KASC Administrator Guide Full

Kaspersky Security Center 10
Administrator's Guide
Application version: 10 Service Pack 2

Dear User,
Thank you for choosing our product. We hope that this document will help you in your work and will
provide answers regarding this software product.
Warning! This document is the property of Kaspersky Lab: All rights to this document are protected
by the copyright laws of the Russian Federation and by international treaties. Illegal reproduction or
distribution of this document or parts hereof will result in civil, administrative, or criminal liability
under applicable law.
Any type of reproduction or distribution of any materials, including translations, is allowed only with
the written permission of Kaspersky Lab.
This document, and graphic images related to it, may only be used for informational, non-
commercial, and personal purposes.
This document may be amended without additional notification. The latest version of this document
can be found on the Kaspersky Lab website, at http://www.kaspersky.com/docs.
Kaspersky Lab assumes no liability for the content, quality, relevance, or accuracy of any materials
used herein the rights to which are owned by third parties, or for any potential damages associated
with the use of such documents.
Document revision date: 1/18/2016
2016 AO Kaspersky Lab. All Rights Reserved.
http://www.kaspersky.com
https://help.kaspersky.com
http://support.kaspersky.com
Table of Contents
About this document ...................................................................................................... 14
In this document ........................................................................................................ 14
Document conventions .............................................................................................. 18
Sources of information about the application ................................................................. 20
Sources for unassisted search of information ............................................................ 20
Discussing Kaspersky Lab applications on the forum ................................................ 22
Kaspersky Security Center ............................................................................................ 23
What's new ................................................................................................................ 24
Distribution kit ............................................................................................................ 28
Hardware and software requirements ........................................................................ 28
Application interface ...................................................................................................... 42
Main application window ............................................................................................ 43
Console tree .............................................................................................................. 44
Workspace................................................................................................................. 48
Workspace elements ............................................................................................. 50
Set of information blocks ....................................................................................... 52
Data filtering block ..................................................................................................... 52
Context menu ............................................................................................................ 54
Configuring the interface............................................................................................ 54
Application licensing ...................................................................................................... 57
About the End User License Agreement.................................................................... 57
About the license ....................................................................................................... 58
About the license certificate ....................................................................................... 59
About key................................................................................................................... 59
Kaspersky Security Center licensing options ............................................................. 60
About restrictions of the main functionality ................................................................ 63
About the activation code .......................................................................................... 64
About the key file ....................................................................................................... 65
About the subscription ............................................................................................... 65
Administration Server Quick Start Wizard ...................................................................... 67
Basic concepts............................................................................................................... 68
Administration Server ................................................................................................ 68
Administration Server hierarchy ................................................................................. 69
Virtual Administration Server ..................................................................................... 70
Mobile device server .................................................................................................. 71
Web server ................................................................................................................ 72
Network Agent Administration group ......................................................................... 73
Administrator's workstation ........................................................................................ 75
Application administration plug-in .............................................................................. 75
Policies, application settings, and tasks .................................................................... 75
How local application settings relate to policies ......................................................... 78
Update Agent............................................................................................................. 79
Managing Administration Servers .................................................................................. 82
Connecting to an Administration Server and switching between Administration
Servers ...................................................................................................................... 82
Access rights to Administration Server and its objects .............................................. 84
Conditions of connection to an Administration Server via the Internet ....................... 86
Secure connection to Administration Server .............................................................. 86
Administration Server certificate ............................................................................ 87
Administration Server authentication during client computer connection .............. 87
Administration Server authentication during Administration Console connection .. 88
Disconnecting from an Administration Server ............................................................ 88
Adding an Administration Server to the console tree ................................................. 89
Removing an Administration Server from the console tree ........................................ 89
Changing an Administration Server service account. Utility tool klsrvswch ............... 89
Viewing and modifying the settings of an Administration Server ............................... 91
Adjusting the general settings of Administration Server ........................................ 91
Event processing and storage on the Administration Server ................................. 92
Control of virus outbreaks...................................................................................... 92
Limiting traffic ........................................................................................................ 93
Configuring cooperation with Cisco Network Admission Control (NAC) ................ 93
Configuring Web Server ........................................................................................ 94
Working with internal users ................................................................................... 94
Table of Contents
4
Managing administration groups .................................................................................... 95
Creating administration groups .................................................................................. 96
Moving administration groups .................................................................................... 97
Deleting administration groups .................................................................................. 98
Automatic creation of a structure of administration groups ........................................ 99
Automatic installation of applications to computers in an administration group ....... 101
Managing applications remotely .................................................................................. 102
Managing policies .................................................................................................... 102
Creating policies .................................................................................................. 104
Displaying inherited policy in a subgroup ............................................................ 105
Activating a policy ................................................................................................ 105
Activating a policy automatically at the Virus outbreak event .............................. 106
Applying an out-of-office policy............................................................................ 106
Deleting a policy .................................................................................................. 106
Copying a policy .................................................................................................. 107
Exporting a policy ................................................................................................ 107
Importing a policy ................................................................................................ 108
Converting policies .............................................................................................. 108
Managing policy profiles .......................................................................................... 109
About the policy profile ........................................................................................ 109
Creating a policy profile ....................................................................................... 111
Modifying a policy profile ..................................................................................... 112
Deleting a policy profile ....................................................................................... 114
Managing tasks ....................................................................................................... 114
Creating a group task .......................................................................................... 116
Creating an Administration Server task ............................................................... 116
Creating a task for a set of computers ................................................................. 117
Creating a local task ............................................................................................ 118
Displaying an inherited group task in the workspace of a nested group .............. 119
Starting client computers automatically before launching a task ......................... 119
Turning off the computer after a task is complete................................................ 120
Limiting task run time .......................................................................................... 120
Exporting a task................................................................................................... 121
Importing a task ................................................................................................... 121
Table of Contents
5
Converting tasks .................................................................................................. 122
Starting and stopping a task manually ................................................................. 122
Pausing and resuming a task manually ............................................................... 123
Monitoring task execution .................................................................................... 124
Viewing task run results stored on Administration Server ................................... 124
Configuring filtering of information about task run results .................................... 124
Viewing and changing local application settings ...................................................... 125
Managing client computers .......................................................................................... 126
Connecting client computers to Administration Server ............................................ 127
Connecting a client computer to Administration Server manually. Klmover utility .... 128
Tunneling the connection between a client computer and Administration Server .... 130
Remote connection to the desktop of a client computer .......................................... 130
Configuring the restart of a client computer ............................................................. 133
Audit of actions on a remote client computer ........................................................... 134
Checking the connection between a client computer and Administration Server ..... 135
Automatic check of connection between a client computer and Administration
Server .................................................................................................................. 135
Manual check of connection between a client computer and Administration
Server. Klnagchk utility ........................................................................................ 136
Identifying client computers on Administration Server ............................................. 137
Adding computers to an administration group ......................................................... 138
Changing Administration Server for client computers .............................................. 139
Remote turning on, turning off and restarting client computers ............................... 140
Sending a message to the users of client computers .............................................. 140
Controlling changes in the status of virtual machines .............................................. 141
Automatic computer tagging .................................................................................... 142
Remote diagnostics of client computers. Kaspersky Security Center remote
diagnostics utility ..................................................................................................... 143
Connecting the remote diagnostics utility to a client computer ............................ 144
Enabling and disabling tracing, downloading the trace file .................................. 147
Downloading application settings ........................................................................ 147
Downloading event logs ...................................................................................... 148
Starting diagnostics and downloading its results ................................................. 148
Starting, stopping and restarting applications ...................................................... 149
Table of Contents
6
Managing user accounts .............................................................................................. 150
Handling user accounts ........................................................................................... 150
Adding a user account ............................................................................................. 151
Adding a user group ................................................................................................ 152
Adding a user to a group ......................................................................................... 153
Configuring rights. User roles .................................................................................. 153
Adding a user role ............................................................................................... 154
Assigning a role to a user or a user group ........................................................... 155
Appointing the user as a computer owner ............................................................... 156
Delivering messages to users.................................................................................. 157
Viewing the list of user mobile devices .................................................................... 157
Installing a certificate for a user ............................................................................... 158
Viewing the list of certificates handed to a user ....................................................... 158
Working with reports, statistics, and notifications ......................................................... 159
Working with reports ................................................................................................ 159
Creating a report template ................................................................................... 160
Creating and viewing a report.............................................................................. 160
Saving a report .................................................................................................... 161
Creating a report delivery task ............................................................................. 161
Working with the statistical information .................................................................... 162
Configuring event notification .................................................................................. 163
Creating a certificate for an SMTP server ................................................................ 165
Event selections ...................................................................................................... 166
Viewing an event selection .................................................................................. 166
Customizing an event selection ........................................................................... 167
Creating an event selection ................................................................................. 167
Exporting event selection to text file .................................................................... 168
Deleting events from selection ............................................................................ 168
Exporting events to an SIEM system ....................................................................... 169
Computer selections ................................................................................................ 170
Viewing computer selection ................................................................................. 170
Configuring a computer selection ........................................................................ 171
Creating a computer selection ............................................................................. 171
Exporting settings of a computer selection to file ................................................ 172
Table of Contents
7
Create a computer selection by using imported settings ..................................... 172
Removing computers from administration groups in a selection ......................... 173
Policies .................................................................................................................... 173
Tasks ....................................................................................................................... 173
Unassigned devices ..................................................................................................... 174
Network discovery ................................................................................................... 175
Viewing and modifying the settings for Windows network polling ........................ 176
Viewing and modifying Active Directory group properties ................................... 176
Viewing and modifying the settings for IP subnet polling ..................................... 177
Working with Windows domains. Viewing and changing the domain settings ......... 178
Working with IP subnets .......................................................................................... 178
Creating an IP subnet .......................................................................................... 178
Viewing and changing the IP subnet settings ...................................................... 179
Working with the Active Directory groups. Viewing and modifying group settings ... 179
Creating rules for moving computers to administration groups automatically .......... 180
Using VDI dynamic mode on client computers ........................................................ 180
Enabling VDI dynamic mode in the properties of an installation package for
Network Agent ..................................................................................................... 181
Searching for computers making part of VDI ....................................................... 182
Moving computers making part of VDI to an administration group ...................... 182
Managing applications on client computers ................................................................. 183
Groups of applications ............................................................................................. 183
Creating application categories ........................................................................... 186
Configuring applications launch management on client computers ..................... 186
Viewing the results of statistical analysis of startup rules applied to executable
files ...................................................................................................................... 188
Viewing the applications registry ......................................................................... 188
Creating groups of licensed applications ............................................................. 190
Managing keys for groups of licensed applications ............................................. 190
Kaspersky Anti-Virus software inventory ............................................................. 191
Kaspersky Anti-Virus software inventory ............................................................. 192
Viewing information about executable files.......................................................... 193
Application vulnerabilities ........................................................................................ 193
Viewing information about vulnerabilities in applications ..................................... 194
Scanning applications for vulnerabilities .............................................................. 195
Table of Contents
8
Fixing vulnerabilities in applications .................................................................... 195
Software updates ..................................................................................................... 196
Viewing information about available updates ...................................................... 197
Synchronizing updates from Windows Update with Administration Server ......... 198
Automatic installation of updates for Kaspersky Endpoint Security on client
computers............................................................................................................ 198
Offline model of update download ....................................................................... 201
Enabling and disabling the offline model of update download ............................. 203
Installing updates on client computers manually ................................................. 205
Configuring Windows updates in a Network Agent policy ................................... 207
Remote installation of operating systems and applications.......................................... 208
Creating images of operating systems..................................................................... 210
Adding drivers for Windows Preinstallation Environment (WinPE) .......................... 211
Adding drivers to an installation package with an operating system image ............. 212
Configuring sysprep.exe utility ................................................................................. 213
Deploying operating systems on new networked computers ................................... 213
Deploying operating systems on client computers ................................................... 215
Creating installation packages of applications ......................................................... 215
Issuing a certificate for installation packages of applications ................................... 216
Installing applications to client computers................................................................ 217
Mobile Device Management ........................................................................................ 218
Mobile Device Management using an MDM policy .................................................. 218
Handling commands for mobile devices .................................................................. 220
Commands for mobile device management ........................................................ 221
Using Google Cloud Messaging .......................................................................... 224
Sending commands ............................................................................................. 225
Viewing the statuses of commands in the command log ..................................... 226
Handling certificates ................................................................................................ 227
Installing a certificate ........................................................................................... 227
Configuring certificate handing rules ................................................................... 228
Integration with the public keys infrastructure...................................................... 229
Enabling support of Kerberos Constrained Delegation ........................................ 230
Adding a mobile device to the list of managed devices ........................................... 231
Managing Exchange ActiveSync mobile devices ..................................................... 235
Table of Contents
9
Adding a management profile.............................................................................. 236
Deleting a management profile............................................................................ 237
Viewing information about an EAS device ........................................................... 238
Disconnecting an EAS device from management ............................................... 239
Managing iOS MDM mobile devices ........................................................................ 239
Issuing a certificate for an iOS MDM profile ........................................................ 240
Adding a configuration profile .............................................................................. 241
Installing a configuration profile to a device ......................................................... 242
Removing a configuration profile from a device................................................... 243
Adding provisioning profile .................................................................................. 244
Installing a provisioning profile to a device .......................................................... 245
Removing a provisioning profile from a device .................................................... 246
Adding a managed application ............................................................................ 248
Installing an application on a device .................................................................... 249
Removing an application from a device ............................................................... 250
Installing Kaspersky Safe Browser on a device ................................................... 251
Viewing information about an iOS MDM device .................................................. 252
Disconnecting an iOS MDM device from management ....................................... 253
Managing KES devices............................................................................................ 253
Creating a mobile app package for KES devices ................................................ 254
Enabling two-factor authentication of KES devices ............................................. 255
Viewing information about a KES device ............................................................. 255
Disconnecting a KES device from management ................................................. 256
Self Service Portal ....................................................................................................... 257
About Self Service Portal ......................................................................................... 257
Adding a device ....................................................................................................... 260
Creating an account for Self Service Portal ............................................................. 261
Encryption and data protection .................................................................................... 263
Viewing the list of encrypted devices ....................................................................... 264
Viewing the list of encryption events ........................................................................ 265
Exporting the list of encryption events to a text file .................................................. 266
Creating and viewing encryption reports.................................................................. 266
Table of Contents
10
Managing devices access to an organization's network (Network Access Control,
NAC) ............................................................................................................................ 270
Switching to the NAC settings in the Network Agent properties .............................. 272
Selecting an operation mode for the NAC agent ..................................................... 272
Creating network elements ...................................................................................... 273
Creating network access restriction rules ................................................................ 274
Creating a white list ................................................................................................. 275
Creating a list of allowed network addresses........................................................... 276
Creating accounts to use on the authorization portal ............................................... 277
Configuring the authorization page interface ........................................................... 277
Configuring NAC in a Network Agent policy ............................................................ 278
Inventory of equipment detected on the network ......................................................... 279
Adding information about new devices .................................................................... 280
Configuring criteria used to define enterprise devices ............................................. 281
Updating databases and software modules ................................................................. 282
Creating the task of downloading updates to the repository .................................... 283
Configuring the task of downloading updates to the repository ............................... 284
Verifying downloaded updates................................................................................. 285
Configuring test policies and auxiliary tasks ............................................................ 286
Viewing downloaded updates .................................................................................. 288
Automatic distribution of updates............................................................................. 288
Distributing updates to client computers automatically ........................................ 289
Distributing updates to slave Administration Servers automatically ..................... 290
Installing updates for program modules of Network Agents automatically .......... 291
Assigning computers to act as Update Agents .................................................... 292
Removing a computer from the list of update agents .......................................... 294
Downloading updates by Update Agents ............................................................ 294
Rolling back installed updates ................................................................................. 295
Working with application keys ...................................................................................... 296
Viewing information about keys in use .................................................................... 296
Adding a key to the Administration Server repository .............................................. 297
Deleting an Administration Server key ..................................................................... 298
Deploying a key to client computers ........................................................................ 298
Automatic distribution of a key ................................................................................. 299
Table of Contents
11
Creating and viewing a key usage report................................................................. 300
Data storages .............................................................................................................. 301
Exporting a list of repository objects to a text file ..................................................... 302
Installation packages ............................................................................................... 302
Quarantine and Backup ........................................................................................... 302
Enabling remote management for files in the repositories ................................... 303
Viewing properties of a file placed in repository .................................................. 304
Removing files from repositories ......................................................................... 305
Restoring files from repositories .......................................................................... 305
Saving a file from repositories to disk .................................................................. 306
Scanning files in Quarantine................................................................................ 306
Unprocessed files .................................................................................................... 307
Postponed file disinfection ................................................................................... 307
Saving an unprocessed file to disk ...................................................................... 307
Deleting files from the Unprocessed files folder .................................................. 308
Kaspersky Security Network (KSN) ............................................................................. 309
About KSN ............................................................................................................... 309
About data provision ................................................................................................ 310
Setting up the access to KSN .................................................................................. 311
Enabling and disabling KSN .................................................................................... 312
Viewing the KSN proxy server statistics .................................................................. 313
Contacting Technical Support Service ......................................................................... 315
How to obtain technical support ............................................................................... 315
Technical support by phone..................................................................................... 316
Technical Support via Kaspersky CompanyAccount ............................................... 316
Appendices .................................................................................................................. 318
Advanced features ................................................................................................... 318
Kaspersky Security Center operation automation. Utility tool klakaut .................. 319
Out-of-office users ............................................................................................... 319
Events in application operation............................................................................ 323
Event notifications displayed by running an executable file ................................. 323
Managing Kaspersky Security for Virtualization .................................................. 324
Monitoring the anti-virus protection status using information from the system
registry................................................................................................................. 325
Table of Contents
12
Clusters and server arrays .................................................................................. 326
Searching for computers ..................................................................................... 327
Connecting to client computers through Windows Desktop Sharing ................... 330
About the accounts in use ................................................................................... 330
Custom tools ....................................................................................................... 331
Exporting lists from dialog boxes ......................................................................... 332
Network Agent disk cloning mode ....................................................................... 332
Backup copying and restoration of Administration Server data ........................... 334
Data backup and recovery in interactive mode .................................................... 340
Installing an application using Active Directory group policies............................. 342
Features of using the management interface .......................................................... 343
How to return to a properties window that disappeared ...................................... 344
How to navigate the console tree ........................................................................ 344
How to open the object properties window in the workspace .............................. 344
How to select a group of objects in the workspace .............................................. 345
How to change the set of columns in the workspace ........................................... 345
Reference information ............................................................................................. 345
Using Update Agent as gateway ......................................................................... 346
Using masks in string variables ........................................................................... 347
Context menu commands.................................................................................... 347
About connections manager ................................................................................ 351
User's rights to manage Exchange ActiveSync mobile devices .......................... 352
About the administrator of virtual Server ............................................................. 354
List of managed computers. Description ............................................................. 354
Statuses of computers, tasks, and policies.......................................................... 357
Using regular expressions in the search field ...................................................... 359
Glossary....................................................................................................................... 361
AO Kaspersky Lab ....................................................................................................... 370
Information about third-party code ............................................................................... 372
About NAC/ARP Enforcement technology ................................................................... 373
Enhanced protection with Kaspersky Security Network ............................................... 374
Trademark notices ....................................................................................................... 375
Index ............................................................................................................................ 377
Table of Contents
13
About this document
Kaspersky Security Center 10 ("Kaspersky Security Center") Administrator's Guide is intended for
professionals who install and administer Kaspersky Security Center, as well as for those who
provide technical support to organizations that use Kaspersky Security Center.
This guide provides instructions on how to configure and use Kaspersky Security Center.
This Guide also lists sources of information about the application and ways to get technical support.
In this section:
In this document ........................................................................................................................ 14
Document conventions .............................................................................................................. 18
In this document
Kaspersky Security Center Administrator's Guide contains an introduction, sections that describe
the application interface, settings, and maintenance, sections that describe how to manage main
tasks, and a glossary.
Sources of information about the application (see page 20)
This section describes sources of information about the application and lists websites that you can
use to discuss the application's operation.
Kaspersky Security Center (see page 23)
The section contains information on the purpose of Kaspersky Security Center, and its main
features and components.
Application interface (see page 42)
This section describes the main interface elements of Kaspersky Security Center, as well as how
to configure the interface.
Application licensing (see page 57)
This section provides information about general concepts related to the application activation. This
section describes the purpose of the End User License Agreement, the ways of activating the
application, and how to renew your license.
Quick Start Wizard (see page 67)
This section provides information about the Administration Server Quick Start Wizard operation.
Basic concepts (see page 68)
This section explains basic concepts related to Kaspersky Security Center.
Managing Administration Servers (see page 82)
This section provides information about how to handle Administration Servers and how to configure
them.
Managing administration groups (see page 95)
This section provides information about how to handle administration groups.
Managing applications remotely (see page 102)
This section provides information about how to perform remote management of Kaspersky Lab
applications installed on client computers, using policies, policy profiles, tasks, and local settings of
applications.
Managing client computers (see page 126)
This section provides information about how to handle client computers.
Working with reports, statistics, and notifications (see page 159)
This section provides information about how to handle reports, statistics, and selections of events
and client computers in Kaspersky Security Center, as well as how to configure Administration
Server notifications.
About this document
15
Unassigned devices (see page 174)
This section provides information about how to manage computers on an enterprise network if they
are not included in an administration group.
Managing applications on client computers (see page 183)
This section describes how to manage groups of applications and how to update software and fix
vulnerabilities that Kaspersky Security Center detects on client computers.
Remote installation of operating systems and applications (see page 208)
This section provides information about how to create images of operating systems and deploy
them on client computers over the network, as well as how to perform remote installation of
applications by Kaspersky Lab and other software vendors.
Mobile Device Management (see page 218)
This section describes how to manage mobile devices connected to Administration Server.
Self Service Portal (see page 257)
This section contains information about Self Service Portal. The section provides Self Service
Portal login instructions for users as well as instructions on creating Self Service Portal accounts
and adding mobile devices on Self Service Portal.
Data encryption and protection (see page 263)
This section provides information about how to manage encryption of data stored on hard drives of
various devices and removable drives.
Managing devices access to an organization's network (Network Access Control, NAC) (see
page 270)
This section provides information about how to control devices' access to an organization's
network with access restriction rules and the white list of devices.
Inventory of equipment detected on the network (see page 279)
This section provides information about inventory of hardware connected to the organization's
network.
About this document
16
Updating databases and software modules (see page 282)
This section describes how to download and distribute updates of databases and software
modules using Kaspersky Security Center.
Working with application keys (see page 296)
This section describes the features of Kaspersky Security Center related to handling keys of
managed Kaspersky Lab applications.
Data repositories (see page 301)
This section provides information about data stored on the Administration Server and used for
tracking the condition of client computers and servicing them.
Contacting the Technical Support Service (see page 315)
This section provides information about how to obtain technical support and what conditions should
be met to receive help from the Technical Support Service.
Glossary
This section lists terms used in the guide.
AO Kaspersky Lab (see page 370)
This section provides information about AO Kaspersky Lab.
Information about third-party code (see page 372)
This section provides information about third-party code used in Kaspersky Security Center.
Trademark notice (see page 375)
This section contains registered trademark notices.
Index
This section helps you find necessary data quickly.
About this document
17
Document conventions
Document conventions are used herein (see the table below).
Table 1. Document conventions
Sample text Document conventions description
Warnings are highlighted with red color and boxed. Warnings

Note that...
contain information about actions that may lead to some
unwanted outcome.
Notes are boxed. Notes contain additional and reference

We recommend that you
information.
use...
Examples are given on a blue background under the heading

Example:
"Example".
Update means... The following elements are italicized in the text:
The Databases are out of date New terms.

event occurs.
Names of application statuses and events.
Press ENTER. Names of keyboard keys appear in bold and are capitalized.
Press ALT+F4. Names of keys that are connected by a + (plus) sign indicate
the use of a key combination. Those keys must be pressed
simultaneously.
Click the Enable button. Names of application interface elements, such as entry fields,
menu items, and buttons, are set off in bold.
Introductory phrases of instructions are italicized and

To configure task
schedule: accompanied by the arrow sign.
About this document
18
Sample text Document conventions description
Enter help in the command The following types of text content are set off with a special
line font:
The following message then text in the command line;

appears: text of messages displayed on the screen by the application;
Specify the date in
data that the user have to enter from the keyboard.
dd:mm:yy format.
<User name> Variables are enclosed in angle brackets. Instead of a

variable, the corresponding value must be inserted, with angle
brackets omitted.
About this document
19
Sources of information about the
application
This section lists the sources of information about the application.
You can select the most suitable information source, depending on the issue's level of importance
and urgency.
In this section:
Sources for unassisted search of information ............................................................................ 20
Discussing Kaspersky Lab applications on the forum ................................................................ 22
Sources for unassisted search of

information
You can use the following sources to find information about Kaspersky Security Center:
Kaspersky Security Center page on the Kaspersky Lab website.
Kaspersky Security Center page on the Technical Support Service website.
Online help.
Documentation.
If you cannot find a solution for your issue, we recommend that you contact Kaspersky Lab
Technical Support (see the section "Contacting Technical Support" on page 315).
An Internet connection is required to use online information sources.

Kaspersky Security Center page on the Kaspersky Lab website
On the Kaspersky Security Center page (http://www.kaspersky.com/security-center), you can view

general information about the application, its functions and features.
The Kaspersky Security Center page contains a link to eStore. There you can purchase or renew
the application.
Page of Kaspersky Security Center in the Knowledge Base
Knowledge Base is a section on the Technical Support website.
On the Kaspersky Security Center page (http://support.kaspersky.com/ksc10), you can read

articles that provide useful information, recommendations, and answers to frequently asked
questions on how to purchase, install, and use the application.
Knowledge Base articles can answer questions relating to not only to Kaspersky Security Center
but also to other Kaspersky Lab applications. Knowledge Base articles can also include Technical
Support news.
Online help
The application includes full help files and context help files.
Full help provides information about how to configure and use Kaspersky Security Center.
Use the context help to find information about windows of Kaspersky Security Center, i.e., the
descriptions of various settings of Kaspersky Security Center and the links to the descriptions of
tasks that use those settings.
Help can be included in the application or published online on the Kaspersky Lab web resource. If
Help is published online, the browser window opens when you call it. An Internet connection is
required to view online Help.
Documentation
Application documentation consists of the files of application guides.
The administrator's guide provides information on how to configure and use Kaspersky Security
Center.
Sources of information about the application
21
The implementation guide provides instructions on:
Plan the application installation (taking into account the application operation principles,
system requirements, standard deployment schemes, and features of compatibility with
other applications).
Prepare Kaspersky Security Center for installation, installing and activating the application.
Configure the application after installation.
The Getting Started guide provides information needed to start using the application quickly (a
description of the interface and main tasks that can be performed using Kaspersky Security
Center).
Discussing Kaspersky Lab applications

on the forum
If your question does not require an immediate answer, you can discuss it with the Kaspersky Lab
experts and other users in our forum (http://forum.kaspersky.com).
In this forum you can view existing topics, leave your comments, create new topics.
Sources of information about the application
22
Kaspersky Security Center
The section contains information on the purpose of Kaspersky Security Center, and its main
features and components.
Kaspersky Security Center is designed for centralized execution of basic administration and
maintenance tasks in an organization's network. The application provides the administrator access
to detailed information about the organization's network security level; it allows configuring all the
components of protection built using Kaspersky Lab applications.
Kaspersky Security Center is an application aimed at corporate network administrators and

employees responsible for anti-virus protection in organizations.
Using Kaspersky Security Center, you can:
Create a hierarchy of Administration Servers to manage the organization's network, as well

as networks at remote offices or client organizations.
The client organization is an organization, whose anti-virus protection is ensured by service

provider.
Create a hierarchy of administration groups to manage a selection of client computers as a

whole.
Manage an anti-virus protection system built based on Kaspersky Lab applications.
Create images of operating systems and deploy them on client computers over the
network, as well as performing remote installation of applications by Kaspersky Lab and
other software vendors.
Remotely manage applications by Kaspersky Lab and other software vendors installed on
client devices: install updates, find and fix vulnerabilities.
Perform centralized deployment of keys for Kaspersky Lab applications to client devices,
monitor their use, and renew licenses.
Receive statistics and reports about the operation of applications and devices.
Receive notifications about critical events in the operation of Kaspersky Lab applications.
Control access of devices to an organization's network using access restriction rules and a
white list of devices. NAC agents are used to manage access of devices to an
organization's network.
Manage mobile devices that support Kaspersky Security for Android, Exchange
ActiveSync, or iOS Mobile Device Management (iOS MDM) protocols.
Manage encryption of information stored on the hard drives of devices and removable
drives and users' access to encrypted data.
Perform inventory of hardware connected to the organization's network.
Centrally manage files moved to Quarantine or Backup by anti-virus applications, as well as

objects for which processing by anti-virus applications has been postponed.
In this section:
What's new ............................................................................................................................... 24
Distribution kit ........................................................................................................................... 28
Hardware and software requirements........................................................................................ 28
What's new
Changes introduced in Kaspersky Security Center compared to the previous version:
The option of assigning update agents in accordance with the network topology, not only in
accordance with administration groups, has been implemented (see section "Update agent"
on page 79).
The option of assigning update agents automatically or manually in the Administration

Server properties has been implemented (see section "Assigning computers as update
agents" on page 292).
The option of assigning update agents automatically in a broadcast domain has been
implemented (see section "Update agent" on page 79).
The option of assigning update agents as standby has been implemented (see section
"Update agent" on page 79).
24
Display of the list of Update Agents in the properties of managed computers has been
implemented.
The offline model of update download has been implemented (see section "Offline model of
update download" on page 201).
The Network Agent disk cloning mode for cloning managed computers has been
implemented (see section "Network Agent disk cloning mode" on page 332).
A preset connection profile named "Home Administration Server" has been implemented.
Display of available Kaspersky Security Center updates delivered with patches in the
Software updates folder has been implemented.
The algorithm for automatic distribution of reserve keys has been improved (see section
"Automatic key distribution" on page 299).
Support has been implemented for the application use under subscription (see the section
"About the subscription" on page 65).
The Administration Console appearance has been redesigned (see section "Application
interface" on page 42).
The option of hiding Console tree folders has been implemented (see section "Console
tree" on page 44).
Graphic display of configuration profile distribution has been implemented.
File transfer over HTTP has been implemented to optimize performance.
The Administration Server database has been optimized for system scalability: the number
of supported virtual Administration Servers has been increased.
Traffic decompression during tunneling has been disabled in order to reduce the CPU load
and connect using RDP over the Internet.
Creation and updating of software and hardware inventorying and reporting has been
optimized.
User right reporting has been implemented.
25
A single set of rights and permissions for all applications managed by Kaspersky Security
Center has been implemented.
The option of setting a condition of policy profile activation by computer owner has been
added.
The option of assigning a policy profile to a user group or internal users has been added.
Administrators of virtual Administration Servers have no more read/write/remove rights in

the ACL of master Administration Server users.
Administrators whose rights have been restricted now can access only features that are
required by their working duties.
Restrictions have been imposed on passwords for internal users (see section "Adding a
user account" on page 151).
Logging of external connections and authentication attempts has been implemented.
Administration Server connection check has been implemented.
Connection blocking for TCP ports 13000 and 14000 using Administration Console has
been implemented.
The option of creating automatic tagging rules has been implemented (see section
"Automatic tagging of computers" on page 142).
Graphic presentation of tags in Administration Console has been improved.
Display of information about active policy profiles in the properties of a managed computer
has been implemented.
Selection of application categories in the Kaspersky Endpoint Security for Windows policy
has been implemented in the Application Control section.
Computer owner reporting has been implemented.
The report on the number of whitelisted computers has been implemented.
Display of the version number and patch number of the installed Network Agent and
klnagchk utility has been implemented.
26
The option of connecting Network Agent installed on a computer running Linux to the
Administration Server via a proxy server has been implemented.
Two-way SSL authentication has been implemented for email notification (see section
"Creating a certificate for an SMTP server" on page 165).
The "Tag" field has been added to all collections of settings in order to unify collections of
selection settings, moving rules, and lists.
The collection of settings that Kaspersky Security Center retrieves during hardware
inventorying has been extended.
The mechanism for removal of incompatible software has been improved.
Display of a list of category-related policies in the properties of an application category has

been implemented.
Display of the progress of distribution of user application categories on managed computers

has been implemented.
Deletion of outdated events in case the number of events in the database reaches the
maximum value set by the administrator has been implemented.
Signing of installation packages with certificates has been implemented (see section
"Issuing a certificate for application installation packages" on page 216).
Signing of iOS MDM profiles with certificates has been implemented (see section "Issuing a
certificate for an iOS MDM profile" on page 240).
In the properties of the Mobile devices folder, the Install Kaspersky Safe Browser at the
first connection of the device check box has been added for iOS MDM devices. Support
of the Install Kaspersky Safe Browser command has been implemented for iOS MDM
devices (see section "Installing Kaspersky Safe Browser on a device" on page 251).
Display of the status of the iOS MDM policy being applied has been implemented.
Policy profiles have been added to the iOS MDM policy.
The option of using iOS MDM Mobile device server by multiple virtual Administration
Servers has been implemented.
27
For new installations of Kaspersky Security Center and when upgrading from earlier
versions, if the NAC functionality has never been used, it will be hidden out of the Installer,
thereby becoming unavailable through Administration Console.
The option of forced deletion of applications before an upgrade has been implemented.
The Kaspersky Security Center Administration Server operation in WSUS mode has been
optimized.
Integration of Kaspersky Security Center with Microsoft System Center Operations

Manager (SCOM) has been implemented (see article in the Knowledge Base on Technical
Support website http://support.kaspersky.com/12603).
Distribution kit
You can purchase the application through online stores of Kaspersky Lab (for example,
http://www.kaspersky.com, the eStore section) or partner companies.
If you purchase Kaspersky Security Center in an online store, you copy the application from the
store's website. Information that is required for application activation is sent to you by email after
payment.
For more details on purchase methods and the distribution kit, please contact the Sales Department.
Hardware and software requirements

Administration Server
Hardware requirements:
CPU with operating frequency of 1 GHz or higher. For a 64-bit OS, the minimum CPU
frequency is 1.4 GHz.
RAM: 4 GB.
Available disk space: 10 GB. When using Systems Management, at least 100 GB free disk
space shall be available.
28
Software requirements:
Microsoft Data Access Components (MDAC) 2.8.
Windows DAC 6.0.
Microsoft Windows Installer 4.5.
Operating system:
Microsoft Windows 10 Home 32-bit / 64-bit.
Microsoft Windows 10 Pro 32-bit / 64-bit.
Microsoft Windows 10 Enterprise 32-bit / 64-bit.
Microsoft Windows 10 Education 32-bit / 64-bit.
Microsoft Windows 8.1 Pro 32-bit / 64-bit.
Microsoft Windows 8.1 Enterprise 32-bit / 64-bit.
Microsoft Windows 7 Professional SP1 32-bit / 64-bit.
Microsoft Windows 7 Enterprise SP1 32-bit / 64-bit.
Microsoft Windows 7 Ultimate SP1 32-bit / 64-bit.
Microsoft Windows 7 Professional 32-bit / 64-bit.
Microsoft Windows 7 Ultimate 32-bit / 64-bit.
Microsoft Small Business Server 2008 Standard 64-bit.
Microsoft Small Business Server 2008 Premium 64-bit.
Microsoft Small Business Server 2011 Essentials 64-bit.
Microsoft Small Business Server 2011 Premium Add-on 64-bit.
29
Microsoft Windows Server 2008 Datacenter SP1 32-bit / 64-bit.
Microsoft Windows Server 2008 Enterprise SP1 32-bit / 64-bit.
Microsoft Windows Server 2008 Foundation SP2 32-bit / 64-bit.
Microsoft Windows Server 2008 SP1 Server Core 32-bit / 64-bit.
Microsoft Windows Server 2008 Standard SP1 32-bit / 64-bit.
Microsoft Windows Server 2008 Standard 32-bit / 64-bit.
Microsoft Windows Server 2008 Enterprise 32-bit / 64-bit.
Microsoft Windows Server 2008 Datacenter 32-bit / 64-bit.
Microsoft Windows Server 2008 R2 Server Core 64-bit.
Microsoft Windows Server 2008 R2 Datacenter 64-bit.
Microsoft Windows Server 2008 R2 Datacenter SP1 64-bit.
Microsoft Windows Server 2008 R2 Enterprise 64-bit.
Microsoft Windows Server 2008 R2 Enterprise SP1 64-bit.
Microsoft Windows Server 2008 R2 Foundation 64-bit.
Microsoft Windows Server 2008 R2 Foundation SP1 64-bit.
Microsoft Windows Server 2008 R2 SP1 Core Mode 64-bit.
Microsoft Windows Server 2008 R2 Standard 64-bit.
Microsoft Windows Server 2008 R2 Standard SP1 64-bit.
Microsoft Windows Server 2012 Server Core 64-bit.
Microsoft Windows Server 2012 Datacenter 64-bit.
Microsoft Windows Server 2012 Essentials 64-bit.
Microsoft Windows Server 2012 Foundation 64-bit.
30
Microsoft Windows Server 2012 Standard 64-bit.
Microsoft Windows Server 2012 R2 Essentials 64-bit.
Database server (can be installed on a different computer):
Microsoft SQL Server 2005 Express Edition 32-bit.
Microsoft SQL Server 2008 Express 32-bit.
Microsoft SQL 2008 R2 Express 64-bit.
Microsoft SQL 2012 Express 64-bit.
Microsoft SQL 2014 Express 64-bit.
Microsoft SQL Server 2005 (all editions) 32-bit / 64-bit.
Microsoft SQL Server 2008 (all editions) 32-bit / 64-bit.
Microsoft SQL Server 2008 R2 (all editions) 64-bit.
Microsoft SQL Server 2008 R2 Service Pack 2 (all editions) 64-bit.
Microsoft SQL Server 2012 (all editions) 64-bit.
Microsoft SQL Server 2014 (all editions) 64-bit.
Microsoft Azure SQL Database.
MySQL 5.0.67, 5.0.77, 5.0.85, 5.0.87 (SP1), 5.0.91.
MySQL Enterprise 5.0.60 (SP1), 5.0.70, 5.0.82 (SP1), 5.0.90.
The following virtual platforms are supported:
VMware vSphere 5.5.
31
VMware vSphere 6.
VMware Workstation 9.x.
VMware Workstation 10.x.
Microsoft Hyper-V Server 2008.
Microsoft Hyper-V Server 2008 R2.
Microsoft Hyper-V Server 2012.
Microsoft Hyper-V Server 2012 R2.
Microsoft Virtual PC 2007 (6.0.156.0).
Citrix XenServer 6.1.
Citrix XenServer 6.2.
Parallels Desktop 7.
Oracle VM VirtualBox 4.0.4-70112 (Windows guest operating systems are supported).
Kaspersky Security Center Web Console
RAM: 512 MB.
Available disk space: 1 GB.
For Microsoft Windows operating systems with Kaspersky Security Center Administration
Server version Service Pack 2:
Microsoft Windows 10 Home 32-bit / 64-bit.
32
Microsoft Windows 10 Education 32-bit / 64-bit.
Microsoft Windows 8.1 Pro 32-bit / 64-bit.
Microsoft Windows 8.1 Enterprise 32-bit / 64-bit.
Microsoft Windows 7 Professional SP1 32-bit / 64-bit.
Microsoft Windows 7 Enterprise SP1 32-bit / 64-bit.
Microsoft Windows 7 Ultimate SP1 32-bit / 64-bit.
Microsoft Windows 7 Professional 32-bit / 64-bit.
Microsoft Windows 7 Ultimate 32-bit / 64-bit.
Microsoft Small Business Server 2008 Premium 64-bit.
Microsoft Small Business Server 2011 Essentials 64-bit.
Microsoft Small Business Server 2011 Premium Add-on 64-bit.
Microsoft Windows Server 2008 Datacenter SP1 32-bit / 64-bit.
Microsoft Windows Server 2008 Enterprise SP1 32-bit / 64-bit.
Microsoft Windows Server 2008 Foundation SP2 32-bit / 64-bit.
Microsoft Windows Server 2008 SP1 Server Core 32-bit / 64-bit.
Microsoft Windows Server 2008 Standard SP1 32-bit / 64-bit.
Microsoft Windows Server 2008 Standard 32-bit / 64-bit.
Microsoft Windows Server 2008 Enterprise 32-bit / 64-bit.
33
Microsoft Windows Server 2008 Datacenter 32-bit / 64-bit.
Microsoft Windows Server 2008 R2 Datacenter SP1 64-bit.
Microsoft Windows Server 2008 R2 Enterprise 64-bit.
Microsoft Windows Server 2008 R2 Enterprise SP1 64-bit.
Microsoft Windows Server 2008 R2 Foundation SP1 64-bit.
Microsoft Windows Server 2008 R2 SP1 Core Mode 64-bit.
Microsoft Windows Server 2008 R2 Standard SP1 64-bit.
Microsoft Windows Server 2012 Server Core 64-bit.
Microsoft Windows Server 2012 Datacenter 64-bit.
Microsoft Windows Server 2012 Essentials 64-bit.
Microsoft Windows Server 2012 Foundation 64-bit.
Microsoft Windows Server 2012 Standard 64-bit.
Microsoft Windows Server 2012 R2 Essentials 64-bit.
Debian GNU/Linux 7.x (up to 7.8) 32-bit.
Debian GNU/Linux 7.x (up to 7.8) 64-bit.
34
Ubuntu Server 14.04 LTS 32-bit.
Ubuntu Server 14.04 LTS 64-bit.
CentOS 6.x (up to 6.6) 64-bit.
CentOS 7.0 64-bit.
Red Hat Enterprise Linux Server 7.0 64-bit.
SUSE Linux Enterprise Server 12 64-bit.
Kaspersky Security Center Web Console does not support versions of operating systems
that are compatible with systemd, such as Fedora 17.
Web server:
Apache 2.4.10 (for Windows) 32-bit.
Apache 2.4.10 (for Linux) 32-bit / 64-bit.
Apache 2.4.12 (for Windows) 32-bit.
Apache 2.4.12 (for Linux) 32-bit / 64-bit.
You can use the following browsers for working with Kaspersky Security Center Web Console:
Microsoft Internet Explorer 9 and later.
Microsoft Edge.
Chrome 45 and later;
Firefox 38 and later;
Safari 8 under Mac OS X 10.10 (Yosemite).
Safari 9 under Mac OS X 10.11 (El Capitan).
35
iOS Mobile Device Management (iOS MDM) mobile device server
RAM: 2 GB.
Software requirements: Microsoft Windows operating system (supported version of the operating
system is determined by the requirements of Administration Server).
Exchange ActiveSync Mobile Device Server
All software and hardware requirements for Exchange ActiveSync Mobile device server are
included in requirements for the Microsoft Exchange Server.
Co-operation with Microsoft Exchange Server 2007, Microsoft Exchange Server 2010, and
Microsoft Exchange Server 2013 supported.
Administration Console
RAM: 512 MB.
Microsoft Windows operating system (supported version of the operating system is

determined by the requirements of Administration Server).
Microsoft Management Console 2.0.
Microsoft Windows Installer 4.5.
36
Microsoft Internet Explorer 7.0 or later when working with Microsoft Windows XP, Microsoft
Windows Server 2003, Microsoft Windows Server 2008, Microsoft Windows Server 2008
R2, or Microsoft Windows Vista.
Microsoft Internet Explorer 8.0 or later when using Microsoft Windows 7.
Microsoft Internet Explorer 10.0 or later when using Microsoft Windows 8 and 10.
Microsoft Edge when using Microsoft Windows 10.
Network Agent
RAM: 512 MB.
If the computer on which Network Agent is installed will perform the functions of an Update Agent,
too, this computer must meet the following requirements:
RAM: 1 GB.
Windows Embedded POSReady 7 32-bit / 64-bit.
Windows Embedded Standard 7 SP1 32-bit / 64-bit.
Windows Embedded 8 Standard 32-bit / 64-bit.
Windows Embedded 8 Industry Pro 32-bit / 64-bit.
Windows Embedded 8 Industry Enterprise 32-bit / 64-bit.
37
Windows Embedded 8.1 Industry Pro 32-bit / 64-bit.
Windows Embedded 8.1 Industry Enterprise 32-bit / 64-bit.
Windows Embedded 8.1 Industry Update 32-bit / 64-bit.
Windows 10 Home 32-bit / 64-bit.
Windows 10 Pro 32-bit / 64-bit.
Windows 10 Enterprise 32-bit / 64-bit.
Windows 10 Education 32-bit / 64-bit.
Windows 8.1 Pro 32-bit / 64-bit.
Windows 8.1 Enterprise 32-bit / 64-bit.
Windows 8 Pro 32-bit / 64-bit.
Windows 7 Professional SP1 32-bit / 64-bit.
Windows 7 Enterprise SP1 32-bit / 64-bit.
Windows 7 Ultimate SP1 32-bit / 64-bit.
Windows 7 Professional 32-bit / 64-bit.
Windows 7 Ultimate 32-bit / 64-bit.
Windows 7 Home Basic 32-bit / 64-bit.
Windows 7 Premium 32-bit / 64-bit.
Windows Vista Business SP1 32-bit / 64-bit.
Windows Vista Enterprise SP1 32-bit / 64-bit.
Windows Vista Ultimate SP1 32-bit / 64-bit.
Windows Vista Business SP2 32-bit / 64-bit.
38
Windows Vista Enterprise SP2 32-bit / 64-bit.
Windows Vista Ultimate SP2 32-bit / 64-bit.
Windows XP Professional SP3 32-bit.
Windows XP Professional SP2 32-bit / 64-bit.
Windows XP Home SP3 32-bit.
Essential Business Server 2008 Standard 64-bit.
Essential Business Server 2008 Premium 64-bit.
Small Business Server 2003 Standard SP1 32-bit.
Small Business Server 2003 Premium SP1 32-bit.
Small Business Server 2008 Standard 64-bit.
Small Business Server 2008 Premium 64-bit.
Small Business Server 2011 Essentials 64-bit.
Small Business Server 2011 Premium Add-on 64-bit.
Small Business Server 2011 Standard 64-bit.
Windows Home Server 2011 64-bit.
Windows MultiPoint Server 2011 Standard 64-bit.
Windows MultiPoint Server 2011 Premium 64-bit.
Microsoft Windows 2000 Server 32-bit.
Windows Server 2003 Enterprise SP2 32-bit / 64-bit.
Windows Server 2003 Standard SP2 32-bit / 64-bit.
Windows Server 2003 R2 Enterprise SP2 32-bit / 64-bit.
Windows Server 2003 R2 Standard SP2 32-bit / 64-bit.
Windows Server 2008 Datacenter SP1 32-bit / 64-bit.
39
Windows Server 2008 Enterprise SP1 32-bit / 64-bit.
Windows Server 2008 Foundation SP2 32-bit / 64-bit.
Windows Server 2008 SP1 Server Core 32-bit / 64-bit.
Windows Server 2008 Standard SP1 32-bit / 64-bit.
Windows Server 2008 Standard 32-bit / 64-bit.
Windows Server 2008 Enterprise 32-bit / 64-bit.
Windows Server 2008 Datacenter 32-bit / 64-bit.
Windows Server 2008 R2 Server Core 64-bit.
Windows Server 2008 R2 Datacenter 64-bit.
Windows Server 2008 R2 Datacenter SP1 64-bit.
Windows Server 2008 R2 Enterprise 64-bit.
Windows Server 2008 R2 Enterprise SP1 64-bit.
Windows Server 2008 R2 Foundation 64-bit.
Windows Server 2008 R2 Foundation SP1 64-bit.
Windows Server 2008 R2 SP1 Core Mode 64-bit.
Windows Server 2008 R2 Standard 64-bit.
Windows Server 2008 R2 Standard SP1 64-bit.
Windows Server 2012 Server Core 64-bit.
Windows Server 2012 Datacenter 64-bit.
Windows Server 2012 Essentials 64-bit.
Windows Server 2012 Foundation 64-bit.
Windows Server 2012 Standard 64-bit.
Windows Server 2012 R2 Server Core 64-bit.
40
Windows Server 2012 R2 Datacenter 64-bit.
Windows Server 2012 R2 Essentials 64-bit.
Windows Server 2012 R2 Foundation 64-bit.
Windows Server 2012 R2 Standard 64-bit.
Debian GNU / Linux 7.x (up to 7.8) 32-bit.
Debian GNU / Linux 7.x (up to 7.8) 64-bit.
Ubuntu Server 14.04 LTS x32 32-bit.
Ubuntu Server 14.04 LTS x64 64-bit.
CentOS 6.x (up to 6.6) 64-bit.
CentOS 7.0 64-bit.
Red Hat Enterprise Linux Server 7.0 64-bit.
SUSE Linux Enterprise Server 12 64-bit.
Mac OS X 10.4 (Tiger).
Mac OS X 10.5 (Leopard).
Mac OS X 10.6 (Snow leopard).
OS X 10.10 (El Capitan).
You can obtain information about the latest version of the hardware and software requirements
from Technical Support website, on the page of Kaspersky Security Center 10, in the System
requirements section (http://support.kaspersky.com/ksc10#requirements).
41
Application interface
This section describes the main interface elements of Kaspersky Security Center, as well as how
to configure the interface.
Viewing, creation, modification and configuration of administration groups, and centralized

management of Kaspersky Lab applications installed on client devices are performed from the
administrator's workstation. The management interface is provided by the Administration Console
component. It is a specialized stand-alone snap-in that is integrated with Microsoft Management
Console (MMC); so the Kaspersky Security Center interface is standard for MMC.
Administration Console allows remote connection to Administration Server over the Internet.
For local work with client computers, the application supports remote connection to a computer
through Administration Console by using the standard Microsoft Windows Remote Desktop
Connection application.
To use this functionality, you must allow remote connection to the desktop on the client
computer.
In this section:
Main application window ........................................................................................................... 43
Console tree.............................................................................................................................. 44
Workspace ................................................................................................................................ 48
Data filtering block..................................................................................................................... 52
Context menu............................................................................................................................ 54
Configuring the interface ........................................................................................................... 54

