Contents
- Managing client devices
- Settings of a managed device
- Device selections
- Viewing and configuring the actions when devices show inactivity
- About device statuses
- Configuring the switching of device statuses
- Changing the Administration Server for client devices
- Avoiding conflicts between multiple Administration Servers
- Creating Administration Server connection profiles
- About clusters and server arrays
- Properties of a cluster or server array
- Device tags
- Creating a device tag
- Renaming a device tag
- Deleting a device tag
- Viewing devices to which a tag is assigned
- Viewing tags assigned to a device
- Tagging devices manually
- Removing assigned tags from devices
- Viewing rules for tagging devices automatically
- Editing a rule for tagging devices automatically
- Creating a rule for tagging devices automatically
- Running rules for auto-tagging devices
- Deleting a rule for tagging devices automatically
- Quarantine and Backup
- Remote diagnostics of client devices
- Opening the remote diagnostics window
- Enabling and disabling tracing for applications
- Downloading trace files of an application
- Deleting trace files
- Downloading application settings
- Downloading system information from a client device
- Downloading event logs
- Starting, stopping, restarting the application
- Running the remote diagnostics of an application and downloading the results
- Running an application on a client device
- Generating a dump file for an application
- Remotely connecting to the desktop of a client device
- Connecting to devices through Windows Desktop Sharing
- Triggering of rules in Smart Training mode
Managing client devices
Kaspersky Security Center Cloud Console allows you to manage client devices:
- View settings and statuses of managed devices, including clusters and server arrays.
- Configure distribution points.
- Manage tasks.
You can use administration groups to combine client devices in a set that can be managed as a single unit. A client device can be included in only one administration group. Devices can be allocated to a group automatically based on Rule conditions:
- Creating device moving rules.
- Copying device moving rules.
- Conditions for a device moving rule.
You can use device selections to filter devices based on a condition. You can also tag devices for creating selections, for finding devices, and for distributing devices among administration groups.
Settings of a managed device
To view the settings of a managed device:
- In the main menu, go to Assets (Devices) → Managed devices.
The list of managed devices is displayed.
- In the list of managed devices, click the link with the name of the required device.
The properties window of the selected device is displayed.
The following tabs are displayed in the upper part of the properties window representing the main groups of the settings:
Page topDevice selections
Device selections are a tool for filtering devices according to specific conditions. You can use device selections to manage several devices: for example, to view a report about only these devices or to move all of these devices to another group.
Kaspersky Security Center Cloud Console provides a broad range of predefined selections (for example, Devices with Critical status, Protection is disabled, Active threats are detected). Predefined selections cannot be deleted. You can also create and configure additional user-defined selections.
In user-defined selections, you can set the search scope and select all devices, managed devices, or unassigned devices. Search parameters are specified in the conditions. In the device selection you can create several conditions with different search parameters. For example, you can create two conditions and specify different IP ranges in each of them. If several conditions are specified, a selection displays the devices that meet any of the conditions. By contrast, search parameters within a condition are superimposed. If both an IP range and the name of an installed application are specified in a condition, only those devices will be displayed where both the application is installed and the IP address belongs to the specified range.
Viewing the device list from a device selection
Kaspersky Security Center Cloud Console allows you to view the list of devices from a device selection.
To view the device list from the device selection:
- In the main menu, go to the Assets (Devices) → Device selections or Discovery & deployment → Device selections section.
- In the selection list, click the name of the device selection.
The page displays a table with information about the devices included in the device selection.
- You can group and filter the data of the device table as follows:
- Click the settings icon (
), and then select the columns to be displayed in the table. - Click the filter icon (
), and then specify and apply the filter criterion in the invoked menu. The filtered table of devices is displayed.
- Click the settings icon (
You can select one or several devices in the device selection and click the New task button to create a task that will be applied to these devices.
To move the selected devices of the device selection to another administration group, click the Move to group button, and then select the target administration group.
Page topCreating a device selection
To create a device selection:
- In the main menu, go to Assets (Devices) → Device selections.
A page with a list of device selections is displayed.
- Click the Add button.
The Device selection settings window opens.
- Enter the name of the new selection.
- Specify the group that contains the devices to be included in the device selection:
- Find any devices—Searching for devices that meet the selection criteria and included in the Managed Devices or Unassigned devices group.
- Find managed devices—Searching for devices that meet the selection criteria and included in the Managed Devices group.
- Find unassigned devices—Searching for devices that meet the selection criteria and included in the Unassigned devices group.
You can enable the Include data from secondary Administration Servers check box to enable searching for devices that meet the selection criteria and managed by secondary Administration Servers.
- Click the Add button.
- In the window that opens, specify conditions that must be met for including devices in this selection, and then click the OK button.
- Click the Save button.
The device selection is created and added to the list of device selections.
Page topConfiguring a device selection
To configure a device selection:
- In the main menu, go to Assets (Devices) → Device selections.
A page with a list of device selections is displayed.
- Select the relevant user-defined device selection, and click the Properties button.
The Device selection settings window opens.
- On the General tab, click the New condition link.
- Specify conditions that must be met for including devices in this selection.
- Click the Save button.
The settings are applied and saved.
Below are descriptions of the conditions for assigning devices to a selection. Conditions are combined by using the OR logical operator: the selection will contain devices that comply with at least one of the listed conditions.
General
In the General section, you can change the name of the selection condition and specify whether that condition must be inverted:
Network infrastructure
In the Network subsection, you can specify the criteria that will be used to include devices in the selection according to their network data:
- Device name
- Domain
- Administration group
- Description
- IP range
- Managed by a different Administration Server
In the Active Directory subsection, you can configure criteria for including devices into a selection based on their Active Directory data:
- Device is in an Active Directory organizational unit
- Include child organizational units
- This device is a member of an Active Directory group
In the Network activity subsection, you can specify the criteria that will be used to include devices in the selection according to their network activity:
- Acts as a distribution point
- Do not disconnect from the Administration Server
- Connection profile switched
- Last connected to Administration Server
- New devices detected by network poll
- Device is visible
In the Cloud segments subsection, you can configure criteria for including devices in a selection according to their respective cloud segments:
Device statuses
In the Managed device status subsection, you can configure criteria for including devices into a selection based on the description of the devices status from a managed application:
In the Status of components in managed applications subsection, you can configure criteria for including devices in a selection according to the statuses of components in managed applications:
- Data Leakage Prevention status
- Collaboration servers protection status
- Anti-virus protection status of mail servers
- Endpoint Sensor status
In the Status-affecting problems in managed applications subsection, you can specify the criteria that will be used to include devices in the selection according to the list of possible problems detected by a managed application. If at least one problem that you select exists on a device, the device will be included in the selection. When you select a problem listed for several applications, you have the option to select this problem in all of the lists automatically.
You can select check boxes for descriptions of statuses from the managed application; upon receipt of these statuses, the devices will be included in the selection. When you select a status listed for several applications, you have the option to select this status in all of the lists automatically.
