to Microsoft Windows.

Checking Kaspersky Security for Windows Server functions. Using the

EICAR test virus
This section describes the EICAR test virus and how to use the EICAR test virus to check the Real-Time File
Protection and On-Demand Scan features of Kaspersky Security for Windows Server.

81
About the EICAR test virus
This test virus is designed to verify the operation of anti-virus applications. It was developed by the European
Institute for Computer Antivirus Research (EICAR).

The test virus is not a malicious object and does not contain executable code for your device, but most
vendors' anti-virus applications identify it as a threat.

The le containing this test virus is called eicar.com. You can download it from the EICAR website .

Before saving the le in a folder on the device's hard drive, make sure that Real-Time File Protection is disabled
on that drive.

The eicar.com le contains a line of text. When scanning the le Kaspersky Security for Windows Server detects
the test threat in this line of text, assigns the Infected status to the le, and deletes it. Information about the
threat detected in the le will appear in the Application Console and in the task log.

You can use the eicar.com le to check how Kaspersky Security for Windows Server disinfects infected objects
and how it detects probably infected objects. To do this, open the le using a text editor, add one of the pre xes
listed in the table below to the beginning of the line of text in the le, and save the le under a new name, e.g.
eicar_cure.com.

To make sure that Kaspersky Security for Windows Server processes the eicar.com le with a pre x, in the
Objects protection security settings section, set the All objects value for the Real-Time Server Protection
tasks and Default On-Demand Scan tasks of Kaspersky Security for Windows Server.

Pre xes in EICAR les

Pre x File status after the scan and Kaspersky Security for Windows Server action

No Kaspersky Security for Windows Server assigns the Infected status to the object and deletes
pre x it.

SUSP– Kaspersky Security for Windows Server assigns the Probably infected status to the object
detected by the heuristic analyzer and deletes it since probably infected objects are not
disinfected.

WARN– Kaspersky Security for Windows Server assigns the Probably infected status to the object (the
object's code partly matches the code of a known threat) and deletes it since probably infected
objects are not disinfected.

CURE– Kaspersky Security for Windows Server assigns the Infected status to the object and disinfects
it. If disinfection is successful, the entire text in the le is replaced with the word "CURE".

Checking the Real-Time File Protection and On-Demand Scan features

After installing Kaspersky Security for Windows Server, you can con rm that Kaspersky Security for Windows
Server nds objects containing malicious code. To check this, you can use a test virus from EICAR.

To check the Real-Time File Protection feature:

82
 1. Download the eicar.com le from the EICAR website . Save it in a public folder on the local drive of any device
on the network.

Before you save the le to the folder, make sure that Real-Time File Protection is disabled for the folder.

2. If you want to check that network user noti cations are working, make sure that the Microsoft Windows
Messenger Service is enabled both on the protected device and on the device where you saved the eicar.com
le.

3. Open the Application Console on the protected device.

4. Copy the saved eicar.com le to the local drive of the protected device using one of the following methods:

To test noti cations through a Terminal Services window, copy the eicar.com le to the protected device
after connecting to the protected device using the Remote Desktop Connection utility.

To test noti cations through the Microsoft Windows Messenger Service, use the device's network places to
copy the eicar.com le from the device where you saved it.

Real-Time File Protection is working correctly if the following conditions are met:

The eicar.com le is deleted from the protected device.

In the Application Console, the task log is given the Critical status. The log has a new line with information about
a threat in the eicar.com le. (To view the task log, in the Application Console tree, expand the Real-Time
Server Protection node, select the Real-Time File Protection task and in the details panel of the node click
the Open task log link).

The following Microsoft Windows Messenger Service message appears on the device from which you
copied the le: Kaspersky Security for Windows Server blocked access to <path to file on
the device>\eicar.com on computer <network name of the device> at <time that event
occurred>. Reason: Threat detected. Virus: EICAR-Test-File. User name: <user name>.
Computer name: <network name of the device from which you copied the file>.

Make sure that the Microsoft Windows Messenger Service is running on the device from which you copied
the eicar.com le.

To check the On-Demand Scan feature:

1. Download the eicar.com le from the EICAR website . Save it in a public folder on the local drive of any device
on the network.

Before you save the le to the folder, make sure that Real-Time File Protection is disabled for the folder.

2. Open the Application Console.

3. Do the following:

a. Expand the On-Demand Scan node in the Application Console tree.

b. Select the Critical Areas Scan child node.

83
 c. On the Scan scope settings tab, open the context menu on the Network node and select Add network
le.

d. Enter the network path to the eicar.com le on the remote device in UNC (Universal Naming Convention)
format.

e. Select the check box to include the added network path in the scan scope.

f. Run the Critical Areas Scan task.

The On-Demand Scan is working as it should if the following conditions are met:

The eicar.com le is deleted from the device's hard drive.

In the Application Console, the task log is given the Critical status. The Critical Areas Scan task log has a new
line with information about a threat in the eicar.com le. (To view the task log, in the Application Console tree,
expand the On-Demand Scan child node, select the Critical Areas Scan task and in the details panel, click the
Open task log link).

84
Application interface
You can control Kaspersky Security for Windows Server using the following interfaces:

Local Application Console.

Kaspersky Security Center Administration Console.

Kaspersky Security Center Web Console.

Kaspersky Security Center Cloud Console.

Kaspersky Security Center Administration Console

Kaspersky Security Center lets you remotely install and uninstall, start and stop Kaspersky Security for Windows
Server, con gure application settings, change the set of available application components, add keys, and start and
stop tasks.

The application can be managed via Kaspersky Security Center using the Kaspersky Security for Windows Server
Administration Plug-in. See detailed information about the Kaspersky Security Center interface in the Kaspersky
Security Center Help.

Kaspersky Security Center Web Console and Cloud Console

Kaspersky Security Center Web Console (hereinafter also referred to as Web Console) is a web application
intended for centrally performing the main tasks to manage and maintain the security system of an organization's
network. Web Console is a Kaspersky Security Center component that provides a user interface. For detailed
information about Kaspersky Security Center Web Console, please refer to the Kaspersky Security Center Help.

Kaspersky Security Center Cloud Console (hereinafter also referred to as the Cloud Console) is a cloud-based
solution for protecting and managing an organization's network. For detailed information about Kaspersky Security
Center Cloud Console, please refer to the Kaspersky Security Center Cloud Console Help.

Web Console and Cloud Console let you do the following:

Monitor the status of your organization's security system.

Install Kaspersky applications on devices within your network.

Manage installed applications.

View reports on the security system status.

85
Application licensing
This section provides information about the main concepts related to licensing of the application.

About the End User License Agreement

The End User License Agreement is a binding agreement between you and AO Kaspersky Lab, stipulating the terms
on which you may use the application.

Carefully review the terms of the End User License Agreement before you start using the application.

You can review the terms of the End User License Agreement in the following ways:

During the Kaspersky Security for Windows Server installation

By reading the le license.txt. This document is included in the application's distribution kit

By con rming that you agree with the End User License Agreement when installing the application, you signify your
acceptance of the terms of the End User License Agreement. If you do not accept the terms of the End User
License Agreement, you must abort application installation and must not use the application.

About the license

A license is a time-limited right to use the application, granted to you under the End User License Agreement.

A valid license entitles you to receive the following services:

Use of the application in accordance with the terms of the End User License Agreement

Technical support

A commercial license is a paid license granted upon purchase of the application. When a commercial license
expires, the application continues to run but some of its features become unavailable (for example, the application
databases cannot be updated). To continue using all the features of Kaspersky Security for Windows Server, you
must renew your commercial license.

Application functionality available under the commercial license depends on the choice of product. The selected
product is indicated in the License Certi cate. Information on available products may be found at the Kaspersky
website .

To ensure maximum protection of your device against security threats, we recommend renewing the license before
it expires.

Make sure the additional key that you add has a later expiration date than the active one.

You cannot use a subscription as an additional key.

86
About license certi cate
A license certi cate is a document that you receive along with a key le or an activation code (if applicable).

A license certi cate contains the following information about the license provided:

Order number

Information about the user who has been granted the license

Information about the application that can be activated under the license provided

Limit of the number of licensing units (e.g., devices on which the application can be used under the license
provided)

License validity start date

License expiration date or license term

License type

About the key

A key is a sequence of bits with which you can activate and subsequently use the application in accordance with
the terms of the End User License Agreement. A key is generated by Kaspersky.

You can add a key to the application by using a key le. After you add a key to the application, the key is displayed in
the application interface as a unique alphanumeric sequence.

Kaspersky can black-list a key over violations of the License Agreement. If your key is blocked, a di erent key must
be added in order for the application to work.

A key may be an "active key" or an "additional key".

An active key is the key that the application currently uses to function. A key for a commercial or trial license may
be added as the active key. The application can have no more than one active key.

An additional key is a key that con rms the right to use the application but is not currently in use. An additional key
automatically becomes active when the license associated with the current active key expires. An additional key
may be added only if there is an active key.

About the key le

A key le is a le with the .key extension provided to you by Kaspersky. Key les are designed to activate the
application by adding a license key.

You receive a key le at the email address that you provided when you bought Kaspersky Security for Windows
Server or ordered the trial version of Kaspersky Security for Windows Server.

87
You do not need to connect to Kaspersky activation servers in order to activate the application with a key le.

You can restore a key le if it has been accidentally deleted. You may need a key le to register a Kaspersky
CompanyAccount, for example.

To restore your key le, perform any of the following actions:

Contact the license seller.

Receive a key le through Kaspersky website by using your available activation code.

About activation code

An activation code is a unique sequence of 20 letters and numbers. You have to enter an activation code in order
to add a key for activating Kaspersky Security for Windows Server. You receive the activation code at the email
address that you provided when you bought Kaspersky Security for Windows Server or ordered the trial version of
Kaspersky Security for Windows Server.

To activate the application with an activation code, you need Internet access in order to connect to Kaspersky
activation servers.

If you have lost your activation code after installing the application, it can be recovered. You may need the
activation code to register a Kaspersky CompanyAccount, for example. To recover your activation code, contact
Kaspersky Technical Support.

About subscription
A subscription is a purchase order for the application with speci c parameters (such as the subscription expiry
date and number of devices protected). It provides the right to use the application within selected parameters
(subscription end date, number of protected devices). A Kaspersky Security for Windows Server subscription can
be registered with the service provider (for example, your ISP). You can renew a subscription manually or
automatically, or cancel it. You can also suspend and then resume a subscription. Subscription management is
available through the service provider; you cannot manage a subscription independently.

The subscription management options depend on the service provider. The service provider may o er a grace
period for renewing a subscription.

A grace period is a time interval during which application functionality remains unchanged between the end of a
subscription and its renewal.

A subscription can be limited or unlimited.

A limited subscription o ers a limited license term and is not automatically renewed.

An unlimited subscription is automatically renewed without your involvement if payment is made on time, and does
not have a xed expiration date.

The status of a subscription is displayed in the details pane of the Kaspersky Security node and is updated
automatically every hour. You cannot manually update the status of a subscription.

88
 Activation codes obtained by subscription cannot be used to activate Kaspersky Security for Windows
Server versions earlier than 10.0.

About data provision

The License Agreement for Kaspersky Security for Windows Server, speci cally the section entitled "Terms of
data processing", speci es the terms, liability, and procedure for sending and processing the data indicated in this
Guide. Before accepting the License Agreement, carefully review its terms as well as all documents linked to by the
License Agreement.

The data Kaspersky receives from you when you use the application is protected and processed in accordance
with the Privacy Policy available at www.kaspersky.com/Products-and-Services-Privacy-Policy .

The terms of the License Agreement and Privacy Policy are available during the Kaspersky Security for Windows
Server installation, as a part of distribution kit, and from the Start menu (All programs > Kaspersky Security for
Windows Server > EULA and Privacy Policy) after the installation.

During the Kaspersky Security for Windows Server uninstallation, all the data stored by Kaspersky Security for
Windows Server on the protected device is deleted.

By accepting the terms of the License Agreement, you agree to automatically send the following data to
Kaspersky:

To support the mechanism for receiving updates – information about the installed application and its
activation: identi er of the application being installed and its full version, including build number, type, and
license identi er, installation identi er, update task identi er.

To use the ability to navigate to Knowledge Base articles when application errors occur (Redirector service) –
information about the application and link type: the name, locale, and full version number of the application,
type of redirecting link, and error identi er.

To manage con rmations for data processing – information about the status of acceptance of license
agreements and other documents, that stipulate data transferring terms: identi er and version of the License
Agreement or other document, as a part of which the data processing terms are accepted or declined; an
attribute, signifying the user’s action (con rmation or recall of the terms acceptance); date and time of status
changes of the data processing terms acceptance.

Local data processing

While executing the application's primary functions described in this Guide, Kaspersky Security for Windows
Server locally processes and stores a sequence of data on the protected computer.

The table below contains information about local processing and storing by Kaspersky Security for Windows
Server of data contained in reports.

Processing and storing of data contained in reports

Functional Event registration

area

Type of Kaspersky Security for Windows Server stores the data locally and sends the data to the
use Administration Server. The Administration Server's database stores information about
89
 application events that occur on the managed protected devices.

Storage %ALLUSERSPROFILE%\Kaspersky Lab\Kaspersky Security for Windows Server\<product

version>\Reports

%SystemRoot%\System32\Winevt\Logs\Kaspersky Security.evtx

Administration Server's database

Security Access-control list.

measures

Storage Kaspersky Security for Windows Server stores the data until the uninstallation of Kaspersky
period Security for Windows Server.
During the Kaspersky Security for Windows Server uninstallation, all the data stored by
Kaspersky Security for Windows Server on the protected device is deleted.

Purpose Providing primary functionality.

Kaspersky Security for Windows Server does not delete events in the Windows Event Log including during the
Kaspersky Security for Windows Server uninstallation.

In order to provide event registration functionality, Kaspersky Security for Windows Server locally processes the
following data:

Names, checksums (MD5, SHA-256) and attributes of processed les and full paths to them on the scanned
media.

Actions taken on scanned les by Kaspersky Security for Windows Server.

User actions taken on scanned les on the protected computer.

Information about accounts of users performing any actions on the protected network or protected device.

Device Instance Path values for devices added to the Device Control rules.

Information about processes and scripts running on the system: checksums (MD5, SHA-256) and full paths to
executable les, information about digital certi cates.

Windows Firewall settings.

Windows Event Log entries.

Names of user accounts taking actions on scanned les on the protected computer.

Instances of executable les being started, and the types, names, checksums, and attributes of these les.

Information about network activity:

The IP addresses of blocked external devices.

Identi ers of compromised logon sessions from which access to protected shared resources was
performed.

Processed web addresses.

90
 Processed IP addresses.

Names, checksums (MD5, SHA-256) and attributes of processed downloaded les.

Information about the Windows USN Journal status.

Information about processed emails:

Name of detected threat.

Data from email messages' elds ("To", "From", "Subject").

Email timestamp.

Metadata of the messages' bodies and attachments (type, size, name of the attachment).

Checksums (MD5, SHA-256) of processed le.

The following table contains information about the service data processed by the Kaspersky Security for Windows
Server. The service data includes: program parameters, quarantined and backup les, information in the program's
service databases, license data.

The table below contains information about local processing and storing by Kaspersky Security for Windows
Server of data about parameters speci ed by a user.

Processing and storing of data about parameters speci ed by a user

Functional All Kaspersky Security for Windows Server functionality

area

Type of Kaspersky Security for Windows Server stores the data locally and sends the data to the
use Administration Server. The data is stored in Administration Server's database.
The data processed by the application locally is not automatically sent to Kaspersky or other
third-party systems.

Storage
%ALLUSERSPROFILE%\Kaspersky Lab\Kaspersky Security for Windows Server\<product
version>\

Administration Server's database

Security Access-control list.

measures

Processing Kaspersky Security for Windows Server stores the data until the uninstallation of Kaspersky
period Security for Windows Server.
During the Kaspersky Security for Windows Server uninstallation, all the data stored by
Kaspersky Security for Windows Server on the protected device is deleted.
Kaspersky Security for Windows Server does not delete the data about parameters exported
into con guration le.
Kaspersky Security for Windows Server does not delete Quarantine objects and Backup
objects if the Export quarantine objects and Export Backup objects check boxes are
selected in the Setup Wizard.

Purpose Providing primary functionality.

For speci ed purposes, Kaspersky Security for Windows Server locally processes the following data:

91
 Objects placed in Quarantine or Backup.

Information about user accounts (username and password) under which Kaspersky Security for Windows
Server runs tasks.

Kaspersky Security for Windows Server password.

Settings used for connection to the proxy server: network port number, web address, information about user
account (login and password).

The addresses of network folders or folders on the HTTP or FTP servers used as user-de ned update sources.

IP addresses and identi ers of blocked logon sessions.

Windows Firewall settings and Windows Firewall rules settings.

Checksums (MD5, SHA-256) and paths to executable les added to the Application Launch Control task rules.

Device Instance Path values for devices added to the Device Control rules.

Information about les and folders included in scopes of Kaspersky Security for Windows Server tasks.

IP addresses, categories of web resources and web addresses included or excluded from the protection scope.

Full paths to executable les of programs whose activity is intercepted by the Kaspersky Security for Windows
Server during the execution of protection and scan tasks.

ICAP service connection settings: network port and service identi er.

Settings used for connection to protected network attached storages or clusters: network port, service
identi er, IP address, host name, server name, FPolicy name.

Account settings (username and password), used for access to the protected network storage or cluster.

Information about events in the Windows Event Log.

Information about detections with the use of iSwift or iChecker technology.

Checksums (MD5, SHA-256), full paths and masks speci ed in exclusions settings.

Information about processes added to the Trusted Zone.

Information about added license keys.

Information about digital certi cates.

Files unpacked from an archive or other composite object during the scan.

Kaspersky Security for Windows Server processes and stores data as part of the application's basic functionality,
including to log application events and receive diagnostic data. Locally processed data is protected in accordance
with the con gured and applied application settings.

92
Kaspersky Security for Windows Server lets you con gure the level of protection for data processed locally
(Managing access permissions for Kaspersky Security for Windows Server functions, Event registration. Kaspersky
Security for Windows Server logs): you can change user privileges to access process data, change data retention
periods for such data, entirely or partially disable functionality that involves data logging, and change the path and
attributes of the folder where the data is logged.

The data processed by the application locally is not automatically sent to Kaspersky or other third-party systems.

By default, all data locally processed by the application during operation is removed after Kaspersky Security for
Windows Server removal from the protected device.

Exception applies to les with diagnostics information (trace and dump les), the application events in the
Windows Event Log, and les with exported Kaspersky Security for Windows Server settings - it is recommended
to manually remove these les.

You can nd the detailed information about working with les containing diagnostic data of the application in the
corresponding sections of this Guide.

You can delete Windows Event Log les containing the program events of Kaspersky Security for Windows Server
via standard means of the operating system.

Local data processing by means of the application auxiliary components

The Kaspersky Security for Windows Server installation package comprises the application auxiliary components,
which can be installed on your device even if Kaspersky Security for Windows Server is not installed on it. Such
auxiliary components are:

The Application Console. This component is included in the Kaspersky Security for Windows Server
Administration Tools set and is represented by a Microsoft Management Console snap-in.

Add-in for Microsoft Outlook email client. The component provides email anti-virus scan.

The Administration Plug-in. This component provides a full integration with Kaspersky Security Center
application.

While performing the main functions of the application described in this Guide, the application auxiliary
components locally process and store a set of data on the protected device where they are installed, even if they
are installed separately from Kaspersky Security for Windows Server.

The application components locally process and store the following data:

The Application Console: the name of the protected device with installed Kaspersky Security for Windows
Server (IP address or domain name) to which the Application Console last connected remotely; display
parameters con gured in the Microsoft Management Console snap-in; data about the last folder in which the
user selected objects via the Application Console (by means of system dialog opened by clicking the Browse
button). The Application Console trace les can also contain the following data: the name of the protected
device with installed Kaspersky Security for Windows Server application to which the remote connection was
established, the name of the user account under which the remote connection was established.

The Add-in for Microsoft Outlook email client stores data only in trace les. The trace les of the Add-in for
Microsoft Outlook email client may contain the following information: data from email messages' elds ("To",
"From", "Subject"), metadata of the messages' bodies and attachments (type, size, name of the attachment).

The Administration Plug-in can process and temporarily store data processed by Kaspersky Security for
Windows Server; for example, con gured parameters of the application tasks and components, parameters of
Kaspersky Security Center policies, data sent in network lists.

93
The table below contains information about local processing and storing by Kaspersky Security for Windows
Server of data written in dump and trace les.

Kaspersky Security for Windows Server locally processes and stores the following data written in dump and trace
les:

Information about actions performed by Kaspersky Security for Windows Server on the protected device.

Information about objects processed by Kaspersky Security for Windows Server.

Information about activity on the protected device processed by Kaspersky Security for Windows Server.

Information about errors that occurred during the running of Kaspersky Security for Windows Server.

The data processed by the auxiliary components is not automatically sent to Kaspersky or other third-party
systems.

By default, all data locally processed by the application auxiliary components during the operation is deleted after
removal of these components.

The exceptions are trace les of the application auxiliary components, it is recommended to delete this les
manually.

Data in trace and dump les

Kaspersky Security for Windows Server can, in accordance with the settings, write debug information to trace les
for the purposes of technical support during the operation of Kaspersky Security for Windows Server.

Kaspersky Security for Windows Server dump les are generated by the operating system during application
crashes and are overwritten by the next crash.

Trace and dump les can include any personal data of a user or con dential data of your organization.

Do not use Kaspersky Security for Windows Server on devices for which data submission is prohibited by the
policy of your organization.

By default, Kaspersky Security for Windows Server does not record debug information.

Trace and dump les are not automatically submitted beyond the host on which they were generated. The content
of trace les can be viewed using standard text le viewers. Trace and dump les are kept inde nitely and are not
deleted on uninstalling Kaspersky Security for Windows Server.

Debug information can be useful for Technical Support.

No special mechanisms are provided for limiting access to trace and dump les. The administrator can con gure
this data to be written to a protected folder.

The path to the trace and dump le folder is not con gured by default. To use the trace and dump folder, the
administrator must specify it.

Data in trace and dump les can contain:

Actions performed by Kaspersky Security for Windows Server on the host.

94
Information about objects processed by Kaspersky Endpoint Agent.

Errors arising during the operation of Kaspersky Endpoint Agent.

About activating the application through Cloud Console

You can activate the application remotely through Kaspersky Security Center Cloud Console by distributing a key
stored on the Kaspersky Security Center Administration Server to the protected devices.

This method lets you automatically add a key to the protected devices that are already connected to Kaspersky
Security Center Cloud Console, and to new protected devices. To use this method, you need to rst add the key
to the Kaspersky Security Center Administration Server. For more details about adding keys to the Kaspersky
Security Center Administration Server, please refer to Kaspersky Security Center Cloud Console Help.

A trial version is provided for Kaspersky Security Center Cloud Console. The trial version is a special version of
Kaspersky Security Center Cloud Console designed to familiarize a user with the features of the application. In this
version, you can perform actions in a workspace for a period of 30 days. All managed applications are automatically
run under a trial license for Kaspersky Security Center Cloud Console, including Kaspersky Security for Windows
Server. However, you cannot activate Kaspersky Security for Windows Server using its own trial license when the
trial license for Kaspersky Security Center Cloud Console expires. For detailed information about Kaspersky
Security Center licensing, please refer to the Kaspersky Security Center Cloud Console Help.

The trial version of Kaspersky Security Center Cloud Console does not allow you to subsequently switch to a
commercial version. Any trial workspace will be automatically deleted with all its contents after the 30-day
period expires.

Activating the application with a key le

You can activate Kaspersky Security for Windows Server by applying a key le.

If an active key has already been added to Kaspersky Security for Windows Server and you add another key as the
active key, the new key replaces the previously added key. The previously added key is removed.

If an additional key has already been added to Kaspersky Security for Windows Server and you add another key as
an additional key, the new key replaces the previously added key. The previously added additional key is removed.

If an active key and an additional key have already been added to Kaspersky Security for Windows Server and you
add a new key as the active key, the new key replaces the previously added active key; the additional key is not
removed.

To activate Kaspersky Security for Windows Server using a key le:

1. In the Application Console tree, expand the Licensing node.

2. In the details pane of the Licensing node, click the Add key link.

3. In the window that opens, click the Browse button.

4. Select a key le with the .key extension.

95
 You can also add a key as an additional key. To add a key as an additional key, select the Use as additional
key check box.

5. Click OK.

The selected key le will be applied. Information about the added key will be available on the Licensing node.

Activating the application with an activation code

To activate the application using an activation code, the protected device must be connected to the Internet.

You can activate Kaspersky Security for Windows Server by using an activation code.

When activating the application with this method, Kaspersky Security for Windows Server sends data to the
activation server to verify the entered code:

If the activation code veri cation is successful, the application is activated.

If the activation code veri cation fails, the corresponding noti cation is displayed. In this case, you must
contact the software vendor from whom you purchased your Kaspersky Security for Windows Server license.

If the number of activations with the activation code is exceeded, the corresponding noti cation is displayed.
The application activation procedure is interrupted, and the application suggests that you contact Kaspersky
Technical Support.

To activate Kaspersky Security for Windows Server using an activation code:

1. In the Application Console tree, expand the Licensing node.

2. In the details pane of the Licensing node, click the Add activation code link.

3. In the window that opens, enter the activation code in the Activation code eld.

If you want to use the activation code as an additional key, enable Use as additional key check box.

If you want to view the license information, click the Show license information button; it will be displayed in
the License information group box.

4. Click OK.
Kaspersky Security for Windows Server sends information about the applied activation code to the activation
server.

Viewing information about the current license

Viewing licensing information

Information about the current license is displayed in the details pane of the Kaspersky Security node of the
Application Console. A key can have the following statuses:
96
 Checking the key status – Kaspersky Security for Windows Server is checking the applied key le or activation
code and waiting for a response about the current key status.

License expiration date – Kaspersky Security for Windows Server has been activated until the speci ed date
and time. The key status is highlighted in yellow in the following cases:

The license will expire in 14 days and no additional key has been applied.

The added key has been blacklisted and is about to be blocked.

Application not activated – Kaspersky Security for Windows Server is not activated because a key le or an
activation code has not been applied. The status is highlighted in red.

License has expired – Kaspersky Security for Windows Server is not activated because the license has
expired. The status is highlighted in red.

End User License Agreement has been violated – Kaspersky Security for Windows Server is not activated
because the terms of the End User License Agreement have been violated. The status is highlighted in red.

Key is blacklisted – The added key has been blocked and blacklisted by Kaspersky, for example, if the key has
been used by third parties to activate the application illegally. The status is highlighted in red.

Subscription suspended – The subscription has been suspended temporarily. The status is highlighted in red.
You can renew the subscription at any time.

Viewing information about the current license

To view information about the current license,

in the Application Console tree, expand the Licensing node.

General information about the current license is displayed in the details pane of the Licensing node (see the table
below).

General information about the license in the Licensing node

Field Description

The activation code. This eld is lled in if you activate the application using an activation
code.
Activation
code

Activation Information about the activation status of the application. The Activation status column of
status the Licensing node's details pane can have the following statuses:
Applied – if you have activated the application using an activation code or key le.

Activation – if you have applied an activation code to activate the application, but the
activation process has not been nalized yet. The status changes to Applied after
activation of the application is complete and the contents of the node's details pane are
refreshed.

Activation error – if application activation failed. You can view the cause of unsuccessful
activation in the task log.

97
 Key The key used to activate the application.

License License type: commercial or trial.

type

Expiration Expiration date and time of the license associated with the active key.
date

Activation Activation code status or key status: Active or Additional.

code status
or key
status

To view detailed information about the license,

on the Licensing node, open the context menu on the line with license data that you want to expand and select
Properties.

In the Key properties window, the General tab displays detailed information about the current license, and the
Advanced tab displays information about the customer and the contact details of Kaspersky or the retailer from
whom you purchased Kaspersky Security for Windows Server (see the table below).

Detailed license information in the Properties: <Activation code status or key status> window

Field Description

General tab

Key The key used to activate the application.

Key Date when the key was added to the application.

addition
date

License License type: commercial or trial.

type

Days till Number of days remaining until the expiration of the license associated with the active key.
expiration

Expiration Expiration date and time of the license associated with the active key. If you activate the
date application under an unlimited subscription, the eld value is Unlimited. If Kaspersky Security
for Windows Server is unable to determine the license expiration date, the eld value is
Unknown.
Application The name of the application activated with the key le or activation code.

Key usage Restriction on use of the key (if any).

restriction

Eligible for Information on whether Kaspersky or one of its partners will provide technical support under
technical the license terms.
support
Advanced tab

Information Current license number.

about the
license

Support Contact details of Kaspersky or its partner providing technical support. This eld may be
information empty if technical support is not provided.

Owner Information about the license owner: a customer name and the name of the organization for
information which the license was acquired.

98
Functional limitations when the license expires
When the current license expires, the following limitations are applied to the functional components:

All tasks are stopped, except the Real-Time File Protection, On-Demand Scan and Application Integrity Control
tasks.

You cannot start any tasks except the Real-Time File Protection, On-Demand Scan and Application Integrity
Control. These tasks continue to run using the old anti-virus databases.

Exploit Prevention functionality is limited:

Processes are protected until they are restarted.

New processes cannot be added to the protection scope.

Other functions (repositories, logs, diagnostic information) are still available.

Renewing the license

By default, when the license has 14 days remaining before expiration, Kaspersky Security for Windows Server
noti es you about the approaching expiration. In this case, the License expiration date status is highlighted in
yellow in the details pane of the Kaspersky Security node.

You can renew the license before the expiration date using an additional key. This ensures that your device remains
protected after expiration of the current license and before you activate the application with a new license.

To renew a license:

1. Obtain a new activation code or a key le.

2. In the Application Console tree, open the Licensing node.

3. Perform one of the following actions in the details pane of the Licensing node:

If you want to renew a license using a key le:

a. Click the Add key link.

b. In the window that opens, click the Browse button.

c. Select a new key le with the .key extension.

d. Select the Use as additional key check box.

If you want to renew a license using an activation code:

a. Click the Add activation code link.

b. Enter the purchased activation code in the window that opens.

c. Select the Use as additional key check box.

99
 An Internet connection is required to apply an activation code.

4. Click OK.

The additional key will be added and automatically applied upon expiration of the current Kaspersky Security for
Windows Server license.

Deleting the key

You can remove the added key.

If an additional key has been added to Kaspersky Security for Windows Server and you remove the active key, the
additional key automatically becomes the active key.

If you delete an added key, you can restore it by re-applying the key le.

To remove a key that has been added:

1. In the Application Console tree, select the Licensing node.

2. In the details pane of the Licensing node in the table containing information on added keys, select the key that
you want to remove.

3. In the context menu of the line containing information on the selected key, select Remove.

4. Click the Yes button in the con rmation window to con rm that you want to delete the key.

The selected key will be removed.

100
Working with the Administration Plug-in
This section provides information about the Kaspersky Security for Windows Server Administration Plug-in and
describes how to manage the application installed on a protected device or on a group of protected devices.

Managing Kaspersky Security for Windows Server from Kaspersky Security

Center
You can centrally manage several protected devices with Kaspersky Security for Windows Server installed and
included in an administration group by means of the Kaspersky Security for Windows Server Administration Plug-in.
Kaspersky Security Center also lets you separately con gure the operation settings of each protected device
included in the administration group.

An administration group is created manually on Kaspersky Security Center and includes several devices with
Kaspersky Security for Windows Server installed, for which you want to con gure the same control and protection
settings. For details on using administration groups, see the Kaspersky Security Center Help.

Application settings for a single protected device are unavailable if the operation of Kaspersky Security for
Windows Server on that protected device is controlled by an active Kaspersky Security Center policy.

Kaspersky Security for Windows Server can be managed from Kaspersky Security Center in the following ways:

Using Kaspersky Security Center policies. Kaspersky Security Center policies can be used to remotely
con gure the same protection settings for a group of devices. Task settings speci ed in the active policy have
priority over task settings con gured locally in the Application Console or remotely in the Properties:
<Protected device name> window of Kaspersky Security Center.
You can use policies to con gure general application settings, Real-Time Server Protection task settings, Local
Activity Control tasks settings, Network Attached Storage Protection task settings, and scheduled system
task start settings.

Using Kaspersky Security Center group tasks. Kaspersky Security Center group tasks allow remote
con guration of common settings of tasks with an expiration period for a group of devices.

You can use group tasks to activate the application, con gure On-Demand Scan task settings, update task
settings, and Rule Generator for Applications Launch Control task settings.

Using tasks for a set of devices. Tasks for a set of devices allow remote con guration of common task
settings with a limited execution period for protected devices that do not belong to any one of an
administration groups.

Using the properties window of a single computer. In the Properties: <Protected device name> window, you
can remotely con gure the task settings for a single protected device included in an administration group. You
can con gure both general application settings and settings of all Kaspersky Security for Windows Server
tasks if the selected protected device is not controlled by an active Kaspersky Security Center policy.

Kaspersky Security Center makes it possible to con gure application settings and advanced features, and lets you
work with logs and noti cations. You can con gure these settings for a group of protected devices as well as for
an individual protected device.

Managing application settings

101
This section contains information about con guring Kaspersky Security for Windows Server general settings in
Kaspersky Security Center Web Console.

Navigation
Learn how to navigate to the required task settings via the chosen interface.

Opening the general settings via the policy

To open the application settings of the Kaspersky Security for Windows Server via the policy:

1. Expand the Managed devices node in the Kaspersky Security Center Administration Console tree.

2. Select the administration group for which you want to con gure the task.

3. Select the Policies tab.

4. Double-click the policy name you want to con gure.

5. In the Properties: <Policy name> window that opens, select the Application settings section.

6. Click the Settings button in the subsection of the setting, that you want to con gure.

Opening the general settings in the application properties window

To open the properties window of the Kaspersky Security for Windows Server for a single protected device:

1. Expand the Managed devices node in the Kaspersky Security Center Administration Console tree.

2. Select the administration group for which you want to con gure the task.

3. Select the Devices tab.

4. Open the Properties: <Protected device name> window in one of the following ways:

Double-click the name of the protected device.

Select the Properties item in the context menu of the protected device.

The Properties: <Protected device name> window opens.

5. In the Applications section, select Kaspersky Security 11 for Windows Server.

6. Click the Properties button.

The Kaspersky Security 11 for Windows Server settings window opens.

7. Select the Application settings section.

102
Con guring general application settings in Kaspersky Security Center
You can con gure Kaspersky Security for Windows Server general settings from Kaspersky Security Center for a
group of protected devices or for one protected device.

Con guring scalability and the interface in Kaspersky Security Center

To con gure scalability settings and the application interface:

1. Expand the Managed devices node in the Kaspersky Security Center Administration Console tree.

2. Select the administration group for which you want to con gure application settings.

3. Perform one of the following actions in the details pane of the selected administration group:

To con gure application settings for a group of protected devices, select the Policies tab and open the
Properties: <Policy name> window.

To con gure the application for a single protected device, select the Devices tab and open the Application
settings window.

If an active Kaspersky Security Center policy is applied to a device and blocks changes to application
settings, then these settings cannot be edited in the Application settings window.

4. In the Application settings section, in the Scalability, interface and scan settings subsection, click Settings.

5. In the Advanced application settings window on the General tab, con gure the following settings:

In the Scalability settings section, con gure the settings that de ne the number of processes used by
Kaspersky Security for Windows Server:

Automatically detect scalability settings

Set the number of working processes manually

Maximum number of active processes

Number of processes for real-time protection

Number of processes for background on-demand scan tasks

In the Interaction with user section, con gure whether the System Tray Icon will be displayed in the
noti cation area by clearing or selecting the Display System Tray Icon in the taskbar check box.

6. On the Hierarchical storage tab, select the option for accessing the hierarchical storage.

7. Click OK.

The con gured application settings are saved.

103
Con guring security settings in Kaspersky Security Center
To con gure security settings manually:

1. Expand the Managed devices node in the Kaspersky Security Center Administration Console tree.

2. Select the administration group for which you want to con gure application settings.

3. Perform one of the following actions in the details pane of the selected administration group:

To con gure application settings for a group of protected devices, select the Policies tab and open the
Properties: <Policy name> window.

To con gure the application for a single protected device, select the Devices tab and open the Application
settings window.

If an active Kaspersky Security Center policy is applied to a device and blocks changes to application
settings, then these settings cannot be edited in the Application settings window.

4. In the Application settings section, click the Settings button in the Security subsection.

5. In the Security settings window, con gure the following settings:

In the Reliability settings section, con gure the settings for recovery of Kaspersky Security for Windows
Server tasks when the application returns an error or terminates.

Perform task recovery

Recover on-demand scan tasks no more than (times)

In the Actions when switching to UPS backup power section, specify limitations on protected device load
created by Kaspersky Security for Windows Server after switching to UPS power:

Do not start scheduled scan tasks

Stop current scan tasks

In the Password protection settings section, set a password to protect access to Kaspersky Security for
Windows Server functions.

6. Click OK.

The scalability and reliability settings are saved.

Con guring connection settings using Kaspersky Security Center

The con gured connection settings are used to connect Kaspersky Security for Windows Server to update and
activation servers and during integration of applications with KSN services.

To con gure the connection settings take the following steps:

104
1. Expand the Managed devices node in the Kaspersky Security Center Administration Console tree.

2. Select the administration group for which you want to con gure application settings.

3. Perform one of the following actions in the details pane of the selected administration group:

To con gure application settings for a group of protected devices, select the Policies tab and open the
Properties: <Policy name> window.

To con gure the application for a single protected device, select the Devices tab and open the Application
settings window.

If an active Kaspersky Security Center policy is applied to a device and blocks changes to application
settings, then these settings cannot be edited in the Application settings window.

4. In the Application settings section click the Settings button in the Connections subsection.
The Connection settings window opens.

5. In the Connection settings window, con gure the following settings:

In the Proxy server settings section, select the proxy server usage settings:

Do not use proxy server .

Use speci ed proxy server settings .

IP address or symbolic name of the proxy server and the port number.

Do not use proxy server for local addresses .

In the Proxy server authentication settings section, specify the authentication settings:

Select the authentication settings in the drop-down list.

Do not use authentication – authentication is not performed. This mode is selected by default.

Use NTLM authentication – authentication is performed using the NTLM network authentication
protocol developed by Microsoft.

Use NTLM authentication with user name and password – authentication is performed with a user
name and password using the NTLM network authentication protocol developed by Microsoft.

Apply user name and password – authentication is performed using the user name and password.

Enter the user name and password, if needed.

In the Licensing section clear or select the Use Kaspersky Security Center as a proxy server when
activating the application.

6. Click OK.

The con gured connection settings are saved.

105
Con guring scheduled start of local system tasks
You can use policies to allow or block start of the local system On-Demand Scan task and the Update task
according to the schedule con gured locally on each protected device in the administration group:

If the scheduled start of a speci c type of local system task is prohibited by a policy, these tasks will not be
performed on the protected device according to the schedule. You can start local system tasks manually.

If the scheduled start of a speci c type of local system task is allowed by a policy, these tasks will be performed
in accordance with the scheduled parameters con gured locally for this task.

By default, start of local system tasks is prohibited by policy.

We recommend that you do not allow local system tasks to start if updates or on-demand scans are
administered by Kaspersky Security Center group tasks.

If you do not use group update or on-demand scan tasks, allow local system tasks to be started in the policy:
Kaspersky Security for Windows Server will perform application database and module updates, and start all local
system on-demand scan tasks in accordance with the default schedule.

You can use policies to allow or block the scheduled start of the following local system tasks:

On-Demand Scan tasks: Critical Areas Scan, Quarantine Scan, Scan at Operating System Startup, Application
Integrity Control, Baseline File Integrity Monitor.

Update tasks: Database Update, Software Modules Update, Copying Updates.

If the protected device is excluded from the administration group, the system tasks schedule will be enabled
automatically.

To allow or block the scheduled start of Kaspersky Security for Windows Server system tasks in a policy take the
following steps:

1. In the Managed devices node in the Administration Console tree, expand the required group and select the
Policies tab.

2. On the Policies tab, in the context menu of the policy for which you want to con gure the scheduled start of
Kaspersky Security for Windows Server system tasks on the group of protected devices, select the Properties
item.

3. In the Properties: <Policy name> window, open the Application settings section. In the Run system tasks
section, click the Settings button and do the following:

Select the Allow on-demand scan tasks launch and Allow update tasks and Copying Update task launch
check boxes to allow the scheduled launch of the listed tasks.

Clear the Allow on-demand scan tasks launch and Allow update tasks and Copying Update task launch
check boxes to disable the scheduled launch of the listed tasks.

Selecting or clearing the check box will not a ect the start settings of any local custom tasks of this type.

106
4. Make certain that the policy you are con guring is active and applied to the selected group of protected
devices.

5. Click OK.

The con gured scheduled task start settings are applied for the selected tasks.

Con guring Quarantine and Backup settings in Kaspersky Security Center

To con gure general Backup settings in Kaspersky Security Center:

1. Expand the Managed devices node in the Kaspersky Security Center Administration Console tree.

2. Select the administration group for which you want to con gure application settings.

3. Perform one of the following actions in the details pane of the selected administration group:

To con gure application settings for a group of protected devices, select the Policies tab and open the
Properties: <Policy name> window.

To con gure the application for a single protected device, select the Devices tab and open the Application
settings window.

If an active Kaspersky Security Center policy is applied to a device and blocks changes to application
settings, then these settings cannot be edited in the Application settings window.

4. In the Supplementary section, click the Settings button in the Storages subsection.

5. Use the Backup tab of the Storages settings window to con gure the following Backup settings:

To specify the backup folder, use the Backup folder eld to select the required folder on the local drive of
the protected device, or enter its full path.

To set the maximum size of Backup, select the Maximum Backup size (MB) check box and specify the
relevant value in megabytes in the entry eld.

To set the threshold of free space in Backup, de ne the value of the Maximum Backup size (MB) setting,
select the Threshold value for space available (MB) check box, and specify the minimum value of free
space in the Backup folder in megabytes.

To specify a folder for restored objects, select the relevant folder on a local drive of the protected device in
the Restoration settings section, or enter the name of the folder and the full path to it in the Target folder
for restoring objects eld.

6. In the Storages settings window on the Quarantine tab, con gure the following Quarantine settings:

To change the Quarantine folder, in the Quarantine folder entry eld specify the complete path to the
folder on the local drive of the protected device.

To set the maximum Quarantine size, select the Maximum Quarantine size (MB) check box and specify the
value of this parameter in megabytes in the entry eld.

To set the minimum amount of free space in Quarantine, select the Maximum Quarantine size (MB) check
box and the Threshold value for space available (MB) check box, and then specify the value of this
107
 parameter in megabytes in the entry eld.

To change the folder to which objects are restored from Quarantine, in the Target folder for restoring
objects entry eld specify the complete path to the folder on the local drive of the protected device.

7. Click OK.

The con gured Quarantine and Backup settings are saved.

Creating and con guring policies

This section provides information on using Kaspersky Security Center policies for managing Kaspersky Security
for Windows Server on several protected devices.

Global Kaspersky Security Center policies can be created for managing protection on several device where
Kaspersky Security for Windows Server is installed.

A policy enforces the Kaspersky Security for Windows Server settings, functions and tasks speci ed in it on all the
protected devices for one administration group.

Several policies for one administration group can be created and enforced in turns. The policy currently active for a
group has active status in Administration Console.

Information on policy enforcement is logged in the Kaspersky Security for Windows Server system audit log. This
information can be viewed in the Application Console in the System audit log node.

Kaspersky Security Center o ers one way to apply policies on protected devices: Prohibit changing the settings.
After a policy has been applied, Kaspersky Security for Windows Server uses the values of settings for which you
have selected the icon in the policy properties on protected devices instead of the values of those settings in
e ect before the policy was applied. Kaspersky Security for Windows Server does not apply the values of active
policy settings for which the icon is selected in the policy properties.

If a policy is active, the values of settings marked with the icon in the policy are displayed in the Application
Console but cannot be edited. The values of other settings (marked with the icon in the policy) can be edited in
the Application Console.

The settings con gured in the active policy and marked with the icon also block changes in Kaspersky Security
Center for one protected device in the Properties: <Protected device name> window.

Settings that are speci ed and sent to the protected device using an active policy are saved in the local task
settings after the active policy is disabled.

If the policy de nes the settings for any Real-Time Server Protection task or Network Attached Storage
Protection task, and if such a task is currently running, then the settings de ned by the policy will be modi ed as
soon as the policy is applied. If the task is not running, the settings are applied when it starts.

Creating a policy
The process of creating a policy involves the following steps:

108
 1. Creating a policy using the policy wizard. Real-Time Server Protection tasks settings can be con gured using
the wizard dialogs.

2. Con guring policy settings. In the Properties: <Policy name> window of the created policy, you can de ne the
Real-Time Server Protection tasks settings, the general settings of Kaspersky Security for Windows Server, the
Quarantine and Backup settings, the level of detail for task logs, as well as user and administrator noti cations
about Kaspersky Security for Windows Server events.

To create a policy for a group of protected devices running the installed Kaspersky Security for Windows Server:

1. Expand the Managed devices node in the Kaspersky Security Center Administration Console tree, then select
the administration group containing the protected devices for which you wish to create a policy.

2. In the details pane of the selected administration group, select the Policies tab and click the Create a policy
link to start the wizard and create a policy.
The New Policy Wizard window opens.

3. In the Select the application for which you want to create a group policy window, select Kaspersky Security
for Windows Server and click Next.

4. Enter a group policy name in the Name eld.

The policy name cannot contain the following symbols: " * < : > ? \ | .

5. To apply a policy con guration used in a previous version of the application:

a. Select the Use settings from policy for previous versions of application check box.

b. Click the Select button.

c. Select the policy you want to apply.

d. Click Next.

6. In the Operation type selection window, select one of the following options:

New, to create a new policy with default settings.

Import policy created with previous versions of Kaspersky Security for Windows Server, to use the
imported policy as a template.

Click Browse and select a con guration le with an existing policy.

7. In the Real-time server protection window, con gure the Real-Time File Protection, KSN Usage tasks, Exploit
Prevention, and Script Monitoring as required. Allow or block the use of con gured policy tasks on protected
devices on the network:

Click the button to allow changes to task settings on network protected devices and block the application
of task settings con gured in the policy.

Click the button to deny changes to task settings on network protected devices and allow the application
of task settings con gured in the policy.

The newly created policy uses the default settings of Real-Time Server Protection tasks.

109
 To edit the default settings of the Real-Time File Protection task, click the Settings button in the Real-Time
File Protection subsection. In the window that opens, con gure the task according to your needs. Click OK.

To edit the default settings of the KSN Usage task, click the Settings button in the KSN Usage subsection.
In the window that opens, con gure the task according to your needs. Click OK.

To start the KSN Usage task, you need to accept the KSN Statement in the KSN data handling window.

To edit the default settings of the Exploit Prevention component, click the Settings button in the Exploit
Prevention subsection. In the window that opens, con gure the functionality according to your needs. Click
OK.

8. Select one of the following policy statuses in the Create the group policy for the application window:

Active policy if you want to apply the policy immediately after it is created. If an active policy already exists
in the group, it is deactivated and a new policy is applied.

Inactive policy if you do not want to apply the created policy immediately. In this case the policy may be
activated later.

Select the Open policy properties immediately after they are created check box to automatically close
the New Policy Wizard and con gure the newly created policy after clicking the Next button.

9. Click the Finish button.

The created policy appears in the list of policies on the Policies tab of the selected administration group. In the
Properties: <Policy name> window, you can con gure other settings, tasks and functions of Kaspersky Security
for Windows Server.

Kaspersky Security for Windows Server policy settings sections

General

In the General section, you can con gure the following policy settings:
Indicate the policy status.

Con gure the inheritance settings for parent and child policies.

Event con guration

In the Event con guration section, you can con gure settings for the following event categories:
Critical events

Functional failure

Warning

Informational message
You can use the Properties button to con gure the following settings for the selected events:

110
 Indicate the storage location and retention period for information about logged events.

Indicate the noti cation method for logged events.

Application settings

Settings of the Application Settings section

Section Options

Scalability, In the Scalability, interface and scan settings subsection, you can click the Settings
interface and button to con gure the following settings:
scan settings
Choose whether to con gure scalability settings automatically or manually.

Con gure the application icon display settings.

Security In the Security subsection, you can click the Settings button to con gure the following
settings:
Con gure the task run settings.

Specify how the application should behave when the protected device is running on
UPS power.

Enable or disable password-protection of application functions.

Connections In the Connections subsection, you can use the Settings button to con gure the
following proxy server settings for connecting with update servers, activation servers,
and KSN:
Con gure the proxy server settings.

Specify the proxy server authentication settings.

Run system In the Run system tasks subsection, you can use the Settings button to allow or block
tasks the start of the following system tasks according to a schedule con gured on
protected devices:
On-Demand Scan task.

Update tasks and Copying Update task.

Supplementary

Settings of the Supplementary section

Section Options

Trusted Zone Click the Settings button on the Trusted Zone subsection to con gure the
following Trusted Zone application settings:
Create a list of Trusted Zone exclusions.

Enable or disable scanning of le backup operations.

Create a list of trusted processes.

111
 Removable Drives Scan In the Removable Drives Scan subsection, you can use the Settings button to
con gure scan settings for removable USB drives.

User access permissions In the User access permissions for application management subsection, you
for application can con gure user rights and user group rights to manage Kaspersky Security
management for Windows Server.

User access permissions In the User access permissions for Security Service management
for Security Service subsection, you can con gure user rights and user group rights to manage the
management Kaspersky Security Service.

Storages In the Storages subsection, click the Settings button to con gure the
following Quarantine, Backup and Blocked Hosts settings:
Specify the path to the folder where you want to place Quarantine or
Backup objects.

Con gure the maximum size of Backup and Quarantine and also specify the
free space threshold.

Specify the path to the folder where you want to place objects restored
from Quarantine or Backup.

Con gure transmission of information about Quarantine and Backup

objects to Administration Server.

Con gure how long hosts are blocked.

Real-time server protection

Settings of the Real-Time Server Protection section

Section Options

Real-Time File In the Real-Time File Protection subsection, you can click the Settings button to
Protection con gure the following task settings:
Indicate the protection mode.

Con gure use of the Heuristic Analyzer.

Con gure use of the Trusted Zone.

Indicate the protection scope.

Set the security level for the selected protection scope: you can select a prede ned
security level or con gure the security settings manually.

Con gure the task start settings.

KSN Usage In the KSN Usage subsection, you can click the Settings button to con gure the following
task settings:
Indicate the actions to perform on KSN untrusted objects.

Con gure data transfer and usage of Kaspersky Security Center as a KSN proxy server.

112
 Click the Data processing button to accept or reject the KSN Statement and KMP
Statement, and con gure data exchange settings.

Tra ic In the Tra ic Security subsection, you can click the Settings button to con gure the
Security following task settings:

Con gure the task mode.

Con gure the malware protection.

Enable mail threat protection, anti-phishing and URL processing.

Click the Rules list to set up web control rules or apply prede ned categorization rules.

Exploit In the Exploit Prevention subsection, you can click the Settings button to con gure the
Prevention following task settings:
Select the process memory protection mode.

Indicate the actions to reduce exploit risks.

Add to and edit the list of protected processes.

Script In the Script Monitoring subsection, click the Settings button to con gure the following
Monitoring task run settings:
Allow or block execution of probably dangerous scripts.

Con gure the use of Heuristic Analyzer.

Con gure application of the trusted zone.

Con gure the task run settings.

Local activity control

Settings of the Local Activity Control section

Section Options

Applications In the Applications Launch Control subsection, you can use the Settings button to
Launch Control con gure the following task settings:
Select the task operating mode.

Con gure settings for controlling subsequent application launches.

Indicate the scope of the Applications Launch Control rules.

Con gure use of KSN.

Con gure the task start settings.

Device Control In the Device Control subsection, you can click the Settings button to con gure the
following task settings:

113
 Select the task operating mode.

Con gure the task start settings.

Network attached storage protection

Settings of Network Attached Storage Protection section

Section Options

Real-Time File In the Real-Time File Protection (RPC) subsection, you can click the Settings
Protection (RPC) button to con gure the following settings:
Heuristic analyzer usage.

Network attached storage connection settings.

Task protection scope.

Real-Time File In the Real-Time File Protection (ICAP) subsection, you can click the Settings
Protection (ICAP) button to con gure the following settings:
ICAP service connection settings.

Integration with other components.

Security level.

Anti-Cryptor for In the Anti-Cryptor for NetApp subsection, you can click the Settings button to
NetApp con gure the following settings:
Task mode.

Heuristic analyzer usage.

Connection and authentication settings.

Specify exclusions from the protection scope.

Network activity control

Settings of the Network activity control section

Section Options

Firewall In the Firewall Management subsection, you can click the Settings button to con gure
Management the following task settings:
Con gure rewall rules.

Con gure the task start settings.

Anti-Cryptor In the Anti-Cryptor subsection, you can click the Settings button to con gure the
following task settings:

114
 Con gure the Anti-Cryptor protection scope.

Con gure the task start settings.

System inspection

Settings of the System Inspection section

Section Options

File In the File Integrity Monitor subsection, you can con gure control over changes in les that
Integrity can signify a security breach on a protected device.
Monitor

Log In the Log Inspection section, you can con gure a protected device integrity monitoring
Inspection based on the results of an analysis of the Windows Event Log.

Logs and noti cations

Settings of the Logs and Noti cations section

Section Options

Task logs In the Task logs subsection, you can click the Settings button to con gure the following
settings:
Specify the importance level of the logged events for the selected software
components.

Specify the task log storage settings.

Specify the SIEM integration with Kaspersky Security Center settings.

Event In the Event noti cations subsection, you can click the Settings button to con gure the
noti cations following settings:
Specify the user noti cation settings for the Object detected, Untrusted mass
storage detected and restricted, and Host listed as untrusted events.

Specify the administrator noti cation settings for any event selected in the event list
in the Noti cation settings section.

Interaction In the Interaction with Administration Server subsection, you can click the Settings
with button to select the types of objects that Kaspersky Security for Windows Server will
Administration report to Administration Server.
Server

To review the detailed information about Network Attached Storage Protection tasks, see the Kaspersky
Security for Windows Server Implementation Guide for Network Storages Protection.

Revision history

115
In the Revision history section, you can manage revisions: compare with the current revision or other policy, add
descriptions of revisions, save revisions to a le or perform a rollback.

Con guring a policy

In the Properties: <Policy name> window of an existing policy, you can con gure general Kaspersky Security for
Windows Server settings, quarantine and backup settings, Trusted Zone settings, Real-Time Server Protection
settings, Local Activity Control settings, the level of detail for task logs, as well as user and administrator
noti cations about Kaspersky Security for Windows Server events and access privileges for managing the
application and the Kaspersky Security Service.

To con gure the policy settings:

1. Expand the Managed devices node in the tree of the Administration Console of Kaspersky Security Center.

2. Expand the administration group, for which you want to con gure the associated policy settings, and open the
Policies tab in the details pane.

3. Select a policy you want to con gure and open the Properties: <Policy name> window using one of the
following methods:

By selecting the Properties option in the policy's context menu.

By clicking the Con gure policy link in the right details pane of the selected policy.

By double-clicking the selected policy.

4. On the General tab in the Policy status section, enable or disable the policy. To do so, select one of the options
below:

Active policy, if you want the policy to be applied on all protected devices within the selected
administration group.

Inactive policy, if you want to activate the policy later on all protected devices within the selected
administration group.

The Out-of-o ice policy setting is not available when you manage Kaspersky Security for Windows
Server.

5. In the Event noti cation, Application settings, Supplementary, Logs and noti cations, and Revision history
sections, you can modify the application con guration (see table below).

6. In the Real-time server protection, Local activity control, Network activity control, and System inspection
sections, con gure the application settings and application launch settings (see the table below).

You can enable or disable the execution of any task on all protected devices within the administration
group by means of a Kaspersky Security Center policy.

You can con gure the application of policy settings on all network protected devices for each individual
software component.

116
 7. Click OK.

The con gured settings are applied in the policy.

Creating and con guring tasks using Kaspersky Security Center

This section contains information about Kaspersky Security for Windows Server tasks, and how to create them,
con gure task settings, and start and stop them.

About task creation in Kaspersky Security Center

You can create group tasks for administration groups and sets of protected devices. You can create the following
types of tasks:

Activation of the Application

Copying Updates

Database Update

Software Modules Update

Rollback of Database Update

On-Demand Scan

Application Integrity Control

Baseline File Integrity Monitor

Rule Generator for Applications Launch Control

Rule Generator for Device Control

You can create local and group tasks in the following ways:

for one protected device: in the Properties <Protected device name> window in the Tasks section.

for an administration group: in the details pane of the node of the selected group of protected devices on the
Tasks tab.

for a set of protected devices: in the details pane of the Device selections node.

You can use policies to disable schedules for update and On-Demand Scan local system tasks on all protected
devices in the same administration group.

General information on tasks in Kaspersky Security Center is provided in the Kaspersky Security Center Help.

Creating a task using Kaspersky Security Center

117
To create a new task in the Kaspersky Security Center Administration Console:

1. Start the task wizard in one of the following ways:

To create a local task:

a. Expand the Managed devices node in the Administration Console tree and select the group that the
protected device belongs to.

b. In the details pane, on the Devices tab, open the context menu of the protected device and select
Properties.

c. In the window that opens, click the Add button in the Tasks section.

To create a group task:

a. Expand the Managed devices node in the Kaspersky Security Center Administration Console tree.

b. Select the administration group for which you want to create a task.

c. In the details pane, open the Tasks tab and select Create a task.

To create a task for a custom set of protected devices:

a. Expand the Managed devices node in the Kaspersky Security Center Administration Console tree.

b. Select the administration group containing the protected devices.

c. Select a protected device or a custom set of protected devices.

d. From the Perform action drop-down list, select the Create a task option.

The task wizard window opens.

2. In the Select the task type window, under the heading Kaspersky Security 11 for Windows Server, select the
type of the task to be created.

3. If you selected any task type except Rollback of Database Update, Application Integrity Control or Activation
of the Application, the Settings window opens. Depending on the task type, the settings may vary:

Create an On-Demand Scan task.

To create an update task, con gure task settings based on your requirements:

a. Select an update source in the Update source window.

b. Click the Connection settings button. The Connection settings window opens.

c. On the Connection settings window:

Specify the FTP server mode for connecting to the protected device.
Modify the connection timeout when connecting to the update source, if required.
Con gure proxy server access settings when connecting to the update source.
Specify the location of the protected device(s) to optimize update downloads.

118
 To create a Software Modules Update task, con gure the required application module update settings in the
Settings for application software module updates window:

a. Select whether to copy and install critical software module updates, or only to check for their availability
without installation.

b. If Copy and install critical software modules updates is selected: a protected device restart may be
required to apply the installed software modules. If you wish Kaspersky Security for Windows Server to
restart the protected device automatically upon task completion, select the Allow operating system
restart check box.

c. To obtain information about Kaspersky Security for Windows Server module upgrades, select Receive
information about available scheduled software modules updates.
Kaspersky does not publish planned update packages on the update servers for automatic installation;
these can be downloaded manually from the Kaspersky website. An administrator noti cation about the
New scheduled software modules update is available event can be con gured. This will contain the
URL of our website from which scheduled updates can be downloaded.

To create the Copying Updates task, specify the set of updates and the destination folder in the Copying
updates settings window.

To create the Activation of the Application task:

a. In the Activation Settings window, specify the key le or activation code that you want to use to
activate the application.

b. Select the Use as additional key check box if you want to create a task for renewing the license.

Create the Rule Generator for Applications Launch Control task.

Create the Rule Generator for Device Control task.

4. Con gure the task schedule (you can con gure a schedule for all task types except the Rollback of Database
Update task).

5. Click OK.

6. If the task is being created for a set of protected devices, select the network (or group) of protected devices
on which this task will be executed.

7. In the Selecting an account to run the task window, specify the account under which you want to run the task.

8. In the De ne the task name window, enter the task name (no longer than 100 characters) not containing the
symbols " * < > ? \ | : .
We recommend that you add the task type to the task's name (for example, "On-demand scan of shared
folders").

9. In the Finishing creating the task window, select the Run task after Wizard nishes check box if you want the
task to be started as soon as it has been created. Click the Finish button.

The task created is displayed in the Tasks list.

Con guring local tasks in the Application settings window of the Kaspersky
Security Center
119
To con gure local tasks or general application settings for a single network protected device:

1. Expand the Managed devices node in the tree of the Administration Server of Kaspersky Security Center and
select the group that the protected device belongs to.

2. In the details pane, select the Devices tab.

3. Open the Properties: <Protected device name> window in one of the following ways:

Double-click the name of the protected device.

Open the context menu of the protected device name and select the Properties item.

The Properties: <Protected device name> window opens.

4. To con gure local task settings, perform the following steps:

a. Go to the Tasks section.

b. In the task list, select a local task to con gure:

Double-click the task name in the list of tasks.

Select the task name and click the Properties button.

Select Properties in the context menu of the selected task.

The Properties: <Task name> window opens.

5. To con gure application settings, perform the following steps:

a. Go to the Applications section.

b. In the installed applications list, select an application to con gure:

Double-click the application name in the list of installed applications.

Select the application name in the list of installed applications and click the Properties button.

Open the context menu of the application name in the list of installed applications and select the
Properties item.
The <Application name> settings window opens.

If the application is currently under the Kaspersky Security Center policy and this policy prohibits
changing the application settings, these settings cannot be edited via the <Application name> settings
window.

Con guring group tasks in Kaspersky Security Center

When managing Kaspersky Security for Windows Server from Kaspersky Security Center Cloud Console, you
can not add custom HTTP and FTP servers or network folders manually.

120
To con gure a group task for multiple protected devices:

1. In the Kaspersky Security Center Administration Console tree, expand the Managed devices node and select
the administration group for which you want to con gure the application tasks.

2. On the details pane of a selected administration group, open the Tasks tab.

3. In the list of previously created group tasks, select a task you want to con gure. Open the Properties: <Task
name> window in one of the following ways:

Double-click the name of the task in the list of created tasks.

Select the name of the task in the list of created tasks and click the Con gure task link.

Open the context menu of the task name in the list of created tasks and select the Properties item.

In the Noti cation section, con gure the task event noti cation settings. For detailed information
regarding con guring the settings in this section, see the Kaspersky Security Center Help.

4. Depending on the type of con gured task, do one of the following actions:

To con gure an On-Demand Scan task:

a. In the Scan scope section, con gure a scan scope.

b. In the Options section, con gure the task priority level and integration with other software components.

To con gure an update task, adjust the task settings based on your requirements:

a. In the Settings section, con gure update source settings and disk subsystem optimization.

b. Click the Connection settings button to con gure update source connection settings.

To con gure the Software Modules Update task, in the Settings for application software module updates
section, choose an action to perform: copy and install critical updates of software modules or only check for
them.

To con gure the Copying Updates task, specify the set of updates and the destination folder in the
Copying updates settings section.

To con gure the Activation of the Application task, in the Activation Settings section apply the key le or
activation code that you want to use to activate the application. Select the Use as additional key check box
if you want to add an activation code or key le for renewing the license.

To con gure the automatic generation of allowing rules for Device Control, in the Settings section, specify
the settings that will be used to create the list of allowing rules.

5. Con gure the task schedule in the Schedule section (you can con gure a schedule for all task types except
Rollback of Database Update).

6. In the Account section, specify the account whose rights will be used to run the task. For detailed information
regarding con guring settings in this section, see the Kaspersky Security Center Help.

7. If required, specify the objects to exclude from the task scope in the Exclusions from task scope section. For
detailed information regarding con guring settings in this section, see the Kaspersky Security Center Help.

121
 8. In the Properties: <Task name> window, click OK.

The newly con gured group task settings are saved.

Con gurable group task settings are summarized in the table below.

Kaspersky Security for Windows Server group tasks settings

Kaspersky Section in the Task settings

Security for Properties:
Windows <Task name>
Server task window
types

Rule Settings While con guring the Rule Generator for Applications Launch Control task
Generator settings you can select how to create allowing rules:
for
Create allowing rules based on running applications
Applications
Launch
Create allowing rules for applications from the folders
Control

Options You can specify actions to perform while creating allowing rules for
applications launch control:
Use digital certi cate

Use digital certi cate subject and thumbprint

If the certi cate is missing, use

Use SHA256 hash

Generate rules for user or group of users

You can con gure settings for con guration les with allowing rule lists
that Kaspersky Security for Windows Server creates upon task
completion.

Schedule You can con gure settings to start the task on a schedule.

Rule Settings
Select the operation mode: consider system data about all external
Generator
devices that have ever been connected or only consider currently
for Device
connected external devices.
Control
Con gure settings for con guration les with allowing rule lists that
Kaspersky Security for Windows Server creates upon task completion.

Schedule You can con gure settings to start the task on a schedule.

Activation Activation To activate the application or to renew the license, you can add an
of the Settings activation code or a key le.
Application
Schedule You can con gure settings to start the task on a schedule.

Copying Update You can specify Kaspersky Security Center Administration Server or
Updates source Kaspersky update servers as an application update source. You can also
create a customized list of update sources: by adding custom HTTP and
FTP servers or network folders manually and setting them as update
sources.

122
 You can specify the usage of Kaspersky update servers, if manually
customized servers are not available.

Connection In the Connection settings window linked from the Update source section,
settings you can specify whether a proxy server should be used to establish the
window connection to Kaspersky update servers or any other server.

Copying You can specify the set of updates intended for copying.
updates
In the Folder for local storage of copied updates eld, specify a path to
settings
the folder that will be used by Kaspersky Security for Windows Server to
store copied updates.

Schedule You can con gure settings to start the task on a schedule.

Database Settings You can specify Kaspersky Security Center Administration Server or
Update Kaspersky update servers as an application update source in the Update
source group box. You can also create a customized list of update sources:
by adding custom HTTP and FTP servers or network folders manually and
setting them as update sources.
You can specify the usage of Kaspersky update servers if manually
customized servers are not available.
In the Disk I/O usage optimization section you can con gure the feature
that reduces the workload on the disk subsystem:
Lower the load on the disk I/O

RAM used for optimization (MB)

Connection In the Connection settings window linked from the Update source section,
settings you can specify whether a proxy server should be used to establish the
window connection to Kaspersky update servers or any other server.

Schedule You can con gure settings to start the task on a schedule.

Software Update You can specify Kaspersky Security Center Administration Server or
Modules source Kaspersky update servers as an application update source. You can also
Update create a customized list of update sources: by adding custom HTTP and
FTP servers or network folders manually and setting them as update
sources.
You can specify the usage of Kaspersky update servers, if manually
customized servers are not available.

Connection In the Update source connection settings group box, you can specify
settings whether a proxy server should be used to establish the connection to
window Kaspersky update servers or any other server.

Settings You can specify which actions Kaspersky Security for Windows Server
for should perform when critical software module updates are available or have
application already been installed, and also whether Kaspersky Security for Windows
software Server should receive information regarding scheduled updates.
module
updates

Schedule You can con gure settings to start the task on a schedule.

On-Demand Scan scope You can specify a scan scope for the On-Demand Scan task and con gure
Scan security level settings.
Settings
On- In the On-demand scan settings window linked from the Scan scope
demand section, you can select one of the prede ned security levels or customize a
scan security level manually.

123
 settings
window

Options You can activate or deactivate use of the heuristic analyzer for the On-
Demand Scan task and set the analysis level using a slider in the Heuristic
analyzer group box.
In the Integration with other components group box, you can con gure the
following settings:
Apply Trusted Zone for On-Demand Scan tasks.

Apply KSN usage for On-Demand Scan tasks.

Set a priority for the On-Demand Scan task: perform task in background
mode (low priority) or consider task a Critical Areas Scan.

Schedule You can con gure settings to start the task on a schedule.

Application Schedule You can con gure settings to start the task on a schedule.
Integrity
Control

Baseline File Schedule You can con gure settings to start the task on a schedule.
Integrity
Monitor

For the Rollback of Database Update task, you can con gure only the standard task settings controlled by
Kaspersky Security Center in the Noti cation and Exclusions from task scope sections.

For detailed information regarding con guring the settings in these sections, see the Kaspersky Security Center
Help.

Activation of the Application task

To con gure an Activation of the Application task:

1. In the Kaspersky Security Center Administration Console tree, expand the Managed devices node and select
the administration group for which you want to con gure the application tasks.

2. On the details pane of a selected administration group, open the Tasks tab.

3. In the list of previously created group tasks, select a task you want to con gure. Open the Properties: <Task
name> window in one of the following ways:

Double-click the name of the task in the list of created tasks.

Select the name of the task in the list of created tasks and click the Con gure task link.

Open the context menu of the task name in the list of created tasks and select the Properties item.

In the Noti cation section, con gure the task event noti cation settings. For detailed information
regarding con guring the settings in this section, see the Kaspersky Security Center Help.

124
4. In the Activation Settings section, specify the key le that you want to use to activate the application. Select
the Use as additional key check box if you want to add a key to extend the license.

5. Con gure the task schedule in the Schedule section (you can con gure a schedule for all task types except
Rollback of Database Update).

6. In the Account section, specify the account whose rights will be used to run the task.

7. If required, specify the objects to exclude from the task scope in the Exclusions from task scope section.

For detailed information regarding con guring settings in these sections, see the Kaspersky Security
Center Help.

8. In the Properties: <Task name> window, click OK.

The newly con gured group task settings are saved.

Update tasks
To con gure the Copying Updates, Database Update, or Software Modules Update tasks:

1. In the Kaspersky Security Center Administration Console tree, expand the Managed devices node and select
the administration group for which you want to con gure the application tasks.

2. On the details pane of a selected administration group, open the Tasks tab.

3. In the list of previously created group tasks, select a task you want to con gure. Open the Properties: <Task
name> window in one of the following ways:

Double-click the name of the task in the list of created tasks.

Select the name of the task in the list of created tasks and click the Con gure task link.

Open the context menu of the task name in the list of created tasks and select the Properties item.

In the Noti cation section, con gure the task event noti cation settings. For detailed information
regarding con guring the settings in this section, see the Kaspersky Security Center Help.

4. Depending on the type of con gured task, do one of the following actions:

In the Update source section, con gure update source settings and disk subsystem optimization.

a. You can specify Kaspersky Security Center Administration Server or Kaspersky update servers as an
application update source in the Update source section. You can also create a customized list of update
sources: by adding custom HTTP and FTP servers or network folders manually and setting them as
update sources.
You can specify the usage of Kaspersky update servers, if manually customized servers are not available.

To use an SMB-shared folder as an update source, you need to specify a user account to start a
task.

125
 b. In the Disk I/O usage optimization section for the Database Update task, you can con gure the feature
that reduces the workload on the disk subsystem:

Lower the load on the disk I/O

RAM used for optimization (MB)

c. Click the Connection settings button, and in the Connection settings window that opens, con gure
the use of a proxy server for connecting to Kaspersky update servers and other servers.

In the Settings for application software module updates section for the Software Modules Update task,
you can specify which actions Kaspersky Security for Windows Server should perform when critical
software module updates are available or information about planned updates is available, and you can also
specify which actions Kaspersky Security for Windows Server should perform when critical updates are
installed.

Specify the set of updates and the destination folder in the Copying updates settings section for the
Copying Updates task.

5. Con gure the task schedule in the Schedule section (you can con gure a schedule for all task types except
Rollback of Database Update).

6. In the Account section, specify the account whose rights will be used to run the task.

For detailed information regarding con guring settings in these sections, see the Kaspersky Security
Center Help.

7. In the Properties: <Task name> window, click OK.

The newly con gured group task settings are saved.

For the Rollback of Database Update task, you can con gure only the standard task settings controlled by
Kaspersky Security Center in the Noti cations and Exclusions from task scope sections. For detailed
information regarding con guring the settings in these sections, see the Kaspersky Security Center Help.

Application Integrity Control

To con gure the Application Integrity Control group task:

1. In the Kaspersky Security Center Administration Console tree, expand the Managed devices node and select
the administration group for which you want to con gure the application tasks.

2. On the details pane of a selected administration group, open the Tasks tab.

3. In the list of previously created group tasks, select a task you want to con gure. Open the Properties: <Task
name> window in one of the following ways:

Double-click the name of the task in the list of created tasks.

Select the name of the task in the list of created tasks and click the Con gure task link.

Open the context menu of the task name in the list of created tasks and select the Properties item.

126
 In the Noti cation section, con gure the task event noti cation settings. For detailed information
regarding con guring the settings in this section, see the Kaspersky Security Center Help.

4. In the Devices section, select the devices for which you want to con gure the Application Integrity Control
task.

5. Con gure the task schedule in the Schedule section (you can con gure a schedule for all task types except
Rollback of Database Update).

6. In the Account section, specify the account whose rights will be used to run the task.

7. If required, specify the objects to exclude from the task scope in the Exclusions from task scope section.

For detailed information regarding con guring settings in these sections, see the Kaspersky Security
Center Help.

8. In the Properties: <Task name> window, click OK.

The newly con gured group task settings are saved.

Con guring crash diagnostics settings in Kaspersky Security Center

If a problem occurs during operation of Kaspersky Security for Windows Server (for example, Kaspersky Security
for Windows Server crashes) and you want to diagnose it, you can enable the creation of trace les and a dump le
for the Kaspersky Security for Windows Server process and send these les for analysis to Kaspersky Technical
Support.

Kaspersky Security for Windows Server does not send any trace or dump les automatically. Diagnostic data
can only be sent by a user who has the required permissions.

Kaspersky Security for Windows Server writes information to trace les and the dump le in unencrypted
form. The folder where les are saved is selected by the user and managed by the operating system
con guration and Kaspersky Security for Windows Server settings. You can con gure access permissions and
allow only required users to access logs, trace les, and dump les.

To con gure crash diagnostics settings in Kaspersky Security Center:

1. In the Kaspersky Security Center Administration Console, open the Application settings window.

2. Open the Malfunction diagnosis section and do the following:

If you want the application to write debug information to a le, select the Write debug information to trace
le check box.

In the eld below, specify the folder where Kaspersky Security for Windows Server will save trace les.

Con gure the level of detail of debug information .

Specify the maximum size of trace les.

127
 Specify the maximum number of les for one trace log.

Kaspersky Security for Windows Server will create up to the maximum number of trace les for each
component to be debugged.

Specify the components to be debugged. Component codes must be separated with a semicolon. The
codes are case sensitive (see the table below).

Kaspersky Security for Windows Server subsystem codes

Component Name of component

Code

* All components.

gui User interface subsystem, Kaspersky Security for Windows Server snap-in in Microsoft
Management Console.

ak_conn Subsystem for integrating Network Agent and Kaspersky Security Center.

bl Control process, implements Kaspersky Security for Windows Server control tasks.

wp Work process, handles anti-virus protection tasks.

blgate Kaspersky Security for Windows Server remote management process.

ods On-Demand Scan subsystem.

oas Real-Time File Protection subsystem.

qb Quarantine and Backup subsystem.

scandll Auxiliary module for virus scans.

core Subsystem for basic anti-virus functionality.

avscan Anti-virus processing subsystem.

avserv Subsystem for controlling the anti-virus kernel.

prague Subsystem for basic functionality.

updater Subsystem for updating databases and software modules.

snmp SNMP protocol support subsystem.

perfcount Performance counter subsystem.

The trace settings of the Kaspersky Security for Windows Server snap-in (gui) and the Administration Plug-in
for Kaspersky Security Center (ak_conn) are applied after these components are restarted. The trace settings
of the SNMP protocol support subsystem (snmp) are applied after the SNMP service is restarted. The trace
settings of the performance counter subsystem (perfcount) are applied after all processes that use
performance counters are restarted. Trace settings for other Kaspersky Security for Windows Server
subsystems are applied as soon as the crash diagnostics settings are saved.
By default, Kaspersky Security for Windows Server logs debug information for all Kaspersky Security for
Windows Server components.
The entry eld is available if the Write debug information to trace le check box is selected.

If you want the application to create a dump le, select the Create dump le check box.

In the eld below, specify the folder in which Kaspersky Security for Windows Server will save the dump
le.

128
 3. Click OK.

The con gured application settings are applied on the protected device.

Managing task schedules

You can con gure the start schedule for Kaspersky Security for Windows Server tasks, and con gure settings for
running tasks on a schedule.

Con guring the task start schedule settings

You can con gure the start schedule for local system and custom tasks in the Application Console. You cannot
con gure a start schedule for group tasks.

To con gure group task start schedule settings:

1. In the Kaspersky Security Center Administration Console tree, expand the Managed devices node.

2. Select the group that the protected device belongs to.

3. In the details pane, select the Tasks tab.

4. Open the Properties: <Task name> window in one of the following ways:

Double-click the name of the task.

Open the context menu of the task name and select the Properties item.

5. Select the Schedule section.

6. In the Schedule settings block, select the Run by schedule check box.

Fields with the schedule settings for the On-Demand Scan and Update tasks are unavailable if scheduled
start of these tasks is blocked by a Kaspersky Security Center policy.

7. Con gure schedule settings in accordance with your requirements. To do this, perform the following actions:

a. In the Frequency list, select one of the following values:

Hourly, if you want the task to run at intervals of a speci ed number of hours; specify the number of
hours in the Every <number> hour(s) eld.

Daily, if you want the task to run at intervals of a speci ed number of days; specify the number of days in
the Every <number> day(s) eld.

Weekly, if you want the task to run at intervals of a speci ed number of weeks; specify the number of
weeks in the Every <number> week(s) eld. Specify the days of the week on which the task will be
started (by default the task runs on Mondays).

At application launch, if you want the task to run every time Kaspersky Security for Windows Server
starts.
129
 After application database update, if you want the task to run after every update of the application
databases.

b. Specify the time for the rst task start in the Start time eld.

c. In the Start date eld, specify the date from which the schedule applies.

After you have speci ed the task start frequency, the time of the rst task start, and the date from
which the schedule applies, the estimated time for the next task start will appear in the top part of the
window in the Next start eld. The estimated time of the next task start will be updated and displayed
each time you open the Task settings window on the Schedule tab.

The Blocked by policy value is displayed in the Next start eld if the active policy settings of Kaspersky
Security Center prohibit start of scheduled system tasks.

8. Use the Advanced tab to con gure the following schedule settings in accordance with your requirements.

In the Task stop settings section:

a. Select the Duration check box and, in the elds to the right, enter the maximum number of hours and
minutes of task execution.

b. Select the Pause from check box and, in the elds to the right, enter the start and end values of a time
interval under 24 hours during which task execution will be paused.

In the Advanced settings section:

a. Select the Cancel schedule from check box and specify the date from which the schedule will cease to
apply.

b. Select the Run skipped tasks check box to enable the start of skipped tasks.

c. Select the Randomize the task start time within the interval of check box and specify a value in
minutes.

9. Click OK.

10. Click the Apply button to save the task start settings.

If you want to con gure application settings for a single task using Kaspersky Security Center, perform the
steps described in Section "Con guring local tasks in the Application settings window of the Kaspersky
Security Center".

Enabling and disabling scheduled tasks

You can enable and disable scheduled tasks either before or after con guring the schedule settings.

To enable or disable the task start schedule:

130
 1. In the Kaspersky Security Center Administration Console tree, expand the Managed devices node.

2. Select the group that the protected device belongs to.

3. In the details pane, select the Tasks tab.

4. Open the Properties: <Task name> window in one of the following ways:

Double-click the name of the task.

Open the context menu of the task name and select the Properties item.

5. Select the Schedule section.

6. Do one of the following:

Select the Run by schedule check box if you want to enable scheduled task start.

Clear the Run by schedule check box if you want to disable scheduled task start.

The con gured task start schedule settings are not deleted and will be applied at the next scheduled
start of the task.

7. Click OK.

8. Click the Apply button.

The con gured task start schedule settings are saved.

Reports in Kaspersky Security Center

Reports in Kaspersky Security Center contain information about the status of managed devices. Reports are
based on information stored on Administration Server.

Starting from Kaspersky Security Center 11, the following types of reports are available for Kaspersky Security for
Windows Server:

Report on the status of application components

Report on prohibited applications

Report on prohibited applications in test mode

See Kaspersky Security Center Help for detailed information about all Kaspersky Security Center reports and
how to con gure them.

Report on the status of Kaspersky Security for Windows Server components

You can monitor the protection status of all network devices and get a structured overview of the set of
components on each device.

131
The report displays one of the following states for each component: Running, Paused, Stopped, Malfunction, Not
installed, Starting.

The Not Installed status refers to the component, not the application itself. If the application is not installed
the Kaspersky Security Center assigns the N/A (Not available) status.

You can create component selections and use ltering to display network devices with a speci ed set of
components and state.

See Kaspersky Security Center Help for detailed information about creating and using selections.

To review the component statuses in the application settings:

1. Expand the Managed devices node in the Kaspersky Security Center Administration Console tree and select
the administration group for which you want to con gure application settings.

2. Select the Devices tab and open the Application settings window.

3. Select the Components section.

4. Review the status table.

To review a Kaspersky Security Center standard report:

1. Select the Administration Server <Administration Server name> node in the Administration Console tree.

2. Open the Reports tab.

3. Double-click the Report on the status of application components list item.

A report is generated.

4. Review the following report details:

A graphical diagram.

A summary table of components and aggregated numbers of network devices where each of the
components is installed, and groups they belong to.

A detailed table specifying the component status, version, device and group.

Reports on prohibited applications in active and test modes

Based on the results of the Applications Launch Control task, two types of reports can be generated: a report on
prohibited applications (if the task is started in Active mode) and a report on prohibited applications in test mode
(if the task is started in Statistics only mode). These reports display information about blocked applications on the
protected devices of the network. Each report is generated for all administration groups and accumulates data
from all the Kaspersky applications installed on the protected devices.

To review a report on prohibited applications in Statistics only mode:

1. Start the Applications Launch Control task in Statistics only mode.

132
 2. Select the Administration Server <Administration Server name> node in the Administration Console tree.

3. Open the Reports tab.

4. Double-click the Report on prohibited applications in test mode item.

A report is generated.

5. Review the following report details:

A graphical diagram that displays the top ten applications with the largest number of blocked starts.

A summary table of application blocks, specifying the executable le name, reason, time of blocking, and
number of devices where the blocking occurred.

A detailed table specifying data about the device, le path and criteria for blocking.

To review a report on prohibited applications in Active mode:

1. Start the Applications Launch Control task in Active mode.

2. Select the Administration Server <Administration Server name> node in the Administration Console tree.

3. Open the Reports tab.

4. Double-click the Report on prohibited applications item.

A report is generated.

This report consists of the same data about blocks as the report on prohibited applications in test mode.

133
Working with the Kaspersky Security for Windows Server Console
This section provides information about the Kaspersky Security for Windows Server Console and describes how
to manage the application using the Application Console installed on the protected device or another device.

About the Kaspersky Security for Windows Server Console

Kaspersky Security for Windows Server Console is an isolated snap-in added to the Microsoft Management
Console.

The application can be managed via the Application Console installed on the protected device or on another
device on the corporate network.

After the Application Console has been installed on another device, advanced con guration is required.

If the Application Console and Kaspersky Security for Windows Server are installed on di erent protected
devices assigned to di erent domains, limitations may be imposed on delivery of information from the
application to the Application Console. For example, after any application task starts, its status may remain
unchanged in the Application Console.

During installation of the Application Console the installation wizard creates the kavfs.msc le in the installation
folder and adds Kaspersky Security for Windows Server snap-in to the list of isolated Microsoft Windows snap-ins.

You can start the Application Console from the Start menu. The Kaspersky Security for Windows Server snap-in
msc- le can be run or added to the existing Microsoft Management Console as a new element in the tree.

Under a 64-bit version of Microsoft Windows, the Kaspersky Security for Windows Server snap-in can be
added only in the 32-bit version of Microsoft Management Console. To do so, open Microsoft Management
Console from the command line by executing the command: mmc.exe /32.

Multiple Kaspersky Security for Windows Server snap-ins can be added to one Microsoft Management Console
opened in author mode to use it to manage the protection of multiple devices on which Kaspersky Security for
Windows Server is installed.

Kaspersky Security for Windows Server Console interface

This section describes the primary elements of the application interface.

Kaspersky Security for Windows Server Console window

The Kaspersky Security for Windows Server Console is displayed in the Microsoft Management Console tree in
the form of a node with the name Kaspersky Security.

134
After a connection has been established to Kaspersky Security for Windows Server installed on a di erent
protected device, the name of the node is supplemented with the name of the protected device on which the
application is installed and the name of the user account under which the connection has been established:
Kaspersky Security <Protected device name> as <account name>. When connecting to Kaspersky Security for
Windows Server installed on the same protected device with the Application Console, the node name is
Kaspersky Security.

Console tree

The Application Console tree displays the Kaspersky Security node and the child nodes of functional
components of the application.

The Kaspersky Security node includes the following child nodes:

Real-Time Server Protection : manage real-time protection tasks and KSN services. The Real-Time Server
Protection node allows you to con gure the following tasks:

Real-Time File Protection

Script Monitoring

KSN Usage

Tra ic Security

Anti-Cryptor

Server Control: control launch of applications installed on a protected device, as well as external devices
connections. The Server Control node allows you to con gure the following tasks:

Applications Launch Control

Device Control

Firewall Management

Automated rule generators: con gure automatic generation of group and system rules for the Applications
Launch Control task and the Device Control task.

Rule Generator for Applications Launch Control

Rule Generator for Device Control

Rule generation group tasks <Task names> (if any)

Group tasks are created using Kaspersky Security Center. You cannot manage group tasks through the
Application Console.

System Inspection: con gure le operation control and Windows Event Log inspection settings.

File Integrity Monitor

Log Inspection

Network Attached Storage Protection: con gure network storage protection tasks.

135
 RPC Network Storage Protection

ICAP Network Storage Protection

Anti-Cryptor for NetApp

On-Demand Scan: manage On-Demand Scan tasks. There is a separate node for each task:

Scan at Operating System Startup

Critical Areas Scan

Quarantine Scan

Application Integrity Control

Baseline File Integrity Monitor

Custom tasks <Task names> (if any)

The node displays system tasks created when the application is installed, custom tasks, and group on-demand
scan tasks created and sent to a protected device using Kaspersky Security Center.

Update: manage updates for Kaspersky Security for Windows Server databases and modules and copies the
update to a local update source folder. The node contains child nodes for administering each update task and
the last Rollback of Application Database Update task:

Database Update

Software Modules Update

Copying Updates

Rollback of Application Database Update

The node displays all custom and group update tasks created and sent to a protected device using Kaspersky
Security Center.

Storages: Management of Quarantine, Backup and Blocked Hosts settings.

Quarantine

Backup

Blocked Host Storage

Logs and noti cations: manage local task logs, security log and Kaspersky Security for Windows Server
system audit log.

Security log

System audit log

Task logs

Licensing: add or delete Kaspersky Security for Windows Server license keys, view license details.

136
Details pane

The details pane displays information about the selected node. If the Kaspersky Security node is selected, the
details pane displays information about the current device protection status, information about Kaspersky
Security for Windows Server, the protection status of its functional components, and the license expiration date.

Context menu of the Kaspersky Security node

You can use the items of the context menu of the Kaspersky Security node to perform the following operations:

Connect to another computer. Connect to another device to manage Kaspersky Security for Windows Server
installed on it. You can also perform this operation by clicking the link in the lower right corner of the details
pane of the Kaspersky Security node.

Start the service / Stop the service. Start or stop the application or a selected task. To carry out these
operations, you can also use the buttons on the toolbar. You can also perform these operations in context
menus of application tasks.

Con gure removable drives scan settings. Con gure scanning of removable drives connected to the
protected device via the USB port.

Exploit Prevention: general settings. Con gure the Exploit Prevention mode and set up preventive actions.

Exploit Prevention: processes protection settings. Add processes for protection and select the exploit
prevention techniques.

Con gure Trusted Zone settings. View and con gure Trusted Zone settings.

Modify user rights of application management. View and con gure permissions to access Kaspersky Security
for Windows Server functions.

Modify user rights of Kaspersky Security Service management. View and con gure user rights to manage
the Kaspersky Security Service.

Hierarchical storage. Con gure the access method for the HSM system.

Export settings. Save the application settings in an XML con guration le. You can also perform this operation
in context menus of application tasks.

Import settings. Import application settings from an XML con guration le. You can also perform this
operation in context menus of application tasks.

Information about the application and available module updates. See information about Kaspersky Security
for Windows Server and currently available application modules updates.

Refresh. Refresh the contents of the Application Console window. You can also perform this operation in
context menus of application tasks.

Properties. View and con gure settings of Kaspersky Security for Windows Server or a selected task. You can
also perform this operation in context menus of application tasks.

To do so, you can also use the Application properties link in the details pane of the Kaspersky Security
node or use the button on the toolbar.

137
 Help. View information in Kaspersky Security for Windows Server Help. You can also perform this operation in
context menus of application tasks.

Toolbar and context menu of Kaspersky Security for Windows Server tasks

You can manage Kaspersky Security for Windows Server tasks using the items of context menus of each task in
the Application Console tree.

You can use the items of the context menu to perform the following operations:

Start / Stop. Start or stop task execution. To carry out these operations, you can also use the buttons on the
toolbar.

Resume / Pause. Resume or pause the task. To carry out these operations, you can also use the buttons on the
toolbar. This operation is available for Real-Time Server Protection tasks and On-Demand Scan tasks.

Add task. Create a new custom task. This operation is available for On-demand scan tasks.

Open log. View and manage a task log. This operation is available for all tasks.

Remove task. Delete a custom task. This operation is available for On-demand scan tasks.

Settings templates. Manage templates. This operation is available for Real-Time File Protection and On-
Demand Scan.

System Tray Icon in the noti cation area

Every time Kaspersky Security for Windows Server automatically starts after a protected device reboot, the
System Tray Icon is displayed in the toolbar noti cation area . It is displayed by default if the System Tray Icon
component was installed during application setup.

The appearance of the System Tray Icon re ects the current status of device protection. Two statuses are
possible:

active (colored icon) — if at least one of the following tasks is currently running: Real-Time File
Protection, Applications Launch Control

inactive (gray icon) — if none of the following tasks is currently running: Real-Time File Protection,
Applications Launch Control

You can open the context menu of the System Tray Icon by right-clicking it.

The context menu o ers several commands which can be used to display application windows (see the table
below).

Context menu commands displayed in the System Tray Icon

Command Description

Open the Opens Kaspersky Security for Windows Server Console (if installed).
Application
Console

Open Compact Open the Compact Diagnostic Interface.

Diagnostic
138
 Interface

About the Opens the About the application window containing information about Kaspersky
application Security for Windows Server.
For registered Kaspersky Security for Windows Server users, the About the
application window contains information about urgent updates that have been
installed.

Hide Hides the System Tray Icon in the toolbar noti cation area.

You can display the hidden System Tray Icon again at any time.

To display the System Tray Icon again,

in the Microsoft Windows Start menu, select All Programs > Kaspersky Security for Windows Server > System
Tray Icon.

The names of settings may vary depending on the installed operating system.

In the general settings of Kaspersky Security for Windows Server, you can enable or disable the display of the
System Tray Icon every time the application starts automatically following a protected device reboot.

Managing Kaspersky Security for Windows Server via the Application

Console on another device
You can manage Kaspersky Security for Windows Server via the Application Console installed on a remote device.

To manage the application using Kaspersky Security for Windows Server Console on a remote device, make sure
that:

The Application Console users on the remote device are added to the KAVWSEE Administrators group on the
protected device.

Network connections are allowed for the Kaspersky Security Management Service process (kavfsgt.exe) if
Windows Firewall is enabled on the protected device.

During installation of Kaspersky Security for Windows Server, the Allow remote access check box is selected in
the Installation Wizard window.

If Kaspersky Security for Windows Server on the remote device is password protected, enter the password to
get access for application management via the Application Console.

Con guring general application settings via the Application Console

General settings and malfunction diagnostics settings of Kaspersky Security for Windows Server establish the
general operating conditions for the application. These settings allow you to control the number of working
processes used by Kaspersky Security for Windows Server, enable recovery of Kaspersky Security for Windows
Server tasks after an abnormal termination, maintain the log, enable creation of dump les of Kaspersky Security
for Windows Server processes after abnormal termination, and con gure other general settings.

139
 Application settings cannot be con gured in the Application Console if the active Kaspersky Security Center
policy blocks changes to these settings.

To con gure Kaspersky Security for Windows Server settings:

1. In the Application Console tree, select the Kaspersky Security node and do one of the following:

Click the Application properties link in the details pane of the node.

Select Properties in the node's context menu.

The Application settings window opens.

2. In the window that opens, con gure Kaspersky Security for Windows Server general settings according to your
preferences:

The following settings can be con gured on the Scalability and interface tab:

In the Scalability settings section:

Maximum number of working processes that Kaspersky Security for Windows Server can run

Number of processes for Real-Time Server Protection

Number of working processes for background On-Demand Scan tasks

In the Interaction with user section select if the System Tray Icon will be displayed in the taskbar after each
application start.

The following settings can be con gured on the Security and reliability tab:

In the Reliability settings section, specify the number of attempts to recover an On-Demand Scan task
if it crashes.

In the Actions when switching to UPS backup power section, specify actions that Kaspersky Security for
Windows Server performs after switching to UPS power :

In the Password protection settings section, con gure the settings for password-protection of the
application's functions.

On the Connection settings tab:

In the Proxy server settings section, specify the proxy server settings.

In the Proxy server authentication settings section, specify the authentication type and details
required for authentication on the proxy server.

In the Licensing section, indicate whether Kaspersky Security Center will be used as a proxy-server for
application activation.

On the Malfunction diagnosis tab:

If you want the application to write debug information to a le, select the Write debug information to
trace le check box.

140
 In the eld below specify the folder in which Kaspersky Security for Windows Server will save trace
les.

Con gure the level of detail of debug information .

Specify the maximum size of trace les.

Specify the maximum number of les for one trace log. Kaspersky Security for Windows Server will
create up to the maximum number of trace les for each component to be debugged.

Specify the components to be debugged .

If you want the application to create a dump le, select the Create crash dump le check box.

In the eld below, specify the folder in which Kaspersky Security for Windows Server will save the
memory dump le.

Kaspersky Security for Windows Server does not send any trace or dump les automatically.
Diagnostics data can only be sent by a user with the corresponding permissions.

Kaspersky Security for Windows Server writes information to trace les and the dump les in
unencrypted form. The folder where les are saved is selected by the user and is managed by the
operating system con guration and Kaspersky Security for Windows Server settings. You can con gure
access permissions and allow only required users to access logs, trace les, and dump les.

3. Click OK.

Kaspersky Security for Windows Server settings are saved.

Managing Kaspersky Security for Windows Server tasks

This section contains information about Kaspersky Security for Windows Server tasks, and how to create them,
con gure task settings, and start and stop them.

Kaspersky Security for Windows Server task categories

Real-Time Server Protection, Server Control, On-Demand Scan, and Update functions in Kaspersky Security for
Windows Server are implemented as tasks.

You can manage tasks using the task's context menu in the Application Console tree, the toolbar, and the quick
access bar. You can view task status information in the details pane. Task management operations are recorded in
the system audit log.

There are two types of Kaspersky Security for Windows Server tasks: local and group.

Local tasks

141
Local tasks are executed only on the protected device for which they are created. Depending on the start method,
the following types of local tasks exist:

Local system tasks. Created automatically during installation of Kaspersky Security for Windows Server. You
can edit the settings of all system tasks, except for the Quarantine Scan and Rollback of Database Update
tasks. System tasks cannot be renamed or deleted. You can run system and custom On-Demand Scan tasks
simultaneously.

Local custom tasks. In the Application Console, you can create On-Demand Scan tasks. In Kaspersky Security
Center you can create On-Demand Scan, Database Update, Rollback of Database Update, and Copying
Updates tasks. Such tasks are called custom tasks. Custom tasks can be renamed, con gured, and deleted. You
can run several custom tasks simultaneously.

Group tasks

Group tasks and tasks for sets of protected devices created using Kaspersky Security Center are displayed in the
Application Console. Such tasks are called group tasks. Group tasks can be managed and con gured from the
Kaspersky Security Center. In the Application Console, you can only view the status of group tasks.

Starting / pausing / resuming / stopping tasks manually

You can pause and resume only Real-Time Server Protection and On-Demand Scan tasks.

To start / pause / resume / stop a task:

1. Open the context menu of the task in the Application Console.

2. Select one of the following: Start, Pause, Resume or Stop.

The operation is executed and recorded in the system audit log.

When an On-Demand Scan task is resumed, Kaspersky Security for Windows Server continues with the
object that was being scanned when the task was paused.

Managing task schedules

You can con gure the start schedule for Kaspersky Security for Windows Server tasks, and con gure settings for
running tasks on a schedule.

Con guring the task start schedule settings

You can con gure the start schedule for local system and custom tasks in the Application Console. You cannot
con gure the start schedule for group tasks.

To con gure task start schedule settings:

142
1. Open the context menu of the task for which you wish to con gure the start schedule.

2. Select Properties.
The Task settings window opens.

3. In the window that opens, on the Schedule tab, select the Run by schedule check box.

4. Con gure schedule settings in accordance with your requirements. To do this, perform the following actions:

a. In the Frequency drop-down menu, select one of the following values:

Hourly, if you want the task to run at intervals of a speci ed number of hours; specify the number of
hours in the Every <number> hour(s) eld.

Daily, if you want the task to run at intervals of a speci ed number of days; specify the number of days in
the Every <number> day(s) eld.

Weekly, if you want the task to run at intervals of a speci ed number of weeks; specify the number of
weeks in the Every <number> week(s) on eld. Specify the days of the week on which the task will be
started (by default the task runs on Mondays).

At application launch, if you want the task to run every time Kaspersky Security for Windows Server
starts.

After application database update, if you want the task to run after every update of the application
databases.

b. Specify the time for the rst task start in the Start time eld.

c. In the Start date eld, specify the date from which the schedule applies.

After you have speci ed the task start frequency, the time of the rst task start, and the date from
which the schedule applies, the estimated time for the next task start will appear in the top part of the
window in the Next start eld. The estimated time of the next task start will be updated and displayed
each time you open the Task settings window on the Schedule tab.

Blocked by policy is displayed in the Next start eld if Kaspersky Security Center policy settings
prohibit start of scheduled system tasks.

5. Use the Advanced tab to con gure the following schedule settings in accordance with your requirements.

In the Task stop settings section:

a. Select the Duration check box and, in the elds to the right, enter the maximum number of hours and
minutes of task execution.

b. Select the Pause from and, in the elds to the right, enter the start and end values of a time interval
under 24 hours during which task execution will be paused.

In the Advanced settings section:

a. Select the Cancel schedule from check box and specify the date from which the schedule will cease to
apply.

143
 b. Select the Run skipped tasks check box to enable the start of skipped tasks.

c. Select the Randomize the task start within interval of check box and specify a value in minutes.

6. Click OK.

The con gured task start settings will be saved.

Enabling and disabling scheduled tasks

You can enable and disable scheduled tasks either before or after con guring the schedule settings.

To enable or disable the task start schedule:

1. In the Application Console tree open the context menu on the name of the task for which you wish to con gure
the start schedule.

2. Select Properties.
The Task settings window opens.

3. In the window that opens, do one of the following on the Schedule tab:

Select the Run by schedule check box if you want to enable scheduled task start.

Clear the Run by schedule check box if you want to disable scheduled task start.

The con gured task start schedule settings are not deleted and will be applied at the next scheduled
start of the task.

4. Click OK.

The con gured task start schedule settings are saved.

Using user accounts to start tasks

You can start tasks under the system account or specify a di erent account.

About using accounts to start tasks

You can specify the account under which you want to run a selected task for the following functional components
of Kaspersky Security for Windows Server:

Rule Generator for Applications Launch Control and Rule Generator for Device Control tasks

On-Demand Scan task

Update tasks

144
By default, these tasks are run using system account permissions.

A di erent account with proper access permissions is recommended in the following cases:

In the Update task, if you speci ed a public folder on a di erent device on the network as the update source.

In the Update task, if a proxy server with built-in Windows NTLM authentication is used to access the update
source.

In On-Demand Scan tasks, if the system account does not possess permissions to access any of the scanned
objects (for example, access to les in shared folders on the protected device).

In the Rule Generator for Applications Launch Control task, if after completion of the task the generated rules
are exported to a con guration le located at a path that the system account cannot access (for example, in
one of the shared folders on the protected device).

You can run Update, On-Demand Scan, and Rule Generator tasks with system account permissions. During
execution of these tasks, Kaspersky Security for Windows Server accesses shared folders on another device
in the network if this device is registered in the same domain as the protected device. In this case, the system
account must possess access permissions for these folders. Kaspersky Security for Windows Server will
access the device using permissions of the account <domain name \ device_name>.

Specifying a user account to start a task

To specify an account to start a task:

1. In the Application Console tree, open the context menu of the task that you want to start using a speci c
account.

2. Select Properties.
The Task settings window opens.

3. In the window that opens, do the following on the Run as tab:

a. Select User name.

b. Enter the user name and password for the account you want to use.

The selected user must be registered on the protected device or in the same domain as this protected
device.

c. Con rm the password that has been entered.

4. Click OK.

The modi ed settings for running the task with the speci c user account are saved.

Importing and exporting settings

145
This section provides information about how to export Kaspersky Security for Windows Server settings or the
settings of speci c software components to an XML con guration le and how to import those settings from a
con guration le back into the application.

About importing and exporting settings

You can export Kaspersky Security for Windows Server settings to an XML con guration le and import settings
into Kaspersky Security for Windows Server from a con guration le. You can save all application settings or only
settings for individual components to a con guration le.