Main application window
The main application window (see figure below) contains a menu, a toolbar, a console tree, and a
workspace. The menu bar allows you to use the windows and provides access to the Help system.
The Action menu duplicates the context menu commands for the current console tree object.
The set of toolbar buttons provides direct access to some of the menu items. The set of buttons
may change depending on the current node or folder selected in the console tree.
The appearance of the workspace of the main window depends on which node (folder) of the
console tree it is associated with, and what functions it performs.
Figure 1. Kaspersky Security Center main application window
43
Console tree
The console tree (see figure below) is designed to display the hierarchy of Administration Servers
in the corporate network, the structure of their administration groups, and other objects of the
application, such as the Repositories or Application management folders. The name space of
Kaspersky Security Center can contain several nodes including the names of servers
corresponding to the installed Administration Servers included in the hierarchy.
Figure 2. Console tree
44
Administration Server node
The Administration Server <Computer name> node is a container that shows the structural
organization of the selected Administration Server.
The workspace of the Administration Server node contains summary information about the
current status of the application and computers managed by Administration Server. Information in
the workspace is distributed between various tabs:
Monitoring. The Monitoring tab displays information about the application operation and
the current status of client computers in real-time mode. Important messages for the
administrator (such as messages on vulnerabilities, errors, or viruses detected) are
highlighted in a specific color. You can use links on the Monitoring tab to perform the
standard administrator tasks (for example, install and configure Kaspersky Anti-Virus on
client computers), as well as to go to other console tree folders.
Statistics. Contains a set of charts grouped by topics (protection status, Anti-Virus

statistics, updates, etc.). These charts visualize current information about the application
operation and the status of client computers.
Reports. Contains templates for reports generated by the application. On this tab, you can
create reports using preset templates, as well as create custom report templates.
Events. Contains records on events that have been registered during the application
operation. Those records are distributed between topics for ease of reading and filtering.
On this tab, you can view selections of events that have been generated automatically, as
well as create custom selections.
Folders in the Administration Server node
The Administration Server <Computer name> node includes the following folders:
Managed computers. This folder is intended for storage, display, configuration, and
modification of the structure of administration groups, group policies, and group tasks.
Computer selections. This folder is intended for quick selection of computers that meet
specified criteria (a selection of computers), among all managed computers. For example,
you can quickly select computers on which Kaspersky Anti-Virus has not been installed,
and proceed to these computers (view the list). You can perform some actions on these
selected computers, for example, assign them some tasks. You can use preset selections
or create your own custom selections.
45
Unassigned devices. This folder contains a list of computers that have not been included
in any of the administration groups. You can perform some actions on unassigned
computers: move their administration groups or install applications on them.
Policies. This folder is intended for viewing and creating policies.
Tasks. This folder is intended for viewing and creating tasks.
Advanced. This folder contains a set of subfolders that correspond to various groups of
application features.
Advanced folder. Moving folders in the console tree
The Advanced folder includes the following subfolders:
User accounts. This folder contains a list of network user accounts.
Application management. This folder is intended for managing applications installed on

computers in the network. The Application management folder contains the following
subfolders:
Application categories. Intended for handling user categories of applications.
Applications registry. Contains a list of applications on client computers with Network

Agent installed.
Executable files. Contains the list of executable files stored on client computers with
Network Agent installed.
Software vulnerabilities. Contains a list of vulnerabilities in applications on client

computers with Network Agent installed.
Software updates. Contains a list of application updates received by Administration

Server that can be distributed on client computers.
Kaspersky Lab licenses. Contains a list of available keys for Kaspersky Lab
applications. In the workspace of this folder, you can add new keys to the key repository,
distribute keys on managed computers, and view reports on the usage of keys.
Third-party licenses usage. Contains a list of groups of licensed applications. You can
use groups of licensed applications to monitor the usage of licenses for third-party
software (non-KL applications) and possible violations of licensing restrictions.
46
Remote installation. This folder is intended for managing remote installation of operating
systems and applications. The Remote installation folder contains the following
subfolders:
Deploy computer images. Intended for deploying images of operating systems on

client computers.
Installation packages. Contains a list of installation packages that can be used for
remote installation of applications on client computers.
Mobile Device Management. This folder is intended for managing mobile devices. The
Mobile Device Management folder contains the following subfolders:
Mobile devices It is intended for managing mobile devices, KES, Exchange

ActiveSync, and iOS MDM.
Certificates. It is intended for managing certificates of mobile devices.
Data encryption and protection. This folder is intended for managing the process of data
encryption on hard drives and removable drives.
Network poll. This folder displays the computer network where the Administration Server is
installed. Information about the structure of the network and computers in this network is
received by the Administration Server through regular polling of the Windows network, IP
subnets, and Active Directory in the corporate network. Polling results are displayed in the
workspaces of the corresponding folders: Domains, IP subnets, and Active Directory.
Repositories. This folder is intended for operations with objects used to monitor the status
of client computers and perform maintenance. The Repositories folder contains the
following subfolders:
Updates. Contains a list of updates received by Administration Server that can be

distributed to client computers.
Hardware. Contains a list of hardware connected to the organization's network.
Quarantine. Contains a list of objects moved to Quarantine by anti-virus software on

client computers.
47
Backup. This folder contains a list of backup copies of files that have been deleted or
modified during the disinfection process on client computers.
Unprocessed files. Contains a list of files assigned for later scanning by anti-virus
applications.
You can change the set of subfolders included in the Advanced folder. Frequently used subfolders
can be moved from the Advanced folder one level up. Subfolders that are used rarely can be
moved to the Advanced folder.
To move a subfolder out of the Advanced folder:

1. In the console tree, select the subfolder that you want to move out of the Advanced folder.
2. In the context menu of the subfolder, select View Move from Advanced folder.
You can also move a subfolder out of the Advanced folder in the workspace of the
Advanced folder by clicking the Move from Advanced folder link in the section with the
name of that subfolder.
To move a subfolder to the Advanced folder:
1. In the console tree, select the subfolder that you need to move to the Advanced folder.
2. In the context menu of the subfolder, select View Move to Advanced folder.
Workspace
The workspace (see figure below) contains the following elements:
Lists of objects that the administrator manages through the application (computers,
administration groups, user accounts, policies, tasks, event records, other applications,
etc.) (see section "Workspace elements" on page 50).
Controls (buttons that expand lists of commands, links for command execution and
proceeding to other console tree folders).
Text and graphic information (application messages, charts in information panes, statistical
and reference information) (see section "Set of information blocks" on page 52).
48
The contents of the workspace correspond to the node or folder selected in the console tree.
Figure 3. Workspace
49
The workspace of a node or folder can contain multiple tabs (see figure below). Each tab
corresponds to a specific group (type) of objects or application features.
Figure 4. Workspace divided into tabs
In this section:
Workspace elements................................................................................................................. 50
Set of information blocks ........................................................................................................... 52
Workspace elements
The workspace of a folder or a node can contain the following elements (see figure below).
List management block. Contains buttons that expand lists of commands and links.
Designed for operations with objects selected in the list.
List of objects. Contains management objects (such as computers, user accounts, policies,
tasks). You can sort and filter objects on the list, perform actions on them using the
management block and commands from the object context menu. You can also configure
the set of columns displayed in the list.
50
Block for handling a selected object. Contains summary information about a selected
object. This block can also contain links for quick operations with the selected object. For
example, the block for handling a selected policy contains a link to the policy settings
window.
Data filtering block. You can use the filtering block to configure the display of objects on the
list. For example, you can use the data filtering block to configure the list of computers so
that only computers that have Critical status are displayed.
Figure 5. Information area represented by a list of management objects
51
Set of information blocks
The workspace of the Administration Server node displays statistics on information panes on the
Statistics tab. Information panes are distributed among a few topics (see figure below). You can
configure the data display on information panes by changing the types of charts and the set of data
presented on them, as well as by modifying and adding information panes or entire pages on the
Statistics tab (see section "Working with the statistical information" on page 162).
Figure 6. Workspace divided into pages
Data filtering block

Data filtering block (hereinafter also referred to as filtering block) is used in workspaces and
sections of dialog boxes that contain lists objects (such as computers, applications, vulnerabilities,
or users).
52
The filtering block can contain a search field, a filter, and buttons (see figure below).
Extended filtering block. Filtering settings
You can use the filtering block in standard or extended mode to filter data (see figure). In standard
mode of the filtering block, you can filter data using the search field and the buttons in the
Including statuses section. In extended mode of the filtering block, you can use additional filtering
criteria. Additional filtering criteria are available on the Adjust filter link.
To configure filtering.
1. Click the No filter specified area.
The right part of the window displays the Adjust filter link.
2. Click the Adjust filter link to select filtering criteria.
The selected criteria will be displayed on a grey background in the Filter field.
3. Specify a value for each criterion (for example, "Agent is installed").
4. In the Including statuses section, configure additional computer filtering by statuses

(Critical, Warning, OK).
53
Computers that pass the filter will be displayed in the list. You can also find computers using
keywords and regular expressions (see section "What's new" on page 24) in the Search field.
Context menu
In the console tree of Kaspersky Security Center each object features its own context menu. Here
the standard commands of the Microsoft Management Console context menu are supplemented
with commands used for operations with the object. The additional context menu commands that
correspond to various console tree objects are listed in the Appendices (see section "Context
menu commands" on page 347).
Some of the objects in the workspace (such as computers on the list of managed computers, or
other listed objects) also have a context menu with additional commands.
Configuring the interface

You can configure the interface of Kaspersky Security Center:
Show and hide objects in the console tree, workspace, properties windows of objects
(folders, sections) depending on the features being used.
Show and hide elements of the main window (for example, console tree, standard menus
such as Actions and View).
54
To configure the Kaspersky Security Center interface in accordance with the currently
used feature:
1. In the console tree, select the Administration Server node.
2. In the application window menu, select View Configure interface.
3. In the Configure interface window that opens, configure the display of interface elements
using the following check boxes:
Display Systems Management.
If this check box is selected, in the Remote installation folder the Deploy
computer images nested folder is displayed, while in the Repositories folder
the Hardware nested folder is displayed.
By default, this check box is cleared.
Display encryption and data protection.
If this check box is selected, data encryption management is available on

devices connected to the network. After you restart the application, the console
tree displays the Data encryption and protection folder.
Display endpoint control settings.
If this check box is selected, the following subsections are displayed in the
Endpoint control section of the properties window of the Kaspersky Endpoint
Security 10 for Windows policy:
Application Startup Control.
Vulnerability Monitor.
Device Control.
Web Control.
If this check box is cleared, the above-specified subsections are not displayed
in the Endpoint control section.
55
Display Mobile Devices Management.
If this check box is selected, the Mobile Device Management feature is

available. After you restart the application, the console tree displays the Mobile
devices folder.
Display slave Administration Servers.
If the check box is selected, the console tree displays the nodes of slave and
virtual Administration Servers within administration groups. The functionality
connected with slave and virtual Administration Servers in particular, creation
of tasks for remote installation of applications to slave Administration Servers
is available at that.
By default, this check box is selected.
Display security settings sections.
If this check box is selected, the Security section is displayed in the properties
of Administration Server, administration groups and other objects. This check
box allows you to give custom permissions for working with objects to users
and groups of users.
By default, this check box is selected.
4. Click OK.
To apply some of the changes, you have to close the main application window and then open it
again.
To configure the display of elements in the main application window:
1. In the application window menu, select View Configure.
2. In the Configure view window that opens, configure the display of main window elements
using check boxes.
3. Click OK.
56
Application licensing
This section provides information about general concepts related to the application licensing.
In this section:
About the End User License Agreement ................................................................................... 57
About the license....................................................................................................................... 58
About the license certificate ...................................................................................................... 59
About key .................................................................................................................................. 59
Kaspersky Security Center licensing options ............................................................................. 60
About restrictions of the main functionality ................................................................................ 63
About the activation code .......................................................................................................... 64
About the key file....................................................................................................................... 65
About the subscription ............................................................................................................... 65
About the End User License Agreement

The End User License Agreement is a binding agreement between you and AO Kaspersky Lab,
stipulating the terms on which you may use the application.
Read through the terms of the License Agreement carefully before you start using the application.
You can view the terms of the End User License Agreement using the following methods:
While installing Kaspersky Security Center.
By reading the document license.txt. This document is included in the application

distribution kit.
You accept the terms of the End User License Agreement by confirming that you agree with the
End User License Agreement when installing the application. If you do not accept the terms of the
End User License Agreement, you should abort the application installation and renounce the use of
the application.
About the license

A license is a time-limited right to use the application, granted under the End User License
Agreement.
A valid license entitles you to use the following services:
Use of the application in accordance with the terms of the End User License Agreement.
Technical Support.
The scope of service and the application usage term depend on the type of license under which
the application has been activated.
The following license types are provided:
Trial a free license intended for trying out the application.
A trial license usually has a short term. As soon as the trial license expires, all Kaspersky
Security Center features are disabled. To continue using the application, you need to
purchase the commercial license.
You can activate the application under the trial license only once.
Commercial a paid license granted upon purchase of the application.
When the commercial license expires, the application keeps running though with a limited
functionality (for example, updates of the Kaspersky Security Center databases are not
available). To continue using Kaspersky Security Center in fully functional mode, you have
to renew your commercial license.
We recommend renewing the license before its expiration to ensure maximum protection against
all security threats.
58
About the license certificate
License certificate is a document that you receive along with a key file or an activation code.
A license certificate contains the following information about the license provided:
Order number.
Information about the user who has been granted the license.
Information about the application that can be activated under the license provided.
Limit of the number of licensing units (e.g., devices on which the application can be used
under the license provided).
License term start date.
License expiration date or license term.
License type.
About key
Key is a sequence of bits that you can apply to activate and then use the application in accordance
with the terms of the End User License Agreement. Keys are generated by Kaspersky Lab
specialists.
You can add a key to the application using one of the following methods: by applying a key file or
by entering an activation code. The key is displayed in the application interface as a unique
alphanumeric sequence after you add it to the application.
The key may be blocked by Kaspersky Lab in case the terms of the License Agreement have been
violated. If the key has been blocked, you need to add another one if you want to use the
application.
A key may be active or additional.
59
Active key a key used at the moment to work with the application. A key for the trial or
commercial license can be added as the active key. The application cannot use more than one
active key.
Additional key a key that verifies the use of the application but is not used at the moment. The
additional key automatically becomes active when the license associated with the current active
key expires. An additional key can be added only if an active key has already been added.
A key for the trial license can be added as the active key only. A key for the trial license cannot be
added as the additional key.
Kaspersky Security Center licensing

options
In Kaspersky Security Center, the license can apply to different groups of functionality.
Basic functionality of Administration Console
The following functions are available:
Creation of virtual Administration Servers that are used to administer a network of remote
offices or client organizations.
Creation of hierarchy of administration groups to manage a set of devices as a single entity.
Control of the anti-virus security status of an organization.
Remote installation of applications.
Viewing the list of operation system images available for remote installation.
Centralized configuration of settings for applications that are installed on client computers.
Viewing and editing of existing groups of license programs.
Statistics and reports on the application's operation, as well as notifications about critical
events.
Data encryption and protection management.
60
Viewing and manual editing of the list of hardware components detected by polling the
network.
Centralized operations with files that were moved to Quarantine or Backup and files whose
processing was postponed.
Kaspersky Security Center with support of the Administration Console basic functionality is
delivered as a part of Kaspersky Lab products for protection of corporate networks. You can also
download it from the Kaspersky Lab website (http://www.kaspersky.com).
Until the application is activated, or after the commercial license expires, Kaspersky Security
Center runs in basic functionality mode of Administration Console (see the section "About
restrictions of the basic functionality" on page 63).
Systems Management feature
The following functions are available:
Remote installation of operating systems.
Remote installation of software updates, scanning and fixing of vulnerabilities.
Management of device access to the corporate network (Network Access Control, NAC).
Hardware components inventory.
Licensed applications group management.
Remote permission of connection to client computers through a Microsoft Windows

component named Remote Desktop Connection.
Remote connection to client computers through Windows Desktop Sharing.
Management of user roles.
The management unit for System Management is a client computer in the "Managed computers"
group.
Detailed information about computer hardware is available during the inventory process as part
of the Systems Management feature.
61
For a proper functioning of Systems Management, at least 100 GB free disk space must be
available.
Mobile Device Management
The Mobile Device Management is used to Administer Exchange ActiveSync and iOS MDM mobile
devices.
The following functions are available for Exchange ActiveSync mobile devices:
Creation and editing of mobile device management profiles, assignment of profiles to users'
mailboxes.
Configuration of mobile devices (email synchronization, apps usage, user password, data
encryption, connection of removable drives).
Installation of certificates on mobile devices.
The following functions are available for iOS MDM mobile devices:
Creation and editing of configuration profiles, installation of configuration profiles on mobile

devices.
Installation of applications on mobile devices via App Store or using manifest files (.plist).
Locking of mobile devices, resetting of the mobile device password, and deleting of all data
from the mobile device.
In addition, Mobile Devices Management allows executing commands provided by relevant

protocols.
The management unit for Mobile Devices Management is a mobile device. A mobile device is
considered to be managed after it is connected to the Mobile Devices Server.
62
About restrictions of the main
functionality
Until the application is activated or after the commercial license expires, Kaspersky Security Center
provides the basic functionality of Administration Console. The limitations imposed on the
application operation are described below.
You cannot create a new profile and assign it to a mobile device (iOS MDM) or to a mailbox
(Exchange ActiveSync). Edition of existing profiles and assignment of profiles to mailboxes are
always available.
Managing applications
You cannot run the update installation task and the update removal task. All tasks that had been
started before the license expired will be completed, but the latest updates will not be installed. For
example, if the critical update installation task had been started before the license expired, only
critical updates found before the license expiration will be installed.
Launch and editing of the synchronization, vulnerability scan, and vulnerabilities database update
tasks are always available. Also, no limitations are imposed on viewing, searching, and sorting of
entries on the list of vulnerabilities and updates.
Remote installation of operating systems and applications
Cannot run tasks of operating system image capturing and installation. Tasks that had been
started before the license expired, will be completed.
Network access control
The NAC Agent and NAC switch to "Disabled" mode without an option to enable them.
Hardware inventory
You cannot collect information about new devices using NAC and the Mobile device server.
Information about computers and connected devices is updated at that.
63
You receive no notifications of changes in the configurations of devices.
The equipment list is available for viewing and editing manually.
Managing groups of licensed applications
You cannot add a new key.
You receive no notifications of violated limitations imposed on the use of keys.
Remote connection to client computers
Remote connection to client computers is not available.
Anti-virus security
Anti-Virus uses databases that had been installed before the license expired.
About the activation code

Activation code is a unique sequence of 20 alphanumeric characters. You enter an activation code
to add a key that activates Kaspersky Security Center. You receive the activation code through the
email address that you have specified, after purchasing Kaspersky Security Center or after
ordering the trial version of Kaspersky Security Center.
To activate the application with an activation code, you need Internet access to establish
connection with Kaspersky Lab activation servers.
If the application was activated with an activation code, the application in some cases sends
regular requests to Kaspersky Lab activation servers in order to check the current status of the
key. You need provide the application Internet access to make it possible to send requests.
If you lost your activation code after you had activated the application, it can be restored. You may
need your activation code, e.g., to register with Kaspersky CompanyAccount. To restore the
activation code, you have to contact Kaspersky Lab Technical Support (see section "How to obtain
technical support" on page 315).
64
About the key file
Key file is a file with the .key extension provided to you by Kaspersky Lab. A key file is intended for
adding a key that activates the application.
You receive your key file through the email address that you have specified, after purchasing
Kaspersky Security Center or after ordering the trial version of Kaspersky Security Center.
To activate the application using a key file, you do not have to connect to Kaspersky Lab activation
servers.
If the key file has been accidentally deleted, you can restore it. You may need your key file, e.g., to
register with Kaspersky CompanyAccount.
To restore your key file, you should perform any of the following actions:
Contact Technical Support (http://support.kaspersky.com/).
Receive a key file through Kaspersky Lab website (https://activation.kaspersky.com/en/) by

using your available activation code.
About the subscription

Subscription to Kaspersky Security Center is an order request for the use of the application under
selected settings (subscription expiration date, number of protected devices). You can register your
subscription to Kaspersky Security Center with your service provider (e.g., your Internet provider).
A subscription can be renewed manually or in automatic mode; also, you can cancel it.
A subscription can be limited (e.g., 1-year) or unlimited (with no expiration date). To continue using
Kaspersky Security Center after a limited subscription expires, you must renew it. An unlimited
subscription is renewed automatically if it has been prepaid to the service provider in due dates.
When a limited subscription expires, you may be provided a grace period for renewal during which
the application keeps functioning. The availability and duration of the grace period is defined by the
service provider.
65
To use Kaspersky Security Center under subscription, you must apply the activation code received
from the service provider.
You can apply a different activation code for Kaspersky Security Center only after your subscription
expires or when you cancel it.
Depending on the service provider, the set of possible actions for subscription management may
vary. The service provider can provide no grace period for subscription renewal so the application
loses its functionality.
Activation codes purchased under subscription cannot be used for activating earlier versions of
Kaspersky Security Center.
When using the application under subscription, Kaspersky Security Center automatically attempts
to access the activation server in specified time intervals until the subscription expires. You can
renew your subscription on the service provider's website.
66
Administration Server Quick Start
Wizard
This section provides information about the Administration Server Quick Start Wizard operation.
Kaspersky Security Center allows adjusting a minimum set of settings required to build a centralized
management system for anti-virus protection. This configuration is performed by using the Quick Start
Wizard. While the Quick Start Wizard is running, the following changes are made to the application:
The Wizard adds keys or codes that can be automatically distributed to computers within
administration groups.
Configures interaction with Kaspersky Security Network (KSN). KSN allows you to retrieve
information about applications installed on managed computers if such information can be
found in Kaspersky Lab reputation databases. If you have allowed the use of KSN, the
wizard enables the KSN Proxy service, which ensures connection between KSN and client
computers.
It sets up email delivery of notifications informing of events in the operation of Administration

Server and managed applications (a successful notification delivery requires the Messenger
service to keep running on the Administration Server and all of the recipient computers).
Then the Wizard adjusts the update settings and vulnerability fixing settings of applications
installed on client computers.
A protection policy for workstations and servers is created at the top level of the hierarchy
of managed computers; virus scan tasks, update tasks, and backup tasks are also created.
The Quick Start Wizard creates protection policies only for applications for which the
Managed computers folder does not contain any. The Quick Start Wizard creates no
tasks if ones with the same names have already been created for the top level in the
hierarchy of managed computers.
The application prompts you to run the Quick Start Wizard after Administration Server installation,
at the first connection to it. You can also start the Quick Start Wizard manually using the context
menu of the Administration Server <Computer name> node.
Basic concepts
This section explains basic concepts related to Kaspersky Security Center.
In this section:
Administration Server ................................................................................................................ 68
Administration Server hierarchy ................................................................................................ 69
Virtual Administration Server ..................................................................................................... 70
Mobile device server ................................................................................................................. 71
Web server................................................................................................................................ 72
Network Agent Administration group ......................................................................................... 73
Administrator's workstation........................................................................................................ 75
Application administration plug-in .............................................................................................. 75
Policies, application settings and tasks ..................................................................................... 75
How local application settings relate to policies ......................................................................... 78
Update Agent ............................................................................................................................ 79
Kaspersky Security Center components allow remotely managing Kaspersky Lab applications
installed on client computers.
Computers with the Administration Server component installed will be referred to as Administration
Servers (hereinafter also referred to as Servers).
Administration Server is installed on a computer as a service with the following set of attributes:
With the name "Kaspersky Security Center Administration Server".
Using automatic startup when the operating system starts.
With the Local System account or the user account selected during the installation of the
Administration Server.
The Administration Server performs the following functions:
storage of the administration groups structure;
storage of information about the configuration of client computers;
organization of storages for application distribution packages;
remote installation of applications to client devices and removal of applications;
updating of application databases and software modules of Kaspersky Lab applications;
management of policies and tasks on client computers;
storage of information about events that have occurred on client devices;
generation of reports on the operation of Kaspersky Lab applications;
deployment of keys to client devices, and storage of information about keys;
sending notifications of the progress of tasks (for example, of viruses detected on a client
computer).
Administration Server hierarchy

Administration Servers can be arranged in a master/slave hierarchy. Each Administration Server
can have several slave Administration Servers (referred to as slave Servers) on different nesting
levels of the hierarchy. The nesting level for slave Servers is unrestricted. The administration
groups of the master Administration Server will then include the client computers of all slave
Administration Servers. Thus, isolated and independent sections of computer networks can be
controlled by different Administration Servers which are in turn managed by the master Server.
Basic concepts
69
Virtual Administration Servers (see the section "Virtual Administration Server" on page 70) are a
particular case of slave Administration Servers.
The hierarchy of Administration Servers can be used to do the following:
Decrease the load on Administration Server (compared to a single installed Administration

Server in an entire network).
Decrease intranet traffic and simplify work with remote offices. It is unnecessary to establish
connections between the master Administration Server and all network computers, which
may be located, for example, in other regions. It is sufficient to install in each network node
a slave Administration Server, distribute computers among administration groups of slave
Servers and establish connections between the slave Servers and master Server over fast
communication channels.
Distribute responsibilities among the anti-virus security administrators. All capabilities for
centralized management and monitoring of anti-virus security status in corporate networks
remain available.
How service providers use Kaspersky Security Center. The service provider needs only
installed Kaspersky Security Center and Kaspersky Security Center Web Console. To
manage more client computers of several organizations, a service provider can add virtual
Administration Servers to an Administration Server hierarchy.
Each computer included in the hierarchy of administration groups can be connected to one
Administration Server only. You must control the state of connection of computers to
Administration Servers. Use the features for computer search in administration groups of
different Servers based on network attributes.
Virtual Administration Server

Virtual Administration Server (also referred to as virtual Server) is a component of Kaspersky
Security Center intended for managing anti-virus protection of a client organization's network.
Basic concepts
70
Virtual Administration Server is a particular case of a slave Administration Server and has the
following restrictions as compared with physical Administration Server:
Virtual Administration Server can be created only on master Administration Server.
Virtual Administration Server uses the master Administration Server database. Thus, the
following tasks are not supported on virtual Server: backup copying, restoration, updates
verification and updates downloading. These tasks exist only on master Administration
Server.
Virtual Server does not support creation of slave Administration Servers (including virtual
Servers).
Besides, virtual Administration Server has the following restrictions:
In the virtual Administration Server properties window the number of sections is restricted.
To carry out remote installation of Kaspersky Lab applications on client computers

managed by the virtual Administration Server, you should make sure that the Network
Agent is installed on one of the client computers in order to ensure communication with the
virtual Administration Server. At the first connection to the virtual Administration Server, that
computer is automatically appointed Update Agent, thus functioning as a gateway for
connection between the client computers and the virtual Administration Server.
A virtual Server can poll the network only through Update Agents.
To restart a malfunctioning virtual Server, Kaspersky Security Center restarts the master
Administration Server and all virtual Administration Servers.
The administrator of a virtual Administration Server has all privileges on this particular virtual
Server.
Mobile device server

A mobile device server is a component of Kaspersky Security Center that provides access to
mobile devices and allows managing them through Administration Console. The Mobile device
server retrieves information about mobile devices and stores their profiles.
Basic concepts
71
There are two types of mobile devices servers:
Mobile devices server supporting Exchange ActiveSync. Installed to a client computer

where a Microsoft Exchange server has been installed, allowing retrieving data from the
Microsoft Exchange server and passing them to Administration Server. This mobile devices
server is used for management of mobile devices that support Exchange ActiveSync
protocol.
iOS MDM Mobile Devices Server. This mobile devices server is used for management of
mobile devices that support the Apple Push Notification service (APNs).
Mobile devices servers of Kaspersky Security Center allow managing the following objects:
An individual mobile device.
Several mobile devices.
Several mobile devices connected to a cluster of servers, simultaneously. After connecting

to a cluster of servers, the mobile devices server installed on this cluster is displayed in
Administration Console as a single server.
Web server
Kaspersky Security Center Web Server (hereinafter also referred to as Web Server) is a
component of Kaspersky Security Center that is installed together with Administration Server. Web
Server is designed for transfer of standalone installation packages, iOS MDM profiles, and files
from the shared folder over the network.
When you create a standalone installation package, it is automatically published on Web Server. A
link for download of the standalone package is displayed in the list of standalone installation
packages. If necessary, you can cancel publication of the standalone package or publish it on Web
Server again.
When you create an iOS MDM profile for a user's mobile device, it is also automatically published
on Web Server. When the profile is published, it is automatically removed from Web Server after it
is successfully installed to the user's mobile device (for more details on how to create and install an
iOS MDM profile, please refer to the Kaspersky Security Center Implementation Guide).
Basic concepts
72
The shared folder is designed as a storage area for information that is available to all users whose
computers are managed via Administration Server. If a user has no direct access to the shared
folder, he or she can be given information from that folder by means of Web Server.
To provide users with information from a shared folder by means of Web Server, the administrator
must create a subfolder named "public" in the shared folder and paste the relevant information.
The syntax of the information transfer link is as follows:
https://<Web Server name>:<HTTPS port>/public/<object>
where:
<Web Server name> is the name of the Kaspersky Security Center Web Server.
<HTTPS port> is an HTTPS port of Web Server that has been defined by the
administrator. The HTTPS port can be set in the Web Server section of the properties
window of Administration Server. The default port number is 8061.
<object> is the subfolder or file to which the user will receive access.
The administrator can send the new link to the user in any convenient way, such as by email.
By clicking the link, the user can download the required information to a local computer.
Network Agent Administration group

Interaction between the Administration Server and client computers is performed by a component
of the Kaspersky Security Center application named Network Agent. Network Agent should be
installed on all client computers on which Kaspersky Security Center is used to manage Kaspersky
Lab applications.
Network Agent is installed on a computer as a service with the following set of attributes:
With the name "Kaspersky Security Center Network Agent".
Set to automatically start when the operating system starts.
Using the Local system account.
Basic concepts
73
Network Agent is installed on the target computer together with a plug-in for work with Cisco
Network Admission Control (NAC). This plug-in is used if the computer has Cisco Trust Agent
installed. The settings for joint operation with Cisco NAC are specified in the properties window of
the Administration Server.
When integrated with Cisco NAC, Administration Server acts as a standard Posture Validation
Server (PVS) policy server, which an administrator may use to either allow or block access by
a computer to the network, based upon the anti-virus protection status.
A computer, server, or workstation on which Network Agent and managed Kaspersky Lab
applications are installed will be referred to as the Administration Server client (also, client
computer or just computer).
The computers in a corporate network can be subdivided into groups arranged in a certain
hierarchical structure. Such groups are called administration groups. The hierarchy of
administration groups is displayed in the console tree, in the Administration Server node.
An administration group (hereinafter also referred to as group) is a set of client computers

combined on the basis of a certain trait for the purpose of managing the grouped computers as a
single unit. All client computers within a group are configured to.
Use the same application settings (which are defined in group policies).
Use a common mode of applications' operation thanks to creation of group tasks with a
specified collection of settings. For example, creating and installing a common installation
package, updating the application databases and modules, scanning the computer on
demand, and ensuring real-time protection.
A client computer can be included only in one administration group.
You can create hierarchies for Servers and groups with any degree of nesting. A single hierarchy
level can include slave and virtual Administration Servers, groups, and client computers.
Basic concepts
74
Administrator's workstation
Computers on which the Administration Console component is installed are referred to as
administrator's workstations. Administrators can use those computers for centralized remote
management of Kaspersky Lab applications installed on client computers.
After Administration Console is installed to the computer, its icon appears in the
Start Applications Kaspersky Security Center menu allowing to start it.
There are no restrictions on the number of administrator's workstations. From any administrator's
workstation you can manage administration groups of several Administration Servers on the
network at once. You can connect an administrator's workstation to an Administration Server
(either physical, or virtual one) of any level of hierarchy.
You can include an administrator's workstation in an administration group as a client computer.
Within the administration groups of any Administration Server, the same computer can function as
an Administration Server client, an Administration Server, or an administrator's workstation.
Application administration plug-in

Management of Kaspersky Lab applications via the Administration Console is performed using a
special component named management plug-in. It is included in all Kaspersky Lab applications
that can be managed by using Kaspersky Security Center.
The management plug-in is installed on an administrator's workstation. Using the management

plug-in, you can perform the following actions in the Administration Console:
Creating and editing application policies and settings, as well as the settings of application
tasks.
Obtaining information about application tasks, application events, as well as application

operation statistics received from client computers.
Policies, application settings, and tasks

A named action performed by a Kaspersky Lab application is called a task. Tasks are organized by
types according to their function.
Basic concepts
75
Each task is associated with a set of settings that are used during performance of the task. The set of
application settings that are common to all types of application tasks form the application settings.
Application settings that are specific to each task type form the corresponding task settings.
A detailed description of task types for each Kaspersky Lab application can be found in the
respective application guides.
Application settings defined for an individual client computer through the local interface or remotely
through Administration Console are referred to as local application settings.
The applications installed on client computers are configured centrally by configuring policies.
A policy is a collection of application settings that are defined for an administration group. The
policy does not define all application settings.
Several policies with different values can be defined for a single application. However, there can be
only one active policy for an application at a time.
An application can run in different ways for different groups of settings. Each group can have its
own policy for an application.
The application settings are defined by the policy settings and the task settings.
Nested groups and slave Administration Servers inherit the tasks from groups that belong to higher
hierarchy levels. A task defined for a group is performed not only on client computers included in
that group, but also on client computers included in its child groups and belonging to slave Servers
on all lower hierarchy levels.
Each setting represented in a policy has a "lock" attribute: . The "lock" shows whether the setting
is allowed for modification in the policies of lower hierarchy levels (for nested groups and slave
Administration Servers), in task settings and local application settings. If a parameter is "locked" in
the policy, its value cannot be redefined (see the section "How local application settings relate to
policies" on page 78).
If you clear the Inherit settings from parent policy check box in the Inheritance of settings
section of the General section in the properties window of an inherited policy, the "lock" is lifted for
that policy.
You can activate a disabled policy based on occurrence of a certain event. This means that you
can, for example, enforce stricter anti-virus protection settings during virus outbreaks.
Basic concepts
76
You can also create an out-of-office policy.
Tasks for objects that are managed by a single Administration Server are created and configured
in a centralized way. The following types of tasks can be defined:
Group task is a task that defines settings for an application installed on computers within an
administration group.
Local task is a task for an individual computer.
Task for selection of computers is a task for an arbitrary set of computers included or not
included in administration groups.
Administration Server task is a task defined directly for an Administration Server.
A group task can be defined for a group even if a corresponding Kaspersky Lab application is
installed only on certain client computers of that group. In that case, the group task is performed
only on the computers on which the application is installed.
Tasks created for a client computer locally are only performed for this computer. When a client
computer is synchronized with the Administration Server, local tasks are added to the list of
tasks created for that client computer.
Because application settings are defined by policies, task settings can redefine the settings that
are not locked by the policy. Task settings also can redefine the settings that can be configured
only for a specific instance of a task. For example, the drive name and masks of files to be
scanned are configurable settings for the drive scan task.
A task can be run automatically (according to a schedule) or manually. Task results are saved
locally and on the Administration Server. The administrator can receive notifications about
particular performed tasks and view detailed reports.
Information about policies, application settings, and task settings for specific computers, as well as
information about group tasks, is saved on Administration Server and distributed to client
computers during synchronization. During synchronization, the Administration Server stores
information about the local changes allowed by the policy that have been performed on client
computers. Additionally, the list of applications running on the client computer, their status, and the
existing tasks are updated.
Basic concepts
77
How local application settings relate to
policies
You can use policies to set identical values of the application settings for all computers in a group.
The values of settings specified by a policy can be redefined for individual computers in a group by
using local application settings. You can only set the values of settings that the policy allows to be
modified, that is, "unlocked" settings.
The value of a setting that the application uses on a client computer (see figure below) is defined
by the "lock" position for that setting in the policy:
If setting modification is "locked", the same value (defined in the policy) is used on all client
computers.
If setting modification is "unlocked", the application uses a local value on each client
computer instead of the value specified in the policy. The setting can then be changed in
the local application settings.
Figure 7. Policy and local application settings
Basic concepts
78
This means that, when a task is run on a client computer, the application applies settings that have
been defined in two different ways:
By task settings and local application settings, if the setting is not locked against changes in
the policy.
By the group policy, if the setting is locked against changes.
Local application settings are changed after the policy is first applied in accordance with the policy
settings.
Update Agent
Update Agent is a computer with installed Network Agent, which is used for update distribution,
remote installation of applications, and collection of information about networked computers. An
Update Agent can perform the following functions:
Manage updates and installation packages received from the Administration Server by
distributing them to client computers in the group (including such method as multicasting
via UDP). Updates can be retrieved either from the Administration Server, or from
Kaspersky Lab update servers. In the latter case, an update task must be created for the
computer, which acts as the Update Agent (see section "Automatic installation of updates
for Kaspersky Endpoint Security on client computers" on page 198).
Update Agents accelerate update distribution and allow you to free up Administration
Server resources.
Distribute policies and group tasks through multicasting via UDP.
Act as a gateway for connection to the Administration Server for computers in an

administration group (see section "Using Update Agent as gateway" on page 346).
If direct connection between managed computers in the group and the Administration
Server cannot be established, the Update Agent can be used as a connection gateway to
the Administration Server for this group. In this case, managed computers will be
connected to the connection gateway, which, in its turn, will be connected to the
Basic concepts
79
Presence of an Update Agent that operates as the connection gateway does not block the
option of direct connection between managed computers and the Administration Server. If
the connection gateway is not available, but direct connection with the Administration
Server is technically possible, managed computers will be connected to the Server directly.
Poll the network to detect new computers and update information about existing ones. An
Update Agent can apply the same network polling methods as the Administration Server.
Perform remote installation of third-party software and Kaspersky Lab applications using
Microsoft Windows tools, including installation on client computers without Network Agent.
This feature allows remotely transfer installation packages of Network Agent to client
computers located on networks to which the Administration Server has no direct access.
Computers with Network Agent installed can be appointed to act as Update Agents either
manually, by the administrator, or automatically, by Administration Server (see section "Appointing
computers to act as Update Agents" on page 292). You can view the full list of Update Agents for
specified administration groups by creating a report on the list of Update Agents.
The scope of an Update Agent is the administration group to which it has been assigned by the
administrator, as well as its subgroups of all levels of embedding. If several Update Agents have
been assigned in the hierarchy of administration groups, the Network Agent of the managed
computer connects to the hierarchically closest Update Agent.
An NLA subnet can also be the scope of Update Agents. The NLA subnet is then used for manual
creation of a set of computers on which the Update Agent will distribute updates.
If Update Agents are assigned automatically by the Administration Server, it assigns them by
broadcast domains, not by administration groups. This occurs when all broadcast domains are
known. Network Agent exchanges messages with other Network Agents in the same subnet and
then sends Administration Server information about itself and other Network Agents. Administration
Server can use that information to group Network Agents by broadcast domains. Broadcast
domains are known to Administration Server after more than 70% Network Agents in
administration groups are polled. Administration Server polls broadcast domains every two hours.
After Update Agents are assigned by broadcast domains, it cannot be re-assigned by

administration groups.
Basic concepts
80
Network Agents with the active connection profile do not participate in broadcast domain
detection.
When two or more Update Agents are assigned in a single network area or in a single
administration group, one of them become the active Update Agent, the rest of them become
standby Update Agents. The active Update Agent downloads updates and installation packages
directly from the Administration Server, while standby Update Agents retrieve updates from the
active Update Agent only. In this case, files are once downloaded from the Administration Server
after which they are distributed among Update Agents. If the active Update Agent becomes
unavailable for any reason, one of the standby Update Agents becomes active. The Administration
Server automatically assigns an Update Agent to act as standby.
The Update Agent status (Active / Standby) is displayed with a check box in the klnagchk utility
report (see section "Checking the connection between a client computer and the
Administration Server manually. Utility tool klnagchk" on page 136).
An Update Agent requires at least 4 GB of free disk space for the operation.
If any remote installation tasks are available on Administration Server, the computer with the
Update Agent will also require an amount of free disk space equal to the total size of the
installation packages to be installed.
If one or multiple instances of the task for update (patch) installation and vulnerability repair are
available on Administration Server, the computer with the Update Agent will also require an
amount of free disk space equal to twice the total size of all patches to be installed.
Basic concepts
81
Managing Administration Servers
This section provides information about how to handle Administration Servers and how to configure
them.
In this section:
Connecting to an Administration Server and switching between Administration Servers ........... 82
Access rights to Administration Server and its objects .............................................................. 84
Conditions of connection to an Administration Server via the Internet ....................................... 86
Secure connection to Administration Server .............................................................................. 86
Disconnecting from an Administration Server ............................................................................ 88
Adding an Administration Server to the console tree ................................................................. 89
Removing an Administration Server from the console tree ........................................................ 89
Changing an Administration Server service account. Utility tool klsrvswch ................................ 89
Viewing and modifying the settings of an Administration Server ................................................ 91
Connecting to an Administration Server

and switching between Administration
Servers
After Kaspersky Security Center is started, it attempts to connect to an Administration Server. If
several Administration Servers are available on the network, the application requests the server to
which it was connected during the previous session of Kaspersky Security Center.
When the application is started for the first time after installation, it attempts to connect to the
Administration Server that was specified during installation of Kaspersky Security Center.
After a connection to an Administration Server is established, the folders tree of that Server is
displayed in the console tree.
If several Administration Servers have been added to the console tree, you can switch between them.
To switch to another Administration Server:

1. In the console tree, select the node with the name of the required Administration Server.
2. In the context menu of the node, select Connect to Administration Server.
3. In the Connection settings window that opens, in the Server address field specify the
name of the Administration Server to which you want to connect. You can specify an IP
address or the name of a computer on a Windows network as the name of the
Administration Server. You can click the Advanced button in the bottom part of the window
to configure the connection to the Administration Server (see the following figure).
To connect to the Administration Server via a port that differs from the default one, enter a
value in the Server address field in <Administration Server name>:<Port> format.
Users who have no rights to read will be denied access to Administration Server.
Figure 8. Connecting to Administration Server
4. Click OK to complete the switch between Servers.
83
After the Administration Server is connected, the folders tree of the corresponding node in the
console tree is updated.
Access rights to Administration Server

and its objects
The KLAdmins and KLOperators groups are created automatically during Kaspersky Security
Center installation. These groups are granted rights to connect to the Administration Server and to
work with Administration Server objects.
Depending on which account is used for installation of Kaspersky Security Center, the KLAdmins
and KLOperators groups are created as follows:
If the application is installed under a user account included in a domain, the groups are
created on the Administration Server and in the domain that includes the Administration
Server.
If the application is installed under a system account, the groups are created on the
Administration Server only.
You can view the KLAdmins and KLOperators groups and modify the access privileges of the
users that belong to the KLAdmins and KLOperators groups by using the standard administrative
tools of the operating system.
The KLAdmins group is granted all access rights; the KLOperators group is granted only Read
and Execution rights. The rights granted to the KLAdmins group are locked.
Users that belong to the KLAdmins group are called Kaspersky Security Center administrators,
while users from the KLOperators group are called Kaspersky Security Center operators.
In addition to users included in the KLAdmins group, administrator rights for Kaspersky Security
Center are also provided to the local administrators of computers on which Administration Server is
installed.
84
You can exclude local administrators from the list of users who have Kaspersky Security
Center administrator rights.
All operations started by the administrators of Kaspersky Security Center are performed using the
rights of the Administration Server account.
An individual KLAdmins group can be created for each Administration Server from the network;
the group will have the necessary rights for that Administration Server only.
If computers belonging to the same domain are included in the administration groups of different
Administration Servers, the domain administrator is the Kaspersky Security Center administrator
for all the groups. The KLAdmins group is the same for those administration groups; it is created
during installation of the first Administration Server. All operations initiated by a Kaspersky Security
Center administrator are performed using the account rights of the Administration Server for which
these operations have been started.
After the application is installed, an administrator of Kaspersky Security Center can:
Modify the rights granted to the KLOperators groups.
Grant rights to access the functionality of Kaspersky Security Center to other user groups
and individual users who are registered on the administrator's workstation.
Assign access rights within each administration group.
The Kaspersky Security Center administrator can assign access rights to each administration
group or to other objects of Administration Server in the Security section in the properties window
of the selected object.
You can track user activity by using the records of events in the Administration Server operation.
Event records are displayed in the Administration Server node on the Events tab. These events
have the importance level Info and the event types begin with "Audit".
85
Conditions of connection to an
Administration Server via the Internet
If an Administration Server is remotely located outside of a corporate network, client computers
can connect to it via the Internet. For client computers to connect to an Administration Server over
the Internet, the following requirements must be met:
The remote Administration Server must have an external IP address and the incoming ports
13000 and 14000 must remain open.
Network Agents must be installed on client computers.
When installing Network Agent on client computers, you must specify the external IP
address of the remote Administration Server. If an installation package is used for
installation, specify the external IP address manually in the properties of the installation
package, in the Settings section.
To use the remote Administration Server to manage applications and tasks for a client
computer, in the properties window of that computer in the General section, select the Do
not disconnect from the Administration Server check box. After the check box is
selected, wait until the Server is synchronized with the remote client computer. The number
of client computers maintaining a continuous connection with an Administration Server
cannot exceed 100.
To increase the performance of tasks initiated by a remote Administration Server, you can open
port 15000 on a client computer. In this case, to run a task, the Administration Server sends a
special packet to Network Agent over port 15000 without waiting until completion of
synchronization with the client computer.
Secure connection to Administration

Server
Data exchange between client computers and Administration Server, as well as the Administration
Console connection to Administration Server, can be performed using the Secure Sockets Layer
(SSL) protocol. The SSL protocol can identify the interacting parties, encrypt the data that is
transferred, and protect data against modification during transfer. The SSL protocol uses public
keys to authenticate the interacting parties and encrypt data.
86
In this section:
Administration Server certificate ................................................................................................ 87
Administration Server authentication during client computer connection ................................... 87
Administration Server authentication during Administration Console connection ....................... 88
Administration Server certificate

Authentication of an Administration Server during connection by Administration Console and data
exchange with client computers is based on the Administration Server certificate. The certificate is
also used for authentication when a connection is being established between master and slave
Administration Servers.
The Administration Server certificate is created automatically during installation of the

Administration Server component and is stored in the ALLUSERSPROFILE%\Application
Data\KasperskyLab\adminkit\1093\cert folder.
The Administration Server certificate is created only once, during Administration Server installation.
If the Administration Server certificate is lost, you need to reinstall the Administration Server
component and perform a data recovery in order to restore the certificate (see section "Backup
copying and restoration of Administration Server data" on page 334).
Administration Server authentication during

client computer connection
When a client computer connects to Administration Server for the first time, Network Agent on the
client computer downloads a copy of the Administration Server certificate and stores it locally.
If you install Network Agent to a client computer locally, you can select the Administration
Server certificate manually.
87
The downloaded copy of the certificate is used to verify Administration Server rights and
permissions during subsequent connections.
During future sessions, Network Agent requests the Administration Server certificate at each
connection of the client computer to Administration Server and compares it with the local copy. If
the copies do not match, the client computer is not allowed access to Administration Server.
Administration Server authentication during

Administration Console connection
At the first connection to Administration Server, Administration Console requests the Administration
Server certificate and saves it locally on the administrator's workstation. After that, each time when
Administration Console tries to connect to this Administration Server, the Administration Server is
identified based on the certificate copy.
If the Administration Server certificate does not match the copy stored on the administrator's
workstation, the Administration Console offers to confirm connection to the Administration Server
with the specified name and download a new certificate. After the connection is established,
Administration Console saves a copy of the new Administration Server certificate, which will be
used to identify the Administration Server in the future.
Disconnecting from an Administration

Server
To disconnect from an Administration Server:
1. In the console tree select the node corresponding to the Administration Server that should
be disconnected.
2. From the context menu of the node select Disconnect from Administration Server.
88
Adding an Administration Server to the
console tree
To add an Administration Server to the console tree:
1. In the main window of Kaspersky Security Center select the Kaspersky Security Center
node from the console tree.
2. From the context menu of the node select Create Administration Server.
After it's done, a node named Administration Server - <Computer name> (Not connected)
will be created in the console tree from which you will be able to connect to any of the
Administration Servers on the network.
Removing an Administration Server

from the console tree
To remove an Administration Server from the console tree:
1. In the console tree select the node corresponding to the Administration Server that you
want to remove.
2. From the context menu of the node select Remove.
Changing an Administration Server

service account. Utility tool klsrvswch
If you need to change the Administration Server service account set when installing Kaspersky
Security Center, you can use a utility named klsrvswch and designed for changing the
Administration Server account.
When installing Kaspersky Security Center, the utility is automatically copied in the application
installation folder.
Number of launches of the utility is virtually unlimited.
89
To change an Administration Server service account:
1. Launch the klsrvswch utility from the installation folder of Kaspersky Security Center.
This action also launches the wizard for modification of Administration Server service
account. Follow the Wizard's instructions.
2. In the Administration Server service account window select any of the two options for
setting an account:
Local System Account. The Administration Server service will start under the Local
System Account and using its credentials.
Correct operation of Kaspersky Security Center requires that the account used to
start the Administration Server service had the rights of administrator of the
resource where the Administration Server database is hosted.
User account. The Administration Server service is started under the account of a user
within the domain. In this case the Administration Server is to initiate all operations by
using the rights of that account.
To select the user whose account will be used to start the Administration Server
service:
1. Click the Find now button and select a user in the Select: User window that opens.
Close the Select: User window and click Next.
2. In the Account password window set a password for the selected user account, if
necessary.
After the wizard completes its operations, the Administration Server account is changed.
When using an SQL server in a mode that presupposes authenticating user accounts with
Microsoft Windows tools, access to the database should be granted. The user must have the
status of owner of the Kaspersky Anti-Virus database. The dbo schema is used by default.
90
Viewing and modifying the settings of
an Administration Server
You can adjust the settings of an Administration Server in the properties window of this Server.
To open the Properties: Administration Server window,

select Properties from the context menu of the Administration Server node in the console tree.
In this section:
Adjusting the general settings of Administration Server ............................................................. 91
Event processing and storage on the Administration Server ..................................................... 92
Control of virus outbreaks ......................................................................................................... 92
Limiting traffic ............................................................................................................................ 93
Configuring cooperation with Cisco Network Admission Control (NAC) ..................................... 93
Configuring Web Server ............................................................................................................ 94
Working with internal users ....................................................................................................... 94
Adjusting the general settings of