System details
In the Operating system section, you can specify the criteria that will be used to include devices in the selection according to their operating system type.
- Platform type
- Operating system service pack version
- Operating system bit size
- Operating system build
- Operating system release number
In the Virtual machines section, you can set up the criteria to include devices in the selection according to whether these are virtual machines or part of virtual desktop infrastructure (VDI):
In the Hardware registry subsection, you can configure criteria for including devices into a selection based on their installed hardware:
Ensure that the lshw utility is installed on Linux devices from which you want to fetch hardware details. Hardware details fetched from virtual machines may be incomplete depending on the hypervisor used.
- Device
- Vendor
- Device name
- Description
- Device vendor
- Serial number
- Inventory number
- User
- Location
- CPU clock rate, in MHz, from
- CPU clock rate, in MHz, to
- Number of virtual CPU cores, from
- Number of virtual CPU cores, to
- Hard drive volume, in GB, from
- Hard drive volume, in GB, to
- RAM size, in MB, from
- RAM size, in MB, to
Third-party software details
In the Applications registry subsection, you can set up the criteria to search for devices according to applications installed on them:
- Application name
- Application version
- Vendor
- Application status
- Find by update
- Name of incompatible security application
- Application tag
- Apply to devices without the specified tags
In the Vulnerabilities and updates subsection, you can specify the criteria that will be used to include devices in the selection according to their Windows Update source:
WUA is switched to Administration Server
Details of Kaspersky applications
In the Kaspersky applications subsection, you can configure criteria for including devices in a selection based on the selected managed application:
- Application name
- Application version
- Critical update name
- Select the period of the last update of modules
- Device is managed through Administration Server
- Security application is installed
In the Anti-virus protection subsection, you can set up the criteria for including devices in a selection based on their protection status:
The Application components subsection contains the list of components of those applications that have corresponding management plug-ins installed in Kaspersky Security Center Cloud Console.
In the Application components subsection, you can specify criteria for including devices in a selection according to the statuses and version numbers of the components that refer to the application that you select:
Tags
In the Tags section, you can configure criteria for including devices into a selection based on key words (tags) that were previously added to the descriptions of managed devices:
Apply if at least one specified tag matches
To add tags to the criterion, click the Add button, and select tags by clicking the Tag entry field. Specify whether to include or exclude the devices with the selected tags in the device selection.
Users
In the Users section, you can set up the criteria to include devices in the selection according to the accounts of users who have logged in to the operating system.
Page topExporting the device list from a device selection
Kaspersky Security Center Cloud Console allows you to save information about devices from a device selection and export it as a CSV or a TXT file.
To export the device list from the device selection:
- Open the table with the devices from the device selection.
- Use one of the following ways to select the devices that you want to export:
- To select particular devices, select the check boxes next to them.
- To select all devices from the current table page, select the check box in the device table header, and then select the Select all on current page check box.
- To select all devices from the table, select the check box in the device table header, and then select the Select all check box.
Click the Export to CSV or Export to TXT button. All information about the selected devices included in the table will be exported.
Note that if you applied a filter criterion to the device table, only the filtered data from the displayed columns will be exported.
Page topRemoving devices from administration groups in a selection
When working with a device selection, you can remove devices from administration groups right in this selection, without switching to the administration groups from which these devices must be removed.
To remove devices from administration groups:
- In the main menu, go to Assets (Devices) → Device selections or Discovery & deployment → Device selections.
- In the selection list, click the name of the device selection.
The page displays a table with information about the devices included in the device selection.
- Select the devices that you want to remove, and then click Delete.
The selected devices are removed from their respective administration groups.
Viewing and configuring the actions when devices show inactivity
If client devices within a group are inactive, you can get notifications about it. You can also automatically delete such devices.
To view or configure the actions when the devices in the group show inactivity:
- In the main menu, go to Assets (Devices) → Hierarchy of groups.
- Click the name of the required administration group.
The administration group properties window opens.
- In the properties window, go to the Settings tab.
- In the Inheritance section, enable or disable the following options:
- In the Device activity section, enable or disable the following options:
- Click Save.
Your changes are saved and applied.
Page topAbout device statuses
Kaspersky Security Center Cloud Console assigns a status to each managed device. The particular status depends on whether the conditions defined by the user are met. In some cases, when assigning a status to a device, Kaspersky Security Center Cloud Console takes into consideration the device's visibility flag on the network (see the table below). If Kaspersky Security Center Cloud Console does not find a device on the network within two hours, the visibility flag of the device is set to Not Visible.
The statuses are the following:
- Critical or Critical/Visible
- Warning or Warning/Visible
- OK or OK/Visible
The table below lists the default conditions that must be met to assign the Critical or Warning status to a device, with all possible values.
Conditions for assigning a status to a device
Condition |
Condition description |
Available values |
|---|---|---|
Security application is not installed |
Network Agent is installed on the device, but a security application is not installed. |
|
Too many viruses detected |
Some viruses have been found on the device by a task for virus detection, for example, the Virus scan task, and the number of viruses found exceeds the specified value. |
More than 0. |
Real-time protection level differs from the level set by the Administrator |
The device is visible on the network, but the real-time protection level differs from the level set (in the condition) by the administrator for the device status. |
|
Malware scan has not been performed in a long time |
The device is visible on the network and a security application is installed on the device, but neither the Malware scan task nor a local scan task has been run within the specified time interval. The condition is applicable only to devices that were added to the Administration Server database 7 days ago or earlier. |
More than 1 day. |
Databases are outdated |
The device is visible on the network and a security application is installed on the device, but the anti-virus databases have not been updated on this device within the specified time interval. The condition is applicable only to devices that were added to the Administration Server database 1 day ago or earlier. |
More than 1 day. |
Not connected in a long time |
Network Agent is installed on the device, but the device has not connected to an Administration Server within the specified time interval, because the device was turned off. |
More than 1 day. |
Active threats are detected |
The number of unprocessed objects in the Active threats folder exceeds the specified value. |
More than 0 items. |
Restart is required |
The device is visible on the network, but an application requires the device restart longer than the specified time interval and for one of the selected reasons. |
More than 0 minutes. |
Incompatible applications are installed |
The device is visible on the network, but software inventory performed through Network Agent has detected incompatible applications installed on the device. |
|
Software vulnerabilities have been detected |
The device is visible on the network and Network Agent is installed on the device, but the Find vulnerabilities and required updates task has detected vulnerabilities with the specified severity level in applications installed on the device. |
|
License expired |
The device is visible on the network, but the license has expired. |
|
License expires soon |
The device is visible on the network, but the license will expire on the device in less than the specified number of days. |
More than 0 days. |
Check for Windows Update updates has not been performed in a long time |
The device is visible on the network, but the Perform Windows Update synchronization task has not been run within the specified time interval. |
More than 1 day. |
Invalid encryption status |
Network Agent is installed on the device, but the device encryption result is equal to the specified value. |
|
Mobile device settings do not comply with the policy |
The mobile device settings are other than the settings that were specified in the Kaspersky Endpoint Security for Android policy during the check of compliance rules. |
|
Unprocessed security issues detected |
Some unprocessed security issues have been found on the device. Security issues can be created either automatically, through managed Kaspersky applications installed on the client device, or manually by the administrator. |
|
Device status defined by application |
The status of the device is defined by the managed application. |
|
Device is out of disk space |
Free disk space on the device is less than the specified value or the device could not be synchronized with the Administration Server. The Critical or Warning status is changed to the OK status when the device is successfully synchronized with the Administration Server and free space on the device is greater than or equal to the specified value. |
More than 0 MB |
Device has become unmanaged |
During device discovery, the device was recognized as visible on the network, but more than three attempts to synchronize with the Administration Server failed. |
|
Protection is disabled |
The device is visible on the network, but the security application on the device has been disabled for longer than the specified time interval. In this case, the state of the security application is stopped or failure, and differs from the following: starting, running, or suspended. |
More than 0 minutes. |
Security application is not running |
The device is visible on the network and a security application is installed on the device but is not running. |
|
Kaspersky Security Center Cloud Console enables you to set up automatic switching of the status of a device in an administration group when specified conditions are met. When specified conditions are met, the client device is assigned one of the following statuses: Critical or Warning. When specified conditions are not met, the client device is assigned the OK status.
