[Topic 187780]

Kaspersky Next help

New features

• What's new in each version of Kaspersky Next
• Endpoint Detection and Response
  
  

Feature comparison

• Comparison of Kaspersky Next features in different editions
• Comparison of Kaspersky Next features for different Windows types
  
  

How to start

• Getting started with Kaspersky Next
• Initial setup of Kaspersky Next
• Deployment in Kaspersky Next
  
  

Monitoring and reporting

• Widgets and list of events
• Reports on device protection
  
  

Advanced features

• Data Discovery
• Cloud Discovery
• Vulnerability Assessment and Patch Management

[Topic 147133]

What's new

This section contains information about the new features and improvements in each version of Kaspersky Next and Kaspersky Business Hub.

Updates functionality (including providing anti-malware signature updates and codebase updates), as well as KSN functionality may not be available in the software in the U.S.

VERSION 1.0

The first version of Kaspersky Next has been released.

Kaspersky Next is a software solution developed specifically for small, medium-sized, and large businesses. It lets you manage security for multiple endpoints, mobile devices, and file servers remotely, by using a cloud-based console.

Kaspersky Next has two views:

• Pro View

  It provides easier GUI and less features. Recommended for small and medium-sized businesses.

• Expert View

  It provides more complicated GUI and more features. Recommended for large-scale businesses.

By using Kaspersky Next, you can do the following:

• Install and update Kaspersky applications in a centralized way on the computers and mobile devices of your company employees that have been connected to Kaspersky Next.
• Manage device settings and protection by using security profiles.
• Manage and edit user account properties, create user groups, and grant various rights to users.

Kaspersky Next is hosted and maintained by Kaspersky. You do not have to install Kaspersky Next on your computer. You only need a browser and internet access to use Kaspersky Next.

Key features for devices running Windows and macOS include File Threat Protection, Mail Threat Protection, Network Threat Protection, Web Threat Protection, and Firewall.

Key mobile protection features include Web Control, Configurable password; Anti-Malware protection, App Control, and Compliance Control for Android; Configurable Wi-Fi network connection; and Management of embedded iOS features.

[Topic 123486]

About Kaspersky Next

Kaspersky Next is a software solution developed specifically for small and medium-sized businesses. It lets you manage security for multiple endpoints, mobile devices, and file servers remotely, by using a cloud-based console.

By using Kaspersky Next, you can do the following:

• Install and update Kaspersky applications in a centralized way on the computers and mobile devices of your company employees that have been connected to Kaspersky Next.
• Manage device settings and protection by using security profiles.
• Manage and edit user account properties, create user groups, and grant various rights to users.

Kaspersky Next is hosted and maintained by Kaspersky. You do not have to install Kaspersky Next on your computer. You only need a browser and internet access to use Kaspersky Next.

[Topic 177858]

Key features of Kaspersky Next

Kaspersky Next benefits are divided into three main sections.

Ease of use

Simple, intuitive, cloud-based console

Kaspersky Next is managed from a simple cloud-based console. It's available anytime, from any location, and does not require an administrator's device to be located in the same network as the managed devices. When the administrator logs in to the console, a dedicated Getting started page provides straightforward steps for protecting company devices. This page also indicates whether the security setup has reached the Required level, which is adequate most of the time, and how to reach the Recommended level.

After a

Default preconfigured security profile

To save time setting up security, every Kaspersky Next workspace contains a default security profile (see the figure below). A workspace is configured to provide efficient protection for a typical environment. The default security profile is automatically applied on every device after it is connected to the Management Console component of Kaspersky Next. This design lets you save time on security configuration and provides out-of-the-box protection, even without the involvement of an administrator.

Default and custom security profiles

One security profile for all devices

Every security profile contains security settings for devices running Microsoft Windows, Apple macOS, Google Android, and Apple iOS and iPadOS. This arrangement allows you to set up and maintain a single security profile instead of four, assign the profile to users or user groups, and keep the security settings consistent for users.

Simple deployment

Because Kaspersky Next is managed through a browser, the only deployment required is that of security applications on corporate devices. This process consists of four easy steps:

1. Enter the email addresses of employees, in Kaspersky Next.
2. Send the employees an email message with instructions for installing security applications on user devices. The message contains links for downloading the applications.
3. Make sure that employees install the applications on their devices.
4. Match devices, which appear in the Devices section of Kaspersky Next Management Console, with users.

The email message that is generated and sent to employees by Kaspersky Next contains just one installation link. When an employee opens this link on a device, Kaspersky Next identifies the operating system and starts to download the correct installation package. This minimizes potential errors on the staff side.

Advanced security features

Some of the features mentioned in this section are available only if you activated Kaspersky Next under a Kaspersky Next EDR Optimum or XDR Expert license (please refer to the comparison of features for details).

Full set of endpoint protection features

The Kaspersky Endpoint Security components File Threat Protection, Mail Threat Protection, Network Threat Protection, and Web Threat Protection include technologies that shield users from malware, phishing, and other types of threats.

A firewall manages network activity and allows you to block potentially dangerous connections, such as remote desktop connections.

Protection against ransomware

Kaspersky Endpoint Security for Windows provides protection from ransomware for workstations running Windows operating systems and (starting from version 11) also protection from ransomware for file servers running Windows operating systems. The Kaspersky Endpoint Security components Behavior Detection, Exploit Prevention, and Remediation Engine monitor activity of applications on devices and block malicious actions.

Protection of mobile devices

In the corporate environment, mobile devices are becoming as important as wired computers: employees read corporate email, communicate with customers, and handle other crucial information. Kaspersky Next provides all core functionality for the protection and management of mobile devices, which includes the following:

1. Password protection—Guards mobile devices against unauthorized access.
2. Anti-theft protection for Android, iOS, and iPadOS devices—Protects a device from unauthorized access. If the device is lost or stolen, it can be locked remotely or all data can be wiped from it.
3. Anti-malware protection for Android—Protects a device against infections in real time.
4. Feature Control and Web Control—Help to ensure that mobile devices are used for corporate and not personal work.

Vulnerability Assessment and Patch Management

Vulnerability Assessment allows you to detect software

Patch Management allows you to manage updates for the applications installed on your users' devices running Windows, including

Cloud security features

Some of the features mentioned in this section are available only if you activated Kaspersky Next under a Kaspersky Next EDR Optimum or XDR Expert license (please refer to the comparison of features for details).

Cloud Discovery

Cloud Discovery allows you to monitor the use of cloud services on managed devices running Windows and to block access to cloud services that you consider unwanted. Cloud Discovery tracks user attempts to gain access to these services through both browsers and desktop applications. This feature helps you to detect and halt the use of cloud services by shadow IT.

Data Discovery

Data Discovery detects critical information in files that are located in Office 365 cloud storages. You can view the information about each detected file—its name, sharing type (private, within the company, or outside the company), and who edited it last.

Microsoft Office 365 protection

You can use your Kaspersky Next EDR Optimum or XDR Expert license to activate Kaspersky Security for Microsoft Office 365.

Kaspersky Security for Microsoft Office 365 protects your Office 365 corporate email, file sharing, communication, and collaboration services against malware, phishing, spam, and other threats. The available number of mailboxes that you can protect is 1.5 times greater than the number of users in your license limit (rounded up to the nearest integer).

For information about how to work with Kaspersky Security for Microsoft Office 365, please refer to Kaspersky Security for Microsoft Office 365 Help.

Management capabilities

Some of the features mentioned in this section are available only if you activated Kaspersky Next under a Kaspersky Next EDR Optimum or XDR Expert license (please refer to the comparison of features for details).

Web Control

Web Control allows you to manage user actions on the internet, thus improving employee productivity by restricting or blocking access to specific web resources.

Device Control

Device Control ensures the security of confidential data by restricting user access to devices that might be connected to the computer.