You can adjust the general settings of Administration Server in the General, Settings, Events
Storage, and Security of the properties window of Administration Server.
The Security section may not be displayed in the Administration Server properties window if the
display has been disabled in the Administration Console interface.
To enable the display of the Security section in Administration Console:

1. In the View menu of the main application window, select Configure interface.
2. In the Configure interface window that opens, select the Display security settings
sections check box and click OK.
3. In the window with the application message, click OK.
The Security section will be displayed in the Administration Server properties window.
91
Event processing and storage on the
Information about events in the operation of the application and managed computers is saved in
the Administration Server database. Each event is attributed to a certain type and level of severity
(Critical event, Functional failure, Warning, or Info). Depending on the conditions under which an
event occurred, the application can assign different levels of severity to events of the same type.
You can view types and levels of severity assigned to events in the Event notification section of
the Administration Server properties window. In the Event notification section, you can also
configure processing of every event by the Administration Server:
Registration of events on the Administration Server and in event logs of the operating
system on a client computer and on the Administration Server.
Method used for notifying the administrator of an event (for example, an SMS or an email
message).
In the Events storage section of the Administration Server properties window, you can configure
event storage in the Administration Server database by limiting the number of event records or the
record storage time. The default capacity of the Administration Server database is 400,000 events.
The maximum recommended capacity of the database is 15,000,000 events. If the number of
events in the database reaches the maximum value specified by the administrator, the application
deletes the oldest events and rewrites them with new ones.
Control of virus outbreaks

Kaspersky Security Center allows you to quickly respond to emerging threats of virus outbreaks.
Risks of virus outbreaks are assessed by controlling virus activity on client computers.
You can configure assessment rules for threats of virus outbreaks and actions to take in case one
emerges; to do this, use the Virus outbreak section of the properties window of Administration
Server.
You can specify the notification procedure for the Virus outbreak event in the Event notification
section of the Administration Server properties window (see section "Processing and storing
events on the Administration Server" on page 92), in the Virus outbreak event properties window.
92
The Virus outbreak event is generated in case of detection of Malicious object detected events in
the operation of anti-virus applications. So, you should save information about all Malicious object
detected events on Administration Server in order to recognize virus outbreaks.
You can specify the settings of saving information about any Malicious object detected event in the
policies of anti-virus applications.
When counting Malicious object detected events, only information from the client computers of
the master Administration Server is to be taken into account. The information from slave
Administration Servers is not taken into account. For each slave Server the Virus outbreak
event is configured individually.
Limiting traffic
To reduce traffic volumes within a network, the application provides the option to limit the speed of
data transfer to an Administration Server from specified IP ranges and IP subnets.
You can create and configure traffic limiting rules in the Traffic section of the Administration Server
properties window.
Configuring cooperation with Cisco

Network Admission Control (NAC)
You can set correspondence links between conditions of anti-virus protection of client computers
and security statuses of Cisco Network Admission Control (NAC).
To set such correspondence, you should create conditions under which a client computer is
assigned certain security statuses of Cisco Network Admission Control (NAC): Healthy, Checkup,
Quarantine or Infected.
You can configure correspondence between statuses of Cisco NAC and conditions of anti-virus
protection of client computers in the Cisco NAC section of the Administration Server properties
window.
93
The Cisco NAC section is displayed in the properties window of Administration Server if
Kaspersky Lab Cisco NAC Posture Validation component has been installed together with
Administration Server during the application installation (for details refer to the Kaspersky
Security Center Implementation Guide). Otherwise, the Cisco NAC section is not displayed in
the properties window of Administration Server.
For additional information about how to configure cooperation with Cisco NAC see article in the
Knowledge Base on Technical Support website http://support.kaspersky.com/12602.
Cooperation with Cisco NAC will not be supported starting from the next application version,
i.e., Kaspersky Security Center 10 Service Pack 2 Maintenance Release 1.
Configuring Web Server

Web Server is designed for publishing standalone installation packages, iOS MDM profiles, and
files from the shared folder.
You can define the settings for connection of Web Server to the Administration Server and set a
Web Server certificate in the Web Server section of the Administration Server properties window.
Working with internal users

The accounts of internal users are used to work with virtual Administration Servers. Under the
account of an internal user, the administrator of a virtual Administration Server can start Kaspersky
Security Center Web Console to check the anti-virus security status of a network. Kaspersky
Security Center grants the rights of real users to internal users of the application.
The accounts of internal users are created and used only within Kaspersky Security Center. No
data on internal users is transferred to the operating system. Kaspersky Security Center
authenticates internal users.
You can configure the settings of accounts of internal users in the Internal users section of the
Administration Server properties window.
The Internal users section is only displayed in the Administration Server properties window if
the Administration Server is virtual or contains virtual Administration Servers.
94
Managing administration groups
This section provides information about how to handle administration groups.
You can perform the following actions on administration groups:
add any number of nested groups of any level of hierarchy to administration groups;
add client computers to administration groups;
change the hierarchy of administration groups by moving individual client computers and
whole groups to other groups;
remove nested groups and client computers from administration groups;
add slave and virtual Administration Servers to administration groups;
move client computers from the administration groups of an Administration Server to those
of another Server;
define which Kaspersky Lab applications will be automatically installed on client computers
included in a group.
In this section:
Creating administration groups.................................................................................................. 96
Moving administration groups ................................................................................................... 97
Deleting administration groups .................................................................................................. 98
Automatic creation of a structure of administration groups ........................................................ 99
Automatic installation of applications to computers in an administration group ........................ 101

Creating administration groups
The hierarchy of administration groups is created in the main application window of Kaspersky
Security Center, in the Managed computers folder. Administration groups are displayed as folders
in the console tree (see figure below).
Immediately after the installation of Kaspersky Security Center, the Managed computers folder
only contains the Administration Servers folder, which is empty.
The user interface settings determine whether the Administration Servers folder appears in
the console tree. To make this section displayed, go to the View Configure interface and,
in the Configure interface window that opens, select the Display slave Administration
Servers check box.
When creating a hierarchy of administration groups, you can add client computers and virtual
machines to the Managed computers folder, as well as add nested groups. You can add slave
Administration Servers to the Administration Servers folder.
Identically to the Managed computers group, each created group initially only contains the
Administration Servers folder, which is empty, intended to handle slave Administration Servers of
this group. Information about policies, tasks of this group, and computers included is displayed on
the corresponding tabs in the workspace of this group.
Figure 9. Viewing administration groups hierarchy
96
To create an administration group:
1. In the console tree, open the Managed computers folder.
2. If you want to create a subgroup in an existing administration group, in the Managed

computers folder select a nested folder corresponding to the group, which should
comprise the new administration group.
If you create a new top-level administration group, you can skip this step.
3. Start the administration group creation process in one of the following ways:
By using the Create Group command from the context menu.
By clicking the New group button located in the workspace of the main application
window, on the Groups tab.
4. In the Group name window that opens, enter a name for the group and click the OK button.
As a result, a new administration group folder with the specified name appears in the console
tree.
The application allows creating a hierarchy of administration groups based on the structure of
Active Directory or the domain network's structure. Also, you can create a structure of groups from
a text file.
To create a structure of administration groups:
1. In the console tree select the Managed computers folder.
2. In the context menu of the Managed computers folder, select All Tasks Create groups
structure.
As a result, the New Administration Group Structure Wizard launches. Follow the Wizard's
instructions.
Moving administration groups

You can move nested administration groups within the groups hierarchy.
97
An administration group is moved together with all child groups, slave Administration Servers,
client computers, group policies, and tasks. The system will apply to the group all the settings that
correspond to its new position in the hierarchy of administration groups.
The name of the group should be unique within one level of the hierarchy. If a group with the same
name already exists in the folder into which you move the administration group, you should change
the name of the latter. If you have not changed the name of the group being moved, an index in
(<serial number>) format is automatically added to its name when it is moved, for example: (1), (2).
You cannot rename the Managed computers folder because it is a built-in element of
Administration Console.
To move a group to another folder of the console tree:
1. Select a group to move from the console tree.
2. Do one of the following:
Move the group using the context menu:
1. Select Cut from the context menu of the group.
2. Select Paste from the context menu of the administration group to which you need
to move the selected group.
Move the group using the main application menu:
a. In the main menu, select Action Cut.
b. Select the administration group to which you need to move the selected group, from
the console tree.
c. In the main menu, select Action Paste.
Move the group to another one in the console tree using the mouse.
Deleting administration groups

You can delete an administration group if it contains no slave Administration Servers, nested
groups, or client computers, and if no group tasks or policies have been created for it.
98
Before deleting an administration group, you should delete all slave Administration Servers, nested
groups, and client computers from that group.
To delete a group:
1. Select an administration group in the console tree.
Select Remove from the context menu of the group.
In the main application menu, select Action Remove.
Press the DEL key.
Automatic creation of a structure of

administration groups
Kaspersky Security Center allows you to create a structure of administration groups using the
Groups hierarchy creation wizard.
The Wizard creates a structure of administration groups based on the following data:
structures of Windows domains and workgroups;
structures of Active Directory groups;
contents of a text file created by the administrator manually.
When generating the text file, the following requirements should be met:
The name of each new group must begin with a new line; and the delimiter must begin with
a line break. Blank lines are ignored.
Example:
Office 1
Office 2
Office 3
Three groups of the first hierarchy level will be created in the target group.
99
The name of the nested group must be entered with a slash mark (/).
Example:
Office 1/Division 1/Department 1/Group 1
Four subgroups nested into each other will be created in the target group.
To create several nested groups of the same hierarchy level, you must specify the "full path
to the group".
Example:
Office 1/Division 1/Department 1
One group of the first hierarchy level Office 1 will be created in the destination group; this group
will include four nested groups of the same hierarchy level: "Division 1", "Division 2", "Division
3", and "Division 4". Each of these groups will include the "Department 1" group.
If you use a Wizard to create the administration groups structure, the network integrity is
preserved: new groups do not replace the existing ones. A client computer cannot be included in
an administration group again, because it is removed from the Unassigned computers group
after the client computer is moved to the administration group.
If, when creating a structure of administration groups, a client computer has not been included
in the Unassigned computers group by any reason (it has been shut down or lost the network
connection), it will not be automatically moved to the administration group. You can add client
computers to administration groups manually after the Wizard finishes its operation.
To launch the automatic creation of a structure of administration groups:

1. Select the Managed computers folder in the console tree.
2. In the context menu of the Managed computers folder, select All Tasks Create groups
structure.
As a result, the New Administration Group Structure Wizard launches. Follow the Wizard's
instructions.
100
Automatic installation of applications to
computers in an administration group
You can specify which installation packages should be used for automatic remote installation of
Kaspersky Lab applications to client computers that have recently been added to a group.
To configure automatic installation of applications to new devices in an administration

group:
1. In the console tree, select the required administration group.
2. Open the properties window of this administration group.
3. In the Automatic installation section, select the installation packages to be installed to

new computers by selecting the check boxes next to the names of the installation packages
of the required applications. Click OK.
As a result, group tasks will be created that will be run on the client devices immediately after
they are added to the administration group.
If some installation packages of one application were selected for automatic installation, the
installation task will be created for the most recent application version only.
101
Managing applications remotely
This section provides information about how to perform remote management of Kaspersky Lab
applications installed on client computers, using policies, policy profiles, tasks, and local settings of
applications.
In this section:
Managing policies ................................................................................................................... 102
Managing policy profiles .......................................................................................................... 109
Managing tasks ....................................................................................................................... 114
Viewing and editing the local application settings .................................................................... 125
Managing policies
The applications installed on client computers are configured centrally through definition of policies.
Policies created for applications in an administration group are displayed in the workspace, on the
Policies tab. The name of each policy is preceded by an icon that indicates its status (see section
"Statuses of computers, tasks, and policies" on page 357).
After a policy is deleted or revoked, the application continues working with the settings specified in
the policy. Those settings can be subsequently modified manually.
A policy applies as follows: if a client computer is running resident tasks (real-time protection
tasks), they keep running with the new values of the settings. Any periodic tasks (on-demand scan,
update of application databases) started keep running with the values unchanged. Next time they
are run with the new values of the settings.
If Administration Servers are structured hierarchically, slave Administration Servers receive policies
from the master Administration Server and distribute them to client computers. When inheritance is
enabled, policy settings can be modified on the master Administration Server. After that, any
changes made to the policy settings are propagated to inherited policies on slave Administration
Servers.
If the connection is terminated between the master and slave Administration Servers, the policy on
the slave Server continues, using the applied settings. Policy settings modified on the master
Administration Server are distributed to a slave Administration Server after the connection is re-
established.
If inheritance is disabled, policy settings can be modified on a slave Administration Server

independently from the master Administration Server.
If the connection between Administration Server and a client computer is interrupted, the client
computer starts running under the out-of-office policy (if it is defined), or the policy keeps running
under the applied settings until the connection is re-established.
The results of policy distribution to the slave Administration Server are displayed in the policy
properties window of the console on the master Administration Server.
Results of propagation of policies to client computers are displayed in the policy properties window
of Administration Server to which they are connected.
In this section:
Creating a policy ..................................................................................................................... 104
Displaying inherited policy in a subgroup ................................................................................ 105
Activating a policy ................................................................................................................... 105
Activating a policy automatically at the Virus outbreak event ................................................... 106
Applying an out-of-office policy................................................................................................ 106
Deleting a policy ...................................................................................................................... 106
Copying a policy ...................................................................................................................... 107
Exporting a policy .................................................................................................................... 107
Importing a policy .................................................................................................................... 108
Converting policies .................................................................................................................. 108
103
Creating policies
In Administration Console, you can create policies directly in the folder of the administration group
for which a policy is to be created, or in the workspace of the Policies folder.
To create a policy in the folder of an administration group:
1. In the console tree, select an administration group for which you want to create a policy.
2. In the workspace of the group, open the Policies tab.
3. Run the New Policy Wizard by clicking the Create a policy button.
This starts the New Policy Wizard. Follow the Wizard's instructions.
To create a policy in the workspace of the Policies folder:
1. In the console tree, select the Policies folder.
2. Run the New Policy Wizard by clicking the Create a policy button.
This starts the New Policy Wizard. Follow the Wizard's instructions.
You can create several policies for one application from the group, but only one policy can be
active at a time. When you create new active policy, the previous active policy becomes
inactive.
When creating a policy, you can specify a minimum set of parameters required for the application
to function properly. All other values are set to the default values applied during the local
installation of the application. You can change the policy after it is created.
Settings of Kaspersky Lab applications changed after policies are applied are described in details
in their respective Guides.
After the policy is created, settings prohibited to modify (marked with the "lock" ) take effect
on client computers regardless of what settings had been specified for the application earlier.
104
Displaying inherited policy in a subgroup
To enable the display of inherited policies for a nested administration group:
1. In the console tree select the administration group for which inherited policies should be
displayed.
2. In the workspace for the selected group select the Policies tab.
3. From the context menu of the list of policies select View Inherited Policies.
As a result, inherited policies are displayed on the list of policies with the icon (light-
colored icon). When the settings inheritance mode is enabled, inherited policies are only
available for modification in the group in which they have been created. Modification of those
inherited policies is not available in the group, which inherits them.
Activating a policy
To make a policy active for the selected group:
1. In the workspace of the group, on the Policies tab select the policy that you need to make
active.
2. To activate the policy, perform one of the following actions:
From the context menu of the policy select Active policy.
In the policy properties window open the General section and select Active policy from
the Policy status settings group.
As a result, the policy becomes active for the selected administration group.
When a policy is applied to a large number of client computers, both the load on the
Administration Server and the network traffic increase significantly for a period of time.
105
Activating a policy automatically at the
Virus outbreak event
To make a policy perform the automatic activation at the Virus outbreak event:
1. In the Administration Server properties window open the Virus outbreak section.
2. Open the Policy activation window by clicking the Configure policies to activate on
"Virus outbreak" event link and add the policy to the selected list of policies activated
upon detection of a virus outbreak.
If a policy has been activated on the Virus outbreak event, the manual mode is the only
way that you can use to return to the previous policy.
Applying an out-of-office policy

An out-of-office policy takes effect on a computer in case it is disconnected from the enterprise
network.
To apply the selected out-of-office policy,

in the properties window of the policy open the General section and select Out-of-office
policy from the Policy status settings group.
As a result, the policy applies to the computers in case they are disconnected from the
enterprise network.
Deleting a policy
To delete a policy:
1. In the workspace of an administration group, on the Policies tab, select the policy that you
need to delete.
2. Delete the policy using one of the following methods:
By selecting Remove from the context menu of the policy.
By clicking the Delete policy link located in the workspace, in the section intended for
handling the selected policy.
106
Copying a policy
To copy a policy:
1. In the workspace of the required group, on the Policies tab select a policy.
2. From the context menu of the policy select Copy.
3. In the console tree, select a group to which you want to add the policy.
You can add a policy to the group, from which it was copied.
4. From the context menu of the list of policies for the selected group, on the Policies tab
select Paste.
As a result, the policy will be copied with all its settings and applied to the computers within the
group into which it was copied. If you paste the policy to the same group from which it has been
copied, the (<sequence number>) index is automatically added to the name of the policy: for
example, (1), (2).
An active policy becomes inactive while it is copied. If necessary, you can make it active.
Exporting a policy
To export a policy:
1. Export a policy in one of the following ways:
In the context menu of the policy, select All Tasks Export.
By clicking the Export policy to file link located in the workspace, in the section
intended for handling the selected policy.
2. In the Save as window that opens, specify the name of the policy file and the path to save
it. Click the Save button.
107
Importing a policy
To import a policy:
1. In the workspace of the required group, on the Policies tab select one of the following
methods of importing policies:
By selecting All tasks Import from the context menu of the list of policies.
Click the Import policy from file link in the management block for policy list.
2. In the window that opens, specify the path to the file from which you want to import a policy.
Click the Open button.
The policy is then displayed in the list of policies.
If a policy with the name coinciding with that of the imported policy is already included on the
list of policies, the name of the imported policy will be expanded with the with a suffix (<next
number>), for example: (1), (2).
Converting policies
Kaspersky Security Center can convert policies from earlier versions of Kaspersky Lab applications
into those from up-to-date versions of the same applications.
Conversion is available for policies of the following applications:
Kaspersky Anti-Virus 6.0 for Windows Workstations MP4.
Kaspersky Endpoint Security 8 for Windows.
To convert policies:
1. From the console tree select Administration Server for which you want to convert policies.
2. In the Administration Server context menu, select All Tasks Policies and Tasks
Conversion Wizard.
This will start the Policies and Tasks Conversion Wizard. Follow the Wizard's instructions.
108
After the wizard finishes its operation, new policies are created, which use the settings of policies
from earlier versions of Kaspersky Lab applications.
Managing policy profiles

This section provides information about policy profiles that are used for efficient management of
groups of client computers. The advantages of policy profiles are described, as well as ways of
applying them. This section also provides instructions on how to create, configure and delete policy
profiles.
About the policy profile

Policy profile is a named set of variable settings of a policy that is activated on a client device
(computer or mobile device) when specific conditions are met. Activation of a profile modifies the
policy settings that had been active on the device before the profile was activated. Those settings
take values that have been specified in the profile.
Policy profiles are only supported for Kaspersky Endpoint Security 10 Service Pack 1 for
Windows and Kaspersky Mobile Device Management 10 Service Pack 1.
Advantages of policy profiles
Policy profiles simplify the management of client devices through policies:
Profiles contain only settings that differ from the basic policy.
You do not have to maintain and manually apply several instances of a single policy that
differ only by a few settings.
You do not have to allocate an individual out-of-office policy.
New policy profiles are easy to create since export and import of profiles are supported, as
well as creation of new profiles based on existing ones by copying.
Several policy profiles can be active on a single client device simultaneously.
The hierarchy of policies is supported.
109
Profile activation rules. Priorities of profiles
A policy profile is activated on a client device when an activation rule triggers. An activation rule
can contain the following conditions:
Network Agent on a client device connects to the Server with a specified set of connection
parameters, such as Server address, port number, etc.
The client device is running in offline mode.
The client device has been assigned specified tags.
The client device is located in a specific unit of Active Directory, the device or its owner is
located in a security group of Active Directory.
The client device belongs to a specified owner, or the owner of the device is included in an
internal security group of Kaspersky Security Center.
Profiles that have been created for a policy are sorted in descending order of priority. If the X
profile precedes the Y profile on the list of profiles, this means that X has a higher priority than Y.
The priorities of profiles are necessary because several profiles may be active simultaneously on a
client device.
Policies in the hierarchy of administration groups
While policies influence each other in accordance with the hierarchy of administration groups,
profiles with identical names merge. Profiles of a 'higher' policy have a higher priority. For example,
in administration group A, policy P(A) has profiles X1, X2, and X3 (in descending order of priority).
In administration group B, which is a subgroup of group A, policy P(B) has been created with
profiles X2, X4, X5. Then policy P(B) will be modified with policy P(A) so that the list of profiles in
policy P(B) will look as: X1, X2, X3, X4, X5 (in descending order of priority). The priority of profile
X2 will depend on the initial state of X2 of policy P(B) and X2 of policy P(A).
The active policy is the sum of the main policy and all active profiles of that policy, i.e., profiles for
which the activation rules trigger. The active policy is recalculated when you run Network Agent,
enable and disable offline mode, or edit the list of tags assigned for the client device.
110
Properties and restrictions of policy profiles
Profiles have the following properties:
Profiles of an inactive policy have no impact on client devices.
If a policy is active in offline mode, profiles of that policy will also be applied in offline mode
only.
Profiles do not support static analysis of access to executable files.
A policy cannot contain notification settings.
If UDP port 15000 is used for connection of a client computer to Administration Server, you
should activate the corresponding policy profile within one minute when assigning a tag to
the client computer.
You can use rules of connection between Network Agent and Administration Server when
creating profile activation rules.
Creating a policy profile

Creating a policy profile is only available for policies of Kaspersky Endpoint Security 10
Service Pack 1 for Windows.
To create a policy profile for an administration group:
1. In the console tree, select the administration group for which you want to create a policy
profile.
3. Select a policy and switch to the policy properties window using the context menu.
4. Open the Policy profile section in the policy properties window and click the Add button.
5. In the Properties: New profile window, configure the policy profile:
In the General section, specify the name of the profile.
The name of a profile cannot include more than 100 characters.
111
Enable or disable the profile using the Enable profile check box.
If this check box is cleared, the profile cannot be used for managing the client computer.
6. In the Activation rules section, create activation rules for the profile.
Click Add.
Define the policy profile activation rules in the Property: New rule.
Click OK.
7. Edit the policy settings in the corresponding sections.
8. After the profile is configured and activation rules are created, save the changes by clicking
the OK button.
As a result, the profile will be saved. The profile will be activated on the client computer when
the activation rules trigger.
Profiles that have been created for a policy are displayed in the policy properties, in the Policy
profiles section. You can modify a policy profile and change the profile's priority (see the section
"Editing a policy profile" on page 112), as well as delete the profile (see the section "Deleting a
policy profile" on page 114).
Several policy profiles can be activated simultaneously when the activation rules trigger.
Modifying a policy profile

Editing the settings of a policy profile
Editing a policy profile is only available for policies of Kaspersky Endpoint Security 10 Service
Pack 1 for Windows.
112
To modify a policy profile:
1. In the console tree, select the administration group for which the policy profile should be
modified.
4. Open the Policy profile section in the policy properties.
This section contains a list of profiles that have been created for the policy. Profiles are
displayed on the list in accordance with their priorities.
5. Select a policy profile and click the Properties button.
6. Configure the profile in the properties window:
If necessary, in the General section, change the profile name and enable or disable the
profile using the Enable profile check box.
In the Activation rules section, edit the profile activation rules.
Edit the policy settings in the corresponding sections.
7. Click OK.
The settings that you have modified will be applied either after the client computer is synchronized
with Administration Server (if the policy profile is active), or after the activation rule triggers (if the
policy profile is inactive).
Changing the priority of a policy profile
The priorities of policy profiles define the activation order of profiles on a client computer. Priorities
are used if identical activation rules are set for different policy profiles.
For example, two policy profiles have been created: Profile 1 and Profile 2, which differ by the
respective values of a single setting (Value 1 and Value 2). The priority of Profile 1 is higher than
that of Profile 2. Moreover, there are also profiles with priorities that are lower than that of Profile 2.
The activation rules for those profiles are identical.
113
When an activation rule triggers, Profile 1 will be activated. The setting on the client computer will
take Value 1. If you delete Profile 1, then Profile 2 will have the highest priority, so the setting will
take Value 2.
On the list of policy profiles, profiles are displayed in accordance with their respective priorities.
The profile with the highest priority is ranked first. You can change the priority of a profile using the
and buttons.
Deleting a policy profile

To delete a policy profile:
1. In the console tree, select the administration group for which you want to delete a policy
profile.
2. In the workspace of the administrative group, open the Policies tab.
4. Open the Policy profile section in the properties of the policy of Kaspersky Endpoint
Security.
5. Select the policy profile that you want to delete and click the Remove button.
As a result, the policy profile will be deleted. The active status will pass either to another policy
profile of which the activation rules trigger on the client computer, or to the policy.
Managing tasks
Kaspersky Security Center manages application installed on client computers by creating and
running tasks. Tasks are required for installing, launching and stopping applications, scanning files,
updating databases and software modules, and taking other actions on applications.
Tasks are subdivided into the following types:
Group tasks. Tasks that are performed on the client computers of the selected
Administration Server tasks. Tasks that are performed on the Administration Server.
114
Tasks for specific computers. Tasks that are performed on selected computers, regardless
of whether they are included in any administration groups.
Local tasks. Tasks that are performed on an individual client computer.
An application task can only be created if the management plug-in for that application is
installed on the administrator's workstation.
You can compile a list of computers for which a task should be created, by using one of the
following methods:
Select computers detected by Administration Server on the network.
Specify a list of computers manually. You can use an IP address (or an IP range), NetBIOS
name, or DNS name as the computer address.
Import a list of computers from a TXT file containing the addresses of computers to be
added (each address should be placed in an individual line).
If you import a list of computers from a file or create one manually, and client computers are
identified by their names, the list should contain only computers for which information has
already been added to the Administration Server database when connecting the computers
or in the course of a network poll.
For each application you can create any number of group tasks, tasks for specific computers, or
local tasks.
Exchange of information about tasks between an application installed on a client computer and the
Kaspersky Security Center database is carried out in the moment Network Agent is connected to
You can make changes to the settings of tasks, view their progress, copy, export, import, and
delete them.
Tasks are launched on a client computer only if the application for which the task was created
is running. When the application is not running, all running tasks are canceled.
115
Results of tasks run are saved in the events log of Microsoft Windows and Kaspersky Security
Center as in centralized mode on Administration Server, so in local mode on each client
computer.
Creating a group task

In Administration Console, you can create tasks directly in the folder of the administration group for
which a group task is to be created, or in the workspace of the Tasks folder.
To create a group task in the folder of an administration group:

1. In the console tree, select the administration group for which you want to create a task.
2. In the group workspace, open the Tasks tab.
3. Run the task creation by clicking the Create a task button.
This starts the New Task Wizard. Follow the Wizard's instructions.
To create a task in the workspace of the Tasks folder:

1. In the console tree, select the Tasks folder.
2. Run the task creation by clicking the Create a task button.
Creating an Administration Server task

The Administration Server performs the following tasks:
Automatic distribution of reports.
Downloading of updates to the repository.
Backup of Administration Server data.
Maintenance of the database.
Windows Update synchronization.
Creation of an installation package based on the OS image of a reference computer.
116
On a virtual Administration Server, only the automatic report delivery task and the installation
package creation task from reference computer OS image are available. The repository of the
virtual Administration Server displays updates downloaded to the master Administration
Server. Backup of virtual Server's data is performed along with backup of master
Administration Server's data.
To create an Administration Server task:
2. Start creating the task in one of the following ways:
In the console tree, in the context menu of the Tasks folder, select Create Task.
By clicking the Create a task button in the workspace of the Tasks folder.
The Download updates to the repository, Perform Windows Update synchronization,

Database maintenance, and Backup of Administration Server data tasks can be created
only once. If the Download updates to the repository, Database maintenance, Back up
Administration Server data, and Windows Update synchronization tasks have been
already created for Administration Server, they will not be displayed in the task type selection
window of the New Task Wizard.
Creating a task for a set of computers

In Kaspersky Security Center, you can create tasks for specific computers. Computers joined in a
set can be included in various administration groups or be out of any administration groups.
Kaspersky Security Center can perform the following main tasks:
Install application remotely (for more information, see Kaspersky Security Center
Implementation Guide).
Send message for user (see the section "Sending a message to the users of client
computers" on page 140).
117
Change Administration Server (see the section "Changing Administration Server for client
computers" on page 139).
Manage client computer (see the section "Remote turning on, turning off and restarting
client computers" on page 140).
Verify updates (see the section "Verifying downloaded updates" on page 285).
Distribute installation package (for more information, see Kaspersky Security Center
Install application remotely on the slave Administration Servers (for more information, see
Kaspersky Security Center Implementation Guide).
Uninstall application remotely (for more information, see Kaspersky Security Center
To create a task for a set of computers:
By clicking the Create a task button in the workspace of the Tasks folder.
Creating a local task

To create a local task for client computer:
1. Select the Computers tab in the workspace of the group that includes the client computer.
2. From the list of computers on the Computers tab select the computer for which a local task
should be created.
3. Start creating the task for the selected computer in one of the following ways:
By clicking the Create a task link in the workspace of the computer.
118
From the computer properties window in the following way:
a. From the computer context menu, select Properties.
b. In the computer properties window that opens, select the Tasks section and click Add.
Detailed instructions on how to create and configure local tasks are provided in the Guides for the
respective Kaspersky Lab applications.
Displaying an inherited group task in the

workspace of a nested group
To enable the display of inherited tasks of a nested group in the workspace:
1. Select the Tasks tab in the workspace of a nested group.
2. In the workspace of the Tasks tab, click the Show inherited tasks button.
As a result, inherited tasks are displayed on the list of tasks with the icon. If the
inheritance mode is enabled, inherited tasks can only be edited in the group in which they have
been created. Inherited tasks cannot be edited in the group that inherits the tasks.
Starting client computers automatically

before launching a task
Kaspersky Security Center allows you to adjust the settings of a task so that the operating system
starts loading on client computers, which are turned off, before the task is launched.
To configure the automatic startup of client computers before launching a task:

1. In the task properties window, select the Schedule section.
2. Open the window intended for configuration of actions on client computers, by clicking the
Advanced link.
3. In the Advanced window that opens, select the Activate computer before the task is started
by the Wake On LAN function (min) check box and specify the time interval in minutes.
119
As a result, the operating system will start loading on client computers, which are turned off, the
specified time interval before the task is launched.
Automatic loading of the operating system is only available on computers that support the
Wake On Lan feature.
Turning off the computer after a task is

complete
Kaspersky Security Center allows you to adjust the settings of a task so that the client computers,
to which it is applied, turn off automatically after it is complete.
To turn off the client computers after the task is complete:
Advanced link.
3. In the Advanced window that opens, select the Turn off computer after task is complete
check box.
Limiting task run time

To limit the time of task run on client computers:
Advanced link.
3. In the Advanced window that opens, select the Stop if the task is taking longer than
(min) check box and specify the time interval in minutes.
As a result, if the task is not yet complete on the client computer when the specified time
interval expires, Kaspersky Security Center stops the task run automatically.
120
Exporting a task
You can export group tasks and tasks for specific computers into a file. Administration Server tasks
and local tasks are not available for export.
To export a task:
1. In the context menu of the task, select All Tasks Export.
2. In the Save as window that opens, specify the name of the file and the path to save it.
3. Click the Save button.
The rights of local users are not exported.
Importing a task
You can import group tasks and tasks for specific computers. Administration Server tasks and local
tasks are not available for import.
To import a task:
1. Select the task list to which the task should be imported:
If you want to import the task to the list of group tasks, in the workspace of the relevant
administration group, select the Tasks tab.
If you want to import a task into the list of tasks for specific computers, select the Tasks
for specific computers folder from the console tree.
2. Select one of the following options to import the task:
In the context menu of the task list, select All Tasks Import.
Click the Import task from file link in the task list management block.
3. In the window that opens, specify the path to the file from which you want to import task.
4. Click the Open button.
As a result, the task is displayed in the list of tasks.
121
If a task with the same name as that of the imported task is already included in the selected
list, an index in (<serial number>) format will be added to the name of the imported one, for
example: (1), (2).
Converting tasks
You can use Kaspersky Security Center to convert tasks from earlier versions of Kaspersky Lab
applications into those from up-to-date versions of the applications.
Conversion is available for tasks of the following applications:
Kaspersky Anti-Virus 6.0 for Windows Workstations MP4.
To convert tasks:
1. In the console tree, select an Administration Server for which you want to convert tasks.
2. In the Administration Server context menu, select All Tasks Policies and Tasks
Conversion Wizard.
This will start the Policies and Tasks Conversion Wizard. Follow the Wizard's instructions.
After the wizard completes its operation, new tasks are created, which use the settings of tasks
from earlier versions of the applications.
Starting and stopping a task manually

You can start and stop tasks in any of the two methods: from the context menu of the task or in the
properties window of the client computer to which this task has been assigned.
Running group tasks from the context menu of a client computer is allowed to users included in
the KLAdmins group (see the section "Rights of access to Administration Server and its
objects" on page 84).
122
To start or stop a task from the context menu or the properties window of the task:
1. In the list of tasks, select a task.
2. Start or stop the task in one of the following ways:
In the context menu of the task, select Start or Stop.
In the task properties window, in the General section, click Start or Stop.
To start or stop a task from the context menu or the properties window of the client
computer:
1. Select a computer from the list of computers.
2. Start or stop the task in one of the following ways:
In the context menu of the client computer, select All tasks Run a Task. Select the
relevant task from the list of tasks.
The list of computers to which the task is assigned will be replaced with the computer
that you have selected. The task starts.
In the properties window of the client computer, in the Tasks section, click the or
button.
Pausing and resuming a task manually

To pause or resume a running task:
1. In the list of tasks, select a task.
2. Pause or resume the task using one of the following methods:
In the context menu of the task, select Pause or Resume.
In task properties window, select the General section and click Pause or Resume.
123
Monitoring task execution
To monitor task execution,
In the task properties window, select the General section.
In the middle part of the General section, the current task status is displayed.
Viewing task run results stored on

Kaspersky Security Center allows you to view run results for group tasks, tasks for specific
computers, and Administration Server tasks. No run results can be viewed for local tasks.
To view the task results:

1. In the task properties window, select the General section.
2. Click the Results link to open the Task results window.
Configuring filtering of information about

task run results
Kaspersky Security Center allows you to filter information about run results for group tasks, tasks
for specific computers, and Administration Server tasks. No filtering is available for local tasks.
To configure filtering of information about task run results:

1. In the task properties window, select the General section.
2. Click the Results link to open the Task results window.
The table in the upper part of the window contains all client computers for which the task is
assigned. The table in the lower part of the window displays the results of the task
performed on the selected client computer.
3. Right-click the relevant table to open the context menu and select Filter.
4. In the Set filter window that opens, configure the filter in the Events, Computers and Time
sections. Click OK.
As a result, the Task results window displays information that meets the settings specified in
the filter.
124
Viewing and changing local application
settings
The Kaspersky Security Center administration system allows remote management of local
application settings on client computers through Administration Console.
Local application settings are the settings of an application that are specific for a client computer.
You can use Kaspersky Security Center to specify local application settings on client computers
included in administration groups.
Detailed descriptions of settings of Kaspersky Lab applications are provided in the respective
guides.
To view or change application's local settings:
1. In the workspace of the group to which the required client computer belongs to, select the
Computers tab.
2. In the client computer properties window, in the Applications section, select the required
application.
3. Open the application properties window by double-clicking the application name or by

clicking the Properties button.
As a result, the local settings window of the selected application opens so that you can view
and edit those settings.
You can change the values only of the settings that have not been prohibited for modification
by a group policy (that is, those settings not marked with the "lock" in a policy).
125
Managing client computers
This section provides information about how to handle client computers.
In this section:
Connecting client computers to Administration Server ............................................................ 127
Connecting a client computer to Administration Server manually. Klmover utility .................... 128
Tunneling the connection between a client computer and Administration Server .................... 130
Remote connection to the desktop of a client computer .......................................................... 130
Configuring the restart of a client computer ............................................................................. 133
Audit of actions on a remote client computer ........................................................................... 134
Checking the connection between a client computer and Administration Server ..................... 135
Identifying client computers on Administration Server ............................................................. 137
Adding computers to an administration group ......................................................................... 138
Changing Administration Server for client computers .............................................................. 139
Remote turning on, turning off and restarting client computers ................................................ 140
Sending a message to the users of client computers .............................................................. 140
Controlling changes in the status of virtual machines .............................................................. 141
Automatic computer tagging .................................................................................................... 142
Remote diagnostics of client computers. Kaspersky Security Center remote diagnostics

utility........................................................................................................................................ 143
Connecting client computers to
The connection of the client computer to the Administration Server is established through Network
Agent installed on client computer.
When a client computer connects to Administration Server, the following operations are performed:
Automatic data synchronization:
synchronization of applications installed on the client computer;
synchronization of the policies, application settings, tasks, and task settings.
Retrieval of up-to-date information about the condition of applications, execution of tasks

and applications' operation statistics by the Server.
Delivery of the event information to Administration Server for processing.
Automatic data synchronization is performed regularly in accordance with the Network Agent
settings (for example, every 15 minutes). You can specify the connection interval manually.
Information about an event is delivered to Administration Server as soon as it occurs.
Kaspersky Security Center allows you to configure connection between a client computer and
Administration Server so that the connection remains active after all operations are completed.
Uninterrupted connection is necessary in cases when real-time control of application status is
required and Administration Server is unable to establish a connection to the client for some
reason (connection is protected by a firewall, opening of ports on the client computer is not
allowed, the client IP address is unknown, and so on). You can establish an uninterrupted
connection between a client computer and the Administration Server in the client computer
properties window, in the General section.
We recommend that you establish an uninterrupted connection with the most important client
computers. The total number of connections simultaneously maintained by the Administration
Server is limited to a few hundreds.
127
When synchronizing manually, the system uses an auxiliary connection method, with which
connection is initiated by Administration Server. Before establishing the connection on a client
computer, you should open the UDP port. Administration Server sends a connection request to the
UDP port of the client computer. In response, the Administration Server's certificate is verified. If
the Server's certificate matches the certificate copy stored on the client computer, the connection
starts establishing.
The manual launch of synchronization is also used for obtaining up-to-date information about the
condition of applications, execution of tasks, and applications' operation statistics.
Connecting a client computer to

Administration Server manually.
Klmover utility
If you want to connect a client computer to the Administration Server, you can use the klmover
utility on the client computer.
When installing Network Agent on a client computer, the utility is automatically copied to the
Network Agent installation folder.
To connect a client computer to the Administration Server manually by using the

klmover utility,
on the client computer, start the klmover utility from the command line.
When started from the command line, the klmover utility can perform the following actions
(depending on the keys in use):
connects Network Agent to Administration Server with the specified settings;
records the operation results into the event log file or displays them on the screen.
Utility command line syntax:
klmover [-logfile <file name>] [-address <server address>] [-

pn <port number>] [-ps <SSL port number>] [-nossl] [-cert
<path to certificate file>] [-silent] [-dupfix]
128
The command-line parameters are as follows:
-logfile <file name> record the utility run results into a log file.
By default information is saved in the standard output stream (stdout). If the key is not in
use, results and error messages are displayed on the screen.
-address <server address> address of Administration Server for connection.
You can specify an IP address, the NetBIOS name or DNS name of a computer as an
address.
-pn <port number> number of the port via which non-encrypted connection to
Administration Server will be established.
The default port number is 14000.
-ps <SSL port number> number of the SSL port via which encrypted connection to
Administration Server is established using the SSL protocol.
The default port number is 13000.
-nossl use non-encrypted connection to Administration Server.
If the key is not in use, Network Agent is connected to Administration Server over the
encrypted SSL protocol.
-cert <path to certificate file> use the specified certificate file for
authentication of access to Administration Server.
If the key is not in use, Network Agent receives a certificate at the first connection to
-silent run the utility in silent mode.
Using the key may be useful if, for example, the utility is started from the logon script at the
user's registration.
-dupfix the key is used if Network Agent has been installed using a method that differs
from the usual one (with the distribution package) for example, by recovering it from an
ISO disk image.
129
Tunneling the connection between a
client computer and Administration
Server
Tunneling of the connection between a client computer and Administration Server is required if the
port for connection to Administration Server is not available on the client computer. The port on the
client computer may be unavailable in the following cases:
The remote computer is connected to a local network that uses NAT mechanism.
The remote computer is part of the local network of Administration Server, but its port is
closed by a firewall.
To tunnel the connection between a client computer and Administration Server:
1. In the console tree, select the administration group that contains the client computer.
2. On the Computers tab, select the client computer.
3. In the context menu of the client computer, select All Tasks Connection Tunneling.
4. Create a tunnel in the Connection Tunneling window that opens.
Remote connection to the desktop of a

client computer
The administrator can obtain remote access to the desktop of a client computer through a Network
Agent installed on the client computer. Remote connection to a client computer through the
Network Agent is also possible if the TCP and UDP ports of the client computer are closed.
Upon establishing the connection with the client computer, the administrator gains full access to
information stored on this computer so he or she can manage applications installed on it.
130
Remote connection with a client computer can be established using one of the two methods:
Using a standard Microsoft Windows component named Remote Desktop Connection.

Connection to a remote desktop is established through the standard Windows utility
mstsc.exe in accordance with the utility's settings.
Connection to the current remote desktop session of the user is established without the
user's knowledge. Once the administrator connects to the session, the client computer user
is disconnected from the session without an advance notification.
Using the Windows Desktop Sharing technology. When connecting to an existing session
of the remote desktop, the session user on the client computer receives a request for
connection from the administrator. No information about remote activity on the computer
and its results will be saved in reports created by Kaspersky Security Center.
The administrator can connect to an existing session on a client computer without

disconnecting the user who is operating in this session. In this case, the administrator and
the session user on the client computer will share access to the desktop.
The administrator can configure an audit of user activity on a remote client computer.
During the audit, the application saves information about files on the client computer that
have been opened and / or modified by the administrator (see the section "Audit of actions
on a remote client computer" on page 134).
To connect to the desktop of a client computer through Windows Desktop Sharing, you should
meet the following conditions:
Microsoft Windows Vista or a later Windows operating system is installed on the client
computer.
Microsoft Windows Vista or a later Windows operating system is installed on the

administrator's workstation. The type of the operating system of the computer hosting the
Administration Server imposes no restrictions on connection through Windows Desktop
Sharing.
Kaspersky Security Center uses a license for Systems Management.
131
To connect to the desktop of a client computer through the Remote Desktop
Connection component:
1. In the administration console tree, select a client computer to which you need to obtain
access.
2. In the context menu of the client computer, select All Tasks Connect to computer
Create new RDP session.
As a result, the standard Windows utility mstsc.exe starts, which helps establishing
connection to the remote desktop.
3. Follow the instructions shown in the utility's dialog boxes.
Upon establishing the connection to the client computer, the desktop is available in the remote
connection window of Microsoft Windows.
To connect to the desktop of a client computer through the Windows Desktop Sharing
technology:
1. In the administration console tree, select a client computer to which you need to obtain
access.
2. In the context menu of the client computer, select All Tasks Connect to computer
Desktop Sharing.
3. In the Select remote desktop session window that opens, select the session on the client
computer to which you need to connect.
If connection to the client computer is established successfully, the desktop of the client
computer will be available in the Kaspersky Remote desktop session viewer window.
4. To start interaction with the client computer, in the main menu of the Kaspersky Remote
desktop session viewer window, select Actions Interactive mode.
See also:
Kaspersky Security Center licensing options ............................................................................. 60
132
Configuring the restart of a client
computer
While using, installing, or removing Kaspersky Security Center, a restart of a client computer may
be required. The application allows you to configure the restart of client computers.
To configure the restart of a client computer:
1. In the console tree, select the administration group for which you need to configure the
restart.
3. Select a policy of Kaspersky Security Center Network Agent in the list of policies, then
select Properties in the context menu of the policy.
4. In the properties window of the policy, select the Restart management section.
5. Select the action that must be performed if a restart of the client computer is required:
Select Do not restart the operating system to block the automatic restart.
Select Restart the operating system automatically if necessary to allow the

automatic restart.
Select Prompt user for action to enable prompting the user to allow the restart.
You can specify the frequency of restart requests, enable forced restart and forced closure
of applications in blocked sessions on the client computer, by selecting the corresponding
check boxes.
6. Click the OK button to save the changes and close the policy properties window.
As a result, the restart of the client computer will be configured.
133
Audit of actions on a remote client
computer
The application allows performing the audit of the administrator's actions on a remote client
computer. During the audit, the application saves information about files on the client computer that
have been opened and / or modified by the administrator. Audit of the administrator's actions is
available when the following conditions are met:
An active Systems Management license is available.
The administrator has the right to run the shared access to the desktop of the remote
computer.
To enable audit of actions on a remote client computer:
1. In the console tree, select the administration group for which the audit of the administrator's
actions should be configured.
3. Select a policy of Kaspersky Security Center Network Agent, then select Properties in the
context menu of the policy.
4. In the policy properties window, select the Desktop sharing section.
5. Select the Enable audit check box.
6. In the Masks of files of which reading should be monitored and Masks of files of
which modifications should be monitored lists, add file masks on which actions should
be monitored during the audit.
By default, the application monitors actions on files with txt, rtf, doc, xls, docx, xlsx, odt, pdf
extensions.
7. Click the OK button to save the changes and close the policy properties window.
Thus, the audit of the administrator's actions on the user's remote computer with shared desktop
access is configured.
134
Records of the administrator's actions on the remote computer are logged:
In the event log on the remote computer.
In a file with syslog extension located in the Network Agent folder on a remote computer
(e.g., C:\ProgramData\KasperskyLab\adminkit\1103\logs).
In the events database of Kaspersky Security Center.
Checking the connection between a

client computer and Administration
Server
Kaspersky Security Center allows you to check connections between a client computer and
Administration Server automatically or manually.
Automatic check of connection is performed on Administration Server. Manual check of connection

is performed on the client computer.
In this section:
Checking the connection between a client computer and Administration Server
automatically ........................................................................................................................... 135
Manual check of connection between a client computer and Administration Server.