Different statuses may correspond to different values of one condition. For example, by default, if the Databases are outdated condition has the More than 3 days value, the client device is assigned the Warning status; if the value is More than 7 days, the Critical status is assigned.
When Kaspersky Security Center Cloud Console assigns a status to a device, for some conditions (see the Condition description column) the visibility flag is taken into consideration. For example, if a managed device was assigned the Critical status because the Databases are outdated condition was met, and later the visibility flag was set for the device, then the device is assigned the OK status.
Configuring the switching of device statuses
You can change conditions to assign the Critical or Warning status to a device.
To enable changing the device status to Critical:
- In the main menu, go to Assets (Devices) → Hierarchy of groups.
- In the list of groups that opens, click the link with the name of a group for which you want to change switching the device statuses.
- In the properties window that opens, select the Device status tab.
- In the left pane, select Critical.
- In the right pane, in the Set to Critical if these are specified section, enable the condition to switch a device to the Critical status.
You can change only settings that are not locked in the parent policy.
- Select the radio button next to the condition in the list.
- In the upper-left corner of the list, click the Edit button.
- Set the required value for the selected condition.
Values cannot be set for every condition.
- Click OK.
When specified conditions are met, the managed device is assigned the Critical status.
To enable changing the device status to Warning:
- In the main menu, go to Assets (Devices) → Hierarchy of groups.
- In the list of groups that opens, click the link with the name of a group for which you want to change switching the device statuses.
- In the properties window that opens, select the Device status tab.
- In the left pane, select Warning.
- In the right pane, in the Set to Warning if these are specified section, enable the condition to switch a device to the Warning status.
You can change only settings that are not locked in the parent policy.
- Select the radio button next to the condition in the list.
- In the upper-left corner of the list, click the Edit button.
- Set the required value for the selected condition.
Values cannot be set for every condition.
- Click OK.
When specified conditions are met, the managed device is assigned the Warning status.
Changing the Administration Server for client devices
You can change the Administration Server that manages client devices to a different Server using the Change Administration Server task. After the task completion, the selected client devices will be put under the management of the Administration Server that you specify. You can switch the device management between the following Administration Servers:
- Primary Administration Server and one of its virtual Administration Servers
- Two virtual Administration Servers of the same primary Administration Server
To change the Administration Server that manages client devices to a different Server:
- In the main menu, go to Assets (Devices) → Tasks.
- Click Add.
The New task wizard starts. Proceed through the wizard by using the Next button.
- At the New task settings step, specify the following settings:
- In the Application drop-down list, select Kaspersky Security Center Cloud Console.
- In the Task type field, select Change Administration Server.
- In the Task name field, specify the name for the task that you are creating.
A task name cannot be more than 100 characters long and cannot include any special characters ("*<>?\:|).
- Select devices to which the task will be assigned:
- At the Task scope step, specify an administration group, devices with specific addresses, or a device selection.
- At the next step, confirm that you agree to the terms of changing the Administration Server for client devices.
- At the next step, select the virtual Administration Server that you want to use to manage the selected devices.
- At the Selecting an account to run the task step, specify the account settings:
- If on the Finish task creation page you enable the Open task details when creation is complete option, you can modify the default task settings.
If you do not enable this option, the task is created with the default settings. You can modify the default settings later, at any time.
- Click the Finish button.
The task is created and displayed in the list of tasks.
- Click the name of the created task to open the task properties window.
- In the task properties window, specify the general task settings according to your needs.
- Click the Save button.
The task is created and configured.
- Run the created task.
After the task is complete, the client devices for which it was created are put under the management of the Administration Server specified in the task settings.
Avoiding conflicts between multiple Administration Servers
If you have more than one Administration Server on your network, they can see the same client devices. This may result, for example, in remote installation of the same application to one and the same device from more than one Server and other conflicts. To avoid such a situation, Kaspersky Security Center Cloud Console allows you to prevent an application from being installed on a device managed by another Administration Server.
You can also use the Managed by a different Administration Server property as a criterion for the following purposes:
Kaspersky Security Center Cloud Console uses heuristics to determine whether a client device is managed by the Administration Server you are working with or by a different Administration Server.
Page topCreating Administration Server connection profiles
To allow out-of-office users to change the method of connecting Network Agent to Administration Server, you have to configure Administration Server connection profiles.
Connection profiles are supported only for devices running Windows and macOS.
To create a connection profile:
- In the main menu, go to Assets (Devices), and do one of the following:
- If you want to create a connection profile for a group of managed devices, click Policies & profiles, and then click Kaspersky Security Center Network Agent.
- If you want to create a connection profile for a specific managed device, click Managed devices, and then click the name of the device. In the window that opens, go to the Applications tab, and then click Kaspersky Security Center Network Agent.
The properties window of the Network Agent policy opens.
- Go to the Application settings tab, and then go to the Connectivity section.
- In the Connection profiles section, click the Settings button.
The Administration Server connection profiles subsection displays the table of connection profiles.
You cannot view, modify, or delete the Home Administration Server and Offline mode connection profiles.
- Click the Add button, and then in the window that opens, specify the profile name.
The name must be unique. You cannot use the same name for several profiles.
- If necessary, select the check boxes in the following fields:
- Enable out-of-office mode when Administration Server is not available.
- Use proxy server.
If you select this option, do the following:
- Specify information in the Address and the Port number fields.
- If necessary, select the Proxy server authentication check box, and then specify the user name and the password in the corresponding fields.
- Click the Save button.