Encryption Management

Encryption Management allows you to configure encryption of managed devices running Windows and macOS. Encryption prevents other users from gaining unauthorized access to data stored on the user's device.

Devices running Windows are encrypted by using BitLocker Drive Encryption. Devices running macOS are encrypted by using the FileVault disk encryption feature.

Root-Cause Analysis

Root-Cause Analysis allows you to detect and root out advanced attacks, perform root-cause analysis with a visualized threat development chain graph, and drill down to details for further review.

Endpoint Detection and Response

Endpoint Detection and Response monitors and analyzes threat progression, and provides you with information about possible attacks, to facilitate a timely manual response; or performs the predefined automated response.

[Topic 101540]

Comparison of Kaspersky Next editions

Kaspersky Next comes in three editions: Kaspersky Next EDR Foundations, Kaspersky Next EDR Optimum, and Kaspersky Next XDR Expert. The table below compares the features available in these editions.

Page top

[Topic 138000]

Comparison of Kaspersky Next features for different Windows operating system types

The table below compares Kaspersky Next features available for different Windows operating system types (workstation or server) installed on managed devices.

Page top

[Topic 180753]

About per-user licensing

Kaspersky Next uses per-user licensing. For each user, Kaspersky Next can protect one desktop, laptop, or file server, and up to two Android, iOS, or iPadOS mobile devices.

A user considered as a licensing unit is not the same as a user added to the Management Console. An actual user can own more than the above-mentioned number of devices; or, there can be devices without assigned owners. In either case, these devices will be protected.

The number of users that use Kaspersky Next under a license is calculated by the number of protected devices. The number of users is the total number of protected desktops, laptops, and file servers, or half of the total number of Android, iOS, or iPadOS mobile devices—whichever is larger.

Examples:

• If you protect 10 desktops, laptops, or file servers, and 12 Android, iOS, or iPadOS mobile devices, the number of users that use the software under the license is 10 (which is the number of desktops, laptops, and file servers).
• If you protect 10 desktops, laptops, or file servers, and 32 Android, iOS, or iPadOS mobile devices, the number of users that use the software under the license is 16 (which is half of the number of mobile devices).

You can view the number of users that use the software under your licenses in Kaspersky Next Management Console or on Kaspersky Business Hub.

[Topic 123619]

Hardware and software requirements

You need only a browser to use Kaspersky Next.

Kaspersky Next supports the following browsers:

• Google Chrome 133.0.6943.53 or later
• Microsoft Edge 134.0.3124.66 or later
• Safari 17.6 on macOS
• Yandex Browser 25.2.3.809 or later
• Mozilla Firefox Extended Support Release 128.8.0 or later

When running, Kaspersky Next uses the following Kaspersky applications:

• Kaspersky Endpoint Security 12.7 for Windows

  Once you have prepared the distribution package of the latest version in Management Console, preparing the distribution package of a previous version will not be possible.

  For hardware and software requirements of the security application, refer to Kaspersky Endpoint Security for Windows Help.

• Kaspersky Endpoint Security 12.1 for Mac

  Once you have prepared the distribution package of the latest version in Management Console, preparing the distribution package of a previous version will not be possible.

  For hardware and software requirements of the security application, refer to Kaspersky Endpoint Security for Mac Help.

  Kaspersky Endpoint Security 10 for Mac does not support macOS 10.15 Catalina.
  After the macOS upgrade to the above-mentioned version, the protection of your users' devices by Kaspersky Endpoint Security 10 for Mac is terminated.
  To resume protection of devices, you must download the distribution package of Kaspersky Endpoint Security 11 for Mac, and then deliver it to your macOS users. Users must then install the new version of Kaspersky Endpoint Security for Mac on their devices.

• Kaspersky Endpoint Security 10 for Android

  For hardware and software requirements of the security application, refer to Kaspersky Security for Mobile Help.

[Topic 208747]

Network ports used by Kaspersky Next

To perform various operations in Kaspersky Next, you must open certain ports in the Firewall or proxy server. The required ports are listed in the table below:

Network ports used by Kaspersky Next

Page top

[Topic 254854]

Migrating from Pro View to Expert View

You can migrate your Kaspersky Next workspace from Pro View to Expert View. Expert View is a cloud-based solution that provides you with a much wider range of capabilities for managing the protection of your users' devices.

Migration is an irreversible action. If you decide to go back to Pro View, you will have to connect all devices and define all settings from scratch.

What is migrated and what is not

Migration affects the following objects:

• Users and user groups
• Devices running Windows and macOS
• Security profiles and their settings
• Settings of malware scan and anti-malware database update
• Settings of vulnerability detection and update installation
• IoC scan settings

The following objects are not migrated:

• Devices running Android, iOS, and iPadOS
• Distribution packages of Kaspersky Endpoint Security for Windows and Kaspersky Endpoint Security for Mac
• Endpoint Detection and Response alerts
• Event log

Which Pro View features are not supported by Expert View

Temporarily, Expert View does not support some features of Pro View. To continue using these features, you need to activate your workspace under a Kaspersky Next license during migration.

The following features are accessible in Pro View:

• Managing iOS and iPadOS devices
• Data Discovery

The following features are accessible on Kaspersky Business Hub:

• Creating a Kaspersky Security for Microsoft Office 365 workspace
• Taking cybersecurity training

Migration procedure

To migrate from Pro View to Expert View:

1. Do either of the following:
   • Enter the activation code of a Kaspersky Next license that provides automatic migration to Expert View.
   • If the current license in Kaspersky Next provides manual migration to Expert View, go to Settings, and then click the Start migration link.

   The wizard for migrating to Expert View starts.

2. In the welcome window of the wizard, click the Start wizard button.
3. At the Accept agreements of Expert View step of the wizard, read and accept the terms and conditions of the Agreement and Data Processing Agreement of Expert View.

   If you do not accept the terms and conditions of these agreements, you will not be able to use Expert View.

4. At the Accept End User License Agreements for Network Agents step of the wizard, read and accept the terms and conditions of the End User License Agreements for Network Agents to be installed on devices running Windows and macOS.

   If you do not accept the terms and conditions of these agreements, you will not be able to use Expert View.

5. If Network Agents on your users' devices are protected by a password, the Specify Network Agent password step of the wizard is displayed. Enter the password here, so that the devices are able to connect to Expert View.
6. If your users' devices include devices running Windows and/or macOS, the Select operating system restart options step of the wizard is displayed. Select the required option:
   • Restart devices manually

     Managed devices are not restarted automatically after the operation. To complete the operation, users must restart their devices. This option is suitable for servers and other devices where continuous operation is critical.

   • Restart devices automatically

     Managed devices are always restarted automatically if a restart is required for completion of the operation. This option is useful for devices for which regular pauses in their operation (shutdown or restart) are acceptable.

   • Prompt the user for action

     The restart reminder is displayed on the screen of the managed device, prompting the user to restart it manually. You can change the text of the message for the user. This option is most suitable for workstations where users must be able to select the most convenient time for a restart.

     If the Restart the device forcibly after (minutes) option is enabled, after prompting the user, the application forces a restart of the operating system upon expiration of the specified time interval. Otherwise, users must restart their devices manually. If necessary, change the default value of the time interval (30 minutes).

7. If you started the migration by entering an activation code, and if your users' devices include devices running iOS and iPadOS or Data Discovery is enabled in the workspace, the Activate this workspace under a new license step of the wizard is displayed. Select the check box if you want to continue using features that are not temporarily available in Expert View.

   Click the Start migration button to continue.

8. In the migration confirmation window, click the Start migration button to start migration.

Migration to Expert View starts. During migration, you cannot sign in to your Kaspersky Next workspace.

After migration

After migration completes, the Kaspersky Next workspace works as follows:

• Operation modes of the workspace in Pro View

  If you activated your workspace under a Kaspersky Next license during migration, the mode in which your workspace in Pro View operates is called distributed mode. You can continue using features that are not temporarily available in Expert View only in distributed mode.

