Kaspersky Embedded Systems Security for Linux

Updating application databases and modules

The update functionality (including anti-virus signature updates and code base updates) may not be available in the application in the territory of the USA.

Updating the databases and application modules of Kaspersky Embedded Systems Security ensures up-to-date protection on your device. New viruses, malware, and other types of threats appear worldwide on a daily basis. The application databases contain information about the threats and the ways to neutralize them. To detect threats quickly, you are urged to regularly update the application databases and modules.

A current application license is required for regular database updates. If there is no current license, you will only be able to perform one update.

During the update process, the databases and application modules are downloaded and installed on your device. You can obtain updates for databases and application modules from Kaspersky update servers, from the Administration Server repository, from local or network directories, and from other update sources.

During an update, the application modules and databases on your device are compared with the up-to-date version at the update source. If your current databases and application modules differ from their respective up-to-date versions, the missing portions of the updates will be installed on your device.

If the databases are obsolete, the update package may be large, which may cause additional Internet traffic (up to several dozen MB). The amount of disk space required can be up to 3 GB.

Updates are downloaded from Kaspersky update servers or from other FTP, HTTP, or HTTPS servers over standard network protocols. By default, Internet connection settings are determined automatically. If you are using a proxy server, specify the proxy server settings in the general settings of the application.

Regardless of the update source, the update package is downloaded and the database and application module updates are installed on the device using the Update task. An Update predefined task is created in the application. Using this task, you can perform scheduled and on-demand updates of databases and application modules and configure update settings.

You can use the Update group task, which the Kaspersky Security Center Initial Configuration Wizard automatically creates after installing the Kaspersky Embedded Systems Security administration MMC plug-in or administration web plug-in. You can also create update user tasks in the command line and in Kaspersky Security Center.

You can configure the following settings for updating databases and application modules:

  • Select the source from which the application will receive updates, depending on the update scenario used.
  • Configure the response timeout of a selected update source when attempting to connect to it. If an update source does not respond within the specified time, the application contacts the next update source in the list.
  • Select the mode of downloading and installing application modules and application version updates: download and install, download only, or do not download.
  • Configure the task run schedule for updates. By default, the application updates the databases once every 60 minutes.

In this Help section

Updating databases and modules

Updating sources and update scenarios

Updating application databases and modules in the Web Console

Updating application databases and modules in the Administration Console

Updating application databases and modules in the command line

Updating using Kaspersky Update Utility

Rolling back application database and module updates


Updating databases and modules

During an update, the following objects are downloaded and installed on your device:

  • Application databases. Application databases include databases of malware signatures, a description of network attacks, databases of malicious and phishing web addresses, databases of banners, spam databases, and other data.

    If the database update on the device is interrupted or finishes with an error, the application continues to use the previously installed database version. If application databases were not installed before, the application continues functioning in "without databases" mode. Database and application module updates are still available.

    If the database update is successful, but the databases themselves are corrupted and the application terminates with an error several times in a row, the databases are automatically deleted. The application continues to work in the "without databases" mode; the database and application module update functionality remains available.

    The databases are up to date if they were downloaded less than three days ago. By default, the application generates the Databases are out of date event (BasesAreOutOfDate) if the last installed database updates were published on the Kaspersky servers more than three but less than seven days ago. If the databases have not been updated for seven days, the application generates the Databases are extremely out of date (BasesAreTotallyOutOfDate) event.

  • Application modules. Module updates are intended to eliminate vulnerabilities in the application and to improve methods of protecting devices. Module updates may change the behavior of application components and add new capabilities.

    The application module can be installed regardless of the state of the application (started or stopped, managed by a Kaspersky Security Center policy) and the update schedule. Kaspersky Embedded Systems Security continues protecting your device during the application module update procedure. During the update, application settings and the application log file are migrated to the new version of the application.

    If the transfer of application settings fails for any reason, the application is set to the default values.

    Changes to the application settings made after the update is complete and before the application restarts are not saved.

    After the application version is updated using an autopatch, the mechanism for interacting with the operating system firewall changes: the rules are managed using the iptables and iptables-restore system utilities.

    If the application does not work properly after the update, it automatically rolls back to the previous version. It is recommended to contact Kaspersky Technical Support.


Updating sources and update scenarios

An update source is a resource that contains updates for Kaspersky Embedded Systems Security databases and application modules. Update sources can be FTP, HTTP, or HTTPS servers (such as Kaspersky update servers), as well as local or network directories mounted by the user.

The main application update sources are Kaspersky update servers. You can specify other update sources in the Update task settings. If an update cannot be performed from an update source, Kaspersky Embedded Systems Security switches to the next update source.

Kaspersky Embedded Systems Security supports the following scenarios for updating databases and application modules:

  • Update from Kaspersky update servers. Kaspersky update servers are located in different countries around the world, which ensures a high reliability of updates. If an update cannot be performed from one server, the application switches over to the next server. Updates are downloaded via the HTTPS protocol.
  • Centralized update. Centralized update reduces external Internet traffic and provides for convenient monitoring of the update.

    Centralized update consists of the following steps:

    1. Download the update package to a repository within the organization's network.

      You can use the repository of the Kaspersky Security Center Administration Server as the repository.

      The update package is downloaded to the Administration Server repository via the Download updates to Administration Server repository task of the Administration Server.

      If you manage the application using Kaspersky Security Center Cloud Console, you can use the repositories of the distribution points (devices with Network Agent installed) as the repository. For more details about distribution points, refer to Kaspersky Security Center Help.

    2. Distribute the update package to client devices.

      The update package is distributed to the client devices by the Update task of Kaspersky Embedded Systems Security. In the task settings, select the Kaspersky Security Center Administration Server as the update source.

  • Updating from a local or network directory (SMB/NFS) mounted by a user, or from an FTP, HTTP, or HTTPS server. You can specify a custom update source in Update task settings.


Updating application databases and modules in the Web Console

In the Web Console, you can update databases and application modules using the Update task. You can use the automatically created Update group task, as well as create user tasks for updating.

To configure update settings in the Web Console:

  1. In the main window of the Web Console, select Assets (Devices) → Tasks.

    The list of tasks opens.

  2. Do one of the following:
    • If you want to edit the settings of a task that is run on all devices included in a specific administration group, click the link in the Current path field in the upper part of the window and select the administration group in the window that opens.

      The list displays only tasks configured for the selected administration group.

    • If you want to edit the settings of a task that is run on one or multiple devices (a task for a set of devices), click the link in the Current path field in the upper part of the window and select the top node with the name of the Administration Server in the window that opens.

      The list displays all tasks created on the Administration Server.

  3. In the list of tasks, select the required Update task and open the task properties window by clicking the link in the task name.
  4. In the task properties window, select the Application settings tab. Select the Update sources section in the list on the left.
  5. Select the update source from which the application will receive updates for databases and modules, depending on the update scenario used.

    If you are managing the application using the Web Console, the list of update sources contains Kaspersky update servers and the Kaspersky Security Center Administration Server. If you are managing the application using Kaspersky Security Center Cloud Console, the list of update sources contains Kaspersky update servers and distribution points (for more details about distribution points, refer to the Kaspersky Security Center Help system). You can add other update sources to the list.

    You can create a list of update sources by selecting the Other sources on the local or global network option. You can specify FTP, HTTP, or HTTPS servers as update sources. If an update cannot be performed from an update source, Kaspersky Embedded Systems Security switches to the next update source. The application accesses update sources in the order in which they appear in the table.

  6. Go to the Settings section and configure other update settings.
  7. Select the Schedule tab and configure the schedule for running the update task.

    If you have selected Kaspersky Security Center as the update source, select When downloading updates to the repository from the Scheduled start drop-down list. For more details about scheduling tasks, refer to the Kaspersky Security Center Help system.

  8. Click the Save button to save the changes made.

The task will start according to the configured schedule. You can also run the task manually.

Update sources for the Update task section

Setting

Description

Update source

In this section, you can select the update source:

  • Kaspersky update servers, where database updates for Kaspersky applications are published (default value).
  • Kaspersky Security Center – Kaspersky Security Center Administration Server (this option is available only for the Web Console).
  • Distribution Points (this option is available only for the Kaspersky Security Center Cloud Console).
  • Other sources on the local or global network – HTTP, HTTPS, or FTP servers or directories on local network servers.

Use Kaspersky update servers if other update sources are not available

The check box enables or disables the use of Kaspersky update servers as the update source if the selected update sources are not available.

This check box is available if under Update sources, the Other sources on the local or global network or Kaspersky Security Center option is selected.

The check box is selected by default.

Custom update sources

This table contains a list of custom sources of database updates. During the update process, the application accesses update sources in the order they appear in the table.

The table contains the following columns:

  • Update source – HTTP, HTTPS, or FTP servers or directories on local network servers.
  • The toggle button shows whether the source is used in the task (Enabled or Disabled). You can enable or disable the toggle button in the table, as well as select or clear the Use this source check box in the Update source window, which opens by clicking the link with the source name.

This table is available if the Other sources on the local or global network option is selected.

The table is empty by default.

You can add, edit, delete, move up, or move down update sources in the table.

Clicking the Move down button moves the selected item down in the table.

This button is available if only one item is selected in the table.

Clicking the Move up button moves the selected item up in the table.

This button is available if only one item is selected in the table.

Clicking the Delete button removes the selected item from the table.

This button is available if at least one item is selected in the table.

The selected element's settings are changed in a separate window.

Clicking the Add button opens a window where you can specify the new item settings.

Update task settings section

Setting

Description

Maximum time to wait for a response from the update source (sec)

The maximum period of time that the application waits for a response from the selected update source (in seconds). When no response has arrived by this time, an event involving a loss of communication with the update source is logged in the task log.

Available values: 0-120. If 0 is specified, the period of time that the application waits for a response from the selected source is unlimited.

Default value: 10 seconds.

Application update download mode

In the drop-down list, you can select the mode for updating application databases:

  • Do not download updates. If this list item is selected, the application cannot be updated.
  • Download only update files, but do not install them on client devices (default value).
  • Download and install updates to client devices. After updates are installed, the application will restart automatically.


Updating application databases and modules in the Administration Console

In the Administration Console, you can update databases and application modules using the Update task. You can use the automatically created Update group task, as well as create user tasks for updating.

To configure update settings in the Administration Console:

  1. In the Administration Console, perform one of the following actions:
    • To edit the settings of a task that is run on devices included in the specified administration group, select this administration group in the console tree, then select the Tasks tab in the workspace.
    • To edit the settings of a task that is run on one or multiple devices (a task for a set of devices), select the Tasks folder in the console tree.
  2. In the list of tasks, select the required Update task and double-click it to open the task properties window.
  3. In the task properties window, select the Update sources section in the list on the left.
  4. Select the update source from which the application will receive updates for databases and modules, depending on the update scenario used.

    The list of update sources contains Kaspersky update servers and the Kaspersky Security Center Administration Server. You can add other update sources to the list.

    You can create a list of update sources by selecting the Other sources on the local or global network option. You can specify FTP, HTTP, or HTTPS servers as update sources. If an update cannot be performed from an update source, Kaspersky Embedded Systems Security switches to the next update source. The application accesses update sources in the order in which they appear in the table.

  5. Select the Settings section and configure other update settings.
  6. Select the Schedule section and configure the schedule for running the update task.

    If you have selected Kaspersky Security Center as the update source, select When downloading updates to the repository from the Scheduled start drop-down list. For more details about scheduling tasks, refer to the Kaspersky Security Center Help system.

  7. Click Apply or OK in the Properties: <Task name> window to save the changes made.

The task will start according to the configured schedule. You can also run the task manually.

Update sources for the Update task section

Setting

Description

Update source

In this section, you can select the update source:

  • Kaspersky update servers, where database updates for Kaspersky applications are published (default value).
  • Kaspersky Security Center – Kaspersky Security Center Administration Server.
  • Other sources on the local or global network – HTTP, HTTPS, or FTP servers or directories on local network servers.

Use Kaspersky update servers if other update sources are not available

The check box enables or disables the use of Kaspersky update servers as the update source if the selected update sources are not available.

This check box is available if under Update sources, the Other sources on the local or global network or Kaspersky Security Center option is selected.

The check box is selected by default.

Custom update sources

This table contains a list of custom sources of database updates. During the update process, the application accesses update sources in the order they appear in the table.

The table contains the following columns:

  • Source address – HTTP, HTTPS, or FTP servers or directories on local network servers.
  • Status – indicates whether the source is used in the task (In use or Not in use). You can change the status by selecting or clearing the Use this source check box in the Update source window that opens when you click the Edit button.

This table is available if the Other sources on the local or global network option is selected.

You can add, edit, delete, move up, or move down update sources in the table.

Clicking the Move down button moves the selected item down in the table.

This button is available if only one item is selected in the table.

Clicking the Move up button moves the selected item up in the table.

This button is available if only one item is selected in the table.

Clicking the Delete button removes the selected item from the table.

This button is available if at least one item is selected in the table.

The selected element's settings are changed in a separate window.

Clicking the Add button opens a window where you can specify the new item settings.

The table is empty by default.

Update task settings section

Setting

Description

Maximum time to wait for a response from the update source (sec)

The maximum period of time that the application waits for a response from the selected update source (in seconds). When no response has arrived by this time, an event involving a loss of communication with the update source is logged in the task log.

Available values: 0–120. If 0 is specified, the period of time that the application waits for a response from the selected source is unlimited.

Default value: 10 seconds.

Application update download mode

In the drop-down list, you can select the mode for updating application databases:

  • Do not download updates. If this list item is selected, the application cannot be updated.
  • Download only update files, but do not install them on client devices (default value).
  • Download and install updates to client devices. After updates are installed, the application will restart automatically.


Updating application databases and modules in the command line

On the command line, you can update databases and application modules in the following ways:

  • Using the Update predefined task. You can manually start, stop, pause, or resume this task and configure the task run schedule. You can configure scan settings by editing the settings of this task.
  • Using user tasks for updating (tasks of the Update type). You can manually start user tasks and configure the task schedule.

    Update task settings

    SourceType
      Description: Source from which the application receives updates.
      Values:
        • KLServers (default value) – The application receives updates from one of the Kaspersky update servers. Updates are downloaded via the HTTPS protocol.
        • SCServer – The application downloads updates to the protected device from the Administration Server installed on the local network. You can select this update source if you use Kaspersky Security Center for centralized administration of device protection in your organization.
        • Custom – The application downloads updates from a custom source specified in the [CustomSources.item_#] section. You can specify directories on FTP, HTTP, and HTTPS servers or directories on any device mounted on the protected client device, including directories on remote devices mounted via the Samba or NFS protocols.

    UseKLServersWhenUnavailable
      Description: The application's access to Kaspersky update servers if all custom update sources are unavailable.
      Values:
        • Yes (default value) – The application will connect to Kaspersky update servers if all custom update sources are unavailable.
        • No – The application will not connect to Kaspersky update servers if all custom update sources are unavailable.

    ApplicationUpdateMode
      Description: Application update download and installation mode.
      Values:
        • Disabled – Do not download or install application updates.
        • DownloadOnly (default value) – Download application updates, but do not install them.
        • DownloadAndInstall – Automatically download and install application updates. After updates are installed, the application will restart automatically.

    ConnectionTimeout
      Description: Response timeout (in seconds) of an update source while attempting to connect to it. If an update source does not respond within the specified time interval, the application contacts the next update source in the list.
      Values: You can use only integers within the range from 0 to 120. Default value: 10.

    The [CustomSources.item_#] section contains the following settings:

    URL
      Description: Address of the custom update source on the local area network or the Internet.
      Values: The default value is not defined.
      Examples:
        • URL=http://example.com/bases/ – address of the HTTP server with the directory that contains updates.
        • URL=/home/bases/ – directory on the protected computer that contains application databases.

    Enabled
      Description: Use of the update source specified in the URL setting. To run the task, at least one update source needs to be enabled.
      Values:
        • Yes – The application uses the update source.
        • No – The application does not use the update source.
        The default value is not defined.
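
The settings above, as an added example that is not Kaspersky's code: a Python linter that checks an Update task settings file against the constraints this page states (allowed values, the 0 to 120 timeout range, at least one enabled custom source) and lists the order in which sources would be tried. The sample file, its item numbering, and the flat key=value file layout are assumptions.

```python
# Added example (not vendor code): lint an Update task settings file against the
# page's rules. SAMPLE is constructed; the flat key=value layout is an assumption.
from urllib.parse import urlparse

SOURCE_TYPES = {"KLServers", "SCServer", "Custom"}
UPDATE_MODES = {"Disabled", "DownloadOnly", "DownloadAndInstall"}
DEFAULTS = {"SourceType": "KLServers", "UseKLServersWhenUnavailable": "Yes",
            "ApplicationUpdateMode": "DownloadOnly", "ConnectionTimeout": "10"}

SAMPLE = """\
SourceType=Custom
UseKLServersWhenUnavailable=No
ApplicationUpdateMode=DownloadAndInstall
ConnectionTimeout=0
[CustomSources.item_0000]
URL=http://example.com/bases/
Enabled=Yes
[CustomSources.item_0001]
URL=/home/bases/
Enabled=No
"""

def parse_settings(text):
    """Return (task_settings, custom_sources); sources keep their file order."""
    settings, sources = dict(DEFAULTS), []
    target = settings  # keys before the first section are task-level settings
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("#", ";")):
            continue
        if line.startswith("[") and line.endswith("]"):
            if not line[1:-1].startswith("CustomSources.item_"):
                raise ValueError(f"unexpected section: {line}")
            target = {}
            sources.append(target)
            continue
        key, sep, value = line.partition("=")
        if not sep:
            raise ValueError(f"not a key=value line: {raw!r}")
        target[key.strip()] = value.strip()
    return settings, sources

def usable(sources):
    """Custom sources that are enabled and actually carry a URL."""
    return [s for s in sources if s.get("Enabled") == "Yes" and s.get("URL")]

def effective_sources(settings, sources):
    """Sources in the order the application tries them, as the page describes."""
    kind = settings["SourceType"]
    if kind == "KLServers":
        return ["KLServers"]
    order = [s["URL"] for s in usable(sources)] if kind == "Custom" else [kind]
    if settings["UseKLServersWhenUnavailable"] == "Yes":
        order.append("KLServers")  # fallback when the selected sources fail
    return order

def audit(text):
    """Return (severity, message) findings for one settings file."""
    settings, sources = parse_settings(text)
    findings = []
    if settings["SourceType"] not in SOURCE_TYPES:
        findings.append(("error", f"unknown SourceType {settings['SourceType']!r}"))
    mode = settings["ApplicationUpdateMode"]
    if mode not in UPDATE_MODES:
        findings.append(("error", f"unknown ApplicationUpdateMode {mode!r}"))
    elif mode == "Disabled":
        findings.append(("warn", "module updates (vulnerability fixes) are not downloaded"))
    timeout = settings["ConnectionTimeout"]
    if not (timeout.isascii() and timeout.isdigit() and int(timeout) <= 120):
        findings.append(("error", "ConnectionTimeout must be an integer from 0 to 120"))
    elif int(timeout) == 0:
        findings.append(("warn", "ConnectionTimeout=0 waits without limit for a source"))
    if settings["SourceType"] == "Custom":
        if not usable(sources):
            findings.append(("error", "Custom needs at least one source with Enabled=Yes"))
        for src in usable(sources):
            scheme = urlparse(src["URL"]).scheme.lower()
            if scheme in ("http", "ftp"):
                findings.append(("warn", f"{src['URL']} uses cleartext {scheme.upper()}"))
        if settings["UseKLServersWhenUnavailable"] != "Yes":
            findings.append(("warn", "no fallback to Kaspersky update servers"))
    return findings

if __name__ == "__main__":
    print(*(f"{sev}: {msg}" for sev, msg in audit(SAMPLE)), sep="\n")
```
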


Updating using Kaspersky Update Utility

To reduce Internet traffic, you can configure updates of application databases and modules on devices of the organization's LAN from a shared directory by using the Kaspersky Update Utility. For this purpose, one of the devices in the organization's LAN must receive update packages from the Kaspersky Security Center Administration Server or from Kaspersky update servers and use the utility to copy the received update packages to the shared directory. Other devices on the organization's LAN will be able to receive the update package from this shared directory.

To configure Kaspersky Security Center to update databases from a shared directory using the Kaspersky Update Utility:

  1. Install Kaspersky Update Utility on one of the devices of the organization's LAN.

    You can download the Kaspersky Update Utility distribution kit from the Kaspersky Technical Support website.

  2. Configure copying of the update package to the shared directory in the Kaspersky Update Utility settings.

    Select the update source (for example, the Administration Server repository) and the shared directory to which the Kaspersky Update Utility will copy update packages. For detailed information about using Kaspersky Update Utility, refer to the Kaspersky Knowledge Base.

  3. Configure updates of application databases and modules from the specified shared directory on other devices in the organization's local network:
    1. Open the properties of the Update task that will be performed on the required device using the Web Console or using the Administration Console.
    2. In the task properties, go to the Update sources section.
    3. In the Update sources section, select the Other sources on the local or global network option.
    4. In the table of update sources, click the Add button and specify the path to the shared directory.

      The address of the update source must match the address specified in the Kaspersky Update Utility settings.

    5. Select the Use this source check box and click OK.
    6. In the table, set the order of the update sources using the Up and Down buttons.
    7. Save the changes to the task settings.

To configure Kaspersky Security Center to update databases from a shared directory using the command line:

  1. Install Kaspersky Update Utility on one of the devices of the organization's LAN.

    You can download the Kaspersky Update Utility distribution kit from the Kaspersky Technical Support website.

  2. Configure copying of the update package to the shared directory in the Kaspersky Update Utility settings.

    Select the update source (for example, the Administration Server repository) and the shared directory to which the Kaspersky Update Utility will copy update packages. For detailed information about using Kaspersky Update Utility, refer to the Kaspersky Knowledge Base.

  3. Configure updates of application databases and modules from the specified shared directory on other devices in the organization's local network: in the Update task settings, set SourceType=Custom and specify the path to the shared directory in the [CustomSources.item_#] section.

    The address of the update source must match the address specified in the Kaspersky Update Utility settings.


Rolling back application database and module updates

After the application databases are updated for the first time, the rollback of the application databases to their previous versions becomes available.

Every time a user starts the update process, Kaspersky Embedded Systems Security creates a backup copy of the current application databases. This allows you to roll back the application databases to a previous version if needed.

Rolling back the last database update may be useful, for example, if the new application database version contains invalid signatures, which causes Kaspersky Embedded Systems Security to block safe applications.

In the command line, to roll back updates, you can run the Rollback predefined task or create and run user tasks for rolling back updates (tasks of the Rollback type).

In Kaspersky Security Center, you can create rollback tasks for administration groups or for individual devices using the Web Console or the Administration Console.

The rollback task does not have any settings.