The new profile is displayed in the table of connection profiles. You can use it when configuring the Network location settings.
You can edit and delete connection profiles.
To edit a connection profile:
- In the table of connection profiles click the name of the connection profile that you want to edit.
- Make all necessary changes, and then click the Save button.
The changes are applied to the connection profile.
To delete a connection profile:
- In the table of connection profiles select the check boxes next to the connection profiles that you want to delete.
- Click the Delete button.
The selected connection profiles are deleted.
Page topAbout clusters and server arrays
Kaspersky Security Center Cloud Console supports cluster technology. If Network Agent sends information to Administration Server confirming that an application installed on a client device is part of a server array, this client device becomes a cluster node.
If an administration group contains clusters or server arrays, the Managed devices page displays two tabs—one for individual devices, and one for clusters and server arrays. After the managed devices are detected as cluster nodes, the cluster is added as an individual object to the Clusters and server arrays tab.
The cluster or server array nodes are listed on the Devices tab, along with other managed devices. You can view properties of the nodes as individual devices and perform other operations, but you cannot delete a cluster node or move it to another administration group separately from its cluster. You can only delete or move an entire cluster.
You can perform the following operations with clusters or server arrays:
- View properties
- Move the cluster or server array to another administration group
When you move a cluster or server array to another group, all of its nodes move with it, because a cluster and any of its nodes always belong to the same administration group.
- Delete
It is reasonable to delete a cluster or server array only when the cluster or server array does not exist in the organization network any longer. If a cluster is still visible on your network and Network Agent and the Kaspersky security application are still installed on the cluster nodes, Kaspersky Security Center Cloud Console returns the deleted cluster and its nodes back to the list of managed devices automatically.
Properties of a cluster or server array
To view the settings of a cluster or server array:
- In the main menu, go to Assets (Devices) → Managed devices → Clusters and server arrays.
The list of clusters and server arrays is displayed.
- Click the name of the required cluster or server array.
The properties window of the selected cluster or server array is displayed.
General
The General section displays general information about the cluster or server array. Information is provided on the basis of data received during the last synchronization of the cluster nodes with the Administration Server:
- Name
- Description
- Windows domain
- NetBIOS name
- DNS name
Tasks
In the Tasks tab, you can manage the tasks assigned to the cluster or server array: view the list of existing tasks; create new ones; remove, start, and stop tasks; modify task settings; and view execution results. The listed tasks relate to the Kaspersky security application installed on the cluster nodes. Kaspersky Security Center Cloud Console receives the task list and the task status details from the cluster nodes. If a connection is not established, the status is not displayed.
Nodes
This tab displays a list of nodes included into the cluster or server array. You can click a node name to view the device properties window.
Kaspersky application
The properties window may also contain additional tabs with the information and settings related to the Kaspersky security application installed on the cluster nodes.
Device tags
Kaspersky Security Center Cloud Console enables you to tag devices. A tag is the label of a device that can be used for grouping, describing, or finding devices. Tags assigned to devices can be used for creating selections, for finding devices, and for distributing devices among administration groups.
You can tag devices manually or automatically. You may use manual tagging when you want to tag an individual device. Auto-tagging is performed by Kaspersky Security Center Cloud Console in accordance with the specified tagging rules.
Devices are tagged automatically when specified rules are met. An individual rule corresponds to each tag. Rules are applied to the network properties of the device, operating system, applications installed on the device, and other device properties. For example, if your network includes devices running Windows, Linux, and macOS, you can set up a rule that will assign the [Linux] tag to all Linux-based devices. Then, you can use this tag when creating a device selection; this will help you sort all Linux-based devices and assign them a task. A tag is automatically removed from a device in the following cases:
- When the device stops meeting conditions of the rule that assigns the tag.
- When the rule that assigns the tag is disabled or deleted.
The list of tags and the list of rules on each Administration Server are independent of all other Administration Servers, including a primary Administration Server or subordinate virtual Administration Servers. A rule is applied only to devices from the same Administration Server on which the rule is created.
Creating a device tag
To create a device tag:
- In the main menu, go to Assets (Devices) → Tags → Device tags.
- Click Add.
A new tag window opens.
- In the Tag field, enter the tag name.
- Click Save to save the changes.
The new tag appears in the list of device tags.
Page topRenaming a device tag
To rename a device tag:
- In the main menu, go to Assets (Devices) → Tags → Device tags.
- Click the name of the tag that you want to rename.
A tag properties window opens.
- In the Tag field, change the tag name.
- Click Save to save the changes.
The updated tag appears in the list of device tags.
Page topDeleting a device tag
To delete a device tag:
- In the main menu, go to Assets (Devices) → Tags → Device tags.
- In the list, select the device tag that you want to delete.
- Click the Delete button.
- In the window that opens, click Yes.
The device tag is deleted. The deleted tag is automatically removed from all of the devices to which it was assigned.
The tag that you have deleted is not removed automatically from auto-tagging rules. After the tag is deleted, it will be assigned to a new device only when the device first meets the conditions of a rule that assigns the tag.
The deleted tag is not removed automatically from the device if this tag is assigned to the device by an application or Network Agent. To remove the tag from your device, use the klscflag utility.
Page topViewing devices to which a tag is assigned
To view devices to which a tag is assigned:
- In the main menu, go to Assets (Devices) → Tags → Device tags.
- Click the View devices link next to the tag for which you want to view assigned devices.
You will be redirected to the Managed devices section of the main menu, with the devices filtered by the tag for which you clicked the View devices link.
- If you want to return to the list of device tags, click the Back button of your browser.
After you view the devices to which the tag is assigned, you can either create and assign a new tag or assign the existing tag to other devices. In this case, you have to remove the filter by tag, select the devices, and then assign the tag.
Page topViewing tags assigned to a device
To view tags assigned to a device:
- In the main menu, go to Assets (Devices) → Managed devices.
- Click the name of the device whose tags you want to view.
- In the device properties window that opens, select the Tags tab.
The list of tags assigned to the selected device is displayed. In the Tag assigned column you can view how the tag was assigned.
You can assign another tag to the device or remove an already assigned tag. You can also view all device tags that exist on the Administration Server.
You can also view tags assigned to a device in the command line, by using the klscflag utility.
To view tags assigned to a device in the command line, run the following command:
klscflag -ssvget -pv 1103/1.0.0.0 -s KLNAG_SECTION_TAGS_INFO -n KLCONN_HOST_TAGS -svt ARRAY_T -ss "|ss_type = \"SS_PRODINFO\";"
Tagging devices manually
To assign a tag to a device:
- View tags assigned to the device to which you want to assign another tag.
- Click Add.
- In the window that opens, do one of the following:
- To create and assign a new tag, select Create new tag, and then specify the name of the new tag.
- To select an existing tag, select Assign existing tag, and then select the necessary tag in the drop-down list.
- Click OK to apply the changes.
- Click Save to save the changes.
The selected tag is assigned to the device.