When you export all settings of Kaspersky Security for Windows Server to a le, the general application settings
and settings of the following Kaspersky Security for Windows Server components and functions are saved:

Real-Time File Protection

KSN Usage

Device Control

Applications Launch Control

Rule Generator for Device Control

Rule Generator for Applications Launch Control

On-Demand Scan tasks

Tra ic Security

Script Monitoring

ICAP Network Storage Protection

RPC Network Storage Protection

Anti-Cryptor for NetApp

File Integrity Monitor

Log Inspector

Kaspersky Security for Windows Server database and software module updates

Quarantine

Backup

Logs

Administrator and user noti cations

Trusted Zone

146
 Exploit Prevention

Blocked Hosts storage

Password protection

You can also save the general Kaspersky Security for Windows Server settings and user account permissions in
the con guration le.

You cannot export group task settings.

Kaspersky Security for Windows Server exports all passwords used by the application, for example, account
credentials for running tasks or connecting to a proxy server. Exported passwords are saved in encrypted form in
the con guration le. You can import passwords using Kaspersky Security for Windows Server installed on this
protected device only if it has not been reinstalled or updated.

You cannot import previously saved passwords using Kaspersky Security for Windows Server installed on a
di erent protected device. After settings have been imported on another protected device, all passwords must be
entered manually.

If a Kaspersky Security Center policy is active at the time of export, the application exports the speci ed values
used by that policy.

Settings from a con guration le containing parameters for individual components of Kaspersky Security for
Windows Server (e.g., from a le created in Kaspersky Security for Windows Server installed with an incomplete
set of components) can be imported. After the settings are imported, only those Kaspersky Security for Windows
Server settings that were contained in the con guration le are changed. All other settings remain the same.

Settings of an active Kaspersky Security Center policy that have been blocked do not change when importing
the settings.

Exporting settings
To export settings to a con guration le:

1. In the Application Console tree, do one of the following:

In the context menu of the Kaspersky Security node, select Export settings to export all Kaspersky
Security for Windows Server settings.

In the context menu for the task whose settings you want to export, select Export settings to export the
settings of an individual functional component of the application.

To export the settings of the Trusted Zone component:

a. In the Application Console tree, open the context menu of the Kaspersky Security node.

b. Select Con gure Trusted Zone settings.

The Trusted Zone window opens.

c. Click the Export button.

The welcome window of the settings export wizard opens.
147
 2. Follow the instructions in the Settings Export Wizard: specify the name and path of the con guration le for
saving the settings.
System environment variables can be used when specifying the path; user environment variables are not
allowed.

If a Kaspersky Security Center policy is active at the time of export, the application exports the settings
used by that policy.

3. Click the Close button in the Export of application settings complete window.

The export settings are saved when the wizard closes.

Importing settings
To import settings from a saved con guration le:

1. In the Application Console tree, do one of the following:

In the context menu of the Kaspersky Security node, select Import settings to import all Kaspersky
Security for Windows Server settings.

In the context menu for the task whose settings you want to import, select Import settings to import the
settings of an individual functional component of the application.

To import the settings of the Trusted Zone component:

a. In the Application Console tree, open the context menu of the Kaspersky Security node.

b. Select Con gure Trusted Zone settings.

The Trusted Zone window opens.

c. Click the Import button.

The welcome window of the settings import wizard opens.

2. Follow the instructions in the Settings Import Wizard: specify the con guration le from which you want to
import settings.

After you have imported the general settings of Kaspersky Security for Windows Server or its functional
components on the protected device, you will not be able revert to the previous settings.

3. Click the Close button in the Application settings import completed window.
The imported settings are saved when the wizard closes.

4. In the toolbar of the Application Console, click the Refresh button.

The imported settings are displayed in the Application Console window.

148
 Kaspersky Security for Windows Server does not import passwords (account credentials for starting tasks or
connecting to the proxy server) from a le created on another protected device or on the same protected
device after Kaspersky Security for Windows Server has been re-installed or updated on it. After the import
operation is complete, passwords must be entered manually.

Using security settings templates

This section contains information about using security settings templates in Kaspersky Security for Windows
Server protection and scan tasks.

About security settings templates

You can manually con gure a node's security settings in the tree or in a list of the protected device's le resources,
and save the con gured setting values as a template. This template can then be used to con gure the security
settings of other nodes in Kaspersky Security for Windows Server protection and scan tasks.

Templates can be used to con gure the security settings of the following Kaspersky Security for Windows Server
tasks:

Real-Time File Protection

RPC Network Storage Protection

Scan at Operating System Startup

Critical Areas Scan

On-Demand Scan tasks

Security settings from a template applied to a parent node in the protected device's le resource tree are applied
to all child nodes. A parent node's template is not applied to child nodes in the following cases:

If the security settings of the child nodes were con gured separately.

If the child nodes are virtual. You must apply the template to each virtual node separately.

Creating a security settings template

To manually save the security settings of a node to a template:

1. In the Application Console tree, select the task to which you want to create a security settings template.

2. In the details pane of the selected task, click the Con gure protection scope or Con gure scan scope link.

3. In the tree or list of the protected device's network le resources, select the template that you want to view.

4. On the Security level tab click the Save as template button.

149
 The Template properties window opens.

5. In the Template name eld, enter the name of the template.

6. Enter additional template information in the Description eld.

7. Click OK.

The template with the set of security settings is saved.

Viewing security settings in a template

To view security settings in a template that you have created, perform the following steps:

1. In the Application Console tree, select the task for which you want to view the security settings template.

2. In the context menu of the selected task, select Settings templates.

The Templates window opens.

3. In the list of templates in the window that opens, select the template that you want to view.

4. Click the View button.

The <Template name> window opens. The General tab displays the template name and additional information
about the template; the Options tab lists security settings saved in the template.

Applying a security settings template

To apply security settings from a template to a selected node:

1. In the Application Console tree, select the task to which you want to apply a security settings template.

2. In the details pane of the selected task, click the Con gure protection scope or Con gure scan scope link.

3. In the tree or list of the protected device's network le resources, open the context menu of the node or item
to which you want to apply the template.

4. Select Apply template → <Template name>.

5. Click the Save button.

The security settings template is applied to the selected node in the protected device's le resource tree. The
Security level tab of the selected node now has the value Custom.

Security settings from a template applied to a parent node in the protected device's le resource tree are
applied to all child nodes.

150
 If the protection scope or scan scope of child nodes in the device's le resource tree was con gured
separately, the security settings from the template applied to the parent node are not automatically applied
to such child nodes.

To apply security settings from a template to all selected nodes:

1. In the Application Console tree, select the task to which you want to apply the security settings template.

2. In the details pane of the selected task, click the Con gure protection scope or Con gure scan scope link.

3. In the tree or list of the protected device's network le resources, select a parent node in order to apply the
template to the selected node and to all of its child nodes.

4. In the context menu, select Apply template → <Template name>.

5. Click the Save button.

The security settings template is applied to the parent and all child nodes in the protected device's le resource
tree. The Security level tab of the selected node now has the value Custom.

Deleting a security settings template

To delete a security settings template:

1. In the Application Console tree, select the task for which you no longer want to use a security settings
template for con guration.

2. In the context menu of the selected task, select Settings templates.

You can view settings templates for On-Demand Scan tasks from the details pane of the On-Demand
Scan parent node.

The Templates window opens.

3. In the list of templates in the window that opens, select the template that you want to delete.

4. Click the Remove button.

A window opens to con rm the deletion.

5. In the window that opens, click Yes.

The selected template is deleted.

If the security settings template was applied to protect or scan nodes in the device's le resource tree, the
con gured security settings for such nodes are preserved after the template is deleted.

151
Viewing the protection status and Kaspersky Security for Windows Server
information
To view information about the device protection status of Kaspersky Security for Windows Server,

select the Kaspersky Security node in the Application Console tree.

By default, information in the details pane of the Application Console is refreshed automatically:

Every 10 seconds in case of a local connection.

Every 15 seconds in case of a remote connection.

You can refresh the information manually.

To refresh information in the Kaspersky Security node manually,

select the Refresh command in the context menu of the Kaspersky Security node.

The following application information is displayed in the details pane of the Application Console:

Kaspersky Security Network Usage status.

Device protection status.

Information about database and application module updates.

Actual diagnostic data.

Data about protected device control tasks.

License information.

Status of integration with Kaspersky Security Center: details of the server with Kaspersky Security Center
installed and to which the application is connected; information about application tasks controlled by the active
policy.

Di erent colors are used to indicate the protection status:

Green. The task is being run in accordance with the con gured settings. Protection is active.

Yellow. The task was not started, has been paused, or has been stopped. Security may be threatened. We
recommend that you con gure and start the task.

Red. The task ended with an error or a security threat was detected while the task was running. We recommend
that you start the task or take measures to eliminate the detected security threat.

Some details in this block (for example, task names or the number of threats detected) are links that take you
to the node of the relevant task or open the task log.

152
The Kaspersky Security Network Usage section displays the current task status, for example, Running, Stopped
or Never performed. The indicator can take the following values:
Green – The KSN Usage task is running and URL status requests are being sent to KSN.

Yellow – One of the Statements is accepted, but the task is not running; or URL status requests are not being
sent to KSN.

Server protection

The Server protection section (see the table below) displays information about the device's current protection
status.

Information about the device protection status

Protection Information
section

Device The color of the panel with the section name re ects the status of tasks being performed in
protection the section. The indicator can take the following values:
status
Green – This color is displayed by default and signi es that the Real-Time File Protection
indicator
component is installed and the task is running.

Yellow – The Real-Time File Protection component is not installed, or the Critical Areas
Scan task has not been performed for a long time.

Red – The Real-Time File Protection task is not running.

Real-Time Task status – Current task status, for example, Running or Stopped.
File
Detected – Number of objects detected by Kaspersky Security for Windows Server. For
Protection
example, if Kaspersky Security for Windows Server detects one malware program in ve les,
the value in this eld increases by one. If the number of detected malware programs exceeds
0, the value is highlighted in red.

Critical Last scan date – Date and time of the last Critical Areas Scan for viruses and other computer
Areas security threats.
Scan
Never performed – An event that occurs when the Critical Areas Scan task has not been
performed in the last 30 days or longer (default value). You can change the threshold for
generating this event.

Tra ic Task status – Current task status, for example, Running or Stopped.
security
Outlook add-in – Installed or not installed.

Exploit Status – Current status of exploit prevention techniques, for example, Applied or Not Applied.
prevention
Prevention mode – One of two available modes, selected during con guration of process
memory protection: Terminate on exploit or Statistics only.
Processes protected – Total number of processes added to the protection scope and
handled in accordance with the selected mode.

Backed up Backup free space threshold exceeded – This event occurs when the amount of free space in
objects Backup is approaching the speci ed limit. Kaspersky Security for Windows Server continues
to move objects to Backup. In this case, the value in the Space used eld is highlighted in
yellow.
Maximum Backup size exceeded – This event occurs when the Backup size has reached the
speci ed limit. Kaspersky Security for Windows Server continues to move objects to Backup.
In this case, the value in the Space used eld is highlighted in red.
Backed up objects – Number of objects currently in Backup.
153
 Space used – Amount of Backup space used.

Update

The Update section (see the table below) displays information about how up-to-date the anti-virus databases and
application modules are.

Information about the status of Kaspersky Security for Windows Server databases and modules

Update section Information

Status indicator The color of the panel with the section name re ects the status of application
for databases databases and modules. The indicator can take the following values:
and software
Green – This color is displayed by default and signi es that application databases
modules
are up to date and that the last Database Update task was successful.

Yellow – Databases are out of date, or the last database update task failed.

Red – The Application databases are extremely out of date or Application

databases are corrupted event has occurred.

Database Update Database status – An evaluation of the Database Update task status.
and Software
It can take the following values:
Modules Update
Application database is up to date – Application databases were updated no
more than 7 days ago (default).

Application database is out of date – Application databases were updated

between 7 and 14 days ago (default).

Application database is extremely out of date – Application databases were

updated more than 14 days ago (default).
You can change the thresholds for generating the Application database is out of
date and Application database is extremely out of date events.
Database release date – Date and time of the release of the latest database
update. The date and time are speci ed in UTC format.
Status of the latest completed Database Update task – Date and time of the
latest database update. The date and time are speci ed according to the local time
of the protected device. The eld is red if the Failed event occurred.
Number of module updates available – Number of Kaspersky Security for
Windows Server module updates available to be downloaded and installed.
Number of module updates installed – Number of installed Kaspersky Security for
Windows Server module updates.

Control

The Control section (see the table below) displays information about the Applications Launch Control, Device
Control, Anti-Cryptor and Firewall Management tasks.

Information about protected device control status

Control Information
section

154
 Status The color of the panel with the section name re ects the status of tasks being performed
indicator for in the section. The indicator can take the following values:
protected
Green – This color is displayed by default and signi es that Applications Launch
device control
Control component is installed and the task is running in the Active mode.

Yellow – Applications Launch Control is running in Statistics only mode.

Red – The Applications Launch Control task is not running or has failed.

Applications Task status – Current task status, for example, Running or Stopped.
Launch Operation mode – One of the two available Applications Launch Control task modes:
Control
Active

Statistics only
Applications launches denied – Number of attempts to start applications blocked by
Kaspersky Security for Windows Server during the Applications Launch Control task. If
the number of blocked application launches exceeds 0, the eld is red.
Average processing time (ms) – Time taken by Kaspersky Security for Windows
Server to process an attempt to start applications on the protected device.

Device Task status – Current task status, for example, Running or Stopped.
control Operation mode – One of two available Device Control task modes:
Active

Statistics only
Devices blocked – Number of attempts to connect an external device that were
blocked by Kaspersky Security for Windows Server during the Device Control task. If
the number of blocked external devices exceeds 0, the eld is red.

Anti-Cryptor Task status – Current task status, for example, Running or Stopped.
Operation mode – One of the two available Anti-Cryptor task modes:
Active

Statistics only
Hosts blocked – Number of hosts that displayed malicious activity and were blocked
when attempting to connect to the protected device.

Firewall Task status – Current task status, for example, Running or Stopped.
Management Connection attempts blocked – Number of connections to a protected device that were
blocked by the speci ed rewall rules.

Diagnostics

The Diagnostics section (see the table below) displays information about the File Integrity Monitor and Log
Inspection tasks.

Information about System Inspection status

Diagnostics Information
section

155
 Diagnostics The color of the panel with the section name re ects the status of tasks being performed in
status the section. The indicator can take the following values:
indicator
Green – This color is displayed by default and signi es that one or both system inspection
components are installed and the tasks are running.

Yellow – Both components are installed, but one of the system inspection tasks is not
running; the Not running event occurred.

Red – One of the tasks failed.

File Task status – Current task status, for example, Running or Stopped.
Integrity
Non-sanctioned le operations – Number of changes to les within the monitoring scope.
Monitor
These changes may indicate that the security of a protected device has been breached.

Log Task status – Current task status, for example, Running or Stopped.
Inspection
Possible violations – Number of recorded violations based on data from the Windows Event
Log. This number is determined based on the speci ed task rules or using the heuristic
analyzer.

The Kaspersky Security for Windows Server licensing information is displayed in the row in the bottom left corner
of the details pane of the Kaspersky Security node.

You can con gure Kaspersky Security for Windows Server properties by following the Application properties link.

You can connect to a di erent protected device by following the Connect to another computer link.

To review detailed information about the Network Attached Storage Protection tab, see the Kaspersky
Security for Windows Server Implementation Guide for Network Storage Protection.

156
Working with the Web Plug-in from Web Console and Cloud Console
This section provides information about the Kaspersky Security for Windows Server Administration Plug-in and
describes how to manage the application installed on a protected device or on a group of protected devices.

Managing Kaspersky Security for Windows Server from Web Console and
Cloud Console
You can centrally manage several protected devices with Kaspersky Security for Windows Server installed and
included in an administration group by means of the Kaspersky Security for Windows Server Web Plug-in.
Kaspersky Security Center Web Console and Kaspersky Security Center Cloud Console also let you separately
con gure the operation settings of each protected device included in the administration group.

An administration group is created manually on Kaspersky Security Center Web Console and includes several
devices with Kaspersky Security for Windows Server installed, for which you want to con gure the same control
and protection settings. For details on using administration groups, see the Kaspersky Security Center Help.

Application settings for a single protected device are unavailable if the operation of Kaspersky Security for
Windows Server on that protected device is controlled by an active Kaspersky Security Center policy.

Kaspersky Security for Windows Server can be managed from Kaspersky Security Center Web Console in the
following ways:

Using Kaspersky Security Center policies. Kaspersky Security Center policies can be used to remotely
con gure the same protection settings for a group of devices. Task settings speci ed in the active policy have
priority over task settings con gured locally in the Application Console or remotely in the device properties
window of Kaspersky Security Center Web Console.
You can use policies to con gure general application settings, Real-Time Server Protection task settings, Local
Activity Control tasks settings, Network Attached Storage Protection task settings, and scheduled system
task start settings.

Using Kaspersky Security Center group tasks. Kaspersky Security Center group tasks allow remote
con guration of common settings of tasks with an expiration period for a group of devices.

You can use group tasks to activate the application, con gure On-Demand Scan task settings, update task
settings, and Rule Generator for Applications Launch Control task settings.

Using tasks for a set of devices. Tasks for a set of devices allow remote con guration of common task
settings with a limited execution period for protected devices that do not belong to any one of an
administration groups.

Using the properties window of a single device. In the device properties window, you can remotely con gure
the task settings for a single protected device included in an administration group. You can con gure both
general application settings and settings of all Kaspersky Security for Windows Server tasks if the selected
protected device is not controlled by an active Kaspersky Security Center policy.

Kaspersky Security Center Web Console and Kaspersky Security Center Cloud Console make it possible to
con gure application settings and advanced features, and lets you work with logs and noti cations. You can
con gure these settings for a group of protected devices as well as for an individual protected devices.

157
Web Plug-in limitations
Kaspersky Security for Windows Server Web Plug-in has the following limitations compared to Kaspersky Security
for Windows Server Administration Plug-in:

To add users and/or user groups, you need to specify the security descriptor strings using the security
descriptor de nition language (SDDL).

Prede ned security level can not be changed for the Real-Time File Protection task.

Application Launch Control task rules can not be created using digital certi cate or Kaspersky Security Center
events.

Device Control task rules can not be generated based on connected devices or on system data.

Managing application settings

This section contains information about con guring Kaspersky Security for Windows Server general settings in
Kaspersky Security Center Web Console.

Con guring general application settings in Web Plug-in

You can con gure Kaspersky Security for Windows Server general settings in Web Plug-in for a group of
protected devices or for one protected devices.

Con guring scalability and interface in Web Plug-in

To con gure scalability settings and the application interface:

1. In the main window of Web Console, select Devices → Policies & pro les.

2. Click the policy name you want to con gure.

3. In the <Policy name> window that opens select the Application settings tab.

4. Select the Application settings section.

5. Click Settings in the Scalability, interface and scan settings subsection.

6. Con gure the settings described in the table below.

Scalability settings

Setting Description

Automatically
Kaspersky Security for Windows Server automatically controls the number of
detect scalability
processes used.
158
 settings This is the default value.

Set the number of Kaspersky Security for Windows Server controls the number of active working
working processes processes according to the values speci ed.
manually

Maximum number Maximum number of processes that Kaspersky Security for Windows Server uses.
of active The entry eld is available if the Set the number of working processes manually
processes option is selected.

Number of Maximum number of processes that are used by the Real-Time Server Protection
processes for real- task components. The entry eld is available if the Set the number of working
time protection processes manually option is selected.

Number of Maximum number of processes used by the On-Demand Scan component when
processes for running On-Demand Scan tasks in background mode. The entry eld is available if
background on- the Set the number of working processes manually option is selected.
demand scan tasks

Display System
Con gure whether the System Tray Icon will be displayed in the noti cation area
Tray Icon in the
taskbar

HSM system
Select the option for accessing the hierarchical storage
settings

Con guring security settings in Kaspersky Security Center Web Console

To con gure security settings manually, take the following steps:

1. In the main window of Web Console, select Devices → Policies & pro les.

2. Click the policy name you want to con gure.

3. In the <Policy name> window that opens select the Application settings tab.

4. Select the Application settings section.

5. Click Settings in the Security subsection.

6. Con gure the settings described in the table below.

Security settings

Setting Description

Perform task recovery

This check box enables or disables the recovery of Kaspersky Security for
Windows Server tasks when the application returns an error or terminates.
If the check box is selected, Kaspersky Security for Windows Server
automatically recovers Kaspersky Security for Windows Server tasks when
the application returns an error or terminates.
If the check box is cleared, Kaspersky Security for Windows Server does
not recover Kaspersky Security for Windows Server tasks when the
application returns an error or terminates.
The check box is selected by default.

Recover On-Demand Scan The number of attempts to recover an On-Demand Scan task after

159
 tasks no more than (times) Kaspersky Security for Windows Server returns an error. The entry eld is
in range 1 - 10 attempts available if the Perform task recovery check box is selected.

Do not start scheduled

This check box enables or disables the start of a scheduled scan task after
scan tasks
the protected device switches to a UPS source until the standard power
supply is restored.
If the check box is selected, Kaspersky Security for Windows Server does
not start scheduled scan tasks after the protected device switches to a
UPS source until the standard power supply is restored.
If the check box is cleared, Kaspersky Security for Windows Server starts
scheduled scan tasks regardless of the power supply.
The check box is selected by default.

Stop current scan tasks

The check box enables or disables the execution of running scan tasks
after the protected device switches to a UPS source.
If the check box is selected, Kaspersky Security for Windows Server
pauses running scan tasks after the protected device switches to a UPS
source.
If the check box is cleared, Kaspersky Security for Windows Server
continues running scan tasks after the protected device switches to a UPS
source.
The check box is selected by default.

Apply password
Set a password to protect access to Kaspersky Security for Windows
protection
Server functions.

Con guring connection settings in Web Plug-in

The con gured connection settings are used to connect Kaspersky Security for Windows Server to update and
activation servers and during integration of applications with KSN services.

To con gure the connection settings take the following steps:

1. In the main window of Web Console, select Devices → Policies & pro les.

2. Click the policy name you want to con gure.

3. In the <Policy name> window that opens select the Application settings tab.

4. Select the Application settings section.

5. Click Settings in the Scalability, interface and scan settings subsection.

6. Con gure the settings described in the table below.

Connection settings

Setting Description

Do not use proxy If this option is selected, Kaspersky Security for Windows Server connects to
server KSN services directly, without using any proxy server.

Use speci ed proxy If this option is selected, Kaspersky Security for Windows Server connects to
server settings KSN using proxy server settings speci ed manually.
160
 Do not use proxy
The check box enables or disables the use of a proxy server when accessing
server for local
devices located in the same network as the protected device with Kaspersky
addresses
Security for Windows Server installed.
If this check box is selected, devices are accessed directly from the network
that hosts the protected device with Kaspersky Security for Windows Server
installed. No proxy server is used.
If the check box is cleared, a proxy server is used to connect to local devices.
The check box is selected by default.

Proxy server Specify the authentication settings

authentication
settings

Do not use Authentication is not performed. This mode is selected by default.

authentication

Use NTLM Authentication is performed using the NTLM network authentication protocol
authentication developed by Microsoft.

Use NTLM Authentication is performed with a user name and password using the NTLM
authentication with network authentication protocol developed by Microsoft.
user name and
password

Apply user name and Authentication is performed using the user name and password.
password

Con guring scheduled start of local system tasks

You can use policies to allow or block start of the local system On-Demand Scan task and the Update task
according to the schedule con gured locally on each protected device in the administration group:

If the scheduled start of a speci c type of local system task is prohibited by a policy, these tasks will not be
performed on the protected device according to the schedule. You can start local system tasks manually.

If the scheduled start of a speci c type of local system task is allowed by a policy, these tasks will be performed
in accordance with the scheduled parameters con gured locally for this task.

By default, start of local system tasks is prohibited by policy.

We recommend that you do not allow local system tasks to start if updates or on-demand scans are
administered by Kaspersky Security Center group tasks.

If you do not use group update or on-demand scan tasks, allow local system tasks to be started in the policy:
Kaspersky Security for Windows Server will perform application database and module updates, and start all local
system on-demand scan tasks in accordance with the default schedule.

You can use policies to allow or block the scheduled start of the following local system tasks:

161
 On-Demand Scan tasks: Critical Areas Scan, Quarantine Scan, Scan at Operating System Startup, Application
Integrity Control, Baseline File Integrity Monitor.

Update tasks: Database Update, Software Modules Update, Copying Updates.

If the protected device is excluded from the administration group, the system tasks schedule will be enabled
automatically.

To allow or block the scheduled start of Kaspersky Security for Windows Server system tasks in a policy take the
following steps:

1. In the main window of Web Console, select Devices → Policies & pro les.

2. Click the policy name you want to con gure.

3. In the <Policy name> window that opens select the Application settings tab.

4. Select the Application settings section.

5. Click Settings in the Run system tasks subsection.

6. Con gure the settings described in the table below.

Scheduled launch of system tasks settings

Setting Description

Allow on-demand scan tasks Select or clear the check box to allow or disallow the scheduled launch
launch of on-demand scan tasks

Allow update tasks and Select or clear the check box to allow or disallow the scheduled launch
Copying Update task launch of update tasks and Copying Update task

Con guring Quarantine and Backup settings in Web Plug-in

To con gure general Quarantine and Backup settings in Kaspersky Security Center:

1. In the main window of Web Console, select Devices → Policies & pro les.

2. Click the policy name you want to con gure.

3. In the <Policy name> window that opens select the Application settings tab.

4. Select the Supplementary section.

5. Click Settings in the Storages subsection.

6. Con gure the settings described in the table below.

Quarantine and Backup settings

Setting Description

Backup folder Specify the backup folder

162
 Maximum Backup size
Set the maximum size of Backup
(MB)

Threshold value for Specify the minimum value of free space in the Backup folder
space available (MB)

Target folder for Specify a folder for restored objects

restoring objects

Quarantine folder Specify the backup folder

Maximum Quarantine
Set the maximum size of Backup
size (MB)

Threshold value for Specify the minimum value of free space in the Backup folder
space available (MB)

Target folder for Specify a folder for restored objects

restoring objects

Host blocking term Specify the number of days, hours and minutes after which blocked hosts
regain access to network le resources after being blocked

Creating and con guring policies

This section provides information on using Kaspersky Security Center policies for managing Kaspersky Security
for Windows Server on several protected devices.

Global Kaspersky Security Center policies can be created for managing protection on several device where
Kaspersky Security for Windows Server is installed.

A policy enforces the Kaspersky Security for Windows Server settings, functions and tasks speci ed in it on all the
protected devices for one administration group.

Several policies for one administration group can be created and enforced in turns. The policy currently active for a
group has active status in Administration Console.

Information on policy enforcement is logged in the Kaspersky Security for Windows Server system audit log. This
information can be viewed in the Application Console in the System audit log node.

Kaspersky Security Center o ers one way to apply policies on protected devices: Prohibit changing the settings.
After a policy has been applied, Kaspersky Security for Windows Server uses the values of settings for which you
have selected the icon in the policy properties on protected devices instead of the values of those settings in
e ect before the policy was applied. Kaspersky Security for Windows Server does not apply the values of active
policy settings for which the icon is selected in the policy properties.

If a policy is active, the values of settings marked with the icon in the policy are displayed in the Application
Console but cannot be edited. The values of other settings (marked with the icon in the policy) can be edited in
the Application Console.

The settings con gured in the active policy and marked with the icon also block changes in Kaspersky Security
Center for one protected device in the Properties: <Protected device name> window.

Settings that are speci ed and sent to the protected device using an active policy are saved in the local task
settings after the active policy is disabled.

163
If the policy de nes the settings for any Real-Time Server Protection task or Network Attached Storage
Protection task, and if such a task is currently running, then the settings de ned by the policy will be modi ed as
soon as the policy is applied. If the task is not running, the settings are applied when it starts.

Creating a policy
To create a policy:

1. In the main window of Web Console, select Devices → Policies & pro les.

2. Click the Add button.

3. The New policy window opens.

4. In the Select application section, select Kaspersky Security for Windows Server and click Next.

5. On the General tab, you can perform the following actions:

Change the policy name.

The policy name cannot contain the following symbols: " * < : > ? \ | .

Select the policy status:

Active. After the next synchronization, the policy will be used as the active policy on the computer.

Inactive. Backup policy. If necessary, an inactive policy can be switched to active status.

Out-of-o ice. The policy is activated when a computer leaves the organization network perimeter.

Con gure the inheritance of settings:

Inherit settings from parent policy. If this toggle button is switched on, the policy setting values are
inherited from the top-level policy. Policy settings cannot be edited if is set for the parent policy.

Force inheritance of settings in child policies. If the toggle button is on, the values of the policy
settings are propagated to the child policies. In the child policy settings the Inherit settings from parent
policy check box is automatically selected. Child policy settings are inherited from the parent policy,
except for the settings marked with . Child policy settings cannot be edited if is set for the parent
policy.

6. On the Application settings tab, con gure the policy settings as required.

7. Click the Save button.

The created policy appears in the list of policies on the Policies & pro les tab of the selected administration
group. In the <Policy name> window, you can con gure other settings, tasks and functions of Kaspersky Security
for Windows Server.

Kaspersky Security for Windows Server policy settings sections

164
General

In the General section, you can con gure the following policy settings:
Indicate the policy status.

Con gure the inheritance settings for parent and child policies.

Event con guration

In the Event con guration section, you can con gure settings for the following event categories:
Critical events

Functional failure

Warning

Informational message
You can use the Properties button to con gure the following settings for the selected events:

Indicate the storage location and retention period for information about logged events.

Indicate the noti cation method for logged events.

Application settings

Settings of the Application Settings section

Section Options

Scalability, In the Scalability, interface and scan settings subsection, you can click the Settings
interface and button to con gure the following settings:
scan settings
Choose whether to con gure scalability settings automatically or manually.

Con gure the application icon display settings.

Security In the Security subsection, you can click the Settings button to con gure the following
settings:
Con gure the task run settings.

Specify how the application should behave when the protected device is running on
UPS power.

Enable or disable password-protection of application functions.

Connections In the Connections subsection, you can use the Settings button to con gure the
following proxy server settings for connecting with update servers, activation servers,
and KSN:
Con gure the proxy server settings.

Specify the proxy server authentication settings.

165
 Run system In the Run system tasks subsection, you can use the Settings button to allow or block
tasks the start of the following system tasks according to a schedule con gured on
protected devices:
On-Demand Scan task.

Update tasks and Copying Update task.

Supplementary

Settings of the Supplementary section

Section Options

Trusted Zone Click the Settings button on the Trusted Zone subsection to con gure the
following Trusted Zone application settings:
Create a list of Trusted Zone exclusions.

Enable or disable scanning of le backup operations.

Create a list of trusted processes.

Removable Drives Scan In the Removable Drives Scan subsection, you can use the Settings button to
con gure scan settings for removable drives.

User access permissions In the User access permissions for application management subsection, you
for application can con gure user rights and user group rights to manage Kaspersky Security
management for Windows Server.

User access permissions In the User access permissions for Security Service management
for Security Service subsection, you can con gure user rights and user group rights to manage the
management Kaspersky Security Service.

Storages In the Storages subsection, click the Settings button to con gure the
following Quarantine, Backup and Blocked Hosts settings:
Specify the path to the folder where you want to place Quarantine or
Backup objects.

Con gure the maximum size of Backup and Quarantine and also specify the
free space threshold.

Specify the path to the folder where you want to place objects restored
from Quarantine or Backup.

Con gure transmission of information about Quarantine and Backup

objects to Administration Server.

Con gure how long hosts are blocked.

Real-time server protection

Settings of the Real-Time Server Protection section

Section Options

166
 Real-Time File In the Real-Time File Protection subsection, you can click the Settings button to
Protection con gure the following task settings:
Indicate the protection mode.

Con gure use of the Heuristic Analyzer.

Con gure use of the Trusted Zone.

Indicate the protection scope.

Set the security level for the selected protection scope: you can select a prede ned
security level or con gure the security settings manually.

Con gure the task start settings.

KSN Usage In the KSN Usage subsection, you can click the Settings button to con gure the following
task settings:
Indicate the actions to perform on KSN untrusted objects.

Con gure data transfer and usage of Kaspersky Security Center as a KSN proxy server.

Tra ic In the Tra ic Security subsection, you can click the Settings button to con gure the
Security following task settings:

Con gure the task mode.

Con gure the malware protection.

Enable mail threat protection, anti-phishing and URL processing.

Exploit In the Exploit Prevention subsection, you can click the Settings button to con gure the
Prevention following task settings:
Select the process memory protection mode.

Indicate the actions to reduce exploit risks.

Add to and edit the list of protected processes.

Script In the Script Monitoring subsection, click the Settings button to con gure the following
Monitoring task run settings:
Allow or block execution of probably dangerous scripts.

Con gure the use of Heuristic Analyzer.

Con gure application of the trusted zone.

Con gure the task run settings.

Local activity control

167
Settings of the Local Activity Control section

Section Options

Applications In the Applications Launch Control subsection, you can use the Settings button to
Launch Control con gure the following task settings:
Select the task operating mode.

Con gure settings for controlling subsequent application launches.

Indicate the scope of the Applications Launch Control rules.

Con gure use of KSN.

Con gure the task start settings.

Device control In the Device control subsection, you can click the Settings button to con gure the
following task settings:
Select the task operating mode.

Con gure the task start settings.

Network attached storage protection

Settings of Network Attached Storage Protection section

Section Options

Real-Time File In the Real-Time File Protection (RPC) subsection, you can click the Settings
Protection (RPC) button to con gure the following settings:
Heuristic analyzer usage.

Network attached storage connection settings.

Task protection scope.

Real-Time File In the Real-Time File Protection (ICAP) subsection, you can click the Settings
Protection (ICAP) button to con gure the following settings:
ICAP service connection settings.

Integration with other components.

Security level.

Anti-Cryptor for In the Anti-Cryptor for NetApp subsection, you can click the Settings button to
NetApp con gure the following settings:
Task mode.

Heuristic analyzer usage.

Connection and authentication settings.

Specify exclusions from the protection scope.

168
Network activity control

Settings of the Network activity control section

Section Options

Firewall In the Firewall Management subsection, you can click the Settings button to con gure
Management the following task settings:
Con gure rewall rules.

Con gure the task start settings.

Anti-Cryptor In the Anti-Cryptor subsection, you can click the Settings button to con gure the
following task settings:
Con gure the Anti-Cryptor protection scope.

Con gure the task start settings.

System Inspection

Settings of the System Inspection section

Section Options

File In the File Integrity Monitor subsection, you can con gure control over changes in les that
Integrity can signify a security breach on a protected device.
Monitor

Log In the Log Inspection section, you can con gure a protected device integrity monitoring
Inspection based on the results of an analysis of the Windows Event Log.

Logs and noti cations

Settings of the Logs and Noti cations section

Section Options

Task logs In the Task logs subsection, you can click the Settings button to con gure the following
settings:
Specify the importance level of the logged events for the selected software
components.

Specify the task log storage settings.

Specify the SIEM integration with Kaspersky Security Center settings.

Event In the Event noti cations subsection, you can click the Settings button to con gure the
noti cations following settings:
Specify the user noti cation settings for the Object detected, Untrusted mass
storage detected and restricted, and Host listed as untrusted events.

169
 Specify the administrator noti cation settings for any event selected in the event list
in the Noti cation settings section.

Interaction In the Interaction with Administration Server subsection, you can click the Settings
with button to select the types of objects that Kaspersky Security for Windows Server will
Administration report to Administration Server.
Server

To review the detailed information about Network Attached Storage Protection tasks, see the Kaspersky
Security for Windows Server Implementation Guide for Network Storages Protection.

Revision history

In the Revision history section, you can manage revisions: compare with the current revision or other policy, add
descriptions of revisions, save revisions to a le or perform a rollback.

Creating and con guring tasks using Kaspersky Security Center

This section contains information about Kaspersky Security for Windows Server tasks, and how to create them,
con gure task settings, and start and stop them.

About task creation in Web Plug-in

You can create group tasks for administration groups and sets of protected devices. You can create the following
types of tasks:

Activation of the Application

Copying Updates

Database Update

Software Modules Update

Rollback of Database Update

On-Demand Scan

Application Integrity Control

Baseline File Integrity Monitor

Rule Generator for Applications Launch Control

Rule Generator for Device Control

You can create local and group tasks in the following ways:

170
 for one protected device: in the Properties <Protected device name> window in the Tasks section.

for an administration group: in the details pane of the node of the selected group of protected devices on the
Tasks tab.

for a set of protected devices: in the details pane of the Device selections node.

You can use policies to disable schedules for update and On-Demand Scan local system tasks on all protected
devices in the same administration group.

General information on tasks in Kaspersky Security Center is provided in the Kaspersky Security Center Help.

Creating a task in Web Plug-in

To create a new task in the Kaspersky Security Center Administration Console:

1. Start the task wizard in one of the following ways:

To create a local task:

a. In the main window of Web Console, select Devices → Managed devices.

b. Click the Groups tab to select the administration group that the protected device belongs to.

c. Click the protected device name.

d. In the <Device name> window that opens select the Tasks tab.

e. Click Add.

To create a group task:

a. In the main window of Web Console, select Devices → Managed devices.

b. Click the Groups tab to select the administration group for which you want to create a task.

c. Click Add.

To create a task for a custom set of protected devices:

a. In the main window of Web Console, select Devices → Device selections.

b. Select the selection for which you want to create a task.

c. Click Start.

d. In the Selection results window, select the devices for which you want to create a task.

e. Click New task.

The task wizard window opens.

2. In the Application drop-down list select Kaspersky Security for Windows Server.
171
3. In the Task type drop-down list select the type of the task to be created.

4. If you selected any task type except Rollback of Database Update, Application Integrity Control or Activation
of the Application, the settings window opens. Depending on the task type, the settings may vary:

Create an On-Demand Scan task.

To create an update task, con gure task settings based on your requirements:

a. Select an update source in the Database update source section.

b. In the Connection settings window con gure the proxy server settings.

After creating a Software Modules Update task, con gure the required application module update settings
in the Software Modules Update window:

a. Select whether to copy and install critical software module updates, or only to check for their availability
without installation.

b. If Copy and install critical software modules updates is selected: a protected device restart may be
required to apply the installed software modules. If you wish Kaspersky Security for Windows Server to
restart the protected device automatically upon task completion, select the Allow operating system
restart check box.

c. To obtain information about Kaspersky Security for Windows Server module upgrades, select Receive
information about available scheduled software modules updates.
Kaspersky does not publish planned update packages on the update servers for automatic installation;
these can be downloaded manually from the Kaspersky website. An administrator noti cation about the
New scheduled software modules update is available event can be con gured. This will contain the
URL of our website from which scheduled updates can be downloaded.

To create the Copying Updates task, specify the set of updates and the destination folder in the Copying
Updates window.

To create the Activation of the Application task:

a. In the List of keys in Kaspersky Security Center storage window, specify the key le or activation code
that you want to use to activate the application.

b. Select the Use as additional key check box if you want to create a task for renewing the license.

Create and con gure the Rule Generator for Applications Launch Control task.

Create and con gure the Rule Generator for Device Control task.

5. Click Next.

6. If the task is being created for a set of protected devices, select the network (or group) of protected devices
on which this task will be executed.

7. Click Next.

8. In the Finishing creation window, select the Open task details when creation is complete check box if you
want con gure task settings.

9. Click the Finish button.

172
 The task created is displayed in the Tasks list.

Con guring group tasks in Web Plug-in

To con gure a group task for multiple protected devices:

1. In the main window of Web Console, select Devices → Tasks.

2. Click the task name in the list of Kaspersky Security Center tasks.
The <Task name> window opens.

3. Depending on the type of con gured task, do one of the following actions:

To con gure an On-Demand Scan task:

a. In the Scan scope section, con gure a scan scope.

b. In the Options section, con gure the task priority level and integration with other software components.

To con gure an update task, adjust the task settings based on your requirements:

a. In the Update sources section, con gure update source and proxy server settings.

b. In the Optimization section con gure disk subsystem optimization.

To con gure the Software Modules Update task, in the Advanced settings section, choose an action to
perform: copy and install critical updates of software modules or only check for them.

To con gure the Copying Updates task, specify the set of updates and the destination folder in the
Copying updates settings section.

To con gure the Activation of the Application task, apply the key le or activation code that you want to
use to activate the application. Select the Use as additional key check box if you want to add an activation
code or key le for renewing the license.

To con gure the automatic generation of allowing rules for Device Control, specify the settings that will be
used to create the list of allowing rules.

4. Con gure the task schedule in the Schedule section (you can con gure a schedule for all task types except
Rollback of Database Update).

5. On the Settings tab in the Account section, specify the account whose rights will be used to run the task. For
detailed information regarding con guring settings in this section, see the Kaspersky Security Center Help.

6. Click Save.

The newly con gured group task settings are saved.

Con guring Activation of the Application task in Web Plug-in

To con gure an Activation of the Application task:

173
 1. In the main window of Web Console, select Devices → Tasks.

2. Click the task name in the list of Kaspersky Security Center tasks.
The <Task name> window opens.

3. In the Common section, specify the key le that you want to use to activate the application. Select the Use as
additional key check box if you want to add a key to extend the license.

4. Con gure the task schedule in the Schedule section.

5. In the <Task name> window, click OK.

Con guring Update tasks in Web Plug-in

To con gure the Copying Updates, Database Update, or Software Modules Update tasks:

1. In the main window of Web Console, select Devices → Tasks.

2. Click the task name in the list of Kaspersky Security Center tasks.
The <Task name> window opens.

3. In the Update sources section, con gure update source settings:

In the Database update source section, specify Kaspersky Security Center Administration Server or
Kaspersky update servers as an application update source. You can also create a customized list of update
sources: by adding custom HTTP and FTP servers or network folders manually and setting them as update
sources.
You can specify the usage of Kaspersky update servers, if manually customized servers are not available.

To use an SMB-shared folder as an update source, you need to specify a user account to start a task.

When con guring an update task via the Cloud Console, only Distribution points and Kaspersky
update servers settings are available to specify the update source.

In the Connection settings section, con gure the use of a proxy server for connecting to Kaspersky update
servers and other servers.

4. In the Optimization section for the Database Update task, you can con gure the feature that reduces the
workload on the disk subsystem:

Disk I/O usage optimization

RAM used for optimization (400 - 9999 MB)

5. Con gure the task schedule in the Schedule section (you can con gure a schedule for all task types except
Rollback of Database Update).

6. In the <Task name> window, click OK.

174
Con guring crash diagnostics settings in Web Plug-in
If a problem occurs during operation of Kaspersky Security for Windows Server (for example, Kaspersky Security
for Windows Server crashes) and you want to diagnose it, you can enable the creation of trace les and a dump le
for the Kaspersky Security for Windows Server process and send these les for analysis to Kaspersky Technical
Support.

Kaspersky Security for Windows Server does not send any trace or dump les automatically. Diagnostic data
can only be sent by a user who has the required permissions.

Kaspersky Security for Windows Server writes information to trace les and the dump le in unencrypted
form. The folder where les are saved is selected by the user and managed by the operating system
con guration and Kaspersky Security for Windows Server settings. You can con gure access permissions and
allow only required users to access logs, trace les, and dump les.

To con gure crash diagnostics settings in Kaspersky Security Center:

1. In the Kaspersky Security Center Administration Console, open the Application settings window.

2. Open the Malfunction diagnosis section and do the following:

If you want the application to write debug information to a le, select the Write debug information to trace
le check box.

In the eld below, specify the folder where Kaspersky Security for Windows Server will save trace les.

Con gure the level of detail of debug information .

Specify the maximum size of trace les.

Specify the maximum number of les for one trace log.

Kaspersky Security for Windows Server will create up to the maximum number of trace les for each
component to be debugged.

Specify the components to be debugged. Component codes must be separated with a semicolon. The
codes are case sensitive (see the table below).

Kaspersky Security for Windows Server subsystem codes

Component Name of component

Code

* All components.

gui User interface subsystem, Kaspersky Security for Windows Server snap-in in Microsoft
Management Console.

ak_conn Subsystem for integrating Network Agent and Kaspersky Security Center.

bl Control process, implements Kaspersky Security for Windows Server control tasks.

wp Work process, handles anti-virus protection tasks.

175
 blgate Kaspersky Security for Windows Server remote management process.

ods On-Demand Scan subsystem.

oas Real-Time File Protection subsystem.

qb Quarantine and Backup subsystem.

scandll Auxiliary module for virus scans.

core Subsystem for basic anti-virus functionality.

avscan Anti-virus processing subsystem.

avserv Subsystem for controlling the anti-virus kernel.

prague Subsystem for basic functionality.

updater Subsystem for updating databases and software modules.

snmp SNMP protocol support subsystem.

perfcount Performance counter subsystem.

The trace settings of the Kaspersky Security for Windows Server snap-in (gui) and the Administration Plug-in
for Kaspersky Security Center (ak_conn) are applied after these components are restarted. The trace settings
of the SNMP protocol support subsystem (snmp) are applied after the SNMP service is restarted. The trace
settings of the performance counter subsystem (perfcount) are applied after all processes that use
performance counters are restarted. Trace settings for other Kaspersky Security for Windows Server
subsystems are applied as soon as the crash diagnostics settings are saved.
By default, Kaspersky Security for Windows Server logs debug information for all Kaspersky Security for
Windows Server components.
The entry eld is available if the Write debug information to trace le check box is selected.

If you want the application to create a dump le, select the Create dump le check box.

In the eld below, specify the folder in which Kaspersky Security for Windows Server will save the dump
le.

3. Click OK.

The con gured application settings are applied on the protected device.

Managing task schedules

You can con gure the start schedule for Kaspersky Security for Windows Server tasks, and con gure settings for
running tasks on a schedule.

Con guring the task start schedule settings

You can con gure the start schedule for local system and custom tasks in the Application Console. You cannot
con gure a start schedule for group tasks.

To con gure group task start schedule settings:

1. In the main window of Web Console, select Devices → Tasks.

176
2. Click the task name in the list of Kaspersky Security Center tasks.
The <Task name> window opens.

3. Select the Application settings section.

4. In the Schedule section, select the Run by schedule check box.

Fields with the schedule settings for the On-Demand Scan and Update tasks are unavailable if scheduled
start of these tasks is blocked by a Kaspersky Security Center policy.

5. Con gure schedule settings in accordance with your requirements. To do this, perform the following actions:

a. In the Frequency list, select one of the following values:

Hourly, if you want the task to run at intervals of a speci ed number of hours; specify the number of
hours in the Every <number> hour(s) eld.

Daily, if you want the task to run at intervals of a speci ed number of days; specify the number of days in
the Every <number> day(s) eld.

Weekly, if you want the task to run at intervals of a speci ed number of weeks; specify the number of
weeks in the Every <number> week(s) eld. Specify the days of the week on which the task will be
started (by default the task runs on Mondays).

At application launch, if you want the task to run every time Kaspersky Security for Windows Server
starts.

After application database update, if you want the task to run after every update of the application
databases.

b. Specify the time for the rst task start in the Start time eld.

c. In the Start date eld, specify the date from which the schedule applies.

6. In the Task stop settings section:

a. Select the Duration check box and, in the elds to the right, enter the maximum number of hours and
minutes of task execution.

b. Select the Pause task check box and, in the elds to the right, enter the start and end values of a time
interval under 24 hours during which task execution will be paused.

7. In the Advanced schedule settings section:

a. Select the Cancel schedule check box and specify the date from which the schedule will cease to apply.

b. Select the Run skipped tasks check box to enable the start of skipped tasks.

c. Select the Randomize the task start time within the interval check box and specify a value in minutes.

8. Click the Save button to save the task start settings.

177
Enabling and disabling scheduled tasks
You can enable and disable scheduled tasks either before or after con guring the schedule settings.

To enable or disable the task start schedule:

1. In the main window of Web Console, select Devices → Tasks.

2. Click the task name in the list of Kaspersky Security Center tasks.
The <Task name> window opens.

3. Select the Application settings section.

4. Select the Schedule section.

5. Do one of the following:

Select the Run by schedule check box if you want to enable scheduled task start.

Clear the Run by schedule check box if you want to disable scheduled task start.

The con gured task start schedule settings are not deleted and will be applied at the next scheduled
start of the task.

6. Click the Save button.

The con gured task start schedule settings are saved.

Reports in Kaspersky Security Center

Reports in Kaspersky Security Center contain information about the status of managed devices. Reports are
based on information stored on Administration Server.

Starting from Kaspersky Security Center 11, the following types of reports are available for Kaspersky Security for
Windows Server:

Report on the status of application components

Report on prohibited applications

Report on prohibited applications in test mode

See Kaspersky Security Center Help for detailed information about all Kaspersky Security Center reports and
how to con gure them.

Report on the status of Kaspersky Security for Windows Server components

178
You can monitor the protection status of all network devices and get a structured overview of the set of
components on each device.

The report displays one of the following states for each component: Running, Paused, Stopped, Malfunction, Not
installed, Starting.

The Not Installed status refers to the component, not the application itself. If the application is not installed
the Kaspersky Security Center Web Console assigns the N/A (Not available) status.

You can create component selections and use ltering to display network devices with a speci ed set of
components and state.

See Kaspersky Security Center Help for detailed information about creating and using selections.

To review the component statuses in the application settings:

1. In the main window of Web Console, select Devices → Managed devices.

2. Click the protected device name.

3. On the General tab, select the Components section.

4. Review the status table.

Information about the Exploit Prevention component status is not available in this status table.

To review a Kaspersky Security Center Web Console standard report:

1. Select the Monitoring and Reporting → Reports.

2. Select the Report on the status of application components list item and click Show report button.
A report is generated.

3. Review the following report details:

A graphical diagram.

A summary table of components and aggregated numbers of network devices where each of the
components is installed, and groups they belong to.

A detailed table specifying the component status, version, device and group.

Reports on prohibited applications in active and test modes

Based on the results of the Applications Launch Control task, two types of reports can be generated: a report on
prohibited applications (if the task is started in Active mode) and a report on prohibited applications in test mode
(if the task is started in Statistics only mode). These reports display information about blocked applications on the
protected devices of the network. Each report is generated for all administration groups and accumulates data
from all the Kaspersky applications installed on the protected devices.

179
To review a report on prohibited applications in Statistics only mode:

1. Start the Applications Launch Control task in Statistics only mode.

2. Select the Monitoring and Reporting → Reports.

3. Select the Report on prohibited applications in test mode list item and click Show report button.
A report is generated.

4. Review the following report details:

A graphical diagram that displays the top ten applications with the largest number of blocked starts.

A summary table of application blocks, specifying the executable le name, reason, time of blocking, and
number of devices where the blocking occurred.

A detailed table specifying data about the device, le path and criteria for blocking.

To review a report on prohibited applications in Active mode:

1. Start the Applications Launch Control task in Active mode.

2. Select the Monitoring and Reporting → Reports.

3. Select the Report on prohibited applications in test mode list item and click Show report button.
A report is generated.

This report consists of the same data about blocks as the report on prohibited applications in test mode.

180
Compact Diagnostic Interface
This section describes how to use the Compact Diagnostic Interface for reviewing protected device status or
current activity, and how to con gure writing of dump and trace les.

About the Compact Diagnostic Interface

The Compact Diagnostic Interface component (also referred to as the "CDI") is installed and uninstalled along with
the System Tray Icon component independently from the Application Console, and can be used when the
Application Console is not installed on the protected device. The CDI is started from the System Tray Icon or by
running kavfsmui.exe from the application folder on the protected device.

From the CDI window, you can do the following:

Review information about general application status.

Review security incidents that have occurred.

Review current activity on the protected device.

Start or stop writing dump and trace les.

Open the Application Console.

Open the About the application window with the list of installed updates and available patches.

The CDI is available even if access to Kaspersky Security for Windows Server functions is password-protected. No
password is required.

The CDI component cannot be con gured via Kaspersky Security Center.

Reviewing the Kaspersky Security for Windows Server status via the
Compact Diagnostic Interface
To open the Compact Diagnostic Interface window, perform the following actions:

1. Right-click the Kaspersky Security for Windows Server System Tray Icon in the toolbar noti cation area.

2. Select the Open Compact Diagnostic Interface option.

The Compact diagnostic interface window opens.

Review the current status of the key, Real-Time Server Protection tasks, and Update tasks on the Protection
status tab. Di erent colors are used to notify the user about the protection status (see the table below).

Compact Diagnostic Interface protection status.

Section Status

Real-time The panel is green for either of the following scenarios (if any of the conditions are

181
protection status met):
Recommended con guration:

The Real-Time File Protection task is started with the default settings.

The Applications Launch Control task is started in Active mode with the
default settings.

Acceptable con guration:

The Real-Time File Protection task is con gured by the user.

Applications Launch Control task settings are modi ed.

The panel is yellow if one or more of the following conditions are met:
The Real-Time File Protection task is paused (by the user or schedule).

The Applications Launch Control task is started in Statistics only mode.

Exploit Protection and Applications Launch Control are started in Statistics

only mode.

The panel is red if both of the following conditions are met:

The Real-Time File Protection component is not installed or the task is stopped
or paused.

The Applications Launch Control component is not installed or the task is

started in Statistics only mode.

Licensing The panel is green if the current license is valid.

A yellow panel signi es that one of the following events has occurred:
Checking the license status.

The license will expire in 14 days and no additional key or activation code has
been added.

The added key has been black-listed and is about to be blocked.

A red panel signi es that one of the following events has occurred:
Application not activated

License has expired

End User License Agreement has been violated

Key is blacklisted

Update The panel is green when Application databases are up-to-date.

The panel is yellow when Application databases are out of date.

The panel is red when Application databases are extremely out of date.
182
Reviewing security event statistics
The Statistics tab displays all security events. Each protection task statistic is displayed in a separate block
specifying the number of incidents and the date, and time when the last incident occurred. When an incident is
logged, the block color changes to red.

To review the statistics:

1. Right-click the Kaspersky Security for Windows Server System Tray Icon in the toolbar noti cation area.

2. Select the Open Compact Diagnostic Interface option.

The Compact diagnostic interface window opens.

3. Open the Statistics tab.

4. Review the security incidents for the protection tasks.

Reviewing current application activity

On this tab, you can review the status of current tasks and application processes, and promptly get noti cations
about critical events that occur.

Di erent colors are used to indicate the application activity status:

In the Tasks section:

Green. There are no conditions that would require yellow or red.

Yellow. Critical areas have not been scanned for a long time.

Red. At least one of the following conditions is true:

No tasks are started and a start schedule is not set up for any of the tasks.

Application launch errors are logged as critical events.

In the Kaspersky Security Network section:

Green. The KSN Usage task is started.

Yellow. The KSN Statement is accepted, but the task is not started.

To review the current application activity on the protected device:

1. Right-click the Kaspersky Security for Windows Server System Tray Icon in the toolbar noti cation area.

2. Select the Open Compact Diagnostic Interface option.

The Compact diagnostic interface window opens.

3. Open the Current application activity tab.

183
4. Review the following information in the Tasks section:

Critical areas not scanned for a long time

This eld is displayed only if the application returns a corresponding warning about critical area scans.

Running now

Execution failed

Next start de ned by a schedule

5. Review the following information in the Kaspersky Security Network section:

KSN is on. File reputation services are enabled or Protection is o .

KSN is on. File reputation services are enabled, application statistics is being sent to KSN .

The application sends information about malware, including fraudulent software, detected during
execution of the Real-Time File Protection task and the On-Demand Scan tasks, as well as debugging
information about errors during scanning.
The eld is displayed if the Send Kaspersky Security Network statistics check box is selected in the
KSN Usage task settings.

6. Review the following information in the Integration with Kaspersky Security Center section:

Local management is allowed.

Policy is applied: <Administration Server name>.

Con guring writing of dump and trace les

You can con gure the writing of dump and trace les via the CDI.

You can also con gure malfunction diagnostics via the Application Console.

To start writing dump and trace les, perform the following actions:

1. Right-click the Kaspersky Security for Windows Server System Tray Icon in the toolbar noti cation area.

2. Select the Open Compact Diagnostic Interface option.

The Compact diagnostic interface window opens.

3. Open the Troubleshooting tab.

4. Change the following trace settings if necessary:

a. Select the Write debug information to the trace le in this folder check box.

184
 b. Click the Browse button to specify the folder where Kaspersky Security for Windows Server will save trace
les.
Tracing will be enabled for all components with the default parameters using the Debug level of detail and
the default maximum log size of 50 MB.

5. Change the following dump- le settings if necessary:

a. Select the Create dump le on malfunction in this folder check box.

b. Click the Browse button to specify the folder where Kaspersky Security for Windows Server will save the
dump le.

6. Click the Apply button.

The new con guration will be applied.

185
Updating Kaspersky Security for Windows Server databases and software
modules
This section provides information about Kaspersky Security for Windows Server databases and software module
update tasks, copying updates and rolling back database updates of Kaspersky Security for Windows Server, as
well as instructions on how to con gure database and software module update tasks.

About Update tasks

Kaspersky Security for Windows Server provides four system update tasks: Database Update, Software Modules
Update, Copying Updates, and Rollback of Database Update.

By default, Kaspersky Security for Windows Server connects to the update source (one of Kaspersky's update
protected devices) every hour. You can con gure all Update tasks, except for the Rollback of Database Update
task. When task settings are modi ed, Kaspersky Security for Windows Server will apply the new values at the next
task start.

You are not allowed to pause and resume Update tasks.

Database Update

By default, Kaspersky Security for Windows Server copies databases from the update source to the device and
immediately starts using them in the running Real-Time Server Protection task. The On-Demand Scan tasks start
using the updated database at the next start.

By default, Kaspersky Security for Windows Server runs the Database Update task every hour.

Software Modules Update

By default, Kaspersky Security for Windows Server checks whether software module updates are available on the
update source. In order to start using installed software modules, a protected device restart and / or a restart of
Kaspersky Security for Windows Server is required.

By default, Kaspersky Security for Windows Server runs the Software Modules Update task on a weekly basis on
Fridays at 4:00 PM (according to the regional time settings of the protected device). During task execution, the
application checks for availability of important and scheduled updates of Kaspersky Security for Windows Server
modules without distributing them.

Copying Updates

By default, during task execution, Kaspersky Security for Windows Server downloads Database Update les and
saves them to the speci ed network or local folder without applying them.

The Copying Updates task is disabled by default.

Rollback of Database Update

186
During task execution, Kaspersky Security for Windows Server returns to using databases from previously installed
updates.

The Rollback of Database Update task is disabled by default.

About Software Modules Update

Kaspersky can issue update packages for Kaspersky Security for Windows Server modules. The update packages
can be urgent (or critical) or planned. Critical update packages repair vulnerabilities and errors; planned packages
add new features or enhance existing features.

Urgent (critical) update packages are uploaded to Kaspersky's update servers. Their automatic installation can be
con gured using the Software Modules Update task. By default, Kaspersky Security for Windows Server runs the
Software Modules Update task on a weekly basis on Fridays at 4:00 PM (according to the regional time settings of
the protected device).

Kaspersky does not publish planned update packages on its update servers for automatic update; these can be
downloaded from the Kaspersky website. The Software Modules Update task can be used to receive information
about the release of scheduled Kaspersky Security for Windows Server updates.

Critical updates can be retrieved from the Internet and applied to each protected device, or one protected device
can be used as an intermediary by copying all updates onto it and then distributing them to the network protected
devices. In order to copy and save updates without installing them, use the Copying Updates task.

Before updates of modules are installed, Kaspersky Security for Windows Server creates backup copies of the
previously installed modules. If the software module update process is interrupted or results in an error, Kaspersky
Security for Windows Server will automatically return to using the previously installed software modules. Software
modules can be rolled back manually to the previously installed updates.

During the installation of downloaded updates, the Kaspersky Security Service automatically stops and then
restarts.

About Databases Update

Kaspersky Security for Windows Server databases stored on the protected device quickly become outdated.
Kaspersky's virus analysts detect hundreds of new threats daily, create identifying records for them, and include
them in application database updates. Database updates are a le or set of les containing records that identify
threats discovered during the time since the last update was created. To maintain the required level of device
protection, we recommend that database updates are received regularly.

By default, if the Kaspersky Security for Windows Server databases are not updated within a week from the time
that the installed database updates were created, the Application database is out of date event occurs. If the
databases are not updated for a period of two weeks, the Application database is extremely out of date event
occurs. Information about the up-to-date status of the databases is displayed in the details pane of the
Kaspersky Security node of the Application Console tree. You can use Kaspersky Security for Windows Server
general settings to indicate a di erent number of days before these events occur. You can also con gure
administrator noti cations about these events.

Kaspersky Security for Windows Server downloads updates of application databases and modules from
Kaspersky's FTP or HTTP update servers, Kaspersky Security Center Administration Server, or other update
sources.

187
Updates can be downloaded to every protected device, or one protected device can be used as an intermediary
by copying all updates onto it and then distributing them to the protected devices. If you use Kaspersky Security
Center for centralized administration of device protection in an organization, you can use Kaspersky Security
Center Administration Server as an intermediary for downloading updates.

Database Update tasks can be started manually or based on a schedule. By default, Kaspersky Security for
Windows Server runs the Database Update task every hour.

If the update download process is interrupted or results in an error Kaspersky Security for Windows Server will
automatically switch back to using the databases from the last installed updates. If the Kaspersky Security for
Windows Server databases become corrupted, they can be manually rolled back to previously installed updates.

Schemes for updating anti-virus application databases and modules used

within an organization
Selection of an update source in update tasks depends on the scheme used for updating databases and program
modules in the organization.

Kaspersky Security for Windows Server databases and modules can be updated on the protected devices using
the following schemes:

Download updates directly from the Internet to each protected device (Scheme 1).

Download updates from the Internet to an intermediate device and distribute updates to protected devices
from that device.
Any device with the software listed below installed can serve as an intermediate device:

Kaspersky Security for Windows Server (Scheme 2).

Kaspersky Security Center Administration Server (Scheme 3).

Updating using an intermediate device not only reduces Internet tra ic, but also provides additional network
protected device security.

The update schemes listed are described below.

Scheme 1. Updating databases and modules directly from the Internet

To con gure Kaspersky Security for Windows Server updates directly from the Internet:

on each protected device in the settings of the Database Update task and the Software Modules Update task,
specify Kaspersky's update servers as the source of updates.

Other HTTP or FTP servers that have an update folder can be con gured as the update source.

Figure 1: Updating databases and modules directly from the Internet

188
Scheme 2. Updating databases and modules via one of the protected devices

To con gure Kaspersky Security for Windows Server updates via one of the protected devices:

1. Copy updates to the selected protected device. To do this, perform the following actions:

Con gure the Copying Updates task settings on the selected protected device:

a. Specify Kaspersky's update server as the update source.

b. Specify a shared folder to be used as the folder where updates are saved.

2. Distribute updates to other protected devices. To do this, perform the following actions:

On each protected device, con gure the settings for the Database Update task and the Software Modules
Update task (see the gure below):

a. For the update source, specify a folder on the intermediate device's drive to which updates will be
downloaded.

Kaspersky Security for Windows Server will obtain updates via one of the protected devices.

Figure 2: Updating databases and modules via one of the protected devices

Scheme 3. Updating databases and modules via Kaspersky Security Center Administration
Server

If Kaspersky Security Center is used for centralized administration of anti-virus device protection, updates can be
downloaded via the Kaspersky Security Center Administration Server installed in the local area network (see the
gure below).

189
 Figure 3: Updating databases and modules via Kaspersky Security Center Administration Server

To con gure Kaspersky Security for Windows Server updates via the Kaspersky Security Center Administration
Server:

1. Download updates from Kaspersky's update servers to Kaspersky Security Center Administration Server. To do
this, perform the following actions:

Con gure the Retrieve Updates by Administration Server task for the speci ed set of protected devices:

a. Specify Kaspersky's update servers as the update source.

2. Distribute updates to protected devices. To do so, perform one of the following actions:

On the Kaspersky Security Center con gure an Anti-Virus database (application module) update group task
to distribute updates to protected devices:

a. In the task schedule specify After Administration Server has retrieved updates as the start frequency.
Administration Server will start the task each time it receives updates (recommended method).

The After Administration Server has retrieved updates start frequency cannot be speci ed in the
Application Console.

On each protected device, con gure the Database Update task and the Software Modules Update task:

a. Specify the Kaspersky Security Center Administration Server as the update source.

b. Con gure the task schedule if necessary.

If Kaspersky Security for Windows Server anti-virus databases are rarely updated (from once a month
to once a year), the likelihood of detecting threats decreases and the frequency of false alarms raised
by application components increases.

Kaspersky Security for Windows Server will obtain updates via the Kaspersky Security Center Administration
Server.

190
If you plan to use Kaspersky Security Center Administration Server to distribute updates, install Network Agent (an
application component included in the Kaspersky Security Center distribution kit) on each of the protected
devices. This ensures interaction between the Administration Server and Kaspersky Security for Windows Server
on the protected device. Detailed information about Network Agent and its con guration using Kaspersky
Security Center is provided in the Kaspersky Security Center Help.

Con guring Update tasks

This section provides instructions on how to con gure Kaspersky Security for Windows Server update tasks.

Con guring settings for working with Kaspersky Security for Windows
Server update sources
For each update task except the Rollback of Database Update task, you can specify one or more update sources,
add user-de ned update sources, and con gure the settings for connecting to the speci ed sources.

After update task settings are modi ed, the new settings will not be immediately applied in running update
tasks. The con gured settings will be applied only when the task is restarted.

To specify the type of update source:

1. In the Application Console tree, expand the Update node.

2. Select the child node corresponding to the update task that you want to con gure.

3. Click the Properties link in the details pane of the selected node.
The Task settings window opens on the General tab.

4. In the Update source section, select the type of Kaspersky Security for Windows Server update source:

Kaspersky Security Center Administration Server

Kaspersky update servers

Custom HTTP or FTP servers, or network folders

5. If required, con gure the advanced settings for user-de ned update sources:

a. Click on the Custom HTTP or FTP servers, or network folders link.

1. In the Update servers window that opens, select or clear the check boxes next to user-de ned update
sources in order to start or stop using them.

2. Click OK.

b. In the Update source section on the General tab, select or clear the Use Kaspersky update servers if
speci ed servers are not available check box.

6. In the Task settings window, select the Connection settings tab to con gure the settings for connecting to
update sources:
191
 Clear or select the Use proxy server settings to connect to Kaspersky update servers check box.

Clear or select the Use proxy server settings to connect to other servers check box.

For information about con guring the optional proxy server settings and authentication settings for
accessing the proxy server, see Starting and con guring Kaspersky Security for Windows Server Database
Update task section.

7. Click OK.

The con gured settings for the Kaspersky Security for Windows Server update source will be saved and applied
at the next task start.

You can manage the list of user-de ned Kaspersky Security for Windows Server update sources.

To edit the list of user-de ned application update sources:

1. In the Application Console tree, expand the Update node.

2. Select the child node corresponding to the update task that you want to con gure.

3. Click the Properties link in the details pane of the selected node.
The Task settings window opens on the General tab.

4. Click on the Custom HTTP or FTP servers, or network folders link.

The Update servers window opens.

5. Do the following:

To add a new user-de ned update source, click Add and in the entry eld specify the address of the folder
containing update les on the FTP or HTTP server. Specify a local or network folder in the UNC (Universal
Naming Convention) format. Press ENTER.
By default, the added folder is used as the source of updates.

To disable use of a user-de ned source, clear the check box next to the source in the list.

To enable use of a user-de ned source, select the check box next to the source in the list.

In order to change the order in which Kaspersky Security for Windows Server accesses user-de ned update
sources, use the Move up and Move down buttons to move the selected source toward the beginning or
end of the list, depending on whether it is to be used before or after other sources.

To change the path to a user-de ned source, select the source in the list and click the Edit button, make the
required changes in the entry eld, and press the ENTER key.

To remove a user-de ned source, select it in the list and click the Remove button.

You cannot delete the only remaining user-de ned source from the list.

6. Click OK.

The changes in the list of user-de ned application update sources will be saved.
192
Optimizing disk I/O when running the Database Update task
When running the Database Update task, Kaspersky Security for Windows Server stores update les on the
protected device's local disk. You can lower the workload on the protected device's disk I/O subsystem by storing
update les on a virtual drive in RAM when running the update task.

This feature is available for Microsoft Windows 7 operating systems and higher.

When using this feature while running the Database Update task, an extra logical drive may appear in the
operating system. This logical drive will be removed from the operating system after the task is completed.

To lower the workload on your protected devices's disk I/O subsystem during the Database Update task:

1. In the Application Console tree, expand the Update node.

2. Select the Database Update child node.

3. Click the Properties link in the details pane of the Database Update node.
The Task settings window opens on the General tab.

4. In the Disk I/O usage optimization section, de ne the following settings:

Clear or select the Lower the load on the disk I/O check box.

In the RAM used for optimization, MB eld, specify the RAM volume (in MB). The operating system
temporarily allocates the speci ed RAM volume to store update les while running the task. The default
RAM size is 512 MB. The minimum RAM size is 400 MB.
When running the Database Update task with the disk subsystem optimization feature enabled, one of the
following may occur, depending on the amount of RAM allocated for the feature:

If the value is too small, the allocated amount of RAM might be insu icient to complete the database
update task (for example, during the rst update), which will lead to the completion of the task with an
error.
In this case, it is recommended to allocate more RAM for the disk subsystem optimization feature.

If the value is too large, at the start of the Database Update task, it might be impossible to create a
virtual drive of a selected size in RAM. As a result, the disk subsystem optimization feature automatically
disables, and the Database Update task runs without the optimization feature.
In this case, it is recommended to allocate less RAM for the disk subsystem optimization feature.

5. Click OK.

The con gured settings will be saved and applied at the next task start.

Con guring Copying Updates task settings

To con gure the Copying Updates task:

193
 1. In the Application Console tree, expand the Update node.

2. Select the Copying Updates child node.

3. Click the Properties link in the details pane of the Copying Updates node.
The Task settings window opens.

4. On the General and Connection settings tabs, con gure the settings for working with update sources.

5. On the General tab in the Copying updates settings section:

Specify the conditions for copying updates:

Copy database updates .

Copy critical software modules updates .

Copy database updates and critical software modules updates .

Specify the local or network folder to which Kaspersky Security for Windows Server will be distributing
downloaded updates.

6. On the Schedule and Advanced tabs con gure the task start schedule.

7. On the Run as tab, con gure the task to start using a speci c user account.

8. Click OK.

The con gured settings will be saved and applied at the next task start.

Con guring Software Modules Update task settings

To con gure the Software Modules Update task:

1. In the Application Console tree, expand the Update node.

2. Select the Software Modules Update child node.

3. Click the Properties link in the details pane of the Software Modules Update node.
The Task settings window opens.

4. On the General and Connection settings tabs, con gure the settings for working with update sources.

5. On the General tab in the Update settings section, con gure the settings for updating application modules:

Only check for available critical software modules updates

Copy and install critical software modules updates

Allow operating system restart

Receive information about available scheduled software modules updates

194
 6. On the Schedule and Advanced tabs, con gure the task start schedule. By default, Kaspersky Security for
Windows Server runs the Software Modules Update task on a weekly basis on Fridays at 4:00 PM (according to
the regional time settings of the protected device).

7. On the Run as tab, con gure the task to start using a speci c user account.

8. Click OK.

The con gured settings will be saved and applied at the next task start.

Kaspersky does not publish planned update packages on the update servers for automatic installation; these can
be downloaded manually from the Kaspersky website. You can con gure administrator noti cation about the New
critical and scheduled updates are available event; the noti cation will contain the URL of the web page where
scheduled updates can be downloaded.

Rolling back Kaspersky Security for Windows Server database updates

Before database updates are applied, Kaspersky Security for Windows Server creates backup copies of the
previously used databases. If an update is interrupted or results in an error, Kaspersky Security for Windows Server
will automatically return to using the previously installed databases.

If any problems arise after you have updated the databases, they can be rolled back to the previously installed
updates through the Rollback of Database Update task.

To start the Rollback of Database Update task:

click the Start link in the details pane of the Rollback of Application Database Update node.

Rolling back application module updates

The names of settings may vary under di erent Windows operating systems.

Before applying software module updates, Kaspersky Security for Windows Server creates backup copies of the
modules currently in use. If the module update process is interrupted or results in an error, Kaspersky Security for
Windows Server will automatically return to using modules from the latest installed updates.

In order to roll back software modules, use the Install and delete applications feature in Microsoft Windows.

Update task statistics

While the update task is running, you can view real-time information about the amount of data downloaded since
the task started, as well as other task execution statistics.

When the task is complete or stopped, you can view this information in the task log.

To view update task statistics:

1. In the Application Console tree, expand the Update node.

195
 2. Select the child node that corresponds to the task whose statistics you want to view.

Task statistics are displayed in the Statistics section of the details pane of the selected node.

If you are viewing the Database Update task or the Copying Updates task, the Statistics section shows the
volume of data downloaded by Kaspersky Security for Windows Server as of the present moment (Received
data).

If you are viewing the Software Modules Update task, you will see the information described in the table below.

Information about the Software Modules Update task

Field Description

Received data Total amount of downloaded data.

Available critical Number of critical updates available for installation.

updates

Available Number of planned updates available for installation.

scheduled
updates

Errors applying If the value of this eld is non-zero, the update was not applied. The name of the update
updates that resulted in an error can be viewed in the task log.

196
Isolating objects and copying backups
This section provides information about backing up detected malicious objects before they are disinfected or
removed, and information about quarantining probably infected objects.

Isolating probably infected objects. Quarantine

This section describes how to isolate probably infected objects by quarantining them and how to con gure
Quarantine settings.

About quarantining probably infected objects

Kaspersky Security for Windows Server quarantines probably infected objects by moving such objects from their
original location to the Quarantine folder. For security purposes, objects in the Quarantine folder are stored in
encrypted form.

Viewing quarantine objects

Quarantined objects can be viewed in the Quarantine node of the Application Console.

To view quarantined objects:

1. In the Application Console tree, expand the Storages node.

2. Select the Quarantine child node.

Information about quarantined objects is displayed in the details pane of the selected node.

To nd the desired object in the list of quarantined objects,

sort the objects or lter the objects.

Sorting quarantined objects

By default, objects in the list of quarantined objects are sorted by quarantine date in reverse chronological order.
To nd the desired object you may sort objects by the columns with object information. The sorted results will be
saved if you close and then re-open the Quarantine node, or if you close the Application Console, save the msc
le and then re-open it from this le.

To sort objects:

1. In the Application Console tree, expand the Storages node.

2. Select the Quarantine child node.

197
 3. In the details pane of the Quarantine node, select the column heading that you wish to use to sort the objects
in the list.

Objects in the list will be sorted based on the selected setting.

Filtering quarantined objects

To nd the desired quarantined object, you can lter objects in the list, i.e. display only those objects that satisfy
the ltering criteria ( lters) that you specify. The ltered results are saved if you close and then reopen the
Quarantine node or if you close the Application Console, save the msc le and then reopen it from this le.

To specify one or more lters:

1. In the Application Console tree, expand the Storages node.

2. Select the Quarantine child node.

3. Select Filter in the context menu of the node's name.

The Filter settings window opens.

4. To add a lter, perform the following steps:

a. In the Field name list, select the eld that will form the basis of the lter.

b. In the Operator list, select the ltering condition. The ltering conditions in the list may di er depending on
the value you selected in the Field name list.

c. Enter the lter value in the Field value eld or select it from the list.

d. Click the Add button.

The lter you have added will appear in the list of lters in the Filter settings window. Repeat steps a-d for each
lter you add. Use the following guidelines while working with lters:

To combine multiple lters using the logical operator "AND", select If all conditions are met.

To combine multiple lters using the logical operator "OR", select If any condition is met.

To delete a lter, select the lter you wish to delete in the lter list, and click the Remove button.

To edit a lter, select the lter in the list in the Filter settings window. Then change the required values in the
Field name, Operator or Field value elds and click the Replace button.

5. After all lters have been added, click the Apply button.

The created lters will be saved.

To return to displaying all quarantined objects,

select Remove lter in the context menu of the Quarantine node.

Quarantine Scan
198
By default, after each database update, Kaspersky Security for Windows Server performs the Quarantine Scan
local system task. The task settings are described in the table below. The Quarantine Scan task settings cannot be
modi ed.

You can con gure the task start schedule, start it manually, and modify the permissions of the account used to
start the task.

After scanning quarantined objects following a database update, Kaspersky Security for Windows Server may
reclassify some of them as not infected: the status of such objects is changed to False alarm. Other objects may
be reclassi ed as infected, in which case Kaspersky Security for Windows Server handles such objects as
speci ed by the Quarantine Scan task settings: disinfect, or delete if disinfection failed.

Quarantine Scan task settings

Quarantine Scan task Value

setting

Scan scope Quarantine folder

Security settings The same for the entire scan scope; their values are provided in the next
table

Scan settings in the Quarantine Scan task

Security setting Value

Scan objects All objects included in the scan scope

Performance Disabled

Action to perform on infected and other objects Disinfect, delete if disinfection is impossible

Action to perform on probably infected objects Skip

Exclude les No

Do not detect No

Stop scanning if it takes longer than (sec.) Not con gured

Do not scan objects larger than (MB) Not con gured

Scan alternate NTFS streams Enabled

Scan disk boot sectors and MBR Disabled

Use iChecker technology Disabled

Use iSwift technology Disabled

Scan compound objects Archives*

SFX archives*

Packed objects*

Embedded OLE objects*

* Scan only new and modi ed les is disabled.

Check Microsoft signature in les Not performed

Use heuristic analyzer Enabled with Deep analysis level

Trusted Zone Not applied

199
Restoring quarantined objects
Kaspersky Security for Windows Server places probably infected objects into the Quarantine folder in encrypted
form to shield the protected device against any possible harmful e ects.

You can restore any object from Quarantine. This may be required in the following cases:

After a Quarantine Scan using an updated database, the status of the object changes to False alarm or
Disinfected.

You consider the object harmless for the protected device and want to use it. If you do not want Kaspersky
Security for Windows Server to isolate the object during the subsequent scans, you can exclude the object
from processing in the Real-Time File Protection task and On-Demand Scan tasks. To do this, specify the
object in the Exclude les (by lename) or Do not detect security setting in those tasks, or add it to the
Trusted Zone.

When you restore objects you can select where the object being restored will be saved: the original location
(default), special folder for restored objects on the protected device, or custom folder on the protected device
where the Application Console is installed or on another device in the network.

You can specify the folder used for storing restored objects on the protected device. You can con gure special
security settings for it to be scanned. The path to this folder is set by the Quarantine settings.

Restoring objects from Quarantine may lead to protected device infection.

You can restore the object and save a copy of it in the Quarantine folder to use later, for example, to rescan the
object after the database has been updated.

If a quarantined object was contained in a compound object (for example, in an archive), Kaspersky Security
for Windows Server will not include the quarantined object into the compound object during the restoration,
rather the quarantined object will be saved separately into a selected folder.

You can restore one or more objects.

To restore quarantined objects, perform the following steps:

1. In the Application Console tree, expand the Storages node.

2. Select the Quarantine child node.

3. Perform one of the following actions in the details pane of the Quarantine node:

To restore one object, select Restore from the context menu of the object that you want to restore.

To restore multiple objects, select the objects you wish to restore using the CTRL or SHIFT key, right-click
one of the selected objects, and select Restore from the context menu.

The Restore object window opens.

4. In the Restore object window, specify the folder in which the object being restored will be saved for each
selected object.

200
 The name of the object is displayed in the Object eld in the upper part of the window. If you selected
several objects, the name of the rst object in the list of selected objects will be displayed.

5. Perform one of the following steps:

To restore an object to its original location, select Restore to the source folder.

To restore an object to the folder speci ed as the location for restored objects in the settings, select
Restore to the default folder for restoration.

To save an object to a di erent folder on the protected device where the Application Console is installed or
to a shared folder, select Restore to folder on your local computer and then select the required folder or
specify the path to it.

6. If you want to save a copy of the object in the Quarantine folder after the object is restored, clear the Remove
objects from storage after they are restored check box.

7. To apply the speci ed restoration conditions to the rest of the selected objects, check the Apply to all
selected objects box.
All selected objects are restored and saved in the speci ed location. If you selected Restore to the source
folder, each of the objects will be saved in its original location; if you selected Restore to the default folder for
restoration or Restore to folder on your local computer, all objects will then be saved in one speci ed folder.

8. Click OK.
Kaspersky Security for Windows Server will start restoring the rst of the selected objects.

9. If an object with this name already exists in the speci ed location, the Object with this name already exists
window opens.

a. Select one of the following Kaspersky Security for Windows Server actions:

Replace, to replace the existing object with the restored object.

Rename, to save the restored object under a di erent name. In the entry eld, enter the new restored
object's lename and full path.

Rename by adding su ix, to rename the restored object by adding a su ix to its lename. Enter the
su ix in the entry eld.

b. If you selected several objects to be restored, then select the Apply to all selected objects check box to
apply the selected action (Replace or Rename) to the rest of the selected objects. If you selected Rename,
the Apply to all selected objects check box will be unavailable.

c. Click OK.

The object will be restored. Information about the restoration operation will be recorded in the system audit log.
If you did not select Apply to all selected objects in the Restore object window, the Restore object window
may open again. Use this window to specify the location where the next selected object will be saved (see Step
4 of this procedure).

Moving objects to Quarantine

201
You can quarantine les manually.

To quarantine a le:

1. In the Application Console tree, open the context menu of the Quarantine node.

2. Select Add.

3. In the Open window, select the le on the disk that you wish to quarantine.

4. Click OK.

Kaspersky Security for Windows Server will quarantine the selected le.

Deleting objects from Quarantine

Based on the Quarantine Scan task settings, Kaspersky Security for Windows Server automatically deletes
objects from the Quarantine folder if their status changed to Infected during a Quarantine Scan with updated
databases and if Kaspersky Security for Windows Server failed to disinfect them. Kaspersky Security for Windows
Server does not remove other objects from Quarantine.

One or more objects can be deleted from Quarantine.

To delete one or more objects from Quarantine:

1. In the Application Console tree, expand the Storages node.

2. Select the Quarantine child node.

3. Perform one of the following steps:

To remove one object, select Remove in the context menu of the name of the object.

To delete multiple objects, select the objects that you want to delete using the Ctrl or Shift key, open the
context menu on any one of the selected objects, and select Remove.

4. In the con rmation window, click the Yes button to con rm the operation.

The selected objects will be removed from Quarantine.

Sending probably infected objects to Kaspersky for analysis

If the behavior of a le gives you a reason to suspect that it contains a threat, and Kaspersky Security for Windows
Server considers the le to be clean, you may have encountered an unknown threat whose signature has not yet
been added to the databases. You can send this le to Kaspersky for analysis. Kaspersky's Anti-Virus analysts will
analyze it and, if they detect a new threat, will add a record identifying it in the databases. When you rescan the
object after the database has been updated, it is likely that Kaspersky Security for Windows Server will identify the
object as infected and will be able to disinfect it. You will not only be able to keep the object, but will also prevent a
virus outbreak.

Only quarantined les can be sent for analysis. Quarantined les are stored in encrypted form and are not deleted
by the Anti-Virus application installed on the mail server when they are sent.

202
 A quarantined object cannot be sent to Kaspersky for analysis after the license expires.

To send a le for analysis to Kaspersky:

1. If the le was not quarantined, rst move it into Quarantine.

2. In the Quarantine node, open the context menu on the le you want to send for analysis and select Send
object for analysis in the context menu.

3. In the con rmation window that opens, click Yes if you are sure you want to send the selected object for
analysis.

4. If a mail client is con gured on the protected device on which the Application Console is installed, a new email
message is created. Review it and click the Send button.
The Receiver eld contains the Kaspersky email address [email protected]. The Subject eld will
contain the text "Quarantined object".
The body of the message will contain the following text: "This le will be sent to Kaspersky for analysis". Any
additional information about the le, why you considered it probably infected or dangerous, how it behaves, or
how it a ects the system, can be included in the body of the message.
An archive named <object name>.cab will be attached to the message. This archive will contain a <uuid>.klq le
with the object in encrypted form, a <uuid>.txt le with information about the object extracted by Kaspersky
Security for Windows Server, and a Sysinfo.txt le, which contains the following information about Kaspersky
Security for Windows Server and the operation system installed on the protected device:

Name and version of the operating system.

Name and version of Kaspersky Security for Windows Server.

Release date of the latest database update installed.

Active key.

This information is required by Kaspersky's anti-virus analysts to analyze your le faster and more e iciently.
However, if you do not wish to send this information, you can delete the Sysinfo.txt le from the archive.

If a mail client is not installed on the protected device with the Application Console, the application prompts you to
save the selected encrypted object to le. This le can be sent to Kaspersky manually.

To save an encrypted object to a le:

1. In the window that opens with a prompt to save the object, click OK.

2. Select a folder on the drive of the protected device or a network folder where the le containing the object will
be saved.

The object will be saved to a CAB le.

Con guring Quarantine settings

You can con gure Quarantine settings. New Quarantine settings are applied immediately after saving.

To con gure Quarantine settings:

203
 1. In the Application Console tree, expand the Storages node.

2. Open the context menu of the Quarantine child node.

3. Select Properties.

4. In the Quarantine Properties window, con gure the necessary Quarantine settings in accordance with your
requirements:

In the Quarantine settings section:

Quarantine folder

Maximum Quarantine size (MB)

Threshold value for space available (MB)

If the size of objects in Quarantine exceeds the maximum quarantine size or exceeds the available
space threshold, Kaspersky Security for Windows Server will notify you about this while continuing to
place objects in Quarantine.

In the Restoration settings section:

Target folder for restoring objects

5. Click OK.

The newly con gured Quarantine settings will be saved.

Quarantine statistics
You can view information about the number of quarantined objects, i.e. quarantine statistics.

To view quarantine statistics,

in the context menu of the Quarantine node in the Application Console tree, select Statistics.

The Quarantine statistics window displays information about the number of objects currently stored in
Quarantine (see the following table):

Field Description

Probably Number of objects found by Kaspersky Security for Windows Server to be probably
infected infected.
objects

Used Total amount of data in the Quarantine folder.

quarantine
space

False alarms The number of objects that received False alarm status because they were classi ed as
non-infected during a Quarantine Scan using updated databases.

Objects The number of objects that received Disinfected status after the Quarantine Scan.

204
 disinfected

Total number Total number of objects in Quarantine.

of objects

Making backup copies of objects. Backup

This section provides information about backup of detected malicious objects before disinfection or deletion, as
well as instructions for con guring Backup.

About backing up objects before disinfection or deletion

Kaspersky Security for Windows Server stores encrypted copies of objects classi ed as Infected in Backup before
disinfecting or deleting them.

If the object is a part of a compound object (for example, part of an archive), Kaspersky Security for Windows
Server will save the compound object in its entirety in Backup. For example, if Kaspersky Security for Windows
Server has detected that one of the objects from a mail database is infected, it will back up the entire mail
database.

Large objects placed in Backup by Kaspersky Security for Windows Server can slow down the system and
reduce available disk space on the hard drive.

Files can be restored from Backup either to their original folder or to a di erent folder on the protected device or
on another device in the local area network. A le can be restored from Backup, for example, if an infected le
contains important information, but Kaspersky Security for Windows Server is unable to disinfect it without
damaging its integrity and losing the information.

Restoring les from Backup may lead to protected device infection.

Viewing objects stored in Backup

Objects can be viewed in the Backup folder only by using the Application Console in the Backup node. They
cannot be viewed using Microsoft Windows le managers.

To view the objects in Backup,

1. In the Application Console tree, expand the Storages node.

2. Select the Backup child node.

Information about objects placed in Backup is displayed in the details pane of the selected node.

To nd the necessary object in the list of objects in Backup,

sort the objects or lter the objects.

205
Sorting les in Backup
By default, les in Backup are sorted by the backup date in reverse chronological order. To nd the desired le, you
can sort les according to the content of any column in the details pane.

The sorted results are saved if you close and then reopen the Backup node or if you close the Application
Console, save the msc le and then reopen it from this le.

To sort les in Backup:

1. In the Application Console tree, expand the Storages node.

2. Select the Backup child node.

3. In the list of les in Backup, select the column heading which you want to use to sort the objects.

Files in Backup will be sorted based on the selected criterion.

Filtering les in Backup

To nd the desired le in Backup you can lter les: display in the Backup node only those les which satisfy the
ltering criteria you have speci ed ( lters).

The sorting result will be saved if you close and then re-open the Backup node or if you close the Application
Console, save the msc le and then re-open it from this le.

To lter les in Backup:

1. In the Application Console tree, open the context menu of the Backup node and select Filter.
The Filter settings window opens.

2. To add a lter, perform the following steps:

a. In the Field name list, select the eld that will form the basis of the lter.

b. In the Operator list select the ltering condition. The ltering conditions in the list may di er depending on
the value you selected in the Field name eld.

c. Enter the lter value in the Field value eld or select a lter value.

d. Click the Add button.

The lter you added will appear in the list of lters in the Filter settings window. Repeat these steps for each
lter you add. The following guidelines can be used while working with lters:

To combine multiple lters using the logical operator "AND", select If all conditions are met.

To combine multiple lters using the logical operator "OR", select If any condition is met.

To delete a lter, select the lter you wish to delete in the lter list, and click the Remove button.

206
 To edit the lter, select it from the lter list in the Filter settings window, modify the required values in the
Field name, Operator or Field value elds and click the Replace button.

When all lters have been added, click the Apply button. Only les that match the lters you have speci ed will
be displayed in the list.

To display all les included in the list of objects stored in Backup,

select Remove lter in the context menu of the Backup node.

Restoring les from Backup

Kaspersky Security for Windows Server stores les in the Backup folder in encrypted form to shield the protected
device against possible harmful e ects.

Any le can be restored from Backup.

A le may need to be restored in the following cases:

The original infected le contained important information and Kaspersky Security for Windows Server failed to
keep its integrity so, as a result, the information in the le became unavailable.

You consider the le harmless to the protected device and want to use it. If you do not want Kaspersky
Security for Windows Server to consider this le infected or probably infected, during subsequent scans you
can exclude it from processing in the Real-Time File Protection task and On-Demand Scan tasks. To do this,
specify the le in the Exclude les setting or the Do not detect setting in the corresponding tasks.

Restoring les from Backup may lead to protected device infection.

When you restore a le you can select where it will be saved: the original location (default), the special folder for
restored objects on the protected device, or a custom folder on the protected device where the Application
Console is installed or another device in the network.

You can specify the folder for storing restored objects on the protected device. You can con gure special security
settings for it to be scanned. The path to this folder is speci ed by Backup settings.

By default when Kaspersky Security for Windows Server restores a le, it makes a copy of it in Backup. The le
copy can be deleted from Backup after it is restored.

To restore les from Backup:

1. In the Application Console tree, expand the Storages node.

2. Select the Backup child node.

3. Perform one of the following actions in the details pane of the Backup node:

To restore one object, select Restore from the context menu of the object that you want to restore.

To restore multiple objects, select the objects you wish to restore using the CTRL or SHIFT key, right-click
one of the selected objects, and select Restore from the context menu.

The Restore object window opens.

207
4. In the Restore object window, specify the folder in which the object being restored will be saved for each
selected object.

The name of the object is displayed in the Object eld in the upper part of the window. If you selected
several objects, the name of the rst object in the list of selected objects will be displayed.

5. Perform one of the following steps:

To restore an object to its original location, select Restore to the source folder.

To restore an object to the folder speci ed as the location for restored objects in the settings, select
Restore to the default folder for restoration.

To save an object to a di erent folder on the protected device where the Application Console is installed or
to a shared folder, select Restore to folder on your local computer and then select the required folder or
specify the path to it.

6. If you do not want to save a copy of the le in the Backup folder after it is restored, select the Remove objects
from storage after they are restored check box (by default, this check box is cleared).

7. To apply the speci ed restoration conditions to the rest of the selected objects, check the Apply to all
selected objects box.
All selected objects are restored and saved in the speci ed location. If you selected Restore to the source
folder, each of the objects will be saved in its original location; if you selected Restore to the default folder for
restoration or Restore to folder on your local computer, all objects will then be saved in one speci ed folder.

8. Click OK.
Kaspersky Security for Windows Server will start restoring the rst of the selected objects.

9. If an object with this name already exists in the speci ed location, the Object with this name already exists
window opens.

a. Select one of the following Kaspersky Security for Windows Server actions:

Replace, to replace the existing object with the restored object.

Rename, to save the restored object under a di erent name. In the entry eld, enter the new restored
object's lename and full path.

Rename by adding su ix, to rename the restored object by adding a su ix to its lename. Enter the
su ix in the entry eld.

b. If you selected several objects to be restored, then select the Apply to all selected objects check box to
apply the selected action (Replace or Rename) to the rest of the selected objects. If you selected Rename,
the Apply to all selected objects check box will be unavailable.

c. Click OK.

The object will be restored. Information about the restoration operation will be recorded in the system audit log.

If you did not select Apply to all selected objects in the Restore object window, the Restore object window may
open again. Use this window to specify the location where the next selected object will be saved (see Step 4 of
this procedure).

208
Deleting les from Backup
To delete one or more les from Backup:

1. In the Application Console tree, expand the Storages node.

2. Select the Backup child node.

3. Perform one of the following steps:

To remove one object, select Remove in the context menu of the name of the object.

To delete multiple objects, select the objects that you want to delete using the Ctrl or Shift key, open the
context menu on any one of the selected objects, and select Remove.

4. In the con rmation window, click the Yes button to con rm the operation.

The selected les will be deleted from Backup.

Con guring Backup settings

To con gure Backup settings:

1. In the Application Console tree, expand the Storages node.

2. Open the context menu of the Backup child node.

3. Select Properties.

4. In the Backup Properties window, con gure the necessary Backup settings in accordance with your
requirements:
In the Backup settings section:

Backup folder

Maximum Backup size (MB)

Threshold value for space available (MB)

If the size of objects in Backup exceeds the maximum Backup size or exceeds the available space
threshold, Kaspersky Security for Windows Server will notify you about this while continuing to place
objects in Backup.

In the Restoration settings section:

Target folder for restoring objects

5. Click OK.

The con gured Backup settings will be saved.

209
Backup statistics
You can view information about the current status of Backup, i.e. Backup statistics.

To view Backup statistics,

open the context menu on the Backup node in the Application Console tree and select Statistics. The Backup
statistics window opens.

The Backup statistics window displays information about the current Backup status (see the table below).

Information about the current Backup status

Field Description

Current Backup size Amount of data in the Backup folder; the application calculates the le size in
encrypted form

Total number of Current total number of objects in Backup

objects

Blocking access to network resources. Blocked Hosts

This section describes how to block remote devices and con gure the Blocked Hosts storage settings.

About the Blocked Hosts storage

The Blocked Hosts storage is installed by default if any of the following components is installed: Real-Time File
Protection, Network Threat Protection, Anti-Cryptor for NetApp, Anti-Cryptor. These components discover
remote hosts' attempts to encrypt, open or execute objects on the protected device or network attached storage
shared folders in accordance with the list of blocked hosts. Information about blocked hosts from all protected
devices is sent to the Kaspersky Security Center. Kaspersky Security for Windows Server blocks access to
protected device shared folders or network attached storage folders for all remote hosts in the list of blocked
hosts.

The Blocked Hosts storage is populated when at least one of the following tasks is started in active mode (under
speci ed conditions):

For the Real-Time File Protection task: malicious activity by a device accessing network le resources is
detected and in the Real-Time File Protection task settings the Block access to network shared resources for
the hosts that show malicious activity check box is selected.

For the Network Threat Protection task: activity typical of network attacks is detected.

For the Anti-Cryptor task: malicious encryption by a device accessing network le resources is detected.

For the Anti-Cryptor for NetApp task: an attack on the network attached storage is detected.

210
After malicious activity or an encryption attempt is detected, the task sends information about the attacking host
to the Blocked Hosts storage and the application creates a Warning event for the host blocking. Any attempts by
this host to access the protected shared network folders will be blocked.

If the locally unique identi er (LUID) of an attacking host is added to the list of blocked hosts, Kaspersky Security
for Windows Server determines the IP address of this host and adds it to the list of blocked hosts instead of the
LUID of the attacking host.

By default, Kaspersky Security for Windows Server removes blocked hosts from the list 30 minutes after they
were added to the list. Computers' access to network le resources is restored automatically after they are
deleted from the list of blocked hosts. You can specify the period of time after which blocked hosts are
automatically unblocked.

Note that when you restrict access to storage management for any user account, the Blocked Hosts storage
will still be available. The Blocked Hosts settings cannot be changed unless the selected user account has Edit
permission for managing Kaspersky Security for Windows Server.

Managing Blocked Hosts via the Administration Plug-in

In this section, learn how to con gure the Blocked Hosts storage settings via the Administration Plug-in interface.

Enabling hosts blocking

To add hosts showing any malicious or encrypting activity to the Blocked Host Storage storage and block access
to network le resources for those hosts, at least one of the following tasks must run in the active mode:

Real-Time File Protection

Network Threat Protection

Anti-Cryptor

Anti-Cryptor for NetApp

Con gure the Real-Time File Protection task:

1. Expand the Managed devices node in the Kaspersky Security Center Administration Console tree.

2. Select the administration group for which you want to con gure the task.

3. Select the Policies tab.

4. Double-click the policy name you want to con gure.

5. In the Properties: <Policy name> window that opens, select the Real-time server protection section.

6. Click the Settings button in the Real-Time File Protection subsection.

The Real-time le protection window opens.

211
 7. In the Integration with other components section, select the Block access to network shared resources for
the hosts that show malicious activity check box if you want Kaspersky Security for Windows Server to block
access to network le resources for hosts on which malicious activity is detected while the Real-Time File
Protection task is running.

8. If the task has not been started, open the Task management tab:

a. Select the Run by schedule check box.

b. Select the At application launch frequency in the drop-down list.

9. In the Real-time server protection window, click OK.

The newly con gured settings are saved.

Con gure the Network Threat Protection task:

1. Expand the Managed devices node in the Kaspersky Security Center Administration Console tree.

2. Select the administration group for which you want to con gure the task.

3. Select the Policies tab.

4. Double-click the policy name you want to con gure.

5. In the Properties: <Policy name> window that opens, select the section.

6. Click the Settings button in the Network Threat Protection subsection.

The Network Threat Protection window opens.

7. Open the General tab.

8. In the Processing mode section select the Block connections when attack is detected processing mode.

The check box enables or disables adding hosts showing activity typical of network attacks to the list of
blocked hosts.
If this mode is selected, Kaspersky Security for Windows Server scans inbound network tra ic for activity
that is typical of network attacks, logs events about detected activity, and adds IP addresses of hosts
showing activity typical of network attacks to the list of blocked hosts.
The mode is selected by default.
You can view the list of blocked hosts in the Blocked Hosts storage.

You can restore access to blocked hosts, and specify the number of days, hours and minutes after which
hosts regain access to network le resources after being blocked by con guring the Blocked Hosts
storage settings.

9. If the task has not been started, open the Task management tab:

a. Select the Run by schedule check box.

b. Select the At application launch frequency in the drop-down list.

10. In the window, click OK.

212
 The newly con gured settings are saved.

Con gure the Anti-Cryptor task:

1. Expand the Managed devices node in the Kaspersky Security Center Administration Console tree.

2. Select the administration group for which you want to con gure the task.

3. Select the Policies tab.

4. Double-click the policy name you want to con gure.

5. In the Properties: <Policy name> window that opens, select the Network activity control section.

6. Click the Settings button in the Anti-Cryptor subsection.

The Anti-Cryptor window opens.

7. If the task has not been started, open the Task management tab:

a. Select the Run by schedule check box.

b. Select the At application launch frequency in the drop-down list.

8. In the Anti-Cryptor window, click OK.

The newly con gured settings are saved.

Con gure the Anti-Cryptor for NetApp task:

1. Expand the Managed devices node in the Kaspersky Security Center Administration Console tree.

2. Select the administration group for which you want to con gure the task.

3. Select the Policies tab.

4. Double-click the policy name you want to con gure.

5. In the Properties: <Policy name> window that opens, select the Network attached storage protection
section.

6. Click the Settings button in the Anti-Cryptor for NetApp subsection.

The Anti-Cryptor for NetApp window opens.

7. If the task has not been started, open the Task management tab:

a. Select the Run by schedule check box.

b. Select the At application launch frequency in the drop-down list.

8. In the Anti-Cryptor for NetApp window, click OK.

Kaspersky Security for Windows Server blocks access to network le resources for the hosts showing malicious
or encrypting activity.

213
Con guring Blocked Hosts settings
To con gure the Blocked Hosts storage:

1. Expand the Managed devices node in the Kaspersky Security Center Administration Console tree.

2. Select the administration group for which you want to con gure application settings.

3. Perform one of the following actions in the details pane of the selected administration group:

To con gure application settings for a group of protected devices, select the Policies tab and open the
Properties: <Policy name> window.

To con gure the application for a single protected device, select the Devices tab and open the Application
settings window.

If an active Kaspersky Security Center policy is applied to a device and blocks changes to application
settings, then these settings cannot be edited in the Application settings window.

4. In the Supplementary section, click the Settings button in the Storages subsection.
The Storages settings window is displayed.

5. In the Host blocking term section of the Blocked host storage tab, specify the number of days, hours and
minutes after which blocked hosts regain access to network le resources after being blocked.

6. Click OK.

Managing Blocked Hosts via the Application Console

In this section, learn how to con gure the Blocked Hosts storage settings via the Application Console interface.

