Kaspersky Endpoint Security protects computers running macOS against viruses and other computer security threats.
File Threat Protection
File Threat Protection safeguards the computer's file system in real time by intercepting and analyzing any attempts to access files.
Web Threat Protection
Web Threat Protection secures information sent and received by the computer over the HTTP and HTTPS protocols in Safari, Google Chrome, and Firefox.
Network Threat Protection
Network Threat Protection prevents intrusions into the operating system. This component protects against cyberattackers (who use port scanning and brute-force attacks) and the malware they install (including malware that tries to send personal data to criminals).
Scan
Kaspersky Endpoint Security detects and neutralizes viruses and other computer security threats on demand in the specified scan scope. Kaspersky Endpoint Security can run a full scan of the computer, a quick scan of critical areas, and a scan of the specified scope.
Update
Kaspersky Endpoint Security updates application databases and modules from Kaspersky update servers, distribution points, or other sources specified by your system administrator and creates backup copies of all updated files to allow a rollback of the last update.
Backup
Kaspersky Endpoint Security creates a backup copy of infected files prior to any attempt to disinfect or delete them, making it possible for you to restore them.
Reports
Kaspersky Endpoint Security generates reports about events and actions involving application components.
Notifications
Kaspersky Endpoint Security uses notifications to inform you about certain events in the operation of Kaspersky Endpoint Security. Notifications can be accompanied by sound.
Protection Center
Kaspersky Endpoint Security displays protection status messages in Protection Center. Protection Center shows information on the status of computer protection and how to eliminate computer security problems and threats.
Remote management of the application via Kaspersky Security Center
You can remotely manage protection of computers with Kaspersky Endpoint Security installed: receive information on the current computer protection status, remotely fix issues, respond to computer security threats, enable or disable protection components (File Threat Protection, Web Threat Protection, Network Threat Protection), enable or disable Web Control, run scan tasks, update application databases, run startup disk encryption, and manage Kaspersky Endpoint Security licenses and subscriptions. You can use the following tools to manage Kaspersky Endpoint Security:
Kaspersky Security Center Administration Console.
Kaspersky Security Center Web Console and Cloud Console.
Note: The functionality supported by Kaspersky Endpoint Security depends on which management tool you use.
FileVault Disk Encryption
Kaspersky Endpoint Security allows FileVault encryption to be managed remotely. Encryption prevents unauthorized users from accessing sensitive data stored on the startup disk of the user's computer.
Note: The FileVault Disk Encryption feature is available in Kaspersky Security Center 10 SP3 or later. For more information, contact Kaspersky Technical Support.
Web Control
You can remotely manage access to websites that users visit. You can allow or block access to specific web addresses or groups of web addresses. You can also allow or block access to certain categories of websites based on their content.
Comparison of Kaspersky Endpoint Security functions depending on the Kaspersky Security Center management tool
The functionality supported by Kaspersky Endpoint Security depends on which management tool you use (see the table below).
You can use the following tools to manage Kaspersky Endpoint Security:
Kaspersky Security Center Administration Console. A Microsoft Management Console (MMC) snap-in installed on the Kaspersky Security Center administrator's workstation.
Kaspersky Security Center Web Console. A component of Kaspersky Security Center that is installed on the Administration Server. You can work with the Web Console using a browser on any computer that has access to the Administration Server.
Kaspersky Security Center Cloud Console. The cloud version of Kaspersky Security Center.
Comparison of Kaspersky Endpoint Security features
Kaspersky Endpoint Security has the following hardware and software requirements:
Intel-based Mac
4 GB of memory (RAM)
2 GB of free disk space
Operating system macOS 10.13-12
Note: Kaspersky Endpoint Security version 11.1 can be used on macOS 12 with some limitations. For more details, see Known issues and limitations. To avoid these limitations, install Kaspersky Endpoint Security version 11.2 Patch C or later.
Internet connection
Supported browsers:
Safari
Chrome
Firefox
Kaspersky Endpoint Security is compatible with the following virtualization tools:
Parallels Desktop 16 for Mac Business Edition
VMware Fusion 11.5 Professional
VMware Fusion 12 Professional
You can manage Kaspersky Endpoint Security remotely via Kaspersky Security Center. Kaspersky Security Center 12.0 is required for managing Kaspersky Endpoint Security using the administration plug-in for Kaspersky Security Center Administration Console and the web plug-in for Kaspersky Security Center Web Console.
Note: To manage Kaspersky Endpoint Security for Mac 11.1 via Kaspersky Security Center, you must install Network Agent version 12 on remote computers.
Remove Kaspersky Internet Security for Mac or any other anti-virus applications to avoid system conflicts and maximize system performance.
Note: Before installing Kaspersky Endpoint Security remotely, we recommend that you download the KES_profile.zip archive from the Kaspersky Technical Support website and apply the KES_profile.mobileconfig configuration profile on the client computer using Apple Remote Management tools. This allows Kaspersky Endpoint Security to get the following: permissions to install the kernel extension and the system extension, full disk access, and permissions to configure network connections.
Remotely via Kaspersky Security Center Web Console or Kaspersky Security Center Cloud Console.
For detailed information about deploying Kaspersky applications using Kaspersky Security Center Web Console, see the Kaspersky Security Center help. For detailed information about deploying Kaspersky applications using Kaspersky Security Center Cloud Console, see the Kaspersky Security Center Cloud Console help.
After Kaspersky Endpoint Security is installed, you can do the following:
Activate Kaspersky Endpoint Security. When the application is activated, Kaspersky Endpoint Security starts protecting your computer, and you can regularly update application databases and modules, perform virus scan tasks, and send requests to Technical Support.
Open the DMG file of the application distribution kit.
In the window with the contents of the distribution kit, double-click Uninstall Kaspersky Endpoint Security.
The Kaspersky Endpoint Security uninstaller starts.
In the uninstaller window, click Uninstall.
In the prompt for administrator credentials, enter an administrator name and password and confirm that you want to uninstall Kaspersky Endpoint Security.
Uninstallation of Kaspersky Endpoint Security starts.
Read the information about completion of uninstallation and click Quit to quit the uninstaller.
Kaspersky Endpoint Security is now uninstalled from your computer. You don't have to restart your computer after uninstalling the application.
Kaspersky Endpoint Security starts on your computer right after installation. To protect your Mac right away, the application prompts you to perform the basic setup:
Grant the necessary permissions to Kaspersky Endpoint Security to protect your Mac against malware, network attacks and Internet threats.
For more information about the permissions you are granting, click .
Note: An Internet connection is required for basic setup of Kaspersky Endpoint Security.
On computers running macOS 10.13, Kaspersky Endpoint Security prompts you to grant permissions to Kaspersky Endpoint Security to install drivers that the application needs to work properly.
In the Essential Protection window, do the following actions to ensure that File Threat Protection functions properly:
If you want Kaspersky Endpoint Security to detect dangerous file activity and processes attempting to run on your Mac, and monitor web traffic and network content, then install the kernel extension. To do this, click Install next to the Kernel extension item and follow the instructions on the screen.
If you want Kaspersky Endpoint Security to work properly, allow Kaspersky Endpoint Security to scan every file on your Mac. To do this, click Allow next to the Full disk access item and follow the instructions on the screen.
Important: Kaspersky Endpoint Security will not work properly without granting these permissions. You must grant all permissions in the Essential Protection window.
In the Essential Protection window, do the following actions to ensure that File Threat Protection and Web Threat Protection function properly:
If you want File Threat Protection to monitor dangerous file activity and processes attempting to run on your Mac, install the system extension. To do this, click Install next to the System extension item and follow the instructions on the screen.
If you want Kaspersky Endpoint Security to work properly, allow Kaspersky Endpoint Security to scan every file on your Mac. To do this, click Allow next to the Full disk access item and follow the instructions on the screen.
If you want Web Threat Protection to inspect network packets before they can harm your Mac, allow network content filtering. To do this, click Allow next to the Network content filtering item and follow the instructions on the screen.
If you want Kaspersky Endpoint Security to search for malware and Internet threats in encrypted HTTPS traffic, allow encrypted web traffic inspection. To do this, click Allow next to the Encrypted web traffic inspection item and follow the instructions on the screen.
Important: Kaspersky Endpoint Security will not work properly without granting these permissions. You must grant all permissions in the Essential Protection window.
In the menu bar, click the application icon and choose Kaspersky Endpoint Security.
Purpose of the main application window
In the main window of Kaspersky Endpoint Security, you can view information about the status of computer protection, File Threat Protection, Web Threat Protection, and Network Threat Protection, and the progress of scan and update tasks.
In the main application window, you can also do the following:
Open the Scan window to manage scan tasks.
Open the Update window to manage the update task.
Open the Licensing window to manage application keys.
Open Protection Center.
Controls of the main application window
The main application window includes the following controls:
Protection status indicator (determines the color of the main application window)
Buttons at the bottom of the main application window
Green indicates that computer protection is at an optimal level.
Yellow and red warn of the presence of various problems related to how Kaspersky Endpoint Security is configured or operating.
In addition to the protection status indicator, the main application window describes the computer protection status and displays information from Protection Center about the latest computer security issues and threats. If a scan task is running, information on its progress (percent complete) is also displayed in the main application window below the Scan button.
You can perform the following actions by clicking the buttons at the bottom of the main application window:
Open the scan tasks window: Quick Scan, Full Scan, and Custom Scan.
As soon as Kaspersky Endpoint Security is installed, the Kaspersky Endpoint Security icon appears in the menu bar. When the application is activated, the application icon shows the status of the application. If the application icon is active, it means that all or some of the protection components are enabled. If the application icon is inactive, then all of the protection components are disabled.
In the menu bar, click the application icon and choose Preferences.
In the menu bar, click Kaspersky Endpoint Security > Preferences.
If Kaspersky Endpoint Security is running, click the application icon in the Dock and choose Preferences.
Application preferences can be accessed quickly using the following tabs in the upper part of the preferences window:
Essential. On this tab, you can enable or disable computer protection and configure File Threat Protection, Web Threat Protection, and Network Threat Protection preferences.
Scan. On this tab, you can configure the preferences of scan tasks and scheduled startup of scan tasks.
Threats. On this tab, you can select the categories of objects to be detected, create Trusted Zone, and configure Backup preferences.
Advanced. On this tab, you can join or opt out of participating in Kaspersky Security Network.
Update. On this tab, you can configure application update preferences or roll back to the previous version of application databases.
Interface. On this tab, you can configure preferences for the Kaspersky Endpoint Security icon, notifications, and reports, and enable or disable the logging of debugging information in a trace file.
Using the button, you can block users without administrator rights from editing the Kaspersky Endpoint Security preferences. This button is in the lower part of the application preferences window. To edit the preferences, you must enter the administrator's credentials.
Clicking the button opens the Kaspersky Endpoint Security help, which describes all the preferences in the current application window. You can also open the help topic for the active application window by selecting Open Help for This Window in the Help menu.
Kaspersky Endpoint Security displays notifications to inform you of application events. Depending on the version of the operating system installed on the computer, notifications appear in the operating system's Notification Center. The appearance of notifications depends on the options set in the operating system's Notification preferences.
Kaspersky Endpoint Security events are divided into three types according to their importance:
Critical – events that pose a dangerous threat to computer security (detection of malicious objects, vulnerabilities, problems with Kaspersky Endpoint Security). Critical events require your immediate attention. We recommend that you not disable notifications about critical events.
Important – events that do not require your immediate attention but may pose a threat to computer security in the future.
Informational – events reported for your information.
In the menu bar, click the application icon and choose Preferences.
The application preferences window opens.
On the Interface tab, in the Reports section, select the Log non-critical events checkbox to receive notifications about informational Kaspersky Endpoint Security events.
Regardless of whether notifications are enabled or disabled, the application reports include information about events that occur while Kaspersky Endpoint Security is running.
Notifications can be accompanied by sound (for example, notifications about a detected virus). You can disable the sound alert.
In the menu bar, click the application icon and choose Preferences.
The application preferences window opens.
On the Interface tab, in the Notifications section, deselect the Turn on alert sounds on malware detection checkbox.
If an action is required in response to an event, Kaspersky Endpoint Security displays a notification window. For example, when the application detects a malicious object, it prompts you to delete or disinfect the object. The notification window disappears from the screen only after one of the actions is selected.
The End User License Agreement (License Agreement) is a binding agreement between you and AO Kaspersky Lab that stipulates the terms on which you may use the application.
Important: Carefully read the License Agreement before you start using the application.
You can view the terms of the End User License Agreement using the following methods:
During installation of Kaspersky Endpoint Security
By reading the license.txt document in the application installation folder
By installing Kaspersky Endpoint Security, you confirm that you understand and accept the terms of the End User License Agreement. If you don't accept the terms of the End User License Agreement, cancel installation of Kaspersky Endpoint Security and don't use the application.
A license is a time-limited right to use the application, granted under the terms of the End User License Agreement.
A license entitles you to the following kinds of services:
Use of the application in accordance with the terms of the End User License Agreement
Getting technical support
The scope of services and validity period depend on the type of license under which the application was activated.
The following license types are provided:
Trial. A free license intended for trying out the application.
A trial license usually has a short term. When the trial license expires, all Kaspersky Endpoint Security features become disabled. To continue using the application, you need to purchase a commercial license.
You can activate the application under a trial license only once.
Commercial. A paid license granted upon purchase of the application.
When the commercial license expires, key features of the application become disabled. To continue using Kaspersky Endpoint Security, you must renew your commercial license. If you are not planning to renew your license, you must remove the application from your computer.
We recommend renewing the license before it expires, to ensure maximum protection against all security threats.
A subscription for Kaspersky Endpoint Security is a purchase order for the application with specific parameters (expiry date, number of devices protected). You can order a subscription for Kaspersky Endpoint Security from your service provider (such as your ISP). You can manage your subscription in the member area on the service provider's website. For example, you can renew or cancel your subscription, reduce its term, or change the number of devices protected under your subscription.
A subscription can be limited (for one year, for example) or unlimited (without an expiration date). To keep Kaspersky Endpoint Security working after expiration of a limited subscription term, you have to renew it manually. An unlimited subscription is renewed automatically as long as you have paid the service provider in advance.
If you use the application under a limited subscription, when the subscription expires you will be given a grace period to renew your subscription. The application remains functional during the grace period.
After your subscription to updates expires and after the grace period for subscription renewal ends, Kaspersky Endpoint Security remains functional but stops updating application databases.
After your subscription to updates and protection expires and after the grace period for subscription renewal ends, Kaspersky Endpoint Security stops protecting your computer.
To use Kaspersky Endpoint Security under subscription, you have to add the activation code received from the service provider. When you use the application under subscription, you cannot use a different activation code for renewing your subscription. You can apply a different activation code only after the subscription expires or if you cancel the subscription. To cancel your subscription, contact the service provider from which you bought Kaspersky Endpoint Security.
Note: A different subscription activation code can be applied only when the active key is deleted. The subscription doesn't have a key file. You can't add the subscription as a reserve key. A reserve key cannot be added when the subscription is used.
If you are already using Kaspersky Endpoint Security under a valid license but want to use the application under subscription instead, remove the current active key so that you can activate the application using a subscription key. The activation code that was previously used to activate the application on this computer can be used on a different computer.
Note: Possible subscription options may vary with each service provider. Some service providers may also choose not to provide a grace period for renewing subscriptions.
A key is a sequence of bits that you can apply to activate and then use the application in accordance with the terms of the End User License Agreement. Keys are generated by Kaspersky specialists.
You can add a key to the application using one of the following methods: by applying a key file or by entering an activation code. The key is displayed in the application interface as a unique alphanumeric sequence after you add it to the application.
Kaspersky may block the key if the terms of the License Agreement have been violated. If the key has been blocked, you need to add another one if you want to use the application.
A key can be active or reserve.
An active key is a key that is currently used by the application. An active key can be added for a trial or commercial license or a subscription. The application cannot have more than one active key.
A reserve key is a key that entitles the user to use the application, but is not currently in use. The reserve key automatically becomes active when the license associated with the current active key expires. A reserve key can be added only if an active key has already been added.
A trial license key can be added as the active key. A key for the trial license cannot be added as the reserve key. A reserve key cannot be added when the trial license key is active.
An activation code is a unique sequence of 20 letters and numbers. You have to enter an activation code in order to add a license key for activating Kaspersky Endpoint Security. You receive the activation code at the email address that you provided when you bought Kaspersky Endpoint Security or requested the trial version of Kaspersky Endpoint Security.
To activate the application with an activation code, you need Internet access in order to connect to Kaspersky activation servers.
If you have lost your activation code after installing the application, it can be recovered. You may need the activation code to register a Kaspersky CompanyAccount, for example. To recover your activation code, contact Kaspersky Technical Support.
A key file is a file with the .key extension provided to you by Kaspersky. Key files are designed to activate the application by adding a license key.
You receive a key file at the email address that you provided when you bought Kaspersky Endpoint Security or ordered the trial version of Kaspersky Endpoint Security.
You do not need to connect to Kaspersky activation servers in order to activate the application with a key file.
You can restore a key file if it has been accidentally deleted. You may need a key file to register a Kaspersky CompanyAccount, for example.
To restore your key file, perform any of the following actions:
Contact the license seller.
Receive a key file through the Kaspersky website by using your available activation code.
When activating Kaspersky Endpoint Security by the activation code, in order to verify legitimate use of the application and to provide statistical information on the distribution and use of Kaspersky products, you agree to automatically provide the following information during use of Kaspersky Endpoint Security:
The type, version and localization of the installed Software.
The versions of the installed updates.
The identifier of the computer and the identifier of the Software installation on the computer.
The activation code and unique activation identifier for the current license.
The type, version and word size of the operating system.
The name of the virtual environment when the Software is installed in a virtual environment.
The identifiers of the Software components that are active at the time the information is provided.
The supported data source.
Timeout.
Date and time on the user's computer.
Protocol version.
Protocol content type.
Protocol content length.
The type of data compression used.
The type of signature on the activation ticket.
Regional Activation Center identifier.
Activation code hash calculated using the SHA1 algorithm.
Ticket body hash calculated using the SHA1 algorithm.
License ticket creation date and time.
License activation identifier.
Current license ticket identifier.
License ticket sequence identifier.
Date and time of license activation.
Date and time of license expiration.
License status.
License version.
The unique identifier of the user's computer.
License ticket header version.
Application name.
Transferred data type.
Transferred data scheme version.
The full version of the operating system.
Description of the used virtual machine.
List of IDs for compatible applications.
When you use Kaspersky update servers to download the updates, in order to increase the efficiency of the update procedure, you agree to periodically provide the following information for the application identification during database and module updates:
Software ID (AppID).
Active license ID.
Unique software installation ID (InstallationID).
Unique update task launch ID (SessionID).
Version of application (BuildInfo).
Kaspersky Security Network (KSN) Statement
Use of the KSN may increase the Software's speed of reaction to information and network security threats. The declared purpose is achieved by:
Determining the reputation of scanned objects.
Identifying information security threats that are new and challenging to detect, and their sources.
Taking prompt measures to increase the protection of the data stored and processed by a user with the computer.
Reducing the likelihood of false positives.
Increasing the efficiency of application components.
Investigating an infection of a user's computer.
Improving the performance of the Kaspersky products.
Receiving reference information about the number of objects with known reputation.
Promptly identifying and correcting errors related to the installation, removal, and updating of the product.
During use of the KSN, Kaspersky will automatically receive and process data. The data transmitted by the user depends on the type of license installed and the Kaspersky Security Network use preferences specified.
If you use a license for 1-4 nodes, Kaspersky will automatically receive and process the following data during use of the Kaspersky Security Network:
Information about the license used: the type and validity period of the license, number of days till license expiration, identifier of the partner from whom the license was purchased, Regional Activation Center identifier, checksum of the activation code, ticket body hash calculated using the SHA1 algorithm, license ticket creation date and time, license information identifier, license ticket identifier, license ticket sequence identifier, unique identifier of the user's computer, date from which the license ticket is valid, date to which the license ticket is valid, license ticket current state, ticket header version, license version, ticket header signature certificate identifier, checksum of the key file, ticket header signer serial number, authentication token.
Full version of installed Software; type of installed Software; Software update ID; ID of reputation service; protocol type ID; ID of a regional activation center; version of list of revoked Software service's decisions; ID of the triggered record in the Software's anti-virus databases; timestamp of the triggered record in the Software's anti-virus databases; type of the triggered record in the Software's anti-virus databases; unique ID of the instance of application installation on the computer; license activation date; license expiration date; license identifier; status of the license used by the Software; checksum type for the object being processed; name of the detected malware or legitimate software that can be used to damage the user's device or data; checksum of the object being processed; checksum of the Software activation code; full version of the Software; unique device ID; Software ID; checksum of the Software key file; ID of the information model used to provide the Software license; identifier of the certificate used to sign the Software license ticket header; the Software license ticket create date and time; the Software license ticket checksum; the Software license ticket version; the Software activation code version; format of the data in the request to Rightholder infrastructure; current license ticket ID; the Software component ID; the result of the Software action; error code; accessed address of the web service (URL, IP); port number; web address of the source of the web service request (referrer).
If you use a license for 5 or more nodes, Kaspersky will automatically receive and process the following data during use of the Kaspersky Security Network:
Information about the version of the operating system (OS) and service packs installed on the computer, version and checksums (MD5, SHA2-256, SHA1) of the OS kernel file, parameters of the OS run mode.
Information about the failed last OS reboot: number of failed reboots.
Information about the Kaspersky installed application and the anti-virus protection status: unique identifier of the instance of application installation on the computer, application type, ID of application type, the full version of the application installed, the identifier of the application settings version, the identifier of the computer type, the unique identifier of the computer on which the application is installed, the unique User identifier in the Kaspersky services, locale language and operation state, version of the installed Software components and their operation state, version of the protocol used to connect with the Kaspersky services.
Full version of installed Software; type of installed Software; Software update ID; ID of reputation service; protocol type ID; ID of a regional activation center; version of list of revoked Software service's decisions; ID of the triggered record in the Software's anti-virus databases; timestamp of the triggered record in the Software's anti-virus databases; type of the triggered record in the Software's anti-virus databases; unique ID of the instance of application installation on the computer; license activation date; license expiration date; license identifier; status of the license used by the Software; checksum type for the object being processed; name of the detected malware or legitimate software that can be used to damage the user's device or data; checksum of the object being processed; checksum of the Software activation code; full version of the Software; unique device ID; Software ID; checksum of the Software key file; ID of the information model used to provide the Software license; identifier of the certificate used to sign the Software license ticket header; the Software license ticket create date and time; the Software license ticket checksum; the Software license ticket version; the Software activation code version; format of the data in the request to Rightholder infrastructure; current license ticket ID; the Software component ID; the result of the Software action; error code; accessed address of the web service (URL, IP); port number; web address of the source of the web service request (referrer).
Information about all scanned objects and operations: the name of the scanned object, the date and time of the scan, the URL- and Referrer addresses from which it was downloaded, the size of scanned files and the paths to them, the archive sign, the date and time of the file's creation, the name, size and checksums (MD5, SHA2-256) of the packer (if the file was packed), the file's entropy, the file's type, the file type code, the executable file sign, ID and format, the object's checksum (MD5, SHA2-256), the type and value of the object's supplementary checksum, data about the object's digital signature (certificate): data on the certificate's publisher, number of starts of the object since the last statistics delivery, ID of the application's scanning task, the means of receiving information about the object's reputation, the value of the target filter, technical parameters of the applicable detection technologies.
For executable files: the entropy of the file sections, reputation verification flag or file signature flag, name, type, ID type, checksum (MD5) and the size of the application that was loaded by the object being validated, the application path and template paths, an attribute indicating presence in the Autorun list, date of entry, the list of attributes, name of the packer, information about the digital signature of the application: the publisher certificate, the name of the uploaded file in the MIME format, file build date and time.
Information about the applications launched and their modules: checksums (MD5, SHA2-256) of running files, size, attributes, creation date, name of the packer (if the file was packed), names of files, information about processes running on the system (process ID (PID), process name, information about the account the process was started from, the application and command that started the process, the full path to the process's files, and the starting command line, a description of the application that the process belongs to (the name of the application and information about the publisher), as well as the digital certificates being used and information needed to verify their authenticity or information about the absence of a file's digital signature), and information about the modules loaded into the processes: their names, sizes, types, creation dates, attributes, checksums (MD5, SHA2-256, SHA1), the paths to them, PE-file header information, names of packers (if the file was packed), information about the availability and validity of these statistics, identifier of the mode for generating the statistics being sent.
If threats or vulnerabilities are detected, in addition to information about the detected object, information is provided about the identifier, version, and type of the record in the anti-virus database, the name of the threat based on the Kaspersky classification, the date and time of the last update of the anti-virus database, executable file name, the checksum (MD5) of the application file that requested the URL where the threat was detected, the IP address (IPv4 or IPv6) of the detected threat, the vulnerability identifier and its threat level, the URL and Referrer of the web page where the vulnerability was detected.
If a potentially malicious object is detected, information is provided about data in the processes' memory.
Network attack information: IP address of the attacking computer and number of the port on the user's computer targeted by the network attack, ID of the attack protocol, name and type of attack.
Information about network connections: version and checksums (MD5, SHA2-256, SHA1) of the file from which the process that opened the port was started, the path to the process's file and its digital signature, local and remote IP addresses, numbers of local and remote connection ports, connection state, timestamp of the port's opening.
The URL and IP address of the web page where harmful or suspicious content was detected, the name, size, and checksum of the file that requested the URL, the identifier, weight and degree of the rule used to reach a verdict, the objective of the attack.
Information about updates of the installed application and anti-virus databases: status of completion of the update task, type of error that may have occurred during the update process, the number of unsuccessful updates, the identifier of the application component that performs updates.
Information about the use of Kaspersky Security Network (KSN): KSN identifier, application identifier, full version of the application, depersonalized IP address of the user's device, indicators of the quality of fulfillment of KSN requests, indicators of the quality of the processing of KSN packets, indicators of the number of KSN requests and information about the types of KSN requests, date and time when statistics began being sent, date and time when statistics finished being sent, information about KSN configuration updates: identifier of the active configuration, identifier of the configuration received, error code of the configuration update.
Information about system log events: event time, name of the log where the event has been detected, type and category of event, name of the event source and event description.
Information to determine the reputation of files and URL-addresses: the URL-address at which the reputation is being requested and the Referrer, the connection's protocol type, the internal identifier of the application type, the number of the port being used, the User identifier, checksum of the scanned file (MD5), type of the detected threat, information about the record used to detect a threat (record identifier for the anti-virus databases, the record timestamp and type).
Data on the application territorial distribution: date of the application installation and activation, ID of the partner providing the license for the application activation, application ID, application language localization ID, license serial number for the application activation, KSN participation sign.
Information about the license used: the type and validity period of the license, number of days till license expiration, identifier of the partner from whom the license was purchased, Regional Activation Center identifier, checksum of the activation code, ticket body hash calculated using the SHA1 algorithm, license ticket creation date and time, license information identifier, license ticket identifier, license ticket sequence identifier, unique identifier of the user's computer, date from which the license ticket is valid, date to which the license ticket is valid, license ticket current state, ticket header version, license version, ticket header signature certificate identifier, checksum of the key file, ticket header signer serial number, authentication token.
Information about hardware installed on the computer: type, name, model name, firmware version, parameters of built-in and connected devices.
Information about the operation of the Web Control component: component version, categorization reason, additional information about categorization reason, categorized URL, host IP address of blocked/categorized object.
In addition, in order to achieve the declared purpose of increasing the effectiveness of protection provided by the application, Kaspersky may receive objects that could be exploited by intruders to harm the computer and create information security threats. Such objects are:
Executable or non-executable files or parts thereof
Computer's RAM areas
Sectors involved in the OS boot process
Network traffic data packages
Web pages and emails containing suspicious or malicious objects
Description of classes and class instances for the WMI storage
Application activity reports
Application activity reports contain the following information about the files and processes:
Name, size, and version of the file being sent, its description and checksums (MD5, SHA2-256, SHA1), format ID, its manufacturer's name, the name of the application the file belongs to, the fully qualified path to the file on the computer and the path template code, date and time of file creation and update.
Certificate validity start and end dates and times if the file being sent has a digital signature, date and time when the certificate was signed, name of the certificate issuer, information about the certificate holder, fingerprint and public key of the certificate and algorithms used to calculate them, certificate serial number.
Name of the account that had run the process.
Checksums (MD5, SHA2-256, SHA1) for the name of the computer that is running the process.
Headers of the process's windows.
ID for the anti-virus databases, name of the identified threat according to the Kaspersky classification.
Information about the license used for the application, license ID, its type and expiry date.
Computer's local time at the moment the information was provided.
The names and paths of the files that were accessed by the process.
URL- and IP addresses that were accessed by the process.
URL- and IP addresses from which the running file was downloaded.
In addition, in order to achieve the declared purpose with respect to preventing false positives, the Rightholder may receive trusted executable and non-executable files or their parts.
In the menu bar, click the application icon and choose Preferences.
The application preferences window opens.
On the Advanced tab, click Show KSN Statement.
Kaspersky Endpoint Security saves the following information in a Trace file:
Information about the device and operating system (unique device ID, device type, MAC addresses of network devices, operating system type, operating system version).
Information about the operation of the application and its modules.
Information about the subscription (subscription type, region).
Information about the language locale, application ID, application customization, application version, unique application installation ID, unique computer ID.
Information about the anti-virus protection status of the computer, as well as all processed and detected objects (the name of the detected object, date and time of detection, the web address from which it was downloaded, the names and sizes of infected files and paths to them, the IP address of the attacking computer and the number of the computer port targeted by the network attack, list of malware activity, and unwanted web addresses), and the relevant actions and decisions taken by the application and the user.
Information about applications downloaded by the user (web address, attributes, file size, and information about the process that downloaded the file).
Information about the launched applications and application modules (size, attributes, creation date, PE header details, region, name, location, and packers).
Information about interface errors and usage of the interface of the installed Kaspersky application.
Information about network connections: the IP address of the remote computer and the user's computer, the numbers of ports used to establish the connection, and the network protocol of the connection.
Information about network packets received and sent by the computer over IT and telecom networks.
Information about email and instant messages sent and received.
Information about web addresses visited: the time when the connection was established using an open protocol, data on the website login and password, and the content of cookies.
Public certificate of the server.
Trace files contain only the information necessary to fix defects in the application. Kaspersky uses trace files to investigate incidents associated with errors in the operation of Kaspersky Endpoint Security.
By default, the creation of trace files is disabled. You can enable generation of trace files in the application preferences.
Trace files can only be manually sent to Kaspersky. Kaspersky Endpoint Security does not send trace files to Kaspersky automatically.
You can choose how trace files are sent to Kaspersky.
Before sending trace files to Kaspersky, please review the data they contain.
Important: Trace files may contain personal or sensitive information. By sending trace files to Kaspersky, you agree to provide to Kaspersky all data contained in the trace files you send and you consent to the method used to send them.
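A helper for the review step above, as an added example that is not part of the Kaspersky documentation: it flags lines holding data categories named in the list above (MAC and IP addresses, web addresses, login and password data, cookie contents). The line-oriented text layout, the patterns, and the sample lines are assumptions constructed for illustration; this page does not describe the trace file format.

```python
import re
from collections import defaultdict

# Patterns for data categories the page lists as possible trace contents.
# Assumption: the trace is plain text, one record per line.
PATTERNS = {
    "mac_address": re.compile(r"\b(?:[0-9A-Fa-f]{2}[:-]){5}[0-9A-Fa-f]{2}\b"),
    "ipv4_address": re.compile(
        r"\b(?:(?:25[0-5]|2[0-4]\d|1?\d?\d)\.){3}(?:25[0-5]|2[0-4]\d|1?\d?\d)\b"
    ),
    "url": re.compile(r"\bhttps?://[^\s\"'<>]+", re.IGNORECASE),
    "credential": re.compile(
        r"\b(?:password|passwd|pwd|login|user(?:name)?)\s*[=:]\s*[^\s&;]+",
        re.IGNORECASE,
    ),
    "cookie": re.compile(r"\b(?:set-)?cookie\s*:\s*.+", re.IGNORECASE),
}

# Constructed sample lines; NOT the real Kaspersky trace format.
SAMPLE_TRACE = [
    "12:01:07.113 net iface en0 mac=a4:83:e7:12:9b:0c",
    "12:01:07.240 conn 192.0.2.15:51544 -> 198.51.100.7:443 tcp",
    "12:01:08.002 http GET http://intranet.example/login?user=alice&password=s3cret",
    "12:01:08.050 http hdr Cookie: sid=9f2c1e; theme=dark",
    "12:01:09.500 update task finished rc=0",
]


def review_trace(lines):
    """Return {category: [(line_no, matched_text), ...]} for every hit."""
    findings = defaultdict(list)
    for line_no, line in enumerate(lines, 1):
        for category, pattern in PATTERNS.items():
            for match in pattern.finditer(line):
                findings[category].append((line_no, match.group(0)))
    return dict(findings)


def summarize(findings):
    """Collapse findings to hit counts and the sorted line numbers involved."""
    return {
        category: {
            "hits": len(hits),
            "lines": sorted({line_no for line_no, _ in hits}),
        }
        for category, hits in findings.items()
    }


def clean_lines(lines, findings):
    """Line numbers in which none of the patterns matched."""
    flagged = {line_no for hits in findings.values() for line_no, _ in hits}
    return [n for n in range(1, len(lines) + 1) if n not in flagged]


if __name__ == "__main__":
    found = review_trace(SAMPLE_TRACE)
    for category, info in summarize(found).items():
        print(f"{category}: {info['hits']} hit(s) on lines {info['lines']}")
    print("lines without hits:", clean_lines(SAMPLE_TRACE, found))
```

A line with no hits is not proof that it is free of personal data; the patterns only narrow down where to look first.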
Files (or their parts) that may be exploited by intruders to harm the computer or data may also be sent to Kaspersky for additional examination.
Kaspersky protects any information received in accordance with law and applicable Kaspersky rules. Data is transmitted over a secure channel.
Participation in Kaspersky Security Network is voluntary. The decision to participate is made when you install Kaspersky Endpoint Security. However, you can change your decision later at any time.
In the Activate Trial Version window, click Activate Trial Version.
Kaspersky Endpoint Security connects to Kaspersky activation servers and sends data for verification. If verification is successful, the application receives and adds a key for the free trial version.
Click Continue to complete activating the application.
Important: A trial version of Kaspersky Endpoint Security can be activated only if the application has not been previously activated on the computer.
In the window that opens, enter the activation code that you received when purchasing Kaspersky Endpoint Security.
Click Activate.
Note: An activation code is a unique combination of twenty Latin letters and numbers in the form xxxxx-xxxxx-xxxxx-xxxxx.
Kaspersky Endpoint Security connects to Kaspersky activation servers and sends the activation code to verify its authenticity. If the activation code is successfully verified, the application automatically receives and adds the license key.
Click Continue to complete activating the application.
Note: Depending on the activation code that you have received, you may need to fill out a registration form.
If activation code verification fails, a corresponding notification is displayed. In this case, contact the software vendor that supplied you with this activation code.
After you have activated the application with the activation code, you can view the following information in the Licensing window:
Active key
Key or subscription status
The number of computers on which you can use the application under the current license or subscription
You have to renew the license if the license associated with the active key has expired and no reserve key has been added. When the license expires, the application continues to operate with limited functionality (updates, Kaspersky Security Network, Web Control, and FileVault Disk Encryption via Kaspersky Security Center become unavailable). You can still use all application components and run virus scans, but only with the anti-virus databases that were installed before the license expired.
Important: When your anti-virus databases are out of date, your computer is at increased risk of infection.
A webpage opens, with information on renewing your license through the Kaspersky online store or Kaspersky partners. When you renew a license via an online store, an activation code for Kaspersky Endpoint Security is sent to the email address specified in the order form after you complete the payment.
When you use the application under subscription, Kaspersky Endpoint Security automatically contacts the activation server at specific intervals until your subscription expires.
If you use the application under an unlimited subscription, Kaspersky Endpoint Security renews your subscription without requiring any action from you.
If you use the application under a limited subscription and the grace period for renewing the subscription is over, Kaspersky Endpoint Security notifies you of this, stops trying to automatically renew the subscription, and stops updating the application databases.
You can renew your subscription manually by contacting the vendor that sold you Kaspersky Endpoint Security.
In the Licensing window, click Visit Service Provider Website.
The website of your service provider opens.
Your subscription status may become out of date. In this case, you need to manually update the status of your subscription. If you do not have a current subscription, Kaspersky Endpoint Security stops updating the application databases (if you have a subscription to updates) or stops protecting the computer (if you have a subscription to updates and protection).
As soon as you complete installation of Kaspersky Endpoint Security, the application starts automatically and the application icon appears in the menu bar.
In the menu bar, click the application icon and choose Quit.
When you quit the application, the application process is removed from computer memory.
Important: After you quit Kaspersky Endpoint Security, the computer is no longer protected and may become infected, which puts your data at risk of being lost.
The protection status indicator, which determines the color of the main application window, informs you about computer protection problems. Depending on the status of computer protection, the color of the main application window can change. If Kaspersky Endpoint Security detects any security threats, a message about threats appears in the main application window and the main application window changes color.
The color of the main application window can change as follows:
Green. Your computer is appropriately protected.
A green main application window signifies that anti-virus databases are up to date and all application components have been configured as recommended by Kaspersky. No malicious objects have been detected, or any detected malicious objects have been neutralized.
Yellow. The level of computer protection is reduced.
A yellow main application window signifies that Kaspersky Endpoint Security is aware of a problem. Such problems include minor deviations from the recommended protection preferences or slightly outdated application databases.
Red. Your computer is at risk of infection.
A red main application window signifies that there are dangerous problems that may lead to computer infection and data loss. For example, the anti-virus application databases are extremely out of date, the application is not activated, or malicious objects have been detected.
We recommend that you fix any problems and deal with the security threats as soon as possible.
By default, Kaspersky Endpoint Security starts after the operating system starts up, and protects your computer until it is turned off. All protection components (File Threat Protection, Web Threat Protection, and Network Threat Protection) are enabled and running.
You can disable protection completely or disable specific protection components.
Important: Kaspersky strongly advises against disabling protection or protection components, because disabling them may lead to computer infection and data loss.
In the menu bar, click Protection > Turn Protection Off/Turn Protection On.
Important: If you disable computer protection, it will not be re-enabled automatically when Kaspersky Endpoint Security starts again. You have to re-enable computer protection manually.
In the menu bar, click the application icon and choose Preferences.
The application preferences window opens.
On the Essential tab, in the <component name> section, deselect the Enable <component name> checkbox.
Important: If you disable a protection component, it will not be re-enabled automatically when Kaspersky Endpoint Security starts again. You have to re-enable the protection component manually.
In the menu bar, click the application icon and choose Preferences.
The application preferences window opens.
On the Essential tab, in the <component name> section, select the Enable <component name> checkbox.
To enable computer protection or protection components, you can also use Protection Center. Disabling computer protection or disabling protection components puts your computer at much higher risk of infection. This is why Protection Center informs you when computer protection is disabled.
In Protection Center, you can find information about active threats, view the state of application databases, and find out whether any protection component is disabled.
Note: If your organization's system administrator enables Web Control to block access to dangerous web resources, Kaspersky Endpoint Security displays the Web Control is enabled notification in Protection Center.
For each problem or threat, Kaspersky Endpoint Security suggests actions that you can perform to resolve the problem or threat. For example, if Kaspersky Endpoint Security detects infected files on the computer, you can click Disinfect. If the anti-virus databases are out of date, you can click Update. You can fix a problem or neutralize a threat immediately or later.
Click the button with the name of a recommended action to fix the problem or neutralize the threat.
The application performs the selected action.
If you close Protection Center without neutralizing dangerous threats, the protection status indicator in the main application window remains red to remind you of these threats.
The default Full Scan task is included in Kaspersky Endpoint Security. While running this task, the application scans the computer's memory, startup objects, and all internal drives for viruses and other malware.
The default Quick Scan task is included in Kaspersky Endpoint Security. While running this task, the application scans the critical areas of the computer (memory, startup objects, and system folders) for viruses and other malware.
If you want to scan an individual object (such as an internal disk, folder, file, or removable disk) for viruses and other malware, you can run the Custom Scan task.
Configure the automatic start of a scheduled scan task
You can create a schedule for starting the Quick Scan and Full Scan tasks. Kaspersky Endpoint Security automatically scans the entire computer or specified areas of the computer in accordance with the configured schedule.
Dedicated Kaspersky update servers are the main source of updates for Kaspersky Endpoint Security. Kaspersky Endpoint Security can also use distribution points, local folders, or other web servers as an update source.
Note: An Internet connection is required to download updates from the update servers.
By default, Kaspersky Endpoint Security periodically checks for updates on Kaspersky update servers. If new updates are available on a server, Kaspersky Endpoint Security downloads them in the background and installs them on your computer.
In the menu bar, choose Protection > Detected Objects.
The Detected Objects window opens.
In the Detected Objects section, click next to the required file and choose Disinfect.
The application starts disinfecting the selected object. While disinfection is in progress, the application shows a dialog where you can choose the action to take on the object.
In the menu bar, choose Protection > Detected Objects.
The Detected Objects window opens.
In the Detected Objects section, click Disinfect All.
The application starts disinfecting detected objects. While disinfection is in progress, the application shows a notification window where you can choose the action to take on the object. If you select the Apply to all checkbox in the notification window when choosing an action, the application applies the same action to all files of this type.
If you know for sure that the files being blocked by File Threat Protection are safe, you can include them in Trusted Zone.
Restore a file that has been deleted or disinfected by the application
Sometimes it is not possible to save files in their entirety during the disinfection process. If a disinfected file contained important information that is partly or completely inaccessible following disinfection, you can attempt to restore the original file from its backup copy.
In the menu bar, choose Protection > Detected Objects.
The Detected Objects window opens.
In the Back up section, click next to the file that you want to restore.
The pop-up menu opens.
Choose Restore File.
A window for specifying the file name, tag, and folder to which the file will be restored opens. By default, the original file name and location are already specified.
Specify the file name and folder to which the file will be restored.
Click Save.
The application restores the file to the specified location with the specified name.
You need to scan the file for viruses immediately after restoring it. It is possible that the object can be disinfected using updated databases without becoming corrupted.
Important: We recommend that you not restore backup copies of files unless restoring them is absolutely necessary, because doing so could lead to a computer infection.
You can view a Kaspersky Endpoint Security report listing all detected objects on the Processed objects tab. System events are displayed on the System events tab. Additionally, a separate detailed report is created for each of the following application components: File Threat Protection, Web Threat Protection, Network Threat Protection, and scan and update tasks.
Application notifications, in the form of notification windows, inform you of application events that require your attention.
If a notification appears on the screen, select one of the suggested options. The optimal option is the one set as the default option by Kaspersky experts.
Objects detected by Kaspersky Endpoint Security are divided into categories based on various attributes. The application always searches for viruses, worms, Trojans, and malicious tools. These programs may cause significant damage to your computer. To ensure more reliable protection for your computer, you can extend the list of detectable objects by enabling the application to check for legitimate software that can be used by intruders to damage your computer or personal data.
The objects that Kaspersky Endpoint Security protects against are grouped as follows:
Viruses, worms, Trojans, malicious tools, adware, and auto-dialers.
This category includes:
All types of malware.
Software that can inconvenience you by showing advertisements (such as banners) on your computer or replacing search results in your browser with advertising websites.
Applications that establish hidden phone connections through a modem.
Protection against all types of malware is the minimum necessary security level. In accordance with the recommendations of Kaspersky experts, Kaspersky Endpoint Security always monitors objects that belong to this category.
Legitimate software that can be used by intruders to damage your computer or personal data. This category includes legitimate software that can be used by intruders to damage your computer or personal data, such as remote administration applications.
In the menu bar, click the application icon and choose Preferences.
The application preferences window opens.
On the Threats tab, in the Objects to detect section, select the checkboxes next to the categories of objects to detect.
Note: Kaspersky Endpoint Security always protects your computer against viruses, worms, Trojans, malicious tools, adware, and auto-dialers. Accordingly, it is not possible to deselect the checkbox for this category.
Note: If Kaspersky Endpoint Security classifies an application as malware but you believe it is safe, you can add this application to Trusted Zone.
Trusted Zone is a list of objects that Kaspersky Endpoint Security does not scan or monitor. You may need to add objects to Trusted Zone if, for example, Kaspersky Endpoint Security blocks access to a file, application, or website even though you are absolutely sure that this object, application, or web address is harmless.
When an application is added to Trusted Zone, its file and network activities (including suspicious ones) are no longer monitored. However, Kaspersky Endpoint Security continues to scan the executable file and process of the trusted application.
File Threat Protection prevents infection of the computer's file system. The component starts during startup of the operating system, remains in computer memory, and scans all files that are opened, saved, or run on your computer and on all connected disks for viruses and other malware. If you disable File Threat Protection, it will not start at operating system startup. You will have to re-enable File Threat Protection manually.
In the menu bar, click the application icon and choose Preferences.
The application preferences window opens.
On the Essential tab, in the File Threat Protection section, select/deselect the Enable File Threat Protection checkbox.
You can also enable File Threat Protection in Protection Center. Disabling computer protection or disabling protection components puts your computer at much higher risk of infection. This is why Protection Center informs you when protection is disabled.
You can create a protection scope for File Threat Protection.
In the menu bar, click the application icon and choose Preferences.
The application preferences window opens.
On the Essential tab, in the File Threat Protection section, click Protection Scope.
A window with a list of objects that File Threat Protection scans opens. By default, File Threat Protection scans all objects located on internal, removable, and network disks connected to your computer.
Note: On computers running macOS 10.15 or later, you can skip scanning of the read-only system volume to significantly reduce scanning time. By default, File Threat Protection does not scan the read-only system volume.
In the Protection scope section, add/remove the objects to/from the protection scope:
To add a file or folder to the protection scope:
Click .
A pop-up menu where you can select objects to add to the protection scope opens.
In the pop-up menu, choose the Files and Folders item.
A dialog where you can select a file or folder opens.
Select a file or folder that you want to add to the protection scope.
Click Open.
To remove a file or folder from the protection scope:
Select an object in the list of protection scope objects.
Drag the selected object from the window or click .
If you want to scan the read-only system volume, in the Optimization section, deselect the Skip scanning of read-only system volume checkbox.
Important: Optimization might be disabled for security reasons.
In the menu bar, click the application icon and choose Preferences.
The application preferences window opens.
On the Essential tab, in the File Threat Protection section, click Protection Scope.
A window with a list of objects that File Threat Protection scans opens. By default, File Threat Protection scans all objects located on internal, removable, and network disks connected to your computer.
Note: On computers running macOS 10.15 or later, you can skip scanning of the read-only system volume to significantly reduce scanning time. By default, File Threat Protection does not scan the read-only system volume.
In the Protection scope section, add/remove the objects on the list of default objects to/from the protection scope:
To add an object on the list of default objects to the protection scope:
Click .
A pop-up menu where you can select objects to add to the protection scope opens.
In the pop-up menu, select an object that you want to add to the protection scope (for example, All Internal Disks).
To remove an object on the list of default objects from the protection scope:
Select an object in the list of protection scope objects.
Drag the selected object from the window or click .
If you want to scan the read-only system volume, in the Optimization section, deselect the Skip scanning of read-only system volume checkbox.
Important: Optimization might be disabled for security reasons.
In the menu bar, click the application icon and choose Preferences.
The application preferences window opens.
On the Essential tab, in the File Threat Protection section, click Protection Scope.
A window with a list of objects that File Threat Protection scans opens. By default, File Threat Protection scans all objects located on internal, removable, and network disks connected to your computer.
Note: On computers running macOS 10.15 or later, you can skip scanning of the read-only system volume to significantly reduce scanning time. By default, File Threat Protection does not scan the read-only system volume.
Deselect the checkbox next to an object in the list of protection scope objects.
In the menu bar, click the application icon and choose Preferences.
The application preferences window opens.
On the Essential tab, in the File Threat Protection section, click Protection Scope.
A window with a list of objects that File Threat Protection scans opens. By default, File Threat Protection scans all objects located on internal, removable, and network disks connected to your computer.
Note: On computers running macOS 10.15 or later, you can skip scanning of the read-only system volume to significantly reduce scanning time. By default, File Threat Protection does not scan the read-only system volume.
In the Optimization section, deselect the Skip scanning of read-only system volume checkbox.
Important: Optimization might be disabled for security reasons.
Click Save.
When you or an application attempt to access a file included in the protection scope, File Threat Protection checks iSwift databases for information about the file, and uses this information to decide whether to scan the file.
Recognizing malicious objects is possible thanks to signature analysis, a way of searching for threats based on threat descriptions included in the anti-virus databases. In addition to signature analysis, File Threat Protection uses heuristic analysis and other scanning technologies.
If a threat is detected in a file, Kaspersky Endpoint Security identifies the type of the detected malware (for example, virus or Trojan). Then the application displays a notification about the detected object and performs an action on the object based on your File Threat Protection preferences.
In the menu bar, click the application icon and choose Preferences.
The application preferences window opens.
On the Essential tab, in the File Threat Protection section, select the action that File Threat Protection performs after detecting an infected file.
Before attempting to disinfect or delete an infected file, Kaspersky Endpoint Security saves a backup copy for subsequent restoration or disinfection.
Information about File Threat Protection and all detected objects is logged in a report.
Note: If File Threat Protection stops running with an error, you can view the report and try to start the component again. If the problem is not solved, you can contact Kaspersky Technical Support.
When you use the Internet, your computer is at risk of infection by viruses and other computer security threats. Computer security threats may penetrate your computer when you download free programs or visit websites that have been attacked by hackers. In addition, network worms may attack your computer as soon as your computer establishes an Internet connection, even before you open a web address or download a file.
Kaspersky Endpoint Security protects information that your computer sends and receives via the HTTP and HTTPS protocols in Safari, Chrome, or Firefox.
Note: Kaspersky Endpoint Security monitors web traffic on the ports most frequently used for HTTP and HTTPS data transfer. Kaspersky Endpoint Security scans encrypted connections (HTTPS) only if the Check secure connections (HTTPS) checkbox in the General section is selected.
In the menu bar, click the application icon and choose Preferences.
The application preferences window opens.
On the Essential tab, in the Web Threat Protection section, select/deselect the Enable Web Threat Protection checkbox.
You can also enable Web Threat Protection via Protection Center. Disabling computer protection or disabling protection components puts your computer at much higher risk of infection. This is why Protection Center informs you when protection is disabled.
Important: If you disable Web Threat Protection, it will not be re-enabled automatically when Kaspersky Endpoint Security starts again or when the operating system restarts. You have to re-enable Web Threat Protection manually.
Web Threat Protection scans web traffic based on the preferences recommended by Kaspersky. Malicious objects are recognized using signature analysis, heuristic analysis, and data from Kaspersky Security Network.
Checking links on websites for phishing threats and malicious web addresses makes it possible to avoid phishing attacks. Phishing attacks usually take the form of email messages from criminals, who pretend to be financial institutions (such as banks) and send links to fraudulent websites. In these emails, the criminals try to trick the user into visiting a phishing website and entering confidential data (such as your bank card number or the name and password for your online bank account). A phishing attack can be disguised, for example, as a message from your bank with a link to its official website, but in reality, the link takes you to an exact copy of the bank's official website created by impostors.
Web Threat Protection monitors your web traffic for attempts to visit a phishing website; it blocks access to such websites. To check links on websites for phishing threats and malicious web addresses, Kaspersky Endpoint Security uses the application databases, heuristic analysis, and data from Kaspersky Security Network.
Web traffic scan algorithm
Each website or file that you or an application accesses via the HTTP and HTTPS protocols is intercepted and scanned for malicious code by Web Threat Protection:
If a website or file contains malicious code, Kaspersky Endpoint Security can block it and display a notification that the requested file or website is infected.
If the file or website does not contain malicious code, you can access it immediately.
In the menu bar, click the application icon and choose Preferences.
The application preferences window opens.
On the Essential tab, in the Web Threat Protection section, select the action that Web Threat Protection performs after detecting a dangerous web traffic object.
Information about Web Threat Protection and all detected dangerous web traffic objects is logged in a report.
Note: If Web Threat Protection stops running with an error, you can view the Web Threat Protection report and try to restart the component. If the problem is not solved, you can contact Kaspersky Technical Support.
Kaspersky Endpoint Security protects your computer against network attacks.
A network attack is an attempt to break into the operating system of a remote computer. Criminals attempt network attacks to establish control over the operating system, cause denial of service in the operating system, or access sensitive information. To achieve these goals, criminals either carry out direct attacks, such as port scanning and brute force attacks, or use malware installed on the computer being attacked.
Network attacks can be divided into the following types:
Port scanning. This type of network attack is usually performed to prepare for a more dangerous network attack. An intruder scans the UDP/TCP ports used by network services on the target computer and determines the target computer's vulnerability to other, more dangerous types of network attacks. Port scanning also allows the intruder to determine the operating system on the target computer and select appropriate network attacks for that operating system.
DoS attacks or network attacks causing a denial of service. Such network attacks cause the target operating system to become unstable or completely inoperable.
The main types of DoS attacks are:
Transmission of specially designed network packets that are not expected by the target computer, thus causing the target operating system to malfunction or crash.
Sending a large number of network packets to a remote computer over a short period. All the target computer's resources are used to process the network packets sent by the intruder. As a result, the computer stops performing its functions.
Network intrusion attacks. Such network attacks are designed to "hijack" the target computer's operating system. This is the most dangerous type of network attack, because if the attack is successful, then the intruder gains total control over the operating system.
This type of network attack is used when the intruder wants to obtain confidential data (such as bank card numbers or passwords) from a remote computer or secretly use the remote computer for his or her own purposes (such as attacking other computers from this computer).
In the menu bar, click the application icon and choose Preferences.
The application preferences window opens.
On the Essential tab, in the Network Threat Protection section, select/deselect the Enable Network Threat Protection checkbox.
You can also enable Network Threat Protection in Protection Center. Disabling computer protection or disabling protection components puts your computer at much higher risk of infection. This is why Protection Center informs you when protection is disabled.
Important: If you disable Network Threat Protection, it will not be re-enabled automatically when Kaspersky Endpoint Security starts again or after the operating system restarts. You have to re-enable Network Threat Protection manually.
When the application detects dangerous network activity, Kaspersky Endpoint Security automatically adds the IP address of the attacking computer to the list of blocked computers, unless the attacking computer is in the list of trusted computers.
In the menu bar, click the application icon and choose Preferences.
The application preferences window opens.
On the Essential tab, in the Network Threat Protection section, select the Enable Network Threat Protection checkbox.
Click Preferences.
A window with a list of trusted computers and a list of blocked computers opens.
Open the Blocked computers tab.
If you are sure that the blocked computer is not a threat, select the IP address of the computer in the list and click Unblock.
A confirmation dialog opens.
In the confirmation dialog, select one of the following:
If you want to unblock the computer, click Unblock.
Kaspersky Endpoint Security unblocks the IP address.
If you want Kaspersky Endpoint Security to never block the selected IP address, click Unblock and Exclude.
Kaspersky Endpoint Security unblocks the IP address and adds it to the list of trusted computers.
Click Save.
You can create and edit the list of trusted computers. Kaspersky Endpoint Security doesn't block the IP addresses of these computers automatically even after dangerous network activity is detected from them.
In the menu bar, click the application icon and choose Preferences.
The application preferences window opens.
On the Essential tab, in the Network Threat Protection section, select the Enable Network Threat Protection checkbox.
Click Preferences.
A window with a list of trusted computers and a list of blocked computers opens.
Open the Trusted computers tab.
Edit the list of trusted computers:
To add an IP address to the list of trusted computers:
Click .
In the field that appears, enter the IP address of the computer that you trust to be safe.
To remove an IP address from the list of trusted computers:
Select an IP address in the list.
Click .
To edit an IP address in the list of trusted computers:
Select an IP address in the list.
Click Edit.
Change the IP address.
Click Save.
When a network attack is detected, Kaspersky Endpoint Security logs information about the attack in a report.
Note: If the Network Threat Protection component stops running with an error, you can view the report and try to restart the component. If the problem is not solved, you can contact Kaspersky Technical Support.
File Threat Protection and Web Threat Protection provide real-time computer protection, but we also recommend that you regularly scan your computer for viruses and other computer security threats. Computer scanning is necessary to prevent the spread of malware that has not been detected by the protection components.
Kaspersky Endpoint Security contains the following built-in scan tasks:
Full Scan.
A virus scan of the computer's memory, startup objects, and all internal disks.
Quick Scan.
A virus scan of only critical areas of the computer: memory, startup objects, and system folders.
Custom Scan.
A virus scan of a specified object (file, folder, internal disk, or removable disk).
Each scan task is performed within a specified scan scope and is started manually. Malicious objects are recognized through signature analysis. In addition to signature analysis, Kaspersky Endpoint Security uses heuristic analysis and other scanning technologies.
In the menu bar, click the application icon and choose Preferences.
The application preferences window opens.
On the Scan tab, click Schedule.
In the window that opens, select the checkbox next to the name of the scan task you want to start on a schedule.
Configure the scan task frequency and time.
Click OK to save changes made to the scan task schedule.
The Full Scan and Quick Scan tasks already contain scan scopes. While performing the Full Scan task, Kaspersky Endpoint Security scans the computer's memory, startup objects, and all internal disks. While performing the Quick Scan task, Kaspersky Endpoint Security scans computer memory, startup objects, and system folders. You can change the scan scope of the Quick Scan task.
Note: On computers running macOS 10.15 or later, you can skip scanning of the read-only system volume to significantly reduce scanning time. By default, Kaspersky Endpoint Security does not scan the read-only system volume when performing a Quick Scan task and does scan it when performing a Full Scan task.
In the menu bar, click the application icon and choose Preferences.
The application preferences window opens.
On the Scan tab, in the list on the left, select the Quick Scan task.
In the Scan scope section, click Edit.
A window with the list of scan scope objects opens.
Deselect the checkbox next to the object in the list of scan scope objects.
Click OK.
If a threat is detected in a file, the application displays a notification and performs the specified action on the object. You can modify the action to perform when an object is detected.
In the menu bar, click the application icon and choose Preferences.
The application preferences window opens.
On the Scan tab, select a task in the task list.
In the Action section, select the action that Kaspersky Endpoint Security performs after detecting infected files.
Before disinfecting or deleting an infected file, Kaspersky Endpoint Security saves a copy of it in Backup, so you can restore the original file, if necessary.
Information about the results of scan tasks and all detected objects is logged in a report.
Note: If any errors occur while running a virus scan task, start the task again. If the new attempt to run the scan also results in an error, contact Kaspersky Technical Support.
Timely updates of application databases ensure that your computer is always protected. File Threat Protection, Web Threat Protection, and scan tasks use application databases to detect and neutralize viruses and other malware on your computer. Application databases are updated regularly with different kinds of threats and ways to neutralize them, so it is important that you update the databases regularly.
Kaspersky Endpoint Security downloads application databases and new application modules from Kaspersky update servers and installs them on your computer. Kaspersky Endpoint Security can also use distribution points, local folders, or other web servers.
Note: Internet access is required for connecting to the update servers and downloading updates. If you connect to the Internet via a proxy server, you may need to configure the network preferences.
Application database updates can be downloaded in one of the following ways:
Automatically. Kaspersky Endpoint Security regularly checks Kaspersky update servers for updates. If a new update is available on the update server, Kaspersky Endpoint Security downloads the update in the background and installs it on your computer. This option is enabled by default.
Manually. You can manually check for Kaspersky Endpoint Security updates at any time.
You can also start an update task in one of the following ways:
Click the application icon and choose Update.
In the menu bar, choose Protection > Update.
During an update, the application databases and modules are compared with the ones currently available on the update servers. If the latest version of the databases is installed on your computer, the Update window displays a message saying that the application databases are up to date. If the application version and application databases differ from those currently available on the update servers, only the missing components of the update are downloaded and installed on your computer. Incremental updates of application databases take less time and require less web traffic.
If you connect to the Internet via a proxy server, you can configure the proxy server connection preferences. Kaspersky Endpoint Security uses these preferences to update application databases and download application module updates.
In the menu bar, click the application icon and choose Preferences.
The application preferences window opens.
Select the Update tab.
In the Proxy section, select the Use proxy server checkbox and click Preferences.
A window opens, in which you can configure the proxy server connection preferences.
Configure the connection to a proxy server.
Click Save to save the changes made to the proxy server connection preferences.
Before updating the application databases, Kaspersky Endpoint Security creates backup copies of them, so a rollback can be performed, if necessary. The rollback feature is useful if a new version of the application databases contains an incorrect signature that makes Kaspersky Endpoint Security block a safe application.
Note: If Kaspersky Endpoint Security databases become corrupted, we recommend that you start an update to download and install the latest version of application databases.
Sometimes the integrity of infected files cannot be preserved during the disinfection process. If a disinfected file contained important information that is partly or completely inaccessible following disinfection, you can restore the original file from Backup.
A backup copy is a copy of a dangerous file that is created when the file is disinfected or deleted. It is stored in Backup.
Backup is a special storage area that contains backup copies of files that have been deleted or modified during disinfection. The main function of Backup is to let the user restore an original file at any time. Files in Backup are saved in a special format and are not dangerous for the computer.
In the menu bar, choose Protection > Detected Objects.
The Detected Objects window opens.
In the Back up section, click next to the file that you want to restore.
The pop-up menu opens.
Choose Restore File.
A window for specifying the file name, tag, and folder to which the file will be restored opens. By default, the original file name and location are already specified.
Specify the file name and folder to which the file will be restored.
Click Save.
The application restores the file to the specified location with the specified name.
You need to scan the file for viruses immediately after restoring it. It is possible that the object can be disinfected using updated databases without becoming corrupted.
Important: We recommend that you not restore backup copies of files unless restoring them is absolutely necessary, because doing so could lead to a computer infection.
In the menu bar, choose Protection > Detected Objects.
The Detected Objects window opens.
In the Back up section, do the following:
To delete all backup copies of files, click Delete All.
To delete the selected backup copy, click next to it and choose Delete Backed Up Copy.
By default, the storage period for files in Backup is 30 days. When this period expires, the files are deleted. You can change the maximum Backup storage period for files or remove the limit on the storage period.
In the menu bar, click the application icon and choose Preferences.
The application preferences window opens.
On the Threats tab, in the Backup section, select the Delete backed up objects after <number> days checkbox and specify the period after which files stored in Backup are automatically deleted.
You can view a Kaspersky Endpoint Security report listing all detected objects on the Processed objects tab. System events are displayed on the System events tab. Additionally, a separate detailed report is created for each of the following application components: File Threat Protection, Web Threat Protection, Network Threat Protection, and scan and update tasks.
Kaspersky Endpoint Security can save reports in text format. This functionality may be useful if application components or tasks produce errors you cannot fix on your own and you need assistance from Kaspersky Technical Support. In this case, send the text report to Kaspersky Technical Support so our specialists can study the problem and fix it as quickly as possible.
In the menu bar, click the application icon and choose Preferences.
The application preferences window opens.
On the Interface tab, in the Reports section, select the Log non-critical events checkbox to receive notifications about informational Kaspersky Endpoint Security events.
Note: The FileVault Disk Encryption feature is available in Kaspersky Security Center 10 SP3 or later. For more information, contact Kaspersky Technical Support.
Kaspersky Endpoint Security allows FileVault encryption to be managed remotely. Encryption prevents unauthorized users from accessing sensitive data stored on the startup disk of the user's computer.
When an administrator starts FileVault encryption on a computer from Kaspersky Security Center, Kaspersky Endpoint Security prompts a user of this computer to enter his or her credentials. Disk encryption only starts after the user provides the credentials and the computer is restarted.
Note: If FileVault encryption management isn't enabled in Kaspersky Security Center, users with administrator rights can encrypt and decrypt their Mac startup disks from System Preferences. For more information on FileVault, refer to Apple documentation.
If the computer has multiple computer accounts, FileVault encryption makes the disk inaccessible to all users except for the user who entered his or her credentials.
Choose Apple menu > System Preferences, then click Security & Privacy.
On the FileVault tab, at the bottom of the window, click the lock.
In the prompt for administrator credentials, enter the user name and password.
Click Enable Users.
In the window that opens, select a user to authorize to unlock the computer and click Enable User next to his or her name.
In the window that opens, enter the password of the user's computer account and click OK.
Click Done.
The user can access the encrypted disk.
Note: Administrator rights are required to allow other users to unlock the disk.
If an administrator manages Kaspersky Endpoint Security via Kaspersky Security Center Administration Console, Web Console, or Cloud Console and a user of this computer forgets or loses his or her credentials and cannot access an encrypted disk, the administrator can get a recovery key.
Kaspersky Security Network (KSN) is a set of services that provides access to a database with constantly updated information about the reputation of files, web resources, and software. Kaspersky Security Network ensures that Kaspersky applications respond more quickly to threats, improves the performance of some protection components, and reduces the likelihood of false positives.
If you participate in Kaspersky Security Network, Kaspersky Endpoint Security statistics are automatically sent to Kaspersky to enhance protection of your Mac.
Note: Kaspersky doesn't receive, process, or store any personal data without your explicit consent.
Participation in Kaspersky Security Network is voluntary. The decision to participate is made when you install Kaspersky Endpoint Security. However, you can change your decision later at any time.
In the menu bar, click the application icon and choose Preferences.
The application preferences window opens.
On the Advanced tab, in the Improved protection section, click Show KSN Statement to view the Kaspersky Security Network Statement.
If you want Kaspersky Endpoint Security to use information about the reputation of files, web resources, and applications received from Kaspersky Security Network and you accept all the terms of the Statement, select the Participate in Kaspersky Security Network checkbox.
In the window that opens, click Confirm.
The Participate in Kaspersky Security Network and Enable extended KSN mode checkboxes will be selected.
Note: By default, Kaspersky Endpoint Security uses the Extended KSN mode. Extended KSN mode is a mode in which Kaspersky Endpoint Security sends additional data to Kaspersky. If you do not want to provide these data to Kaspersky, deselect the Enable extended KSN mode checkbox.
If the Participate in Kaspersky Security Network checkbox is selected and the Enable extended KSN mode checkbox is unselected, Kaspersky Endpoint Security provides to Kaspersky the following data:
Information about the license used: the type and validity period of the license, number of days till license expiration, identifier of the partner from whom the license was purchased, Regional Activation Center identifier, checksum of the activation code, ticket body hash calculated using the SHA1 algorithm, license ticket creation date and time, license information identifier, license ticket identifier, license ticket sequence identifier, unique identifier of the user's computer, date from which the license ticket is valid, date to which the license ticket is valid, license ticket current state, ticket header version, license version, ticket header signature certificate identifier, checksum of the key file, ticket header signer serial number, authentication token.
Full version of installed Software; type of installed Software; Software update ID; ID of reputation service; protocol type ID; ID of a regional activation center; version of list of revoked Software service's decisions; ID of the triggered record in the Software's anti-virus databases; timestamp of the triggered record in the Software's anti-virus databases; type of the triggered record in the Software's anti-virus databases; unique ID of the instance of application installation on the computer; license activation date; license expiration date; license identifier; status of the license used by the Software; checksum type for the object being processed; name of the detected malware or legitimate software that can be used to damage the user's device or data; checksum of the object being processed; checksum of the Software activation code; full version of the Software; unique device ID; Software ID; checksum of the Software key file; ID of the information model used to provide the Software license; identifier of the certificate used to sign the Software license ticket header; the Software license ticket create date and time; the Software license ticket checksum; the Software license ticket version; the Software activation code version; format of the data in the request to Rightholder infrastructure; current license ticket ID; the Software component ID; the result of the Software action; error code; accessed address of the web service (URL, IP); port number; web address of the source of the web service request (referrer).
If the Participate in Kaspersky Security Network and Enable extended KSN mode checkboxes are selected, Kaspersky Endpoint Security provides to Kaspersky the following data:
Information about the version of the operating system (OS) and service packs installed on the computer, version and checksums (MD5, SHA2-256, SHA1) of the OS kernel file, parameters of the OS run mode.
Information about the failed last OS reboot: number of failed reboots.
Information about the Kaspersky installed application and the anti-virus protection status: unique identifier of the instance of application installation on the computer, application type, ID of application type, the full version of the application installed, the identifier of the application settings version, the identifier of the computer type, the unique identifier of the computer on which the application is installed, the unique User identifier in the Kaspersky services, locale language and operation state, version of the installed Software components and their operation state, version of the protocol used to connect with the Kaspersky services.
Full version of installed Software; type of installed Software; Software update ID; ID of reputation service; protocol type ID; ID of a regional activation center; version of list of revoked Software service's decisions; ID of the triggered record in the Software's anti-virus databases; timestamp of the triggered record in the Software's anti-virus databases; type of the triggered record in the Software's anti-virus databases; unique ID of the instance of application installation on the computer; license activation date; license expiration date; license identifier; status of the license used by the Software; checksum type for the object being processed; name of the detected malware or legitimate software that can be used to damage the user's device or data; checksum of the object being processed; checksum of the Software activation code; full version of the Software; unique device ID; Software ID; checksum of the Software key file; ID of the information model used to provide the Software license; identifier of the certificate used to sign the Software license ticket header; the Software license ticket create date and time; the Software license ticket checksum; the Software license ticket version; the Software activation code version; format of the data in the request to Rightholder infrastructure; current license ticket ID; the Software component ID; the result of the Software action; error code; accessed address of the web service (URL, IP); port number; web address of the source of the web service request (referrer).
Information about all scanned objects and operations: the name of the scanned object, the date and time of the scan, the URL and Referrer addresses from which it was downloaded, the size of scanned files and the paths to them, the archive sign, the date and time of the file's creation, the name, size and checksums (MD5, SHA2-256) of the packer (if the file was packed), the file's entropy, the file's type, the file type code, the executable file sign, ID and format, the object's checksum (MD5, SHA2-256), the type and value of the object's supplementary checksum, data about the object's digital signature (certificate): data on the certificate's publisher, number of starts of the object since the last statistics delivery, ID of the application's scanning task, the means of receiving information about the object's reputation, the value of the target filter, technical parameters of the applicable detection technologies.
For executable files: the entropy of the file sections, reputation verification flag or file signature flag, name, type, ID type, checksum (MD5) and the size of the application that was loaded by the object being validated, the application path and template paths, an attribute indicating presence in the Autorun list, date of entry, the list of attributes, name of the packer, information about the digital signature of the application: the publisher certificate, the name of the uploaded file in the MIME format, file build date and time.
Information about the applications launched and their modules: checksums (MD5, SHA2-256) of running files, size, attributes, creation date, name of the packer (if the file was packed), names of files, information about processes running on the system (process ID (PID), process name, information about the account the process was started from, the application and command that started the process, the full path to the process's files, and the starting command line, a description of the application that the process belongs to (the name of the application and information about the publisher), as well as the digital certificates being used and information needed to verify their authenticity or information about the absence of a file's digital signature), and information about the modules loaded into the processes: their names, sizes, types, creation dates, attributes, checksums (MD5, SHA2-256, SHA1), the paths to them, PE-file header information, names of packers (if the file was packed), information about the availability and validity of these statistics, identifier of the mode for generating the statistics being sent.
If threats or vulnerabilities are detected, in addition to information about the detected object, information is provided about the identifier, version, and type of the record in the anti-virus database, the name of the threat based on the Kaspersky classification, the date and time of the last update of the anti-virus database, executable file name, the checksum (MD5) of the application file that requested the URL where the threat was detected, the IP address (IPv4 or IPv6) of the detected threat, the vulnerability identifier and its threat level, the URL and Referrer of the web page where the vulnerability was detected.
If a potentially malicious object is detected, information is provided about data in the processes' memory.
Network attack information: IP address of the attacking computer and number of the port on the user's computer targeted by the network attack, ID of the attack protocol, name and type of attack.
Information about network connections: version and checksums (MD5, SHA2-256, SHA1) of the file from which the process that opened the port was started, the path to the process's file and its digital signature, local and remote IP addresses, numbers of local and remote connection ports, connection state, timestamp of the port's opening.
The URL and IP address of the web page where harmful or suspicious content was detected, the name, size, and checksum of the file that requested the URL, the identifier, weight and degree of the rule used to reach a verdict, the objective of the attack.
Information about updates of the installed application and anti-virus databases: status of completion of the update task, type of error that may have occurred during the update process, the number of unsuccessful updates, the identifier of the application component that performs updates.
Information about the use of Kaspersky Security Network (KSN): KSN identifier, application identifier, full version of the application, depersonalized IP address of the user's device, indicators of the quality of fulfillment of KSN requests, indicators of the quality of the processing of KSN packets, indicators of the number of KSN requests and information about the types of KSN requests, date and time when statistics began being sent, date and time when statistics finished being sent, information about KSN configuration updates: identifier of the active configuration, identifier of the configuration received, error code of the configuration update.
Information about system log events: event time, name of the log where the event has been detected, type and category of event, name of the event source and event description.
Information to determine the reputation of files and URLs: the URL for which the reputation is being requested and the Referrer, the connection's protocol type, the internal identifier of the application type, the number of the port being used, the User identifier, checksum of the scanned file (MD5), type of the detected threat, information about the record used to detect a threat (record identifier for the anti-virus databases, the record timestamp and type).
Data on the application's territorial distribution: date of the application installation and activation, ID of the partner providing the license for the application activation, application ID, application language localization ID, license serial number for the application activation, KSN participation sign.
Information about the license used: the type and validity period of the license, number of days till license expiration, identifier of the partner from whom the license was purchased, Regional Activation Center identifier, checksum of the activation code, ticket body hash calculated using the SHA1 algorithm, license ticket creation date and time, license information identifier, license ticket identifier, license ticket sequence identifier, unique identifier of the user's computer, date from which the license ticket is valid, date to which the license ticket is valid, license ticket current state, ticket header version, license version, ticket header signature certificate identifier, checksum of the key file, ticket header signer serial number, authentication token.
Information about hardware installed on the computer: type, name, model name, firmware version, parameters of built-in and connected devices.
Information about the operation of the Web Control component: component version, categorization reason, additional information about categorization reason, categorized URL, host IP address of blocked/categorized object.
Note: Depending on Kaspersky Security Center settings, you can participate in Kaspersky Private Security Network instead of Kaspersky Security Network. Kaspersky Endpoint Security notifies you when it switches from Kaspersky Private Security Network to Kaspersky Security Network and prompts you to accept the terms of the Kaspersky Security Network Statement. For detailed information about participating in Kaspersky Private Security Network, see the Kaspersky Security Center help.
Manage the application via Kaspersky Security Center Administration Console
Kaspersky Security Center is designed for centralized management of corporate network security. For detailed information about Kaspersky Security Center, see the Kaspersky Security Center help.
Deploy Kaspersky Endpoint Security on a corporate network
Deploy Administration Server on the network.
Administration Server is a component of Kaspersky Security Center that centrally stores information about all Kaspersky applications that are installed within the corporate network and manages these applications.
Install Administration Console on the Kaspersky Security Center administrator's workstation.
Administration Console is a component of Kaspersky Security Center that provides a user interface for the administrative services of Administration Server and Network Agent. Network Agent coordinates the interaction between Administration Server and Kaspersky Endpoint Security installed on computers within the corporate network.
An administration plug-in is a dedicated component that provides an interface for managing Kaspersky applications through Administration Console. Each application has its own administration plug-in. The administration plug-in is provided for all Kaspersky applications that can be managed from Kaspersky Security Center.
Install Network Agent on remote Mac computers in one of the following ways:
Important: If Kaspersky Internet Security for Mac or third-party anti-virus software is installed on remote computers, uninstall them before installing Kaspersky Endpoint Security.
For detailed information on how to deploy Administration Server and install Administration Console, see the Kaspersky Security Center help.
Update Kaspersky Endpoint Security version 10 or 11 to version 11.0.1 or later
Note: To manage Kaspersky Endpoint Security for Mac 11.1 via Kaspersky Security Center, you must install Network Agent version 12 on remote computers.
Update Kaspersky Endpoint Security from version 10 to version 11.0.1 or later
You can update Kaspersky Endpoint Security managed via Kaspersky Security Center from version 10 to version 11.0.1 or later in one of the following ways:
Simultaneously update Kaspersky Endpoint Security to version 11.0.1 or later and Network Agent to version 12 on remote computers.
First update Network Agent to version 12 and then update Kaspersky Endpoint Security to version 11.0.1 or later.
Note: Network Agent version 11 or later cannot be used by Kaspersky Endpoint Security 10 to connect to Kaspersky Security Center.
For detailed information on how to update Kaspersky Endpoint Security version 10 to version 11 or later, see the Knowledge Base.
Update Kaspersky Endpoint Security from version 11 to version 11.0.1 or later
You can update Kaspersky Endpoint Security managed via Kaspersky Security Center from version 11 to version 11.0.1 or later in one of the following ways:
Simultaneously update Kaspersky Endpoint Security to version 11.0.1 or later and Network Agent to version 12 on remote computers.
First update Network Agent to version 12 and then update Kaspersky Endpoint Security to version 11.0.1 or later.
Prepare for remote installation of Kaspersky Endpoint Security
This section contains information about installation of the Kaspersky Endpoint Security administration plug-in on the Kaspersky Security Center administrator's workstation and installation of Network Agent on the remote computer.
Installation of the Kaspersky Endpoint Security administration plug-in and Network Agent is a prerequisite for installation of Kaspersky Endpoint Security via Kaspersky Security Center.
On the Kaspersky Security Center administrator's workstation, unpack the archive with the Kaspersky Endpoint Security installation package files.
Open the folder with the Kaspersky Endpoint Security installation package files.
Double-click klcfginst.exe.
Installation of the Kaspersky Endpoint Security administration plug-in starts.
Important: Before installing the Kaspersky Endpoint Security administration plug-in, close Administration Console on the Kaspersky Security Center administrator's workstation.
Network Agent coordinates the interaction between Administration Server and Kaspersky Endpoint Security installed on computers within the corporate network.
Install Network Agent using Kaspersky Security Center
Kaspersky Security Center installs Network Agent on a client computer using an SSH connection.
Before installing Network Agent on a client computer, make sure that the following conditions are met:
Kaspersky Security Center Administration Server is deployed on the corporate network.
Administration Console is installed on the Kaspersky Security Center administrator's workstation.
Remote Login is enabled on remote computers.
A dedicated administrator account that will be used to run the remote installation task is created on a remote computer. You can use a domain account for the installation.
The sudo password is disabled for the dedicated account.
Start Kaspersky Security Center Administration Console.
Maximize the Administration Server <Server name> node.
In the console tree, select the Advanced folder, then the Remote installation subfolder, and then the Installation packages subfolder.
In the workspace, click Create installation package.
In the Select installation package type window, click Create an installation package for a Kaspersky application.
In the Defining the installation package name window, type the name of the new installation package in the Name field and click Next.
In the Selecting the distribution package for installation window, click Browse.
The window for selecting a file for creating the installation package opens.
Open the folder with the contents of the Network Agent installation package and select the klnagent.kud file.
The Selecting the distribution package for installation window shows the name and version of the application to be installed remotely using the file that has been added.
Click Next.
The Kaspersky Endpoint Security installation package is created with the specified settings.
In the last window of the wizard, click Finish to exit the New Package Wizard.
Start Kaspersky Security Center Administration Console.
Maximize the Administration Server <Server name> node.
Select the Tasks folder.
In the workspace, start the New Task Wizard by clicking New task.
Follow the steps of the New Task Wizard below to create a task for remote installation of Kaspersky Endpoint Security on the client computer.
To proceed to the next step of the wizard, click Next. To return to the previous step of the wizard, click . To exit the wizard at any step, click Cancel.
Note: The appearance of the buttons may vary depending on your version of Windows.
In the Select installation package window, do one of the following:
If the Network Agent installation package with the required settings has been created previously, select it in the list of installation packages in the upper part of the Select installation package window.
If the required installation package has not been created yet, click New to start the New Package Wizard.
In the Select devices to which the task will be assigned window, select the method you want to use to specify client computers:
To select from among computers detected on the network by Administration Server, select the Select networked devices detected by Administration Server option.
To specify the IP addresses of computers manually or import the IP addresses of computers from a file, select the Specify device addresses manually or import addresses from list option.
To create a task for a selection of devices based on a preset criterion, select the Assign task to a device selection option.
To select computers from a specific administration group, select the Assign task to an administration group option.
In the window that opens (Select devices, Device selection, or Select Administration group, depending on the option you selected in the previous step), select the client computers, specify the IP addresses of computers, specify a computer selection, or select the administration group to which the task will be applied.
In the Configure task schedule window, select the start mode in the Scheduled start drop-down list.
If necessary, configure a scheduled task to start automatically (by specifying the task start date and time).
If you want to run tasks that the application was unable to start according to schedule (for example, because the computer was turned off at the scheduled time), select the Run missed tasks checkbox.
Kaspersky Endpoint Security starts the task as soon as the obstacle preventing the task from being started is eliminated.
Start the SSH client on the administrator's workstation.
Connect to the remote computer.
Connect the shared folder of Administration Server as a network drive on the remote computer. To do this, enter the following commands in the SSH client:
mkdir /Volumes/KLSHARE
mount_smbfs //<administrator account>:<password>@<Administration Server IP address>/KLSHARE /Volumes/KLSHARE
Parameter descriptions:
<administrator account> – Name of the administrator account on Administration Server.
<password> – Password of the administrator on Administration Server.
<Administration Server IP address> – IP address of the server hosting Kaspersky Security Center.
Run the installation script. To do this, enter the following command in the SSH client:
cd /Volumes/KLSHARE/<klnagent_package_folder>
where <klnagent_package_folder> is the folder in which the Network Agent installation package is located.
<action> – Parameter that defines whether encryption will be used when establishing the connection between Network Agent and Administration Server. If the value is "0", an unencrypted connection is used. If the value is "1", the connection is established via the SSL protocol (default value).
<server> – IP address or DNS name of the server on which Kaspersky Security Center is installed.
<port number> – Number of the port that will be used to establish an unencrypted connection to Administration Server. Port 14000 is used by default.
<SSL port number> – Number of the port that will be used to establish an encrypted connection to Administration Server using the SSL protocol. Port 13000 is used by default.
Important: Administrator rights are required for executing this command.
Disconnect the network drive on the remote computer. To do this, enter the following command in the SSH client:
umount /Volumes/KLSHARE
Check if Network Agent functions properly on the remote computer. To do this, enter the following commands in the SSH client:
cd /Library/Application\ Support/Kaspersky\ Lab/klnagent/Binaries/
sudo ./klnagchk
If the check is successful, Network Agent functions properly.
This section contains information on how to manage Network Agent using the command line on a client computer.
You can stop Network Agent and start it again using the command line on a client computer.
You can also connect a remote computer to Administration Server manually using the klmover utility and check the connection between the remote computer and Administration Server using the klnagchk utility.
On the remote computer, run the klnagchk utility from the command line.
The klnagchk utility is included in the Network Agent distribution kit.
After Network Agent has been installed, the klnagchk utility is located in the /Library/Application Support/Kaspersky Lab/klnagent/Binaries folder.
Depending on the parameters that you specify, the klnagchk utility performs the following operations when run from the command line:
Displays the settings specified for the connection between Network Agent installed on the remote computer and Administration Server, or saves them in a file.
Saves Network Agent statistics (since the last startup of Network Agent) and utility execution results in a file, or displays this information on the screen.
Tries to establish a connection between Network Agent and Administration Server.
If the utility can't establish a connection, it sends an ICMP packet to check the status of the computer on which Administration Server is installed.
Before running the utility, go to /Library/Application Support/Kaspersky Lab/klnagent/Binaries in the command line.
Important: Administrator rights are required to run the utility.
Parameter descriptions
-logfile <file name> – Save the settings of the connection between Network Agent and Administration Server and utility execution results in a file. If this parameter is not specified, the server connection settings, execution results, and error messages are displayed on the screen.
-sp – Display the password for proxy server authentication on the screen or save it in a file. This parameter is used if Network Agent connects to Administration Server via a proxy server. By default, this parameter is not used.
-savecert <file name> – Save the certificate for authentication on Administration Server in a specified file.
-restart – Restart Network Agent after the utility finishes running.
Important: Administrator rights are required to run the utility.
Parameter descriptions
-logfile <file name> – Save execution results in a file. If this parameter is not specified, execution results and error messages are displayed on the screen.
-address <server address> – Address that Network Agent uses to connect to Administration Server. You can specify either the IP address or the DNS name of the server.
Note: You can also use the command with this parameter to change the address of the Administration Server to which remote computers are connected.
-pn <port number> – Number of the port that will be used to establish an unencrypted connection to Administration Server. Port 14000 is used by default.
-ps <SSL port number> – Number of the port that will be used to establish an encrypted connection to Administration Server via the SSL protocol. Port 13000 is used by default.
-nossl – Use an unencrypted connection to Administration Server. If this parameter is not specified, Network Agent will establish a secure connection to Administration Server via the encrypted SSL protocol.
-cert <path to certificate file> – Use the specified certificate file for authentication on a new Administration Server. If this parameter is not specified, Network Agent will receive a certificate at the first connection to Administration Server.
-silent – Run the utility in silent mode.
-dupfix – This parameter is used if Network Agent was installed in a way that differs from the methods described in the Administrator's Guide, for example, if it was recovered from a disk image with Network Agent installed. If automatic self-identification of Network Agent results in duplicate icons of the original computer and other computers in the Administration Console, try reconnecting the duplicate computers.
Note: When running the klmover utility, it is recommended to specify values for all parameters.
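The klmover parameters above can be combined so that a server switch stays encrypted and pins the Administration Server certificate instead of accepting whichever certificate is presented at the first connection. The wrapper below is an added example, not part of the Kaspersky documentation; its function names and exit codes are hypothetical, and it assumes klmover is run with sudo from the same Binaries folder that the page gives for klnagchk.

```shell
#!/bin/sh
# Added example (not Kaspersky's code): re-point Network Agent with klmover
# over an encrypted, certificate-pinned connection only.

# Assumption: klmover is run from the folder the page gives for klnagchk.
KLNAGENT_BIN="${KLNAGENT_BIN:-/Library/Application Support/Kaspersky Lab/klnagent/Binaries}"
# Launcher for the utility; replace it with a logging stub for a dry run.
KLMOVER="${KLMOVER:-sudo ./klmover}"

# valid_port N: succeed only for a decimal integer in 1..65535.
valid_port() {
    case $1 in
        ''|0*|*[!0-9]*|??????*) return 1 ;;
    esac
    [ "$1" -le 65535 ]
}

# valid_address A: host name or IP address. A leading "-" is rejected so the
# value can never be parsed by klmover as another option (such as -nossl).
valid_address() {
    case $1 in
        ''|-*|*[!A-Za-z0-9.:-]*) return 1 ;;
    esac
    return 0
}

# klmover_pinned ADDRESS CERT_FILE [SSL_PORT] [PLAIN_PORT]
# Exit codes (hypothetical): 2 bad address, 3 bad port, 4 bad certificate file.
klmover_pinned() {
    km_addr=$1
    km_cert=$2
    km_ps=${3:-13000}   # documented default for the SSL port
    km_pn=${4:-14000}   # documented default for the unencrypted port

    valid_address "$km_addr" || {
        echo "klmover_pinned: bad server address" >&2; return 2; }
    valid_port "$km_ps" && valid_port "$km_pn" || {
        echo "klmover_pinned: bad port number" >&2; return 3; }

    # Without -cert the agent receives the certificate at the first connection.
    # Require one obtained out of band instead, for example saved with
    # "klnagchk -savecert" on an agent that is already trusted.
    case $km_cert in
        /*) ;;
        *) echo "klmover_pinned: certificate path must be absolute" >&2; return 4 ;;
    esac
    [ -s "$km_cert" ] || {
        echo "klmover_pinned: certificate file missing or empty" >&2; return 4; }

    # -nossl is never passed, so the connection stays encrypted. Both ports are
    # given explicitly, following the note to specify values for all parameters.
    ( cd "$KLNAGENT_BIN" &&
      $KLMOVER -address "$km_addr" -pn "$km_pn" -ps "$km_ps" -cert "$km_cert" )
}

# Constructed usage (host name and path are placeholders):
#   klmover_pinned ksc.example.internal /private/tmp/ksc-server.cer
```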
Start the SSH client on the Kaspersky Security Center administrator's workstation.
Connect to the remote computer.
Connect the shared folder of Administration Server as a network drive on the remote computer. To do this, enter the following commands in the SSH client:
mkdir /Volumes/KLSHARE
mount_smbfs //<administrator account>:<password>@<Administration Server IP address>/KLSHARE /Volumes/KLSHARE
Parameter descriptions:
<administrator account> – Name of the administrator account on Administration Server.
<password> – Password of the administrator on Administration Server.
<Administration Server IP address> – IP address of the server hosting Kaspersky Security Center.
Run the installation script. To do this, enter the following commands in the SSH client:
cd /Volumes/KLSHARE/<KES package folder>
sudo ./install.sh
where <KES package folder> is the folder in which the Kaspersky Endpoint Security installation package is located.
Important: Administrator rights are required for executing this command.
Disconnect the network drive on the remote computer. To do this, enter the following command in the SSH client:
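The manual installation steps above can be wrapped so that the Administration Server share is disconnected even when the installer fails. The script below is an added example, not Kaspersky's own; it leaves :<password> out of the mount_smbfs URL so that the utility prompts for it on the terminal, uses the umount command shown in the Network Agent procedure, and its function name and exit codes are hypothetical.

```shell
#!/bin/sh
# Added example (not Kaspersky's script): manual installation of Kaspersky
# Endpoint Security with a guaranteed disconnect of the KLSHARE folder.

MOUNT_POINT="${MOUNT_POINT:-/Volumes/KLSHARE}"

# kes_manual_install ADMIN_ACCOUNT SERVER PACKAGE_FOLDER
# Exit codes (hypothetical): 2 bad argument, 3 mount point unusable,
# 4 mount failed, otherwise the exit code of install.sh.
kes_manual_install() {
    ki_acct=$1
    ki_server=$2
    ki_pkg=$3

    # ":" is refused in the account name so a password cannot be embedded in
    # the URL, where it would land in shell history and the process list.
    case $ki_acct in
        ''|*[@:/]*) echo "kes_manual_install: bad account name" >&2; return 2 ;;
    esac
    case $ki_server in
        ''|-*|*[!A-Za-z0-9.-]*) echo "kes_manual_install: bad server address" >&2; return 2 ;;
    esac
    # The package folder is a single directory name inside the share.
    case $ki_pkg in
        ''|.*|*/*) echo "kes_manual_install: bad package folder" >&2; return 2 ;;
    esac

    # mkdir fails if the directory exists, so an existing mount is never reused.
    mkdir "$MOUNT_POINT" || return 3

    # With no password in the URL, mount_smbfs asks for it interactively.
    if ! mount_smbfs "//$ki_acct@$ki_server/KLSHARE" "$MOUNT_POINT"; then
        rmdir "$MOUNT_POINT"
        return 4
    fi

    # Run the installer from the package folder and remember its result.
    ki_rc=0
    ( cd "$MOUNT_POINT/$ki_pkg" && sudo ./install.sh ) || ki_rc=$?

    # Disconnect the share whether or not the installer succeeded.
    umount "$MOUNT_POINT" ||
        echo "kes_manual_install: $MOUNT_POINT is still mounted" >&2
    rmdir "$MOUNT_POINT" 2>/dev/null || :
    return "$ki_rc"
}

# Constructed usage (account, address and folder are placeholders):
#   kes_manual_install kladmin 10.0.0.5 kesmac_package
```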
To install Kaspersky Endpoint Security on a client computer using Kaspersky Security Center, you must create and start the Install application remotely task.
Start Kaspersky Security Center Administration Console.
Maximize the Administration Server <Server name> node.
Select the Tasks folder.
In the workspace, start the New Task Wizard by clicking New task.
Follow the steps of the New Task Wizard below to create a task for remote installation of Kaspersky Endpoint Security on the client computer.
To proceed to the next step of the wizard, click Next. To return to the previous step of the wizard, click . To exit the wizard at any step, click Cancel.
Note: The appearance of the buttons may vary depending on your version of Windows.
In the Select installation package window, do one of the following:
If the Kaspersky Endpoint Security installation package with the required settings has been created previously, select it in the list of installation packages in the upper part of the Select installation package window.
If the required installation package has not been created yet, click New to start the New Package Wizard.
In the Advanced window, select the Install Network Agent together with this application and <Network Agent installation package name> checkboxes if you want to install Network Agent on the client computer also.
Note: The installation package for Network Agent must be created beforehand. If it has not been created, click Create to start the New Package Wizard.
In the Select devices to which the task will be assigned window, select the method you want to use to specify client computers:
To select from among computers detected on the network by Administration Server, select the Select networked devices detected by Administration Server option.
To specify the IP addresses of computers manually or import the IP addresses of computers from a file, select the Specify device addresses manually or import addresses from list option.
To create a task for a selection of devices based on a preset criterion, select the Assign task to a device selection option.
To select computers from a specific administration group, select the Assign task to an administration group option.
In the window that opens (Select devices, Device selection, or Select Administration group, depending on the option you selected in the previous step), select the client computers, specify the IP addresses of computers, specify a computer selection, or select the administration group to which the task will be applied.
In the Configure task schedule window, select the start mode in the Scheduled start drop-down list.
If necessary, configure a scheduled task to start automatically (by specifying the task start date and time).
If you want to run tasks that the application was unable to start according to schedule (for example, because the computer was turned off at the scheduled time), select the Run missed tasks checkbox.
Kaspersky Endpoint Security starts the task as soon as the obstacle preventing the task from being started is eliminated.
When you create the Install application remotely task, you can either use an existing installation package or create a new one. To view the list of created installation packages, click Advanced > Remote installation > Installation packages.
Start Kaspersky Security Center Administration Console.
Maximize the Administration Server <Server name> node.
In the console tree, select the Advanced folder, then the Remote installation subfolder, and then the Installation packages subfolder.
In the workspace, click Create installation package.
In the Select installation package type window, click Create an installation package for a Kaspersky application.
In the Defining the installation package name window, type the name of the new installation package in the Name field and click Next.
In the Selecting the distribution package for installation window, click Browse.
The window for selecting a file for creating the installation package opens.
Open the folder with the contents of the Kaspersky Endpoint Security installation package and select the kesmac.kud file.
The Selecting the distribution package for installation window shows the name and version of the application to be installed remotely using the file that has been added.
Select the Copy updates from repository to installation package checkbox to copy application updates from the Kaspersky Security Center storage to the installation package, if necessary, and click Next.
The installation package starts uploading to Administration Server. When the upload is finished, the Installation Type window opens.
In the Installation Type window, in the Packages to install section, deselect the checkboxes next to the names of the components that you want to skip during installation on the client computer, and click Next.
The Kaspersky Endpoint Security installation package is created with the specified settings.
In the last window of the wizard, click Finish to complete the New Package Wizard.
Uninstall the application using Kaspersky Security Center
Before removing Kaspersky Endpoint Security from a client computer via Kaspersky Security Center, make sure the following conditions are met:
Kaspersky Security Center Administration Server is deployed on the corporate network.
Administration Console is installed on the Kaspersky Security Center administrator's workstation.
Network Agent is installed on the client computer.
To uninstall Kaspersky Endpoint Security from the client computer via Kaspersky Security Center, you have to create and start the Uninstall application remotely task.
Important: Removing Kaspersky Endpoint Security from a client computer may lead to a risk of infection.
Start Kaspersky Security Center Administration Console.
Maximize the Administration Server <Server name> node.
Select the Tasks folder.
In the workspace, start the New Task Wizard by clicking New task.
Follow the steps of the New Task Wizard below to create a task for remote uninstallation of Kaspersky Endpoint Security from the client computer.
To proceed to the next step of the wizard, click Next. To return to the previous step of the wizard, click . To exit the wizard at any step, click Cancel.
Note: The appearance of the buttons may vary depending on your version of Windows.
In the Select devices to which the task will be assigned window, select the method you want to use to specify client computers:
To select from among computers detected on the network by Administration Server, select the Select networked devices detected by Administration Server option.
To specify the IP addresses of computers manually or import the IP addresses of computers from a file, select the Specify device addresses manually or import addresses from list option.
To create a task for a selection of devices based on a preset criterion, select the Assign task to a device selection option.
To select computers from a specific administration group, select the Assign task to an administration group option.
In the window that opens (Select devices, Device selection, or Select Administration group, depending on the option you selected in the previous step), select the client computers, specify the IP addresses of computers, specify a computer selection, or select the administration group to which the task will be applied.
In the Configure task schedule window, select the start mode in the Scheduled start drop-down list.
If necessary, configure a scheduled task to start automatically (by specifying the task start date and time).
If you want to run tasks that the application was unable to start according to schedule (for example, because the computer was turned off at the scheduled time), select the Run missed tasks checkbox.
Kaspersky Endpoint Security starts the task as soon as the obstacle preventing the task from being started is eliminated.
Start Kaspersky Security Center Administration Console.
Maximize the Administration Server <Server name> node.
In the console tree, click Managed devices.
Select the administration group that contains the required client computer.
Select the Devices tab.
Select a computer from the list of client computers.
Open the Properties: <Computer name> window in one of the following ways:
Double-click the name of the client computer.
Right-click the client computer and choose Properties from the context menu.
Select the Applications section.
In the Kaspersky applications installed on the device list, right-click to open the context menu of the Kaspersky Endpoint Security for Mac (11.1) item and do one of the following:
To start the application, select the Start item.
To stop the application, select the Stop item.
Important: After Kaspersky Endpoint Security is stopped, the client computer keeps running in unprotected mode, which may lead to a risk of infection.
This section describes how to use Kaspersky Security Center to create and configure tasks that Kaspersky Endpoint Security performs on a client computer or a group of computers.
A task is a set of configurable actions that Kaspersky Endpoint Security performs on a client computer.
In Kaspersky Security Center, you can create the following tasks:
When managing Kaspersky Endpoint Security via Kaspersky Security Center, you can create the following types of tasks:
Local tasks. A local task is a task to run on a separate client computer.
Group tasks. A group task is a task to run on computers in an administration group.
Tasks for an arbitrary set of computers. You can create a task to be run on any computers regardless of whether they belong to an administration group or a computer selection.
Start Kaspersky Security Center Administration Console.
Maximize the Administration Server <Server name> node.
In the console tree, click Tasks.
In the workspace, click New task to start the New Task Wizard.
Follow the steps of the New Task Wizard to create a task for an arbitrary set of computers.
To proceed to the next step of the wizard, click Next. To return to the previous step of the wizard, click . To exit the wizard at any step, click Cancel.
Note: The appearance of the buttons may vary depending on your version of Windows.
Depending on the task type selected during the previous step, the contents of the settings window may vary. This window is not displayed for the Rollback task.
Application activation
In the Application activation window, do the following:
Select an activation code or key from Kaspersky Security Center storage or add a key file stored on your computer.
If you want to add the specified key as a reserve key, select the Add as reserve key checkbox.
The reserve key becomes active when the current active key expires.
Information about the specified key (key, key type, and key expiration date) is displayed in the Application activation window.
Update
Dedicated Kaspersky update servers are the main source of updates for Kaspersky Endpoint Security. Kaspersky Endpoint Security can also use distribution points, local folders, or other web servers as an update source.
You can put downloaded updates in a local folder to update application databases and Kaspersky Endpoint Security modules on other computers on the corporate network in order to reduce the amount of Internet traffic.
You can set up update distribution as follows:
One of the computers on the network receives the Kaspersky Endpoint Security update package from Kaspersky update servers or a different update source. The retrieved updates are placed in a shared local folder.
Note: The shared local folder must be created in advance.
Other computers on the network refer to the shared local folder as the update source.
Distribution of updates via a local computer
If necessary, edit the Update task settings in the Update window:
To disable updates of application modules, deselect the Update application modules checkbox.
To change the update sources:
Click Settings.
The Settings: Update window opens.
Select the checkboxes next to the update sources that you want to use.
To specify a different update source, click Add.
The Update source window opens.
Specify the web address of the update source or the path to a local or network folder that is an update source and click OK.
Click OK to save changes and close the Settings: Update window.
Scan
By default, Kaspersky Endpoint Security uses the Recommended security level, prompts the user for an action when it detects an infected object after the scan, and scans the following objects:
All removable drives
All internal drives
All network drives
Memory
If necessary, edit the Scan settings in the Scan window:
Select one of the preset security levels or customize security settings.
Specify the action that Kaspersky Endpoint Security performs upon detecting an infected object.
Note: This step is not relevant for local or group tasks.
In the Select devices to which the task will be assigned window, select the method you want to use to specify client computers:
To select from among computers detected on the network by Administration Server, select the Select networked devices detected by Administration Server option.
To specify the IP addresses of computers manually or import the IP addresses of computers from a file, select the Specify device addresses manually or import addresses from list option.
To create a task for a selection of devices based on a preset criterion, select the Assign task to a device selection option.
To select computers from a specific administration group, select the Assign task to an administration group option.
Note: This step is not relevant for local or group tasks.
In the window that opens (Select devices, Device selection, or Select Administration group, depending on the option you selected in the previous step), select the client computers, specify the IP addresses of computers, specify a computer selection, or select the administration group to which the task will be applied.
In the Configure task schedule window, select the start mode in the Scheduled start drop-down list.
If necessary, configure a scheduled task to start automatically (by specifying the task start date and time).
If you want to run tasks that the application was unable to start according to schedule (for example, because the computer was turned off at the scheduled time), select the Run missed tasks checkbox.
Kaspersky Endpoint Security starts the task as soon as the obstacle preventing the task from being started is eliminated.
If you want Kaspersky Security Center to automatically determine the interval between task launches on different computers, select the Use automatically randomized delay for task starts checkbox.
This helps to reduce the load on Kaspersky Security Center Administration Server.
To set the interval between task launches on different computers manually, select the Use randomized delay for task starts within an interval of (min) checkbox and specify the number of minutes.
This helps to reduce the load on Kaspersky Security Center Administration Server.
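The following added example is not part of the Kaspersky documentation; it simulates how the two randomized-delay options above spread task starts over time and estimates the smallest interval that keeps the per-minute peak within a chosen budget. It assumes each device picks a uniformly random whole-minute delay inside the interval, which is an assumption about the behavior and not a documented detail, and all function names and the fleet size are hypothetical.

```python
"""Added example: effect of a randomized start delay on Administration Server load.

Assumption (not from the Kaspersky documentation): each device picks its delay
uniformly at random, in whole minutes, inside the configured interval.
All function names here are hypothetical.
"""
import random
from collections import Counter


def start_minutes(device_count, interval_min, rng):
    """Return the minute offset at which each device starts the task.

    interval_min == 0 models a schedule with no randomized delay:
    every device starts in the same minute.
    """
    if interval_min <= 0:
        return [0] * device_count
    return [rng.randrange(interval_min) for _ in range(device_count)]


def peak_starts_per_minute(offsets):
    """Largest number of task starts that land in any single minute."""
    return max(Counter(offsets).values())


def simulate_peak(device_count, interval_min, trials=50, seed=1):
    """Worst peak seen over several simulated scheduled runs."""
    rng = random.Random(seed)  # fixed seed keeps the result reproducible
    return max(
        peak_starts_per_minute(start_minutes(device_count, interval_min, rng))
        for _ in range(trials)
    )


def smallest_interval(device_count, max_starts_per_minute,
                      limit_min=240, trials=50, seed=1):
    """Smallest interval (minutes) whose worst simulated peak fits the budget.

    Returns None when no interval up to limit_min is enough.
    """
    for interval in range(1, limit_min + 1):
        peak = simulate_peak(device_count, interval, trials, seed)
        if peak <= max_starts_per_minute:
            return interval
    return None


if __name__ == "__main__":
    devices = 500  # constructed fleet size
    for interval in (0, 5, 15, 30, 60):
        peak = simulate_peak(devices, interval)
        print(f"interval={interval:>2} min  peak starts/min={peak}")
    print("smallest interval for <= 50 starts/min:",
          smallest_interval(devices, 50))
```

Because the delays are random, the peak is always higher than the even split (devices divided by minutes), so size the interval from the simulated peak and not from the average.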
To change the level of security at which Kaspersky Endpoint Security runs the Scan task, do one of the following in the Security level section:
Select a preset security level by moving the slider up or down the scale.
You can select one of the following security levels:
Maximum protection. Kaspersky Endpoint Security performs the maximum monitoring of files that are opened, saved, or executed.
Recommended. Kaspersky Endpoint Security monitors files with the settings recommended by Kaspersky.
This is the default security level.
Maximum speed. Kaspersky Endpoint Security monitors a minimum set of files. You can choose this security level if you want to use other applications that require significant memory resources.
Configure security settings manually:
Click Settings.
The Settings: Scan window opens.
On the General tab, in the File types section, select the types of files that should be scanned by Kaspersky Endpoint Security when running the Scan task.
On the General tab, in the Optimization section, configure scan performance settings.
On the General tab in the Compound files section, select which compound files you want Kaspersky Endpoint Security to analyze for detectable objects.
On the Advanced tab, in the Advanced settings section, configure the use of iSwift technology and recording of information about detected objects in the application statistics.
On the Advanced tab, in the Heuristic Analyzer section, configure the use of Heuristic Analyzer and select the protection level to be applied by Heuristic Analyzer during virus scans.
Click OK to save changes and close the Settings: Scan window.
The security level changes to Custom.
To restore the default settings, click Default.
The security level changes to Recommended.
If necessary, in the Action section, select the action that Kaspersky Endpoint Security should perform when an infected object is detected.
To specify a scan scope, in the Scan scope section, click Settings and do the following in the Scan scope window that opens:
If you want Kaspersky Endpoint Security to scan all removable drives, select the All removable drives checkbox.
If you want Kaspersky Endpoint Security to scan all internal drives, select the All internal drives checkbox.
If you want Kaspersky Endpoint Security to scan all network drives, select the All network drives checkbox.
If you want Kaspersky Endpoint Security to scan the computer memory, select the Memory checkbox.
If you want Kaspersky Endpoint Security to scan other files or folders, click Add and specify a file, folder, or mask for file or folder names.
Click OK to save changes and close the Scan scope window.
Save the changes in one of the following ways:
Click Apply to remain in the Properties: <Task name> window after saving changes.
Click OK to close the Properties: <Task name> window after saving changes.
If you want Kaspersky Endpoint Security to update application modules along with application databases, select the Update application modules checkbox.
To choose an update source:
Click Settings.
The Settings: Update window opens.
Specify the update source in one of the following ways:
If you want the application to download updates from Administration Server, select the Kaspersky Security Center checkbox.
If you want the application to download updates from Kaspersky update servers, select the Kaspersky update servers checkbox.
To add a different update source, click Add and, in the window that opens, enter the path to the update source.
By default, Kaspersky Endpoint Security downloads updates from Kaspersky update servers.
Click OK to save changes and close the Settings: Update window.
Save the changes in one of the following ways:
Click Apply to remain in the Properties: <Task name> window after saving changes.
Click OK to close the Properties: <Task name> window after saving changes.
Open the list of local tasks for a client computer.
In the list of local tasks, select the File Threat Protection task and open its properties in one of the following ways:
Double-click the task name.
Right-click to display the task's shortcut menu and select Properties.
Click Properties.
Select the File Threat Protection section.
If necessary, configure the following settings:
Enable or disable File Threat Protection on the client computer.
To select one of the preset security levels, use the slider in the Security level section.
To configure the security settings manually, click Settings and in the Settings: File Threat Protection window that opens, do the following:
On the General tab, in the File types section, select the types of files that Kaspersky Endpoint Security should scan when they are opened, executed, or saved.
On the General tab, in the Optimization section, configure scan performance settings, select the scan technology, and choose whether Kaspersky Endpoint Security skips scanning of the read-only system volume on client computers running macOS 10.15 or later.
On the General tab, in the Compound files section, select which compound files should be scanned for detectable objects and set a restriction on scanning large objects.
On the Protection scope tab, specify files or folders that should be scanned by File Threat Protection.
By default, all objects located on removable, internal, and network drives connected to the client computer are scanned. You can add an object to the protection scope, modify an object on the list, temporarily disable scanning of an object on the list, or remove an object from the list.
On the Advanced tab, in the Scan mode section, select the File Threat Protection mode.
On the Advanced tab, in the Pause task section, enable or disable scheduled pausing of File Threat Protection and configure automatic pausing of tasks according to a schedule.
On the Advanced tab, in the Heuristic Analyzer section, configure the use of Heuristic Analyzer by File Threat Protection.
Click OK to save changes and close the Settings: File Threat Protection window.
In the If a malicious object is detected section, select the action that File Threat Protection performs upon detecting an infected object.
Save the changes in one of the following ways:
Click Apply to remain in the Properties: File Threat Protection window after saving changes.
Click OK to close the Properties: File Threat Protection window after saving changes.
Open the list of local tasks for a client computer.
In the list of local tasks, select the Web Threat Protection task and open its properties in one of the following ways:
Double-click the task name.
Right-click to display the task's shortcut menu and select Properties.
Click Properties.
Select the Web Threat Protection section.
If necessary, configure the following settings:
Enable or disable Web Threat Protection on the client computer.
To select one of the preset security levels, use the slider in the Security level section.
To configure the security settings manually, click Settings and in the Settings: Web Threat Protection window that opens, do the following:
On the General tab, in the Scan mode section, enable or disable checking of web addresses against the database of malicious web addresses.
On the General tab, in the Anti-Phishing settings section, enable or disable checking of web addresses against the database of phishing web addresses.
On the General tab, in the Anti-Phishing settings section, enable or disable the use of Heuristic Analyzer for detecting phishing links.
On the Trusted web addresses tab, enable or disable scanning of web traffic from trusted web addresses and create or edit a list of trusted web addresses.
Click OK to save changes and close the Settings: Web Threat Protection window.
In the If a malicious object is detected section, select the action that Web Threat Protection performs upon detecting a dangerous object in web traffic.
Save the changes in one of the following ways:
Click Apply to remain in the Properties: Web Threat Protection window after saving changes.
Click OK to close the Properties: Web Threat Protection window after saving changes.
Open the list of local tasks for a client computer.
In the list of local tasks, select the Quick Scan task and open its properties in one of the following ways:
Double-click the task name.
Right-click to display the task's shortcut menu and select Properties.
Click Properties.
Select the Scan section.
If necessary, configure the following settings:
To select one of the preset security levels, use the slider in the Security level section.
To configure the security settings manually, click Settings and in the Settings: Scan window that opens, do the following:
On the General tab, in the File types section, select the types of files that should be scanned by Kaspersky Endpoint Security.
On the General tab, in the Optimization section, configure scan performance settings.
On the General tab, in the Compound files section, select which compound files you want Kaspersky Endpoint Security to scan.
On the Advanced tab, in the Advanced settings section, configure the use of iSwift technology and the saving of information about detected objects in the application statistics.
On the Advanced tab, in the Heuristic Analyzer section, configure the use of Heuristic Analyzer and select the protection level to be applied by Heuristic Analyzer.
Click OK to save changes and close the Settings: Scan window.
In the Action section, select the action that Kaspersky Endpoint Security should perform upon detecting an infected object.
To specify a scan scope, in the Scan scope section, click Settings and do the following in the Scan scope window that opens:
If you want Kaspersky Endpoint Security to scan objects in the default list, select the checkbox next to the relevant object.
If you want Kaspersky Endpoint Security to scan other files or folders, click Add and specify a file, folder, or mask for file or folder names.
Click OK to save changes and close the Scan scope window.
Save the changes in one of the following ways:
Click Apply to remain in the Properties: Quick Scan window after saving changes.
Click OK to close the Properties: Quick Scan window after saving changes.
Open the list of local tasks for a client computer.
In the list of local tasks, select the Full Scan task and open its properties in one of the following ways:
Double-click the task name.
Right-click to display the task's shortcut menu and select Properties.
Click Properties.
Select the Scan section.
If necessary, configure the following settings:
To select one of the preset security levels, use the slider in the Security level section.
To configure the security settings manually, click Settings and in the Settings: Scan window that opens, do the following:
On the General tab, in the File types section, select the types of files that should be scanned by Kaspersky Endpoint Security.
On the General tab, in the Optimization section, configure scan performance settings.
On the General tab, in the Compound files section, select which compound files you want Kaspersky Endpoint Security to scan.
On the Advanced tab, in the Advanced settings section, configure the use of iSwift technology and the saving of information about detected objects in the application statistics.
On the Advanced tab, in the Heuristic Analyzer section, configure the use of Heuristic Analyzer and select the protection level to be applied by Heuristic Analyzer.
Click OK to save changes and close the Settings: Scan window.
In the Action section, select the action that Kaspersky Endpoint Security should perform upon detecting an infected object.
To specify a scan scope, in the Scan scope section, click Settings and do the following in the Scan scope window that opens:
If you want Kaspersky Endpoint Security to scan objects in the default list, select the checkbox next to the relevant object.
If you want Kaspersky Endpoint Security to scan other files or folders, click Add and specify a file, folder, or mask for file or folder names.
Click OK to save changes and close the Scan scope window.
Save the changes in one of the following ways:
Click Apply to remain in the Properties: Full Scan window after saving changes.
Click OK to close the Properties: Full Scan window after saving changes.
Open the list of local tasks for a client computer.
In the list of local tasks, select the Custom Scan task and open its properties in one of the following ways:
Double-click the task name.
Right-click to display the task's shortcut menu and select Properties.
Click Properties.
Select the Scan section.
If necessary, configure the following settings:
To select one of the preset security levels, use the slider in the Security level section.
To configure the security settings manually, click Settings and in the Settings: Scan window that opens, do the following:
On the General tab, in the File types section, select the types of files that should be scanned by Kaspersky Endpoint Security.
On the General tab, in the Optimization section, configure scan performance settings.
On the General tab, in the Compound files section, select which compound files you want Kaspersky Endpoint Security to scan.
On the Advanced tab, in the Advanced settings section, configure the use of iSwift technology and the saving of information about detected objects in the application statistics.
On the Advanced tab, in the Heuristic Analyzer section, configure the use of Heuristic Analyzer and select the protection level to be applied by Heuristic Analyzer.
Click OK to save changes and close the Settings: Scan window.
In the Action section, select the action that Kaspersky Endpoint Security should perform upon detecting an infected object.
To specify a scan scope, in the Scan scope section, click Settings and do the following in the Scan scope window that opens:
Click Add and specify a file, folder, or name mask of a file or folder.
Click OK to save changes and close the Scan scope window.
Save the changes in one of the following ways:
Click Apply to remain in the Properties: Custom Scan window after saving changes.
Click OK to close the Properties: Custom Scan window after saving changes.
This section contains information on how to create and configure policies for Kaspersky Endpoint Security.
A policy determines an application's settings and manages the ability to configure that application on computers within an administration group. An individual policy must be created for each application. You can create multiple policies for applications installed on computers in each administration group, but only one policy can be applied at a time to each application within an administration group.
Note: When creating and configuring a policy, you can allow or prohibit changes to any group of settings in policies using the and buttons.
You can perform the following actions on custom policies:
Start Kaspersky Security Center Administration Console.
Maximize the Administration Server <Server name> node.
In the console tree, click Policies.
In the workspace, click New policy.
The New Policy Wizard opens.
Follow the steps of the New Policy Wizard to create a policy.
To proceed to the next step of the wizard, click Next. To return to the previous step of the wizard, click . To exit the wizard at any step, click Cancel.
Note: The appearance of the buttons may vary depending on your version of Windows.
In the Select the application for which you want to create a group policy window, in the list of applications, select Kaspersky Endpoint Security for Mac (11.1).
In the Enter a group policy name window, in the Name field, specify the name of the policy that you are creating. The name can't contain the following symbols: " * < : > ? \ |.
Select the Use policy settings for an earlier version of the application checkbox if you want to import the settings from an existing Kaspersky Endpoint Security policy to a new policy.
Read the full text of the Kaspersky Security Network Statement by clicking the KSN Statement button.
View information about KSN infrastructure provided by Kaspersky Security Center.
Enable or disable the use of Kaspersky Security Network.
Enable or disable extended KSN mode.
Enable or disable the use of a KSN proxy.
Enable or disable the use of Kaspersky servers when the KSN proxy is unavailable.
Note: Use of Kaspersky Security Network and a KSN proxy on remote computers is available only if Kaspersky Security Center Administration Server is used as the proxy server. For detailed information about Administration Server properties, see the Kaspersky Security Center help.
When Global KSN infrastructure is used by Kaspersky Security Center and you choose to participate in Kaspersky Security Network in policy settings, Kaspersky Endpoint Security statistics from client computers to which the policy is applied are automatically sent to Kaspersky to enhance protection of these computers.
Note: Kaspersky doesn't receive, process, or store any personal data without your explicit consent.
If the I agree to use Kaspersky Security Network checkbox is selected and the Enable extended KSN mode checkbox is cleared, Kaspersky Endpoint Security provides the following data to Kaspersky:
Information about the license used: the type and validity period of the license, number of days till license expiration, identifier of the partner from whom the license was purchased, Regional Activation Center identifier, checksum of the activation code, ticket body hash calculated using the SHA1 algorithm, license ticket creation date and time, license information identifier, license ticket identifier, license ticket sequence identifier, unique identifier of the user's computer, date from which the license ticket is valid, date to which the license ticket is valid, license ticket current state, ticket header version, license version, ticket header signature certificate identifier, checksum of the key file, ticket header signer serial number, authentication token.
Full version of installed Software; type of installed Software; Software update ID; ID of reputation service; protocol type ID; ID of a regional activation center; version of list of revoked Software service's decisions; ID of the triggered record in the Software's anti-virus databases; timestamp of the triggered record in the Software's anti-virus databases; type of the triggered record in the Software's anti-virus databases; unique ID of the instance of application installation on the computer; license activation date; license expiration date; license identifier; status of the license used by the Software; checksum type for the object being processed; name of the detected malware or legitimate software that can be used to damage the user's device or data; checksum of the object being processed; checksum of the Software activation code; full version of the Software; unique device ID; Software ID; checksum of the Software key file; ID of the information model used to provide the Software license; identifier of the certificate used to sign the Software license ticket header; the Software license ticket create date and time; the Software license ticket checksum; the Software license ticket version; the Software activation code version; format of the data in the request to Rightholder infrastructure; current license ticket ID; the Software component ID; the result of the Software action; error code; accessed address of the web service (URL, IP); port number; web address of the source of the web service request (referrer).
If both the I agree to use Kaspersky Security Network and Enable extended KSN mode checkboxes are selected, Kaspersky Endpoint Security provides the following data to Kaspersky:
Information about the version of the operating system (OS) and service packs installed on the computer, version and checksums (MD5, SHA2-256, SHA1) of the OS kernel file, parameters of the OS run mode.
Information about the failed last OS reboot: number of failed reboots.
Information about the Kaspersky installed application and the anti-virus protection status: unique identifier of the instance of application installation on the computer, application type, ID of application type, the full version of the application installed, the identifier of the application settings version, the identifier of the computer type, the unique identifier of the computer on which the application is installed, the unique User identifier in the Kaspersky services, locale language and operation state, version of the installed Software components and their operation state, version of the protocol used to connect with the Kaspersky services.
Full version of installed Software; type of installed Software; Software update ID; ID of reputation service; protocol type ID; ID of a regional activation center; version of list of revoked Software service's decisions; ID of the triggered record in the Software's anti-virus databases; timestamp of the triggered record in the Software's anti-virus databases; type of the triggered record in the Software's anti-virus databases; unique ID of the instance of application installation on the computer; license activation date; license expiration date; license identifier; status of the license used by the Software; checksum type for the object being processed; name of the detected malware or legitimate software that can be used to damage the user's device or data; checksum of the object being processed; checksum of the Software activation code; full version of the Software; unique device ID; Software ID; checksum of the Software key file; ID of the information model used to provide the Software license; identifier of the certificate used to sign the Software license ticket header; the Software license ticket create date and time; the Software license ticket checksum; the Software license ticket version; the Software activation code version; format of the data in the request to Rightholder infrastructure; current license ticket ID; the Software component ID; the result of the Software action; error code; accessed address of the web service (URL, IP); port number; web address of the source of the web service request (referrer).
Information about all scanned objects and operations: the name of the scanned object, the date and time of the scan, the URL- and Referrer addresses from which it was downloaded, the size of scanned files and the paths to them, the archive sign, the date and time of the file's creation, the name, size and checksums (MD5, SHA2-256) of the packer (if the file was packed), the file's entropy, the file's type, the file type code, the executable file sign, ID and format, the object's checksum (MD5, SHA2-256), the type and value of the object's supplementary checksum, data about the object's digital signature (certificate): data on the certificate's publisher, number of starts of the object since the last statistics delivery, ID of the application's scanning task, the means of receiving information about the object's reputation, the value of the target filter, technical parameters of the applicable detection technologies.
For executable files: the entropy of the file sections, reputation verification flag or file signature flag, name, type, ID type, checksum (MD5) and the size of the application that was loaded by the object being validated, the application path and template paths, an attribute indicating presence in the Autorun list, date of entry, the list of attributes, name of the packer, information about the digital signature of the application: the publisher certificate, the name of the uploaded file in the MIME format, file build date and time.
Information about the applications launched and their modules: checksums (MD5, SHA2-256) of running files, size, attributes, creation date, name of the packer (if the file was packed), names of files, information about processes running on the system (process ID (PID), process name, information about the account the process was started from, the application and command that started the process, the full path to the process's files, and the starting command line, a description of the application that the process belongs to (the name of the application and information about the publisher), as well as the digital certificates being used and information needed to verify their authenticity or information about the absence of a file's digital signature), and information about the modules loaded into the processes: their names, sizes, types, creation dates, attributes, checksums (MD5, SHA2-256, SHA1), the paths to them, PE-file header information, names of packers (if the file was packed), information about the availability and validity of these statistics, identifier of the mode for generating the statistics being sent.
If threats or vulnerabilities are detected, in addition to information about the detected object, information is provided about the identifier, version, and type of the record in the anti-virus database, the name of the threat based on the Kaspersky classification, the date and time of the last update of the anti-virus database, executable file name, the checksum (MD5) of the application file that requested the URL where the threat was detected, the IP address (IPv4 or IPv6) of the detected threat, the vulnerability identifier and its threat level, the URL and Referrer of the web page where the vulnerability was detected.
If a potentially malicious object is detected, information is provided about data in the processes' memory.
Network attack information: IP address of the attacking computer and number of the port on the user's computer targeted by the network attack, ID of the attack protocol, name and type of attack.
Information about network connections: version and checksums (MD5, SHA2-256, SHA1) of the file from which the process that opened the port was started, the path to the process's file and its digital signature, local and remote IP addresses, numbers of local and remote connection ports, connection state, timestamp of the port's opening.
The URL and IP address of the web page where harmful or suspicious content was detected, the name, size, and checksum of the file that requested the URL, the identifier, weight and degree of the rule used to reach a verdict, the objective of the attack.
Information about updates of the installed application and anti-virus databases: status of completion of the update task, type of error that may have occurred during the update process, the number of unsuccessful updates, the identifier of the application component that performs updates.
Information about the use of Kaspersky Security Network (KSN): KSN identifier, application identifier, full version of the application, depersonalized IP address of the user's device, indicators of the quality of fulfillment of KSN requests, indicators of the quality of the processing of KSN packets, indicators of the number of KSN requests and information about the types of KSN requests, date and time when statistics began being sent, date and time when statistics finished being sent, information about KSN configuration updates: identifier of the active configuration, identifier of the configuration received, error code of the configuration update.
Information about system log events: event time, name of the log where the event has been detected, type and category of event, name of the event source and event description.
Information to determine the reputation of files and URL-addresses: the URL-address at which the reputation is being requested and the Referrer, the connection's protocol type, the internal identifier of the application type, the number of the port being used, the User identifier, checksum of the scanned file (MD5), type of the detected threat, information about the record used to detect a threat (record identifier for the anti-virus databases, the record timestamp and type).
Data on the application territorial distribution: date of the application installation and activation, ID of the partner providing the license for the application activation, application ID, application language localization ID, license serial number for the application activation, KSN participation sign.
Information about the license used: the type and validity period of the license, number of days till license expiration, identifier of the partner from whom the license was purchased, Regional Activation Center identifier, checksum of the activation code, ticket body hash calculated using the SHA1 algorithm, license ticket creation date and time, license information identifier, license ticket identifier, license ticket sequence identifier, unique identifier of the user's computer, date from which the license ticket is valid, date to which the license ticket is valid, license ticket current state, ticket header version, license version, ticket header signature certificate identifier, checksum of the key file, ticket header signer serial number, authentication token.
Information about hardware installed on the computer: type, name, model name, firmware version, parameters of built-in and connected devices.
Information about the operation of the Web Control component: component version, categorization reason, additional information about categorization reason, categorized URL, host IP address of blocked/categorized object.
When Private KSN infrastructure is used by Kaspersky Security Center and you choose to participate in Kaspersky Security Network in policy settings, Kaspersky Endpoint Security doesn't send to Kaspersky any statistics from client computers to which the policy is applied.
After a policy is deleted or made inactive, KSN settings on a client computer return to the initial state.
In the FileVault Disk Encryption window, do the following if necessary:
Enable or disable FileVault disk encryption management for the user's startup disk.
By default, FileVault disk encryption management is disabled.
Choose the Encrypt disk option, if you want to encrypt the user's startup disk when the policy is applied to a client computer.
If the Enable FileVault disk encryption management checkbox is unselected, users with administrator rights can encrypt and decrypt their Mac startup disks from System Preferences.
If the Enable FileVault disk encryption management checkbox and the Encrypt disk option are selected, users with administrator rights can't decrypt the startup disk of their Mac from System Preferences.
If the Enable FileVault disk encryption management checkbox and the Decrypt disk option are selected, users with administrator rights can't encrypt the startup disk of their Mac from System Preferences.
In the Web Control window, do the following if necessary:
Enable or disable Web Control.
Note: If you enable Web Control to block access to dangerous web resources, Kaspersky Endpoint Security displays the Web Control is enabled notification in Protection Center on the remote computer. Kaspersky Endpoint Security displays notifications when the user accesses web resources blocked by Web Control on the remote computer if the Check secure connections (HTTPS) checkbox is selected in the Network window of the New policy Wizard.
Add a new rule for Web Control by clicking Add.
You can enter a rule name, choose whether the rule is active, specify a rule area by creating a list of specific web addresses or selecting website categories, and select an action that Kaspersky Endpoint Security performs when a user accesses a website included in this rule.
Edit, delete, or organize created rules in the list.
The order in which the rules are sorted determines the priority of their application by Kaspersky Endpoint Security.
Select the Open policy properties immediately after it is created checkbox if you want to review the policy settings after the policy is created.
Click Finish to close the New Policy Wizard.
The policy that you have created appears on the Policies tab in the workspace of the relevant administration group. The policy is applied to client computers after their first synchronization with Administration Server.
You can edit the settings of the policy you have created. You can also prohibit or allow changes to each group of settings from a client computer using the two buttons shown for each group of settings. One button next to a group of settings signifies that the user of a client computer is not allowed to edit these settings on the user's computer. The other button signifies that the user of a client computer is allowed to edit these settings on the user's computer.
You can create an unlimited number of various policies for applications installed on computers in each administration group, but only one policy can be applied to each application at a time within an administration group.
You can make changes to the policy that you created in Kaspersky Security Center and block any changes to its settings in the policies of subgroups and in task settings.
Kaspersky Endpoint Security policy settings include application settings and task settings.
Configure policy settings
Start Kaspersky Security Center Administration Console.
Maximize the Administration Server <Server name> node.
In the console tree, click Managed devices.
In the workspace, select the Policies tab.
Right-click the policy you want to configure and choose Properties.
In the Properties: <Policy name> window, configure the policy settings:
Read the full text of the Kaspersky Security Network Statement by clicking KSN Statement.
Enable or disable the use of Kaspersky Security Network.
Enable or disable extended KSN mode.
Enable or disable the use of a KSN proxy.
Enable or disable the use of Kaspersky servers when the KSN proxy is unavailable.
Note: Use of Kaspersky Security Network and a KSN proxy on remote computers is available only if Kaspersky Security Center Administration Server is used as the proxy server. For detailed information about Administration Server properties, see the Kaspersky Security Center help.
Enable or disable FileVault disk encryption management for client computers.
Encrypt or decrypt the startup disk on client computers.
If the Enable FileVault disk encryption management checkbox is unselected, users with administrator rights can encrypt and decrypt their Mac startup disks from System Preferences.
If the Enable FileVault disk encryption management checkbox and the Encrypt disk option are selected, users with administrator rights can't decrypt the startup disk of their Mac from System Preferences.
If the Enable FileVault disk encryption management checkbox and the Decrypt disk option are selected, users with administrator rights can't encrypt the startup disk of their Mac from System Preferences.
A policy status defines the operation of a policy. The policy can have active, out-of-office, or inactive status. You can change the policy status in policy settings.
A policy profile is a named set of variable settings for a policy, which is activated on a client computer when specific conditions are met. Activation of a profile modifies the policy settings in effect on the device when the policy profile is activated.
In the console tree, select the administration group for which you want to create a policy profile.
In the workspace, select the Policies tab.
Do one of the following to open the properties of the policy for which you want to create a profile:
Double-click the name of the policy.
Right-click the policy name to display the context menu and choose Properties.
Click the Configure policy link.
In the Properties: <Policy name> window, select the Policy profiles section.
In the workspace, click Add.
In the Assigning policy profiles window, read the information about policies and click Next.
If you don't want to display this window when you create new policy profiles, select the Do not show this window again checkbox before clicking Next.
In the Policy profile name window, do the following to configure the policy profile:
Enter the name of the new policy profile.
Note: The name of a profile cannot include more than 100 characters.
In the Policy profile state section, select whether the policy profile is enabled or disabled.
In the drop-down list in the Policy profile state section, select whether the policy profile can be edited.
If you want to configure activation rules for the policy profile, select the After closing the New Policy Profile Wizard, proceed to configuring the policy profile activation rule checkbox.
Click Finish.
If you have selected the After closing the New Policy Profile Wizard, proceed to configuring the policy profile activation rule checkbox, proceed with the steps of the New Policy Profile Activation Rule Wizard.
The policy profile that you created appears in the Policy profiles section of the Properties: <Policy name> window.
In the console tree, select the administration group for which you want to modify a policy profile.
In the workspace, select the Policies tab.
Do one of the following to open the properties of the policy for which you want to modify a profile:
Double-click the name of the policy.
Right-click the policy name to display the context menu and choose Properties.
Click the Configure policy link.
In the Properties: <Policy name> window, select the Policy profiles section.
In the workspace, select the policy profile that you want to modify and click Properties.
The Properties: <Policy profile name> window opens.
Configure the profile if necessary:
In the General section, rename the profile or enable/disable the profile by selecting/deselecting the Enable profile checkbox.
In the Activation rules section, create, edit, or delete the activation rules.
In the Devices section, choose the devices to which the policy profile is applied.
Edit the policy settings in the relevant sections.
Click OK.
If the policy profile is active, the modified settings will be applied after the client computer is synchronized with Administration Server. If the policy profile is inactive, they will be applied after the activation rule is triggered.
Start Kaspersky Security Center Administration Console.
Maximize the Administration Server <Server name> node.
In the console tree, click Managed devices.
Select the administration group that contains the required client computer.
Select the Devices tab.
Select the computer from the list of client computers.
Right-click the selected computer to open the context menu and choose All tasks > View report on threats.
The generated report opens in a browser window.
You can find information about other ways to generate a report on objects detected by the application on the client computer in the Kaspersky Security Center help.
Remote administration of the application via Kaspersky Security Center Web Console and Cloud Console
Kaspersky Security Center Web Console (Web Console) is a web application intended to provide a centralized way to perform the main tasks related to managing and maintaining an organization's network security. Web Console is a Kaspersky Security Center component that provides a user interface for managing Kaspersky Endpoint Security in a browser window. For detailed information about Kaspersky Security Center Web Console, see the Kaspersky Security Center help.
Kaspersky Security Center Cloud Console (Cloud Console) is a cloud-based solution for protecting and managing an organization's network. For detailed information about Kaspersky Security Center Cloud Console, see the Kaspersky Security Center Cloud Console help.
This section contains information on how to create and configure policies for Kaspersky Endpoint Security using Kaspersky Security Center Web Console and Cloud Console.
A policy determines an application's settings and manages the ability to configure that application on computers within an administration group. An individual policy must be created for each application. You can create multiple policies for applications installed on computers in each administration group, but only one policy can be applied at a time to each application within an administration group.
Note: When creating and configuring a policy, you can allow or prohibit changes to any group of settings in policies using the Enforce toggle switch.
In the DEVICES section on the left, select the POLICIES & PROFILES section.
Click Add.
Select the application for which you want to create a policy and click Next.
The New policy window opens.
On the GENERAL tab, specify the policy name and configure the policy status and the policy settings inheritance options.
On the APPLICATION SETTINGS tab, configure the application settings that will be applied to Kaspersky Endpoint Security on the client computer when the policy is enforced.
Click Save.
You can perform the following actions on custom policies:
Note: After you create a policy profile for a Kaspersky Endpoint Security policy using Kaspersky Security Center Web Console and Cloud Console, you need to check that the settings are applied correctly on client computers.
In the Advanced Threat Protection section, you can choose whether Kaspersky Endpoint Security on client computers participates in Kaspersky Security Network and configure the use of KSN proxy.
Do the following if necessary:
Read the full text of the Kaspersky Security Network Statement by clicking the KSN Statement link.
View information about KSN infrastructure provided by Kaspersky Security Center by clicking the KSN Statement link.
Note: Global KSN infrastructure is used in Kaspersky Security Center by default. If you manage Kaspersky Endpoint Security via Kaspersky Security Center Web Console and depending on Kaspersky Security Center settings, you can participate in Kaspersky Private Security Network instead of Kaspersky Security Network. If you manage Kaspersky Endpoint Security via Kaspersky Security Center Cloud Console, participation in Kaspersky Private Security Network is unavailable. For detailed information about participating in Kaspersky Private Security Network, see the Kaspersky Security Center help.
Turn on/off the use of Kaspersky Security Network.
Turn on/off extended KSN mode.
Enable or disable the use of a KSN proxy.
Enable or disable the use of Kaspersky servers when the KSN proxy is unavailable.
Note: If you manage Kaspersky Endpoint Security via Kaspersky Security Center Web Console, use of Kaspersky Security Network and a KSN proxy on remote computers is available only if Kaspersky Security Center Administration Server is used as the proxy server. For detailed information about Administration Server properties, see the Kaspersky Security Center help. If you manage Kaspersky Endpoint Security via Kaspersky Security Center Cloud Console, you can use Kaspersky Security Network and a KSN proxy on remote computers through distribution points running a Windows operating system.
When Global KSN infrastructure is used by Kaspersky Security Center and you choose to participate in Kaspersky Security Network in policy settings, Kaspersky Endpoint Security statistics from client computers to which the policy is applied are automatically sent to Kaspersky to enhance protection of these computers.
Note: Kaspersky doesn't receive, process, or store any personal data without your explicit consent.
If the Kaspersky Security Network toggle switch is enabled and the Extended KSN mode toggle switch is disabled, Kaspersky Endpoint Security running on client computers provides to Kaspersky the following data:
Information about the license used: the type and validity period of the license, number of days till license expiration, identifier of the partner from whom the license was purchased, Regional Activation Center identifier, checksum of the activation code, ticket body hash calculated using the SHA1 algorithm, license ticket creation date and time, license information identifier, license ticket identifier, license ticket sequence identifier, unique identifier of the user's computer, date from which the license ticket is valid, date to which the license ticket is valid, license ticket current state, ticket header version, license version, ticket header signature certificate identifier, checksum of the key file, ticket header signer serial number, authentication token.
Full version of installed Software; type of installed Software; Software update ID; ID of reputation service; protocol type ID; ID of a regional activation center; version of list of revoked Software service's decisions; ID of the triggered record in the Software's anti-virus databases; timestamp of the triggered record in the Software's anti-virus databases; type of the triggered record in the Software's anti-virus databases; unique ID of the instance of application installation on the computer; license activation date; license expiration date; license identifier; status of the license used by the Software; checksum type for the object being processed; name of the detected malware or legitimate software that can be used to damage the user's device or data; checksum of the object being processed; checksum of the Software activation code; full version of the Software; unique device ID; Software ID; checksum of the Software key file; ID of the information model used to provide the Software license; identifier of the certificate used to sign the Software license ticket header; the Software license ticket create date and time; the Software license ticket checksum; the Software license ticket version; the Software activation code version; format of the data in the request to Rightholder infrastructure; current license ticket ID; the Software component ID; the result of the Software action; error code; accessed address of the web service (URL, IP); port number; web address of the source of the web service request (referrer).
If the Kaspersky Security Network and Extended KSN mode toggle switches are enabled, Kaspersky Endpoint Security running on client computers provides to Kaspersky the following data:
Information about the version of the operating system (OS) and service packs installed on the computer, version and checksums (MD5, SHA2-256, SHA1) of the OS kernel file, parameters of the OS run mode.
Information about the last failed OS reboot: number of failed reboots.
Information about the Kaspersky installed application and the anti-virus protection status: unique identifier of the instance of application installation on the computer, application type, ID of application type, the full version of the application installed, the identifier of the application settings version, the identifier of the computer type, the unique identifier of the computer on which the application is installed, the unique User identifier in the Kaspersky services, locale language and operation state, version of the installed Software components and their operation state, version of the protocol used to connect with the Kaspersky services.
Full version of installed Software; type of installed Software; Software update ID; ID of reputation service; protocol type ID; ID of a regional activation center; version of list of revoked Software service's decisions; ID of the triggered record in the Software's anti-virus databases; timestamp of the triggered record in the Software's anti-virus databases; type of the triggered record in the Software's anti-virus databases; unique ID of the instance of application installation on the computer; license activation date; license expiration date; license identifier; status of the license used by the Software; checksum type for the object being processed; name of the detected malware or legitimate software that can be used to damage the user's device or data; checksum of the object being processed; checksum of the Software activation code; full version of the Software; unique device ID; Software ID; checksum of the Software key file; ID of the information model used to provide the Software license; identifier of the certificate used to sign the Software license ticket header; the Software license ticket create date and time; the Software license ticket checksum; the Software license ticket version; the Software activation code version; format of the data in the request to Rightholder infrastructure; current license ticket ID; the Software component ID; the result of the Software action; error code; accessed address of the web service (URL, IP); port number; web address of the source of the web service request (referrer).
Information about all scanned objects and operations: the name of the scanned object, the date and time of the scan, the URL- and Referrer addresses from which it was downloaded, the size of scanned files and the paths to them, the archive sign, the date and time of the file's creation, the name, size and checksums (MD5, SHA2-256) of the packer (if the file was packed), the file's entropy, the file's type, the file type code, the executable file sign, ID and format, the object's checksum (MD5, SHA2-256), the type and value of the object's supplementary checksum, data about the object's digital signature (certificate): data on the certificate's publisher, number of starts of the object since the last statistics delivery, ID of the application's scanning task, the means of receiving information about the object's reputation, the value of the target filter, technical parameters of the applicable detection technologies.
For executable files: the entropy of the file sections, reputation verification flag or file signature flag, name, type, ID type, checksum (MD5) and the size of the application that was loaded by the object being validated, the application path and template paths, an attribute indicating presence in the Autorun list, date of entry, the list of attributes, name of the packer, information about the digital signature of the application: the publisher certificate, the name of the uploaded file in the MIME format, file build date and time.
Information about the applications launched and their modules: checksums (MD5, SHA2-256) of running files, size, attributes, creation date, name of the packer (if the file was packed), names of files, information about processes running on the system (process ID (PID), process name, information about the account the process was started from, the application and command that started the process, the full path to the process's files, and the starting command line, a description of the application that the process belongs to (the name of the application and information about the publisher), as well as the digital certificates being used and information needed to verify their authenticity or information about the absence of a file's digital signature), and information about the modules loaded into the processes: their names, sizes, types, creation dates, attributes, checksums (MD5, SHA2-256, SHA1), the paths to them, PE-file header information, names of packers (if the file was packed), information about the availability and validity of these statistics, identifier of the mode for generating the statistics being sent.
If threats or vulnerabilities are detected, in addition to information about the detected object, information is provided about the identifier, version, and type of the record in the anti-virus database, the name of the threat based on the Kaspersky classification, the date and time of the last update of the anti-virus database, executable file name, the checksum (MD5) of the application file that requested the URL where the threat was detected, the IP address (IPv4 or IPv6) of the detected threat, the vulnerability identifier and its threat level, the URL and Referrer of the web page where the vulnerability was detected.
If a potentially malicious object is detected, information is provided about data in the processes' memory.
Network attack information: IP address of the attacking computer and number of the port on the user's computer targeted by the network attack, ID of the attack protocol, name and type of attack.
Information about network connections: version and checksums (MD5, SHA2-256, SHA1) of the file from which the process that opened the port was started, the path to the process's file and its digital signature, local and remote IP addresses, numbers of local and remote connection ports, connection state, timestamp of the port's opening.
The URL and IP address of the web page where harmful or suspicious content was detected, the name, size, and checksum of the file that requested the URL, the identifier, weight and degree of the rule used to reach a verdict, the objective of the attack.
Information about updates of the installed application and anti-virus databases: status of completion of the update task, type of error that may have occurred during the update process, the number of unsuccessful updates, the identifier of the application component that performs updates.
Information about the use of Kaspersky Security Network (KSN): KSN identifier, application identifier, full version of the application, depersonalized IP address of the user's device, indicators of the quality of fulfillment of KSN requests, indicators of the quality of the processing of KSN packets, indicators of the number of KSN requests and information about the types of KSN requests, date and time when statistics began being sent, date and time when statistics finished being sent, information about KSN configuration updates: identifier of the active configuration, identifier of the configuration received, error code of the configuration update.
Information about system log events: event time, name of the log where the event has been detected, type and category of event, name of the event source and event description.
Information to determine the reputation of files and URL-addresses: the URL-address at which the reputation is being requested and the Referrer, the connection's protocol type, the internal identifier of the application type, the number of the port being used, the User identifier, checksum of the scanned file (MD5), type of the detected threat, information about the record used to detect a threat (record identifier for the anti-virus databases, the record timestamp and type).
Data on the application territorial distribution: date of the application installation and activation, ID of the partner providing the license for the application activation, application ID, application language localization ID, license serial number for the application activation, KSN participation sign.
Information about the license used: the type and validity period of the license, number of days till license expiration, identifier of the partner from whom the license was purchased, Regional Activation Center identifier, checksum of the activation code, ticket body hash calculated using the SHA1 algorithm, license ticket creation date and time, license information identifier, license ticket identifier, license ticket sequence identifier, unique identifier of the user's computer, date from which the license ticket is valid, date to which the license ticket is valid, license ticket current state, ticket header version, license version, ticket header signature certificate identifier, checksum of the key file, ticket header signer serial number, authentication token.
Information about hardware installed on the computer: type, name, model name, firmware version, parameters of built-in and connected devices.
Information about the operation of the Web Control component: component version, categorization reason, additional information about categorization reason, categorized URL, host IP address of blocked/categorized object.
When Private KSN infrastructure is used by Kaspersky Security Center and you choose to participate in Kaspersky Security Network in policy settings, Kaspersky Endpoint Security doesn't send to Kaspersky any statistics from client computers to which the policy is applied.
In the File Threat Protection window, do the following if necessary:
Turn on/off File Threat Protection.
By default, File Threat Protection is turned on.
Create a protection scope.
Select the action to be performed upon detecting a malicious object.
Select whether Kaspersky Endpoint Security will scan only new and modified files or all files.
Select whether Kaspersky Endpoint Security will skip scanning of the read-only system volume on client computers running macOS 10.15 or later.
Select whether Kaspersky Endpoint Security will use iSwift technology while scanning files.
Note: iSwift allows Kaspersky Endpoint Security to use a special algorithm to exclude certain objects from scanning, which helps increase the scan speed.
Select which types of files Kaspersky Endpoint Security will scan.
Select the actions Kaspersky Endpoint Security takes for compound files.
In the Security Controls section, do the following if necessary:
Turn on/off Web Control.
Note: If you turn on Web Control to block access to dangerous web resources, Kaspersky Endpoint Security displays the Web Control is enabled notification in Protection Center on the remote computer. Kaspersky Endpoint Security displays notifications when the user accesses web resources blocked by Web Control on the remote computer if the Secure connections (HTTPS) check toggle switch is turned on in the Network window of the New policy wizard.
Add rules that will define which web addresses or website categories will be monitored and managed by Web Control on a user's computer.
Edit, delete, or organize created rules in the list.
The order in which the rules are sorted determines the priority of their application by Kaspersky Endpoint Security.
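Because rule order determines priority, both here and in the Administration Console wizard's Web Control window, a broad rule placed above a narrower one can keep the narrower rule from ever applying. The following added example (not Kaspersky code) audits an ordered rule list for such shadowed rules. It assumes first-match-wins evaluation, a constructed "host/path" mask syntax with `*` as the only wildcard, and the action names "allow" and "block"; none of these are taken from the product.

```python
import re
from dataclasses import dataclass
from urllib.parse import urlsplit


@dataclass(frozen=True)
class Rule:
    name: str
    active: bool
    masks: tuple   # "host/path" masks; '*' is the only wildcard (constructed syntax)
    action: str    # "allow" or "block" (assumed action names)


def _mask_regex(mask):
    """Compile a mask: '*' matches any run of characters, all else is literal."""
    return re.compile(
        "".join(".*" if ch == "*" else re.escape(ch) for ch in mask), re.DOTALL
    )


def normalize(url):
    """Reduce a URL to lowercase host + path, dropping scheme, port and query."""
    parts = urlsplit(url if "://" in url else "//" + url)
    host = (parts.hostname or "").lower().rstrip(".")
    return host + (parts.path or "/")


def first_match(rules, url):
    """Return the first active rule whose mask matches (assumed semantics)."""
    target = normalize(url)
    for rule in rules:
        if rule.active and any(_mask_regex(m).fullmatch(target) for m in rule.masks):
            return rule
    return None


def _covers(broad, narrow):
    """True if every URL matched by `narrow` is also matched by `broad`.

    Each '*' in `narrow` is replaced by a NUL byte, which no literal in
    `broad` can equal, so it can only be absorbed by a '*' in `broad`.
    The check is conservative: it never reports a false shadow.
    """
    return _mask_regex(broad).fullmatch(narrow.replace("*", "\x00")) is not None


def find_shadowed(rules):
    """List rules that can never apply because earlier active rules cover them.

    Returns (rule name, [covering rule names], kind), where kind is
    "conflict" when a covering rule has a different action, else "redundant".
    """
    findings = []
    for i, rule in enumerate(rules):
        if not rule.active or not rule.masks:
            continue
        earlier = [r for r in rules[:i] if r.active]
        covering = []
        for mask in rule.masks:
            hit = next(
                (r for r in earlier if any(_covers(m, mask) for m in r.masks)), None
            )
            if hit is None:
                break              # at least one mask is still reachable
            if hit not in covering:
                covering.append(hit)
        else:
            conflict = any(r.action != rule.action for r in covering)
            findings.append(
                (rule.name, [r.name for r in covering],
                 "conflict" if conflict else "redundant")
            )
    return findings


# Constructed sample policy, in the order the rules appear in the list.
POLICY = [
    Rule("Old allow-all", False, ("*",), "allow"),            # inactive: ignored
    Rule("Allow corporate", True, ("*.example.com/*",), "allow"),
    Rule("Block uploads", True, ("files.example.com/upload/*",), "block"),
    Rule("Block social", True, ("social.example.net/*",), "block"),
]

# Same rules with the narrow block rule moved above the broad allow rule.
FIXED = [POLICY[0], POLICY[2], POLICY[1], POLICY[3]]

if __name__ == "__main__":
    for name, by, kind in find_shadowed(POLICY):
        print(f"{name!r} is shadowed by {by} ({kind})")
```

A "conflict" finding is the one to act on: the list contains a block rule, but an allow rule above it decides the outcome.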
In the Data Encryption section, you can turn on or off encryption of the client computer's startup disks to prevent unauthorized users from accessing sensitive data. By default, FileVault disk encryption is disabled.
This section describes how to use Kaspersky Security Center Web Console and Cloud Console to create and configure tasks that Kaspersky Endpoint Security performs on a client computer or a group of computers managed by Kaspersky Security Center.
A task is a set of configurable actions that Kaspersky Endpoint Security performs on a client computer.
In Kaspersky Security Center Web Console and Cloud Console, you can create the following tasks:
In the DEVICES section on the left, select the TASKS section.
Click Add.
The Add Task Wizard starts.
In the Application drop-down list, select Kaspersky Endpoint Security for Mac (11.1).
In the Task type drop-down list, select the task you want to create.
If needed, edit the task name in the Task name field.
Select devices to which the task will be assigned.
Configure settings for the selected task type.
Complete the Add Task Wizard by clicking Finish.
Note: If you select the Open task details when creation is complete check box in the Finish task creation window, you can proceed with modifying the default task settings. If you do not select this check box, the task is created with the default settings. You can modify the default task settings later, at any time.
Dedicated Kaspersky update servers are the main source of updates for Kaspersky Endpoint Security. Kaspersky Endpoint Security can also use distribution points, local folders, or other web servers as an update source.
If you manage Kaspersky Endpoint Security via Kaspersky Security Center Web Console, the list of update sources includes Kaspersky update servers and Kaspersky Security Center servers by default. Kaspersky Endpoint Security downloads updates first from Kaspersky Security Center servers and then from Kaspersky update servers.
If you manage Kaspersky Endpoint Security via Kaspersky Security Center Cloud Console, the list of update sources includes Kaspersky update servers and distribution points by default. Kaspersky Endpoint Security downloads updates first from distribution points and then from Kaspersky update servers. For detailed information about distribution points, see the Kaspersky Security Center help.
You can do the following if necessary:
Enable or disable updating of application modules.
Add or delete update sources that will be used to update Kaspersky Endpoint Security.
This check box enables/disables adding the Web Threat Protection and Web Control components to the Kaspersky Endpoint Security installation package.
If this check box is selected, the Web Threat Protection and Web Control components are included in the Kaspersky Endpoint Security installation package.
If this check box is cleared, the Web Threat Protection and Web Control components are not included in the Kaspersky Endpoint Security installation package.
In the License information window, you can view information about a license, including its expiration date, the number of computers on which you can use Kaspersky Endpoint Security under this license, and the license type.
In the If a malicious object is detected section, you can select the action that Kaspersky Endpoint Security performs upon detecting an infected object.
Kaspersky Endpoint Security doesn't process objects until the scan is complete. At that point, Kaspersky Endpoint Security displays a notification with information about each infected object and prompts the user to select what action to take. The available options depend on the type of object.
Kaspersky Endpoint Security displays a notification with information about each infected object that the application detects and prompts the user to select a further action. The available options depend on the type of object.
This check box enables/disables the limit on the duration of file scans. Kaspersky Endpoint Security skips a file if scanning the file exceeds the specified time limit.
If this check box is selected, Kaspersky Endpoint Security skips a file if scanning the file exceeds the specified time limit.
If this check box is cleared, Kaspersky Endpoint Security scans files regardless of how much time the scan might take.
The default value is 30 seconds.
In the Compound files section, you can select the types of compound files that Kaspersky Endpoint Security scans.
This check box enables/disables scanning of an object as a folder.
If this check box is selected, Kaspersky Endpoint Security scans the object that you have specified in the Enter a file name, folder name, or mask field as a folder.
If this check box is cleared, Kaspersky Endpoint Security scans the object that you have specified in the Enter a file name, folder name, or mask field as a file.
This check box enables/disables scanning of subfolders in the folder specified in the Enter a file name, folder name, or mask field.
If this check box is selected, Kaspersky Endpoint Security scans subfolders during virus scans.
If this check box is cleared, Kaspersky Endpoint Security scans only the files directly in the folder specified in the Enter a file name, folder name, or mask field during virus scans.
Clicking this link opens the Protection window where you can manage general settings for Kaspersky Endpoint Security installed on users' computers and select the types of objects that Kaspersky Endpoint Security will detect.
Clicking this link opens the User interaction window where you can set up notifications displayed by Kaspersky Endpoint Security, the display language for events displayed in Kaspersky Security Center, and additional settings for Kaspersky Endpoint Security.
Clicking this link opens the Network window where you can manage proxy server settings, enable or disable scanning of encrypted connections (HTTPS), and configure monitored ports.
Clicking this link opens the Trusted zone window where you can add exclusions for File Threat Protection or scan tasks and configure trusted applications.
In the General section, you can enable or disable file protection on a remote computer and configure automatic start of the application when the computer is turned on or the operating system is restarted.
This check box enables/disables automatic start of Kaspersky Endpoint Security when a remote computer is turned on or after its operating system is restarted.
If the check box is selected, Kaspersky Endpoint Security starts automatically when the remote computer is turned on or its operating system is restarted.
If the check box is cleared, Kaspersky Endpoint Security does not start automatically when the remote computer is turned on or its operating system is restarted.
This check box enables/disables detection of applications that are not malicious or dangerous but which under certain circumstances may be used to harm a user's computer.
If the check box is selected, Kaspersky Endpoint Security detects legitimate software that can be used by intruders to damage a user's computer or personal data.
If the check box is cleared, Kaspersky Endpoint Security does not detect legitimate software that can be used by intruders to damage a user's computer or personal data.
This check box is cleared by default.
The Advanced section lets you enable energy-saving mode.
When the Enforce toggle switch is turned on, Kaspersky Endpoint Security prohibits changing the values of task settings, application settings, policies of subgroups, and secondary Administration Servers on a local computer.
When the Enforce toggle switch is turned off, Kaspersky Endpoint Security allows changing the values of task settings, application settings, policies of subgroups, and secondary Administration Servers on a local computer.
In the Reports section, you can configure settings for generating and storing reports on events that occur while Kaspersky Endpoint Security is running.
This check box enables/disables deletion of reports after the specified period.
If this check box is selected, Kaspersky Endpoint Security deletes reports after the specified period. By default, Kaspersky Endpoint Security stores reports for 30 days.
If this check box is cleared, Kaspersky Endpoint Security stores reports indefinitely.
This check box enables/disables logging of non-critical events (such as informational events) in the report. Non-critical events do not affect security.
If this check box is selected, Kaspersky Endpoint Security logs informational events in the report.
If this check box is cleared, Kaspersky Endpoint Security does not log informational events in the report.
This check box enables/disables keeping only information about important events from the previous run of the task.
If this check box is selected, each time a task starts, Kaspersky Endpoint Security removes information about non-critical events from the previous run of the task but keeps important information (for example, about detected malware) in the report.
If this check box is cleared, Kaspersky Endpoint Security keeps all information from the previous run of the task.
This check box is cleared by default.
In the Backup section, you can specify how long objects can be stored in Backup.
This check box enables/disables removal of objects from Backup after the specified period.
If this check box is selected, Kaspersky Endpoint Security removes objects from Backup after the specified period. The default storage period is 30 days.
If this check box is cleared, Kaspersky Endpoint Security stores objects in Backup indefinitely.
When the Enforce toggle switch is turned on, Kaspersky Endpoint Security prohibits changing the values of task settings, application settings, policies of subgroups, and secondary Administration Servers on a local computer.
When the Enforce toggle switch is turned off, Kaspersky Endpoint Security allows changing the values of task settings, application settings, policies of subgroups, and secondary Administration Servers on a local computer.
In the Application interface section, you can configure whether the application icon is displayed in the menu bar on a remote computer and whether a user can open the Kaspersky Endpoint Security main window and use the application interface.
This check box enables/disables a user's ability to open the Kaspersky Endpoint Security main window and use the application interface on a remote computer.
If this check box is selected, a user can open the Kaspersky Endpoint Security main window and use the application interface on a remote computer.
If this check box is cleared, Kaspersky Endpoint Security prevents a user from opening the main application window and hides the application interface on a remote computer.
This check box is selected by default.
In the Notifications section, you can enable notifications about Kaspersky Endpoint Security events and choose the preferred notification type.
The Notifications toggle switch enables/disables notifications about Kaspersky Endpoint Security events.
If the Notifications toggle switch is turned on, Kaspersky Endpoint Security shows notifications about events that occur while Kaspersky Endpoint Security components are running.
If the Notifications toggle switch is turned off, Kaspersky Endpoint Security doesn't show notifications about events that occur while Kaspersky Endpoint Security components are running.
In the Allow user to quit the application section, you can configure whether Kaspersky Endpoint Security can be shut down by a user on a remote computer.
This check box enables/disables availability of the Quit item in the context menu of the application icon shown in the menu bar.
If this check box is selected, the Quit item is available in the context menu of the application icon. The user of a remote computer can quit Kaspersky Endpoint Security on the remote computer.
If this check box is cleared, the Quit item is unavailable in the context menu of the application icon. The user of a remote computer cannot quit Kaspersky Endpoint Security on the remote computer.
This check box is selected by default.
In the Events in Kaspersky Security Center section, you can select the display language for Kaspersky Endpoint Security events in Kaspersky Security Center.
This check box enables/disables local management of Kaspersky Endpoint Security updates on a remote computer.
If this check box is selected, local management of Kaspersky Endpoint Security updates on a remote computer is enabled.
If this check box is cleared, Kaspersky Endpoint Security updates on a remote computer can be managed only using the Kaspersky Endpoint Security administration plug-in in Kaspersky Security Center.
This check box enables/disables local management of Kaspersky Endpoint Security keys on a remote computer.
If the check box is selected, local management of Kaspersky Endpoint Security keys on a remote computer is enabled.
If the check box is cleared, Kaspersky Endpoint Security keys on a remote computer can be managed only using the Kaspersky Endpoint Security administration plug-in in Kaspersky Security Center.
When the Enforce toggle switch is turned on, Kaspersky Endpoint Security prohibits changing the values of task settings, application settings, policies of subgroups, and secondary Administration Servers on a local computer.
When the Enforce toggle switch is turned off, Kaspersky Endpoint Security allows changing the values of task settings, application settings, policies of subgroups, and secondary Administration Servers on a local computer.
If this option is selected, Kaspersky Endpoint Security does not use a proxy server to connect to update sources for application databases and modules.
If this option is selected, Kaspersky Endpoint Security connects to update sources for application databases and modules using the proxy server settings configured in your operating system.
If this option is selected, Kaspersky Endpoint Security connects to update sources for application databases and modules using the proxy server settings you have specified.
This check box enables/disables use of a proxy server when updating application databases and modules from a local or network folder.
If this check box is selected, Kaspersky Endpoint Security does not use a proxy server when updating application databases and modules from a local or network folder.
If this check box is cleared, Kaspersky Endpoint Security uses a proxy server when updating application databases and modules from a local or network folder.
This check box is selected by default.
This check box is available if the Use specified proxy server settings option is selected.
In the Check secure connections section, you can define whether Kaspersky Endpoint Security scans secure connections (HTTPS).
The Secure connections (HTTPS) check toggle switch enables/disables scanning of secure connections established via the HTTPS protocol and displaying notifications when Web Control blocks the user's access to dangerous web resources.
If the Secure connections (HTTPS) check toggle switch is turned on, Kaspersky Endpoint Security does the following:
Web Threat Protection scans data that is sent and received by your computer over the HTTPS protocol in Safari, Google Chrome, or Firefox.
The application displays notifications when the user accesses web resources blocked by Web Control on the remote computer.
If the Secure connections (HTTPS) check toggle switch is turned off, Kaspersky Endpoint Security does the following:
Web Threat Protection does not scan data that is sent and received by your computer via the HTTPS protocol.
The application does not display notifications when the user accesses web resources blocked by Web Control on the remote computer.
This toggle switch is turned off by default.
In the Monitored ports section, you can configure which ports are monitored by Kaspersky Endpoint Security.
When the Enforce toggle switch is turned on, Kaspersky Endpoint Security prohibits changing the values of task settings, application settings, policies of subgroups, and secondary Administration Servers on a local computer.
When the Enforce toggle switch is turned off, Kaspersky Endpoint Security allows changing the values of task settings, application settings, policies of subgroups, and secondary Administration Servers on a local computer.
This check box enables/disables excluding subfolders of the folder specified in the Enter a file name, folder name, or mask field from scanning.
If this check box is selected, Kaspersky Endpoint Security does not scan subfolders of the specified folder during virus scans.
If this check box is cleared, Kaspersky Endpoint Security only excludes files directly in the folder specified in the Enter a file name, folder name, or mask field during virus scans. Subfolders of the specified folder are scanned.
This check box is selected by default.
In the Components section, you can select components that will not scan the specified file or folder.
When the Enforce toggle switch is turned on, Kaspersky Endpoint Security prohibits changing the values of task settings, application settings, policies of subgroups, and secondary Administration Servers on a local computer.
When the Enforce toggle switch is turned off, Kaspersky Endpoint Security allows changing the values of task settings, application settings, policies of subgroups, and secondary Administration Servers on a local computer.
This list contains the addresses of resources from which Kaspersky Endpoint Security downloads and installs updates of application databases and modules. You can specify a local or network folder, or an FTP or HTTP server as an update source.
By default, the list of update sources contains Kaspersky update servers.
If you manage Kaspersky Endpoint Security via Kaspersky Security Center Web Console, the list of update sources also includes Kaspersky Security Center servers by default.
If you manage Kaspersky Endpoint Security via Kaspersky Security Center Cloud Console, the list of update sources also includes distribution points by default. For detailed information about distribution points, see the Kaspersky Security Center help.
You cannot remove the default update sources from the list.
If the toggle switch in this column is turned on, Kaspersky Endpoint Security uses the corresponding update source from the Update source column to receive updates.
If the toggle switch in this column is turned off, Kaspersky Endpoint Security doesn't use the corresponding update source from the Update source column to receive updates.
When the Enforce toggle switch is turned on, Kaspersky Endpoint Security prohibits changing the values of task settings, application settings, policies of subgroups, and secondary Administration Servers on a local computer.
When the Enforce toggle switch is turned off, Kaspersky Endpoint Security allows changing the values of task settings, application settings, policies of subgroups, and secondary Administration Servers on a local computer.
The FileVault disk encryption toggle switch enables/disables FileVault disk encryption management.
If the FileVault disk encryption toggle switch is turned on, FileVault disk encryption can be applied to client computers from Kaspersky Security Center.
If the FileVault disk encryption toggle switch is turned off, FileVault disk encryption can't be applied to client computers from Kaspersky Security Center.
This toggle switch is turned off by default.
Note: If the FileVault disk encryption toggle switch is turned off, users with administrator rights can encrypt and decrypt their Mac startup disks from System Preferences. For more information on FileVault, refer to Apple documentation.
Kaspersky Endpoint Security displays a prompt for computer account credentials on client computers to which the policy is applied. When the user enters the credentials, Kaspersky Endpoint Security starts encrypting the user's startup disk.
If the FileVault disk encryption toggle switch is turned on and the Encrypt disk option is selected, users with administrator rights can't decrypt the startup disk of their Mac from System Preferences.
Kaspersky Endpoint Security displays a prompt for computer account credentials on client computers to which the policy is applied. When the user enters the credentials, Kaspersky Endpoint Security starts decrypting the user's startup disk.
If the FileVault disk encryption toggle switch is turned on and the Decrypt disk option is selected, users with administrator rights can't encrypt the startup disk of their Mac from System Preferences.
When the Enforce toggle switch is turned on, Kaspersky Endpoint Security prohibits changing the values of task settings, application settings, policies of subgroups, and secondary Administration Servers on a local computer.
When the Enforce toggle switch is turned off, Kaspersky Endpoint Security allows changing the values of task settings, application settings, policies of subgroups, and secondary Administration Servers on a local computer.
An action that Kaspersky Endpoint Security performs when the user visits a certain web address, group of web addresses, or category of websites affected by the rule.
You can change the assigned action by selecting another option in the corresponding shortcut menu in this column.
When the Enforce toggle switch is turned on, Kaspersky Endpoint Security prohibits changing the values of task settings, application settings, policies of subgroups, and secondary Administration Servers on a local computer.
When the Enforce toggle switch is turned off, Kaspersky Endpoint Security allows changing the values of task settings, application settings, policies of subgroups, and secondary Administration Servers on a local computer.
If this option is selected, you create an inactive rule. It will be pending when the policy is enforced.
In the Action section, you can select the action that Kaspersky Endpoint Security performs when the user visits a certain web address, group of web addresses, or category of websites affected by the rule.
If this option is selected, Kaspersky Endpoint Security allows the user to visit the web address, group of web addresses, or category of websites affected by the rule.
Note: Kaspersky Endpoint Security allows the user to visit web resources on the remote computer if the Secure connections (HTTPS) check toggle switch is turned on in the Network window of the New Policy wizard.
If this option is selected, Kaspersky Endpoint Security prevents the user from visiting the web address, group of web addresses, or category of websites affected by the rule.
Note: Kaspersky Endpoint Security displays notifications when the user accesses web resources blocked by Web Control on the remote computer if the Secure connections (HTTPS) check toggle switch is turned on in the Network window of the New Policy wizard.
If this option is selected, Kaspersky Endpoint Security shows a warning when the user attempts to visit the web address, group of web addresses, or category of websites affected by the rule.
In the Rule area section, you can choose to create a rule for a particular web address or a group of web addresses, or website categories.
The File Threat Protection toggle switch enables/disables File Threat Protection.
If the File Threat Protection toggle switch is turned on, Kaspersky Endpoint Security performs real-time monitoring of the file system of the client computers to which the policy is applied.
If the File Threat Protection toggle switch is turned off, Kaspersky Endpoint Security doesn't protect the file system of the client computers to which the policy is applied.
This toggle switch is turned on by default.
In the Protection scope section, you can set up a protection scope by selecting one of the preset items or by adding files or folders of your choice.
If the toggle switch in this column is turned on, Kaspersky Endpoint Security scans the corresponding object in the Protection scope column when File Threat Protection is enabled.
If the toggle switch in this column is turned off, Kaspersky Endpoint Security doesn't scan the corresponding object in the Protection scope column when File Threat Protection is enabled.
This column indicates whether Kaspersky Endpoint Security scans subfolders of a corresponding object.
In the If a malicious object is detected section, you can select the action that Kaspersky Endpoint Security performs upon detecting a malicious object.
Kaspersky Endpoint Security displays a notification window with information about the malicious object that has infected the file and prompts you to choose the action to be taken by Kaspersky Endpoint Security. Actions may vary depending on the status of the object.
Kaspersky Endpoint Security blocks access to the infected file and attempts to disinfect it without requesting confirmation from the user.
If the file is disinfected, Kaspersky Endpoint Security saves it in its original location under the original file name. If disinfection fails, Kaspersky Endpoint Security deletes the infected file.
Kaspersky Endpoint Security blocks access to the infected file and attempts to disinfect it without requesting confirmation from the user.
If the file is disinfected, Kaspersky Endpoint Security saves it in its original location under the original file name. If disinfection fails, Kaspersky Endpoint Security keeps the infected file in a blocked state in its original location.
In the Optimization section, you can configure scan performance and select the scanning algorithm.
This check box enables/disables use of iSwift technology during scanning. iSwift allows Kaspersky Endpoint Security to use a special algorithm to exclude certain objects from scanning, which helps increase the scan speed.
If this check box is selected, Kaspersky Endpoint Security uses iSwift during scanning.
If this check box is cleared, Kaspersky Endpoint Security does not use iSwift during scanning.
This check box is selected by default.
In the File types section, you can select which files will be scanned by Kaspersky Endpoint Security when File Threat Protection is enabled.
Kaspersky Endpoint Security scans only objects that may be infected based on their file extension.
The list of extensions is defined by Kaspersky and is included in Kaspersky Endpoint Security databases.
Kaspersky Endpoint Security always scans files without extensions.
In the Compound files section, you can select the types of compound files that Kaspersky Endpoint Security scans when File Threat Protection is enabled.
An option that limits the size of archives to be scanned.
If this check box is selected, Kaspersky Endpoint Security scans all archives whose size exceeds the set limit, but does so with a lower priority two minutes after detecting such an archive.
If this check box is cleared, Kaspersky Endpoint Security scans all archives with equal priority.
This check box is available if the Scan archives check box is selected.
When the Enforce toggle switch is turned on, Kaspersky Endpoint Security prohibits changing the values of task settings, application settings, policies of subgroups, and secondary Administration Servers on a local computer.
When the Enforce toggle switch is turned off, Kaspersky Endpoint Security allows changing the values of task settings, application settings, policies of subgroups, and secondary Administration Servers on a local computer.
This check box enables/disables scanning of an object as a folder.
If this check box is selected, Kaspersky Endpoint Security scans the object that you have specified in the Enter a file name, folder name, or mask field as a folder.
If this check box is cleared, Kaspersky Endpoint Security scans the object that you have specified in the Enter a file name, folder name, or mask field as a file.
This check box enables/disables scanning of subfolders in the folder specified in the Enter a file name, folder name, or mask field.
If this check box is selected, Kaspersky Endpoint Security scans subfolders during virus scans.
If this check box is cleared, Kaspersky Endpoint Security scans only the files directly in the folder specified in the Enter a file name, folder name, or mask field during virus scans.
The Web Threat Protection toggle switch enables/disables Web Threat Protection.
If the Web Threat Protection toggle switch is turned on, Web Threat Protection scans data sent and received by your computer over the HTTP and HTTPS protocols in Safari, Google Chrome, or Firefox.
If the Web Threat Protection toggle switch is turned off, Web Threat Protection does not scan data sent and received by your computer via web browsers.
This toggle switch is turned on by default.
In the If a malicious object is detected section, you can select the action that Kaspersky Endpoint Security performs upon detecting a malicious object.
Kaspersky Endpoint Security displays a notification window with information about the type of malware that has infected the web traffic object and prompts you to choose the action to be taken by Kaspersky Endpoint Security on this object. The available actions may vary depending on the status of the object.
Kaspersky Endpoint Security automatically blocks access to dangerous web traffic objects.
In the Trusted web addresses section, you can create or edit a list of trusted web addresses and enable or disable scanning of traffic from web addresses on this list.
You can clear the check box next to a web address on the list. If the check box is cleared, Web Threat Protection scans web traffic from the web address.
The list is available if the Do not scan web traffic from trusted web addresses check box is selected.
If the toggle switch in this column is turned on, Kaspersky Endpoint Security doesn't scan the corresponding object from the Web address column when Web Threat Protection is enabled and the Do not scan web traffic from trusted web addresses check box is selected.
If the toggle switch in this column is turned off, Kaspersky Endpoint Security scans the corresponding object from the Web address column when Web Threat Protection is enabled and the Do not scan web traffic from trusted web addresses check box is selected.
When the Enforce toggle switch is turned on, Kaspersky Endpoint Security prohibits changing the values of task settings, application settings, policies of subgroups, and secondary Administration Servers on a local computer.
When the Enforce toggle switch is turned off, Kaspersky Endpoint Security allows changing the values of task settings, application settings, policies of subgroups, and secondary Administration Servers on a local computer.
The Network Threat Protection toggle switch enables/disables Network Threat Protection.
If the Network Threat Protection toggle switch is turned on, Kaspersky Endpoint Security protects the remote computer against network attacks.
If the Network Threat Protection toggle switch is turned off, Kaspersky Endpoint Security does not protect the remote computer against network attacks.
This toggle switch is turned on by default.
In the Network Threat Protection settings section, you can modify the period for which Kaspersky Endpoint Security blocks attacking computers.
This check box enables/disables adding attacking computers to the list of blocked computers for the specified period.
If this check box is selected, Kaspersky Endpoint Security adds attacking computers to the list of blocked computers for the specified period.
If this check box is cleared, Kaspersky Endpoint Security does not block attacking computers.
This check box is selected by default.
By default, attacking computers are blocked for 60 minutes.
In the Exclusions section, you can create or edit a list of IP addresses of remote computers whose network activity will never be blocked by Kaspersky Endpoint Security.
When the Enforce toggle switch is turned on, Kaspersky Endpoint Security prohibits changing the values of task settings, application settings, policies of subgroups, and secondary Administration Servers on a local computer.
When the Enforce toggle switch is turned off, Kaspersky Endpoint Security allows changing the values of task settings, application settings, policies of subgroups, and secondary Administration Servers on a local computer.
The Kaspersky Security Network toggle switch enables/disables participation in Kaspersky Security Network.
If the Kaspersky Security Network toggle switch is turned on, the client computers to which the policy is applied participate in Kaspersky Security Network.
If the Kaspersky Security Network toggle switch is turned off, the client computers to which the policy is applied do not participate in Kaspersky Security Network.
The Extended KSN mode toggle switch enables/disables sending of additional data from the remote computer to Kaspersky in order to improve protection of client computers and the usability of Kaspersky Endpoint Security.
If Extended KSN mode is turned on, client computers under the policy provide both the data required for detection services to function and additional data to Kaspersky Security Network.
If Extended KSN mode is turned off, client computers under the policy provide only the data required for detection services to function and don't provide additional data to Kaspersky Security Network.
The Extended KSN mode toggle switch is turned off by default.
The toggle switch is turned on automatically if you turn on the Kaspersky Security Network toggle switch, but you can turn it off.
If the Kaspersky Security Network toggle switch is enabled and the Extended KSN mode toggle switch is disabled, Kaspersky Endpoint Security running on client computers provides the following data to Kaspersky:
Information about the license used: the type and validity period of the license, number of days till license expiration, identifier of the partner from whom the license was purchased, Regional Activation Center identifier, checksum of the activation code, ticket body hash calculated using the SHA1 algorithm, license ticket creation date and time, license information identifier, license ticket identifier, license ticket sequence identifier, unique identifier of the user's computer, date from which the license ticket is valid, date to which the license ticket is valid, license ticket current state, ticket header version, license version, ticket header signature certificate identifier, checksum of the key file, ticket header signer serial number, authentication token.
Full version of installed Software; type of installed Software; Software update ID; ID of reputation service; protocol type ID; ID of a regional activation center; version of list of revoked Software service's decisions; ID of the triggered record in the Software's anti-virus databases; timestamp of the triggered record in the Software's anti-virus databases; type of the triggered record in the Software's anti-virus databases; unique ID of the instance of application installation on the computer; license activation date; license expiration date; license identifier; status of the license used by the Software; checksum type for the object being processed; name of the detected malware or legitimate software that can be used to damage the user's device or data; checksum of the object being processed; checksum of the Software activation code; full version of the Software; unique device ID; Software ID; checksum of the Software key file; ID of the information model used to provide the Software license; identifier of the certificate used to sign the Software license ticket header; the Software license ticket create date and time; the Software license ticket checksum; the Software license ticket version; the Software activation code version; format of the data in the request to Rightholder infrastructure; current license ticket ID; the Software component ID; the result of the Software action; error code; accessed address of the web service (URL, IP); port number; web address of the source of the web service request (referrer).
If the Kaspersky Security Network and Extended KSN mode toggle switches are enabled, Kaspersky Endpoint Security running on client computers provides to Kaspersky the following data:
Information about the version of the operating system (OS) and service packs installed on the computer, version and checksums (MD5, SHA2-256, SHA1) of the OS kernel file, parameters of the OS run mode.
Information about the failed last OS reboot: number of failed reboots.
Information about the Kaspersky installed application and the anti-virus protection status: unique identifier of the instance of application installation on the computer, application type, ID of application type, the full version of the application installed, the identifier of the application settings version, the identifier of the computer type, the unique identifier of the computer on which the application is installed, the unique User identifier in the Kaspersky services, locale language and operation state, version of the installed Software components and their operation state, version of the protocol used to connect with the Kaspersky services.
Full version of installed Software; type of installed Software; Software update ID; ID of reputation service; protocol type ID; ID of a regional activation center; version of list of revoked Software service's decisions; ID of the triggered record in the Software's anti-virus databases; timestamp of the triggered record in the Software's anti-virus databases; type of the triggered record in the Software's anti-virus databases; unique ID of the instance of application installation on the computer; license activation date; license expiration date; license identifier; status of the license used by the Software; checksum type for the object being processed; name of the detected malware or legitimate software that can be used to damage the user's device or data; checksum of the object being processed; checksum of the Software activation code; full version of the Software; unique device ID; Software ID; checksum of the Software key file; ID of the information model used to provide the Software license; identifier of the certificate used to sign the Software license ticket header; the Software license ticket create date and time; the Software license ticket checksum; the Software license ticket version; the Software activation code version; format of the data in the request to Rightholder infrastructure; current license ticket ID; the Software component ID; the result of the Software action; error code; accessed address of the web service (URL, IP); port number; web address of the source of the web service request (referrer).
Information about all scanned objects and operations: the name of the scanned object, the date and time of the scan, the URL- and Referrer addresses from which it was downloaded, the size of scanned files and the paths to them, the archive sign, the date and time of the file's creation, the name, size and checksums (MD5, SHA2-256) of the packer (if the file was packed), the file's entropy, the file's type, the file type code, the executable file sign, ID and format, the object's checksum (MD5, SHA2-256), the type and value of the object's supplementary checksum, data about the object's digital signature (certificate): data on the certificate's publisher, number of starts of the object since the last statistics delivery, ID of the application's scanning task, the means of receiving information about the object's reputation, the value of the target filter, technical parameters of the applicable detection technologies.
For executable files: the entropy of the file sections, reputation verification flag or file signature flag, name, type, ID type, checksum (MD5) and the size of the application that was loaded by the object being validated, the application path and template paths, an attribute indicating presence in the Autorun list, date of entry, the list of attributes, name of the packer, information about the digital signature of the application: the publisher certificate, the name of the uploaded file in the MIME format, file build date and time.
Information about the applications launched and their modules: checksums (MD5, SHA2-256) of running files, size, attributes, creation date, name of the packer (if the file was packed), names of files, information about processes running on the system (process ID (PID), process name, information about the account the process was started from, the application and command that started the process, the full path to the process's files, and the starting command line, a description of the application that the process belongs to (the name of the application and information about the publisher), as well as the digital certificates being used and information needed to verify their authenticity or information about the absence of a file's digital signature), and information about the modules loaded into the processes: their names, sizes, types, creation dates, attributes, checksums (MD5, SHA2-256, SHA1), the paths to them, PE-file header information, names of packers (if the file was packed), information about the availability and validity of these statistics, identifier of the mode for generating the statistics being sent.
If threats or vulnerabilities are detected, in addition to information about the detected object, information is provided about the identifier, version, and type of the record in the anti-virus database, the name of the threat based on the Kaspersky classification, the date and time of the last update of the anti-virus database, executable file name, the checksum (MD5) of the application file that requested the URL where the threat was detected, the IP address (IPv4 or IPv6) of the detected threat, the vulnerability identifier and its threat level, the URL and Referrer of the web page where the vulnerability was detected.
If a potentially malicious object is detected, information is provided about data in the processes' memory.
Network attack information: IP address of the attacking computer and number of the port on the user's computer targeted by the network attack, ID of the attack protocol, name and type of attack.
Information about network connections: version and checksums (MD5, SHA2-256, SHA1) of the file from which process was started that opened the port, the path to the process's file and its digital signature, local and remote IP addresses, numbers of local and remote connection ports, connection state, timestamp of the port's opening.
The URL and IP address of the web page where harmful or suspicious content was detected, the name, size, and checksum of the file that requested the URL, the identifier, weight and degree of the rule used to reach a verdict, the objective of the attack.
Information about updates of the installed application and anti-virus databases: status of completion of the update task, type of error that may have occurred during the update process, the number of unsuccessful updates, the identifier of the application component that performs updates.
Information about the use of Kaspersky Security Network (KSN): KSN identifier, application identifier, full version of the application, depersonalized IP address of the user's device, indicators of the quality of fulfillment of KSN requests, indicators of the quality of the processing of KSN packets, indicators of the number of KSN requests and information about the types of KSN requests, date and time when statistics began being sent, date and time when statistics finished being sent, information about KSN configuration updates: identifier of the active configuration, identifier of the configuration received, error code of the configuration update.
Information about system log events: event time, name of the log where the event has been detected, type and category of event, name of the event source and event description.
Information to determine the reputation of files and URL-addresses: the URL-address at which the reputation is being requested and the Referrer, the connection's protocol type, the internal identifier of the application type, the number of the port being used, the User identifier, checksum of the scanned file (MD5), type of the detected threat, information about the record used to detect a threat (record identifier for the anti-virus databases, the record timestamp and type).
Data on the application territorial distribution: date of the application installation and activation, ID of the partner providing the license for the application activation, application ID, application language localization ID, license serial number for the application activation, KSN participation sign.
Information about the license used: the type and validity period of the license, number of days till license expiration, identifier of the partner from whom the license was purchased, Regional Activation Center identifier, checksum of the activation code, ticket body hash calculated using the SHA1 algorithm, license ticket creation date and time, license information identifier, license ticket identifier, license ticket sequence identifier, unique identifier of the user's computer, date from which the license ticket is valid, date to which the license ticket is valid, license ticket current state, ticket header version, license version, ticket header signature certificate identifier, checksum of the key file, ticket header signer serial number, authentication token.
Information about hardware installed on the computer: type, name, model name, firmware version, parameters of built-in and connected devices.
Information about the operation of the Web Control component: component version, categorization reason, additional information about categorization reason, categorized URL, host IP address of blocked/categorized object.
Note: If you manage Kaspersky Endpoint Security via Kaspersky Security Center Web Console and depending on Kaspersky Security Center settings, you can participate in Kaspersky Private Security Network instead of Kaspersky Security Network. If you manage Kaspersky Endpoint Security via Kaspersky Security Center Cloud Console, participation in Kaspersky Private Security Network is unavailable. For detailed information about participating in Kaspersky Private Security Network, see the Kaspersky Security Center help.
In the KSN Proxy settings section, you can configure the KSN Proxy settings.
When the Enforce toggle switch is turned on, Kaspersky Endpoint Security prohibits changing the values of task settings, application settings, policies of subgroups, and secondary Administration Servers on a local computer.
When the Enforce toggle switch is turned off, Kaspersky Endpoint Security allows changing the values of task settings, application settings, policies of subgroups, and secondary Administration Servers on a local computer.
Clicking this link opens a new browser window where you can read the text of the Kaspersky Security Network Statement or Kaspersky Private Security Network Statement.
The computers to which the policy is applied don't participate in Kaspersky Security Network/Kaspersky Private Security Network.
Note: If you manage Kaspersky Endpoint Security via Kaspersky Security Center Cloud Console, participation in Kaspersky Private Security Network is unavailable. For detailed information about participating in Kaspersky Private Security Network, see the Kaspersky Security Center help.
You can manage Kaspersky Endpoint Security from the command line.
Note: After updates of Kaspersky Endpoint Security modules are installed, the version of the application client in the command line may differ from the installed version of the application.
Command line syntax:
kav <command> <parameters>
Each command has its own range of supported parameters.
Note: To run a virus scan, you can also use tasks created in the application by starting one from the command line. The task is started with the parameters that are specified in the Kaspersky Endpoint Security interface.
Parameter descriptions
<scan scope> – This parameter specifies a list of objects that are to be scanned for malicious code. You can include several parameters separating them with a space.
The following values are possible:
<files> – List of paths to files and/or folders to be scanned. You can specify absolute or relative paths to the files. Items in the list are separated by a space.
Note: If the name of an object or the path to it includes a space or special characters (such as $, &, or @), enclose the name in single quotes (' ') or escape each special character by placing a backslash (\) immediately before it. If a folder is specified, all files and folders in that folder are scanned.
-all – Full scan of your computer.
-remdrives – All removable drives.
-fixdrives – All internal drives.
-netdrives – All network drives.
-@:<filelist.lst> – Path to the file with a list of objects and folders within the scan scope. The file must be in text format and each scan object must be listed in a separate line. Only an absolute path to the file may be entered.
<action> – This parameter determines the action to take on malicious objects that are detected during the scan. If this parameter is not defined, the default action is the one corresponding to the value -i8.
The following values are possible:
-i0 – Take no actions on the object, only save information about the object in a report.
-i1 – Disinfect infected objects, skip them if they cannot be disinfected.
-i2 – Disinfect infected objects, delete them if they cannot be disinfected; do not delete containers, except for those with executable headers (.sfx archives).
-i3 – Disinfect infected objects, delete them if they cannot be disinfected; delete containers completely if infected files inside them cannot be deleted.
-i4 – Delete infected objects; delete containers completely if infected files inside them cannot be deleted.
-i8 – Prompt the user for action if an infected object is detected (used by default).
-i9 – Prompt the user for action when the scan is completed.
<file types> – This parameter defines the file types that are subject to virus scan. By default, if this parameter is not defined, only files that may be potentially infected (based on the file contents) are scanned.
The following values are possible:
-fe – Scan only files that may be potentially infected (based on the file extension).
-fi – Scan only files that may be potentially infected (based on the file content). This parameter is used by default.
-fa – Scan all files.
<exclusions> – This parameter defines the objects to exclude from scanning. You can include several parameters separating them with a space.
The following values are possible:
-e:a – Do not scan archives.
-e:b – Do not scan email databases.
-e:m – Do not scan email messages in text format.
-e:<mask> – Do not scan objects by mask.
-e:<seconds> – Skip objects that are scanned for longer than the specified length of time (in seconds).
-es:<size> – Skip objects with size larger than the specified value (in megabytes).
<report parameters> – These parameters define the format of the report containing the scan results. You can specify an absolute or relative path to the report file. If this parameter is not defined, scan results are displayed and all events are shown.
The following values are possible:
-r:<report file> – Log only important events to the specified report file.
-ra:<report file> – Log all events to the specified report file.
<advanced parameters> – Parameters that define the use of virus scan technologies and configuration files:
-iSwift=<on|off> – Enable/disable the use of iSwift.
-c:<configuration file> – Define the path to the configuration file that contains the application preferences for virus scan tasks. You can specify an absolute or relative path to the file. If this parameter is not specified, the values set in the application interface are used together with the values that are already specified in the command line.
Example:
Start scan of the folders ~/Documents, /Applications, and the file named my test.exe:
kav scan ~/Documents /Applications 'my test.exe'
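The following sketch is an added example, not part of the Kaspersky documentation. It builds kav scan command lines for unattended runs from the parameters described above: it applies the single-quote rule to paths, enforces the absolute path that -@: requires, and demands an explicit action instead of the default -i8 prompt. The function names are hypothetical, the parameter order follows the order of the descriptions above, and writing list-file entries verbatim (one absolute path per line, unquoted) is an assumption.

```shell
#!/bin/sh
# Added example: prints `kav scan` command lines; it never runs kav itself.
# Function names are hypothetical; only parameters described above are used.

# Quote one path for the shell: a name with spaces or special characters is
# wrapped in single quotes, and an embedded ' becomes '\''.
kav_quote() {
    case $1 in
        '') printf "''" ;;
        *[!A-Za-z0-9_./-]*)
            printf "'%s'" "$(printf '%s' "$1" | sed "s/'/'\\\\''/g")" ;;
        *) printf '%s' "$1" ;;
    esac
}

# Accept only actions that need no user: -i8 and -i9 prompt for a decision,
# and nobody answers a prompt in an unattended run.
kav_check_action() {
    case $1 in
        -i0|-i1|-i2|-i3|-i4) return 0 ;;
        -i8|-i9) echo "refusing $1: it prompts the user for action" >&2 ;;
        *) echo "unknown action: $1" >&2 ;;
    esac
    return 2
}

# kav_scan_cmd ACTION REPORT PATH...
# Prints: kav scan <quoted paths> <action> -ra:<report>
kav_scan_cmd() {
    _action=$1 _report=$2
    shift 2
    kav_check_action "$_action" || return 2
    [ "$#" -gt 0 ] || { echo "no scan scope given" >&2; return 2; }
    _cmd='kav scan'
    for _p in "$@"; do
        _cmd="$_cmd $(kav_quote "$_p")"
    done
    printf '%s %s -ra:%s\n' "$_cmd" "$_action" "$(kav_quote "$_report")"
}

# kav_filelist_cmd LISTFILE ACTION REPORT PATH...
# Writes the scan scope to LISTFILE, one object per line, then prints a
# command that passes it with -@:. LISTFILE must be an absolute path.
kav_filelist_cmd() {
    _list=$1 _action=$2 _report=$3
    shift 3
    kav_check_action "$_action" || return 2
    case $_list in
        /*) ;;
        *) echo "-@: accepts only an absolute path to the list file" >&2
           return 2 ;;
    esac
    _nl='
'
    : > "$_list" || return 1
    for _p in "$@"; do
        case $_p in
            *"$_nl"*) echo "path contains a newline; it cannot be listed" >&2
                      return 2 ;;
        esac
        # Assumption: entries are written verbatim and made absolute.
        case $_p in
            /*) printf '%s\n' "$_p" ;;
            *)  printf '%s/%s\n' "$PWD" "$_p" ;;
        esac >> "$_list"
    done
    printf 'kav scan -@:%s %s -ra:%s\n' \
        "$(kav_quote "$_list")" "$_action" "$(kav_quote "$_report")"
}

# Demo with constructed paths; the commands are printed, not executed.
kav_scan_cmd -i0 /tmp/scan-report.txt /Applications '/Users/Shared/my test.exe'
demo_dir=$(mktemp -d)
kav_filelist_cmd "$demo_dir/objects2scan.lst" -i2 "$demo_dir/scan report.txt" \
    /Applications 'Downloads/a b.dmg'
rm -rf "$demo_dir"
```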
Scan the objects listed in the file objects2scan.txt. Use the scan_settings.txt configuration file. When the scan is complete, create a report to log all events:
<update source> – An HTTP server or a network or local folder from which updates are downloaded. If a path is not selected, the update source will be taken from the application update preferences.
<report parameters> – These parameters define the format of the report on the scan results. You can specify an absolute or relative path to the report file. If this parameter is not defined, update results are displayed and all events are shown.
The following values are possible:
-r:<report file> – Log only important events to the specified report file.
-ra:<report file> – Log all events to the specified report file.
<advanced parameters> – A parameter that defines use of a configuration file.
-c:<configuration file> – Defines the path to a configuration file that contains the application preferences for updating the application. You can specify an absolute or relative path to the file. If this parameter is not defined, the values set in the application interface are used.
Example:
Update the application databases from the default source, logging all events in the report:
kav update -ra:avbases_upd.txt
Update the Kaspersky Endpoint Security modules using the parameters of the updateapp.ini configuration file:
Important: Administrator rights are required to run this command.
Parameter descriptions
<report parameters> – This parameter defines the format of the report containing the results of the update rollback. You can specify an absolute or relative path to the report file. If this parameter is not defined, rollback results are displayed and all events are shown.
The following values are possible:
-r:<report file> – Log only important events to the specified report file.
-ra:<report file> – Log all events to the specified report file.
kav start <task or component name> <report parameters>
The stop command syntax:
kav stop <task or component name>
Important: Administrator rights are required to run the stop command.
Parameter descriptions
<task or component name> – Specify one of the following values:
fm or file_monitoring – File Threat Protection
wm or web_monitoring – Web Threat Protection
ids – Network Threat Protection
full or scan_my_computer – Full Scan task
scan_objects – Custom Scan task
quick or scan_critical_areas – Quick Scan task
updater – Update task
rollback – Rollback task
<report parameters> – These parameters define the format of the report on the component or task results. You can specify an absolute or relative path to the report file. If this parameter is not defined, Kaspersky Endpoint Security displays results in accordance with parameters configured in the graphical user interface.
Note: <report parameters> is only available for scan_objects, updater, and rollback values.
The following values are possible:
-r:<report file> – Kaspersky Endpoint Security logs only important events to the specified report file.
-ra:<report file> – Kaspersky Endpoint Security logs all events to the specified report file.
Note: Components and tasks started from the command prompt are run with the parameters configured in the graphical user interface.
Example:
To enable the File Threat Protection component, enter the following command in the command line:
kav start fm
To stop the Full Scan task from the command line, enter the following command:
<task or component name> – Specify one of the following values:
fm or file_monitoring – File Threat Protection
wm or web_monitoring – Web Threat Protection
ids – Network Threat Protection
full or scan_my_computer – Full Scan task
scan_objects – Custom Scan task
quick or scan_critical_areas – Quick Scan task
updater – Update task
rollback – Rollback task
Note: If the status command is run without specifying a value for the <task or component name> parameter, the status of all tasks and components of the application is displayed. For the statistics command, a value must be specified for the <task or component name> parameter.
The general codes may be returned by any command from the command line. The return codes include general codes as well as codes specific to a certain task.
Syntax of the command for receiving the return code:
If you can't find a solution to your issue in the application documentation or in any of the sources of information about the application, contact Technical Support. Technical Support specialists will answer all your questions about installing and using the application.
Note: Kaspersky provides support of this application during its lifecycle (see the product support lifecycle page). Before contacting Technical Support, please read the support rules.
You can contact Technical Support in one of the following ways:
Technical support is available only to users who purchased a commercial license. Users who have received a trial license are not entitled to technical support.
Kaspersky CompanyAccount is a portal for companies that use Kaspersky applications. The Kaspersky CompanyAccount portal is designed to facilitate interaction between users and Kaspersky specialists through online requests. You can use Kaspersky CompanyAccount to track the status of your online requests and store a history of them as well.
You can register all of your organization's employees under a single account on Kaspersky CompanyAccount. A single account lets you centrally manage electronic requests from registered employees to Kaspersky and also manage the privileges of these employees via Kaspersky CompanyAccount.
The Kaspersky CompanyAccount portal is available in the following languages:
For more effective support and troubleshooting of application problems, Technical Support specialists may ask you to change application preferences temporarily for purposes of debugging during diagnostics. This may require doing the following:
Activating the functionality that extracts extended diagnostic information.
Fine-tuning the preferences of individual application components, which are not available via standard user interface elements.
Changing the preferences of transmission of diagnostic information that is extracted.
Technical Support specialists will provide you with all the information needed to perform the listed operations and inform you about the scope of data to be acquired for debugging purposes. After the extended diagnostic information is extracted, it is saved on the user's computer. The data is not sent to Kaspersky automatically.
After you report a problem to Kaspersky Technical Support specialists, they may ask you to generate a report with information about the operation of Kaspersky Endpoint Security and send it to Kaspersky Technical Support. Technical Support specialists may also ask you to create a trace file. The trace file makes it possible to perform a step-by-step examination of the execution of application commands and determine when errors occur.
Tracing is an effective way of recording detailed information about application activity. Technical Support specialists use trace files to troubleshoot issues.
In the menu bar, click the application icon and choose Preferences.
The application preferences window opens.
On the Interface tab, in the Traces section, deselect the Enable tracing checkbox.
Kaspersky Endpoint Security saves the following information in a trace file:
Information about the device and operating system (unique device ID, device type, MAC addresses of network devices, operating system type, operating system version).
Information about the operation of the application and its modules.
Information about the subscription (subscription type, region).
Information about the language locale, application ID, application customization, application version, unique application installation ID, unique computer ID.
Information about the anti-virus protection status of the computer, as well as all processed and detected objects (the name of the detected object, date and time of detection, the web address from which it was downloaded, the names and sizes of infected files and paths to them, the IP address of the attacking computer and the number of the computer port targeted by the network attack, list of malware activity, and unwanted web addresses), and the relevant actions and decisions taken by the application and the user.
Information about applications downloaded by the user (web address, attributes, file size, and information about the process that downloaded the file).
Information about the launched applications and application modules (size, attributes, creation date, PE header details, region, name, location, and packers).
Information about interface errors and usage of the interface of the installed Kaspersky application.
Information about network connections: the IP address of the remote computer and the user's computer, the numbers of ports used to establish the connection, and the network protocol of the connection.
Information about network packets received and sent by the computer over IT and telecom networks.
Information about email and instant messages sent and received.
Information about web addresses visited: the time when the connection was established using an open protocol, data on the website login and password, and the content of cookies.
Public certificate of the server.
Trace files contain only the information necessary to fix defects in the application. Kaspersky uses trace files to investigate incidents associated with errors in the operation of Kaspersky Endpoint Security.
By default, the creation of trace files is disabled. You can enable generation of trace files in the application preferences.
Trace files can only be manually sent to Kaspersky. Kaspersky Endpoint Security does not send trace files to Kaspersky automatically.
You can choose how trace files are sent to Kaspersky.
Before sending trace files to Kaspersky, please review the data they contain.
Important: Trace files may contain personal or sensitive information. By sending trace files to Kaspersky, you agree to provide to Kaspersky all data contained in the trace files you send and you consent to the method used to send them.
Kaspersky Endpoint Security page in the Knowledge Base
The Knowledge Base is a section on the Kaspersky Technical Support website.
On the Kaspersky Endpoint Security page in the Knowledge Base, you can read articles that provide useful information, recommendations, and answers to frequently asked questions on how to buy, install, and use the application.
Articles in the Knowledge Base may provide answers to questions that relate both to Kaspersky Endpoint Security as well as to other Kaspersky applications. Articles in the Knowledge Base may also contain Technical Support news.
Note: An Internet connection is required to access website resources.
If you can't find a solution to your problem, contact Technical Support.
Online help
In the Administrator's Guide, you can find information on how to:
Prepare for the installation of the application, install and activate the application.
Configure and use the application.
Remotely manage the application via Kaspersky Security Center.
Help materials included with the application (this help)
The application includes full help and context help.
Full help provides information on how to configure and use Kaspersky Endpoint Security.
Context help provides information about Kaspersky Endpoint Security windows, describes Kaspersky Endpoint Security preferences, and contains links to task descriptions where those preferences are used.
Help can be included in the distribution kit or located on the Kaspersky website. An Internet connection is required for viewing online help.
Kaspersky Endpoint Security has the following known issues and limitations:
If an application that collects information and sends it to be processed is installed on your computer, Kaspersky Endpoint Security may classify this application as malware. To avoid this, you can exclude the application from scanning by configuring Kaspersky Endpoint Security as described in this document.
Application functional settings can be modified by editing configuration files.
In Kaspersky Security Center, information about reserved keys is not displayed in the properties of managed devices.
In Kaspersky Security Center, local tasks may be listed twice in the properties of managed devices.
Changing the update source for a local update task disables automatic execution of the update task.
To exclude Safari network traffic from scanning by Kaspersky Endpoint Security, you need to add the following paths to the exclusion list:
After you create a policy profile for a Kaspersky Endpoint Security policy using Kaspersky Security Center Web Console and Cloud Console, you need to check that the settings are applied correctly on client computers.
On computers running macOS 11.0, when enabling FileVault disk encryption in policy settings, users with administrator rights can decrypt the startup disk of their Mac from System Preferences.
Changes in the proxy server options will be applied only after Kaspersky Endpoint Security is restarted.
Safari might not connect to a website with an untrusted certificate. You can add such a website to the exclusions or use another browser.
Kaspersky Endpoint Security version 11.1 can be used on macOS 12 with the following limitations:
The Kaspersky Endpoint Security icon is displayed incorrectly in application notifications.
Notifications about malware detection are not displayed. You can allow notifications in the operating system's Notifications preferences.
When downloading an anti-virus database patch, the update is not finished until you close the window informing you that Kaspersky Endpoint Security Daemon requires an update.
Kaspersky Endpoint Security can crash when starting a Quick Scan or Full Scan, and during basic setup of the application.
Kaspersky Endpoint Security for Mac version 11.1 cannot be installed on macOS 12.3 or later. If you are using these versions of macOS, you must install Kaspersky Endpoint Security version 11.2 Patch C or later.
If, when creating a scan task in Kaspersky Security Center, you selected the Scan applications and documents by extension option in the scan settings, Kaspersky Endpoint Security performs virus scans on objects without extensions and objects with the following extensions:
General formats: txt, csv, htm, html
Multimedia (audio/video) files: flv, f4v, avi, 3gp, 3g2, 3gp2, 3p2, divx, mp4, mkv, mov, qt, asf, wmv, rm, rmvb, vob, dat, mpg, mpeg, bik, fcs, mp3, mpeg3, flac, ape, ogg, aac, m4a, wma, ac3, wav, mka, rm, ra, ravb, mid, midi, cda
Image files: jpg, jpe, jpeg, jff, gif, png, bmp, tif, tiff, emf, wmf, eps, psd, cdr, swf
Executable and system files: exe, dll, scr, ocx, com, sys, class, o, so, elf, prx, vb, vbs, js, bat, cmd, msi, deb, rpm, sh, pl, dylib
Documents and templates: doc, dot, docx, dotx, docm, dotm, xsl, xls, xlsx, xltx, xlsm, xltm, xlam, xlsb, ppt, pot, pps, pptx, potx, pptm, potm, ppsx, ppsm, rtf, pdf, msg, eml, vsd, vss, vst, vdx, vsx, vtx, xps, oxps, one, onepkg, xsn, odt, ods, odp, sxw, pub, mdb, accdb, accde, accdr, accdc, chm, mht
Archives: zip, 7z*, 7-z, rar, iso, cab, jar, bz, bz2, tbz, tbz2, gz, tgz, arj, dmg, smi, img, xar
Note: The actual format of a file may not match its file name extension.
You can use the tilde symbol (~) when you specify the protection scope, scan scope, and Trusted Zone.
The ~ symbol in the path to a file or folder replaces /Users/<user name>. For example, the path ~/Desktop means that the protection scope includes Desktop folders of all users on computers that you want to protect.
Registered trademarks and service marks are the property of their respective owners.
Apple, Apple Remote Desktop, FileVault, Mac, Mac Pro, macOS, and Safari are trademarks of Apple Inc., registered in the U.S. and other countries.
Chrome, Google, and Google Chrome are trademarks of Google, Inc.
Intel is a trademark of Intel Corporation in the U.S. and/or other countries.
Excel, IIS, Microsoft, Windows, Windows Installer, and WMI are registered trademarks of Microsoft Corporation in the United States and other countries.
Firefox and Mozilla are trademarks of the Mozilla Foundation.
Java and JavaScript are registered trademarks of Oracle and/or its affiliates.
Parallels Desktop is a registered trademark of Parallels International GmbH.
VMware and VMware Fusion are registered trademarks or trademarks of VMware, Inc. in the United States and/or other jurisdictions.