Klnagchk utility ........................................................................................................................ 136
Automatic check of connection between a

client computer and Administration Server
To start an automatic check of connection between a client computer and
Administration Server:
1. In the console tree select the administration group that includes the client computer.
2. In the workspace of the administration group, on the Computers tab select the client computer.
3. In the context menu of the client computer, select Check computer accessibility.
As a result, a window opens that provides information about the computer's accessibility.
135
Manual check of connection between a
client computer and Administration Server.
Klnagchk utility
You can check connection and obtain detailed information about the settings of connection
between a client computer and Administration Server using the klnagchk utility.
When installing Network Agent on a client computer, the klnagchk utility is automatically copied to
the Network Agent installation folder.
When started from the command line, the klnagchk utility can perform the following actions
(depending on the keys in use):
Displays on the screen or records into an event log file the values of the connection settings
of Network Agent installed on the client computer to Administration Server.
Records into an event log file Network Agent statistics (since its last startup) and utility
operation results, or displays the information on the screen.
Makes an attempt to establish connection between Network Agent and Administration

Server.
If the connection attempt fails, the utility sends an ICMP packet to check the status of the
computer on which Administration Server is installed.
To check connection between a client computer and Administration Server using the
klnagchk utility,
on the client computer, start the klnagchk utility from the command line.
klnagchk [-logfile <file name>] [-sp] [-savecert <path to

certificate file>] [-restart]
136
-logfile <file name> record the values of the settings of connection between
Network Agent and Administration Server and the utility operation results into a log file.
By default information is saved in the standard output stream (stdout). If the key is not in
use, settings, results, and error messages are displayed on the screen.
-sp show the password for the user's authentication on the proxy server.
The setting is in use if the connection to Administration Server is established via a proxy
server.
-savecert <filename> save the certificate used to access the Administration Server
in the specified file.
-restart restart the Network Agent after the utility has completed.
Identifying client computers on

Identifying client computers is based on their names. A client computer name is unique among all
the names of computers connected to Administration Server.
The name of a client computer is transferred to the Administration Server either when the Windows
network is polled and a new computer is discovered in it, or during the first connection of the
Network Agent installed on a client computer to the Administration Server. By default, the name
matches the computer name in the Windows network (NetBIOS name). If a client computer with
this name is already registered on Administration Server, an index with the next sequence number
will be added to the new client computer name, for example: <Name>-1, <Name>-2. The client
computer is added to the administration group under that name.
137
Adding computers to an administration
group
To include one or several computers in a selected administration group:
1. In the console tree, open the Managed computers folder.
2. In the Managed computers folder select the nested folder that corresponds to the group,
which should include the client computers.
If you want to include the client computers in the Managed computers group, you can skip
this step.
3. In the workspace of the selected administration group, on the Computers tab run the
process of including the client computers in the group using one of the following methods:
Add the computers to the group by clicking the Add computers link in the section
intended for managing the list of computers.
By selecting New Computer from the context menu of the list of computers.
This will start the Add client computers wizard. Following its instructions, select a method of
adding the client computers to the group and create a list of computers to include in the group.
If you create the list of computers manually, you can use an IP address (or an IP range), a
NetBIOS name, or a DNS name as the address of a computer. You can add to the list manually
only computers for which information has already been added to the Administration Server
database when connecting the computer, or after a network poll.
To import a list of computers from a file, specify a.txt file with a list of addresses of computers
to be added. Each address must be specified in a separate line.
After the wizard finishes its operation, the selected client computers are included in the
administration group and displayed in the list of computers under names generated by
You can add a client computer to the selected administration group by dragging it from the
Unassigned devices folder to the folder of that administration group.
138
Changing Administration Server for
client computers
You can change Administration Server that manages client computers with another one using the
Change Administration Server task.
To change Administration Server that manages client computers with another one:
1. Connect to the Administration Server which manages the client computers.
2. Create the Administration Server change task using one of the following methods:
If you need to change Administration Server for computers included in the selected
administration group, create a group task (see the section "Creating a group task" on
page 116).
If you need to change Administration Server for computers included in different

administration groups or in none of the existing groups, create a task for specific
computers (see the section "Creating a task for specific computers" on page 117).
This starts the New Task Wizard. Follow the Wizard's instructions. In the Task type window
of the New Task Wizard select the Kaspersky Security Center node, open the Advanced
folder, and select the Change Administration Server task.
3. Run the created task.
After the task is completed, the client computers for which it had been created are passed
under the management of the Administration Server specified in the task settings.
If Administration Server supports the feature of encryption and data protection, when you
create the Change Administration Server task, a warning is displayed stating that in case
any encrypted data are stored on computers, you will be provided access only to encrypted
data that you have handled earlier, after the computers are switched under the management of
the new server. In other cases, no access to encrypted data is provided. For the detailed
descriptions of scenarios in which no access to encrypted data is provided please refer to the
Kaspersky Endpoint Security 10 for Windows Administrator's Guide.
139
Remote turning on, turning off and
restarting client computers
Kaspersky Security Center allows you to manage client computers remotely: turn on, turn off, and
restart them.
To manage client computers remotely:

2. Create the management task for a client computer using one of the following methods:
If you need to turn on, turn off or restart computers included in the selected administration
group, create a group task (see the section "Creating a group task" on page 116).
If you need to turn on, turn off or restart computers included in various administration
groups or belonging to none of them, create a task for specific computers (see the
section "Creating a task for specific computers" on page 117).
This starts the New Task Wizard. Follow the Wizard's instructions. In the Task type window
of the New Task Wizard select the Kaspersky Security Center node, open the Advanced
folder, and select the Manage client computer task.
After the task is complete, the command (turn on, turn off, or restart) will be executed on the
selected client computers.
Sending a message to the users of

client computers
To send a message to the users of client computers:
2. Create a message sending task for client computer users in one of the following ways:
If you want to send message to the users of client computers that belong to the selected
administration group, create a task for the selected group (see the section "Creating a
group task" on page 116).
140
If you want to send message to the users of client computers that belong to different
administration groups or do not belong to administration groups at all, create a task for
specific computers (see the section "Creating a task for specific computers" on page 117).
This starts the New Task Wizard. Follow the Wizard's instructions. In the Task type
window, select the Kaspersky Security Center node, open the Advanced folder and
select the Send message to user task.
After the task completes, the created message will be sent to the users of selected client
computers.
Controlling changes in the status of

virtual machines
Administration Server stores information about the status of managed computers, such as the
hardware registry and the list of installed applications, or the settings of managed applications,
tasks and policies. If a virtual machine functions as a managed computer, the user can restore its
status at any time using a snapshot of the virtual machine. As a result, information about the status
of the virtual machine on Administration Server may become outdated.
For example, the administrator had created a protection policy on Administration Server at 12:00
P.M., which started to run on virtual machine VM_1 at 12:01 P.M. At 12:30 P.M., the user of virtual
machine VM_1 changed its status by restoring it from a snapshot made at 11:00 A.M. As a result,
the protection policy stops running on the virtual machine. However, outdated information on
Administration Server states that the protection policy on virtual machine VM_1 keeps running.
Kaspersky Security Center helps controlling all changes in the status of virtual machines.
After each synchronization with a client computer, Administration Server generates a unique ID,
which is stored both on the client computer's side and on the Administration Server's side. Before
starting the next synchronization, Administration Server compares the values of those IDs on both
sides. If the values of the IDs mismatch, Administration Server recognizes the virtual machine as
restored from a snapshot. Administration Server resets all the settings of policies and tasks that
are active for the virtual machine and sends the up-to-date policies and the list of group tasks to it.
141
Automatic computer tagging
The application can tag client computers automatically. Automatic computer tagging is performed
by means of rules. You can create and edit tagging rules in the Administration Server properties
window and / or in the properties window of a client computer.
To create and configure rules for automatic computer tagging:

2. In the context menu of the Administration Server, select Properties.
3. In the Administration Server properties window, select the Tagging rules section.
4. In the Tagging rules section, click the Add button.
This opens the Properties: New rule window.
5. In the General section of the Properties: New rule window, configure the general
properties of the rule:
Specify the rule name.
The name of a rule contains a maximum 255 characters and cannot include any special
symbols (*<>-_?:\"|).
In the Tag to assign dropdown list, select a previously added tag or enter a new one.
Enable or disable the rule using the Enable rule check box.
6. In the Conditions section, click the Add button to add a new condition, or click the
Properties button to edit an existing condition.
This opens the properties window of the new condition or the selected one.
7. In the window that opens, configure the tagging condition:
In the General section, specify the condition name.
In the Network section, configure the rule triggering on the computer network properties
(computer name in the Windows network, belonging to a domain or an IP subnet, etc.).
In the Active Directory section, configure the rule triggering on the belonging of the
computer to an Active Directory OU and on the membership of the computer in an
Active Directory group.
142
In the Applications section, configure the rule triggering on the presence of Network
Agent on the computer, on the operating system type, version, and architecture.
In the Virtual machines section, configure the rule triggering on the belonging of the
computer to various types of virtual machines.
In the Applications registry section, configure the rule triggering on the presence of
applications by various publishers on the computer.
8. After the condition is configured, click the OK button in the Property: New condition
window.
9. Add or configure other conditions of the tagging rule.
The tagging rule conditions that you have added will be displayed in the Conditions
section of the rule properties window.
10. Click OK in the rule properties window.
The tag activation rule is saved. The rule will be applied on client computers that meet the rule
conditions. When the rule is applied, the tag will be assigned to the computers. A computer is
automatically assigned multiple tags if the corresponding tagging rules trigger simultaneously.
You can view the list of all added tags in the properties window of any client computer, in the
Tags section. In the Tags section, you can also proceed to the automatic tagging rules by
clicking the corresponding link.
Remote diagnostics of client

computers. Kaspersky Security Center
remote diagnostics utility
The utility for remote diagnostics of Kaspersky Security Center (here in after referred to as the
remote diagnostics utility) is designed for remote performing of the following operations on client
computers:
Enabling and disabling tracing, changing the tracing level, downloading the trace file.
Downloading application settings.
Downloading event logs.
143
Starting diagnostics and downloading diagnostics results.
Starting and stopping applications.
The remote diagnostics utility is installed on the computer automatically together with the
In this section:
Connecting the remote diagnostics utility to a client computer................................................. 144
Enabling and disabling tracing, downloading the trace file....................................................... 147
Downloading applications' settings .......................................................................................... 147
Downloading event logs .......................................................................................................... 148
Starting diagnostics and downloading its results ..................................................................... 148
Starting, stopping and restarting applications .......................................................................... 149
Connecting the remote diagnostics utility to

a client computer
To connect the remote diagnostics utility to a client computer:
1. Select any administration group from the console tree.
2. In the workspace, on the Computers tab, in the context menu of any client computer,
select Custom tools Remote diagnostics.
As a result, the main window of the remote diagnostics utility opens.
3. In the first field of the main window of the remote diagnostics utility specify the tools that
you intend to use to connect to the client computer:
Access using Microsoft Windows network.
Access using Administration Server.
144
4. If you have selected Access using Microsoft Windows network in the first field of the
main utility window, perform the following actions:
In the Computer field specify the computer that should be connected to.
You can use an IP address, NetBIOS or DNS name as the computer address.
The default value is the address of the computer from the context menu of which the
utility has been run.
Specify an account to connect to the computer:
Connect as current user (selected by default). Connecting under the current user
account.
Use provided user name and password to connect. Connecting under a provided
user account. Specify the User name and the Password of the required account.
Connection to a client computer is only possible under the account of the local
administrator of the client computer.
5. If you have selected Access using Administration Server in the first field of the main
utility window, perform the following actions:
In the Administration Server field specify the address of Administration Server from
which you intend to connect to the client computer.
You can use an IP address, NetBIOS or DNS name as the server address.
The default value is the address of Server from which the utility has been run.
If required, select the Use SSL, Compress traffic, and Computer belongs to slave
Administration Server check boxes.
If the Computer belongs to slave Administration Server check box is selected, you
can fill in the Slave Server field with the name of the slave Administration Server, which
manages the client computer. To do this, click the Browse button.
6. To connect to the client computer, click the Sign in button.
145
This opens the window intended for remote diagnostics of the client computer (see fig. below).
The left part of the window contains links to operations of client computer diagnostics. The right
part of the window contains the objects tree of the client computer that the utility can handle.
The bottom part of the window displays the progress of the utility's operations.
Figure 10. Remote diagnostics utility. Window of remote diagnostics of client computer
146
The remote diagnostics utility saves files downloaded from client computers on the desktop of
the computer from which it has been run.
Enabling and disabling tracing,

downloading the trace file
To enable tracing on a remote computer, download the trace file, and disable tracing:
1. Run the remote diagnostics utility and connect to the required computer.
2. In the objects tree of the client computer, select the application for which you need to build
a trace, and enable tracing by clicking the Enable tracing link in the left part of the remote
diagnostics utility window.
Tracing can be enabled and disabled for applications with self-defense only if the client
computer is connected using tools of Administration Server.
In some cases an anti-virus application and its task should be restarted in order to enable
tracing.
3. In the node of the application for which tracing is enabled, in the Trace files folder select
the required file and download it by clicking the Download file link. For large-sized files
only the most recent trace parts can be downloaded.
You can delete the highlighted trace file. The file can be deleted after tracing is disabled.
4. Disable tracing for the selected application by clicking the Disable tracing link.
Downloading application settings

To download application settings from a remote computer:
2. From the objects tree of the remote diagnostics window select the top node with the name
of the computer and select the required action in the left part of the window:
Load system information.
147
Load application settings.
Generate process memory dump.
In the window that opens after you click this link, specify the executable file of the
selected application for which you need to generate a memory dump file.
Start utility.
In the window that opens after you click this link, specify the executable file of the
selected utility and its startup settings.
As a result, the selected utility is downloaded and run on the client computer.
Downloading event logs

To download an event log from a remote computer:
2. In the Event logs folder of the computer object tree, select the relevant log and download it
by clicking the Download event log Kaspersky Event Log link in the left part of the
remote diagnostics utility window.
Starting diagnostics and downloading its

results
To start diagnostics for an application on a remote computer and download its results:
2. From the objects tree of the client computer select the required application and start
diagnostics by clicking the Run diagnostics link.
As a result, a diagnostics report appears in the node of the selected application in the
objects tree.
3. Select the newly generated diagnostics report in the objects tree and download it by
clicking the Download file link.
148
Starting, stopping and restarting
applications
You can only start, stop, and restart applications if you have connected the client computer
using Administration Server tools.
To start, stop, or restart an application:
1. Run the remote diagnostics utility and connect to the required client computer.
2. From the objects tree of the client computer select the required application and select an
action in the left part of the window:
Stop application.
Restart application.
Start application.
Depending on the action that you have selected, the application will be started, stopped, or
restarted.
149
Managing user accounts
This section provides information about users' accounts and roles supported by the application.
This section contains instructions on how to create accounts and roles for users of Kaspersky
Security Center. This section also contains instructions on how to handle list of the user's
certificates and mobile devices and how to deliver messages to users.
In this section:
Handling user accounts ........................................................................................................... 150
Adding a user account ............................................................................................................ 151
Adding a user group ................................................................................................................ 152
Adding a user to a group ......................................................................................................... 153
Configuring rights. User roles .................................................................................................. 153
Appointing the user as a computer owner ............................................................................... 156
Delivering messages to users ................................................................................................. 157
Viewing the list of a user's mobile devices ............................................................................... 157
Installing a certificate for a user ............................................................................................... 158
Viewing the list of certificates handed to a user ....................................................................... 158
Handling user accounts

Kaspersky Security Center allows managing user accounts and groups of accounts. The
application supports two types of accounts:
Accounts of organization employees. Administration Server retrieves data of the accounts

of those users when polling the organization's network.
Accounts of internal users (see the section "Handling internal users" on page 94). Those
are applied when handling virtual Administration Servers. Accounts of internal users are
created (see the section "Adding a user account" on page 151) and used only within
Kaspersky Security Center.
All user accounts can be viewed in the User accounts folder of the console tree. The User
accounts folder is a subfolder of the Advanced folder by default.
You can perform the following actions on user accounts and groups of accounts:
Configure users' rights of access to the application's features by means of roles (see the
section "Configuring rights. User roles" on page 153).
Send messages to users by email and SMS (see the section "Delivering messages to
users" on page 157).
View the list of the user's mobile devices (see the section "Viewing the list of the user's
mobile devices" on page 157).
Hand and install certificates on the user's mobile devices (see the section "Installing a
certificate for a user" on page 158).
View the list of certificates handed to the user (see the section "Viewing the list of
certificates handed to the user" on page 158).
Adding a user account

To add a new Kaspersky Security Center user account:
1. In the console tree, open the User accounts folder.
The User accounts folder is a subfolder of the Advanced folder by default.
2. In the workspace, click the Add new user link to open the Properties window.
3. In the Properties window, specify the account settings and set a password for the user
connection to Kaspersky Security Center.
The password must contain uppercase or lowercase Latin letters, digits, or special symbols
(@#$%^&*-_!+=[]{}|\\\\:',.?/`~()\\"). The password must contain from 8 to 16 characters.
The number of attempts for entering the password is limited. By default, the maximum
number of password entry attempts is 10. The number of allowed password entry
attempts can be changed in the registry with the SrvSplPpcLogonAttempts key.
If the user entered an invalid password the specified number of times, the user account
will be blocked for one hour. The administrator can unblock the user account only by
changing the password.
151
If the Disable account check box is selected, an internal user (such as a user with
administrator or operator privileges) is unable to connect to the application. You can select
this check box, for example, in case of the dismissal of an employee. By default, this check
box is cleared.
4. Click OK.
The newly created user account will be displayed in the workspace of the User accounts
folder.
Adding a user group

You can add groups of users, perform flexible configuration of groups and user group access to
various application features. User groups can be assigned names that correspond to their
respective purposes. For example, the name can correspond to where users are located in the
office or to the name of the company's organizational unit to which the users belong.
One user can belong to several user groups. A user account managed by a virtual Administration
Server can belong only to user groups of this virtual Server and have access rights only within this
virtual Server.
To add a user group:

1. In the console tree select the User accounts folder.
2. Click the Add group button.
In the Properties: New group window, configure the settings of the user group you are
adding:
3. In the General section, specify the name of the group.
The group name cannot be more than 100 characters long. The group name must be unique.
4. In the Users section, add user accounts to the group.
5. Click OK.
The user group that you have added appears in the User accounts folder of the console tree.
152
Adding a user to a group
To add a user to a group:
2. In the list of user accounts and groups, select the group to which you want to add the user.
3. From the context menu of the group, select Properties.
4. In the group properties window, select the Group users section and click the Add button.
A window with a list of users opens.
5. In the list, select a user or users that you want to include in the group.
6. Click OK.
As a result, the user or users are added to the group.
Configuring rights. User roles

You can flexibly configure administrator access to various features of the application by users and
user groups. You can provide users rights of access to the application's features, using one of the
two methods:
Configuring the rights for each user or group of users individually.
Create standard user roles with a predefined set of rights and assign those roles to users
depending on their scope of duties.
User role is an exclusively created and predefined set of rights of access to the application's
features. A role can be provided to a user of a group of users. Applying roles simplifies and
reduces routine procedures of configuring users' rights of access to the application. Access rights
within a role are configured in accordance with the 'standard' tasks and the users' scope of duties.
For example, a user role can only have rights to read and send information commands to mobile
devices of other users through Self Service Portal.
153
User roles can be assigned names that correspond to their respective purposes. You can create
an unlimited number of roles in the application.
Adding a user role

To add a user role:
3. In the Administration Server properties window, select the User roles section and click the
Add button.
4. In the Properties: New role window, configure the role:
In the General section, specify the name of the role.
The name of a role cannot include more than 100 characters.
In the Rights section, configure the set of rights, by selecting the Allow and Deny
check boxes next to the application's features.
5. Click OK.
As a result, the role will be saved.
User roles that have been created for Administration Server are displayed in the Server properties
window, in the User roles section. You can edit and delete user roles, as well as assign roles to
user groups (see the section "Assigning a role to a user or a user group" on page 155) or individual
users.
The User roles section is available if the Display security settings sections check box is
selected in the interface settings window. (see the section "Configuring the interface" on
page 54).
154
Assigning a role to a user or a user group
To assign a role to a user or a group of users:
3. In the Administration Server properties window, select the Security section.
4. In the Names of groups or users field, select a user or a group of users that should be
assigned a role.
If the user or the group is not contained in the field, you can add it by clicking the Add
button.
When you add a user by clicking the Add button, you can select the type of user
authentication (Microsoft Windows or Kaspersky Security Center). Kaspersky Security
Center authentication is used for selecting the accounts of internal users that are used for
handling virtual Administration Servers.
5. Open the Roles tab and click the Add button.
The User roles window opens. This window displays user roles that have been created.
6. In the User roles window, select a role for the user group.
7. Click OK.
As a result, the role with a set of rights for handling Administration Server will be assigned to the
user of the user group. Roles that have been assigned are displayed on the Roles tab in the
Security section of the Administration Server properties window.
The Security section is available if the Display sections with security settings check box is
selected in the interface settings window (see the section "Configuring the interface" on
page 54).
155
Appointing the user as a computer
owner
You can appoint the user as a computer owner to allocate a computer to that user. If you need to
perform some actions on the computer (for example, upgrade software), the administrator can
notify the computer owner for him or her to authorize those actions.
To appoint a user as the owner of a client computer:
2. In the workspace of the folder, on the Computers tab, select the computer for which you
need to appoint the owner.
3. From the computer context menu, select Properties.
4. In the computer properties window, select the System Info Sessions section.
5. Click the Assign button next to the Computer owner field.
6. In the User selection window, select the user whom you want to appoint as the computer
owner and click the OK button.
7. Click OK.
As a result, the computer owner is appointed. By default, the Computer owner field contains the
value from Active Directory and is updated at each Active directory poll (see section "Viewing and
modifying Active Directory group properties" on page 176). You can view the list of computer
owners in the Report on computer owners. You can create a report using the New Report
Wizard (see section "Creating a report template" on page 160).
156
Delivering messages to users
To send a message to a user by email:
1. In the console tree, in the User accounts folder, select a user.
2. In the user's context menu, select Notify by email.
3. Fill in the relevant fields in the Send message to user window and click the OK button.
As a result, the message will be sent to the email that has been specified in the user's
properties.
To send an SMS message to a user:
2. In the user's context menu, select Notify by SMS.
3. Fill in the relevant fields in the SMS text window and click the OK button.
As a result, the message will be sent to the mobile device with the number that has been
specified in the user's properties.
Viewing the list of user mobile devices

To view a list of a user's mobile devices:
2. In the context menu of the user account, select Properties.
3. In the properties window of the user account, select the Mobile devices section.
In the Mobile devices section, you can view the list of the user's mobile devices and information
about each of them. You can click the Export to file button to save the list of mobile devices to a file.
157
Installing a certificate for a user
You can install three types of certificates for a user:
General certificate, which is required to identify the user's mobile device.
Mail certificate, which is required to set up the corporate mail on the user's mobile device.
VPN certificate, which is required to set up the virtual private network on the user's mobile
device.
To hand a certificate to a user and then install it:

1. In the console tree, open the User accounts folder and select a user account.
2. In the context menu of the user account, select Install certificate.
The Certificate Installation Wizard starts. Follow the Wizard's instructions.
After the Certificate Installation Wizard has finished, the certificate will be created and installed for
the user. You can view the list of installed certificates of a user and export it to a file (see the
section "Viewing the list of certificates handed to a user" on page 158).
Viewing the list of certificates handed to

a user
To view a list of all certificates handed to a user:
2. In the context menu of the user account, select Properties.
3. In the properties window of the user account, select the Certificates section.
In the Certificates section, you can view the list of the user's certificates and information about
each of them. You can click the Export to file button to save the list of certificates to a file.
158
Working with reports, statistics,
and notifications
This section provides information about how to handle reports, statistics, and selections of events
and client computers in Kaspersky Security Center, as well as how to configure Administration
Server notifications.
In this section:
Working with reports ............................................................................................................... 159
Working with the statistical information.................................................................................... 162
Configuring event notification .................................................................................................. 163
Creating a certificate for an SMTP server ................................................................................ 165
Event selections ...................................................................................................................... 166
Exporting events to an SIEM system ....................................................................................... 169
Computer selections ............................................................................................................... 170
Policies ................................................................................................................................... 173
Tasks ...................................................................................................................................... 173
Working with reports

Reports in Kaspersky Security Center contain information about the status of managed computers.
Reports are generated based on information stored on Administration Server. You can create
reports for the following types of objects:
For selections of client computers created according to specific settings.
For administration groups.

For sets of computers from different administration groups.
For all the computers on the network (in the deployment report).
The application has a selection of standard report templates. It is also possible to create custom
report templates. Reports are displayed in the main application window, in the Administration
Server folder of the console tree.
In this section:
Creating a report template ....................................................................................................... 160
Creating and viewing a report ................................................................................................. 160
Saving a report ........................................................................................................................ 161
Creating a report delivery task................................................................................................. 161
Creating a report template

To create a report template:
2. In the workspace of the node, select the Reports tab.
3. Click the Create a report template button.
As a result, the New Report Template Wizard starts. Follow the Wizard's instructions.
After the Wizard finishes its operation, the newly created report template is added to the selected
Administration Server folder of the console tree. You can use this template for generating and
viewing reports.
Creating and viewing a report

To create and view a report:
3. Select the report template that you need in the list of templates.
As a result, the workspace will display a report created on the selected template.
Working with reports, statistics, and notifications
160
The report displays the following data:
The name and type of report, its brief description and the reporting period, as well as
information about the group of devices for which the report is generated.
Chart showing most representative report data.
Consolidated table with calculated report indicators.
Table with detailed report data.
Saving a report
To save a created report:
3. Select the report template that you need in the list of templates.
4. From the context menu of the selected report template select Save.
The Report Saving Wizard starts. Follow the Wizard's instructions.
After the Wizard finishes its operation, the folder opens into which you have saved the report file.
Creating a report delivery task

Reports can be emailed. Delivery of reports in Kaspersky Security Center is carried out using the
report delivery task.
To create a delivery task for a report:

3. Select the report template that you need in the list of reports.
4. In the report template's context menu, select the Deliver reports item.
This will start the Report Delivery Task Creation Wizard. Follow the Wizard's instructions.
161
To create a task of sending several reports:
1. In the console tree, in the node with the name of the relevant Administration Server, select
the Tasks folder.
2. In the workspace of the Tasks folder, click the Create a Task button.
This starts the New Task Wizard. Follow the Wizard's instructions. In the Task type wizard
window select Deliver reports.
The newly created report delivery task is displayed in the Tasks folder of the console tree.
A report delivery task is created automatically if the email settings were defined during
Kaspersky Security Center installation (see section "Kaspersky Security Center Quick Start
Wizard" on page 67).
Working with the statistical information

Statistics on the status of the protection system and managed computers are displayed in the
workspace of the Administration Server node, on the Statistics tab. The Statistics tab contains
a few second-level tabs (pages). Each page displays information panes with statistics. The
statistical information is displayed in information panes as a table or chart (pie or bar). The data in
the information panes are updated while the application is running, reflecting the current condition
of the anti-virus protection system.
You can modify the set of pages on the Statistics tab, the number of information panes on each
page, and the data display mode in information panes.
To add a new page with information panes on the Statistics tab:

1. Click the Customize view button in the top right corner of the Statistics tab.
The Properties: Statistics window opens. This window contains a list of pages that are
currently shown on the Statistics tab. In this window, you can change the display order for
the pages on the tab, add and remove pages, and proceed to configuration of page
properties by clicking the Properties button.
2. Click Add.
This opens the properties window of a new page.
162
3. Configure the new page:
In the General section, specify the page name.
In the Information panes section, click the Add button to add information panes that
must be displayed on the page.
Click the Properties button in the Information panes section to configure the
properties of information panes that have been added: name, type and appearance of
the chart on the pane, and data used to build the chart.
4. Click OK.
The page with information panes that you have added appears on the Statistics tab. You can
click the button to quickly switch to the page configuration or to the selected information
pane on the page.
Configuring event notification

Kaspersky Security Center allows you to select a method of notifying the administrator of events on
client devices and to configure notification.
Email. When an event occurs, the application sends a notification to email addresses
specified. You can edit the text of the notification.
SMS. When an event occurs, the application sends a notification to the phone numbers
specified. You can configure SMS notifications to be sent via the mail gateway or by means
of the Kaspersky SMS Broadcasting utility.
Executable file. When an event occurs on a client computer, the executable file is launched
on the administrator's workstation. Using this executable file, the administrator can receive
the parameters of an event that occurred (see section "Event notifications displayed by
running an executable file" on page 323).
To configure notification of events occurring on client devices:
2. In the workspace of the node, select the Events tab.
163
3. Click the General settings of selections link and select the Configure notifications value
in the dropdown list.
This opens the Properties: Events window.
4. In the Notification section, select a notification method (by email, by SMS, or by running
an executable file) and define the notification settings.
5. In the Notification message field, enter the text that the application will send when an
event occurs.
You can use the dropdown list on the right from the text field to add substitution settings
with event details (for example, event description, time of occurrence, etc.).
If the notification text contains a % character, you have to specify it twice in a row to
allow message sending. For example, "CPU load is 100%%".
6. Click the Send test message button to check if notification has been configured correctly.
The application sends a test notification to the specified user.
7. Click OK to save the changes.
As a result, the re-adjusted notification settings are applied to all events occurring on client
devices.
You can also quickly configure event notifications in the event properties window by clicking the
Edit settings for Kaspersky Endpoint Security and Modify Administration Server event
settings links.
See also:
Event processing and storage on the Administration Server ..................................................... 92
164
Creating a certificate for an SMTP
server
To create a certificate for an SMTP server:
3. Click the General settings of selections link and select the Configure notifications value
The event properties window opens.
4. On the Email tab, click the Settings link to open the Settings window.
5. In the Settings window click the Specify certificate link to open the Certificate for
signing window.
6. In the Certificate for signing window, click the Specify button.
This opens the Certificate window.
7. In the Certificate type dropdown list, specify the public or private type of certificate:
If the private type of certificate (PKCS#12 container) is selected, specify the certificate
file and the password.
If the public type of certificate (X.509 certificate) is selected:
a. Specify the private key file (one with the *.prk or *.pem extension).
b. Specify the private key password.
c. Specify the public key file (one with the *.cer extension).
8. Click OK.
As a result, the certificate for the SMTP server is issued.
165
Event selections
Information on the events in Kaspersky Security Center operation and managed applications is
saved both in the Microsoft Windows system log and in the Kaspersky Security Center event log.
You can view information from the Kaspersky Security Center event log in the workspace of the
Administration Server node, on the Events tab.
Information on the Events tab is represented as a list of event selections. Each selection includes
events of a specific type only. For example, the "Computer status Critical" selection contains only
records on changes of computer statuses to "Critical". After application installation, the Events tab
contains some standard event selections. You can create additional (custom) event selections or
export event information to a file.
In this section:
Viewing an event selection ...................................................................................................... 166
Customizing an event selection ............................................................................................... 167
Creating an event selection ..................................................................................................... 167
Exporting event selection to text file ........................................................................................ 168
Deleting events from selection ................................................................................................ 168
Viewing an event selection

To view the event selection:
3. In the Selection events dropdown list, select the relevant event selection.
If you want events from this selection to be constantly displayed in the workspace, click the
button next to the selection.
As a result, the workspace will display a list of events, stored on the Administration Server, of
the selected type.
166
You can sort information in the list of events, either in ascending or descending order in any
column.
Customizing an event selection

To customize an event selection:
3. Open the relevant event selection on the Events tab.
4. Click the Selection properties button.
In the event selection properties window that opens you can configure the event selection.
Creating an event selection

To create an event selection:
3. Click the Create a selection button.
4. In the New event selection window that opens, enter the name of the new selection and
click OK.
As a result, a selection with the name that you have specified is created in the Selection
events dropdown list.
By default, a created event selection contains all events stored on the Administration Server. To
make a selection display only the events you are particularly interested in, you should customize
the selection.
167
Exporting event selection to text file
To export an event selection to text file:
3. Click the Import/Export button.
4. In the dropdown list, select Export events to file.
This starts the Events Export Wizard. Follow the Wizard's instructions.
Deleting events from selection

To delete events from a selection:
3. Select the events that you want to delete by using a mouse, the Shift or Ctrl key.
4. Delete the selected events by one of the following ways:
In the context menu of any of the selected events, select Remove.
If you select the Delete All item from the context menu, all displayed events will be
deleted from the selection, regardless of your choice of events for deletion.
Click the Delete event link if one event is selected, or Delete events link if several
events are selected in the working block for these events.
As a result, the selected events are deleted.
168
Exporting events to an SIEM system
The application allows exporting events that have been registered in the operation of
Administration Server and other Kaspersky Lab applications installed on client computers, to an
SIEM system (where SIEM stands for Security Information and Event Management).
To configure events export to an SIEM system:
3. Click the General settings of selections link and select the Configure export to SIEM
system value in the dropdown list.
The events properties window opens, displaying the Exporting events section.
4. Select the Automatically export events to SIEM system database check box.
5. In the SIEM system dropdown list, select the system to which you need to export events.
Events can be exported to SIEM systems, such as QRadar (LEEF format), ArcSight (CEF
format), and Splunk (CEF format). The ArcSight (CEF format) system is selected by default.
6. Specify the address of an SIEM system server and a port for connection to that server in
the corresponding fields.
Clicking the Export archive button causes the application to export newly created events
to the database of the SIEM system starting from the specified date. By default, the
application exports events starting from the current date.
7. Click OK.
As a result, after you select the Automatically export events to SIEM system database check
box and configure connection with the server, the application will automatically export all events to
the SIEM system when they are registered in the operation of Administration Server and other
Kaspersky Lab applications.
169
Computer selections
Information about the statuses of client computers is available in the Reports and notifications
folder of the console tree, in the Computer selections subfolder.
In the Computer selections folder the data is represented as a set of selections, each of which
displays information about computers matching the specified conditions. After application installation,
the folder contains some standard selections. You can create additional computer selections, export
selection settings to file or create selections with settings imported from another file.
In this section:
Viewing computer selection ..................................................................................................... 170
Configuring a computer selection ............................................................................................ 171
Creating a computer selection ................................................................................................. 171
Exporting settings of a computer selection to file ..................................................................... 172
Create a computer selection by using imported settings.......................................................... 172
Removing computers from administration groups in a selection .............................................. 173
Viewing computer selection

To view a computer selection:
1. In the console tree, select the Computer selections folder.
2. In the workspace of the folder, in the Selection computers dropdown list, select the
relevant computer selection.
If you want computers from this selection to be constantly displayed in the workspace, click
the button next to the selection.
The workspace will display a list of computers that meet the selection criteria.
You can sort the information in the computers list, either in ascending or descending order in any
column.
170
Configuring a computer selection
To customize a computer selection:
2. Select the relevant computer selection.
3. Click the Selection properties button.
4. In the properties window that opens, configure the general properties of the selection and
the criteria for including computers in this selection.
5. Click OK.
Creating a computer selection

To create a computer selection:
2. In the workspace of the folder, click the Advanced button and select the Create selection
3. In the New computer selection window that opens, enter the name of the new selection
and click the OK button.
As a result, a new folder with the name you entered will appear in the console tree in the
Computer selections folder. By default, the new computer selection contains all computers
included in administration groups of the Server on which the selection was created. To make a
selection display only the computers you are particularly interested in, configure the selection
by clicking the Selection properties button.
171
Exporting settings of a computer selection
to file
To export the settings of a computer selection to text file:
2. In the workspace of the folder, click the Advanced button and select Export settings in the
dropdown list.
3. In the Save as window that opens, specify a name for the selection settings export file,
select a folder to save it to, and click the Save button.
The settings of the computer selection will be saved to the specified file.
Create a computer selection by using

imported settings
To create a computer selection by using imported settings:
2. In the workspace of the folder, click the Advanced button and select Import in the
dropdown list.
3. In the window that opens, specify the path to the file from which you want to import the
selection settings. Click the Open button.
As a result, in the Computer selections folder, a New selection is created. Its settings are
imported from the file that you specified.
If a selection named New selection already exists in the Computer selections folder, an
index in (<serial number>) format is added to the name of the selection being created, for
example: (1), (2).
172
Removing computers from administration
groups in a selection
When handling a computer selection, you can remove computers from administration groups right
in this selection, without switching to the administration groups from which these computers need
to be removed.
To remove computers from administration groups:

2. Select the computers that you want to remove by using the Shift or Ctrl keys.
3. Remove the selected computers from administration groups in one of the following ways:
In the context menu of any of the selected computers, select Remove.
Click the Perform action button and select Remove from group in the dropdown list.
As a result, the selected computers will be removed from their respective administration groups.
Policies
Information about policies is stored in the Policies folder.
The Policies folder displays a list of policies that have been created in administration groups. After
the application installation, the folder contains a list of policies that have been created
automatically. You can update the list of policies and create policies, as well as view the properties
of any policy selected in the list.
Tasks
Information about tasks is stored in the Tasks folder.
The Tasks folder displays a list of tasks that have been assigned to client computers in
administration groups and to Administration Server. After the application installation, the folder
contains a list of tasks that have been created automatically. You can update the list of tasks and
create tasks, as well as view the properties of tasks, run and stop tasks.
173
Unassigned devices
This section provides information about how to manage computers on an enterprise network if they
are not included in an administration group.
Information about computers within the enterprise's network that have not been included in any
administration group can be found in the Unassigned devices folder. The Unassigned devices
folder contains three subfolders: Domains, IP subnets, and Active Directory.
The Unassigned devices folder of the virtual Administration Server does not contain the IP
subnets folder. Client computers found while polling IP subnets on the virtual Administration
Server are displayed in the Domains folder.
The Domains folder contains the hierarchy of subfolders that show the structure of domains and
workgroups in the Windows network of the organization that were not included in the administration
groups. Each subfolder of the Domains folder at the lowest level contains a list of computers of the
domain or of the workgroup. If you add a computer to an administration group, the information on it
is deleted from the Domains folder. If you remove a computer from the administration group, the
information on it is displayed in the Domains folder, in the domain subfolder or in the workgroup of
this computer.
The Active Directory folder displays computers reflecting the Active Directory groups structure.
The IP subnets folder displays computers reflecting the structure of IP subnetworks created within
the corporate network. You can change the IP subnets folder structure by creating and modifying
the settings of existing IP subnets.
In this section:
Network discovery ................................................................................................................... 175
Working with Windows domains. Viewing and changing the domain settings .......................... 178
Working with IP subnets .......................................................................................................... 178
Working with the Active Directory groups. Viewing and modifying group settings .................... 179
Creating rules for moving computers to administration groups automatically ........................... 180
Using VDI dynamic mode on client computers ........................................................................ 180

Network discovery
Information about the structure of the network and computers on this network is received by the
Administration Server through regular polling of the Windows network, IP subnets, and Active
Directory within the corporate computer network. The contents of the Unassigned devices folder
will be updated on the basis of the results of this polling.
The Administration Server can use the following types of network scanning:
Windows network polling. You can run either a quick or a full scan of the Windows
network. During a quick poll, the Administration Server only retrieves information from the
list of the NetBIOS names of computers in all network domains and workgroups. During the
full scan the following information is requested from each client computer: operating
system, IP address, DNS name, NetBIOS name.
IP subnets polling. The Administration Server polls the specified IP subnets using ICMP
packets, and compiles a complete set of data on hosts within the IP subnets.
Active Directory groups polling. The information on the Active Directory unit structure
and DNS names of the computers from the Active Directory is recorded into the
Administration Server database.
Kaspersky Security Center uses the collected information and the data on the corporate network's
structure to update the contents of the Unassigned devices and Managed computers folders. If
the computers in the corporate network are configured to be moved to administration groups
automatically, the discovered computers are included in the administration groups.
In this section:
Viewing and modifying the settings for Windows network polling ............................................ 176
Viewing and modifying Active Directory group properties ........................................................ 176
Viewing and modifying the settings for IP subnet polling ......................................................... 177
Unassigned devices
175
Viewing and modifying the settings for
Windows network polling
To modify the settings for the Windows network polling:
1. In the console tree, select the Unassigned devices folder, then the Domains subfolder.
2. Open the Properties: Domains window in one of the following ways:
From the context menu of the folder, select Properties.
By clicking the Edit polling settings link in the folder management block.
This will open the Properties: Domains window in which you can change the settings of
Windows network polling.
You can also edit the settings of Windows network polling in the workspace of the Unassigned
devices folder by using the Edit polling settings link in the Windows network polling section.
On the virtual Administration Server you can view and edit the polling settings of the Windows
network in the properties window of the update agent, in the Network poll section.
Viewing and modifying Active Directory

group properties
To modify the settings for polling Active Directory groups:
1. In the console tree, select the Unassigned devices folder, then the Active Directory
subfolder.
2. Open the Properties: Active Directory window in one of the following ways:
This will open the Properties: Active Directory window in which you can change the settings
of Active Directory polling.
Unassigned devices
176
You can also edit the settings of the Active Directory groups polling in the workspace of the
Unassigned devices folder by using the Edit polling settings link in the Active Directory
polling section.
On the virtual Administration Server you can view and edit the settings of polling Active
Directory groups in the properties window of the update agent, in the Network poll section.
Viewing and modifying the settings for IP

subnet polling
To modify the settings for IP subnets polling:
1. In the console tree, select the Unassigned devices folder, then the IP subnets subfolder.
2. Open the Properties: IP subnets window in one of the following ways:
This will open the Properties: IP subnets window in which you can change the settings of IP
subnets polling.
You can also edit the settings of IP subnets polling in the workspace of the Unassigned devices
folder by using the Edit polling settings link in the IP subnets polling section.
On the virtual Administration Server you can view and edit the settings of polling IP subnets in
the properties window of the update agent, in the Network poll section. Client computers
found during the polling of IP subnets are displayed in the Domains folder of the virtual
Unassigned devices
177
Working with Windows domains.
Viewing and changing the domain
settings
To modify the domain settings:
1. In the console tree, select the Unassigned devices folder, then the Domains subfolder.
2. Select a domain and open its properties window in one of the following ways:
From the context menu of the domain, select Properties.
By clicking the Show group properties link.
This will open the Properties: <Domain name> properties window in which you can configure
the properties of the selected domain.
Working with IP subnets

You can customize existing IP subnets and create the new ones.
In this section:
Creating an IP subnet ............................................................................................................. 178
Viewing and changing the IP subnet settings .......................................................................... 179
Creating an IP subnet
To create an IP subnet:
2. In the context menu of the folder, select Create IP subnet.
3. In the New IP subnet window that opens customize the new IP subnet.
As a result, new IP subnet appears in the IP subnets folder.
Unassigned devices
178
Viewing and changing the IP subnet
settings
To modify the IP subnet settings:
2. Select an IP subnet and open its properties window in one of the following ways:
From the context menu of the IP subnet, select Properties.
This will open the Properties: <IP subnet name> properties window in which you can
configure the properties of the selected IP subnet.
Working with the Active Directory

groups. Viewing and modifying group
settings
To modify the settings for the Active Director group:
1. In the console tree, select the Unassigned devices folder, then the Active Directory
subfolder.
2. Select an Active Directory group and open its properties window in one of the following
ways:
From the context menu of the group, select Properties.
This will open the Properties: <Active Directory group name> window in which you can
customize the selected Active Directory group.
Unassigned devices
179
Creating rules for moving computers to
administration groups automatically
You can configure the computers to be moved automatically to administration groups after they are
found.
To configure rules for moving computers to administration groups automatically,
open the properties window of the Unassigned devices folder in one of the following ways:
Click the Configure rules of computer allocation to administration groups link in the
workspace of this folder.
This will open the Properties: Unassigned devices window. Configure the rules to move
computers to administration groups automatically in the Computer relocation section.
Using VDI dynamic mode on client

computers
A virtual infrastructure can be deployed on a corporate network using temporary virtual machines.
Kaspersky Security Center detects temporary virtual machines and adds information about them to
the Administration Server database. After a user finishes using a temporary virtual machine, this
machine is removed from the virtual infrastructure. However, a record about the removed virtual
machine may be saved in the database of the Administration Server. Also, non-existent virtual
machines may be displayed in Administration Console.
To prevent information about non-existent virtual machines from being saved, Kaspersky Security
Center supports dynamic mode for Virtual Desktop Infrastructure (VDI). The administrator can
enable the support of dynamic mode for VDI (see the section "Enabling the VDI dynamic mode in
the properties of a Network Agent installation package" on page 181) in the properties of a
Network Agent installation package that will be installed on a temporary virtual machine.
Unassigned devices
180
When a temporary virtual machine is disabled, Network Agent notifies the Administration Server
that the machine has been disabled. After a virtual machine has been disabled successfully, it is
removed from the list of computers connected to the Administration Server. If the virtual machine is
disabled with errors and Network Agent does not send a notification about the disabled virtual
machine to the Administration Server, a backup scenario is used. Under to this scenario, a virtual
machine is removed from the list of computers connected to the Administration Server after three
unsuccessful attempts at synchronization with the Administration Server.
In this section:
Enabling VDI dynamic mode in the properties of an installation package for Network Agent ... 181
Searching for computers making part of VDI ........................................................................... 182
Moving computers making part of VDI to an administration group ........................................... 182
Enabling VDI dynamic mode in the

properties of an installation package for
Network Agent
To enable the VDI dynamic mode:
1. In the Remote installation folder of the console tree select the Installation packages
subfolder.
2. In the context menu of the Network Agent installation package, select Properties.
The Properties: Kaspersky Security Center Network Agent window opens.
3. In the Properties: Kaspersky Security Center Network Agent window, select the
Advanced section.
4. In the Advanced section, select the Enable dynamic mode for VDI check box.
The client computer to which Network Agent is being installed will be a part of Virtual Desktop
Infrastructure.
Unassigned devices
181
Searching for computers making part of VDI
To find computers that make part of VDI:
1. In the workspace of the Unassigned devices folder, click the Find unassigned
computers link to open the Search window.
2. In the Search window, on the Virtual machines tab, in the Part of Virtual Desktop
Infrastructure dropdown list, select Yes.
3. Click the Find now button.
The application search for computers that make part of Virtual Desktop Infrastructure.
Moving computers making part of VDI to an

administration group
To move computers that make part of VDI to an administration group:
1. In the workspace of the Unassigned devices folder, click the Configure rules of
computer allocation to administration groups link to open the properties window of the
Unassigned devices folder.
2. In the properties window of the Unassigned devices folder, in the Computer relocation
section, click the Add button.
The New rule window opens.
3. In the New rule window, select the Virtual machines section.
4. In the Part of Virtual Desktop Infrastructure dropdown list, select Yes.
A rule will be created for computer relocation to an administration group.
Unassigned devices
182
Managing applications on client
computers
Kaspersky Security Center allows you to manage applications by Kaspersky Lab and other
vendors installed on client computers.
The administrator can perform the following actions:
Create categories of applications based on specified criteria.
Manage categories of applications using dedicated rules.
Manage applications startup on client computers.
Perform inventories and maintain a registry of software installed on client computers.
Fix vulnerabilities in software installed on client computers.
Install updates from Windows Update and other software vendors to client computers.
Monitor the use of keys for groups of licensed applications.
In this section:
Groups of applications ............................................................................................................ 183
Application vulnerabilities ........................................................................................................ 193
Software updates .................................................................................................................... 196
Groups of applications
This section describes how to handle groups of applications installed on client computers.
Creating application categories
Kaspersky Security Center allows creating categories of applications installed on client computers.
You can create categories of applications using the following methods:
The administrator specifies a folder in which executable files have been included in the
selected category.
The administrator specifies a computer from which executable files are to be included in the
selected category.
The administrator sets criteria that should be used to include applications in the selected
category.
When the category of applications is created, the administrator can set rules for that category.
Rules define the behavior of applications included in the specified category. For example, you can
block or allow launching applications included in the category.
Managing launch of applications on client computers
Kaspersky Security Center allows managing launch of applications on client computers in White
List mode (for details refer to the Administrator's Guide for Kaspersky Endpoint Security 10 for
Windows). While in White List mode, on selected client computers you can only launch
applications included in the specified categories. The administrator can view results of static
analysis applied to rules of applications run on client computers for each of the users.
Inventory of software installed on client computers
Kaspersky Security Center allows performing inventory of software on client computers. Network
Agent retrieves information about all of the applications installed on client computers. Information
collected during inventory is displayed in the workspace of the Applications registry folder. The
administrator can view detailed information about any application, including its version and
manufacturer.
Managing groups of licensed applications
Kaspersky Security Center allows creating groups of licensed applications. A group of licensed
applications includes applications that meet criteria set by the administrator. The administrator can
specify the following criteria for groups of licensed applications:
Application name.
Application version.
Managing applications on client computers
184
Manufacturer.
Application tag.
Applications that meet one or several criteria are automatically included in a group. To create a
group of licensed applications, you should set at least one criterion of including applications in such
group.
Each licensed applications group has its own key. The key of a group of licensed applications
defines the maximum allowed number of installations for applications included in this group. If the
number of installations has exceeded the limit set by the key, an informational event is logged on
Administration Server. The administrator can specify an expiration date for the key. When this date
arrives, an informational event is logged on Administration Server.
Viewing information about executable files
Kaspersky Security Center retrieves all information about executable files that have been run on
client computers since the operating system had been installed on them. Collected information
about executable files is displayed in the main application window, in the workspace of the
Executable files folder.
In this section:
Creating application categories ............................................................................................... 186
Configuring applications launch management on client computers ......................................... 186
Viewing the results of statistical analysis of startup rules applied to executable files ............... 188
Viewing the applications registry ............................................................................................. 188
Creating groups of licensed applications ................................................................................. 190
Managing keys for groups of licensed applications.................................................................. 190
Kaspersky Anti-Virus software inventory ................................................................................. 191
Kaspersky Anti-Virus software inventory ................................................................................. 192
Viewing information about executable files .............................................................................. 193
185
Creating application categories
To create an application category:
1. In the Application management folder of the console tree, select the Application
categories subfolder.
2. Click the Create a category link to start the Create User Category Wizard.
3. In the Wizard window select a type of user category:
Category with content added manually. In this case, you can manually specify criteria
according to which executable files will be assigned to the category being created.
Category with content added automatically. In this case, you can specify a folder from
which executable files will be automatically assigned to the category being created.
Category which includes executable files from selected computers. In this case,
you can specify a computer. Executable files detected on this computer will be
automatically assigned to that category.
4. Follow the Wizard's instructions.
When you have finished with the Wizard, a custom application category is created. You can
view newly created categories using the list of categories in the workspace of the Application
categories folder.
Configuring applications launch

management on client computers
To configure the applications launch management on client computers:
1. In the Application management folder of the console tree, select the Application
categories subfolder.
2. In the workspace of the Application categories folder, create a category of applications