Enabling untrusted hosts blocking

To add hosts showing any malicious or encryption activity to the Blocked Host Storage storage and block access
to network le resources for those hosts, at least one of the following tasks must be running in active mode:

Real-Time File Protection

Network Threat Protection

Anti-Cryptor

Anti-Cryptor for NetApp

Con gure the Real-Time File Protection task:

214
 1. In the Application Console tree, expand the Real-Time Server Protection node.

2. Select the Real-Time File Protection child node.

3. Click the Properties link in the details pane.

The Task settings window opens.

4. In the Integration with other components section, select the Block access to network shared resources for
the hosts that show malicious activity check box if you want Kaspersky Security for Windows Server to block
hosts on which malicious activity is detected while the Real-Time File Protection task is running.

5. If the task has not been started, open the Schedule tab:

a. Select the Run by schedule check box.

b. Select the At application launch frequency in the drop-down list.

6. In the Task settings window, click OK.

The newly con gured settings are saved.

Con gure the Network Threat Protection task:

1. In the Application Console tree, expand the Real-time server protection node.

2. Select the Network Threat Protection child node.

3. Click the Properties link in the details pane of the Network Threat Protection node.

4. The Task settings window opens.

5. Open the General tab.

6. In the Processing mode section select the processing mode:

Block connections when attack is detected .

The check box enables or disables adding hosts showing activity typical of network attacks to the list
of blocked hosts.
If this mode is selected, Kaspersky Security for Windows Server scans inbound network tra ic for
activity that is typical of network attacks, logs events about detected activity, and adds IP addresses
of hosts showing activity typical of network attacks to the list of blocked hosts.
The mode is selected by default.
You can view the list of blocked hosts in the Blocked Hosts storage.

You can restore access to blocked hosts, and specify the number of days, hours and minutes after
which hosts regain access to network le resources after being blocked by con guring the Blocked
Hosts storage settings.

7. Select or clear the Don't stop tra ic analysis when the task is not running check box.

215
 If this check box is selected, when Network Threat Protection task is stopped, Kaspersky Security for
Windows Server scans inbound network tra ic for activity that is typical of network attacks and blocks
network activity from the attacking computer depending on the selected processing mode.
If this check box is cleared, when Network Threat Protection task is stopped, Kaspersky Security for
Windows Server doesn't scan inbound network tra ic for activity that is typical of network attacks and
doesn't block network activity from the attacking computer.
The check box is cleared by default.

8. If the task has not been started, open the Schedule tab:

a. Select the Run by schedule check box.

b. Select the At application launch frequency in the drop-down list.

9. In the Task settings window, click OK.

The newly con gured settings are saved.

Con gure the Anti-Cryptor task:

1. In the Application Console tree, expand the Server Control node.

2. Select the Anti-Cryptor child node.

3. Click the Properties link in the details pane.

The Task settings window opens.

4. In the General tab, make sure that the task is in Active mode.

5. If the task has not been started, open the Schedule tab:

a. Select the Run by schedule check box.

b. Select the At application launch frequency in the drop-down list.

6. In the Task settings window, click OK.

The newly con gured settings are saved.

Con gure the Anti-Cryptor for NetApp task:

1. In the Application Console tree, expand the Network Attached Storage Protection node.

2. Select the Anti-Cryptor for NetApp child node.

3. Click the Properties link in the details pane.

The Task settings window opens.

4. In the General tab, make sure that the task is in Active mode.

5. If the task has not been started, open the Schedule tab:

a. Select the Run by schedule check box.

216
 b. Select the At application launch frequency in the drop-down list.

6. In the Task settings window, click OK.

Kaspersky Security for Windows Server blocks access to network le resources for the hosts showing malicious or
encrypting activity.

Con guring Blocked Hosts settings

To con gure the Blocked Hosts storage:

1. In the Application Console tree, expand the Storages node.

2. Open the context menu of the Blocked Host Storage child node.

3. Select the Properties menu option.

The Blocked hosts storage settings window is displayed.

4. In the Host blocking term section, specify the number of days, hours and minutes after which blocked hosts
regain access to network le resources after being blocked.

5. Click OK.

6. To restore access for all blocked hosts:

a. Open the context menu of the Blocked Host Storage child node.

b. Select the Unblock all option.

All hosts will be removed from the list and unblocked.

7. To remove several hosts from the list of blocked hosts:

a. In the list of blocked hosts, which is displayed in the details pane, select one or more hosts.

b. Open the context menu of the Blocked Host Storage child node.

c. Select the Unblock selected option.

The selected hosts are unblocked.

Managing Blocked Hosts via the Web Plug-in

In this section, learn how to con gure the Blocked Hosts storage settings via the Web Plug-in interface.

Enabling hosts blocking

To add hosts showing any malicious or encrypting activity to the Blocked Host Storage storage and block access
to network le resources for those hosts, at least one of the following tasks must run in the active mode:

217
 Real-Time File Protection

Network Threat Protection

Anti-Cryptor

Anti-Cryptor for NetApp

Con gure the Real-Time File Protection task:

1. In the main window of Web Console, select Devices → Policies & pro les.

2. Click the policy name you want to con gure.

3. In the <Policy name> window that opens select the Application settings tab.

4. Select the Real-time server protection section.

5. Click Settings in the Real-Time File Protection subsection.

6. In the Integration with other components section, select the Block access to network shared resources for
the hosts that show malicious activity check box if you want Kaspersky Security for Windows Server to block
access to network le resources for hosts on which malicious activity is detected while the Real-Time File
Protection task is running.

7. If the task has not been started, open the Task management tab:

a. Select the Run by schedule check box.

b. Select the At application launch frequency in the drop-down list.

8. Click Save.

The newly con gured settings are saved.

Con gure the Anti-Cryptor task:

1. In the main window of Web Console, select Devices → Policies & pro les.

2. Click the policy name you want to con gure.

3. In the <Policy name> window that opens select the Application settings tab.

4. Select the Network activity control section.

5. Click the Settings button in the Anti-Cryptor subsection.

The Anti-Cryptor window opens.

6. If the task has not been started, open the Task management tab:

a. Select the Run by schedule check box.

b. Select the At application launch frequency in the drop-down list.

7. Click Save.

218
 The newly con gured settings are saved.

Con gure the Anti-Cryptor for NetApp task:

1. In the main window of Web Console, select Devices → Policies & pro les.

2. Click the policy name you want to con gure.

3. In the <Policy name> window that opens select the Application settings tab.

4. Select the Network attached storage protection section.

5. Click the Settings button in the Anti-Cryptor for NetApp subsection.

6. The Anti-Cryptor for NetApp window opens.

7. If the task has not been started, open the Task management tab:

a. Select the Run by schedule check box.

8. Select the At application launch frequency in the drop-down list.

9. Click Save.

Kaspersky Security for Windows Server blocks access to network le resources for the hosts showing malicious
or encrypting activity.

Con guring Blocked Hosts settings

To con gure the Blocked Hosts storage:

1. In the main window of Web Console, select Devices → Policies & pro les.

2. Click the policy name you want to con gure.

3. In the <Policy name> window that opens select the Application settings tab.

4. Select the Supplementary section.

5. Click Settings in the Storages subsection.

6. In the Supplementary section, click the Settings button in the Storages subsection.
The Storages window is displayed.

7. In the Host blocking term section of the Blocked host storage tab, specify the number of days, hours and
minutes after which blocked hosts regain access to network le resources after being blocked.

8. Click OK.

219
Event registration. Kaspersky Security for Windows Server logs
This section provides information about working with Kaspersky Security for Windows Server logs: the system
audit log, task execution logs, and the event log.

Ways to register Kaspersky Security for Windows Server events

Events of Kaspersky Security for Windows Server are divided into two groups:

Events related to the processing of objects in Kaspersky Security for Windows Server tasks.

Events related to the administration of Kaspersky Security for Windows Server, such as starting the
application, creating or deleting tasks, or editing task settings.

Kaspersky Security for Windows Server uses the following methods to log events:

Task logs. A task log contains information about the current task status and events that occurred during task
execution.

System audit log. The system audit log contains information about events related to the administration of
Kaspersky Security for Windows Server.

Event Log. The Event Log contains information about events required to diagnose failures in the operation of
Kaspersky Security for Windows Server. The Event Log is available in Microsoft Windows Event Viewer.

Security log. The Security log contains information about events associated with security breaches or
attempted security breaches on the protected device.

If a problem occurs during operation of Kaspersky Security for Windows Server (for example, Kaspersky Security
for Windows Server or an individual task terminates abnormally or does not start), you can create a trace le and a
dump le of Kaspersky Security for Windows Server processes and send les with this information to Kaspersky
Technical Support for analysis in order to diagnose the problem.

Kaspersky Security for Windows Server does not send any trace or dump les automatically. Diagnostic data
can only be sent by a user who has the required permissions.

Kaspersky Security for Windows Server writes information to trace les and the dump le in unencrypted
form. The folder where les are saved is selected by the user and managed by the operating system
con guration and Kaspersky Security for Windows Server settings. You can con gure access permissions and
allow only required users to access logs, trace les and dump les.

Files that can be downloaded by the following links contain tables with the full lists of Kaspersky Security for
Windows Server events of the following categories:

Events that Kaspersky Security for Windows Server writes to the Event Log.

DOWNLOAD KSWS-WEL-EVENTS.ZIP

Events that Kaspersky Security for Windows Server sends to the Administration Server.

DOWNLOAD KSWS-KSC-EVENTS.ZIP
220
System audit log
Kaspersky Security for Windows Server performs a system audit of events related to the administration of
Kaspersky Security for Windows Server. The application logs information about, for example, start of the
application, starts and stops of Kaspersky Security for Windows Server tasks, changes in task settings, and
creation and deletion of On-Demand Scan tasks. Records of all those events are displayed in the details pane when
you select the System audit log node in the Application Console.

By default Kaspersky Security for Windows Server stores records in the system audit log for an unlimited period of
time. You specify the storage period for records in the system audit log.

You can specify a folder that Kaspersky Security for Windows Server will use to store les containing system audit
log other than the default one.

Sorting events in the system audit log

By default, events in the system audit log node are displayed in reverse chronological order.

Events can be sorted by the contents of any column except the Event column.

To sort events in the system audit log:

1. In the Application Console tree, expand the Logs and noti cations node.

2. Select the System audit log child node.

3. In the details pane, select the header of the column that you want to use to sort the events in the list.

The sorted results will be saved for the next time you view the system audit log.

Filtering events in the system audit log

You can con gure the system audit log to display only the records of events that meet the ltering conditions
( lters) that you have speci ed.

To lter events in the system audit log:

1. In the Application Console tree, expand the Logs and noti cations node.

2. Open the context menu of the System audit log child node and select Filter.
The Filter settings window opens.

3. To add a lter, perform the following steps:

a. In the Field name, select a column to lter events.

b. In the Operator list, select the ltering condition. Filtering conditions vary depending on the item selected in
the Field name list.

221
 c. In the Field value, select a value for the lter.

d. Click the Add button.

The lter you added will appear in the list of lters in the Filter settings window.

4. If necessary, perform one of the following actions:

To combine multiple lters using the logical operator "AND", select If all conditions are met.

To combine multiple lters using the logical operator "OR", select If any condition is met.

5. Click the Apply button to save the ltering conditions in the system audit log.
The list of events of the system audit log displays only events that meet the ltering conditions. The ltered
results will be saved for the next time you view the system audit log.

To disable the lter:

1. In the Application Console tree, expand the Logs and noti cations node.

2. Open the context menu of the System audit log child node and select Remove lter.
The list of events of the system audit log will then display all events.

Deleting events from the system audit log

By default, Kaspersky Security for Windows Server stores records in the system audit log for an unlimited period of
time. You can specify the storage period for records in the system audit log.

You can manually delete all events from the system audit log.

To delete events from the system audit log:

1. In the Application Console tree, expand the Logs and noti cations node.

2. Open the context menu of the System audit log child node and select Clear.

3. Perform one of the following steps:

If you want to save the log contents as a le in CSV or TXT format before deleting events from the system
audit log, click the Yes button in the deletion con rmation window. In the window that opens, specify the
name and location of the le.

If you do not want to save the log contents as a le, click the No button in the deletion con rmation window.

The system audit log will be cleared.

Task logs
This section provides information about Kaspersky Security for Windows Server task logs and instructions on how
to manage them.

222
About task logs
Information about the execution of Kaspersky Security for Windows Server tasks is displayed in the details pane
when you select the Task logs node in the Application Console.

In the log of each task, you can view task execution statistics, details of each of the objects that have been
processed by the application since the task started, and task settings.

By default, Kaspersky Security for Windows Server stores records in task logs for 30 days after a task is done. You
can change the storage period for records in task logs.

You can specify a folder that Kaspersky Security for Windows Server will use to store les containing task logs
other than the default one. You can also select events that Kaspersky Security for Windows Server will record in
task logs.

Sorting task logs

By default, task logs are displayed in reverse chronological order. They can be sorted by any column.

To sort task logs:

1. In the Application Console tree, expand the Logs and noti cations node.

2. Select the Task logs subnode.

3. In the details pane, select the header of the column that you want to use to sort Kaspersky Security for
Windows Server task logs.

The sorted results will be saved for the next time you view the task logs.

Filtering task logs

You can con gure the list of task logs to display only the task logs that meet the ltering conditions ( lters) that
you have speci ed.

To lter task logs:

1. In the Application Console tree, expand the Logs and noti cations node.

2. Open the context menu of the Task logs child node and select Filter.
The Filter settings window opens.

3. To add a lter, perform the following steps:

a. In the Field name, select a column to lter task logs.

b. In the Operator list, select the ltering condition. Filtering conditions vary depending on the item selected in
the Field name list.

c. In the Field value, select a value for the lter.

223
 d. Click the Add button.

The lter you added will appear in the list of lters in the Filter settings window.

4. If necessary, perform one of the following actions:

To combine multiple lters using the logical operator "AND", select If all conditions are met.

To combine multiple lters using the logical operator "OR", select If any condition is met.

5. Click the Apply button to save the ltering conditions in the list of task logs.

The list of task logs displays only task logs that meet the ltering conditions. The ltered results will be saved for
the next time you view the task logs.

To disable the lter:

1. In the Application Console tree, expand the Logs and noti cations node.

2. Open the context menu of the Task logs child node and select Remove lter.

The list of task logs will then display all task logs.

Viewing statistics and information about a Kaspersky Security for Windows

Server task in task logs
In task logs, you can view detailed information about all events that have occurred in tasks since they started, as
well as task execution statistics and task settings.

To view statistics and information about a Kaspersky Security for Windows Server task:

1. In the Application Console tree, expand the Logs and noti cations node.

2. Select the Task logs subnode.

3. In the results pane, open the Logs window using one of the following methods:

Double-click the task log you want to view.

Open the context menu of the task log you want to view and select View log.

4. In the window that opens, the following details are displayed:

The Statistics tab displays the time of task start and completion, as well as task statistics.

The Events tab displays a list of events logged during task execution.

The Options tab displays the task settings.

5. If necessary, click the Filter button to lter the events in the task log.

6. If necessary, click the Export button to export data from the task log into a le in CSV or TXT format.

224
 7. Click the Close button.

The Logs window will be closed.

Exporting information from a task log

You can export data from a task log into a le in CSV or TXT format.

To export data from a task log:

1. In the Application Console tree, expand the Logs and noti cations node.

2. Select the Task logs subnode.

3. In the results pane, open the Logs window using one of the following methods:

Double-click the task log you want to view.

Open the context menu of the task log you want to view and select View log.

4. In the lower part of the Logs window, click the Export button.
The Save as window opens.

5. Specify the name, location, type, and encoding of the le to which you want to export data from the task log.

6. Click the Save button.

The speci ed settings are saved.

Deleting task logs

By default, Kaspersky Security for Windows Server stores records in task logs for 30 days after a task is done. You
can change the storage period for records in task logs.

You can manually delete task logs that are already complete.

Events from the logs of tasks that are currently running and tasks being used by other users will not be
deleted.

To delete the task logs:

1. In the Application Console tree, expand the Logs and noti cations node.

2. Select the Task logs subnode.

3. Perform one of the following steps:

If you want to delete the logs of all tasks that are already complete, open the context menu of the Task logs
child node and select Clear.

225
 If you want to clear the log of an individual task, in the details pane, open the context menu the task log you
want to clear, and select Remove.

If you want to clear the logs of several tasks:

a. In the details pane, use the Ctrl or Shift key to select the task logs you want to clear.

b. Open the context menu of any selected task log and select Remove.

4. Click the Yes button in the deletion con rmation window to con rm that you want to delete the logs.

The task logs that you selected will be cleared. The deletion of task logs will be recorded in the system audit log.

Security log
Kaspersky Security for Windows Server maintains a log of events associated with security breaches or attempted
security breaches on the protected device. The following events are recorded in this log:

Exploit Prevention events.

Critical Log Inspection events.

Critical events that indicate an attempted security breach (for the Real-Time Server Protection, On-Demand
Scan, File Integrity Monitor, Applications Launch Control, and Device Control tasks).

You can clear the Security log as well as the system audit log. Moreover, Kaspersky Security for Windows Server
records a system audit event when the Security log is cleared.

Viewing the event log of Kaspersky Security for Windows Server in Event
Viewer
You can view the event log of Kaspersky Security for Windows Server using the Microsoft Windows Event Viewer
snap-in for Microsoft Management Console. The log contains events registered by Kaspersky Security for
Windows Server and required to diagnose failures in its operation.

Events that will be registered in the event log can be selected based on the following criteria:

by event types.

by level of detail. The level of detail corresponds to the importance level of the events registered in the log
(informational, important, or critical events). The most detailed is the Informational level, which registers all
events. The least detailed is the Critical level, which registers only critical events.

To view the Kaspersky Security for Windows Server event log:

1. Click the Start button, enter the mmc command at the search bar, and press ENTER.
Microsoft Management Console opens.

2. Select File > Add or remove snap-in.

The Add or remove snap-ins window opens.

3. In the list of available snap-ins, select the Event Viewer snap-in and click the Add button.
226
 The Select computer window opens.

4. In the Select computer window, specify the protected device on which Kaspersky Security for Windows
Server is installed, and click OK.

5. In the Add and remove snap-ins window, click OK.

In the Microsoft Management Console tree, the Event Viewer node appears.

6. Expand the Event Viewer node and select the Applications and Services Logs > Kaspersky Security child
node.

The Kaspersky Security for Windows Server event log opens.

Con guring log settings in Administration Plug-in

You can edit the following settings of Kaspersky Security for Windows Server logs:

Length of the storage period for events in task logs and the system audit log.

Location of the folder in which Kaspersky Security for Windows Server stores task log les and the system
audit log le.

Events generation thresholds for Application database is out of date, Application database is extremely out of
date and Critical areas scan has not been performed for a long time.

Events that Kaspersky Security for Windows Server saves in task logs, the system audit log, and the event log
of Kaspersky Security for Windows Server in Event Viewer.

Settings for publishing audit events and task performance events to the syslog server via the Syslog protocol.

To con gure Kaspersky Security for Windows Server logs, perform the following steps:

1. In the Application Console tree, open the context menu of the Logs and noti cations node and select
Properties.
The Logs and noti cations settings window opens.

2. In the Logs and noti cations settings window, con gure the logs in accordance with your requirements. To do
this, perform the following actions:

On the General tab, if necessary, select events that Kaspersky Security for Windows Server will save in task
logs, the system audit log, and the event log of Kaspersky Security for Windows Server in Event Viewer. To
do this, perform the following actions:

In the Component list, select the component of Kaspersky Security for Windows Server for which you
want to set the detail level.

For the Real-Time File Protection, RPC Network Storage Protection, ICAP Network Storage Protection,
Script Monitoring, On-Demand Scan, and Update components, events are recorded in tasks logs and
the event log. For these components, the event table contains the Task log and Windows Event Log
columns. Events for the Quarantine and Backup components are registered in the system audit log and
the event log. For these components, the event table contains the Audit and Windows Event Log
columns.

227
 In the Importance level list, select a detail level for events in task logs, the system audit log, and the
event log for the selected component.
In the following table with a list of events, the check boxes are selected next to events that are registered
in task logs, the system audit log, and the event log, according to the current detail level.

If you want to manually enable registration of speci c events for a selected component, perform the
following actions:

a. In the Importance level list, select Custom.

b. In the table with the list of events, select the check boxes next to events that you want to be registered
in task logs, the system audit log, and the event log.

On the Advanced tab, con gure the log storage settings and event generation thresholds for device
protection status:

In the Log storage section:

Logs folder

Remove task logs older than (days)

Remove from the system audit log events older than (days)

In the Event generation thresholds section:

Specify the number of days after which the Application database is out of date, Application
database is extremely out of date and Critical areas scan has not been performed for a long time
events will occur .

On the SIEM integration tab, con gure the settings for publishing audit events and task performance
events to the syslog server.

3. Click OK to save the changes.

About SIEM integration

To reduce the load on low-performance devices and to reduce the risk of system degradation as a result of
increased application log sizes, you can con gure the publication of audit events and task performance events to
the syslog server via the Syslog protocol.

A syslog server is an external server for aggregating events (SIEM). It stores and analyzes received events and
performs other log management actions.

You can use SIEM integration in two modes:

Duplicate events on the syslog server: in this mode, all task performance events whose publication is con gured
in log settings, as well as all system audit events, continue to be stored on the protected device even after they
are sent to the SIEM server.
We recommend that you use this mode to reduce the load on the protected device as much as possible.

Delete local copies of events: in this mode, all events that are registered during application operation and
published to the SIEM server will be deleted from the protected device.

228
 The application never deletes local versions of the security log.

Kaspersky Security for Windows Server can convert events in application logs into formats supported by the
syslog server so that those events can be transmitted and successfully recognized by the SIEM server. The
application supports conversion into structured data format and into JSON format.

We recommend that you select the format of events based on the con guration of the utilized SIEM server.

Reliability settings

You can reduce the risk that events will be relayed to the SIEM server unsuccessfully by de ning the settings for
connecting to a mirror syslog server.

A mirror syslog server is an additional syslog server to which the application switches automatically if the
connection to the main syslog server is unavailable or if the main server cannot be used.

Kaspersky Security for Windows Server also uses system audit events to notify you about unsuccessful attempts
to connect to the SIEM server and about errors while sending events to the SIEM server.

Con guring SIEM integration settings

By default, SIEM integration is not used. You can enable and disable SIEM integration, and con gure relevant
settings (see the table below).

SIEM integration settings

Setting Default Description

value

Send events to a remote Not You can enable or disable SIEM integration by selecting or
syslog server via syslog applied clearing the check box, respectively.
protocol

Remove local copies for Not You can con gure the settings for storing local copies of logs
events that have been sent applied after they are sent to the SIEM server by selecting or clearing
to a remote syslog server the check box.

Events format Structured You can select one of two formats to which the application
data converts its events prior to sending them to the syslog server
for better recognition of these events by the SIEM server.

Connection protocol TCP You can use the drop-down list to con gure the connection to
the main and mirror syslog servers via the UDP or TCP
protocols.

Main syslog server IP address: You can use the appropriate elds to con gure the IP address
connection settings 127.0.0.1 and port used to connect to the main syslog server.
Port: 514 You can specify the IP address only in IPv4 format.

Use mirror syslog server if Not You can use the check box to enable or disable the use of a
the main server is not applied mirror syslog server.
accessible

Mirror syslog server IP address: You can use the appropriate elds to con gure the IP address
connection settings 127.0.0.1 and port used to connect to the mirror syslog server.
Port: 514 You can specify the IP address only in IPv4 format.

229
To con gure SIEM integration settings:

1. In the Application Console tree, open the context menu of the Logs and noti cations node.

2. Select Properties.
The Logs and noti cations settings window opens.

3. Select the SIEM integration tab.

4. In the Integration settings section, select the Send events to a remote syslog server via syslog protocol
check box.

5. If necessary, in the Integration settings section, select the Remove local copies for events that have been
sent to a remote syslog server check box.

The status of the Remove local copies for events that have been sent to a remote syslog server check
box does not a ect the settings for storing events of the security log: the application never automatically
deletes security log events.

6. In the Events format section, specify the format to which you want to convert application events so that they
can be sent to the SIEM server.
By default, the application converts them into a structured data format.

7. In the Connection settings section:

Specify the SIEM connection protocol.

Specify the settings for connecting to the main syslog server.

You can only specify an IP address in IPv4 format.

Select the Use mirror syslog server if the main server is not accessible check box if you want the
application to use other connection settings when unable to send events to the main syslog server.
Specify the following settings for connecting to the mirror syslog server: Address and Port.
The Address and Port elds for the mirror syslog server cannot be edited if the Use mirror syslog server if
the main server is not accessible check box is cleared.
You can only specify an IP address in IPv4 format.

8. Click OK.
The con gured SIEM integration settings will be applied.

Con guring logs and noti cations

The Kaspersky Security Center Administration Console can be used to con gure noti cations for administrator
and users about the following events related to Kaspersky Security for Windows Server and the status of Anti-
Virus protection on the device:

The administrator can receive information about events of selected types;

LAN users who access the protected device and terminal protected device users can receive information
about Object detected events.

230
Noti cations about Kaspersky Security for Windows Server events can be con gured either for a single protected
device using the Properties: <Protected device name> window of the selected protected device, or for a group of
protected devices in the Properties: <Policy name> window of the selected administration group.

On the Event noti cations tab or in the Noti cation settings window, you can con gure the following types of
noti cations:

Administrator noti cations about events of selected types can be con gured using the Event noti cations
tab (the standard tab in Kaspersky Security Center). For details on noti cation methods, see the Kaspersky
Security Center Help.

Both administrator and user noti cations can be con gured in the Noti cation settings window.

You can con gure noti cations for some event types only in the window or on the tab; you can use both the
window and tab to con gure noti cations for other event types.

If you con gure noti cations about events of the same type using the same mode on the Event noti cations
tab and in the Noti cation settings window, the system administrator will receive noti cations for those
events twice but in the same mode.

Con guring log settings

To con gure Kaspersky Security for Windows Server logs, perform the following steps:

1. Expand the Managed devices node in the Kaspersky Security Center Administration Console tree.

2. Select the administration group for which you want to con gure application settings.

3. Perform one of the following actions in the details pane of the selected administration group:

To con gure application settings for a group of protected devices, select the Policies tab and open the
Properties: <Policy name> window.

To con gure the application for a single protected device, select the Devices tab and open the Application
settings window.

If an active Kaspersky Security Center policy is applied to a device and blocks changes to application
settings, then these settings cannot be edited in the Application settings window.

4. In the Logs and noti cations section, click the Settings button in the Task logs subsection.

5. In the Logs settings window de ne the following settings of Kaspersky Security for Windows Server according
to your requirements:

Con gure the level of detail of events in logs. To do this, perform the following actions:

a. In the Component list select the component of Kaspersky Security for Windows Server for which you
want to set the detail level.

b. To de ne the level of detail in the task logs and system audit log for the selected component, choose the
level you need from Importance level.

231
 To change the default location for logs, specify the full path to the folder or click the Browse button to
select it.

Specify how many days task logs will be stored.

Specify how many days information displayed in the System audit log node will be stored.

6. Click OK.

The con gured log settings are saved.

Security log
Kaspersky Security for Windows Server maintains a log of events associated with security breaches or attempted
security breaches on the protected device. The following events are recorded in this log:

Exploit Prevention events.

Critical Log Inspection events.

Critical events that indicate an attempted security breach (for the Real-Time Server Protection, On-Demand
Scan, File Integrity Monitor, Applications Launch Control, and Device Control tasks).

You can clear the Security log as well as the system audit log. Moreover, Kaspersky Security for Windows Server
records a system audit event when the Security log is cleared.

Con guring SIEM integration settings

To reduce the load on low-performance devices and to reduce the risk of system degradation as a result of
increased application log sizes, you can con gure the publication of audit events and task performance events to
the syslog server via the Syslog protocol.

A syslog server is an external server for aggregating events (SIEM). It stores and analyzes received events and
performs other log management actions.

You can use SIEM integration in two modes:

Duplicate events on the syslog server: in this mode, all task performance events whose publication is con gured
in log settings, as well as all system audit events, continue to be stored on the protected device even after they
are sent to the SIEM server.
We recommend that you use this mode to reduce the load on the protected device as much as possible.

Delete local copies of events: in this mode, all events that are registered during application operation and
published to the SIEM server will be deleted from the protected device.

The application never deletes local versions of the security log.

Kaspersky Security for Windows Server can convert events in application logs into formats supported by the
syslog server so that those events can be transmitted and successfully recognized by the SIEM server. The
application supports conversion into structured data format and into JSON format.

232
To reduce the risk that events will be relayed to the SIEM server unsuccessfully, you can de ne settings for
connecting to a mirror syslog server.

A mirror syslog server is an additional syslog server to which the application switches automatically if the
connection to the main syslog server is unavailable or if the main server cannot be used.

By default, SIEM integration is not used. You can enable and disable SIEM integration, and con gure relevant
settings (see the table below).

SIEM integration settings

Setting Default Description

value

Send events to a remote Not You can enable or disable SIEM integration by selecting or
syslog server via syslog applied clearing the check box, respectively.
protocol

Remove local copies for Not You can con gure the settings for storing local copies of logs
events that have been sent applied after they are sent to the SIEM server by selecting or clearing
to a remote syslog server the check box.

Events format Structured You can select one of two formats to which the application
data converts its events prior to sending them to the syslog server
for better recognition of these events by the SIEM server.

Connection protocol TCP You can use the drop-down list to con gure the connection to
the main syslog server via the UDP or TCP protocols; to the
mirror syslog server via the TCP protocol.

Main syslog server IP address: You can use the appropriate elds to con gure the IP address
connection settings 127.0.0.1 and port used to connect to the main syslog server.
Port: 514 You can specify the IP address only in IPv4 format.

Use mirror syslog server if Not You can use the check box to enable or disable the use of a
the main server is not applied mirror syslog server.
accessible

Mirror syslog server IP address: You can use the appropriate elds to con gure the IP address
connection settings 127.0.0.1 and port used to connect to the mirror syslog server.
Port: 514 You can specify the IP address only in IPv4 format.

To con gure SIEM integration settings:

1. Expand the Managed devices node in the Kaspersky Security Center Administration Console tree.

2. Select the administration group for which you want to con gure application settings.

3. Perform one of the following actions in the details pane of the selected administration group:

To con gure application settings for a group of protected devices, select the Policies tab and open the
Properties: <Policy name> window.

To con gure the application for a single protected device, select the Devices tab and open the Application
settings window.

If an active Kaspersky Security Center policy is applied to a device and blocks changes to application
settings, then these settings cannot be edited in the Application settings window.

233
4. In the Logs and noti cations section click the Settings button in the Task logs subsection.
The Logs and noti cations settings window opens.

5. Select the SIEM integration tab.

6. In the Integration settings section, select the Send events to a remote syslog server via syslog protocol
check box.

7. If necessary, in the Integration settings section, select the Remove local copies for events that have been
sent to a remote syslog server check box.

The status of the Remove local copies for events that have been sent to a remote syslog server check
box does not a ect the settings for storing events of the security log: the application never automatically
deletes security log events.

8. In the Events format section, specify the format to which you want to convert application events so that they
can be sent to the SIEM server.
By default, the application converts them into a structured data format.

9. In the Connection settings section:

Specify the SIEM connection protocol.

Specify the settings for connecting to the main syslog server.

You can only specify an IP address in IPv4 format.

Select the Use mirror syslog server if the main server is not accessible check box if you want the
application to use other connection settings when unable to send events to the main syslog server.
Specify the following settings for connecting to the mirror syslog server: Address and Port.
The Address and Port elds for the mirror syslog server cannot be edited if the Use mirror syslog server if
the main server is not accessible check box is cleared.
You can only specify an IP address in IPv4 format.

10. Click OK.

The con gured SIEM integration settings will be applied.

Con guring noti cation settings

To con gure Kaspersky Security for Windows Server noti cations, perform the following steps:

1. Expand the Managed devices node in the Kaspersky Security Center Administration Console tree.

2. Select the administration group for which you want to con gure application settings.

3. Perform one of the following actions in the details pane of the selected administration group:

To con gure application settings for a group of protected devices, select the Policies tab and open the
Properties: <Policy name> window.

234
 To con gure the application for a single protected device, select the Devices tab and open the Application
settings window.

If an active Kaspersky Security Center policy is applied to a device and blocks changes to application
settings, then these settings cannot be edited in the Application settings window.

4. In the Logs and noti cations section, click the Settings button in the Event noti cations subsection.

5. In the Noti cation settings window, de ne the following settings of Kaspersky Security for Windows Server
according to your requirements:

In the Noti cation settings list select the type of noti cation whose settings you want to con gure.

In the Notify users section con gure the user noti cation method. If necessary, enter the text of the
noti cation message.

In the Notify administrators section con gure the administrator noti cation method. If necessary, enter
the text of the noti cation message. If necessary, con gure additional noti cation settings by clicking the
Settings button.

In the Event generation thresholds section, specify the time intervals after which Kaspersky Security for
Windows Server logs Application database is out of date, Application database is extremely out of date and
Critical areas scan has not been performed for a long time events.

Application database is out of date (days)

Application database is extremely out of date (days)

Critical areas scan has not been performed for a long time (days)

6. Click OK.

The con gured noti cation settings are saved.

Con guring interaction with the Administration Server

To select the types of objects about which Kaspersky Security for Windows Server sends information to the
Kaspersky Security Center Administration Server:

1. Expand the Managed devices node in the Kaspersky Security Center Administration Console tree.

2. Select the administration group for which you want to con gure application settings.

3. Perform one of the following actions in the details pane of the selected administration group:

To con gure application settings for a group of protected devices, select the Policies tab and open the
Properties: <Policy name> window.

To con gure the application for a single protected device, select the Devices tab and open the Application
settings window.

235
 If an active Kaspersky Security Center policy is applied to a device and blocks changes to application
settings, then these settings cannot be edited in the Application settings window.

4. In the Logs and noti cations section, click the Settings button in the Interaction with Administration Server
subsection.
The Administration Server Network lists window opens.

5. In the Administration Server Network lists window, select the types of objects about which Kaspersky
Security for Windows Server will send information to the Kaspersky Security Center Administration Server:

Quarantined objects.

Backed up objects.

Blocked hosts.

6. Click OK.
Kaspersky Security for Windows Server will send information about the selected object types to the
Administration Server.

236
Noti cation settings
This section provides information about ways in which users and administrators of Kaspersky Security for
Windows Server can be noti ed about application events and the device protection status, as well as instructions
on how to con gure noti cations.

Administrator and user noti cation methods

You can con gure the application to notify the administrator and users who access the device about events in the
operation of Kaspersky Security for Windows Server and the anti-virus protection status on the device.

The application ensures performance of the following tasks:

The administrator can receive information about events of selected types.

LAN users who access a device and terminal device users can receive information about events of the Object
detected type in the Real-Time File Protection task.

In the Application Console, administrator or user noti cations can be activated using several methods:

User noti cation methods:

a. Terminal service tools.

You can apply this method for notifying terminal protected device users if the protected device is used as
terminal.

b. Message service tools.

You can apply this method for noti cation via Microsoft Windows message services. The method is not
applicable if the protected device is running Microsoft Windows Server 2008 or higher.

Administrator noti cation methods:

a. Message service tools.

You can apply this method for noti cation via Microsoft Windows message services. The method is not
applicable if the protected device is running Microsoft Windows Server 2008 or higher.

b. Running an executable le.

This method runs an executable le stored on the protected device's local drive when an event occurs.

c. Sending by email.
This method uses email to transmit messages.

You can create the text of a message for individual event types. It can include an information eld to describe an
event. By default, the application uses a default message to notify users.

Con guring administrator and user noti cations

Event noti cation settings give you a choice of methods for con guring and composing a message text.

To con gure event noti cation settings:

237
1. In the Application Console tree, open the context menu of the Logs and noti cations node and select
Properties.
The Logs and noti cations settings window opens.

2. On the Noti cations tab select the noti cation mode:

a. Select the event for which you wish to select a noti cation method from the Event type list.

b. In the Notify administrators or Notify users group settings, select the check box next to the noti cation
methods that you wish to con gure.

You can only con gure user noti cations for the following events: Object detected, Untrusted
external device detected and restricted event, and Host listed as untrusted event.

3. To add the text of a message:

a. Click the Message text button.

b. In the window that opens, enter the text to be displayed in the corresponding event message.

You can create the same message for several event types: after selecting a noti cation method for one
event type, use the Ctrl or Shift key to select the other event types for which you want to use the same
message, and then click the Message text button.

a. To add elds with information about an event, click the Macro button and select the relevant elds from the
drop-down list. Fields with event information are described in the table in this section.

b. To restore the default event message text, click the By default button.

4. To con gure administrator noti cation methods for the selected event, select the Noti cations tab, click the
Settings button in the Notify administrators section and con gure the selected methods in the Advanced
settings window. To do this, perform the following actions:

a. For email noti cations, open the Email tab and specify the email addresses of recipients (delimit addresses
with semicolon), name or network address of the SMTP server, and port number in the appropriate elds. If
necessary, specify the text that will be displayed in the Subject and From elds. The text in the Subject eld
can also include variables with information about the event (see table below).
If you want to apply user account authentication when connecting to the SMTP server, select Use SMTP
authentication in the Authentication settings group and specify the name and password of the user
whose user account will be authenticated.

b. For noti cations using Windows Messenger Service, create a list of recipient protected devices for
noti cations on the Windows Messenger Service tab: for each protected device that you wish to add, click
the Add button and enter its network name in the input eld.

Windows Messenger Service noti cations are not used if the protected device is running Microsoft
Windows Server 2008 and subsequent versions of Microsoft Windows Server.

c. To run an executable le, select the le on the protected device's local drive that will be executed on the
protected device when an event occurs or enter its full path on the Executable le tab. Enter the user name
and password which will be used to execute the le.

238
 System environment variables can be used when the path to the executable le is speci ed; user
environment variables are not allowed.
If you wish to limit the number of messages of one event type over a period of time, on the Advanced tab,
select Do not send the same noti cation more than and specify the number of times and a time interval.

5. Click OK.

The con gured noti cation settings are saved.

Fields with event information

Variable Description

%EVENT_TYPE% Event type.

%EVENT_TIME% Event time.

%EVENT_SEVERITY% Importance level.

%OBJECT% Object name (in Real-Time Server Protection and On-Demand Scan tasks).
The Software Modules Update task includes the name of the update and the
address of the web page with information on the update.

%VIRUS_NAME% The name of the object according to the Virus Encyclopedia classi cation . This
name is included in the full name of the detected object that Kaspersky Security
for Windows Server returns on detecting an object. You can view the full name of
the detected object in the task log.

%VIRUS_TYPE% The type of detected object according to the Kaspersky classi cation, such as
"virus" or "trojan". It is included in the full name of the detected object, which is
returned by Kaspersky Security for Windows Server when it nds an object
infected or probably infected. You can view the full name of the detected object
in the task log.

%USER_COMPUTER% In the Real-time File Protection task and RPC Network Storage Protection task,
the protected device name for the user who accessed the object on the device.

%USER_NAME% In the Real-Time File Protection task and RPC Network Storage Protection task,
the name of the user who accessed the object on the device.

%FROM_COMPUTER% Name of the protected device where the noti cation originated.

%EVENT_REASON% Reason the event occurred (some events do not have this eld).

%ERROR_CODE% Error code (only for the "internal task error" event).

%TASK_NAME% Task name (only for events related to task performance).

239
Starting and stopping Kaspersky Security for Windows Server
This section contains information about starting Application Console and about starting and stopping the
Kaspersky Security Service.

Starting the Kaspersky Security for Windows Server Administration Plug-in

No additional actions are required to start the Kaspersky Security for Windows Server Administration Plug-in in
Kaspersky Security Center. Once the Plug-in is installed on the administrator's protected device, it is started
together with Kaspersky Security Center. Detailed information about starting Kaspersky Security Center can be
found in the Kaspersky Security Center Help.

Starting the Kaspersky Security for Windows Server Console from the
Start menu

The names of settings may vary under di erent Windows operating systems.

To start the Application Console from the Start menu:

1. In the Start menu, select Programs > Kaspersky Security for Windows Server > Administration Tools >
Kaspersky Security for Windows Server Console.

To add other snap-ins to the Application Console, start the Application Console in author mode.

To start the Application Console in author mode:

1. In the Start menu, select Programs > Kaspersky Security for Windows Server > Administration Tools.

2. In the context menu of the Application Console, select the Author command.

The Application Console is started in author mode.

If the Application Console has been started on the protected device, the Application Console window opens.

If you started the Application Console on a non-protected device, connect to the protected device.

To connect to the protected device:

1. In the Application Console tree, open the context menu of the Kaspersky Security node.

2. Select the Connect to another computer command.

The Select computer window opens.

3. Select Another computer in the window that opens.

4. Specify the network name of the protected device in the entry eld on the right.

5. Click OK.

240
 The Application Console will connect to the protected device.

If the user account that you are using to log in to Microsoft Windows does not have su icient permissions to
access the Kaspersky Security Management Service on the protected device, select the Connect as user check
box and specify a di erent user account that the required permissions.

Starting and stopping the Kaspersky Security Service

By default, the Kaspersky Security Service starts automatically immediately after the operating system. The
Kaspersky Security Service manages the work processes that execute the Real-Time Server Protection, Server
Control, On-Demand Scan and update tasks.

By default when Kaspersky Security for Windows Server is started, the Real-Time File Protection, Script
Monitoring (if installed) and Scan at Operating System Startup tasks are started, as well as other tasks that are
scheduled to start At application launch.

If the Kaspersky Security Service is stopped, all running tasks are stopped. After you restart the Kaspersky
Security Service, the application automatically starts only those tasks scheduled to run At application launch,
while other tasks have to be started manually.

You can start and stop the Kaspersky Security Service using the context menu of the Kaspersky Security node or
using the Microsoft Windows Services snap-in.

You can start and stop Kaspersky Security for Windows Server if you are a member of the Administrators
group on the protected device.

To stop or start the application using the Application Console:

1. In the Application Console tree, open the context menu of the Kaspersky Security node.

2. Select one of the following items:

Stop the service.

Start the service.

The Kaspersky Security Service will be started or stopped.

Starting Kaspersky Security for Windows Server components in the

operating system safe mode
This section provides information about Kaspersky Security for Windows Server working in the operating system
safe mode.

About Kaspersky Security for Windows Server working in the operating

system safe mode

241
Kaspersky Security for Windows Server components can be started when the operating system loads in safe
mode. In addition to the Kaspersky Security Service (kavfs.exe), the klam.sys driver is loaded. It is used to register
the Kaspersky Security Service as a protected service during the start of the operating system. For more details,
see section Registering the Kaspersky Security Service as a protected service.

Kaspersky Security for Windows Server can be started in the following safe modes of the operating system:

Safe Mode Minimal – This mode is started when the standard option of the operating system safe mode is
selected. At that, Kaspersky Security for Windows Server can start the following components:

Real-Time File Protection.

On-Demand Scan.

Applications Launch Control and Rule Generator for Applications Launch Control.

Log Inspection.

File Integrity Monitor.

Baseline File Integrity Monitor.

Application Integrity Control.

Anti-Cryptor.

Blocked Hosts storage.

Safe Mode with Networking – In this mode, the operating system is loaded in safe mode with network drivers. In
addition to the components started in Safe Mode Minimal, Kaspersky Security for Windows Server can start the
following components in this mode:

Database Update.

Software Modules Update.

Network Attached Storage Protection.

Starting Kaspersky Security for Windows Server in safe mode

By default, Kaspersky Security for Windows Server is not started when the operating system is loaded in safe
mode.

To make Kaspersky Security for Windows Server start in the operating system safe mode:

1. Start Windows Registry Editor (C:\Windows\regedit.exe).

2. Open the [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\klam\Parameters] key of the

system registry.

3. Open the LoadInSafeMode parameter.

4. Set the value to 1.

242
 5. Click OK.

To cancel start of Kaspersky Security for Windows Server in the operating system safe mode:

1. Start Windows Registry Editor (C:\Windows\regedit.exe).

2. Open the [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\klam\Parameters] key of the

system registry.

3. Open the LoadInSafeMode parameter.

4. Set the value to 0.

5. Click OK.

243
Kaspersky Security for Windows Server self-defense
This section provides information about Kaspersky Security for Windows Server self-defense mechanisms.

About Kaspersky Security for Windows Server self-defense

Kaspersky Security for Windows Server has self-defense mechanisms that protect the application against
modi cation or deletion of its folders, memory processes, and system registry entries.

Protection from changes to folders with installed Kaspersky Security for

Windows Server components
Kaspersky Security for Windows Server blocks renaming and deletion of folders with the installed application
components by any user account. By default, the paths to the application installation folders are as follows:

On the 32-bit version of Microsoft Windows: %ProgramFiles%\Kaspersky Lab\Kaspersky Security for Windows
Server\

On the 64-bit version of Microsoft Windows: %ProgramFiles(x86)%\Kaspersky Lab\Kaspersky Security for

Windows Server\

Protection from changes to Kaspersky Security for Windows Server registry

keys
Kaspersky Security for Windows Server restricts access to the following registry branches and keys, which
facilitate loading of the application’s drivers and services:

[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\KasperskyLab\WSEE]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\kavfs]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\kavfsgt]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\kavfsslp]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\klam]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\klelaml]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\kl tdev]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\klramdisk]

[HKEY_LOCAL_MACHINE\SOFTWARE\KasperskyLab\WSEE\11\CrashDump]

[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\KasperskyLab\WSEE\11\CrashDump] (on the 64-bit

version of Microsoft Windows)

244
 [HKEY_LOCAL_MACHINE\SOFTWARE\KasperskyLab\WSEE\11\Trace]

[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\KasperskyLab\WSEE\11\Trace] (on the 64-bit version

of Microsoft Windows)

The rights to change these registry branches and keys are granted to Local System (SYSTEM) account only. User
and Administrator accounts are granted read-only rights.

Registering the Kaspersky Security Service as a protected service

Protected Process Light ("PPL") technology ensures that the operating system only loads trusted services and
processes. For a service to run as a protected service, an Early Launch Antimalware driver must be installed on the
device.

An Early Launch Antimalware ("ELAM") driver provides protection for the device in your network when they start
and before third-party drivers are initialized.

An ELAM driver is automatically installed during Kaspersky Security for Windows Server installation and is used for
registering the Kaspersky Security Service as a PPL when the operating system starts. When the Kaspersky
Security Service (KAVFS) is started as a system protected process, other non-protected processes on the system
are not able to inject threads, write into the virtual memory of the protected process, or stop the service.

When a process is started as a PPL, it cannot be managed by a user regardless of the assigned user
permissions. The Kaspersky Security Service can be registered as PPL using the ELAM driver on Microsoft
Windows Server 2016 RS3 build 16299 and higher operating systems. If you install Kaspersky Security for
Windows Server on a protected device running an operating system that supports PPL, permission
management will not be available for the Kaspersky Security Service (KAVFS).

To install Kaspersky Security as a PPL, run the following command:

msiexec /i ks4ws_x64.msi NOPPL=0 EULA=1 PRIVACYPOLICY=1 /qn

Managing access permissions for Kaspersky Security for Windows Server

functions
This section contains information about permissions to manage Kaspersky Security for Windows Server and
operating system services registered by the application, and instructions on how to con gure these permissions.

About permissions to manage Kaspersky Security for Windows Server

By default, access to all Kaspersky Security for Windows Server functions is granted to users of the
Administrators group on the protected device, users of the KAVWSEE Administrators group created on the
protected device during installation of Kaspersky Security for Windows Server, and the SYSTEM group.

Users who have Edit permissions access level for Kaspersky Security for Windows Server can grant access to
Kaspersky Security for Windows Server functions to other users registered on the protected device or included in
the domain.

245
Users who are not registered in the list of Kaspersky Security for Windows Server users cannot open the
Application Console.

You can choose one of the following preset access levels for a user or group of users:

Full control – access to all application functions: the ability to view and edit Kaspersky Security for Windows
Server general settings, component settings, and Kaspersky Security for Windows Server user permissions;
and the ability to view Kaspersky Security for Windows Server statistics.

Modi cation – access to all application functions except editing of user permissions: the ability to view and
edit Kaspersky Security for Windows Server general settings and Kaspersky Security for Windows Server
component settings.

Read – the ability to view Kaspersky Security for Windows Server general settings, Kaspersky Security for
Windows Server component settings, Kaspersky Security for Windows Server statistics, and Kaspersky
Security for Windows Server user permissions.

You can also con gure advanced access permissions: allow or block access to speci c functions of Kaspersky
Security for Windows Server.

If you have manually con gured access permissions for a user or group, then the Special permissions access level
is set for this user or group.

About access permissions for Kaspersky Security for Windows Server functions

User rights Description

Task management Ability to start / stop / pause / resume Kaspersky Security for Windows
Server tasks.

Create and delete On-Demand Ability to create and delete On-Demand Scan tasks.
Scan tasks

Edit settings Ability to:

Import Kaspersky Security for Windows Server settings from a
con guration le.

Edit the application settings.

Read settings Ability to:

View Kaspersky Security for Windows Server general settings and task
settings.

Export Kaspersky Security for Windows Server settings to a

con guration le.

View settings for task logs, system audit log, and noti cations.

Manage repositories Ability to:

Move objects to Quarantine.

Remove objects from Quarantine and Backup.

Restore objects from Quarantine and Backup.

Manage logs Ability to delete task logs and clear the system audit log.

246
 Read logs Ability to view Anti-Virus events in task logs and the system audit log.

Read statistics Ability to view statistics for each Kaspersky Security for Windows Server
task.

Application licensing Ability to activate Kaspersky Security for Windows Server.

Uninstalling the application Ability to uninstall Kaspersky Security for Windows Server.

Read permissions Ability to view the list of Kaspersky Security for Windows Server users
and user access privileges.

Edit permissions Ability to:

Edit the list of users with access to application management.

Edit user access permissions for Kaspersky Security for Windows

Server functions.

About permissions to manage registered services

During installation, Kaspersky Security for Windows Server registers in Windows the Kaspersky Security Service
(KAVFS), the Kaspersky Security Management Service (KAVFSGT) and Kaspersky Security Exploit Prevention
(KAVFSSLP).

The Kaspersky Security Service can be registered as a Protected Process Light using the ELAM driver on
Microsoft Windows 10 and higher operating systems. When a process is started as a PPL, it cannot be
managed by a user regardless of the assigned user permissions. If you install Kaspersky Security for Windows
Server on a protected device running an operating system that supports PPL, permission management will not
be available for the Kaspersky Security Service (KAVFS).

Kaspersky Security Service

By default, access permissions for managing the Kaspersky Security Service are granted to users in the
Administrators group on the protected device, as well as to the SERVICE and INTERACTIVE groups with read
permissions and to the SYSTEM group with read and execute permissions.

Users who have the Edit permissions level access can grant access permissions for managing Kaspersky Security
Service to other users registered on the protected device or included in the domain.

Kaspersky Security Management Service

To manage the application via the Application Console installed on a di erent protected device, the account
whose permissions are used to connect to Kaspersky Security for Windows Server must have full access to the
Kaspersky Security Management Service on the protected device.

By default, access to the Kaspersky Security Management Service is granted to users of the Administrators group
on the protected device and users of the KAVWSEE Administrators group created on the protected device during
Kaspersky Security for Windows Server installation.

You can only manage the Kaspersky Security Management Service via the Microsoft Windows Services snap-in.

247
Kaspersky Security Exploit Prevention

By default, access permissions for managing the Kaspersky Security Exploit Prevention service are granted to
users in the Administrators group on the protected device, as well as to the SYSTEM group with read and execute
permissions.

About access permissions for the Kaspersky Security Management Service

You can review the list of Kaspersky Security for Windows Server services.

During installation, Kaspersky Security for Windows Server registers the Kaspersky Security Management Service
(KAVFSGT). To manage the application via the Application Console installed on a di erent protected device, the
account used to connect to Kaspersky Security for Windows Server must have full access to the Kaspersky
Security Management Service on the protected device.

By default, access to the Kaspersky Security Management Service is granted to users of the Administrators group
on the protected device and users of the KAVWSEE Administrators group created on the protected device during
installation of Kaspersky Security for Windows Server.

You can manage the Kaspersky Security Management Service only via the Microsoft Windows Services snap-in.

You cannot allow or block user access to the Kaspersky Security Management Service by con guring
Kaspersky Security for Windows Server.

You can connect to Kaspersky Security for Windows Server from a local account if an account with the same
user name and password is registered on the protected device.

About permissions to manage the Kaspersky Security Service

During installation, Kaspersky Security for Windows Server registers Kaspersky Security Service (KAVFS) in
Windows, and internally enables functional components started at operating system startup. To reduce the risk of
third-party access to application functions and security settings on the protected device through management of
the Kaspersky Security Service, you can restrict permissions for managing the Kaspersky Security Service from
the Application Console or the Administration Plug-in.

By default, access permissions for managing the Kaspersky Security Service are granted to users in the
"Administrators" group on the protected device as well as to the SERVICE and INTERACTIVE groups with read
permissions and to the SYSTEM group with read and execute permissions.

You cannot delete the SYSTEM account or edit permissions for this account. If the SYSTEM account
permissions are edited, the maximum privileges are restored for this account when you save the changes.

Users who have access to functions of the Edit permissions level can grant access permissions for managing
Kaspersky Security Service to other users registered on the protected device or included in the domain.

248
You can choose one of the following preset levels of access permissions for a user or group of users of Kaspersky
Security for Windows Server for managing the Kaspersky Security Service:

Full control: ability to view and edit general settings and user permissions for the Kaspersky Security Service,
and to start and stop the Kaspersky Security Service.

Read: ability to view Kaspersky Security Service general settings and user permissions.

Modi cation: ability to view and edit Kaspersky Security Service general settings and user permissions.

Execution: ability to start and stop the Kaspersky Security Service.

You can also con gure advanced access permissions: allow or deny access to speci c Kaspersky Security for
Windows Server functions (see the table below).

If you have manually con gured access permissions for a user or group, then the Special permissions access level
is set for this user or group.

Delimitation of access permissions for Kaspersky Security for Windows Server functions

Feature Description

View service con gurations Ability to view Kaspersky Security Service general settings and user
permissions.

Request service status from Ability to request the execution status of the Kaspersky Security Service
Service Control Manager from the Microsoft Windows Service Control Manager.

Request status from service Ability to request the service status from the Kaspersky Security Service.

Read list of dependent Ability to view a list of services which the Kaspersky Security Service
services depends on and which depend on the Kaspersky Security Service.

Editing service settings Ability to view and edit Kaspersky Security Service general settings and
user permissions.

Start the service Ability to start the Kaspersky Security Service.

Stop the service Ability to stop the Kaspersky Security Service.

Pause / Resume the service Ability to pause and resume the Kaspersky Security Service.

Read permissions Ability to view the list of Kaspersky Security Service users and each user's
access privileges.

Edit permissions Ability to:

Add and remove Kaspersky Security Service users.

Edit user access permissions for the Kaspersky Security Service.

Delete the service Ability to unregister the Kaspersky Security Service in the Microsoft
Windows Service Control Manager.

User de ned requests to Ability to create and send user requests to the Kaspersky Security Service.
service

Managing access permissions via the Administration Plug-in

249
In this section, learn how to navigate the Administration Plug-In interface and con gure access permissions for one
or all protected devices on the network.

Con guring access permissions for Kaspersky Security for Windows Server
and the Kaspersky Security Service
You can edit the list of users and user groups allowed to access Kaspersky Security for Windows Server functions
and manage the Kaspersky Security Service. You can also edit the access permissions of those users and user
groups.

To add or remove a user or group from the list:

1. Expand the Managed devices node in the Kaspersky Security Center Administration Console tree.

2. Select the administration group for which you want to con gure application settings.

3. Perform one of the following actions in the details pane of the selected administration group:

To con gure application settings for a group of protected devices, select the Policies tab and open the
Properties: <Policy name> window.

To con gure the application for a single protected device, select the Devices tab and open the Application
settings window.

If an active Kaspersky Security Center policy is applied to a device and blocks changes to application
settings, then these settings cannot be edited in the Application settings window.

4. In the Supplementary section, perform one of the following steps:

Click Settings in the User access permissions for application management subsection if you want to edit
the list of users who have access permissions for managing Kaspersky Security for Windows Server
functions.

Click Settings in the User access permissions for Security Service management subsection if you want
to edit the list of users who have access permissions for managing the Kaspersky Security Service.
The Permissions for Kaspersky Security 11 for Windows Server group window opens.

5. In the window that opens, perform the following operations:

In order to add a user or group to the list, click the Add button and select the user or group that you want to
grant privileges to.

To remove a user or group from the list, select the user or group whose access you want to restrict, and
click the Remove button.

6. Click the Apply button.

The selected users (groups) are added or removed.

To edit the permissions of a user or group to manage Kaspersky Security for Windows Server or the Kaspersky
Security Service:

250
1. Expand the Managed devices node in the Kaspersky Security Center Administration Console tree.

2. Select the administration group for which you want to con gure application settings.

3. Perform one of the following actions in the details pane of the selected administration group:

To con gure application settings for a group of protected devices, select the Policies tab and open the
Properties: <Policy name> window.

To con gure the application for a single protected device, select the Devices tab and open the Application
settings window.

If an active Kaspersky Security Center policy is applied to a device and blocks changes to application
settings, then these settings cannot be edited in the Application settings window.

4. In the Supplementary section, perform one of the following steps:

Click Settings in the User access permissions for application management subsection if you want to edit
the list of users who have access permissions for managing Kaspersky Security for Windows Server
functions.

Click Settings in the User access permissions for Security Service management subsection if you want
to edit the list of users who have access permissions for managing the application via the Kaspersky
Security Service.
The Permissions for Kaspersky Security group window opens.

5. In the window that opens, in the Group or user names list, select the user or group of users whose permissions
you want to change.

6. In the Permissions for <User (Group)> section, select the Allow or Deny check boxes for the following access
levels:

Full control: full set of permissions to manage Kaspersky Security for Windows Server or the Kaspersky
Security Service.

Read:

The following permissions to manage Kaspersky Security for Windows Server: Retrieve statistics, Read
settings, Read logs and Read permission.

The following permissions to manage the Kaspersky Security Service: Read service settings, Request
status from Service Control Manager, Request status from service, Read list of dependent services,
Read permission.

Modi cation:

All permissions to manage Kaspersky Security for Windows Server, except Edit permission.

The following permissions to manage the Kaspersky Security Service: Modify service settings, Read
permission.

Special permissions: the following permissions to manage the Kaspersky Security Service: Starting
service, Stop service, Pause / Resume service, Read permission, User de ned requests to service.

7. To con gure advanced permissions for a user or group (Special permissions), click the Advanced button.
251
 a. In the Advanced security settings for Kaspersky Security window that opens, select the desired user or
group.

b. Click the Edit button.

c. In the drop-down list in the top part of the window, select the type of access control (Allow or Block).

d. Select the check boxes next to the functions that you want to allow or block for the selected user or group.

e. Click OK.

f. In the Advanced security settings for Kaspersky Security window, click OK.

8. In the Permissions for Kaspersky Security window, click the Apply button.

The con gured permissions for managing Kaspersky Security for Windows Server or the Kaspersky Security
Service are saved.

Password-protected access to Kaspersky Security for Windows Server

functions
You can restrict access to application management and registered services by con guring user permissions. You
can also set password protection in the Kaspersky Security for Windows Server settings for additional protection
of critical operations.

Kaspersky Security for Windows Server requests a password when you attempt to access the following
application functions:

connect to the Application Console;

uninstall Kaspersky Security for Windows Server;

modify Kaspersky Security for Windows Server components;

execute command-line commands.

The Kaspersky Security for Windows Server interface disguises the speci ed password on screen. Kaspersky
Security for Windows Server stores the password as a checksum calculated when the password is entered.

Kaspersky Security for Windows Server doesn't check password strength and doesn't block password entry
after a number of failed attempts.

When creating a password, you are recommended to meet the following conditions:

The password doesn't contain the account name or computer name.

The password is at least 8 characters long.

The password contains characters that match at least three of the following categories:

uppercase latin letters (A-Z);

lowercase latin letters (a-z);

252
 numbers (0-9);

symbols of exclamation point (!), dollar sign ($), pound sign (#) and percent sign (%).

You can export and import a password-protected application con guration. A con guration le created by
exporting a protected application con guration contains the password checksum and the value of the modi er
used to pad the password string.

Do not change the checksum or modi er in the con guration le. Importing a password-protected
con guration that has been changed manually may cause access to the application to be entirely blocked.

To protect access to Kaspersky Security for Windows Server functions:

1. In the tree of Kaspersky Security Center Administration Console, expand the Managed devices node. Select
the administration group with the protected devices whose application settings you want to con gure.

2. Perform one of the following actions in the details pane of the selected administration group:

To con gure policy settings for a group of protected devices, select the Policies tab and open the
properties of the <Policy name> by means of the context menu.

If you want to con gure application settings for a single protected device, open the required settings in the
Application settings window in the Kaspersky Security Center.

3. In the Security section of the Application settings tab, click the Settings button.
The Security settings window opens.

4. In the Password protection settings section, select the Apply password protection check box.
The Password and Con rm password elds become active.

5. In the Password eld, enter the password you want to use to protect access to Kaspersky Security for
Windows Server functions.

6. In the Con rm password eld, enter your password again.

7. Click OK.

The speci ed settings are saved. Kaspersky Security for Windows Server will request the speci ed password to
access protected functions.

This password cannot be recovered. Losing your password will result in the complete loss of control of the
application. Additionally, it will be impossible to uninstall the application from the protected device.

You can reset the password at any time. To do that, clear the Apply password protection check box and save
changes. Password protection will be disabled and the old password checksum will be removed. Repeat the
password creation process with a new password.

Managing access permissions via the Application Console

In this section, learn how to navigate the Application Console interface and con gure access permissions on a
protected device.
253
Con guring access permissions for managing Kaspersky Security for
Windows Server and the Kaspersky Security Service
You can edit the list of users and user groups allowed to access Kaspersky Security for Windows Server functions
and manage Kaspersky Security Service, and also edit the access permissions of those users and user groups.

To add or remove a user or group from the list:

1. In the Application Console tree, open the context menu of the Kaspersky Security node and do one of the
following:

Select Modify user rights of application management if you want to edit the list of users who have access
permissions for managing Kaspersky Security for Windows Server functions.

Select Modify user rights of Kaspersky Security Service management if you want to edit the list of users
who have access permissions for managing the Kaspersky Security Service.
The Permissions for Kaspersky Security window opens.

2. In the window that opens, perform the following operations:

In order to add a user or group to the list, click the Add button and select the user or group.

To remove a user or group from the list, select the user or group and click the Remove button.

3. Click the Apply button.

The selected users (groups) are added or removed.

To edit a user’s or group’s permissions to manage Kaspersky Security for Windows Server or the Kaspersky
Security Service:

1. In the Application Console tree, open the context menu of the Kaspersky Security node and do one of the
following:

Select Modify user rights of application management if you want to con gure access permissions for
Kaspersky Security for Windows Server functions.

Select Modify user rights of Kaspersky Security Service management if you want to con gure access
permissions for the Kaspersky Security Service.
The Permissions for Kaspersky Security window opens.

2. In the window that opens, in the Group or user names list, select the user or group of users whose permissions
you want to change.

3. In the Permissions for group "<User (Group)>" section, select the Allow or Deny check boxes for the following
access levels:

Click Settings in the User access permissions for application management subsection if you want to edit
the list of users who have access permissions for managing Kaspersky Security for Windows Server
functions.

254
 Click Settings in the User access permissions for Security Service management subsection if you want
to edit the list of users who have access permissions for managing the application via the Kaspersky
Security Service.
The Permissions for Kaspersky Security group window opens.

4. In the window that opens, in the Group or user names list, select the user or group of users whose permissions
you want to change.

5. In the Permissions for <User (Group)> section, select the Allow or Deny check boxes for the following access
levels:

Full control: full set of permissions to manage Kaspersky Security for Windows Server or the Kaspersky
Security Service.

Read:

The following permissions to manage Kaspersky Security for Windows Server: Retrieve statistics, Read
settings, Read logs and Read permission.

The following permissions to manage the Kaspersky Security Service: Read service settings, Request
status from Service Control Manager, Request status from service, Read list of dependent services,
Read permission.

Modi cation:

All permissions to manage Kaspersky Security for Windows Server, except Edit permission.

The following permissions to manage the Kaspersky Security Service: Modify service settings, Read
permission.

Special permissions: the following permissions to manage the Kaspersky Security Service: Starting
service, Stop service, Pause / Resume service, Read permission, User de ned requests to service.

6. To con gure advanced permissions for a user or group (Special permissions), click the Advanced button.

a. In the Advanced security settings for Kaspersky Security window that opens, select the desired user or
group.

b. Click the Edit button.

c. In the drop-down list in the top part of the window, select the type of access control (Allow or Block).

d. Select the check boxes next to the functions that you want to allow or block for the selected user or group.

e. Click OK.

f. In the Advanced security settings for Kaspersky Security window, click OK.

7. In the Permissions for Kaspersky Security window, click the Apply button.

The con gured permissions for managing Kaspersky Security for Windows Server or the Kaspersky Security
Service are saved.

255
Password-protected access to Kaspersky Security for Windows Server
functions
You can restrict access to application management and registered services by con guring user permissions. You
can also set password protection in the Kaspersky Security for Windows Server settings for additional protection
of critical operations.

Kaspersky Security for Windows Server requests a password when you attempt to access the following
application functions:

connect to the Application Console;

uninstall Kaspersky Security for Windows Server;

modify Kaspersky Security for Windows Server components;

execute command-line commands.

The Kaspersky Security for Windows Server interface disguises the speci ed password on screen. Kaspersky
Security for Windows Server stores the password as a checksum calculated when the password is entered.

You can export and import a password-protected application con guration. A con guration le created by
exporting a protected application con guration contains the password checksum and the value of the modi er
used to pad the password string.

Do not change the checksum or modi er in the con guration le. Importing a password-protected
con guration that has been changed manually may cause access to the application to be entirely blocked.

To protect access to Kaspersky Security for Windows Server functions:

1. In the Application Console tree, select the Kaspersky Security node and do one of the following:

Click the Application properties link in the details pane of the node.

Select Properties in the node's context menu.

The Application settings window opens.

2. On the Security and reliability tab in the Password protection settings section, select the Apply password
protection check box.
The Password and Con rm password elds become active.

3. In the Password eld, enter the password you want to use to protect access to Kaspersky Security for
Windows Server functions.

4. In the Con rm password eld, enter the password again.

5. Click OK.

256
 This password cannot be recovered. Losing your password results in complete loss of control of the
application. Additionally, it will be impossible to uninstall the application from the protected device.

You can reset the password at any time. To do that, clear the Apply password protection check box and save
changes. Password protection will be disabled and the old password checksum will be removed. Repeat the
password creation process with a new password.

Managing access permissions via the Web Plug-in

In this section, learn how to navigate the Web Plug-In interface and con gure access permissions for one or all
protected devices on the network.

Con guring access permissions for Kaspersky Security for Windows Server
and the Kaspersky Security Service
To con gure the access permissions for a user or group you need to specify the security descriptor string using
the security descriptor de nition language (SDDL). For detailed information about the security descriptor string,
please visit the Microsoft website.

To con gure the access permissions for a user or group:

1. In the main window of Web Console, select Devices → Policies & pro les.

2. Click the policy name you want to con gure.

3. In the <Policy name> window that opens select the Application settings tab.

4. Select the Supplementary section.

5. Perform one of the following steps:

Click Settings in the User access permissions for application management subsection if you want to edit
the list of users who have access permissions for managing Kaspersky Security for Windows Server
functions.

Click Settings in the User access permissions for Security Service management subsection if you want
to edit the list of users who have access permissions for managing the Kaspersky Security Service.

6. Add a user or group by specifying the security descriptor string in the User access permissions for
application management or User access permissions for Security Service management window.

7. Click OK.

Password-protected access to Kaspersky Security for Windows Server

functions

257
You can restrict access to application management and registered services by con guring user permissions. You
can also set password protection in the Kaspersky Security for Windows Server settings for additional protection
of critical operations.

Kaspersky Security for Windows Server requests a password when you attempt to access the following
application functions:

connect to the Application Console;

uninstall Kaspersky Security for Windows Server;

modify Kaspersky Security for Windows Server components;

execute command-line commands.

The Kaspersky Security for Windows Server interface disguises the speci ed password on screen. Kaspersky
Security for Windows Server stores the password as a checksum calculated when the password is entered.

You can export and import a password-protected application con guration. A con guration le created by
exporting a protected application con guration contains the password checksum and the value of the modi er
used to pad the password string.

Do not change the checksum or modi er in the con guration le. Importing a password-protected
con guration that has been changed manually may cause access to the application to be entirely blocked.

To protect access to Kaspersky Security for Windows Server functions:

1. In the main window of Web Console, select Devices → Policies & pro les.

2. Click the policy name you want to con gure.

3. In the <Policy name> window that opens select the Application settings tab.

4. Select the Application settings section.

5. In the Security section, click the Settings button.

6. In the Password protection settings section, select the Apply password protection check box.

7. In the Password eld, enter the password you want to use to protect access to Kaspersky Security for
Windows Server functions.

8. Click OK.

The speci ed settings are saved. Kaspersky Security for Windows Server will request the speci ed password to
access protected functions.

This password cannot be recovered. Losing your password will result in the complete loss of control of the
application. Additionally, it will be impossible to uninstall the application from the protected device.

You can reset the password at any time. To do that, clear the Apply password protection check box and save
changes. Password protection will be disabled and the old password checksum will be removed. Repeat the
password creation process with a new password.

258
Real-Time File Protection
This section contains information about the Real-Time File Protection task and how to con gure it.

About the Real-Time File Protection task

When the Real-Time File Protection task is running, Kaspersky Security for Windows Server scans the following
protected device objects when they are accessed:

Files.

NTFS alternate data streams.

Master boot records and boot sectors on local hard drives and external devices.

Windows Server 2016 and Windows Server 2019 container les.

When any application writes a le to the protected device or reads a le from it, Kaspersky Security for Windows
Server intercepts the le, scans it for threats, and, if a threat is detected, performs a default action or an action
you have speci ed: try to disinfect, move to Quarantine, or delete it. Before disinfection or deletion, Kaspersky
Security for Windows Server saves an encrypted copy of the source le to the Backup folder.

Kaspersky Security for Windows Server intercepts le operations, executed in Windows Server 2016 and Windows
Server 2019 containers.

A container is an isolated environment, which allows applications to run without direct interaction with the
operating system. If container is located in task the task protection scope, Kaspersky Security for Windows Server
scans container les, which are being accessed by users, for computer threats. When a threat is detected, the
application attempts to disinfect the container. If the attempt is successful, the container continues to work; if
disinfection fails, the container is shut down.

Kaspersky Security for Windows Server also detects malware for processes running under Windows Subsystem
for Linux®. For such processes, the Real-Time File Protection task applies action de ned by the current
con guration.

About the task protection scope and security settings

By default, the Real-Time File Protection task protects all objects of the device le system. If there is no security
requirement to protect all objects of the le system or you want to exclude any objects from the task scope, you
can limit the protection scope.

In the Application Console, the protection scope is displayed as a tree or list of the device's le resources that
Kaspersky Security for Windows Server can monitor. By default, the network le resources of the device are
displayed as a list.

In the Administration Plug-in, only the list view is available.

To display network le resources as a tree in the Application Console,

open the drop-down list in the upper left section of the Protection scope settings window and select Tree-
view.

259
Whether the protected device's le resources are displayed as a list or a tree, the node icons have the following
meanings:

The node is included in the protection scope.

The node is excluded from the protection scope.

At least one of this node's child nodes is excluded from the protection scope, or the security settings of the child
node(s) di er(s) from those of the parent node (for the tree view only).

The icon is displayed if all child nodes are selected, but the parent node is not selected. In this case, changes
in the composition of the parent node's les and folders are disregarded automatically when the protection
scope for the selected child node is created.

Using the Application Console, you can also add virtual drives to the protection scope. The names of the
virtual nodes are displayed in blue.

Security settings

The task security settings can be con gured as common settings for all nodes or items included in the protection
scope, or as di erent settings for each node or item in the device's le resource tree or list.

Security settings con gured for the selected parent node are automatically applied to all its child nodes. The
security settings of the parent node are not applied to child nodes that are con gured separately.

The settings for a selected protection scope can be con gured using one of the following methods:

Selecting one of three prede ned security levels.

Con guring the security settings manually for the selected nodes or items in the le resource tree or list (the
security level changes to Custom).

A set of settings for a node or item can be saved in a template in order to be applied later to other nodes or items.

About virtual protection scopes

Kaspersky Security for Windows Server can scan not only existing folders and les on hard drives and removable
drives, but also drives that are connected to the protected device temporarily, for example, common cluster drives
that are dynamically created on the protected device by various applications and services.

If all device objects are included in the protection scope, these dynamic nodes will automatically be included in the
protection scope. However, if you want to specify special values for the security settings of these dynamic nodes
or if you have selected only part of the device for protection, then in order to include virtual drives, les or folders
in the protection scope, you will rst have to create them in the Application Console: that is, specify the virtual
protection scope. The drives, les and folders created will exist only in the Application Console, but not in the le
structure of the protected device.

If, while creating a protection scope, all subfolders or les are selected without the parent folder being selected,
then all virtual folders or les that appear in it will not automatically be included in the protected scope. "Virtual
copies" of these should be created in the Application Console and added to the protection scope.
260
Prede ned protection scopes

The le resource tree or list displays the nodes to which you have read-access based on the con gured
Microsoft Windows security settings.

Kaspersky Security for Windows Server covers the following prede ned protection scopes:

Local hard drives. Kaspersky Security for Windows Server protects les on the device hard drives.

Removable drives. Kaspersky Security for Windows Server protects les on external devices, such as CDs or
removable drives. All removable drives, individual disks, folders or les can be included in or excluded from the
protection scope.

Network. Kaspersky Security for Windows Server protects les that are written to network folders or read
from them by applications running on the device. Kaspersky Security for Windows Server does not protect les
when such les are accessed by applications from other protected devices.

Virtual drives. Virtual folders, les, and drives temporarily connected to the device can be included in the
protection scope, for example, common cluster drives.

By default, you can view and con gure prede ned protection scopes in the scope list; you can also add prede ned
scopes to the list during its formation in the protection scope settings.

By default, the protection scope includes all prede ned areas except virtual drives.

Virtual drives created using the SUBST command are not displayed in the protected device’s le resource tree
in the Application Console. To include objects on the virtual drive in the protection scope, include the device
folder associated with the virtual drive in the protection scope.

Connected network drives will also not be displayed in the protected device’s le resource list. To include
objects on network drives in the protection scope, specify the path to the folder that corresponds to this
network drive in UNC format.

About prede ned security levels

One of the following prede ned security levels for the nodes selected either in the protected device's le resource
tree or le resource list can be applied: Maximum performance, Recommended, and Maximum protection. Each
of these levels contains its own prede ned set of security settings (see the table below).

Maximum performance

The Maximum performance security level is recommended if your network has additional protected device
security measures, for example, rewalls and existing security policies, beyond using Kaspersky Security for
Windows Server on protected devices and work stations.

261
Recommended

The Recommended security level ensures the best combination of protection and performance impact on
devices. Kaspersky experts recommend this level as adequate to protect devices on most corporate networks.
The Recommended security level is set by default.

Maximum protection

The Maximum protection security level is recommended if your organization's network has elevated device
security requirements.

Preset security levels and corresponding setting values

Options Security level

Maximum Recommended Maximum

performance protection

Objects protection By extension By format By format

Protect only new and modi ed les Enabled Enabled Disabled

Action to perform on infected and other Block access and Block access and Block access and
objects disinfect. Remove if disinfect. Remove if disinfect. Remove
disinfection fails disinfection fails if disinfection fails

Action to perform on probably infected Block access and Block access and Block access and
objects quarantine quarantine quarantine

Exclude les No No No

Do not detect No No No

Stop scanning if it takes longer than 60 sec. 60 sec. 60 sec.

(sec.)

Do not scan compound objects larger 8 MB 8 MB Not set

than (MB)

Scan alternate NTFS streams Yes Yes Yes

Scan disk boot sectors and MBR Yes Yes Yes

Compound objects protection

Packed objects* SFX archives* SFX archives*
*New and
modi ed Packed objects* Packed
objects only objects*
Embedded OLE
objects* Embedded
*New and OLE objects*
modi ed *All objects
objects only

Entirely remove compound le that No No Yes

cannot be modi ed by the application in
case of embedded object detect

262
 The Objects protection, Use iChecker technology, Use iSwift technology, and Use heuristic analyzer
settings are not included in the settings of the prede ned security levels. If you edit the Objects protection,
Use iChecker technology, Use iSwift technology, or Use heuristic analyzer security settings after selecting
one of the prede ned security levels, the security level that you have selected will not change.

File extensions scanned by default in the Real-Time File Protection task

Kaspersky Security for Windows Server scans les with the following extensions by default:

386;

acm;

ade, adp;

asp;

asx;

ax;

bas;

bat;

bin;

chm;

cla, clas*;

cmd;

com;

cpl;

crt;

dll;

dpl;

drv;

dvb;

dwg;

e ;

emf;
263
eml;

exe;

fon;

fpm;

hlp;

hta;

htm, html*;

htt;

ico;

inf;

ini;

ins;

isp;

jpg, jpe;

js, jse;

lnk;

mbx;

msc;

msg;

msi;

msp;

mst;

nws;

ocx;

oft;

otm;

pcd;

pdf;

264
php;

pht;

phtm*;

pif;

plg;

png;

pot;

prf;

prg;

reg;

rsc;

rtf;

scf;

scr;

sct;

shb;

shs;

sht;

shtm*;

swf;

sys;

the;

them*;

tsp;

url;

vb;

vbe;

vbs;

265
 vxd;

wma;

wmf;

wmv;

wsc;

wsf;

wsh;

do?;

md?;

mp?;

ov?;

pp?;

vs?;

xl?.

Default Real-Time File Protection task settings

By default, the Real-Time File Protection task uses the settings described in the table below. You can change the
values of these settings.

Default Real-Time File Protection task settings

Setting Default value Description

Protection scope The entire protected device, You can change the protection scope.
excluding virtual drives.

Security settings Common settings for the entire For nodes selected in the protected
protection scope correspond device’s le resource list or tree, you can:
to the Recommended security Select a di erent prede ned security
level. level

Manually change security settings

You can save a group of security settings
for a selected node as a template to use
later for a di erent node.

Objects protection mode On access and modi cation You can select the protection mode, i.e.
de ne the type of access attempts for
which Kaspersky Security for Windows
Server scans objects.

266
 Heuristic analyzer The Medium security level is The Heuristic Analyzer can be enabled or
applied. disabled and the analysis level can be
con gured.

Apply Trusted Zone Applied. General list of exclusions that can be used in
selected tasks.

Use KSN for protection Applied. You can improve your device’s protection
using the Kaspersky Security Network cloud
service (available if the KSN Statement is
accepted).

Task start schedule At application start. You can con gure for scheduled task start.

Block access to network Not applied. You can add hosts showing malicious
shared resources for the activity to the list of blocked hosts.
hosts that show
malicious activity

Launch critical areas Applied. When active infection is detected,

scan when active Kaspersky Security for Windows Server
infection is detected creates and launches a temporary Critical
Areas Scan task.

Managing the Real-Time File Protection task via the Administration Plug-in
In this section, learn how to navigate the Administration Plug-In interface and con gure task settings for one or all
protected devices on the network.

Navigation
Learn how to navigate to the required task settings via the chosen interface.

Opening policy settings for the Real-Time File Protection task

To open the Real-Time File Protection task settings via the Kaspersky Security Center policy:

1. Expand the Managed devices node in the Kaspersky Security Center Administration Console tree.

2. Select the administration group for which you want to con gure the task.

3. Select the Policies tab.

4. Double-click the policy name you want to con gure.

5. In the Properties: <Policy name> window that opens, select the Real-time server protection section.

6. Click the Settings button in the Real-Time File Protection subsection.

The Real-time le protection window opens.

267
 If a protected device is being managed by an active Kaspersky Security Center policy and this policy blocks
changes to the application settings, these settings cannot be edited via the Application Console.

Opening the Real-Time File Protection task properties

To open the Real-Time File Protection task settings window for a single network device:

1. Expand the Managed devices node in the Kaspersky Security Center Administration Console tree.

2. Select the administration group for which you want to con gure the task.

3. Select the Devices tab.

4. Open the Properties: <Protected device name> window in one of the following ways:

Double-click the name of the protected device.

Select the Properties item in the context menu of the protected device.

The Properties: <Protected device name> window opens.

5. In the Tasks section, select the Real-Time File Protection task.

6. Click the Properties button.

The Properties: Real-Time File Protection window opens.

Con guring the Real-Time File Protection task

To con gure the Real-Time File Protection task settings:

1. Open the Real-time le protection window.

2. Con gure the following task settings:

On the General tab:

Interception parameters

Heuristic analyzer

Integration with other components

On the Task management tab:

Scheduled task start settings.

3. Select the Protection scope tab and do the following:

Click the Add or Edit button to edit the protection scope.

268
 In the window that opens, choose what you want to include in the task protection scope:

Prede ned scope

Disk, folder or network location

File

Select one of the prede ned security levels or manually con gure the protection settings.

4. Click OK in the Real-time le protection window.

Kaspersky Security for Windows Server immediately applies the new settings to a running task. The date and
time when the settings were modi ed, and the values of task settings before and after modi cation, are saved in
the system audit log.

Selecting the protection mode

In the Real-Time File Protection task, the protection mode can be selected. The Objects protection mode section
lets you specify the type of access attempts for which Kaspersky Security for Windows Server scans objects.

The value of the Objects protection mode setting applies to the entire protection scope speci ed in the task. You
cannot specify di erent values for the setting for individual nodes within the protection scope.

To select the protection mode:

1. Open the Real-time le protection window.

2. In the window that opens, open the General tab and select the protection mode that you want to set:

Smart mode

On access and modi cation

On access

When run

Deeper analysis of launching processes (process launch is blocked until the analysis ends)

3. Click OK.

The selected protection mode will take e ect.

Con guring Heuristic Analyzer and integration with other application

components

To start the KSN Usage task, you must accept the Kaspersky Security Network Statement.

269
To con gure Heuristic Analyzer and integration with other components:

1. Open the Real-time le protection window.

2. On the General tab, clear or select the Use heuristic analyzer check box.

3. If necessary, adjust the level of analysis using the slider .

4. In the Integration with other components section, con gure the following settings:

Select or clear the Apply Trusted Zone check box.

Select or clear the Use KSN for protection check box.

The Send data about scanned les check box must be selected in the KSN Usage task settings.

Select or clear the Block access to network shared resources for the hosts that show malicious activity
check box.

Select or clear the Launch critical areas scan when active infection is detected check box.

Select or clear the Use Kaspersky Sandbox for protection check box.

The Kaspersky Sandbox functionality does not work if Kaspersky Endpoint Agent is not installed on the
protected device.

The running Tra ic Security task might obstruct the use of Kaspersky Sandbox. To use the Tra ic
Security task and Kaspersky Sandbox on the same protected device, restart Tra ic Security task after
the installation of Kaspersky Security for Windows Server and Kaspersky Endpoint Agent.

5. Click OK.

The con gured task settings are applied immediately to a running task. If the task is not running, the modi ed
settings are applied at next start.

Con guring the task start schedule settings

You can con gure the start schedule for local system and custom tasks in the Application Console. You cannot
con gure a start schedule for group tasks.

To con gure group task start schedule settings:

1. In the Kaspersky Security Center Administration Console tree, expand the Managed devices node.

2. Select the group that the protected device belongs to.

3. In the details pane, select the Tasks tab.

4. Open the Properties: <Task name> window in one of the following ways:

270
 Double-click the name of the task.

Open the context menu of the task name and select the Properties item.

5. Select the Schedule section.

6. In the Schedule settings block, select the Run by schedule check box.

Fields with the schedule settings for the On-Demand Scan and Update tasks are unavailable if scheduled
start of these tasks is blocked by a Kaspersky Security Center policy.

7. Con gure schedule settings in accordance with your requirements. To do this, perform the following actions:

a. In the Frequency list, select one of the following values:

Hourly, if you want the task to run at intervals of a speci ed number of hours; specify the number of
hours in the Every <number> hour(s) eld.

Daily, if you want the task to run at intervals of a speci ed number of days; specify the number of days in
the Every <number> day(s) eld.

Weekly, if you want the task to run at intervals of a speci ed number of weeks; specify the number of
weeks in the Every <number> week(s) eld. Specify the days of the week on which the task will be
started (by default the task runs on Mondays).

At application launch, if you want the task to run every time Kaspersky Security for Windows Server
starts.

After application database update, if you want the task to run after every update of the application
databases.

b. Specify the time for the rst task start in the Start time eld.

c. In the Start date eld, specify the date from which the schedule applies.

After you have speci ed the task start frequency, the time of the rst task start, and the date from
which the schedule applies, the estimated time for the next task start will appear in the top part of the
window in the Next start eld. The estimated time of the next task start will be updated and displayed
each time you open the Task settings window on the Schedule tab.

The Blocked by policy value is displayed in the Next start eld if the active policy settings of Kaspersky
Security Center prohibit start of scheduled system tasks.

8. Use the Advanced tab to con gure the following schedule settings in accordance with your requirements.

In the Task stop settings section:

a. Select the Duration check box and, in the elds to the right, enter the maximum number of hours and
minutes of task execution.

b. Select the Pause from check box and, in the elds to the right, enter the start and end values of a time
interval under 24 hours during which task execution will be paused.

271
 In the Advanced settings section:

a. Select the Cancel schedule from check box and specify the date from which the schedule will cease to
apply.

b. Select the Run skipped tasks check box to enable the start of skipped tasks.

c. Select the Randomize the task start time within the interval of check box and specify a value in
minutes.

9. Click OK.

10. Click the Apply button to save the task start settings.

If you want to con gure application settings for a single task using Kaspersky Security Center, perform the
steps described in Section "Con guring local tasks in the Application settings window of the Kaspersky
Security Center".

Creating and con guring the task protection scope

To create and con gure the task protection scope via the Kaspersky Security Center:

1. Open the Real-time le protection window.

2. Select the Protection scope tab.

3. All items already protected by the task are listed in the Protection scope table.

4. Click the Add button to add new item to the list.

The Add objects to protection scope window opens.

5. Select an object type to add it to a protection scope:

Prede ned scope - to include one of the prede ned scopes in the protection scope on the device. Then in
the drop-down list, select the desired protection scope.

Disk, folder or network location - to include individual drive, folder or a network object in the protection
scope. Then select the desired protection scope by clicking the Browse button.

File - to include an individual le in the protection scope. Then select the desired protection scope by
clicking the Browse button.

You cannot add an object to a protection scope if it has already been added as an exclusion from a
protection scope.

6. To exclude individual items from the protection scope, clear check boxes next to the names of these items or
take the following steps:

a. Open the context menu of the protection scope by right-clicking it.

272
 b. In the context menu, select the Add exclusion option.

c. In the Add exclusion window, select an object type that you want to add as an exclusion from the protection
scope following the procedure used when adding an object to the protection scope.

7. To modify the protection scope or an existing exclusion, select the Edit scope option in the context menu of
the desired protection scope.

8. To hide a previously added protection scope or an exclusion in the list of network le resources, select the
Remove scope option in the context menu of the desired protection scope.

A protection scope is removed from the Real-Time File Protection task scope when it is removed from the
network le resource list.

9. Click OK.

The Protection scope settings window closes. Your newly con gured settings are saved.

The Real-Time File Protection task can be started if at least one of the device’s le resource nodes is
included in a protection scope.

Selecting prede ned security levels for On-Demand Scan tasks

You can apply one of the following three prede ned security levels to a node selected in the device's le resource
list: Maximum performance, Recommended, and Maximum protection.

To select one of the prede ned security levels:

1. Open the Properties: Real-Time File Protection window.

2. Select the Protection scope tab.

3. In the protected device's list, select an item included in the protection scope in order to set a prede ned
security level.

4. Click the Con gure button.

The Real-time le protection settings window opens.

5. On the Security level, tab select the security level to be applied.

The window displays the list of security settings corresponding to the security level selected.

6. Click OK.

7. Click OK in the Properties: Real-Time File Protection window.

Con gured task settings are saved and applied immediately to a running task. If the task is not running, the
modi ed settings are applied at next start.

273
Con guring security settings manually
By default, the Real-Time File Protection task uses common security settings for the entire protection scope.
These settings correspond to the Recommended prede ned security level.

The default values of security settings can be modi ed by con guring them as common settings for the entire
protection scope or as di erent settings for individual items in the device's le resource list or nodes in the tree.

To con gure the security settings of the selected node manually:

1. Open the Real-time le protection window.

2. On the Protection scope tab, select the node whose security settings you want to con gure, and click
Con gure.
The Real-time le protection settings window opens.

3. On the Security level tab, click the Settings button to customize the con guration.

4. You can con gure custom security settings for the selected node in accordance with your requirements:

General settings

Actions

Performance

5. Click OK in the Real-time le protection window.

The new protection scope settings are saved.

Con guring general task settings

To con gure the general security settings of the Real-Time File Protection task:

1. Open the Real-time le protection settings window.

2. Select the General tab.

3. In the Objects protection section, specify the objects types that you want to include in the protection scope:

All objects

Objects scanned by format

Objects scanned according to list of extensions speci ed in anti-virus database

Objects scanned by speci ed list of extensions

Scan disk boot sectors and MBR

274
 Scan alternate NTFS streams

4. In the Performance group box, select or clear the Protect only new and modi ed les check box.

To switch between available options when the check box is cleared, click on the All / Only new link for each
of the compound object types.

5. In the Compound objects protection section, specify the compound objects that you want to include in the
protection scope:

All / Only new archives

All / Only new SFX archives

All / Only new email databases

All / Only new packed objects

All / Only new plain email

All / Only new embedded OLE objects

6. Click Save.

The new task con guration will be saved.

Con guring actions

To con gure actions on infected and other detected objects during the Real-Time File Protection task:

1. Open the Real-time le protection settings window.

2. Select the Actions tab.

3. Select the action to be performed on infected and other detected objects:

Notify only .

Block access .

Perform additional action.

Select the action from the drop-down list:

Disinfect.

Disinfect. Remove if disinfection fails.

Remove .

Recommended .

4. Select the action to be performed on probably infected objects:

275
 Notify only .

Block access .

Perform additional action.

Select the action from the drop-down list:

Quarantine.

Remove .

Recommended .

5. Con gure actions to be performed on objects depending on the type of object detected:

a. Clear or select the Perform actions depending on the type of object detected check box.

b. Click the Settings button.

c. In the window that opens, select a primary action and a secondary action (to be performed if the primary
action fails) for each type of detected object.

d. Click OK.

6. Select the action to perform on unmodi able compound les: select or clear the Entirely remove compound
le that cannot be modi ed by the application in case of embedded object detect check box.

7. Click Save.

The new task con guration will be saved.

Con guring performance

To con gure performance settings for the Real-Time File Protection task:

1. Open the Real-time le protection settings window.

2. Select the Performance tab.

3. In the Exclusions section:

Clear or select the Exclude les check box.

Clear or select the Do not detect check box.

Click the Edit button for each setting to add exclusions.

4. In the Advanced settings section:

Stop scanning if it takes longer than (sec.)

Do not scan compound objects larger than (MB)

Use iSwift technology

276
 Use iChecker technology

Managing Real-Time File Protection task via the Application Console

In this section, you will learn how to navigate the Application Console interface and con gure task settings on a
protected device.

Navigation
Learn how to navigate to the required task settings via the chosen interface.

Opening the Real-Time File Protection task settings

To open the general task settings window:

1. In the Application Console tree, expand the Real-time server protection node.

2. Select the Real-Time File Protection child node.

3. Click the Properties link in the details pane.

The Task settings window opens.

Opening the Real-Time File Protection task scope settings

To open the Protection scope settings window for the Real-Time File Protection task:

1. In the Application Console tree, expand the Real-time server protection node.

2. Select the Real-Time File Protection child node.

3. Click the Con gure protection scope link in the details pane.
The Protection scope settings window opens.

Con guring the Real-Time File Protection task

To con gure the Real-Time File Protection task settings:

1. Open the Task settings window.

2. On the General tab, con gure the following task settings:

Objects protection mode

277
 Heuristic analyzer

Integration with other components

3. On the Schedule and Advanced tabs, specify the scheduled start settings.

4. Click OK in the Task settings window.

The modi ed settings are saved.

5. In the details pane of the Real-Time File Protection node click the Con gure protection scope link.

6. Do the following:

In the tree or list of the device's le resources, select the nodes or items that you want to be included in the
task protection scope.

Select one of the prede ned security levels or con gure the object protection settings manually.

7. In the Protection scope settings window, click the Save button.

Kaspersky Security for Windows Server immediately applies the new settings to a running task. The date and
time of the settings modi cation, and the values of task settings set before and after modi cation, are saved in
the system audit log.

Selecting protection mode

In the Real-Time File Protection task, the protection mode can be selected. The Objects protection mode section
lets you specify the type of access attempts for which Kaspersky Security for Windows Server scans objects.

The value of the Objects protection mode setting applies to the entire protection scope speci ed in the task. You
cannot specify di erent values for the setting for individual nodes within the protection scope.

To select the protection mode:

1. Open the Task settings window.

2. In the window that opens, open the General tab and select the protection mode that you want to set:

Smart mode

On access and modi cation

On access

When run

Deeper analysis of launching processes (process launch is blocked until the analysis ends)

3. Click OK.

The selected protection mode will take e ect.

278
Con guring Heuristic Analyzer and integration with other application
components

To start the KSN Usage task, you must accept the Kaspersky Security Network Statement.

To con gure Heuristic Analyzer and integration with other components:

1. Open the Task settings window.

2. On the General tab, clear or select the Use heuristic analyzer check box.

3. If necessary, adjust the level of analysis using the slider .

4. In the Integration with other components section, con gure the following settings:

Select or clear the Apply Trusted Zone check box.

Click the Trusted Zone link to open the Trusted Zone settings.

Select or clear the Use KSN for protection check box.

The Send data about scanned les check box must be selected in the KSN Usage task settings.

Select or clear the Block access to network shared resources for the hosts that show malicious activity
check box.

Select or clear the Launch critical areas scan when active infection is detected check box.

Select or clear the Use Kaspersky Sandbox for protection check box.

The Kaspersky Sandbox functionality does not work if Kaspersky Endpoint Agent is not installed on the
protected device.

The running Tra ic Security task might obstruct the use of Kaspersky Sandbox. To use the Tra ic
Security task and Kaspersky Sandbox on the same protected device, restart Tra ic Security task after
the installation of Kaspersky Security for Windows Server and Kaspersky Endpoint Agent.

5. Click OK.

The newly con gured settings will be applied.

Con guring the task start schedule settings

You can con gure the start schedule for local system and custom tasks in the Application Console. You cannot
con gure the start schedule for group tasks.

279
To con gure task start schedule settings:

1. Open the context menu of the task for which you wish to con gure the start schedule.

2. Select Properties.
The Task settings window opens.

3. In the window that opens, on the Schedule tab, select the Run by schedule check box.

4. Con gure schedule settings in accordance with your requirements. To do this, perform the following actions:

a. In the Frequency drop-down menu, select one of the following values:

Hourly, if you want the task to run at intervals of a speci ed number of hours; specify the number of
hours in the Every <number> hour(s) eld.

Daily, if you want the task to run at intervals of a speci ed number of days; specify the number of days in
the Every <number> day(s) eld.

Weekly, if you want the task to run at intervals of a speci ed number of weeks; specify the number of
weeks in the Every <number> week(s) on eld. Specify the days of the week on which the task will be
started (by default the task runs on Mondays).

At application launch, if you want the task to run every time Kaspersky Security for Windows Server
starts.

After application database update, if you want the task to run after every update of the application
databases.

b. Specify the time for the rst task start in the Start time eld.

c. In the Start date eld, specify the date from which the schedule applies.

After you have speci ed the task start frequency, the time of the rst task start, and the date from
which the schedule applies, the estimated time for the next task start will appear in the top part of the
window in the Next start eld. The estimated time of the next task start will be updated and displayed
each time you open the Task settings window on the Schedule tab.

Blocked by policy is displayed in the Next start eld if Kaspersky Security Center policy settings
prohibit start of scheduled system tasks.

5. Use the Advanced tab to con gure the following schedule settings in accordance with your requirements.

In the Task stop settings section:

a. Select the Duration check box and, in the elds to the right, enter the maximum number of hours and
minutes of task execution.

b. Select the Pause from and, in the elds to the right, enter the start and end values of a time interval
under 24 hours during which task execution will be paused.

In the Advanced settings section:

280
 a. Select the Cancel schedule from check box and specify the date from which the schedule will cease to
apply.

b. Select the Run skipped tasks check box to enable the start of skipped tasks.

c. Select the Randomize the task start within interval of check box and specify a value in minutes.

6. Click OK.

The con gured task start settings will be saved.

Creating a protection scope

This section provides instructions on creating and managing a protection scope in the Real-Time File Protection
task.

Con guring the view for network le resources

To select the view for network le resources during con guration of protection scope settings:

1. Open the Protection scope settings window.

2. Open the drop-down list in the upper left section of the window and select one of the following options:

Select the Tree-view option to display the network le resources as a tree.

Select the List-view option to display the network le resources as a list.

By default, the network le resources of the protected device are displayed as a list.

3. Click the Save button.

Creating a protection scope

The procedure for creating the Real-Time File Protection task scope depends on the selected network le
resource view. You can view the network le resources as a tree or a list (set as default).

To apply the new protection scope settings to the task, the Real-Time File Protection task must be restarted.

To create a protection scope using the network le resource tree:

1. Open the Protection scope settings window.

2. In the left section of the window, open the network le resource tree to display all the nodes and child nodes.

3. Do the following:
281
 To exclude individual nodes from the protection scope, clear check boxes next to the names of these nodes.

To include individual nodes in the protection scope, clear the My Computer check box and do the following:

If all drives of one type are to be included in the protection scope, select the check box opposite the
name of the required disk type (for example, to add all removable drives on the device, select the
Removable drives check box).

If an individual disk of a certain type is to be included in the protection scope, expand the node that
contains the list of drives of this type and check the box next to the name of the required drive. For
example, in order to select removable drive F:, expand the Removable drives node and check the box for
F: drive.

If you would like to include only a single folder or le on the drive, select the check box next to the name
of that folder or le.

4. Click the Save button.

The Protection scope settings window closes. Your newly con gured settings are saved.

To create a protection scope using the network le resources list:

1. Open the Protection scope settings window.

2. To include individual nodes in the protection scope, clear the My Computer check box and do the following:

a. Open the context menu of the protection scope by right-clicking it.

b. In the context menu of the button, select Add protection scope.

c. In the Add protection scope window select an object type to add it to the protection scope:

Prede ned scope - to include one of the prede ned scopes in the protection scope on the device. Then
in the drop-down list, select the desired protection scope.

Disk, folder or network location - to include an individual drive, folder or a network object in the
protection scope. Then select the desired scope by clicking the Browse button.

File - to include an individual le in the protection scope. Then select the desired scope by clicking the
Browse button.

You cannot add an object to a protection scope if it has already been added as an exclusion from a
protection scope.

3. To exclude individual nodes from the protection scope, clear check boxes next to the names of these nodes or
take the following steps:

a. Open the context menu of the protection scope by right-clicking it.

b. In the context menu, select the Add exclusion option.

c. In the Add exclusion window, select an object type that you want to add as an exclusion from the protection
scope following the procedure used when adding an object to the protection scope.

282
4. To modify the protection scope or an existing exclusion, select the Edit scope option in the context menu of
the desired protection scope.

5. To hide a previously added protection scope or an exclusion in the list of network le resources, select the
Remove from the list option in the context menu of the desired protection scope.

A protection scope is removed from the Real-Time File Protection task scope when it is removed from the
network le resource list.

6. Click the Save button.

The Protection scope settings window closes. Your newly con gured settings are saved.

The Real-Time File Protection task can be started if at least one of the device's le resource nodes is included
in a protection scope.

If a complex protection scope is speci ed, for example, if di erent security values for settings for multiple
nodes in the device's le resource tree are speci ed, this may slow the scanning of objects when they are
accessed.

Including network objects in the protection scope

Network drives, folders or les can be added to the protection scope by specifying their path in UNC (Universal
Naming Convention) format.

You can scan network folders under the system account.

To add a network location to the protection scope:

1. Open the Protection scope settings window.

2. Open the drop-down list in the upper left part of the window and select Tree-view.

3. In the context menu of the Network node:

Select Add network folder, if you want to add a network folder to the protection scope.

Select Add network le, if you want to add a network le to the protection scope.

4. Enter the path to the network folder or le in UNC format.

5. Press the ENTER key.

6. Select the check box next to the newly added network object to include it in the protection scope.

7. If necessary, change the security settings for the added network object.

283
 8. Click the Save button.

The modi ed task settings are saved.

Creating a virtual protection scope

You can expand the protection / scan scope by adding individual virtual drives, folders, or les only if the
protection / scan scope is presented as a tree of le resources.

To add a virtual drive to the protection scope:

1. Open the Protection scope settings window.

2. Open the drop-down list in the window upper left sector and select Tree-view.

3. Open the context menu of the Virtual drives node.

4. Select the Add virtual drive option.

5. In the list of available names, select the name of the virtual drive that is being created.

6. Select the check box next to the drive to include the drive in the protection scope.

7. In the Protection scope settings window, click the Save button.

Your newly con gured settings are saved.

To add a virtual folder or virtual le to the protection scope:

1. Open the Protection scope settings window.

2. Open the drop-down list in the upper left part of the window and select Tree-view.

3. Open the context menu of the virtual drive to which you want to add a folder or a le, and select one of the
following options:

Add virtual folder - if you want to add a virtual folder to the protection scope.