  If you skipped activation, the mode is called post-migrated mode. In this case, all protection management is performed in Expert View.

  After migration, you can activate your workspace in Pro View under a Kaspersky Next license as well.

• Devices running Windows and macOS

  The software starts connecting these devices to Expert View automatically. In the Devices → Devices being migrated window in Pro View, you can find the list of devices that are being migrated and their migration status. When a device is successfully migrated, you may delete it from Pro View.

  If the Kaspersky Endpoint Security for Windows version installed on the devices is 12.3 or less, you must update the security application on the devices from Expert View. Otherwise, some features may not work.

• Devices running Android

  You must connect Android devices to Expert View manually. After that, you may delete them from Pro View.

• Devices running iOS and iPadOS

  Temporarily, you can continue managing iOS and iPadOS devices in your workspace in Pro View that operates only in distributed mode.

• Distribution packages of Kaspersky Endpoint Security for Windows and Kaspersky Endpoint Security for Mac

  You can create and download actual distribution packages in Expert View.

For detailed information about how to use Expert View, refer to the Expert View help.

[Topic 169565]

Quick Start Guide

Read this Quick Start Guide to get started with Kaspersky Next. The Guide contains tips for managing the accounts of your users and installing security applications on their devices.

Quick start scenario

After you complete the scenario, the devices in your organization will be protected. The scenario proceeds in stages:

1. Create an account

   To start using Kaspersky Next, you need an account on Kaspersky Business Hub.

   To create an account:

   1. Open your browser and enter the following URL: https://cloud.kaspersky.com.
   2. Click the Create an account button.
   3. Follow the onscreen instructions.
2. Create a workspace

   After you create the account, you can create your first workspace. We recommend that you first create one test workspace, connect your own devices to it, and then test any modifications to the settings, noting the results.

   We recommend that you create a separate workspace for each company that you manage, even if a company has only a few users. By doing this, you will be able to do the following:

   • Change settings for each company individually.
   • Keep track of the license count, and the increase or decrease of the number of users in the company.
   • Assign administrator rights to a user within the company, who can access only that company's workspace.

   To create a company workspace:

   1. Open your browser and enter the following URL: https://cloud.kaspersky.com.
   2. Click the Sign in button.
   3. Follow the onscreen instructions.
3. Perform initial setup of Kaspersky Next

   After you create a company workspace, you must perform initial setup of Kaspersky Next. The initial setup begins automatically when you start Kaspersky Next Management Console for the first time. The Welcome to Kaspersky Next window is displayed. Follow the onscreen instructions.

   When initial setup is complete, Kaspersky Next Management Console is ready to use.

4. Deploy security applications on your users' devices

   When your first workspace is prepared, follow the main setup steps provided in the Information panel → Getting started section. These steps include adding user accounts, connecting devices to Kaspersky Next, and creating a certificate for iOS and iPadOS devices.

   These steps are divided into three groups:

   • Preconfigured

     You already took these steps when you created the workspace.

   • Required

     You must take this step to start protection of the devices.

     Add users by providing their email addresses. An invitation is sent to the email address and it contains the download link to the security application. When the user clicks the link, Kaspersky Next recognizes the device operating system, thus ensuring that the proper software is downloaded.

     As an alternative, you can simultaneously protect multiple devices that are running Windows. To do this, you can deploy security applications by using a Group Policy script.

   • Recommended

     We recommend that you take these steps to enhance the protection of devices.

     1. Once the software has been downloaded and installed on the device of the user, assign the user as the device owner.
     2. Create an Apple Push Notification service (APNs) certificate. The APNs certificate is created in one run. You must follow the steps for its creation without interruption, because the signing process has a time stamp that will expire if the creation process takes too long.
5. Manage protection

   After the security application is installed on a device, the device is assigned the Default security profile. This is the security profile with the default settings that are recommended by Kaspersky experts.

   In the Security management → Security profiles section, you can create different security profiles. Every new security profile holds the default settings until you modify them. You can also copy existing security profiles.

   Each security profile has a tab for each platform: Windows, macOS, Android, and iOS with iPadOS. Note that iOS and iPadOS are configured together.

   When you assign a security profile to a user, the security profile is applied to all devices owned by the user. Only the Default security profile can be applied to devices without owners.

   When creating a security profile, take into consideration the organizational structure of the company that you manage. For example, the security profile for a developer may differ from the one used for a sales representative or a human resources assistant. Name each security profile accordingly.

   We recommend that you prevent users from modifying or deleting the security applications installed on their devices. Therefore, define the following settings:

   • For Windows devices, do the following:
     1. On the Windows → Advanced → Interaction with end users tab, make sure that Password protection is enabled.
     2. Select the operations that a user will be allowed to perform only with the password.
   • For Mac devices, do the following:
     1. On the Mac → Advanced → Interaction with end users tab, choose whether you want the Kaspersky Endpoint Security for Mac application icon visible on the menu bar or not.
     2. On each device in system preferences, use the macOS account type settings (admin or standard user) and the "lock" icon () to prevent the user from removing the software.
   • For Android devices, do the following:
     1. On the Android → Security settings tab, make sure that Screen lock is enabled to protect the device from unauthorized access.
     2. On the Advanced tab, make sure that Kaspersky Endpoint Security for Android cannot be removed.
   • For iOS and iPadOS devices: on the iOS → Security settings tab, make sure that Screen lock is enabled to protect the device from unauthorized access.

   After defining the required settings of security profiles, you can assign security profiles to the intended users.

6. Specify licenses

   After you have created a workspace, you are granted a 30-day trial license that is embedded in your workspace. To continue using Kaspersky Next after the trial license expires, you must purchase a commercial license or a subscription. Click Information panel → License, and then enter the activation code.

   The activation code will be distributed automatically to the security applications, which may take 15 minutes, as the applications attempt to sync with the workspace every 15 minutes.

7. Define other settings (optional)

   You can define other optional settings.

   • By default,
     background scan

     The background scan mode of Kaspersky Endpoint Security for Windows does not display notifications for the user. This scan requires less computer resources than other types of scans (such as a full scan). In this mode, Kaspersky Endpoint Security for Windows scans startup objects, the boot sector, system memory, and the system partition.

     The background scan mode of Kaspersky Endpoint Security for Windows does not display notifications for the user. This scan requires less computer resources than other types of scans (such as a full scan). In this mode, Kaspersky Endpoint Security for Windows scans startup objects, the boot sector, system memory, and the system partition.

     is enabled for devices running Windows. Autorun objects, system memory, and the system partition are scanned when the device is idling for five or more minutes. If you want, you can click the Settings tab and set the schedule for the malware scan. From the Devices tab, you can start the malware scan task.
   • The security applications mostly use the Kaspersky Security Network cloud service in their operation and to a lesser extent the application's anti-malware databases. If you want, you can click the Settings tab and set the schedule for the anti-malware database update. On the Devices tab, you can start the anti-malware database update task.
   • On the Settings tab, you can configure which event notifications you want to view in your events overview.

     The information about events is not aggregated. Each event is sent in a separate email message. If you want to configure the delivery of event notifications, be ready to receive a large number of email messages.

   • On the Distribution packages tab, you can download the software directly and prepare new software when it is available. The newly prepared software will then be distributed to newly invited users.

[Topic 138080]

Getting started with Kaspersky Next

This section describes how to sign up for Kaspersky Business Hub and start using Kaspersky Next.

Additional actions that you can perform in Kaspersky Business Hub are described in Help for Kaspersky Business Hub.

[Topic 175415]

About Kaspersky Business Hub

Kaspersky Business Hub is a portal where you can manage company workspaces for the following Kaspersky software solutions:

• Kaspersky Next
• Kaspersky Security for Microsoft Office 365

Using Kaspersky Business Hub, you can do the following:

• Create an account.
• Edit an account.
• Create a company workspace for a supported Kaspersky software solution.
• Purchase and renew a license for a supported Kaspersky software solution.
• Edit information about companies.
• Take a demo training on malicious software.
• Leave feedback about the training.
• Leave feedback about the supported Kaspersky software solutions.
• Delete a company workspace.
• Delete an account.