To assign a tag to several devices:
- In the main menu, go to Assets (Devices) → Managed devices.
- Select the devices to which you want to assign a tag.
- Click Tags, and then select Assign from the drop-down list.
- In the window that opens, select a tag from the drop-down list.
If necessary, you can select several tags.
You can also do the following:
- Edit the name of a tag by clicking the Edit (
) icon.Specify the new name of the tag, and then click the Save button.
Note that the tag will also be renamed in the list of device tags.
- Delete a tag by clicking the Delete (
) icon.In the window that opens, click Delete.
Note that the tag will also be deleted from the Administration Server.
- Edit the name of a tag by clicking the Edit (
- Click the Save button.
The tags are assigned to the selected devices. You can remove the assigned tags.
Page topRemoving assigned tags from devices
The unassigned device tag is not deleted. If you want, you can delete it manually.
You cannot manually remove tags assigned to the device by applications or Network Agent. To remove these tags, use the klscflag utility.
To remove a tag from a device:
- In the main menu, go to Assets (Devices) → Managed devices.
- Click the name of the device whose tags you want to view.
- In the device properties window that opens, select the Tags tab.
- Select the check box next to the tag that you want to remove.
- At the top of the list, click the Unassign tag? button.
- In the window that opens, click Yes.
The tag is removed from the device.
To remove tags from several devices:
- In the main menu, go to Assets (Devices) → Managed devices.
- Select the devices whose tags you want to remove.
- Click Tags, and then select Unassign from the drop-down list.
- In the window that opens, select the check boxes next to the tags that you want to remove.
The window displays all tags assigned to all the devices that you selected at step 2.
- Click the Save button.
The tags are removed from the devices.
Page topViewing rules for tagging devices automatically
To view rules for tagging devices automatically,
Do any of the following:
- In the main menu, go to Assets (Devices) → Tags → Auto-tagging rules.
- In the main menu, go to Assets (Devices) → Tags → Device tags, and then click the Set up auto-tagging rules link.
- View tags assigned to a device and then click the Settings button.
The list of rules for auto-tagging devices appears.
Page topEditing a rule for tagging devices automatically
To edit a rule for tagging devices automatically:
- View rules for tagging devices automatically.
- Click the name of the rule that you want to edit.
A rule settings window opens.
- Edit the general properties of the rule:
- In the Rule name field, change the rule name.
The name cannot be more than 256 characters long.
- Do any of the following:
- Enable the rule by switching the toggle button to Rule enabled.
- Disable the rule by switching the toggle button to Rule disabled.
- In the Rule name field, change the rule name.
- Do any of the following:
- If you want to add a new condition, click the Add button, and specify the settings of the new condition in the window that opens.
- If you want to edit an existing condition, click the name of the condition that you want to edit, and then edit the condition settings.
- If you want to delete a condition, select the check box next to the name of the condition that you want to delete, and then click Delete.
- Click OK in the conditions settings window.
- Click Save to save the changes.
The edited rule is shown in the list.
Page topCreating a rule for tagging devices automatically
To create a rule for tagging devices automatically:
- View rules for tagging devices automatically.
- Click Add.
A new rule settings window opens.
- Configure the general properties of the rule:
- In the Rule name field, enter the rule name.
The name cannot be more than 256 characters long.
- Do one of the following:
- Enable the rule by switching the toggle button to Rule enabled.
- Disable the rule by switching the toggle button to Rule disabled.
- In the Tag field, enter the new device tag name or select one of the existing device tags from the list.
The name cannot be more than 256 characters long.
- In the Rule name field, enter the rule name.
- In the conditions section, click the Add button to add a new condition.
A new condition settings window open.
- Enter the condition name.
The name cannot be more than 256 characters long. The name must be unique within a rule.
- Set up the triggering of the rule according to the following conditions. You can select multiple conditions.
- Network—Network properties of the device, such as the device name on the Windows network, or device inclusion in a domain or an IP subnet.
If case sensitive collation is set for the database that you use for Kaspersky Security Center Cloud Console, keep case when you specify a device DNS name. Otherwise, the auto-tagging rule will not work.
- Applications—Presence of Network Agent on the device, operating system type, version, and architecture.
- Virtual machines—Device belongs to a specific type of virtual machine.
- Active Directory—Presence of the device in an Active Directory organizational unit and membership of the device in an Active Directory group.
- Applications registry—Presence of applications of different vendors on the device.
- Network—Network properties of the device, such as the device name on the Windows network, or device inclusion in a domain or an IP subnet.
- Click OK to save the changes.
If necessary, you can set multiple conditions for a single rule. In this case, the tag will be assigned to a device if it meets at least one condition.
- Click Save to save the changes.
The newly created rule is enforced on devices managed by the selected Administration Server. If the settings of a device meet the rule conditions, the device is assigned the tag.
Later, the rule is applied in the following cases:
- Automatically and periodically, depending on the server workload
- After you edit the rule
- When you run the rule manually
- After the Administration Server detects a change in the settings of a device that meets the rule conditions or the settings of a group that contains such device
You can create multiple tagging rules. A single device can be assigned multiple tags if you have created multiple tagging rules and if the respective conditions of these rules are met simultaneously. You can view the list of all assigned tags in the device properties.
Page topRunning rules for auto-tagging devices
When a rule is run, the tag specified in properties of this rule is assigned to devices that meet conditions specified in properties of the same rule. You can run only active rules.
To run rules for auto-tagging devices:
- View rules for tagging devices automatically.
- Select check boxes next to active rules that you want to run.
- Click the Run rule button.
The selected rules are run.
Page topDeleting a rule for tagging devices automatically
To delete a rule for tagging devices automatically:
- View rules for tagging devices automatically.
- Select the check box next to the rule that you want to delete.
- Click Delete.
- In the window that opens, click Delete again.
The selected rule is deleted. The tag that was specified in properties of this rule is unassigned from all of the devices that it was assigned to.
The unassigned device tag is not deleted. If you want, you can delete it manually.
Page topQuarantine and Backup
Kaspersky anti-virus applications installed on client devices may place files in Quarantine or Backup during device scan.
Quarantine is a special repository for storing files that are probably infected with viruses and files that cannot be disinfected at the time when they are detected.
Backup is designed for storing backup copies of files that have been deleted or modified during the disinfection process.
Kaspersky Security Center Cloud Console creates a summarized list of files placed in Quarantine or Backup by Kaspersky applications on the devices. Network Agents on client devices transmit information about the files in Quarantine and Backup to the Administration Server.
Kaspersky Security Center Cloud Console does not copy files from repositories to Administration Server. All files are stored in repositories on the devices.
Downloading a file from repositories
Kaspersky Security Center Cloud Console enables you to download copies of files that a security application placed in Quarantine or Backup on a client device. Files are copied to the destination that you specify.
You can download files only if one of the following conditions is met: the Do not disconnect from the Administration Server option is enabled in the settings of the device, a push server is in use, or a connection gateway is in use. Otherwise, downloading is not possible.