Add virtual le - if you want to add a virtual le to the protection scope.

4. In the entry eld, specify the name of the folder or le.

5. In the line containing the name of the created folder or le, select the check box to include the folder or le in
the protection scope.

6. In the Protection scope settings window, click the Save button.

The modi ed task settings are saved.

Con guring security settings manually

284
By default Real-Time Server Protection tasks use common security settings for the entire protection scope.
These settings correspond to the Recommended prede ned security level.

The default values of security settings can be modi ed by con guring them as common settings for the entire
protection scope or as di erent settings for individual items in the device's le resource list or nodes in the tree.

When working with the protected device's le resource tree, security settings that are con gured for the selected
parent node are automatically applied to all child nodes. The security settings of the parent node are not applied to
child nodes that are con gured separately.

To con gure security settings manually:

1. Open the Protection scope settings window.

2. In the left window section select the node to con gure security settings.
A prede ned template containing security settings can be applied for a selected node or item in the protection
scope.
In the left part of the window, you can select the view for network le resources, create a protection scope, or
create a virtual protection scope.

3. In the right part of the window, do one of the following:

On the Security level tab select the security level to be applied.

Con gure the required security settings of the selected node or item in accordance with your requirements
in the following tabs:

General

Actions

Performance

4. In the Protection scope settings window, click the Save button.

The new protection scope settings are saved.

Selecting prede ned security levels for Real-Time File Protection task
You can apply one of the following three prede ned security levels to a node selected in the protected device's le
resource tree or list: Maximum performance, Recommended, and Maximum protection.

To select one of the prede ned security levels:

1. Open the Protection scope settings window.

2. In the protected device's network le resource tree or list, select a node or item to set the prede ned security
level.

3. Make sure that the selected node or item is included in the protection scope.

4. In the right part of the window, on the Security level tab select the security level to be applied.

285
 The window displays the list of security settings corresponding to the selected security level.

5. Click the Save button.

The task settings are saved and applied immediately to the running task. If the task is not running, the modi ed
settings are applied at the next start.

Con guring general task settings

To con gure the general security settings of the Real-Time File Protection task:

1. Open the Protection scope settings window.

2. Select the General tab.

3. In the Objects protection section, specify the objects that you want to include in the protection scope:

All objects

Objects scanned by format

Objects scanned according to list of extensions speci ed in anti-virus database

Objects scanned by speci ed list of extensions

Scan disk boot sectors and MBR

Scan alternate NTFS streams

4. In the Performance group box, select or clear the Protect only new and modi ed les check box.

To switch between available options when the check box is cleared, click on the All / Only new link for each
of the compound object types.

5. In the Compound objects protection section, specify the compound objects that you want to include in the
protection scope:

All / Only new archives

All / Only new SFX archives

All / Only new email databases

All / Only new packed objects

All / Only new plain email

All / Only new embedded OLE objects

6. Click Save.

The new task con guration will be saved.

286
Con guring actions
To con gure actions on infected and other detected objects for the Real-Time File Protection task:

1. Open the Protection scope settings window.

2. Select the Actions tab.

3. Select the action to be performed on infected and other detected objects:

Notify only .

Block access .

Perform additional action.

Select the action from the drop-down list:

Disinfect.

Disinfect. Remove if disinfection fails.

Remove .

Recommended .

4. Select the action to be performed on probably infected objects:

Notify only .

Block access .

Perform additional action.

Select the action from the drop-down list:

Quarantine.

Remove .

Recommended .

5. Con gure actions to be performed on objects depending on the type of object detected:

a. Clear or select the Perform actions depending on the type of object detected check box.

b. Click the Settings button.

c. In the window that opens, select a primary action and a secondary action (to be performed if the primary
action fails) for each type of detected object.

d. Click OK.

6. Select the action to perform on unmodi able compound les: select or clear the Entirely remove compound
le that cannot be modi ed by the application in case of embedded object detect check box.
287
 7. Click Save.

The new task con guration will be saved.

Con guring performance

To con gure performance settings for the Real-Time File Protection task:

1. Open the Protection scope settings window.

2. Select the Performance tab.

3. In the Exclusions section:

Clear or select the Exclude les check box.

Clear or select the Do not detect check box.

Click the Edit button for each setting to add exclusions.

4. In the Advanced settings section:

Stop scanning if it takes longer than (sec.)

Do not scan compound objects larger than (MB)

Use iSwift technology

Use iChecker technology

Real-Time File Protection task statistics

When the Real-Time File Protection task is running, you can view detailed real-time information about the number
of objects processed by Kaspersky Security for Windows Server since the task was started.

To view the Real-Time File Protection task statistics:

1. In the Application Console tree, expand the Real-time server protection node.

2. Select the Real-Time File Protection child node.

Task statistics are displayed in the Statistics section of the details pane of the selected node.

The information can be viewed about objects processed by Kaspersky Security for Windows Server since it was
started (see the table below).

Real-Time File Protection task statistics

Field Description

Detected Number of objects detected by Kaspersky Security for Windows Server. For example, if
Kaspersky Security for Windows Server detects one malicious object in ve les, the value
in this eld increases by one.
288
 Infected and Number of objects that Kaspersky Security for Windows Server found and classi ed as
other objects infected, or number of found legitimate software les that can be used by intruders to
detected damage your device or personal data.

Probably Number of objects detected by Kaspersky Security for Windows Server as probably
infected infected.
objects
detected

Objects not Number of objects that Kaspersky Security for Windows Server did not disinfect for the
disinfected following reasons:
The detected object is of a type that cannot be disinfected.

An error occurred during disinfection.

Objects not Number of objects that Kaspersky Security for Windows Server attempted to quarantine
moved to unsuccessfully, for example, due to insu icient disk space.
Quarantine

Objects not Number of objects that Kaspersky Security for Windows Server attempted to delete
removed unsuccessfully, for example, because access to the object was blocked by another
application.

Objects not Number of objects in the protection scope that Kaspersky Security for Windows Server
scanned failed to scan, because, for example, access to the object was blocked by another
application.

Objects not Number of objects whose copies Kaspersky Security for Windows Server attempted to
backed up save in Backup unsuccessfully, for example, due to insu icient disk space.

Processing Number of objects whose processing resulted in an error.

errors

Objects Number of objects disinfected by Kaspersky Security for Windows Server.

disinfected

Moved to Number of objects quarantined by Kaspersky Security for Windows Server.

Quarantine

Moved to Number of objects whose copies Kaspersky Security for Windows Server saved to Backup.
Backup

Objects Number of objects removed by Kaspersky Security for Windows Server.

removed

Password- Number of objects (archives, for example) that Kaspersky Security for Windows Server
protected missed because they were password protected.
objects

Corrupted Number of objects skipped by Kaspersky Security for Windows Server because their
objects format was corrupted.

Objects Total number of objects processed by Kaspersky Security for Windows Server.
processed

You can view the Real-Time File Protection task statistics in the task log by clicking the Open task log link in the
Management section in the detail pane.

If the value of the Total events eld in the Real-Time File Protection task log window exceeds 0, we
recommend that you manually process the events in the task log on the Events tab.

289
Managing Real-Time File Protection task via the Web Plug-in
In this section, learn how to manage the Real-Time File Protection task via the Web Plug-in interface.

Con guring Real-Time File Protection task

Prede ned security level can not be changed for the Real-Time File Protection task via the Web Plug-in.

To con gure Real-Time File Protection task via the Web Plug-in:

1. In the main window of Web Console, select Devices → Policies & pro les.

2. Click the policy name you want to con gure.

3. In the <Policy name> window that opens select the Application settings tab.

4. Select the Real-time server protection section.

5. Click Settings in the Real-Time File Protection subsection.

6. Con gure the settings described in the table below.

Real-Time File Protection task settings

Setting Description

Smart mode Kaspersky Security for Windows Server selects objects to be scanned on its own.
An object is scanned on being opened and then again after being saved if the
object has been modi ed. If the object is accessed multiple times and modi ed by
the process, Kaspersky Security for Windows Server rescans the object only after
the object is saved by the process for the last time.

On access Kaspersky Security for Windows Server scans all objects when they are opened for
reading, execution, or modi cation.

On access and Kaspersky Security for Windows Server scans an object when it is opened and
modi cation rescans after it is saved, if the object was modi ed.
This option is selected by default.

When run Kaspersky Security for Windows Server scans a le only when it is accessed to be
executed.

Deeper analysis Kaspersky Security for Windows Server performs longer analysis of launching
of launching processes with higher probability to detect a threat. The process launch is blocked
processes until the end of analysis.
(process launch
is blocked until
the analysis
ends)

Use Heuristic This check box enables / disables Heuristic Analyzer during object scanning.
Analyzer
If the check box is selected, Heuristic Analyzer is enabled.

290
 If the check box is cleared, Heuristic Analyzer is disabled.
The check box is selected by default.

Heuristic The heuristic analysis level sets the balance between the thoroughness of searches
analysis level for threats, the load on the operating system's resources and the time required for
scanning.
The following scanning sensitivity levels are available:
Light. Heuristic Analyzer performs fewer instructions within executable les.
The probability of threat detection in this mode is somewhat lower. Scanning is
faster and less resource-intensive.

Medium. Heuristic Analyzer performs the number of executable le

instructions recommended by Kaspersky experts.

This level is selected by default.

Deep. Heuristic Analyzer performs more instructions within executable les.
The probability of threat detection in this mode is higher. Scanning uses more
system resources, takes more time, and can produce a higher number of false
alarms.

The setting is available if the Use heuristic analyzer check box is selected.

Apply Trusted This check box enables / disables use of the Trusted Zone for a task.
Zone
If the check box is selected, Kaspersky Security for Windows Server adds le
operations of trusted processes to the scan exclusions con gured in the task
settings.
If the check box is cleared, Kaspersky Security for Windows Server disregards the
le operations of trusted processes when forming the protection scope for the
task.
The check box is selected by default.

Use KSN for This check box enables or disables the use of KSN services.
protection
If the check box is selected, the application uses Kaspersky Security Network data
to ensure that the application responds more quickly to new threats and to reduce
the likelihood of false positives.
If the check box is cleared, the task does not use KSN services.
The check box is selected by default.

Block access to The check box enables or disables adding hosts showing malicious activity to the list
network shared of blocked hosts.
resources for the
hosts that show If the check box is selected, Kaspersky Security for Windows Server adds hosts
malicious showing malicious activity to the list of blocked hosts.
activity If the check box is cleared, Kaspersky Security for Windows Server does not add
hosts showing malicious activity to the list of blocked hosts.
The check box is cleared by default.
You can view the list of blocked hosts in the Blocked Hosts storage.

You can restore access to blocked hosts, and specify the number of days, hours and
minutes after which hosts regain access to network le resources after being
blocked by con guring the Blocked Hosts storage settings.

Launch critical If the check box is selected, when active infection is detected, Kaspersky Security
areas scan when for Windows Server creates and launches a temporary Critical Areas Scan task.

291
 active infection When the Critical Areas Scan temporary task nishes, Kaspersky Security for
is detected Windows Server removes this temporary task.
If the check box is cleared, when active infection is detected, Kaspersky Security for
Windows Server does not create and launch Critical Areas Scan task.
The check box is selected by default.

Use Kaspersky This check box enables or disables the use of Kaspersky Sandbox.
Sandbox for
protection If the check box is selected, Kaspersky Endpoint Agent sends objects to Kaspersky
Sandbox. Kaspersky Sandbox analyzes the behavior of these objects to identify
malicious activity and signs of targeted attacks.
If the check box is cleared, the task does not send objects to Kaspersky Sandbox.
The check box is cleared by default.

Protection scope You can con gure security settings of the protection scope.

Con guring the task protection scope

To con gure a protection scope for Real-Time File Protection task:

1. In the main window of the Web Console, select Devices → Policies & pro les.

2. Click the policy name you want to con gure.

3. In the <Policy name> window that opens select the Application settings tab.

4. Select the Real-time server protection section.

5. Click Settings in the Real-Time File Protection subsection.

6. Select the Protection scope section.

7. Do one of the following:

Click Add button to add a new rule.

Select an existing rule and click Edit button.

The Edit scope window opens.

8. Switch the toggle button to Active and select an object type.

9. In the Objects protection section, con gure the following settings:

Objects protection mode:

All objects

Objects scanned by format

Objects scanned according to list of extensions speci ed in anti-virus database

Objects scanned by speci ed list of extensions

292
 Scan disk boot sectors and MBR

Scan alternate NTFS streams

10. In the Objects protection section, select or clear the Protect only new and modi ed les check box.

11. In the Compound objects protection section, specify the compound objects that you want to include in the
scan scope:

Archives

SFX archives

Packed objects

Email databases

Plain email

Embedded OLE objects

Entirely remove compound le that cannot be modi ed by the application in case of embedded object
detect

12. Select the action to be performed on infected and other detected objects:

Notify only .

Block access .

Perform additional action.

Select the action from the drop-down list:

Disinfect.

Disinfect. Remove if disinfection fails.

Remove .

Recommended .

13. Select the action to be performed on probably infected objects:

Notify only .

Block access .

Perform additional action.

Select the action from the drop-down list:

Quarantine.

Remove .

Recommended .

293
14. Con gure actions to be performed on objects depending on the type of object detected:

a. Clear or select the Perform actions depending on the type of object detected check box.

b. Click the Settings button.

c. In the window that opens, select a primary action and a secondary action (to be performed if the primary
action fails) for each type of detected object.

d. Click OK.

15. In the Exclusions section, con gure the following settings:

Clear or select the Exclude les check box.

Clear or select the Do not detect check box.

16. In the Performance section, con gure the following settings:

Stop scanning if it takes longer than (sec.)

Do not scan compound objects larger than (MB)

Use iSwift technology

Use iChecker technology

17. Click the OK button.

294
Script Monitoring
This section contains information about the Script Monitoring task and how to con gure it.

About the Script Monitoring task

When the Script Monitoring task is running, Kaspersky Security for Windows Server controls the execution of
scripts created using Microsoft Windows scripting technologies (Active Scripting) such as VBScript or JScript®.
The application can also process PowerShell™ scripts and scripts run in the Microsoft O ice applications on
operating systems with the Antimalware Scan Interface (AMSI) installed. You can allow or block execution of a
script that has been found to be dangerous or probably dangerous. If Kaspersky Security for Windows Server
identi es a script as potentially dangerous, it blocks or allows execution of the script according to your selected
action. If the Block action is selected, the application allows script execution only if a script has been found to be
safe.

Starting from the Microsoft Windows Server 2016 operating system, Kaspersky Security for Windows Server
supports the Antimalware Scan Interface (AMSI). AMSI allows applications and services to integrate with any
antimalware application installed on a device in order for all the executed scripts to be intercepted and scanned by
the antimalware.

By default, the Script Monitoring component is not installed on the protected device as part of the application.
When the Script Monitoring component is installed, the application is registered as an AMSI provider and starts to
monitor executed scripts.

On devices running operating systems that do not support the AMSI feature, the use of this component may
be incompatible with some of third-party applications installed on the protected device. In this case,
monitoring third-party scripts can cause scripts to malfunction. We recommend that you either not use such
third-party applications or disable the Script Monitoring task. If the task is disabled, security risks associated
with script execution increase.

If you want to use the Script Monitoring component, you must manually select it in the list of installed components
during installation of Kaspersky Security for Windows Server. By default, if the component is installed, the Script
Monitoring task is automatically started when Kaspersky Security for Windows Server starts.

You can nd more information about AMSI functionality on the Microsoft Windows website .

You can con gure the Script Monitoring task settings.

Default Script Monitoring task settings

The Script Monitoring system task uses the default settings described in the table below. You can change the
values of these settings.
Default Script Monitoring task settings

Setting Default value Description

Action to perform Block You can specify the action to be performed on detection of
on dangerous probably dangerous scripts: block or allow their execution.
scripts

Heuristic analyzer The Medium The heuristic analyzer can be enabled or disabled. The analysis
security level is level can be con gured.

295
 applied.

Trusted Zone Used General list of exclusions that can be used in selected tasks.

Con guring Script Monitoring task settings

To con gure a Script Monitoring task:

1. Expand the Managed devices node in the Kaspersky Security Center Administration Console tree.

2. Select the administration group for which you want to con gure application settings.

3. Perform one of the following actions in the details pane of the selected administration group:

To con gure application settings for a group of protected devices, select the Policies tab and open the
Properties: <Policy name> window.

To con gure the application for a single protected device, select the Devices tab and open the Application
settings window.

If an active Kaspersky Security Center policy is applied to a device and blocks changes to application
settings, then these settings cannot be edited in the Application settings window.

4. In the Real-time server protection section of the Properties: <Policy name> window, click Settings for Script
Monitoring.

5. In the Action to perform on dangerous scripts section in the General tab, do one of the following:

To allow execution of probably dangerous scripts, select Allow .

To block execution of probably dangerous scripts, select Block .

6. In the Heuristic analyzer section, do one of the following:

Clear or select the Use heuristic analyzer check box.

If necessary, adjust the level of analysis using the slider .

7. In the Trusted Zone section, select or clear the Apply Trusted Zone check box.

8. Click OK.

The newly con gured settings are applied.

Con guring Script Monitoring task settings via the Application Console
To con gure a Script Monitoring task:

1. In the Application Console tree, expand the Real-time server protection node.

2. Select the Script Monitoring child node.

296
 3. Click the Properties link in the details pane of the node.
The Task settings window opens on the General tab.

4. In the Action to perform on dangerous scripts section, do one of the following:

To allow execution of probably dangerous scripts, select Allow .

To prohibit execution of probably dangerous scripts, select Block .

5. In the Heuristic analyzer section, do one of the following:

Clear or select the Use heuristic analyzer check box.

If necessary, adjust the level of analysis using the slider .

6. In the Trusted Zone section, select or clear the Apply Trusted Zone check box.

7. Click OK.

The newly con gured settings are applied.

Con guring Script Monitoring task settings via the Web Plug-in
To con gure a Script Monitoring task:

1. In the main window of Web Console, select Devices → Policies & pro les.

2. Click the policy name you want to con gure.

3. In the <Policy name> window that opens select the Application settings tab.

4. Select the Real-time server protection section.

5. Click Settings in the Script Monitoring subsection.

6. In the Action to perform on dangerous scripts section on the General tab, do one of the following:

To allow execution of probably dangerous scripts, select Allow .

To block execution of probably dangerous scripts, select Block .

7. In the Heuristic analyzer section, do one of the following:

Clear or select the Use heuristic analyzer check box.

If necessary, adjust the level of heuristic analysis .

8. In the Trusted Zone section, select or clear the Apply Trusted Zone check box.

9. Click OK.

The newly con gured settings are applied.

297
Script Monitoring task statistics
While the Script Monitoring task is running, you can view information about the number of scripts processed by
Kaspersky Security for Windows Server from the time when the task was started.

To view Script Monitoring task statistics:

1. In the Application Console tree, expand the Real-time server protection node.

2. Select the Script Monitoring child node.

Current task statistics are displayed in the details pane of the node in the Management and Statistics sections.

You can view information about objects processed by Kaspersky Security for Windows Server since the task was
started (see the table below).

Script Monitoring task statistics

Field Description

Scripts blocked Number of scripts blocked by Kaspersky Security for Windows

Server.

Dangerous scripts detected Number of dangerous scripts detected.

Probably dangerous scripts Number of probably dangerous scripts detected.

detected

Processed scripts Total number of processed scripts.

298
KSN Usage
This section contains information about the KSN Usage task and how to con gure it.

About the KSN Usage task

Kaspersky Security Network (also referred to as "KSN") is an infrastructure of online services providing access to
Kaspersky's operative knowledge base on the reputation of les, web resources and programs. Kaspersky Security
Network allows Kaspersky Security for Windows Server to react very promptly to new threats, improves the
performance of several protection components, and reduces the likelihood of false positives.

To start the KSN Usage task, you must accept the Kaspersky Security Network Statement.

Information received by Kaspersky Security for Windows Server from Kaspersky Security Network pertains
only to the reputation of programs and URLs.

Participation in KSN allows Kaspersky to receive real-time information about types and sources of new threats,
develop ways to neutralize them, and reduce the number of false positives in application components.

More detailed information about the transferring, processing, storage, and destruction of information about
application usage is available in the Data handling window of the KSN Usage task, and in the Privacy Policy
on the Kaspersky's website.

Participation in Kaspersky Security Network is voluntary. The decision regarding participation in Kaspersky Security
Network is made after installation of Kaspersky Security for Windows Server. You can change your decision about
participation in Kaspersky Security Network at any time.

Kaspersky Security Network can be used in the following Kaspersky Security for Windows Server tasks:

Real-Time File Protection.

On-Demand Scan.

Applications Launch Control.

Tra ic Security.

RPC Network Storage Protection.

ICAP Network Storage Protection.

Kaspersky Private Security Network

See details about how to con gure Kaspersky Private Security Network (hereinafter referred to "Private KSN")
in the Kaspersky Security Center Help.

299
If you use Private KSN on the device, in the Data handling window of the KSN Usage task you can read the KSN
Statement and enable the task by selecting the I con rm that I have fully read, understood, and accept the
terms of participation in Kaspersky Security Network check box. By accepting the terms you agree to send all
types of data mentioned in KSN Statement (security requests, statistical data) to KSN services.

After accepting the Private KSN terms, the check boxes that adjust the Global KSN usage are not available.

If you disable Private KSN when the KSN Usage task is running, the License violation error occurs and the task
stops. To continue protecting the device you need to accept the KSN Statement in the Data handling window and
restart the task.

Withdrawal of the KSN Statement acceptance

You can withdraw the acceptance and stop any data exchange with the Kaspersky Security Network at any
moment. The following actions are considered as the full or partial withdrawal of KSN Statement:

Clearing the Send data about scanned les check box: the application stops sending checksums of scanned
les to KSN service for analysis.

Clearing the Send data about requested URLs check box: the application stops sending URLs for analysis.

Clearing the Send Kaspersky Security Network statistics check box: the application stops processing data
with additional KSN statistics.

Clearing the I con rm that I have fully read, understood, and accept the terms of participation in Kaspersky
Security Network check box: the application stops all KSN-related data processing, the KSN Usage task stops.

Clearing the Accept the terms of the Kaspersky Managed Protection Statement check box: the KMP service
will be disabled.

Uninstalling the KSN Usage component: all KSN-related data processing stops.

Uninstalling the Kaspersky Security for Windows Server: all KSN-related data processing stops.

Default KSN Usage task settings

You can change the default settings of the KSN Usage task (see the table below).

Default KSN Usage task settings

Setting Default Value Description

Action to perform on Remove You can specify actions that Kaspersky Security for
KSN untrusted objects Windows Server will take on objects identi ed by KSN as
untrusted.

Data transfer The le checksum You can specify the maximum size of les for which a
(MD5 hash) is checksum is calculated using the MD5 algorithm for
calculated for les delivery to KSN. If the check box is cleared, Kaspersky
that do not exceed Security for Windows Server calculates the MD5 hash
2 MB in size. for les of any size.

Task start schedule First run is not You can start the task manually or con gure a scheduled
scheduled. start.
300
 Use Kaspersky Security Selected By default the data is sent to KSN via Kaspersky
Center as KSN Proxy Security Center.
You can change this setting only via the Administration
Plug-in.

I con rm that I have fully Cleared If selected, participation in KSN after the installation is
read, understood, and accepted. You can change your decision at any moment.
accept the terms of
participation in
Kaspersky Security
Network

Send Kaspersky Security Selected (applied If the KSN Statement is accepted, the KSN Statistics will
Network statistics only if the KSN be sent automatically, unless you clear the check box.
Statement is
accepted)

Send data about scanned Selected (applied If the KSN Statement is accepted, the data about les
les only if the KSN that were scanned and analyzed since the task has been
Statement is started, is sent. You can clear the check box at any time.
accepted)

Send data about Selected (applied If the KSN Statement is accepted, the application sends
requested URLs only if the KSN information about the accessed URLs to Kaspersky.
Statement is
accepted)

Accept the terms of the Cleared You can enable or disable the KMP service. The service
Kaspersky Managed available only if the additional agreement has been
Protection Statement signed during the application purchase process.

Managing KSN Usage via the Administration Plug-In

In this section, learn how con gure the KSN Usage task and Data Handling via the Administration Plug-In.

Con guring the KSN Usage task

To con gure the KSN Usage task:

1. Expand the Managed devices node in the Kaspersky Security Center Administration Console tree.

2. Select the administration group for which you want to con gure application settings.

3. Perform one of the following actions in the details pane of the selected administration group:

To con gure application settings for a group of protected devices, select the Policies tab and open the
Properties: <Policy name> window.

To con gure the application for a single protected device, select the Devices tab and open the Application
settings window.

301
 If an active Kaspersky Security Center policy is applied to a device and blocks changes to application
settings, then these settings cannot be edited in the Application settings window.

4. In the Real-time server protection section, click the Settings button in the KSN Usage subsection.
The KSN Usage window opens.

5. On the General tab, con gure the following task settings:

In the Action to perform on KSN untrusted objects section, specify the action that Kaspersky Security for
Windows Server is to perform if it detects an object identi ed by KSN as untrusted:

Remove

Log information

In the Data transfer section, restrict the size of les for which the checksum is calculated:

Clear or select the Do not calculate checksum before sending to KSN if le size exceeds (MB) check
box.

If required, in the eld to the right, change the maximum size of les for which Kaspersky Security for
Windows Server calculates the checksum.

In the KSN Proxy section, clear or select the Use Kaspersky Security Center as KSN Proxy check box.

To enable KSN Proxy the KSN Statement must be accepted and Kaspersky Security Center properly
con gured. See Kaspersky Security Center Help for more details.

6. If needed, con gure the task start schedule on the Task management tab. For example, you can start the task
by schedule and specify the At application launch frequency, if you want the task to run automatically when
the protected device is restarted.
The application will automatically start the KSN Usage task by schedule.

7. Con gure the data handling before starting the task.

8. Click OK.

The modi ed settings are applied. The date and time of modifying the settings, as well as information about the
task settings before and after modi cation, are saved in the system audit log.

Con guring data handling

To con gure what data will be processed by the KSN services and accept the KSN Statement:

1. Expand the Managed devices node in the Kaspersky Security Center Administration Console tree.

2. Select the administration group for which you want to con gure application settings.

3. Perform one of the following actions in the details pane of the selected administration group:

302
 To con gure application settings for a group of protected devices, select the Policies tab and open the
Properties: <Policy name> window.

To con gure the application for a single protected device, select the Devices tab and open the Application
settings window.

If an active Kaspersky Security Center policy is applied to a device and blocks changes to application
settings, then these settings cannot be edited in the Application settings window.

4. In the Real-time server protection section click the Data processing button in the KSN Usage subsection.
The KSN data handling window opens.

5. On the Services tab, read the Statement and select the I con rm that I have fully read, understood, and
accept the terms of participation in Kaspersky Security Network check box.

6. To increase the protection level, the following check boxes are automatically selected:

Send data about scanned les .

Send data about scanned URLs .

You can clear these check boxes and stop sending additional data at any moment.

7. The Send Kaspersky Security Network statistics check box is selected by default. You can clear the check
box at any time, if you don't want Kaspersky Security for Windows Server to send additional statistics to
Kaspersky.

8. On the Kaspersky Managed Protection tab, read the Statement and select the Accept the terms of the
Kaspersky Managed Protection Statement check box.

The changes of Accept the terms of the Kaspersky Managed Protection Statement check box state do
not start or stop the processing of data immediately. To apply the changes you must restart Kaspersky
Security for Windows Server.

To use the KMP service, you need to sign the corresponding agreement and execute con guration les on
a protected device, enable I con rm that I have fully read, understood, and accept the terms of
participation in Kaspersky Security Network, Send data about scanned les, Send data about scanned
URLs, and Send Kaspersky Security Network statistics check boxes on the Services tab.

9. Click OK.

The data processing con guration will be saved.

Managing KSN Usage via the Application Console

In this section, learn how con gure the KSN Usage task and Data handling via the Application Console.

Con guring KSN Usage task

303
To con gure the KSN Usage task:

1. In the Application Console tree, expand the Real-time server protection node.

2. Select the KSN Usage child node.

3. Click the Properties link in the details pane.

The Task settings window opens on the General tab.

4. Con gure the task:

In the Action to perform on KSN untrusted objects section, specify the action that Kaspersky Security for
Windows Server is to perform if it detects an object identi ed by KSN as untrusted:

Remove

Log information

In the Data transfer section, restrict the size of les for which the checksum is calculated:

Clear or select the Do not calculate checksum before sending to KSN if le size exceeds (MB) check
box.

If required, in the eld to the right, change the maximum size of les for which Kaspersky Security for
Windows Server calculates the checksum.

5. If needed, con gure the task start schedule on the Schedule and Advanced tabs. For example, you can enable
task start by schedule and specify the start frequency of the At application launch if you want the task to run
automatically when the protected device is restarted.
The application will automatically start the KSN Usage task by schedule.

6. Con gure the Data handling before starting the task.

7. Click OK.

The modi ed settings are applied. The date and time of modifying the settings, as well as information about the
task settings before and after modi cation, are saved in the system audit log.

Con guring Data handling

To con gure what data will be processed by the KSN services and accept the KSN Statement:

1. In the Application Console tree, expand the Real-time server protection node.

2. Select the KSN Usage child node.

3. Click the Data processing link in the details pane.

The Data handling window opens.

4. On the Services tab, read the Statement and select the I con rm that I have fully read, understood, and
accept the terms of participation in Kaspersky Security Network check box.

304
 5. To increase the protection level, the following check boxes are automatically selected:

Send data about scanned les .

Send data about scanned URLs .

You can clear these check boxes and stop sending additional data at any moment.

6. The Send Kaspersky Security Network statistics check box is selected by default. You can clear the check
box at any time, if you don't want Kaspersky Security for Windows Server to send additional statistics to
Kaspersky.

7. On the Kaspersky Managed Protection tab, read the Statement and select the Accept the terms of the
Kaspersky Managed Protection Statement check box.

The changes of Accept the terms of the Kaspersky Managed Protection Statement check box state do
not start or stop the processing of data immediately. To apply the changes you must restart Kaspersky
Security for Windows Server.

To use the KMP service, you need to sign the corresponding agreement and execute con guration les on
a protected device, enable I con rm that I have fully read, understood, and accept the terms of
participation in Kaspersky Security Network, Send data about scanned les, Send data about scanned
URLs, and Send Kaspersky Security Network statistics check boxes on the Services tab.

8. Click OK.

The data processing con guration will be saved.

Managing KSN Usage via the Web Plug-in

To con gure the KSN Usage task and Data Handling via the Web Plug-in:

1. In the main window of Web Console, select Devices → Policies & pro les.

2. Click the policy name you want to con gure.

3. In the <Policy name> window that opens select the Application settings tab.

4. Select the Real-time server protection section.

5. Click Settings in the KSN Usage subsection.

6. Con gure the settings described in the table below.

KSN Usage task and Data Handling via the Administration Plug-In settings

Setting Description

Remove
Kaspersky Security for Windows Server deletes the object with KSN-untrusted status
and places a copy of it in Backup.
This option is selected by default.

Log Kaspersky Security for Windows Server records information about the object with KSN-
305
information untrusted status in the task log. Kaspersky Security for Windows Server does not delete
the untrusted object.

Do not
This check box enables or disables calculation of the checksum for les of the speci ed
calculate
size for delivery of this information to the KSN service.
checksum
before The duration of the checksum calculation depends on the le size.
sending to If this check box is selected, Kaspersky Security for Windows Server does not calculate
KSN if le the checksum for les that exceed the speci ed size (in MB).
size exceeds
If the check box is cleared, Kaspersky Security for Windows Server calculates the
checksum for les of any size.
The check box is selected by default.

Use
The check box allows to manage the data transfer between the protected devices and
Kaspersky
KSN.
Security
Center as If the check box is cleared the data from the Administration Server and protected
KSN Proxy devices is sent to KSN directly (not via the Kaspersky Security Center). The active policy
de nes which type of data can be sent to KSN directly.
If the check box is selected, all data is sent to KSN via the Kaspersky Security Center.
The check box is selected by default.

I con rm By selecting this check box you con rm that you have read and accepted the terms of
that I have the Kaspersky Security Network Statement.
fully read,
understood,
and accept
the terms of
participation
in Kaspersky
Security
Network

Send data
If the check box is selected, Kaspersky Security for Windows Server sends the
about
checksum of scanned les to the Kaspersky. Conclusion about each le security is
scanned les
based on the reputation received from KSN.
If the check box is cleared, Kaspersky Security for Windows Server does not send
checksum of les to KSN.
Note, than the le reputation requests might be sent in a limited mode. The limitations
are used for protection of the Kaspersky reputation servers from the DDoS attacks. In
this scenario, the parameters of le reputation requests, that are being sent, are de ned
by the rules and methods established by the Kaspersky experts and cannot be
con gured by user on a protected device. Updates of these rules and methods are
received along with the application database updates. If the limitations are applied, the
enabled by Kaspersky for protecting KSN servers against DDoS status is displayed in the
KSN Usage task statistics.
The check box is selected by default.

Send data
If the check box is selected, Kaspersky Security for Windows Server sends the data
about
about requested web resources, including web addresses, to the Kaspersky. Conclusion
requested
about the requested web resource security is based on the reputation received from
URLs
KSN.
If the check box is cleared, Kaspersky Security for Windows Server does not check URLs
reputation in KSN.
The check box is selected by default.
The check box in uences the Tra ic Security task con guration.

306
 Agree to
If the check box is selected the Kaspersky Security for Windows Server sends additional
process data
statistics, which may contain personal data. The list of all data, that is sent as KSN
as a part of
statistics, is speci ed in the KSN Statement. The data received by Kaspersky is used to
the
improve the quality of applications and level of threat detection rates.
Kaspersky
Security If the check box is cleared, Kaspersky Security for Windows Server does not send
Network additional statistics.
statistics The check box is selected by default.

Accept the
If the check box is selected, you agree to send statistics on the protected device
terms of the
activity to the Kaspersky specialists. Received data is used for around-the-clock
Kaspersky
analysis and reporting, required to prevent security breach incidents.
Managed
Protection The check box is cleared by default.
Statement

Task You can con gure settings to start the task on a schedule.
management

Con guring additional data transfer

Kaspersky Security for Windows Server can be con gured to send the following data to Kaspersky:

Checksums of scanned les (Send data about scanned les check box).

Data about requested web addresses and processed email messages (Send data about scanned URLs check
box).

Additional statistics, including personal data (Send Kaspersky Security Network statistics check box).

See the "Local data handling" section of this guide for detailed information about data that is sent to
Kaspersky.

The corresponding check boxes can be selected or cleared only if the I con rm that I have fully read, understood,
and accept the terms of participation in Kaspersky Security Network check box is selected.

By default Kaspersky Security for Windows Server sends checksums of les and additional statistics after you
accept the KSN Statement.

The I con rm that I have fully read, understood, and accept the terms of participation in Kaspersky
Security Network check box is not editable only if the Kaspersky Security Center policy blocks changes of
the data handling settings.

Possible check box states and corresponding conditions

Check Conditions Conditions for Conditions Conditions for the Conditions for the I
box for the Send the Send for the Send Accept the terms con rm that I have fully
state data about Kaspersky data about of the Kaspersky read, understood, and
scanned les Security scanned Managed accept the terms of
check box Network URLs check Protection participation in Kaspersky
state statistics box state Statement check Security Network check
check box box state box state
state

307
 reputation additional data the terms of the the terms of the
requests statistics is about Kaspersky Kaspersky Security
are sent sent requested Managed Network Statement are
URLs is Protection accepted
check box check box sent Statement are
is editable is editable accepted check box is editable
check box
is editable check box is
editable

reputation additional data the terms of the the terms of the

requests statistics is about Kaspersky Kaspersky Security
are sent sent requested Managed Network Statement are
URLs is Protection accepted
check box check box sent Statement are
is not is not accepted check box is not
editable editable check box editable
is not check box is not
editable editable

reputation additional data the terms of the the terms of the

requests statistics is about Kaspersky Kaspersky Security
are not not sent requested Managed Network Statement are
sent URLs is Protection not accepted
check box not sent Statement are
check box is editable not accepted check box is editable
is editable check box
is editable check box is
editable

reputation additional data the terms of the the terms of the

requests statistics is about Kaspersky Kaspersky Security
are not not sent requested Managed Network Statement are
sent URLs is Protection not accepted
check box not sent Statement are
check box is not not accepted check box is not
is not editable check box editable
editable is not check box is not
editable editable

KSN Usage task statistics

While the KSN Usage task is being executed, detailed information can be viewed in real time about the number of
objects processed by Kaspersky Security for Windows Server since it was started up till now. Information about all
events that occur during the task performing is recorded in the task log.

To view KSN Usage task statistics:

1. In the Application Console tree, expand the Real-time server protection node.

2. Select the KSN Usage child node.

308
 Task statistics are displayed in the Statistics section of the details pane of the selected node.

You can view information about objects processed by Kaspersky Security for Windows Server since the task was
started (see the table below).

KSN Usage task statistics

Field Description

File Number of le reputation queries sent by Kaspersky Security for Windows Server to KSN.
requests
sent

URL Number of URL reputation queries sent by Kaspersky Security for Windows Server to KSN.
requests
sent

URLs Number of URLs considered untrusted by KSN.

untrusted
in KSN

Files Number of objects considered untrusted by KSN.

untrusted
in KSN

Request Number of KSN requests whose processing resulted in a task error.

sending
errors

Statistics Number of generated statistic packages sent to KSN.

formed

Objects Number of objects that Kaspersky Security for Windows Server deleted when running the KSN
removed Usage task.

Moved to The number of object copies that Kaspersky Security for Windows Server saved to Backup.
Backup

Objects The number of objects that Kaspersky Security for Windows Server attempted but was unable
not to delete, because, for example, access to the object was blocked by another application.
removed Information about such objects is recorded in the task log.

Objects The number of objects the copies of which Kaspersky Security for Windows Server attempted
not to save in Backup but was unable to do so, for example, due to insu icient disk space. The
backed application does not disinfect or delete les that it could not move to Backup. Information
up about such objects is recorded in the task log.

Limited The status signi es whether the application sends le reputation requests in a limited mode. In
mode a limited mode Kaspersky Security for Windows Server sends only a part of le reputation
requests according to Kaspersky experts recommendation.

309
Network Threat Protection
This section contains information about the Network Threat Protection task and how to con gure it.

About the Network Threat Protection task

The Network Threat Protection can only be installed on a device running Microsoft Windows 7 and any later
version or Windows Server 2008 R2 and any later version.

The Network Threat Protection task scans inbound network tra ic for activity that is typical of network attacks.
Upon detecting an attempted network attack that targets your computer, Kaspersky Security for Windows Server
blocks network activity from the attacking computer. Your screen then displays a warning stating that a network
attack was attempted, and shows information about the attacking computer.

By default, the Network Threat Protection task runs in the Block connections when attack is detected mode. In
this mode, Kaspersky Security for Windows Server adds IP addresses of hosts showing activity typical of network
attacks to the list of blocked hosts.

You can view the list of blocked hosts in the Blocked Hosts storage.

You can restore access to blocked hosts, and specify the number of days, hours and minutes after which hosts
regain access to network le resources after being blocked by con guring the Blocked Hosts storage settings.

The IP addresses of hosts showing activity typical of network attacks are deleted from the list of blocked hosts in
the following cases:

Kaspersky Security for Windows Server is uninstalled.

The IP address was deleted manually from the list of blocked hosts.

Host blocking term has expired.

The Network Threat Protection task was stopped and the Don't stop tra ic analysis when the task is not
running check boxed is cleared.

The Block connections when attack is detected mode was turned o .

Default Network Threat Protection task settings

The Network Threat Protection task uses the default settings described in the table below. You can change the
values of these settings.
Default Network Threat Protection task settings

Setting Default value Description

Processing Block connections when The Network Threat Protection task can be started in Pass-
mode attack is detected through , Only inform about network attacks or Block
connections when attack is detected mode.

310
 The check box enables or disables adding hosts showing
activity typical of network attacks to the list of blocked
hosts.
If this mode is selected, Kaspersky Security for Windows
Server scans inbound network tra ic for activity that is
typical of network attacks, logs events about detected
activity, and adds IP addresses of hosts showing activity
typical of network attacks to the list of blocked hosts.
The mode is selected by default.
You can view the list of blocked hosts in the Blocked Hosts
storage.

You can restore access to blocked hosts, and specify the

number of days, hours and minutes after which hosts regain
access to network le resources after being blocked by
con guring the Blocked Hosts storage settings.

If this mode is selected, Kaspersky Security for Windows

Server scans inbound network tra ic for activity that is
typical of network attacks, logs events about detected
activity, but doesn't block network activity from the
attacking computer.

If this mode is selected, Kaspersky Security for Windows

Server scans inbound network tra ic for activity that is
typical of network attacks, but doesn't log events about
detected activity and doesn't block network activity from
the attacking computer.
For example, you can use this mode in case of a decrease in
the protected device's performance.

Exclusions The exclusion list is not Specify areas that you want to exclude from the task protection
applied. scope.

Schedule By default, the Network You can con gure the schedule.
settings Threat Protection task
starts automatically when
Kaspersky Security for
Windows Server starts.

Con guring the Network Threat Protection task via the Application Console
In this section, learn how to manage the Network Threat Protection task via the Application Console interface.

General task settings

311
To con gure the general task settings:

1. In the Application Console tree, expand the Real-time server protection node.

2. Select the Network Threat Protection child node.

3. Click the Properties link in the details pane of the Network Threat Protection node.
The Task settings window opens.

4. Open the General tab.

5. In the Processing mode section select the processing mode:

Pass-through .

If this mode is selected, Kaspersky Security for Windows Server scans inbound network tra ic for
activity that is typical of network attacks, but doesn't log events about detected activity and doesn't
block network activity from the attacking computer.
For example, you can use this mode in case of a decrease in the protected device's performance.

Only inform about network attacks .

If this mode is selected, Kaspersky Security for Windows Server scans inbound network tra ic for
activity that is typical of network attacks, logs events about detected activity, but doesn't block
network activity from the attacking computer.

Block connections when attack is detected .

The check box enables or disables adding hosts showing activity typical of network attacks to the list
of blocked hosts.
If this mode is selected, Kaspersky Security for Windows Server scans inbound network tra ic for
activity that is typical of network attacks, logs events about detected activity, and adds IP addresses
of hosts showing activity typical of network attacks to the list of blocked hosts.
The mode is selected by default.
You can view the list of blocked hosts in the Blocked Hosts storage.

You can restore access to blocked hosts, and specify the number of days, hours and minutes after
which hosts regain access to network le resources after being blocked by con guring the Blocked
Hosts storage settings.

6. Select or clear the Don't stop tra ic analysis when the task is not running check box.

If this check box is selected, when Network Threat Protection task is stopped, Kaspersky Security for
Windows Server scans inbound network tra ic for activity that is typical of network attacks and blocks
network activity from the attacking computer depending on the selected processing mode.
If this check box is cleared, when Network Threat Protection task is stopped, Kaspersky Security for
Windows Server doesn't scan inbound network tra ic for activity that is typical of network attacks and
doesn't block network activity from the attacking computer.
The check box is cleared by default.

7. Click OK.
312
Adding exclusions
To add exclusions for Network Threat Protection task, take the following steps:

1. In the Application Console tree, expand the Real-time server protection node.

2. Select the Network Threat Protection child node.

3. Click the Properties link in the details pane of the Network Threat Protection node.
The Task settings window opens.

4. On the Exclusions tab, select the Do not control excluded IP-addresses check box.

If this check box is selected, Kaspersky Security for Windows Server doesn't scan inbound network tra ic
for excluded IP addresses.
If this check box is cleared, Kaspersky Security for Windows Server doesn't apply the exclusion list.

5. Specify the IP address and click Add button.

6. Click OK.

Con guring the Network Threat Protection task via the Administration Plug-
in
In this section, learn how to manage the Network Threat Protection task via the Administration Plug-in interface.

General task settings

To con gure the general task settings:

1. Expand the Managed devices node in the Kaspersky Security Center Administration Console tree.

2. Select the administration group for which you want to con gure application settings.

3. Perform one of the following actions in the details pane of the selected administration group:

To con gure application settings for a group of protected devices, select the Policies tab and open the
Properties: <Policy name> window.

To con gure the application for a single protected device, select the Devices tab and open the Application
settings window.

If an active Kaspersky Security Center policy is applied to a device and blocks changes to application
settings, then these settings cannot be edited in the Application settings window.

313
4. In the Real-time server protection section, click the Settings button in the Network Threat Protection
subsection.
The Network Threat Protection window opens.

5. Open the General tab.

6. In the Processing mode section select the processing mode:

Pass-through .

If this mode is selected, Kaspersky Security for Windows Server scans inbound network tra ic for
activity that is typical of network attacks, but doesn't log events about detected activity and doesn't
block network activity from the attacking computer.
For example, you can use this mode in case of a decrease in the protected device's performance.

Only inform about network attacks .

If this mode is selected, Kaspersky Security for Windows Server scans inbound network tra ic for
activity that is typical of network attacks, logs events about detected activity, but doesn't block
network activity from the attacking computer.

Block connections when attack is detected .

The check box enables or disables adding hosts showing activity typical of network attacks to the list
of blocked hosts.
If this mode is selected, Kaspersky Security for Windows Server scans inbound network tra ic for
activity that is typical of network attacks, logs events about detected activity, and adds IP addresses
of hosts showing activity typical of network attacks to the list of blocked hosts.
The mode is selected by default.
You can view the list of blocked hosts in the Blocked Hosts storage.

You can restore access to blocked hosts, and specify the number of days, hours and minutes after
which hosts regain access to network le resources after being blocked by con guring the Blocked
Hosts storage settings.

7. Select or clear the Don't stop tra ic analysis when the task is not running check box.

If this check box is selected, when Network Threat Protection task is stopped, Kaspersky Security for
Windows Server scans inbound network tra ic for activity that is typical of network attacks and blocks
network activity from the attacking computer depending on the selected processing mode.
If this check box is cleared, when Network Threat Protection task is stopped, Kaspersky Security for
Windows Server doesn't scan inbound network tra ic for activity that is typical of network attacks and
doesn't block network activity from the attacking computer.
The check box is cleared by default.

8. Click OK.

Adding exclusions
314
To add exclusions for Network Threat Protection task, take the following steps:

1. Expand the Managed devices node in the Kaspersky Security Center Administration Console tree.

2. Select the administration group for which you want to con gure application settings.

3. Perform one of the following actions in the details pane of the selected administration group:

To con gure application settings for a group of protected devices, select the Policies tab and open the
Properties: <Policy name> window.

To con gure the application for a single protected device, select the Devices tab and open the Application
settings window.

If an active Kaspersky Security Center policy is applied to a device and blocks changes to application
settings, then these settings cannot be edited in the Application settings window.

4. In the Real-time server protection section, click the Settings button in the Network Threat Protection
subsection.
The Network Threat Protection window opens.

5. On the Exclusions tab, select the Do not control excluded IP-addresses check box.

If this check box is selected, Kaspersky Security for Windows Server doesn't scan inbound network tra ic
for excluded IP addresses.
If this check box is cleared, Kaspersky Security for Windows Server doesn't apply the exclusion list.

6. Specify the IP address and click Add button.

7. Click OK.

Con guring the Network Threat Protection task via the Web Plug-in
In this section, learn how to manage the Network Threat Protection task via the Web Plug-in interface.

General task settings

To con gure the general task settings:

1. In the main window of Web Console, select Devices → Policies & pro les.

2. Click the policy name you want to con gure.

3. In the <Policy name> window that opens select the Application settings tab.

4. Select the Real-time server protection section.

5. Click Settings in the Network Threat Protection subsection.

315
 6. Open the General tab.

7. In the Processing mode section select the processing mode:

Pass-through .

If this mode is selected, Kaspersky Security for Windows Server scans inbound network tra ic for
activity that is typical of network attacks, but doesn't log events about detected activity and doesn't
block network activity from the attacking computer.
For example, you can use this mode in case of a decrease in the protected device's performance.

Only inform about network attacks .

If this mode is selected, Kaspersky Security for Windows Server scans inbound network tra ic for
activity that is typical of network attacks, logs events about detected activity, but doesn't block
network activity from the attacking computer.

Block connections when attack is detected .

The check box enables or disables adding hosts showing activity typical of network attacks to the list
of blocked hosts.
If this mode is selected, Kaspersky Security for Windows Server scans inbound network tra ic for
activity that is typical of network attacks, logs events about detected activity, and adds IP addresses
of hosts showing activity typical of network attacks to the list of blocked hosts.
The mode is selected by default.
You can view the list of blocked hosts in the Blocked Hosts storage.

You can restore access to blocked hosts, and specify the number of days, hours and minutes after
which hosts regain access to network le resources after being blocked by con guring the Blocked
Hosts storage settings.

8. Select or clear the Don't stop tra ic analysis when the task is not running check box.

If this check box is selected, when Network Threat Protection task is stopped, Kaspersky Security for
Windows Server scans inbound network tra ic for activity that is typical of network attacks and blocks
network activity from the attacking computer depending on the selected processing mode.
If this check box is cleared, when Network Threat Protection task is stopped, Kaspersky Security for
Windows Server doesn't scan inbound network tra ic for activity that is typical of network attacks and
doesn't block network activity from the attacking computer.
The check box is cleared by default.

9. Click OK.

Adding exclusions
To add exclusions for Network Threat Protection task, take the following steps:

1. In the main window of Web Console, select Devices → Policies & pro les.

316
2. Click the policy name you want to con gure.

3. In the <Policy name> window that opens select the Application settings tab.

4. Select the Real-time server protection section.

5. Click Settings in the Network Threat Protection subsection.

6. On the Exclusions tab, select the Do not control excluded IP-addresses check box.

If this check box is selected, Kaspersky Security for Windows Server doesn't scan inbound network tra ic
for excluded IP addresses.
If this check box is cleared, Kaspersky Security for Windows Server doesn't apply the exclusion list.

7. Specify the IP address and click Add button.

8. Click OK.

317
Tra ic Security
This section contains information about the Tra ic Security task and how to con gure it.

About the Tra ic Security task

The Tra ic Security component processes web tra ic (including tra ic received via mail services) and intercepts
and scans objects transferred through web tra ic in order to detect known computer and other threats on the
protected device. The ICAP service scans incoming tra ic for threats and blocks or allows tra ic depending on
the scan results and con gured scan settings.

Kaspersky Security for Windows Server also detects and intercepts tra ic requested by any processes running
under Windows Subsystem for Linux. For such processes, the Tra ic Security task applies the action de ned by
the current task con guration.

Tra ic Security component is installed by default.

The component provides the following types of protection:

Mail threat protection:

Anti-phishing

Protection against mail-based malware

Web threat protection:

Anti-phishing

Malicious URL scan

Protection against web-based malware

Web Control:

URL control

Certi cate control

Category-based web control

We highly recommend that you use KSN services when starting the Tra ic Security task in order to enhance
threat detection. KSN cloud databases contain more recent information about web threats than local anti-
virus databases. Several web control categories are analyzed purely based on conclusions received from KSN
services.

Tra ic Security modes

Tra ic Security can operate in the following modes:

318
 Driver Interceptor. The application intercepts tra ic with a network driver. It uses a network kernel driver to
intercept and analyze all incoming tra ic for the speci ed ports.

Redirector. The application processes requests coming from the user's web browser as a proxy server and
redirects the received tra ic to an internal ICAP-server. This mode implies additional con guration of the web
browser: it is necessary to specify the address and the port for the proxy server connection.

External Proxy. The application processes tra ic from an external proxy server. The tra ic is transferred from
the external proxy server to Kaspersky Security for Windows Server. The application analyzes the tra ic and
recommends an action to the external proxy. Kaspersky Security for Windows Server is only compatible with
proxies that transfer tra ic via the ICAP protocol.

About Tra ic Security rules

Kaspersky Security for Windows Server lets you add and con gure allowing or denying rules for certi cates and
web addresses, and use preset rules for categories to block content by type. Rules for certi cates can be applied
if the task is running in Driver Interceptor or Redirector mode.

Web control

This type of control is carried out by applying allowing and denying rules for web addresses and certi cates.
Allowing rules have a higher priority than conclusions from KSN and signature analysis.

A URL or certi cate can be allowed or blocked based on prioritized conclusions (from highest to lowest):

1. Allowing or denying rules.

2. Anti-phishing and anti-virus databases.

3. KSN.

4. Categories.

Category-based web control

Kaspersky Security for Windows Server lets you block web addresses based on categories. You can set the level
of heuristic analysis used for categorization. Category-based web control uses the preset list of categories for
analysis. While the list itself cannot be modi ed, you can select categories of web resources to allow or block, or
turn o category-based control. The Other category includes all web resources that do not fall under any other
category in the list. If this check box is selected, Kaspersky Security for Windows Server allows all web resources
that are not categorized. If the check box is cleared, all web resources are blocked.

Categorization has the lowest priority.

By default, Kaspersky Security for Windows Server applies only one rule: the denying rule for TOR certi cates. You
can uncheck the rule in the rule settings to allow TOR connections. If the rule is applied, all incoming or outgoing
TOR connections will be blocked.

319
Tra ic Security also considers the conclusions for the not-a-virus mask, which are the resources or objects
that are not viruses themselves, but can be used to harm the protected device. By default, Kaspersky Security for
Windows Server does not apply the not-a-virus mask to categories.

Mail threat protection

The Tra ic Security component scans mail in 32-bit and 64-bit editions of Microsoft Outlook (2010, 2013, 2016,
2019, and 365). Mail threat protection is provided through a Microsoft Outlook Add-in that is installed separately
from Kaspersky Security for Windows Server components.

Mail threat protection includes:

Incoming email scanning (including encrypted email).

Anti-virus email scanning.

Anti-virus scanning of attachments (including packed objects).

Anti-phishing email scanning.

Anti-phishing scanning of attachments (including packed objects).

If a threat is detected, Kaspersky Security for Windows Server:

Permanently deletes infected attachments.

Modi es the infected message body. The original infected message body is attached as an HTML page along
with information about the threat. If a phishing link is detected, the original infected message body is attached
in TXT format along with information about the threat.

Logs a Mail threat detected event.

Kaspersky Security for Windows Server scans emails when they are opened, not when they are received by the
protected device. The scan is performed only once when they are rst opened. The scanned emails and
attachments are stored in a cache until Outlook restarts. After a restart, emails are scanned again when they are
opened.

If Microsoft Outlook mail client is running during installation of the Add-in, you must restart it after completion
of the installation.

Kaspersky Security for Windows Server performs the mail threat protection only when the Tra ic Security
task is running and the Enable mail threat protection check box is selected. The check box is selected by
default. You can con gure the mail threat protection via the Administration Plug-in, Application Console, or
Web Plug-in.

List of categories
Web resources are analyzed and categorized according to tags. A tag can be applied to several categories (see
table below).

320
Tags for web resource categories

Tag Description List of categories

18+ (adult) These categories may Abortion, Adult dating, Anorexia, Discontent,
include web resources Discrimination, Erotic, Illegal drugs, Illegal software, LGBT,
that potentially Lingerie, Non-adult dating, Nudism, Policy decision, Porn,
contain content for Restricted by global legislation, Restricted by RF
adults (18+), e.g. legislation, Restricted by Roskomnadzor (RF), Sex
descriptions of education, Sex shops, Social networks, Suicide, Obscene
violence, pornography, vocabulary, Violence, Weapons.
or obscene language.

children These categories may For children, Restricted by Federal Law 436 (RF), Schools
include web resources and universities.
that potentially
contain content for
children. For example,
educational websites,
children’s
entertainment
websites, forums and
blogs about child-
rearing.

drug These categories may Abortion, Alcohol, Anorexia, Drugs, Health and beauty,
include web resources Illegal drugs, Medicine, Pharmacy, Tobacco.
that potentially
contain information
about narcotics and
other legal and illegal
substances. For
example, information
about the distribution
of prohibited drugs or
alcohol, or the
websites of registered
pharmaceutical
companies.

education These categories may Books and writing, Education, For children, Information
include web resources technologies, Online encyclopedias, Schools and
that potentially universities, Search engines, Sex education.
contain educational
materials or materials
about teaching.
For example, online
encyclopedias,
knowledge bases, wikis,
and the web pages of
educational
institutions or web
pages about sex
education.

hobby&entertainment These categories may Adult dating, Hobby and entertainment, All
include web resources communication media, Astrology and esoterica, Audio,
potentially related to video and software, Betting, Blogging, Casinos, card
entertainment, games, Casual games, Chats and forums, Computer
hobbies, recreational games, Culture and society, Erotic, Fashion, File sharing,
activities. Fishing and hunting, For children, Gambling, Health and
beauty, Hobby and entertainment, Home and family,
321
 For example, various Humor, LGBT, Lingerie, Lotteries, Media hosting and
types of online games, streaming, Medicine, Music, News, Non-adult dating,
including gambling and Nudism, Online shopping, Online shopping (self-payed),
social networks, web Pets and animals, Porn, Restaurants, cafes and food, Sex
pages about books or shops, Social networks, Sport, Torrents, Traveling, TV and
hunting, blogs about radio, Wargaming.
health and beauty, and
news feeds.

gaming These categories may Casual games, Computer games, Sport, Wargaming.
include web resources
potentially related to
various types of
games. For example,
games of chance and
betting, lotteries,
online or casual games,
as well as websites and
forums about gaming.

hazard This category refers to Bets, Casinos, card games, Gambling, Gambling
web pages that (expanded), Lotteries.
contain:
Games of chance that
are “pay to play”.
Betting pools.
Lotteries that involve
purchase of lottery
tickets/numbers.

health&medicine Web pages on healthy Abortion, Anorexia, Drugs (legal and illegal), Health and
lifestyles. May include beauty, Medicine, Pharmacy, Sport.
sites dedicated to
tness, healthy eating,
and alternative
practices and methods
of treatment; web
pages about medicine,
pharmacies,
pharmaceutical
companies, and
medications and
supplements.

illegal These categories may Alcohol, Audio, video and software, Drugs, File sharing,
include potentially Illegal drugs, Illegal software, Lotteries, Restricted by
illegal web resources. global legislation, Restricted by RF legislation, Restricted
For example, illegal by Roskomnadzor (RF), Tobacco.
sharing of media les
or installation
packages, or web
pages prohibited by
the o icial laws of
various countries.

IT Broadly speaking, web Anonymous proxy servers, Hosting and domain services,
pages that allow users Illegal software, Information technologies, Search
(with or without engines, Web Mail.
requiring an account)
to send personal

322
 messages to other
users (including e-mail
services, social
networks, blogs, etc.)

forbidden by law These categories may Law and policy, Mentioned in Federal list of extremists
include web resources (RF), Restricted by Federal Law 436 (RF), Restricted by
potentially controlled global legislation, Restricted by RF legislation, Restricted
by federal law or by Roskomnadzor (RF).
related to the
government or politics.

legal These categories may Alcohol, Audio, video and software, Drugs, File sharing,
include potentially legal Legal advertisement, Lotteries, Military, Pharmacy,
web resources. Religion, Sex education, Teasers and ad services,
Tobacco, Wargaming.

media sharing These categories may Audio, video and software, Books and writing, File sharing,
include web resources For children, Internet services, Media hosting and
that may enable le streaming, Music, Search engines, Torrents, TV and radio.
sharing.
For example, torrents,
le sharing websites,
music and video
hosting, both legal and
illegal.

money&payment These categories may Banking, Books and writing, Casual games, E-commerce,
include web resources Online shopping (self-payed), Payment by credit cards,
potentially related to Payment systems, Restaurants, cafes and food, Traveling.
nance and nancial
transactions.
For example, the
o icial websites of
banks, online banks,
online stores, and web
pages to perform
money transfers.

online collaboration These categories may Adult dating, Blogging, Chats and forums, For children,
include web resources Health and beauty, Job search sites, Medicine, Non-adult
potentially related to dating, Social networks, Traveling.
online communication.
For example,
specialized blogs and
forums, private chat
rooms, social networks
and dating websites.

psychotropic&drug These categories may Drugs (legal and illegal), Health and beauty, Illegal drugs,
include web resources Medicine, Pharmacy, Tobacco.
related to any type of
drugs, psychotropic
medicine or tobacco.

sex&adult These categories may Adult dating, Erotic, LGBT, Lingerie, Nudism, Porn, Sex
include web resources education, Sex shops.
that potentially
contain sexual or erotic
material.

323
 For example,
pornographic hosting,
web pages about sex
education, and
websites about sexual
minorities.

society&law This category includes Culture and society, Law and politics, Military, Religion,
many aspects of Weapons.
society and human life,
including religion,
religious associations;
government, politics,
laws; home and family;
news media; military
and weapons.

shopping These categories may Books and writing, Lingerie, Online shopping, Online
include web resources shopping (self-payed), Payment by credit cards,
potentially related to Restaurants, cafes and food, Sex shops, Traveling.
online shopping.

violence These categories may Discontent, Discrimination, Extremism and racism, Fishing
include web resources and hunting, Hate and discrimination, Mentioned in
that potentially Federal list of extremists (RF), Military, Policy Decision
contain explicit (JP), Restricted by global legislation, Restricted by RF
expressions of legislation, Restricted by Roskomnadzor (RF), Suicide,
aggression, Violence, Wargaming, Weapons.
descriptions of cruelty,
extremist propaganda,
or descriptions of
suicide.

web services These categories may Anonymous proxy servers, Hosting and domain services,
include web resources Internet services, Search engines, Teasers and ad
potentially o ering services, Web Mail.
various web services.
For example,
anonymization, web
hosting, or email
services.

Prede ned protection level settings

One of three prede ned protection levels can be applied for the task: Maximum performance, Recommended, and
Maximum protection. Each of these levels contains its own prede ned set of security settings (see the table
below).

Maximum performance

The Maximum performance security level is recommended if your network has additional protected device
security measures, for example, rewalls and existing security policies, beyond using Kaspersky Security for
Windows Server on protected devices and work stations.

Recommended

324
The Recommended security level ensures the best combination of protection and performance impact on
devices. Kaspersky experts recommend this level as adequate to protect devices on most corporate networks.
The Recommended security level is set by default.

Maximum protection

The Maximum protection security level is recommended if your organization's network has elevated device
security requirements.

Prede ned protection levels and corresponding security settings

Options Protection level

Maximum performance Recommended Maximum

protection

Scan objects According to the list of All objects All objects

extensions in the database

Actions on infected and other Block Block Block

detected objects

Do not detect No No No

Stop scanning if it takes longer 60 sec. 60 sec. No

than (sec.)

Do not scan objects larger 20 MB 20 MB No

than (MB)

Compound objects protection

Packed objects Archives Archives

SFX archives SFX archives

Packed Packed
objects objects

Embedded Embedded
OLE objects OLE objects

Default Tra ic Security task settings

You can change the default settings of the Tra ic Security task (see the table below).

Default Tra ic Security task settings

Setting Default value Description

Task mode Driver The application intercepts tra ic with a network driver. It uses a
Interceptor network kernel driver to intercept and analyze all incoming tra ic
for the speci ed ports.

Network port 1345 The default port number for the ICAP service.
number

Service ID webscan ICAP service identi er for the address of installed anti-virus
server.

325
 Use malicious URL Applied Enable or disable signature analysis of each URL.
database to scan
web links

Use anti-phishing Applied Enable or disable URL anti-phishing scan based on heuristic
database to scan analysis.
web pages

Use KSN for Applied You can use KSN application reputation data for protection when
protection running the task.

Use Trusted Zone Applied You can apply the Trusted Zone if required.

Use heuristic Applied Con gure usage of the heuristic analyzer.

analyzer

Protection level Recommended Apply another prede ned security level or edit the security level
manually.

Task start schedule First run is not The Tra ic Security task is not started automatically. You can start
scheduled. the task manually or con gure a scheduled start.

Managing Tra ic Security via the Administration Plug-in

In this section, learn how to navigate the Administration Plug-In interface and con gure task settings for one or all
protected devices on the network.

Navigation
Learn how to navigate to the required task settings via the chosen interface.

Opening policy settings for the Tra ic Security task

To open the Tra ic Security task settings via the Kaspersky Security Center policy:

1. Expand the Managed devices node in the Kaspersky Security Center Administration Console tree.

2. Select the administration group for which you want to con gure the task.

3. Select the Policies tab.

4. Double-click the policy name you want to con gure.

5. In the Properties: <Policy name> window that opens, select the Real-time server protection section.

6. Click the Settings button in the Tra ic Security subsection.

The Tra ic Security window opens.

7. Con gure the policy as required.

326
Opening the Tra ic Security rules list
To open the Web Control rules list via the Kaspersky Security Center:

1. Expand the Managed devices node in the Kaspersky Security Center Administration Console tree.

2. Select the administration group for which you want to con gure the task.

3. Select the Policies tab.

4. Double-click the policy name you want to con gure.

5. In the Properties: <Policy name> window that opens, select the Real-time server protection section.

6. Click the Rules list button in the Tra ic Security subsection.

The Web Control rules window opens.

7. Con gure the rules list as required.

Con guring the Tra ic Security task

To con gure the Tra ic Security task:

1. Open the Tra ic Security window.

2. On the Task mode tab select and con gure the task operation mode.

3. On the URL and web processing tab, con gure the anti-phishing and anti-virus scanning of URLs.

4. On the Malware protection tab, con gure the heuristic analyzer and security level.

5. On the Task management tab, con gure the task settings for starting the task on a schedule.

6. Click OK.

The task con guration is saved.

Con guring the task operation mode

To con gure the task operation mode:

1. Open the Tra ic Security window.

2. On the General tab, select one of the available modes from the Task mode drop-down list:

Driver Interceptor

327
 Redirector

External Proxy

3. Specify the ICAP service connection settings (required for all three modes):

Network port number

Service ID

Restart the task to apply ICAP service connection settings.

4. Con gure the selected task mode.

No additional con guration is required for the External Proxy mode. Con guration is performed on the
external proxy server.

5. Click OK.

The con guration is saved.

Con guring the Driver Interceptor mode

To con gure the Driver Interceptor mode:

1. Open the Tra ic Security window.

2. On the General tab, select Driver Interceptor mode.

3. In the Task mode settings block, con gure the following settings:

Check safe connections through the HTTPS protocol .

Scanning is available only if the HTTPS port is open.

Select the versions of the cryptographic protocol that you want to use:

TLS 1.0

TLS 1.1

TLS 1.2

All versions are selected by default. Moreover, the TLS 1.0 option cannot be disabled.

328
 Note, that you can use the TLS protocol in the Tra ic Security task con guration only on protected
devices running Microsoft Windows 7 or later, Microsoft Windows Server 2008 R2 or later.

Do not trust web-servers with invalid certi cate .

If the Do not trust web-servers with invalid certi cate check box is selected, Kaspersky Security for
Windows Server blocks all connections with invalid certi cates and also all connections with self signed
certi cate.

Security port .

4. To add or exclude ports from the interception area, click the Con gure interception area button.
The Interception area window opens.

5. Select one of the following options on the Intercept ports tab:

Intercept all

Intercept speci ed ports

a. Enter the port number in the text eld. You can add several ports by using a semicolon delimiter between
port numbers.

b. Click Add.
Port is included in the interception area.

By default, Kaspersky Security for Windows Server intercepts tra ic that is transferred via the
following ports: 80, 8080, 3128, 443.

If you run Tra ic Security task in Driver Interceptor mode with the Intercept all option enabled, make
sure to con gure the Kaspersky Security Center Administration Server to use the default port (13299)
for connection with the Kaspersky Security Center Web Console (for more information, refer to
Kaspersky Security Center Online Help), or, if you use a custom port, make sure to add this port to the
Tra ic Security task's list of excluded ports. Otherwise, Tra ic Security blocks the connection from the
Kaspersky Security Center Web Console to the Kaspersky Security Center Administration Server.

6. To specify ports you want to exclude from the interception area on the Exclude ports tab:

a. Enter the port number in the text eld. You can add several ports by using a semicolon delimiter between
port numbers.

b. Click Add.
Port is excluded from the area.

By default, Kaspersky Security for Windows Server excludes ports which are used by other applications
and might cause issues when attempting to read data transferred via encrypted connection: 3389, 1723,
13291, 13299.

329
 7. To exclude IP addresses from the interception area on the Exclude IP addresses tab:

a. Enter IP addresses in IPv4 format (in a short form or specifying an address with a subnet mask).

b. Click Add.

c. Click OK to save the changes.

8. To exclude process or executable le which requires tra ic exchange on the Exclude processes tab:

a. Select the Apply exclusions for processes check box.

b. To exclude a le:

1. Click the Executable les button.

The standard Open windows is displayed.

2. Select the executable le you want to exclude and click Open.

9. In the Interception area window click the OK button.

10. In the Tra ic Security window click the OK button.

The task mode con guration is saved.

Con guring the Redirector mode

To con gure the Redirector mode:

1. Open the Tra ic Security window.

2. On the General tab, select Redirector mode.

3. In the Task mode settings block, con gure the following settings:

Check safe connections through the HTTPS protocol .

Scanning is available only if the HTTPS port is open.

Select the versions of the cryptographic protocol that you want to use:

TLS 1.0

TLS 1.1

TLS 1.2

All versions are selected by default. Moreover, the TLS 1.0 option cannot be disabled.

330
 Note, that you can use the TLS protocol in the Tra ic Security task con guration only on protected
devices running Microsoft Windows 7 or later, Microsoft Windows Server 2008 R2 or later.

Redirect tra ic to proxy server after scanning .

Proxy server address .

Port .

Security port .

For Redirector mode, the operating system must be con gured to transfer encrypted tra ic via the port
speci ed by Kaspersky Security for Windows Server.

4. Click OK.

The task mode con guration is saved.

Con guring malware protection

The following protection settings a ect all incoming tra ic. However, the selected actions on infected and
other detected objects are performed only for mail attachments.

To con gure heuristic analysis to detect viruses and other computer security threats that are transferred via web
tra ic:

1. Open the Tra ic Security window.

2. On the Malware protection tab:

Select the Use heuristic analyzer check box.

Set the required level of heuristic analysis for malware scanning.

Select the security level from the drop-down list:

Recommended

Maximum protection

Maximum performance

Custom

3. Open the General tab by clicking Settings and in the Object protection section, specify the objects that you
want to include in the scan scope:

All objects

Objects scanned by format

331
 Objects scanned according to list of extensions speci ed in anti-virus database

Objects scanned by speci ed list of extensions

a. Click the Modify button to edit the list of extensions.

b. In the window that opens, specify an extension.

c. Click Add.

Click the By default button to populate the list with the preset list of excluded extensions.

4. In the Compound object protection section, specify the compound objects that you want to include in the
scan scope:

Archives

SFX archives

Packed objects

Embedded OLE objects

5. On the Actions tab, select an action to be performed on infected and other detected objects:

Block

Allow

6. On the Performance tab, con gure the following settings:

In the Exclusions section select or clear the Do not detect check box. To con gure the list of objects to
exclude:

a. Click the Edit button.

b. In the window that opens, specify an object name or mask.

c. Click Add.

In the Advanced settings section, restrict the scanning time and object size:

Stop scanning if it takes longer than (sec.)

Do not scan objects larger than (MB)

7. Click OK in the Malware protection settings window.

The security level con guration is saved.

Con guring mail threat protection

332
 To use mail threat protection, the Microsoft Outlook Add-in must be installed and the device must be
con gured correctly.

To enable mail threat protection:

1. Open the Tra ic Security window.

2. On the Mail threat protection tab, select the Enable mail threat protection check box.

If you enable or disable mail threat protection, the changes are applied after a short timeout (5 minutes) or
immediately after Microsoft Outlook restarts.

3. Click OK.

The changes are saved.

Con guring URL and web processing

To check web resources for phishing threats and identify web addresses designated as malicious according to the
anti-virus database and URL reputation from KSN:

1. Open the Tra ic Security window.

2. On the General tab, select and con gure the task operation mode.

3. On the URL and web processing tab:

Clear or select the Use malicious URL database to scan web links check box.

Clear or select the Use anti-phishing database to scan web pages check box.

Clear or select the Use Trusted Zone check box.

Clear or select the Use KSN for protection check box.

The KSN reputation for a URL is available only if all of the following conditions are met:

The Use KSN for protection check box is selected in the Tra ic Security settings.

The KSN Statement is accepted. The Send data about requested URLs check box is selected.

The KSN Usage task is started.

4. Click OK.

The URL and web processing con guration is saved.

Con guring web control

Con gure rules and manage settings for certi cate scanning and category-based web control.

333
Con guring certi cate scanning
Kaspersky Security for Windows Server lets you scan and block web resources with invalid and expired
certi cates. In order to con gure the scanning of certi cates, the following steps must be performed:

a. Con gure the Tra ic Security task.

b. Add and apply rules for certi cates.

Rules for certi cates can only be used in Driver Interceptor or Redirector mode. By default, Kaspersky Security
for Windows Server creates only denying rules for certi cates.

Selecting and con guring the task mode

To select and con gure the mode for working with certi cates:

1. Open the Tra ic Security window.

2. On the General tab, select a mode that supports certi cate scanning from the Task mode drop-down list:

Driver Interceptor

Redirector

3. In the Task mode settings block, con gure the following settings:

Check safe connections through the HTTPS protocol .

Scanning is available only if the HTTPS port is open.

Select the versions of the cryptographic protocol that you want to use:

TLS 1.0

TLS 1.1

TLS 1.2

All versions are selected by default. Moreover, the TLS 1.0 option cannot be disabled.

Note, that you can use the TLS protocol in the Tra ic Security task con guration only on protected
devices running Microsoft Windows 7 or later, Microsoft Windows Server 2008 R2 or later.

4. Click OK.

The task con guration is saved.

334
Adding rules for certi cates
Rules for certi cates can only be used in Driver Interceptor or Redirector mode. By default, Kaspersky Security
for Windows Server creates only denying rules for certi cates.

To add or con gure a certi cate rule:

1. Open the Web Control rules window.

2. On the Web Control tab, select the Apply certi cate-based rules check box to apply rules.

3. Click the Add button to add a new rule.

4. In the context menu of the Add button select the Certi cate-based rule option.

5. In the Certi cate-based rule window that opens:

a. Enter the name of the rule.

b. Select the Apply rule check box.

c. Select the Operator type: Use mask symbols or Use regular expressions.

d. Specify the mask or expression in the Operator eld.

e. Click OK.

6. To edit a rule, select one rule in the list and click Modify.

7. Click the Save button in the Web Control rules window.

The new rules are applied.

Con guring category-based web control

To add or modify a Tra ic Security category-based rule:

1. Open the Web Control rules window.

2. Open the Categorization tab.

3. Select the Apply rules for web tra ic category control check box.
Category control settings become available.

4. Select or clear the following check boxes:

Allow access if the web page can not be categorized.

Allow access to legitimate web resources that can be used to damage your device.

Allow access to legitimate advertisement.

335
 5. In the list of available categories:

Select the corresponding check box to allow a category.

The Type of rule column changes to Allowing.

Clear the corresponding check box to block a category.

The Type of rule column changes to Denying.

The list of categories is prede ned and cannot be modi ed (you cannot add or remove categories).

6. Click OK.

The rule con guration is saved.

Using the not-a-virus mask

To use the not-a-virus mask for category analysis:

1. In the Kaspersky Security Center Administration Console, open the KSN Usage task settings.

2. Select the Send data about requested URLs check box.

3. Start the KSN Usage task.

4. In the Tra ic Security settings window, select the Use KSN for protection check box.

5. In the Web Control rules window, on the Categorization tab, select the Apply rules for web tra ic category
control check box.

6. In the list of categories, select the categories for which you want to apply the not-a-virus mask.
The Tra ic Security task will not detect objects corresponding to the mask in the selected categories.

Use of the not-a-virus mask is con gured in the Trusted Zone settings.

Adding URL-based rules

You can add a URL-based rule to deny or allow a speci c URL. These rules have higher priority than any other
conclusions.

To create a new URL-based rule:

1. Open the Web Control rules window.

2. On the Web Control tab, select the Apply URL-based rules check box to apply rules.

3. Click the Add button to add a new rule.

4. In the context menu of the Add button select the URL-based rule option.
336
 5. In the URL-based rule window that opens:

a. Enter the name of the rule.

b. Select the Rule type: Denying or Allowing.

c. Select the Apply rule check box.

d. Specify the URL in the URL eld.

e. Click OK.

6. To edit a rule, select one rule in the list and click Modify.

7. Click OK in the Web Control rules window.

The new rules are applied.

Managing Tra ic Security via the Application Console

In this section, learn how to navigate the Application Console interface and con gure task settings on a protected
device.

Navigation
Learn how to navigate to the required task settings via the chosen interface.

Opening the Tra ic Security task settings

To open the Tra ic Security general task settings via the Application Console:

1. In the Application Console tree, expand the Real-Time Server Protection node.

2. Select the Tra ic Security child node.

3. Click the Properties link in the details pane of the Tra ic Security node.
The Task settings window opens.

Opening the Tra ic Security rules window

To open the Tra ic Security rules list via the Application Console:

1. In the Application Console tree, expand the Real-Time Server Protection node.

2. Select the Tra ic Security child node.

337
 3. Click the Web Control rules link in the details pane of the Tra ic Security node.
The Web Control rules window opens.

Con gure the rules list as required.

Con guring the Tra ic Security task

To con gure the Tra ic Security task:

1. Open the Task settings window.

2. On the General tab select and con gure the task operation mode.

3. On the URL and web processing tab, con gure the anti-phishing and anti-virus scanning of URLs.

4. On the Malware protection tab, con gure the heuristic analyzer and security level.

5. On the Schedule and Advanced tabs, start the task based on a schedule.

6. Click OK to save changes.

Con guring the task operation mode

To con gure the task operation mode:

1. Open the Task settings window.

2. On the General tab, select one of the available modes from the Task mode drop-down list:

Driver Interceptor

Redirector

External Proxy

3. Specify the ICAP service connection settings (required for all three modes):

Network port number

Service ID

Restart the task to apply ICAP service connection settings.

4. Con gure the selected task mode.

No additional con guration is required for the External Proxy mode. Con guration is performed on the
external proxy server.

338
 5. Click OK.

The con guration is saved.

Con guring the Driver Interceptor mode

To con gure the Driver Interceptor mode:

1. Open the Task settings window.

2. On the General tab, select the Driver Interceptor mode.

3. In the Task mode settings block, con gure the following settings:

Check safe connections through the HTTPS protocol .

Scanning is available only if the HTTPS port is open.

Select the versions of the cryptographic protocol that you want to use:

TLS 1.0

TLS 1.1

TLS 1.2

All versions are selected by default. Moreover, the TLS 1.0 option cannot be disabled.

Note, that you can use the TLS protocol in the Tra ic Security task con guration only on protected
devices running Microsoft Windows 7 or later, Microsoft Windows Server 2008 R2 or later.

Do not trust web-servers with invalid certi cate .

If the Do not trust web-servers with invalid certi cate check box is selected, Kaspersky Security for
Windows Server blocks all connections with invalid certi cates and also all connections with self signed
certi cate.

Security port .

4. To add or exclude ports from the interception area, click the Con gure interception area button.
The Interception area window opens.

5. Select one of the following options on the Intercept ports tab:

Intercept all

Intercept speci ed ports:

339
 a. Enter the port number in the text eld. You can add several ports by using a semicolon delimiter between
port numbers.

b. Click Add.
Port is included in the interception area.

By default, Kaspersky Security for Windows Server intercepts tra ic that is transferred via the
following ports: 80, 8080, 3128, 443.

If you run Tra ic Security task in Driver Interceptor mode with the Intercept all option enabled, make
sure to con gure the Kaspersky Security Center Administration Server to use the default port (13299)
for connection with the Kaspersky Security Center Web Console (for more information, refer to
Kaspersky Security Center Online Help), or, if you use a custom port, make sure to add this port to the
Tra ic Security task's list of excluded ports. Otherwise, Tra ic Security blocks the connection from the
Kaspersky Security Center Web Console to the Kaspersky Security Center Administration Server.

6. To specify ports you want to exclude from the interception area on the Exclude ports tab:

a. Enter the port number in the text eld. You can add several ports by using a semicolon delimiter between
port numbers.

b. Click Add.
Port is excluded from the area.

By default, Kaspersky Security for Windows Server excludes ports which are used by other applications
and might cause issues when attempting to read data transferred via encrypted connection: 3389, 1723,
13291, 13299.

7. To exclude IP addresses from the interception area on the Exclude IP addresses tab:

a. Enter IP addresses in IPv4 format (in a short form or specifying an address with a subnet mask).

b. Click Add.

c. Click OK to save the changes.

8. To exclude process or executable le which requires tra ic exchange on the Exclude processes tab:

a. Select the Apply exclusions for processes check box.

b. To exclude a le:

1. Click the Executable les button.

The standard Open windows is displayed.

2. Select the executable le you want to exclude and click Open.

9. In the Interception area window click the OK button.

10. In the Task settings window click the OK button.

340
 The task mode con guration is saved.

Con guring the Redirector mode

To con gure the Redirector mode:

1. Open the Task settings window.

2. On the General tab, select Redirector mode.

3. In the Task mode settings block, con gure the following settings:

Check safe connections through the HTTPS protocol .

Scanning is available only if the HTTPS port is open.

Select the versions of the cryptographic protocol that you want to use:

TLS 1.0

TLS 1.1

TLS 1.2

All versions are selected by default. Moreover, the TLS 1.0 option cannot be disabled.

Note, that you can use the TLS protocol in the Tra ic Security task con guration only on protected
devices running Microsoft Windows 7 or later, Microsoft Windows Server 2008 R2 or later.

Security port .

Redirect tra ic to an external proxy after checking .

Proxy server address .

Port .

For Redirector mode, the operating system must be con gured to transfer encrypted tra ic via the port
speci ed by Kaspersky Security for Windows Server.

4. Click OK.

The task mode con guration is saved.

Con guring malware protection

341
 The following protection settings a ect all incoming tra ic. However, the selected actions on infected and
other detected objects are performed only for mail attachments.

To con gure heuristic analysis to detect viruses and other computer security threats that are transferred via web
tra ic:

1. Open the Task settings window.

2. On the Malware protection tab:

Select the Use heuristic analyzer check box.

Set the required level of heuristic analysis for malware scanning.

Select the protection level from the drop-down list:

Recommended

Maximum protection

Maximum performance

Custom

3. On the Description tab below you can review the settings of the selected protection level.

4. Open the General tab and in the Objects protection section, specify the objects that you want to include in
the scan scope:

All objects

Objects scanned by format

Objects scanned according to list of extensions speci ed in anti-virus database

Objects scanned by speci ed list of extensions

a. Click the Modify button to edit the list of extensions.

b. In the window that opens, specify an extension.

c. Click Add.

Click the By default button to populate the list with the preset list of excluded extensions.

5. In the Compound objects protection section, specify the compound objects that you want to include in the
scan scope:

Archives

SFX archives

Packed objects
342
 Embedded OLE objects

6. On the Actions tab, select an action to be performed on infected and other detected objects:

Block

Allow

7. On the Performance tab, con gure the following settings:

In the Exclusions section select or clear the Do not detect check box. To con gure the list of objects to
exclude:

a. Click the Modify button.

b. In the window that opens, specify an object name or mask.

c. Click Add.

In the Advanced settings section, restrict the scanning time and object size:

Stop scanning if it takes longer than (sec.)

Do not scan objects larger than (MB)

8. Click OK in the Task settings window.

The protection level con guration is saved.

Con guring mail threat protection

To enable mail threat protection:

1. Open the Task settings window.

2. On the Mail threat protection tab, select the Enable mail threat protection check box.

If you enable or disable mail threat protection, the changes are applied after a short timeout (5 minutes) or
immediately after Microsoft Outlook restarts.

3. Click OK.

The changes are saved.

Con guring URL and web processing

To check web resources for phishing threats and identify web addresses designated as malicious according to the
anti-virus database and URL reputation from KSN:

1. Open the Task settings window.

343
 2. In the Task mode section of the General tab, select and con gure the task operation mode.

3. On the URL and web processing tab:

Clear or select the Use malicious URL database to scan web links check box.

Clear or select the Use anti-phishing database to scan web pages check box.

Clear or select the Use Trusted Zone check box.

Clear or select the Use KSN for protection check box.

The KSN reputation for a URL is available only if all of the following conditions are met:

The Use KSN for protection check box is selected in the Tra ic Security settings.

The KSN Statement is accepted. The Send data about scanned URLs check box is selected.

The KSN Usage task is started.

4. Click OK.

The URL and web processing con guration is saved.

Con guring web control

Con gure rules and manage settings for certi cate scanning and category-based web control.

Con guring certi cate scanning

Kaspersky Security for Windows Server lets you scan and block web resources with invalid and expired
certi cates. In order to con gure the scanning of certi cates, the following steps must be performed:

a. Con gure the Tra ic Security task.

b. Add and apply rules for certi cates.

Rules for certi cates can only be used in Driver Interceptor or Redirector mode. By default, Kaspersky Security
for Windows Server creates only denying rules for certi cates.

Selecting and con guring the task mode

To select and con gure the mode for working with certi cates:

1. Open the Task settings window.

2. On the General tab, select a mode that supports certi cate scanning from the Task mode drop-down list:

Driver Interceptor

Redirector

344
 3. In the Task mode settings block, con gure the following settings:

Check safe connections through the HTTPS protocol .

Scanning is available only if the HTTPS port is open.

Select the versions of the cryptographic protocol that you want to use:

TLS 1.0

TLS 1.1

TLS 1.2

All versions are selected by default. Moreover, the TLS 1.0 option cannot be disabled.

Note, that you can use the TLS protocol in the Tra ic Security task con guration only on protected
devices running Microsoft Windows 7 or later, Microsoft Windows Server 2008 R2 or later.

4. Click OK.

The task con guration is saved.

Adding rules for certi cates

Rules for certi cates can only be used in Driver Interceptor or Redirector mode. By default, Kaspersky Security
for Windows Server creates only denying rules for certi cates.

To add or con gure a certi cate rule:

1. Open the Web Control rules window.

2. On the Web Control tab, select the Apply certi cate-based rules check box to apply rules.

3. Click the Add button to add a new rule.

4. In the context menu of the Add button select the Certi cate-based rule option.

5. In the Certi cate-based rule window that opens:

a. Enter the name of the rule.

b. Select the Apply rule check box.

c. Select the Operator type: Use mask symbols or Use regular expressions.

d. Specify the mask or expression in the Operator eld.

e. Click OK.
345
 6. To edit a rule, select one rule in the list and click Modify.

7. Click the Save button in the Web Control rules window.

The new rules are applied.

Con guring category-based web control

To add or modify a Tra ic Security category-based rule:

1. Open the Web Control rules window.

2. Open the Categorization tab.

3. Select the Apply rules for web tra ic category control check box.
Category control settings become available.

4. Select or clear the following check boxes:

Allow access if the web page can not be categorized.

Allow access to legitimate web resources that can be used to damage your device.

Allow access to legitimate advertisement.

5. In the list of available categories:

Select the corresponding check box to allow a category.

The Type column changes to Allowing.

Clear the corresponding check box to block a category.

The Type column changes to Denying.

The list of categories is prede ned and cannot be modi ed (you cannot add or remove categories).

6. Click Save.

The rule con guration is saved.

Using the not-a-virus mask

To use the not-a-virus mask for category analysis:

1. In the Application Console tree, open the KSN Usage task settings.

2. Select the Send data about scanned URLs check box.

3. Start the KSN Usage task.

4. In the Tra ic Security settings window, select the Use KSN for protection check box.

346
 5. In the Web Control rules window, on the Categorization tab, select the Apply rules for web tra ic category
control check box.

6. In the list of categories, select the categories for which you want to apply the not-a-virus mask.
The Tra ic Security task will not detect objects corresponding to the mask in the selected categories.

Use of the not-a-virus mask is con gured in the Trusted Zone settings.

Adding URL-based rules

You can add a URL-based rule to deny or allow a speci c URL. These rules have higher priority than any other
conclusions.

To create a new URL-based rule:

1. Open the Web Control rules window.

2. On the Web Control tab, select the Apply URL-based rules check box to apply rules.

3. Click the Add button to add a new rule.

4. In the context menu of the Add button select the URL-based rule option.

5. In the URL-based rule window that opens:

a. Enter the name of the rule.

b. Select the Rule type: Denying or Allowing.

c. Select the Apply rule check box.

d. Specify the URL in the URL eld.

e. Click OK.

6. To edit a rule, select one rule in the list and click Modify.

7. Click the Save button in the Web Control rules window.

The new rules are applied.

Managing Tra ic Security via the Web Plug-in

In this section, you will learn how to navigate the Web Plug-in interface and con gure task settings on a protected
device.

1. In the main window of Web Console, select Devices → Policies & pro les.

2. Click the policy name you want to con gure.

347
3. In the <Policy name> window that opens select the Application settings tab.

4. Select the Real-time server protection section.

5. Click Settings in the Tra ic Security subsection.

6. Con gure the settings described in the table below.

Tra ic Security task settings

Tab Description

General You can select and con gure the task operation mode.

Malware You can con gure the heuristic analyzer and security level.
protection

URL and web You can con gure the anti-phishing and anti-virus scanning of URLs.
processing

Mail threat You can con gure the mail threat protection.
protection

Web Control You can con gure rules and manage settings for certi cate scanning and
category-based web control.

Categorization You can add or modify a Tra ic Security category-based rule.

Task management You can con gure settings to start the task on a schedule.

If you run Tra ic Security task in Driver Interceptor mode with the Intercept all option enabled, make sure to
con gure the Kaspersky Security Center Administration Server to use the default port (13299) for connection
with the Kaspersky Security Center Web Console (for more information, refer to Kaspersky Security Center
Online Help), or, if you use a custom port, make sure to add this port to the Tra ic Security task's list of
excluded ports. Otherwise, Tra ic Security blocks the connection from the Kaspersky Security Center Web
Console to the Kaspersky Security Center Administration Server.

348
Anti-Cryptor
This section contains information about the Anti-Cryptor task and how to con gure it.

About the Anti-Cryptor task

The Anti-Cryptor task makes it possible to detect malicious encrypting of network le resources on a protected
device from remote devices on the corporate network.

While the Anti-Cryptor task runs, Kaspersky Security for Windows Server scans remote devices' calls to access
les located in the shared folders of the protected device. If the application considers a remote device's actions
on network le resources to be malicious encrypting, then Kaspersky Security for Windows Server adds the locally
unique device's identi er (LUID) to the list of blocked hosts.

The Anti-Cryptor task can be performed in synchronous or asynchronous mode. By default, the Anti-Cryptor task
runs in asynchronous mode, and le operations are processed on several parallel threads. For more detailed
information about synchronous and asynchronous modes for processing le operations and about how to change
the mode used to process le operations, refer to the Kaspersky Knowledge Base.

Kaspersky Security for Windows Server does not consider activity to be malicious encrypting if the detected
encryption activity takes place in folders excluded from the scope of the Anti-Cryptor task.

By default, the application blocks a host's access to network le resources for 30 minutes.

The Anti-Cryptor task does not block access to network le resources until the host's activity is identi ed as
malicious. This can take some time, during which the encryption program may conduct malicious activity.

If the Anti-Cryptor task runs in Statistics only mode, Kaspersky Security for Windows Server only logs remote
devices' attempts at malicious encrypting in the task log.

Anti-Cryptor task statistics

If the Anti-Cryptor task is running, you can view real-time information about the number of objects processed by
Kaspersky Security for Windows Server since the task was started, i.e., task execution statistics.

To view Anti-Cryptor task statistics:

1. In the Application Console tree, expand the Real-time server protection node.

2. Select the Anti-Cryptor child node.

Task statistics are displayed in the Statistics section of the details pane of the selected node.

You can view information about objects processed by Kaspersky Security for Windows Server since the task was
started (see the table below).

The Anti-Cryptor task statistics

Field Description

Malicious encrypting Number of access attempts where Kaspersky Security for Windows Server

349
 attempts detected detected encryption activity.

Processing errors Number of application requests to the storage area that resulted in a task
error.

Objects processed Total number of access attempts processed by Kaspersky Security for
Windows Server.

Default Anti-Cryptor task settings

The Anti-Cryptor task uses the default settings described in the table below. You can change the values of these
settings.
Default Anti-Cryptor task settings

Setting Default value Description

Work Active The Anti-Cryptor task can be

mode started in Active or Statistics
only mode.

Protection Kaspersky Security for Windows Server applies the Anti- You can change the protection
area Cryptor task to all of the protected device's shared scope by specifying shared
folders by default. folders to which the task will apply.

Exclusions The exclusion list is applied and includes items added by Specify areas that you want to
Kaspersky experts. exclude from the task protection
scope.

Heuristic Heuristic Analyzer is enabled, and Kaspersky Security for You can enable or disable Heuristic
analyzer Windows Server applies Medium scanning depth. Analyzer, and regulate the level of
scanning depth.

Schedule By default, the rst start is not scheduled. The Anti- You can enable or disable Heuristic
settings Cryptor task does not start automatically when Analyzer and set the scanning
Kaspersky Security for Windows Server starts. depth.

Con guring the Anti-Cryptor task via the Administration Plug-in

To con gure Anti-Cryptor task settings, take the following steps:

1. Expand the Managed devices node in the Kaspersky Security Center Administration Console tree.

2. Select the administration group for which you want to con gure application settings.

3. Perform one of the following actions in the details pane of the selected administration group:

To con gure application settings for a group of protected devices, select the Policies tab and open the
Properties: <Policy name> window.

To con gure the application for a single protected device, select the Devices tab and open the Application
settings window.

If an active Kaspersky Security Center policy is applied to a device and blocks changes to application
settings, then these settings cannot be edited in the Application settings window.

350
4. In the Network activity control section, click the Settings button in the Anti-Cryptor subsection.
The Anti-Cryptor window opens.

5. In the window that opens, con gure the following settings:

Task mode and heuristic analyzer usage on the General tab.

Protection scope on the Protection scope tab.

Exclusions on the Exclusions tab.

Scheduled task start settings on the Task management tab.

6. Click OK.

Kaspersky Security for Windows Server immediately applies the new settings to the running task. The date and
time when the settings were modi ed and the values of task settings before and after modi cation are saved in
the system audit log.

General task settings

To con gure the general task settings:

1. Expand the Managed devices node in the Kaspersky Security Center Administration Console tree.

2. Select the administration group for which you want to con gure application settings.

3. Perform one of the following actions in the details pane of the selected administration group:

To con gure application settings for a group of protected devices, select the Policies tab and open the
Properties: <Policy name> window.

To con gure the application for a single protected device, select the Devices tab and open the Application
settings window.

If an active Kaspersky Security Center policy is applied to a device and blocks changes to application
settings, then these settings cannot be edited in the Application settings window.

4. In the Network activity control section, click the Settings button in the Anti-Cryptor subsection.
The Anti-Cryptor window opens.

5. In the Work mode section on the General tab, select Active mode.

6. Clear or select the Use heuristic analyzer check box.

7. If necessary, adjust the level of analysis using the slider .

8. Click OK to apply the new con guration.

351
Creating the protection scope
The following types of protection scopes can be applied in the Anti-Cryptor task:

Prede ned. You can use the default protection scope, which includes all the device's shared folders in the scan.
Applied if the All shared network folders on the server setting is selected.

User. You can manually con gure the protection scope by selecting the folders that need to be included in the
encryption protection scope. Applied if the Only speci ed shared folders setting is selected.

You can only use a local path to con gure the protection scope for the Anti-Cryptor task.

To con gure a protection scope for the Anti-Cryptor task:

1. Expand the Managed devices node in the Kaspersky Security Center Administration Console tree.

2. Select the administration group for which you want to con gure application settings.

3. Perform one of the following actions in the details pane of the selected administration group:

To con gure application settings for a group of protected devices, select the Policies tab and open the
Properties: <Policy name> window.

To con gure the application for a single protected device, select the Devices tab and open the Application
settings window.

If an active Kaspersky Security Center policy is applied to a device and blocks changes to application
settings, then these settings cannot be edited in the Application settings window.

4. In the Network activity control section, click the Settings button in the Anti-Cryptor subsection.
The Anti-Cryptor window opens.

5. On the Protection scope tab, select the folders that Kaspersky Security for Windows Server will scan when
executing the Anti-Cryptor task:

All shared network folders on the protected device .

Only speci ed shared folders .

6. To specify the device's shared folders, that you want to include in the encryption protection scope:

a. Select Only speci ed shared folders and click the Add button.
The Select folder to add window opens.

b. Click the Browse button to select a folder, or enter the folder manually.

c. Click OK.

7. Click OK in the Anti-Cryptor window.

352
 The speci ed settings are saved.

Adding exclusions
To add exclusions from the encryption protection scope, take the following steps:

1. Expand the Managed devices node in the Kaspersky Security Center Administration Console tree.

2. Select the administration group for which you want to con gure application settings.

3. Perform one of the following actions in the details pane of the selected administration group:

To con gure application settings for a group of protected devices, select the Policies tab and open the
Properties: <Policy name> window.

To con gure the application for a single protected device, select the Devices tab and open the Application
settings window.

If an active Kaspersky Security Center policy is applied to a device and blocks changes to application
settings, then these settings cannot be edited in the Application settings window.

4. In the Network activity control section, click the Settings button in the Anti-Cryptor subsection.
The Anti-Cryptor window opens.

5. On the Exclusions tab, select the Apply exclusion list check box.

6. Click the Add button.

The Select folder to add window opens.

7. Click the Browse button to select a folder, or enter the folder manually.

8. Click OK.

The excluded area will be added to the list.

Con guring the Anti-Cryptor task via the Application Console

To con gure Anti-Cryptor task settings take the following steps:

1. In the Application Console tree, expand the Real-time server protection node.

2. Select the Anti-Cryptor child node.

3. Click the Properties link in the details pane of the Anti-Cryptor node.
The Task settings window opens.

4. In the window that opens, con gure the following settings:

Work mode and heuristic analyzer usage on the General tab.

353
 Protection area on the Protection area tab.

Exclusions on the Exclusions tab.

Scheduled task start settings on the Schedule and Advanced tabs.

5. Click OK.

Kaspersky Security for Windows Server immediately applies the new settings to the running task. The date and
time when the settings were modi ed, and the values of task settings before and after modi cation are saved in
the system audit log.

General task settings

To con gure the general task settings:

1. In the Application Console tree, expand the Real-time server protection node.

2. Select the Anti-Cryptor child node.

3. Click the Properties link in the details pane of the Anti-Cryptor node.
The Task settings window opens.

4. In the Work mode section on the General tab, select Active mode.

5. Clear or select the Use heuristic analyzer check box.

6. If necessary, adjust the level of analysis using the slider .

7. Click OK to apply the new con guration.

Creating the protection scope

The following types of protection scopes are applied in the Anti-Cryptor task:

Prede ned. You can use the default protection scope, which includes all the device's shared network folders in
the scan. Applied if the All shared network folders on the protected device setting is selected.

User. You can manually con gure the protection scope by selecting the folders that need to be included in the
encryption protection scope. Applied if the Only speci ed shared folders setting is selected.

You can only use a local path to con gure the protection scope for the Anti-Cryptor task.

When using either a prede ned or user protection scope, you can exclude selected folders from the protection
scope, for example, if data in these folders is encrypted by programs installed on remote devices.

To con gure a protection scope for the Anti-Cryptor task:

354
 1. In the Application Console tree, expand the Real-time server protection node.

2. Select the Anti-Cryptor child node.

3. Click the Properties link in the details pane of the Anti-Cryptor node.
The Task settings window opens.

4. On the Protection area tab, select the folders that Kaspersky Security for Windows Server will scan when
executing the Anti-Cryptor task:

All shared network folders on the protected device .

Only speci ed shared folders .

5. To specify the protected device's shared folders that you want to include in the encryption protection scope,
use one of the following methods:

Manually:

a. Enter the name of the shared folder on a protected device.

b. Click the Add button.

The folder is added to the list.

Browse:

a. Click the Browse button.

The standard Microsoft Windows window opens.

b. Select the folder that you want to add to the protection scope of the task.

c. Click OK.

6. Click OK.

The speci ed settings are saved.

Adding exclusions
To con gure a protection scope for the Anti-Cryptor task:

1. In the Application Console tree, expand the Real-time server protection node.

2. Select the Anti-Cryptor child node.

3. Click the Properties link in the details pane of the Anti-Cryptor node.
The Task settings window opens.

4. On the Exclusions tab, select the Apply exclusion list check box.

5. Specify a folder name or a mask.

6. Click the Add button.

355
 7. If required, repeat steps 5 and 6 to add more exclusions.

8. Click OK in the Task settings window.

The protection scope exclusions will be added and applied.

Con guring the Anti-Cryptor task via the Web Plug-in

In this section, learn how to manage the Anti-Cryptor task via the Web Plug-in interface.

General task settings

To con gure the general task settings:

1. In the main window of Web Console, select Devices → Policies & pro les.

2. Click the policy name you want to con gure.

3. In the <Policy name> window that opens select the Application settings tab.

4. Select the Network activity control section.

5. Click Settings in the Anti-Cryptor subsection.

6. On the General tab, select Active mode.

7. In the Heuristic analyzer section, do one of the following:

Clear or select the Use Heuristic Analyzer check box.

If necessary, adjust the level of heuristic analysis .

8. Click OK to apply the new con guration.

Creating the protection scope

The following types of protection scopes are applied in the Anti-Cryptor task:

Prede ned. You can use the default protection scope, which includes all the device's shared network folders in
the scan. Applied if the All shared network folders on the server setting is selected.

User. You can manually con gure the protection scope by selecting the folders that need to be included in the
encryption protection scope. Applied if the Only speci ed shared folders setting is selected.