[Topic 100057]

Signing up for Kaspersky Next

Signing up for Kaspersky Next consists of the following steps:

1. Creating and confirming an account in Kaspersky Business Hub.
2. Creating a Kaspersky Next company workspace in Kaspersky Business Hub.

[Topic 177929]

Creating an account

This article describes how to create an

As an alternative, you can create an account on My Kaspersky, and then use it to sign in to Kaspersky Business Hub and create your workspace.

Your My Kaspersky account must be created directly on the website and not by using an external authentication provider (like Google). Otherwise, you will not be able to use Kaspersky Business Hub.

To create an account in Kaspersky Business Hub:

1. In your browser, go to Kaspersky Business Hub.
2. Click the Create an account button on the start page of Kaspersky Business Hub.

   The Kaspersky Account portal opens.

3. On the Sign up to enter Kaspersky Business Hub page, enter the email address and password for your account (see the figure below).

   

   Creating an account in Kaspersky Business Hub

4. Click the Privacy Policy link and carefully read the Privacy Policy text.
5. If you are aware and agree that your data will be handled and transmitted (including to third countries) as described in the Privacy Policy and you confirm that you have fully read and understand the Privacy Policy, select the check box next to the text of consent to data processing in accordance with the Privacy Policy, and then click the Create button.

   If you do not accept the Privacy Policy, do not use Kaspersky Business Hub.

6. A message from Kaspersky is sent to the email address that you specified. The message contains a one-time security code.

   Open the email message, and then copy the one-time security code that it contains.

7. Return to Kaspersky Account, and then paste the code to the entry field.

Creation of the account in Kaspersky Business Hub is complete.

[Topic 138046]

Creating a company workspace

Immediately after the account is created, you can create a company workspace for Kaspersky Next on Kaspersky Business Hub.

Before you start, make sure that you know the following:

• The name of the company in which you intend to use the software solution.
• The country in which the company is located. If the company is located in Canada, you must also know the province.
• The total number of company computers and mobile devices that you want to protect.

To create a company workspace on Kaspersky Business Hub:

1. In your browser, go to Kaspersky Business Hub.
2. Click the Sign in button on the start page of Kaspersky Business Hub.
3. Enter the email address and password that you specified when you created the account, and then click the Sign in button.

   The portal displays a page prompting you to accept the Terms of Use of Kaspersky Business Hub.

4. Carefully read the Terms of Use of Kaspersky Business Hub.
5. If you accept the Terms of Use, select the check box under the text of the Terms of Use, and then click the I accept the terms button.

   If you do not accept the Terms of Use, do not use Kaspersky Business Hub.

   If you click the I decline button, you will not be able to continue working with Kaspersky Business Hub and use the software solutions accessible on it.

   After you click the I accept the terms button, the country selection page is displayed.

6. Do any of the following:
   • Select a country from the drop-down list, and then click the Confirm button.

     This information is optional. It is requested only once. The information is required to display license prices in the correct currency. If you do not specify a country, license prices will be displayed in the default currency. You can change the country by contacting Technical Support.

   • If you prefer not to specify a country, click the Skip button.

   The Create a Workspace Wizard starts. Proceed through the Wizard by using the Next button.

7. On the Step 01: Select a software solution page of the Wizard, select the Kaspersky software solution that you plan to use:
   • Kaspersky Next, if you want to protect the computers and mobile devices of company employees.
   • Kaspersky Security for Microsoft Office 365, if you want to protect the Exchange Online mailboxes, OneDrive files, and SharePoint Online sites of company employees.

   If you opt to try the free version of a software solution on any Kaspersky promo page, you are redirected to the Create a Workspace Wizard in which this step of the software solution selection is skipped.

8. On the Step 02: Terms of Use of Kaspersky Next page of the Wizard, do the following:
   1. Carefully read the Agreement, the Privacy Policy, and the Data Processing Agreement for the selected software solution.
   2. If you agree to the terms and conditions of the Agreement and the Data Processing Agreement, and if you are aware and agree that your data will be handled and transmitted (including to third countries) as described in the Privacy Policy, and you confirm that you have fully read and understand the Privacy Policy, select the check boxes next to the three listed documents, and then click the I accept the terms button.

      If you do not agree to the terms and conditions, do not use the selected Kaspersky software solution.

      If you click the I decline button, the workspace creation process on Kaspersky Business Hub will be terminated.

9. On the Step 03: Workspace information page of the Wizard, specify the main details of your company:
   1. Fill in the following required fields:
      • Name of your company. Specify the name of the company in which you intend to use the software solution. You can enter a string up to 255 characters long. The string can contain upper- and lowercase characters, numerals, whitespaces, dots, commas, minuses, dashes, and underscores. The specified company name will be displayed on Kaspersky Business Hub and in Kaspersky Next Management Console.
      • Country. In the drop-down list, select the country in which your company is located. If you select Canada, also specify the province in the State drop-down list that appears below this field.
      • Number of devices. Enter the total number of company computers and mobile devices that you want to protect.

        In the entry field, you can enter a number from 5 to 999. In some regions, the maximum available number of devices may be different.

   2. Fill in the Additional company description field (optional).

      It may be useful if you have more than one workspace on Kaspersky Business Hub. You can enter a string up to 255 characters long. The string can contain upper- and lowercase characters, numerals, whitespaces, dots, commas, minuses, dashes, and underscores.

10. On the Step 04: Additional information page of the Wizard, enter your contact details.

    This page of the Wizard is displayed only once, when you create your first workspace.

    1. Fill in the following fields:
       • Your first name.
       • Your last name.
       • Your phone number.
       • Email address. By default, this field displays the email address specified in the settings of your account on Kaspersky Business Hub. You can specify a different email address.
       • Postal code (only for Austria, Ireland, Switzerland, Liechtenstein, Germany, and the United Kingdom).
    2. The other fields of the form on this page of the Wizard are filled automatically with the details that you specified when you entered the company information. Change them, if necessary.
       • Name of your company.
       • Country.
       • Province (only for Canada).
       • Number of devices.
    3. If you agree to provide your contact details for participation in surveys and to receive information about Kaspersky applications, select the check box next to the appropriate text.

       Providing your contact information is optional. Kaspersky receives your data only if you select this check box.

       This check box is cleared by default.

       After you select this check box, Kaspersky Business Hub displays reCAPTCHA. Follow the onscreen instructions.

    Creation of a company workspace on Kaspersky Business Hub is complete.

    Kaspersky Business Hub displays a page prompting you to wait until the company workspace is ready.

11. In the workspace creation message, click the link to go to the list of companies.
12. Click Go to workspace.

After several minutes, when the workspace is ready, Management Console will open. You can also open Management Console by clicking the link in the email message sent from Kaspersky. You receive this message at the email address that you specified when you created an account on Kaspersky Business Hub.

After Management Console opens, you must perform the initial setup of Kaspersky Next.

Page top

[Topic 138081]

Opening Kaspersky Next Management Console

Right after you create a workspace for Kaspersky Next,

To open Kaspersky Next Management Console:

1. In your browser, go to Kaspersky Business Hub.
2. Sign in to your account on Kaspersky Business Hub by specifying the user name and the password.
3. If you set up two-step verification, enter the one-time security code that is either sent to you by SMS or generated in your authenticator app (depending on the two-step verification method that you set up).

   The portal page displays a list of companies for which you are an administrator.

4. Click the link with the company name (or the arrow icon to the left of it) to expand the node of the required company.

   The portal page displays information about the selected company.

5. Under the name of the selected company, click the Kaspersky Next link or the Go to workspace link to proceed to the workspace of the company.