(see the section "Creating application categories on page 186) that you want to manage.
186
3. In the Managed computers folder, on the Policies tab click the Create Kaspersky
Endpoint Security policy link to run the New Policy Wizard for Kaspersky Endpoint
Security 10 for Windows and follow the Wizard's instructions.
If such a policy already exists, you can skip this step. You can configure the applications
launch management in a specified category through the settings of the policy. The newly
created policy is displayed in the Managed computers folder, on the Policies tab.
4. Select Properties from the context menu of the policy for Kaspersky Endpoint Security 10
for Windows.
The properties window of the policy for Kaspersky Endpoint Security 10 for Windows
opens.
5. In the properties window of the policy for Kaspersky Endpoint Security 10 for Windows, in
the Application Startup Control section click the Add button.
The Application Startup Control window opens.
6. In the Application Startup Control rule window, in the Category drop-down list select a
category of applications that the launch rule will cover. Configure the launch rule for the
selected category of applications.
For more details on the application startup control rules, refer to the Kaspersky Endpoint
Security 10 for Windows Administrator's Guide.
7. Click OK.
Launch of applications included in the specified category will be performed on client computers
according to the rule that you have created. The created rule is displayed in the properties
window of the policy for Kaspersky Endpoint Security 10 for Windows, in the Application
Startup Control section.
187
Viewing the results of statistical analysis of
startup rules applied to executable files
To view information about which executable files are prohibited for users to run:
1. In the Managed computers folder of the console tree select the Policies tab.
2. In the Protection policies context menu select Properties.
The properties window of the protection policy opens.
3. In the protection policy properties window select the Application Startup Control section
and click the Statistical analysis button.
The Analysis of the access rights list window opens.
4. The left part of the Analysis of the access rights list window displays a list of users
based on Active Directory data.
5. Select a user from the list.
The right part of the window displays categories of applications assigned to this user.
6. To view executable files which are prohibited for the user to run, in the Analysis of the
access rights list window click the View files button.
A window opens, displaying a list of executable files, which are prohibited for the user to run.
7. To view the list of executable files included in a category, select a category of applications
and click the View files in category button.
A window opens, displaying a list of executable files included in the category of applications.
Viewing the applications registry

Gathering of information about installed applications is available only for computers running on
Microsoft Windows.
188
To view the registry of applications installed on client computers,
In the Application management folder of the console tree, select the Applications registry
subfolder.
The workspace of the Applications registry folder contains a list of applications that have
been detected by Network Agent installed on the client computers.
You can view detailed information about any application on the list by opening its context menu
(select Properties). The application properties window displays the application details and
information about its executable files, as well as a list of computers on which the application is
installed.
To view applications that meet specific criteria, you can use filtering fields in the workspace of the
Applications registry folder.
Information about Kaspersky Lab applications and third-party software installed on client computers
that are connected to slave and virtual Administration Servers is also stored in the applications
registry of the master Administration Server. Use the applications registry report to view this
information, enabling collection of data from slave and virtual Administration Servers into it.
To add information from slave Administration Servers to the report:
2. In the workspace of the tab node, select the Reports tab.
3. In the workspace of the Reports tab, select Kaspersky Lab software version report.
4. Select Properties from the context menu of the report.
The Properties: Kaspersky Lab software version report window opens.
5. In the Administration Servers hierarchy section select the Include data from slave and
virtual Administration Servers check box.
6. Click OK.
As a result, information from slave and virtual Administration Servers will be included in the
Kaspersky Lab software version report.
189
Creating groups of licensed applications
To create a group of licensed applications:
1. In the Application management folder of the console tree, select the Third-party licenses
usage subfolder.
2. Click the Add a group of licensed applications link to run the Licensed Application
Group Addition Wizard.
After the Wizard completes its operation, a group of licensed applications is created and
displayed in the Third-party licenses usage folder.
Managing keys for groups of licensed

applications
To create a key for a group of licensed applications:
1. In the Application management folder of the console tree, select the Third-party
licenses usage subfolder.
2. In the workspace of the Third-party licenses usage folder click the Manage keys of
licensed applications link to open the Key Management in licensed applications window.
3. In the Key Management in licensed applications window click the Add button.
The Key window opens.
4. In the Key window specify the settings of the key and restrictions that the key imposes on
the group of licensed applications.
Name. The name of the key.
Comment. Notes on the selected key.
Restriction. The number of client computers to which the application using this key can
be installed.
Expiration date. The expiration date of the key.
Created keys are displayed in the Key Management in licensed applications window.
190
To apply a key to a group of licensed applications:
1. In the Application management folder of the console tree, select the Third-party
licenses usage subfolder.
2. In the Third-party licenses usage folder, select a group of licensed applications to which
you want to apply a key.
3. Select Properties from the context menu of the group of licensed applications.
The properties window of the group of licensed applications opens.
4. In the properties window of the group of licensed applications, in the Keys section select
Control if license limit is exceeded.
5. Click Add.
The Selecting a key window opens.
6. In the Selecting a key window select a key that you want to apply to a group of licensed
applications.
7. Click OK.
Restrictions imposed on a group of licensed applications and specified in the key will also cover
the selected group of licensed applications.
Kaspersky Anti-Virus software inventory

Kaspersky Anti-Virus performs inventory of all software installed on managed client computers.
Network Agent compiles a list of applications installed on a client computer, and then transmits this
list to Administration Server. Network Agent automatically receives information about installed
applications from the Windows registry.
To save the client computer resources, Network Agent starts receiving information about
installed applications 10 minutes after the Network Agent service starts, by default.
191
To change the software inventory start time, which elapses after the Network Agent
service runs on a computer:
1. Open the system registry of the client computer on which Network Agent is installed (for
example, locally, using the regedit command in the Start Run menu).
2. Go to the following hive:
For a 64-bit system:
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\KasperskyLab\Components\34
\1103\1.0.0.0\NagentFlags
HKEY_LOCAL_MACHINE\SOFTWARE\KasperskyLab\Components\34\1103\1.0.0.0\N
agentFlags
3. For the KLINV_INV_COLLECTOR_START_DELAY_SEC key, set the required value in

seconds.
The default value is 600 seconds.
4. Restart the Network Agent service.
As a result, the software inventory start time, which elapses after the Network Agent service
runs, will be changed.
Kaspersky Anti-Virus software inventory

You can use an inventory task to perform inventory of executable files on client computers.
Kaspersky Endpoint Security 10 for Windows provides the feature of inventory of executable files.
To create an inventory task for executable files on client computers:
This starts the New Task Wizard
192
3. In the Select the task type window of the Wizard, select Kaspersky Endpoint Security
as the task type, then select Inventory as the task subtype, and click Next.
4. Follow the further instructions of the Wizard.
After the Wizard is done, an inventory task for Kaspersky Endpoint Security is created. The
newly created task is displayed in the list of tasks in the workspace of the Tasks folder.
A list of executable files that have been detected on client computers during inventory, is displayed
in the workspace of the Executable files folder.
Viewing information about executable files

To view a list of all executable files detected on client computers,
In the Application management folder of the console tree, select the Executable files
subfolder.
The workspace of the Executable files folder displays a list of executable files that have been
run on client computers since the installation of the operating system or have been detected
while running the inventory task of Kaspersky Endpoint Security 10 for Windows.
To view details of executable files that match specific criteria, you can use filtering.
To view the properties of an executable file,
From the context menu of the file, select Properties.
A window opens displaying information about the executable file and a list of client computers
on which this executable file can be found.
Application vulnerabilities
The Software vulnerabilities folder included in the Application management folder contains a
list of vulnerabilities in applications that have been detected on client computers by the Network
Agent installed on them.
193
The feature of analysis of information about vulnerabilities in applications is only available for
computers running on Microsoft Windows operating systems.
By opening the properties window of a selected application in the Software vulnerabilities folder,
you can obtain general information about a vulnerability, about the application where it has been
detected, view the list of computers on which the vulnerability has been found, and information
about the fixing of this vulnerability.
Viewing information about vulnerabilities in

applications
To view a list of vulnerabilities detected on client computers,
In the Application management folder of the console tree, select the Software
vulnerabilities subfolder.
The workspace of the folder displays a list of vulnerabilities in applications detected on client
computers by Network Agent installed on them.
To obtain information about a selected vulnerability,

select Properties from the context menu of the vulnerability.
The properties window of the vulnerability opens, displaying the following information:
Application in which the vulnerability has been detected.
List of computers on which the vulnerability has been detected.
Information on whether the vulnerability has been fixed.
To view the report on all detected vulnerabilities,

click the View vulnerabilities report link in the Software vulnerabilities folder.
A report on vulnerabilities in applications installed on client computers will be generated. You

can view the report in the Reports and notifications folder.
The feature of analysis of information about vulnerabilities in applications is only available for
computers running on Microsoft Windows operating systems.
194
Scanning applications for vulnerabilities
If you have configured the application through the Quick Start Wizard, the vulnerability scan task is
created automatically. You can view the task in the Managed computers folder, on the Tasks tab.
To create a task for vulnerability scan in applications installed on client computers:
1. In the Application management folder of the console tree, select the Software
vulnerabilities subfolder.
2. Click the Configure vulnerability scan link in the workspace to run the Vulnerabilities and
Required Updates Search Task Creation Wizard.
The Task Creation Wizard window opens.
After the Wizard completes its operation, the Find vulnerabilities and application updates
task is created and displayed on the list of tasks in the Managed computers folder on the
Tasks tab.
Fixing vulnerabilities in applications

If you have selected Find and install application updates in the Update management settings
window of the Quick Start Wizard, the Installing application updates and fix vulnerabilities task is
created automatically. The task is displayed in the Managed computers folder on the Tasks tab.
To create the vulnerabilities fix task using available updates for applications:
1. In the console tree select the Managed computers folder on the Tasks tab.
2. Click the Create a task link to run the New Task Wizard.
3. In the Select the task type window of the Wizard specify the Installing application
updates and fixing vulnerabilities task type.
After the Wizard completes its operation, the Installing application updates and fix
vulnerabilities task is created and displayed in the Managed computers folder on the
Tasks tab.
195
Software updates
Kaspersky Security Center allows managing updates of software installed on client computers, and
fixing vulnerabilities in Microsoft applications and other vendors' products through installation of
required updates.
Kaspersky Security Center searches for updates through the update search task and downloads
them to the updates storage. After completing the search of updates, the application provides the
administrator with information about available updates and vulnerabilities in applications that can
be fixed using those updates.
Information about available updates for Microsoft Windows is provided by Windows Update
service. Administration Server can be used as Windows Update server (WSUS). To use
Administration Server as Windows Update server, you should configure synchronization of updates
with Windows Update. After you have configured data synchronization with Windows Update,
Administration Server provides updates to Windows Update services on client computers in
centralized mode and with the set frequency.
You can also manage software updates through a Network Agent policy. To do this, you should
create a Network Agent policy and configure software updating in the corresponding windows of
the New Policy Wizard.
The administrator can view a list of available updates in the Software updates subfolder included
in the Application management folder. This folder contains a list of updates for Microsoft
applications and other vendors' products retrieved by Administration Server that can be distributed
to client computers. After viewing information about available updates, the administrator can install
them to client computers.
Kaspersky Security Center updates some applications by removing the previous version of the
application and installing the new one.
Before installing the updates to all of the client computers, you can perform a test installation to
make sure installed updates will cause no failures to the operation of applications on the client
computers.
196
In this section:
Viewing information about available updates........................................................................... 197
Synchronizing updates from Windows Update with Administration Server .............................. 198
Automatic installation of updates for Kaspersky Endpoint Security on client computers .......... 198
Offline model of update download ........................................................................................... 201
Enabling and disabling the offline model of update download ................................................. 203
Installing updates on client computers manually ..................................................................... 205
Configuring Windows updates in a Network Agent policy ........................................................ 207
Viewing information about available

updates
To view a list of available updates for applications installed on client computers,
In the Application management folder of the console tree, select the Software updates
subfolder.
In the workspace of the folder you can view a list of available updates for applications installed
on client computers.
To view the properties of an update,
in the workspace of the Software updates folder select Properties from the context menu of
the update.
The following information is available for viewing in the properties window of the update:
List of client computers for which the update is intended (target computers).
List of system components (prerequisites) that need to be installed before the update (if any).
Vulnerabilities in applications that the update should fix.
197
Synchronizing updates from Windows
Update with Administration Server
If you have selected Use Administration Server as WSUS server in the Update management
settings window of the Quick Start Wizard, the Windows Update synchronization task is created
automatically. You can run the task in the Administration Server tasks folder. The functionality of
a software update is only available after the Perform Windows Update synchronization task is
successfully completed.
To create a task for synchronizing Windows Updates with Administration Server:
1. In the Application management folder of the console tree, select the Software updates
subfolder.
2. Click the Configure Windows Update synchronization link to run the Windows Update
Center Data Retrieval Task Creation Wizard.
The Wizard creates the Perform Windows Update synchronization task displayed in the
Administration Server tasks folder.
You can also create the Windows Update synchronization task in the Administration Server
tasks folder by clicking the Create a task link.
Automatic installation of updates for

Kaspersky Endpoint Security on client
computers
You can configure automatic updates of databases and application modules of Kaspersky
Endpoint Security on client computers.
198
To configure download and automatic installation of updates of Kaspersky Endpoint
Security on client computers:
2. Create an Update task in one of the following ways:
In the workspace of the Tasks folder, click the Create a Task button.
This starts the New Task Wizard.
3. In the Select the task type window of the Wizard, select Kaspersky Endpoint Security
as the task type, then select Update as the task subtype, and click Next.
After the Wizard is done, an update task for Kaspersky Endpoint Security is created. The
newly created task is displayed in the list of tasks in the workspace of the Tasks folder.
5. In the workspace of the Tasks folder, select an update task that you have created.
6. From the context menu of the task, select Properties.
7. In the task properties window, select the Settings section.
In the Settings section, you can define the update task settings in local or out-of-office
mode:
Local mode update settings: a connection is established between the Administration

Server and the client computer.
Out-of-office mode update settings: no connection is established between Kaspersky

Security Center and the client computer (for example, when the computer is not
connected to the Internet).
8. Click the Setting up button to select the update source.
199
9. Select the Download application module updates check box to download and install
application module updates together with application databases.
If the check box is selected, Kaspersky Endpoint Security notifies the user about available
application module updates and includes application module updates in the update
package while running the update task. Configure the use of update modules:
Install critical and approved updates. If any updates are available for application
modules, Kaspersky Endpoint Security automatically installs them with the Critical
status; the remaining updates will be installed after they are approved by the
administrator.
To approve software updates:
a. In the console tree, open the Software update folder.
b. In the update properties window, in the General section, in the Update approved
field, set the Yes value.
The default value is set on Not defined.
Install approved updates only. If any application module updates are available,
Kaspersky Endpoint Security installs them after their installation is approved; they will
be installed locally through the application interface or on the Kaspersky Security
Center side.
If application module updates require reviewing and accepting the terms of the End User
License Agreement, the application installs updates after the terms of the End User License
Agreement have been accepted by the user.
10. Select the Copy updates to folder check box in order for the application to save
downloaded updates to the folder specified by clicking the Browse button.
11. Click OK.
When running the Update task, the application sends requests to Kaspersky Lab update
servers.
200
Offline model of update download
Network Agents on managed computers may not connect to the Administration Server to receive
updates sometimes. For example, Network Agent may have been installed on a laptop that
sometimes has no Internet connection and no local network access. Moreover, the administrator
may limit the time for connection of client computers to the network. In such cases, Network
Agents cannot receive updates from the Administration Server upon the existing schedule. If you
have configured the updating of managed applications (such as Kaspersky Endpoint Security)
using Network Agent, each update will require a connection to the Administration Server. When no
connection is established between Network Agent and the Administration Server, updating is
impossible. You can configure the connection between Network Agent and the Administration
Server so that Network Agent connects to the Administration Server at specified time intervals. At
worst, if the specified connection intervals are overlaid with periods when no connection is
available, the databases will never be updated. Besides that, issues may occur when multiple
managed applications simultaneously attempt to access the Administration Server to receive
updates. In this case, the Administration Server may stop responding to requests (similarly to a
DDoS attack).
To reduce the load on the Administration Server and improve update distribution, Kaspersky
Security Center features an offline model for downloading updates for databases and modules of
managed applications.
How the offline model of update download works
Every time the Administration Server receives updates, it notifies Network Agents of which updates
will be required for managed applications. When Network Agents receive information on which
updates will soon be required by managed applications, they download the relevant files from the
Administration Server beforehand. At the first connection with a Network Agent, the Administration
Server initiates an update download by that Agent. To distribute the load on the Administration
Server, Network Agents start connecting to the Administration Server and download updates in a
random order during the time interval specified by the Administration Server. This time interval
depends on the number of Network Agents that download updates and on the size of those
updates. After Network Agent on a client computer downloads all the updates, they become
available for applications on that computer.
To reduce the load on the Administration Server, you can use Network Agents as Update Agents.
201
When a managed application on a client computer attempts to access Network Agent for updates,
this Network Agent checks if it has all required updates. If the updates were received from the
Administration Server 25 hours since they had been requested for by the managed application, or
less, Network Agent does not connect to the Administration Server and supplies the managed
application with the updates from the local cache. Connection with the Administration Server may
not be established at that, but it is not required for updating. Otherwise, update installation is
performed in standard mode, according to the schedule of the update download task.
By default, the offline model of update download is enabled. You can enable or disable the offline
model in the registry of the computer on which Administration Server is installed (see section
Enabling and disabling the offline model of update download" on page 203).
Advantages and disadvantages of the offline model of update download
The offline model of update download has the following advantages:
Kaspersky Security Center can choose the time for downloading updates, thus avoiding
errors in updates of managed applications. Applications always have reliable access to the
latest updates that can be downloaded from the Administration Server.
Administration Server can manage the load when distributing updates.
The offline model of update download has the following disadvantages:
Network traffic may increase between the Administration Server and Network Agent
because the offline model implies that updates are distributed on Network Agents every
time after the Administration Server receives new updates. In standard mode, updates are
distributed upon the update task schedule.
Added load on the Administration Server is possible because the Administration Server
defines which updates are needed by each managed computer.
202
Tips on using the offline update model
A certain time interval is always observed between the moment the Administration Server
received new updates for applications and the moment Network Agent finishes
downloading the updates from the Administration Server. If the update task starts running
during this time interval, managed computers will receive outdated database updates from
Network Agent.
We recommend that you set the update task schedule so that the update starts after the
Administration Server receives updates. In this case, the update task is run by Kaspersky
Security Center, so applications receive updates as soon as possible.
If the update download task is run too frequently, Network Agent may lack time to download
all the required updates before the next task run.
We recommend that you increase the interval between runs of the update download task.
Enabling and disabling the offline model of

update download
To enable the offline model of update download:
1. Open the system registry of the computer on which Administration Server is installed (for
\1093\1.0.0.0\ServerFlags
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Components\34\1093\1.0.0.0\S
erverFlags
203
3. For the SrvDisableOfflineUpdates (DWORD) key, set the 0 value.
By default, the 0 value is specified for this key (the offline model of update download is
enabled).
4. For the SrvOfflineUpdatesDelay (DWORD) key, set the value of the time period during
which the Administration Server distributes updates in a random manner (in seconds).
By default, the 0 value is set; in this case, the time interval is calculated automatically.
5. Restart the Administration Server service.
As a result, the offline model of update download is enabled.
To disable the offline model of update download:
1. Open the system registry of the computer on which Administration Server is installed (for
\1093\1.0.0.0\ServerFlags
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Components\34\1093\1.0.0.0\S
erverFlags
3. For the SrvDisableOfflineUpdates (DWORD) key, set the 1 value.
By default, the 0 value is specified for this key (the offline model of update download is
enabled).
As a result, the offline model of update download is disabled.
204
Installing updates on client computers
manually
If you have selected Find and install application updates in the Update management settings
window of the Quick Start Wizard, the Installing application updates and fix vulnerabilities task
is created automatically. You can run or stop the task in the Managed computers folder on the
Tasks tab.
If you have selected Search for critical updates in the Quick Start Wizard, you can install
software updates to client computers through the Installing application updates and fix
vulnerabilities task.
To create an update installation task, do the following:
subfolder.
2. In the Software updates folder open the context menu of an update and select Install
update New task, or click the Install update (create task) link in the section intended
for handling selected updates.
This opens the Updates Installation and Vulnerabilities Fix Task Creation Wizard.
After the Wizard completes its operation, the Installing application updates and fix
vulnerabilities task is created and displayed in the Managed computers folder on the
Tasks tab.
You can enable automatic installation of system components (prerequisites) prior to installation of
an update in Install Applications and Fix Vulnerabilities task properties. When this option is
enabled, all required system components are installed before the update. A list of the required
components can be found in properties of the update.
In the properties of Install Applications and Fix Vulnerabilities task, you can allow installation of
updates that upgrade application to a new version.
205
Upgrading to a new version of an application may cause misoperation of dependent
applications on client computers.
In the settings of the updates installation task you can configure a test installation of updates.
To configure a test installation of updates:
1. In the console tree select the Installing application updates and fixing vulnerabilities
task in the Managed computers folder, on the Tasks tab.
2. From the context menu of the task, select Properties.
The properties window of the Installing application updates and fix vulnerabilities task
opens.
3. In the properties window of the task, in the Test installation section select one of the
available options for test installation:
Do not scan. Select this option if you do not want to perform a test installation of
updates.
Run scan on selected computers. Select this option if you want to test updates
installation on selected computers. Click the Add button and select computers on which
you want to perform a test installation of updates.
Run scan on computers in the specified group. Select this option if you want to test
updates installation on a group of computers. In the Specify a test group field specify a
group of computers on which you want to perform a test installation.
Run scan on the specified percentage of computers. Select this option if you want
to test updates installation on some portion of target computers. In the Percentage of
test computers from all target computers field specify the percentage of computers
on which you want to perform a test installation of updates.
4. Upon selecting any of the options but the first one, in the Time to take the decision if the
installation is to be continued field specify the number of hours that should elapse from
the test installation of updates until the start of installation of the updates to all the target
computers.
206
Configuring Windows updates in a Network
Agent policy
To configure Windows Updates in a Network Agent policy:
1. In the Managed computers folder, on the Policies tab select a Network Agent policy.
2. In the context menu of the policy, select Properties.
Open the properties window of the Network Agent policy.
3. In the policy properties window, select the Software updates and vulnerabilities section.
4. Select the Use Administration Server as WSUS server check box to download Windows
updates to the Administration Server and then distribute them on client computers by
means of Network Agents.
If this check box is cleared, Windows updates are not downloaded to the Administration
Server. In this case, client computers receive Windows updates on their own.
5. Select the Windows Update search mode:
Active. The Administration Server initiates a request from Windows Update Agent on a
client computer to the update source: Windows Update Servers, or WSUS. After that,
Network Agent passes information received from Windows Update Agent to
Passive. In this mode, Network Agent periodically passes the Administration Server
information about updates retrieved at the last synchronization of Windows Update
Agent with the update source. If no synchronization of Windows Update Agent with an
update source is performed, information about updates on the Administration Server
becomes out-of-date.
Disabled. The Administration Server retrieves no information about updates.
6. Click Apply.
207
Remote installation of operating
systems and applications
Kaspersky Security Center allows creating images of operating systems and deploying them on
client computers over the network, as well as performing remote installation of applications by
Kaspersky Lab and other vendors.
Capturing images of operating systems
Kaspersky Security Center can capture images of operating systems from target computers and
transfer those images to Administration Server. Such images of operating systems are stored on
Administration Server in a dedicated folder. The operating system image of a reference computer
can be captured and created by using the Add new package task (see the section "Creating an
installation package of an application on page 215).
To create images of operating systems, Windows Automated Installation Kit (WAIK) tool
package should be installed on Administration Server.
The functionality of operating system image capturing has the following features:
An operating system image cannot be captured on a computer on which Administration

Server is installed.
While capturing an operating system image, a utility named sysprep.exe resets the settings
of the reference computer. If you need to restore the settings of the reference computer,
you should select the Save computer backup copy check box in the Operating System
Image Creation Wizard.
The image capturing process provides for a restart of the reference computer.
Deploying images of operating systems on new computers
The administrator can use images to deploy on new networked computers on which no operating
system has been installed yet. A technology named Preboot eXecution Environment (PXE) is used
in this case. The administrator selects a networked computer that will be used as the PXE server.
This computer should meet the following requirements:
Network Agent should be installed on the computer.
No DHCP server should be active on the computer, since a PXE server uses the same
ports as a DHCP server.
The network segment comprising the computer should not contain any other PXE servers.
The following conditions should be met to deploy an operating system: a network card should be
mounted on the computer, the computer should be connected to the network, and the Network
boot option should be selected in BIOS when booting the computer.
Deployment of an operating system is performed as follows:
1. The PXE server establishes a connection with a new client computer while it boots up.
2. The client computer becomes included in Windows Preinstallation Environment (WinPE).
Adding the client computer to WinPE environment may require configuration of the set
of drivers for WinPE.
3. The client computer is registered on Administration Server.
4. The administrator assigns the client computer an installation package with an operating
system image.
The administrator can add required drivers to the installation package with the
operating system image and specify a configuration file with the operating system
settings (answer file) that should apply during installation.
5. The operating system is deployed on the client computer.
209
The administrator can manually specify the MAC addresses of client computers that have not yet
connected, and assign them the installation package with the operating system image. When the
selected client computers connect to the PXE server, the operating system is automatically
installed to those computers.
Deploying images of operating systems on computers where another operating system has
already been installed
Deployment of images of operating systems on client computers where another operating system
has already been installed is performed through the remote installation task for specific computers.
Installing applications by Kaspersky Lab and other vendors
The administrator can create installation packages of any applications, including those specified by
the user, and install the applications to client computers through the remote installation task.
In this section:
Creating images of operating systems .................................................................................... 210
Adding drivers for Windows Preinstallation Environment (WinPE) ........................................... 211
Adding drivers to an installation package with an operating system image .............................. 212
Configuring sysprep.exe utility................................................................................................. 213
Deploying operating systems on new networked computers ................................................... 213
Deploying operating systems on client computers ................................................................... 215
Creating installation packages of applications ......................................................................... 215
Issuing a certificate for installation packages of applications ................................................... 216
Installing applications to client computers ............................................................................... 217
Creating images of operating systems

Images of operating systems are created through the reference computer operating system image
making task.
210
To create the reference computer operating system image making task:
subfolder.
2. Click the Create installation package link to run the New Package Wizard.
3. In the Select installation package type window of the Wizard click the Create installation
package based on OS image of reference computer button.
The Wizard's activities create an Administration Server task named Copy the OS image from
the computer. You can view the task in the Administration Server tasks folder.
When the Copy the OS image from the computer task is completed, an installation package is
created that you can use to deploy the operating system on client computers through a PXE server
or the remote installation task. You can view the installation package in the Installation packages
folder.
Adding drivers for Windows

Preinstallation Environment (WinPE)
To add drivers for WinPE:
1. In the Remote installation folder of the console tree select the Deploy computer images
subfolder.
2. In the workspace of the Deploy computer images folder, click the Configure driver set
for Windows Preinstallation Environment (WinPE) link to open the Windows
Preinstallation Environment drivers window.
3. In the Windows Preinstallation Environment drivers window click the Add button.
The Add driver window opens.
4. In the Add driver window specify the name of a driver and the path to the driver installation
package. You can specify the path to an installation package by clicking the Select button
in the Add driver window.
211
5. Click OK.
The driver will be added to the Administration Server repository. When added to the
repository, the driver is displayed in the Select driver window.
6. Click OK in the Select driver window.
The driver will be added to Windows Preinstallation Environment (WinPE).
Adding drivers to an installation

package with an operating system
image
To add drivers to an installation package with an operating system image:
subfolder.
2. From the context menu of an installation package with an operating system image select
Properties.
The installation package properties window opens.
3. In the installation package properties window select the Additional drivers section.
4. Click the Add button in the Additional drivers section.
The Select driver window opens.
5. In the Select driver window select drivers that you want to add to the installation package
with the operating system image.
You can add new drivers to the Administration Server repository by clicking the Add button
in the Select driver window.
6. Click OK.
Added drivers are displayed in the Additional drivers section of the properties window of the
installation package with the operating system image.
212
Configuring sysprep.exe utility
The utility sysrep.exe is intended to prepare the computer to creation of an operating system image.
To configure sysprep.exe utility:

subfolder.
2. From the context menu of an installation package with an operating system image select
Properties.
The installation package properties window opens.
3. In the installation package properties window select the sysprep.exe settings section.
4. In the sysprep.exe settings section specify a configuration file that will be used when
deploying the operating system on the client computer:
Use default configuration file. Select this option to use the answer file generated by
default when capturing the operating system image.
Specify custom values of main settings. Select this option to specify values for
settings via the user interface.
Specify configuration file. Select this option to use a custom answer file.
5. To apply the changes made, click the Apply button.
Deploying operating systems on new

networked computers
To deploy an operating system on new computers that have not yet had any operating
system installed:
1. In the Remote installation folder of the console tree select the Deploy computer images
subfolder.
2. Click the Manage the list of PXE servers in the network link in the Deploy computer
images folder to open the Properties: Deploy computer images window on the PXE
servers section.
213
3. Click the Add button in the PXE servers section, and in the PXE servers window that
opens, select a computer that will be used as PXE server.
The added computer will be displayed in the PXE servers section.
4. In the PXE servers section select a PXE server and click the Properties button.
5. In the properties window of the selected PXE server, on the PXE server connection
settings tab configure connection between Administration Server and the PXE server.
6. Boot the client computer on which you want to deploy the operating system.
7. In the BIOS of the client computer select the Network boot installation option.
The client computer connects to the PXE server and is then displayed in the workspace of
the Deploy computer images folder.
8. In the Actions section click the Assign installation package link to select an installation
package that will be used for installing the operating system to the selected computer.
After you have added a computer and assigned an installation package to it, the operating
system deployment starts automatically on this computer.
9. To cancel the deployment of an operating system on a client computer, click the Cancel
OS image installation link in the Actions section.
To add computers by MAC address,
click the Add MAC address of target computer link in the Deploy computer images
folder to open the New target computer window, and specify the MAC address of a
computer that you want to add;
click the Import MAC addresses of target computers from file link in the Deploy
computer images folder to select a file containing a list of MAC addresses of all computers
on which you want to deploy an operating system.
214
Deploying operating systems on client
computers
To deploy an operating system on client computers with another operating system
installed:
1. In the Remote installation folder of the console tree click the Start Remote Installation
Wizard link to run the Remote Installation Wizard.
2. In the Select installation package window of the Wizard specify an installation packages
with an operating system image.
The Wizard's activities create a remote installation task intended for installation of the operating
system to the client computers. You can start or stop the task in the Tasks for specific
computers folder.
Creating installation packages of

applications
To create an installation package of an application:
subfolder.
2. Click the Create installation package link to run the New Package Wizard.
3. In the Select installation package type window of the Wizard click one of the following
buttons:
Create installation package for a Kaspersky Lab application. Select this option if
you want to create an installation package for a Kaspersky Lab application.
Create installation package for specified executable file. Select this option if you
want to create an installation package for an application requested by the user.
215
Create installation package based on OS image of reference computer. Select this
option if you want to create an installation package with an image of the operating
system of a reference computer.
The Wizard's activities create an Administration Server task named Copy the OS
image from the computer. When this task is completed, an installation package is
created that you can use to deploy the operating system image through a PXE server or
the remote installation task.
The Wizard's activities create an installation package that you can use to install the application
to client computers. You can view the installation package in the Installation packages folder.
For detailed information on installation packages, see Kaspersky Security Center Implementation
Guide.
Issuing a certificate for installation

packages of applications
To create a certificate for the installation package of an application:
subfolder.
The Remote installation folder is a subfolder of the Advanced folder by default.
2. Click the Additional actions button and select View list of stand-alone packages from
the dropdown list.
3. In the General list of stand-alone packages window, in the Certificate for signing field,
click the Configure link.
This opens the Certificate for signing window.
4. In the Certificate for signing window, click the Specify button.
216
5. In the Certificate type field, specify the public or private certificate type:
If the PKCS#12 container value is selected, specify the certificate file and the
password.
If the X.509 certificate value is selected:
6. Click OK.
As a result, a certificate for the installation package of the application is issued.
Installing applications to client

computers
To install an application to client computers:
1. In the Remote installation folder of the console tree click the Start Remote Installation
Wizard link to run the Remote Installation Wizard.
2. In the Select installation package window of the Wizard specify the installation package
of an application that you want to install.
The Wizard's activities create a remote installation task to install the application to client
computers. You can start or stop the task in the Tasks for specific computers folder.
217
This section describes how to manage mobile devices connected to Administration Server. For
details on how to connect mobile devices, please refer to the Kaspersky Security Center
Implementation Guide.
In this section:
Managing mobile devices using an MDM policy ...................................................................... 218
Handling commands for mobile devices .................................................................................. 220
Handling certificates ................................................................................................................ 227
Adding a mobile device to the list of managed devices ........................................................... 231
Managing Exchange ActiveSync mobile devices ..................................................................... 235
Managing iOS MDM mobile devices........................................................................................ 239
Managing KES devices ........................................................................................................... 253
Mobile Device Management using an

MDM policy
To manage iOS MDM and EAS devices, you can use the management plug-in of Kaspersky Mobile
Device Management 10 Service Pack 1, which is included in the distribution kit of Kaspersky Security
Center. Kaspersky Mobile Device Management lets you create group policies for specifying the
configuration settings of iOS MDM and EAS devices. A group policy that allows modifying the
configuration settings of iOS MDM and EAS devices without using iPhone Configuration Utility and
the management profile of Exchange Active Sync, is called an MDM policy.
An MDM policy provides the administrator with the following options:
For managing EAS devices:
Configuring the device unlocking password.

Configuring the data storage on the device in encrypted form.
Configuring the synchronization of the corporate mail.
Configuring the hardware features of mobile devices, such as the use of removable
media, the use of the camera, or the use of Bluetooth.
Configuring restrictions on the use of mobile applications on the device.
For managing iOS MDM devices:
Configuring device password security settings.
Configuring restrictions on usage of hardware features of the device and restrictions on

installation and removal of mobile apps.
Configuring restrictions on the use of pre-installed mobile apps, such as YouTube,

iTunes Store, Safari.
Configuring restrictions on media content viewed (such as movies and TV shows) by

region where the device is located.
Configuring settings of device connection to the Internet via the proxy server (Global
HTTP proxy).
Configuring the settings of the account using which the user can access corporate apps
and services (Single Sign On technology).
Monitoring Internet usage (visits to websites) on mobile devices.
Configuring settings of wireless networks (Wi-Fi), access points (APN), and virtual
private networks (VPN) that use different authentication mechanisms and network
protocols.
Configuring settings of the connection to AirPlay devices for streaming photos, music,
and videos.
Configuring settings of the connection to AirPrint printers for wireless printing of

documents from the device.
219
Configuring settings of synchronization with the Microsoft Exchange server and user
accounts for using corporate email on devices.
Configuring user credentials for synchronization with the LDAP directory service.
Configuring user credentials for connecting to CalDAV and CardDAV services that give
users access to corporate calendars and contact lists.
Configuring settings of the iOS interface on the user's device, such as fonts or icons for
favorite websites.
Adding new security certificates on devices.
Configuring settings of the SCEP server for automatic retrieval of certificates by the
device from the Certification Center.
Adding custom settings for operation of mobile apps.
The general operating principles of an MDM policy do not differ from the operating principles of
policies created for managing other apps. An MDM policy is special in that it is assigned to an
administration group that includes the iOS MDM Mobile Device Server and the Exchange
ActiveSync mobile device server (hereinafter "mobile device servers"). All settings specified in an
MDM policy are first applied to mobile device servers and then to mobile devices managed by such
servers. In the case of a hierarchical structure of administration groups, slave mobile device
servers receive MDM policy settings from master mobile device servers and distribute them to
mobile devices.
For detailed information about how to use the MDM policy in Administration Console of Kaspersky
Security Center, please refer to the Administrator's Guide for Kaspersky Security for Mobile
Integrated Solution.
Handling commands for mobile devices

This section contains information about commands for mobile devices management supported by
the application. The section provides instructions on how to send commands to mobile devices, as
well as how to view the execution statuses of commands in the commands log.
220
Commands for mobile device management
The application supports commands for mobile devices management.
Such commands are used for remote mobile device management. For example, in case your
mobile device is lost, you can delete all corporate data from the device by using a command.
Commands are used on three types of mobile devices:
iOS MDM devices.
KES devices.
EAS devices.
Each device type supports a dedicated set of commands. The following table shows sets of
commands for each of the device types.
For all types of devices, if the Delete data command is successfully executed, all data will be
deleted from the device, the device settings will be rolled back to their default values.
After successful execution of the Remove corporate data from device command on an iOS
MDM device, all installed configuration profiles, provisioning profiles, the iOS MDM profile, and
applications for which the Remove together with iOS MDM profile check box has been
selected, are removed from the device.
If the Delete corporate data command is successfully executed on a KES device, all
corporate data, entries in Contacts, the SMS history, the call log, the calendar, the Internet
connection settings, and the user's accounts, except for the Google account, will be deleted
from the device. For a KES device, all data from the memory card will also be deleted.
221
Table 2. List of supported commands
Mobile device type Commands Command execution result
iOS MDM device Lock Device locked.
Unlock Device locking with a PIN code is

disabled. The previously specified PIN
code has been reset.
Reset settings to default All data deleted from the device, settings
rolled back to the default values.
Delete corporate data All installed configuration profiles,

provisioning profiles, the iOS MDM
profile, and applications for which the
Remove together with iOS MDM profile
check box has been selected, are
removed from the device.
Refresh device info Device data synchronized with

Install profile Configuration profile installed on the

device.
Delete profile Configuration profile deleted from the

device.
Install provisioning profile Provisioning profile installed on the

device.
Delete provisioning profile Provisioning profile deleted from the

device.
Install application Application installed on the device.
Remove application Application removed from the device.
222
Enter redemption code Redemption code entered for a paid

application.
Configure roaming Data roaming and voice roaming enabled

or disabled.
Install Kaspersky Safe Kaspersky Safe Browser is installed on

Browser the device.
KES device Lock Device locked.
Unlock Device locking with a PIN code is

disabled. The previously specified PIN
code has been reset.
Reset settings to default All data deleted from the device, settings
Delete corporate data All installed configuration profiles,

provisioning profiles, the iOS MDM
profile, and applications for which the
Remove together with iOS MDM profile
check box has been selected, are
removed from the device.
Refresh device info Device data synchronized with

Locate Device locked. Device located and shown

on Google Maps. The mobile carrier
charges a fee for sending the text
message and for providing Internet
connection.
223
Mugshot Device locked. The photo has been taken

by the front camera of the device and
saved on Administration Server. Photos
can be viewed in the command log. The
mobile carrier charges a fee for sending
the text message and for providing
Internet connection.
Alarm Device locked. The device emits a sound

signal.
EAS device Delete data All data deleted from the device, settings
Using Google Cloud Messaging

To ensure timely delivery of commands to KES devices managed by Android operating systems,
Kaspersky Security Center uses the mechanism of push notifications. Push notifications are
exchanged between KES devices and Administration Server through Google Cloud Messaging. In
Kaspersky Security Center Administration Console, you can define the settings of Google Cloud
Messaging to connect KES devices to the service.
To retrieve the settings of Google Cloud Messaging, the administrator must have a Google
account. For more details on how to retrieve the settings of Google Cloud Messaging, please
refer to the corresponding article in the Knowledge Base on the website of Technical Support
http://support.kaspersky.com/11770.
To configure Google Cloud Messaging:
1. In the Mobile Device Management folder of the console tree, select the Mobile devices
subfolder.
2. In the context menu of the Mobile devices folder, select Properties.
This opens the properties window of the Mobile devices folder.
224
3. Select the Google Cloud Messaging settings section.
4. In the Sender ID field, specify the number of a Google API project that you have received
when creating one in the Google Developer Console.
5. In the API key field, enter a common API key that you have created in the Google
Developer Console.
At the next synchronization with Administration Server, KES devices managed by Android
operating systems will be connected to Google Cloud Messaging.
You can edit the settings of Google Cloud Messaging by clicking the Reset settings button.
Sending commands
To send a command to the user's mobile device:
subfolder.
The folder workspace displays a list of managed mobile devices.
2. Select the user's mobile device to which you need to send a command.
3. In the context menu of the mobile device, select Show command log.
4. In the Commands for mobile devices management window, proceed to the section with
the name of the command that you need to send to the mobile device, then click the Send
command button.
Depending on the command that you have selected, clicking the Send command button
may open the window of advanced settings of the application. For example, when you send
the command for deleting a provisioning profile from a device, the application prompts you
to select the provisioning profile that should be deleted from the device. Define the
advanced settings of the command in that window and confirm your selection. After that,
the command will be sent to the mobile device.
You can click the Resend button to send the command to the user's mobile device once
again.
225
You can click the Remove from queue button to cancel execution of a command that had
been sent if the latter has not yet been executed.
The Command log section displays commands that have been sent to the device, with the
respective execution statuses. You can click the Refresh button to refresh the list of
commands.
5. Click the OK button to close the Commands for mobile devices management window.
Viewing the statuses of commands in the

command log
The application saves to the command log information about all commands that have been sent to
mobile devices. The command log contains information about the time and date each command
was sent to the device, their statuses, and detailed descriptions of command execution results. For
example, in case a command fails to be executed, the log displays the cause of the error. Records
are stored in the command log for 30 days at most.
Commands sent to mobile devices can have the following statuses:
Running the command has been sent to the device.
Completed the command execution has been successfully completed.
Completed with error the command execution has failed.
Deleting the command is being removed from the queue of commands sent to the mobile
device.
Deleted the command has been removed from the queue of commands sent to the
mobile device.
Error deleting the command could not be removed from the queue of commands sent to
the mobile device.
The application maintains a command log for each mobile device.
226
To view the log of commands that have been sent to a mobile device:
subfolder.
2. In the list of mobile devices, select the one for which you want to view the command log.
The Commands for mobile devices management window opens. The sections of the
Commands for mobile devices management window correspond to the commands that
can be sent to the mobile device.
4. Select sections with the commands that you need and view information about how the
commands are sent and executed by opening the Command log section.
In the Command log section, you can view the list of commands that have been sent to the mobile
device and details on those commands. The Show commands filter lets you display only
commands with the selected status in the list.
Handling certificates
This section contains information about how to handle certificates of mobile devices. The section
contains instructions on how to install certificates on users' mobile devices and how to configure
certificate handing rules. The section also contains instructions on how to integrate the application
with the public keys infrastructure and how to configure the support of Kerberos.
Installing a certificate
You can install three types of certificates to a user's mobile device:
General certificates for identifying the mobile device.
Mail certificates for configuring the corporate mail on the mobile device.
VPN certificate for setting up access to a virtual private network on the mobile device.
227
To install a certificate on a user's mobile device:
1. In the console tree, open the Mobile Device Management folder and select the
Certificates subfolder.
2. In the workspace of the Certificates folder, click the Add certificate link to run the
Certificate Installation Wizard.
Follow the Wizard's instructions.
After the Wizard completes its activities, a certificate will be created and added to the list of the
user's certificates; in addition, a notification will be sent to the user providing him or her with a link
for downloading and installing the certificate on the mobile device. You can view the list of all
certificates and export it to a file (see the section "Viewing the list of certificates handed to a user"
on page 158). You can delete and re-hand certificates, as well as view their properties.
Configuring certificate handing rules

To configure certificate handing rules:
By default, the Mobile Device Management folder is a subfolder of the Advanced folder.
2. In the workspace of the Certificates folder, click the Configure certificate issuance rules
button to open the Certificate generation rules window.
3. Proceed to the section with the name of a certificate type:
Generation of general type certificates to configure handing of general-type certificates.
Generation of mail certificates to configure handing of mail certificates.
Generation of VPN certificates to configure handing of VPN certificates.
4. In the Generation settings section, configure the handing of the certificate:
Select a source of certificates (Administration Server or Certificates are specified

manually).
Administration Server is selected as the default source of certificates.
Specify a certificate template (Default template, Other template).
228
Configuration of templates is available if the PKI integration section features the
integration with the public keys infrastructure configured (on page 229).
5. In the Automatic update settings section, configure automatic updates of the certificate:
In the Update when certificate expires in (days) field, specify how many days should
remain until the validity term expiration to update the certificate.
To enable automatic updates of certificates, select the Renew certificate

automatically if possible check box.
A general-type certificate can be renewed manually only.
6. In the Encryption settings section, enable and configure encryption of generated

certificates.
Encryption is only available for general-type certificates.
a. Select the Enable encryption of certificates check box.
b. Use the slider to define the maximum number of symbols in the password for
encryption.
7. Click OK.
Integration with the public keys

infrastructure
Integration of the application with the Public Key Infrastructure (PKI) is required to simplify
generation of domain certificates for users. Following integration, certificates are issued
automatically.
You need to configure the account for integration with PKI. The account must meet the following
requirements:
Be a domain user and administrator of the computer hosting the Administration Server.
Be granted the SeServiceLogonRight privilege on the computer hosting the Administration

Server.
229
To create a permanent user profile, log on at least once under the configured account on the
computer hosting the Administration Server. In this user's repository of certificates on the computer
hosting the Administration Server, install the Enrollment Agent certificate provided by domain
administrators.
To configure integration with the public keys infrastructure:

By default, the Mobile Device Management folder is a subfolder of the Advanced folder.
2. In the workspace, click the Integrate with public-key infrastructure button to open the
Integration with PKI section of the Certificate generation rules window.
This opens the Integration with PKI section of the Certificate generation rules window.
3. Select the Integrate issuance of certificates with PKI check box.
4. In the Account field, specify the name of the user account to be used for integration with
the public key infrastructure.
5. In the Password field, enter the domain password for the account.
6. In the Specify certificate template name in PKI system list, select the certificate template
based on which certificates will be generated for domain users.
A dedicated service is launched in Kaspersky Security Center under the specified account.
This service is responsible for issuing domain certificates of users. The service is started
when the list of certificate templates is loaded by clicking the Update list button or when a
certificate is generated.
7. Click OK to save the settings.
Following integration, certificates are issued automatically.
Enabling support of Kerberos Constrained

Delegation
The application supports usage of Kerberos Constrained Delegation.
230
To enable support of Kerberos Constrained Delegation:
1. In the console tree, select the Mobile Device Management folder.
2. In the workspace of the Mobile Device Management folder, select an iOS MDM Mobile
devices server.
3. Select Properties from the context menu of the iOS MDM Mobile devices server.
The Mobile devices server properties window opens.
4. In the properties window of the iOS MDM Mobile Devices Server, select the Settings
section.
5. In the Settings section, select the Ensure compatibility with Kerberos Constrained
Delegation check box.
6. Click OK.
Adding a mobile device to the list of

managed devices
To add a mobile device of a user to the list of managed devices, a shared certificate must be
delivered and installed on the device. Shared certificates are used for identifying mobile devices by
Administration Server. After a shared certificate is delivered and installed on a mobile device, the
latter appears on the list of managed devices. Mobile devices of users are added to the list of
managed devices by means of a Wizard.
Running the Add new device wizard
To run the Add new device wizard:
By default, the User accounts folder is a subfolder of the Advanced folder.
2. Select the account of the user of which you want to add a mobile device to the list of
managed devices.
3. In the context menu of the user account, select Add device.
231
The Add new device wizard starts running. In the Certificate source window of the Wizard,
you have to specify the method of creation of the shared certificate that Administration
Server will use to identify the mobile device. You can specify a shared certificate using any
of the two methods:
Create a shared certificate automatically, by means of Administration Server tools, then

deliver the certificate to the device.
Specify a shared certificate file.
4. In the Device type window, select the method of delivery of the shared certificate to the
device (device adding method):
Within iOS MDM profile. Select this option to connect an iOS device to the
Administration Server via the iOS MDM protocol.
Within installation package of mobile app. Select this option to install Kaspersky
Endpoint Security for Mobile on an Android device, then connect the device to the
Administration Server. Kaspersky Endpoint Security for Mobile published on the
Administration Server is used for installation.
Using Google Play link. Select this option to install Kaspersky Endpoint Security for
Android from Google Play on a KES device, then connect the device to the
Using App Store link. Select this option to install Kaspersky Safe Browser from App
Store on an iOS device, then connect the device to the Administration Server.
Further actions in the Add new device wizard depend on the shared certificate delivery
method you selected (see instructions below).
Adding a device if a shared certificate is delivered within an iOS MDM profile
To deliver a certificate within an iOS MDM profile:
1. In the Device type window of the Wizard, select Within iOS MDM profile.
2. In the iOS MDM Mobile Device Server window of the Wizard, select an iOS MDM Mobile
Device Server.
232
3. In the User notification method window of the Wizard, define settings for mobile device
user notification of certificate creation (with an SMS message or by email).
4. In the Certificate info window of the Wizard, click the Finish button to close the Wizard.
As a result, the iOS MDM profile is automatically published on the Kaspersky Security Center
Web Server. The mobile device user receives a notification with a link for downloading the iOS
MDM profile from the Web Server. The user clicks the link. After that, the device's operating
system prompts the user to accept the installation of the iOS MDM profile. If the user accepts,
the iOS MDM profile will be downloaded to the device. After the iOS MDM profile is
downloaded and the mobile device is synchronized with the Administration Server, the device
is displayed in the Mobile devices folder, which is a subfolder of the Mobile Device
Management folder of the console tree.
To allow the user to proceed to the Kaspersky Security Center Web Server using the link,
connection with the Administration Server over port 8061 must be available on the mobile
device.
Adding a device if a shared certificate is delivered within a mobile app
To deliver a certificate within a mobile app:

1. In the Device type window of the Wizard, select Within installation package of mobile app:
2. In the Installation packages window of the Wizard, select an installation package.
4. In the Certificate info window of the Wizard, click the Finish button to close the Certificate
Installation Wizard.
As a result, the package of Kaspersky Endpoint Security for Android is automatically published
on the Kaspersky Security Center Web Server. The mobile app package contains the app,
settings for connection of the mobile device to the Administration Server, and a certificate. The
mobile device user will receive a notification containing a link for downloading the package from
the Web Server. The user clicks the link. After that, the operating system of the device prompts
the user to accept the iOS MDM profile installation. If the user agrees, the package will be
downloaded on the device. After the package is downloaded and the mobile device is
synchronized with the Administration Server, the device is displayed in the Mobile devices
folder, which is a subfolder of the Mobile Device Management folder of the console tree.
233
Adding a device if a shared certificate is delivered using a Google Play link
To deliver a certificate using a Google Play link:
1. In the Device type window of the Wizard, select Link to Google Play.
After the Wizard finishes its activities, a link and a QR code will be sent to the mobile device of
the user thus allowing him or her to download Kaspersky Endpoint Security for Android. The
user clicks the link or scans the QR code. After that, the operating system of the device
prompts the user to accept Kaspersky Endpoint Security for Android installation. After
Kaspersky Endpoint Security for Android is downloaded and installed, the mobile device
connects to the Administration Server and downloads a shared certificate. After the certificate
is installed on the mobile device, the latter is displayed in the Mobile devices folder, which is a
subfolder of the Mobile Device Management folder of the console tree.
Adding a device if a shared certificate is delivered using a link to App Store
To deliver a shared certificate to a device using a link to App Store:
1. In the Device type window of the Wizard, select Link to App Store.
2. In the User notification method window of the Wizard, define the settings for notification
of the mobile device user of certificate creation with an SMS message or by email.
After the Wizard finishes its activities, a link and a QR code will be sent to the user device thus
allowing him or her to download Kaspersky Safe Browser from App Store. The user clicks the
link or scans the QR code. After that, the operating system of the device prompts the user to
accept Kaspersky Safe Browser installation. The user installs Kaspersky Safe Browser on the
mobile device. When Kaspersky Safe Browser is installed, the user rescans the QR code to
retrieve the Administration Server connection settings. When the QR code is rescanned in Safe
Browser, the user retrieves the Administration Server connection settings and a shared
234
certificate. The mobile device connects to the Administration Server and downloads a shared
certificate. After the certificate is installed on the mobile device, the latter is displayed in the
Mobile devices folder, which is a subfolder of the Mobile Device Management folder of the
console tree.
If Kaspersky Safe Browser has been previously installed on the mobile device, the user
has to enter the settings for connection to the Administration Server on his or her own. In
this case, Kaspersky Safe Browser will not be downloaded and installed.
Managing Exchange ActiveSync mobile

devices
This section describes advanced features for management of EAS devices through Kaspersky
Security Center.
In addition to management of EAS devices by means of commands, the administrator can use the
following options:
Create management profiles for EAS devices, assign them to users' mailboxes (see
page 236). EAS device management profile is a policy of Exchange ActiveSync that is used
on a Microsoft Exchange server to manage EAS devices. In an EAS device management
profile, you can configure the following groups of settings:
User password management settings.
Mail synchronization settings.
Restrictions on the use of the device features.
Restrictions on the use of mobile applications on the device.
Depending on the device model, settings of a management profile can be applied

partially. The status of an Exchange ActiveSync policy that has been applied can be
viewed in the device's properties.
235
View information about the settings of EAS device management (see page 238). For
example, the administrator can refer to the properties of a mobile device to know the time of
the last synchronization with a Microsoft Exchange server, the ID of the EAS device, the
name of the Exchange ActiveSync policy, and its current status on the device.
Disconnect EAS devices from management if they are out of use (see page 239).
Define the settings of Active Directory polling by Exchange ActiveSync Mobile Device
Server, which allows updating the information about users' mailboxes and mobile devices.
For information about how to connect Exchange ActiveSync mobile devices to Exchange
ActiveSync mobile devices server, refer to the Kaspersky Security Center Implementation Guide.
Adding a management profile

To manage EAS devices, you can create EAS device management profiles and assign them to
selected Microsoft Exchange mailboxes.
Only one EAS device management profile can be assigned to a Microsoft Exchange mailbox.
To add an EAS device management profile for a Microsoft Exchange mailbox:
Device Server.
3. Select Properties in the context menu of the Exchange ActiveSync Mobile Device Server.
4. In the properties window of the Exchange ActiveSync Mobile Devices Server, select the
Mailboxes section.
5. Select a mailbox and click the Assign profile button.
The Policy profiles window opens.
6. In the Policy profiles window, click the Add button.
The New profile window opens.
236
7. Configure the profile on the tabs of the New profile window.
If you want to specify the profile name and the refreshing interval, select the General tab.
If you want to configure the password of the mobile device user, select the Password tab.
If you want to configure synchronization with the Microsoft Exchange server, select the
Synchronization settings tab.
If you want to configure restrictions of the device features, select the Device tab.
If you want to configure restriction of the use of mobile applications on the device, select
the Applications on device tab.
8. Click OK.
The new profile will be displayed on the list of profiles in the Policy profiles window.
If you want this profile to be automatically assigned to new mailboxes, as well as to those of
which the profiles have been deleted, select it on the list of profiles and click the Set as
default profile button.
The default profile cannot be deleted. To delete the current default profile, you should
assign the "default profile" attribute to a different profile.
9. Click OK in the Policy profiles window.
The management profile settings will be applied on the EAS device at the next
synchronization of the device with the Exchange ActiveSync Mobile device server.
Deleting a management profile

To delete an EAS device management profile for a Microsoft Exchange mailbox:
Device Server.
237
3. Select Properties in the context menu of the Exchange ActiveSync Mobile Device Server.
4. In the properties window of the Exchange ActiveSync Mobile Devices Server, select the
Mailboxes section.
5. Select a mailbox and click the Change profiles button.
The Policy profiles window opens.
6. In the Policy profiles window, select the profile that you want to delete and click the
deletion button marked with a red cross.
The selected profile will be removed from the list of management profiles. The current
default profile will be applied to EAS devices managed by the profile that has been deleted.
If you want to delete the current default profile, re-assign the 'default profile' property to
another profile, then delete the first one.
Viewing information about an EAS device

To view information about an EAS device:
subfolder.
2. In the workspace, filter EAS devices by clicking the Exchange ActiveSync (EAS) link.
3. From the context menu of the mobile device select Properties.
As a result, the properties window of the EAS device opens.
The properties window of the mobile device displays information about the connected EAS device.
238
Disconnecting an EAS device from
management
To disconnect an EAS device from management by the Exchange ActiveSync Mobile
Device Server:
subfolder.
2. In the workspace, filter EAS devices by clicking the Exchange ActiveSync (EAS) link.
3. Select the mobile device that you need to disconnect from management by the Exchange
ActiveSync Mobile Device Server.
4. In the context menu of the mobile device, select Remove.
As a result, the EAS device is marked for removal with a red cross icon. The device is removed
from the list of managed devices after it is removed from the database of the Exchange
ActiveSync Mobile Device Server. To do so, the administrator has to remove the user's account
on the Microsoft Exchange server.
Managing iOS MDM mobile devices

This section describes advanced features for management of iOS MDM devices through
Kaspersky Security Center. The application supports the following options for management of iOS
MDM mobile devices:
Define the settings of managed iOS MDM devices in centralized mode and restrict features
of devices by means of configuration profiles. You can add or modify configuration profiles
and install them on mobile devices.
Install apps on mobile devices bypassing App Store by means of provisioning profiles. For
example, you can use provisioning profiles for installation of in-house corporate apps on
users' devices. A provisioning profile contains information about an app and a device.
Install apps on an iOS MDM mobile device via App Store. Before installing an application to
an iOS MDM mobile device, you should add the application to the iOS MDM mobile devices
server.
239
Every 24 hours, a PUSH notification is sent to all connected iOS MDM mobile devices in order to
synchronize the data with the iOS MDM Mobile Device Server.
For information about how to install an iOS MDM Mobile Device Server please refer to the
Kaspersky Security Center Implementation Guide.
You can use the device properties window to view information about the configuration profile and
the provisioning profile, as well as applications installed on the iOS MDM device (see the section
"Viewing information about an iOS MDM device" on page 252).
Issuing a certificate for an iOS MDM profile

You can issue a certificate for an iOS MDM profile to allow a mobile device to verify it.
To create an iOS MDM profile certificate:

subfolder.
The Mobile Device Management folder is a subfolder of the Advanced folder by default.
2. In the context menu of the Mobile devices folder, select Properties.
3. In the properties window of the folder, select the Connection settings for iOS devices
section.
4. Click the Specify button next to the Select certificate field.
5. In the Certificate type field, specify the public or private certificate type:
If the PKCS#12 container value is selected, specify the certificate file and the password.
If the X.509 certificate value is selected:
6. Click OK.
As a result, the iOS MDM profile certificate is issued.
240
Adding a configuration profile
To create a configuration profile, you should install iPhone Configuration Utility to the computer
where Administration Console is installed. You should download iPhone Configuration Utility
from Apple Inc. website and install it by using standard tools of your operating system.
To create a configuration profile and add it to an iOS MDM Mobile devices server:
devices server.
4. In the properties window of the iOS MDM Mobile devices server, select the
Configuration profiles section.
5. In the Configuration profiles section, click the Create button.
The Add new configuration profile window opens.
6. In the Add new configuration profile window, specify a name and ID for the profile.
The configuration profile ID should be unique; the value should be specified in Reverse-
DNS format, for example, com.companyname.identifier.
7. Click OK.
An application named iPhone Configuration Utility then starts.
8. Reconfigure the profile in iPhone Configuration Utility.
For a description of the profile settings and instructions on how to configure the profile,
please refer to the documentation enclosed with iPhone Configuration Utility.
241
After you have configured the profile with iPhone Configuration Utility, the new configuration
profile is displayed in the Configuration profiles section in the properties window of the iOS
MDM Mobile devices server.
You can click the Modify button to modify the configuration profile.
You can click the Import button to load the configuration profile to a program.
You can click the Export button to save the configuration profile to a file.
The profile that you have created should be installed on iOS MDM devices (see the section
"Installing a configuration profile on a device" on page 242).
Installing a configuration profile to a device

To install a configuration profile to a mobile device:
subfolder.
2. In the workspace, filter iOS MDM devices by clicking the iOS MDM link.
3. Select the user's mobile device on which you need to install a configuration profile.
You can select multiple mobile devices to install the profile simultaneously.
5. In the Commands for mobile devices management window, go to the Install profile
section and click the Send command button.
You can also send the command to the device by selecting All commands in the context
menu of the device, and then Install profile.
As a result, the Select profiles window opens showing a list of profiles. Select from the list
the profile that you need to install on the mobile device. You can select several profiles to
install them on the device simultaneously. To select the range of profiles, use the SHIFT
key. To combine profiles into a group, use the CTRL key.
242
6. Click the OK button to send the command to the mobile device.
When the command is executed, the selected configuration profile will be installed on the
user's mobile device. If the command is successfully executed, the current status of the
command in the commands log will be shown as Done.
again.
commands.
The profile that you have installed can be viewed and removed, if necessary (see the section
"Removing a configuration profile from a device" on page 243).
Removing a configuration profile from a

device
To remove a configuration profile from a mobile device:
subfolder.
3. Select the user's mobile device from which you need to remove the configuration profile.
You can select multiple mobile devices to remove the profile simultaneously.
243
5. In the Commands for mobile devices management window, go to the Remove profile
section and click the Send command button.
You can also send the command to the mobile device by selecting All commands from the
context menu of the device, then selecting Remove profile.
As a result, the Remove profiles window opens showing the list of profiles.
6. Select from the list the profile that you need to remove from the mobile device. You can
select multiple profiles to remove them from the device simultaneously. To select the range
of profiles, use the SHIFT key. To combine profiles into a group, use the CTRL key.
When the command is executed, the selected configuration profile will be removed from the
user's mobile device. If the command is executed successfully, the current status of the
command will be shown as Completed.
again.
commands.
Adding provisioning profile

To add a provisioning profile to iOS MDM mobile devices server:
devices server.
244
4. In the properties window of the iOS MDM Mobile Devices Server, go to the Provisioning
profiles section.
5. In the Provisioning profiles section, click the Import button and specify the path to a
provisioning profile file.
The profile will be added to the iOS MDM mobile devices server settings.
You can click the Export button to save the provisioning profile to a file.
The provisioning profile that you have imported can be installed on iOS MDM devices (see the
section "Installing a provisioning profile on a device" on page 245).
Installing a provisioning profile to a device

To install a provisioning profile on a mobile device:
subfolder.
3. Select the user's mobile device on which you need to install the provisioning profile.
You can select multiple mobile devices to install the provisioning profile simultaneously.
5. In the Commands for mobile devices management window, go to the Install

provisioning profile section and click the Send command button.
You can also send the command to the device by selecting All commands from the
context menu of the device, then selecting Install provisioning profile.
245
As a result, the Select provisioning profiles window opens showing a list of provisioning
profiles. Select from the list the provisioning profile that you need to install on the mobile
device. You can select multiple provisioning profiles to install them on the device
simultaneously. To select the range of provisioning profiles, use the SHIFT key. To
combine provisioning profiles into a group, use the CTRL key.
When the command is executed, the selected provisioning profile will be installed on the
user's mobile device. If the command is successfully executed, the current status of the
command in the commands log will be shown as Completed.
again.
commands.
The profile that you have installed can be viewed and removed, if necessary (see the section
"Removing a provisioning profile from a device" on page 246).
Removing a provisioning profile from a

device
To remove a provisioning profile from a mobile device:
subfolder.
246
3. Select the user's mobile device from which you need to remove the provisioning profile.
You can select multiple mobile devices to remove the provisioning profile simultaneously.
5. In the Commands for mobile devices management window, go to the Delete

provisioning profile section and click the Send command button.
context menu, then selecting Delete provisioning profile.
As a result, the Remove provisioning profiles window opens showing the list of profiles.
6. Select from the list the provisioning profile that you need to remove from the mobile device.
You can select multiple provisioning profiles to remove them from the device
simultaneously. To select the range of provisioning profiles, use the SHIFT key. To
combine provisioning profiles into a group, use the CTRL key.
When the command is executed, the selected provisioning profile will be removed from the
user's mobile device. Applications that are related to the deleted provisioning profile will not
be operable. If the command is executed successfully, the current status of the command
will be shown as Completed.
again.
commands.
247
Adding a managed application
Before installing an application to an iOS MDM mobile device, you should add the application to
the iOS MDM mobile devices server. An application is considered as managed if it has been
installed on a device via Kaspersky Security Center. A managed application can be handled
remotely by means of Kaspersky Security Center.
To add a managed application to an iOS MDM mobile devices server:
2. Select an iOS MDM Mobile Device Server.
The properties window of the iOS MDM mobile device server opens.
4. In the properties window of the iOS MDM mobile devices server select the Managed
applications section.
5. Click the Add button in the Managed applications section.
The Add an application window opens.
6. In the Add an application window, in the Application name field, specify the name of the
application to be added.
7. In the Apple ID or link to the app field, specify the Apple ID of the application to be added,
or specify a link to a manifest file that can be used to download the application.
8. If you want a managed application to be removed from the user's mobile device along with
the iOS MDM profile when removing the latter, select the Remove together with iOS MDM
profile check box.
9. If you want to block backup of application data through iTunes, select the Block data
backup check box.
10. Click OK.
The added application is displayed in the Managed applications section of the properties
window of the iOS MDM mobile devices server.
248
Installing an application on a device
To install an application on an iOS MDM mobile device:
subfolder.
2. Select the iOS MDM device on which you want to install an application.
You can select multiple mobile devices to install the application simultaneously.
4. In the Mobile device management commands window, go to the Install app section and
click the Send command button.
menu of the device, and then Install app.
As a result, the Select apps window opens showing a list of profiles. Select from the list the
application that you need to install on the mobile device. You can select multiple
applications to install them simultaneously. To select a range of applications, use the
SHIFT key. To combine applications into a group, use the CTRL key.
When the command is executed, the selected application will be installed on the user's
mobile device. If the command is successfully executed, its current status in the command
log will be shown as Completed.
again. You can click the Remove from queue button to cancel execution of a command
that had been sent if the latter has not yet been executed.
commands.
249
Information about the installed application is displayed in the properties of the iOS MDM mobile
device (see section "Viewing information about an iOS MDM device" on page 252). You can
remove an application from a mobile device using the command log or from the context menu
of the device (see section "Removing an application from a device" on page 250).
Removing an application from a device

To remove an application from a mobile device:
subfolder.
3. Select the user's mobile device from which you need to remove the application.
You can select multiple mobile devices to remove the application simultaneously.
5. In the Mobile device management commands window, go to the Remove app section
and click the Send command button.
context menu of the device, then selecting Remove app.
As a result, the Remove apps window opens showing a list of applications.
6. Select from the list the application that you need to remove from the mobile device. You
can select multiple applications to remove them simultaneously. To select a range of
applications, use the SHIFT key. To combine applications into a group, use the CTRL key.
When the command is executed, the selected application will be removed from the user's
mobile device. If the command is executed successfully, the current status of the command
will be shown as Completed.
250
again.
commands.
Installing Kaspersky Safe Browser on a

device
To install Kaspersky Safe Browser on an iOS MDM mobile device:
subfolder.
The workspace of the Mobile Device Management folder displays a list of managed
mobile devices.
2. Select the iOS MDM device on which you need to install Kaspersky Safe Browser.
You can select multiple mobile devices to install Kaspersky Safe Browser simultaneously.
4. In the Mobile device management commands window, go to the Install Kaspersky Safe
Browser section and click the Send command button.
menu of the device, and then Install Kaspersky Safe Browser.
When the command is executed, Kaspersky Safe Browser will be installed on the user's
mobile device. If the command is successfully executed, its current status in the command
log will be shown as Completed.
251
again. You can click the Remove from queue button to cancel execution of a command
that had been sent if the latter has not yet been executed.
commands.
Information about Kaspersky Safe Browser installed is displayed in the properties of the iOS
MDM mobile device (see section "Viewing information about an iOS MDM device" on
page 252). You can remove an application from a mobile device using the command log or
from the context menu of the device (see section "Removing an application from a device" on
page 250).
Viewing information about an iOS MDM

device
To view information about an iOS MDM device:
subfolder.
3. Select the mobile device about which you need to view information.
As a result, the properties window of the iOS MDM device opens.
The properties window of the mobile device displays information about the connected iOS MDM
device.
252
Disconnecting an iOS MDM device from
management
To disconnect an iOS MDM device from the iOS MDM Mobile Device Server:
subfolder.
3. Select the mobile device that you need to disconnect.
As a result, the iOS MDM device will be marked on the list for removal. The device will be
automatically removed from the list of managed devices after the former is removed from the
database of the iOS MDM Mobile Device Server. Removing a device from the database of the
iOS MDM Mobile Device Server takes up to one minute.
After the iOS MDM device is disconnected from management, all installed configuration profiles,
the iOS MDM profile, and applications for which the Remove together with iOS MDM profile
check box has been installed, will be removed from the device (see the section "Adding a
managed application" on page 248).
Managing KES devices

Kaspersky Security Center supports the following mobile KES device management features:
Manage KES devices in centralized mode by means of commands (see the section
"Commands for mobile devices management" on page 221).
View information about the settings for management of KES devices (see the section
"Viewing information about a KES device" on page 255).
Install applications by means of packages of mobile applications (see the section "Creating
a mobile app package for KES devices" on page 254).
Disconnect KES devices from management (see the section "Disconnecting a KES device
from management" on page 256).
253
For detailed information about how to handle KES devices and connect them to Administration
Server please refer to the Kaspersky Security Center 10 Implementation Guide.
Creating a mobile app package for KES

devices
A Kaspersky Endpoint Security 10 for Mobile Devices license is required to create a mobile
app package for KES devices.
To create a mobile applications package:
subfolder.
2. In the workspace of the Installation packages folder, click the Manage packages of
mobile applications link to open the Mobile applications packages management
window.
3. In the Mobile applications packages management window, click the New.
4. The Mobile Applications Package Creation Wizard starts. Follow the Wizard's instructions.
5. If you want to place an application into a container, in the Settings window of the Wizard,
select the Create container with selected application check box.
The newly created mobile applications package is displayed in the Mobile applications
packages management window.
Containers are used to control activities of applications running on the user's mobile device.
Security policy rules can be applied to applications placed into a container. You can configure
rules for applications in the properties window of the policy of Kaspersky Endpoint Security 10 for
Mobile, in the Containers section. For more details on containers and how to manage them,
please refer to the documentation enclosed with Kaspersky Endpoint Security 10 for Mobile.
You can place a third-party app in a container. You cannot place the Kaspersky Endpoint
Security 10 for Mobile installation package into a container.
254
Enabling two-factor authentication of KES
devices
To enable two-factor authentication of a KES device:
1. Open the system registry of the client computer on which Administration Server is installed
(for example, locally, using the regedit command in the Start Run menu).
\.core\.independent\KLLIM
HKLM\Software\KasperskyLab\Components\34\.core\.independent\KLLIM
3. Create a key with the LP_MobileMustUseTwoWayAuthOnPort13292 name.
4. Specify REG_DWORD as the key type.
5. Set the key value on 1.
As a result, mandatory two-factor authentication of the KES device using a shared certificate
will be enabled after you run the Administration Server service.
The first connection of the KES device to the Administration Server does not require a
certificate.
By default, two-factor authentication of KES devices is disabled.
Viewing information about a KES device

To view information about a KES device:
subfolder.
2. In the workspace, filter KES devices by clicking the Kaspersky Endpoint Security (KES) link.
255
3. Select the mobile device about which the information you need to view.
This opens the properties window of the KES device.
The properties window of the mobile device displays information about the connected KES device.
Disconnecting a KES device from

management
To disconnect a KES device from management, the user has to remove Network Agent from the
device. Once the user has removed Network Agent, device information is removed from the
database of the Administration Server, and the administrator can remove the device from the list of
managed devices.
To remove a KES device from the list of managed devices:
subfolder.
2. In the workspace, filter KES devices by clicking the Kaspersky Endpoint Security (KES) link.
3. Select the mobile device that you need to disconnect from management.
As a result, the device is removed from the list of managed devices.
If Kaspersky Endpoint Security for Android has not been removed from the device, the device
reappears on the list of managed devices after synchronization with the Administration Server.
256
Self Service Portal
This section contains information about Self Service Portal. The section provides Self Service
Portal login instructions for users as well as instructions on creating Self Service Portal accounts
and adding mobile devices on Self Service Portal.
In this section:
About Self Service Portal ........................................................................................................ 257
Adding a device ...................................................................................................................... 260
Creating an account for Self Service Portal ............................................................................. 261
About Self Service Portal

Self Service Portal is a web portal that lets the administrator delegate some of the mobile device
management functions to users. A mobile device user who has signed in on Self Service Portal
can add a device on Self Service Portal. When you add a device, an iOS MDM profile is installed
on iOS MDM devices, while Kaspersky Endpoint Security for Android is installed on KES devices,
after which corporate policies are applied to each device (see the section "Adding a device" on
page 260). After this the device becomes a managed device.
Self Service Portal supports automatic user authorization using Kerberos Constrained Delegation
and domain authorization.
Self Service Portal supports mobile devices with the iOS and Android operating systems.
The user can perform the following actions on Self Service Portal:
Download apps from the corporate Application Shop. Apps must be preliminarily added to
the corporate Application Shop in Kaspersky Security Center Web Console. For more
details on how to add apps to the Application Shop please refer to the Kaspersky Security
Center Web Console User Guide. To upload apps to Self Service Portal, the user must
select the Applications tab in the Self Service Portal window.
Send commands to a managed device on his or her own, for example, in case the device is
lost or stolen. To send commands to the user, you must select the Devices tab in the Self
Service Portal window. A proprietary set of commands is supported for each type of device
(see the following table).
Unlock the device on his or her own by clicking the Show unlock code link if it had been
locked.
Table 3. List of supported commands
Mobile device Commands Command execution result

type
iOS MDM device Lock Device locked.
Delete data All data has been deleted from the device, settings
have been rolled back to the default values, and
the device is no longer managed.
Delete corporate data Corporate data, iOS MDM profile, and Network
Agent have been deleted, and the device is no
longer managed.
KES device Lock Device locked.
Delete data All data has been deleted from the device, settings
have been rolled back to the default values, and
the device is no longer managed.
Delete corporate data Corporate data, iOS MDM profile, and Network
Agent have been deleted, and the device is no
longer managed.
Self Service Portal
258
Mobile device Commands Command execution result
type
Locate Device locked. Device located and shown on

Google Maps. The mobile carrier charges a fee for
sending the text message and for providing
Internet connection.
Alarm Device locked. The device emits a sound signal.
Mugshot Device locked. The photo has been taken by the

front camera of the device and saved on
Administration Server. Photos can be viewed in
the command log on Self Service Portal. The
mobile carrier charges a fee for sending the text
message and for providing Internet connection.
Self Service Portal uses the global list of Kaspersky Security Center users. The list is expanded
automatically when importing users from Active Directory (see the section "Viewing and modifying
Active Directory group properties" on page 176) or manually (see the section "Adding a user
account" on page 151).
If domain authorization on Self Service Portal is prohibited by the administrator, users can use
alias accounts for authorization. Creating aliases for authentication on Self Service Portal is
available in the properties of user accounts (see the section "Creating a Self Service Portal
account" on page 261).
The administrator can grant users the following Self Service Portal usage permissions:
Reading.
Change.
Connect new devices.
Send only information commands (which do not affect the device status).
Take mugshot and Locate are information commands.
Send commands to mobile devices.
Self Service Portal
259
Adding a device
Before adding a device on the Self Service Portal, the user has to accept the Self Service Portal
End User License Agreement and sign in on the portal.
The algorithm of adding a user device to Self Service Portal includes the following steps:
1. The user opens the main page of the portal.
2. Self Service Portal creates an installation package and then displays a one-time link for
downloading the installation package and a QR code in which the link is encoded. The
screen shows the time interval during which a link for downloading the installation package
will be available. A message with a link for downloading the installation package is sent to
the user's email address.
The installation package is required to install Network Agent on the device and apply
corporate policies.
A new installation package can be created only after the previously created package
has been removed from Administration Server.
3. By clicking the Create package to install on new device link, the user is taken to the
installation package download page on the mobile device to be added to Self Service
Portal.
4. Self Service Portal determines the operating system of the user device.
If the device operating system could be determined automatically, the installation package
download page opens. If the device operating system could not be determined
automatically, a window opens letting the user choose an operating system manually.
5. The user downloads the installation package and installs Network Agent on the mobile
device.
6. After Network Agent has been installed, the device connects to Administration Server.
Self Service Portal
260
As a result, the device will be added to the list of managed devices and the corporate policies
will be applied to it. A link to information about connecting to the Administration Server is sent
to the user's email address.
Creating an account for Self Service

Portal
If the use of domain authorization of users on Self Service Portal is forbidden, you can create alias
accounts for users in the Administration Console. Users can log on to Self Service Portal using
alias accounts.
To provide a Self Service Portal account (alias account) to a user:
1. In the console tree, in the User accounts folder, select a user account.
2. In the context menu of the user account, select Grant an account for accessing Self
Service Portal.
3. In the properties window of the user account, in the Self Service Portal accounts section,
click the Add button.
You can click the Add button to create several Self Service Portal alias accounts.
4. In the New Self Service Portal account window, specify the user name and the method of
user notification, and then click OK.
The password for the Self Service Portal account is generated automatically. The user will
be sent a notification by email or to a mobile device, which reports that the account is
created and contains the user name and password.
As a result, the Self Service Portal account will be created. You can create an unlimited
number of Self Service Portal accounts for a single user. After a Self Service Portal account
has been created, it cannot be modified. However, you can delete a selected account by
clicking the button with a red cross on the right of the list of Self Service Portal accounts.
Self Service Portal
261
To modify a Self Service Portal account:
1. In the properties window of a user account, in the Self Service Portal accounts section,
select a Self Service Portal account and click the Set new password button.
2. In the Generate new password for Self Service Portal account window, specify a method of
user notification and click the OK button.
As a result, the password will be changed. A notification of the password change will be sent to
the user's email or mobile device.
You can click the Set new password button to generate a new password for a selected Self
Service Portal account. The password will be created automatically. The new password for Self
Service Portal will be sent to the user's email or cell phone.
Self Service Portal
262
Encryption and data protection
Encryption reduces the risk of unintentional data leakage in case your notebook, removable drive
or hard drive is stolen/lost, or upon the access of unauthorized users and applications.
Kaspersky Endpoint Security 10 for Windows provides encryption functionality. Kaspersky

Endpoint Security 10 for Windows allows you to encrypt files stored on local drives of a computer
and removable drives, as well as removable storage media and hard drives entirely.
Encryption rules are configured through Kaspersky Security Center by defining policies. Encryption
and decryption upon existing rules are performed when applying a policy.
Availability of the encryption management feature is determined by the user interface settings
(see the section "Configuring the interface on page 54).
The administrator can perform the following actions:
Configure and perform files encryption and decryption on computer local drives.
Configure and perform files encryption on removable drives.
Create application's rules of access to encrypted files.
Create and deliver to user key file for access to encrypted files if file encryption is restricted
on the user's computer.
Configure and perform hard drive encryption.
Manage user access to encrypted hard drives and removable drives (manage
authentication agent accounts, create and deliver to users information on request for
account name and password restoration, as well as access keys for encrypted devices).
View encryption statuses and files encryption reports.

These operations are performed using tools integrated into Kaspersky Endpoint Security 10 for
Windows. For detailed instructions on how to perform operations and a description of encryption
features please refer to the Kaspersky Endpoint Security 10 for Windows Administrator's Guide.
In this section:
Viewing the list of encrypted devices ....................................................................................... 264
Viewing the list of encryption events........................................................................................ 265
Exporting the list of encryption events to a text file .................................................................. 266
Creating and viewing encryption reports ................................................................................. 266
Viewing the list of encrypted devices

To view the list of devices storing encrypted information:
1. Select the Data encryption and protection folder in the console tree of Administration
Server.
2. Open the list of encrypted devices using one of the following methods:
By clicking the Go to list of encrypted devices link in the Manage encrypted devices
section.
In the console tree select the Encrypted devices folder.
As a result, the workspace displays information about devices on the network storing encrypted
files, and about devices encrypted at the drive level. After the information on a device is decrypted,
the device is automatically removed from the list.
You can sort the information in the list of devices either in ascending or descending order in any
column.
Presence or absence of the Encryption and data protection folder in the console tree is
determined by the user interface settings (see the section "Configuring the interface on
page 54).
264
Viewing the list of encryption events
When running data encryption and decryption tasks on client computers, Kaspersky Endpoint
Security 10 for Windows sends to Kaspersky Security Center information about events of the
following types:
Cannot encrypt/decrypt a file, or create an encrypted archive due to a lack of free disk
space.
Cannot encrypt/decrypt a file, or create an encrypted archive due to license issues.
Cannot encrypt/decrypt a file, or create an encrypted archive due to missing access rights.
The application has been prohibited to access an encrypted file.
Unknown errors.
To view a list of events that have occurred when encrypting data on client computers:
1. Select the Data encryption and protection folder in the console tree of Administration
Server.
2. Go to the list of events occurring during encryption, using one of the following methods:
By clicking the Go to error list link in the Data encryption errors control section.
In the console tree select the Encryption events folder.
As a result, the workspace displays information about problems that have occurred during data
encryption on client computers.
You can take the following actions on the list of encryption events:
Sort data records in ascending or descending order in any of the columns.
Perform quick search for records (by text match with a substring in any of the list fields).
Export the list of events to a text file.
Presence or absence of the Encryption and data protection folder in the console tree is
determined by the user interface settings (see the section "Configuring the interface on page 54).
265
Exporting the list of encryption events
to a text file
To export the list of encryption events to a text file:
1. Create a list of encryption events (see the section "Viewing the list of encryption events on
page 265).
2. From the context menu of the events list select Export list.
The Export list window opens.
3. In the Export list window specify the name of the text file with the events list, select a
folder to save it, and click the Save button.
The list of encryption events will be saved to the file that you have specified.
Creating and viewing encryption reports

The administrator can generate the following reports:
Report on devices encryption containing information about the devices encryption status for
all groups of computers.
Report on rights of access to encrypted devices containing information about the status of
the accounts of users who have been granted access to encrypted devices.
Report on encryption errors containing information about errors that have occurred when
running data encryption and decryption tasks on client computers.
Report on the status of computer encryption containing information about whether the
status of computer encryption meets the encryption policy.
Report on file access blocking containing information about blocking applications' access to
encrypted files.
266
To view the report on devices encryption:
1. In the console tree select the Data encryption and protection folder.
Click the View devices encryption report link to run the New Report Template Wizard.
Select the Encrypted devices subfolder, then click the View devices encryption
report link to run the New Report Template Wizard.
3. Follow the instructions of the New Report Template Wizard.
In the Reports and notifications folder of the console tree a new report appears. The report
generation process starts. The report is displayed in the console workspace.
To view the report on rights of access to encrypted devices:
Click the View report on rights of access to encrypted devices link in the Manage
encrypted devices section to run the New Report Template Wizard.
Select the Encrypted devices subfolder, then click the View report on rights of
access to encrypted devices link to run the New Report Template Wizard.
To view the report on encryption errors:
Click the View report on encryption errors link in the Data encryption errors control
section to run the New Report Template Wizard.
267
Select the Encryption events subfolder, then click the View report on encryption
errors link to run the New Report Template Wizard.
To view the report on the status of computer encryption:
1. In the console tree, select the Reports and notifications folder.
Right-click to activate the context menu of the Reports and notifications folder, select
Create Report template, and run the New Report Template Wizard.
Click the Create a report template link to run the New Report Template Wizard.
3. Follow the instructions of the New Report Template Wizard. In the Selecting the report
template type window, in the Others section select Computer encryption status report.
After you have finished with the New Report Template Wizard, a new report template
appears in the Reports and notifications folder of the console tree.
4. In the Reports and notifications folder select the report template created at the previous
steps.
The report generation process starts. The report appears in the workspace of the
For information about whether the encryption statuses of computers and removable media meet
the encryption policy, view information panes on the Statistics tab of the Reports and
notifications folder (see the section "Working with the statistical information on page 162).
268
To view the file access blocking report:
1. In the console tree, select the Reports and notifications folder.
Right-click to activate the context menu of the Reports and notifications folder, select
Create Report template, and run the New Report Template Wizard.
Click the Create a report template link to run the New Report Template Wizard.
3. Follow the instructions of the New Report Template Wizard. In the Selecting the report
template type window, in the Others section select Report on access blockage to files.
After you have finished with the New Report Template Wizard, a new report template
appears in the Reports and notifications folder of the console tree.
4. In the Reports and notifications folder select the report template created at the previous
steps.
The report generation process starts. The report appears in the workspace of the
269
Managing devices access to an
organization's network (Network
Access Control, NAC)
Kaspersky Security Center allows controlling access of devices to an organization's network using
access restriction rules and a white list of devices. NAC agents are used to manage access of
devices to an organization's network. An NAC agent is installed to client computers together with
Network Agent.
Two NAC agents are used in each of the broadcast segments of a network: main and redundant.
The main NAC agent is available for regular use of network access policies. When the computer
hosting the main NAC agent is shut down, the redundant NAC agent takes its functions, which
ensures a continuous operation of NAC on the organization's network. Roles of NAC agents can
be deployed and distributed either manually or automatically.
Before creating network access restriction rules for devices and a white list of devices, the
administrator should create network elements. Network element is a group of devices created on
the basis of criteria defined by the administrator.
The administrator can specify the following criteria for adding devices to a network element:
network attributes (IP address, MAC address);
device manufacturer;
device's membership in a domain;
device protection status;
presence of non-installed critical application updates and security updates on the device.
When a network element is created, the administrator can create access restriction rules for it or
add it to a white list.
The administrator can create the following network access restriction rules:
A rule that blocks network access for all devices included in the network element.
A rule that redirects to the authorization portal any request of network access generated by
any device included in the network element. Authorization portal is a web service that
provides network access to guest devices. The administrator creates accounts and assigns
them to the users of guest devices.
A rule that allows devices included in the network element to access the specified network
addresses only.
The administrator can select a network element and add it to the white list. Devices included in the
white list are provided full access to the organization's network.
In this section:
Switching to the NAC settings in the Network Agent properties ............................................... 272
Selecting an operation mode for the NAC agent ..................................................................... 272
Creating network elements...................................................................................................... 273
Creating network access restriction rules ................................................................................ 274
Creating a white list ................................................................................................................. 275
Creating a list of allowed network addresses........................................................................... 276
Creating accounts to use on the authorization portal ............................................................... 277
Configuring the authorization page interface ........................................................................... 277
Configuring NAC in a Network Agent policy ............................................................................ 278
Managing devices access to an organization's network (Network Access Control, NAC)
271
Switching to the NAC settings in the
Network Agent properties
To switch to the NAC settings in the properties of Network Agent:
2. In the Managed computers folder on the Computers tab select a client computer where
Network Agent is installed.
3. In the context menu of the client computer, select Properties.
A client computer properties window opens.
4. In the client computer properties window, select the Applications section.
5. In the Applications section select Network Agent and click the Properties button.
The Settings of Kaspersky Security Center Network Agent window opens.
6. In the Settings of Network Agent of Kaspersky Security Center window select the
Network Access Control (NAC) section and adjust the NAC settings.
Selecting an operation mode for the

NAC agent
To select an operation mode for the NAC agent:
1. In the Settings of Kaspersky Security Center Network Agent window (see the section
"Switching to the NAC settings in the Network Agent properties on page 272), select
the Managing network access (NAC) section.
2. In the Settings subsection, in the NAC agent operation mode group of settings select an
operation mode for the NAC agent:
Disabled. Select this option to disable the NAC agent.
272
Main. Select this option to use the NAC agent as the main one. The main NAC agent is
responsible for continuous use of access restriction rules in the network segment.
Standby. Select this option to use the NAC agent as the standby one. If the main NAC
agent is inactive, the standby one enables.
3. In the NAC operation mode block of settings select an operation mode for NAC:
Disabled. Select this option if you do not want to apply the access restriction rules in
the network segment in which the NAC agent operates.
Standard. Select this option if you want the created access restriction rules to take
effect immediately in the network segment in which the NAC agent operates.
Emulation. Select this option if you want the created access restriction rules apply in
test mode. In this case, no rule is applied, but the rule applying event is logged.
Creating network elements

To create a network element:
"Switching to the NAC settings in the Network Agent properties on page 272), in the
Managing network access (NAC) section, select the Network elements subsection.
2. From the Add dropdown list select the type of devices that you want to add to the network
element (for example, computers).
The Creating network element window opens.
3. In the Creating network element window enter a name for the network element that you
are creating.
From the Add dropdown list select criteria, which should define whether a network device
will be included in the network element that you are creating:
By network attributes. If you select this option, you can add a computer or computers
to the network element by IP address, MAC address, IP range, or subnet mask.
273
By manufacturer. If you select this option, you can add computers to the network
element by manufacturer.
By domain membership. If you select this option, you can add computers to the
network element on the basis of their membership in a domain. Domain membership
can be used as a criterion that allows accessing the organization's network.
By computer status. If you select this option, you can specify a computer protection
status: for example, "Critical". You can create rules restricting network access for
computers with such status.
By software. If you select this option, you can add computers to the network element
by operating system type, firewall status, and availability of updates.
The added criteria are displayed in the Criteria field so that a network object should meet
them.
4. Click OK.
The created network elements are displayed in the properties window of the Kaspersky
Security Center Network Agent policy, in the Network elements subsection.
Creating network access restriction

rules
To create a network access restriction rule:
Managing network access (NAC) section, select the Access rules subsection.
2. In the Access rules section select the Access restrictions subsection and click the Add
button.
The Properties of access restriction rule window opens.
3. In the Properties of access restriction rule window enter a name for the rule that you are
creating.
274
4. In the Properties of access restriction rule window click the Add button to select a
network element to which the rule will apply. You can add several network elements to the
same rule.
The Adding network elements window opens.
5. In the Adding network elements window select a network element and click the OK button.
The selected network element is displayed in the Properties of access restriction rule
window.
6. In the Properties of access restriction rule window, in the Restrict network access
group of settings select one of the following options:
Block network access. If you select this option, all devices in the network element are
prohibited to access the network.
Redirect to authorization portal. If you select this option, requests from devices in the
network element will be redirected to the authorization server.
Allow access to specified addresses only. If you select this option, in the Available
addresses field specify addresses that are accessible for devices included in the
network element.
7. Click OK.
The created rule is displayed in the Access restrictions subsection.
Creating a white list

To create a white list of IP devices:
Managing network access (NAC) section, select the Access rules subsection.
2. In the Access rules section select the White list subsection and click the Add button.
The Adding network elements window opens.
275
3. In the Adding network elements window select the network element that you want to add
to the white list.
4. Click OK.
Network elements added to the white list are displayed in the White List subsection. Devices
added to the white list are granted full access to the organization's network.
Creating a list of allowed network

addresses
To create a list of allowed network addresses:
Managing network access (NAC) section, select the Network services addresses
subsection.
2. In the Network services addresses section, from the drop-down list on the right from the
Add button select a network address type:
Allowed network addresses. Select this option to add allowed addresses for guest
devices.
The Allowed network addresses window opens in which you can add the addresses
of network services by IP address, MAC address, IP range, and subnet mask.
Authorization portal. Select this option to add the address of the authorization portal to
which requests from guest devices will be redirected.
The Authorization portal window opens where you can specify the address of the
server to which requests from network devices will be redirected.
The added network addresses are displayed in the Network services addresses section.
276
Creating accounts to use on the
authorization portal
To create an account for further use on the authorization portal:
Managing network access (NAC) section, select the Authorization page subsection.
2. In the Authorization page section select the Accounts subsection.
3. Click the Add button in the Accounts section.
The Account addition window opens.
4. In the Account addition window adjust the account settings.
5. If you want to block network access for this account, select the Block account check box.
6. Click OK.
Created accounts are displayed in the Accounts subsection comprised in the Authorization
page section.
Configuring the authorization page

interface
To configure the interface of the authorization page:
Managing network access (NAC) section, select the Authorization page subsection.
2. In the Authorization page section select the Interface subsection.
3. In the Logo group of settings select a logo to use on the authorization page:
Default. Select this option if you want to use Kaspersky Lab logo on the authorization
page.
277
Custom. Select this option if you want to use a custom logo. Click the Select button if
you want to specify the path to a logo file. The new logo should have the same settings
as the default one.
4. In the Authorization page group of settings select the authorization page to which network
access requests will be redirected.
Default. Select this option if you want to use the default page on the authorization
portal. To edit the default page, click the Save to file button and save the authorization
page to a file for further editing.
Custom. Select this option if you want to use an edited version of the Kaspersky Lab
page or your own version. Click the Select button and specify the path to an
authorization page file.
5. Click OK.
Configuring NAC in a Network Agent

policy
To configure NAC in a Network Agent policy:
1. In the Managed computers folder of the console tree go to the Policies tab.
2. Start configuring NAC using one of the following methods:
Click the Change policy settings link in the Actions menu to open the properties
window of Kaspersky Security Center Network Agent, and select the Network Access
Control (NAC) section.
Use links in the Network Access Control (NAC) group of settings in the Actions
menu.
278
Inventory of equipment detected on
the network
Kaspersky Security Center retrieves information about the equipment detected during the network
poll. Inventory covers all equipment connected to the organization's network. Information about the
equipment is updated after each new network poll. The list of detected equipment may contain the
following types of devices:
Computers.
Mobile devices.
Network devices.
Virtual devices.
OEM components.
Computer peripherals.
Connected devices.
VoIP phones.
Network storages.
Equipment detected during a network poll is displayed in the Repositories subfolder of the
Hardware folder of the console tree.
The administrator can add new devices to the equipment list manually or edit information about
equipment that already exists on the network. In the properties of a device you can view and edit
detailed information about that device.
The administrator can assign the "Enterprise equipment" attribute to detected devices. This
attribute can be assigned manually in the properties of a device, or the administrator can specify
criteria for the attribute to be assigned automatically. In this case, the "Enterprise equipment"
attribute is assigned by device type. You can allow or prohibit network connection of equipment by
the "Enterprise equipment" attribute.
Kaspersky Security Center allows writing off equipment. To do this, select the Device is written
off check box in the properties of a device. Such device is not displayed on the equipment list.
In this section:
Adding information about new devices .................................................................................... 280
Configuring criteria used to define enterprise devices ............................................................. 281
Adding information about new devices

To add information about new devices on the network:
1. In the Repositories folder of the console tree select the Hardware subfolder.
2. In the workspace of the Hardware folder click the Add device link to open the New device
window.
The New device window opens.
3. In the New device window, in the Type drop-down list select a device type that you want
to add.
4. Click OK.
The device properties window opens on the General section.
5. In the General section fill in the entry fields with data on the device. The General section
lists the following settings:
Corporate device. Select the check box if you want to assign the "Enterprise" attribute
to the device. Using this attribute, you can search for devices in the Hardware folder.
Device is written off. Select the check box if you do not want the device to be
displayed on the list of devices in the Hardware folder.
6. Click Apply.
The new device will be displayed in the workspace of the Hardware folder.
Inventory of equipment detected on the network
280
Configuring criteria used to define
enterprise devices
To configure criteria of detection for enterprise devices:
1. In the Repositories folder of the console tree select the Hardware subfolder.
2. In the workspace of the Hardware folder click the Configure criteria for corporate
devices link to open the hardware properties window.
3. In the hardware properties window, in the Corporate devices section select a mode of
assigning the "Corporate" attribute to the device:
Set the "Corporate" attribute manually. The "Corporate equipment" attribute is

assigned to the device manually in the device properties window, in the General
section.
Set the "Corporate" attribute automatically. In the By device type block of settings
specify device types to which the application will automatically assign the "Corporate"
attribute.
4. Click Apply.
Inventory of equipment detected on the network
281
Updating databases and software
modules
This section describes how to download and distribute updates of databases and software
modules using Kaspersky Security Center.
To maintain the protection system's reliability, you should timely update the databases and
Kaspersky Lab application modules, managed through Kaspersky Security Center.
To update databases and Kaspersky Lab application modules that are managed through
Kaspersky Security Center, the Download updates to the repository task of the Administration
Server is used. When the task is complete, updates for databases and application modules are
downloaded to the Administration Server from the update source.
The Download updates to the repository task is not available on virtual Administration
Servers. The repository of the virtual Administration Server displays updates downloaded to
the master Administration Server.
You can configure the updates to be verified for performance and errors before they are distributed
to client computers.
When running the Download updates to the repository task, the following information is sent to
Kaspersky Lab update servers in automatic mode in order to ensure the downloading of relevant
versions of databases and application modules:
Application ID and version.
Application setup ID.
Active key ID.
Download updates to the repository task run ID.
All information being sent contains no personal data or other confidential data. Kaspersky Lab
protects information as provided by the requirements of the current legislation.
In this section:
Creating the task of downloading updates to the repository .................................................... 283
Configuring the task of downloading updates to the repository ................................................ 284
Verifying downloaded updates ................................................................................................ 285
Configuring test policies and auxiliary tasks ............................................................................ 286
Viewing downloaded updates .................................................................................................. 288
Automatic distribution of updates ............................................................................................ 288
Rolling back installed updates ................................................................................................. 295
Creating the task of downloading

updates to the repository
The task of downloading updates into the Administration Server repository is created automatically
by Kaspersky Security Center Quick Start Wizard. You can create only one task for downloading
updates to the repository. Thai is why you can create a task for downloading updates to the
repository only if such task was removed from the Administration Server tasks list.
To create a task for downloading updates to the repository:
Click the Create a task button in the workspace.
This starts the New Task Wizard. Follow the Wizard's instructions. In the Task type wizard
window, select Download updates to the repository.
After the Wizard completes, the Download updates to the repository task will be created in the
list of Administration Server tasks.
Updating databases and software modules
283
When an Administration Server performs the Download updates to the repository task, updates
to databases and software modules of applications are downloaded from the updates source and
stored in the shared folder.
Updates are distributed to client computers and slave Administration Servers from the shared folder.
The following resources can be used as a source of updates for the Administration Server:
Kaspersky Lab update servers Kaspersky Lab's servers to which the updated anti-virus
database and the application modules are uploaded.
Master Administration Server.
FTP/HTTP server or a network updates folder an FTP server, an HTTP server, a local or
a network folder added by the user and containing the latest updates. When selecting a
local folder, you should specify a folder on a computer with Administration Server installed.
To update Administration Server from an FTP/HTTP server or a network folder, you

should copy to those resources the correct structure of folders with updates, identical to
that created when using Kaspersky Lab update servers.
Source selection depends on task settings. By default, updating is performed over the Internet from
Kaspersky Lab's update servers.
Configuring the task of downloading

updates to the repository
To configure the task for downloading updates to the repository:
1. In the workspace of Administration Server tasks folder, select the Download updates to
the repository task in the task list.
2. Open the task properties window in one of the following ways:
From the context menu of the task, select Properties.
By clicking the Change task settings link in the workspace of the selected task.
This will open the Download updates to the repository task properties window. In this window
you can configure how the updates are downloaded to the Administration Server repository.
284
Verifying downloaded updates
To make Kaspersky Security Center verify downloaded updates before distributing
them to client computers:
1. In the workspace of Tasks folder, select the Download updates to the repository task in
the list of tasks.
2. Open the task properties window in one of the following ways:
By clicking the Change task settings link in the workspace of the selected task.
3. In the task properties window that opens, in the Updates verification section, select the
Verify updates before distributing check box and select the update verification task in
one of the following ways:
Click Select to choose an existing updates verification task.
Click the Create button to create an update verification task.
This starts the Update Verification Task Wizard. Follow the Wizard's instructions.
While creating the update verification task, you should select an administration group
that contains computers on which the task will be run. Computers included in this group
are called test computers.
It is recommended to use computers with most reliable protection and most popular
application configuration in the network. This approach increases the quality of
scans, and minimizes the risk of false positives and the probability of virus detection
during scans. If viruses are detected on the test computers, the update verification
task is considered unsuccessful.
4. Click OK to close the properties window of the downloading updates to the repository task.
As a result, the updates verification task is performed with the task of downloading updates to
the repository. The Administration Server will download updates from the source, save them in
temporary storage, and run the update verification task. If the task completes successfully, the
updates will be copied from the temporary storage to the Administration Server shared folder
(<Installation folder Kaspersky Security Center\Share\Updates) and distributed to all client
computers for which the Administration Server is the source of updates.
285
If the results of the update verification task show that updates located in the temporary storage are
incorrect or if the update verification task completes with an error, such updates will not be copied
to the shared folder, and the Administration Server will keep the previous set of updates. The tasks
that have the When new updates are downloaded to the repository schedule type are not
started then, either. These operations will be performed at the next start of the Administration
Server update download task if scanning of the new updates completes successfully.
A set of updates is considered to be incorrect if one of the following conditions is met on at least
one test computer:
Update task error has occurred.
The real-time protection status of the anti-virus application has changed after applying
updates.
An infected object has been detected while running the on-demand scan task.
Functional error of a Kaspersky Lab application has occurred
If none of the listed conditions is true for any test computer, the set of updates is considered to be
correct and the update verification task completes successfully.
Configuring test policies and auxiliary

tasks
When creating an update verification task, the Administration Server generates test policies,
auxiliary group update tasks and on-demand scan tasks.
Auxiliary group update and on-demand scan tasks take some time. These tasks are performed
when the updates verification task is executed. The updates verification task is performed
when updates are downloaded to the repository. The duration of Download updates to the
repository task includes auxiliary group update and on-demand scan tasks.
You can change the settings of text policies and auxiliary tasks.
286
To change settings of a text policy or an auxiliary task:
1. In the console tree, select a group for which the updates verification task is created.
2. In the group workspace, select one of the following tabs:
Policies, if you want to edit the test policy settings.
Tasks, if you want to change auxiliary task settings.
3. In the tab workspace select a policy or a task, whose settings you want to change.
4. Open the policy (task) properties window in one of the following ways:
From the context menu of the policy (task), select Properties.
By clicking the Change policy settings (Change task settings) link in the workspace
of the selected policy (task).
To verify updates correctly, the following restrictions should be imposed on the modification of test
policies and auxiliary tasks:
In the auxiliary task settings:
Save all tasks with the Critical event and Functional failure importance levels on
Administration Server. Using the events of these types, the Administration Server
analyzes the operation of applications.
Use Administration Server as the source of updates.
Specify task schedule type: Manually.
In the settings of test policies:
Disable the iChecker, iSwift, and iStream scanning acceleration technologies.
Select an action to perform on infected objects: Do not prompt/Skip/Write

information to report.
In the settings of test policies and auxiliary tasks:
287
If a computer restart is required after the installation of updates to software modules, it must
be performed immediately. If the computer is not restarted, it is impossible to test this type
of updates. For some applications installation of updates that require a restart may be
prohibited or configured to prompt the user for confirmation first. These restrictions should
be disabled in the settings of test policies and auxiliary tasks.
Viewing downloaded updates