You can only use a local path to con gure the protection scope for the Anti-Cryptor task.

When using either a prede ned or user protection scope, you can exclude selected folders from the protection
scope, for example, if data in these folders is encrypted by programs installed on remote devices.
356
To con gure a protection scope for the Anti-Cryptor task:

1. In the main window of Web Console, select Devices → Policies & pro les.

2. Click the policy name you want to con gure.

3. In the <Policy name> window that opens select the Application settings tab.

4. Select the Network activity control section.

5. Click Settings in the Anti-Cryptor subsection.

6. On the Protection scope tab, select the folders that Kaspersky Security for Windows Server will scan when
executing the Anti-Cryptor task:

All shared network folders on the server .

Only speci ed shared folders .

7. To specify the device's shared folders, that you want to include in the encryption protection scope:

a. Select Only speci ed shared folders and click the Add button.

b. In the pane on the right specify the path to a folder.

c. Click OK.

8. Click OK to apply the new con guration.

The speci ed settings are saved.

Adding exclusions
To con gure Anti-Cryptor task settings take the following steps:

1. In the main window of Web Console, select Devices → Policies & pro les.

2. Click the policy name you want to con gure.

3. In the <Policy name> window that opens select the Application settings tab.

4. Select the Network activity control section.

5. Click Settings in the Anti-Cryptor subsection.

6. On the Exclusion list tab, select the Apply exclusion list check box.

7. Click the Add button.

8. In the pane on the right specify the path to a folder or a mask.

9. Click OK.

10. Click OK to apply the new con guration.

357
The protection scope exclusions will be added and applied.

358
Applications Launch Control
This section contains information about the Applications Launch Control task and how to con gure it.

About the Applications Launch Control task

When running the Applications Launch Control task, Kaspersky Security for Windows Server monitors user's
attempts to start applications and allows or denies start of these applications. The Applications Launch Control
task relies on the Default Deny principle, which means that any applications that are not allowed in the task
settings will be blocked automatically.

You can allow applications to start using one of the following methods:

Set allowing rules for trusted applications.

Check trusted applications reputation in KSN on launch.

The task gives top priority to denying the start of applications. For example, if an application is prevented from
starting by one of the blocking rules, the application start will be denied regardless of the trusted conclusion for
KSN. At that, if the application is not trusted by the KSN services but is included in the scope of an allowing rule,
the application start will be denied.

All attempts to start applications are recorded in the task log.

The Applications Launch Control task can operate in one of two modes:

Active. Kaspersky Security for Windows Server uses a set of rules to control the start of applications that fall
within the scope of the Applications Launch Control rules. The scope of the Applications Launch Control rules
is speci ed in the settings of this task. If an application falls within the scope of the Applications Launch
Control rules, and the task settings do not satisfy any speci ed rule, the application launch will be denied.
Launches of applications that do not fall within the scope of any rule speci ed in the Applications Launch
Control task settings are allowed regardless of the Applications Launch Control task settings.

The Applications Launch Control task cannot be started in Active mode if no rules have been created or
if there are more than 65,535 rules for one protected device.

Statistics only. Kaspersky Security for Windows Server does not use Applications Launch Control rules to
allow or deny the start of applications. Instead, it only records information about application starts, rules
satis ed by running applications, and actions that would have been performed if the task was running in Active
mode. All applications are allowed to start. This mode is set by default.
You can use this mode to create Applications Launch Control rules based on information recorded in the task
log.

You can con gure the Applications Launch Control task according to one of the following scenarios:

Advanced rule con guration and usage for Application Launch Control.

Basic rules con guration and KSN usage for Application Launch Control.

359
 If operating system les fall within the scope of the Applications Launch Control task, we recommend that
when creating Applications Launch Control rules you make sure that such applications are allowed by the
newly created rules. Otherwise, the operating system may fail to start.

Kaspersky Security for Windows Server also intercepts processes launched under the Windows Subsystem for
Linux (except for scripts run from the UNIX™ shell, or command line interpreters). For such processes, the
Applications Launch Control task applies the action de ned by the current con guration. The Rule Generator for
Applications Launch Control task detects application launches and generates corresponding rules for applications
running under the Windows Subsystem for Linux.

About Applications Launch Control rules

How Applications Launch Control rules work

The operation of Applications Launch Control rules is based on the following components:

Type of rule.
Applications Launch Control rules can allow or deny the start of application. Accordingly, they are called
allowing or denying rules. To create a list of allowing rules for Applications Launch Control, you can use the Rule
Generator for generating allowing rules or use the Applications Launch Control task in Statistics only mode.
You can also add allowing rules manually.

User and / or user group.

Applications Launch Control rules can control the start of speci ed applications by a user and / or user group.

Rule usage scope.

Applications Launch Control rules can be applied to executable les, scripts, and MSI packages.

Rule-triggering criterion.
Applications Launch Control rules control the launch of les that satisfy one of the criteria speci ed in the rule
settings: signed by the speci ed digital certi cate, matching the speci ed SHA256 hash, or located at the
speci ed path.
If Digital certi cate is set as the rule-triggering criterion, the created rule controls the start of all trusted
applications in the operating system. You can set stricter conditions for this criterion by selecting the following
check boxes:

Use subject

Use thumb

Thumbprints allow for the most restrictive triggering of application start rules based on a digital certi cate,
because a thumbprint uniquely identi es a digital certi cate and cannot be forged, unlike the subject of a
digital certi cate.

You can specify exclusions for Applications Launch Control rules. Exclusions to Applications Launch Control rules
are based on the same criteria used to trigger rules: digital certi cate, SHA256 hash, and le path. Exclusions to
Applications Launch Control rules may be required for certain allowing rules: for example, if you want to allow users
to start applications from the C:\Windows path, while blocking launch of the Regedit.exe le.

360
 If operating system les fall within the scope of the Applications Launch Control task, we recommend that
when creating Applications Launch Control rules you make sure that such applications are allowed by the
newly created rules. Otherwise, the operating system may fail to start.

Managing Applications Launch Control rules

You can perform the following actions with Applications Launch Control rules:

Add rules manually.

Generate and add rules automatically.

Remove rules.

Export rules to le.

Check selected les for rules that allow execution of these les.

Filter the rules in the list according to speci ed criterion.

About Software Distribution Control

Generating Applications Launch Control rules can be complicated if you also need to control software distribution
on a protected device, for example, on protected devices where installed software is periodically automatically
updated. In this case, the list of allowing rules must be updated after each software update for newly created les
to be considered in the Applications Launch Control task settings. To simplify launch control in software
distribution scenarios, you can use the Software Distribution Control subsystem.

A software distribution package (hereinafter referred to as “package”) represents a software application to be

installed on a protected device. Each package contains at least one application and may also contain individual
les, updates, or even an individual command, in addition to applications, particularly when you are installing a
software application or update.

The Software Distribution Control subsystem is implemented as an additional list of exclusions. When you add a
software distribution package to this list, the application allows these trusted packages to be decompressed and
allows software installed or modi ed by a trusted package to be started automatically. The extracted les can
inherit the trusted attribute of the primary distribution package. A primary distribution package is a package that
has been added to the list of Software Distribution Control exclusions by a user and has become a trusted
package.

Kaspersky Security for Windows Server controls only full software distribution cycles. The application cannot
correctly process the launch of les modi ed by a trusted package if, when the package is started for the rst
time, software distribution control is turned o or the Application Launch Control component is not installed.

Software distribution control is not available if the Apply rules to executable les check box is cleared in the
Applications Launch Control task settings.

361
Software distribution cache

Kaspersky Security for Windows Server uses a dynamically generated software distribution cache (“distribution
cache”) to establishes the relationship between trusted packages and les created during software distribution.
When a package is rst started, Kaspersky Security for Windows Server detects all les created by the package
during the software distribution process and stores le checksums and paths in the distribution cache. Then all
les in the distribution cache are allowed to start by default.

You cannot review, clear or manually modify the distribution cache via the user interface. The cache is populated
and controlled by Kaspersky Security for Windows Server.

You can export the distribution cache to a con guration le (XML format) and clear the cache using command line
options.

To export the distribution cache to a con guration le, execute the following command:

kavshell appcontrol /config /savetofile:<full path> /sdc

To clear the distribution cache, execute the following command:

kavshell appcontrol /config /clearsdc

Kaspersky Security for Windows Server updates the distribution cache every 24 hours. If the checksum of a
previously allowed le is changed, the application deletes the record for this le from the distribution cache. If the
Applications Launch Control task is started in Active mode, subsequent attempts to start this le will be blocked.
If the full path to the previously allowed le is changed, subsequent attempts to start this le will not be blocked,
because the checksum is stored within the distribution cache.

Processing the extracted les

All les extracted from a trusted package inherit the trusted attribute upon rst launch of the package. If you
clear the check box after rst launch, all les extracted from the package will retain the inherited attribute. To
reset the inherited attribute on all extracted les, you need to clear the distribution cache and clear the Allow
the further distribution of programs created from this distribution package check box before starting the
trusted distribution package again.

Extracted les and packages created by a trusted primary distribution package inherit the trusted attribute when
their checksums are added to the distribution cache when the software distribution package in the exclusion list is
opened for the rst time. Hence, the distribution package itself and all les extracted from this package will also be
trusted. By default, the number of levels of inheritance of the trusted attribute is unlimited.

Extracted les will retain the trusted attribute after the operating system restarts.

The processing of les is con gured in the Software Distribution Control settings by selecting or clearing the
Allow the further distribution of programs created from this distribution package check box.

For example, suppose you add a test.msi package containing several other packages and applications to the
exclusions list and select the check box. In this case, all packages and applications contained in the test.msi
package are allowed to run or be extracted if they contain other les. This scenario works for extracted les on all
nested levels.

362
If you add a test.msi package to the exclusions list and clear the Allow the further distribution of programs
created from this distribution package check box, the application will assign the trusted attribute only to the
packages and executable les extracted directly from the primary trusted package (on the rst level of nesting).
The checksums of such les are stored in the distribution cache. All les on the second level of nesting and beyond
will be blocked by the Default Deny principle.

Working with the Applications Launch Control rule list

The list of trusted packages of software distribution control subsystem is a list of exclusions, which ampli es, but
does not replace the general list of applications launch control rules.

Denying applications launch control rules have the highest priority: trusted package decompression and start of
new or modi ed les will be blocked, if these packages and les are a ected by the applications launch control
denying rules.

Software distribution control exclusions are applied both for trusted packages and les created or modi ed by
these packages, if no denying rules in the applications launch control list are applied for those packages and les.

Using KSN conclusions

KSN conclusions that a le is untrusted have a higher priority than the software distribution control exclusions:
decompression of trusted packages and start of les created or modi ed by these packages will be blocked if KSN
reports that these les are untrusted.

At that, after unpacking from a trusted package, all child les will be allowed to run regardless of KSN usage within
the Applications Launch Control scope. At that, states of Deny applications untrusted by KSN and Allow
applications trusted by KSN check boxes do not a ect the operation of the Allow the further distribution of
programs created from this distribution package check box.

About KSN usage for the Applications Launch Control task

To start the KSN Usage task, you must accept the KSN Statement.

If KSN data about an application’s reputation is used by the Applications Launch Control task, the KSN application
reputation is considered a criterion for allowing or denying launch of that application. If KSN reports to Kaspersky
Security for Windows Server that an application is untrusted when the user attempts to launch the application, the
application launch is denied. If KSN reports to Kaspersky Security for Windows Server that the application is
trusted when the user attempts to launch the application, the application launch is allowed. KSN can be used along
with Applications Launch Control rules or as an independent criterion for denying launch of applications.

Using KSN conclusions as independent criterion for denying application launch

This scenario lets you securely control application launches on a protected device without requiring advanced
con guration of the rule list.

You can apply KSN conclusions to Kaspersky Security for Windows Server together with the only speci ed rule.
The application will only allow the start of applications that are trusted in KSN or are allowed by a speci ed rule.

For such a scenario, we recommend that you set a rule allowing start of the application based on a digital
certi cate.

363
All other applications are denied in accordance with the Default Deny policy. Using KSN when no rules are applied
protects a device from applications that KSN considers to be a threat.

Using KSN conclusions simultaneously with Applications Launch Control rules

When using KSN conclusions simultaneously with Applications Launch Control rules, the following conditions apply:

Kaspersky Security for Windows Server always denies launch of an application if it is included in the scope of at
least one denying rule. If the application is considered trusted by KSN, the corresponding conclusion has a lower
priority and is not considered; the application launch will still be denied. This lets you expand the list of blocked
applications.

Kaspersky Security for Windows Server always denies the launch of an application if the launch of applications
not trusted in KSN is prohibited and the application is not trusted in KSN. If an allowing rule is set for the
application, it has a lower priority and is not considered; the application launch will still be denied. This protects
the device from applications that KSN considers to be a threat but were not considered during initial
con guration of the rules.

About Applications Launch Control rules generation

You can create lists of Applications Launch Control rules using Kaspersky Security Center tasks and policies
simultaneously for all protected devices and groups of protected devices on the corporate network. The scenarios
listed below are recommended if the corporate network does not have a reference machine and you are unable to
create a list of allowing rules based on applications installed on the template machine.

You can run the Rule Generator for Applications Launch Control task locally via the Application Console to
create a list of rules based on the applications running on a single protected device.

The Applications Launch Control component is installed with two preset allowing rules:

Allowing rule for scripts and Windows Installer packages with a certi cate trusted by the operating system.

Allowing rule for executable les with a certi cate trusted by the operating system.

You can create lists of Applications Launch Control rules on the side of Kaspersky Security Center in one of the
following ways:

Using a Rule Generator for Applications Launch Control group task.

Under this scenario, a group task generates its own list of Applications Launch Control rules for each protected
device on the network and saves those lists to an XML le in the speci ed shared folder. The XML le
generated by the Rule Generator for Applications Launch Control task contains the allowing rules speci ed in
task settings before the task starts.No rules will be created for applications that are not allowed to start in the
speci ed task settings. The start of such applications is denied by default. You can then manually import the
created list of rules into the Applications Launch Control task for the Kaspersky Security Center policy.
You can con gure the generated rules to be automatically imported into the list of rules for the Applications
Launch Control task.
This scenario is recommended when you need to quickly create lists of Applications Launch Control rules. We
recommend that you con gure the scheduled launch of the Rule Generator for Applications Launch Control
task only if the applied allowing rules include folders and les you know to be safe.

364
 Before using the Applications Launch Control task in the network, make sure that all protected devices
have access to a shared folder. If the organization's policy does not provide for the use of a shared folder
in the network, we recommend that you start the Rule Generator for Applications Launch Control task on
a protected device in the test protected devices group or on a template machine.

Based on a report of task events generated in Kaspersky Security Center by the Applications Launch Control
task running in Statistics only mode.
Under this scenario, Kaspersky Security for Windows Server does not deny the launch of applications. Instead,
with Applications Launch Control running in the Statistics only mode, it reports all allowed and denied
application launches across all network protected devices in the Events tab of the Administration Server
node's workspace in the Kaspersky Security Center. Kaspersky Security Center uses the reports to generate a
single list of events in which application launches were denied.
You need to con gure the task execution period so that all possible scenarios involving the protected devices
and protected device groups, and at least one protected device restart are performed during the speci ed
time period. After the end of the task execution period, you can import application launch data from the saved
Kaspersky Security Center event report (TXT format) and generate Applications Launch Control allowing rules
for such applications based on this data.
This scenario is recommended if a corporate network includes a large number of protected devices of di erent
type (with a di erent software installed).

Based on denied application launch events received through Kaspersky Security Center, without creating and
importing a con guration le.
To use this feature, the Applications Launch Control task on the protected device must be running under an
active Kaspersky Security Center policy. In this case, all events on the protected device are sent to the
Administration Server.

We recommend that you update the list of rules when the set of applications installed on network protected
devices changes (for example, when updates are installed or operating systems are reinstalled). We recommend
that you generate an updated list of rules by running the Rule Generator for Applications Launch Control task or
the Applications Launch Control task in Statistics only mode on protected devices in the test administration
group. The test administration group includes the protected devices required to test the launch of new
applications before they are installed on network protected devices.

XML les containing lists of allowing rules are created based on an analysis of tasks started on the protected
device. To account for all applications used on the network when generating lists of rules you are advised to
start the Rule Generator for Applications Launch Control task and the Applications Launch Control task in
Statistics only mode on a template machine.

Before generating allowing rules based on the applications launched on a reference machine, make sure that
the template machine is secure and there is no malware on it.

Before adding allowing rules, select one of the available rule application modes. The list of Kaspersky Security
Center policy rules displays only rules speci ed by the policy, regardless of the rule application mode. The local
rule list includes all applied rules — both local rules and rules added through a policy.

Default Applications Launch Control task settings

365
By default, the Applications Launch Control task has the settings described in the table below. You can change the
values of these settings.

Default Applications Launch Control task settings

Setting Default value Description

Task mode Statistics only. The task records You can select Active mode after the nal
denied launch events and allowed list of rules is generated.
launch events based on the set
rules. Application launch is not
actually denied.

Repeat action taken Applied You can repeat actions taken for the rst
for the rst le le launch on all the subsequent launches
launch on all the for this le.
subsequent launches
for this le

Deny the command Not applied. You can deny launch of command
interpreters launch interpreters with no command to execute.
with no command to
execute

Rules managing Replace local rules with policy You can select a mode in which rules
rules speci ed in a policy are applied together
with the rules on the protected device.

Rules usage scope The task controls the launch of You can specify the le types for which
executable les, scripts, and MSI launch is controlled by rules.
packages. It also monitors loading of
DLL modules.

KSN Usage KSN application reputation data is You can use KSN application reputation
not used. data when running the Applications Launch
Control task.

Automatically allow Not applied. You can allow software distribution using
software distribution the installers and applications speci ed in
for applications and the settings. By default, software
packages listed distribution is only allowed using the
Windows Installer service.

Always allow Applied (can be changed only when You can allow any software installation or
software distribution the Automatically allow software update if the operations are performed via
via Windows Installer distribution for applications and Windows Installer.
packages listed setting is enabled).

Always allow Not applied (can be changed only You can turn on or o automatic software
software distribution when the Automatically allow distribution using the System Center
via SCCM using the software distribution for Con guration Manager.
Background applications and packages listed
Intelligent Transfer setting is enabled).
Service

Task start First run is not scheduled. The Applications Launch Control task does
not start automatically at start of
Kaspersky Security for Windows Server. You
can start the task manually or con gure a
scheduled start.

Rule Generator for Applications Launch Control task default settings

Setting Default Value Description

366
 Pre x for Identical to the name of the You can change the pre x for names of allowing rules.
allowing protected device on which
rules names Kaspersky Security for Windows
Server is installed.

Allowing The scope of allowing rules You can change the protection scope by adding or
rules usage includes the following le removing folder paths and specifying the types of les
scope categories by default: that will be allowed to launch by the automatically
generated rules. You can also ignore running applications
Files with the EXE extension
when creating allowing rules.
located in the folders
C:\Windows, C:\Program Files
(x86) and C:\Program Files

MSI packages stored in the

C:\Windows folder

Scripts stored in the

C:\Windows folder
The task also creates rules for
all running applications,
regardless of their location
and format.

Criteria for The digital certi cate subject and You can use the SHA256 hash when generating allowing
generation thumbprint are used; rules are rules.
of allowing generated for all users and
You can select a user and group of users for which
rules groups of users.
allowing rules need to be automatically generated.

Actions Allowing rules are added to the You can add rules to the existing rules without merging
upon task list of Applications Launch them and without deleting duplicate rules, or replace
completion Control rules; new rules are existing rules with the new allowing rules, or con gure
merged with existing rules; export of the allowing rules to a le.
duplicate rules are removed.

Task launch The task is started under a You can allow the Rule Generator for Applications Launch
settings system account. Control task to start under a system account or using
with the permissions of a speci ed user.
permissions

Task start First run is not scheduled. The Rule Generator for Applications Launch Control task
schedule does not start automatically when Kaspersky Security
for Windows Server starts. You can start the task
manually or con gure a scheduled start.

Managing Applications Launch Control via the Administration Plug-in

In this section, learn how to navigate the Administration Plug-In interface and con gure task settings for one or all
protected devices on the network.

Navigation
Learn how to navigate to the required task settings via the chosen interface.

367
Opening policy settings for the Applications Launch Control task
To open the Applications Launch Control task settings via the Kaspersky Security Center policy:

1. Expand the Managed devices node in the Kaspersky Security Center Administration Console tree.

2. Select the administration group for which you want to con gure the task.

3. Select the Policies tab.

4. Double-click the policy name you want to con gure.

5. In the Properties: <Policy name> window that opens, select the Local activity control section.

6. Click the Settings button in the Applications Launch Control subsection.

The Applications Launch Control window opens.

Con gure the policy as required.

Opening the Applications Launch Control rules list

To open the Applications Launch Control rules list via the Kaspersky Security Center:

1. Expand the Managed devices node in the Kaspersky Security Center Administration Console tree.

2. Select the administration group for which you want to con gure the task.

3. Select the Policies tab.

4. Double-click the policy name you want to con gure.

5. In the Properties: <Policy name> window that opens, select the Local activity control section.

6. Click the Settings button in the Applications Launch Control subsection.

The Applications Launch Control window opens.

7. On the General tab, click the Rules list button.

The Applications Launch Control rules window opens.

Con gure the rules list as required.

Opening the Rule Generator for Applications Launch Control task wizard
and properties
To start creating a Rule Generator for Applications Launch Control task:

1. Expand the Managed devices node in the Kaspersky Security Center Administration Console tree.
368
 2. Select the administration group for which you want to con gure the task.

3. Select the Tasks tab.

4. Click Create a task button.

The New Task Wizard window opens.

5. Select the Rule Generator for Applications Launch Control task.

6. Click Next.
The Settings window opens.

To con gure the existing Rule Generator for Applications Launch Control task:

1. Expand the Managed devices node in the Kaspersky Security Center Administration Console tree.

2. Select the administration group for which you want to con gure the task.

3. Select the Tasks tab.

4. Double-click the task name in the list of Kaspersky Security Center tasks.
The Properties: Rule Generator for Applications Launch Control window opens.

See the Con guring the Rule Generator for Applications Launch Control task section for details on con guring
the task.

Con guring Applications Launch Control task settings

To con gure general Applications Launch Control task settings:

1. Open the Applications Launch Control window.

2. On the General tab, select the following settings in the Task mode section:

In the Task mode drop-down list, specify the task mode.

Clear or select the Repeat action taken for the rst le launch on all the subsequent launches for this
le check box.

Clear or select the Deny the command interpreters launch with no command to execute check box.

3. In the Rules managing section, con gure settings for applying rules:

a. Click the Rules list button to add allowing rules for the Applications Launch Control task.

Kaspersky Security for Windows Server does not recognize paths that contain slashes ("/"). Use
backslash ("\") to enter the path correctly.

b. Select the mode for applying rules:

Replace local rules with policy rules.

369
 The application applies the rule list speci ed in the policy for centralized application launch control on a
group of protected devices. Local rule lists cannot be created, edited, or applied.

Add policy rules to the local rules.

The application applies the rule list speci ed in a policy together with local rule lists. You can edit the local
rule lists using the Rule Generator for Applications Launch Control task.

By default, Kaspersky Security for Windows Server applies two preset rules that allow a list of scripts,
MSI packages, and executable les if these objects are signed with a trusted digital signature.

4. In the Rules usage scope section, specify the following settings:

Apply rules to executable les .

Monitor loading of DLL modules .

Controlling loading of DLL modules may a ect the performance of the operating system.

Apply rules to scripts and MSI packages .

5. In the KSN Usage group box, con gure the following application launch settings:

Deny applications untrusted by KSN .

Allow applications trusted by KSN .

Users and / or user groups allowed to launch applications trusted in KSN.

6. On the Software Distribution Control tab, con gure the settings for software distribution control.

7. On the Task management tab, con gure the scheduled task start settings.

8. Click OK in the Applications Launch Control window.

Kaspersky Security for Windows Server immediately applies the new settings to the running task. Information
about the date and time when the settings were modi ed, and the values of task settings before and after
modi cation, are saved in the system audit log.

Con guring Software Distribution Control

To add a trusted distribution package:

1. Open the Applications Launch Control window.

2. On the Software Distribution Control tab, select the Automatically allow software distribution for applications
and packages listed check box.

You can select the Automatically allow software distribution for applications and packages listed, if the
Apply rules to executable les check box in the General tab is selected in the Applications Launch
Control task settings.

370
3. Clear the Always allow software distribution via Windows Installer check box if required.

Clearing the Always allow software distribution via Windows Installer check box is only recommended if
it is absolutely necessary. Turning o this function may cause issues with updating operating system les
and also prevent the launch of les extracted from a distribution package.

4. If required, select the Always allow software distribution via SCCM using the Background Intelligent
Transfer Service check box.

The application controls the software distribution cycle on the protected device — from package delivery
to installation or update. The application does not control processes if any stage of distribution was
performed before installation of the application on the protected device.

5. To edit the list of trusted distribution packages, click Change packages list and select one of the following
methods in the window that opens:

Add one distribution package.

a. Click the Browse button.

b. Select the executable le or distribution package.

The Trusting criteria section is automatically populated with data about the selected le.

c. Clear or select the Allow the further distribution of programs created from this distribution package
check box.

d. Select one of two available options for criteria to use to determine whether a le or distribution package
is trusted:

Use digital certi cate

Use SHA256 hash

Add several packages by hash.

You can select an unlimited number of executable les and distribution packages, and add them to the
list all at the same time. Kaspersky Security for Windows Server examines the hash and allows the
operating system to launch the speci ed les.

Change selected package.

Use this option to select a di erent executable le or distribution package, or to change the trust criteria.

Import distribution packages list from le .

In the Open window, specify the con guration le containing a list of trusted distribution packages.

6. If you want to remove a previously added application or distribution package for the trusted list, click the
Delete distribution packages button. Extracted les will be allowed to run.

To prevent extracted les from starting, uninstall the application on the protected device or create a
denying rule in the Applications Launch Control task settings.

371
 7. Click OK.

Your newly con gured settings are saved.

Con guring the Rule Generator for Applications Launch Control task
To con gure the Rule Generator for Applications Launch Control task:

1. Open the Properties: Rule Generator for Applications Launch Control window.

2. In the Noti cation section, con gure the task event noti cation settings.

For detailed information regarding con guring settings in this section, see the Kaspersky Security Center
Help.

3. In the Settings section, you can con gure the following settings:

Add pre x for rule names.

Select how to create allowing rules:

Create allowing rules based on running applications

Create allowing rules for applications from the folders

4. In the Options section, you can specify actions to perform while creating allowing rules for applications launch
control:

Use digital certi cate

Use digital certi cate subject and thumbprint

If the certi cate is missing, use

SHA256 hash. The checksum of the le used to generate the rule is set as a criterion for triggering the
allowing rule for Applications Launch Control. The application will allow start of programs launched using
les with the speci ed checksum.

path to le. The path to the le used to generate the rule is set as a criterion for triggering the allowing
rule for Applications Launch Control. The application will now allow start of programs launched using les
located in the folders speci ed in the Create allowing rules for applications from the folders table in
the Settings section.

Use SHA256 hash

Generate rules for user or group of users .

You can con gure settings for con guration les with allowing rules lists that Kaspersky Security for Windows
Server creates upon the task completion.

5. Con gure the task schedule in the Schedule section (you can con gure a schedule for all task types except
Rollback of Database Update).

372
 6. In the Account section, specify the account whose rights will be used to run the task.

7. If required, specify the objects to exclude from the task scope in the Exclusions from task scope section.

For detailed information regarding con guring settings in these sections, see the Kaspersky Security
Center Help.

8. In the Properties: <Task name> window, click OK.

The newly con gured group task settings are saved.

Con guring Applications Launch Control rules via the Kaspersky Security
Center
Learn how to generate a list of rules based on various criteria or manually create allowing or denying rules using the
Application Launch Control task.

Adding an Applications Launch Control rule

To add an Applications Launch Control rule:

1. Open the Applications Launch Control rules window.

2. Click the Add button.

3. In the context menu of the button, select Add one rule.

The Rule settings window opens.

4. Specify the following settings:

a. In the Name eld, enter the name of the rule.

b. In the Type drop-down list, select the rule type:

Allowing if you want the rule to allow launch of applications in accordance with the criteria speci ed in
the rule settings.

Denying if you want the rule to block launch of applications in accordance with the criteria speci ed in
the rule settings.

c. In the Scope drop-down list, select the type of les whose execution will be controlled by the rule:

Executable les if you want the rule to control launch of executable les.

Scripts and MSI packages if you want the rule to control launch of scripts and MSI packages.

d. In the User or user group eld, specify the users who will be allowed or not allowed to start programs based
on the type of rule. To do this, perform the following actions:

373
 1. Click the Browse button.

2. The standard Microsoft Windows Select user or groups window opens.

3. Specify the list of users and/or user groups.

4. Click OK.

e. If you want to take the values of the rule-triggering criteria listed in the Rule triggering criterion section
from a speci c le:

1. Click the Set rule triggering criterion from le properties button.

The standard Microsoft Windows Open window opens.

2. Select the le.

3. Click the Open button.

The criteria values in the le are displayed in the elds in the Rule triggering criterion group box. The
criterion for which data are available in the le properties is selected by default.

f. In the Rule triggering criterion group box, select one of the following options:

Digital certi cate if you want the rule to control the start of applications launched using les signed with
a digital certi cate:

Select the Use subject check box if you want the rule to control the launch of les signed with a
digital certi cate only with the speci ed header.

Select the Use thumb check box if you want the rule to only control the launch of les signed with a
digital certi cate with the speci ed thumbprint.

SHA256 hash if you want the rule to control the start of programs launched using les whose checksum
matches the one speci ed.

Path to le if you want the rule to control the start of programs launched using les located at the
speci ed path.

Kaspersky Security for Windows Server does not recognize paths that contain slashes ("/"). Use
backslash ("\") to enter the path correctly.

When specifying the objects, you can use le masks (via ? and * characters) and the following types
of environment variables: %WINDIR%, %SYSTEM32%, %OSDRIVE%, %PROGRAMFILES%.

g. If you want to add rule exclusions:

1. In the Exclusions from rule section, click the Add button.

The Exclusion from rule window opens.

2. In the Name eld, enter the name of the exclusion.

3. Specify the settings for exclusion of application les from the Applications Launch Control rule. You can
ll out the settings elds from the le properties by clicking the Set exclusion based on le properties
button.
374
 Digital certi cate

Use subject

Use thumb

SHA256 hash

Path to le

4. Click OK.

5. If necessary, repeat steps (i)-(iv) to add additional exclusions.

5. Click OK in the Rule settings window.

The created rule is displayed in the list in the Applications Launch Control rules window.

Enabling the Default Allow mode

Default Allow mode allows all applications to start if they are not blocked by rules or by a conclusion from KSN that
they are not trusted. Default Allow mode can be enabled by adding speci c allowing rules. You can enable Default
Allow for only scripts or for all executable les.

To add a Default Allow rule:

1. Open the Applications Launch Control rules window.

2. Click the Add button and, in the button’s context menu, select Add one rule.
The Rule settings window opens.

3. In the Name eld, enter the name of the rule.

4. In the Type drop-down list, select the Allowing rule type.

5. In the Scope drop-down list, select the type of les whose execution will be controlled by the rule:

Executable les if you want the rule to control the launch of executable les.

Scripts and MSI packages if you want the rule to control the launch of scripts and MSI packages.

6. In the Rule triggering criterion group box, select the Path to le option.

7. Enter the following mask: ?:\

8. Click OK in the Rule settings window.

Kaspersky Security for Windows Server applies the Default Allow mode.

Creating allowing rules from Kaspersky Security Center events

To generate allowing rules for applications from Kaspersky Security Center events in Applications Launch Control:

375
1. Open the Applications Launch Control rules window.

2. Click the Add button and, in the button’s context menu, select Create allowing rules for applications from
Kaspersky Security Center events.

3. Select the principle for adding the rules to the list of previously created Application Launch Control rules:

Add to existing rules if you want to add the imported rules to the list of existing rules. Rules with identical
settings are duplicated.

Replace existing rules if you want to replace the existing rules with the imported rules.

Merge with existing rules if you want to add the imported rules to the list of existing rules. Rules with
identical settings are not added; the rule is added if at least one rule parameter is unique.

The Applications launch control rules generation window opens.

4. Con gure the following request settings:

Administration Server address

Port

User

Password

5. Select the types of events that you want the rule generation task to use:

Statistics only mode: application launch denied.

Application launch denied.

6. Select the time period from the Request events that were generated within the period drop-down list.

7. Select or clear the Prioritize the use of hash when generating rules check box.

If the check box is selected, Kaspersky Security for Windows Server uses the checksum of the le to
generate the rule when both the checksum and the certi cate of the le are available.

If the check box is cleared, Kaspersky Security for Windows Server uses the digital certi cate of the le to
generate the rule when both the checksum and the certi cate of the le are available.

8. Click the Generate rules button.

9. Click the Save button in the Applications Launch Control rules window.
The rule list in the Applications Launch Control task will be populated with new rules generated based on
system data from the protected device with the Kaspersky Security Center Administration Console installed.

If the list of Application Launch Control rules is already speci ed in the policy, Kaspersky Security for
Windows Server adds the selected rules from the blocking events to the already speci ed rules. Rules with
the same hash are not added, because all rules in the list must be unique.

376
Importing rules from a Kaspersky Security Center report on blocked
applications
You can import data on blocked application launches from a report generated in Kaspersky Security Center after
the Applications Launch Control task is run in Statistics only mode and use this data to generate a list of
Applications Launch Control allowing rules in the policy being con gured.

When generating a report on events occurring during the Applications Launch Control task, you can keep track of
the applications whose launch is blocked.

When importing data from a report on blocked applications into policy settings, make sure that the list you are
using contains only applications whose launch you want to allow.

To specify Applications Launch Control allowing rules for a group of protected devices based on a blocked
applications report from Kaspersky Security Center:

1. Open the Applications Launch Control window.

2. In the Task mode section, select Statistics only mode.

3. In the policy properties in the Event noti cation section, make sure that:

For Critical Events, the task log retention period for Application launch denied events exceeds the
planned period for running the task in Statistics only mode (the default value is 30 days).

For events with an importance level of Warning, the task log retention period for Statistics only mode:
application launch denied events exceeds the planned period for running the task in Statistics only mode
(the default value is 30 days).

When the retention period for events elapses, information about the logged events is deleted and is
not re ected in the report le. Before running the Applications Launch Control task in Statistics only
mode, make sure that the task run time does not exceed the con gured period for the speci ed events.

4. When the task has nished, export the logged events to a TXT le:

a. In the workspace of the Administration Server node in Kaspersky Security Center, select the Events tab.

b. Click the Create a selection button to create a selection of events based on the Blocked criterion to view
the applications whose start will be blocked by the Applications Launch Control task.

c. In the details pane of the selection, click Export events to le list to save the blocked application starts
report to a TXT le.

Before importing and applying the generated report in a policy, make sure that the report only contains
data on the applications whose start you want to allow.

5. Import data on blocked application starts into the Applications Launch Control task. To do so, in the policy
properties in the Applications Launch Control task settings:

377
 a. On the General tab, click the Rules list button.
The Applications Launch Control rules window opens.

b. Click the Add button and, in the button’s context menu, select Import data of blocked applications from
Kaspersky Security Center report.

c. Select the principle for adding rules from the list created based on a Kaspersky Security Center report to
the list of previously con gured Applications Launch Control rules:

Add to existing rules if you want to add the imported rules to the list of existing rules. Rules with
identical settings are duplicated.

Replace existing rules if you want to replace the existing rules with the imported rules.

Merge with existing rules if you want to add the imported rules to the list of existing rules. Rules with
identical settings are not added; the rule is added if at least one rule parameter is unique.

d. In the standard Microsoft Windows window that opens, select the TXT le to which events from the blocked
application launch report have been exported.

e. Click Save in the Applications Launch Control rules window.

Rules created based on the Kaspersky Security Center report on blocked applications are added to the list of
Applications Launch Control rules.

Importing Applications Launch Control rules from an XML le

You can import reports generated by the Rule Generator for Applications Launch Control group task and apply
them as a list of allowing rules in the policy you are con guring.

When the Rule Generator for Applications Launch Control group task nishes, the application exports the created
allowing rules into XML les saved in the speci ed shared folder. Each le with a rule list is created by analyzing les
executed and applications launched on each separate protected device on the corporate network. The lists
contain allowing rules for les and applications whose type matches the type speci ed in the Rule Generator for
Applications Launch Control group task.

To specify Applications Launch Control allowing rules for a group of protected devices based on an automatically
generated list of allowing rules:

1. On the Tasks tab in the detail pane of the group of protected devices you are con guring, create a Rule
Generator for Applications Launch Control group task or select an existing task.

2. In the properties of the created Rule Generator for Applications Launch Control group task or in the task
wizard, specify the following settings:

In the Noti cation section, con gure the settings for saving the task execution report.

For detailed instructions on con guring settings in this section, see the Kaspersky Security Center
Help.

In the Settings section, specify the types of applications whose start will be allowed by the rules that are
created. You can edit the set of folders containing allowed applications: exclude default folders from the
task scope or add new folders manually.

378
 In the Options section, specify the operations to be performed by the task while it is running and after it is
nished. Specify the rule-generating criterion and the name of the le to which the generated rules will be
exported.

In the Schedule section, con gure the task start schedule settings.

In the Account section, specify the user account under which the task will be executed.

In the Exclusions from task scope section, specify the groups of protected devices to be excluded from
the task scope.

Kaspersky Security for Windows Server does not create allowing rules for applications launched on
excluded protected devices.

3. On the Tasks tab on the detail pane of the group of protected devices being con gured, in the list of group
tasks select the Rule Generator for Applications Launch Control task that you have created, and click the Start
button to start the task.
When the task is nished, the automatically generated lists of allowing rules are saved in XML les in a shared
folder.

Before using the Applications Launch Control task in the network, make sure that all protected devices
have access to a shared folder. If the organization’s policy does not provide for the use of a shared folder
in the network, we recommend that you start the Rule Generator for Applications Launch Control task on
a protected device in the test protected devices group or on a reference machine.

4. To add the generated lists of allowing rules to the Applications Launch Control task:

a. Open the Applications Launch Control rules window.

b. Click the Add button and in the list that opens select Import rules from XML le.

c. Select the principle for adding the automatically generated allowing rules to the list of previously created
Applications Launch Control rules:

Add to existing rules if you want to add the imported rules to the list of existing rules. Rules with
identical settings are duplicated.

Replace existing rules if you want to replace the existing rules with the imported rules.

Merge with existing rules if you want to add the imported rules to the list of existing rules. Rules with
identical settings are not added; the rule is added if at least one rule parameter is unique.

d. In the standard Microsoft Windows window that opens, select XML les created after completion of the
Rule Generator for Applications Launch Control group task.

e. Click Save in the Applications Launch Control rules window.

5. If you want to apply the created rules to control the launch of application, in the policy in the properties of the
Applications Launch Control task, select the Active mode for the task.

Allowing rules automatically generated based on task runs on each separate protected device are applied to all
network protected devices covered by the policy being con gured. On these protected devices, the application
will allow the launch of only those applications for which allowing rules have been created.

379
Checking application launches
Before applying the con gured Applications Launch Control rules, you can test any application to determine which
Applications Launch Control rules are triggered by that application.

By default, Kaspersky Security for Windows Server denies the launch of applications whose launch is not allowed
by a single rule. To avoid the denial of the launch of important applications, you need to create allowing rules for
them.

If the launch of an application is controlled by several rules of di erent types, denying rules are given priority: the
launch of an application will be denied if it falls under even one denying rule.

To test Applications Launch Control rules:

1. Open the Applications Launch Control rules window.

2. In the window that opens, click the Show rules for the le button.
The standard Microsoft Windows window opens.

3. Select the le whose start control you want to test.

The path to the speci ed le is displayed in the search eld. The list contains all rules that will be triggered when
the selected le is started.

Creating a Rule Generator for Applications Launch Control task

To create and con gure the Rule Generator for Applications Launch Control task settings:

1. Open the Settings window in the New Task Wizard.

2. Con gure the following:

Specify Pre x for rule names .

Con gure the allowing-rules usage scope.

3. Click Next.

4. Specify the actions that must be performed by Kaspersky Security for Windows Server:

When generating allowing rules.

Upon task completion.

5. In the Schedule window, set the scheduled task start settings.

6. Click Next.

7. In the Selecting an account to run the task window, specify the account you want to use.

8. Click Next.

380
 9. Specify a task name.

10. Click Next.

The task name should be no longer than 100 characters and cannot contain the following symbols: " * < > & \
:|

The Finish creating the task window opens.

11. You can optionally run the task after the Wizard nishes by selecting the Run task after Wizard nishes check
box.

12. Click Finish to nish creating the task.

To con gure an existing rule in Kaspersky Security Center,

open the Properties: Rule Generator for Applications Launch Control window and adjust the settings
described above.

Information about the date and time when the settings were modi ed, and the values of task settings before and
after modi cation, are saved in the system audit log.

Restricting the task usage scope

To restrict the scope of the Rule Generator for Applications Launch Control task:

1. Open the Properties: Rule Generator for Applications Launch Control window.

2. Select how to create allowing rules:

Create allowing rules based on running applications

Create allowing rules for applications from the folders

3. Click OK.

The speci ed settings are saved.

Actions to perform during automatic rule generation

To con gure the actions that Kaspersky Security for Windows Server while the Rule Generator for Applications
Launch Control task is running:

1. Open the Properties: Rule Generator for Applications Launch Control window.

2. Open the Options tab.

3. In the While generating allowing rules section, con gure the following settings:

381
 Use digital certi cate

Use digital certi cate subject and thumbprint

If the certi cate is missing, use

SHA256 hash. The checksum of the le used to generate the rule is set as a criterion for triggering the
allowing rule for Applications Launch Control. The application will allow start of programs launched using
les with the speci ed checksum.

path to le. The path to the le used to generate the rule is set as a criterion for triggering the allowing
rule for Applications Launch Control. The application will now allow start of programs launched using les
located in the folders speci ed in the Create allowing rules for applications from the folders table in
the Settings section.

Use SHA256 hash

Generate rules for user or group of users .

4. Click OK.

The speci ed settings are saved.

Actions to perform upon completion of automatic rule generation

To con gure the actions to be taken by Kaspersky Security for Windows Server after the Rule Generator for
Applications Launch Control task is nished:

1. Open the Properties: Rule Generator for Applications Launch Control window.

2. Open the Options tab.

3. In the After task completes section, con gure the following settings:

Add allowing rules to the list of Applications Launch Control rules .

Principle of adding .

Export allowing rules to le.

Add server details to le name .

4. Click OK.

The speci ed settings are saved.

Managing Applications Launch Control via the Application Console

In this section, you will learn how to navigate the Application Console interface and con gure task settings on a
protected device.

382
Navigation
Learn how to navigate to the required task settings via the chosen interface.

Opening the Applications Launch Control task settings

To open the Applications Launch Control general task settings via the Application Console:

1. In the Application Console tree, expand the Server Control node.

2. Select the Applications Launch Control child node.

3. In the details pane of the Applications Launch Control child node, click the Properties link.
The Task settings window opens.

Opening the Applications Launch Control rules window

To open the Applications Launch Control rule list via the Application Console:

1. In the Application Console tree, expand the Server Control node.

2. Select the Applications Launch Control child node.

3. In the details pane of the Applications Launch Control node, click the Applications Launch Control rules link.
The Applications Launch Control rules window opens.

4. Con gure the rules list as required.

Opening the Rule Generator for Applications Launch Control task settings
To con gure the Rule Generator for Applications Launch Control task:

1. In the Application Console tree, expand the Automated rule generators node.

2. Select the Rule Generator for Applications Launch Control child node.

3. In the details pane of the Rule Generator for Applications Launch Control child node, click the Properties link.
The Task settings window opens.

4. Con gure the task as required.

Con guring Applications Launch Control task settings

383
To con gure general Applications Launch Control task settings:

1. Open the Task settings window.

2. Con gure the following task settings:

On the General tab:

Applications Launch Control task mode.

Rule usage scope in the task.

KSN Usage.

Software Distribution Control settings on the Software Distribution Control tab.

Task start schedule settings on the Schedule and Advanced tabs.

3. Click OK in the Task settings window.

The modi ed settings are saved.

Kaspersky Security for Windows Server immediately applies the new settings to the running task. Information
about the date and time when the settings were modi ed, and the values of task settings before and after
modi cation, are saved in the system audit log.

Selecting the mode of the Applications Launch Control task

To con gure the mode of the Applications Launch Control task:

1. Open the Task settings window.

2. On the General tab, in the Task mode drop-down list, specify the task mode.

3. Clear or select the Repeat action taken for the rst le launch on all the subsequent launches for this le
check box.

Kaspersky Security for Windows Server creates a new list of cached events every time the Applications
Launch Control task settings are modi ed. This means that Applications Launch Control is performed
according to the current security settings.

4. Clear or select the Deny the command interpreters launch with no command to execute .

5. Click OK in the Task settings window.

The speci ed settings are saved.

All attempts to start applications are recorded in the task log.

384
Con guring the scope of the Applications Launch Control task
To de ne the scope of the Applications Launch Control task:

1. Open the Task settings window.

2. On the General tab, in the Rules usage scope section, specify the following settings:

Apply rules to executable les

Monitor loading of DLL modules

Controlling loading of DLL modules may a ect the performance of the operating system.

Apply rules to scripts and MSI packages

3. Click OK in the Task settings window.

The speci ed settings are saved.

Con guring KSN usage

To con gure the use of KSN services for the Applications Launch Control task:

1. Open the Task settings window.

2. On the General tab, in the KSN Usage section, specify the settings for use of KSN services:

If necessary, select the Deny applications untrusted by KSN check box.

If necessary, select the Allow applications trusted by KSN check box.

If the Allow applications trusted by KSN check box is selected, indicate the users and/or groups of users
allowed to start applications trusted in KSN. To do this, perform the following actions:

a. Click the Edit button.

The standard Microsoft Windows Select users or groups window opens.

b. Specify the list of users and/or user groups.

c. Click OK.

3. Click OK in the Task settings window.

The speci ed settings are saved.

Software Distribution Control

385
To add a trusted distribution package:

1. Open the Task settings window.

2. On the Software Distribution Control tab, select the Automatically allow software distribution for
applications and packages listed check box.

You can select the Automatically allow software distribution for applications and packages listed, if the
Apply rules to executable les check box in the General tab is selected in the Applications Launch
Control task settings.

3. Clear the Always allow software distribution via Windows Installer check box if required.

Clearing the Always allow software distribution via Windows Installer check box is only recommended if
it is absolutely necessary. Turning o this function may cause issues with updating operating system les
and also prevent the launch of les extracted from a distribution package.

4. If required, select the Always allow software distribution via SCCM using the Background Intelligent
Transfer Service check box.

The application controls the software distribution cycle on the protected device — from package delivery
to installation or update. The application does not control processes if any stage of distribution was
performed before installation of the application on the protected device.

5. To edit the list of trusted distribution packages, click Change packages list and select one of the following
methods in the window that opens:

Add one distribution package.

a. Click the Browse button.

b. Select the executable le or distribution package.

The Trusting criteria section is automatically populated with data about the selected le.

c. Clear or select the Allow the further distribution of programs created from this distribution package
check box.

d. Select one of two available options for criteria to use to determine whether a le or distribution package
is trusted:

Use digital certi cate

Use SHA256 hash

Add several packages by hash.

You can select an unlimited number of executable les and distribution packages, and add them to the
list all at the same time. Kaspersky Security for Windows Server examines the hash and allows the
operating system to launch the speci ed les.

386
 Change selected package.
Use this option to select a di erent executable le or distribution package, or to change the trust criteria.

Import distribution packages list from le .

In the Open window, specify the con guration le containing a list of trusted distribution packages.

6. If you want to remove a previously added application or distribution package for the trusted list, click the
Delete distribution packages button. Extracted les will be allowed to run.

To prevent extracted les from starting, uninstall the application on the protected device or create a
denying rule in the Applications Launch Control task settings.

7. Click OK.

Your newly con gured settings are saved.

Con guring Applications Launch Control rules

Learn how to generate, import and export a list of rules, or manually create allowing or denying rules using the
Application Launch Control task.

Adding an Applications Launch Control rule

To add an Applications Launch Control rule:

1. Open the Applications Launch Control rules window.

2. Click the Add button.

3. In the context menu of the button, select Add one rule.

The Rule settings window opens.

4. Specify the following settings:

a. In the Name eld, enter the name of the rule.

b. In the Type drop-down list, select the rule type:

Allowing if you want the rule to allow launch of applications in accordance with the criteria speci ed in
the rule settings.

Denying if you want the rule to block launch of applications in accordance with the criteria speci ed in
the rule settings.

c. In the Scope drop-down list, select the type of les whose execution will be controlled by the rule:

Executable les if you want the rule to control launch of executable les.

Scripts and MSI packages if you want the rule to control launch of scripts and MSI packages.

387
d. In the User or user group eld, specify the users who will be allowed or not allowed to start programs based
on the type of rule. To do this, perform the following actions:

1. Click the Browse button.

2. The standard Microsoft Windows Select user or groups window opens.

3. Specify the list of users and/or user groups.

4. Click OK.

e. If you want to take the values of the rule-triggering criteria listed in the Rule triggering criterion section
from a speci c le:

1. Click the Set rule triggering criterion from le properties button.

The standard Microsoft Windows Open window opens.

2. Select the le.

3. Click the Open button.

The criteria values in the le are displayed in the elds in the Rule triggering criterion group box. The
criterion for which data are available in the le properties is selected by default.

f. In the Rule triggering criterion group box, select one of the following options:

Digital certi cate if you want the rule to control the start of applications launched using les signed with
a digital certi cate:

Select the Use subject check box if you want the rule to control the launch of les signed with a
digital certi cate only with the speci ed header.

Select the Use thumb check box if you want the rule to only control the launch of les signed with a
digital certi cate with the speci ed thumbprint.

SHA256 hash if you want the rule to control the start of programs launched using les whose checksum
matches the one speci ed.

Path to le if you want the rule to control the start of programs launched using les located at the
speci ed path.

Kaspersky Security for Windows Server does not recognize paths that contain slashes ("/"). Use
backslash ("\") to enter the path correctly.

When specifying the objects, you can use le masks (via ? and * characters) and the following types
of environment variables: %WINDIR%, %SYSTEM32%, %OSDRIVE%, %PROGRAMFILES%.

g. If you want to add rule exclusions:

1. In the Exclusions from rule section, click the Add button.

The Exclusion from rule window opens.

2. In the Name eld, enter the name of the exclusion.

388
 3. Specify the settings for exclusion of application les from the Applications Launch Control rule. You can
ll out the settings elds from the le properties by clicking the Set exclusion based on le properties
button.

Digital certi cate

Use subject

Use thumb

SHA256 hash

Path to le

4. Click OK.

5. If necessary, repeat steps (i)-(iv) to add additional exclusions.

5. Click OK in the Rule settings window.

The created rule is displayed in the list in the Applications Launch Control rules window.

Enabling the Default Allow mode

Default Allow mode allows all applications to start if they are not blocked by rules or by a conclusion from KSN that
they are not trusted. Default Allow mode can be enabled by adding speci c allowing rules. You can enable Default
Allow for only scripts or for all executable les.

To add a Default Allow rule:

1. Open the Applications Launch Control rules window.

2. Click the Add button.

3. In the context menu of the button, select Add one rule.

The Rule settings window opens.

4. In the Name eld, enter the name of the rule.

5. In the Type drop-down list, select the Allowing rule type.

6. In the Scope drop-down list, select the type of les whose execution will be controlled by the rule:

Executable les if you want the rule to control the launch of executable les.

Scripts and MSI packages if you want the rule to control the launch of scripts and MSI packages.

7. In the Rule triggering criterion group box, select the Path to le option.

8. Enter the following mask: ?:\

9. Click OK in the Rule settings window.

Kaspersky Security for Windows Server applies the Default Allow mode.

389
Creating allowing rules from Applications Launch Control task events
To create a con guration le that contains allowing rules generated from Applications Launch Control task events:

1. Start the Applications Launch Control task in Statistics only mode to record information about all applications
launches on a protected device in the task log.

2. After the task nishes running in Statistics only mode, open the task log by clicking the Open task log button
in the Management section of the Applications Launch Control node's detail pane.

3. In the Logs window, click Generate rules based on events.

Kaspersky Security for Windows Server will generate an XML con guration le containing a rule list based on
events of the Applications Launch Control task in Statistics only mode. You can apply this rule list in the
Applications Launch Control task.

Before applying the rule list generated from the logged task events, we recommend that you review and
manually process the list to be certain that the launch of critical les (for example, system les) is allowed by
the speci ed rules.

All task events are recorded in the task log regardless of the task mode. You can generate a con guration le with
a rule list based on the log created while the task is running in Active mode. This scenario is not recommended
except for urgent cases, because a nal rule list must be generated before the task is run in Active mode in order
to make it e icient.

Exporting Applications Launch Control rules

To export Applications Launch Control rules to a con guration le:

1. Open the Applications Launch Control rules window.

2. Click the Export to a le button.

The standard Microsoft Windows window opens.

3. In the window that opens, specify the le to which you want to export the rules. If no such le exists, it will be
created. If a le with the speci ed name already exists, its contents will be overwritten when the rules are
exported.

4. Click the Save button.

The rule settings will be exported to the speci ed le.

Importing Applications Launch Control rules from an XML le

To import Applications Launch Control rules:

1. Open the Applications Launch Control rules window.

390
 2. Click the Add button.

3. In the context menu of the button, select Import rules from XML le.

4. Specify the method for adding the imported rules. To do so, select one of the options from the context menu
of the Import rules from XML le button:

Add to existing rules if you want to add the imported rules to the list of existing rules. Rules with identical
settings are duplicated.

Replace existing rules if you want to replace the existing rules with the imported rules.

Merge with existing rules if you want to add the imported rules to the list of existing rules. Rules with
identical settings are not added; the rule is added if at least one rule parameter is unique.

The standard Microsoft Windows Open window opens.

5. In the Open window, select the XML le that contains the Applications Launch Control rules.

6. Click the Open button.

The imported rules will be displayed in the list in the Applications Launch Control rules window.

Removing Applications Launch Control rules

To remove Applications Launch Control rules:

1. Open the Applications Launch Control rules window.

2. In the list, select one or more rules that you want to delete.

3. Click the Remove Selected button.

4. Click the Save button.

The selected Applications Launch Control rules are deleted.

Con guring a Rule Generator for Applications Launch Control task

To con gure the Rule Generator for Applications Launch Control task settings:

1. Open the Task settings window of the Rule Generator for Applications Launch Control task.

2. Con gure the following settings:

On the General tab:

Specify Pre x for rule names .

Con gure the allowing-rules usage scope.

On the Actions tab, specify the actions that must be performed by Kaspersky Security for Windows Server.

391
 On the Schedule and Advanced tabs, con gure Schedule task start settings.

On the Run as tab, con gure Task start settings with account permission.

3. Click OK in the Task settings window.

Kaspersky Security for Windows Server immediately applies the new settings to the running task. Information
about the date and time when the settings were modi ed, and the values of task settings before and after
modi cation.

Restricting the task usage scope

To restrict the scope of the Rule Generator for Applications Launch Control task:

1. Open the Task settings window of the Rule Generator for Applications Launch Control task.

2. Select how to create allowing rules:

Create allowing rules based on running applications .

Create allowing rules for applications from the folders .

3. Click OK in the Task settings window.

The speci ed settings are saved.

Actions to perform during automatic rule generation

To con gure the actions of Kaspersky Security for Windows Server during the running and upon the completion of
the Rule Generator for Applications Launch Control task:

1. Open the Task settings window of the Rule Generator for Applications Launch Control task.

2. Open the Options tab.

3. In the While generating allowing rules section, con gure the following settings:

Use digital certi cate

Use digital certi cate subject and thumbprint

If the certi cate is missing, use

SHA256 hash. The checksum of the le used to generate the rule is set as a criterion for triggering the
allowing rule for Applications Launch Control. The application will allow start of programs launched using
les with the speci ed checksum.

path to le. The path to the le used to generate the rule is set as a criterion for triggering the allowing
rule for Applications Launch Control. The application will now allow start of programs launched using les
located in the folders speci ed in the Create allowing rules for applications from the folders table in
the Settings section.

392
 Use SHA256 hash

Generate rules for user or group of users .

4. In the After task completes section, con gure the following settings:

Add allowing rules to the list of Applications Launch Control rules .

Principle of adding .

Export allowing rules to le.

Add server details to le name .

5. Click OK in the Task settings window.

The speci ed settings are saved.

Actions to perform upon completion of automatic rule generation

To con gure the actions to be taken by Kaspersky Security for Windows Server after the Rule Generator for
Applications Launch Control task is nished:

1. Open the Task settings window of the Rule Generator for Applications Launch Control task.

2. Open the Options tab.

3. In the After task completes section, con gure the following settings:

Add allowing rules to the list of Applications Launch Control rules .

Principle of adding .

Export allowing rules to le.

Add server details to le name .

4. Click OK in the Task settings window.

The speci ed settings are saved.

Managing Applications Launch Control via the Web Plug-in

To con gure Applications Launch Control tasks via the Web Plug-in:

1. In the main window of Web Console, select Devices → Policies & pro les.

2. Click the policy name you want to con gure.

3. In the <Policy name> window that opens select the Application settings tab.

4. Select the Local activity control section.

393
5. Click Settings in the Applications Launch Control subsection.

6. Con gure the settings described in the table below.

Applications Launch Control task settings

Setting Description

Task mode
In this drop-down list, you can select the Applications Launch Control task’s mode:
Active. Kaspersky Security for Windows Server uses the speci ed rules to
control the launch of any application.

Statistics only. Kaspersky Security for Windows Server does not use the
speci ed rules to control application launches. Instead, it simply records
information about launch events in the task log. All applications are allowed to
start. You can use this mode to generate a list of Applications Launch Control
rules based on the information about denied application launches recorded in
the task log.

By default, the Applications Launch Control task runs in Statistics only mode.

Repeat action
The check box enables or disables launch control for the second and subsequent
taken for the
attempts to start applications based on the event information stored in the cache.
rst le launch
on all the If the check box is selected, Kaspersky Security for Windows Server allows or denies
subsequent subsequent launches of an application based on the task’s conclusion regarding the
launches for rst launch of the application. For example, if the rst application launch was allowed
this le by the rules, information about this decision will be stored in the cache, and the
second and all subsequent launches will also be allowed without rechecking.
If the check box is cleared, Kaspersky Security for Windows Server analyzes an
application every time a launch is attempted.
The check box is selected by default.

Deny the
If the check box is selected, Kaspersky Security for Windows Server denies the launch
command
of command line interpreters even if launching interpreters is allowed. A command
interpreters
interpreter can only be launched with no command if both of the following conditions
launch with no
are met:
command to
execute Launch of the command line interpreter is allowed.

The command to be executed is allowed.

If the check box is cleared, Kaspersky Security for Windows Server only considers
allowing rules when launching a command line interpreter. The launch is denied if no
allowing rule applies or the executable process is not trusted by KSN. If an allowing rule
applies or the process is trusted by KSN, a command line interpreter can be launched
with or without a command to execute.
Kaspersky Security for Windows Server recognizes the following command line
interpreters:
cmd.exe

powershell.exe

python.exe

perl.exe

The check box is cleared by default.

394
Apply rules to The check box either enables or disables launch control of executable les.
executable
If this check box is selected, Kaspersky Security for Windows Server allows or blocks
les
start of executable les using the speci ed rules whose settings specify Executable
les as the scope.
If the check box is cleared, Kaspersky Security for Windows Server does not control
start of executable les using the speci ed rules. Startup of executable les is
allowed.
The check box is selected by default.

Monitor
The check box either enables or disables control of loading of DLL modules.
loading of DLL
modules If this check box is selected, Kaspersky Security for Windows Server allows or blocks
loading of DLL modules using the speci ed rules whose settings specify Executable
les as the scope.
If this check box is cleared, Kaspersky Security for Windows Server does not control
loading of DLL modules using the speci ed rules. Loading of DLL modules is allowed.
The check box is active if the Apply rules to executable les check box is selected.
The check box is cleared by default.
Apply rules to
The check box either enables or disables launch of scripts and MSI packages.
scripts and
MSI packages If this check box is selected, Kaspersky Security for Windows Server allows or blocks
start of scripts and MSI packages using the speci ed rules whose settings specify
Scripts and MSI packages as the scope.
If the check box is cleared, Kaspersky Security for Windows Server does not control
start of scripts and MSI packages using speci ed rules. Start of scripts and MSI
packages is allowed.
The check box is selected by default.

Deny
The check box either enables or disables Applications Launch Control according to
applications
application reputation data in KSN.
untrusted by
KSN If this check box is selected, Kaspersky Security for Windows Server blocks any
application from running if it is not trusted in KSN. Applications Launch Control
allowing rules that apply to applications not trusted in KSN will not be triggered.
Selecting the check box provides additional protection from malware.
If the check box is cleared, Kaspersky Security for Windows Server does not consider
the reputation of applications not trusted in KSN and allows or blocks start in
accordance with the rules that apply to such applications.
The check box is cleared by default.

Allow
The check box either enables or disables Applications Launch Control according to
applications
application reputation data in KSN.
trusted by KSN
If this check box is selected, Kaspersky Security for Windows Server allows
applications to run if they are trusted in KSN. Denying application launch control rules
that apply to KSN-trusted applications have higher priority: if an application is trusted
by KSN services, the application launch will be denied.
If the check box is cleared, Kaspersky Security for Windows Server does not consider
the reputation of KSN-trusted applications and allows or denies launch in accordance
with rules that apply to such applications.
The check box is cleared by default.

Rules Con gure allowing or denying rules for the Application Launch Control task.

Software You can add trusted distribution packages.

Distribution
Control
395
Task You can con gure settings to start the task on a schedule.
management

396
Device Control
This section contains information about the Device Control task and how to con gure it.

About Device Control task

Kaspersky Security for Windows Server controls registration and usage of the external devices and CD/DVD
drives in order to protected device against computer security threats, that may occur in process of le exchange
with ash drives or other type of external device connected via USB.

Kaspersky Security for Windows Server controls the following USB external devices connections:

USB-connected ash drives

CD/DVD ROM drives

USB-connected oppy disk drives

USB-connected network adapters

USB-connected MTP-mobile devices

Kaspersky Security for Windows Server informs you about all devices connected via USB with the
corresponding event in the task and event logs. The event details include device type and connection path.
When the Device Control task is started, Kaspersky Security for Windows Server checks and lists all devices
connected via USB. You can con gure the noti cations in the Kaspersky Security Center noti cation settings
section.

The Device Control task monitors all the attempts of external devices connections to a protected device via USB
and blocks connection, if there are no allowing rules for such devices. After the connection is blocked, the device is
not available.

The application prescribes one of the following statuses to each connected external device:

Trusted. Device for which you want to allow les exchange. Upon rules list generation, the Device instance path
value is included into usage scope for at least one rule.

Untrusted. Device for which you want to restrict les exchange. Device instance path is not included into any
allowing rule usage scope.

You can create allowing rules for external devices to allow data exchange using the Rule Generator for Device
Control task. You can also expand the usage scope for already speci ed rules. You cannot create allowing rules
manually.

Kaspersky Security for Windows Server identi es external devices that are registered in the system, by using the
Device Instance Path value. Device Instance Path is a default feature uniquely speci ed for each external device.
The Device Instance Path value is speci ed for each external device in its Windows properties and is automatically
determined by Kaspersky Security for Windows Server during rule generation.

The Device Control task can operate in two modes:

397
 Active. Kaspersky Security for Windows Server applies rules to control the connection of ash drives and
other external devices, and allows or blocks the use of all devices according to the Default Deny principle and
speci ed allowing rules. The use of trusted external devices is allowed. The use of untrusted external devices is
blocked by default.

If an external device you consider to be untrusted is connected to a protected device before the Device
Control task is run in the Active mode, the device is not blocked by the application. We recommend that
you disconnect the untrusted device manually or restart the protected device. Otherwise, the Default
Deny principle will not be applied to the device.

Statistics only. Kaspersky Security for Windows Server does not control the connection of ash drives and
other external devices, but only logs information about the connection and registration of external devices on a
protected device, and about the Device Control allowing rules triggered by the connected devices. The use of
all external devices is allowed. This mode is set by default.
You can apply this mode for rules generation on the basis of the information about blocking devices logged
during the task running.

About Device Control rules

Kaspersky Security for Windows Server does not apply allowing rules for MTP-connected mobile devices.

The rules are generated uniquely for each device that is currently connected or has ever been connected to a
protected device if the information about this device is stored in the system registry.

To generate allowing rules for device control:

Apply the Rule Generator for Device Control task.

Run the Device Control task in the Statistics only mode.

Apply system information about previously connected devices.

Expand the usage scope for already speci ed rules.

The maximum number of the Device Control rules supported by Kaspersky Security for Windows Server is
3072.

Device Control rules are described below.

Rule type

Rule type is always allowing. By default, the Device Control task blocks all ash drives and other external devices
connections if these devices are not included into any allowing rule usage scope.

Triggering criterion and rule usage scope

398
Device Control rules identify ash drives and other external devices basing on Device instance path. Device
instance path is a unique criterion that is assigned to a device by the system when the device is connected and is
registered as an External Device or CD/DVD drive (for example, IDE or SCSI).

Kaspersky Security for Windows Server controls connection of the CD/DVD drives regardless of the bus used
for connection. When mounting such device via USB, operating system registers two path values to the
device instance: for the external device and for CD/DVD drive (for example, IDE or SCSI). To connect such
devices correctly, allowing rules for each path value to the instance must be set.

Kaspersky Security for Windows Server automatically de nes the device instance path and parses the value
obtained into the following elements:

Device manufacturer (VID)

Device controller type (PID)

Device serial number

You cannot set the device instance path manually. Allowing rule triggering criteria de ne the rule usage scope. By
default, newly created rule usage scope includes one initial device, basing on whose properties Kaspersky Security
for Windows Server had generated the rule. You can con gure the values in the created rule settings by using a
mask to expand the rule usage scope.

Initial device values

Device properties that Kaspersky Security for Windows Server used for allowing rule generation and that are
displayed in Windows Device Manager for each device connected.

Initial device values contain the following information:

Device instance path. Basing on this property Kaspersky Security for Windows Server de nes rule triggering
criteria and lls the following elds: Manufacturer (VID), Controller type (PID), Serial number in the Rule
usage scope section of the Rule properties window.

Friendly name. Device clear name that is set in the device properties by its manufacturer.

Kaspersky Security for Windows Server automatically de nes initial device values when the rule is generating.
Later on you can use these values to recognize the device that was used as a base for the rule generating. Initial
device values are not available for editing.

Description

You can add additional information for each created device control rule in the Description eld, for example, you
can note name of the connected ash driver or de ne its owner. The description is displayed in a corresponding
graph in the Device Control rules window.

Description and initial device values are not allowed for rule triggering and are prescribed only to simplify
device identi cation by user.

399
About Device Control rules generation
You can import device control allowing rules from the XML les that were automatically generated during the
Device Control or the Rule Generator for Device Control tasks running.

By default, Kaspersky Security for Windows Server restricts connections of any ash drives and other external
devices, if they are not included into the usage scope of speci ed device control rules.

Targets and scenarios for device control rules generation

Rule generation scenario Target

The Rule Generator for Device Control

Add allowing rules for previously connected trusted devices
task
before the rst start of the Device Control task.

Generate rules list for devices trusted in the protected

devices network.

Rules generation based on system data Add allowing rules for one or several external devices, whose
data have been stored in the system.

Rules generation based on data about Renew an already speci ed rules list when it is necessary to trust
the currently connected devices a little amount of new external devices.

The Device Control task in the Generate allowing rules for a large number of trusted devices.
Statistics only mode

The Rule Generator for Device Control task usage

XML le, generated upon the Rule Generator for Device Control task completion, contains allowing rules for those
ash drives and other external devices whose data have been stored in a system registry.

Use this scenario during the rule generation process to take into account all ever connected external devices that
are registered by the systems on all network protected device or to consider only data about devices currently
connected to all network protected device. The task also allows for all external devices that a connected at the
moment of task running. Upon the group task completion Kaspersky Security for Windows Server generates
allowing rules lists for all external devices registered in the network and saves these lists in an XML le in a speci ed
folder. Then you can manually import generated rules in the Device Control task settings. Unlike a task on a
protected device, the policy does not allow con guring the automatic addition of the created rules to the list of
Device Control rules when the Rule Generator for Device Control group task is completed.

This scenario is recommended to generate allowing rules list before the rst start of the Device Control task, so
that allowing rules generated cover all trusted external devices that are used on a protected device.

Usage of system data about all connected devices

During the task running, Kaspersky Security for Windows Server receives system data about all external devices
that have ever been connected or that are currently connected to a protected device, and displays detected
devices in the list of the Generate rules based on the system information window.

400
For each detected device Kaspersky Security for Windows Server parses the values of manufacturer (VID),
controller type (PID), friendly name, serial number and device instance path. You can generate allowing rules for any
external device, whose data have been stored in the system, and straightly add newly created rules to the list of
the device control rules.

According to this scenario Kaspersky Security for Windows Server generates allowing rules for external
devices that have ever been connected or are currently connected to a protected device with Kaspersky
Security Center installed.

This scenario is recommended to renew an already speci ed rules list when it is necessary to trust a little amount
of new external devices.

Usage of data about the currently connected devices

In this scenario, Kaspersky Security for Windows Server generates allowing rules only for currently connected
external devices. You can select one or more external devices for which you want to generate allowing rules.

Usage of the Device Control task in the Statistics only mode

XML le received upon the Device Control task completion in the Statistics only mode is generated basing on the
task log.

During the task running Kaspersky Security for Windows Server logs information about all connections of ash
drives and other external devices to a protected device. You can generate allowing rules based on task events and
export them to an XML le. Before starting the task in the Statistics only mode, it is recommended to con gure
the task running period so that during the term speci ed all the possible external devices connections to a
protected device would be performed.

This scenario is recommended to renew an already generated rules list if it is required to allow a large number of
new external devices.

If the rule list generation according to this scenario is performed on a template machine, you can apply a generated
allowing rules list while con guring the Device Control task via the Kaspersky Security Center. This way you will be
able to allow to use the external devices that are connected to a template machine on all the protected devices.

About Rule Generator for Device Control task

The Rule Generator for Device Control task can automatically create a list of allowing rules for connected ash
drives and other external devices basing on the system data about all external devices that have ever been
connected to a protected device.

Upon the task completion Kaspersky Security for Windows Server creates an XML con guration le that contains
allowing rules list for all detected external devices or straightly adds generated rules in the Device Control task
depending on the Rule Generator for Device Control settings. The application will subsequently allow devices for
which allowing rules were automatically generated.

Generated and added in the task rules are displayed in the Device Control rules window.

Device Control default task settings

401
By default, the Device Control task has the settings described in the table below. You can change the values of
these settings.

Default Device Control task settings

Setting Default Description

value

Task mode Statistics The task logs information about external devices that were blocked or
only allowed according to the speci ed rules. External devices are not
actually blocked.
You can select the Active mode for device protection to actually
block the use of external devices.

Allow using all Not Kaspersky Security for Windows Server blocks use of external
external devices applied devices, regardless of the Device Control task state. This provides
when the Device maximum protection level against computer security threats arising
Control task is not when exchanging les with external devices.
running
You can adjust the setting so that Kaspersky Security for Windows
Server allows use of all external devices when the Device Control task
is not running.

Task start schedule First run is The Device Control task does not start automatically at the start of
not Kaspersky Security for Windows Server.
scheduled.
You can con gure the task start schedule.

Rule Generator for Device Control task default settings

Setting Default value Description

Task mode Consider system data about all The task operation mode.
external devices that have ever
You can select the Consider currently connected
been connected
external devices only task mode.

Actions Allowing rules are added to the list of You can add rules to existing ones without merging
upon task Device Control rules; new rules are them and without deleting duplicated rules, or replace
completion merged with existing ones; duplicated existing rules with new allowing rules, or con gure
rules are removed. export of allowing rules to a le.

Task start First run is not scheduled. The Rule Generator for Device Control task does not
schedule start automatically at startup of Kaspersky Security
for Windows Server. You can start the task manually
or con gure a scheduled start.

Managing Device Control via the Administration Plug-in

In this section, learn how to navigate through the Administration Plug-in interface and manage connections of any
external devices to all protected devices on the network by generating rule lists via the Kaspersky Security Center
for the groups of protected devices.

Navigation
Learn how to navigate to the required task settings via the chosen interface.

402
Opening policy settings for the Device Control task
To open the Device Control task settings via the Kaspersky Security Center policy:

1. Expand the Managed devices node in the Kaspersky Security Center Administration Console tree.

2. Select the administration group for which you want to con gure the task.

3. Select the Policies tab.

4. Double-click the policy name you want to con gure.

5. In the Properties: <Policy name> window that opens, select the Local activity control section.

6. Click the Settings button in the Device Control subsection.

The Device Control window opens.

7. Con gure the policy as required.

Opening the Device Control rules list

To open the Device Control rules list via the Kaspersky Security Center:

1. Expand the Managed devices node in the Kaspersky Security Center Administration Console tree.

2. Select the administration group for which you want to con gure the task.

3. Select the Policies tab.

4. Double-click the policy name you want to con gure.

5. In the Properties: <Policy name> window that opens, select the Local activity control section.

6. Click the Settings button in the Device Control subsection.

The Device Control window opens.

7. On the General tab, click the Rules list button.

The Device Control rules window opens.

8. Con gure the policy as required.

Opening the Rule Generator for Device Control task wizard and properties
To initialize creation of a Rule Generator for Device Control task:

1. Expand the Managed devices node in the Kaspersky Security Center Administration Console tree.

403
 2. Select the administration group for which you want to con gure the task.

3. Select the Tasks tab.

4. Click Create a task button.

The New Task Wizard window opens.

5. Select the Rule Generator for Device Control task.

6. Click Next.
The Settings window opens.

To con gure the existing Rule Generator for Device Control task:

1. Expand the Managed devices node in the Kaspersky Security Center Administration Console tree.

2. Select the administration group for which you want to con gure the task.

3. Select the Tasks tab.

4. Double-click the task name in the list of Kaspersky Security Center tasks.
The Properties: Rule Generator for Device Control window opens.

See the Con guring the Rule Generator for Device Control task section for details on con guring the task.

Con guring Device Control task

To con gure the Device Control task settings:

1. Open the Device Control window.

2. On the General tab, con gure the following task settings:

In the Task mode section, select one of the task modes:

Active .

If an external device you consider to be untrusted is connected to a protected device before the
Device Control task is run in the Active mode, the device is not blocked by the application. We
recommend that you disconnect the untrusted device manually or restart the protected device.
Otherwise, the Default Deny principle will not be applied to the device.

Statistics only .

Select or clear the Allow using all external devices when the Device Control task is not running check
box.

3. Click the Rules list button to edit the list of Device control rules.

4. If necessary, con gure the scheduled task start settings on the Task management tab.

5. Click OK in the Device Control window.

404
 Kaspersky Security for Windows Server immediately applies the new settings to the running task. Information
about the date and time when the settings were modi ed, and the values of task settings before and after
modi cation, are saved in the system audit log.

Con guring the Rule Generator for Device Control task

To con gure the Rule Generator for Device Control task:

1. Open the Properties: Rule Generator for Device Control window.

2. In the Noti cation section, con gure the task event noti cation settings.

For detailed information regarding con guring settings in this section, see the Kaspersky Security Center
Help.

3. In the Settings section, you can con gure the following settings:

Select the operation mode: consider system data about all external devices that have ever been connected
or consider currently connected external devices only.

Con gure settings for con guration les with allowing rules lists that Kaspersky Security for Windows
Server creates upon the task completion.

4. Con gure the task schedule in the Schedule section (you can con gure a schedule for all task types except
Rollback of Database Update).

5. In the Account section, specify the account whose rights will be used to run the task.

6. If required, specify the objects to exclude from the task scope in the Exclusions from task scope section.

For detailed information regarding con guring settings in these sections, see the Kaspersky Security
Center Help.

7. In the Properties: <Task name> window, click OK.

The newly con gured group task settings are saved.

Con guring Device Control rules via the Kaspersky Security Center
Learn how to generate a list of rules based on various criteria or manually create allowing or denying rules using the
Device Control task.

Creating allowing rules based on system data in a Kaspersky Security Center

policy
To specify allowing rules using the Generate rules based on system data option in the Device Control task:

405
 1. If necessary, connect a new external device that you want to make trusted to a protected device with the
Kaspersky Security Center Administration Console installed.

2. Open the Device Control rules window.

3. Click the Add button and in the context menu that opens select the Generate rules based on system data
option.

4. In the device list of Generate rules based on the system information window, select a device.

5. Click Add rules for devices selected.

6. Click the Save button in the Device Control rules window.

Rules list in the Device Control task will be lled up with new rules generated basing on a system data of the
protected device with the Kaspersky Security Center Administration Console installed.

Generating rules for connected devices

To specify allowing rules using the Generate rules based on connected devices option in the Device Control task:

1. Open the Device Control rules window.

2. Click the Add button and in the context menu, select Generate rules based on connected devices.
The Generate rules based on the system information window opens.

3. In the list of detected devices connected to the protected device, select the devices you want to generate
allowing rules for.

4. Click the Add rules for devices selected button.

5. Click the Save button in the Device Control rules window.

Rules list in the Device Control task will be lled up with new rules generated basing on a system data of the
protected device with the Kaspersky Security Center Administration Console installed.

Importing rules from the Kaspersky Security Center report on blocked

devices
You can import data on blocked device connections from the report generated in Kaspersky Security Center after
completion of the Device Control task in Statistics only mode and use this data to generate a list of Device
Control allowing rules in the policy being con gured.

When generating the report on events occurring during the Device Control task, you can keep track of the devices
whose connection is restricted.

To specify allowing rules for devices connection for a group of protected devices based on the Kaspersky Security
Center report on blocked devices:

1. In the policy properties, in the Event noti cation section, make sure that:

For the Critical Events importance level the period of time for storing the task log for the Untrusted
external device detected and restricted event exceeds the planned period of operation in the Statistics
406
 only mode (the default value is 30 days).

For the Warning importance level the period of time for storing the task log for the Statistics only:
untrusted external device detected event exceeds the planned period of task operation in the Statistics
only mode (the default value is 30 days).

When the period for storing the events elapses, information about logged events is deleted and is not
re ected in the report le. Before running the Device Control task in Statistics only mode, make sure
that the task run time does not exceed the con gured storage time for the speci ed events.

2. Start the Device Control task in the Statistics only mode.

a. In the workspace of the Administration Server node in Kaspersky Security Center, select the Events tab.

b. Click the Create a selection button and create a selection of events based on the Untrusted external
device detected and restricted criterion to view the devices whose connections will be restricted by the
Device Control task.

c. In the details pane of the selection, click the Export events to le link to save the report on restricted
connections to a TXT le.

Before importing and applying the generated report in a policy, make sure that the report contains data
only on those devices whose connection you want to allow.

3. Import data about restricted devices connections into the Device Control task:

a. Open the Device Control rules window.

b. Click the Add button and in the context menu of the button select Import data of blocked devices from
Kaspersky Security Center report.

c. Select the principle for adding rules from the list created on the basis of the Kaspersky Security Center
report to the list of previously con gured Device Control rules:

Add to existing rules if you want to add the imported rules to the list of existing rules. Rules with
identical settings are duplicated.

Replace existing rules if you want to replace the existing rules with the imported rules.

Merge with existing rules if you want to add the imported rules to the list of existing rules. Rules with
identical settings are not added; the rule is added if at least one rule parameter is unique.

d. In the standard window of Microsoft Windows that opens, select the TXT le to which events from the
report about restricted devices have been exported.

e. Click the Save button in the Device Control rules window.

4. Click OK the Device Control window.

Rules created on the basis of the Kaspersky Security Center report on restricted devices are added to the list
of Device Control rules.

407
Creating rules using the Rule Generator for Device Control task
To specify allowing device control rules for a group of protected devices using the Rule Generator for Device
Control task:

1. Open the Settings window in the New Task Wizard.

2. Con gure the following:

In the Mode section:

Consider system data about all external devices that have ever been connected.

Consider currently connected external devices only.

In the After task completes section:

Add allowing rules to the list of Device Control rules .

Principle of adding .

Export allowing rules to le .

Add computer details to le name .

3. Click Next.

4. In the Schedule window, set the scheduled task start settings.

5. Click Next.

6. In the Selecting an account to run the task window, specify the account you want to use.

7. Click Next.

8. Specify a task name.

9. Click Next.

The task name should be no longer than 100 characters and cannot contain the following symbols: " * < > & \
:|

The Finish creating the task window opens.

10. You can optionally run the task after the Wizard nishes by selecting the Run task after Wizard nishes check
box.

11. Click Finish to nish creating the task.

12. On the Tasks tab on the workspace of the group of protected devices being con gured, in the list of group
tasks select the Rule Generator for Device Control you have created.

408
13. Click the Start button to start the task.
When the task is completed, automatically generated lists of allowing rules are saved in a shared folder in XML
les.

Before using the Device Control policy in the network, make certain that all protected devices have access
to a shared network folder. If the organization’s policy does not provide for the use of a shared network
folder in the network, it is recommended to start the Rule Generator for Device Control task for protected
device control rules on the test protected device group or on a template machine.

Adding generated rules to the Device Control rules list

To add the generated lists of allowing rules to the Device Control task:

1. Open the Device Control rules window.

2. Click the Add button.

3. In the Add button context menu select the Import rules from XML le option.

4. Select the principle for adding the automatically generated allowing rules to the list of previously created
Device Control rules:

Add to existing rules if you want to add the imported rules to the list of existing rules. Rules with identical
settings are duplicated.

Replace existing rules if you want to replace the existing rules with the imported rules.

Merge with existing rules if you want to add the imported rules to the list of existing rules. Rules with
identical settings are not added; the rule is added if at least one rule parameter is unique.

5. In the standard window of Microsoft Windows that opens, select XML les created after completion of the Rule
Generator for Device Control group task.

6. Click Open.
All generated rules from the XML le are added to the list according to the selected principle.

7. Click the Save button in the Device Control rules window.

8. If you want to apply generated device control rules, select the Active task mode in the Device Control policy
settings.

Allowing rules automatically generated based on system data on each separate protected device are applied to
all network protected devices covered by the policy being con gured. On these protected devices, the
application will allow connection of only those devices for which allowing rules have been created.

Managing Device Control via the Application Console

In this section, you will learn how to navigate the Application Console interface and con gure task settings on a
protected device.

409
Navigation
Learn how to navigate to the required task settings via the chosen interface.

Opening the Device Control task settings

To open the Device Control task settings via the Application Console:

1. In the Application Console tree, expand the Server Control node.

2. Select the Device Control child node.

3. In the details pane of the Device Control child node, click the Properties link.
The Task settings window opens.

4. Con gure the task as required.

Opening the Device Control rules window

To open the Device Control rules list via the Application Console:

1. In the Application Console tree, expand the Server Control node.

2. Select the Device Control child node.

3. In the details pane of the Device Control node, click the Device Control rules link.
The Device Control rules window opens.

4. Con gure the rules list as required.

Opening the Rule Generator for Device Control task settings

To con gure the Rule Generator for Device Control task:

1. In the Application Console tree, expand the Automated rule generators node.

2. Select the Rule Generator for Device Control child node.

3. In the details pane of the Rule Generator for Device Control child node, click the Properties link.
The Task settings window opens.

4. Con gure the task as required.

410
Con guring Device Control task settings
To con gure the Device Control task settings:

1. Open the Task settings window.

2. On the General tab, con gure the following task settings:

In the Task mode section, select one of the task modes:

Active .

If an external device you consider to be untrusted is connected to a protected device before the
Device Control task is run in the Active mode, the device is not blocked by the application. We
recommend that you disconnect the untrusted device manually or restart the protected device.
Otherwise, the Default Deny principle will not be applied to the device.

Statistics only .

Select or clear the Allow using all external devices when the Device Control task is not running check
box.

3. If necessary, on the Schedule and Advanced tabs, con gure the scheduled task start settings.

4. To edit the list of device control rules, click the Device Control rules link in the lower part of the details pane of
the Device Control node.

Kaspersky Security for Windows Server immediately applies the new settings to the running task. Information
about the date and time when the settings were modi ed, and the values of task settings before and after
modi cation, are saved in the system audit log.

Con guring Device Control rules

Learn how to generate, import and export a list of rules, or manually create allowing or denying rules using the
Device Control task.

Importing Device Control rules from XML le

To import the Device Control rules:

1. Open the Device Control rules window.

2. Click the Add button.

3. In the context menu of the button, select Import rules from XML le.

4. Specify the method for adding the imported rules. To do so, select one of the options from the context menu
of the Import rules from XML le button:
411
 Add to existing rules if you want to add the imported rules to the list of existing ones. Rules with identical
settings are duplicated.

Replace existing rules if you want to replace the existing rules with the imported ones.

Merge with existing rules if you want to add the imported rules to the list of existing ones. Rules with
identical settings are not added; the rule is added if at least one rule parameter is unique.

The standard Microsoft Windows Open window opens.

5. In the Open window, select the XML le that contains the settings of the Device Control rules.

6. Click the Open button.

The imported rules will be displayed in the list of the Device Control rules window.

Filling rules list basing on Device Control task events

To create a con guration le that contains device control rules list basing on the Device Control task events:

1. Start the Device Control task in the Statistics only mode, to log all events of ash drives and other external
devices connections to a protected device.

2. Upon the completion of the task in the Statistics only mode, open the task log by clicking the Open task log
button in the Management section of the Device Control node details pane.

3. In the Logs window click the Generate rules based on events.

Kaspersky Security for Windows Server will create an XML con guration le that contains a rules list generated
basing on events of the Device Control task in the Statistics only mode. You can apply this list in the Device
Control task.

Before applying a rules list generated basing on the task events, it is recommended to review and then
manually process the rules list to make certain that there are no untrusted devices allowed by the speci ed
rules.

During the conversion of an XML le with the task events to a rules list, the application generates allowing
rules for all registered events, including the devices restrictions.

All the task events are registered in the task log regardless of the task mode. You can create a con guration le
with a rules list basing on the events of the task in the Active mode. This scenario is not recommended except
urgent cases, as far as the task e iciency requires to generate a nal rule list version before the task is run in the
active mode.

Adding an allowing rule for one or several external devices

The function of manual adding rules by ones is not supported in the Device Control task. However, in cases when
you need to add rules for one or several new external devices you can use the Generate rules based on system
data option. If this scenario is applied, the application uses Windows data about all ever connected external
devices and also allows for currently connected devices for lling an allowing rules list.

412
To add an allowing rule for one or several external devices that are currently connected:

1. Open the Device Control rules window.

2. Click the Add button.

3. In the context menu that opens select the Generate rules based on system data option.

4. In the window that opens, review the detected devices list and select a single device or several devices that you
want to trust on a protected device.

5. Click the Add rules for devices selected button.

New rules will be generated and added to the device control rules list.

Removing Device Control rules

To remove the Device Control rules:

1. Open the Device Control rules window.

2. In the list, select one or several rules that you want to delete.

3. Click the Remove Selected button.

4. Click the Save button.

The selected Device Control rules will be removed.

Exporting Device Control rules

To export Device Control rules to a con guration le:

1. Open the Device Control rules window.

2. Click the Export to a le button.

The standard Microsoft Windows window opens.

3. In the window that opens, specify the le to which you want to export the rules. If no such le exists, it will be
created. If a le with the speci ed name already exists, its contents will be rewritten after the rules are
exported.

4. Click the Save button.

The rules and its settings will be exported in the speci ed le.

Activating and deactivating of Device Control rules

You can activate and deactivate created device control rules without removing them.

To activate or deactivate a created device control rule:

413
 1. Open the Device Control rules window.

2. In the list of speci ed rules open the Rule properties window by double clicking on the rule whose properties
you want to con gure.

3. In the window that opens, select or clear the Apply rule check box.

4. Click OK.

Rule apply status will be saved and displayed for a speci ed rule.

Expanding Device Control rules usage scope

Each automatically generated device control rule covers only one external device. You can manually expand a rule
usage scope by setting the device instance path mask in properties of any speci ed rule.

Device instance path application reduces the total number of rules speci ed and simpli es rules processing.
But expanding of a rule usage scope can lead to decreasing of external devices control e iciency.

To apply a device instance path mask in a device control rule properties:

1. Open the Device Control rules window.

2. In the window that opens, select a rule to use its properties for mask application.

3. Open the Rule properties window by double clicking on a selected device control rule.

4. In the window that opens, perform the following operations:

Select the Use mask check box next to the Controller type (PID) eld if you want a rule selected to allow
connections for all external devices that t the speci ed information about device manufacturer and
controller type.

Select the Use mask check box next to the Serial number eld if you want a rule selected to allow
connections for all external devices that t the speci ed information about device manufacturer and device
serial number.

Select the Use mask check boxes next to the Controller type (PID) eld and the Serial number eld if you
want a rule selected to allow connections for all external devices that t the speci ed information about
device manufacturer and both controller type and device serial number.

If the Use mask check box is selected in at least one of the elds, the data from the elds with the selected
check box is replaced with the * sign and is not considered when the rule is applied.

5. If necessary, specify additional information about rule in the Description eld. For example, specify the devices
a ected by the rule.

6. Click OK.

The newly con gured rule properties will be saved. The rule usage scope will be expanded according to a device
instance path mask speci ed.

414
Con guring Rule Generator for Device Control task
To con gure the Rule Generator for Device Control task:

1. In the Application Console tree, expand the Automated rule generators node.

2. Select the Rule Generator for Device Control child node.

3. Click the Properties link in the details pane of the Rule Generator for Device Control node.
The Task settings window opens.

4. On the General tab, select the task operation mode in the Task mode section:

Consider system data about all external devices that have ever been connected.

Consider currently connected external devices only.

5. In the After task completes section, specify the actions that must be performed by Kaspersky Security for
Windows Server upon task completion:

Add allowing rules to the list of Device Control rules .

Principle of adding .

Export allowing rules to le .

Add computer details to le name .

6. On the Schedule and Advanced tabs, con gure the scheduled task start settings.

7. Click OK in the Task settings window.

Kaspersky Security for Windows Server immediately applies the new settings to the running task. Information
about the date and time when the settings were modi ed, and the values of task settings before and after
modi cation, are saved in the system audit log.

Managing Device Control via the Application Console Web Plug-in

In this section, you will learn how to navigate the Web Plug-in interface and con gure task settings on a protected
device.

1. In the main window of Web Console, select Devices → Policies & pro les.

2. Click the policy name you want to con gure.

3. In the <Policy name> window that opens select the Application settings tab.

4. Select the Local activity control section.

5. Click Settings in the Device control subsection.

415
6. Con gure the settings described in the table below.

Device Control task settings

Setting Description

Active Kaspersky Security for Windows Server applies rules to control the connection of
removable drives and other external devices, and allows or blocks the use of all devices
according to the Default Deny principle and speci ed allowing rules. The use of trusted
external devices is allowed. The use of untrusted external devices is blocked by default.

Statistics only Kaspersky Security for Windows Server does not control the connection of removable
drives and other external devices, but only logs information about the connection and
registration of external devices on a protected device, and about the Device Control
allowing rules triggered by the connected devices. The use of all external devices is
allowed. This mode is set by default.

Allow using all

The check box allows or blocks the use of external devices when the Device Control
external
task is not running.
devices when
the Device If the check box is selected and Device Control task is not running, Kaspersky Security
Control task for Windows Server allows using any external devices on a protected device.
is not running If the check box is cleared, the application blocks the use of untrusted external devices
on a protected device in the following cases: the Device Control task is not running or
the Kaspersky Security Service is turned o . This option is recommended to maximize
the level of protection against computer security threats arising when exchanging les
with external devices.
The check box is cleared by default.

Device control You can edit the list of Device control rules.
rules

Task You can con gure settings to start the task on a schedule.
management

416
Firewall Management
This section contains information about the Firewall Management task and how to con gure it.

About the Firewall Management task

Kaspersky Security for Windows Server provides a reliable and convenient solution for protecting network
connections using the Firewall Management task.

The Firewall Management task does not perform independent network tra ic ltering, but it lets you manage
Windows Firewall through the Kaspersky Security for Windows Server graphical interface. During the Firewall
Management task Kaspersky Security for Windows Server takes over management of the settings and policies of
the operation system's rewall and blocks any external attempts to con gure the rewall.

During installation of the application, the Firewall Management component reads and copies the Windows Firewall
status and all speci ed rules. After that, the set of rules and the rule parameters may only be changed, and the
rewall may only be turned on or o in Kaspersky Security for Windows Server.

If Windows Firewall is turned o during installation of Kaspersky Security for Windows Server, the Firewall
Management task will not be executed after the installation is complete. If Windows Firewall is turned on
during installation of the application, the Firewall Management task is executed after the installation is
complete, blocking all network connections that are not allowed by the speci ed rules.

The Firewall Management component is not installed by default, as it is not included in the set of components
in the Recommended Installation.

The Firewall Management task enforces blocking of all incoming and outgoing connections not allowed by the
task's speci ed rules.

The task polls the Windows Firewall regularly and monitors its status. By default, the polling interval is set to 1
minute and cannot be changed. If Kaspersky Security for Windows Server detects a mismatch between the
Windows Firewall settings and the Firewall Management task settings, the application forcibly applies the task
settings to the operating system rewall.

Polling Windows Firewall each minute, Kaspersky Security for Windows Server monitors the following:

Operating status of the Windows Firewall.

Status of rules added by other applications or tools (for example, the addition of a new application rule for a
port/application using wf.msc) after installation of Kaspersky Security for Windows Server.

When applying new rules to Windows Firewall, Kaspersky Security for Windows Server creates a Kaspersky
Security Group rule set in the Windows Firewall snap-in. This rule set contains all the rules created by Kaspersky
Security for Windows Server using the Firewall Management task. The rules in the Kaspersky Security Group are
not monitored by the application during polling and are not automatically synchronized with the list of rules
speci ed in the Firewall Management task settings.

To update the Kaspersky Security Group rules manually,

restart the Kaspersky Security for Windows Server Firewall Management task.

417
You can also edit the Kaspersky Security Group rules manually using the Windows Firewall snap-in.

If Windows Firewall is managed by a Kaspersky Security Center group policy, the Firewall Management task
cannot be started.

About Firewall rules

The Firewall Management task controls ltration of incoming and outgoing network tra ic using allowing rules
forcibly applied to the Windows Firewall during task execution.

The rst time the task is started Kaspersky Security for Windows Server reads and copies all the incoming network
tra ic rules speci ed in the Windows Firewall settings to the Firewall Management task settings. Then the
application operates according to the following rules:

If a new rule is created in the Windows Firewall settings (manually or automatically during a new application
installation), Kaspersky Security for Windows Server deletes the rule.

If an existing rule is deleted from the Windows Firewall settings, Kaspersky Security for Windows Server
restores the rule when the task is restarted.

If the parameters of an existing rule are changed in the Windows Firewall settings, Kaspersky Security for
Windows Server rolls back the changes.

If a new rule is created in the Firewall Management settings, Kaspersky Security for Windows Server forcibly
applies the rule to Windows Firewall.

If an existing rule is deleted from the Firewall Management settings, Kaspersky Security for Windows Server
forcibly deletes the rule from the Windows Firewall settings.

Kaspersky Security for Windows Server does not work with blocking rules or rules controlling outgoing
network tra ic. Upon start of the Firewall Management task, Kaspersky Security for Windows Server deletes
all such rules from the Windows Firewall settings.

You can set, delete and edit ltration rules for incoming network tra ic.

You cannot specify a new rule to control outgoing network tra ic in the Firewall Management task settings. All
Firewall rules speci ed in Kaspersky Security for Windows Server control only incoming network tra ic.

You can manage di erent types of Firewall rules: for applications and for ports.

Application rules

This type of rule allows targeted network connections for speci ed applications. The triggering criterion for these
rules is based on a path to an executable le.

You can manage application rules:

Add new rules.

418
 Remove existing rules.

Enable or disable speci ed rules.

Edit the parameters of the speci ed rules: specify the rule name, path to the executable le, and the rule usage
scope.

Port rules

This type of rule allows network connections for speci ed ports and protocols (TCP / UDP). The triggering criteria
for these rules are based on the port number and protocol type.

You can manage port rules:

Add new rules.

Remove existing rules.

Enable or disable speci ed rules.

Edit the parameters of the speci ed rules: set the rule name, port number, protocol type, and scope for
application of the rule.

Port rules involve a broader scope than application rules. By allowing connections based on port rules, you
lower the security level of the protected device.

Default Firewall Management task settings

The Firewall Management task uses the default settings described in the table below. You can change the values of
these settings.

Default Firewall Management task settings

Setting Default value Description

Firewall rules Two default rules for You can disable the default rules or add new rules.
for application enabled
application

Firewall rules Six default rules for You can disable the default rules or add new rules.
for ports ports enabled

Task start First run is not The Firewall Management task does not start automatically at the
schedule scheduled. start of Kaspersky Security for Windows Server.
You can con gure the task start schedule.

Managing Firewall rules via the Administration Plug-in

In this section, learn how to manage Firewall rules via the Administration Plug-in interface.

419
Enabling and disabling Firewall rules
To enable or disable an existing rule for ltering incoming network tra ic, perform the following actions:

1. Expand the Managed devices node in the Kaspersky Security Center Administration Console tree.

2. Select the administration group for which you want to con gure application settings.

3. Perform one of the following actions in the details pane of the selected administration group:

To con gure application settings for a group of protected devices, select the Policies tab and open the
Properties: <Policy name> window.

To con gure the application for a single protected device, select the Devices tab and open the Application
settings window.

If an active Kaspersky Security Center policy is applied to a device and blocks changes to application
settings, then these settings cannot be edited in the Application settings window.

4. In the Network activity control section, click the Settings button in the Firewall Management subsection.

5. Click the Rules list button in the window that opens.

The Firewall rules window opens.

6. Depending on the type of the rule whose status you want to modify, select the Applications or Ports tab.

7. In the rule list, select the rule whose status you want to modify and perform one of the following actions:

If you want to enable a disabled rule, select the check box to the left of the rule name.
The selected rule is enabled.

If you want to disable an enabled rule, clear the check box to the left of the rule name.
The selected rule is disabled.

8. Click OK in the Firewall rules window.

9. Click OK in the Firewall Management window.

10. Click OK in the Properties: <Policy name> window.

The speci ed task settings are saved. The new rule parameters will be sent to Windows Firewall.

Adding Firewall rules manually

You can only add and edit rules for applications and ports. You cannot add new or edit existing group rules.

To add a new or edit an existing rule for ltering incoming network tra ic:

420
1. Expand the Managed devices node in the Kaspersky Security Center Administration Console tree.

2. Select the administration group for which you want to con gure application settings.

3. Perform one of the following actions in the details pane of the selected administration group:

To con gure application settings for a group of protected devices, select the Policies tab and open the
Properties: <Policy name> window.

To con gure the application for a single protected device, select the Devices tab and open the Application
settings window.

If an active Kaspersky Security Center policy is applied to a device and blocks changes to application
settings, then these settings cannot be edited in the Application settings window.

4. In the Network activity control section, click the Settings button in the Firewall Management subsection.

5. Click the Rules list button in the window that opens.

The Firewall rules window opens.

6. Depending on the type of rule you want to add, select the Applications or Ports tab and perform one of the
following actions:

To edit an existing rule, select the rule you want to edit in the rule list and click Edit.

To add a new rule, click Add.

Depending on the type of rule being con gured, the Application rule window or Port rule window opens.

7. In the window that opens, perform the following operations:

If you are working with an application rule, do the following:

a. In the Rule name eld enter the name of the edited rule.

b. Specify the Application path to the executable le of the application for which you are allowing a
connection by modifying this rule.
You can set the path manually or by using the Browse button.

c. In the Rule application scope eld, specify the network addresses for which the modi ed rule will be
applied.

You can only use IPv4 addresses.

If you are working with a port rule, do the following:

a. In the Rule name eld enter the name of the edited rule.

b. Specify the Port number for which the application will allow connections.

c. Select the type of protocol (TCP / UDP) for which the application will allow connections.

421
 d. In the Rule application scope eld, specify the network addresses for which the modi ed rule will be
applied.

You can only use IPv4 addresses.

8. Click OK in the Application rule or Port rule window.

9. Click OK in the Firewall Management window.

10. Click OK in the Properties: <Policy name> window.

The speci ed task settings are saved. The new rule parameters will be sent to Windows Firewall.

Deleting Firewall rules

You can only delete application and port rules. You cannot delete existing group rules.

To delete an existing rule for ltering incoming network tra ic, perform the following actions:

1. Expand the Managed devices node in the Kaspersky Security Center Administration Console tree.

2. Select the administration group for which you want to con gure application settings.

3. Perform one of the following actions in the details pane of the selected administration group:

To con gure application settings for a group of protected devices, select the Policies tab and open the
Properties: <Policy name> window.

To con gure the application for a single protected device, select the Devices tab and open the Application
settings window.

If an active Kaspersky Security Center policy is applied to a device and blocks changes to application
settings, then these settings cannot be edited in the Application settings window.

4. In the Network activity control section click the Settings button in the Firewall Management subsection.

5. Click the Rules list button in the window that opens.

The Firewall rules window opens.

6. Depending on the type of rule whose status you want to modify, select the Applications or Ports tab.

7. In the rule list, select the rule you want to delete.

8. Click the Delete button.

The selected rule is deleted.

