Kaspersky Security Center Cloud Console
[Topic 180963]

Scenario: Regular updating of Kaspersky databases and applications

This section provides a scenario for regular updating of Kaspersky databases, software modules, and applications. After you complete the Configuring network protection scenario, you must maintain the reliability of the protection system. This maintenance ensures that protection of the managed devices remains firm against a range of threats, including viruses, network attacks, and phishing attacks.

There are several schemes that you can use to install updates to Kaspersky Security Center Cloud Console components and security applications. Choose one or more schemes that meet the requirements of your network best.

The scenario below describes the update scheme in which updates are downloaded to the distribution point repositories. If the managed devices do not have a connection to the distribution points, consider updating Kaspersky databases, software modules, and applications manually or directly from the Kaspersky update servers.

When you complete this scenario, the following results occur:

  • Kaspersky Security Center Cloud Console components are updated automatically or only when you designate the Approved status for the updates.
  • Kaspersky security applications, Kaspersky databases, and software modules are updated according to the schedule that you specified. By default, Kaspersky security applications install only those updates that you approve.

You can configure the update process to download and install updates in either of two ways:

  • Automatically

    In this case you have to perform this scenario only once. You will have to schedule the Download updates to the repositories of distribution points task (if any) and the Update tasks for the Kaspersky security applications, and keep the default update settings that are in the Network Agent properties.

  • Manually

    You can configure the update process to run the Download updates to the repositories of distribution points task (if any) and the Update tasks for the Kaspersky security applications manually. You can also configure Network Agent to install updates for the Kaspersky Security Center Cloud Console components only when you designate the Approved status for the updates.

Prerequisites

Before you start, make sure that you have done the following:

  1. Deployed the Kaspersky security applications to the managed devices according to the scenario of deploying Kaspersky applications through Kaspersky Security Center Cloud Console. When performing that scenario, you assigned an appropriate number of distribution points in accordance with the number of managed devices and the network topology.
  2. Created and configured all required policies, policy profiles, and tasks according to the scenario of configuring network protection.

Stages

Configuration of regular updating of Kaspersky databases and applications proceeds in stages:

  1. Creating the task for downloading updates to the repositories of distribution points

    Create the Download updates to the repositories of distribution points task. When this task is run, Kaspersky Security Center Cloud Console downloads the updates to the distribution points directly from Kaspersky update servers.

    How-to instructions: Creating the task for downloading updates to the repositories of distribution points

  2. Configuring distribution points

    Make sure that the Deploy updates option is enabled in the properties of all required distribution points. When this option is disabled for a distribution point, the devices included in the scope of the distribution point can download updates only from a local resource or directly from Kaspersky update servers.

    If you want the managed devices to receive updates only from the distribution points, enable the Distribute files through distribution points only option in the Network Agent policy.

  3. Optimizing the update process by using diff files (optional)

    Enabling this feature reduces the traffic between the distribution points and the managed devices. To use this feature, enable the Download diff files option in the properties of the Download updates to the repositories of distribution points task.

    How-to instructions: Using diff files for updating Kaspersky databases and software modules

  4. Defining which updates to install

    By default, the downloaded software updates have the Undefined status. Change the status to Approved or Declined to define if this update should be installed on networked devices. The approved updates are always installed. The undefined updates can only be installed on Network Agent and other Kaspersky Security Center Cloud Console components in accordance with the Network Agent policy settings. The updates for which you set Declined status will not be installed on devices.

    How-to instructions:

  5. Configuring automatic installation of updates and patches for Kaspersky Security Center Cloud Console components

    By default, the downloaded updates and patches for Network Agent and other Kaspersky Security Center Cloud Console components are installed automatically. If you have left the Automatically install applicable updates and patches for components that have the Undefined status option enabled in the Network Agent properties, then all updates will be installed automatically after they are downloaded to the repository (or several repositories). If this option is disabled, Kaspersky patches that have been downloaded and tagged with the Undefined status will be installed only after you change their status to Approved.

    How-to instructions: Enabling and disabling automatic updating and patching for Kaspersky Security Center Cloud Console components

  6. Configuring automatic installation of updates for the security applications

    Create the Update tasks for the managed applications to provide timely updates to the applications, software modules and Kaspersky databases, including anti-virus databases. We recommend that you select the When new updates are downloaded to the repository option when configuring the task schedule. This will ensure that new updates are installed as soon as possible.

    By default, updates for the managed applications are installed only after you change the update status to Approved. For Kaspersky Endpoint Security for Windows, you can change the update settings in the Update task.

    If an update requires reviewing and accepting the terms of the End User License Agreement, then you first need to accept the terms. After that the update can be propagated to the managed devices.

    How-to instructions: Automatic installation of Kaspersky Endpoint Security updates on devices

  7. Approving and declining updates of managed Kaspersky applications

    By default, the downloaded software updates have the Undefined status. You can change the status to Approved or Declined. The approved updates are always installed. If an update of a managed Kaspersky application requires reviewing and accepting the terms of the End User License Agreement, then you first need to accept the terms. After that the update can be propagated to the managed devices. The updates for which you set Declined status will not be installed on devices. If a declined update for a managed application was previously installed, Kaspersky Security Center Cloud Console will try to uninstall the update from all devices.

    Approving and declining updates is available only for Network Agent and managed Kaspersky applications installed on the Windows-based and Linux-based client devices. Seamless updating of Administration Server, Kaspersky Security Center Cloud Console, and management web plug-ins is not supported.

    How-to instructions: Approving and declining software updates

Upon completion of the scenario, you can proceed to monitoring the network status.
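
The approval rules from stages 4 through 7, together with the Automatically install critical application module updates option of the Kaspersky Endpoint Security for Windows Update task described on this page, can be checked against an inventory of pending updates. The following Python model is an added example and is not Kaspersky code; the class names, the critical flag, and the sample update names are assumptions made for illustration.

```python
from dataclasses import dataclass
from enum import Enum


class Status(Enum):
    UNDEFINED = "Undefined"   # default status of a downloaded update
    APPROVED = "Approved"
    DECLINED = "Declined"


class Kind(Enum):
    CONSOLE_COMPONENT = "component"        # Network Agent and other Cloud Console components
    MANAGED_APP = "managed application"    # for example, Kaspersky Endpoint Security for Windows


class Action(Enum):
    INSTALL = "install"
    WAIT_FOR_APPROVAL = "wait for Approved status"
    WAIT_FOR_EULA = "wait for EULA acceptance"
    SKIP = "do not install"
    UNINSTALL = "try to uninstall"


@dataclass(frozen=True)
class Update:
    name: str
    kind: Kind
    status: Status = Status.UNDEFINED
    critical: bool = False           # assumption: modeled as a flag next to the status
    requires_eula: bool = False
    eula_accepted: bool = False
    already_installed: bool = False


@dataclass(frozen=True)
class Settings:
    # Update task option "Automatically install critical application module updates"
    auto_install_critical: bool
    # Network Agent option "Automatically install applicable updates and patches for
    # components that have the Undefined status" (enabled by default per the page)
    auto_install_undefined_components: bool = True


def decide(update: Update, settings: Settings) -> Action:
    """Return what happens to one update under the rules described in the scenario."""
    # Assumption: an explicit Declined decision takes precedence over the critical
    # flag; the page does not state how the two interact.
    if update.status is Status.DECLINED:
        if update.kind is Kind.MANAGED_APP and update.already_installed:
            return Action.UNINSTALL      # a previously installed declined update is removed
        return Action.SKIP
    if update.status is Status.APPROVED:
        eligible = True                  # approved updates are always installed
    elif update.kind is Kind.CONSOLE_COMPONENT:
        eligible = settings.auto_install_undefined_components
    else:
        # Undefined update of a managed application: only critical ones, and only
        # when the Update task is set to install them automatically.
        eligible = update.critical and settings.auto_install_critical
    if not eligible:
        return Action.WAIT_FOR_APPROVAL
    if update.requires_eula and not update.eula_accepted:
        return Action.WAIT_FOR_EULA      # the terms must be accepted before propagation
    return Action.INSTALL


def plan(updates, settings):
    """Map each update name to its resulting action."""
    return {u.name: decide(u, settings) for u in updates}


def awaiting_admin(updates, settings):
    """Names of updates that will not roll out until an administrator acts."""
    waiting = (Action.WAIT_FOR_APPROVAL, Action.WAIT_FOR_EULA)
    return [u.name for u in updates if decide(u, settings) in waiting]


# Constructed sample inventory (not real update names).
SAMPLE_UPDATES = (
    Update("Network Agent patch A", Kind.CONSOLE_COMPONENT),
    Update("KES module update B", Kind.MANAGED_APP),
    Update("KES critical module update C", Kind.MANAGED_APP, critical=True),
    Update("KES upgrade D", Kind.MANAGED_APP, Status.APPROVED, requires_eula=True),
    Update("KES module update E", Kind.MANAGED_APP, Status.DECLINED, already_installed=True),
)

if __name__ == "__main__":
    for name, action in plan(SAMPLE_UPDATES, Settings(auto_install_critical=False)).items():
        print(f"{name}: {action.value}")
```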

[Topic 180689]

About updating Kaspersky databases, software modules, and applications

To be sure that the protection of your managed devices is up-to-date, you must provide timely updates of the following:

  • Kaspersky databases and software modules

    Before downloading Kaspersky databases and software modules, Kaspersky Security Center Cloud Console checks if Kaspersky servers are accessible. If access to the servers using system DNS is not possible, the application uses public DNS servers. This is necessary to make sure anti-virus databases are updated and the level of security is maintained for the managed devices.

  • Installed Kaspersky applications, including Kaspersky Security Center Cloud Console components and security applications

    Kaspersky Security Center Cloud Console allows you to update Network Agent and Kaspersky applications installed on Windows-based and Linux-based client devices automatically. Seamless updating of Administration Server, Kaspersky Security Center Cloud Console, and management web plug-ins is not supported. To update these components, you have to download the latest versions from the Kaspersky website, and then install them manually.

Depending on the configuration of your network, you can use the following schemes of downloading and distributing the required updates to the managed devices:

  • Using the Download updates to the repositories of distribution points task
  • Manually through a local folder, a shared folder, or an FTP server
  • Directly from Kaspersky update servers to the security applications on the managed devices

Using the Download updates to the repositories of distribution points task

In this scheme, Kaspersky Security Center Cloud Console downloads updates through the Download updates to the repositories of distribution points task. The managed devices included in the scope of a distribution point download the updates from the repository of the distribution point (see figure below).

Distribution point devices running macOS cannot download updates from Kaspersky update servers.

If one or more devices running macOS are within the scope of the Download updates to the repositories of distribution points task, the task completes with the Failed status, even if it has successfully completed on all Windows devices.

[Figure: Updating by using the Download updates to the repositories of distribution points task]

When the Download updates to the repositories of distribution points task is complete, the following updates are downloaded to the distribution point repository:

Each Kaspersky application requests required updates from Administration Server. Administration Server aggregates these requests and downloads to the distribution point repositories only those updates that are requested by any application. This ensures that the same updates are not downloaded multiple times and that unnecessary updates are not downloaded at all. When running the Download updates to the repositories of distribution points task, Administration Server sends the following information to Kaspersky update servers automatically in order to ensure the downloading of relevant versions of Kaspersky databases and software modules:

  • Application ID and version
  • Application installation ID
  • Active key ID
  • Download task run ID

None of the transmitted information contains personal or other confidential data. AO Kaspersky Lab protects information in accordance with requirements established by law.

Manually through a local folder, a shared folder, or an FTP server

If the client devices do not have a connection to a distribution point, you can use a local folder or a shared resource as a source for updating Kaspersky databases, software modules, and applications. In this scheme, you have to copy required updates from a distribution point repository to a removable drive, and then copy the updates to the local folder or the shared resource specified as an update source in the settings of Kaspersky Endpoint Security for Windows (see figure below).

[Figure: Updating through a local folder, a shared folder, or an FTP server]

Directly from Kaspersky update servers to Kaspersky Endpoint Security for Windows on the managed devices

On the managed devices, you can configure Kaspersky Endpoint Security for Windows to receive updates directly from Kaspersky update servers (see figure below).

[Figure: Updating security applications directly from Kaspersky update servers]

In this scheme, the security application does not use the repositories provided by Kaspersky Security Center Cloud Console. To receive updates directly from Kaspersky update servers, specify Kaspersky update servers as an update source in the interface of the security application. For a full description of these settings, please refer to the Kaspersky Endpoint Security for Windows documentation.

See also:

Scenario: Regular updating of Kaspersky databases and applications

[Topic 46875]

Creating the task for downloading updates to the repositories of distribution points

Distribution point devices running macOS cannot download updates from Kaspersky update servers.

If one or more devices running macOS are within the scope of the Download updates to the repositories of distribution points task, the task completes with the Failed status, even if it has successfully completed on all Windows devices.

You can create the Download updates to the repositories of distribution points task for an administration group. This task will run for distribution points included in the specified administration group.

This task is required to download updates from Kaspersky update servers to the repositories of distribution points. The list of updates includes:

  • Updates to databases and software modules for Kaspersky security applications
  • Updates to Kaspersky Security Center Cloud Console components
  • Updates to Kaspersky security applications

After the updates are downloaded, they can be propagated to the managed devices.

To create the Download updates to the repositories of distribution points task, for a selected administration group:

  1. In the main menu, go to Assets (Devices) → Tasks.
  2. Click the Add button.

    The New task wizard starts. Follow the steps of the wizard.

  3. For the Kaspersky Security Center Cloud Console application, in the Task type field select Download updates to the repositories of distribution points.
  4. Specify the name for the task that you are creating. A task name cannot be more than 100 characters long and cannot include any special characters ("*<>?\:|).
  5. Select an option button to specify the administration group, the device selection, or the devices to which the task applies.
  6. At the Finish task creation step, if you enable the Open task details when creation is complete option, you can modify the default task settings. If you do not enable this option, the task is created with the default settings. You can modify the default settings later, at any time.
  7. Click the Create button.

    The task is created and displayed in the list of tasks.

  8. Click the name of the created task to open the task properties window.
  9. On the Application settings tab of the task properties window, specify the following settings:
    • Sources of updates

      The following resources can be used as a source of updates for the distribution point:

      • Kaspersky update servers

        HTTP(S) servers at Kaspersky from which Kaspersky applications download database and application module updates.

        This option is selected by default.

      • Primary Administration Server

        This resource applies to tasks created for a secondary or virtual Administration Server.

      • Local or network folder

        A local or network folder that contains the latest updates. A network folder can be an FTP or HTTP server, or an SMB share. If a network folder requires authentication, only the SMB protocol is supported. When selecting a local folder, you must specify a folder on the device that has Administration Server installed.

        An FTP or HTTP server or a network folder used as an update source must contain a folder structure (with updates) that matches the structure created when using Kaspersky update servers.

    • Folder for storing updates

      The path to the specified folder for storing saved updates. You can copy the specified folder path to a clipboard. You cannot change the path to a specified folder for a group task.

    • Download diff files

      This option enables the downloading of diff files.

      By default, this option is disabled.

    • Download updates by using the old scheme

      Kaspersky Security Center Cloud Console downloads updates of databases and software modules by using the new scheme. For the application to download updates by using the new scheme, the update source must contain the update files with the metadata compatible with the new scheme. If the update source contains the update files with the metadata compatible with the old scheme only, enable the Download updates by using the old scheme option. Otherwise, the update download task will fail.

      For example, you must enable this option when a local or network folder is specified as an update source and the update files in this folder were downloaded by one of the following applications:

      • Kaspersky Update Utility

        This utility downloads updates by using the old scheme.

      • Kaspersky Security Center 13.2 or earlier version

      For example, a distribution point is configured to take the updates from a local or network folder. In this case, you may download updates by using an Administration Server that has an internet connection, and then place the updates in the local folder on the distribution point. If the Administration Server has version 13.2 or earlier, enable the Download updates by using the old scheme option in the Download updates to the repositories of distribution points task.

      By default, this option is disabled.

  10. Create a schedule for task start. If necessary, specify the following settings:
    • Start task

      Select the schedule according to which the task runs, and configure the selected schedule.

      • Manually (selected by default)

        The task does not run automatically. You can only start it manually.

        By default, this option is selected.

      • Every N minutes

        The task runs regularly, with the specified interval in minutes, starting from the specified time on the day that the task is created.

        By default, the task runs every 30 minutes, starting from the current system time.

      • Every N hours

        The task runs regularly, with the specified interval in hours, starting from the specified date and time.

        By default, the task runs every 6 hours, starting from the current system date and time.

      • Every N days

        The task runs regularly, with the specified interval in days. Additionally, you can specify a date and time of the first task run. These additional options become available if they are supported by the application for which you create the task.

        By default, the task runs every day, starting from the current system date and time.

      • Every N weeks

        The task runs regularly, with the specified interval in weeks, on the specified day of week and at the specified time.

        By default, the task runs every Monday at the current system time.

      • Daily (daylight saving time is not supported)

        The task runs regularly, with the specified interval in days. This schedule does not support observance of daylight saving time (DST). It means that when clocks jump one hour forward or backward at the beginning or ending of DST, the actual task start time does not change.

        We do not recommend that you use this schedule. It is needed for backward compatibility of Kaspersky Security Center Cloud Console.

        By default, the task starts every day at the current system time.

      • Weekly

        The task runs every week on the specified day and at the specified time.

      • By days of week

        The task runs regularly, on the specified days of the week, at the specified time.

        By default, the task runs every Friday at 6:00:00 PM.

      • Monthly

        The task runs regularly, on the specified day of the month, at the specified time.

        In months that lack the specified day, the task runs on the last day.

        By default, the task runs on the first day of each month, at the current system time.

      • Every month on specified days of selected weeks

        The task runs regularly, on the specified days of each month, at the specified time.

        By default, no days of month are selected. The default start time is 18:00.

      • On virus outbreak

        The task runs after a Virus outbreak event occurs. Select application types that will monitor virus outbreaks. The following application types are available:

        • Anti-virus for workstations and file servers
        • Anti-virus for perimeter defense
        • Anti-virus for mail systems

        By default, all application types are selected.

        You may want to run different tasks depending on the security application type that reports a virus outbreak. In this case, remove the selection of the application types that you do not need.

      • On completing another task

        The current task starts after another task completes. This parameter only works if both tasks are assigned to the same devices. For example, you may want to run the Manage devices task with the Turn on the device option and, after it completes, run the Virus scan task as a triggering task.

        You have to select the triggering task from the table and the status with which this task must complete (Completed successfully or Failed).

        If necessary, you can search, sort, and filter the tasks in the table as follows:

        • Enter the task name in the search field, to search the task by its name.
        • Click the sort icon to sort the tasks by name.

          By default, the tasks are sorted in alphabetical ascending order.

        • Click the filter icon, and in the window that opens, filter the tasks by group, and then click the Apply button.
    • Run missed tasks

      This option determines the behavior of a task if a client device is not visible on the network when the task is about to start.

      If this option is enabled, the system attempts to start the task the next time the Kaspersky application is run on the client device. If the task schedule is Manually, Once or Immediately, the task is started immediately after the device becomes visible on the network or immediately after the device is included in the task scope.

      If this option is disabled, only scheduled tasks run on client devices. For Manually, Once and Immediately schedule, tasks run only on those client devices that are visible on the network. For example, you may want to disable this option for a resource-consuming task that you want to run only outside of business hours.

      By default, this option is disabled.

    • Use automatically randomized delay for task starts

      If this option is enabled, the task is started on client devices at a random time within a specified time interval (a distributed task start). A distributed task start helps to avoid a large number of simultaneous requests by client devices to the Administration Server when a scheduled task is running.

      The distributed start time is calculated automatically when a task is created, depending on the number of client devices to which the task is assigned. Later, the task is always started on the calculated start time. However, when task settings are edited or the task is started manually, the calculated value of the task start time changes.

      If this option is disabled, the task starts on client devices according to the schedule.

    • Use automatically randomized delay for task starts within an interval of

      If this option is enabled, the task is started on client devices randomly within the specified time interval. A distributed task start helps to avoid a large number of simultaneous requests by client devices to the Administration Server when a scheduled task is running.

      If this option is disabled, the task starts on client devices according to the schedule.

      By default, this option is disabled. The default time interval is one minute.

  11. Click the Save button.

The task is created and configured.

In addition to the settings that you specify during task creation, you can change other properties of a created task.

When the Download updates to the repositories of distribution points task is performed, updates for databases and software modules are downloaded from the update source and stored in the shared folder. Downloaded updates will only be used by distribution points that are included in the specified administration group and that have no update download task explicitly set for them.

See also:

Scenario: Regular updating of Kaspersky databases and applications

[Topic 180731]

Configuring managed devices to receive updates only from distribution points

Managed devices can retrieve updates of Kaspersky databases, software modules, and Kaspersky applications from various sources: directly from update servers, from distribution points, or from a local or network folder. You can specify distribution points as the only possible source of updates.

To configure managed devices to receive updates only from distribution points:

  1. In the main menu, go to Assets (Devices) → Policies & profiles.
  2. Click the Network Agent policy.
  3. In the policy properties window, open the Application settings tab.
  4. In the Settings section, turn on the Distribute files through distribution points only toggle button.
  5. Set the lock for this toggle button.
  6. Click the Save button.

The policy will be applied to the selected devices, and the devices will receive updates only from distribution points.

See also:

Scenario: Regular updating of Kaspersky databases and applications

[Topic 188882]

Enabling and disabling automatic updating and patching for Kaspersky Security Center Cloud Console components

Automatic installation of updates and patches for Kaspersky Security Center Cloud Console components is enabled by default during Network Agent installation on the device. You can disable it during Network Agent installation, or you can disable it later by using a policy.

To disable automatic updating and patching for Kaspersky Security Center Cloud Console components during local installation of Network Agent on a device:

  1. Start local installation of Network Agent on the device.
  2. At the Advanced settings step, clear the Automatically install applicable updates and patches for components that have Undefined status check box.
  3. Follow the instructions of the wizard.

Network Agent with disabled automatic updating and patching for Kaspersky Security Center Cloud Console components will be installed on the device. You can enable automatic updating and patching later by using a policy.

To disable automatic updating and patching for Kaspersky Security Center Cloud Console components during Network Agent installation on the device through an installation package:

  1. In the main menu, go to Operations → Repositories → Installation packages.
  2. Click the Kaspersky Security Center Network Agent <version number> package.
  3. In the properties window, select the Settings tab.
  4. Turn off the Automatically install applicable updates and patches for components that have the Undefined status toggle button.

Network Agent with disabled automatic updating and patching for Kaspersky Security Center Cloud Console components will be installed from this package. You can enable automatic updating and patching later by using a policy.

If the check box in step 4 was selected (or cleared) during Network Agent installation on the device, you can subsequently enable (or disable) automatic updating by using the Network Agent policy.

To enable or disable automatic updating and patching for Kaspersky Security Center Cloud Console components by using the Network Agent policy:

  1. In the main menu, go to Assets (Devices) → Policies & profiles.
  2. Click the Network Agent policy.
  3. In the policy properties window, select the Application settings tab.
  4. In the Manage patches and updates section, turn on or off the Automatically install applicable updates and patches for components that have the Undefined status toggle button to enable or disable, respectively, automatic updating and patching.
  5. Make sure to set (Enforce) the lock for this toggle button.

The policy will be applied to the selected devices, and automatic updating and patching for Kaspersky Security Center Cloud Console components will be enabled (or disabled) on these devices.

See also:

Scenario: Regular updating of Kaspersky databases and applications

[Topic 180747]

Automatic installation of updates for Kaspersky Endpoint Security for Windows

You can configure automatic updates of databases and software modules of Kaspersky Endpoint Security for Windows on client devices.

To configure download and automatic installation of updates of Kaspersky Endpoint Security for Windows on devices:

  1. In the main menu, go to Assets (Devices) → Tasks.
  2. Click the Add button.

    The New task wizard starts. Follow the steps of the wizard.

  3. For the Kaspersky Endpoint Security for Windows application, select Update as the task subtype.
  4. Specify the name for the task that you are creating. A task name cannot be more than 100 characters long and cannot include any special characters ("*<>?\:|).
  5. Choose the task scope.
  6. Specify the administration group, the device selection, or the devices to which the task applies.
  7. At the Finish task creation step, if you enable the Open task details when creation is complete option, you can modify the default task settings. If you do not enable this option, the task is created with the default settings. You can modify the default settings later, at any time.
  8. Click the Create button.

    The task is created and displayed in the list of tasks.

  9. Click the name of the created task to open the task properties window.
  10. On the Application settings tab of the task properties window, define the update task settings in local or mobile mode:
    • Local mode: The settings on this tab define how the device receives updates when connection is established between the device and the Administration Server.
    • Mobile mode: The settings on this tab define how the device receives updates when no connection is established between Kaspersky Security Center Cloud Console and the device (for example, when the device is not connected to the internet).
  11. Enable the update sources that you want to use to update databases and application modules for Kaspersky Endpoint Security for Windows. If required, change the positions of the sources in the list by using the Move up and Move down buttons. If several update sources are enabled, Kaspersky Endpoint Security for Windows tries to connect to them one after another, starting from the top of the list, and performs the update task by retrieving the update package from the first available source.

    When Kaspersky Security Center Cloud Console is set as an update source, the updates are downloaded from a distribution point repository, not from the Administration Server repository. Ensure that you assigned distribution points and created the Download updates to the repositories of distribution points task.

  12. Enable the Install approved application module updates option to download and install software module updates together with the application databases.

    If the option is enabled, Kaspersky Endpoint Security for Windows notifies the user about available software module updates and includes software module updates in the update package when running the update task. Kaspersky Endpoint Security for Windows installs only those updates for which you have set the Approved status; they will be installed locally through the application interface or through Kaspersky Security Center Cloud Console.

    You can also enable the Automatically install critical application module updates option. If any updates are available for software modules, Kaspersky Endpoint Security for Windows automatically installs those that have Critical status; the remaining updates will be installed after you approve them.

    If updating the software module requires reviewing and accepting the terms of the License Agreement and Privacy Policy, the application installs updates after the terms of the License Agreement and Privacy Policy have been accepted by the user.

  13. Select the Copy updates to folder check box in order for the application to save downloaded updates to a folder, and then specify the folder path.
  14. Schedule the task. To ensure timely updates, we recommend that you select the When new updates are downloaded to the repository option.
  15. Click Save.

When the Update task is running, the application sends requests to Kaspersky update servers.

Some updates require installation of the latest versions of management plug-ins.

See also:

Scenario: Regular updating of Kaspersky databases and applications

[Topic 180749]

About update statuses

Status is an attribute of software updates that defines whether a particular software update must be installed on a networked device.

An update can have the following statuses:

  • Undefined

    By default, the downloaded software updates have the Undefined status. The undefined updates can only be installed on Network Agent and other Kaspersky Security Center Cloud Console components in accordance with the Network Agent policy settings.

  • Approved

    The approved updates are always installed. If an update requires reviewing and accepting the terms of the End User License Agreement, then you first need to accept the terms.

  • Declined

    The updates for which you set Declined status will not be installed on devices.

You can change statuses of updates for the following software:

  • Network Agent and other Kaspersky Security Center Cloud Console components

    By default, the downloaded updates and patches for Kaspersky Security Center Cloud Console components are installed automatically. If you have left the Automatically install applicable updates and patches for components that have the Undefined status option enabled in the Network Agent properties, then all updates will be installed automatically after they are downloaded to the repository (or several repositories). If this option is disabled, Kaspersky patches that have been downloaded and tagged with the Undefined status will be installed only after you change their status to Approved.

    Updates for Kaspersky Security Center Cloud Console components cannot be uninstalled, even if you set the Declined status for an update.

  • Kaspersky security applications

    By default, updates for the managed applications are installed only after you change the update status to Approved. If a declined update for a security application was previously installed, Kaspersky Security Center Cloud Console will try to uninstall the update from all devices.

See also:

Scenario: Regular updating of Kaspersky databases and applications

[Topic 189899]

Approving and declining software updates

The settings of an update installation task may require approval of updates that are to be installed. You can approve updates that must be installed and decline updates that must not be installed.

For example, you may want to first check the installation of updates in a test environment and make sure that they do not interfere with the operation of devices, and only then allow the installation of these updates on client devices.

Approving and declining updates is available only for Network Agent and managed applications installed on the Windows-based and Linux-based client devices. Seamless updating of Administration Server, Kaspersky Security Center Cloud Console, and management web plug-ins is not supported. To update these components, you have to download the latest versions from the Kaspersky website, and then install them manually.

To approve or decline one or several updates:

  1. In the main menu, go to Operations → Kaspersky applications → Seamless updates.

    A list of available updates appears.

    Updates of managed applications may require a specific minimum version of Kaspersky Security Center to be installed. If this version is later than your current version, these updates are displayed but cannot be approved. Also, no installation packages can be created from such updates until you upgrade Kaspersky Security Center. You are prompted to upgrade your Kaspersky Security Center instance to the required minimum version.

  2. If necessary, accept the EULA by clicking the View and accept License Agreements button.
  3. Select the updates that you want to approve or decline.
  4. Click Approve to approve the selected updates or Decline to decline the selected updates.

    The default value is Undefined.

The updates to which you assign Approved status are placed in a queue for installation.

The updates to which you assign Declined status are uninstalled (if possible) from all devices on which they were previously installed. Also, they will not be installed on other devices in future.

Some updates for Kaspersky applications cannot be uninstalled. If you set Declined status for them, Kaspersky Security Center Cloud Console will not uninstall these updates from the devices on which they were previously installed. However, these updates will never be installed on other devices in future.

If you set Declined status for third-party software updates, these updates will not be installed on devices for which they were planned but have not yet been installed. Updates will remain on devices on which they were already installed. If you have to delete the updates, you can manually delete them locally.

See also:

Scenario: Regular updating of Kaspersky databases and applications

[Topic 180195]

Using diff files for updating Kaspersky databases and software modules

A diff file describes the differences between two versions of a file of a database or software module. The usage of diff files limits traffic on your company's network because diff files occupy less space than entire files of databases and software modules. If the Downloading diff files feature is enabled on a distribution point, the diff files are saved on this distribution point. As a result, devices that take updates from this distribution point can use the saved diff files to update their databases and software modules.

To optimize the usage of diff files, we recommend that you synchronize the update schedule of devices with the update schedule of the distribution point from which the devices take updates. However, traffic can still be saved even if devices are updated several times less often than the distribution point from which they take updates.

Distribution points do not use IP multicasting for automatic distribution of diff files.

To enable the Downloading diff files feature:

  1. In the main menu, go to Assets (Devices) → Tasks.
  2. Click the Download updates to the repositories of distribution points task to open the task properties.
  3. On the Application settings tab, enable the Download diff files option.
  4. Click the Save button.

The Downloading diff files feature is enabled. Diff files of updates will be downloaded in addition to the update files each time the Download updates to the repositories of distribution points task is run.

To check that the Downloading diff files feature is successfully enabled, you can measure the internal traffic before and after you perform the scenario.

See also:

Scenario: Regular updating of Kaspersky databases and applications

[Topic 175487]

Updating Kaspersky databases and software modules on offline devices

Updating Kaspersky databases and software modules on managed devices is an important task for maintaining protection of the devices against viruses and other threats. Administrators usually configure regular updates through usage of the repositories of distribution points.

When you need to update databases and software modules on a device (or a group of devices) that is not connected to a distribution point or the internet, you have to use alternative sources of updates, such as an FTP server or a local folder. In this case you have to deliver the files of the required updates by using a mass storage device, such as a flash drive or an external hard drive.

You can copy the required updates from the following sources:

  • Distribution point.

    To be sure the distribution point repository contains the updates required for the security application installed on an offline device, at least one of the managed online devices in the scope of the distribution point must have the same security application installed. This application must be configured to receive the updates from the distribution point repository through the Download updates to the repositories of distribution points task.

  • Any device that has the same security application installed and configured to receive the updates from a distribution point repository or directly from the Kaspersky update servers.

Below is an example of configuring updates of databases and software modules by copying them from a distribution point repository.

To update Kaspersky databases and software modules on offline devices:

  1. Connect the removable drive to the distribution point device.
  2. Copy the update files to the removable drive.

    By default, the updates are located at: %ALLUSERSPROFILE%\Application Data\KasperskyLab\adminkit\1103\Updates.

  3. On offline devices, configure the security application (for example, Kaspersky Endpoint Security for Windows) to receive updates from a local folder or a shared resource, such as an FTP server or a shared folder.
  4. Copy the update files from the removable drive to the local folder or the shared resource that you want to use as an update source.
  5. On the offline device that requires update installation, start the update task of Kaspersky Endpoint Security for Windows.

After the update task is complete, the Kaspersky databases and software modules are up-to-date on the device.
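
The procedure above moves update files by hand, so it helps to confirm that what reaches the offline device is exactly what left the distribution point. The following PowerShell script is an added example, not part of the Kaspersky documentation or tooling: it performs the copy in steps 2 and 4 and checks every copied file against a SHA-256 manifest written on the distribution point. The script name, parameter names, drive letter and folder names are assumptions; only the repository path comes from this page.

```powershell
# Added example, not Kaspersky tooling. Script name (Sync-Updates.ps1) and all paths are assumptions.
# Distribution point: -Mode Export -Source <repository path from step 2> -Destination E:\Updates -Manifest E:\Updates.sha256.csv
# Offline device:     -Mode Import -Source E:\Updates -Destination C:\KLUpdates -Manifest E:\Updates.sha256.csv
param(
    [Parameter(Mandatory)] [ValidateSet('Export', 'Import')] [string]$Mode,
    [Parameter(Mandatory)] [string]$Source,
    [Parameter(Mandatory)] [string]$Destination,
    [Parameter(Mandatory)] [string]$Manifest   # keep it outside the copied folder
)
$ErrorActionPreference = 'Stop'                # a failed copy or unreadable file aborts the run

function Get-TreeHashes([string]$Root) {
    # One record per file: path relative to $Root plus its SHA-256.
    $rootPath = (Resolve-Path -LiteralPath $Root).Path.TrimEnd('\')
    Get-ChildItem -LiteralPath $rootPath -Recurse -File | ForEach-Object {
        [pscustomobject]@{
            RelativePath = $_.FullName.Substring($rootPath.Length + 1)
            SHA256       = (Get-FileHash -LiteralPath $_.FullName -Algorithm SHA256).Hash
        }
    }
}

# Copy the contents of $Source into $Destination (created if absent).
New-Item -ItemType Directory -Path $Destination -Force | Out-Null
Copy-Item -Path (Join-Path $Source '*') -Destination $Destination -Recurse -Force

if ($Mode -eq 'Export') {
    # Hash the repository itself, not the copy, so a bad write to the drive is caught below.
    Get-TreeHashes $Source | Export-Csv -LiteralPath $Manifest -NoTypeInformation -Encoding UTF8
}

$expected = @{}; $actual = @{}
Import-Csv -LiteralPath $Manifest | ForEach-Object { $expected[$_.RelativePath] = $_.SHA256 }
Get-TreeHashes $Destination | ForEach-Object { $actual[$_.RelativePath] = $_.SHA256 }

$problems = @()
foreach ($path in $expected.Keys) {
    if (-not $actual.ContainsKey($path)) { $problems += "missing: $path" }
    elseif ($actual[$path] -ne $expected[$path]) { $problems += "hash mismatch: $path" }
}
# Files left over from an earlier copy are reported as well.
foreach ($path in $actual.Keys) {
    if (-not $expected.ContainsKey($path)) { $problems += "not in manifest: $path" }
}
if ($problems.Count -gt 0) {
    $problems | ForEach-Object { Write-Warning $_ }
    throw "Update folder '$Destination' does not match the manifest; do not use it as an update source."
}
Write-Output "Verified $($actual.Count) files in '$Destination' against '$Manifest'."
```

A manifest carried on the same drive catches truncated or corrupted copies; to also catch changes made to the drive in transit, deliver the manifest to the offline device by a separate channel.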

See also:

Scenario: Regular updating of Kaspersky databases and applications

[Topic 180902]

Updating Kaspersky Security for Windows Server databases

You can install Kaspersky Security for Windows Server on managed devices and you might want to launch this application's Real-Time File Protection task. However, the application comes without the databases that are needed for it to work correctly. The databases are downloaded to the managed device only after the Download updates to the repositories of distribution points task has completed.

If you want to start the Real-Time File Protection task on a managed device right after Kaspersky Security for Windows Server is installed on it, you must make sure that the databases for that application are downloaded and are up to date. Otherwise, the task might work incorrectly.

To make sure that Kaspersky Security for Windows Server databases are up to date:

  1. Make sure that the Download updates to the repositories of distribution points task has completed on Administration Server.
  2. Do one of the following:
    • In the settings of the Real-Time File Protection task, set the start to At application launch, and then restart the managed device.
    • In the settings of the Real-Time File Protection task, manually set the start time to the time you want.

The Real-Time File Protection task in Kaspersky Security for Windows Server is ready to work correctly.

See also:

Scenario: Regular updating of Kaspersky databases and applications

[Topic 203765]