   Occasionally, a workspace may be unavailable due to maintenance. If this is the case, you will not be able to proceed to Kaspersky Next Management Console. If you try to open the Kaspersky Next workspace, a message appears stating that the server is under maintenance. The message includes the date and time when the server status will be refreshed. Sign in to the workspace after the indicated time.

   You cannot open a workspace that is marked for deletion.

6. If any of the Kaspersky Next legal documents have been changed since you accepted their terms and conditions, the portal page displays the changed documents.

   Do the following:

   1. Carefully read the displayed documents.
   2. If you agree to the terms and conditions of the displayed documents, select the check boxes next to the listed documents, and then click the I accept the terms button.

      If you do not agree to the terms and conditions, stop using the selected Kaspersky software solution.

      If you click the I decline button, the operation will be terminated.

Kaspersky Next Management Console opens.

[Topic 224673]

Migrating from Kaspersky Security Center to Kaspersky Next

If you want to stop using Kaspersky Security Center in your infrastructure and switch to Kaspersky Next, you can do this by using two scenarios:

• Manual migration

  You only need to remotely uninstall Network Agent from your users' devices and remotely install Kaspersky Endpoint Security for Windows that you download from Kaspersky Next.

• Automated migration

  We provide you with a script that automates some stages of the migration process.

[Topic 202598]

Scenario: Manual migration from Kaspersky Security Center to Kaspersky Next

If you want to stop using Kaspersky Security Center in your infrastructure and switch to Kaspersky Next, you only need to remotely uninstall Network Agent from your users' devices and remotely install Kaspersky Endpoint Security for Windows that you download from Kaspersky Next. Protection will be enabled automatically on the devices, according to the

After you complete the scenario in this section, your users' devices will be moved from Kaspersky Security Center to Kaspersky Next.

The scenario proceeds in stages:

1. Open Kaspersky Next Management Console
2. Download a distribution package for Kaspersky Endpoint Security for Windows
3. Archive the downloaded distribution package

   Archive the package in any of the following formats: ZIP, CAB, TAR, or TAR.GZ.

   Place the archived distribution package in a folder that is accessible from the computer on which Kaspersky Security Center is installed.

4. In Kaspersky Security Center, create an installation package

   Create a custom installation package from the file of the distribution package that you have archived.

   In the installation package settings, specify the following command-line parameter:

   -s

   For detailed information about how to perform this stage, refer to the Kaspersky Security Center documentation.

5. On the computer with Kaspersky Security Center, edit the executable_package.kpd file

   The executable_package.kpd file is located in the root folder of the created package. You can find the path to the file in the installation package properties, on the General tab.

   Make sure you have the permissions to edit the specified file.

   Changes that you must make.

   [Setup]
Executable=exec\<executable package name>
Params=-s
[Product]
LocalizedName=<executable package name>
Name=executable_package
[Version]
VerMajor=1
VerMinor=0
VerBuild=0
VerPatch=0
[SetupProcessResult]
Wait=1
[SetupProcessResult_SuccessCodes]
0=
1=
[SetupProcessResult_WarningCodes]
3=
[SetupProcessResult_NeedReboot]
1=
3=
5=

6. In Kaspersky Security Center, create and run a task for remote removal of Kaspersky Endpoint Security for Windows from your users' devices

   For detailed information about how to perform this stage, refer to the Kaspersky Security Center documentation.

7. In Kaspersky Security Center, create a task for remote removal of Network Agent from your users' devices

   After the task is created, go to its settings. In the task schedule, select On completing another task, and then select the Kaspersky Endpoint Security for Windows removal task.

   For detailed information about how to perform this stage, refer to the Kaspersky Security Center documentation.

8. In Kaspersky Security Center, create a task for remote installation of Kaspersky Endpoint Security for Windows on your users' devices

   When creating the task, define the following settings:

   • In Application, select Kaspersky Security Center.
   • In Task type, select Install application remotely.
   • In Select installation package, select the package that you created earlier.
   • Select the Using operating system resources through Administration Server check box.
   • Clear the Using Network Agent check box.

   After the task is created, go to its settings. In the task schedule, select On completing another task, and then select the Network Agent removal task.

   For detailed information about how to perform this stage, refer to the Kaspersky Security Center documentation.

[Topic 224325]

Automated migration from Kaspersky Security Center to Kaspersky Next

You can migrate your users' devices from Kaspersky Security Center to Kaspersky Next by using a script, as described in this section.

You can migrate automatically only devices running Windows.

Before starting the migration procedure, make sure that there is no password for uninstallation protection within the Kaspersky Endpoint Security for Windows and Network Agent policies.
For the time of migration, disable the uninstallation protection if it is enabled. When the devices are connected to Kaspersky Next, you will be able to turn this protection on again via the Kaspersky Next console.

As an alternative, you can view a video instruction for using the migration script. The video includes subtitles in all of the languages supported by Kaspersky Next.

To migrate to Kaspersky Next:

1. On the Kaspersky Security Center server, create a folder.
2. Go to your Kaspersky Next workspace.

   If you do not have a workspace yet, create it.

3. Go to the Distribution packages section.
4. Download the distribution package for Kaspersky Endpoint Security for Windows to the created folder.
5. In any text editor, create a file with the migration script:

   Script contents

6. Save the script as a *.ps1 file to the created folder.
7. Run PowerShell, and then drag and drop the created script there.

   The script will automatically create the following Kaspersky Security Center tasks:

   • Uninstallation of Kaspersky Endpoint Security for Windows from all devices in the Managed devices group, excluding the device with Kaspersky Security Center.
   • Reinstallation of Kaspersky Endpoint Security for Windows on the devices, after which they will be connected to Kaspersky Next.
8. Follow the instructions within the script:
   1. Specify whether the devices for migration are in the domain (Are the devices for migration in the domain? Y/N):
      • If the devices for migration are not in the domain, type N and press Enter.

        You will be asked to type the Kaspersky Security Center Installation Administrator credentials, specify the path to the Kaspersky Next installation package, and then choose whether to perform a force restart of the devices (Force Restart? Y/N).

      • If the devices for migration are in the domain, type Y and press Enter.

        You will be asked to type the Kaspersky Security Center Installation Administrator credentials, specify the path to the Kaspersky Next installation package, specify credentials for a local administrator on the devices, and choose whether to perform a force restart of the devices (Force Restart? Y/N).

      When specifying the path to the Kaspersky Next installation package, you can drag and drop it to the PowerShell window or specify the path manually (but do not forget to add the *.exe extension).

      For detailed information about user roles in Kaspersky Security Center, refer to the Kaspersky Security Center documentation.

   2. Specify whether the devices must be forcibly restarted (Force Restart? Y/N):
      • If you need to perform a force restart, type Y and press Enter, specify the restart delay in minutes, and then choose whether to start the migration immediately (Do you want to start migration now? Y/N).
      • If you do not need to perform a force restart, type N and press Enter. In this case, you will have to run both uninstallation and reinstallation tasks manually from Kaspersky Security Center.
   3. Specify whether the migration must start immediately (Do you want to start migration now? Y/N):
      • If you want the uninstallation task to run automatically, type Y and press Enter. You will need to run only the reinstallation task manually from Kaspersky Security Center.
      • If you are going to run both uninstallation and reinstallation tasks manually from Kaspersky Security Center, type N and press Enter.
9. Open the Kaspersky Security Center Administration Console.
10. In the console tree, open the Tasks folder.
11. If the uninstallation task was not started automatically according to the settings that you defined during the script execution, run the KSC to KES Cloud migration – Uninstall task.
12. If you have configured the force restart of the devices, make sure that the devices rebooted successfully.

    This is required for successful completion of the installation task. To determine that the reboot is successful, you may use the execution statistics of the uninstallation task (wait until it fully completes) and the fact that the Network Agent installation status on all of the devices in the Managed devices section is No.

    Otherwise, restart the devices manually.