9. Click OK in the Firewall rules window.

10. Click OK in the Firewall Management window.

422
 11. Click OK in the Properties: <Policy name> window.

The speci ed Firewall Management task settings are saved. The new rule parameters will be sent to Windows
Firewall.

Managing Firewall rules via the Application Console

In this section, learn how to manage Firewall rules via the Application Console interface.

Enabling and disabling Firewall rules

To enable or disable an existing rule for ltering incoming network tra ic, perform the following actions:

1. In the Application Console tree, expand the Server Control node.

2. Select the Firewall Management child node.

3. Click the Firewall rules link in the details pane of the Firewall Management node.
The Firewall rules window opens.

4. Depending on the type of the rule whose status you want to modify, select the Applications or Ports tab.

5. In the rule list, select the rule whose status you want to modify and perform one of the following actions:

If you want to enable a disabled rule, select the check box to the left of the rule name.
The selected rule is enabled.

If you want to disable an enabled rule, clear the check box to the left of the rule name.
The selected rule is disabled.

6. Click Save in the Firewall rules window.

The speci ed task settings are saved. The new rule parameters will be sent to Windows Firewall.

Adding Firewall rules manually

To add a new or edit an existing rule for ltering incoming network tra ic:

1. In the Application Console tree, expand the Server Control node.

2. Select the Firewall Management child node.

3. Click the Firewall rules link in the details pane of the Firewall Management node.
The Firewall rules window opens.

4. Depending on the type of rule you want to add, select the Applications or Ports tab and perform one of the
following actions:

To edit an existing rule, select the rule you want to edit in the rule list and click Edit.
423
 To add a new rule, click Add.
Depending on the type of rule being con gured, the Application rule window or Port rule window opens.

5. In the window that opens, perform the following operations:

If you are working with an application rule, do the following:

a. In the Rule name eld enter the name of the edited rule.

b. Specify the Application path to the executable le of the application for which you are allowing a
connection by modifying this rule.
You can set the path manually or by using the Browse button.

c. In the Rule application scope eld, specify the network addresses for which the modi ed rule will be
applied.

You can only use IPv4 addresses.

If you are working with a port rule, do the following:

a. In the Rule name eld enter the name of the edited rule.

b. Specify the Port number for which the application will allow connections.

c. Select the type of protocol (TCP / UDP) for which the application will allow connections.

d. In the Rule application scope eld, specify the network addresses for which the modi ed rule will be
applied.

You can only use IPv4 addresses.

6. Click OK in the Application rule or Port rule window.

7. Click Save in the Firewall rules window.

The speci ed task settings are saved. The new rule parameters will be sent to Windows Firewall.

Deleting Firewall rules

You can only delete application and port rules. You cannot delete existing group rules.

To delete an existing rule for ltering incoming network tra ic, perform the following actions:

1. In the Application Console tree, expand the Server Control node.

2. Select the Firewall Management child node.

3. Click the Firewall rules link in the details pane of the Firewall Management node.
The Firewall rules window opens.
424
 4. Depending on the type of rule whose status you want to modify, select the Applications or Ports tab.

5. In the rule list, select the rule you want to delete.

6. Click the Delete button.

The selected rule is deleted.

7. Click Save in the Firewall rules window.

The speci ed task settings are saved. The new rule parameters will be sent to Windows Firewall.

Managing Firewall rules via the Web Plug-in

To con gure the Firewall rules via the Web Plug-in:

1. In the main window of Web Console, select Devices → Policies & pro les.

2. Click the policy name you want to con gure.

3. In the <Policy name> window that opens select the Application settings tab.

4. Select the Network activity control section.

5. Click Settings in the Firewall Management subsection.

6. Con gure the settings described in the table below.

Firewall Management task settings

Setting Description

Application You can manage application rules.

rules
This type of rule allows targeted network connections for speci ed applications. The
triggering criterion for these rules is based on a path to an executable le.

Port rules You can manage port rules.

This type of rule allows network connections for speci ed ports and protocols (TCP /
UDP). The triggering criteria for these rules are based on the port number and protocol
type.

Task You can con gure settings to start the task on a schedule.
management

Enabling and disabling Firewall rules

To enable or disable an existing rule for ltering incoming network tra ic, perform the following actions:

1. In the main window of Web Console, select Devices → Policies & pro les.

2. Click the policy name you want to con gure.

3. In the <Policy name> window that opens select the Application settings tab.

425
 4. Select the Network activity control section.

5. Click Settings in the Firewall Management subsection.

6. Depending on the type of the rule whose status you want to modify, select the Application rules or Port rules
tab.

7. In the rule list, select the rule whose status you want to modify and perform one of the following actions:

If you want to enable a disabled rule, switch on the toggle button to the left of the rule name.

If you want to disable an enabled rule, switch o the toggle button to the left of the rule name.

8. Click OK.

The speci ed task settings are saved. The new rule parameters will be sent to Windows Firewall.

Adding Firewall rules manually

To add a new or edit an existing rule for ltering incoming network tra ic:

1. In the main window of Web Console, select Devices → Policies & pro les.

2. Click the policy name you want to con gure.

3. In the <Policy name> window that opens select the Application settings tab.

4. Select the Network activity control section.

5. Click Settings in the Firewall Management subsection.

6. Depending on the type of the rule whose status you want to modify, select the Application rules or Port rules
tab and perform one of the following actions:

To edit an existing rule, select the rule you want to edit and click Edit.

To add a new rule, click Add.

7. On the right part of the screen, perform the following operations:

If you are working with an application rule, do the following:

a. In the Rule name eld enter the name of the edited rule.

b. Specify the Application path to the executable le of the application for which you are allowing a
connection by modifying this rule.

c. In the Rule application scope eld, specify the network addresses for which the modi ed rule will be
applied.

You can only use IPv4 addresses.

If you are working with a port rule, do the following:

426
 a. In the Rule name eld enter the name of the edited rule.

b. Specify the port number for which the application will allow connections.

c. Select the type of protocol (TCP / UDP) for which the application will allow connections.

d. In the Rule application scope eld, specify the network addresses for which the modi ed rule will be
applied.

You can only use IPv4 addresses.

8. Click OK.

9. Click OK in the Firewall Management window.

The speci ed task settings are saved. The new rule parameters will be sent to Windows Firewall.

Deleting Firewall rules

You can only delete application and port rules. You cannot delete existing group rules.

To delete an existing rule for ltering incoming network tra ic, perform the following actions:

1. In the main window of Web Console, select Devices → Policies & pro les.

2. Click the policy name you want to con gure.

3. In the <Policy name> window that opens select the Application settings tab.

4. Select the Network activity control section.

5. Click Settings in the Firewall Management subsection.

6. Depending on the type of the rule you want to delete, select the Application rules or Port rules tab.

7. In the rule list, select the rule you want to delete.

8. Click the Delete button.

The selected rule is deleted.

9. Click OK.

The speci ed task settings are saved. The new rule parameters will be sent to Windows Firewall.

427
File Integrity Monitor
This section contains information about starting and con guring the File Integrity Monitor task.

About the File Integrity Monitor task

The File Integrity Monitor task is designed to track actions performed with the speci ed les and folders in the
monitoring scopes speci ed in the task settings. You can use the task to detect le changes that may indicate a
security breach on the protected device. You can also con gure le changes to be tracked during periods in which
monitoring is interrupted.

A monitoring interruption occurs when the monitoring scope temporarily falls outside the scope of the task, e.g. if
the task is stopped or if an external device is not physically present on a protected device. Kaspersky Security for
Windows Server reports detected le operations in the monitoring scope as soon as an external device is
reconnected.

If the tasks stops running in the speci ed monitoring scope due to a reinstallation of the File Integrity Monitor
component, this does not constitute a monitoring interruption. In this case, the File Integrity Monitor task is
not run.

Requirements on the environment

To start the File Integrity Monitor task, the following conditions must be satis ed:

ReFS or NTFS le systems must be used on the protected device.

The Windows USN Journal must be enabled. The component queries this journal to receive information about
le operations.

If you enable USN Journal after a rule has been created for a volume and the File Integrity Monitor task has
been started, the task must be restarted. If not, the rule will not be applied during monitoring.

Excluded monitoring scopes

You can create excluded monitoring scopes. Exclusions are speci ed for each separate rule and work only for the
indicated monitoring scope. You can specify an unlimited number of exclusions for each rule.

Exclusions have higher priority than the monitoring scope and are not monitored by the task, even if an
indicated folder or le is in the monitoring scope. If the settings for one of the rules specify a monitoring
scope at a lower level than a folder speci ed in exclusions, the monitoring scope is not considered when the
task is run.

To specify exclusions, you can use the same masks that are used to specify monitoring scopes.

About le operation monitoring rules

428
The File Integrity Monitor is run based on le operation monitoring rules. You can use rule triggering criteria to
con gure the conditions that trigger the task, and adjust the importance level for detected le operation events
recorded in the task log.

A le operation monitoring rule is speci ed for each monitoring scope.

You can con gure the following rule triggering criteria:

Trusted users.

File operation markers.

Trusted users

By default, the application treats all user actions as potential security breaches. The trusted user list is empty. You
can con gure the event importance level by creating a list of trusted users in the le operation monitoring rule
settings.

Untrusted user – any user not indicated in the trusted user list in the monitoring scope rule settings. If Kaspersky
Security for Windows Server detects a le operation performed by an untrusted user, the File Integrity Monitor
task records a Critical event in the task log.

Trusted user – a user or group of users authorized to perform le operations in the speci ed monitoring scope. If
Kaspersky Security for Windows Server detects le operations performed by a trusted user, the File Integrity
Monitor task records an Informational event in the task log.

Kaspersky Security for Windows Server cannot determine the users that initiate operations during monitoring
interruptions. In this case, the user status is determined to be unknown.

Unknown user – This status is assigned to a user if Kaspersky Security for Windows Server cannot receive
information about a user due to a task interruption or a failure of the data synchronization driver or USN Journal. If
Kaspersky Security for Windows Server detects a le operation performed by an unknown user, the File Integrity
Monitor task records a Warning event in the task log.

File operation markers

When the File Integrity Monitor task runs, Kaspersky Security for Windows Server uses le operation markers to
determine that an action has been performed on a le.

A le operation marker is a unique descriptor that can characterize a le operation.

Each le operation can be a single action or a chain of actions with les. Each action of this kind is equated to a le
operation marker. If the marker you specify as a rule triggering criterion is detected in a le operation chain, the
application logs an event indicating that the given le operation was performed.

The importance level of the logged events does not depend on the selected le operation markers or the number
of events.

By default, Kaspersky Security for Windows Server considers all available le operation markers. You can
select le operation markers manually in the task's rule settings.

File operation markers

File operation ID File operation marker Supported le

429
 systems

BASIC_INFO_CHANGE Attributes or time markers of a le or folder changed NTFS, ReFS

COMPRESSION_CHANGE Compression of a le or folder changed NTFS, ReFS

DATA_EXTEND Size of le or folder increased NTFS, ReFS

DATA_OVERWRITE Data in a le or folder was overwritten NTFS, ReFS

DATA_TRUNCATION File or folder truncated NTFS, ReFS

EA_CHANGE Extended le or folder attributes changed Only NTFS

ENCRYPTION_CHANGE Encryption status of le or folder changed NTFS, ReFS

FILE_CREATE File or folder created for the rst time NTFS, ReFS

FILE_DELETE File or folder permanently deleted using a SHIFT+DEL NTFS, ReFS

combination

HARD_LINK_CHANGE Hard link created or deleted for le or folder Only NTFS

INDEXABLE_CHANGE Index status of le or folder changed NTFS, ReFS

INTEGRITY_CHANGE Integrity attribute changed for a named le stream Only ReFS

NAMED_DATA_EXTEND Size of a named le stream increased NTFS, ReFS

NAMED_DATA_OVERWRITE Named le stream overwritten NTFS, ReFS

NAMED_DATA_TRUNCATION Named le stream truncated NTFS, ReFS

OBJECT_ID_CHANGE File or folder identi er changed NTFS, ReFS

RENAME_NEW_NAME New name assigned to le or folder NTFS, ReFS

REPARSE_POINT_CHANGE New reparse point created or existing reparse point NTFS, ReFS
changed for a le or folder

SECURITY_CHANGE File or folder access rights changed NTFS, ReFS

STREAM_CHANGE New named le stream created or existing named le NTFS, ReFS

stream changed

TRANSACTED_CHANGE Named le stream changed by TxF transaction Only ReFS

Default File Integrity Monitor task settings

By default, the File Integrity Monitor task has the settings described in the table below. You can change the values
of these settings.

Default File Integrity Monitor task settings

Default
Setting Description
value

Monitoring scope Not You can specify the folders and les for which actions will be
con gured monitored. Monitoring events will be generated for the folders
and les in the speci ed monitoring scope.

Trusted users list Not You can specify users and/or groups of users, whose actions in
con gured the speci ed folders will be treated as safe by the component.

Log information about Used You can enable or disable logging of le operations performed in
le operations that the indicated monitoring scopes during periods in which the task
430
 appear during the in not running.
monitor interruption
period

Block attempts to Used You can enable or disable protection of the USN log.
compromise the USN
log

Exclude the following Not applied You can check the use of exclusions for folders in which le
folders from control operations do not need to be monitored. When the File Integrity
Monitor task runs, Kaspersky Security for Windows Server will skip
monitoring scopes speci ed as exclusions.

Checksum calculation Not applied You can con gure calculation of the le checksum after changes
are made in the le.

Set le operations All available You can specify the set of le operation markers. If a le
markers le operation performed in a monitoring scope is characterized by
operation one or more speci ed markers, Kaspersky Security for Windows
markers are Server generates an audit event.
considered

Task start schedule First run is You can con gure the settings for starting the task on a schedule.
not
scheduled

Managing File Integrity Monitor via the Administration Plug-in

In this section, learn how to con gure the File Integrity Monitor task via the Administration Plug-in.

Con guring the File Integrity Monitor task

To con gure general File Integrity Monitor task settings, perform the following steps:

1. Expand the Managed devices node in the Kaspersky Security Center Administration Console tree.

2. Select the administration group for which you want to con gure application settings.

3. Perform one of the following actions in the details pane of the selected administration group:

To con gure application settings for a group of protected devices, select the Policies tab and open the
Properties: <Policy name> window.

To con gure the application for a single protected device, select the Devices tab and open the Application
settings window.

If an active Kaspersky Security Center policy is applied to a device and blocks changes to application
settings, then these settings cannot be edited in the Application settings window.

4. In the System inspection section in the File Integrity Monitor subsection, click the Settings button.
The File Integrity Monitor window opens.

431
 5. In the File operations monitoring settings tab in the window that opens, con gure the following settings:

a. Clear or select the Log information about le operations that appear during the monitoring interruption
period check box.

b. Clear or select the Block attempts to compromise the USN log check box.

The check box enables or disables protection of the USN log.

If the check box is selected, Kaspersky Security for Windows Server will block attempts to delete the
USN log or to compromise the USN log's content.
If the check box is cleared, the application will not monitor changes to the USN log.
The check box is selected by default.

c. Add the monitoring scopes to be monitored by the task.

6. On the Task management tab, con gure the task settings for starting the task on a schedule.

7. Click OK to save the changes.

Con guring monitoring rules

To add a monitoring scope, perform the following steps:

1. Expand the Managed devices node in the Kaspersky Security Center Administration Console tree.

2. Select the administration group for which you want to con gure application settings.

3. Perform one of the following actions in the details pane of the selected administration group:

To con gure application settings for a group of protected devices, select the Policies tab and open the
Properties: <Policy name> window.

To con gure the application for a single protected device, select the Devices tab and open the Application
settings window.

If an active Kaspersky Security Center policy is applied to a device and blocks changes to application
settings, then these settings cannot be edited in the Application settings window.

4. In the System inspection section in the File Integrity Monitor subsection, click the Settings button.
The File Integrity Monitor window opens.

5. In the Monitoring scope section, click the Add button.

The File operations monitoring rule window opens.

6. Add a monitoring scope in one of the following ways:

If you want to select folders through the standard Microsoft Windows dialog:

a. Click the Browse button.

432
 The standard Microsoft Windows Browse For Folder window opens.

b. In the window that opens, select the folder for which you want to monitor operations, and click the OK
button.

If you want to specify a monitoring scope manually, add a path using a supported mask:

<*.ext> - all les with the extension <ext>, regardless of their location;

<*\name.ext> - all les with name <name> and extension <ext>, regardless of their location;

<\dir\*> - all les in folder <\dir>;

<\dir\*\name.ext> - all les with the name <name> and extension <ext> in folder <\dir> and all of its child
folders.

When specifying a monitoring scope manually, be sure that the path is in the following format: <volume
letter>:\<mask>. If the volume letter is missing, Kaspersky Security for Windows Server will not add the
speci ed monitoring scope.

7. In the Trusted users tab, click the Add button.

The standard Microsoft Windows Select Users or Groups window opens.

8. Select the users or groups of users for whom le operations are allowed in the selected monitoring scope, and
click the OK button.

By default, Kaspersky Security for Windows Server treats all users not on the trusted user list as
untrusted, and generates Critical events for them.

9. Select the File operation markers tab.

10. If required, perform the following actions to select several markers:

a. Select the Detect le operations basing on the following markers option.

b. In the list of available le operations select the check boxes next to the operations you want to monitor.

By default Kaspersky Security for Windows Server detects all le operation markers, the Detect le
operations basing on all recognizable markers option is selected.

11. If you want Kaspersky Security for Windows Server to calculate a le checksum after an operation is
performed, do the following:

a. Select the Calculate checksum for the le if possible. The checksum will be available for viewing in the
task report check box.

b. In the Checksum type drop down list, select one of the options:

MD5 hash

SHA256 hash

433
12. If you do not want to monitor all le operations in the list of available le operations, select the check boxes
next to the operations you want to monitor.

13. If necessary, add excluded monitoring scopes by performing the following steps:

a. Select the Exclusions tab.

b. Select the Exclude the following folders from control check box.

c. Click the Add button.

The Select folder to add window opens.

d. In the window that opens, specify the folder that you want to exclude from the monitoring scope.

e. Click OK.
The speci ed folder is added to the list of excluded scopes.

14. Click OK in the File operations monitoring rule window.

The speci ed rule settings will be applied to the selected monitoring scope of the File Integrity Monitor task.

Managing File Integrity Monitor via the Application Console

In this section, learn how to con gure the File Integrity Monitor task via the Application Console.

Con guring File Integrity Monitor task settings

To con gure general File Integrity Monitor task settings, perform the following steps:

1. In the Application Console tree, expand the System Inspection node.

2. Select the File Integrity Monitor child node.

3. Click the Properties link in the details pane of the File Integrity Monitor node.
The Task settings window opens.

4. In the window that opens, on the General tab, con gure the following settings:

a. Clear or select the Log information about le operations that appear during the monitor interruption
period check box.

b. Clear or select the Block attempts to compromise the USN log check box.

The check box enables or disables protection of the USN log.

If the check box is selected, Kaspersky Security for Windows Server will block attempts to delete the
USN log or to compromise the USN log's content.
If the check box is cleared, the application will not monitor changes to the USN log.
The check box is selected by default.

434
 5. On the Schedule and Advanced tabs, con gure the task start schedule.

6. Click OK to save the changes.

Con guring monitoring rules

To add a monitoring scope:

1. In the Application Console tree, expand the System Inspection node.

2. Select the File Integrity Monitor child node.

3. Click the File operations monitoring rules link in the details pane of the File Integrity Monitor node.
The File operations monitoring window opens.

4. Add a monitoring scope in one of the following ways:

If you want to select folders through the standard Microsoft Windows dialog:

a. On the left side of the window, click the Browse button.

The standard Microsoft Windows Browse For Folder window opens.

b. In the window that opens, select the folder for which you want to monitor operations, and click the OK
button.

c. Click the Add button to have Kaspersky Security for Windows Server start monitoring le operations in
the indicated monitoring scope.

If you want to specify a monitoring scope manually, add a path using a supported mask:

<*.ext> - all les with the extension <ext>, regardless of their location;

<*\name.ext> - all les with name <name> and extension <ext>, regardless of their location;

<\dir\*> - all les in folder <\dir>;

<\dir\*\name.ext> - all les with the name <name> and extension <ext> in folder <\dir> and all of its child
folders.

When specifying a monitoring scope manually, be sure that the path is in the following format: <volume
letter>:\<mask>. If the volume letter is missing, Kaspersky Security for Windows Server will not add the
speci ed monitoring scope.

On the right side of the window, the Rule description tab displays the trusted users and le operation markers
selected for this monitoring scope.

5. In the list of added monitoring scopes, select the scope whose settings you want to con gure.

6. Select the Trusted users tab.

7. Click the Add button.

435
 The standard Microsoft Windows Select Users or Groups window opens.

8. Select the users or groups of users that Kaspersky Security for Windows Server will consider trusted for the
selected monitoring scope.

9. Click OK.

By default, Kaspersky Security for Windows Server treats all users not on the trusted user list as
untrusted, and generates Critical events for them.

10. Select the Set le operations markers tab.

11. If required, perform the following actions to select several markers:

a. Select the Detect le operations basing on the following markers option.

b. In the list of available le operations select the check boxes next to the operations you want to monitor.

By default, Kaspersky Security for Windows Server detects all le operation markers, i.e. the Detect le
operations basing on all recognizable markers option is selected.

12. If you want Kaspersky Security for Windows Server to calculate a le checksum after an operation is
performed, do the following:

a. In the Checksum calculation section, select the Calculate checksum for a le nal version, after the le
was changed, if possible. The checksum will be available for viewing in the task log check box.

b. In the Calculate the checksum using the algorithm drop down list select one of the options:

MD5 hash.

SHA256 hash.

13. If necessary, add excluded monitoring scopes by performing the following steps:

a. Select the Set exclusions tab.

b. Select the Consider excluded monitoring scope check box.

c. Click the Browse button.

The standard Microsoft Windows Browse For Folder window opens.

d. In the window that opens, specify the folder that you want to exclude from the monitoring scope.

e. Click OK.

f. Click the Add button.

The speci ed folder is added to the list of excluded scopes.

You can also add excluded monitoring scopes manually using the same masks that are used to specify
monitoring scopes.

436
14. Click the Save button to apply the new rule con guration.

Managing File Integrity Monitor via the Web Plug-in

In this section, learn how to con gure the File Integrity Monitor task via the Web Plug-in.

Con guring the File Integrity Monitor task

To con gure the File Integrity Monitor task via the Web Plug-in:

1. In the main window of Web Console, select Devices → Policies & pro les.

2. Click the policy name you want to con gure.

3. In the <Policy name> window that opens select the Application settings tab.

4. Select the System Inspection section.

5. Click Settings in the File Integrity Monitor subsection.

6. In the File Integrity Monitor window that opens, on the File operations monitoring settings tab, con gure the
following settings:

a. Clear or select the Log information about le operations that appear during the monitoring interruption
period check box.

b. Clear or select the Block attempts to compromise the USN log check box.

The check box enables or disables protection of the USN log.

If the check box is selected, Kaspersky Security for Windows Server will block attempts to delete the
USN log or to compromise the USN log's content.
If the check box is cleared, the application will not monitor changes to the USN log.
The check box is selected by default.

7. On the Task management tab, con gure the task start schedule.

8. Click OK to save the changes.

Con guring monitoring rules

To add a monitoring scope, perform the following steps:

1. In the main window of Web Console, select Devices → Policies & pro les.

2. Click the policy name you want to con gure.

437
3. In the <Policy name> window that opens select the Application settings tab.

4. Select the System Inspection section.

5. Click Settings in the File Integrity Monitor subsection.

6. In the File Integrity Monitor window that opens, open the File operations monitoring settings tab.

7. In the USN log section, click the Add button.

The File operations monitoring rule window opens.

8. In the Monitor le operations for the scope, specify a path using a supported mask:

<*.ext> - all les with the extension <ext>, regardless of their location;

<*\name.ext> - all les with name <name> and extension <ext>, regardless of their location;

<\dir\*> - all les in folder <\dir>;

<\dir\*\name.ext> - all les with the name <name> and extension <ext> in folder <\dir> and all of its child
folders.

When specifying a monitoring scope manually, be sure that the path is in the following format: <volume
letter>:\<mask>. If the volume letter is missing, Kaspersky Security for Windows Server will not add the
speci ed monitoring scope.

9. In the Trusted users tab, click the Add button.

Specify the user in the User name eld.

By default, Kaspersky Security for Windows Server treats all users not on the trusted user list as
untrusted, and generates Critical events for them.

10. Select the File operation markers tab.

11. If required, perform the following actions to select several markers:

a. Select the Detect le operations basing on the following markers option.

b. In the list of available le operations select the check boxes next to the operations you want to monitor.

By default Kaspersky Security for Windows Server detects all le operation markers, the Detect le
operations basing on all recognizable markers option is selected.

12. If you want Kaspersky Security for Windows Server to calculate a le checksum after an operation is
performed, do the following:

a. Select the Calculate checksum for the le if possible. The checksum will be available for viewing in the
task report check box.

b. In the Checksum type drop down list, select one of the options:

438
 SHA256 hash

MD5 hash

13. If you do not want to monitor all le operations in the list of available le operations, select the check boxes
next to the operations you want to monitor.

14. If necessary, add excluded monitoring scopes by performing the following steps:

a. Select the Exclusions tab.

b. Select the Exclude the following folders from control check box.

c. Click the Add button.

The Select folder to add window opens.

d. In the pane that opens on the right, specify the folder that you want to exclude from the monitoring scope.

e. Click OK.
The speci ed folder is added to the list of excluded scopes.

15. Click OK in the File operations monitoring rule window.

The speci ed rule settings will be applied to the selected monitoring scope of the File Integrity Monitor task.

439
Log Inspection
This section contains information about the Log Inspection task and task settings.

About the Log Inspection task

When the Log Inspection task runs, Kaspersky Security for Windows Server monitors the integrity of the
protected environment based on the results of an inspection of Windows event logs. The application noti es the
administrator upon detecting abnormal behavior that may indicate attempted cyberattacks.

Kaspersky Security for Windows Server analyzes the Windows event logs and identi es breaches based on the
rules speci ed by the user or by the settings of the heuristic analyzer, which the task uses to inspect logs.

Prede ned rules and heuristic analysis

You can use the Log Inspection task to monitor the state of the protected system by applying prede ned rules
based on existing heuristics. The heuristic analyzer identi es abnormal activity on the protected device, which may
be evidence of an attempted attack. Templates to identify abnormal behavior are included in the available rules in
the prede ned rules settings.

Seven rules are included in the rule list for the Log Inspection task. You can enable or disable any of the rules. You
cannot delete existing rules or create new rules.

You can con gure the triggering criteria for rules that monitor events for the following operations:

Password brute-force detection

Network login detection

You can also con gure exclusions in the task settings. The heuristic analyzer is not activated when a login is
conducted by a trusted user or from a trusted IP address.

Kaspersky Security for Windows Server does not use heuristics to inspect Windows logs if the heuristic
analyzer is not used by the task. By default, the heuristic analyzer is enabled.

When the rules are applied, the application records a Critical event in the Log Inspection task log.

Custom rules for the Log Inspection task

You can use the rule settings to specify and change the criteria for triggering rules upon detecting the selected
events in the speci ed Windows log. By default, the list of Log Inspection rules has four rules. You can enable and
disable these rules, remove rules, and edit rule settings.

You can con gure the following rule triggering criteria for each rule:

List of record identi ers in the Windows Event Log.

The rule is triggered when a new record is created in the Windows Event Log, if the event properties includes an
event identi er speci ed in the rule. You can also add and remove identi ers for each speci ed rule.

440
 Event source.
For each rule, you can specify a log within the Windows Event Log. The application will search for records with
the speci ed event identi ers only in this log. You can select one of the standard logs (Application, Security, or
System), or specify a custom log by entering the name in the source selection eld.

The application does not verify that the speci ed log actually exists in the Windows Event Log.

When the rule is triggered, Kaspersky Security for Windows Server records a Critical event in the Log Inspection
task log.

By default, the Log Inspection task applies custom rules.

Before starting the Log Inspection task make sure the system audit policy is set up correctly. Refer to the
Microsoft article for details.

Default Log Inspection task settings

By default, the Log Inspection task has the settings described in the table below. You can change the values of
these settings.

Default Log Inspection task settings

Setting Default value Description

Apply custom Applied. You can enable, disable, add, or modify the custom rules.
rules for log
inspection

Apply Applied. You can enable or disable the heuristic analyzer, which detects
prede ned rules abnormal activity on the protected device.
for log
inspection

Brute-force 10 logon You can set the number of attempts and time frame used, which will
attack detection failures per be considered as triggers by the heuristic analyzer.
300 seconds.

Network logon 12:00:00 AM. You can indicate the start and end of the time interval during which
Kaspersky Security for Windows Server treats sign-in attempts as
abnormal activity.

Exclusions Not applied. You can specify users and IP addresses which will not trigger the
heuristic analyzer.

Task start First run is not You can con gure settings to start the task on a schedule.
schedule scheduled.

Managing Log Inspection rules via the Administration Plug-in

In this section, learn how to add and con gure Log Inspection rules via the Administration Plug-in.

441
Con guring prede ned task rules
Perform the following actions to con gure the prede ned rules for the Log Inspection task:

1. Expand the Managed devices node in the Kaspersky Security Center Administration Console tree.

2. Select the administration group for which you want to con gure application settings.

3. Perform one of the following actions in the details pane of the selected administration group:

To con gure application settings for a group of protected devices, select the Policies tab and open the
Properties: <Policy name> window.

To con gure the application for a single protected device, select the Devices tab and open the Application
settings window.

If an active Kaspersky Security Center policy is applied to a device and blocks changes to application
settings, then these settings cannot be edited in the Application settings window.

4. In the System inspection section, click the Settings button in the Log Inspection subsection.
The Log Inspection window opens.

5. Select the Prede ned rules tab.

6. Select or clear the Apply prede ned rules for log inspection check box.

For the task to run, at least one Log Inspection rule must be selected.

7. Select the rules you want to apply from the list of prede ned rules:

There are patterns of a possible brute-force attack in the system.

There are patterns of a possible Windows Event log abuse.

Atypical actions detected on behalf of a new service installed.

Atypical logon that uses explicit credentials detected.

There are patterns of a possible Kerberos forged PAC (MS14-068) attack in the system.

Atypical actions detected directed at a privileged built-in group Administrators.

There is an atypical activity detected during a network logon session.

8. To con gure the selected rules, click the Advanced settings button.
The Log Inspection window opens.

9. In the Brute-force attack detection section, set the number of attempts and time frame used as triggers by
the heuristic analyzer.

442
10. In the Network logon detection section, indicate the start and end of the time interval during which Kaspersky
Security for Windows Server treats sign-in attempts as abnormal activity.

11. Select the Exclusions tab.

12. Perform the following actions to add trusted users:

a. Click the Browse button.

b. Select a user.

c. Click OK.
The selected user is added to the list of trusted users.

13. Perform the following actions to add trusted IP addresses:

a. Enter the IP address.

b. Click the Add button.

14. The entered IP address is added to the list of trusted IP addresses.

15. On the Task management tab, con gure the task start schedule.

16. Click OK in the Log Inspection window.

The Log Inspection task con guration is saved.

Adding Log Inspection rules via the Administration Plug-in

Perform the following actions to add and con gure a new custom Log Inspection rule:

1. Expand the Managed devices node in the Kaspersky Security Center Administration Console tree.

2. Select the administration group for which you want to con gure application settings.

3. Perform one of the following actions in the details pane of the selected administration group:

To con gure application settings for a group of protected devices, select the Policies tab and open the
Properties: <Policy name> window.

To con gure the application for a single protected device, select the Devices tab and open the Application
settings window.

If an active Kaspersky Security Center policy is applied to a device and blocks changes to application
settings, then these settings cannot be edited in the Application settings window.

4. In the System inspection section, click the Settings button in the Log Inspection subsection.
The Log Inspection window opens.

5. On the Custom rules tab, select or clear the Apply custom rules for log inspection check box.

443
 You can control whether the preset rules are applied for Log Inspection. Select the check boxes
corresponding to the rules you want to apply for Log Inspection.

6. To add a new custom rule, click the Add button.

The Custom log inspection rule window opens.

7. In the General section specify the following information about the new rule:

Rule name

Source

8. In the Triggered events ID section, specify the event IDs that will trigger the rule:

a. Enter an ID.

b. Click the Add button.

The entered event ID is added to the list. You can add an unlimited number of identi ers to each rule.

9. Click OK.
The Log Inspection rule is added to the list of rules.

Managing Log Inspection rules via the Application Console

In this section, learn how to add and con gure Log Inspection rules via the Application Console.

Con guring prede ned task rules

Perform the following actions to con gure the heuristic analyzer for the Log Inspection task:

1. In the Application Console tree, expand the System Inspection node.

2. Select the Log Inspection child node.

3. Click the Properties link in the details pane of the Log Inspection node.
The Task settings window opens.

4. Select the Prede ned rules tab.

5. Select or clear the Apply prede ned rules for log inspection check box.

For the task to run, at least one Log Inspection rule must be selected.

6. Select the rules you want to apply from the list of prede ned rules:

There are patterns of a possible brute-force attack in the system.

444
 There are patterns of a possible Windows Event log abuse.

Atypical actions detected on behalf of a new service installed.

Atypical logon that uses explicit credentials detected.

There are patterns of a possible Kerberos forged PAC (MS14-068) attack in the system.

Atypical actions detected directed at a privileged built-in group Administrators.

There is an atypical activity detected during a network logon session.

7. To con gure the selected rules, go to the Extended tab.

8. In the Brute-force attack detection section, set the number of attempts and time frame used as triggers by
the heuristic analyzer.

9. In the Network logon section, indicate the start and end of the time interval during which Kaspersky Security
for Windows Server treats sign-in attempts as abnormal activity.

10. Select the Exclusions tab.

11. Perform the following actions to add trusted users:

a. Click the Browse button.

b. Select a user.

c. Click OK.
The selected user is added to the list of trusted users.

12. Perform the following actions to add trusted IP addresses:

a. Enter the IP address.

b. Click the Add button.

The entered IP address is added to the list of trusted IP addresses.

13. Select the Schedule and Advanced tabs to con gure the task start schedule.

14. Click OK in the Task settings window.

The Log Inspection task con guration is saved.

Adding Log Inspection rules via the Application Console

To add and con gure a new custom Log Inspection rule:

1. In the Application Console tree, expand the System Inspection node.

2. Select the Log Inspection child node.

3. In the details pane of the Log Inspection node, click the Log inspection rules link.

445
4. The Log inspection rules window opens.

5. Select or clear the Apply custom rules for log inspection. The rules con gured are not applied until the
checkbox is selected check box.

You can control whether the prede ned rules are applied to the Log Inspection task. Select the check
boxes corresponding to the rules you want to apply to Log Inspection.

6. To create a new custom rule:

a. Enter the name of the new rule.

b. Click the Add button.

The created rule is added to the general rule list.

7. To con gure any rule:

a. Select a rule from the list.

In the right area of the window, the Description tab displays general information about the rule.

The description for the new rule is blank.

b. Select the Rule description tab.

8. In the General section specify the following information about the new rule:

Rule name

Log name

Source

9. In the Event identi ers section specify the event IDs that will trigger the rule:

a. Enter an event ID.

b. Click the Add button.

The entered event ID is added to the list. You can add an unlimited number of identi ers to each rule.

10. Click the Save button.

The con gured log inspection rules will be applied.

Managing Log Inspection rules via the Web Plug-in

To add and con gure Log Inspection rules via the Web Plug-in:

1. In the main window of Web Console, select Devices → Policies & pro les.

2. Click the policy name you want to con gure.

446
3. In the <Policy name> window that opens select the Application settings tab.

4. Select the System Inspection section.

5. Click Settings in the Log Inspection subsection.

6. Con gure the settings described in the table below.

Log Inspection task settings

Setting Description

Apply custom rules for log You can enable, disable, add, or modify the custom rules.
inspection
The setting is available on the table is with the list of custom
rules.

Apply prede ned rules for log You can enable or disable the heuristic analyzer, which detects
inspection abnormal activity on the protected device.
The setting is available on the table is with the list of custom
rules.

Detect brute-force attack if an You can set the number of attempts and time frame used, which
incorrect password is entered with will be considered as triggers by the heuristic analyzer.
a frequency de ned

Detect network logon, if logged on You can indicate the start and end of the time interval during
within a period de ned which Kaspersky Security for Windows Server treats sign-in
attempts as abnormal activity.

Users Exclusions You can specify users which will not trigger the heuristic
analyzer.

Excluded IP Addresses You can specify IP addresses which will not trigger the heuristic
analyzer.

Task management You can con gure settings to start the task on a schedule.

447
On-Demand Scan
This section provides information about On-Demand Scan tasks, and instructions on con guring On-Demand
Scan task settings and security settings on the protected device.

About On-Demand Scan tasks

Kaspersky Security for Windows Server scans the speci ed area for viruses and other computer security threats.
Kaspersky Security for Windows Server scans protected device les, RAM, and autorun objects.

Kaspersky Security for Windows Server provides the following On-Demand Scan tasks:

The Scan at Operating System Startup task is performed every time Kaspersky Security for Windows Server
starts. Kaspersky Security for Windows Server scans boot sectors and master boot records of hard drives,
removable drives, system memory, and process memory. Every time Kaspersky Security for Windows Server
runs the task, it creates a copy of non-infected boot sectors. If it detects a threat in those sectors the next
time the task starts, it replaces them with the backup copy.

The Scan at Operating System Startup task might not be performed if a protected device wakes up after
either sleep or hibernate mode. The task is performed only at protected device reboot or start up after
complete shut down.

By default, the Critical Areas Scan task is performed weekly on a schedule. Kaspersky Security for Windows
Server scans objects in critical areas of the operating system: autorun objects, boot sectors and master boot
records of hard drives and removable drives, system memory and process memory. The application scans les in
system folders, for example, %windir%\system32. Kaspersky Security for Windows Server applies security
settings that correspond to the Recommended level. You can modify the settings of the Critical Areas Scan
task.

The Quarantine Scan task is executed by default according to a schedule after every database update. The
Quarantine Scan task scope cannot be modi ed.

The Application Integrity Control task is performed daily. It provides the option of checking Kaspersky Security
for Windows Server modules for damage or modi cation. The application installation folder is checked. The
task execution statistics indicate the number of modules checked and the number of modules found to be
corrupted. The values of the task settings are de ned by default and cannot be edited. The task start schedule
settings can be edited.

Additionally, you can create custom On-Demand Scan tasks, for example, a task for scanning shared folders on the
protected device.

Kaspersky Security for Windows Server may run several On-Demand Scan tasks at the same time.

About the task scan scope and security settings

In the Application Console, the scan scope of the selected On-Demand task is displayed as a tree or in the list of
the protected device le resources that Kaspersky Security for Windows Server can control. By default, the
network le resources of the protected device are displayed in a list-view mode.

In the Administration Plug-in only the list view is available.

448
To display network le resources in the tree-view mode in the Application Console,

open the drop down list in the Scan scope settings window upper left sector and select Tree-view.

The items or nodes are displayed in a list-view or in a tree-view mode of the protected device le resources as
follows:

The node is included in the scan scope.

The node is excluded from the scan scope.

At least one of the child nodes of this node is excluded from the scan scope, or the security settings of the child
node(s) di er(s) from the setting of a parental node (for a tree-view mode only).

The icon is displayed if all child nodes are selected, but the parent node is not selected. In this case, changes
in the composition of les and folders of the parent node are disregarded automatically when the scan scope
for the selected child node is being created.

Using the Application Console, you can also add virtual drives to the scan scope. The names of the virtual
nodes are displayed in blue font.

Security settings

In the selected On-Demand task, the default security settings can be modi ed by con guring them as common
settings for the entire protection or scan scope, or as di erent settings for di erent nodes or items in the device's
le resource tree or list.

Security settings con gured for the selected parent node are automatically applied to all child nodes. The security
settings of the parent node are not applied to child nodes that are con gured separately.

The settings for a selected scan scope or protection scope can be con gured using one of the following methods:

Select one of three prede ned security levels (Maximum performance, Recommended, or Maximum
protection).

Manually change the security settings for the selected nodes or items in the tree or list of the protected
device's le resources (the security level changes to Custom).

A set of node settings can be saved in a template in order to be applied later to other nodes.

Prede ned scan scopes

The tree or list of protected device le resources for the selected On-Demand Scan task is displayed in the Scan
scope settings window.

The le resource tree or list displays the nodes to which you have read-access based on the con gured
Microsoft Windows security settings.

Kaspersky Security for Windows Server contains the following prede ned scan scopes:
449
 My Computer. Kaspersky Security for Windows Server scans the entire protected device.

Local hard drives. Kaspersky Security for Windows Server scans objects on a protected device hard drives. All
hard drives, individual disks, folders or les can be included in or excluded from the scan scope.

Removable drives. Kaspersky Security for Windows Server scans les on external devices, such as CDs or
removable drives. All removable drives, individual disks, folders or les can be included in or excluded from the
scan scope.

Network. Network folders or les can be added to the scan scope by specifying their path in UNC (Universal
Naming Convention) format. The account used to start the task must have permissions to access the added
network folders and les. By default, On-Demand Scan tasks run under the system account.

Connected network drives will also not be displayed in the protected device's le resource tree. To include
objects on network drives in the scan scope, specify the path to the folder that corresponds to the
network drive in UNC format.

System memory. Kaspersky Security for Windows Server scans the executable les and modules of the
processes running in the operating system when the scan is initiated.

Startup objects. Kaspersky Security for Windows Server scans objects referred to by registry keys and
con guration les, for example WIN.INI or SYSTEM.INI, as well as the application's modules that are started
automatically at protected device startup.

Shared folders. You can include shared folders on the protected device in the scan scope.

Virtual drives. Virtual folders, les, and drives connected to the protected device can be included in the scan
scope, for example, common cluster drives.

Virtual drives created using a SUBST command are not displayed in the protected device's le resource
tree in the Application Console. In order to scan objects on a virtual drive, include the protected device
folder associated with the virtual drive in the scan scope.

By default, you can view and con gure prede ned scan scopes in the network le resource tree; you can also add
prede ned scopes to the network le resource list during its formation in the scan scope settings.

By default, On-Demand Scan tasks are run under the following scopes:

Scan at Operating System Startup task:

Local hard drives

Removable drives

System memory

Critical Areas Scan:

Local hard drives (excluding Windows folders)

Removable drives

System memory

450
 Startup objects

Other tasks:

Local hard drives (excluding Windows folders)

Removable drives

System memory

Startup objects

Shared folders

Online storage le scanning

About cloud les

Kaspersky Security for Windows Server can interact with Microsoft OneDrive cloud les. The application supports
the new OneDrive Files On-Demand feature.

Kaspersky Security for Windows Server does not support other online storages.

OneDrive Files On-Demand helps you access all your OneDrive les without having to download all of them and use
storage space on your device. You can download les to your hard drive when you need to.

When the OneDrive Files On-Demand feature is on, you see status icons next to each le in the Status column in
File Explorer. Each le has one of the following statuses:

This status icon indicates that the le is only available online. Online-only les are not physically stored on your
hard drive. You can't open online-only les when your device is not connected to the Internet.

This status icon indicates that a le is locally available. This happens when you open an online-only le and it
downloads to your device. You can open a locally available le anytime, even without Internet access. To clear up
space you can change the le back to online-only.

This status icon indicates that a le is stored on your hard drive and is always available.

Cloud le scanning

Kaspersky Security for Windows Server can only scan cloud les that are stored locally on a protected device.
Such OneDrive les have the and statuses. The les are skipped during scanning, since they are not
physically located on the protected device.

Kaspersky Security for Windows Server does not automatically download les from the cloud during the
scanning, even if they are included in the scan scope.

451
Cloud les are processed by several Kaspersky Security for Windows Server tasks in various scenarios depending
on the task type:

Real-time cloud le scanning: you can add folders containing cloud les to the Real-Time File Protection task
protection scope. A le is scanned when it is accessed by the user. If a le is accessed by the user, it is
downloaded, becomes locally available, and its status changes to . This allows the le to be processed by the
Real-Time File Protection task.

On-demand cloud le scanning: you can add folders containing cloud les to the On-Demand Scan task's scan
scope. The task scans les with the and statuses. If any les are found in the scope, they will be skipped
during scanning and an informational event will be recorded in the task log, indicating that the scanned le is
only a placeholder for a cloud le and does not exist on a local drive.

Application Control rule generation and usage: you can create allowing and denying rules for and les using
the Rule Generator for Applications Launch Control task. The Applications Launch Control task applies the
Default Deny principle and created rules to process and block cloud les.

The Applications Launch Control task blocks the start of all cloud les, irrespective of their status. The
les are not included in the rule generation scope by the application, as they are not physically stored on
your hard drive. Since allowing rules cannot be created for such les, they are subject to the Default Deny
principle.

When a threat is detected in a OneDrive cloud le, the application applies the action speci ed in the settings of
the task performing the scanning. Thus, the le may be removed, disinfected, moved to quarantine, or backed up.

Changes to local les are synchronized with the copies stored on OneDrive in accordance with the principles
outlined in the relevant Microsoft OneDrive documentation.

About prede ned security levels

The Use iChecker technology, Use iSwift technology, Use heuristic analyzer, and Check Microsoft
signature in les security settings are not included in the settings for the preset security levels. If the Use
iChecker technology, Use iSwift technology, Use heuristic analyzer, and Check Microsoft signature in les
settings change, the preset security level you have selected will not change.

You can apply one of the following three prede ned security levels to a node selected in the device's le resource
tree: Maximum performance, Recommended, or Maximum protection. Each of these levels contains its own
prede ned security settings (see the table below).

Maximum performance

The Maximum performance security level is recommended if your network has additional protected device
security measures, for example, rewalls and existing security policies, beyond using Kaspersky Security for
Windows Server on protected devices and work stations.

Recommended

452
The Recommended security level ensures the best combination of protection and performance impact on
devices. Kaspersky experts recommend this level as adequate to protect devices on most corporate networks.
The Recommended security level is set by default.

Maximum protection

The Maximum protection security level is recommended if your organization's network has elevated device
security requirements.

Prede ned security levels and corresponding security setting values

Options Security level

Maximum Recommended Maximum

performance protection

Scan objects By format All objects All objects

Scan only new and Enabled Disabled Disabled

modi ed les

Action to perform on Disinfect. Remove Perform recommended action Disinfect. Remove

infected and other if disinfection fails (Disinfect. Remove if disinfection if disinfection fails
objects fails)

Action to perform on Quarantine Perform recommended action Quarantine

probably infected (Quarantine)
objects

Exclude les No No No

Do not detect No No No

Stop scanning if it takes 60 sec. No No

longer than (sec.)

Do not scan compound 8 MB No No

objects larger than (MB)

Scan alternate NTFS Yes Yes Yes

streams

Scan disk boot sectors Yes Yes Yes

and MBR

Scan of compound
SFX archives* Archives* Archives*
objects
Packed SFX archives* SFX archives*
objects*
Packed objects* Email
Embedded OLE databases*
objects* Embedded OLE objects*
* New and * All objects Plain mail*
modi ed
objects only Packed
objects*

Embedded
OLE objects*
* All objects

453
About the Removable Drives Scan
You can con gure scanning of removable drives connected to the protected device via a USB port.

Kaspersky Security for Windows Server scans a removable drive using the On-Demand Scan task. The application
automatically creates a new On-Demand Scan task when the removable drive is connected and deletes the task
after the scanning is complete. The created task is performed with the prede ned security level de ned for
removable drive scanning. You cannot con gure the settings of the temporary On-Demand Scan task.

Kaspersky Security for Windows Server scans connected removable drives when they are registered as USB
external devices in the operating system. The application does not scan a removable drive if the connection is
blocked by the Device Control task. The application does not scan MTP-connected mobile devices.

Kaspersky Security for Windows Server allows access to removable drives during scanning.

Scan results for each removable drive are available in the log for the On-Demand Scan task created when the
removable drive is connected.

You can change the settings of the Removable Drives Scan component (see the table below).

Removable Drives Scan settings

Setting Default Description

value

Scan removable Check box You can turn on or turn o scanning of removable drive upon
drives on connection is cleared connection to the protected device via USB.
via USB

Scan removable 1024 MB You can reduce the component's scope by setting the maximum
drives if its stored volume of data on the scanned drive.
data volume does not Kaspersky Security for Windows Server does not scan a removable
exceed (MB) drive if the volume of stored data exceeds the speci ed value.

Scan with security Maximum You can con gure created On-Demand Scan tasks by selecting one
level protection of three security levels:
Maximum protection

Recommended

Maximum performance
The algorithm used when infected, probably infected, and other
objects are detected, as well as the other scan settings for each
security level, correspond to the prede ned security levels in the
On-Demand Scan tasks.

About the Baseline File Integrity Monitor task

454
 During the Baseline File Integrity Monitor task, Kaspersky Security for Windows Server does not check locked
les, folders, le shortcuts and cloud les.

The Baseline File Integrity Monitor task monitors the integrity of les in the monitoring scope by comparing the
les' hash (MD5 hash or SHA256 hash) to a baseline.

On the rst Baseline File Integrity Monitor task run, Kaspersky Security for Windows Server creates a baseline by
calculating and storing hash for les in the task's monitoring scope. If a Baseline File Integrity Monitor task
monitoring scope was changed, Kaspersky Security for Windows Server updates the baseline on the next Baseline
File Integrity Monitor task run by calculating and storing hash for les in the task's monitoring scope. If a Baseline
File Integrity Monitor task was deleted, Kaspersky Security for Windows Server deletes the baseline for this
Baseline File Integrity Monitor task.

You can delete a baseline without deleting the Baseline File Integrity Monitor task by using the command line.

The Baseline File Integrity Monitor task tracks the following changes of les in the monitoring scope:

the monitoring scope contains le which is not present in the baseline

the monitoring scope does not contain a le present in the baseline

the hash of a le in the monitoring scope di ers from the hash of this le in a baseline

The Baseline File Integrity Monitor task does not track changes to le's attributes and alternative streams.

If a le or a folder is inaccessible, Kaspersky Security for Windows Server will not add this le or folder to the
baseline during the baseline creation and will create an event about a failure to calculate le's checksum during the
run of the Baseline File Integrity Monitor task.

A le or a folder may be inaccessible for the following reasons:

the speci ed path does not exist

a type of les speci ed by mask is not present under the speci ed path

the speci ed le is locked

the speci ed le is empty

Enabling start of On-Demand Scan task from context menu

You can enable the start of On-Demand Scan task for one or several les from a context menu in Microsoft
Windows Explorer.

To enable the start of On-Demand Scan task from a context menu:

1. Create the following REG les:

Windows Registry Editor Version 5.0.0
[HKEY_CLASSES_ROOT\Directory\shell\ksws\command]
455
 @="C:\\Temp\\scan.cmd \"%1\""
[HKEY_CLASSES_ROOT\*\shell\ksws\command]
@="C:\\Temp\\scan.cmd \"%1\""
[HKEY_CLASSES_ROOT\Directory\shell\ksws]
@="Scan with Kaspersky Security for Windows Server\"
"Icon"="\"C:\\Program Files (x86)\\Kaspersky Lab\\Kaspersky Security for Windows
Server\\kavtrayr.dll\",0"
[HKEY_CLASSES_ROOT\Directory\shell\ksws\DefaultIcon]
@="\"C:\\Program Files (x86)\\Kaspersky Lab\\Kaspersky Security for Windows
Server\\kavtrayr.dll\",0"
[HKEY_CLASSES_ROOT\*\shell\ksws]
@="Scan with Kaspersky Security for Windows Server\"
"Icon"="\"C:\\Program Files (x86)\\Kaspersky Lab\\Kaspersky Security for Windows
Server\\kavtrayr.dll\",0"
[HKEY_CLASSES_ROOT\*\shell\ksws\DefaultIcon]
@="\"C:\\Program Files (x86)\\Kaspersky Lab\\Kaspersky Security for Windows
Server\\kavtrayr.dll\",0"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows
NT\CurrentVersion\AppCompatFlags\Layers]
"C:\\Program Files (x86)\\Kaspersky Lab\\Kaspersky Security for Windows
Server\\kavshell.exe"="~ RUNASADMIN"

You need to specify the actual location of the Kaspersky Security for Windows Server installation folder.

2. Create the scan.cmd le with the following content:

@echo off
set LOGNAME=%RANDOM%
"C:\Program Files (x86)\Kaspersky Lab\Kaspersky Security for Windows
Server\kavshell.exe" scan "%~1" /W:c:\temp\%LOGNAME%.txt
echo Scanning is in progress...
type c:\temp\%LOGNAME%.txt
del c:\temp\%LOGNAME%.txt
timeout /t -1
The scan.cmd le must contain the following information:

The location of kavshell.exe le.

The location of temporary le containing the scan results.

Parameters for the KAVSHELL SCAN command.

The timeout value for closing the console window when the task is nished.

3. Copy the scan.cmd le to the folder speci ed in the

[HKEY_CLASSES_ROOT\Directory\shell\ksws\command] REG le.
The C:\Temp folder is used in example.

456
 You don't need to restart the operating system.

Default On-Demand Scan tasks settings

By default On-Demand Scan tasks have the settings described in the table below. You can con gure system and
custom On-Demand Scan tasks.

Default On-Demand Scan tasks settings

Setting Default value Description

Scan scope Applied in system and custom You can change the scan scope. The scan scope
tasks: cannot be con gured for the Quarantine Scan and
Application Integrity Control system tasks.
Scan at Operating System
Startup: the entire protected
device, excluding shared
folders and autorun objects.

Critical Areas Scan: the

entire protected device,
excluding shared folders and
certain operating system les.

Custom On-Demand Scan

tasks: the entire protected
device.

Security settings Common settings for the entire For nodes selected in the protected device's le
scan scope correspond to the resource list or tree, you can:
Recommended security level.
Select a di erent prede ned security level

Manually change security settings

You can save a group of security settings for a
selected node as a template to use later for a
di erent node.

Use heuristic It is used with the Medium Heuristic Analyzer can be enabled or disabled and
analyzer analysis level for Critical Areas the analysis level can be con gured. The Quarantine
Scan, Scan at Operating System Scan task analysis level cannot be con gured.
Startup, and custom tasks.
Heuristic Analyzer is not used in the Application
It is used with the Deep analysis Integrity Control and Baseline File Integrity Monitor
level for the Quarantine Scan tasks.
task.

Apply Trusted Applied (Not applied for General list of exclusions that can be used in
Zone Quarantine Scan task) selected tasks.

Use KSN for Applied You can improve your device's protection using the
scanning Kaspersky Security Network cloud service
infrastructure.

Settings to start The task is started under the You can edit settings to start tasks with speci c
a task with system account. account permissions for all system and custom On-
457
 speci c Demand Scan tasks, except Quarantine Scan and
permissions Application Integrity Control tasks.

Perform task in Not applied You can con gure the priority level of On-Demand
background Scan tasks.
mode (low
priority)

Task start Applied in system tasks: You can con gure the settings for scheduled task
schedule startup.
Scan at Operating System
Startup - At application
launch

Critical Areas Scan - Weekly

Quarantine Scan - After

application database update

Application Integrity Control -

Daily
Not used in newly created
custom tasks.

Registering scan The device protection status is You can con gure settings for registering the
execution and updated weekly after the Critical execution of the Critical Areas Scan in the following
updating the Areas Scan is performed. ways:
device
Edit the settings of the Critical Areas Scan task
protection status
start schedule.

Edit the scan scope of the Critical Areas Scan

task.

Create custom On-Demand Scan tasks.

Managing On-Demand Scan tasks via the Administration Plug-in

In this section, learn how to navigate the Administration Plug-In interface and con gure task settings for one or all
protected devices on the network.

Navigation
Learn how to navigate to the required task settings via the chosen interface.

Opening the On-Demand Scan task wizard

To start creating a new custom On-Demand Scan task:

1. To create a local task:

458
 a. Expand the Managed devices node in the Kaspersky Security Center Administration Console.

b. Select the administration group that the protected device belongs to.

c. In the details pane, on the Devices tab open the context menu for the protected device.

d. Select the Properties menu option.

e. In the window that opens, click the Add button in the Tasks section.

The New Task Wizard window opens.

2. To create a group task:

a. Expand the Managed devices node in the Kaspersky Security Center Administration Console tree.

b. Select the administration group for which you want to create a task.

c. Open the Tasks tab.

d. Click the Create a task button.

The New Task Wizard window opens.

3. To create a task for a custom group of protected devices:

a. In the Device selections node in the Kaspersky Security Center Administration Console tree, click the Run
selection button to perform a device selection.

b. Open the Selection results "selection name" tab.

c. In the Perform selection drop-down list, select the Create a task for a selection result option.

The New Task Wizard window opens.

4. Select the On-Demand Scan task in the list of available tasks for Kaspersky Security for Windows Server.

5. Click Next.
The Settings window opens.

Con gure the task settings as required.

To con gure an existing On-Demand Scan task,

double-click the task name in the list of Kaspersky Security Center tasks.

The Properties: On-Demand Scan window opens.

Opening the On-Demand Scan task properties

To open the application properties for the On-Demand Scan task for a single protected device:

1. Expand the Managed devices node in the Kaspersky Security Center Administration Console tree.
459
 2. Select the administration group that the protected device belongs to.

3. Select the Devices tab.

4. Double-click the name of the protected device for which you want to con gure the scan scope.
The Properties: <Protected device name> window opens.

5. Select the Tasks section.

6. In the list of tasks created for the device, select the On-Demand Scan task that you created.

7. Click the Properties button.

The Properties: On-Demand Scan window opens.

Con gure the task settings as required.

Creating an On-Demand Scan task

To create a custom On-Demand Scan task:

1. Open the Settings window in the New Task Wizard.

2. Select the required Task creation method.

3. Click Next.

4. Create a scan scope in the Scan scope window:

By default, the scan scope includes critical areas of the protected device. Scan scopes are marked in the
table with the icon . Excluded scan scopes are marked with the icon in the table.

You can change the scan scope: add speci c preset scan scopes, disks, folders, network objects and les
and assign speci c security settings for each scope added.

To exclude all critical areas from the scan, open the context menu on each of the lines and select the
Remove scope option.

To include a prede ned scan scope, disk, folder, network object, or le in the scan scope:

a. Right-click the Scan scope table and select Add scope or click the Add button.

b. In the Add objects to the scan scope window, select the prede ned scope in the Prede ned scope list,
specify the protected device drive, folder, network object, or le on the protected device or on another
network protected device, and click the OK button.

To exclude subfolders or les from the scan, select the added folder (disk) in the Scan scope window of the
wizard:

a. Open the context menu and select the Con gure option.

b. Click the Settings button in the Security level window.

460
 c. On the General tab in the On-demand scan settings window clear the Subfolders and Sub les check
boxes.

To change scan scope security settings:

a. Open the context menu on the scope whose settings you wish to con gure, and select Con gure.

b. In the On-demand scan settings window, select one of the prede ned security levels, or click the
Settings button to con gure security settings manually.

Security settings are con gured the same way as for the Real-Time File Protection task.

To skip embedded objects in the added scan scope:

a. Open the context menu on the Scan scope table, select Add exclusion.

b. Specify the objects to exclude: select prede ned scope in the Prede ned scope list, specify the
protected device disk, folder, network object, or le on the protected device or on another network
protected device.

c. Click the OK button.

5. In the Options window, con gure the heuristic analyzer and integration with other components:

Con gure use of the heuristic analyzer.

Select the Apply Trusted Zone check box, if you want to exclude objects added to the Trusted Zone list
from the scan scope of the task.

Select the Use KSN for scanning check box, if you want to use Kaspersky Security Network cloud
services for the task.

To assign Low priority to the working process in which the task will be executed, select the Perform task in
background mode check box in the Options window.

By default, the working processes in which Kaspersky Security for Windows Server tasks are run have
Medium (Normal) priority.

To use the created task as a Critical Areas Scan task, select the Consider task as critical areas scan
check box in the Options window.

6. Click Next.

7. In the Schedule window, set the scheduled task start settings.

8. Click Next.

9. In the Selecting an account to run the task window, specify the account you want to use.

10. Click Next.

11. Specify a task name.

461
12. Click Next.

The task name should be no longer than 100 characters and cannot contain the following symbols: " * < > & \
:|

The Finish creating the task window opens.

13. You can optionally run the task after the Wizard nishes by selecting the Run task after Wizard nishes check
box.

14. Click Finish to nish creating the task.

The new On-Demand Scan task will be created for the selected protected device or a group of protected
devices.

Assigning the Critical Areas Scan status to an On-Demand Scan task

By default, Kaspersky Security Center assigns the Warning status to the protected device if the Critical Areas
Scan task is performed less often than speci ed by the Critical areas scan has not been performed for a long time
event-generation threshold in Kaspersky Security for Windows Server.

To con gure scanning of all protected devices in a single administration group:

1. Create a group On-Demand Scan task.

2. In the Options window of the task wizard, select the Consider task as critical areas scan check box. The
speci ed task settings (the scan scope and security settings) will be applied to all protected devices in the
group. Con gure the task schedule.

You can select the Consider task as critical areas scan check box when creating the On-Demand Scan
task for a group of protected devices or later in the Properties: <Task name> window.

3. Using a new or existing policy, disable the scheduled start of On-Demand Scan system tasks on the group
protected devices.

Kaspersky Security Center Administration Server will then evaluate the security status of the protected device
and will notify you about it based on the results of the last run of a task with the Critical Areas Scan status, rather
than based on the results of the Critical Areas Scan system task.

You can assign the Critical Areas Scan status both to On-Demand Scan group tasks and to tasks for groups of
protected devices.

The Application Console can be used to view whether an On-Demand Scan task is a Critical Areas Scan task.

In the Application Console, the Consider task as critical areas scan check box is displayed in the task
properties but cannot be edited.

462
Running an On-Demand Scan task in the background
By default the processes in which Kaspersky Security for Windows Server tasks are executed are assigned the
Medium (Normal) priority.

A process that will run an On-Demand Scan task can be assigned Low priority. Demoting the process priority
increases the time required to execute the task, but may have a bene cial e ect on the performance of the
processes of other running programs.

Multiple background tasks can be running in a single worker process with low priority. You can specify the maximum
number of processes for On-Demand Scan background tasks.

To change the priority of an existing On-Demand Scan task:

1. Open the Properties: On-Demand Scan window.

2. Select or clear the Perform task in background mode check box.

3. Click OK.

Con gured task settings are saved and applied immediately to the running task. If the task is not running, the
modi ed settings are applied at next start.

Registering execution of a Critical Areas Scan

By default, the device protection status is displayed in the details pane of the Kaspersky Security node and is
updated weekly after the Critical Areas Scan task is performed.

The time when the device protection status is updated is linked to the schedule of the On-Demand task for which
the Consider task as critical areas scan check box is selected. By default, the check box is selected only for the
Critical Areas Scan task and cannot be modi ed for this task.

You can select the On-Demand Scan task linked to the device's protection status only from Kaspersky
Security Center.

Con guring the task scan scope

If you modify the scan scope in the Scan at Operating System Startup and Critical Areas Scan tasks, you can
restore the default scan scope in these tasks by repairing Kaspersky Security for Windows Server itself (Start >
Programs > Kaspersky Security for Windows Server > Modify or Remove Kaspersky Security for Windows
Server). In the setup wizard, select Repair installed components and click Next. Then select the Restore
recommended application settings check box.

To con gure a scan scope for an existing On-Demand Scan task:

1. Open the Properties: On-Demand Scan window.

2. Select the Scan scope tab.

463
 3. To include items in the scan scope:

a. Open the context menu in an empty part of the scan scope list.

b. Select the Add scope option in the context menu.

c. In the opened Add objects to the scan scope window select an object type that you want to add:

Prede ned scope – to add one of the prede ned scopes on a protected device. Then in the drop-down
list, select the desired scan scope.

Disk, folder or network location – to include an individual drive, folder or network object in the scan
scope. Then select the desired scope by clicking the Browse button.

File – to include an individual le in the scan scope. Then select the desired scope by clicking the Browse
button.

You cannot add an object to a scan scope if it has already been added as an exclusion from scan scope.

4. To exclude individual nodes from the scan scope, clear the check boxes next to the names of these nodes or
take the following steps:

a. Open the context menu on the scan scope by right-clicking it.

b. In the context menu, select the Add exclusion option.

c. In the Add exclusion window, select an object type that you want to add as an exclusion from the scan
scope following the procedure used when adding an object to the scan scope.

5. To modify the scan scope or an added exclusion, select the Edit scope option in the context menu for the
corresponding scan scope.

6. To hide a previously added scan scope or exclusion in the list of network le resources, select the Remove
scope option in the context menu for the necessary scan scope.

The scan scope is excluded from the On-Demand Scan task scope when it is removed from the network
le resource list.

7. Click the OK button.

The scan scope settings window closes. The newly con gured settings are saved.

Selecting prede ned security levels for On-Demand Scan tasks

You can apply one of the following three prede ned security levels to a node selected in the protected device's le
resource list: Maximum performance, Recommended, and Maximum protection.

To select one of the prede ned security levels:

1. Open the Properties: On-Demand Scan window.

2. Select the Scan scope tab.

464
 3. In the list of the protected device's list, select an item included in the scan scope in order to set a prede ned
security level.

4. Click the Con gure button.

The On-demand scan settings window opens.

5. On the Security level, tab select the security level to be applied.

The window displays the list of security settings corresponding to the security level selected.

6. Click the OK button.

7. Click the OK button in the Properties: On-Demand Scan window.

Con gured task settings are saved and applied immediately to a running task. If the task is not running, the
modi ed settings are applied at next start.

Con guring security settings manually

By default, On-Demand Scan tasks use common security settings for the entire scan scope.

These settings correspond to the Recommended prede ned security level.

The default values of security settings can be modi ed by con guring them as common settings for the entire
scan scope or as di erent settings for di erent items in the protected device's le resource list or nodes in the
tree.

To con gure security settings manually:

1. Open the Properties: On-Demand Scan window.

2. Select the Scan scope tab.

3. Select the items in the scan scope list whose security settings you want to con gure.

A prede ned template containing security settings can be applied for a selected node or item in the scan
scope.

4. Click the Con gure button.

The On-demand scan settings window opens.

5. On the following tabs con gure the security settings of the selected node or item in accordance with your
requirements:

General

Actions

Performance

Hierarchical storage

6. Click OK in the On-demand scan settings window.

465
 7. Click OK in the Scan scope window.

The new scan scope settings are saved.

Con guring general task settings

To con gure general On-Demand Scan task settings:

1. Open the Properties: On-Demand Scan window.

2. Select the Scan scope tab.

3. Click the Con gure button.

The On-demand scan settings window opens.

4. Click the Settings button.

5. On the General tab, in the Scan objects group box, specify the object types that you want to include in the
scan scope:

Objects to scan:

All objects

Objects scanned by format

Objects scanned according to list of extensions speci ed in anti-virus database

Objects scanned by speci ed list of extensions

Subfolders

Sub les

Scan disk boot sectors and MBR

Scan alternate NTFS streams

6. In the Performance group box, select or clear the Scan only new and modi ed les check box.

To switch between available options when the check box is cleared, click on the All / Only new link for each
of the compound object types.

7. In the Scan of compound objects group box, specify the compound objects that you want to include in the
scan scope:

All / Only new archives

All / Only new SFX archives

All / Only new email databases

466
 All / Only new packed objects

All / Only new plain email

All / Only new embedded OLE objects

8. Click OK.

The new task con guration will be saved.

Con guring actions

To con gure actions on infected and other detected objects during the On-Demand Scan task:

1. Open the Properties: On-Demand Scan window.

2. Select the Scan scope tab.

3. Click the Con gure button.

The On-demand scan settings window opens.

4. Click the Settings button.

5. Select the Actions tab.

6. Select the action to be performed on infected and other detected objects:

Notify only .

Disinfect.

Disinfect. Remove if disinfection fails.

Remove .

Perform recommended action.

7. Select the action to be performed on probably infected objects:

Notify only .

Quarantine.

Remove .

Perform recommended action .

8. Con gure actions to be performed on objects depending on the type of object detected:

a. Clear or select the Perform actions depending on the type of object detected check box.

b. Click the Settings button.

467
 c. In the window that opens, select a primary action and a secondary action (to be performed if the primary
action fails) for each type of detected object.

d. Click OK.

9. Select the action to perform on incurable compound objects: select or clear the Entirely remove compound
le that cannot be modi ed by the application in case of embedded object detect check box.

10. Click OK.

The new task con guration will be saved.

Con guring performance

To con gure performance settings for the On-Demand Scan task:

1. Open the Properties: On-Demand Scan window.

2. Select the Scan scope tab.

3. Click the Con gure button.

The On-demand scan settings window opens.

4. Click the Settings button.

5. Select the Performance tab.

6. In the Exclusions section:

Clear or select the Exclude les check box.

Clear or select the Do not detect check box.

Click the Edit button for each setting to add exclusions.

7. In the Advanced settings section:

Stop scanning if it takes longer than (sec.)

Do not scan compound objects larger than (MB)

Use iSwift technology

Use iChecker technology

8. Click OK.

The new task con guration will be saved.

Con guring Removable Drives Scan

To con gure scanning of removable drives upon connection to the protected device:

468
 1. Expand the Managed devices node in the Kaspersky Security Center Administration Console tree.

2. Select the administration group for which you want to con gure the task.

3. Select the Policies tab.

4. Double-click the policy name you want to con gure.

In the Properties: <Policy name> window that opens, select the Supplementary section.

5. Click the Settings button in the Removable Drives Scan subsection.

The Removable Drives Scan window opens.

6. In the Scan on connection section do the following:

Select the Scan removable drives on connection via USB check box, if you want Kaspersky Security for
Windows Server to automatically scan removable drives when they are connected.

If required, select the Scan removable drives if its stored data volume does not exceed (MB) and specify
the maximum value in the eld on the right.

In the Scan with security level drop-down list specify the security level with the settings that are required
for removable drives scanning.

7. Click OK.

The speci ed settings are saved and applied.

Con guring a Baseline File Integrity Monitor task

To con gure the Baseline File Integrity Monitor group task:

1. In the Kaspersky Security Center Administration Console tree, expand the Managed devices node and select
the administration group for which you want to con gure the application tasks.

2. On the details pane of a selected administration group, open the Tasks tab.

3. In the list of previously created group tasks, select a task you want to con gure. Open the Properties: <Task
name> window in one of the following ways:

Double-click the name of the task in the list of created tasks.

Select the name of the task in the list of created tasks and click the Con gure task link.

Open the context menu of the task name in the list of created tasks and select the Properties item.

In the Noti cation section, con gure the task event noti cation settings. For detailed information regarding
con guring the settings in this section, see the Kaspersky Security Center Help.

4. In the Scan scope section do the following:

a. To include folder in the Baseline File Integrity Monitor task scope:

1. Click the Add button.

The Scan area properties window opens.
469
 2. Select or clear the Scan this area check box.

3. Click the Browse button to specify the folder that you want to include in the Baseline File Integrity
Monitor task scope.

4. Select the Also scan subfolders check box, if you want to include all subfolders in the Baseline File
Integrity Monitor task scope.

b. To include or exclude the folder previously added to the Baseline File Integrity Monitor task scope select or
clear the check box to the left of the folder's path in the Scan scope table.

c. To delete the folder previously added to the Baseline File Integrity Monitor task scope select this folder in
the Scan scope table and click the Delete button.

5. Con gure the task schedule in the Schedule section (you can con gure a schedule for all task types except
Rollback of Database Update).

6. In the Account section, specify the account whose rights will be used to run the task.

7. If required, specify the objects to exclude from the task scope in the Exclusions from task scope section.

For detailed information regarding con guring settings in these sections, see the Kaspersky Security
Center Help.

8. In the Properties: <Task name> window, click OK.

The newly con gured group task settings are saved.

Managing On-Demand Scan tasks via the Application Console

In this section, you will learn how to navigate the Application Console interface and con gure task settings on a
protected device.

Navigation
Learn how to navigate to the required task settings via the chosen interface.

Opening the On-Demand Scan task settings

To open the general settings of the On-Demand Scan task via the Application Console:

1. Expand the On-Demand Scan node in the Application Console tree.

2. Select the child node that corresponds to the task that you want to con gure.

3. In the child node details pane click the Properties link.

The Task settings window opens.

470
Opening the On-Demand Scan task scope settings
To open the scan scope settings window via the Application Console:

1. Expand the On-Demand Scan node in the Application Console tree.

2. Select the child node corresponding to an On-Demand Scan task that you want to con gure.

3. In the details pane of the selected node click the Con gure scan scope link.
Scan scope settings window opens.

Creating and con guring an On-Demand Scan task

Custom tasks for a single protected device can be created in the On-Demand Scan node. Custom tasks cannot
be created in the other functional components of Kaspersky Security for Windows Server.

To create and con gure a new On-Demand Scan task:

1. In the Application Console tree, open the context menu of the On-Demand Scan node.

2. Select Add task.

The Add task window opens.

3. Con gure the following task settings:

Name – A task name consisting of no more than 100 characters. It may contain any symbols except " * < > &
\ : |.

You cannot save a task or con gure a new task on the Schedule, Advanced and Run as tabs if the task
name is not speci ed.

Description – Any additional information about the task. No more than 2000 characters. This information
will be displayed in the task properties window.

Use heuristic analyzer .

Perform task in background mode .

Apply Trusted Zone .

Consider task as critical areas scan .

Use KSN for scanning .

4. Con gure the task start schedule settings on the Schedule and Advanced tabs.

5. On the Run as tab, con gure the settings to start the task using speci c account permissions.

6. Click OK in the Add task window.

471
 A new custom On-Demand Scan task is created. A node with the name of the new task is displayed in the
Application Console tree. The operation is recorded in the system audit log.

7. If required, in the details pane of the selected node, select Con gure scan scope.
The Scan scope settings window opens.

8. In the protected device's le resource tree or list, select the nodes or items that you want to include in the scan
scope.

9. Select one of the prede ned security levels or con gure the scan settings manually.

10. Click Save in the Scan scope settings window.

The con gured settings are applied at the next task start.

Scan scope in On-Demand Scan tasks

This section contains information on creating and using a scan scope in On-Demand Scan tasks.

Con guring the view for network le resources

To select the view for network le resources during con guration of scan scope settings:

1. Open the Scan scope settings window.

2. Open the drop-down list in the upper left section of the window and select one of the following options:

Select the Tree-view option to display the network le resources as a tree.

Select the List-view option to display the network le resources as a list.

By default, the network le resources of the protected device are displayed as a list.

3. Click the Save button.

Creating a scan scope

If you are remotely managing Kaspersky Security for Windows Server on the protected device using the
Application Console installed on an administrator's workstation, you must be a member of administrators group on
the protected device to be able to view folders on it.

The names of settings may vary under di erent Windows operating systems.

472
If you modify the scan scope in the Scan at Operating System Startup and Critical Areas Scan tasks, you can
restore the default scan scope in these tasks by repairing Kaspersky Security for Windows Server itself (Start >
Programs > Kaspersky Security for Windows Server > Modify or Remove Kaspersky Security for Windows
Server). In the setup wizard, select Repair installed components and click Next. Then select the Restore
recommended application settings check box.

The procedure of creating an On-Demand Scan task scope depends on the selected view of network le
resources. You can con gure the view of network le resources as a tree or as a list (default view).

To create a scan scope using the network le resource tree:

1. Open the Scan scope settings window.

2. In the left section of the window, open the network le resource tree to display all the nodes and child nodes.

3. Do the following:

To exclude individual nodes from the scan scope, clear the check boxes next to the names of these nodes.

To include individual nodes in the scan scope, clear the My Computer check box and do the following:

If all drives of a particular type are to be included in the scan scope, select the check box next to the
name of the required drive type (for example, to add all removable drives on the protected device, select
the Removable drives check box).

If an individual drive of a particular type is to be included in the scan scope, expand the node that
contains drives of that type and select the check box next to the name of the required drive. For
example, to select the removable drive F:, expand the Removable drives node and select the check box
for the F: drive.

If you would like to include only a single folder or le on the drive, select the check box next to the name
of that folder or le.

4. Click the Save button.

The Scan scope settings window will be closed. Your newly con gured settings will be saved.

To create a scan scope using the network le resource list:

1. Open the Scan scope settings window.

2. To include individual nodes in the scan scope, clear the My Computer check box and do the following:

a. Open the context menu of the scan scope by right-clicking it.

b. In the context menu of the button, select Add scan scope.

c. In the opened Add scan scope window, select the type of object that you want to add:

Prede ned scope — to add one of the prede ned scopes on a protected device. Then in the drop-down
list, select the desired scan scope.

Disk, folder or network location — to include an individual drive, folder or network object in the scan
scope. Then select the desired scope by clicking the Browse button.

473
 File — to include an individual le in the scan scope. Then select the desired scope by clicking the Browse
button.

You cannot add an object into a scan scope if it has already been added as an exclusion from the scan
scope.

3. To exclude individual nodes from the scan scope, clear the check boxes next to the names of these nodes or
take the following steps:

a. Open the context menu of the scan scope by right-clicking it.

b. In the context menu, select Add exclusion option.

c. In the Add exclusion window, select the type of object that you want to add as an exclusion from the scan
scope following the procedure used when adding an object to the scan scope.

4. To modify the scan scope or an exclusion added, select the Edit scope option in the context menu for the
necessary scan scope.

5. To hide a previously added scan scope or an exclusion in the list of network le resources, select the Remove
from the list option in the context menu for the corresponding scan scope.

The scan scope is excluded from the On-Demand Scan task scope when it is removed from the network
le resource list.

6. Click the Save button.

The Scan scope settings window will be closed. Your newly con gured settings will be saved.

Including network objects in the scan scope

Network drives, folders or les can be added to the scan scope by specifying their path in UNC (Universal Naming
Convention) format.

You can scan network folders under the system account.

To add a network location to the scan scope:

1. Open the Scan scope settings window.

2. Open the drop-down list in the upper left part of the window and select Tree-view.

3. In the context menu of the Network node:

Select Add network folder, if you want to add a network folder to the scan scope.

Select Add network le, if you want to add a network le to the scan scope.

4. Enter the path to the network folder or le in UNC format and press the ENTER key.

474
 5. Select the check box next to the newly added network object to include it in the scan scope.

6. If necessary, change the security settings for the added network object.

7. Click the Save button.

The modi ed task settings are saved.

Creating a virtual scan scope

Virtual drives, folders, and les can be included in the scan scope in order to create a virtual scan scope.

You can expand the scan scope by adding individual virtual drives, folders, or les only if the scan scope is
viewed as a le resources tree.

To add a virtual drive to the scan scope:

1. Open the Scan scope settings window.

2. Open the drop-down list in the upper left part of the window and select Tree-view.

3. In the protected device's le resource tree, open the context menu of the Virtual drives node, click Add virtual
drive and select the name of the virtual drive from the list of available names.

4. Select the check box next to the added drive in order to include the drive in the scan scope.

5. Click the Save button.

The modi ed task settings are saved.

To add a virtual folder or virtual le to the scan scope:

1. Open the Scan scope settings window.

2. Open the drop-down list in the upper left part of the window and select Tree-view.

3. In the protected device's le resource tree, open the context menu of the node to add a folder or le, and
select one of the following options:

Add virtual folder if you want to add a virtual folder to the scan scope.

Add virtual le if you want to add a virtual le to the scan scope.

4. In the entry eld specify the name of the folder or le.

5. In the line with the name of the folder or le, select the check box to include this folder or le in the scan scope.

6. Click the Save button.

The modi ed task settings are saved.

475
Con guring security settings
By default On-Demand Scan tasks use common security settings for the entire scan scope.

These settings correspond to the Recommended prede ned security level.

The default values of security settings can be modi ed by con guring them as common settings for the entire
scan scope or as di erent settings for di erent items in the protected device's le resource list or nodes in the
tree.

When working with the network le resource tree, security settings that are con gured for the selected parent
node are automatically applied to all child nodes. The security settings of the parent node are not applied to child
nodes that are con gured separately.

To con gure security settings manually:

1. Open the Scan scope settings window.

2. In the left part of the window, select the node or item whose security settings you want to con gure.
A prede ned template containing security settings can be applied to the selected node or item in the scan
scope.
In the left part of the window, you can select the view for network le resources, create a scan scope, or create
a virtual scan scope.

3. In the right part of the window, do one of the following:

On the Security level tab select the security level to be applied.

On the following tabs con gure the required security settings of the selected node or item in accordance
with your requirements:

General

Actions

Performance

Hierarchical storage

4. Click Save in the Scan scope settings window.

The new scan scope settings are saved.

Selecting prede ned security levels for On-Demand Scan tasks

You can apply one of the following three prede ned security levels to a node selected in the protected device's le
resource tree or list: Maximum performance, Recommended, and Maximum protection.

To select one of the prede ned security levels:

476
 1. Open the Scan scope settings window.

2. In the protected device's network le resource tree or list, select a node or item to set the prede ned security
level.

3. Make sure that the selected node or item is included in the scan scope.

4. In the right part of the window, on the Security level tab select the security level to be applied.
The window displays the list of security settings corresponding to the selected security level.

5. Click the Save button.

The task settings are saved and applied immediately to the running task. If the task is not running, the modi ed
settings are applied at the next start.

Con guring general task settings

To con gure the general security settings of the On-Demand Scan task:

1. Open the Scan scope settings window.

2. Select the General tab.

3. In the Scan objects group box, specify the object types that you want to include in the scan scope:

Objects to scan:

All objects

Objects scanned by format

Objects scanned according to list of extensions speci ed in anti-virus database

Objects scanned by speci ed list of extensions

Scan disk boot sectors and MBR

Scan alternate NTFS streams

4. In the Performance group box, select or clear the Scan only new and modi ed les check box.

To switch between available options when the check box is cleared, click the All / Only new link for each of
the compound object types.

5. In the Scan of compound objects group box, specify the compound objects that you want to include in the
scan scope:

All / Only new archives

All / Only new SFX archives

All / Only new email databases

477
 All / Only new packed objects

All / Only new plain email

All / Only new embedded OLE objects

6. Click Save.

The new task con guration will be saved.

Con guring actions

To con gure the actions on infected and other detected objects for the On-Demand Scan task:

1. Open the Scan scope settings window.

2. Select the Actions tab.

3. Select the action to be performed on infected and other detected objects:

Notify only .

Disinfect.

Disinfect. Remove if disinfection fails.

Remove .

Perform recommended action.

4. Select the action to be performed on probably infected objects:

Notify only .

Quarantine.

Remove .

Perform recommended action .

5. Con gure actions to be performed on objects depending on the type of object detected:

a. Clear or select the Perform actions depending on the type of object detected check box.

b. Click the Settings button.

c. In the window that opens, select a primary action and a secondary action (to be performed if the primary
action fails) for each type of detected object.

d. Click OK.

6. Select the action to perform on incurable compound objects: select or clear the Entirely remove compound
le that cannot be modi ed by the application in case of embedded object detect check box.

478
 7. Click Save.

The new task con guration will be saved.

Con guring performance

To con gure performance settings for the On-Demand Scan task:

1. Open the Scan scope settings window.

2. Select the Performance tab.

3. In the Exclusions section:

Clear or select the Exclude les check box.

Clear or select the Do not detect check box.

Click the Edit button for each setting to add exclusions.

4. In the Advanced settings section:

Stop scanning if it takes longer than (sec.)

Do not scan compound objects larger than (MB)

Use iSwift technology

Use iChecker technology

5. Click Save.

The new task con guration will be saved.

Con guring hierarchical storage

To con gure the actions performed on infected and other detected objects for the On-Demand Scan task:

1. Open the Scan scope settings window.

2. Select the Hierarchical storage tab.

3. Select the action to be performed on the les:

Do not scan.

Scan resident part of le only.

Scan entire le.

If this action is selected, you can specify the following options:

479
 Select or clear the Only if the le has been accessed within the speci ed period (days) check box and
specify the number of days.

Select or clear the Do not copy le to a local hard drive, if possible check box.

4. Click Save.

The new task con guration will be saved.

Scanning removable drives

To con gure scanning of the removable drives upon connection to the protected device in the Application
Console:

1. In the Application Console tree, open the context menu of the Kaspersky Security node and select the
Con gure removable drives scan settings option.
The Removable Drives Scan window opens.

2. In the Scan on connection section do the following:

Select the Scan removable drives on connection via USB check box, if you want Kaspersky Security for
Windows Server to automatically scan removable drives when they are connected.

If required, select the Scan removable drives if its stored data volume does not exceed (MB) and specify
the maximum value in the eld on the right.

In the Scan with security level drop-down list specify the security level with the settings that are required
for removable drives scanning.

3. Click OK.

The speci ed settings are saved and applied.

On-Demand Scan task statistics

While the On-Demand Scan task is being executed, you can view information about the number of objects
processed by Kaspersky Security for Windows Server since it was started.

This information remains available even if the task is paused. You can view the task statistics in the task log.

To view the statistics of an On-Demand Scan task:

1. Expand the On-Demand Scan node in the Application Console tree.

2. Select the On-Demand Scan task whose statistics you want to view.

Task statistics are displayed in the Statistics section of the details pane of the selected node.

Information about objects processed by Kaspersky Security for Windows Server since it was started is presented
in the table below.

On-Demand Scan task statistics

480
 Field Description

Detected Number of objects detected by Kaspersky Security for Windows Server. For example, if
Kaspersky Security for Windows Server detects one malicious object in ve les, the value in
this eld increases by one.

Infected Number of objects that Kaspersky Security for Windows Server found and classi ed as
and other infected or number of found legitimate software les that were not excluded from the scan
objects scope and were classi ed as legitimate software that can be used by intruders to damage
detected your device or personal data.

Probably Number of objects detected by Kaspersky Security for Windows Server as probably infected.
infected
objects
detected

Objects Number of objects that Kaspersky Security for Windows Server did not disinfect for the
not following reasons:
disinfected
The detected object is of a type that cannot be disinfected.

An error occurred during disinfection.

Objects Number of objects that Kaspersky Security for Windows Server attempted to quarantine
not moved unsuccessfully, for example, due to insu icient disk space.
to
Quarantine

Objects Number of objects that Kaspersky Security for Windows Server attempted to delete
not unsuccessfully, because, for example, access to the object was blocked by another
removed application.

Objects Number of objects in the protection scope that Kaspersky Security for Windows Server
not failed to scan, because, for example, access to the object was blocked by another application.
scanned

Objects Number of objects whose copies Kaspersky Security for Windows Server attempted to save
not backed in Backup unsuccessfully, for example, due to insu icient disk space.
up

Processing Number of objects whose processing resulted in an error.

errors

Objects Number of objects disinfected by Kaspersky Security for Windows Server.

disinfected

Moved to Number of objects quarantined by Kaspersky Security for Windows Server.

Quarantine

Moved to Number of objects whose copies Kaspersky Security for Windows Server saved to Backup.
Backup

Objects Number of objects removed by Kaspersky Security for Windows Server.

removed

Password- Number of objects (archives, for example) that Kaspersky Security for Windows Server
protected skipped because they were password protected.
objects

Corrupted Number of objects skipped by Kaspersky Security for Windows Server because their format
objects was corrupted.

Objects Total number of objects processed by Kaspersky Security for Windows Server.
processed

481
You can also view the On-Demand Scan task statistics in the selected task log by clicking the Open task log link in
the Management section of the details pane.

We recommend that you manually process the events recorded on the Events tab in the task log upon task
completion.

Creating and con guring a Baseline File Integrity Monitor task

To create or con gure a new Baseline File Integrity Monitor task:

1. In the Application Console tree, open the context menu of the System Inspection node.

2. Select Create Baseline File Integrity Monitor task.

The Add task window opens.

3. In the Hash calculation algorithm drop-down list, select one of the options:

MD5

SHA256

4. In the Scan areas table do the following:

a. To add a le or folder in the Baseline File Integrity Monitor task scope:

1. Click the Add button.

The Scan area properties window opens.

2. Select or clear the Scan this area check box.

3. Click the Browse button to specify the le or folder that you want to include in the Baseline File Integrity
Monitor task scope.

4. Select the Also scan subfolders check box, if you want to include all subfolders in the Baseline File
Integrity Monitor task scope.

5. Click OK.

b. To change a le or folder previously added to the Baseline File Integrity Monitor task scope:

1. Click the Change button.

The Scan area properties window opens.

2. Select or clear the Scan this area check box.

3. Click the Browse button to specify the le or folder that you want to include in the Baseline File Integrity
Monitor task scope.

4. Select or clear the Also scan subfolders check box, if you want to include or exclude all subfolders from
the Baseline File Integrity Monitor task scope.

482
 5. Click OK.

c. To delete the le or folder previously added to the Baseline File Integrity Monitor task scope select this le
or folder in the Scan areas table and click the Remove button.

5. Con gure the task start schedule settings on the Schedule and Advanced tabs.

6. On the Run as tab, con gure the settings to start the task using speci c account permissions.

7. Click OK in the Add task window.

A new custom Baseline File Integrity Monitor task is created. A node with the name of the new task is displayed
in the Application Console tree. The operation is recorded in the system audit log.

To open the settings of the Baseline File Integrity Monitor task:

1. Expand the System Inspection node in the Application Console tree.

2. Select the child node that corresponds to the task that you want to con gure.

3. In the child node details pane click the Properties link.

The Task settings window opens.

Managing On-Demand Scan tasks via the Web Plug-in

In this section, learn how to navigate the Web Plug-in interface for one or all protected devices on the network.

Opening the On-Demand Scan task wizard

To start creating a new local On-Demand Scan task:

1. In the main window of Web Console, select Devices → Managed devices.

2. Click the Groups tab to select the administration group that the protected device belongs to.

3. Click the protected device name.

4. In the <Device name> window that opens select the Tasks tab.

5. Click Add.
The Add Task Wizard window opens.

6. In the Application drop-down list select Kaspersky Security for Windows Server.

7. In the Task type drop-down list select On-Demand Scan task.

8. Click Next.

Con gure the task settings as required.

To start creating a new group On-Demand Scan task:

483
 1. In the main window of Web Console, select Devices → Tasks.

2. Click the Groups tab to select the administration group for which you want to create a task.

3. Click Add.
The Add Task Wizard window opens.

4. In the Application drop-down list select Kaspersky Security for Windows Server.

5. In the Task type drop-down list select On-Demand Scan task.

6. Click Next.

Con gure the task settings as required.

To start creating a new On-Demand Scan task for a custom group:

1. In the main window of Web Console, select Devices → Device selections.

2. Select the selection for which you want to create a task.

3. Click Start.

4. In the Selection results window, select the devices for which you want to create a task.

5. Click New task.

6. In the Application drop-down list select Kaspersky Security for Windows Server.

7. In the Task type drop-down list select On-Demand Scan task.

8. Click Next.

Con gure the task settings as required.

To con gure an existing On-Demand Scan task:

1. In the main window of Web Console, select Devices → Tasks.

2. Click the task name in the list of Kaspersky Security Center tasks.

The <Task name> window opens.

Opening the On-Demand Scan task properties

To open the application properties for the On-Demand Scan task for a single protected device:

1. In the main window of Web Console, select Devices → Managed devices.

2. Click the Groups tab to select the administration group that the protected device belongs to.

3. Click the protected device name.

484
4. In the <Device name> window that opens select the Tasks tab.

5. In the list of tasks created for the device, select the On-Demand Scan task that you created.

6. Open the Application settings tab.

Con guring the task scan scope

To con gure a scan scope for an existing On-Demand Scan task:

1. Open the On-Demand Scan task properties.

2. Select the Scan scope section.

3. Do one of the following:

Click Add button to add a new rule.

Select an existing rule and click Edit button.

The Edit scope window opens.

4. Switch the toggle button to Active and select an object type.

5. In the Objects protection section, con gure the following settings:

Objects protection mode:

All objects

Objects scanned by format

Objects scanned according to list of extensions speci ed in anti-virus database

Objects scanned by speci ed list of extensions

Subfolders

Sub les

Scan disk boot sectors and MBR

Scan alternate NTFS streams

Protect only new and modi ed les

6. In the Compound objects protection section, specify the compound objects that you want to include in the
scan scope:

Archives

SFX archives

485
 Packed objects

Email databases

Plain email

Embedded OLE objects

7. In the Action to perform on infected and other objects section, select the action to be performed on
infected and other detected objects:

Notify only .

Disinfect.

Disinfect. Remove if disinfection fails.

Remove .

Recommended.

8. In the Action to perform on probably infected objects section, select the action to be performed on probably
infected objects:

Notify only .

Quarantine.

Remove .

Recommended .

9. In the Action to perform on probably infected objects section, select or clear the Entirely remove compound
le that cannot be modi ed by the application in case of embedded object detect check box.

10. In the Exclusions section, con gure the following settings:

Clear or select the Exclude les check box.

Clear or select the Do not detect check box.

11. In the Advanced settings section, con gure the following settings:

Stop scanning if it takes longer than (sec.)

Do not scan compound objects larger than (MB)

Use iSwift technology

Use iChecker technology

12. In the Action on the o line les section, select the action to be performed on the les:

Do not scan.

Scan resident part of le only.

486
 Scan entire le.
If this action is selected, you can specify the following options:

Select or clear the Only if the le has been accessed within the speci ed period (days) check box and
specify the number of days.

Select or clear the Do not copy le to a local hard drive, if possible check box.

13. Click the OK button.

Con guring the task settings

To con gure settings of an existing On-Demand Scan task:

1. Open the On-Demand Scan task properties.

2. Select the Options section.

3. Clear or select the Use Heuristic Analyzer check box.

4. If necessary, select the level of analysis using the Heuristic analysis level drop-down list.

5. In the Integration with other components section, con gure the following settings:

Select the Apply Trusted Zone check box, if you want to exclude objects added to the Trusted Zone list
from the scan scope of the task.

Select the Use KSN for scanning check box, if you want to use Kaspersky Security Network cloud
services for the task.

To assign Low priority to the working process in which the task will be executed, select the Perform task in
background mode check box.

By default, the working processes in which Kaspersky Security for Windows Server tasks are run have
Medium (Normal) priority.

To use the created task as a Critical Areas Scan task, select the Consider task as critical areas scan
check box.

487
Trusted Zone
This section provides information about the Trusted Zone in Kaspersky Security for Windows Server, as well as
instructions on how to add objects to the Trusted Zone when running tasks.

About the Trusted Zone

The Trusted Zone is a list of exclusions from the protection or scan scope that you can generate and apply to On-
Demand Scan and Real-Time File Protection tasks, Tra ic Security, Script Monitoring, and RPC Network Storage
Protection.

If you selected the Add Microsoft recommended les to exclusions list and Add Kaspersky recommended les
to exclusions list check boxes when installing Kaspersky Security for Windows Server, Kaspersky Security for
Windows Server adds les recommended by Microsoft and Kaspersky for Real-Time Server Protection tasks to
the Trusted Zone.

You can create a Trusted Zone in Kaspersky Security for Windows Server according to the following rules:

Trusted processes. Objects sensitive to application processes' interception of le operations are placed in the
Trusted Zone.

Backup operations. Objects accessed by systems in order to backup hard drives to external devices are placed
in the Trusted Zone.

Exclusions. Objects speci ed by their location and / or an object detected inside them are placed in the Trusted
Zone.

You can apply the Trusted Zone in the Real-Time File Protection task, Tra ic Security task, Script Monitoring task,
RPC Network Storage Protection task, newly created custom On-Demand Scan tasks, and all system On-Demand
Scan tasks, except for the Quarantine Scan task.

The Trusted Zone is applied in Real-Time File Protection and On-Demand Scan tasks by default.

The list of rules for generating the Trusted Zone can be exported to an XML con guration le in order to then
import it into Kaspersky Security for Windows Server running on another protected device.

Trusted processes

Applies to the Real-Time File Protection and Tra ic Security tasks.

Some applications on the protected device may be unstable if the les that they access are intercepted by
Kaspersky Security for Windows Server. Such applications include, for example, system domain controller
applications.

To avoid disrupting the operation of such applications, you can disable protection of les accessed by the running
processes of these applications (thereby creating a list of trusted processes within the Trusted Zone).

Microsoft Corporation recommends excluding some Microsoft Windows operating system les and Microsoft
application les from Real-Time File Protection as programs that cannot be infected. The names of some of these
are listed on the Microsoft website (article code: KB822158).

You can enable or disable the use of trusted processes in the Trusted Zone.

488
 If an executable le is modi ed, for example, through an update, Kaspersky Security for Windows Server will
exclude it from the list of trusted processes.

The application does not use the le's path on a protected device to trust the process. The path to the le on the
protected device is used only to search for the le, calculate a checksum, and provide the user with the
information about the source of the executable le.

Backup operations

Applies to Real-Time Server Protection tasks.

When data stored on hard drives is backed up to external devices, you can disable protection of objects that are
accessed during the backup operations. Kaspersky Security for Windows Server will scan objects which the
backup application opens for reading with the FILE_FLAG_BACKUP_SEMANTICS attribute.

Exclusions

Applies to Real-Time File Protection, Tra ic Security, RPC Network Storage Protection and On-Demand Scan
tasks.

You can select tasks for which you want to use every exclusion added to the Trusted Zone. Also, you can exclude
objects from scans in the security level settings of every single Kaspersky Security for Windows Server task.

You can add exclusions to the Trusted Zone by their location on the protected device, by name or name mask of
the object detected, or by using both criteria.

Based on the exclusion, Kaspersky Security for Windows Server can skip objects while performing the speci ed
tasks according to the following settings:

Speci ed objects detectable by name or name mask in the speci ed areas of the protected device or the
network attached storages.

All detectable objects in the speci ed areas of the protected device or the network attached storage.

Speci ed detectable objects by name or name mask within the entire protection or scan scope.

Managing the Trusted Zone via the Administration Plug-in

In this section, learn how to navigate through the Administration Plug-in interface and con gure the Trusted Zone
for one or all protected devices of the network.

Navigation
Learn how to navigate to the required task settings via the chosen interface.

489
Opening the Trusted Zone policy settings
To open the Trusted Zone via the Kaspersky Security Center policy:

1. Expand the Managed devices node in the Kaspersky Security Center Administration Console tree.

2. Select the administration group for which you want to con gure the task.

3. Select the Policies tab.

4. Double-click the policy name you want to con gure.

5. In the Properties: <Policy name> window that opens, select the Supplementary section.

6. Click the Settings button in the Trusted Zone subsection.

The Trusted Zone window opens.

Con gure the Trusted Zone as required.

If a protected device is being managed by an active Kaspersky Security Center policy and this policy blocks
changes to the application settings, these settings cannot be edited via the Application Console.

Opening the Trusted Zone properties window

To con gure the Trusted Zone in the Application properties window:

1. Expand the Managed devices node in the Kaspersky Security Center Administration Console tree.

2. Select the administration group for which you want to con gure the task.

3. Select the Devices tab.

4. Open the Properties: <Protected device name> window in one of the following ways:

Double-click the name of the protected device.

Select the Properties item in the context menu of the protected device.

The Properties: <Protected device name> window opens.

5. In the Applications section, select the Kaspersky Security 11 for Windows Server.

6. Click the Properties button.

The Kaspersky Security 11 for Windows Server application settings window opens.

7. Select the Supplementary section.

8. Click the Settings button in the Trusted Zone subsection.

490
 The Trusted Zone window opens.

Con gure the Trusted Zone as required.

Con guring Trusted Zone settings via the Administration Plug-in

By default, the Trusted Zone is applied for all newly created policies and tasks.

To con gure Trusted Zone settings:

1. Specify the objects to be skipped by Kaspersky Security for Windows Server during task execution on the
Exclusions tab.

2. Specify the processes to be skipped by Kaspersky Security for Windows Server during task execution on the
Trusted processes tab.

3. Apply the not-a-virus mask.

Adding an exclusion
To add an exclusion to the Trusted Zone via the Kaspersky Security Center policy:

1. Open the Trusted Zone window.

2. On the Exclusions tab, specify the objects to be skipped by Kaspersky Security for Windows Server during
scanning:

To create recommended exclusions, click the Add recommended exclusions button.

To import exclusions, click the Import button and in the window that opens, select the les that Kaspersky
Security for Windows Server will consider trusted.

To manually specify the conditions under which a le will be considered trusted, click the Add button.
The Exclusion window opens.

3. In the Object will not be scanned if the following conditions are met section, specify the objects that you
want to exclude from the protection / scan scope and objects that you want to exclude among detectable
objects:

If you want to exclude an object from the protection or scan scope:

a. Select the Object to scan check box.

b. Click the Edit button.

The Select an object window opens.

c. Specify the object that you want to exclude from the scan scope.

491
 When specifying the objects, you can use names masks (via ? and * characters) and all types of
environment variables. The resolving of environment variables (replacing variables with their values)
is performed by Kaspersky Security for Windows Server when starting a task, or when applying new
settings to a running task (not applicable to On-Demand Scan tasks). Kaspersky Security for
Windows Server resolves environment variables under the account used to start the task. For more
information on environment variables, refer to the Microsoft Knowledge Base.

d. Click OK.

e. Select the Apply also to subfolders check box, if you want to exclude all child les and folders of the
speci ed object from the protection or scan scope.

If you want to specify the name of a detectable object:

a. Select the Objects to detect check box.

b. Click the Edit button.

The List of objects to detect window opens.

c. Specify the name or name mask of the detectable object according to the Virus Encyclopedia
classi cation.

d. Click the Add button.

e. Click OK.

4. In the Exclusion usage scope section, select the check boxes next to the names of the tasks to which the
exclusion should be applied.

5. Click OK.

The exclusion is displayed in the list on the Exclusions tab of the Trusted Zone window.