The maximum total number of devices with the Do not disconnect from the Administration Server option selected is 300.
To save a copy of file from Quarantine or Backup to a hard drive:
- Do one of the following:
- If you want to save a copy of file from Quarantine, in the main menu, go to Operations → Repositories → Quarantine.
- If you want to save a copy of file from Backup, in the main menu, go to Operations → Repositories → Backup.
- In the window that opens, select a file that you want to download and click Download.
The download starts. A copy of the file that had been placed in Quarantine on the client device is saved to the specified folder.
Deleting files from repositories
To delete a file from Quarantine or Backup:
- Do one of the following:
- If you want to save a copy of file from Quarantine, in the main menu, go to Operations → Repositories → Quarantine.
- If you want to save a copy of file from Backup, in the main menu, go to Operations → Repositories → Backup.
- In the window that opens, select a file that you want to delete and click Delete.
- Confirm that you want to delete the file.
The security application on the client device that had placed files in the repository (Quarantine or Backup) deletes the same files from this repository.
Remote diagnostics of client devices
You can use remote diagnostics for remote execution of the following operations on Windows-based and Linux-based client devices:
- Enabling and disabling tracing, changing the tracing level, and downloading the trace file
- Downloading system information and application settings
- Downloading event logs
- Generating a dump file for an application
- Starting diagnostics and downloading diagnostics reports
- Starting, stopping, and restarting applications
You can use event logs and diagnostics reports downloaded from a client device to troubleshoot problems on your own. Also, if you contact Kaspersky Technical Support, a Technical Support specialist might ask you to download trace files, dump files, event logs, and diagnostics reports from a client device for further analysis at Kaspersky.
Opening the remote diagnostics window
To perform remote diagnostics on Windows-based and Linux-based client devices, you first have to open the remote diagnostics window.
To open the remote diagnostics window:
- To select the device for which you want to open the remote diagnostics window, perform one of the following:
- If the device belongs to an administration group, in the main menu, go to Assets (Devices) → Groups → <group name> → Managed devices.
- If the device belongs to the Unassigned devices group, in the main menu, go to Discovery & deployment → Unassigned devices.
- Click the name of the required device.
- In the device properties window that opens, select the Advanced tab.
- In the window that opens, click Remote diagnostics.
This opens the Remote diagnostics window of a client device. If connection between Administration Server and the client device is not established, the error message is displayed.
Alternatively, if you need to obtain all diagnostic information about a Linux-based client device at once, you can run the collect.sh script on this device.
Page topEnabling and disabling tracing for applications
You can enable and disable tracing for applications, including Xperf tracing.
Enabling and disabling tracing
To enable or disable tracing on a remote device:
- Open the remote diagnostics window of a client device.
- In the remote diagnostics window, select the Kaspersky applications tab.
In the Application management section, the list of Kaspersky applications installed on the device displays.
- In the application list, select the application for which you want to enable or disable tracing.
The list of remote diagnostics options opens.
- If you want to enable tracing:
- In the Tracing section, click Enable tracing.
- In the Modify tracing level window that opens, we recommend that you keep the default values of the settings. When required, a Technical Support specialist will guide you through the configuration process. The following settings are available:
- Tracing level
- Rotation-based tracing
This setting is available for Kaspersky Endpoint Security only.
- Click Save.
The tracing is enabled for the selected application. In some cases, the security application and its task must be restarted in order to enable tracing.
On Linux-based client devices, tracing for the Updater of Kaspersky Security Agent component is regulated by the Network Agent settings. Therefore, the Enable tracing and Modify tracing level options are disabled for this component on client devices running Linux.
- If you want to disable tracing for the selected application, click Disable tracing.
The tracing is disabled for the selected application.
Enabling Xperf tracing
For Kaspersky Endpoint Security, a Technical Support specialist may ask you to enable Xperf tracing for information about the system performance.
To enable and configure Xperf tracing or disable it:
- Open the remote diagnostics window of a client device.
- In the remote diagnostics window, select the Kaspersky applications tab.
In the Application management section, the list of Kaspersky applications installed on the device displays.
- In the list of applications, select Kaspersky Endpoint Security for Windows.
The list of remote diagnostics options for Kaspersky Endpoint Security for Windows displays.
- In the Xperf tracing section, click Enable Xperf tracing.
If Xperf tracing is already enabled, the Disable Xperf tracing button is displayed instead. Click this button if you want to disable Xperf tracing for Kaspersky Endpoint Security for Windows.
- In the Change Xperf tracing level window that opens, depending on the request from the Technical Support specialist, do the following:
- Select one of the following tracing levels:
- Select one of the following Xperf tracing types:
You may also be asked to enable the Rotation file size, in MB option to prevent excessive increase in the size of the trace file. Then specify the maximum size of the trace file. When the file reaches the maximum size, the oldest tracing information is overwritten with new information.
- Define the rotation file size.
- Click Save.
Xperf tracing is enabled and configured.
- If you want to disable Xperf tracing for Kaspersky Endpoint Security for Windows, click Disable Xperf tracing in the Xperf tracing section.
Xperf tracing is disabled.
Downloading trace files of an application
You can download trace files from a client device only if one of the following conditions is met: the Do not disconnect from the Administration Server option is enabled in the settings of the device, a push server is in use, or a connection gateway is in use. Otherwise, downloading is not possible.
The maximum total number of devices with the Do not disconnect from the Administration Server option selected is 300.
To download a trace file of an application:
- Open the remote diagnostics window of a client device.
- In the remote diagnostics window, select the Kaspersky applications tab.
In the Application management section, the list of Kaspersky applications installed on the device displays.
- In the list of applications, select the application for which you want to download a trace file.
- In the Tracing section, click the Trace files button.
This opens the Device tracing logs window, where a list of trace files is displayed.
- In the list of trace files, select the file that you want to download.
- Do one of the following:
- Download the selected file by clicking the Download. You can select one or several files for downloading.
- Download a portion of the selected file:
- Click Download a portion.
You cannot download portions of several files at the same time. If you select more than one trace file, the Download a portion button will be disabled.
- In the window that opens, specify the name and the file portion to download, according to your needs.
For Linux-based devices, editing the file portion name is not available.
- Click Download.
- Click Download a portion.
The selected file, or its portion, is downloaded to the location that you specify.
Page topDeleting trace files
You can delete trace files that are no longer needed.
To delete a trace file:
- Open the remote diagnostics window of a client device.
- In the remote diagnostics window that opens, select the Event logs tab.
- In the Trace files section, click Windows Update logs or Remote installation logs, depending on which trace files you want to delete.
This opens the Device tracing logs window, where a list of trace files is displayed.
- In the list of trace files, select one or several files that you want to delete.
- Click the Remove button.
The selected trace files are deleted.