13. If your users' devices are not in the domain, open the installation task, and then specify a local administrator account on the devices.
14. Run the KSC to KES Cloud migration – Install KES Cloud task.

After the installation task completes successfully, your users' devices running Windows will be connected to Kaspersky Next (the connection may take up to 15 minutes). The Default security profile (configured by Kaspersky experts) will be automatically applied to each device.

[Topic 138049]

Kaspersky Next Management Console

This section describes the operations that you can perform in Kaspersky Next Management Console.

[Topic 177939]

Initial setup of Kaspersky Next

After you create a company workspace, you must perform the initial setup of Kaspersky Next. The initial setup begins automatically when you start Kaspersky Next Management Console for the first time. The Welcome to Kaspersky Next window is displayed. Proceed with the initial setup as described in this section.

Occasionally, a workspace may be unavailable due to maintenance. If this is the case, you will not be able to proceed to Kaspersky Next Management Console. If you try to open the Kaspersky Next workspace, a message appears stating that the server is under maintenance. The message includes the date and time when the server status will be refreshed. Sign in to the workspace after the indicated time.

To perform initial setup of Kaspersky Next:

1. In the Welcome to Kaspersky Next window, click the Get started button.

   The Agreements for Kaspersky Endpoint Security for Windows window opens.

   This window displays the texts of the End User License Agreement for Kaspersky Endpoint Security for Windows, the End User License Agreement for Kaspersky Security Center Network Agent, the Supplemental Clauses regarding Data Processing for Kaspersky Endpoint Security for Windows and Network Agent, and the link to the Kaspersky Lab Products and Services Privacy Policy.

2. Carefully read the text of each document.

   If you agree to the terms and conditions of the agreements, and if you are aware and agree that your data will be handled and transmitted (including to third countries) as described in the Privacy Policy, and you confirm that you have fully read and understand the Privacy Policy, select the check boxes next to the listed documents, and then click the I accept the terms button.

   If you do not agree to the terms and conditions, do not use the security applications. If only some of the check boxes are selected, you will not be able to manage Windows devices in Kaspersky Next. The Agreements for Kaspersky Endpoint Security for Windows window will close.

   You can agree to the terms of the agreements later in the Distribution packages section when you prepare a distribution package of Kaspersky Endpoint Security for Windows.

   The Agreements for Kaspersky Endpoint Security for Mac window opens.

   This window displays the texts of the End User License Agreement for Kaspersky Endpoint Security for Mac, the End User License Agreement for Kaspersky Security Center Network Agent, and the link to the Kaspersky Lab Products and Services Privacy Policy.

3. Carefully read the text of each document.

   If you agree to the terms and conditions of the agreements, and if you are aware and agree that your data will be handled and transmitted (including to third countries) as described in the Privacy Policy, and you confirm that you have fully read and understand the Privacy Policy, select the check boxes next to the listed documents, and then click the I accept the terms button.

   If you do not agree to the terms and conditions, do not use the security applications. If only some of the check boxes are selected, you will not be able to manage Mac devices in Kaspersky Next. The Agreements for Kaspersky Endpoint Security for Mac window will close.

   You can agree to the terms of the agreements later in the Distribution packages section when you prepare a distribution package of Kaspersky Endpoint Security for Mac.

   The Proxy server settings window opens.

4. If necessary, define the proxy server settings, and then click Next.

   The Use of Kaspersky Security Network window opens.

5. Carefully read the Kaspersky Security Network Statement, and then click the I accept the terms button if you agree to them.

   If you click the I decline button, the use of Kaspersky Security Network will be disabled. Other functions of Kaspersky Next will not be affected. If necessary, you can enable the use of Kaspersky Security Network in the Management Console at any time.

   The Get the most out of Kaspersky Next window opens. The window lists the features that Kaspersky experts prompt you to use.

6. If you want to configure these features, make the necessary changes, and then click OK. If configuring a feature requires additional steps, relevant windows open. Follow the onscreen instructions.

   If you click the Later button, you will be able to configure these features at a later time.

The initial setup of Kaspersky Next for your company is complete. Kaspersky Next Management Console is ready to use.

[Topic 101990]

Interface of Kaspersky Next Management Console

This section describes the primary elements of the application interface (see the figure below).

Kaspersky Next Management Console

The left part of the Management Console displays the navigation area.

The right part of the Management Console contains the section contents:

•  Information panel

  In this section, you can:

  • On the Getting started tab—Configure Kaspersky Next and view video instructions for doing this.
  • On the Monitoring tab—Monitor the status of mobile devices and computers.
  • On the Reports tab—Generate and view reports on device protection.
  • On the Event log tab—Monitor events in Kaspersky Next.
  • On the License tab—View, add, or replace the Kaspersky Next license.
•  Users

  In this section, you can:

  • Add and delete users and user groups.
  • Edit user information.
  • Grant administrator rights to users.
•  Devices

  This section displays a list of devices on which users installed security applications. In this section, you can:

  • View the list of devices and device properties.
  • Assign owners to devices.
  • Manage anti-malware database update and malware scan.
  • Send commands to users' mobile devices.
  • Delete devices.
•  Security management

  In this section, you can:

  • In the Security profiles subsection—Manage security profiles (add, configure, and delete security profiles, as well as assign security profiles to users).
  • In the Vulnerability Assessment and Patch Management subsection—View and manage software vulnerabilities that were detected on your users' devices running Windows and updates for the applications installed on the devices, including patches that fix detected vulnerabilities.
  • In the Data Discovery subsection—View the table with the Data Discovery detections.
  • In the Endpoint Detection and Response subsection (if you activated Kaspersky Next under a Kaspersky Next EDR Optimum or XDR Expert license)—View the table with the Endpoint Detection and Response alerts.
  • In the Root-Cause Analysis subsection (if you activated Kaspersky Next under a Kaspersky Next EDR Foundations license)—View the table with the Root-Cause Analysis detections.
  • In the Encryption subsection—Manage the encryption settings of devices running Windows and macOS.
•  Quarantine

  In this section, you can:

  • Disinfect files that could not be disinfected during the malware scan.
  • Restore files to their original folders on the device.
  • Delete files from the section.
•  Distribution packages

  In this section, you can download the distribution packages of the security applications, to install those applications on devices later.

•  Settings

  In this section, you can:

  • Define settings for updates of anti-malware databases, malware scans, and delivery of messages on various events occurring on
    managed devices

    Device with a security application installed that is connected to Kaspersky Next.

    Device with a security application installed that is connected to Kaspersky Next.

    Device with a security application installed that is connected to Kaspersky Next.

    Device with a security application installed that is connected to Kaspersky Next.

    or in Kaspersky Next.
  • Enable and disable Endpoint Detection and Response (if you activated Kaspersky Next under a Kaspersky Next EDR Optimum or XDR Expert license).
  • Enable and disable Root-Cause Analysis (if you activated Kaspersky Next under a Kaspersky Next EDR Foundations license).
  • Enable and disable Data Discovery.
  • Enable and disable Kaspersky Security Network.

The lower part of the left navigation area contains the following links:

• Help

  Click this link to open Help for Kaspersky Next.

• Support

  Click this link to view information about your workspace and your license. You need this information when contacting Kaspersky Technical Support.

• Leave feedback

  Click this link to leave feedback on the Kaspersky Next operation.

• Agreements

  Click this link to view the text of the Agreement and Data Processing Agreement that you accepted when you created your Kaspersky Next workspace.

The upper-left corner of Management Console shows the name of the company whose workspace you are currently in.

The Expand/Collapse () button above the name of the company lets you expand and collapse names of the navigation area settings in the left part of Management Console. If your browser window is too narrow, the names of the navigation area settings and the Expand/Collapse () button are not displayed.