Adding trusted processes

To add one or more processes to the list of trusted processes:

1. Open the Trusted Zone window.

2. Select the Trusted processes tab.

3. Select the Do not check le backup operations check box to skip scanning of le read operations.

4. Select the Do not check le activity of the speci ed processes check box to skip le operation scanning
for trusted processes.

5. Click the Add button.

6. In the button's context menu, select one of the options:

Multiple processes.
In the Adding trusted processes window that opens, con gure the following:

492
 a. Use full process path on disk to consider it trusted .

b. Use process le hash to consider it trusted .

c. Click the Browse button to add data based on executable processes.

d. Select an executable le in the window that opens.

You can only add one executable le at a time. Repeat steps c-d to add other executable les.

e. Click the Processes button to add data based on running processes.

f. Select processes in the window that opens. To select multiple processes, press and hold the CTRL
button while selecting.

g. Click OK.

The account under which the Real-Time File Protection task is run must have administrator rights on
the device with Kaspersky Security for Windows Server installed in order to allow viewing of the list
of active processes. You can sort processes in the list of active processes by le name, process
identi er (PID), or path to the executable le of the process on the protected device. Note, that you
can select running processes by clicking the Processes button only using the Application Console
on a protected device or in the speci ed host settings via the Kaspersky Security Center.

One process based on le name and path.

In the Adding a process window that opens, do the following:

a. Enter a path to an executable le (including the le name).

When specifying the objects, you can use names masks (via ? and * characters) and all types of
environment variables. The resolving of environment variables (replacing variables with their values)
is performed by Kaspersky Security for Windows Server when starting a task, or when applying new
settings to a running task (not applicable to On-Demand Scan tasks). Kaspersky Security for
Windows Server resolves environment variables under the account used to start the task. For more
information on environment variables, refer to the Microsoft Knowledge Base.

b. Click OK.

One process based on object properties.

In the Trusted process adding window that opens, con gure the following:

a. Click the Browse button to select a process.

b. Use full process path on disk to consider it trusted .

c. Use process le hash to consider it trusted .

d. Click OK.

493
 To add the selected process to the list of trusted processes, at least one trust criterion must be
selected.

7. In the Trusted Zone window, click the OK button.

The selected le or process will be added to the list of trusted processes in the Trusted Zone window.

Applying the not-a-virus mask

The not-a-virus mask makes it possible to skip scanning of legitimate software les and web resources that can be
considered harmful. The mask a ects the following tasks:

Real-Time File Protection.

On-Demand scan.

Script Monitoring.

RPC Network Storage Protection.

Tra ic Security.

If the mask is not added to the exclusions list, Kaspersky Security for Windows Server will apply the actions
speci ed in the task settings for the software or web resources which fall under this category.

To apply the not-a-virus mask:

1. Open the Trusted Zone window.

2. On the Exclusions tab, in the Objects to detect column, scroll the list and select the line with not-a-virus:*, if
the check box is cleared.

3. Click OK.

The new con guration is applied.

Managing the Trusted Zone via the Application Console

In this section, learn how to navigate through the Application Console interface and con gure the Trusted Zone on
a protected device.

Applying the Trusted Zone to tasks in the Application Console

By default, the Trusted Zone is applied in the Real-Time File Protection task, newly created custom On-Demand
Scan tasks, and all system On-Demand Scan tasks, except the Quarantine Scan task.

After the Trusted Zone is enabled or disabled, the speci ed exclusions are immediately applied or cease to be
applied in running tasks.

494
To enable or disable the use of the Trusted Zone in Kaspersky Security for Windows Server tasks:

1. In the Application Console tree, open the context menu of the task, for which you want to con gure use of the
Trusted Zone.

2. Select Properties.
The Task settings window opens.

3. In the window that opens, select the General tab and do one of the following:

To apply the Trusted Zone in the task, select the Apply Trusted Zone check box.

To disable the Trusted Zone in the task, clear the Apply Trusted Zone check box.

4. If you want to con gure Trusted Zone settings, click the link in the name of the Apply Trusted Zone check box.
The Trusted Zone window opens.
In the Trusted Zone window con gure exclusions and trusted processes and click OK.

5. Click OK in the Task settings window to save changes.

Con guring Trusted Zone settings in the Application Console

To con gure Trusted Zone settings:

1. Specify the objects to be skipped by Kaspersky Security for Windows Server during task execution on the
Exclusions tab.

2. Specify the processes to be skipped by Kaspersky Security for Windows Server during task execution on the
Trusted processes tab.

3. Apply the Trusted Zone for the application tasks.

4. Apply the not-a-virus mask.

Adding an exclusion to the Trusted Zone

To manually add an exclusion to the Trusted Zone via the Application Console:

1. In the Application Console tree, open the context menu of the Kaspersky Security node.

2. Select the Con gure Trusted Zone settings menu option.

The Trusted Zone window opens.

3. Select the Exclusions tab.

4. Click the Add button.

The Exclusion window opens.

495
 5. In the Object will not be scanned if the following conditions are met section, specify the objects that you
want to exclude from the protection / scan scope and objects that you want to exclude among detectable
objects:

If you want to exclude an object from the protection or scan scope:

a. Select the Object to scan check box.

b. Click the Edit button.

The Select an object window opens.

c. Specify the object that you want to exclude from the scan scope.

When specifying the objects, you can use names masks (via ? and * characters) and all types of
environment variables. The resolving of environment variables (replacing variables with their values)
is performed by Kaspersky Security for Windows Server when starting a task, or when applying new
settings to a running task (not applicable to On-Demand Scan tasks). Kaspersky Security for
Windows Server resolves environment variables under the account used to start the task. For more
information on environment variables, refer to the Microsoft Knowledge Base.

d. Click OK.

e. Select the Apply also to subfolders check box, if you want to exclude all child les and folders of the
speci ed object from the protection or scan scope.

If you want to specify the name of a detectable object:

a. Select the Objects to detect check box.

b. Click the Edit button.

The List of objects to detect window opens.

c. Specify the name or name mask of the detectable object according to the Virus Encyclopedia
classi cation.

d. Click the Add button.

e. Click OK.

6. In the Exclusion usage scope section, select the check boxes next to the names of the tasks to which the
exclusion should be applied.

7. Click OK.

The exclusion is displayed in the list on the Exclusions tab of the Trusted Zone window.

Adding trusted processes

You can add a process to the list of trusted processes using one of the following methods:

Select the process from the list of processes running on the protected device.

Select the executable le of a process regardless of whether the process is currently running.
496
 If the executable le of a process has been modi ed, Kaspersky Security for Windows Server excludes this
process from the list of trusted processes.

To add one or more processes to the list of trusted processes:

1. In the Application Console tree, open the context menu of the Kaspersky Security node.

2. Select the Con gure Trusted Zone settings menu option.

The Trusted Zone window opens.

3. Select the Trusted processes tab.

4. Select the Do not check le backup operations check box to skip scanning of le read operations.

5. Select the Do not check le activity of the speci ed processes check box to skip le operation scanning
for trusted processes.

6. Click the Add button.

7. In the button's context menu, select one of the options:

Multiple processes.
In the Adding trusted processes window that opens, con gure the following:

a. Use full process path on disk to consider it trusted .

b. Use process le hash to consider it trusted .

c. Click the Browse button to add data based on executable processes.

d. Select an executable le in the window that opens.

You can only add one executable le at a time. Repeat steps c-d to add other executable les.

e. Click the Processes button to add data based on running processes.

f. Select processes in the window that opens. To select multiple processes, press and hold the CTRL
button while selecting.

g. Click OK.

The account under which the Real-Time File Protection task is run must have administrator rights on
the device with Kaspersky Security for Windows Server installed in order to allow viewing of the list
of active processes. You can sort processes in the list of active processes by le name, process
identi er (PID), or path to the executable le of the process on the protected device. Note, that you
can select running processes by clicking the Processes button only using the Application Console
on a protected device or in the speci ed host settings via the Kaspersky Security Center.

One process based on le name and path.

In the Adding a process window that opens, do the following:

497
 a. Enter a path to an executable le (including the le name).

When specifying the objects, you can use names masks (via ? and * characters) and all types of
environment variables. The resolving of environment variables (replacing variables with their values)
is performed by Kaspersky Security for Windows Server when starting a task, or when applying new
settings to a running task (not applicable to On-Demand Scan tasks). Kaspersky Security for
Windows Server resolves environment variables under the account used to start the task. For more
information on environment variables, refer to the Microsoft Knowledge Base.

b. Click OK.

One process based on object properties.

In the Trusted process adding window that opens, con gure the following:

a. Click the Browse button to select a process.

b. Use full process path on disk to consider it trusted .

c. Use process le hash to consider it trusted .

d. Click OK.

To add the selected process to the list of trusted processes, at least one trust criterion must be
selected.

8. In the Trusted Zone window, click the OK button.

The selected le or process will be added to the list of trusted processes in the Trusted Zone window.

Applying the not-a-virus mask

The not-a-virus mask makes it possible to skip scanning of legitimate software les and web resources that can be
considered harmful. The mask a ects the following tasks:

Real-Time File Protection.

On-Demand scan.

Script Monitoring.

RPC-Network Storage Protection.

Tra ic Security.

If the mask is not added to the exclusions list, Kaspersky Security for Windows Server will apply the actions
speci ed in the task settings for the software or web resources which fall under this category.

To apply the not-a-virus mask:

1. In the Application Console tree, open the context menu of the Kaspersky Security node.

498
 2. Select the Con gure Trusted Zone settings menu option.
The Trusted Zone window opens.

3. Select the Exclusions tab.

4. Scroll the list to nd the not-a-virus:* value.

5. Select the corresponding check box, if it is cleared.

6. Click OK.

The new con guration is applied.

Managing the Trusted Zone via the Web Plug-in

To con gure the Trusted Zone via the Web Plug-in:

1. In the main window of Web Console, select Devices → Policies & pro les.

2. Click the policy name you want to con gure.

3. In the <Policy name> window that opens select the Application settings tab.

4. Select the Supplementary section.

5. Click Settings in the Trusted Zone subsection.

6. Con gure the Trusted Zone as required.

499
Exploit Prevention
This section contains instructions on how to con gure process memory protection settings.

About Exploit Prevention

Kaspersky Security for Windows Server provides the ability to protect process memory from exploits. This feature
is implemented in the Exploit Prevention component. You can change the component's activity status and
con gure process memory protection settings.

The component protects process memory from exploits by inserting an external Process Protection Agent
(“Agent”) in the protected process.

A Process Protection Agent is a dynamically loaded Kaspersky Security for Windows Server module that is
inserted in protected processes to monitor their integrity and reduce the risk of being exploited.

The Agent's operation within the protected process requires starting and stopping the process: the initial loading
of the Agent into a process added to the protected process list is only possible if the process is restarted.
Additionally, after a process has been removed from the protected process list, the Agent can be unloaded only
after the process has been restarted.

The Agent must be stopped to unload it from protected processes: if the Exploit Prevention component is
uninstalled, the application freezes the environment and forces the Agent to be unloaded from protected
processes. If during uninstallation of the component Agent is inserted in any of the protected processes, you
must terminate the a ected process. A protected device restart may be required (for example, if system
process is being protected).

If evidence of an exploit attack in a protected process is detected, Kaspersky Security for Windows Server
performs one of the following actions:

Terminates the process if an exploit attempt is made.

Reports the fact that the process has been compromised.

You can stop process protection using one of the following methods:

Uninstalling the component.

Removing the process from the list of protected processes and restarting the process.

Kaspersky Security Exploit Prevention Service

The Kaspersky Security Exploit Prevention Service is required on the protected device in order for the Exploit
Prevention component to be most e ective. This service and the Exploit Prevention component are part of the
recommended installation. During installation of the service on the protected device, the kavfswh process is
created and started. This communicates information about protected processes from the component to the
Security Agent.

After the Kaspersky Security Exploit Prevention Service is stopped, Kaspersky Security for Windows Server
continues to protect processes added to the protected process list, is also loaded in newly-added processes, and
applies all available exploit prevention techniques to protect process memory.
500
 If your device is running the Windows 10 operating system or later, the application will not continue to protect
processes and process memory after the Kaspersky Security Exploit Prevention Service is stopped.

If the Kaspersky Security Exploit Prevention Service is stopped, the application will not receive information about
events occurring with protected processes (including information about exploit attacks and the termination of
processes). Furthermore, the Agent will not be able to receive information about new protection settings and the
addition of new processes to the protected process list.

Exploit Prevention mode

You can select one of the following modes to con gure actions taken to reduce risks that vulnerabilities will be
exploited in protected processes:

Terminate on exploit: apply this mode to terminate a process when an exploit attempt is made.

Upon detecting an attempt to exploit a vulnerability in a protected critical operating system process,
Kaspersky Security for Windows Server does not terminate the process, regardless of the mode indicated
in the Exploit Prevention component settings.

Notify only: apply this mode to receive information about instances of exploits in protected processes using
events in the Security log.
If this mode is selected, Kaspersky Security for Windows Server creates events to log all attempts to exploit
vulnerabilities.

Managing Exploit Prevention via the Administration Plug-in

In this section, learn how to navigate the Administration Plug-In interface and con gure the component settings
for one or all protected devices on the network.

Navigation
Learn how to navigate to the required task settings via the chosen interface.

Opening policy settings for Exploit Prevention

To open the Exploit Prevention settings via the Kaspersky Security Center policy:

1. Expand the Managed devices node in the Kaspersky Security Center Administration Console tree.

2. Select the administration group for which you want to con gure the task.

3. Select the Policies tab.

4. Double-click the policy name you want to con gure.

501
 5. In the Properties: <Policy name> window that opens, select the Real-time server protection section.

6. Click the Settings button in the Exploit Prevention subsection.

The Exploit Prevention window opens.

Con gure Exploit Prevention as required.

Opening the Exploit Prevention properties window

To open the properties window for Exploit Prevention:

1. Expand the Managed devices node in the Kaspersky Security Center Administration Console tree.

2. Select the administration group for which you want to con gure the task.

3. Select the Devices tab.

4. Open the Properties: <Protected device name> window in one of the following ways:

Double-click the name of the protected device.

Select the Properties item in the context menu of the protected device.

The Properties: <Protected device name> window opens.

5. In the Applications section, select Kaspersky Security 11 for Windows Server.

6. Click the Properties button.

The Kaspersky Security 11 for Windows Server application settings window opens.

7. Select the Real-time server protection section.

8. Click the Settings button in the Exploit Prevention subsection.

The Exploit Prevention window opens.

Con gure Exploit Prevention as required.

Con guring process memory protection settings

To con gure settings to protect the memory of processes added to the list of protected processes, perform the
following actions:

1. Open the Exploit Prevention window.

2. In the Exploit prevention mode block, con gure the following settings:

Prevent vulnerable processes exploit .

Terminate on exploit .

502
 Notify only .

3. In the Preventing actions block, con gure the following settings:

Notify about abused processes via Terminal Service .

Prevent vulnerable processes exploit even if Kaspersky Security Service is disabled .

4. Click OK in the Exploit Prevention window.

Kaspersky Security for Windows Server saves and applies the con gured process memory protection settings.

Adding a process to the protection scope

The Exploit Prevention component protects several processes by default. You can exclude the processes from the
protection scope by clearing the corresponding check boxes in the list.

To add a process to the list of protected processes:

1. Open the Exploit Prevention window.

2. On the Protected processes tab, click the Browse button.

A Microsoft Windows Explorer window opens.

3. Select the process you want to add to the list.

4. Click the Open button.

The process name is displayed in the line.

5. Click the Add button.

The process will be added to the list of protected processes.

6. Select the added process.

7. Click Set exploit prevention techniques.

The Exploit prevention techniques window opens.

8. Select one of the options for applying impact reduction techniques:

Apply all available exploit prevention techniques.

If this option is selected, the list cannot be edited. By default, all available techniques are applied to a
process.

Apply selected exploit prevention techniques.

If this option is selected, you can edit the list of impact reduction techniques applied:

a. Select the check boxes next to the techniques that you want to apply to protect the selected process.

b. Select or clear the Apply Attack Surface Reduction technique check box.

9. Con gure settings for the Attack Surface Reduction technique:

503
 Enter the names of the modules whose launch will be blocked from the protected process in the Deny
modules eld.

In the Do not deny modules if launched in the Internet Zone eld, select the check boxes next to the
options for which you want to allow modules to be launched:

Internet

Local intranet

Trusted sites

Restricted sites

Computer

These settings only apply to Internet Explorer®.

10. Click OK.

The process is added to the task protection scope.

Managing Exploit Prevention via the Application Console

In this section, learn how to navigate the Application Console interface and con gure the component settings on a
protected device.

Navigation
Learn how to navigate to the required task settings via the chosen interface.

Opening the Exploit Prevention general settings

To open the Exploit Prevention settings window:

1. In the Application Console tree, select the Kaspersky Security node.

2. Open the context menu and select the Exploit Prevention: general settings menu option.
The Exploit Prevention settings window opens.

Con gure general settings for Exploit Prevention as required.

Opening the Exploit Prevention process protection settings

To open the Processes protection settings window:

504
 1. In the Application Console tree, select the Kaspersky Security node.

2. Open the context menu and select the Exploit Prevention: processes protection settings menu option.
The Processes protection settings window opens.

Con gure process protection settings for Exploit Prevention as required.

Con guring process memory protection settings

To add a process to the list of protected processes:

1. Open the Exploit Prevention settings window.

2. In the Exploit prevention mode block, con gure the following settings:

Prevent vulnerable processes exploit .

Terminate on exploit .

Notify only .

3. In the Preventing actions block, con gure the following settings:

Notify about abused processes via Terminal Service .

Prevent vulnerable processes exploit even if Kaspersky Security Service is disabled .

4. Click OK in the Exploit Prevention settings window.

Kaspersky Security for Windows Server saves and applies the con gured process memory protection settings.

Adding a process to the protection scope

The Exploit Prevention component protects several processes by default. You can uncheck the processes that
you don't want to protect in the list of protected processes.

To add a process to the list of protected processes:

1. Open the Processes protection settings window.

2. To add a process to protect it from abuse and to reduce the potential impact of an exploit, perform the
following actions:

a. Click the Browse button.

The standard Microsoft Windows Open window opens.

b. In the window that opens select a process you want to add to the list.

c. Click the Open button.

d. Click the Add button.

The process will be added to the list of protected processes.
505
3. Select a process in the list.

4. The current con guration is displayed on the Process protection settings tab:

Process name.

Is being executed.

Exploit prevention techniques applied.

Attack Surface Reduction settings.

5. To modify the exploit prevention techniques that are applied to the process, select the Exploit prevention
techniques tab.

6. Select one of the options for applying impact reduction techniques:

Apply all available exploit prevention techniques.

If this option is selected, the list cannot be edited. By default, all available techniques are applied to a
process.

Apply listed exploit prevention techniques for the process.

If this option is selected, you can edit the list of impact reduction techniques applied:

a. Select the check boxes next to the techniques that you want to apply to protect the selected process.

7. Con gure settings for the Attack Surface Reduction technique:

Enter the names of the modules whose launch will be blocked from the protected process in the Deny
modules eld.

In the Do not deny modules loading within internet zones section, select the check boxes next to the
options for which you want to allow modules to be launched:

Internet

Local intranet

Trusted sites

Restricted sites

Computer

These settings only apply to Internet Explorer®.

8. Click Save.

The process is added to the task protection scope.

Managing Exploit Prevention via the Web Plug-in

506
In this section, learn how to navigate the Web Plug-in interface and con gure the component settings on a
protected device.

Con guring process memory protection settings

To con gure settings to protect the memory of processes added to the list of protected processes, perform the
following actions:

1. In the main window of Web Console, select Devices → Policies & pro les.

2. Click the policy name you want to con gure.

3. In the <Policy name> window that opens select the Application settings tab.

4. Select the Real-time server protection section.

5. Click Settings in the Exploit Prevention subsection.

6. Open the Exploit Prevention settings tab.

7. In the Exploit prevention mode block, con gure the following settings:

Prevent vulnerable processes exploit .

Terminate on exploit .

Notify only .

8. In the Preventing actions block, con gure the following settings:

Notify about abused processes via Terminal Service .

Prevent vulnerable processes exploit even if Kaspersky Security Service is disabled .

9. Click OK in the Exploit Prevention window.

Kaspersky Security for Windows Server saves and applies the con gured process memory protection settings.

Adding a process to the protection scope

To con gure settings to protect the memory of processes added to the list of protected processes, perform the
following actions:

1. In the main window of Web Console, select Devices → Policies & pro les.

2. Click the policy name you want to con gure.

3. In the <Policy name> window that opens select the Application settings tab.

4. Select the Real-time server protection section.

5. Click Settings in the Exploit Prevention subsection.

507
 6. Open the Protected processes tab.

7. Click the Add button.

8. The Exploit prevention techniques window opens.

9. Specify the process name.

10. Select one of the options for applying impact reduction techniques:

Apply all available exploit prevention techniques.

If this option is selected, the list cannot be edited. By default, all available techniques are applied to a
process.

Apply selected exploit prevention techniques.

If this option is selected, you can edit the list of impact reduction techniques applied:

a. Select the check boxes next to the techniques that you want to apply to protect the selected process.

b. Select or clear the Apply Attack Surface Reduction technique check box.

11. Con gure settings for the Attack Surface Reduction technique:

Enter the names of the modules whose launch will be blocked from the protected process in the Deny
modules eld.

In the Do not deny modules if launched in the Internet Zone eld, select the check boxes next to the
options for which you want to allow modules to be launched:

Internet

Local intranet

Trusted sites

Restricted sites

Computer

These settings only apply to Internet Explorer®.

12. Click OK.

The process is added to the task protection scope.

Exploit prevention techniques

Exploit prevention techniques

Exploit prevention technique Description

Data Execution Prevention (DEP) Data execution prevention blocks execution of arbitrary code
in protected areas of memory.

508
Address Space Layout Randomization Changes to the layout of data structures in the address space
(ASLR) of the process.

Structured Exception Handler Overwrite Replacement of exception records or replacement of the

Protection (SEHOP) exception handler.

Null Page Allocation Prevention of redirecting the null pointer.

LoadLibrary Network Call Check (Anti Protection against loading DLLs from network paths.
ROP)

Executable Stack (Anti ROP) Blocking of unauthorized execution of areas of the stack.

Anti RET Check (Anti ROP) Check that the CALL instruction is invoked safely.

Anti Stack Pivoting (Anti ROP) Protection against relocation of the ESP stack pointer to an
executable address.

Simple Export Address Table Access Protection of read access to the export address table for
Monitor (EAT Access Monitor & EAT kernel32.dll, kernelbase.dll, and ntdll.dll
Access Monitor via Debug Register)

Heap Spray Allocation (Heapspray) Protection against allocating memory to execute malicious
code.

Execution Flow Simulation (Anti Return Detection of potentially dangerous chains of instructions
Oriented Programming) (potential ROP gadget) in the Windows API component.

IntervalPro le Calling Monitor (Ancillary Protection against escalation of privileges through a

Function Driver Protection (AFDP)) vulnerability in the AFD driver (execution of arbitrary code in
ring 0 through a QueryIntervalPro le call).

Attack Surface Reduction (ASR) Blocking the start of vulnerable add-ins via the protected
process.

Anti Process Hollowing (Hollowing) Protection against creating and executing the malicious
copies of trusted processes.

Anti AtomBombing (APC) Global atom table exploit via Asynchronous Procedure Calls
(APC).

Anti CreateRemoteThread (RThreadLocal) Another process has created a thread in protected process.

Anti CreateRemoteThread Protected process has created a thread in another process.

(RThreadRemote)

509
Hierarchical storage management
This section provides information about how to perform anti-virus scans of les located in hierarchical storage
areas and backup systems.

About hierarchical storage

The Hierarchical Storage Management system (hereinafter referred to as the "HSM system") allows data to be
relocated between fast local drives and slow long-term data storage devices. Despite the obvious advantages of
fast data storage devices, they tend to be too expensive for most organizations. HSM systems transfer unused
data to inexpensive remote data storage devices thus minimizing corporate expenses.

HSM systems store some data in remote storage areas and restore the information if necessary. HSM systems
constantly monitor le accesses to detect which les can safely be moved to remote storage and which should be
stored locally. Files are relocated to remote storage if no access attempts are made for a speci ed time period. If a
user accesses a le stored remotely, the le is transferred back to the local drive. This approach ensures that users
can quickly access a volume of data considerably larger than available local disk space.

While moving a le from a local drive to remote storage, the HSM system saves a reference to the actual location
of the le. Whenever the corresponding le is accessed, the system determines its location on the backup device.
Replacing les with references to their remote storage locations makes it possible to create storage areas of
practically unlimited size.

Some HSM systems support local storage of part of a le. In this case, a large part of le is transferred to remote
storage while local storage retains just a small part of the original le.

HSM systems use two methods to access the data in hierarchical storage:

Reparse points.

Extended le attributes.

Con guring HSM system settings via the Administration Plug-in

If you do not use an HSM system, don’t change the default value for the Hierarchical storage access type
setting (Non-HSM system).

To con gure access to the hierarchical storage, you have to specify the way the HSM system determines the
location of the le being scanned. You can nd this information in the manuals of the HSM system being used.

To de ne the access type for the hierarchical storage:

1. Expand the Managed devices node in the Kaspersky Security Center Administration Console tree.

2. Select the administration group for which you want to con gure the task.

3. Select the Policies tab.

510
4. Double-click the policy name you want to con gure.

5. In the Properties: <Policy name> window that opens, select the Application settings section.

6. In the Scalability, interface and scan settings subsection, click the Settings button.
The Advanced application settings window opens.

7. Open the Hierarchical storage tab.

8. Select the option for accessing the HSM system:

Non-HSM system .

HSM system uses reparse points .

HSM system uses extended le attributes .

Unknown HSM system .

If you specify the wrong version or select the Unknown HSM system option, Kaspersky Security for
Windows Server may incorrectly determine the location of objects, which will increase the time it takes
to process objects.

9. Click OK.

The con gured HSM system settings are saved.

Con guring HSM system settings via the Application Console

If you do not use an HSM system, don’t change the default value for the Hierarchical storage access type
setting (Non-HSM system).

To con gure access to the hierarchical storage, you have to specify the way the HSM system determines the
location of the le being scanned. You can nd this information in the manuals of the HSM system being used.

To de ne the access type for the hierarchical storage:

1. In the Application Console tree, open the context menu of the Kaspersky Security node.

2. Select Hierarchical storage.

The HSM system settings window opens.

3. Specify the settings of the HSM system on the Hierarchical storage tab:

Non-HSM system .

HSM system uses reparse points .

HSM system uses extended le attributes .

511
 Unknown HSM system .

If you specify the wrong version or select the Unknown HSM system option, Kaspersky Security for
Windows Server may incorrectly determine the location of objects, which will increase the time it takes
to process objects.

4. Click OK.

The con gured HSM system settings are saved.

Con guring HSM system settings via the Web Plug-in

If you do not use an HSM system, don’t change the default value for the Hierarchical storage access type
setting (Non-HSM system).

To con gure access to the hierarchical storage, you have to specify the way the HSM system determines the
location of the le being scanned. You can nd this information in the manuals of the HSM system being used.

To de ne the access type for the hierarchical storage:

1. In the main window of Web Console, select Devices → Policies & pro les.

2. Click the policy name you want to con gure.

3. In the <Policy name> window that opens select the Application settings tab.

4. Select the Application settings section.

5. In the Scalability, interface and scan settings subsection, click the Settings button.
The Scalability, interface and scan settings window opens.

6. In the HSM system settings section select the option for accessing the HSM system:

Non-HSM system .

HSM system uses reparse points .

HSM system uses extended le attributes .

Unknown HSM system .

If you specify the wrong version or select the Unknown HSM system option, Kaspersky Security for
Windows Server may incorrectly determine the location of objects, which will increase the time it takes
to process objects.

7. Click OK.

The con gured HSM system settings are saved.

512
Network Attached Storage Protection
This section contains information about the Network Attached Storage and how to con gure it.

Integrating Kaspersky Security for Windows Server with network attached

storages
This section provides information about the principles of joint operation of Kaspersky Security for Windows
Server and network attached storages.

Protecting an EMC network attached storage of the Celerra / VNX group

Kaspersky Security for Windows Server interacts with an EMC network attached storage of the Celerra / VNX
group using CAVA (Celerra Antivirus Agent) running on the protected device with Kaspersky Security for Windows
Server installed. When running, Kaspersky Security for Windows Server checks the protected device for installed
CAVA, which must meet the requirements of Kaspersky Security for Windows Server.

When an attempt is made to read or write a le stored in a network attached storage, this storage initiates a
network request and hands the le to CAVA. CAVA writes the received le to a local disk of the computer, saving it
in a dedicated folder. The Real-Time File Protection component intercepts the le operation and scans the le in
accordance with the settings de ned in the Real-Time File Protection task, for example, disinfecting or deleting the
le. CAVA analyzes Kaspersky Security for Windows Server actions to create the check result and hand it to the
network attached storage.

RPC Network Storage Protection

Interaction between Kaspersky Security for Windows Server and an RPC network storage (such as NetApp or
Hitachi NAS in RPC mode) requires the RPC (Remote Procedure Call) protocol.

Kaspersky Security for Windows Server maintains a continuous connection with the network attached storage
and regularly initiates RPC requests. When an attempt is made to read or create / write to a le stored in a network
attached storage, the latter provides Kaspersky Security for Windows Server direct access to the le using the
CIFS protocol. The RPC Network Storage Protection component scans the le in accordance with the settings
de ned in the RPC Network Storage Protection task. When a threat is detected, Kaspersky Security for Windows
Server performs the actions de ned in the task settings (including le disinfection or deletion) on the le, and then
it sends the scan result to the network attached storage.

ICAP Network Storage Protection

With an ICAP network storage (such as EMC Isilon, IBM NAS, or Hitachi NAS in ICAP mode), Kaspersky Security for
Windows Server functions as a service operating via the Internet Content Adaptation Protocol (ICAP).

When an attempt is made to read or create / write to a le stored in a network attached storage, the latter
generates an ICAP request to Kaspersky Security for Windows Server and sends the le inside this request. The
ICAP Network Storage Protection component scans the le in accordance with the settings de ned in the ICAP
Network Storage Protection task. When a threat is detected, Kaspersky Security for Windows Server performs
the actions de ned in the task settings on the le, and then it returns the scan result to the network attached
storage. If the Disinfect action is speci ed in the settings, and the le is successfully disinfected, Kaspersky
Security for Windows Server returns the disinfected le to the network attached storage as the response to the
request.
513
Con guring inbound and outbound connections in Windows rewall

The names of settings may vary under di erent Windows operating systems.

To con gure inbound and outbound connections in Windows rewall:

1. Open the settings window of Windows rewall in one of the following ways:

If you con gure Windows rewall locally, click the Start button, enter the wf.msc command at the search
bar, and press ENTER.

If you con gure Windows rewall from another computer:

a. Click the Start button, enter the mmc command at the search bar, and press ENTER.
The Management Console window opens.

b. In the window that opens, select File > Add or remove a snap-in.
The Add or remove snap-ins window opens.

c. In the list of available snap-ins, select the Firewall with Advanced Security snap-in and click the Add
button.
The Select computer window opens.

d. In the window that opens, select Another computer and specify a server with Kaspersky Security for
Windows Server installed, using one of the following methods:

In the entry eld, specify the domain name of a server with Kaspersky Security for Windows Server
installed.

Click the Browse button and, in the integrated security subject selection window that opens, select a
server with Kaspersky Security for Windows Server installed, using search by domain or by workgroup.

e. Click OK.
The changes will be saved.

2. Create rules for inbound and outbound connections with the following settings:

Allow inbound connections from all remote ports to local ports TCP 137 – 139, TCP 445.

Allow outbound connections from all local ports to remote ports TCP 137 – 139, TCP 445.

If all outbound connections are denied, open the following ports: TCP 443 (RPC(HTTP)), TCP 445
(SMB), TCP 88 (Kerberos), TCP 53 (DNS), UDP 53 (DNS).

By default, Windows rewall allows all inbound connections for which no denying rules have been set. If the
default settings are applied, no rule should be created for outbound connections.

The Windows rewall settings can also be de ned by a group or domain policy.

514
Con guring security settings of local policies in the local group policy editor

The names of settings may vary under di erent Windows operating systems.

To de ne the security settings of local policies in the local group policy editor:

1. Open the Local group policy editor using one of the following methods:

If you de ne the settings locally, click the Start button, enter the gpedit.msc command at the search bar,
and press ENTER.

If you de ne the settings from another computer:

a. Click the Start button, enter the mmc command at the search bar, and press ENTER.
The Management Console window opens.

b. In the window that opens, select File > Add or remove a snap-in.
The Add or remove snap-ins window opens.

c. In the list of available snap-ins, select the Group policy object editor snap-in and click the Add button.
The Group Policy Wizard starts.

d. In the Wizard window, click the Browse button.

The Search group policy object window opens.

e. In the window that opens, on the Computers tab, select Another computer and specify a server with
Kaspersky Security for Windows Server installed, using one of the following methods:

In the entry eld, specify the domain name of a server with Kaspersky Security for Windows Server
installed.

Click the Browse button and, in the computer selection window that opens, select a server with
Kaspersky Security for Windows Server installed, using search by domain or by workgroup.

f. Click OK.
The changes will be saved.

2. Select Computer con guration > Windows Settings > Security settings > Local policies > Security Options.

3. Specify the following values for network access settings:

Network access: Let For everyone permissions apply to anonymous users – Enabled

Network access: Do not allow anonymous enumeration of SAM accounts – Disabled

Network access: Restrict anonymous access to named pipes and shares – Disabled

4. Restart the server with Kaspersky Security for Windows Server installed.

The applied changes take e ect.

515
Working with the Kaspersky Security for Windows Server Console
This section provides information about Kaspersky Security for Windows Server Console and describes how to
manage Kaspersky Security for Windows Server using the Application Console installed on the protected server or
a di erent computer.

About the Kaspersky Security for Windows Server Console

Kaspersky Security for Windows Server Console is an isolated snap-in added to the Microsoft Management
Console.

The application can be managed via the Application Console installed on the protected device or on another
device on the corporate network.

After the Application Console has been installed on another device, advanced con guration is required.

If the Application Console and Kaspersky Security for Windows Server are installed on di erent protected
devices assigned to di erent domains, limitations may be imposed on delivery of information from the
application to the Application Console. For example, after any application task starts, its status may remain
unchanged in the Application Console.

During installation of the Application Console the installation wizard creates the kavfs.msc le in the installation
folder and adds Kaspersky Security for Windows Server snap-in to the list of isolated Microsoft Windows snap-ins.

You can start the Application Console from the Start menu. The Kaspersky Security for Windows Server snap-in
msc- le can be run or added to the existing Microsoft Management Console as a new element in the tree.

Under a 64-bit version of Microsoft Windows, the Kaspersky Security for Windows Server snap-in can be
added only in the 32-bit version of Microsoft Management Console. To do so, open Microsoft Management
Console from the command line by executing the command: mmc.exe /32.

Multiple Kaspersky Security for Windows Server snap-ins can be added to one Microsoft Management Console
opened in author mode to use it to manage the protection of multiple devices on which Kaspersky Security for
Windows Server is installed.

Starting the Kaspersky Security for Windows Server Console from the
Start menu

The names of settings may vary under di erent Windows operating systems.

To start the Application Console from the Start menu:

1. In the Start menu, select Programs > Kaspersky Security for Windows Server > Administration Tools >
Kaspersky Security for Windows Server Console.

516
To add other snap-ins to the Application Console, start the Application Console in author mode.

To start the Application Console in author mode:

1. In the Start menu, select Programs > Kaspersky Security for Windows Server > Administration Tools.

2. In the context menu of the Application Console, select the Author command.

The Application Console is started in author mode.

If the Application Console has been started on the protected device, the Application Console window opens.

If you started the Application Console on a non-protected device, connect to the protected device.

To connect to the protected device:

1. In the Application Console tree, open the context menu of the Kaspersky Security node.

2. Select the Connect to another computer command.

The Select computer window opens.

3. Select Another computer in the window that opens.

4. Specify the network name of the protected device in the entry eld on the right.

5. Click OK.

The Application Console will connect to the protected device.

If the user account that you are using to log in to Microsoft Windows does not have su icient permissions to
access the Kaspersky Security Management Service on the protected device, select the Connect as user check
box and specify a di erent user account that the required permissions.

Kaspersky Security for Windows Server Console window

The Kaspersky Security for Windows Server Console is displayed in the Microsoft Management Console tree in
the form of a node with the name Kaspersky Security.

After a connection has been established to Kaspersky Security for Windows Server installed on a di erent
protected device, the name of the node is supplemented with the name of the protected device on which the
application is installed and the name of the user account under which the connection has been established:
Kaspersky Security <Protected device name> as <account name>. When connecting to Kaspersky Security for
Windows Server installed on the same protected device with the Application Console, the node name is
Kaspersky Security.

Console tree

The Application Console tree displays the Kaspersky Security node and the child nodes of functional
components of the application.

The Kaspersky Security node includes the following child nodes:

517
Real-Time Server Protection : manage real-time protection tasks and KSN services. The Real-Time Server
Protection node allows you to con gure the following tasks:

Real-Time File Protection

Script Monitoring

KSN Usage

Tra ic Security

Anti-Cryptor

Server Control: control launch of applications installed on a protected device, as well as external devices
connections. The Server Control node allows you to con gure the following tasks:

Applications Launch Control

Device Control

Firewall Management

Automated rule generators: con gure automatic generation of group and system rules for the Applications
Launch Control task and the Device Control task.

Rule Generator for Applications Launch Control

Rule Generator for Device Control

Rule generation group tasks <Task names> (if any)

Group tasks are created using Kaspersky Security Center. You cannot manage group tasks through the
Application Console.

System Inspection: con gure le operation control and Windows Event Log inspection settings.

File Integrity Monitor

Log Inspection

Network Attached Storage Protection: con gure network storage protection tasks.

RPC Network Storage Protection

ICAP Network Storage Protection

Anti-Cryptor for NetApp

On-Demand Scan: manage On-Demand Scan tasks. There is a separate node for each task:

Scan at Operating System Startup

Critical Areas Scan

Quarantine Scan

Application Integrity Control

518
 Baseline File Integrity Monitor

Custom tasks <Task names> (if any)

The node displays system tasks created when the application is installed, custom tasks, and group on-demand
scan tasks created and sent to a protected device using Kaspersky Security Center.

Update: manage updates for Kaspersky Security for Windows Server databases and modules and copies the
update to a local update source folder. The node contains child nodes for administering each update task and
the last Rollback of Application Database Update task:

Database Update

Software Modules Update

Copying Updates

Rollback of Application Database Update

The node displays all custom and group update tasks created and sent to a protected device using Kaspersky
Security Center.

Storages: Management of Quarantine, Backup and Blocked Hosts settings.

Quarantine

Backup

Blocked Host Storage

Logs and noti cations: manage local task logs, security log and Kaspersky Security for Windows Server
system audit log.

Security log

System audit log

Task logs

Licensing: add or delete Kaspersky Security for Windows Server license keys, view license details.

Details pane

The details pane displays information about the selected node. If the Kaspersky Security node is selected, the
details pane displays information about the current device protection status, information about Kaspersky
Security for Windows Server, the protection status of its functional components, and the license expiration date.

Context menu of the Kaspersky Security node

You can use the items of the context menu of the Kaspersky Security node to perform the following operations:

Connect to another computer. Connect to another device to manage Kaspersky Security for Windows Server
installed on it. You can also perform this operation by clicking the link in the lower right corner of the details
pane of the Kaspersky Security node.
519
 Start the service / Stop the service. Start or stop the application or a selected task. To carry out these
operations, you can also use the buttons on the toolbar. You can also perform these operations in context
menus of application tasks.

Con gure removable drives scan settings. Con gure scanning of removable drives connected to the
protected device via the USB port.

Exploit Prevention: general settings. Con gure the Exploit Prevention mode and set up preventive actions.

Exploit Prevention: processes protection settings. Add processes for protection and select the exploit
prevention techniques.

Con gure Trusted Zone settings. View and con gure Trusted Zone settings.

Modify user rights of application management. View and con gure permissions to access Kaspersky Security
for Windows Server functions.

Modify user rights of Kaspersky Security Service management. View and con gure user rights to manage
the Kaspersky Security Service.

Hierarchical storage. Con gure the access method for the HSM system.

Export settings. Save the application settings in an XML con guration le. You can also perform this operation
in context menus of application tasks.

Import settings. Import application settings from an XML con guration le. You can also perform this
operation in context menus of application tasks.

Information about the application and available module updates. See information about Kaspersky Security
for Windows Server and currently available application modules updates.

Refresh. Refresh the contents of the Application Console window. You can also perform this operation in
context menus of application tasks.

Properties. View and con gure settings of Kaspersky Security for Windows Server or a selected task. You can
also perform this operation in context menus of application tasks.

To do so, you can also use the Application properties link in the details pane of the Kaspersky Security
node or use the button on the toolbar.

Help. View information in Kaspersky Security for Windows Server Help. You can also perform this operation in
context menus of application tasks.

Toolbar and context menu of Kaspersky Security for Windows Server tasks

You can manage Kaspersky Security for Windows Server tasks using the items of context menus of each task in
the Application Console tree.

You can use the items of the context menu to perform the following operations:

Start / Stop. Start or stop task execution. To carry out these operations, you can also use the buttons on the
toolbar.

520
 Resume / Pause. Resume or pause the task. To carry out these operations, you can also use the buttons on the
toolbar. This operation is available for Real-Time Server Protection tasks and On-Demand Scan tasks.

Add task. Create a new custom task. This operation is available for On-demand scan tasks.

Open log. View and manage a task log. This operation is available for all tasks.

Remove task. Delete a custom task. This operation is available for On-demand scan tasks.

Settings templates. Manage templates. This operation is available for Real-Time File Protection and On-
Demand Scan.

Viewing status information for Network Attached Storage Protection

To view information about Network Attached Storage Protection status,

select the Kaspersky Security node in the Application Console tree.

By default, information in the details pane of Kaspersky Security for Windows Server Console is refreshed
automatically:

every 10 seconds in case of a local connection.

every 15 seconds in case of a remote connection.

To refresh information in the Kaspersky Security node manually,

select the Refresh command in the context menu of the Kaspersky Security node.

Information about the status of protected network attached storages is displayed in the details pane of the
Kaspersky Security node on the Network Attached Storage Protection tab.

The Real-time protection section displays information about the RPC and ICAP Network Storage Protection
tasks, and the Celerra / VNX integration status (see table below).

Information about network storage protection

Network Attached Information

Storage Protection
section

Network Attached The color of the panel with the name of the section re ects the status of tasks
Storage Protection described in the section. The indicator can take the following values:
status indicator
Green is displayed in the following case: RPC Network Storage Protection and
ICAP Network Storage Protection tasks are running.

Yellow is displayed in the following cases:

One of the following tasks is running: RPC Network Storage Protection or

ICAP Network Storage Protection.

Celerra / VNX Anti-Virus Agent is found.

521
 Red is displayed in the following case: no protection tasks are running and Celerra
/ VNX Anti-Virus Agent is found.

RPC-Network Task status eld displays current task status, for example, Running or Stopped.
Storage Protection
Detected eld displays the number of malicious objects detected on RPC network
storage shared folders. If the number of detected software exceeds 0, the row value
is highlighted in red.

ICAP-Network Task status eld displays current task status, for example, Running or Stopped.
Storage Protection
Detected eld speci es the number of malicious objects detected on ICAP network
storage shared folders. If the number of detected software exceeds 0, the row value
is highlighted in red.

Celerra / VNX The following values are possible:

integration
Celerra / VNX Anti-Virus Agent not found . Kaspersky Security for Windows
Server cannot nd any EMC software, or an error has occurred in the integration
code.

Protection disabled. Kaspersky Security for Windows Server has established a

connection to EMC software, but the Real-Time File Protection task is not
running in Kaspersky Security for Windows Server.

Protection enabled. Kaspersky Security for Windows Server has established a

connection to EMC software, and the Real-Time File Protection task is running in
Kaspersky Security for Windows Server.

The Anti-Cryptor protection section (see the table below) displays information about the Anti-Cryptor for
NetApp task status.

Information about Anti-Cryptor protection status

Control section Information

Anti-Cryptor The color of the panel with the name of the section re ects the status of tasks
protection status being performed in the section. The indicator can take the following values:
indicator
Green color of the panel – the Anti-Cryptor for NetApp task is running.

Red color of the panel – the Anti-Cryptor for NetApp task is not running.

Anti-Cryptor for Task status – current task status, for example, Running or Stopped.
NetApp
Operation mode – one of the two available modes for the Anti-Cryptor for NetApp
task.
Hosts blocked – the number of compromised hosts that were blocked when
attempting to access the network shared folders on the protected server.

Managing Network Attached Storage Protection tasks

This section provides information about Kaspersky Security for Windows Server tasks: how to create, start and
stop tasks manually or automatically, and de ne task settings.

522
Saving a task after changing its settings
The settings of a task that is running or stopped (paused) can be modi ed. New settings take e ect under the
following conditions:

If you changed the settings of a running task, the new settings are applied immediately after saving the task.

If you changed the settings of a stopped (paused) task, the new settings are applied when the task is next
started.

To save modi ed task settings,

in the context menu of the task name, select Save task.

If after changing task settings another node in the Application Console tree is selected without rst selecting the
Save task command, the window for saving the settings appears.

To save modi ed settings when switching to another Console node,

Click Yes in the save settings window.

Starting / pausing / resuming / stopping tasks manually

To start or stop a Network Attached Storage Protection task:

1. Open the context menu of the task name in Kaspersky Security for Windows Server Console.

2. Select one of the items: Start or Stop.

The operation is performed and logged in the system audit log.

Managing task schedules

You can con gure the launch schedule for Kaspersky Security for Windows Server tasks, and con gure settings
for running tasks by schedule.

Con guring the task launch schedule settings

You can con gure the launch schedule for local system and custom tasks in the Application Console. You cannot
con gure the launch schedule for group tasks.

To con gure task launch schedule settings:

1. Open the context menu of the task for which you want to con gure the launch schedule.

2. Select Properties.

523
 The Task settings window opens.

3. In the window that opens, on the Schedule tab, select the Run by schedule check box.

4. Con gure schedule settings in accordance with your requirements. To do this, perform the following actions:

a. In the Frequency list, select one of the following values:

Hourly, if you want the task to run every hour for a speci ed number of hours; specify the number of
hours in the Every <number> hour(s) eld.

Daily, if you want the task to run every day for a speci ed number of days; specify the number of days in
the Every <number> day(s) eld.

Weekly, if you want the task to run every week for a speci ed number of weeks; specify the number of
weeks in the Every <number> week(s) eld. Specify the days of the week on which the task will be
launched (by default the task is launched on Mondays).

At application launch, if you want the task to run every time Kaspersky Security for Windows Server
starts.

After application database update, if you want the task to run after every update of the application
databases.

b. Specify the time for the rst task launch in the Start time eld.

c. In the Start date eld, specify the date from which the schedule applies.

After the task startup frequency has been speci ed, the time of the rst task launch, and the date
from which the schedule applies, information about the calculated time for the next task launch will
appear in the top part of the window in the Next start eld. Updated information about the estimated
time of the next task launch will be displayed each time you open the Task settings window of the
Schedule tab.

The Blocked by policy value is displayed in the Next start eld if the active policy settings of Kaspersky
Security Center prohibit launching scheduled system tasks.

5. Using the Advanced tab con gure the following schedule settings in accordance with your requirements.

In the Advanced settings section:

a. Select the Cancel schedule from check box and specify the date from which the schedule will cease to
operate.

b. Select the Run skipped tasks check box to enable the launch of skipped tasks.

c. Select the Randomize the task start within interval of check box and specify the value in minutes.

6. Click the Apply button.

The con gured task launch settings will be saved.

524
Enabling and disabling scheduled tasks
You can enable and disable scheduled tasks either before or after con guring the schedule settings.

To enable or disable the task launch schedule:

1. Open the context menu of the task for which you want to con gure the launch schedule.

2. Select Properties.
The Task settings window opens.

3. In the window that opens on the Schedule tab, do one of the following:

Select the Run by schedule check box if you want to enable the scheduled launch of the task.

Clear the Run by schedule check box if you want to disable scheduled task launch.

The con gured task launch schedule settings are not deleted and will be applied at the next scheduled
launch of the task.

4. Click the Apply button.

The con gured task launch schedule settings are saved.

Protecting EMC network attached storages of the Celerra / VNX group

This section provides information on the protection of EMC network attached storages of the Celerra / VNX
group (hereinafter also Celerra / VNX) and on integration of Kaspersky Security for Windows Server with a Celerra
/ VNX network attached storage.

About protection of EMC network attached storages of the Celerra / VNX

group
Kaspersky Security for Windows Server installed on a server under a Microsoft Windows operating system
protects EMC network attached storages of the Celerra / VNX group against viruses and other security threats
that in ltrate the server through exchange of les.

Kaspersky Security for Windows Server scans les located in network share folders in the EMC network attached
storage of the Celerra / VNX group when an attempt is made to read or modify the les from a workstation. The
network attached storage allows reading or modifying a le if Kaspersky Security for Windows Server has
identi ed that le as safe. If Kaspersky Security for Windows Server has identi ed a le as infected or probably
infected, the network attached storage blocks that le from being read or modi ed.

Kaspersky Security for Windows Server allows you to con gure the actions that the application will perform on
infected and probably infected les.

525
By default, Kaspersky Security for Windows Server performs the following operations:

Disinfects infected les.

Deletes infected les if disinfection fails.

Moves probably infected les to Quarantine.

Moves a copy of an infected le to Backup before disinfecting or removing this le.

To protect a network attached storage, you have to integrate Kaspersky Security for Windows Server with the
Celerra / VNX network attached storage.

Protection of the Celerra / VNX network attached storage is provided by the Real-Time File Protection task.

Detailed information about the Real-Time File Protection task is provided in the Kaspersky Security for Windows
Server Administrator's Guide.

Integrating Kaspersky Security for Windows Server with an EMC network

attached storage of the Celerra / VNX group
To protect a network attached storage, you have to integrate Kaspersky Security for Windows Server with the
Celerra / VNX network attached storage.

Integration of Kaspersky Security for Windows Server with a Celerra / VNX network attached storage is
performed when the following conditions are met:

1. The CAVA (Celerra Antivirus Agent) software agent that is part of the EMC Celerra / VNX software package is
installed on the protected device with Kaspersky Security for Windows Server. Kaspersky Security for
Windows Server interacts with the EMC network attached storage of the Celerra / VNX group through this
program agent.

2. Real-Time File Protection task is started.

For detailed information about the Real-Time File Protection task and instructions on how to con gure its
settings, refer to the Kaspersky Security for Windows Server Administrator's Guide.

The status of Kaspersky Security for Windows Server integration with the Celerra / VNX network attached
storage is shown in the details pane of the Kaspersky Security node.

RPC Network Storage Protection

This section provides information about the RPC Network Storage Protection, con guration of connection
between a network attached storage and Kaspersky Security for Windows Server, and instructions on how to
con gure the RPC Network Storage Protection task settings and the security settings in the task.

About the RPC Network Storage Protection

526
Kaspersky Security for Windows Server installed on a server under Microsoft Windows protects RPC network
storages (such as NetApp network attached storages) against viruses and other computer security threats that
in ltrate the server through the exchange of les.

Kaspersky Security for Windows Server scans les located in network share folders in the RPC network storage
(hereinafter also network attached storage) when an attempt is made to read or modify the les from a
workstation. The network attached storage allows reading or modifying a le if Kaspersky Security for Windows
Server has identi ed that le as safe. If Kaspersky Security for Windows Server has identi ed a le as infected or
probably infected, the network attached storage performs the action according to the con gured settings (e.g.,
blocks that le from being read or modi ed).

Kaspersky Security for Windows Server allows you to con gure the actions that the application will perform on
infected and probably infected les.

By default, Kaspersky Security for Windows Server performs the following operations:

Disinfects infected les.

Deletes infected les if disinfection fails.

Moves probably infected les to Quarantine.

Moves a copy of an infected le to Backup before disinfecting or removing this le.

You can protect one network attached storage or several network attached storages using one server with
Kaspersky Security for Windows Server installed on it. To improve the performance of the network attached
storage and the server with Kaspersky Security for Windows Server, you can use several servers with Kaspersky
Security for Windows Server for protection of a single network attached storage. In this case, the network
attached storage distributes the workload among associated servers on which Kaspersky Security for Windows
Server is installed.

To ensure real-time protection of a network attached storage, add it to Kaspersky Security for Windows Server as
part of the protection scope and then con gure a connection between the network attached storage and the
server with Kaspersky Security for Windows Server installed on it. Kaspersky Security for Windows Server
provides an RPC network storage protection with task called RPC Network Storage Protection.

The RPC Network Storage Protection task is created by default; it is a system task of Kaspersky Security for
Windows Server. You cannot delete or rename this task. You cannot create custom tasks for RPC Network Storage
Protection.

You can con gure the RPC Network Storage Protection task. Settings con gured in the RPC Network Storage
Protection task properties are applied to all protection scopes that are added to the task. You can also con gure
the security settings for each protection scope.

You can run Network Attached Storage Protection tasks if the active key supports network attached storage
protection. If you run a Network Attached Storage Protection task when the active key does not support
network attached storage protection, the task returns an error. In this case, Kaspersky Security for Windows
Server does not protect network attached storages.

The RPC Network Storage Protection component is available within Kaspersky Security for Windows Server
for Network Attached Storages.

527
 For more details on solutions for protection of organizations that include Kaspersky Security for Windows
Server, see the Kaspersky Security for Windows Server Administrator's Guide.

About scanning symbolic links

Symbolic link is a speci c type of le that contains an indicator redirecting to another object and presented as an
absolute or relative path. A symbolic link can point to, for example, an object that is located in a shared network
folder of another network attached storage.

Scanning symbolic links in network attached storages typically occurs as follows. Kaspersky Security for Windows
Server scans the le that the symbolic link indicates, only if that le is included in the protection scope. If the le
that the symbolic link indicates is located beyond the protection scope, Kaspersky Security for Windows Server
does not scan that le. If the settings of the network attached storage allow using the link to leave the folder
storing that link, you are recommended to make sure that the destination folder makes part of the protection
scope. For example, if the settings allow using the symbolic link to browse between shared network folders within
the protected network attached storage, you are recommended to make sure that anti-virus scanning is enabled
for all shared network folders.

About scanning snapshots and other read-only volumes and folders

Kaspersky Security for Windows Server scans les stored in snapshots and other volumes and folders that are set
up in read-only mode, but does not perform any actions on les in those volumes and folders: for example, it does
not block access to infected les. To prevent any risk of infection of workstations, you are recommended to mark
snapshots and other volumes and folders in read-only mode as hidden form users and provide access to
snapshots and other volumes and folders in read-only mode by requesting the administrator.

Con guring a connection between an RPC network storage and Kaspersky

Security for Windows Server

You can run Network Attached Storage Protection tasks if the active key supports network attached storage
protection. If you run a Network Attached Storage Protection task when the active key does not support
network attached storage protection, the task returns an error. In this case, Kaspersky Security for Windows
Server does not protect network attached storages.

To protect an RPC network storage, you need to con gure the connection of the network attached storage to
Kaspersky Security for Windows Server.

To con gure a connection between a network attached storage and Kaspersky Security for Windows Server:

1. Con gure the following settings on the server with Kaspersky Security for Windows Server installed:

Add a network attached storage to Kaspersky Security for Windows Server.

In Kaspersky Security for Windows Server Console, specify the user account under which you want to run
the RPC Network Storage Protection task.

528
 In the local group policy editor, con gure the security settings of local policies.

In the Windows rewall settings window, con gure the rules of outbound and inbound connections in
Windows rewall.

If necessary, install a connector application for the RPC network storage to be protected by Kaspersky
Security for Windows Server.

You can nd information on how to install the connector application for the protected network attached
storage in the accompanying manual.

2. In the network attached storage, con gure the following settings:

Enable the anti-virus protection feature (vscan).

Add the user account under which the RPC Network Storage Protection task must be run to the Backup
Operators group.

You can nd information on how to con gure your network attached storage in the accompanying manual.

The connection between an RPC network storage and Kaspersky Security for Windows Server is established.

Selecting a user account for running the RPC Network Storage Protection
task

The user account under which the RPC Network Storage Protection task will be run must have administrator
rights on the server with Kaspersky Security for Windows Server installed and must be included in the Backup
Operators group in the network attached storage.

If the network attached storage and the server with Kaspersky Security for Windows Server installed are in the
same domain, you can use the domain account. If the network attached storage and the server with Kaspersky
Security for Windows Server installed are in the same work group, you can use local accounts with the same user
name and the same password.

Only a domain account can be used for network storages running under the Data ONTAP operating system of
version 8.2.1 or later in cluster mode.

If more than one user account exists on the Kaspersky Security for Windows Server side, make sure the user
under which you con gure and start the RPC Network Storage Protection task is added to the privileged
users list for working with NetApp. If the user account does not have required privileges, les on the network
attached storage shared folders can be accessed, but no scanning will be performed by the running
protection tasks.

To specify a user account under which the RPC Network Storage Protection task is started:

1. Expand the Network Attached Storage Protection node in the Application Console tree.

529
 2. Select the RPC Network Storage Protection child node.

3. In the details pane of the RPC Network Storage Protection node, click the Properties link.
The Task settings window opens.

4. In the window that opens, go to the General tab, and in the Network attached storage systems connection
settings section enter the name of the user account under which the task starts, the account password, and
the password con rmation.

5. Click OK.

The modi ed settings to run the task with user account permissions are saved.

Creating the protection scope in the RPC Network Storage Protection task
This section provides instructions on creating and managing a protection scope in the RPC Network Storage
Protection task.

Adding an RPC network storage to Kaspersky Security for Windows Server

To add an RPC network storage to the protection scope of Kaspersky Security for Windows Server:

1. Expand the Network Attached Storage Protection node in the Application Console tree.

2. Select the RPC Network Storage Protection child node.

3. In the details pane of the RPC Network Storage Protection node, click the Con gure protection scope link.

4. In the window that opens, click the Add button.

The Add protection scope window opens.

5. In the Add protection scope window, enter the domain name or IP address of the network attached storage.

If you are using a NetApp storage system managed by NetApp Clustered Data ONTAP operating system,
ll in this eld by specifying the IP address of the computer on which the connector application is installed;
in particular, 127.0.0.1.

6. Click OK to add the network attached storage to Kaspersky Security for Windows Server.
The network attached storage appears in the list of protected network attached storages.

7. Click the Save button.

The con gured protection scope settings are saved.

Kaspersky Security for Windows Server connects to the network attached storage when the RPC Network
Storage Protection task is launched. If you have speci ed an incorrect domain name or incorrect IP address for the
network attached storage, the task returns an error. Kaspersky Security for Windows Server records information
about this event in the system audit log and the task log.

530
 If you are using a NetApp storage system managed by the NetApp Clustered Data ONTAP operating
system, Kaspersky Security for Windows Server connects to the connector application installed on the
protected server. You are recommended to make sure that the connection between the connector
application and the NetApp storage system is con gured correctly and that the added network attached
storage is protected by Kaspersky Security for Windows Server.

Disabling and enabling protection of an added RPC network storage

To disable protection of an added RPC network storage:

1. Expand the Network Attached Storage Protection node in the Application Console tree.

2. Select the RPC Network Storage Protection child node.

3. In the details pane of the RPC Network Storage Protection node, click the Con gure protection scope link.

4. In the list of protected network attached storages, clear the check box next to the name of the network
attached storage for which you want to temporarily disable protection.

5. Click the Save button.

Kaspersky Security for Windows Server interrupts the connection with the selected network attached storage.

If you disable the protection feature for all added network attached storages, Kaspersky Security for Windows
Server stops the RPC Network Storage Protection task.

To enable protection of an added RPC network storage:

1. Expand the Network Attached Storage Protection node in the Application Console tree.

2. Select the RPC Network Storage Protection child node.

3. In the details pane of the RPC Network Storage Protection node, click the Con gure protection scope link.

4. In the list of protected network attached storages, select the check box next to the name of the network
attached storage for which you want to enable protection.

5. Click the Save button.

If RPC Network Storage Protection is enabled, Kaspersky Security for Windows Server establishes a connection
to the network attached storage. If the RPC Network Storage Protection task is not running, you need to start it
so that Kaspersky Security for Windows Server establishes a connection with the network attached storage.

Removing an RPC network storage from the protection scope

To delete an RPC network storage from the RPC Network Storage Protection task:

1. Expand the Network Attached Storage Protection node in the Application Console tree.

531
 2. Select the RPC Network Storage Protection child node.

3. In the details pane of the RPC Network Storage Protection node, click the Con gure protection scope link.

4. In the list of protected network attached storages, select the network attached storage that you want to
remove from the protection scope.

5. In the context menu of the network attached storage that you want to remove from the protection scope,
select Remove from the list.

The selected network attached storage is removed from the list of protected network attached storages.

Con guring the RPC Network Storage Protection task

By default, the RPC Network Storage Protection task has the settings described in the table below. You can
change the values of these settings.

When task settings are modi ed (for example, a di erent protection scope is speci ed), Kaspersky Security for
Windows Server immediately applies new settings in the running task. Kaspersky Security for Windows Server logs
the date and time when task settings were modi ed in the system audit log.

Settings of the RPC Network Storage Protection task

Setting Default value Comment

Protection Not available. You need to add the network attached storage to
scope Kaspersky Security for Windows Server.

Security level The Recommended security level is You can apply one of the preset security levels to
applied. the protected network attached storage, or
specify the values of the security settings
manually.

Heuristic The Medium analysis level is applied. The Heuristic Analyzer can be enabled or disabled
analyzer and the analysis level con gured.

Apply Trusted Applied. You can enable and disable the use of the trusted
Zone zone and con gure it.

Use KSN for Applied. You can enable or disable the use of KSN services
protection in the RPC Network Storage Protection task.

Network You need to specify the user account under which

The User name and the
attached the RPC Network Storage Protection task is
Password of the user account
storage started. You can also modify other network
under which the task is started:
systems storage connection settings.
none.
connection
settings
Timeout between reconnection
attempts (sec.): 5.

Maximum number of
reconnection attempts: 3.

Clear cache of scanned les on

network attached storage after
application database update
check box is cleared.

532
 Schedule Not applied. The Run by schedule You can con gure the task to run by schedule, for
check box is cleared. The task is run example at Kaspersky Security for Windows
manually. Server start.

To con gure settings of the RPC Network Storage Protection task:

1. Expand the Network Attached Storage Protection node in the Application Console tree.

2. Select the RPC Network Storage Protection child node.

3. In the details pane of the RPC Network Storage Protection node, click the Properties link.
The Task settings window opens.

4. On the General tab in the window that opens, con gure the following task settings:

Using the Heuristic Analyzer.

Task launch with user account permissions.

Connection to an RPC network storage.

Integration with other Kaspersky Security for Windows Server components.

5. On the Schedule and Advanced tabs, con gure the scheduled task launch settings.

6. Click OK in the Task settings window.

The modi ed settings are saved.

7. In the details pane of the RPC Network Storage Protection node, click the Con gure protection scope link.

8. Do the following:

Add network attached storage via RPC protocol to the protection scope of Kaspersky Security for
Windows Server.

In the list of added network attached storages connected via the RPC protocol, select the network
attached storages whose protection you want to activate.

Select one of the preset security levels or con gure the security settings of objects manually.

9. Click Save in the Protection scope settings window.

Kaspersky Security for Windows Server immediately applies the new values of settings to the running task.
Information about the date and time when the settings were modi ed and the values of task settings before and
after modi cation are saved in the task log.

Using the Heuristic Analyzer

The RPC Network Storage Protection task can use heuristic analyzer with a con gured level of analysis.

To con gure the settings of heuristic analyzer used in the RPC Network Storage Protection task:

533
 1. Expand the Network Attached Storage Protection node in the Application Console tree.

2. Select the RPC Network Storage Protection child node.

3. In the details pane of the RPC Network Storage Protection node, click the Properties link.
The Task settings window opens.

4. In the window that opens, go to the General tab and do the following in the Heuristic analyzer section:

Clear or select the Use heuristic analyzer check box.

If necessary, adjust the level of analysis using the slider .

5. Click OK.

The newly con gured settings are applied.

Integration with other components of Kaspersky Security for Windows

Server

RPC Network Storage Protection task sends only document les to the Kaspersky Sandbox.

You can use the RPC Network Storage Protection task together with the following functional component and task
of Kaspersky Security for Windows Server:

Trusted Zone

KSN Usage task

Trusted zone is a prede ned list of exclusions for protection scope or scan scope.

You can enable or disable the use of the trusted zone in the RPC Network Storage Protection task. After the
trusted zone is enabled or disabled, exclusions in this zone will be applied or removed immediately.

Kaspersky Security Network (KSN) is an infrastructure of online services providing access to Kaspersky online
knowledge base on the reputation of les, web resources and programs.

You can enable or disable the KSN usage in the RPC Network Storage Protection task. After you enable or disable
the KSN usage, the task starts or stops showing conclusions about the reputation of les being scanned based on
information received from KSN.

To start the KSN Usage task, you must accept the Kaspersky Security Network Statement.

To enable or disable the use of other application components in the RPC Network Storage Protection task:

1. Expand the Network Attached Storage Protection node in the Application Console tree.

2. Select the RPC Network Storage Protection child node.

534
 3. In the details pane of the RPC Network Storage Protection node, click the Properties link.
The Task settings window opens.

4. In the window that opens, go to the General tab and do the following in the Integration with other
components section:

Select or clear the Apply Trusted Zone check box.

Select or clear the Use KSN for protection check box.

Select or clear the Use Kaspersky Sandbox for protection check box.

The Kaspersky Sandbox functionality does not work if Kaspersky Endpoint Agent is not installed on the
protected device.

The running Tra ic Security task might obstruct the use of Kaspersky Sandbox. To use the Tra ic
Security task and Kaspersky Sandbox on the same protected device, restart Tra ic Security task after
the installation of Kaspersky Security for Windows Server and Kaspersky Endpoint Agent.

5. Click OK.

The newly con gured settings are saved.

Con guring general settings for RPC Network Storage connection

To con gure general settings of the connection to an RPC network storage:

1. Expand the Network Attached Storage Protection node in the Application Console tree.

2. Select the RPC Network Storage Protection child node.

3. In the details pane of the RPC Network Storage Protection node, click the Properties link.
The Task settings window opens.

4. In the window that opens, go to the General tab and do the following in the Network attached storage
systems connection settings section:

Enter a value for the timeout between attempts to recover the connection with the network attached
storage.

Enter a value for the maximum number of attempts to recover the connection with the network attached
storage.

It is recommended to keep default values or specify larger values.

If you want Kaspersky Security for Windows Server to clear the cache of scanned les of the network
attached storage after each update of the application databases, select the Clear cache of scanned les
on network attached storage after application database update check box.

535
 If you want Kaspersky Security for Windows Server to save the cache of scanned les of the network
attached storage after each update of the application databases, clear the Clear cache of scanned les
on network attached storage after application database update check box.

5. Click OK.

The newly con gured settings are saved.

Security levels in the RPC Network Storage Protection task

This section describes the security settings and provides instructions on applying preset security levels and
con guring security settings manually in the RPC Network Storage Protection task.

About security levels in the RPC Network Storage Protection task

In the RPC Network Storage Protection task, you can apply any of the following preset security levels to every
protected storage system: Maximum performance, Recommended, or Maximum protection. Each of these levels
contains its own pre-de ned set of security settings (see the table below). You can also specify the values of the
security settings manually; in this case, the security level of the network attached storage changes to Custom.

Maximum performance

The Maximum performance security level is recommended if, apart from using Kaspersky Security for Windows
Server on servers and workstations, there are additional computer security measures on your network, for
example, rewalls are set up, network users comply with existing security policies.

Recommended

The Recommended security level ensures an optimum combination of protection quality and degree of impact on
the performance of protected servers. This level is recommended by Kaspersky experts as su icient for
protection of le servers on most corporate networks. The Recommended security level is set by default.

Maximum Protection

The Maximum protection security level is recommended if you have higher requirements for computer security on
your organization's network.

Settings of preset security levels in the RPC Network Storage Protection task

Options Security level

Maximum performance Recommended Maximum protection

Objects protection Objects scanned according to list Objects scanned by Objects scanned by
of extensions speci ed in anti-virus format format
database

Compound objects Packed objects

SFX archives SFX archives
protection

536
 Packed objects Packed objects

Embedded OLE Embedded OLE

objects objects

Action to perform Block access and disinfect. Delete Block access and Block access and
on infected and if disinfection fails perform disinfect. Delete if
other objects recommended disinfection fails
action

Action to perform Block access and quarantine Block access and Block access and
on probably perform quarantine
infected objects recommended
action

Actions depending No No No
on the detected
object type

Exclude les No No No

Do not detect No No No

Stop scanning if it 60 60 60
takes longer than
(sec.)

Do not scan 8 8 No
compound objects
larger than (MB)

Applying a preset security level in the RPC Network Storage Protection task
To apply one of the preset security levels to an RPC network storage:

1. Expand the Network Attached Storage Protection node in the Application Console tree.

2. Select the RPC Network Storage Protection child node.

3. In the details pane of the RPC Network Storage Protection node, click the Con gure protection scope link.

4. In the list of protected network attached storages, select the network attached storage for which you want to
select a preset security level.

5. On the Security level tab, select one of the following preset security levels in the list:

Maximum protection

Recommended

Maximum performance
The Security level tab displays the main values for settings of the selected security level. The applied
security level is displayed next to the name of the network attached storage in the list of protected network
attached storages.

6. Click the Save button.

537
 The con gured security level settings are saved and applied to the running task.

You can also con gure the security settings for a protected network attached storage manually.

Manually con guring the security level settings in the RPC Network Storage
Protection task
To manually con gure the security settings of an RPC network storage:

1. Expand the Network Attached Storage Protection node in the Application Console tree.

2. Select the RPC Network Storage Protection child node.

3. In the details pane of the RPC Network Storage Protection node, click the Con gure protection scope link.

4. In the list of protected network attached storages, select the network attached storage whose security
settings you want to con gure.

You can apply a preset security settings template.

5. Con gure the settings of the selected network attached storage in accordance with your computer security
requirements. To do this, perform the following actions:

On the General tab take the following actions:

In the Objects protection section, specify objects to be scanned by Kaspersky Security for Windows
Server:

All objects

Objects scanned by format

Objects scanned according to list of extensions speci ed in anti-virus database

Objects scanned by speci ed list of extensions

This setting can be also con gured in the network attached storage. If the setting is con gured in
Kaspersky Security for Windows Server, the network attached storage sends the inapplicable
object for scanning, and Kaspersky Security for Windows Server declares the object safe without
running a virus scan. If the setting is con gured in the network attached storage, the network
attached storage does not send the inapplicable object for scanning. To reduce network tra ic and
the load on the server with Kaspersky Security for Windows Server installed, it is recommended to
con gure settings that limit the number of objects scanned in the network attached storage.

In the Compound objects protection section, specify compound objects to be scanned by Kaspersky
Security for Windows Server.

On the Actions tab take the following actions:

538
 In the Action to perform on infected and other objects section, select the action to be performed by
Kaspersky Security for Windows Server on detecting an infected object.

In the Action to perform on probably infected objects section, select the action to be performed by
Kaspersky Security for Windows Server on detecting a probably infected object.

Con gure actions to be performed on objects depending on the type of object detected.

Select the actions to perform on unmodi able compound les: select or clear the Entirely remove
compound le that cannot be modi ed by the application in case of embedded object detect
check box.

On the Performance tab take the following actions:

In the Exclusions section, specify objects that you want Kaspersky Security for Windows Server to
exclude from scanning:

To exclude les from scanning, select the Exclude les check box and specify the names or name
masks of les to be excluded.

To exclude detectable objects (such as remote administration utilities), select the Do not detect
check box and specify the names or name masks of detectable objects, according to the Virus
Encyclopedia classi cation.

In the Advanced settings section, specify the maximum duration of object scanning and the maximum
size of the compound le being scanned.

If you are using a network attached storage under the Clustered Data ONTAP operating system, this
setting can be also con gured in the network attached storage. If the setting is con gured in
Kaspersky Security for Windows Server, the network attached storage sends the inapplicable
object for scanning, and Kaspersky Security for Windows Server declares the object safe without
running a virus scan. If the setting is con gured in the network attached storage, the network
attached storage does not send the inapplicable object for scanning. To reduce network tra ic and
the load on the server with Kaspersky Security for Windows Server installed, it is recommended to
con gure settings that limit the number of objects scanned in the network attached storage.

6. Click the Save button.

The con gured custom security level settings are saved and applied to the running task.

Using security level settings templates in the RPC Network Storage

Protection task
This section provides instructions on how to manage security level settings templates in the RPC Network Storage
Protection task.

Creating a security settings template

To manually save the security settings of a node to a template:

539
 1. In the Application Console tree, select the task to which you want to create a security settings template.

2. In the details pane of the selected task, click the Con gure protection scope or Con gure scan scope link.

3. In the tree or list of the protected device's network le resources, select the template that you want to view.

4. On the Security level tab click the Save as template button.

The Template properties window opens.

5. In the Template name eld, enter the name of the template.

6. Enter additional template information in the Description eld.

7. Click OK.

The template with the set of security settings is saved.

Applying a security settings template

To apply security settings from a template for a selected node:

1. In the Application Console tree, select the task for which you want to apply the security setting template.

2. In the details pane of the selected task, click the Con gure protection scope link.

3. In the list of the server's network le resources select the node for which you want to apply the template.

4. In the context menu, select Apply template.

5. Select <Template name>.

6. In the Application Console tree, open the context menu of the con gurable task.

7. Select Save task.

The security settings template is applied to the selected item in the server le resource list. The Security level
tab of the selected item will now have the Custom value.

Viewing security settings in a template

To view security settings in a template that you have created, perform the following steps:

1. In the Application Console tree, select the task for which you want to view the security template.

2. In the context menu of the selected task, select Settings templates.

The Templates window opens.

3. In the list of templates in the window that opens, select the template that you want to view.

4. Click the View button.

The <Template name> window opens. The General tab displays the template name and additional information
about the template; the Options tab lists security settings saved in the template.

540
Deleting a security settings template
To delete a security settings template:

1. In the Application Console tree, select the task for which you no longer want to use a security settings
template for con guration.

2. In the context menu of the selected task, select Settings templates.

The Templates window opens.

3. In the list of templates in the window that opens, select the template that you want to delete.

4. Click the Remove button.

A window opens to con rm the deletion.

5. In the window that opens, click Yes.

The selected template will be deleted.

If the security settings template was applied to protect or to scan nodes of server le resources, the
con gured security settings for such nodes are preserved after the template is deleted.

Viewing statistics of the RPC Network Storage Protection task

If the RPC Network Storage Protection task is running, you can view real-time information about the number of
objects processed by Kaspersky Security for Windows Server since the task was started up till now (in particular,
task execution statistics).

To view statistics of the RPC Network Storage Protection task:

1. Expand the Network Attached Storage Protection node in the Application Console tree.

2. Select the RPC Network Storage Protection child node.

In the details pane, the Statistics section shows a table with information about objects processed by Kaspersky
Security for Windows Server since it was started until the current moment (see the table below).

Full statistics of the RPC Network Storage Protection task

Field Description

Detected Number of objects detected by Kaspersky Security for Windows Server. For example, if
Kaspersky Security for Windows Server detects one software program in ve les, the value
in this eld increases by one.

Infected Number of objects that Kaspersky Security for Windows Server found and classi ed as
and other infected or number of found legitimate software les, which were not excluded from the real-
objects time protection and on-demand tasks scope and can be used by intruders to damage your
detected computer.

Probably Number of objects found by Kaspersky Security for Windows Server to be probably infected.
541
 infected
objects
detected

Objects Number of objects which Kaspersky Security for Windows Server did not disinfect for the
not following reasons:
disinfected the type of detected object cannot be disinfected;

an error occurred during disinfection.

Objects The number of objects that Kaspersky Security for Windows Server attempted to quarantine
not moved but was unable to do so, for example, due to insu icient disk space.
to
Quarantine

Objects The number of objects that Kaspersky Security for Windows Server attempted but was
not unable to delete, because, for example, access to the object was blocked by another
removed application.

Objects The number of objects in the protection scope that Kaspersky Security for Windows Server
not failed to scan because, for example, access to the object was blocked by another application.
scanned

Objects The number of objects the copies of which Kaspersky Security for Windows Server
not backed attempted to save in Backup but was unable to do so, for example, due to insu icient disk
up space.

Processing Number of objects whose processing resulted in an error.

errors

Objects Number of objects disinfected by Kaspersky Security for Windows Server.

disinfected

Moved to Number of objects quarantined by Kaspersky Security for Windows Server.

Quarantine

Moved to The number of object copies that Kaspersky Security for Windows Server saved to Backup.
Backup

Objects Number of objects deleted by Kaspersky Security for Windows Server.

removed

Password- Number of objects (archives, for example) that Kaspersky Security for Windows Server
protected missed because they were password protected.
objects

Corrupted The number of objects skipped by Kaspersky Security for Windows Server as their format
objects was corrupted.

Objects Total number of objects processed by Kaspersky Security for Windows Server.
processed

ICAP Network Storage Protection

This section contains information about the ICAP Network Storage Protection task, and how to connect a network
attached storage to Kaspersky Security for Windows Server, as well as instructions on how to con gure
protection task settings and ICAP network storage security settings.

542
About the ICAP Network Storage Protection
Kaspersky Security for Windows Server installed on a server under Microsoft Windows protects ICAP network
storages (such as EMC Isilon) against viruses and other security threats that in ltrate the server through the
exchange of les.

Kaspersky Security for Windows Server has no direct access to les in an ICAP network storage (hereinafter also
referred to as network attached storage). When an attempt is made to read or write to a le, the network attached
storage generates an ICAP request to Kaspersky Security for Windows Server and sends the le inside this
request. The application performs an anti-virus scan of this le in accordance with the settings de ned in the ICAP
Network Storage Protection task. When a threat is detected, Kaspersky Security for Windows Server performs
the actions de ned in the task settings on the le, and then it sends the scan result to the network attached
storage. If the Disinfect action is speci ed in the task settings, and the le is successfully disinfected, Kaspersky
Security for Windows Server returns the disinfected le to the network attached storage as the response to the
request.

Kaspersky Security for Windows Server allows you to con gure the actions that the application will perform on
infected and probably infected les.

When using KSN in the ICAP Network Storage Protection task, Kaspersky Security for Windows Server
cannot delete or block les used by an ICAP network storage because the application has no direct access to
network folders of the storage system when an untrusted conclusion is received from KSN services.
Information about receiving an untrusted conclusion is recorded in the KSN Usage task log.

You can protect one network attached storage using one server with Kaspersky Security for Windows Server
installed. To improve the performance of the network attached storage and the server with Kaspersky Security for
Windows Server, you can use several servers with Kaspersky Security for Windows Server for protection of a
single network attached storage. In this case, the network attached storage distributes the workload among
associated servers on which Kaspersky Security for Windows Server is installed.

The ICAP Network Storage Protection task is created by default; it is a system task of Kaspersky Security for
Windows Server. You cannot delete or rename this task. You cannot create custom tasks for ICAP Network
Storage Protection. You can con gure the ICAP Network Storage Protection task.

You can run Network Attached Storage Protection tasks if the active key supports network attached storage
protection. If you run a Network Attached Storage Protection task when the active key does not support
network attached storage protection, the task returns an error. In this case, Kaspersky Security for Windows
Server does not protect network attached storages.

The ICAP Network Storage Protection component is available within Kaspersky Security for Windows Server
for network attached storages.

For more details on solutions for protection of organizations that include Kaspersky Security for Windows
Server, see the Administrator's Guide of Kaspersky Security for Windows Server.

543
Con guring a connection between an ICAP network storage and Kaspersky
Security for Windows Server

You can run Network Attached Storage Protection tasks if the active key supports network attached storage
protection. If you run a Network Attached Storage Protection task when the active key does not support
network attached storage protection, the task returns an error. In this case, Kaspersky Security for Windows
Server does not protect network attached storages.

To protect an ICAP network storage, you need to con gure the connection of the network attached storage to
Kaspersky Security for Windows Server.

To con gure a connection between a network attached storage and Kaspersky Security for Windows Server:

1. Con gure the following settings on the server with Kaspersky Security for Windows Server installed:

In Application Console, specify the settings of the connection to an ICAP network storage to be protected
by Kaspersky Security for Windows Server.

In the local group policy editor, con gure the security settings of local policies.

In the Windows rewall settings window, con gure the rules of outbound and inbound connections in
Windows rewall.

2. In the network attached storage, con gure the following settings:

Enable anti-virus protection.

Specify the address of the connection to Kaspersky Security for Windows Server in the network attached
storage settings.

You can nd information on how to con gure your network attached storage in the accompanying manual.

The connection between an ICAP network storage and Kaspersky Security for Windows Server is established.

Con guring the ICAP Network Storage Protection task

By default, the ICAP Network Storage Protection task has the settings described in the table below. You can
change the values of these settings.

When the task settings are modi ed (for example, a di erent security level is speci ed), Kaspersky Security for
Windows Server immediately applies the new settings in the running task. Kaspersky Security for Windows Server
logs the date and time when task settings were modi ed in the system audit log.

Settings of the ICAP Network Storage Protection task

Setting Default value Comment

Security The Recommended security You can apply one of the preset security levels to the
level level is applied. protected network attached storage, or specify the values
544
 of the security settings manually.

Use The Medium analysis level is The Heuristic Analyzer can be enabled or disabled and the
heuristic applied. analysis level con gured.
analyzer

Use KSN Applied. You can enable or disable the use of KSN services for ICAP
for Network Storage Protection.
protection

ICAP You can also modify other network storage connection

Network port number –
service settings. These changes should be incorporated on the
1344.
connection network attached storages.
settings
Service ID – avscan.

Schedule Not applied. The Run by You can con gure the task to run by schedule, for example
schedule check box is cleared. at Kaspersky Security for Windows Server startup.
The task is run manually.

To con gure settings of the ICAP Network Storage Protection task:

1. Expand the Network Attached Storage Protection node in the Application Console tree.

2. Select the ICAP Network Storage Protection child node.

3. In the details pane of the ICAP Network Storage Protection node, click the Properties link.
The Task settings window opens.

4. On the General tab in the window that opens, con gure the following task settings:

Connection to an ICAP network storage.

Using the Heuristic Analyzer.

KSN Usage for protection.

In the Security level section:

Select one of the preset security levels or con gure the security settings of objects manually.

5. On the Schedule and Advanced tabs, con gure the scheduled task launch settings.

6. Click OK.

Kaspersky Security for Windows Server immediately applies the new values of settings to the running task.
Information about the date and time when the settings were modi ed and the values of task settings before and
after modi cation are saved in the task log.

Con guring the settings of the connection to an ICAP network storage

To con gure settings of the connection to an ICAP network storage:

1. Expand the Network Attached Storage Protection node in the Application Console tree.

545
 2. Select the ICAP Network Storage Protection child node.

3. In the details pane of the ICAP Network Storage Protection node, click the Properties link.
The Task settings window opens.

4. On the General tab in the elds of the ICAP service connection settings section specify the following
settings:

Network port number

Service ID

5. Click OK.

The newly con gured settings are saved.

Once you have con gured the connection settings, on the network attached storage you need to set the address
of the connection to Kaspersky Security for Windows Server. The connection settings are included in this address.
For example, if the default settings are used, the connection address looks as follows:

icap://<IP address of computer with Kaspersky Security for Windows Server

installed>/avscan:1344

Using the Heuristic Analyzer

The ICAP Network Storage Protection task can use the Heuristic Analyzer with a con gured level of analysis.

To con gure the settings of Heuristic Analyzer used in the ICAP Network Storage Protection task:

1. Expand the Network Attached Storage Protection node in the Application Console tree.

2. Select the ICAP Network Storage Protection child node.

3. In the details pane of the ICAP Network Storage Protection node, click the Properties link.
The Task settings window opens.

4. In the window that opens, go to the General tab and do the following in the Heuristic analyzer section:

Clear or select the Use heuristic analyzer check box.

If necessary, adjust the level of analysis using the slider .

5. Click OK.

The newly con gured settings are applied.

Using KSN for protection

Kaspersky Security Network (KSN) is an infrastructure of online services providing access to Kaspersky's online
knowledge base on the reputation of les, web resources and programs.

546
You can enable or disable the KSN usage in the RPC Network Storage Protection task. After you enable or disable
the KSN usage, the task starts or stops showing conclusions about the reputation of les being scanned based on
information received from KSN.

To start the KSN Usage task, you must accept the KSN Statement. The KSN Usage task does not start
automatically at start of Kaspersky Security for Windows Server by default.

To enable or disable KSN usage in the ICAP Network Storage Protection task:

1. Expand the Network Attached Storage Protection node in the Application Console tree.

2. Select the ICAP Network Storage Protection child node.

3. In the details pane of the ICAP Network Storage Protection node, click the Properties link.
The Task settings window opens.

4. In the window that opens, go to the General tab and select or clear the Use KSN for protection check box.

5. Click OK.

The newly con gured settings are saved.

Security levels in the ICAP Network Storage Protection task

This section describes the security settings and provides instructions for applying preset security levels and
con guring security settings manually in the ICAP Network Storage Protection task.

About security levels in the ICAP Network Storage Protection task

In the ICAP Network Storage Protection task, you can apply any of the following preset security levels to every
protected storage system: Maximum performance, Recommended, or Maximum protection. Each of these levels
contains its own prede ned set of security settings (see the table below). You can also specify the values of the
security settings manually; in this case, the security level of the network attached storage changes to Custom.

Maximum performance

The Maximum performance security level is recommended if, apart from using Kaspersky Security for Windows
Server on servers and workstations, there are additional computer security measures on your network, for
example, rewalls are set up, network users comply with existing security policies.

Recommended

The Recommended security level ensures an optimum combination of protection quality and degree of impact on
the performance of protected servers. This level is recommended by Kaspersky experts as su icient for
protection of le servers on most corporate networks. The Recommended security level is set by default.

Maximum Protection

547
The Maximum protection security level is recommended if you have higher requirements for computer security on
your organization's network.

Settings of preset security levels in the ICAP Network Storage Protection task

Options Security level

Maximum performance Recommended Maximum

protection

Objects protection Objects scanned according to list of Objects Objects

extensions speci ed in anti-virus database scanned by scanned by
format format

Compound objects Packed objects

SFX archives SFX
protection
archives
Packed
objects Packed
objects
Embedded
OLE objects Embedded
OLE
objects

Action to perform on Disinfect Perform Disinfect

infected and other recommended
objects action

Action to perform on Quarantine Perform Quarantine

probably infected recommended
objects action

Exclude les No No No

Do not detect No No No

Stop scanning if it takes 60 60 60

longer than (sec.)

Do not scan compound 8 8 No

objects larger than (MB)

Applying a preset security level in the ICAP Network Storage Protection

task
To apply one of the preset security levels to an ICAP network storage:

1. Expand the Network Attached Storage Protection node in the Application Console tree.

2. Select the ICAP Network Storage Protection child node.

3. In the details pane of the ICAP Network Storage Protection node, click the Properties link.

4. The Task settings window opens.

5. On the General tab, in the Security level section, select one of the following preset security levels in the list:

548
 Maximum protection

Recommended

Maximum performance

The main values of the settings of the selected security level are displayed under the list.

6. Click OK.

The newly con gured settings are saved.

You can also con gure the security settings for a protected network attached storage manually.

Manually con guring the security level settings in the ICAP Network Storage
Protection task
To manually con gure the security settings of an ICAP network storage:

1. Expand the Network Attached Storage Protection node in the Application Console tree.

2. Select the ICAP Network Storage Protection child node.

3. In the details pane of the ICAP Network Storage Protection node, click the Properties link.
The Task settings window opens.

4. On the General tab in the Security level section, click the Settings button.
The Security settings window opens.

5. Con gure the settings in accordance with your computer security requirements. To do this, perform the
following actions:

On the General tab take the following actions:

In the Objects protection section, specify objects to be scanned by Kaspersky Security for Windows
Server:

All objects

Objects scanned by format

Objects scanned according to list of extensions speci ed in anti-virus database

Objects scanned by speci ed list of extensions

549
 This setting can be also con gured in the network attached storage. If the setting is con gured in
Kaspersky Security for Windows Server, the network attached storage sends the inapplicable
object for scanning, and Kaspersky Security for Windows Server declares the object safe without
running a virus scan. If the setting is con gured in the network attached storage, the network
attached storage does not send the inapplicable object for scanning. To reduce network tra ic and
the load on the server with Kaspersky Security for Windows Server installed, it is recommended to
con gure settings that limit the number of objects scanned in the network attached storage.

In the Compound objects protection section, specify compound objects to be scanned by Kaspersky
Security for Windows Server.

On the Actions tab take the following actions:

In the Action to perform on infected and other objects section, select the action to be performed by
Kaspersky Security for Windows Server on detecting an infected object.

In the Action to perform on probably infected objects section, select the action to be performed by
Kaspersky Security for Windows Server on detecting a probably infected object.

Con gure actions to be performed on objects depending on the type of object detected.

On the Performance tab take the following actions:

In the Exclusions section, specify objects that you want Kaspersky Security for Windows Server to
exclude from scanning:

To exclude les from scanning, select the Exclude les check box and specify the names or name
masks of les to be excluded.

To exclude detectable objects (such as remote administration utilities), select the Do not detect
check box and specify the names or name masks of detectable objects, according to the Virus
Encyclopedia classi cation.

In the Advanced settings section, specify the maximum duration of object scanning and the maximum
size of the compound le being scanned.

6. Click OK in the Security settings window.

The Security settings window closes.

7. Click OK in the Task settings window.

The con gured custom security level settings are saved.

Viewing statistics of the ICAP Network Storage Protection task

If the ICAP Network Storage Protection task is running, you can view real-time information about the number of
objects processed by Kaspersky Security for Windows Server since the task was started till now (in particular, task
execution statistics).

To view statistics of the ICAP Network Storage Protection task:

1. Expand the Network Attached Storage Protection node in the Application Console tree.
550
 2. Select the ICAP Network Storage Protection child node.

The Statistics section in the details pane displays a table with information about objects processed by
Kaspersky Security for Windows Server since the task was started (see table below).

Statistics of the ICAP Network Storage Protection task

Field Description

Detected Number of objects detected by Kaspersky Security for Windows Server. For example, if
Kaspersky Security for Windows Server detects one malware program in ve les, the value in
this eld increases by one.

Infected Number of objects that Kaspersky Security for Windows Server found and classi ed as
and other infected or number of found legitimate software les, which were not excluded from the real-
objects time protection and on-demand tasks scope and can be used by intruders to damage your
detected computer.

Probably Number of objects found by Kaspersky Security for Windows Server to be probably infected.
infected
objects
detected

Objects Number of objects which Kaspersky Security for Windows Server did not disinfect for the
not following reasons:
disinfected The type of detected object cannot be disinfected.

An error occurred during disinfection.

Objects The number of objects that Kaspersky Security for Windows Server attempted to quarantine
not moved but was unable to do so, for example, due to insu icient disk space.
to
Quarantine

Objects The number of objects that Kaspersky Security for Windows Server attempted but was
not unable to delete, because, for example, access to the object was blocked by another
removed application.

Objects The number of objects in the protection scope that Kaspersky Security for Windows Server
not failed to scan because, for example, access to the object was blocked by another application.
scanned

Objects The number of objects the copies of which Kaspersky Security for Windows Server
not backed attempted to save in Backup but was unable to do so, for example, due to insu icient disk
up space.

Processing Number of objects whose processing resulted in an error.

errors

Objects Number of objects disinfected by Kaspersky Security for Windows Server.

disinfected

Moved to Number of objects quarantined by Kaspersky Security for Windows Server.

Quarantine

Moved to The number of object copies that Kaspersky Security for Windows Server saved to Backup.
Backup

Objects Number of objects deleted by Kaspersky Security for Windows Server.

removed

Password- Number of objects (archives, for example) that Kaspersky Security for Windows Server
protected missed because they were password protected.
551
 objects

Corrupted The number of objects skipped by Kaspersky Security for Windows Server as their format
objects was corrupted.

Objects Total number of objects processed by Kaspersky Security for Windows Server.
processed

Anti-Cryptor for NetApp

This section provides information about the Anti-Cryptor for NetApp task and how to con gure it.

About the Anti-Cryptor for NetApp

The Anti-Cryptor for NetApp provides encryption protection for the folders on the Network Attached Storages. If
any malicious encrypting is detected, Kaspersky Security for Windows Server blocks access to the folders of the
protected network attached storage.

To operate on network attached storage, Kaspersky Security for Windows Server must be connected to a
protected storage as an external engine. The connection implies receiving noti cations about le operations that
have been performed on a protected network attached storage by the external engine; analyzing the patterns on
the le operations received and sending conclusions about the le activity (whether it can be estimated as an
encryption attempt or not); blocking the compromised hosts. In order to start the Anti-Cryptor for NetApp task
the server (with Kaspersky Security for Windows Server installed) must be speci ed as the primary FPolicy server
on the network attached storage side. FPolicy is a le access noti cation framework that is used to monitor and
manage le access events on Storage Virtual Machines (SVMs) with FlexVol volumes. The framework generates
noti cations that are sent to external FPolicy servers.

The Fpolicy is not supported for FlexGroup volumes, hence the Anti-Cryptor for NetApp component cannot
be con gured to protect the network attached storages with FlexGroup volumes.

Noti cations from network attached storage to an external server are sent via the FPolicy protocol, only in a
synchronous mode. The server analyzes each noti cation before allowing a le operation.

The external engine (Kaspersky Security for Windows Server) and a protected network attached storage are
connected using the FPolicy protocol.

To con gure the protection you need to:

1. Create and con gure the FPolicy on the protected network attached storage side.

2. Specify Kaspersky Security for Windows Server as an FPolicy server on a protected network attached storage
side. Kaspersky Security for Windows Server will be recognized as an external server.

3. Con gure the Anti-Cryptor for NetApp task settings in Kaspersky Security for Windows Server.

To complete the required con guration you need the following data:

SVM machine name.

External server IP address and the name assigned to it.

552
 Full list of cluster nodes of the protected network attached storage along with their names.

Cluster management interface address.

Created FPolicy name.

Port for establishing a secure connection between the protected network attached storage and the external
server.

Credentials (login and password):

for a user allowed to access network attached storage shared folders;

for the CDOT Local Administrator.

All these settings must be speci ed during the FPolicy creation and when the Anti-Cryptor for NetApp task is
con gured on the Kaspersky Security for Windows Server.

For detailed instructions on how to create the FPolicy please see the following article .

Creating and con guring FPolicy

While creating the FPolicy for the rst time, Kaspersky experts recommend to apply the con guration speci ed in
the table below.

FPolicy settings

Parameter String Value Note

_EVENT CREATE Vserver name <svm_name> Must coincide with the

value speci ed in the
This parameter identi es the le
Anti-Cryptor for NetApp
operations that will be
task settings on the
intercepted and reported to
external engine side
Kaspersky Security for Windows
(Kaspersky Security for
Server for analysis and detection
Windows Server).
encryption attempts.
Event <events_source> Will be used as a source
for the FPolicy.

Protocol cifs

File operations create, open, rename,

write, close, setattr,
delete

Filters close-with-
modi cation, rst-
write, write-with-size-
change, open-with-
delete-intent, open-
with-write-intent

Is volume false
operation
required

553
_ENGINE CREATE Vserver name <svm_name> Must coincide with the
value speci ed in the
This parameter determines the
Anti-Cryptor for NetApp
settings for the connection to an
task settings on the
external engine (or FPolicy
external engine.
server).
Engine <engine_name> External engine name.
Must coincide with the
value speci ed in the
Anti-Cryptor for NetApp
task settings on the
external engine.

Primary <primary_server_ip> Only one server is

FPolicy servers allowed.

Port Number <port_number> 1346 is recommended.

of FPolicy Must coincide with the
Service value speci ed in the
Anti-Cryptor for NetApp
task settings on the
external engine.

Secondary <secondary_server_ip> If a primary server is

FPolicy servers selected, the secondary
server is not available.

External Synchronous Asynchronous mode is

Engine Type not supported.

SSL option for No-auth

external
communication

FQDN or CCN -

Serial Number -
of Certi cate

Certi cate -
Authority

_POLICY CREATE Vserver name <svm_name> Must coincide with the

value speci ed in the
This parameter determines the
Anti-Cryptor for NetApp
future FPolicy settings.
task settings on the
external engine.

Fpolicy <fpolicy_name> Must coincide with the

value speci ed in the
Anti-Cryptor for NetApp
task settings on the
external engine.

Events to <events_source>
Monitor

FPolicy Engine <engine_name> External engine string

name. Must coincide with
the value speci ed in the
Anti-Cryptor for NetApp
task settings on the
external engine.

Is mandatory true
554
 screening
required

Allow yes
privileged
access

User name for <user_name> The same value must be

privileged speci ed in the Anti-
access Cryptor for NetApp task
settings for the
Credentials eld to
access shared folders on
network attached
storage.

Is passthrough false
read enabled

_SCOPE CREATE Vserver name <svm_name> We recommend that you

specify the widest
This parameter determines the
possible area for
protection scope covered by the
protecting the network
external engine.
attached storage. We
Policy <fpolicy_name> recommend that you add
exclusions in the Anti-
Cryptor for NetApp task
settings.

We recommend that you specify the highlighted values in the table. Other values may vary depending on your
requirements.

If FPolicy settings are changed on the network attached storage while the Anti-Cryptor for NetApp task is
running, the Anti-Cryptor for NetApp task must be restarted to apply the new settings.

Con guring the Kaspersky Security for Windows Server

To establish the connection between the Kaspersky Security for Windows Server Anti-Cryptor for NetApp
component and a protected network attached storage, the Anti-Cryptor for NetApp settings must be con gured
(see table below).

Anti-Cryptor for NetApp con guration

Setting Possible values Default

Task mode Active

Notify only

Active

Heuristic Light – Medium – Deep Applied with the

analyzer “medium” heuristic
level.

Exclusion Applied for all protected shares. Not de ned

list
555
 Exclusion criteria:
Mask (folder, object, extension)

Client computer IP address

Trusted user

Addressing Not de ned

Cluster IP-address

Full list of clusters

Credentials (login and password) for the CDOT local Administrator.

This setting duplicates the value that has been con gured for
_POLICY CREATE parameter (User name for privileged access
string)
Credentials (login and password) for the user that is allowed to
access the network attached storage shared folders.
These settings duplicate values that have been con gured for
_ENGINE CREATE parameter on network attached storage side.

FPolicy name

SVM (Vserver) name

Port (1346)

Schedule Not applied by default. The Run by schedule check box is cleared. You Not de ned
can con gure the run schedule.

Blocked hosts storage usage

The Blocked hosts storage is populated when the following conditions are met:

The Anti-Cryptor for NetApp task is started in an Active mode.

Anti-Cryptor for NetApp detects an encryption attempt on protected NetApp shares.

After the encryption attempt is detected, the Anti-Cryptor for NetApp component sends information about the
compromised host to the Blocked Host Storage. After that, Kaspersky Security for Windows Server creates a
critical event for the host blocking and blocks any le operation executed from this host.

By default Kaspersky Security for Windows Server automatically unblocks hosts in 30 minutes after they were
added to the list. Computers' access to network le resources is restored automatically after they are deleted
from the list of untrusted hosts.

You can modify the blocked hosts list:

Unblock hosts manually.

Con gure blocking term.

556
 When con guring the Anti-Cryptor for NetApp task, please pay attention to the external engine type that is
used in the FPolicy settings (_ENGINE CREATE parameter).

Kaspersky Security for Windows Server logs the event with the result of received conclusion and performs an
action according to the task mode.

Kaspersky Security for Windows Server supports two possible con gurations:

Network Anti- Description

Attached Cryptor
Storage for
#
mode NetApp
task
mode

1 Synchronous Notify This con guration provides protection from encryption in the audit
only mode: the application only logs encryption events. You can switch to
con guration 2 from Kaspersky Security for Windows Server.

2 Synchronous Active This con guration provides full protection: all compromised hosts are
stored in the Blocked Hosts storage, any le operations executed by
these hosts are blocked. You can switch to con guration 1 from
protected network attached storage or from an external server.

See detailed information on how to con gure the Blocked Hosts Storage in the Kaspersky Security for
Windows Server Administrator's Guide.

Con guring Anti-Cryptor for NetApp task settings

Set up external server and Network Attached Storage settings to start and con gure the Anti-Cryptor for
NetApp task.

Con guring task settings via the Kaspersky Security for Windows Server
Console
To con gure the Anti-Cryptor for NetApp task settings:

1. In the Application Console tree, expand the Network Attached Storage Protection node.

2. Select the Anti-Cryptor for NetApp child node.

3. Click the Properties link in the details pane.

The Task settings window opens.

4. On the General tab con gure the following settings:

Select the task mode in the Task mode section.

557
 Con gure the heuristic analyzer usage and the level of analysis in the Heuristic analyzer section.

5. On the Addressing tab, con gure connection and authentication settings.

6. On the Schedule and Advanced tab, con gure the task start schedule.

7. Click OK.

To set up the exclusion list for the Anti-Cryptor for NetApp task:

1. In the Application Console tree, expand the Network Attached Storage Protection node.

2. Select the Anti-Cryptor for NetApp child node.

3. Click the Exclusion list link in the details pane.

The Exclusion list window opens.

4. Set up the exclusion list.

Con guring task settings via Kaspersky Security Center

To con gure the Anti-Cryptor for NetApp task:

1. Expand the Managed devices node in the Kaspersky Security Center Administration Console tree and select
the administration group for which you want to con gure application settings.