Page topDownloading application settings
You can download application settings from a client device only if one of the following conditions is met: the Do not disconnect from the Administration Server option is enabled in the settings of the device, a push server is in use, or a connection gateway is in use. Otherwise, downloading is not possible.
The maximum total number of devices with the Do not disconnect from the Administration Server option selected is 300.
To download application settings from a client device:
- Open the remote diagnostics window of a client device.
- In the remote diagnostics window, select the Kaspersky applications tab.
- In the Application settings section, click the Download button to download information about the settings of the applications installed on the client device.
The ZIP archive with information is downloaded to the specified location.
Page topDownloading system information from a client device
You can download system information to your device from a client device only if one of the following conditions is met: the Do not disconnect from the Administration Server option is enabled in the settings of the device, a push server is in use, or a connection gateway is in use. Otherwise, downloading is not possible.
The maximum total number of devices with the Do not disconnect from the Administration Server option selected is 300.
To download system information from a client device:
- Open the remote diagnostics window of a client device.
- In the remote diagnostics window, select the System information tab.
- Click the Download button to download the system information about the client device.
The file with information is downloaded to the specified location.
Page topDownloading event logs
You can download event logs to your device from a client device only if one of the following conditions is met: the Do not disconnect from the Administration Server option is enabled in the settings of the device, a push server is in use, or a connection gateway is in use. Otherwise, downloading is not possible.
The maximum total number of devices with the Do not disconnect from the Administration Server option selected is 300.
To download an event log from a remote device:
- Open the remote diagnostics window of a client device.
- In the remote diagnostics window, on the Event logs tab, click All device logs.
- In the All device logs window, select one or several relevant logs.
- Do one of the following:
- Download the selected log by clicking Download entire file.
- Download a portion of the selected log:
- Click Download a portion.
You cannot download portions of several logs at the same time. If you select more than one event log, the Download a portion button will be disabled.
- In the window that opens, specify the name and the log portion to download, according to your needs.
- Click Download.
- Click Download a portion.
The selected event log, or a portion of it, is downloaded to the specified location.
Page topStarting, stopping, restarting the application
You can start, stop, and restart applications on a client device.
To start, stop, or restart an application:
- Open the remote diagnostics window of a client device.
- In the remote diagnostics window, select the Kaspersky applications tab.
In the Application management section, the list of Kaspersky applications installed on the device displays.
- In the list of applications, select the application that you want to start, stop, or restart.
- Select an action by clicking one of the following buttons:
- Stop application
This button is available only if the application is currently running.
- Restart application
This button is available only if the application is currently running.
- Start application
This button is available only if the application is not currently running.
- Stop application
Depending on the action that you have selected, the required application is started, stopped, or restarted on the client device.
If you restart the Network Agent, a message is displayed stating that the current connection of the device to the Administration Server will be lost.
Page topRunning the remote diagnostics of an application and downloading the results
To start diagnostics for an application on a remote device and download the results:
- Open the remote diagnostics window of a client device.
- In the remote diagnostics window, select the Kaspersky applications tab.
In the Application management section, the list of Kaspersky applications installed on the device displays.
- In the list of applications, select the application for which you want to run remote diagnostics.
The list of remote diagnostics options opens.
- In the Diagnostics report section, click the Run diagnostics button.
This starts the remote diagnostics process and generates a diagnostics report. When the diagnostics process is complete, the Download diagnostics report button becomes available.
- Click the Download diagnostics report button to download the report.
The report is downloaded to the specified location.
Page topRunning an application on a client device
You may have to run an application on the client device, if a Kaspersky support specialist requests it. You do not have to install the application on that device.
To run an application on the client device:
- Open the remote diagnostics window of a client device.
- In the remote diagnostics window, select the Running a remote application tab.
- In the Running a remote application section, click the Upload button to select a ZIP archive containing the application that you want to run on the client device.
The ZIP archive must include the utility folder. This folder contains the executable file to be run on a remote device.
You can specify the executable file name and the command-line arguments, if necessary. To do this, fill in the Executable file in an archive to be run on a remote device and Command line arguments fields.
- Click the Upload and run button to run the specified application on a client device.
- Follow the instructions of the Kaspersky support specialist.
Generating a dump file for an application
An application dump file allows you to view parameters of the application running on a client device at a point in time. This file also contains information about modules that were loaded for an application.
Generating dump files is available only for 32-bit processes running on Windows-based client devices. For client devices running Linux and for 64-bit processes this feature is not supported.
To create a dump file for an application:
- Open the remote diagnostics window of a client device.
- In the remote diagnostics window, select click the Running a remote application tab.
- In the Generating the process dump file section, specify the executable file of the application for which you want to generate a dump file.
- Click the Download button to save the dump file for the specified application.
If the specified application is not running on the client device, the error message will be displayed.
Remotely connecting to the desktop of a client device
You can obtain remote access to the desktop of a client device through a Network Agent installed on the device. Remote connection to a device through the Network Agent is possible even if the TCP and UDP ports of the client device are closed.
Upon establishing the connection with the device, you gain full access to information stored on this device and can manage applications installed on it.
Remote connection must be allowed in the operating system settings of the target managed device. For example, in Windows 10, this option is called Allow Remote Assistance connections to this computer (you can find this option at Control Panel → System and Security → System → Remote settings). If you have a license for the Vulnerability and patch management feature, you can enable this option forcibly when you establish connection to a managed device. If you do not have the license, enable this option locally on the target managed device. If this option is disabled, remote connection is not possible.
To establish remote connection to a device, you must have two utilities:
- Kaspersky utility named klsctunnel. This utility must be stored on your workstation. You use this utility for tunneling the connection between a client device and the Administration Server.
Kaspersky Security Center Cloud Console allows tunneling TCP connections from Administration Console via the Administration Server and then via Network Agent to a specified port on a managed device. Tunneling is designed for connecting a client application on a device with Administration Console installed to a TCP port on a managed device—if no direct connection is possible between Administration Console and the target device.
Connection tunneling between a remote client device and Administration Server is required if the port used for connection to Administration Server is not available on the device. The port on the device may be unavailable in the following cases:
- The remote device is connected to a local network that uses the NAT mechanism.
- The remote device is part of the local network of Administration Server, but its port is closed by a firewall.
- Standard Microsoft Windows component named Remote Desktop Connection. Connection to a remote desktop is established through the standard Windows utility mstsc.exe in accordance with the utility's settings.
Connection to the current remote desktop session of the user is established without the user's knowledge. Once you connect to the session, the device user is disconnected from the session without an advance notification.
To connect to the desktop of a client device, one of the following conditions must be met:
- Client device is a member of an administration group that has a distribution point with the Do not disconnect from the Administration Server option enabled.
- In the client device settings, the Do not disconnect from the Administration Server option is enabled.
The maximum total number of client devices with the Do not disconnect from the Administration Server option enabled is 300.
To connect to the desktop of a client device:
- In the main menu, go to Assets (Devices) → Managed devices.
- Select the check box next to the name of the device to which you want to obtain access.