In the lower-left corner of Management Console, clicking the Administrator () icon and your name opens a drop-down list that allows you to do the following:

• Select the Management Console interface language.
• Manage your account settings on Kaspersky Business Hub.
• Proceed to the workspace of another company that you administer on Kaspersky Business Hub.
• Purchase and renew the license on Kaspersky Business Hub.
• Stop your activities and exit Kaspersky Next.

When some Management Console windows (for example, the security profile settings window or certain confirmation windows) open, the main window remains visible but darkened and in the background. When this happens, you can click the left area of the main window. The window that is open in the foreground closes.

[Topic 101048]

Deployment of security applications

This section describes deployment of security applications on the devices of your company's users.

Before you start, make sure that you have an account on Kaspersky Business Hub, have created a workspace for your company, and have opened Kaspersky Next Management Console.

Deployment of security applications includes the following steps:

1. You add users and send them email messages
2. Users install security applications on their devices
3. You view the result of the deployment

As an alternative, you can simultaneously protect multiple devices that are running Windows. To do this, you can deploy security applications by using a Group Policy script.

[Topic 177865]

Adding users and sending email messages

To work with Kaspersky Next, you must add users (company employees) to Kaspersky Next Management Console. Users will be able to independently install

To add users to Kaspersky Next Management Console and send them email messages:

1. Open Kaspersky Next Management Console.
2. Select the Users section.

   The Users section contains a list of users and groups of users that have been added to Kaspersky Next.

   At the beginning, the list displays the single user that has created the workspace.

3. Click the Add users button above the list of users.

   The Add users wizard starts. Proceed through the wizard by using the Next button.

4. At the Enter email addresses step of the wizard, in the entry field, add the email addresses of users.

   You can enter addresses manually, or copy and paste a list of addresses from a text file. Each email address must be typed on a new line or must be separated by a comma (,), a semicolon (;), or a space ( ).

   You can add no more than 999 email addresses of users. If your license permits it, you can add no more than 3000 email addresses of users.

5. At the Check data step of the wizard, verify the data you have entered. The User alias column shows the name of a user mailbox by default.

   If necessary, correct the user email addresses and aliases.

6. At the Send instructions step of the wizard, decide whether you want to send the new users email messages with the instructions for installing a security application on their devices.

   By using a received email message, the user can connect any number of devices running Windows or macOS, but only a single mobile device running Android, iOS, or iPadOS. If the user needs to connect multiple mobile devices, send the user multiple messages based on the number of devices.

   For example, you may want to skip sending instructions when you add administrators who will help you manage users' devices.

   If you activated Kaspersky Next under a trial license, a daily limit of sending email messages is set for the workspace. If this limit is approaching or is exceeded, Management Console warns you that you cannot send the messages to the added users. You can either skip sending instructions or decrease the number of users that you want to add.

7. Click the Finish button to close the wizard.
8. If you proceed through the wizard for the first five times and if you have selected to send instructions, Management Console displays a message with the information about your further actions. Click the OK button to close the message.

   Later, this message will no longer be displayed.

The specified user accounts are added to Kaspersky Next.

If you have selected to send instructions, Kaspersky Next sends users an email message with the instructions for installing security applications on their devices and a link to the security application.

Later, you can send users an email message with instructions at any time by clicking the Send instructions button above the list of users.

[Topic 177941]

Security application installation

After you send users an email message inviting them to connect their devices and a link to the security application, the users can install the security application on their devices.

To install the security application on a device, the user clicks the link in the email message. The download of the proper installation package starts immediately. When the download is complete, installation of the security application starts automatically.

The user can click the link in the message within 336 hours (two weeks) from the time the email message was sent. When this period expires, the user has to request a new email message containing an installation link.

[Topic 177942]

Viewing results of deployment

After users install the security application on their devices, the following changes appear in Kaspersky Next Management Console:

• In the Users section, a list is displayed of the users that have been added, the number of devices connected by each user, and their respective statuses.
• In the Devices section, a list is displayed of the devices on which the users installed the security application. The devices are displayed in the list, with a 15-minute delay following the security application installation. An owner in the Device owner column is specified for all mobile devices. It is recommended to assign owners to all Windows and Mac devices.

[Topic 137548]

Upgrading Kaspersky Next

After Kaspersky Next is upgraded to a new version, you must perform additional setup of the application. Additional setup begins automatically when you start Kaspersky Next Management Console for the first time after an upgrade. The Welcome to the new version of Kaspersky Next window is displayed.

At any time, you can close the additional setup window and skip the procedures described below, as well as reopen it by clicking the New version information link on the Monitoring tab in the Information panel section.

Updates functionality (including providing anti-malware signature updates and codebase updates), as well as KSN functionality may not be available in the software in the U.S.

To perform additional setup of Kaspersky Next:

1. In the Welcome to the new version of Kaspersky Next window, click the Next button.
2. If the new version of Kaspersky Next supports new versions of Kaspersky Endpoint Security for Windows or Kaspersky Endpoint Security for Mac, the New versions of Kaspersky Endpoint Security for Windows and Kaspersky Endpoint Security for Mac are available window opens.

   Click the Prepare button if you want to prepare new distribution packages of the security applications.

   Some time after the distribution package for Kaspersky Endpoint Security for Windows is prepared, the security application on managed devices is automatically updated to the new version. As soon as the automatic update starts, Kaspersky Next displays a notification in the Information panel section. Also, the Distribution packages section displays the status of the automatic update—Package pending (waiting for the distribution package preparation), Pending (waiting for Kaspersky), In progress, or Completed.

   Click the Later button if you want to keep using old versions of the security applications.

3. If obsolete versions of the security applications are installed on managed devices, the Obsolete Kaspersky Endpoint Security 10.0 for Windows is in use window opens.

   Click the I agree button if you want to upgrade the old versions of the security applications to the new ones.

   Click the Later button if you want to keep using old versions of the security applications.

   The Agreements for <security application> window opens.

   This window displays the texts of the End User License Agreement for the security application, the End User License Agreement for Kaspersky Security Center Network Agent, the Supplemental Clauses regarding Data Processing (only for Kaspersky Endpoint Security for Windows), and the link to the Kaspersky Lab Products and Services Privacy Policy.

4. Carefully read the text of each document.

   If you agree to the terms and conditions of the agreements, and if you are aware and agree that your data will be handled and transmitted (including to third countries) as described in the Privacy Policy, and you confirm that you have fully read and understand the Privacy Policy, select the check boxes next to the listed documents, and then click the I accept the terms button.

   If you do not agree to the terms and conditions, do not use the security applications. If only some of the check boxes are selected, you will not be able to upgrade the security applications to the latest versions. The Agreements for <security application> window will close.

   You can agree to the terms and conditions of the agreements later in the Distribution packages section when preparing a distribution package of Kaspersky Endpoint Security for Windows or Kaspersky Endpoint Security for Mac.

   The Proxy server settings window opens.

5. If necessary, define the proxy server settings, and then click Next.

   The Manage features of Kaspersky Next window opens. The window lists the features that Kaspersky experts prompt you to use.

6. If you want to configure these features, make the necessary changes, and then click OK. If configuring a feature requires additional steps, relevant windows open. Follow the onscreen instructions.

   If you click the Later button, you will be able to configure these features at a later time.

   The Use of Kaspersky Security Network window opens.

   The window displays the texts of the Kaspersky Security Network Statement for the security applications that you chose to upgrade.

7. Carefully read each Kaspersky Security Network Statement, and then select the corresponding check boxes if you agree to the described terms and conditions.
8. Click the I accept the terms button.

   If you click the I decline button, the use of Kaspersky Security Network will be disabled. Other functions of Kaspersky Next will not be affected. If necessary, you can enable the use of Kaspersky Security Network in the Management Console at any time.

Additional setup of Kaspersky Next for your company is complete. Kaspersky Next Management Console is ready to use.

[Topic 101288]

Managing user accounts

This section contains information about how to manage user accounts in Kaspersky Next. You can take the following actions on user accounts:

• View and edit the list of users.
• Create groups of users and distribute users among these groups.
• Grant rights to users.
• Edit user information.