2. To con gure application settings for a group of servers, select the Policies tab and open the properties of the
policy you want to con gure.

3. In the Network attached storage protection section click the Settings button the Anti-Cryptor for NetApp
section.

4. On the General tab, con gure the task mode and the heuristic analyzer.

5. On the Addressing tab, con gure connection and authentication settings.

6. On the Exclusion list tab, add exclusions from the protection scope.

7. On the Task management tab, start the task based on a schedule.

8. Click OK.

Con guring general task settings

To con gure the Anti-Cryptor for NetApp task:

1. On the General tab, con gure the following settings:

In the Task mode section:

558
 Notify only

Active

In the Heuristic analyzer section:

Clear or select the Use heuristic analyzer check box.

If necessary, adjust the level of analysis using the slider .

2. On the Addressing tab, con gure connection and authentication settings.

3. On the Schedule tab, con gure the task start schedule.

4. Open the Exclusion list window, to add exclusions from the protection scope.

5. Click OK.

Con guring addressing

To set up connection with protected clusters and gain access to network attached storage:

1. Open the Addressing tab in the task settings.

2. In the Connection section con gure the following:

IP address of protected cluster

Vserver name

FPolicy name

Port

3. To edit the list of protected cluster nodes:

a. Click the Cluster nodes list in the Connection section.

b. Enter the node name.

c. Click Add.

d. Click OK.

All existing nodes of a protected cluster must be added to the list.

4. In the Authentication section enter:

Credentials of a user with a privileged access to network attached storage folders: login and password.

559
 This account should coincide with the account that has been de ned during _POLICY CREATE
operation on network attached storage side.

Credentials of a CDOT Administrator: login and password.

5. Click OK in the Task settings window.

The con gured addressing settings are saved.

Modifying the list of exclusions

You can add exclusions based on three criteria:

Path

IP address

User ID

You can use any combination of these criteria for exclusion. The more criteria are speci ed, the more strict the
exclusion parameters are. Kaspersky Security for Windows Server does not analyze le operations for speci ed
exclusions. Note that exclusions added to this list are used for all folders on network attached storage.

If you simultaneously con gure anti-virus protection and FPolicy on the same network attached storage,
access to the storage shared folders will be possible only if the RPC Network Storage Protection and Anti-
Cryptor for NetApp tasks are running.

The external engine should have only one network interface card with one IP address.

To add or modify the list of exclusion:

1. Open the Exclusion list window.

2. Select the Do not detect encryption for the speci ed exclusions check box.
The list of exclusions becomes active.

3. Click the Add button.

The Exclusion settings window opens.

4. To add a mask-based exclusion:

a. On the Path masks tab, select the Exclude by path mask check box.

b. Enter the path.

c. Click the Add button.

5. To add an IP address-based exclusion:

a. On the IP addresses tab, select the Exclude by IP address of client computer check box.

560
 b. Enter IP address.

c. Click the Add button.

6. To add a user-based exclusion:

a. On the Trusted users tab, select the Exclude by user names check box.

b. Click the Browse button.

The Select Users window opens.

c. Select a user or group you want to exclude.

d. Click OK.

7. Click OK in the Exclusion settings window.

The list of exclusions is populated with the speci ed exceptions.

Managing Network Attached Storage Protection tasks from Kaspersky

Security Center
This section provides information on how to manage Network Attached Storage Protection tasks using the
Kaspersky Security Center Administration Server as well as instructions on how to con gure task settings for a
server group and for one server from Kaspersky Security Center.

You can manage Network Attached Storage Protection tasks from Kaspersky Security Center in the following
ways:

Using Kaspersky Security Center policies. You can con gure common Network Attached Storage Protection
settings and apply them to tasks for the selected server group.

In the Device properties window. You can con gure Network Attached Storage Protection settings separately
for each server where Kaspersky Security for Windows Server is installed.

Con guring Network Attached Storage Protection settings using policies

By default, Network Attached Storage Protection tasks in the Kaspersky Security Center policy have the settings
described in the table below. You can change the values of these settings.

Network Attached Storage Protection tasks settings in the Kaspersky Security Center policies

Network Attached Options

Storage Protection
task

RPC-Network In the Real-Time File Protection (RPC) section click the Settings button to
Storage Protection con gure the following task settings:
Specify the protection scope.

Set the security level for the selected protection scope: you can select a
prede ned security level or con gure the security settings manually.

561
 Con gure the use of Heuristic Analyzer.

Con gure usage of the Trusted zone and KSN.

Con gure the network attached storage connection settings.

Con gure the task run settings.

ICAP-network In the Real-Time File Protection (ICAP) section click the Settings button to
storage protection con gure the following task settings:
Con gure the use of Heuristic Analyzer.

Con gure the network attached storage connection settings.

Set the security level for the selected protection scope: you can select a
prede ned security level or con gure the security settings manually.

Con gure the use of KSN.

Con gure the task run settings.

Anti-Cryptor for In the Anti-Cryptor for NetApp section click the Settings button to con gure
NetApp the following settings:

Task mode.

Heuristic analyzer usage.

Connection and authentication settings.

Specify exclusions from the protection scope.

To con gure settings of the Network Attached Storage Protection task in the Kaspersky Security Center policy:

1. Expand the Managed devices node in the Kaspersky Security Center Administration Console tree and select
the administration group for which you want to con gure application settings.

2. Perform one of the following actions in the details pane of the selected administration group:

To con gure application settings for a group of servers select a policy you want to con gure and open the
Properties: <Policy name> window using one of the following ways:

a. By selecting the Properties option in the policy context menu.

b. By clicking the Con gure policy link in the right details pane of the selected policy.

c. By double-clicking the selected policy.

3. When con guring a policy, select Network attached storage protection in the list of sections in the
Properties: <Policy name> window.

4. In the window that opens, perform the following operations:

562
 To con gure settings of the RPC Network Storage Protection task, in the Real-Time File Protection (RPC)
section click the Settings button.
In the setting window that opens, con gure the task settings according to your requirements. Click OK to
save changes made to the settings in the policy.

To con gure settings of the ICAP Network Storage Protection task, in the Real-Time File Protection (ICAP)
section click the Settings button.
In the setting window that opens, con gure the task settings according to your requirements. Click OK to
save changes made to the settings in the policy.

To con gure settings of the Anti-Cryptor for NetApp task, in the Anti-Cryptor for NetApp section click
the Settings button.
In the setting window that opens, con gure the task settings according to your requirements. Click OK to
save changes made to the settings in the policy.

5. In the Properties: <Policy name> window, click OK.

The con gured settings of the Network Attached Storage Protection tasks are saved and applied to the active
policy.

Detailed information about the operation of Kaspersky Security for Windows Server with Kaspersky Security
Center policies and information about Kaspersky Security Center policies is provided in the Kaspersky
Security Center Administrator's Guide and Kaspersky Security for Windows Server Administrator's Guide.

Con guring Network Attached Storage Protection settings for one server in
Kaspersky Security Center
To con gure Network Attached Storage Protection settings for one server in Kaspersky Security Center:

1. Expand the Managed Devices node in the Administration Console tree and select the group that the
protected server belongs to.

2. In the details pane, on the Devices tab open the context menu on the line with information about the protected
server and select Properties.

3. In the Properties: <Computer name> window of the Tasks section, open the context menu of the Network
Attached Storage Protection task that you want to con gure and select the Properties item.

4. In the window that opens, con gure the settings of the Network Attached Storage Protection task according
to your requirements:

RPC Network Storage Protection task.

ICAP Network Storage Protection task.

5. Click OK.

The con gured task settings are saved and applied to the running task for one server.

563
 If an application is covered by a Kaspersky Security Center policy and this policy prohibits changing the task
settings, these settings cannot be edited via the Properties: <Computer name> window.

Detailed information about the operation of Kaspersky Security for Windows Server with Kaspersky Security
Center policies and information about Kaspersky Security Center policies is provided in the Kaspersky
Security Center Administrator's Guide and Kaspersky Security for Windows Server Administrator's Guide.

Manually con guring the security level settings in the RPC Network Storage
Protection task
To manually con gure the security settings of an RPC network storage:

1. Expand the Managed devices node in the Kaspersky Security Center Administration Console tree.

2. Select the administration group for which you want to con gure the task.

3. Select the Policies tab.

4. Double-click the policy name you want to con gure.

5. In the Properties: <Policy name> window that opens, select the Network attached storage protection
section.

6. Click the Settings button in the Real-Time File Protection (RPC) subsection.
The RPC-Network Storage Protection window opens.

7. Open the Protection scope tab.

8. To add, edit, or delete network attached storage:

Click the Add button to add network attached storage via RPC protocol to the protection scope of
Kaspersky Security for Windows Server.

In the list of protected network attached storages, select the network attached storage and click the Edit
button to edit the network attached storage.

In the list of protected network attached storages, select the network attached storage and click the
Remove button to delete the network attached storage.

9. In the list of protected network attached storages, select the network attached storage and click the
Con gure button.
The Con gure RPC-network attached storage protection window opens.

You can apply a preset security settings template.

10. Click the Settings button.

564
11. Con gure the settings of the selected network attached storage in accordance with your computer security
requirements. To do this, perform the following actions:

On the General tab take the following actions:

In the Objects protection section, specify objects to be scanned by Kaspersky Security for Windows
Server:

All objects

Objects scanned by format

Objects scanned according to list of extensions speci ed in anti-virus database

Objects scanned by speci ed list of extensions

This setting can be also con gured in the network attached storage. If the setting is con gured in
Kaspersky Security for Windows Server, the network attached storage sends the inapplicable
object for scanning, and Kaspersky Security for Windows Server declares the object safe without
running a virus scan. If the setting is con gured in the network attached storage, the network
attached storage does not send the inapplicable object for scanning. To reduce network tra ic and
the load on the server with Kaspersky Security for Windows Server installed, it is recommended to
con gure settings that limit the number of objects scanned in the network attached storage.

In the Compound objects protection section, specify compound objects to be scanned by Kaspersky
Security for Windows Server.

On the Actions tab take the following actions:

In the Action to perform on infected and other objects section, select the action to be performed by
Kaspersky Security for Windows Server on detecting an infected object.

In the Action to perform on probably infected objects section, select the action to be performed by
Kaspersky Security for Windows Server on detecting a probably infected object.

Con gure actions to be performed on objects depending on the type of object detected.

Select the actions to perform on unmodi able compound les: select or clear the Entirely remove
compound le that cannot be modi ed by the application in case of embedded object detect
check box.

On the Performance tab take the following actions:

In the Exclusions section, specify objects that you want Kaspersky Security for Windows Server to
exclude from scanning:

To exclude les from scanning, select the Exclude les check box and specify the names or name
masks of les to be excluded.

To exclude detectable objects (such as remote administration utilities), select the Do not detect
check box and specify the names or name masks of detectable objects, according to the Virus
Encyclopedia classi cation.

In the Advanced settings section, specify the maximum duration of object scanning and the maximum
size of the compound le being scanned.

565
 If you are using a network attached storage under the Clustered Data ONTAP operating system, this
setting can be also con gured in the network attached storage. If the setting is con gured in
Kaspersky Security for Windows Server, the network attached storage sends the inapplicable
object for scanning, and Kaspersky Security for Windows Server declares the object safe without
running a virus scan. If the setting is con gured in the network attached storage, the network
attached storage does not send the inapplicable object for scanning. To reduce network tra ic and
the load on the server with Kaspersky Security for Windows Server installed, it is recommended to
con gure settings that limit the number of objects scanned in the network attached storage.

12. Click the OK button.

The con gured custom security level settings are saved and applied to the running task.

Manually con guring the security level settings in the ICAP Network Storage
Protection task
By default, the ICAP Network Storage Protection task has the settings described in the table below. You can
change the values of these settings.

When the task settings are modi ed (for example, a di erent security level is speci ed), Kaspersky Security for
Windows Server immediately applies the new settings in the running task. Kaspersky Security for Windows Server
logs the date and time when task settings were modi ed in the system audit log.

Settings of the ICAP Network Storage Protection task

Setting Default value Comment

Security The Recommended security You can apply one of the preset security levels to the
level level is applied. protected network attached storage, or specify the values
of the security settings manually.

Heuristic The Medium analysis level is The Heuristic Analyzer can be enabled or disabled and the
analyzer applied. analysis level con gured.

Use KSN Applied. You can enable or disable the use of KSN services for ICAP
for Network Storage Protection.
protection

ICAP- Network port number – You can also modify other network storage connection
service 1344. settings. These changes should be incorporated on the
connection network attached storages.
settings
Service ID – avscan.

Schedule Not applied. The Run by You can con gure the task to run by schedule, for example
settings schedule check box is cleared. at Kaspersky Security for Windows Server startup.
The task is run manually.

To manually con gure the security settings of an ICAP network storage:

1. Expand the Managed devices node in the Kaspersky Security Center Administration Console tree.

2. Select the administration group for which you want to con gure the task.

3. Select the Policies tab.

566
4. Double-click the policy name you want to con gure.

5. In the Properties: <Policy name> window that opens, select the Network attached storage protection
section.

6. Click the Settings button in the Real-Time File Protection (ICAP) subsection.
The ICAP-network storage protection window opens.

7. On the General tab of the ICAP-network storage protection window click the Settings button.
The Security settings window opens.

8. Con gure the settings in accordance with your computer security requirements. To do this, perform the
following actions:

On the General tab take the following actions:

In the Objects protection section, specify objects to be scanned by Kaspersky Security for Windows
Server:

All objects

Objects scanned by format

Objects scanned according to list of extensions speci ed in anti-virus database

Objects scanned by speci ed list of extensions

This setting can be also con gured in the network attached storage. If the setting is con gured in
Kaspersky Security for Windows Server, the network attached storage sends the inapplicable
object for scanning, and Kaspersky Security for Windows Server declares the object safe without
running a virus scan. If the setting is con gured in the network attached storage, the network
attached storage does not send the inapplicable object for scanning. To reduce network tra ic and
the load on the server with Kaspersky Security for Windows Server installed, it is recommended to
con gure settings that limit the number of objects scanned in the network attached storage.

In the Compound objects protection section, specify compound objects to be scanned by Kaspersky
Security for Windows Server.

On the Actions tab take the following actions:

In the Action to perform on infected and other objects section, select the action to be performed by
Kaspersky Security for Windows Server on detecting an infected object.

In the Action to perform on probably infected objects section, select the action to be performed by
Kaspersky Security for Windows Server on detecting a probably infected object.

Con gure actions to be performed on objects depending on the type of object detected.

On the Performance tab take the following actions:

In the Exclusions section, specify objects that you want Kaspersky Security for Windows Server to
exclude from scanning:

To exclude les from scanning, select the Exclude les check box and specify the names or name
masks of les to be excluded.
567
 To exclude detectable objects (such as remote administration utilities), select the Do not detect
check box and specify the names or name masks of detectable objects, according to the Virus
Encyclopedia classi cation.

In the Advanced settings section, specify the maximum duration of object scanning and the maximum
size of the compound le being scanned.

9. Click OK in the Security settings window.

The Security settings window closes.

10. Click OK in the ICAP-network storage protection window.

The con gured custom security level settings are saved.

568
Integrating with third-party systems
This section describes integration of Kaspersky Security for Windows Server with third-party features and
technologies.

Performance counters for System Monitor

This section contains information about performance counters for the Microsoft Windows System Monitor that
are registered by Kaspersky Security for Windows Server during installation.

About Kaspersky Security for Windows Server performance counters

The Performance Counters component is included in the installed components of Kaspersky Security for Windows
Server by default. Kaspersky Security for Windows Server registers its own performance counters for the
Microsoft Windows System Monitor during installation.

Using Kaspersky Security for Windows Server counters, you can monitor the application's performance while the
Real-Time Server Protection tasks are running. You can identify bottlenecks when it is running with other
applications and resource shortages. You can diagnose Kaspersky Security for Windows Server crashes and
identify undesirable settings.

You can view Kaspersky Security for Windows Server performance counters by opening the Performance console
in the Administration section of Windows Control Panel.

The following sections list de nitions of counters, recommended intervals for taking readings, threshold values, and
recommended Kaspersky Security for Windows Server settings if the counter values exceed the thresholds.

Total number of requests denied

Total number of requests denied

Name Total number of requests denied

De nition Total number of object processing requests made by the le interception driver and
not accepted by the application processes; counted from the time Kaspersky Security
for Windows Server was last started.
The application skips objects for which processing requests are denied by Kaspersky
Security for Windows Server processes.
Purpose This counter can help you detect:
Reduced Real-Time Server Protection because Kaspersky Security for Windows
Server processes are overworked.

Interruption of Real-Time Server Protection because of failures of le interception

dispatchers.

Normal / 0 / 1.
threshold value

Recommended 1 hour.

569
 reading interval

Recommendations The number of denied processing requests corresponds to the number of skipped
for con guration objects.
if value exceeds
The following situations are possible depending on counter behavior:
the threshold
The counter shows several requests denied over an extended period of time: all
Kaspersky Security for Windows Server processes were fully loaded, so Kaspersky
Security for Windows Server could not scan objects.
To avoid skipping objects, increase the number of application processes for the
Real-Time Server Protection tasks. You can use such Kaspersky Security for
Windows Server settings as Maximum number of active processes and Number
of processes for real-time protection.

The number of request denied signi cantly exceeds the critical threshold and is
growing quickly: the le interception dispatcher has crashed. Kaspersky Security for
Windows Server is not scanning objects when they are accessed.
Restart Kaspersky Security for Windows Server.

Total number of requests skipped

Total number of requests skipped

Name Total number of requests skipped

De nition The total number of object processing requests made by the le interception driver
that have been received by Kaspersky Security for Windows Server and have not
generated events indicating that processing is complete; this number is counted
starting from the moment when the application was last started.
If an object processing request is accepted by one of the work processes but does
not send an event indicating that processing is complete, the driver will transfer the
request to another process and the value of the Total Number of Skipped Requests
counter will increase by 1. If the driver has gone through all of the work processes and
none of them has accepted the processing request (all were busy) or has not sent an
event indicating that processing is complete, Kaspersky Security for Windows Server
will skip the object, so the value of the Total Number of Skipped Requests counter will
increase by 1.
Purpose This counter enables you to detect drops in performance due to failures of le
interception dispatchers.
Normal / 0/1
threshold value

Recommended 1 hour
reading interval

Recommendations If the counter is anything other than zero, this means that one or more le interception
for con guration dispatcher streams have frozen and are down. The counter value corresponds to the
if value exceeds number of streams currently down.
the threshold
If the scan speed is not satisfactory, restart Kaspersky Security for Windows Server to
restore the o -line streams.

Number of requests not processed because of lack of system resources

570
Number of requests not processed because of lack of system resources

Name Number of requests not processed due to a lack of resources.

De nition Total number of requests from the le interception driver which were not
processed because of a lack of system resources (for example, RAM); counted
from the time Kaspersky Security for Windows Server was last started.
Kaspersky Security for Windows Server skips object processing requests that are
not processed by the le interception driver.
Purpose This counter can be used to detect and eliminate potentially lower quality in Real-
Time Server Protection that occurs because of low system resources.
Normal / threshold 0 / 1.
value

Recommended 1 hour.
reading interval

Recommendations for If the counter value is anything other than zero, Kaspersky Security for Windows
con guration if value Server work processes need more RAM to process requests.
exceeds the threshold
Active processes of other applications may be using all available RAM.

Number of requests sent to be processed

Number of requests sent to be processed

Name Number of requests sent to be processed.

De nition The number of objects waiting to be processed by work processes.
Purpose This counter can be used to monitor the load on Kaspersky Security for
Windows Server work processes and the overall level of le activity on the
protected device.
Normal / threshold value The counter may vary depending on the level of le activity on the
protected device.
Recommended reading 1 minute
interval

Recommendations for N/A

con guration if value
exceeds the threshold

Average number of le interception dispatcher streams

Average number of le interception dispatcher streams

Name Average number of le interception dispatcher streams.

De nition The number of le interception dispatcher streams in one process and the average for
all processes currently involved in the Real-Time Server Protection tasks.
Purpose This counter can be used to detect and eliminate a potential reduction in Real-Time
Server Protection due to a full load on Kaspersky Security for Windows Server
processes.
Normal / Varies / 40
threshold value

571
 Recommended 1 minute
reading interval

Recommendations Up to 60 le interception dispatcher streams can be created in each work process. If

for con guration the counter approaches 60, there is a risk that none of the work processes will be able
if value exceeds to process the next request in the queue from the le interception driver and
the threshold Kaspersky Security for Windows Server will skip the object.
Increase the number of Kaspersky Security for Windows Server processes for the
Real-Time Server Protection tasks. You can use such Kaspersky Security for Windows
Server settings as Maximum number of active processes and Number of processes
for real-time protection.

Maximum number of le interception dispatcher streams

Maximum number of le interception dispatcher streams

Name Maximum number of le interception dispatcher streams.

De nition The number of le interception dispatcher streams in one process and the
maximum for all processes currently involved in the Real-Time Server Protection
tasks.
Purpose This counter enables you to detect and eliminate drops in performance because of
uneven distribution of loads in running processes.
Normal / threshold Varies / 40
value

Recommended 1 minute
reading interval

Recommendations If the value of this counter signi cantly and continuously exceeds the Average
for con guration if number of le interception dispatcher streams counter, Kaspersky Security for
value exceeds the Windows Server is distributing the load to running processes unevenly.
threshold
Restart Kaspersky Security for Windows Server.

Number of elements in the infected objects queue

Number of elements in the infected objects queue

Name Number of elements in the infected objects queue.

De nition Number of infected objects currently waiting to be processed (disinfected or
deleted).
Purpose This counter can help you detect:
Interruption of Real-Time Server Protection due to potential failures of le
interception dispatchers.

Overloading of processes due to uneven distribution of processor time among

di erent work processes and Kaspersky Security for Windows Server.

Virus outbreaks.

Normal / threshold This value may be something other than zero while Kaspersky Security for Windows
value Server is processing infected or probably infected objects but will return to zero
572
 after processing is nished / The value remains non-zero for an extended period of
time.
Recommended 1 minute
reading interval

Recommendations If the value of the counter does not return to zero for an extended period of time:
for con guration if
Kaspersky Security for Windows Server is not processing objects (the le
value exceeds the
interception dispatcher may have crashed).
threshold
Restart Kaspersky Security for Windows Server.

There may be insu icient processor time to process the objects.

Make sure Kaspersky Security for Windows Server receives additional processor
time (by reducing other applications' load on the protected device, for example).

There has been a virus outbreak.

A large number of infected or probably infected objects in the Real-Time File
Protection task is also a sign of a virus outbreak. You can view information about
the number of detected objects in the task statistics or task logs.

Number of objects processed per second

Number of objects processed per second

Name Number of objects processed per second.

De nition Number of objects processed divided by the amount of time that it took to process
those objects (calculated over equal time intervals).
Purpose This counter re ects the speed of object processing; it can be used to detect and
eliminate low points in protected device performance that occur because of
insu icient processor time being allotted to Kaspersky Security for Windows Server
processes or errors in Kaspersky Security for Windows Server operation.
Normal / Varies / No.
threshold value

Recommended 1 minute.
reading interval

Recommendations The values of this counter depend on the values set in Kaspersky Security for
for con guration Windows Server settings and the load on the protected device from other
if value exceeds applications' processes.
the threshold
Observe the average counter value over an extended period of time. If the general
counter value decreases, one of the following situations is possible:
Kaspersky Security for Windows Server processes do not have enough processor
time to process the objects.
Make sure Kaspersky Security for Windows Server receives additional processor
time (by reducing other applications' load on the protected device, for example).

Kaspersky Security for Windows Server has experienced an error (several streams
are idle).
Restart Kaspersky Security for Windows Server.

573
Kaspersky Security for Windows Server SNMP counters and traps
This section contains information about Kaspersky Security for Windows Server counters and traps.

About Kaspersky Security for Windows Server SNMP counters and traps
If you included SNMP Counters and Traps in the set of anti-virus components to be installed, you can view
Kaspersky Security for Windows Server counters and traps using Simple Network Management Protocol (SNMP).

To view Kaspersky Security for Windows Server counters and traps from the administrator's workstation, start
SNMP Service on the protected device and start SNMP and SNMP Trap Services on the administrator's
workstation.

Kaspersky Security for Windows Server SNMP counters

This section contains tables with a description of the settings for Kaspersky Security for Windows Server SNMP
counters.

Performance counters
Performance counters

Counter De nition

currentRequestsAmount Number of requests sent to be processed

currentInfectedQueueLength Number of elements in the infected objects queue

currentObjectProcessingRate Number of objects processed per second

currentWorkProcessesNumber Current number of work processes used by Kaspersky Security for

Windows Server

Quarantine counters
Quarantine counters

Counter De nition

totalObjects Number of objects currently in Quarantine

totalSuspiciousObjects Number of probably infected objects currently in Quarantine

currentStorageSize Total amount of data in Quarantine (MB)

Backup counter
574
Backup counter

Counter De nition

currentBackupStorageSize Total amount of data in Backup (MB)

General counters
General counters

Counter De nition

lastCriticalAreasScanAge The period since the last complete scan of the protected device's
critical areas (time elapsed in seconds since the last Critical Areas
Scan task was completed).

licenseExpirationDate License expiration date. If an active and additional key have been
added, the date of expiry of the license associated with the
additional key is displayed.

currentApplicationUptime The amount of time that Kaspersky Security for Windows Server
has been running since it was last started, in hundredths of seconds.

currentFileMonitorTaskStatus Real-Time File Protection task status: On – running; O – stopped

or paused.

currentScriptCheckerTaskStatus Script Monitoring task status: On – running; O – stopped or

paused.

currentWebTra icMonitorTaskStatus Tra ic Security task status: On – running; O – stopped or paused.

Update counter
Update counter

Counter De nition

avBasesAge "Age" of databases (time elapsed in hundredths of seconds since the creation date of the
latest installed database updates).

Real-Time File Protection counters

Real-Time File Protection counters

Counter De nition

totalObjectsProcessed Total number of objects scanned since the time the last Real-Time File
Protection task was run

totalInfectedObjectsFound Total number of infected and other objects detected since the time the
last Real-Time File Protection task was run

totalSuspiciousObjectsFound Total number of probably infected objects detected since the time the last
Real-Time File Protection task was run

totalVirusesFound Total number of objects detected since the time the Real-Time File
Protection task was last run

totalObjectsQuarantined Total number of infected, probably infected and other objects which were
575
 placed into Quarantine by Kaspersky Security for Windows Server;
calculated from the time the Real-Time File Protection task was last
started

totalObjectsNotQuarantined Total number of infected or probably infected objects Kaspersky Security

for Windows Server attempted to quarantine but was unable to; calculated
from the time the Real-Time File Protection task was last started

totalObjectsDisinfected Total number of infected objects which were disinfected by Kaspersky

Security for Windows Server; calculated from the time the Real-Time File
Protection task was last started

totalObjectsNotDisinfected Total number of infected and other objects which Kaspersky Security for
Windows Server attempted to disinfect but was unable to; calculated from
the time Real-Time File Protection task was last started

totalObjectsDeleted Total number of infected, probably infected and other objects which were
deleted by Kaspersky Security for Windows Server; calculated from the
time the Real-Time File Protection task was last started

totalObjectsNotDeleted Total number of infected, probably infected and other objects which
Kaspersky Security for Windows Server attempted to delete but was
unable to; calculated from the time Real-Time File Protection task was last
started

totalObjectsBackedUp Total number of infected objects and other which were placed into Backup
by Kaspersky Security for Windows Server; calculated from the time the
Real-Time File Protection task was last started

totalObjectsNotBackedUp Total number of infected objects and other which Kaspersky Security for
Windows Server attempted to place into Backup but was unable to;
calculated from the time Real-Time File Protection task was last started

Script Monitoring counters

Script Monitoring counters

Counter De nition

totalScriptsProcessed Total number of scripts scanned since the time the last Script
Monitoring task was run

totalInfectedDangerousSriptsFound Total number of infected and dangerous scripts detected since the
time the last Script Monitoring task was run

totalSuspiciousScriptsFound Total number of probably infected scripts detected since the time
the last Script Monitoring task was run

totalScriptsBlocked Total number of scripts blocked since the time the Script Monitoring
task was last run

Tra ic Security counters

Tra ic Security counters

Counter De nition

wtTotalObjectsProcessed Total number of objects processed since the time the last
Tra ic Security task was run

576
 wtTotalInfectedObjectsFound Total number of infected and other objects detected since
the time the last Tra ic Security task was run

wtTotalVirusesFound Total number of objects detected since the time the Tra ic
Security task was last run

wtTotalPhishingResourcesAccess Total number of accesses to phishing resources since the time

the Tra ic Security task was last run

wtTotalURLProcessed Total number of URL processed since the time the last Tra ic
Security task was run

wtTotalInfectedObjectsDownloadsBlocked Total number of infected objects downloads blocked since the

time the Tra ic Security task was last run

Kaspersky Security for Windows Server SNMP traps and their options
The SNMP traps options in Kaspersky Security for Windows Server are summarized as follows:

eventThreatDetected: an object has been detected.

The trap has the following options:

eventDateAndTime

eventSeverity

computerName

userName

objectName

threatName

detectType

detectCertainty

eventBackupStorageSizeExceeds: maximum Backup size exceeded. The total amount of data in Backup
exceeds the value speci ed by Maximum Backup size (MB). Kaspersky Security for Windows Server continues
to back up infected objects.
The trap has the following options:

eventDateAndTime

eventSeverity

eventSource

eventThresholdBackupStorageSizeExceeds: Backup free space threshold reached. The amount of free space
in Backup is less than or equal to the value speci ed by Threshold value for space available (MB). Kaspersky
Security for Windows Server continues to back up infected objects.
The trap has the following options:

eventDateAndTime
577
 eventSeverity

eventSource

eventQuarantineStorageSizeExceeds: maximum Quarantine size exceeded. The total size of data in Quarantine
has exceeded the value speci ed by the Maximum Quarantine size (MB). Kaspersky Security for Windows
Server continues to quarantine probably infected objects.
The trap has the following options:

eventDateAndTime

eventSeverity

eventSource

eventThresholdQuarantineStorageSizeExceeds: Quarantine free space threshold reached. The amount of free

size in Quarantine assigned by the Threshold value for space available (MB) is equal to or less than the
speci ed value. Kaspersky Security for Windows Server continues to back up infected objects.
The trap has the following options:

eventDateAndTime

eventSeverity

eventSource

eventObjectNotQuarantined: Quarantine error.

The trap has the following options:

eventSeverity

eventDateAndTime

eventSource

userName

computerName

objectName

storageObjectNotAddedEventReason

eventObjectNotBackuped: Error while saving an object copy in Backup.

The trap has the following options:

eventSeverity

eventDateAndTime

eventSource

objectName

userName
578
 computerName

storageObjectNotAddedEventReason

eventQuarantineInternalError: Quarantine internal error.

The trap has the following options:

eventSeverity

eventDateAndTime

eventSource

eventReason

eventBackupInternalError: Backup error.

The trap has the following options:

eventSeverity

eventDateAndTime

eventSource

eventReason

eventAVBasesOutdated: Anti-virus database is out of date. Number of days since the last time the Database
Update task (local task, or group task, or task for sets of protected devices) was run.
The trap has the following options:

eventSeverity

eventDateAndTime

eventSource

days

eventAVBasesTotallyOutdated: Anti-virus database is obsolete. Number of days since the last time the
Database Update task (local task, or group task, or task for sets of protected devices) was run.
The trap has the following options:

eventSeverity

eventDateAndTime

eventSource

days

eventApplicationStarted: Kaspersky Security for Windows Server is running.

The trap has the following options:

eventSeverity

579
 eventDateAndTime

eventSource

eventApplicationShutdown: Kaspersky Security for Windows Server is stopped.

The trap has the following options:

eventSeverity

eventDateAndTime

eventSource

eventCriticalAreasScanWasntPerformForALongTime: Critical areas have not been scanned for a long time.
Number of days since the last time the Critical Areas Scan task completed.
The trap has the following options:

eventSeverity

eventDateAndTime

eventSource

days

eventLicenseHasExpired: License has expired.

The trap has the following options:

eventSeverity

eventDateAndTime

eventSource

eventLicenseExpiresSoon: License expires soon. Calculated as the number of days until the expiration date for
the license.
The trap has the following options:

eventSeverity

eventDateAndTime

eventSource

days

eventTaskInternalError: Task completion error.

The trap has the following options:

eventSeverity

eventDateAndTime

eventSource

580
 errorCode

knowledgeBaseId

taskName

eventUpdateError: Error while running the update task.

The trap has the following options:

eventSeverity

eventDateAndTime

taskName

updaterErrorEventReason

Kaspersky Security for Windows Server SNMP traps options descriptions

and possible values
Descriptions of the traps options and their possible values are given below:

eventDateAndTime: event date and time.

eventSeverity: importance level.

The option can take the following values:

critical (1) – critical

warning (2) – warning

info (3) – informational

userName: user name (for example, the name of a user that attempted to access an infected le).

computerName: protected device name (for example, the name of a protected device from which a user
attempted to access an infected le).

eventSource: functional component that generated the event.

The option can take the following values:

unknown (0) – functional component not known

quarantine (1) – Quarantine

backup (2) – Backup

reporting (3) – task logs

updates (4) – Update

realTimeProtection (5) – Real-Time File Protection

581
 onDemandScanning (6) – On-Demand Scan

product (7) – event related to operation of Kaspersky Security for Windows Server as a whole rather than
operation of individual components

systemAudit (8) – system audit log

eventReason: event trigger: what triggered the event.

The option can take the following values:

reasonUnknown (0) – reason is unknown.

reasonInvalidSettings (1) – only for Backup and Quarantine events, displayed if Quarantine or Backup is
unavailable (insu icient access permissions or an invalid folder is speci ed in the Quarantine settings -- for
example, the a network path is speci ed). In this case, Kaspersky Security for Windows Server will use the
default Backup or Quarantine folder.

objectName: an object name (for example, the name of the le where the virus was detected).

threatName: The name of the object according to the Virus Encyclopedia classi cation. This name is included in
the full name that Kaspersky Security for Windows Server returns on detecting an object. You can view the full
name of a detected object in the task log.

detectType: type of object detected.

The option can take the following values:

unde ned (0) – unde ned

virware – classic viruses and network worms

trojware – Trojans

malware – other malicious applications

adware – advertising software

pornware – pornographic software

riskware – legitimate applications that may be used by intruders to damage the user's device or personal
data

detectCertainty: certainty level for threat detection.

The option can take the following values:

Suspicion (probably infected) – Kaspersky Security for Windows Server has detected a partial match
between a section of object code and a known section of malicious code.

Sure (infected) – Kaspersky Security for Windows Server has detected a complete match between a
section of code in the object and a known section of malicious code.

days: number of days (for example, the number of days until the license expiration date).

errorCode: an error code.

knowledgeBaseId: address of a knowledge base article (for example, address of an article that explains a
particular error).
582
taskName: a task name.

updaterErrorEventReason: the reason for the update error.

The option can take the following values:

reasonUnknown(0) – reason is unknown.

reasonAccessDenied – access denied.

reasonUrlsExhausted – the list of update sources is exhausted.

reasonInvalidCon g – invalid con guration le.

reasonInvalidSignature – invalid signature.

reasonCantCreateFolder – folder cannot be created.

reasonFileOperError – le error.

reasonDataCorrupted – object is corrupted.

reasonConnectionReset – connection reset.

reasonTimeOut – connection timeout exceeded.

reasonProxyAuthError – proxy authentication error.

reasonServerAuthError – server authentication error.

reasonHostNotFound – device not found.

reasonServerBusy – server unavailable.

reasonConnectionError – connection error.

reasonModuleNotFound – object not found.

reasonBlstCheckFailed(16) – error while checking the key blacklist. It is possible that database updates were
being published at the time of the update; please repeat the update in a few minutes.

storageObjectNotAddedEventReason: the reason why the object was not backed up or quarantined.
The option can take the following values:

reasonUnknown (0) – reason is unknown.

reasonStorageInternalError – database error; Kaspersky Security for Windows Server must be restored.

reasonStorageReadOnly – database is read-only; Kaspersky Security for Windows Server must be restored.

reasonStorageIOError – input-output error: a) Kaspersky Security for Windows Server is corrupted,

Kaspersky Security for Windows Server must be restored; b) disk with Kaspersky Security for Windows
Server les is corrupted.

reasonStorageCorrupted – storage is corrupted; Kaspersky Security for Windows Server must be restored.

583
 reasonStorageFull – database is full; free disk space is required.

reasonStorageOpenError – database le could not be opened; Kaspersky Security for Windows Server
must be restored.

reasonStorageOSFeatureError – some operating system features do not correspond to Kaspersky Security

for Windows Server requirements.

reasonObjectNotFound – object being placed in Quarantine does not exist on the disk.

reasonObjectAccessError – insu icient permissions to use Backup API: the account being used to perform
the operation does not have Backup Operator permissions.

reasonDiskOutOfSpace – not enough space on the disk.

Integrating with WMI

Kaspersky Security for Windows Server supports integration with Windows Management Instrumentation (WMI):
you can use client systems that use WMI to receive data via the Web-Based Enterprise Management (WBEM)
standard in order to receive information about the status of Kaspersky Security for Windows Server and its
components.

When Kaspersky Security for Windows Server is installed, it registers a proprietary module on the system to create
a Kaspersky Security for Windows Server namespace on the protected device. A Kaspersky Security for Windows
Server namespace lets you work with Kaspersky Security for Windows Server classes and instances and their
properties.

The values of some instance properties depend on task types.

A non-periodic task is an application task that is not time-limited and can either be constantly running or stopped.
Such tasks have no execution progress. The task results are logged continuously while the task is running as single
events (for example, detection of an infected object by any Real-Time Server Protection tasks). This type of tasks
is managed via Kaspersky Security Center policies.

A periodic task is an application task that is time-limited and has execution progress displayed as a percentage.
The task results are generated when task is complete and are represented as a single item or changed application
state (for example, completed application database update, generated con guration les for rule generation
tasks). Several periodic tasks of the same type can run on a single protected device simultaneously (e.g. three On-
Demand scan tasks with di erent scan scopes). Periodic tasks can be managed via Kaspersky Security Center as
group tasks.

If you use tools to generate WMI namespace queries and receive dynamic data from WMI namespaces on your
corporate network, you will be able to receive information about the current application state (see the table
below).

Information about the application state

Instance property Description Values

ProductName Name of the installed Full name of application without version

application. number.

ProductVersion Full version of the installed Full application version number, including the
application. build number.

InstalledPatches Set of display names for List of critical xes installed for the
installed patches. application.
584
IsLicenseInstalled Application activation Status of the key used to activate the
status. application.
Possible values:
False - A license key has not been added to
the application.

True - A license key has been added to the

application.

LicenseDaysLeft Shows how many days are Number of days remaining before expiration of
left before a current license the current license.
expiration.
Possible non-positive values:
0 - License has expired.

-1 - Unable to get information on the

current key or the speci ed key cannot be
used to activate the application (for
example, it is blocked based on key
blacklist).

AVBasesDatetime Timestamp for the current Date and time of the creation of the anti-virus
anti-virus database version. databases currently in use.
If the installed application does not use anti-
virus databases, then the eld has the value
“Not installed”.

IsExploitPreventionEnabled Status of the Exploit Status of the Exploit Prevention component.

Prevention component.
Possible values:
True - The Exploit Prevention component is
enabled and providing protection.

False - The Exploit Prevention component

is not providing protection. For example:
disabled, not installed, the License
Agreement has been violated.

ProtectionTasksRunning Set of protection tasks that List of protection, control, and monitoring
are currently running. tasks currently running. This eld should
account for all running non-periodic tasks.
If no non-periodic task is running, the eld has
the value “None”.

IsAppControlRunning Status of the Applications Status of the Applications Launch Control

Launch Control task. task.
True - The Applications Launch Control
task is currently running.

False - The Applications Launch Control is

not currently running or the Applications
Launch Control component is not installed.

AppControlMode Applications Launch Control Describes the current status of the

task mode. Applications Launch Control component, and
585
 describes the selected mode for the
corresponding task.
Possible values:
Active - Active mode is selected in the
task settings.

Statistics Only - Statistics only mode is

selected in the task settings.

Not installed - The Applications Launch

Control component is not installed.

AppControlRulesNumber Total number of applications The number of rules currently speci ed in the
launch control rules. Applications Launch Control task settings.

AppControlLastBlocking The timestamp for the last Date and time when the Applications Launch
application launch blocking Control component last blocked the launch of
by the Applications Launch an application. This eld includes all blocked
Control task in any mode. applications, regardless of the task mode.
If no instances of blocked application launches
are registered at the time the WMI query is
processed, the eld is assigned the value
“None”.

PeriodicTasksRunning Set of periodic tasks that List of On-Demand Scan, Update, and
are currently running. inventory-taking tasks currently running. This
eld should include all running periodic tasks.
If no periodic tasks are currently running, then
the eld has the value “None”.

ConnectionState Status of the connection Information about the status of the

between the WMI Provider connection between the WMI Provider
component and the component and the Kaspersky Security
Kaspersky Security Service Service.
(KAVFS).
Possible values:
Success - The connection was
successfully established: the WMI client
can receive the application status.

Failed. Error Code: <code> - The

connection could not be established due
to an error with the speci ed code.

This data represents instance properties KasperskySecurity_ProductInfo.ProductName=Kaspersky Security,

where:

KasperskySecurity_ProductInfo is the name of the Kaspersky Security for Windows Server class

.ProductName=Kaspersky Security are the Kaspersky Security for Windows Server key properties

The instance is created in the ROOT\Kaspersky\Security namespace.

586
Working with Kaspersky Security for Windows Server from the command
line
This section describes working with Kaspersky Security for Windows Server from the command line.

Commands
You can perform basic Kaspersky Security for Windows Server management commands from the command line of
the protected device using the Command Line utility component, which is included in the Kaspersky Security for
Windows Server software components group.

You can use commands to manage only those functions accessible to you based on the permissions assigned to
you in Kaspersky Security for Windows Server.

Certain Kaspersky Security for Windows Server commands are executed in the following modes:

Synchronous mode: control returns to the Console only after the command is complete.

Asynchronous mode: control returns to the Console immediately after the command is started.

To interrupt a command being executed in synchronous mode,

press the Ctrl+C keyboard shortcut.

Follow these rules when entering Kaspersky Security for Windows Server commands:

Enter modi ers and commands using upper and lower case.

Separate modi ers with a space.

If the path of a le/folder speci ed as a value includes a space, enclose the path in quotes, for example:
"C:\TEST\test cpp.exe".

If necessary, you can use wildcards in the lename or path, for example: "C:\Temp\Temp*\",
"C:\Temp\Temp???.doc", "C:\Temp\Temp*.doc".

You can use the command line to perform every operation required for management and administration of
Kaspersky Security for Windows Server (see the table below).

Kaspersky Security for Windows Server commands

Command Description

KAVSHELL Update the rule list according to the selected import rule.
APPCONTROL

KAVSHELL Set the operating mode of the Applications Launch Control task
APPCONTROL
/CONFIG

KAVSHELL Start the Rule Generator for Applications Launch Control task.
APPCONTROL
/GENERATE

KAVSHELL VACUUM Defragment Kaspersky Security for Windows Server log les.
587
 KAVSHELL Manage password protection settings.
PASSWORD

KAVSHELL HELP Display Kaspersky Security for Windows Server command help.

KAVSHELL START Start the Kaspersky Security Service.

KAVSHELL STOP Stop the Kaspersky Security Service.

KAVSHELL SCAN Create and start a temporary On-Demand Scan task with the scan scope and
security settings speci ed by the command-line options.

KAVSHELL Start the Critical Areas Scan system task.

SCANCRITICAL

KAVSHELL TASK Start, pause / resume, stop the speci ed task asynchronously, returns the current
task status / statistics.

KAVSHELL RTP Start or stop all Real-Time Server Protection tasks.

KAVSHELL UPDATE Start the Database Update task with the settings speci ed by the command-line
options.

KAVSHELL Roll back the databases to the previous version.

ROLLBACK

KAVSHELL LICENSE Add or delete the keys and activation codes. Display information about the added
keys and activation codes.

KAVSHELL TRACE Enable or disable trace logs. Manage trace log settings.

KAVSHELL DUMP Enable or disable creation of dump les when Kaspersky Security for Windows
Server processes terminate abnormally.

KAVSHELL IMPORT Import general Kaspersky Security for Windows Server settings, functions, and
tasks from a con guration le.

KAVSHELL EXPORT Export all Kaspersky Security for Windows Server settings and existing tasks to a
con guration le.

KAVSHELL Add to the list of generated device control rules according to selected method.
DEVCONTROL

Displaying Kaspersky Security for Windows Server command help:

KAVSHELL HELP
To view the list of all Kaspersky Security for Windows Server commands, run one of the following commands:

KAVSHELL

KAVSHELL HELP

KAVSHELL /?

To view a description of a command and its syntax, run one of the following commands:

KAVSHELL HELP <command>

588
 KAVSHELL <command> /?

KAVSHELL HELP examples

To view detailed information about the KAVSHELL SCAN command, execute the following command:

KAVSHELL HELP SCAN

Starting and stopping the Kaspersky Security Service KAVSHELL START:

KAVSHELL STOP
To run the Kaspersky Security Service, execute the command

KAVSHELL START

By default, when the Kaspersky Security Service is started, Real-Time File Protection and Scan at Operating
System Startup, as well as other tasks scheduled to start At application launch, will be started.

To stop the Kaspersky Security Service, execute the following command:

KAVSHELL STOP

A password might be required to execute the command. To enter the current password, use [/pwd:
<password>].

Scanning a selected area: KAVSHELL SCAN

To start a task to scan speci c areas of the protected device, use KAVSHELL SCAN. The command-line options
specify the scan scope and security settings of the selected node.

An On-Demand Scan task started using the KAVSHELL SCAN command is a temporary task. It is displayed in the
Application Console only while being executed (you cannot view its task settings in the Application Console).
However, a task performance log is generated and displayed under the Task logs node in the Application Console.

When specifying paths in scan tasks for speci c areas, you can use environment variables. If you use a user
environment variable, execute the KAVSHELL SCAN command as the corresponding user.

The KAVSHELL SCAN command is executed in synchronous mode.

To start an existing On-Demand Scan task from the command line, use the KAVSHELL TASK command.

KAVSHELL SCAN command syntax

589
KAVSHELL SCAN <scan scope> [/MEMORY|/SHARED|/STARTUP|/REMDRIVES|/FIXDRIVES|/MYCOMP] [/L:<
path to file with the list of scan scopes >] [/F<A|C|E>] [/NEWONLY] [/AI:
<DISINFECT|DISINFDEL|DELETE|REPORT|AUTO>] [/AS:<QUARANTINE|DELETE|REPORT|AUTO>]
[/DISINFECT|/DELETE] [/E:<ABMSPO>] [/EM:<"masks">] [/ES:<size>] [/ET:<number of seconds>]
[/TZOFF] [/OF:<SKIP|RESIDENT|SCAN[=<days>] [NORECALL]>] [/NOICHECKER][/NOISWIFT]
[/ANALYZERLEVEL][/NOCHECKMSSIGN][/W:<path to task log file>] [/ANSI] [/ALIAS:<task
alias>]

The KAVSHELL SCAN command has both mandatory and optional parameters/options (see the table below).

KAVSHELL SCAN command examples

KAVSHELL SCAN Folder56 D:\Folder1\Folder2\Folder3\ C:\Folder1\ C:\Folder2\3.exe

"\\another server\Shared\" F:\123\*.fgb /SHARED /AI:DISINFDEL /AS:QUARANTINE /FA /E:ABM
/EM:"*.xtx;*.fff;*.ggg;*.bbb;*.info" /NOICHECKER /ANALYZERLEVEL:1 /NOISWIFT /W:log.log

KAVSHELL SCAN /L:scan_objects.lst /W:c:\log.log

KAVSHELL SCAN command-line parameters/options

Parameter/option Description

Scan scope. Mandatory parameter.

< les> Speci es the scan scope - list of les, folders, network paths and prede ned areas.
Specify network paths in Universal Naming Convention (UNC) format.
In the following example, the Folder4 folder is speci ed without a path, which implies
that it is located in the folder from which the KAVSHELL command is run:
<folders>
KAVSHELL SCAN Folder4
If the name of the object to be scanned has spaces, it must be wrapped in quotation
marks.
<network path> If a folder is speci ed, Kaspersky Security for Windows Server will also scan all its
subfolders.
The symbols * or ? can be used to scan a group of les.

/MEMORY Scan objects in RAM

/SHARED Scan shared folders on the protected device

/STARTUP Scan autorun objects

/REMDRIVES Scan removable drives

/FIXDRIVES Scan hard drives

/MYCOMP Scan all areas of the protected device

/L:<path to le with Full path to le with a list of scan scopes.

a list of scan
Use line breaks to separate the scan scopes in the le. You can specify prede ned
scopes>
scan areas as shown in the following example of the content of a le with a list of scan
scopes:
C:\
D:\Docs\*.doc
E:\My Documents
/STARTUP
/SHARED

590
Scan objects (File types). If you do not specify this option, Kaspersky Security for Windows Server will scan
objects by their format.

/FA Scan all objects

/FC Scan objects by format (default). Kaspersky Security for Windows Server scans only
objects whose formats are included in the list of formats of infectable objects.

/FE Scan objects by extension. Kaspersky Security for Windows Server scans only objects
with extensions included into the list of extensions of infectable objects.

/NEWONLY Scan only new and modi ed les.

If you do not specify this option, Kaspersky Security for Windows Server will scan all
objects.

Action to perform on infected and other objects. If you do not specify values for this modi er, Kaspersky
Security for Windows Server will perform the Skip action.

DISINFECT Disinfect, skip if disinfection is not possible

The DISINFECT and DELETE options are preserved in the current version Kaspersky
Security for Windows Server in order to ensure compatibility with previous versions.
These options can be used instead of the /AI and /AS options. In this case, Kaspersky
Security for Windows Server will not process probably infected objects.

DISINFDEL Disinfect, delete if disinfection is not possible

DELETE Delete
The DISINFECT and DELETE options are saved in the current version of Kaspersky
Security for Windows Server in order to ensure compatibility with previous versions.
These options can be used instead of the /AI and /AS options. In this case, Kaspersky
Security for Windows Server will not process probably infected objects.

REPORT Send report (default)

AUTO Perform recommended action

/AS: Action to perform on probably infected objects. If you do not specify this option, Kaspersky Security
for Windows Server will perform the Skip action.

QUARANTINE Quarantine

DELETE Delete

REPORT Send report (default)

AUTO Perform recommended action

Exclusions

/E:ABMSPO Exclude the following types of compound objects:

A – archives (scan SFX archives only)
B – email databases
M – plain mail
S – archives and SFX-archives
P – packed objects
O – embedded OLE objects

/EM:<"masks"> Exclude les by mask

You can specify several masks, for example: EM:"*.txt; *.png;
C\Videos\*.avi".

/ET:<number of Stop processing an object if it takes longer than the number of seconds speci ed by

591
 seconds> <number of seconds>.
By default, there is no time restriction.

/ES:<size> Do not scan compound objects larger than the size (in MB) speci ed by the value
<size>.
By default, Kaspersky Security for Windows Server scans objects of all sizes.

/TZOFF Disable Trusted Zone exclusions

Advanced settings (Options)

/NOICHECKER Disable the use of iChecker (enabled by default)

/NOISWIFT Disable the use of iSwift (enabled by default)

/ANALYZERLEVEL: Enable Heuristic Analyzer, con gure analysis level.

<heuristic analysis
The following heuristic analysis levels are available:
level>
1 – light
2 – medium
3 – deep
If you omit this option, Kaspersky Security for Windows Server will not use Heuristic
Analyzer.

/ALIAS:<task alias> Assigns a temporary name to an On-Demand Scan task, allowing you to reference it
while it runs, for example, in order to view its statistics using the TASK command. The
task alias must be unique among the task aliases of all Kaspersky Security for
Windows Server components.
If this option is not speci ed, a temporary name in the form of scan_<kavshell_pid> is
assigned, for example, scan_1234. In the Application Console, the task is assigned the
name "Scan objects <date and time>", for example, Scan objects 8/16/2007 5:13:14 PM.

Task log settings (Report settings)

/W:<path to task If this parameter is speci ed, Kaspersky Security for Windows Server will save the
log le> task log le using the name speci ed by the parameter value.
The log le contains task execution statistics, the time when the task was started and
completed (stopped), and information about events that occurred during the task.
The log is used to register events de ned by the task log settings and the Kaspersky
Security for Windows Server event log settings in Event Viewer.

You can specify either the absolute or relative path to the log le. If you specify only a
lename without a path, the log le will be created in the current folder.
Restarting the command with the same log settings will overwrite the existing log le.
The log le can be viewed while a task is running.
The log appears in the Task logs node of the Application Console.
If Kaspersky Security for Windows Server fails to create the log le, it will display an
error message but will still execute the command.

/ANSI This option uses ANSI encoding to record events to the task log.
The ANSI option will not be applied if the W parameter is not speci ed.
If the ANSI option is not speci ed, UNICODE is used to generate the task log.

Starting the Critical Areas Scan task: KAVSHELL SCANCRITICAL

592
Use the KAVSHELL SCANCRITICAL command to start the Critical Areas Scan task with the settings de ned in the
Application Console.

KAVSHELL SCANCRITICAL command syntax

KAVSHELL SCANCRITICAL [/W:<path to task log file>]

KAVSHELL SCANCRITICAL command examples

To run the Critical Areas Scan task and save a task log named scancritical.log in the current folder, execute the
following command:

KAVSHELL SCANCRITICAL /W:scancritical.log

You can use the /W parameter to con gure the location of the task log (see the table below).

Syntax of the /W parameter for the KAVSHELL SCANCRITICAL command

Parameter/option Description

/W:<path to task If this parameter is speci ed, Kaspersky Security for Windows Server will save the task
log le> log le using the name speci ed by the parameter value.
The log le contains task execution statistics, the time when the task was started and
completed (stopped), and information about events that occurred during the task.
The log is used to register events de ned by the task log settings and the Kaspersky
Security for Windows Server event log settings in Event Viewer.
You can specify either the absolute or relative path to the log le. If you specify only a
lename without a path, the log le will be created in the current folder.
Restarting the command with the same log settings will overwrite the existing log le.
The log le can be viewed while a task is running.
The log appears in the Task logs node of the Application Console.
If Kaspersky Security for Windows Server fails to create the log le, it will display an
error message but will still execute the command.

Managing tasks asynchronously: KAVSHELL TASK

You can use the KAVSHELL TASK command to manage the speci ed task: run, pause, resume and stop the task
and view the current task status and statistics. The command is performed in asynchronous mode.

A password might be required to execute the command. To enter the current password, use [/pwd:
<password>].

KAVSHELL TASK command syntax

KAVSHELL TASK [<task name alias> </START | /STOP | /PAUSE | /RESUME | /STATE |
/STATISTICS >]

593
KAVSHELL TASK command examples

KAVSHELL TASK

KAVSHELL TASK on-access /START

KAVSHELL TASK user-task_1 /STOP

KAVSHELL TASK scan-computer /STATE

KAVSHELL TASK network-attack-blocker /START

The KAVSHELL TASK command can run without parameters/options or with one or more parameters/options (see
the table below).

KAVSHELL TASK command-line parameters/options

Parameter/option Description

No parameters Return the list of all existing Kaspersky Security for Windows Server tasks. The list
includes the following elds: task alias, task category (system or custom) and current
task status.

<task alias> Instead of the task name, in the SCAN TASK command, use its task alias, an additional
abbreviated name that Kaspersky Security for Windows Server assigns to tasks. To
view Kaspersky Security for Windows Server task aliases, enter the KAVSHELL TASK
command without any parameters.

/START Start the speci ed task in asynchronous mode.

/STOP Stop the speci ed task.

/PAUSE Pause the speci ed task.

/RESUME Resume the speci ed task in asynchronous mode.

/STATE Return the current task status (for example, Running, Completed, Paused, Stopped,
Failed, Starting, Resuming).
/STATISTICS Retrieve task statistics - Information about the number of objects processed from the
time the task started

Note that not all Kaspersky Security for Windows Server tasks fully support /PAUSE, /RESUME and /STATE
keys.

Return codes for the KAVSHELL TASK command.

Removing the PPL attribute: KAVSHELL CONFIG

The KAVSHELL CONFIG command lets you remove the PPL (Protected Process Light) attribute for the Kaspersky
Security Service using the ELAM driver installed during installation of the application.

KAVSHELL CONFIG command syntax

KAVSHELL CONFIG /PPL:<OFF>

594
KAVSHELL CONFIG command-line parameters/options

Parameter/option Description

/PPL:OFF Remove the PPL attribute for the Kaspersky Security Service.

Starting and stopping Real-Time Server Protection tasks: KAVSHELL RTP

You can use the KAVSHELL RTP command to start or stop all Real-Time Server Protection tasks.

A password might be required to execute the command. To enter the current password, use [/pwd:
<password>].

KAVSHELL RTP command syntax

KAVSHELL RTP {/START | /STOP}

KAVSHELL RTP command examples

To start all Real-Time Server Protection tasks, execute the following command:

KAVSHELL RTP /START

The KAVSHELL RTP command must include one of two options (see the table below).

KAVSHELL RTP command-line options

Parameter/options Description

/START Start all Real-Time Server Protection tasks: Real-Time File Protection, Script
Monitoring, and KSN Usage.

/STOP Stop all Real-Time Server Protection tasks.

Managing the Applications Launch Control task: KAVSHELL APPCONTROL

/CONFIG
You can use the KAVSHELL APPCONTROL /CONFIG command to con gure the mode in which the Applications
Launch Control task runs and monitors the loading of DLL modules.

KAVSHELL APPCONTROL /CONFIG command syntax

/config /mode:<applyrules|statistics> [/dll:<no|yes>] | /config /savetofile:<full path to

XML file>

KAVSHELL APPCONTROL /CONFIG command examples

595
To run the Applications Launch Control task in Active mode without monitoring DLL loading save the task settings
upon completion, run the following command:

KAVSHELL APPCONTROL /CONFIG /mode:applyrules /dll:<no>

/savetofile:c:\appcontrol\config.xml

You can con gure Applications Launch Control task settings using the command-line parameters (see the table
below).

KAVSHELL APPCONTROL /CONFIG command-line parameters/options

Parameter/option Description

/mode:<applyrules|statistics> Operating mode of the Applications Launch Control

task.
You can select one of the following modes:
active - Apply Applications Launch Control rules;

statistics - Only generate statistics.

/dll:<no|yes> Enable or disable monitoring of DLL loading.

/savetofile: <path to XML file> Export the speci ed rules to the indicated le in XML
format.

/savetofile: <the fullname to xml file> Save the list of rules to le.

/savetofile: <the fullname to xml file> Save the list of Software Distribution Control rules to
/sdc le.

/clearsdc Delete all Software Distribution Control rules from the

list.

Rule Generator for Applications Launch Control: KAVSHELL APPCONTROL

/GENERATE
You can use the KAVSHELL APPCONTROL /GENERATE command to generate Applications Launch Control rule
lists.

A password might be required to execute the command. To enter the current password, use [/pwd:
<password>].

KAVSHELL APPCONTROL /GENERATE command syntax

KAVSHELL APPCONTROL /GENERATE <path to folder> | /source:<path to file with folders list>
[/masks:<edms>] [/runapp] [/rules:<ch|cp|h>] [/strong] [/user:<user or group of users>]
[/export:<path to XML file>] [/import:<a|r|m>] [/prefix:<prefix for rules names>]
[/unique]

KAVSHELL APPCONTROL /GENERATE command examples

596
To generate rules for les from speci ed folders, execute the following command:

KAVSHELL APPCONTROL /GENERATE /source:c\folderslist.txt

/export:c:\rules\appctrlrules.xml

To generate rules for executable les with any extension in the speci ed folder and, upon the task completion, save
the generated rules in the speci ed le XML le, execute the following command:

KAVSHELL APPCONTROL /GENERATE c:\folder /masks:edms /export:c\rules\appctrlrules.xml

You can use command-line parameters/options to con gure automatic rule generation settings for the
Applications Launch Control task (see the table below).

KAVSHELL APPCONTROL /GENERATE command-line parameters/options

Parameter/option Description

Allowing rules scope

<path to folder> Specify the path to the folder with executable les for which allowing rules will be
automatically generated.

/source: <path to Specify the path to a TXT le with a list of folders with executable les for which
le with folders allowing rules will be automatically generated.
list>

/masks: <edms> Specify the extensions of executable les for which allowing rules will be automatically
generated.
You can include les with the following extensions in the rules scope:
e - EXE les

d - DLL les

m - MSI les

s - scripts

/runapp When generating allowing rules, account for applications currently running on the
protected device.
Actions when automatically generating allowing rules

/rules: <ch|cp|h> Specify actions to perform while generating allowing rules for the Applications Launch
Control task:
ch – Use the digital certi cate. If the certi cate is missing, use the SHA256 hash.

cp – Use the digital certi cate. If the certi cate is missing, use the path to the
executable le.

h - Use the SHA256 hash.

/strong Use the digital certi cate's subject and thumbprint while automatically generating
allowing rules for the Applications Launch Control task. The command is executed if the
/rules: <ch|cp> parameter is speci ed.

/user: <user or Specify the user or group of users for which the rules will be applied. The application will
group of users> monitor any applications run by the speci ed user and / or group of users.

597
 Actions on completion of the Rule Generator for Applications Launch Control task

/export: <path to Save the generated rules to an XML le.

XML le>

/unique Add information about the protected device with installed applications that are the
basis for generating the Applications Launch Control allowing rules.

/pre x: <pre x for Specify a pre x for the names of Applications Launch Control allowing rules.
rule names>

/import: <a|r|m> Import the generated rules into the speci ed list of Applications Launch Control rules
according to the selected import rule:
a - Add to existing rules (rules with identical settings are duplicated)

r - Replace existing rules (rules with identical settings are not added; a rule is added
if at least one rule setting is unique)

m - Merge with existing rules (rules with identical settings are not added; a rule is
added if at least one rule setting is unique)

Filling the list of Applications Launch Control rules: KAVSHELL

APPCONTROL
You can use the KAVSHELL APPCONTROL command to add rules from an XML le to the Applications Launch
Control task’s rule list according to the selected import rule and to delete all existing rules from the list.

A password might be required to execute the command. To enter the current password, use [/pwd:
<password>].

KAVSHELL APPCONTROL command syntax

KAVSHELL APPCONTROL /append <path to XML file> | /replace <path to XML file> | /merge
<path to XML file> | /clear

KAVSHELL APPCONTROL command examples

To add rules from an XML le to existing Applications Launch Control rules according to the Add to existing rules
import rule, execute the following command:

KAVSHELL APPCONTROL /append c:\rules\appctrlrules.xml

You can use command-line parameters to select principle to add new rules from the speci ed XML le to the
de ned list of Applications Launch Control rules (see the table below).

KAVSHELL APPCONTROL command-line parameters/options

Parameter/option Description

/append <path to Update the list of Applications Launch Control rules based on the speci ed XML le.
XML le> Import rule - Add to existing rules (rules with identical settings are duplicated).
598
 /replace <path to Update the list of Applications Launch Control rules based on the speci ed XML le.
XML le> Import rule - Replace existing rules (rules with identical settings are not added; a rule is
added if at least one rule setting is unique).

/merge <path to Update the list of Applications Launches Control rules based on the speci ed XML le.
XML le> Import rule - Merge with existing rules (new rules do not duplicate existing rules).

/clear Clear the list of Applications Launch Control rules.

Filling the list of Device Control rules: KAVSHELL DEVCONTROL

You can use the KAVSHELL DEVCONTROL command to add rules from an XML le to the Device Control task's rule
list according to the selected import rule and to delete all existing rules from the list.

A password might be required to execute the command. To enter the current password, use [/pwd:
<password>].

KAVSHELL DEVCONTROL command syntax

KAVSHELL DEVCONTROL /append <path to XML file> | /replace <path to XML file> | /merge
<path to XML file> | /clear

KAVSHELL DEVCONTROL command examples

To add rules from an XML le to the Device Control task's existing rules according to Add to existing rules import
rule, execute the following command:

KAVSHELL DEVCONTROL /append :c:\rules\devctrlrules.xml

You can use command-line parameters to select the import rule used to add new rules from the speci ed XML le
to the de ned list of Device Control rules (see the table below).

KAVSHELL DEVCONTROL command-line parameters/options

Key Description

/append Update the list of Device Control rules based on the speci ed XML le. Import rule - Add to
<path to existing rules (rules with identical settings are duplicated).
XML le>

/replace Update the list of Device Control rules based on the speci ed XML le. Import rule - Replace
<path to existing rules (rules with identical parameters are not added; the rule is added if at least one
XML le> rule setting is unique).

/merge Update the list of Device Control rules based on the speci ed XML le. Import rule - Merge
<path to with existing rules (new rules do not duplicate existing rules).
XML le>

/clear Clear the list of Device Control rules.

599
Starting the Database Update task: KAVSHELL UPDATE
The KAVSHELL UPDATE command can be used to start the Kaspersky Security for Windows Server Database
Update task in synchronous mode.

A Database Update task started using the KAVSHELL UPDATE command is a temporary task. It is only displayed in
the Application Console while being executed. However, a task log is generated and displayed in the Task logs in
the Application Console. Kaspersky Security Center policies may apply to update tasks created and started using
the KAVSHELL UPDATE command and update tasks created in the Application Console. For information about
using Kaspersky Security Center to manage Kaspersky Security for Windows Server on protected devices, see
Section "Managing Kaspersky Security for Windows Server using Kaspersky Security Center".

Environment variables can be used when specifying the path to an update source in this task. If a user environment
variable is used, run the KAVSHELL UPDATE command as the corresponding user.

KAVSHELL UPDATE command syntax

KAVSHELL UPDATE < Path to update source | /AK | /KL> [/NOUSEKL] [/PROXY:<address>:<port>]
[/AUTHTYPE:<0-2>] [/PROXYUSER:<user name>] [/PROXYPWD:<password>] [/NOPROXYFORKL]
[/USEPROXYFORCUSTOM] [/NOFTPPASSIVE] [/TIMEOUT:<seconds>] [/REG:<iso3166 code>] [/W:<path
to task log file>] [/ALIAS:<task alias>]

The KAVSHELL UPDATE command has both mandatory and optional parameters/options (see the following table).

KAVSHELL UPDATE command examples

To start a custom Database Update task, execute the following command:

KAVSHELL UPDATE

To run the Database Update task using update les in the \\server\databases network folder, run the following
command:

KAVSHELL UPDATE \\server\databases

To start a Database Update from the FTP server ftp://dnl-ru1.kaspersky-labs.com/ and write all task events to a le
named c:\update_report.log, execute the following command:

KAVSHELL UPDATE ftp://dnl-ru1.kaspersky-labs.com /W:c:\update_report.log

To download Kaspersky Security for Windows Server database updates from Kaspersky's update server, connect
to the updates source through a proxy server (proxy server address: proxy.company.com, port: 8080). To access
the protected device using the in-built Microsoft Windows NTLM authentication with user name "inetuser" and
password "123456" execute the following command:

KAVSHELL UPDATE /KL /PROXY:proxy.company.com:8080 /AUTHTYPE:1 /PROXYUSER:inetuser

/PROXYPWD:123456

KAVSHELL UPDATE command-line parameters/options

Parameter/option Description

Update source (mandatory parameter). Specify one or more sources. Kaspersky Security for Windows Server
600
will access the sources in the order in which they are listed. Separate sources with a space.

<path in UNC format> User-de ned update source. Path to network update folder in the UNC format.

<URL> User-de ned update source. HTTP or FTP server address where the update
folder is located.

<Local folder> User-de ned update source. Folder on the protected device.

/AK Use the Kaspersky Security Center Administration server as the updates
source.

/KL Use the Kaspersky's update Servers as the update source.

/NOUSEKL Do not use Kaspersky's update servers if other update sources are not
available (used by default).

Proxy server settings

/PROXY:<address>:<port> Network name or IP address of the proxy server and its port. If this parameter is
not speci ed, Kaspersky Security for Windows Server will automatically detect
the proxy server settings used in the local area network.

/AUTHTYPE:<0-2> This parameter speci es the authentication method used to access the proxy
server. It can have the following values:
0 – Microsoft Windows NTLM authentication; Kaspersky Security for Windows
Server will contact the proxy server using the Local system (SYSTEM) account
1 – Microsoft Windows NTLM authentication; Kaspersky Security for Windows
Server will contact the proxy server using the user name and password
speci ed by the /PROXYUSER and /PROXYPWD parameters
2 – Authentication using the user name and password speci ed by the
/PROXYUSER and /PROXYPWD parameters (basic authentication)
If the proxy server does not require authentication, there is no need to specify
this parameter.

/PROXYUSER:<user User name that will be used to access the proxy server. If /AUTHTYPE:0 is
name> speci ed, then the /PROXYUSER:<user name> and /PROXYPWD:<password>
parameters will be ignored.

/PROXYPWD:<password> User password that will be used to access the proxy server. If /AUTHTYPE:0 is
speci ed, then the /PROXYUSER:<user name> and /PROXYPWD:<password>
parameters will be ignored. If the /PROXYUSER parameter is speci ed and the
/PROXYPWD parameter is omitted, the password will be considered an empty
string.

/NOPROXYFORKL Do not use proxy server settings to connect to Kaspersky's update servers
(used by default).

/USEPROXYFORCUSTOM Use proxy server settings to connect to user-de ned update sources (not
used by default).

/USEPROXYFORLOCAL Use proxy server settings to connect to local update sources. If not speci ed,
the Do not use proxy server for local addresses setting will apply.

General FTP and HTTP server settings

/NOFTPPASSIVE If this key is speci ed, Kaspersky Security for Windows Server will use active
FTP server mode to connect to the protected device. If this key is not
speci ed, Kaspersky Security for Windows Server will use the passive FTP
server mode, if possible.

/TIMEOUT:<number of FTP or HTTP server connection timeout. If you do not specify this parameter,
seconds> Kaspersky Security for Windows Server will use the default value of 10
seconds. The value must be a whole number.

601
 /REG:<iso3166 code> Regional settings. This parameter is used when receiving updates from
Kaspersky's update servers. Kaspersky Security for Windows Server minimizes
the load on the protected device by selecting the closest update server.
The value of this parameter should be the ISO 3166-1 alpha-2 code of the
country where the protected device is located, for example /REG: gr or
/REG:US. If this key is omitted or an invalid country code is speci ed, Kaspersky
Security for Windows Server will detect the location of the protected device
based on the regional settings of the protected device where the Application
Console is installed.

/ALIAS:<task alias> This parameter lets you assign a temporary name to the task, allowing you to
reference the task while it runs. For example, task statistics can be viewed
using the TASK command. The task alias must be unique among the task aliases
of all Kaspersky Security for Windows Server components.
If this key is not speci ed, a temporary name in the form update_<kavshell_pid>
is used; for example, update_1234. In the Application Console, the task is
assigned the name "Update-databases <date time>"; for example, Update-
databases 8/16/2007 5:41:02 PM.

/W:<path to task log le> If this parameter is speci ed, Kaspersky Security for Windows Server will save
the task log le using the name speci ed by the parameter value.
The log le contains task execution statistics, the time when the task was
started and completed (stopped), and information about events that occurred
during the task.
The log is used to register events de ned by the task log settings and the
Kaspersky Security for Windows Server event log settings in Event Viewer.
You can specify either the absolute or relative path to the log le. If you specify
only a lename without a path, the log le will be created in the current folder.
Restarting the command with the same log settings will overwrite the existing
log le.
The log le can be viewed while a task is running.
The log appears in the Task logs node of the Application Console.
If Kaspersky Security for Windows Server fails to create the log le, it will
display an error message but will still execute the command.

Return codes for the KAVSHELL UPDATE command.

Rolling back Kaspersky Security for Windows Server database updates:

KAVSHELL ROLLBACK
The KAVSHELL ROLLBACK command can be used to perform a Rollback of Database Update system task (rolls
back Kaspersky Security for Windows Server databases to the previously installed version). The command is
performed synchronously.

Command syntax:

KAVSHELL ROLLBACK

Return codes for the KAVSHELL ROLLBACK command.

Managing log inspection: KAVSHELL TASK LOG-INSPECTOR

602
The KAVSHELL TASK LOG-INSPECTOR command can be used to monitor the integrity of the environment based
on an analysis of the Windows Event Log.

Command syntax

KAVSHELL TASK LOG-INSPECTOR

Command examples

KAVSHELL TASK LOG-INSPECTOR /stop

KAVSHELL TASK LOG-INSPECTOR command-line options

Option Description

/START Start the speci ed task in asynchronous mode.

/STOP Stop the speci ed task.

/STATE Return the current task status (for example, Running, Completed, Paused, Stopped, Failed,
Starting, Resuming)
/STATISTICS Retrieve task statistics - Information about the number of objects processed from the time
the task started.

Return codes for the KAVSHELL TASK LOG-INSPECTOR command.

Activating the application: KAVSHELL LICENSE

Kaspersky Security for Windows Server keys and activation codes can be managed using the KAVSHELL LICENSE
command.

A password might be required to execute the command. To enter the current password, use [/pwd:
<password>].

KAVSHELL LICENSE command syntax

KAVSHELL LICENSE [/ADD:<key file | activation code> [/R] | /DEL:<key | activation code
number>]

KAVSHELL LICENSE command examples

To activate the application, execute the command:

KAVSHELL.EXE LICENSE /ADD: <activation code or key>

To view information on added keys, execute the command:

KAVSHELL LICENSE

To remove an added key with number 0000-000000-00000001, execute the command:

603
KAVSHELL LICENSE /DEL:0000-000000-00000001

The KAVSHELL LICENSE command can run with or without keys (see the table below).

KAVSHELL LICENSE command-line parameters/options

Parameter Description

Without keys The command returns the following information about added keys:
Key.

License type (commercial).

Duration of the license associated with the key.

Key status (active or additional). If the status is *, the key was added as an additional
key.

/ADD:<key le Add a key via the speci ed le or activation code.

name or System environment variables can be used when specifying the path to a key le; user
activation code> environment variables are not allowed.

/R The /R activation code or key is in addition to the /ADD activation code or key and
indicates that the activation code or key being added is an additional activation code or
key.

/DEL:<key or Deletes the key with the speci ed number or activation code.
activation code>

Return codes for the KAVSHELL LICENSE command.

Enabling, con guring and disabling trace logs: KAVSHELL TRACE

The KAVSHELL TRACE command can be used to enable and disable the trace log for all Kaspersky Security for
Windows Server subsystems and to set the log detail level.

Kaspersky Security for Windows Server writes information to trace les and the dump le in unencrypted
form.

KAVSHELL TRACE command syntax

KAVSHELL TRACE </ON /F:<path to trace log file folder> [/S:<maximum log size in
megabytes>] [/LVL:debug|info|warning|error|critical] | /OFF>

If the trace log is enabled and you wish to change its settings, enter the KAVSHELL TRACE command with the /ON
option and use the /S and /LVL parameters to specify the trace log settings (see the table below).

KAVSHELL TRACE command keys

Key Description

/ON Enables the trace log.

/F:<folder with trace log les> This parameter speci es the full path to the folder where trace log
les will be saved (required).
604
 If a path to a non-existent folder is speci ed, no trace log will be
created. Paths to folders on the network drives of other protected
devices cannot be speci ed.
If the path speci ed by the parameter has a space, it needs to be
enclosed in quotes, for example, /F:"C:\Trace Folder".
System environment variables can be used when specifying the path
to the trace log les; user environment variables are not allowed.

/S: <maximum log le size in This key sets the maximum size of a single trace log le. As soon as
megabytes> the log le reaches the maximum size, Kaspersky Security for
Windows Server will start recording information in a new le; the
previous log le will be saved.
If the value of this parameter is not speci ed, the maximum size of
one log le will be 50 MB.

/LVL:debug|info|warning|error|critical This parameter sets the log detail level from maximum (All debug
information), in which all events are recorded in the log, to minimum
(Critical events), in which only critical events are recorded.
If this parameter is not speci ed, all events included in the All debug
information level of detail will be recorded in the trace log.

/OFF This option disables the trace log.

KAVSHELL TRACE command examples

To enable the trace log using the All debug information level of detail and a maximum log size of 200MB, saving
the log le to the "C:\Trace Folder" folder, execute the command:

KAVSHELL TRACE /ON /F:"C:\Trace Folder" /S:200

To enable the trace log using the Important events level of detail, saving the log le to the "C:\Trace Folder" folder,
execute the command:

KAVSHELL TRACE /ON /F:"C:\Trace Folder" /LVL:warning

To disable the trace log, execute the command:

KAVSHELL TRACE /OFF

Return codes for the KAVSHELL TRACE command.

Defragmenting Kaspersky Security for Windows Server log les: KAVSHELL

VACUUM
You can use the KAVSHELL VACUUM command to defragment the application's log les. This helps avoid system
and application errors due to storing a large number of log les containing application events.

A password might be required to execute the command. To enter the current password, use [/pwd:
<password>].

605
We recommend that you apply the KAVSHELL VACUUM command to optimize log le storage in case On-Demand
Scan and update tasks are run frequently. This command causes Kaspersky Security for Windows Server update
the logical structure of the application's log les stored on a protected device at the speci ed path.

By default, the application's log les are stored at "C:\ProgramData\Kaspersky Lab\Kaspersky Security for
Windows Server\11\Reports". If you have manually speci ed another path for storing logs, the KAVSHELL VACUUM
command defragments the les in the folder speci ed in the Kaspersky Security for Windows Server log settings.

Large le sizes increase the time required for the KAVSHELL VACUUM command to complete the defragment
operation.

The Real-Time Protection and Server Control tasks are not available while the KAVSHELL VACUUM command is
executed. The defragmentation process restricts access to the Kaspersky Security for Windows Server log
and prevents event logging. To avoid a reduction in protection, we recommend that you plan when you will run
the KAVSHELL VACUUM command.

To defragment the Kaspersky Security for Windows Server log les, execute the following command:

KAVSHELL VACUUM

This command requires Local System account rights.

Cleaning iSwift base: KAVSHELL FBRESET

Kaspersky Security for Windows Server uses iSwift technology, which lets the application avoid rescanning les
that have not been modi ed since the last scan (Use iSwift technology).

Kaspersky Security for Windows Server creates klamfb.dat and klamfb2.dat les in the "%SYSTEMDRIVE%\System
Volume Information" folder. These les contain information about clean objects that have already been scanned.
The klamfb.dat (klamfb2.dat) le grows with the number of les scanned by Kaspersky Security for Windows
Server. It only contains current information about les in the system: if a le is removed, Kaspersky Security for
Windows Server purges the corresponding information from klamfb.dat.

To clear a le, use the KAVSHELL FBRESET command.

Please keep in mind the following speci cs when using the KAVSHELL FBRESET command:

When using the KAVSHELL FBRESET command to clear the klamfb.dat le, Kaspersky Security for Windows
Server does not pause the protection (unlike what happens if klamfb.dat is deleted manually).

Kaspersky Security for Windows Server may increase the protected device workload after the data in
klamfb.dat is cleared. In this case, Kaspersky Security for Windows Server scans all les accessed for the rst
time after klamfb.dat is cleared. After the scan, Kaspersky Security for Windows Server puts information about
each scanned object back into klamfb.dat. If there are new attempts to access an object, iSwift technology
prevents rescanning of the le if it has not been changed.

The KAVSHELL FBRESET command is available only if the command-line interpreter is started under the
SYSTEM account.

606
Enabling and disabling dump le creation: KAVSHELL DUMP
You can use the KAVSHELL DUMP command to enable or disable creation of snapshots (dump les) of Kaspersky
Security for Windows Server processes if they terminate abnormally (see the following table). Additionally, you can
create a dump le of running Kaspersky Security for Windows Server processes at any time.

To create a dump le successfully, the KAVSHELL DUMP command must be executed under the local system
account (SYSTEM).

Kaspersky Security for Windows Server writes information to trace les and the dump le in unencrypted
form.

The KAVSHELL DUMP command can not be used for x64 processes.

KAVSHELL DUMP command syntax

KAVSHELL DUMP </ON /F:<folder with the dump file>|/SNAPSHOT /F:< folder with the dump
file> / P:<pid> | /OFF>

KAVSHELL DUMP command-line parameters/options

Key Description

/ON Enables creation of a dump le if a process terminates abnormally.

/F:<path to This is a mandatory parameter. It speci es the path to the folder where the dump le will
folder with be saved. Paths to folders on the network drives of other unprotected devices are not
dump les> allowed.
System environment variables can be used when specifying the path to the folder for the
dump le; user environment variables are not allowed.

/SNAPSHOT Takes a snapshot of the memory of the running process with the speci ed PID and saves
the dump le in the folder speci ed by the /F parameter.

/P The process identi er (PID) is displayed in the Microsoft Windows Task Manager.

/OFF Disables the creation of a dump le if a process terminates abnormally.

Return codes for the KAVSHELL DUMP command.

KAVSHELL DUMP command examples

To enable creation of a dump le; saving the dump le to the "C:\Dump Folder" folder, execute the command:

KAVSHELL DUMP /ON /F:"C:\Dump Folder"

To make a dump for the process with ID 1234 in the "C:/Dumps" folder, execute the command:

KAVSHELL DUMP /SNAPSHOT /F:C:\dumps /F:1234

607
To disable creation of dump les, execute the command:

KAVSHELL DUMP /OFF

Importing settings: KAVSHELL IMPORT

The KAVSHELL IMPORT command lets you import the settings of Kaspersky Security for Windows Server and its
current tasks from a con guration le to a copy of Kaspersky Security for Windows Server on the protected
device. A con guration le can be created using the KAVSHELL EXPORT command.

A password might be required to execute the command. To enter the current password, use [/pwd:
<password>].

KAVSHELL IMPORT command syntax

KAVSHELL IMPORT <name of configuration file and path to file>

KAVSHELL IMPORT command examples

KAVSHELL IMPORT Host1.xml

KAVSHELL IMPORT command-line parameter

Parameter Description

<name of con guration le Name of con guration le used as the import source for settings.
and path to le>
System environment variables can be used when specifying the path to the
le; user environment variables are not allowed.

Return codes for the KAVSHELL IMPORT command.

Exporting settings: KAVSHELL EXPORT

The KAVSHELL EXPORT command lets you export all of the settings of Kaspersky Security for Windows Server
and its current tasks to a con guration le in order to import them later into copies of Kaspersky Security for
Windows Server installed on another protected device.

KAVSHELL EXPORT command syntax

KAVSHELL EXPORT <name of configuration file and path to file>

KAVSHELL EXPORT command examples

KAVSHELL EXPORT Host1.xml

KAVSHELL EXPORT command-line parameters

Parameter Description

608
 <name of con guration le Name of the con guration le that will contain the settings.
and path to le>
Any le extension can be assigned to the con guration le.
System environment variables can be used when specifying the path to the
le; user environment variables are not allowed.

Return codes for the KAVSHELL EXPORT command.

Integration with Microsoft Operations Management Suite: KAVSHELL

OMSINFO
You can use the KAVSHELL OMSINFO command to review the status of the application and information about
threats detected by anti-virus databases and the KSN service. The information about threats is taken from the
available event logs.

KAVSHELL OMSINFO command syntax

KAVSHELL OMSINFO <full path to generated file with file name>

KAVSHELL OMSINFO command examples

KAVSHELL OMSINFO C:\Users\Admin\Desktop\omsinfo.json

KAVSHELL OMSINFO command-line parameter

Parameter Description

<path to generated le Name of the generated le that will contain information about the application
with le name> status and any detected threats.

Managing the Baseline File Integrity Monitor task: KAVSHELL FIM

/BASELINE
You can use the KAVSHELL FIM /BASELINE command to con gure the mode in which the Baseline File Integrity
Monitor task runs and monitors the loading of DLL modules.

A password might be required to execute the command. To enter the current password, use [/pwd:
<password>].

KAVSHELL FIM /BASELINE command syntax

KAVSHELL FIM /BASELINE [/CREATE: [<monitoring scope> | /L:<path to TXT file containing
the list of monitoring areas>] [/MD5 | /SHA256] [/SF]] | [/CLEAR [/BL:<baseline id> |
/ALIAS:<existing alias>]] | [/EXPORT:<path to TXT file> [/BL:<baseline id> | /ALIAS:
<existing alias>]] | [/SHOW [/BL:<baseline id> | /ALIAS:<existing alias>]] | [/SCAN [/BL:
<baseline id> | /ALIAS:<existing alias>]] | [/PWD:<password>]

609
KAVSHELL FIM /BASELINE command examples

To delete a baseline, run the following command:

KAVSHELL FIM /BASELINE /CLEAR /BL:<baseline id>

You can con gure Baseline File Integrity Monitor task settings using the command-line parameters (see the table
below).

KAVSHELL FIM/ BASELINE command-line parameters/options

Parameter/option Description

/CREATE Create a new Baseline File Integrity Monitor task.

Kaspersky Security for Windows Server will start the new

Baseline File Integrity Monitor task in order to create a baseline.

/L Specify the path to the TXT le containing the list of monitoring

areas.

/MD5 Specify the MD5 algorithm for calculating a checksum (optional

parameter).
/MD5 parameter can not be used together with /SHA256.
MD5 algorithm is used by default.
/SHA256 Specify the SHA256 algorithm for calculating a checksum
(optional parameter).
/SHA256 parameter can not be used together with /MD5.
MD5 algorithm is used by default.
/SF Includes all subfolders in the Baseline File Integrity Monitor task
scope (optional parameter).
By default all subfolders are excluded from the Baseline File
Integrity Monitor task scope.

/CLEAR Delete the baseline with speci ed <baseline id> or the

baseline for the task with speci ed <existing alias>.
Delete all baselines if neither <baseline id> nor <existing
alias> was speci ed.
Optional parameter.
/BL Specify the unique ID of a baseline (optional parameter).

/EXPORT Export the data about all baselines in a TXT le.

/SHOW Show data about all baselines.

/SCAN Start the new Baseline File Integrity Monitor task with speci ed
<baseline id> or speci ed <existing alias>.

/ALIAS Specify the name of an existing task or the name for a new task.

<monitoring scope> Specify the le or folder that you want to include in the Baseline
File Integrity Monitor task scope.

This parameter allows to specify only one area.

<path to TXT file containing Specify the path to the TXT le containing the list of monitoring
the list of monitoring areas> areas.
610
 The le must be UTF-8 encoded, and each path to a monitoring
area must be speci ed in a separate row.

<path to TXT file> Specify the path to the le to which you want to export the data
about all baselines.

<baseline id> Specify the unique ID of a baseline.

You can use the /SHOW parameter to learn the ID of a baseline.

<existing alias> Specify the name of an existing task.

<new alias> Specify the name of a new task.

Command return codes

Return code for the KAVSHELL START and KAVSHELL STOP commands
Return code for the KAVSHELL START and KAVSHELL STOP commands

Return Description
code

0 Operation completed successfully

-3 Permission error

-5 Invalid command syntax

-6 Invalid operation (for example, the Kaspersky Security Service is already running or already
stopped)

-7 Service not registered

-8 Automatic Service startup is disabled.

-9 Attempt to start the protected device under another user account failed (by default, the
Kaspersky Security Service runs under the Local system user account)

-99 Unknown error

Return code for KAVSHELL SCAN and KAVSHELL SCANCRITICAL

commands
Return code for the KAVSHELL SCAN and KAVSHELL SCANCRITICAL commands

Return code Description

0 Operation completed successfully (no threats detected)

1 Operation canceled

-2 Service not running

-3 Permission error

-4 Object not found ( le with the list of scan scopes not found)

-5 Invalid command syntax or scan scope not de ned

611
 -80 Infected and other objects detected

-81 Probably infected objects detected

-82 Processing errors detected

-83 Unscanned objects found

-84 Corrupted objects detected

-85 Failed to create task log

-99 Unknown error

-301 Invalid key

Return codes for the KAVSHELL TASK LOG-INSPECTOR command

Return code for the KAVSHELL TASK LOG-INSPECTOR command

Return Description
code

0 Operation completed successfully

-6 Invalid operation (for example, the Kaspersky Security Service is already running or already
stopped)

402 Task is already running (for the /STATE option)

Return codes for the KAVSHELL TASK command

Return codes for the KAVSHELL TASK command

Return code Description

0 Operation completed successfully

-2 Service not running

-3 Permission error

-4 Object not found (task not found)

-5 Invalid command syntax

-6 Invalid operation (for example, task not running, already running, or cannot be paused)

-99 Unknown error

-301 Invalid key

401 Task not running (for the /STATE option)

402 Task already running (for the /STATE option)

403 Task already paused (for the /STATE option)

-404 Operation failed (a change in task status resulted in a crash)

612
Return codes for the KAVSHELL RTP command
Return codes for the KAVSHELL RTP command

Return code Description

0 Operation completed successfully

-2 Service not running

-3 Permission error

-4 Object not found (one or all of the Real-Time Server Protection tasks not found)

-5 Invalid command syntax

-6 Invalid operation (for example, the task is already running or already stopped)

-99 Unknown error

-301 Invalid key

Return codes for the KAVSHELL UPDATE command

Return codes for the KAVSHELL UPDATE command

Return Description
code

0 Operation completed successfully

200 All objects are up-to-date (database or program components are current)

-2 Service not running

-3 Permission error

-5 Invalid command syntax

-99 Unknown error

-206 Extension les are missing in the speci ed source or have unknown format

-209 Error while connecting to the update source

-232 Authentication error while connecting to proxy server

-234 Error while connecting to Kaspersky Security Center

-235 Kaspersky Security for Windows Server was not authenticated when connecting to the
update source

-236 Application database is corrupted

-301 Invalid key

Return codes for the KAVSHELL ROLLBACK command

Return codes for the KAVSHELL ROLLBACK command

Return code Description

613
 0 Operation completed successfully

-2 Service not running

-3 Permission error

-99 Unknown error

-221 Backup copy of database not found or corrupted

-222 Backup copy of database corrupted

Return codes for the KAVSHELL LICENSE command

Return codes for the KAVSHELL LICENSE command

Return code Description

0 Operation completed successfully

-2 Service not running

-3 Insu icient privileges to manage keys

-4 Key with speci ed number not found

-5 Invalid command syntax

-6 Invalid operation (key already added)

-99 Unknown error

-301 Invalid key

-303 License applies to a di erent application

Return codes for the KAVSHELL TRACE command

Return codes for the KAVSHELL TRACE command

Return Description
code

0 Operation completed successfully

-2 Service not running

-3 Permission error

-4 Object not found (path speci ed for the trace log folder not found)

-5 Invalid command syntax

-6 Invalid operation (attempt to execute the KAVSHELL TRACE /OFF command when trace logs
are already disabled)

-99 Unknown error

Return codes for the KAVSHELL FBRESET command

614
Return codes for the KAVSHELL FBRESET command

Return code Description

0 Operation completed successfully

-99 Unknown error

Return codes for the KAVSHELL DUMP command

Return codes for the KAVSHELL DUMP command

Return Description
code

0 Operation completed successfully

-2 Service not running

-3 Permission error

-4 Object not found (path speci ed for dump le folder not found; process with speci ed PID not
found)

-5 Invalid command syntax

-6 Invalid operation (attempt of KAVSHELL DUMP/OFF command execution if dump le creation is

already disabled)

-99 Unknown error

Return codes for the KAVSHELL IMPORT command

Return codes for the KAVSHELL IMPORT command

Return Description
code

0 Operation completed successfully

-2 Service not running

-3 Permission error

-4 Object not found (unable to nd a con guration le that can be imported)

-5 Invalid syntax

-99 Unknown error

501 Operation completed successfully with an error/comment, for example, Kaspersky Security for
Windows Server did not import parameters for some functional component

-502 Import le is missing or has an unrecognized format

-503 Incompatible settings (con guration le exported from a di erent program or a later and
incompatible version of Kaspersky Security for Windows Server)

Return codes for the KAVSHELL EXPORT command

615
Return codes for the KAVSHELL EXPORT command

Return Description
code

0 Operation completed successfully

-2 Service not running

-3 Permission error

-5 Invalid syntax

-10 Unable to create a con guration le (for example no access to the folder speci ed in the path to
the le)

-99 Unknown error

501 Operation completed successfully with an error/comment, for example, Kaspersky Security for
Windows Server did not export parameters for some functional component

Return codes for the KAVSHELL FIM /BASELINE command

Return codes for the KAVSHELL FIM /BASELINE command

Return Description
code

0 Operation completed successfully

-2 Service not running

-3 Permission error

-4 Object not found (task not found)

-5 Invalid command syntax

-6 Invalid operation (for example, the baseline already was deleted)

-10 Unable to create a con guration le (for example no access to the folder speci ed in the path
to the le)

-12 Invalid password

-80 Inconsistent with the baseline objects detected

-85 Failed to create task log

-99 Internal error

-303 Invalid license key

-502 Task not running

200 All objects are consistent with the baseline

501 Task completed successfully with an error/comment

616
Contacting Technical Support
This section describes the ways to receive technical support and the conditions on which it is available.

How to get technical support

If you cannot nd a solution to your problem in the application documentation or in one of the sources of
information about the application, we recommend that you contact Technical Support. Technical Support
specialists will answer your questions about installing and using the application.

Technical support is available only to users who have purchased a commercial license for the application. Technical
support is not available to users who have a trial license.

Before contacting Technical Support, please read through the Technical Support rules .

You can contact Technical Support by sending a request to Kaspersky Technical Support through the Kaspersky
CompanyAccount portal .

Technical Support via Kaspersky CompanyAccount

Kaspersky CompanyAccount is a portal for companies that use Kaspersky applications. Kaspersky
CompanyAccount is designed to facilitate interaction between users and Kaspersky specialists via online requests.
Kaspersky CompanyAccount lets you monitor the progress of electronic request processing by Kaspersky
specialists and store a history of electronic requests.

You can register all of your organization's employees under a single user account on Kaspersky CompanyAccount.
A single account lets you centrally manage electronic requests from registered employees to Kaspersky and also
manage the privileges of these employees via Kaspersky CompanyAccount.

Kaspersky CompanyAccount is available in the following languages:

English

Spanish

Italian

German

Polish

Portuguese

Russian

French

Japanese

To learn more about Kaspersky CompanyAccount, visit the Technical Support website .
617
Using trace les and AVZ scripts
After you report a problem to Kaspersky Technical Support specialists, they may ask you to generate a report with
information about the operation of Kaspersky Security for Windows Server and to send it to Kaspersky Technical
Support. Kaspersky Technical Support specialists may also ask you to create a trace le. The trace le allows
following the process of how application commands are performed, step by step, in order to determine the stage
of application operation at which an error occurs.

After analyzing the data you send, Kaspersky Technical Support specialists can create an AVZ script and send it to
you. With AVZ scripts, it is possible to analyze active processes for threats, scan the protected device for threats,
disinfect or delete infected les, and create system scan reports.

Providing extended diagnostic information to the Technical Support

specialists
For more e ective support and troubleshooting of application problems, Technical Support specialists may ask
you to change application settings temporarily for purposes of debugging during diagnostics. This may require
doing the following:

Activating the functionality that processes and stores extended diagnostic information.

Fine-tuning the settings of individual software components, which are not available via standard user interface
elements.

Changing the settings of storage and transmission of diagnostic information that was processed.

Con guring the interception and logging of network tra ic.

All information required to perform the listed actions (description of the sequence of steps, changeable settings,
con guration les, scripts, additional command line features, debugging modules, specialized utilities, etc.), as well
as the composition of data analyzed for debugging purposes, will be announced by the Technical Support
specialists. The advanced diagnostic information is stored on the user computer. Automatic transfer of the stored
data to Kaspersky is not performed.

The actions listed above can only be performed under the guidance of the Technical Support specialists
following the instructions received from them. Unassisted modi cation of the application settings in the ways
not described in the application documentation or in the recommendations from the Technical Support
specialists can lead to slowdowns and malfunctions of the operating system, decrease of the computer
protection level, as well as to a violation of the availability and integrity of the processed information.

618
Glossary

Active key
A license key that is currently used by the application.

Administration Server
A component of Kaspersky Security Center that centrally stores information about all Kaspersky applications that
are installed on the corporate network. It can also be used to manage these applications.

Anti-virus databases
Databases that contain information about computer security threats known to Kaspersky as of when the anti-
virus databases are released. Entries in anti-virus databases allow malicious code to be detected in scanned
objects. Anti-virus databases are created by Kaspersky specialists and updated hourly.

Archive
One or more le(s) packaged into a single le through compression. A dedicated application, called an archiver, is
required for packing and unpacking the data.

Backup
A special storage for backup copies of les, which are created before disinfection or deletion is attempted.

Disinfection
A method of processing infected objects that results in full or partial recovery of data. Not all infected objects can
be disinfected.

Event severity
Property of an event encountered during the operation of a Kaspersky application. There are the following severity
levels:

Critical event

Functional failure

Warning

619
 Info

Events of the same type can have di erent severity levels depending on the situation in which the event occurred.

False positive
A situation when a Kaspersky application considers a non-infected object to be infected because the object's
code is similar to that of a virus.

File mask
Representation of a le name using wildcards. The standard wildcards used in le masks are * and ?, where *
represents any number of any characters and ? stands for any single character.

Heuristic analyzer
A technology for detecting threats about which information has not yet been added to Kaspersky databases. The
heuristic analyzer detects objects whose behavior in the operating system may pose a security threat. Objects
detected by the heuristic analyzer are considered to be probably infected. For example, an object may be
considered probably infected if it contains sequences of commands that are typical of malicious objects (open
le, write to le).

Infectable le
A le that, due to its structure or format, can be used by criminals as a "container" to store and spread malicious
code. As a rule, these are executable les, with such le extensions as .com, .exe, and .dll. The risk of penetration of
malicious code into such les is quite high.

Infected object
An object of which a portion of code completely matches part of the code of known malware. Kaspersky does not
recommend accessing such objects.

Kaspersky Security Network (KSN)

An infrastructure of cloud services that provides access to the Kaspersky database with constantly updated
information about the reputation of les, web resources, and software. Kaspersky Security Network ensures faster
responses by Kaspersky applications to threats, improves the performance of some protection components, and
reduces the likelihood of false positives.

License term

620
A time period during which you have access to the application features and rights to use additional services. The
services you can use depend on the type of the license.

Local task
A task de ned and running on a single client computer.

OLE object
An object attached to another le or embedded into another le through the use of the Object Linking and
Embedding (OLE) technology. An example of an OLE object is a Microsoft O ice Excel® spreadsheet embedded
into a Microsoft O ice Word document.

Policy
A policy determines an application's settings and manages the ability to con gure that application on computers
within an administration group. An individual policy must be created for each application. You can create multiple
policies for applications installed on computers in each administration group, but only one policy can be applied at
a time to each application within an administration group.

Protection status
Current protection status, which re ects the level of computer security.

Quarantine
The folder to which the Kaspersky application moves probably infected objects that have been detected. Objects
are stored in Quarantine in encrypted form in order to avoid any impact on the computer.

Real-time protection
The application's operating mode under which objects are scanned for the presence of malicious code in real time.

The application intercepts all attempts to open any object (read, write, or execute) and scans the object for
threats. Uninfected objects are passed on to the user; objects containing threats or probably infected objects are
processed according to the task settings (disinfected, deleted or quarantined).

Security level
The security level is de ned as a pre-con gured set of application component settings.

621
SIEM
A technology that analyzes security events originating from various network devices and applications.

Startup objects
A set of applications needed for the operating system and software that is installed on the computer to start and
operate correctly. These objects are executed every time the operating system is started. There are viruses
capable of infecting such objects speci cally, which may lead, for example, to blocking of operating system startup.

Task
Functions performed by the Kaspersky application are implemented as tasks, such as: Real-time le protection, Full
computer scan, and Database update.

Task settings
Application settings that are speci c for each task type.

Update
The procedure of replacing / adding new les (databases or application modules) retrieved from the Kaspersky
update servers.

Vulnerability
A aw in an operating system or an application that may be exploited by malware makers to penetrate the
operating system or application and corrupt its integrity. Presence of a large number of vulnerabilities in an
operating system makes it unreliable, because viruses that penetrate the operating system may cause disruptions
in the operating system itself and in installed applications.

622
Information about third-party code
Information about third-party code is contained in the le legal_notices.txt, in the application installation folder.

623
Trademark notices
Registered trademarks and service marks are the property of their respective owners.

Apache and the Apache feather logo are trademarks of The Apache Software Foundation.

Citrix, XenApp, and XenDesktop are trademarks of Citrix Systems, Inc. and/or one or more of its subsidiaries, and
may be registered in the United States Patent and Trademark O ice and in other countries.

Dell and Dell Compellent are trademarks of Dell, Inc. or its subsidiaries.

Dropbox is a trademark of Dropbox, Inc.

EMC, Celerra, Isilon, OneFS, and VNX are either registered trademarks or trademarks of EMC Corporation in the
United States and/or other countries.

Hitachi is a trademark of Hitachi, Ltd.

IBM and System Storage are trademarks of International Business Machines Corporation, registered in many
jurisdictions worldwide.

Linux is the registered trademark of Linus Torvalds in the U.S. and other countries.

Microsoft, Active Directory, Internet Explorer, Excel, Hyper-V, JScript, MultiPoint, Outlook, PowerShell, Windows,
Windows Server, and Windows Vista are registered trademarks of Microsoft Corporation in the United States and
other countries.

NetApp and Data ONTAP are trademarks or registered trademarks of NetApp, Inc. in the United States and/or
other countries.

Oracle is a registered trademark of Oracle and/or its a iliates.

UNIX is a registered trademark in the United States and other countries, licensed exclusively through X/Open
Company Limited.

624