- Click the Connect to Remote Desktop button.
The Connect to Remote Desktop window opens.
- Click the Download button to download the klsctunnel utility.
- Click the Copy to clipboard button to copy the text from the text field. This text is a Binary Large Object (BLOB) that contains settings required to establish connection between the Administration Server and the managed device.
A BLOB is valid for 3 minutes. If it has expired, reopen the Connect to Remote Desktop window to generate a new BLOB.
- Run the klsctunnel utility.
The utility window opens.
- Paste the copied text into the text field.
- If you use a proxy server, select the Use proxy server check box, and then specify the proxy server connection settings.
- Click the Open port button.
The Remote Desktop Connection login window opens.
- Specify the credentials of the account under which you are currently logged in to Kaspersky Security Center Cloud Console.
- Click the Connect button.
When connection to the device is established, the desktop is available in the Remote Desktop Connection window of Microsoft Windows.
Connecting to devices through Windows Desktop Sharing
You can obtain remote access to the desktop of a client device through a Network Agent installed on the device. Remote connection to a device through the Network Agent is possible even if the TCP and UDP ports of the client device are closed.
You can connect to an existing session on a client device without disconnecting the user in this session. In this case, you and the session user on the device share access to the desktop.
To establish remote connection to a device, you must have two utilities:
- Kaspersky utility named klsctunnel. This utility must be stored on your workstation. You use this utility for tunneling the connection between a client device and the Administration Server.
Kaspersky Security Center Cloud Console allows tunneling TCP connections from Administration Console via the Administration Server and then via Network Agent to a specified port on a managed device. Tunneling is designed for connecting a client application on a device with Administration Console installed to a TCP port on a managed device—if no direct connection is possible between Administration Console and the target device.
Connection tunneling between a remote client device and Administration Server is required if the port used for connection to Administration Server is not available on the device. The port on the device may be unavailable in the following cases:
- The remote device is connected to a local network that uses the NAT mechanism.
- The remote device is part of the local network of Administration Server, but its port is closed by a firewall.
- Windows Desktop Sharing. When connecting to an existing session of the remote desktop, the session user on the device receives a connection request from you. No information about remote activity on the device and its results will be saved in reports created by Kaspersky Security Center Cloud Console.
You can configure an audit of user activity on a remote client device. During the audit, the application saves information about files on the client device that have been opened and/or modified by the administrator.
To connect to the desktop of a client device through Windows Desktop Sharing, the following conditions must be met:
- Microsoft Windows Vista or later is installed on your workstation.
To check whether the Windows Desktop Sharing feature is included in your Windows edition, make sure that CLSID {32BE5ED2-5C86-480F-A914-0FF8885A1B3F} is included in the 32-bit registry.
- Microsoft Windows Vista or later is installed on the client device.
- Kaspersky Security Center Cloud Console uses a license for Vulnerability and patch management.
- The client device is a member of an administration group that has a distribution point with the Do not disconnect from the Administration Server option enabled, or this option is enabled in the client device settings.
Note that the maximum total number of client devices with the Do not disconnect from the Administration Server option enabled is 300.
To connect to the desktop of a client device through Windows Desktop Sharing:
- In the main menu, go to Assets (Devices) → Managed devices.
- Select the check box next to the name of the device to which you want to obtain access.
- Click the Windows Desktop Sharing button.
The Windows Desktop Sharing wizard opens.
- Click the Download button to download the klsctunnel utility, and wait for the download process to complete.
If you already have the klsctunnel utility, skip this step.
- Click the Next button.
- Select the session on the device to which you want to connect, and then click the Next button.
- On the target device, in the dialog box that opens, the user must allow a desktop sharing session. Otherwise, the session is not possible.
After the device user confirms the desktop sharing session, the next page of the wizard opens.
- Click the Copy to clipboard button to copy the text from the text field. This text is a Binary Large Object (BLOB) that contains settings required to establish connection between the Administration Server and the managed device.
A BLOB is valid for 3 minutes. If it has expired, generate a new BLOB.
- Run the klsctunnel utility.
The utility window opens.
- Paste the copied text into the text field.
- If you use a proxy server, select the Use proxy server check box, and then specify the proxy server connection settings.
- Click the Open port button.
Desktop sharing starts in a new window. If you want to interact with the device, click the menu icon (
) in the upper-left corner of the window, and then select Interactive mode.
Triggering of rules in Smart Training mode
This section provides information about the detections performed by the Adaptive Anomaly Control rules in Kaspersky Endpoint Security for Windows on client devices.
The rules detect anomalous behavior on client devices and may block it. If the rules work in Smart Training mode, they detect anomalous behavior and send reports about every such occurrence to Kaspersky Security Center Cloud Console Administration Server. This information is stored as a list in the Rule triggers in Smart Training state subfolder of the Repositories folder. You can confirm detections as correct or add them as exclusions, so that this type of behavior is not considered anomalous anymore.
Information about detections is stored in the event log on the Administration Server (along with other events) and in the Adaptive Anomaly Control report.
For more information about Adaptive Anomaly Control, the rules, their modes and statuses, refer to Kaspersky Endpoint Security Help.
Viewing the list of detections performed using Adaptive Anomaly Control rules
To view the list of detections performed by Adaptive Anomaly Control rules:
- In the main menu, go to Operations → Repositories.
- Click the Rule triggers in Smart Training state link.
The list displays the following information about detections performed using Adaptive Anomaly Control rules:
To view properties of each information element:
- In the main menu, go to Operations → Repositories.
- Click the Rule triggers in Smart Training state link.
- In the window that opens, select the object that you want.
- Click the Properties link.
The properties window of the object opens and displays information about the selected element.
You can confirm or add to exclusions any element in the list of detections of Adaptive Anomaly Control rules.
To confirm an element,
Select an element (or several elements) in the list of detections and click the Confirm button.
The status of the element(s) will be changed to Confirming.
Your confirmation will contribute to the statistics used by the rules (for more information, refer to Kaspersky Endpoint Security for Windows documentation).
To add an element as an exclusion,
Select an element (or several elements) in the list of detections and click the Exclude button.
The Add exclusion wizard starts. Follow the instructions of the wizard.
If you reject or confirm an element, it will be excluded from the list of detections after the next synchronization of the client device with the Administration Server, and will no longer appear in the list.
Adding exclusions from the Adaptive Anomaly Control rules
The Add exclusion wizard enables you to add exclusions from the Adaptive Anomaly Control rules for Kaspersky Endpoint Security for Windows.
To start the Add exclusion wizard through the Adaptive Anomaly Control node:
- In the main menu, go to Operations → Repositories → Rule triggers in Smart Training state.
- In the window that opens, select an element (or several elements) in the list of detections, and then click the Exclude button.
You can add up to 1000 exclusions at a time. If you select more elements and try to add them to exclusions, an error message is displayed.
The Add exclusion wizard starts. Proceed through the wizard by using the Next button.