To view the list of downloaded updates,
in the console tree, select Repositories folder, the Updates subfolder.
The workspace of the Updates folder shows the list of updates that are saved on the
Automatic distribution of updates

Kaspersky Security Center allows you to automatically distribute and install updates on client
computers and slave Administration Servers.
In this section:
Distributing updates to client computers automatically ............................................................ 289
Distributing updates to slave Administration Servers automatically ......................................... 290
Installing updates for program modules of Network Agents automatically ............................... 291
Appointing computers to act as Update Agents ....................................................................... 292
Removing a computer from the list of update agents ............................................................... 294
Downloading updates by Update Agents ................................................................................. 294
288
Distributing updates to client computers
automatically
To distribute the updates of the selected application to client computers immediately
after the updates are downloaded to the Administration Server repository:
2. Create an update deployment task for the selected client computers in one of the following
ways:
If you want to distribute updates to the client computers that belong to the selected
administration group, create a task for the selected group (see the section "Creating a
group task" on page 116).
If you want to distribute updates to the client computers that belong to different
administration groups or do not belong to administration groups at all, create a task for
specific computers (see the section "Creating a task for specific computers" on page 117).
This starts the New Task Wizard. Follow its instructions and perform the following actions:
a. In the Task type wizard window, in the node of the required application select the
updates deployment task.
The name of the updates deployment task displayed in the Task type window
depends on the application for which you create this task. For detailed
information about names of update tasks for the selected Kaspersky Lab
application, see the corresponding Guides.
b. In the Schedule wizard window, in the Scheduled start field, select When new
updates are downloaded to the repository.
As a result, the created update distribution task will start for selected computers each time the
updates are downloaded to the Administration Server repository.
If an updates distribution task for the required application is created for selected computers, to
automatically distribute updates to client computers in the task properties window in the Schedule
section, select the When new updates are downloaded to the repository option, in the
Scheduled start field.
289
Distributing updates to slave
Administration Servers automatically
To distribute the updates of the selected application to slave Administration Servers
immediately after the updates are downloaded to the master Administration Server
repository:
1. In the console tree, in the master Administration Server node, select the Administration
Server tasks folder.
2. In the task list in the workspace, select the task of downloading updates to the
Administration Server repository.
3. Open the Settings section of the selected task in one of the following ways:
By clicking the Edit settings link in the workspace of the selected task.
4. In the Settings section of the task properties window, select the Other settings
subsection, click the Configure link. This opens the Other settings window.
5. In the Other settings window that opens, select the Force update of slave Servers
check box.
In the settings of the task of downloading updates by the Administration Server, on the
Settings tab of the task properties window, select the Force update of slave Servers
check box.
As a result, after the master Administration Server retrieves updates, the updates download
tasks automatically start on slave Administration Servers regardless of their schedule.
290
Installing updates for program modules of
Network Agents automatically
To install updates for program modules of Network Agents automatically after they are
uploaded to the Administration Server repository:
1. In the console tree, in the master Administration Server node, select the Administration
Server tasks folder.
2. In the task list in the workspace, select the task of downloading updates to the
Administration Server repository.
3. Open the properties window of the selected task using one of the following methods:
By clicking the Edit settings link in the workspace of the selected task.
4. In the task properties window, select the Settings section.
5. Click the Configure link in the Other settings section to open the Other settings window.
6. In the Other settings window that opens, select the Update Network Agent modules
check box.
If this check box is selected, updates for program modules of Network Agent will be
automatically installed after they are uploaded to the Administration Server repository. If
this check box is cleared, Network Agent updates will not be installed automatically.
Retrieved updates can be installed manually. By default, this check box is selected.
Network Agent program modules can only be installed automatically for Network Agent
10 Service Pack 2 or later.
7. Click OK.
As a result, updates for Network Agent program modules will be installed automatically.
291
Assigning computers to act as Update
Agents
Kaspersky Security Center allows you to assign computers to act as Update Agents. Assignment
can be performed automatically (using Administration Server) or manually.
If the administration group structure reflects the network topology, or if selected network segments
correspond to a specific administration group, you can use automatic assignment of Update
Agents.
If the administration group structure does not reflect the network topology, we recommend that you
disable automatic assignment of Update Agents and assign one or several computers to act as
Update Agents in each of the selected network segments instead.
When assigning Update Agents manually, we recommend that you assign 100 to 200
managed computers to a single Update Agent.
To manually appoint a computer to act as Update Agent:
3. In the Administration Server properties window, select the Update Agents section and click
the Add button.
This opens the Add Update Agent window.
4. In the Add Update Agent window, perform the following actions:
a. Select a computer that will act as an Update Agent (select one in an administration
group, or specify the IP address of a computer). When selecting a computer, keep in
mind the operation features of Update Agents and requirements set for the computer
that acts as an Update Agent (see section "Update Agent" on page 79).
b. Specify the set of computers on which the Update Agent will distribute updates. You
can specify an administration group or a Network Location Awareness (NLA) subnet.
292
5. Click OK.
The Update Agent that you have added will be displayed in the list of Update Agents, in the
Update Agents section.
6. Select the added Update Agent in the list and click the Properties button to open its
properties window.
7. Configure the Update Agent in the properties window:
In the General section, specify the SSL port number, the address and number of the IP
delivery port for IP multicasting, as well as the set of data distributed by the Update
Agent (an Update Agent can distribute updates and / or installation packages).
In the Scope section, specify the scope to which the Update Agent will distribute
updates (administration groups and / or an NLA subnet).
In the Network poll section, configure the polling of Windows domains, Active
Directory, and IP subnets by the Update Agent.
In the Advanced section, specify the folder that the Update Agent must use to store
distributed data.
As a result, the selected computers will act as Update Agents.
To assign Update Agents automatically, using Administration Server:
3. In the Administration Server properties window, in the Update Agents section, select the
Define Update Agents automatically check box.
If automatic assignment of computers to act as Update Agents is enabled, you cannot

configure Update Agents manually nor edit the list of Update Agents.
4. Click OK.
As a result, Administration Server assigns and configures Update Agents automatically.
293
Removing a computer from the list of
update agents
To remove a computer from the list of Update Agents:
3. In the Administration Server properties window, in the Update Agents section, select a
computer that acts as an Update Agent, and click the Remove button.
As a result, the computer will be removed from the list of Update Agents and will stop acting as
an Update Agent.
You cannot remove a computer from the list of Update Agents if it was appointed by
Administration Server automatically (see section "Appointing computers to act as Update
Agents" on page 292).
Downloading updates by Update Agents

Kaspersky Security Center allows Update Agents to receive updates from the Administration
Server, Kaspersky Lab servers, or from a local or network folder.
To configure update download for an Update Agent:
3. In the Administration Server properties window, in the Update Agents section, select the
Update Agent via which updates will be delivered to client computers in the group.
4. Click the Properties button to open the properties window of the selected Update Agent.
5. In the Update Agent properties window, select the Updates source section.
294
6. Select an update source for the Update Agent:
To allow the Update Agent to receive updates from the Administration Server, select
Retrieve from Administration Server.
To allow the Update Agent to receive updates using the task, select Use update
download task:
Click Select to choose an existing updates download task of the update agent.
Click the New task button to create the updates download task for the Update
Agent.
The update download task of an Update Agent is a local task. You have to create a
new update download task for each computer that acts as an Update Agent.
As a result, the Update Agent will receive updates from the specified source.
Rolling back installed updates

To roll back the updates that have been installed:
subfolder.
2. In the workspace of the Software updates folder, select the update that you want to roll
back.
3. In the context menu of the update, select Delete update files.
4. Run the update task (see section "Automatic installation of updates for Kaspersky Endpoint
Security on client computers" on page 198).
When this task is completed, the update installed on the client computer is rolled back and its
status changed to Not installed.
295
Working with application keys
This section describes the features of Kaspersky Security Center related to handling keys of
managed Kaspersky Lab applications.
Kaspersky Security Center allows you to perform centralized distribution of keys for Kaspersky Lab
applications on client computers, monitor their use, and renew licenses.
When adding a key using Kaspersky Security Center, the settings of the key are saved on
Administration Server. Based on this information, the application generates a key usage report and
notifies the administrator of expiry of licenses and violation of license restrictions implied by the
settings of keys. You can configure notifications of the use of keys within the Administration Server
settings.
In this section:
Viewing information about keys in use .................................................................................... 296
Adding a key to the Administration Server repository .............................................................. 297
Deleting an Administration Server key..................................................................................... 298
Deploying a key to client computers ........................................................................................ 298
Automatic deployment of a key ............................................................................................... 299
Creating and viewing a key usage report ................................................................................ 300
Viewing information about keys in use

To view information about keys in use,
in the console tree, in the Application management folder, select the Kaspersky Lab
licenses subfolder.
The workspace of the folder displays a list of keys used on client computers.
Next to each of the keys an icon is displayed, corresponding to the type of use:
Information about the key is received from a client computer connected to the
Administration Server. The file of this key is stored outside of the Administration Server.
The key file is stored in the Administration Server repository. Automatic distribution is
disabled for this key.
The key file is stored in the Administration Server repository. Automatic distribution
is enabled for this key.
You can view information about keys used with the application on a client computer by opening the
Applications section of the client computer properties window (see section "Viewing and editing
the local application settings" on page 125).
To define the up-to-date settings of virtual Administration Server keys, the Administration
Server sends a request to Kaspersky Lab activation servers at least once per day.
Adding a key to the Administration

Server repository
To add a key to the Administration Server repository:
1. In the console tree, in the Application management folder, select the Kaspersky Lab
licenses subfolder.
2. Start the key adding task using one of the following methods:
From the context menu of the list of keys select Add key.
By clicking the Add key link in the workspace of the list of keys.
This will start the Add Key Wizard. Follow the Wizard's instructions.
297
Deleting an Administration Server key
To delete an Administration Server key:
2. In the Administration Server properties window that opens, select the Keys section.
3. Delete the active or additional key by clicking the Remove button.
This deletes the key.
If an additional key has been added, after the active key is deleted the additional key automatically
becomes the active key.
After the active key is deleted, such features as Systems Management (see the section
"Kaspersky Security Center licensing options" on page 60) and Mobile devices management
(see the section "Kaspersky Security Center licensing options" on page 60) become
unavailable for Administration Server. You can add (see the section "Adding a key to the
Administration Server repository" on page 297) a key that has been deleted, or add a different key.
Deploying a key to client computers

Kaspersky Security Center allows distributing the key to client computers using the key
distribution task.
To distribute a key to client computers:
licenses subfolder.
2. Run the key distribution task using one of the following methods:
From the context menu of the list of keys select Deploy a key.
Click the Deploy key to managed computers link in the workspace of the list of keys.
This starts the Key Distribution Task Creation Wizard. Follow the Wizard's instructions.
298
Tasks created using the Key Distribution Task Creation Wizard are tasks for specific computers
stored in the Tasks for specific computers folder of the console tree.
You can also create a group or local key distribution task using the Task Creation Wizard for an
administration group and for a client computer.
Automatic distribution of a key

Kaspersky Security Center allows automatic distribution of keys to managed devices if they are
located in the keys repository on the Administration Server.
To distribute a key to managed devices automatically:
licenses subfolder.
2. In the workspace of the folder, select the key that you want to distribute to devices
automatically.
3. Open the properties window of the selected key using one of the following methods:
From the context menu of the key select Properties.
Click the Show key properties window link in the workspace of the selected key.
4. In the key properties window that opens, select the Automatically deployed key check
box. Close the key properties window.
As a result, the key will be automatically distributed as the active or additional key to all
compatible devices.
Key distribution is performed by means of the Network Agent. No additional key distribution tasks
are created for the application.
Automatic distribution of a key as the active or additional key takes into account the licensing limit
of the number of devices imposed in the key's properties. If the licensing limit is reached,
distribution of this key on devices ceases automatically.
299
Creating and viewing a key usage report
To create a key usage report on client computers,
in the console tree, in the Reports and notifications folder select the report template named
Key usage report, or create a new report template of the same type.
As a result, the workspace of the key usage report displays information about active and additional
keys used on the client computers. The report also contains information about computers on which
the keys are used, and about restrictions specified in the settings of the keys.
300
Data storages
This section provides information about data stored on the Administration Server and used for
tracking the condition of client computers and servicing them.
The data used to track the status of client computers are displayed in Repositories folder of the
console tree.
The Repositories folder contains the following objects:
the updates downloaded by the Administration Server that are distributed to client
computers (see the section "Viewing downloaded updates" on page 288);
list of hardware items detected in the network;
keys that were found on client computers (see the section "Working with application keys"
on page 296);
files quarantined on client computers by anti-virus applications;
files placed into Backup on client computers;
files assigned for scanning later by anti-virus applications.
In this section:
Exporting a list of repository objects to a text file ..................................................................... 302
Installation packages............................................................................................................... 302
Quarantine and Backup........................................................................................................... 302
Unprocessed files.................................................................................................................... 307

Exporting a list of repository objects to
a text file
You can export the list of objects from the repository to a text file.
To export the list of objects from the repository to a text file:

1. In the console tree, select Repositories folder, the necessary subfolder.
2. In the repository subfolder, select Export list.
This will open the Export list window, in which you can specify the name of text file and
path to the folder where it was placed.
Installation packages
Kaspersky Security Center places installation packages of applications by Kaspersky Lab and
third-party vendors to data storage areas.
An installation package is a set of files required to install an application. An installation package

contains the setup settings and initial configuration of the application being installed.
If you want to install an application to a client computer, you should create an installation package
for that application (see the section "Creating installation packages of applications on page 215)
or use an existing one. The list of created installation packages is stored in the Remote
installation folder of the console tree, the Installation packages subfolder.
For detailed information on installation packages, see Kaspersky Security Center Implementation
Guide.
Quarantine and Backup

The Kaspersky Lab anti-virus applications installed on client computers can quarantine objects or
place them to backup during computer scan.
Quarantine is a special area storing files probably infected with viruses and files that cannot be
disinfected at the time when they are detected.
Data storages
302
Backup is designed for storing backup copies of files that have been deleted or modified during the
disinfection process.
Kaspersky Security Center creates a list of files placed into Quarantine or Backup by Kaspersky
Lab application on client computers. The Network Agents on client computers transfer information
about the files in Quarantine and Backup to the Administration Server. You can use Administration
Console to view the properties of files in repositories on client computers, run anti-virus scanning of
those repositories, and delete the stored files.
Operations with Quarantine and Backup are supported for versions 6.0 or later of Kaspersky
Anti-Virus for Windows Workstations and Kaspersky Anti-Virus for Windows Servers, as well
as for Kaspersky Endpoint Security 10 for Windows.
Kaspersky Security Center does not copy files from repositories to Administration Server. All files
are stored in the repositories on client computers. You can restore files only on a computer where
an anti-virus application that placed the file into the repository is installed.
In this section:
Enabling remote management for files in the repositories ....................................................... 303
Viewing properties of a file placed in repository ....................................................................... 304
Removing files from repositories ............................................................................................. 305
Restoring files from repositories .............................................................................................. 305
Saving a file from repositories to disk ...................................................................................... 306
Scanning files in Quarantine ................................................................................................... 306
Enabling remote management for files in

the repositories
By default, you cannot manage files placed in the repositories on client computers.
Data storages
303
To enable remote management for files in the repositories on client computers:
1. In the console tree, select an administration group, for which you want to enable remote
management for files in the repository.
2. In the group workspace, open the Policies tab.
3. On the Policies tab select the policy of an anti-virus application that places files to the
repositories on client computers.
4. In the policy settings window in the Inform Administration Server group of settings, select
the check boxes corresponding to the repositories for which you want to enable the remote
management.
The location of Inform Administration Server settings group in the policy properties
window and the names of check boxes depend on selected anti-virus application.
Viewing properties of a file placed in

repository
To view properties of a file in Quarantine or Backup:
1. In the console tree, select the Repositories folder, the Quarantine or Backup subfolder.
2. In the workspace of the Quarantine (Backup) folder, select a file whose properties you
want to view.
3. Open the file properties window in one of the following ways:
From the context menu of the file, select Properties.
Click the Show object properties link in the workspace of the selected file.
Data storages
304
Removing files from repositories
To delete a file from Quarantine or Backup:
2. In the workspace of the Quarantine (Backup) folder select the files that you want to delete
by using the Shift and Ctrl keys.
3. Delete the files in one of the following ways:
From the context menu of the files select Remove.
Click the Delete objects (Delete object if you want to delete one file) link in the
workspace of the selected files.
As a result, the anti-virus applications that placed files in repositories on client computers, will
delete files from these repositories.
Restoring files from repositories

To restore a file from Quarantine or Backup:
2. In the workspace of the Quarantine (Backup) folder select the files that you want to
restore by using the Shift and Ctrl keys.
3. Start files restoration in one of the following ways:
From the context menu of the files, select Restore.
By clicking the Restore link in the workspace of the selected files.
restore files to their initial folders.
Data storages
305
Saving a file from repositories to disk
Kaspersky Security Center allows you to save to disk the copies of files that were placed by an
anti-virus application in Quarantine or Backup on client computer. The files are copied to the
computer on which Kaspersky Security Center is installed, to the specified folder.
To save a copy of file from Quarantine or Backup to hard drive:
2. In the workspace of the Quarantine (Backup) folder, select a file that you want to copy to
the hard drive.
3. Start copying the files in one of the following ways:
In the context menu of the file, select the Save to Disk item.
Click the Save to Disk link in the workspace of the selected file.
As a result, the anti-virus application that placed the file in Quarantine on client computer will save
a copy of file to hard drive.
Scanning files in Quarantine

To scan quarantined files:
1. In the console tree, select the Repositories folder, the Quarantine subfolder.
2. In the workspace of the Quarantine folder select the files that you want to scan by using
the Shift and Ctrl keys.
3. Start the file scanning process in one of the following ways:
Select Scan Quarantined Files from the context menu of the file.
By clicking the Test link in the workspace of the selected files.
As a result, the application runs the on-demand scan task for anti-virus applications that have
placed files to Quarantine on client computers where the selected files are stored.
Data storages
306
Unprocessed files
The information about unprocessed files found on client computers is stored in the Repositories
folder, the Unprocessed files subfolder.
Postponed processing and disinfection by an anti-virus application are performed upon request or
after a specified event. You can configure the postponed processing.
Postponed file disinfection

To start postponed file disinfection:
1. In the console tree, select the Repositories folder, the Unprocessed files subfolder.
2. In the workspace of the Unprocessed files folder, select a file that you want to disinfect.
3. Start disinfecting the file in one of the following ways:
From the context menu of the file, select Disinfect.
By clicking the Disinfect link in the workspace of the selected file.
The attempt to disinfect this file is then performed.
If a file has been disinfected, the anti-virus application installed on client computer restores it to its
initial location. The record about the file is removed from list in the Unprocessed files folder. If file
disinfection is not possible, anti-virus application installed on client computer removes the file from
the computer. The record about the file is removed from list in the Unprocessed files folder.
Saving an unprocessed file to disk

Kaspersky Security Center allows saving to disk the copies of unprocessed files found on client
computers. The files are copied to the computer on which Kaspersky Security Center is installed,
to the specified folder.
Data storages
307
To save a copy of an unprocessed file to disk:
2. In the workspace of the Unprocessed files folder, select files that you want to copy on the
hard drive.
3. Start copying the files in one of the following ways:
In the context menu of the file, select the Save to Disk item.
Click the Save to Disk link in the workspace of the selected file.
As a result, an anti-virus application installed on client computer on which an unprocessed file has
been found, will save a file copy to the specified folder.
Deleting files from the Unprocessed files

folder
To delete a file from the Unprocessed files folder:
2. In the workspace of the Unprocessed files folder select the files that you want to delete by
using the Shift and Ctrl keys.
3. Delete the files in one of the following ways:
From the context menu of the files select Remove.
Click the Delete objects (Delete object if you want to delete one file) link in the
workspace of the selected files.
delete files from these repositories. The records about files are removed from list in the
Unprocessed files folder.
Data storages
308
Kaspersky Security Network (KSN)
This section describes how to use an online service infrastructure named Kaspersky Security
Network (KSN). The section provides the details on KSN, as well as instructions on how to enable
KSN, configure access to KSN, and view the statistics of the use of KSN proxy server.
About KSN
Kaspersky Security Network (KSN) is an online service infrastructure that provides access to the
online Knowledge Base of Kaspersky Lab, which contains information about the reputation of files,
web resources, and software. The use of data from Kaspersky Security Network ensures faster
responses by Kaspersky Lab applications to threats, improves the effectiveness of some protection
components, and reduces the risk of false positives. KSN allows using Kaspersky Lab's reputation
databases to retrieve information about applications installed on client computers.
By participating in KSN, you agree to send to Kaspersky Lab in automatic mode information about
the operation of Kaspersky Lab applications (see the section "About data provision" on page 310)
installed on client computers that are managed by Kaspersky Security Center, in accordance with
the KSN Statement. Information is transferred in accordance with the current KSN access settings
(see the section "Setting up access to KSN" on page 311).
The application prompts you to join KSN when installing the application and when running the
Quick Start Wizard (see section "Kaspersky Security Center Quick Start Wizard" on page 67). You
can start or stop using KSN at any moment when using the application (see the section "Enabling
and disabling KSN" on page 312).
Client computers managed by Administration Server interact with KSN using the KSN Proxy
service. The KSN Proxy service provides the following features:
Client computers can send requests to KSN and transfer information to KSN even if they do
not have direct access to the Internet.
KSN Proxy server caches processed data, thus reducing the load on the outbound channel
and the time period spent for waiting for information requested by a client computer.
You can configure KSN Proxy server in the KSN proxy server section of the Administration Server
properties window (see section "Setting up access to KSN" on page 311).
About data provision
By participating in Kaspersky Security Network program, you agree to send to Kaspersky Lab in
automatic mode information about the operation of Kaspersky Lab applications installed on client
computers that are managed by Kaspersky Security Center. Kaspersky Lab specialists use
information retrieved from client computers in order to fix problems in Kaspersky Lab applications
or to modify some of their features.
If you participate in Kaspersky Security Network program, you agree to send to Kaspersky Lab in
automatic mode the following information retrieved by Kaspersky Security Center on your
computer:
Name, version, and language of the software product for which the update is to be installed.
Version of the update database that is used by the software during installation.
Result of the update installation.
Computer ID and version of Network Agent used on it.
Software settings used when installing updates, such as the ID's of operations
executed and the codes of results for those operations.
If you cancel your participation in Kaspersky Security Network program, the above-listed details will
not be sent to Kaspersky Lab.
Retrieved information is protected by Kaspersky Lab pursuant to the requirements of the current
legislation and the existing rules of Kaspersky Lab. Kaspersky Lab uses retrieved information in
non-personalized form only and as general statistics. The general statistical data is generated
automatically based on originally retrieved information and does not contain any personal data or
other confidential information. The originally retrieved information is stored in encrypted form and
erased as it is accumulated (two times per year). The storage term of general statistical data is
unlimited.
Provision of data is accepted on a voluntary basis. The feature of data provision can be enabled or
disabled at any moment in the application settings window.
310
Setting up the access to KSN
To set up Administration Server's access to KSN:
1. In the console tree, select the Administration Server for which you need to configure the
access to KSN.
3. In the Administration Server properties window, in the KSN proxy server section, select
the KSN proxy server settings subsection.
4. Select the Use Administration Server as proxy server check box to enable the KSN
Proxy service.
Data are sent from client computers to KSN in accordance with the policy of Kaspersky
Endpoint Security, which is active on those client computers. If this check box is cleared, no
data will be sent to KSN from Administration Server and from client computers via
Kaspersky Security Center. However, client computers can send data to KSN directly
(bypassing Kaspersky Security Center), in accordance with their respective settings. The
policy of Kaspersky Endpoint Security for Windows, which is active on client computers,
determines which data will be directly (bypassing Kaspersky Security Center) sent by those
computers to KSN.
5. Select the Send Kaspersky Security Center statistics to KSN.
If this check box is selected, client computers will send patch installation results to
Kaspersky Lab. When selecting this check box, you should read and accept the terms of
the KSN Statement.
If you are using Private KSN (the infrastructure of KSN is located not on Kaspersky Lab
servers but, for instance, within the Internet provider's network), select the Configure
Private KSN check box and click the Select file with KSN settings button to download the
settings of Private KSN (files with the extensions pkcs7, pem). After the settings are
downloaded, the interface displays the provider's name and contacts, as well as the
creation date of the file with the settings of Private KSN.
Private KSN is supported by Kaspersky Security Center 10 Service Pack 1 and

Kaspersky Endpoint Security 10 Service Pack 1.
311
6. Configure the Administration Server connection to the KSN Proxy service:
In the TCP port entry field, specify the number of the TCP port that will be used for
connecting to KSN Proxy server. The default port to connect to KSN Proxy server is
13111.
If you want the Administration Server to connect to KSN Proxy server through a UDP
port, select the Use UDP port check box and specify the port number in the UDP port
field. By default, this check box is cleared, and UDP port 15111 is used for connecting
to KSN Proxy server.
7. Click OK.
As a result, the KSN access settings will be saved.
Enabling and disabling KSN

To enable KSN:
1. In the console tree, select the Administration Server for which you need to enable KSN.
4. Select the Use Administration Server as proxy server.
As a result, the KSN Proxy service is enabled.
5. Select the Send Kaspersky Security Center statistics to KSN.
As a result, KSN will be enabled.
If this check box is selected, client computers will send patch installation results to
Kaspersky Lab. When selecting this check box, you should read and accept the terms of
the KSN Statement.
6. Click OK.
312
To disable KSN:
1. In the console tree, select the Administration Server for which you need to enable KSN.
4. Clear the Use Administration Server as proxy server check box to disable the KSN Proxy
service, or clear the Send Kaspersky Security Center statistics to KSN check box.
If this check box is cleared, client computers will send no patch installation results to
Kaspersky Lab.
If you are using Private KSN, clear the Configure Private KSN check box.
As a result, KSN will be disabled.
5. Click OK.
Viewing the KSN proxy server statistics

KSN Proxy server is a service that ensures interaction between the Kaspersky Security Network
infrastructure and client computers managed by an Administration Server.
Using a KSN Proxy server provides you the following features:
Client computers can send requests to KSN and transfer information to KSN even if they do
not have direct access to the Internet.
KSN Proxy server caches processed data, thus reducing the load on the outbound channel
and the time period spent for waiting for information requested by a client computer.
In the Administration Server properties window, you can configure the KSN Proxy server and view
the statistics on the KSN Proxy server usage.
313
To view the statistics of KSN proxy server:
1. In the console tree, select the Administration Server for which you need to view the KSN
statistics.
the KSN proxy server statistics subsection.
This section displays the statistics of the operation of KSN proxy server. If necessary,
perform these additional actions:
Click the Refresh button to update the statistics on the KSN Proxy server usage.
Click the Export to file button to export the statistics to a CSV file.
Click the Check KSN connection button to check if the Administration Server is
currently connected to KSN.
4. Click the OK button to close the Administration Server properties window.
314
Contacting Technical Support
Service
This section provides information about the ways and conditions for providing you technical
support.
In this section:
How to obtain technical support .............................................................................................. 315
Technical support by phone .................................................................................................... 316
Technical Support via Kaspersky CompanyAccount ............................................................... 316
How to obtain technical support

If you do not find a solution to your problem in the documentation or in other sources of information
about the application (see section "Sources of information about the application" on page 20), we
recommend that you contact Kaspersky Lab Technical Support. Technical Support specialists will
answer your questions about installing and using the application.
Technical support is only available to users who purchased the commercial license. Users who
have received a trial license are not entitled to technical support.
Before contacting Technical Support, we recommend that you read through the support rules
(http://support.kaspersky.com/support/rules).
You can contact Technical Support in one of the following ways:
By calling Technical Support by phone (http://support.kaspersky.com/support/contacts).
By sending a request to Kaspersky Lab Technical Support using the Kaspersky

CompanyAccount portal (https://companyaccount.kaspersky.com).
Technical support by phone
In most regions of the world, you can call specialists at Kaspersky Lab Technical Support by
phone. You can receive information about how to obtain technical support in your region and the
contacts of Technical Support on the website of Kaspersky Lab Technical Support
(http://support.kaspersky.com/b2c).
Before contacting Technical Support, please read the support rules

(http://support.kaspersky.com/support/rules).
Technical Support via Kaspersky

CompanyAccount
Kaspersky CompanyAccount (https://companyaccount.kaspersky.com) is a portal for companies
that use Kaspersky Lab applications. The Kaspersky CompanyAccount portal is designed to
facilitate interaction between users and Kaspersky Lab specialists through online requests. The
Kaspersky CompanyAccount portal allows you to monitor the progress of electronic request
processing by Kaspersky Lab specialists and store a history of electronic requests.
You can register all of your organization's employees under a single account on Kaspersky
CompanyAccount. A single account lets you centrally manage electronic requests from registered
employees to Kaspersky Lab and also manage the permissions of these employees through
Kaspersky CompanyAccount.
The Kaspersky CompanyAccount portal is available in the following languages:
English.
Spanish.
Italian.
German.
Polish.
Contacting Technical Support Service
316
Portuguese.
Russian.
French.
Japanese.
To learn more about Kaspersky CompanyAccount, please visit the Technical Support website
(http://support.kaspersky.com/faq/companyaccount_help).
Contacting Technical Support Service
317
Appendices
This section provides information that complements the document text.
In this section:
Advanced features .................................................................................................................. 318
Features of using the management interface .......................................................................... 343
Reference information ............................................................................................................. 345
Advanced features
This section describes a range of additional options of Kaspersky Security Center designed for
expanding the functionality of centralized management of applications on client computers.
In this section:
Kaspersky Security Center operation automation. Utility tool klakaut ...................................... 319
Mobile users............................................................................................................................ 319
Events in application operation................................................................................................ 323
Event notifications displayed by running an executable file ..................................................... 323
Managing Kaspersky Security for Virtualization ....................................................................... 324
Monitoring the anti-virus protection status using information from the system registry ............. 325
Clusters and server arrays ...................................................................................................... 326
Searching for computers ......................................................................................................... 327
Connecting to client computers through Windows Desktop Sharing ........................................ 330
About the accounts in use ....................................................................................................... 330

Custom tools ........................................................................................................................... 331
Exporting lists from dialog boxes ............................................................................................. 332
Network Agent disk cloning mode ........................................................................................... 332
Backup copying and restoration of Administration Server data ................................................ 334
Data backup and recovery in interactive mode ........................................................................ 340
Installing an application using Active Directory group policies ................................................. 342
Kaspersky Security Center operation

automation. Utility tool klakaut
You can automate the operation of Kaspersky Security Center using the klakaut utility. The klakaut
utility and a help system for it are located in the installation folder of Kaspersky Security Center.
Out-of-office users
Kaspersky Security Center provides the option of switching the Network Agent of a client computer
to other Administration Servers if the following settings of the network have been changed:
Subnet the subnet address and mask have changed.
DNS domain Change the DNS suffix for a subnetwork.
Default gateway address Change the address of the main network gateway.
DHCP server address Change the IP address of the network DHCP server.
DNS server address Change the IP address of the network DNS server.
WINS server address Change the IP address of the network WINS server.
Windows domain accessibility the status of the Windows domain to which a client
computer is connected, has changed.
Appendices
319
The functionality is supported for the following operating systems: Microsoft Windows XP /
Windows Vista; Microsoft Windows Server 2003 / 2008.
The initial settings of the Network Agent connection to the Server are defined when installing the
Network Agent. Afterwards, if rules of switching the Network Agent to other Administration Servers
have been created, the Network Agent responds to changes in the network settings as follows:
If the network settings comply with one of the rules created, Network Agent connects to
Administration Server specified in this rule. The applications installed on client computers
switch to out-of-office policies provided that such behavior is enabled in the rule.
If none of the rules apply, Network Agent roll back to the default settings of connection to
the Administration Server specified during the installation. The applications installed on
client computers roll back to active policies.
If the Administration Server is not accessible, Network Agent uses out-of-office policies.
By default, Network Agent switches to out-of-office policy if the Administration Server remains
inaccessible for more than 45 minutes.
The settings of Network Agent connection to Administration Server are saved in a connection
profile. In the connection profile you can create rules of switching client computers to out-of-office
policies, as well as configure the profile so that it could be used for downloading updates only.
In this section:
Creating an Administration Server connection profile for mobile users .................................... 321
Creating a Network Agent switching rule ................................................................................. 322
Appendices
320
Creating an Administration Server connection
profile for mobile users
To create a profile for connection of Network Agent to Administration Server for mobile
users:
1. From the console tree select an administration group for the client computers in which you
need to create a profile for connecting Network Agent to the Server.
If you want to create a connection profile for all of the computers in the group, select a
Network Agent policy in the workspace of the group, on the Policies tab. Open the
properties window of the selected policy.
If you want to create a connection profile for a computer within a group, select the
computer in the workspace of the group, on the Computers tab, and do the following:
a. Open the properties window of the selected computer.
b. In the Applications section of the computer properties window select the Network
Agent.
c. Open the Network Agent properties window.
3. In the properties window that opens, in the Network section select the Connection
subsection.
4. In the Administration Server connection profiles section click the Add button.
By default, the list of connection profiles contains the <Not connected> profile only. The
profile cannot be edited or removed. It does not contain a Server for connection, so
Network Agent, when switching to it, will not attempt to connect to any Server while the
applications installed on client computers run under the out-of-office policies. The <Not
connected> profile can be used if computers are disconnected from the network.
5. In the New profile window that opens, configure the connection profile and select the
Enable out-of-office policies check box.
As a result, a profile for connecting Network Agent to Administration Server is created for
mobile users. When Network Agent connects to Administration Server using this profile,
applications installed on a client computer will use out-of-office policies.
Appendices
321
Creating a Network Agent switching rule
To create a rule of switching the Network Agent from one Administration Server to
another in case of changes in the network settings:
1. In the console tree select an administration group for the computers of which you need to
create a Network Agent switching rule.
If you want to create a switching rule for all of the computers in the group, in the
workspace of the group select a Network Agent policy on the Policies tab. Open the
properties window of the selected policy.
If you want to create a switching rule for a computer selected from a group, in the
workspace of the group, on the Computers tab select a computer and do the following:
a. Open the properties window of the selected computer.
b. In the Applications section of the computer properties window select the Network
Agent.
c. Open the Network Agent properties window.
3. In the properties window that opens, in the Network section select the Connection
subsection.
4. In the Switch profiles section click the Add button.
5. In the New rule window that opens, configure a switching rule and select the Rule
activated check box to enable the use of the rule.
As a result, a new switching rule is created; anytime its conditions are met, the Network Agent
uses the connection profile specified in the rule to connect to the Administration Server.
The switching rules are checked for a match to the network layout in the order of their
appearance in the list. If a network matches several rules, the first one will be used. You can
change the order of rules on the list using the and buttons.
Appendices
322
Events in application operation
Kaspersky Security Center allows you to get information about events in the operation of
Administration Server and other Kaspersky Lab applications installed on client computers.
Four severity levels exist for Kaspersky Lab applications:
Critical event.
Functional failure.
Warning.
Info.
You can configure the events processing rules for each importance level individually.
See also:
Adjusting the general settings of Administration Server ............................................................. 91
Event notifications displayed by running an

executable file
Kaspersky Security Center can notify the administrator about events on client computers by
running an executable file. The executable file must contain another executable file with
placeholders of the event to be relayed to the administrator.
Table 4. Placeholders for describing an event
Placeholder Placeholder description
%SEVERITY% Event importance level
%COMPUTER% Name of the computer where the event occurred
%DOMAIN% Domain
%EVENT% Event
Appendices
323
Placeholder Placeholder description
%DESCR% Event description
%RISE_TIME% Time created
%KLCSAK_EVENT_TASK_DISPLAY_NAME% Task name
%KL_PRODUCT% Kaspersky Security Center Network Agent
%KL_VERSION% Network Agent version number
%HOST_IP% IP address
%HOST_CONN_IP% Connection IP address
Example
Event notifications are sent by an executable file (such as script1.bat) inside which another
executable file (such as script2.bat) with the %COMPUTER% placeholder is launched. When an
event occurs, the script1.bat file is launched on the administrator's computer, which in turn
launches the script2.bat file with the %COMPUTER% placeholder. As a result, the administrator
receives the name of the computer where the event has occurred.
Managing Kaspersky Security for

Virtualization
Kaspersky Security Center supports the option of connection of virtual machines to Administration
Server. Virtual machines are managed via Kaspersky Security for Virtualization 3.0. For more
details, please refer to the Kaspersky Security for Virtualization 3.0 Administrator's Guide.
Appendices
324
Monitoring the anti-virus protection status
using information from the system registry
To monitor the anti-virus protection status on a client computer using information
logged by the Network Agent into the system registry:
1. Open the system registry of the client computer (for example, locally, using the regedit
command from the Start Run menu).
HKEY_LOCAL_MACHINE\SOFTWARE\KasperskyLab\Components\34\1103
\1.0.0.0\Statistics\AVState
As a result, the system registry will display information about the anti-virus protection status of
the client computer.
The anti-virus protection status corresponds to the values of the keys described in the table below.
Table 5. Registry keys and their possible values
Key (data type) Value Description
Protection_AdmServer <The Administration Server Name of the Administration

(REG_SZ) name> Server managing the
computer.
Protection_AvInstall non-zero An anti-virus application is

ed (REG_DWORD) installed on the computer.
Protection_AvRunning non-zero The real-time protection of the

(REG_DWORD) computer is enabled.
Protection_HasRtp non-zero A real-time protection

(REG_DWORD) component is installed.
Real-time protection status:
0 Unknown.
2 Inactive.
Appendices
325
Key (data type) Value Description
3 Paused.
4 Starting.
5 Active.
6 Active, high level (maximum

protection).
7 Active, default (recommended)

settings are applied.
8 Active, custom settings are

applied.
9 Operation failure.
Protection_LastFscan DD-MM-YYYY HH-MM-SS Date and time (in UTC format)

(REG_SZ) of the last full scan.
Protection_BasesDate DD-MM-YYYY HH-MM-SS Date and time (in UTC format)

(REG_SZ) of the application databases
release.
Protection_LastConnect DD-MM-YYYY HH-MM-SS Date and time (in UTC format)

ed (REG_SZ) of the last connection to the
Clusters and server arrays

Kaspersky Security Center supports the cluster technology. If Network Agent sends to
Administration Server information confirming that an application installed on a client computer
makes part of a server array, the client computer becomes a cluster node. The cluster will be
added as an individual object in the Managed computers folder in the console tree with the
icon (see figure below).
Appendices
326
A few typical features of a cluster can be distinguished:
A cluster and any of its nodes are always in the same administration group.
If the administrator attempts to move a cluster node, the node moves back to its original
location.
If the administrator attempts to move a cluster to a different group, all of its nodes also
move with it.
Searching for computers

Kaspersky Security Center allows searching computers based on specified criteria. Search results
can be saved to a text file.
The search functionality allows finding the following computers:
Client computers in administration groups of Administration Server and its slave Servers.
Unassigned computers running under an Administration Server and its slave Servers.
To search client computers of an administration group:
1. In the console tree select an administration group folder.
2. Open the Search window using one of the following methods:
Select Search from the context menu of the administration group folder.
Select the Groups tab in the workspace. Open the window by clicking the Find
managed computers link.
3. On the tabs of the Search window specify criteria for the search of client computers, and
click the Find now button.
As a result, computers that meet the specified search criteria, will be displayed in a table in
the bottom part of the Search window. If you need to save information about the search
results as a text file, click the Export to file button.
Appendices
327
To search for unassigned computers:
1. In the console tree, select the Unassigned computers folder.
2. Open the Search window using one of the following methods:
Select Search from the context menu of the Unassigned computers folder.
By clicking the Find unassigned computers link in the Actions section of the
workspace.
To search for computers regardless of whether they are included in an administration

group or not:
1. In the console tree select the Administration Server <Server Name> node.
2. Select Search from the context menu of the node.
In the Search window you can also search for administration groups and slave Administration
Servers using a drop-down list in the top right corner of the window. Search of administration
groups and slave Administration Servers is not available if you have opened the Search
window from the Unassigned computers folder.
Appendices
328
To find computers, you can use the following regular expressions in the entry fields of the Search
window:
*. Replaces any sequence of characters. To search for such words as Server, Servers, or
Server room, enter expression Server* in the search field.
?. Replaces any single character. To search for such words as Word or Ward, enter the
W?rd expression in the search field.
Text in the search field cannot begin with the ? symbol.
[<range>]. Replaces any single character from a specified range or set. To search for any
numeral, enter the [0-9] expression in the search field. To search for one of the
charactersa, b, c, d, e, or fenter the [abcdef] expression in the search field.
Full-text search is available in the Comment field on the Network tab of the Search window.
Use the following regular expressions in the search field to run a full-text search:
Space. You will see all computers whose descriptions contain any of the listed words. To
search for a phrase that contains the word Slave or Virtual (or both these words), enter the
Slave Virtual expression in the search field.
Plus sign (+), AND or &&. When a plus sign precedes a word, all search results will contain
this word. To find a phrase that contains both Slave and Virtual, you can enter
+Slave+Virtual, Slave AND Virtual, Slave && Virtual as the query in the
search field.
OR or ||. When placed between two words, it indicates that one word or the other can be
found in the text. To search for a phrase that contains such word as Slave or Virtual, you
can enter any of the following expressions in the search field: Slave OR Virtual, Slave
|| Virtual.
Minus sign (-). When a minus sign precedes a word, no search results will contain this
word. To search for a phrase that must contain such word as Slave and must not contain
such word as Virtual, you must enter the +Slave-Virtual expression in the search field.
Appendices
329
"<some text>". Text enclosed in quotation marks must be present in the text. To search for a
phrase that contains such word combination as Slave Server, you must enter the Slave Server
expression in the search field.
Connecting to client computers through

Windows Desktop Sharing
To connect to a client computer through Windows Desktop Sharing:
1. In the console tree select the Managed computers folder on the Computers tab.
The folder workspace displays a list of client computers.
2. In the context menu of the client computer to which you want to connect, select Connect to
computer Windows Desktop Sharing.
The Select remote desktop session window opens.
3. In the Select remote desktop session window select a desktop session to use for
connection to the client computer.
4. Click OK.
Connection to the client computer is established.
About the accounts in use

You can specify an account under which the task should be run.
For example, to perform an on-demand scan task, you need access rights to the object being
scanned, and to perform an update task, you need authorized proxy server user rights. The
opportunity to specify an account for the task run allows avoiding problems with on-demand scan
tasks and update tasks in case the user running a task does not have the required access rights.
Appendices
330
During the execution of remote installation/uninstallation tasks the specified account is used to
download to client computers the files required to install or uninstall an application in case Network
Agent is not installed or unavailable. If Network Agent is installed and available, the account is
used if according to tasks settings, files delivery is performed by using Microsoft Windows utilities
from the shared folder only. In this case, the account must have the following rights on the client
computer:
The right to run applications remotely.
The right to use the Admin$ resource.
The right to Log On As Service.
If the files are delivered to client computers by the Network Agent, the account is not used. All file
copying and installation operations are then performed by the Network Agent (Local System
Account).
Custom tools
Kaspersky Security Center allows creating a list of custom tools (hereinafter also referred to as
simply tools) applications activated for a client computer from the Administration Console using
the Custom tools group of the context menu. Each tool in the list will be associated with a
separate menu command, which the Administration Console uses to start the application
corresponding to that tool.
The applications starts on the administrator's workstation. The application can accept the attributes
of a remote client computer as command-line arguments (NetBIOS name, DNS name, IP address).
Connection to the remote computer can be established using tunnel connection.
By default, the list of custom tools contains the following service programs for each client
computer:
Remote diagnostics utility for remote diagnostics of Kaspersky Security Center.
Remote Desktop standard Microsoft Windows Remote Desktop Connection component.
Computer management standard Microsoft Windows component.
Appendices
331
To add or remove custom tools, or to edit their settings,
in the context menu of the client computer select Custom tools Configure custom tools.
As a result, the Custom tools window opens. In this window you can add or remove custom tools,
and edit their settings using the Add, Modify, and Remove buttons.
Exporting lists from dialog boxes

In dialog boxes of the application you can export lists of objects to text files.
Export of a list of objects is possible for dialog box sections that contain the Export to file button.
Network Agent disk cloning mode

Cloning the hard drive of a reference computer is a popular method of software installation on new
computers. If Network Agent is running in normal mode on the hard drive of the reference
computer, the following problem arises:
After the reference disk image with Network Agent is deployed on new computers, they are
displayed in Administration Console with a single icon. This problem arises because cloning results
in new computers keeping identical internal data, which allow the Administration Server to
associate a computer with an icon in Administration Console.
A special Network Agent disk cloning mode allows you to avoid such problems with an incorrect
display of new computers in Administration Console. Use this mode when deploying software (with
Network Agent) on new computers by cloning the disk.
In disk cloning mode, Network Agent keeps running, but it does not connect to the Administration
Server. When quitting the cloning mode, Network Agent deletes the internal data, which cause the
Administration Server to associate multiple computers with a single icon in Administration Console.
Upon completing the reference computer image cloning, new computers are displayed in
Administration Console properly (with individual icons).
Appendices
332
Network Agent disk cloning mode usage scenario
1. The administrator installs Network Agent on a reference computer.
2. The administrator checks the connection between Network Agent and the Administration
Server using the klnagchk utility (see section "Checking the connection between a client
computer and the Administration Server manually. Utility tool klnagchk" on page 136).
3. The administrator enables the Network Agent disk cloning mode.
4. The administrator installs software and patches on the computer, and restarts it as many
times as needed.
5. The administrator clones the hard disk of the reference computer on any number of
computers.
6. Each cloned copy must meet the following conditions:
a. The computer name must be changed.
b. The computer must be restarted.
c. The disk cloning mode must be disabled.
Enabling and disabling the disk cloning mode using the klmover utility
To enable / disable the Network Agent disk cloning mode:

1. Run the klmover utility on the computer with Network Agent installed that you need to clone.
The klmover utility is located in the Network Agent installation folder.
2. To enable the disk cloning mode, enter the following command in the Windows command
prompt: klmover -cloningmode 1.
Network Agent switches into the disk cloning mode.
3. To request the current status of the disk cloning mode, enter the following command in the
command prompt: klmover -cloningmode.
As a result, the utility window shows whether the disk cloning mode is enabled or disabled.
4. To disable the disk cloning mode, enter the following command in the utility command line:
klmover -cloningmode 0.
Appendices
333
Backup copying and restoration of
Administration Server data
Data backup allows moving an Administration Server from one computer to another without data
loss. Using the backup, you can restore data when moving the database of an Administration
Server to another computer, or when conversing to a new version of Kaspersky Security Center.
You can create a backup copy of Administration Server data using one of the following methods:
Create and run a data backup task using the Administration Console.
Run the klbackup utility on the computer where the Administration Server is installed. This
utility is included in the Kaspersky Security Center distribution kit; after the installation of the
Administration Server the utility is located in the root of the destination folder specified at
the application installation.
The following data are saved in the backup copy of the Administration Server:
Information database of the Administration Server (policies, tasks, application settings,

events saved on the Administration Server).
Configuration information about the structure of the administration groups and client
computers.
Storage of distribution packages of applications for remote installation.
Administration Server certificate.
Recovery of Administration Server data is only possible using the klbackup utility.
In this section:
Creating a data backup task .................................................................................................... 335
Data backup and recovery utility (klbackup) ............................................................................ 335
Data backup and recovery in interactive mode ........................................................................ 336
Data backup and recovery in non-interactive mode ................................................................. 337
Moving an Administration Server to another computer ............................................................ 339
Appendices
334
Creating a data backup task
Backup tasks are Administration Server tasks, they are created by the Quick Start Wizard. If a
backup task created by the Quick Start Wizard has been deleted, you can create one manually.
To create an Administration Server data backup task:
1. In the console tree, select the Administration Server tasks folder.
In the console tree, in the context menu of the Administration Server tasks folder,
select Create Task.
Click the Create a task link in the workspace.
This starts the New Task Wizard. Follow the Wizard's instructions. In the Task type window of
the Wizard select the task type named Backup of Administration Server data.
The Backup of Administration Server data task can only be created in a single copy. If the
Administration Server data backup task has already been created for the Administration
Server, it is not displayed in the task type selection window of the Backup Task Creation
Wizard.
Data backup and recovery utility (klbackup)

You can back up Administration Server data for backup storage and future recovery using the
klbackup utility making part of the Kaspersky Security Center distribution kit.
The klbackup utility can run in either of the two following modes:
Interactive (see section "Data backup and recovery in interactive mode" on page 336)
Non-interactive (see section "Data backup and recovery in non-interactive mode" on

page 337).
Appendices
335
Data backup and recovery in interactive mode
To create a backup copy of Administration Server data in interactive mode:
1. Run the klbackup utility located in the installation folder of Kaspersky Security Center.
The Backup and Restore Wizard starts.
2. In the first window of the Wizard select Perform backup of Administration Server data.
If you select the Restore or backup Administration Server certificate only check box, a
backup copy of the Administration Server certificate will only be saved.
Click Next.
3. In the next window of the Wizard specify a password and a destination folder for backup.
Click the Next button to start backup.
To recover Administration Server data in interactive mode:
1. Uninstall Administration Server and then reinstall it again.
2. Run the klbackup utility located in the installation folder of Kaspersky Security Center.
As a result, the Backup and Restore Wizard starts.
The klbackup utility must be started under the same account under which you installed
3. In the first window of the Wizard select Restore Administration Server data.
If you select the Restore or backup Administration Server certificate only check box,
the Administration Server will only be recovered.
Click Next.
If you need to disable network polling during data restoration, keep the CTRL key pressed
and click the Next button in the Wizard window.
Appendices
336
4. In the Restore settings window of the Wizard:
Specify the folder, which contains a backup copy of Administration Server data.
Specify the password that was entered during data backup.
5. Click the Next button to restore data.
When restoring data, you must specify the same password that was entered during
backup. If you specify an invalid password, data will not be restored. If the path to a
shared folder changed after backup, check the operation of tasks that use restored
data (restore tasks, remote installation tasks). If necessary, edit the settings of these
tasks.
While data is being restored from a backup file, the shared folder of Administration
Server must not be accessed by anybody. The account under which the klbackup utility
is started must have full access to the shared folder.
Data backup and recovery in non-interactive

mode
To create a backup copy or recover Administration Server data in non-interactive
mode,
run the klbackup utility with the required set of keys from the command line of the computer
with Administration Server installed.
klbackup [-logfile LOGFILE] -path BACKUP_PATH [-use_ts]|[-

restore] -savecert PASSWORD
If no password is specified in the command line of the klbackup utility, the utility requests
entering the password interactively.
Appendices
337
-logfile LOGFILE save a report on Administration Server data backup and recovery.
-path BACKUP_PATH save information in the BACKUP_PATH folder or use data from
the BACKUP_PATH folder for recovery (mandatory setting).
The database server account and the klbackup utility should be granted permissions
for changing data in the folder BACKUP_PATH.
-use_ts when saving data, copy information to the folder BACKUP_PATH, to the
subfolder with a name containing the current system date and operation time in format
klbackup YYYY-MM-DD # HH-MM-SS. If no key is specified, information is saved in the
root of the folder BACKUP_PATH.
When attempting to save information in a folder that already stores a backup copy, an
error message appears. No information will be updated.
Availability of the -use_ts key allows maintaining an Administration Server data archive.
For example, if the -path key indicates the folder C:\KLBackups, the folder klbackup
2006-06-19 # 11-30-18 then stores information about the status of the Administration
Server as of June, 19, 2006 at 11:30:18 AM.
-restore recover Administration Server data. Data recovery is performed based on

information contained in the folder BACKUP_PATH. If no key is available, data are backed
up in the folder BACKUP_PATH.
-savecert PASSWORD save or recover the Administration Server certificate; to encrypt

and decrypt the certificate, use the password specified by the setting PASSWORD.
When restoring data, you must specify the same password that was entered during
backup. If you specify an invalid password, data will not be restored. If the path to a
shared folder changed after backup, check the operation of tasks that use restored data
(restore tasks, remote installation tasks). If necessary, edit the settings of these tasks.
Appendices
338
While data is being restored from a backup file, the shared folder of Administration Server
must not be accessed by anybody. The account under which the klbackup utility is started
must have full access to the shared folder.
Moving an Administration Server to another

computer
To move an Administration Server to another computer without shifting the
Administration Server database:
1. Create a backup copy of Administration Server data.
2. Install the Administration Server to the selected computer.
To simplify the process of moving administration groups, it is recommended that you

make sure that the address of the new Administration Server is the same as the
address of the previous Administration Server. The address (the name of a computer in
Windows network, or an IP address) is specified in the settings applied to connection of
the Network Agent to the Administration Server.
3. On the new Administration Server recover Administration Server data from the backup
copy.
4. If the address (the computer name in Windows network, or the IP address) of the new
Administration Server does not coincide with that of the previous Administration Server, to
connect client computers to the new Administration Server, create an Administration Server
shift task for the Managed computers group on the previous Administration Server.
If the addresses coincide, you do not have to create a Server shift task, since the
connection will be performed to the address specified in the settings.
5. Delete the previous Administration Server.
Appendices
339
To move an Administration Server to another computer and change the Administration
Server database:
1. Create a backup copy of Administration Server data.
2. Install a new SQL server.
To transfer information correctly, the database on the new SQL server should have the
same collation schemes as the previous SQL server.
3. Install a new Administration Server. The name of the previous SQL server database and
that of the new one should be the same.
To simplify the process of moving administration groups, it is recommended that you

make sure that the address of the new Administration Server is the same as the
address of the previous Administration Server. The address (the name of a computer in
Windows network, or an IP address) is specified in the settings applied to connection of
the Network Agent to the Administration Server.
4. On the new Administration Server recover the data from the previous Administration Server
from the backup copy.
5. If the address (the computer name in Windows network, or the IP address) of the new
Administration Server does not coincide with that of the previous Administration Server, to
connect client computers to the new Administration Server, create an Administration Server
shift task for the Managed computers group on the previous Administration Server.
6. If the addresses coincide, you do not have to create a Server shift task, since the
connection will be performed to the address specified in the settings.
7. Delete the previous Administration Server.
Data backup and recovery in interactive

mode
The Administration Server database maintenance allows you to reduce the database volume,
improve the performance and operation reliability of the application. We recommend that you
maintain the Administration Server database at least every week.
Appendices
340
The Administration Server database maintenance is performed through the dedicated task. The
application performs the following actions when maintaining the database:
Checks the database for errors.
Re-organizes database indexes.
Updates the database statistics.
Shrinks the database (if necessary).
The Administration Server database maintenance task does not support MySQL. If you use
MySQL as the DBMS, the administrator will have to maintain the database on his or her own.
To create an Administration Server database maintenance task:
1. In the console tree, select the node of the Administration Server for which you want to
create a database maintenance task.
2. Select the Tasks folder.
This starts the New Task Wizard.
4. In the Select type window of the task Wizard, select Database maintenance as the task
type and click Next.
5. If you need to shrink the Administration Server database during maintenance, in the
Settings window of the Wizard, select the Shrink database check box.
The newly created task is displayed in the list of tasks in the workspace of the Tasks folder.
Only one database maintenance task can be running for a single Administration Server. If a
database maintenance task has already been created for an Administration Server, no new
database maintenance task can be created.
Appendices
341
Installing an application using Active
Directory group policies
Kaspersky Security Center allows you to install Kaspersky Lab applications by using Active
Directory group policies.
You can install applications using Active Directory group policies only by using installation
packages that include Network Agent.
To install an application using Active Directory group policies:
1. Run the creation of group remote installation task or remote installation task for specific
computers.
2. In the New Task Wizard's Settings window select the Assign the package installation in
the Active Directory group policies check box.
3. Run the created remote installation task manually or wait for its scheduled start.
This starts the following remote installation sequence:
1. After the task is started, the following objects are created in each domain that includes the
client computers from the specified set:
A group policy under the name Kaspersky_AK{GUID}
the Kaspersky_AK{GUID} security group that corresponds to the group policy. This
security group includes client computers covered by the task. The content of the
security group defines the scope of the group policy.
2. In this case, applications are installed on client computers directly from the application's
shared network folder named Share. In the Kaspersky Security Center installation folder,
an auxiliary nested folder will be created that contains the .msi file for the application to be
installed.
3. When new computers are added to the task scope, they are added to the security group
after the next task start. If the Run missed tasks check box is selected in the task
schedule, computers are added to the security group immediately.
Appendices
342
4. When computers are deleted from the task scope, they are deleted from the security group
after the next task start.
5. When a task is deleted from Active Directory, the policy, the link to the policy, and the
corresponding security group are deleted.
If you want to apply another installation scheme using Active Directory, you can configure the
required settings manually. This may be required in the following cases, for example:
when the anti-virus protection administrator does not have rights to make changes to the
Active Directory of certain domains;
when the original installation package needs to be stored on a separate network resource;
when it is necessary to link a group policy to specific Active Directory units.
The following options for using an alternative installation scheme through Active Directory are
available:
If installation is to be performed directly from the Kaspersky Security Center shared folder,
in the Active Directory group policy properties you must specify the .msi file located in the
exec subfolder of the installation package folder for the required application.
If the installation package has to be located on another network resource, you must copy
the whole exec folder content to it, because in addition to the file with .msi extension the
folder contains configuration files generated when the package was created. To install the
key with the application, copy the key file to this folder as well.
Features of using the management

interface
In this section:
How to return to a properties window that disappeared ........................................................... 344
How to navigate the console tree ............................................................................................ 344
How to open the object properties window in the workspace ................................................... 344
How to select a group of objects in the workspace .................................................................. 345
How to change the set of columns in the workspace ............................................................... 345
Appendices
343
How to return to a properties window that
disappeared
Sometimes an opened object properties window disappears from the screen. This happens
because the properties window is covered by the main application window (this situation is
characteristic of the Microsoft Management Console).
To go to the properties window that disappeared,
press ALT+TAB.
How to navigate the console tree

To navigate the console tree, you can use the following toolbar buttons:
One step back.
One step forward.
One level up.
You can also use a navigation chain located in the upper-right corner of the workspace. The
navigation chain contains the full path to the folder of the console tree in which you are currently
located. All elements of the chain, except for the last one, are links to the objects in the console tree.
How to open the object properties window

in the workspace
You can change the properties of the most Administration Console objects in the object properties
window.
To open the properties window of an object located in the workspace:
From the context menu of the object, select Properties.
Select an object and press ALT+ENTER.
Appendices
344
How to select a group of objects in the
workspace
You can select a group of objects in the workspace. You can use the selection of objects group to
create a set of computers for which you wish to create tasks later.
To select an objects range:
1. Select the first object in the range and press SHIFT.
2. Hold down the SHIFT key and select the last object in the range.
The range will be selected.
To group separate objects:
1. Select the first object in the group and press CTRL.
2. Hold down the CTRL key and select other objects that you want to include in the group.
The objects will be grouped.
How to change the set of columns in the

workspace
Administration Console allows you to change a set of columns displayed in the workspace.
To change a set of columns displayed in the workspace:
1. In the console tree, click the object for which you wish to change the set of columns.
2. In the Administration Console menu, select View Add/Remove columns.
3. In the window that opens, create a set of columns to be displayed.
Reference information
Tables of this section provide summary information about the context menu of Administration
Console objects, as well as about the statuses of console tree objects and workspace objects.
Appendices
345
In this section:
Using Update Agent as gateway ............................................................................................. 346
Using masks in string variables ............................................................................................... 347
Context menu commands ....................................................................................................... 347
About connections manager .................................................................................................... 351
User's rights to manage Exchange ActiveSync mobile devices ............................................... 352
About the administrator of virtual Server ................................................................................. 354
List of managed computers. Description ................................................................................. 354
Statuses of computers, tasks, and policies .............................................................................. 357
Using regular expressions in the search field .......................................................................... 359
Using Update Agent as gateway

If the Administration Server is outside the demilitarized zone (DMZ), Network Agents from this
zone cannot connect to the Server.
When connecting the Administration Server with Network Agents, you can use the Update Agent
as the gateway. The Update Agent opens a port to Administration Server for the connection to be
created. When the Administration Server is started, it connects to an Update Agent and maintains
this connection during the entire session.
Upon receiving a signal from the Administration Server, the Update Agent sends a UDP signal to
the Network Agents in order to allow connection to the Administration Server. When the Network
Agents receive that signal, they connect to the Update Agent, which exchanges information
between them and the Administration Server.
Appendices
346
Using masks in string variables
Using masks for string variables is allowed. When creating masks, you can use the following
regular expressions:
Wildcard character (*) any string of 0 or more characters.
Question mark (?) any single character.
[<range>] Any single character from the specified range or array.
For example: [09] any numeral; [abcdef] any of the characters a, b, c, d, e, f.
Context menu commands

This section lists Administration Console objects and corresponding context menu items (see table
below).
Table 6. Items of the context menu of Administration Console objects
Object Menu item Menu item purpose
General items of context Search Open the computers search

menu window.
Update Refresh the display of the selected

object.
Export list Export current lint to file.
Properties Open the properties window for the

selected object.
View Add/Remove Add or remove columns in the table

columns of objects in the workspace.
View Large icons Display objects in the workspace

as large icons.
View Small icons Display objects in the workspace

as small icons.
Appendices
347
View List Display objects in the workspace

as a list.
View Table Display objects in the workspace

as a table.
View Configure
Configure the display of
Administration Console elements.
Kaspersky Security Center Create Administration Add an Administration Server to the

Server console tree.
<The Administration Server Connect to Connect to Administration Server.

name> Administration Server
Disconnect from Disconnect from Administration

Administration Server Server.
Managed computers Install application Start the Application Remote

View Configure Configure the display of interface

interface elements.
Remove Remove the Administration Server

from the console tree.
Install application Start the Remote Installation

Wizard for the administration
group.
Reset Virus Counter Reset virus counters for client

computers included in the
Appendices
348
Virus Activity Create a report on virus activity of

client computers that are not
included in the administration
group.
Create Group Create an administration group.
All Tasks Create Create a structure of administration

groups structure groups based on the structure of
domains or Active Directory.
All tasks Show Start the New Message for User

Message Wizard intended for users of client
computers included in the
Managed computers Create Slave Start the Add Slave Administration

Administration Servers Administration Server Server Wizard.
Create Virtual Start the New Virtual Administration

Administration Server Server Wizard.
Create New selection Create a selection of computers.

Computer selections
All tasks Import Import selection from file.
Application Create Category Create a category of applications.

management Application
categories
Application Filter Configure a filter for the list of

management Applications applications.
registry
Application Monitored Applications Configure the publishing of events

management Applications on installation of applications.
registry
Appendices
349
Application management Remove applications that Clear the list of information about
Applications registry are not installed applications that are not installed
on computers of the network
anymore.
Application management Accept License Accepting the License Agreements

Software updates Agreements for updates of software updates.
Application management Add Key Add a key to the Administration

Kaspersky Lab software Server repository.
licenses
Activate application Start the Application Activation
Task Creation Wizard.
Keys Report Create and view a report on keys

on client computers.
Application management Create Licensed Creating a group of licensed

Third-party licenses usage applications group applications.
Mobile Device Management Create Mobile device Connecting a new user mobile
Mobile devices device.
Mobile Device Management Create Certificate Creating a certificate.

Certificates
Create Mobile device Connecting a new user mobile
device.
Remote installation Show current application View the list of up-to-date versions
Installation packages versions of Kaspersky Lab applications
available on web servers.
Create Installation Create an installation package.

package
All Tasks Update Update application databases in

databases installation packages.
Appendices
350
All Tasks Show the View the list of stand-alone

general list of stand- packages created for installation
alone packages packages.
Network polling Domains All tasks Computer Configure the response of the
Activity Administration Server to inactivity
of computers on the network.
Network polling IP subnets Create an IP subnet Create an IP subnet.
Repositories Updates Download updates Run the task of downloading

updates to the Administration
Server repository.
Updates download Configure the task of downloading

settings updates to the Administration
Server repository.
Anti-Virus Database Create and view a report on

Versions Report versions of databases.
All Tasks Clear Clear the repository of updates on

updates repository the Administration Server.
Repositories Hardware Create Device Creating a new device.
About connections manager

In this section you can specify the time intervals during which Network Agent sends data to the
Connect at specified time periods
Appendices
351
User's rights to manage Exchange
ActiveSync mobile devices
To manage mobile devices running under the Exchange ActiveSync protocol with Microsoft
Exchange Server 2010 or Microsoft Exchange Server 2013, make sure that the user is included in
a role group for which the following commandlets are allowed to execute:
Get-CASMailbox.
Set-CASMailbox.
Remove-ActiveSyncDevice.
Clear-ActiveSyncDevice.
Get-ActiveSyncDeviceStatistics.
Get-AcceptedDomain.
Set-AdServerSettings.
Get-ActiveSyncMailboxPolicy.
New-ActiveSyncMailboxPolicy.
Set-ActiveSyncMailboxPolicy.
Remove-ActiveSyncMailboxPolicy.
To manage mobile devices running under the Exchange ActiveSync protocol with Microsoft
Exchange Server 2007, make sure that the user has been granted the administrator rights. If the
rights have not been granted, execute the commandlets to assign the administrator rights to the
user (see the table below).
Appendices
352
Table 7. Administrator rights required for managing Exchange ActiveSync mobile devices
on Microsoft Exchange Server 2007
Access Object Cmdlet
Full Branch "CN=Mobile Mailbox Add-ADPermission -User <User or

Policies,CN=Your group name> -Identity "CN=Mobile
Organization,CN=Microsoft Mailbox Policies,CN=<Organization
Exchange,CN=Services,CN=Configurat name>,CN=Microsoft
ion,DC=yourdomain" Exchange,CN=Services,CN=Configura
tion,DC=<Domain name>" -
InheritanceType All -AccessRight
GenericAll
Read Branch "CN= Your Add-ADPermission -User <User or

Organization,CN=Microsoft group name> -Identity
Exchange,CN=Services,CN=Configurat "CN=<Organization
ion,DC= yourdomain" name>,CN=Microsoft
Exchange,CN=Services,CN=Configura
tion,DC=<Domain name>" -
InheritanceType All -AccessRight
GenericRead
Read/write Properties Add-ADPermission -User <User or

msExchMobileMailboxPolicyLink and group name> -Identity "DC=<Domain
msExchOmaAdminWirelessEnable for name>" -InheritanceType All -
objects in Active Directory AccessRight
ReadProperty,WriteProperty -
Properties
msExchMobileMailboxPolicyLink,
msExchOmaAdminWirelessEnable
Full Mailbox storages ms-Exch-Store-Admin Get-MailboxDatabase | Add-

for mailboxstorages ADPermission -User <user or group
name> -ExtendedRights ms-Exch-
Store-Admin
Appendices
353
For detailed information about how to use commandlets in Exchange Management Shell console,
please refer to the website of Microsoft Exchange Server Technical Support
http://technet.microsoft.com/en-us/library/bb123778(v=exchg.150).aspx.
About the administrator of virtual Server

An administrator of the enterprise network, which is managed by a virtual Server, starts Kaspersky
Security Center Web Console to view data about anti-virus protection in the name of the account
specified in this window.
If necessary, several administrator accounts can be created on a virtual Server.
The administrator of a virtual Administration Server is an internal user of Kaspersky Security

Center. No data on internal users is transferred to the operating system. Kaspersky Security
Center authenticates internal users.
List of managed computers. Description

The following table displays the names and respective descriptions of columns of the list of
managed computers.
Table 8. Descriptions of columns of the list of managed computers
Column name Value
Name The NetBios name of the client computer. The descriptions of

computer name icons are given in the Appendix (see section
"Statuses of computers, tasks, and policies" on page 357).
Operating system type The type of the operating system installed on the client computer.
Domain The name of the domain in which the client computer is located.
Agent installed
The result of installation of Network Agent on the client computer.
Agent running The result of Network Agent's operation.
Appendices
354
Column name Value
Connecting to Server The time period that has elapsed since the client computer had been
connected to the Administration Server.
Last update The time period that has elapsed since the last update of Kaspersky
Security Center Administration Server.
Status The current status of the client computer (OK, Critical, Warning).
Status description The reasons for the change of the client computer's status to Critical
or Warning.
The computer's status changes to Warning or Critical by the

following reasons:
Kaspersky Anti-Virus is not installed.
Too many viruses have been detected.
The real-time protection level differs from the one set by the
administrator.
A virus scan has not been performed for a long time.
The databases are obsolete.
The client computer has not been connected for a long time.
There are unprocessed objects.
Restart required.
Incompatible software is installed.
Vulnerabilities have been detected in applications.
Windows Updates has not been searched for a long time.
A certain state of data encryption.
The settings of the mobile device do not comply with the

policy.
There are unprocessed incidents.
The license expires soon.
Appendices
355
Column name Value
The computer's status changes to Critical only by the following
reasons:
The license has expired.
Connection with the client computer has been lost.
Protection is disabled.
Kaspersky Anti-Virus is not running.
Info update The time period that has elapsed since the client computer had been
last successfully synchronized with the Administration Server.
Domain name The domain name of the client computer.
DNS domain The main DNS suffix.
IP address The IP address of the client computer. It is recommended to use the

IPv4 address.
Last visible time The duration of the time period during which the client computer has
remained visible on the network.
On-demand scan The date and time of the last scan of the client computer performed
by the anti-virus application upon the user's request.
Viruses found The number of viruses found.
Real-time protection status The status of the real-time protection (Running, Stopped, Unknown).
Connection IP address The IP address that is used for connection to Kaspersky Security
Center Administration Server.
Network Agent version Version of the Network Agent.
Protection version The version of the anti-virus application installed on the client
computer.
Databases version The version of the anti-virus databases.
Appendices
356
Column name Value
Turn-on time The date and time when the client computer was last turned on.
Restart A restart of the client computer is required.
Update Agent The name of the computer that acts as the update agent for this
client computer.
Description The description of the client computer received as a result of a

network scan.
Encryption status The data encryption status of the client computer.
WUA status The state of Windows Update Agent on the client computer.
The "Yes" value corresponds to client computers that retrieve

updates through Windows Update from the Administration Server.
The "No" value corresponds to client computers that retrieve updates

through Windows Update from other sources.
Operating system bit size The bit size of the operating system installed on the client computer.
Statuses of computers, tasks, and policies

The table below contains a list of icons displayed in the console tree and in the Administration
Console workspace, next to the names of client computers, tasks, and policies. Those icons define
the statuses of objects.
Table 9. Statuses of computers, tasks, and policies
Icon Status
Computer with an operating system for workstations detected in the system and not
included in any of the administration groups.
Computer with an operating system for workstations included in an administration

group, with the OK status.

group, with the Warning status.
Appendices
357
Icon Status

group, with the Critical status.

group, which has lost its connection with the Administration Server.
Computer with an operating system for servers detected in the system and not included
in any of the administration groups.
Computer with an operating system for servers included in an administration group, with
the OK status.
the Warning status.
the Critical status.
Computer with an operating system for servers included in an administration group,

which has lost its connection with the Administration Server.
Mobile device detected in the network and included in none of the administration
groups.
Mobile device included in an administration group, with the OK status.
Mobile device included in an administration group, with the Warning status.
Mobile device included in an administration group, with the Critical status.
Mobile device included in an administration group, having lost its connection with the
Active policy.
Appendices
358
Icon Status
Inactive policy.
Active policy inherited from a top-level group.
Task (group task, Administration Server task, or task for specific computers) with the
Scheduled or Completed status.
Running status.
Completed with error status.
Task inherited from a top-level group.
Using regular expressions in the search

field
You can use the following regular expressions in the search field to search for specific words and
characters:
*. Replaces any sequence of characters. To search for such words as Server, Servers, or
Server room, enter expression Server* in the search field.
?. Replaces any single character. To search for such words as Word or Ward, enter the
W?rd expression in the search field.
Text in the search field cannot begin with the ? symbol.
[<range>]. Replaces any single character from a specified range or set. To search for any
numeral, enter the [0-9] expression in the search field. To search for one of the
charactersa, b, c, d, e, or fenter the [abcdef] expression in the search field.
Appendices
359
Use the following regular expressions in the search field to run a full-text search:
Space. You will see all computers whose descriptions contain any of the listed words. To
search for a phrase that contains the word Slave or Virtual (or both these words), enter the
Slave Virtual expression in the search field.
Plus sign (+), AND or &&. When a plus sign precedes a word, all search results will contain
this word. To find a phrase that contains both Slave and Virtual, you can enter
+Slave+Virtual, Slave AND Virtual, Slave && Virtual as the query in the
search field.
OR or ||. When placed between two words, it indicates that one word or the other can be
found in the text. To search for a phrase that contains such word as Slave or Virtual, you
can enter any of the following expressions in the search field: Slave OR Virtual, Slave
|| Virtual.
Minus sign (-). When a minus sign precedes a word, no search results will contain this
word. To search for a phrase that must contain such word as Slave and must not contain
such word as Virtual, you must enter the +Slave-Virtual expression in the search field.
"<some text>". Text enclosed in quotation marks must be present in the text. To search
for a phrase that contains such word combination as Slave Server, you must enter the
Slave Server expression in the search field.
Full-text search is available in the following filtering blocks:
In the event list filtering block, by the Event and Description columns.
In the user account filtering block, by the Name column.
In the applications registry filtering block, by the Name column if the Group applications
by name check box is cleared.
Appendices
360
Glossary
Active key
Key that is used at the moment to work with the application.
Additional key
A key that certifies the right to use the application but is not currently being used.
Administration Console
A Kaspersky Security Center component that provides a user interface for the administrative
services of Administration Server and Network Agent.
Administration group
A set of computers grouped together in accordance with the performed functions and the
Kaspersky Lab applications installed on those machines. Computers are grouped for convenience
of management as one single entity. A group can include other groups. A group can contain group
policies for each application installed in it and appropriate group tasks.
Administration Server client (Client computer)
A computer, server, or workstation on which Network Agent and managed Kaspersky Lab
applications are running.
Administrator rights
The level of the user's rights and privileges required for administration of Exchange objects within
an Exchange organization.
Anti-virus databases
Databases that contain information about computer security threats that are known to Kaspersky
Lab at the time of release of the anti-virus databases. Records that are contained in anti-virus
databases allow detecting malicious code in scanned objects. The anti-virus databases are created
by Kaspersky Lab specialists and updated hourly.
Application Shop
Component of Kaspersky Security Center. Application Shop is used for installing applications on
Android devices owned by users. Application Shop allows you to publish the apk files of
applications and links to applications in Google Play.
Authentication Agent
An interface for passing the authentication process to access encrypted hard drives and load the
operating system after the system hard drive has been encrypted.
Available update
A package of updates for the modules of a Kaspersky Lab application including a set of urgent
patches released during a certain time interval, and modifications to the application architecture.
Broadcast domain
A logical area of a computer network in which all nodes can exchange data using a broadcasting
channel at the level of OSI (Open Systems Interconnection Basic Reference Model).
Computer owner
A computer owner is a user whom the administrator can contact when the need arises to perform
certain operations with a client computer.
Glossary
362
Configuration profile
Policy that contains a collection of settings and restrictions for an iOS MDM mobile device.
Demilitarized zone (DMZ)
Demilitarized zone is a segment of a local network that contains servers, which respond to
requests from the global Web. In order to ensure the security of an organization's local network,
access to the LAN from the demilitarized zone is protected with a firewall.
EAS device
A mobile device connected to Administration Server over Exchange ActiveSync protocol. Devices
with the iOS, Android, and Windows Phone operating systems can be connected and managed
via the Exchange ActiveSync protocol.
Exchange ActiveSync Mobile Device Server
A component of Kaspersky Security Center that allows you to connect Exchange ActiveSync
mobile devices to the Administration Server. Installed on a client computer.
General certificate
A certificate intended for identifying the user's mobile device.
Group of licensed applications
A group of applications created on the basis of criteria set by the administrator (for example, by
vendor), for which statistics of installations to client computers are maintained.
Glossary
363
Group task
A task defined for an administration group and executed on all the client computers included in that
Home Administration Server
Home Administration Server is the Administration Server that was specified during Network Agent
installation. The home Administration Server can be used in settings of Network Agent connection
profiles.
Installation package
A set of files created for remote installation of a Kaspersky Lab application by using the Kaspersky
Security Center remote administration system. The installation package contains a range of
settings needed to install the application and get it running immediately after installation.
Parameter values correspond to application defaults. The installation package is created using files
with the .kpd and .kud extensions included in the application distribution kit.
Internal users
The accounts of internal users are used to work with virtual Administration Servers. Under the
account of an internal user, the administrator of a virtual Administration Server can start Kaspersky
Security Center Web Console to check the anti-virus security status of a network. Kaspersky
Security Center grants the rights of real users to internal users of the application.
The accounts of internal users are created and used only within Kaspersky Security Center. No
data on internal users is transferred to the operating system. Kaspersky Security Center
authenticates internal users.
Glossary
364
iOS MDM device
A mobile device that is connected to the iOS MDM Mobile Device Server over iOS MDM protocol.
Devices running on iOS operating system can be connected and managed over iOS MDM protocol.
iOS MDM Mobile Device Server
A component of Kaspersky Security Center, installed to a client computer and allowing connection
of iOS mobile devices to Administration Server and management of iOS mobile devices through
Apple Push Notifications (APNs) service.
iOS MDM profile
Collection of settings for connection of iOS mobile devices to Administration Server. The user
installs an iOS MDM profile to a mobile device, after which this mobile device connects to
Kaspersky Security Center administrator
The person managing the application operations through the Kaspersky Security Center system of
remote centralized administration.
Kaspersky Security Center operator
A component of Kaspersky Security Center installed together with Administration Server. Web
Server is designed for transfer of standalone installation packages, iOS MDM profiles, and files
from the shared folder over the network.

An infrastructure of cloud services that provides access to the online Knowledge Base of
Kaspersky Lab, which contains information about the reputation of files, web resources, and
software. The use of data from Kaspersky Security Network ensures faster responses by
Kaspersky Lab applications to threats, improves the effectiveness of some protection components,
and reduces the risk of false positives.
Glossary
365
KES device
A mobile device that is connected to Administration Server and managed through Kaspersky
Endpoint Security for Android.
Local task
A task defined and running on a single client computer.
MDM policy
A collection of application settings used for managing mobile devices through Kaspersky Security
Center. Different application settings are used to manage different types of mobile devices. A
policy includes the settings for complete configuration of all application features.
Mobile device server

A component of Kaspersky Security Center that provides access to mobile devices and allows
managing them through Administration Console.
Network Agent
A Kaspersky Security Center component that enables interaction between the Administration Server
and Kaspersky Lab applications that are installed on a specific network node (workstation or server).
This component is common for all of the company's products for Windows. Separate versions of
Network Agent exist for Kaspersky Lab products developed for Novell, Unix and Mac.
Network Location Awareness subnet

Network Location Awareness (NLA subnet) is a subnet that spans a set of computers specified
manually. Within the Kaspersky Security Center functionality, an NLA subnet may be used for
manual creation of a set of computers on which an Update Agent will distribute updates.
Glossary
366
P
Policy
A policy determines the settings of an application and manages the access to configuration of an
application installed on computers within an administration group. An individual policy must be
created for each application. You can create an unlimited number of various policies for
applications installed on computers in each administration group, but only one policy can be
applied to each application at a time within an administration group.
Profile
Collection of settings of Exchange ActiveSync mobile devices that define their behavior when
connected to a Microsoft Exchange server.
Provisioning profile
Collection of settings for applications operation on iOS mobile devices. A provisioning profile
contains information about the license; it is linked to a specific application.
Restoration
Relocation of the original object from Quarantine or Backup to its original folder where the object
had been stored before it was quarantined, disinfected or deleted, or to a user-defined folder.
Restoration of Administration Server data
Restoration of Administration Server data from the information saved in Backup by using the
backup utility. The utility can restore:
Information database of the Administration Server (policies, tasks, application settings,

events saved on the Administration Server).
Configuration information about the structure of administration groups and client computers.
Glossary
367
Repository of the installation files for remote installation of applications (content of the
folders: Packages, Uninstall Updates).
Administration Server certificate.
Role group
A group of users of Exchange ActiveSync mobile devices who are granted identical administrator
rights (see section "Administrator rights" on page 384).
Task
Functions performed by Kaspersky Lab's application are implemented as tasks, such as: Real-time
file protection, Full computer scan, Database update.
Task for specific computers
A task assigned for a set of client computers from arbitrary administration groups and performed
on those hosts.
Update Agent
Computer that has Network Agent installed and is used for update distribution, remote installation
of applications, collection of information about computers in an administration group and / or
broadcasting domain. Update Agents are designed to reduce the load on the Administration Server
during update distribution and to optimize network traffic. Update Agents can be assigned
automatically, by the Administration Server, or manually, by the administrator.
Glossary
368
V
Virtual Administration Server
A component of Kaspersky Security Center, designed for management of the protection system of
a client organization's network.
Virtual Administration Server is a particular case of a slave Administration Server and has the
following restrictions as compared with physical Administration Server:
Virtual Administration Server can be created only on master Administration Server.
Virtual Administration Server uses the master Administration Server database. Thus, the
following tasks are not supported on virtual Server: backup copying, restoration, updates
verification and updates downloading. These tasks exist only on master Administration
Server.
Virtual Server does not support creation of slave Administration Servers (including virtual
Servers).
Virus outbreak
A series of deliberate attempts to infect a computer with a virus.
Vulnerability
A flaw in an operating system or an application that may be exploited by malware makers to

penetrate into the operating system or the application and corrupt its integrity. A large number of
vulnerabilities in an operating system makes it unreliable, because viruses that have penetrated
into the operating system may cause operation failures in the operating system itself and in
installed applications.
Windows Server Update Services (WSUS)
An application used for distribution of updates for Microsoft applications on users' computers in an
organization's network.
Glossary
369
AO Kaspersky Lab
Kaspersky Lab is an internationally renowned vendor of systems for computer protection against
various types of threats, including viruses, malware, spam, network and hacker attacks.
In 2008, Kaspersky Lab was rated among the worlds top four leading vendors of information
security software solutions for end users (IDC Worldwide Endpoint Security Revenue by Vendor).
In Russia, according to IDC, Kaspersky Lab is the first choice among all vendors of computer
protection systems for home users (IDC Endpoint Tracker 2014).
Kaspersky Lab was founded in Russia in 1997. Today, Kaspersky Lab is an international group of
companies running 34 offices in 31 countries. The company employs more than 3000 qualified
specialists.
PRODUCTS. Kaspersky Labs products provide protection for all systemsfrom home computers
to large corporate networks.
The personal product range includes applications that provide information security for desktop,
laptop, and tablet computers, as well as for smartphones and other mobile devices.
The company offers solutions and technologies for protection and control of workstations and
mobile devices, virtual machines, file servers and web servers, mail gateways, and firewalls. The
company's portfolio also includes dedicated products aimed at protection against DDoS attacks,
protection of environments managed with industrial control systems, and fraud prevention. Used in
conjunction with Kaspersky Labs centralized management tools, these solutions ensure effective
automated protection against computer threats for organizations of any scale. Kaspersky Lab's
products are certified by the major test laboratories, are compatible with the software of many
suppliers of computer applications, and are optimized to run on many hardware platforms.
Kaspersky Labs virus analysts work around the clock. Every day they uncover hundreds of
thousands of new computer threats, create tools to detect and disinfect them, and include the
corresponding signatures in the databases used by Kaspersky Lab applications.
TECHNOLOGIES. Many technologies that are now part and parcel of modern anti-virus tools were
originally developed by Kaspersky Lab. It is no coincidence that the program kernel of Kaspersky
Anti-Virus is integrated in products made by many other software vendors, including: Alcatel-
Lucent, Alt-N, Asus, BAE Systems, Blue Coat, Check Point, Cisco Meraki, Clearswift, D-Link,
Facebook, General Dynamics, H3C, Juniper Networks, Lenovo, Microsoft, NETGEAR, Openwave
Messaging, Parallels, Qualcomm, Samsung, Stormshield, Toshiba, Trustwave, Vertu, and ZyXEL.
Many of the companys innovative technologies are patented.
ACHIEVEMENTS. Over the years, Kaspersky Lab has won hundreds of awards for its services in
combating computer threats. For example, in 2014, tests and researches conducted by the
renowned Austrian anti-virus lab AV-Comparatives rated Kaspersky Lab as one of the two leaders
in the number of Advanced+ certificates awarded, which brought the company the Top Rated
certificate. But Kaspersky Lab's main achievement is the loyalty of its users worldwide. The
companys products and technologies protect more than 400 million users, and its corporate clients
number more than 270,000.
Kaspersky Lab official site: http://www.kaspersky.com
Virus encyclopedia: http://www.securelist.com/
Anti-Virus Lab: http://newvirus.kaspersky.com (for scanning

unknown files and websites)
Kaspersky Lab web forum: http://forum.kaspersky.com
AO Kaspersky Lab
371
Information about third-party code
Information about third-party code is contained in a file named legal_notices.txt and stored in the
application installation folder.
About NAC/ARP Enforcement
technology
The NAC Solution/ARP Enforcement technology is legal technology dedicated to securing and
regulating access to a corporate network by ensuring device compliance to corporate security
policies.
User behavior and user obligations
The user agrees to comply with the applicable local, state, national, international, and
supranational laws and regulations as well as the specifications mentioned in the documentation or
the related transfer documents of the authorized dealer from whom the user purchased the
Software and
(a) not to use the Software for illegal purposes,
(b) not to transmit or store material that infringes intellectual property rights or any other
rights of third parties or is illegal, unauthorized, defamatory or offensive or invades the
privacy of third parties,
(c) not to transmit or store data owned by third parties, without obtaining beforehand
the consent prescribed by law of the owner of the data to the data transmission,
(d) not to transmit material containing software viruses or any other harmful computer
codes, files or programs,
(e) not to carry out any acts interfering with or interrupting the operation of the server or
networks associated with the software,
(f) not to attempt to gain unauthorized access to computer systems or networks

associated with the Software.
The user is restricted to using the software as intended and within the specific legal framework
conditions in their country. Please note that the use of this security Software within networks can
affect provisions of data protection law at the EU level and/or at EU member state level. Moreover,
in operational use also provisions of collective labor law may have to be observed.
Enhanced protection with
Kaspersky Security Network
Kaspersky Lab offers an extra layer of protection to users through the Kaspersky Security Network.
This protection method is designed to combat advanced persistent threats and zero-day attacks.
Integrated cloud technologies and the expertise of Kaspersky Lab virus analysts make Kaspersky
Endpoint Security the unsurpassed choice for protection against the most sophisticated network
threats.
Details on enhanced protection in Kaspersky Endpoint Security are available on the Kaspersky Lab
website.
Trademark notices
The registered trademarks and service marks are the property of their owners.
Active Directory, ActiveSync, Excel, Internet Explorer, Hyper-V, Microsoft, SQL Server, Tahoma,
Windows, Windows Server, Windows Phone, and Windows Vista are trademarks of Microsoft
Corporation registered in the United States and elsewhere.
Adobe is either registered trademark or trademark of Adobe Systems Incorporated in the United
States and/or elsewhere.
AirPlay, AirDrop, AirPrint, App Store, Apple, FaceTime, FileVault, iBook, iBooks, iPad, iPhone,
iTunes, Leopard, Mac OS,OS X, Safari, Snow Leopard, and Tiger are trademarks of Apple Inc.
registered in the United States and elsewhere.
AMD, AMD64 are trademarks of Advanced Micro Devices, Inc.
Apache and the Apache feather logo are trademarks owned by the Apache Software Foundation.
BlackBerry is owned by Research In Motion Limited and is registered in the United States and may
be pending or registered elsewhere.
The Bluetooth word, mark and logos are owned by Bluetooth SIG, Inc.
Cisco is a registered trademark or trademark of Cisco Systems, Inc. and / or its affiliates in the
United States and certain other countries.
Citrix, XenServer are trademarks of Citrix Systems, Inc. and / or its subsidiaries registered in the
United States Patent and Trademark Office and elsewhere.
Debian is a registered trademark of Software in the Public Interest, Inc.
Android, Chrome, Google, Google Play, Google Maps, and YouTube are trademarks of Google,
Inc.
Firefox is a registered trademark of the Mozilla Foundation.
FreeBSD is a registered trademark of FreeBSD foundation.

Oracle and Java are registered trademarks of Oracle and/or its affiliates.
QRadar is a trademark of International Business Machines Corporation, registered in many

jurisdictions worldwide.
Fedora and Red Hat Enterprise Linux are trademarks of Red Hat Inc. registered in the United
States of America and elsewhere.
Linux is a trademark owned by Linus Torvalds and registered in the U.S. and elsewhere.
Novell is a trademark owned by Novell, Inc. and registered in the United States and elsewhere.
Symbian is a trademark owned by the Symbian Foundation Ltd.
SPL, Splunk are trademarks of Splunk, Inc. registered in the United States and elsewhere.
UNIX is a trademark registered in the U.S. and elsewhere; use under license from X/Open
Company Limited.
VMware is a trademark of VMware, Inc., or a trademark owned by VMware, Inc. and registered in
the U.S. and elsewhere.
Trademark notices
376
Index
A
Active Directory ....................................................................................................................... 342
Addition
Administration Server ........................................................................................................... 89
client computer ................................................................................................................... 138
Administration groups ............................................................................................................... 68
Administration Server ................................................................................................................ 68
Administration Server certificate................................................................................................ 87
Anti-virus protection ................................................................................................................ 325
AO Kaspersky Lab .................................................................................................................. 370
Application licensing ........................................................................................................... 57, 59
Arrays ..................................................................................................................................... 326
B
Backup
task .................................................................................................................................... 335
utility ................................................................................................................................... 335
C
Certificate
general ....................................................................................................................... 158, 227
installing a certificate for a user .................................................................................. 158, 227
mail ............................................................................................................................ 158, 227
VPN............................................................................................................................ 158, 227

Cisco Network Admission Control ............................................................................................. 93
Client computers ....................................................................................................................... 73
connecting to the Server ..................................................................................................... 128
message to the user ........................................................................................................... 140
Clusters .................................................................................................................................. 326
Console tree ............................................................................................................................. 44
Context menu ................................................................................................................... 54, 347
D
Deleting
Administration Server ........................................................................................................... 89
policy .................................................................................................................................. 106
E
Encryption ............................................................................................................................... 263
Event selections
creating .............................................................................................................................. 167
settings ............................................................................................................................... 167
viewing the log.................................................................................................................... 166
Exchange ActiveSync mobile device ....................................................................................... 235
Exchange ActiveSync Mobile Device Server ........................................................................... 235
exec ........................................................................................................................................ 342
G
Group of licensed applications ................................................................................................ 190
Group tasks
filtering ............................................................................................................................... 124
inheriting............................................................................................................................. 119
Index
378
Groups
structure ............................................................................................................................... 99
I
Image...................................................................................................................................... 210
Importing
policies ............................................................................................................................... 108
tasks................................................................................................................................... 121
Installation
Active Directory .................................................................................................................. 342
iOS MDM mobile device.......................................................................................................... 239
IP subnet
creating .............................................................................................................................. 178
editing ........................................................................................................................ 177, 179
K
Key ......................................................................................................................................... 296
distribution .......................................................................................................................... 299
installation .......................................................................................................................... 297
removing ............................................................................................................................ 298
report.................................................................................................................................. 300
L
License ..................................................................................................................................... 58
End User License Agreement ............................................................................................... 57
key file .................................................................................................................................. 65
Limiting traffic............................................................................................................................ 93
Index
379
M
Management
client computer ................................................................................................................... 140
initial configuration................................................................................................................ 67
keys.................................................................................................................................... 296
policies ............................................................................................................................... 102
Managing the application ........................................................................................................ 102
Mobile users
profile ................................................................................................................................. 321
switching rules .................................................................................................................... 322
N
Network discovery................................................................................................................... 175
Network poll
Active Directory groups ...................................................................................................... 176
IP subnets .......................................................................................................................... 177
Windows network ............................................................................................................... 176
Notifications ............................................................................................................................ 163
P
Policies
activation ............................................................................................................................ 105
copying ............................................................................................................................... 107
exporting ............................................................................................................................ 107
importing ............................................................................................................................ 108
mobile users ....................................................................................................................... 319
removing ............................................................................................................................ 106
Policies and tasks conversion wizard .............................................................................. 108, 122
Index
380
Policy ........................................................................................................................................ 75
creating .............................................................................................................................. 104
Policy profile ........................................................................................................................... 109
Policy profile
creating .......................................................................................................................... 111

deleting .......................................................................................................................... 114
R
Report template
creating .............................................................................................................................. 160
Reports
delivery ............................................................................................................................... 161
generating .......................................................................................................................... 160
keys.................................................................................................................................... 300
viewing ............................................................................................................................... 160
Repositories
applications registry ............................................................................................................ 188
installation packages .......................................................................................................... 302
keys.................................................................................................................................... 296
S
Statistics ................................................................................................................................. 162
T
Task .......................................................................................................................................... 75
key adding .......................................................................................................................... 297
Tasks
backup copying .................................................................................................................. 335
changing Administration Server .......................................................................................... 139
Index
381
delivery of reports ............................................................................................................... 161
exporting ............................................................................................................................ 121
group tasks......................................................................................................................... 116
importing ............................................................................................................................ 121
local.................................................................................................................................... 118
managing client computers ................................................................................................. 140
running ............................................................................................................................... 124
viewing the results .............................................................................................................. 124
U
Update
distribution .................................................................................................. 288, 289, 290, 292
downloading ....................................................................................................................... 283
scanning ............................................................................................................................. 285
viewing ............................................................................................................................... 288
Update Agents ........................................................................................................................ 292
Updating the application.......................................................................................................... 196
User role
adding ................................................................................................................................ 230
User roles ............................................................................................................................... 153
User role
adding ............................................................................................................................ 154

assigning ....................................................................................................................... 155
V
Virtual Administration Server ..................................................................................................... 70
Vulnerability ............................................................................................................................ 193
Index
382

KASC Administrator Guide Full

Uploaded by

Copyright:

Available Formats

KASC Administrator Guide Full

Uploaded by

Document Information

Copyright

Available Formats

Share this document

Share or Embed Document

Sharing Options

Did you find this document useful?

Is this content inappropriate?

Copyright:

Available Formats

KASC Administrator Guide Full

Uploaded by

Copyright:

Available Formats

Kaspersky Security Center 10

Application version: 10 Service Pack 2

Document revision date: 1/18/2016

2016 AO Kaspersky Lab. All Rights Reserved.

Document conventions .............................................................................................................. 18

Sources of information about the application (see page 20)

Kaspersky Security Center (see page 23)

Application interface (see page 42)

Quick Start Wizard (see page 67)

Basic concepts (see page 68)

This section explains basic concepts related to Kaspersky Security Center.

Managing Administration Servers (see page 82)

Managing administration groups (see page 95)

This section provides information about how to handle administration groups.

Managing applications remotely (see page 102)

Managing client computers (see page 126)

This section provides information about how to handle client computers.

Working with reports, statistics, and notifications (see page 159)

About this document

Managing applications on client computers (see page 183)

Remote installation of operating systems and applications (see page 208)

Mobile Device Management (see page 218)

Self Service Portal (see page 257)

Data encryption and protection (see page 263)

Inventory of equipment detected on the network (see page 279)

About this document

Working with application keys (see page 296)

Data repositories (see page 301)

Contacting the Technical Support Service (see page 315)

This section lists terms used in the guide.

AO Kaspersky Lab (see page 370)

This section provides information about AO Kaspersky Lab.

Information about third-party code (see page 372)

Trademark notice (see page 375)

This section contains registered trademark notices.

This section helps you find necessary data quickly.

About this document

Table 1. Document conventions

Sample text Document conventions description

Warnings are highlighted with red color and boxed. Warnings

Notes are boxed. Notes contain additional and reference

Examples are given on a blue background under the heading

Update means... The following elements are italicized in the text:

The Databases are out of date New terms.

Introductory phrases of instructions are italicized and

About this document

The following message then text in the command line;

<User name> Variables are enclosed in angle brackets. Instead of a

About this document

This section lists the sources of information about the application.

Discussing Kaspersky Lab applications on the forum ................................................................ 22

Sources for unassisted search of

Kaspersky Security Center page on the Kaspersky Lab website.

Kaspersky Security Center page on the Technical Support Service website.

An Internet connection is required to use online information sources.

On the Kaspersky Security Center page (http://www.kaspersky.com/security-center), you can view

Page of Kaspersky Security Center in the Knowledge Base

Knowledge Base is a section on the Technical Support website.

On the Kaspersky Security Center page (http://support.kaspersky.com/ksc10), you can read

Application documentation consists of the files of application guides.