[Topic 101706]

Viewing the list of users

The Users section of Kaspersky Next Management Console displays users and groups of users that have been added to the Management Console.

The list contains columns with the following details of users and their devices:

• Status. An icon reflects the protection status of the user's devices (computers and/or mobile devices that have been connected to Kaspersky Next), in descending order of severity:
  • (Critical). A critical event occurred on at least one user's device.
  • (Warning). An important event that must be attended to occurred on at least one user's device.
  • (OK). No critical or important events occurred on user's devices.
  • (No data yet). The user owns no devices that have been connected to Kaspersky Next or no data can be retrieved concerning the events that have occurred on such devices.

  If the user owns several devices with different statuses, the most severe status is displayed. For example, if an important event and a critical event occur on different devices, the status corresponding to the critical one will be displayed.

• User / Group. This contains the user name and email address (for stand-alone users), or the group name and the number of users in the group (for groups of users). You can click the link with the name to go to the page with detailed information about the user or group of users.
• Number of devices. This contains the number of devices that are owned by the user or group of users and are connected to Kaspersky Next.
• Comment. This contains the comment that you typed when editing the user information or adding the group of users.
• Access rights. This contains the access rights that have been granted to the user. The Admin tag means that the user has been granted administrator rights. If the user has not been granted administrator rights, this column remains blank for this user.
• Security profile. This contains the security profile that has been assigned to the user account or group of users. If necessary, you can assign a different security profile by selecting one in the drop-down list. The security profile that you assigned is immediately applied to the user's devices.

You can filter the list of user accounts by status of the user's devices.

To filter the list of user accounts,

Next to Show users, click the link with the required status.

To remove the filter,

Click the All link.

You can sort the list of user accounts by column: Status, User / Group, Number of devices, Comment, or Access rights.

To sort the list,

Click the link containing the column name.

The column name is displayed in uppercase characters. Next to the name of the column, an up arrow (˄) indicates the sorting direction. To change the sorting direction, click one more time. Next to the name of the column, a down arrow (˅) appears.

The Search entry field is located above the list. You can use this field to quickly find and switch to an object in a long list.

Page top

[Topic 101060]

Creating groups of users

You can create groups of users to quickly assign users security profiles that match their respective tasks and scope of duties.

You can create up to 50 groups of users.

To create a group of users:

1. Open Kaspersky Next Management Console.
2. Select the Users section.

   The Users section contains a list of users and groups of users that have been added to Kaspersky Next.

3. Click the Create group button above the list of users.

   The Create a group window opens (see the figure below).

   

   Creating a user group in Kaspersky Next

4. In the Group name and Comment entry fields, enter the name of a user group and a comment.

   You can enter a string up to 255 characters long. The string can contain upper- and lowercase characters, numerals, whitespaces, dots, commas, minuses, dashes, and underscores.

5. In the Security profile drop-down list, select the security profile that you want to assign to the group.

   The Default security profile is selected for each group by default. The Default security profile is configured by Kaspersky experts for devices running Windows, Mac, Android, iOS, and iPadOS.

6. Under Members, select the check boxes next to the user accounts that you want to add to the group. If a user account is currently added to another group, it will be moved to the new one.

   As an alternative, you can add users to the group after it is created.

7. Click the OK button.

A newly created group appears in the list of users and groups of users (see the figure below).

Newly created group in the list of Kaspersky Next users

[Topic 101293]

Editing user information

To edit information about a user:

1. Open Kaspersky Next Management Console.
2. Select the Users section.

   The Users section contains a list of users and groups of users that have been added to Kaspersky Next.

3. In the list, select the check box next to the user whose information you want to edit.
4. Click the Edit button above the list of users.

   This opens a window containing detailed information about the user.

5. Edit the user's information:
   • User alias
   • Email address

     You cannot edit the email addresses of users that have been granted administrator rights. These users can edit their email addresses on their own in Kaspersky Business Hub.

   • Comment

   If you want to move users to a group, grant administrator rights to users (or revoke administrator rights), or send users instructions for installing a security application on their devices, click the corresponding buttons in the Commands section.

6. Click the Save button.

You can also edit user information when opening a user window. To edit user information, click the link with the user account name, and then click Edit.

The information you edited is shown in the list of users and on the page with the user settings.

[Topic 101439]

Adding users to a group

You can add user accounts to a previously created group, either from the list of users or from inside the group.

To add user accounts to a group from the list of users:

1. Open Kaspersky Next Management Console.
2. Select the Users section.

   The Users section contains a list of users and groups of users that have been added to Kaspersky Next.

3. In the list of users, select the check boxes next to the user accounts that you want to add to the group.
4. Click the Move to group button above the list.

   The Move to group button is available only if at least one group has been created.

   The Move users to group window opens.

5. In the drop-down list, select the name of the group to which you want to move the selected user accounts.
6. Click the OK button.

User accounts are added to the group.

A user added to a group does not appear on the general list of users. The security profile that was assigned to the user is replaced with the security profile assigned to the group to which the user account has been added.

To add user accounts to a group from inside the group:

1. Open Kaspersky Next Management Console.
2. Select the Users section.

   The Users section contains a list of users and groups of users that have been added to Kaspersky Next.

3. Click the name of the group to which you want to add user accounts.

   The group window appears.

4. Click the Add users to group button.

   The Add users to the <group name> group window appears.

5. Select whether you want to add existing users or new users, and then click the Next button.
6. If you have selected to add existing users, Kaspersky Next displays the list of user accounts. Select the check boxes next to the user accounts that you want to add to the group, and then click the Save button.

   If you have selected to add new users, the Add users window opens. Further actions are the same as when you initially added users to Kaspersky Next.

User accounts are added to the group.

A user added to a group does not appear on the general list of users. The security profile that was assigned to the user is replaced with the security profile assigned to the group to which the user account has been added.

Page top

[Topic 140895]

User roles and managing user rights

This section contains information about user roles in Kaspersky Next, granting administrator rights to a user, and revoking the administrator rights of a user.

[Topic 140082]

About user roles in Kaspersky Next

A role in Kaspersky Next consists of a set of rights to perform certain actions with objects of Kaspersky Next.

In Kaspersky Next there are two roles:

• Administrator

  Administrators can configure Kaspersky Next by, for example, adding users, adding computers and mobile devices, configuring security profiles, and providing administrator rights to users.

  The users whose accounts are granted administrator rights in Kaspersky Next also acquire Kaspersky Business Hub administrator rights within an organization (including the Kaspersky Security for Microsoft Office 365 workspace for the same company).

• User

  Users can install a security application on their devices (computers and mobile devices).

[Topic 101061]

Granting administrator rights to a user

To grant administrator rights to a user:

1. Open Kaspersky Next Management Console.
2. Select the Users section.

   The Users section contains a list of users and groups of users that have been added to Kaspersky Next.

3. Proceed to the user information page by clicking the link with the user name.
4. Click the Grant administrator rights button to grant the user administrator rights.

The specified user is granted administrator rights.

If the users do not have accounts on Kaspersky Business Hub, they receive an email message containing a registration link for Kaspersky Business Hub. If the users already have accounts on Kaspersky Business Hub, they receive an email message confirming their administrator role in their Kaspersky Next workspace.

On the page containing user information and in the list of user accounts, the Admin tag on the red background appears in the Access rights column next to the name of a user account. This tag indicates that the user has administrator rights.

[Topic 140084]

Revoking the administrator rights of a user

To revoke a user's administrator rights:

1. Open Kaspersky Next Management Console.
2. Select the Users section.

   The Users section contains a list of users and groups of users that have been added to Kaspersky Next.

3. Click the link with the user name.

   A window opens containing user information.

4. Click the Revoke administrator rights button to revoke the user's administrator rights.

The user no longer has administrator rights.

An email message about the revocation of administrator rights is sent to the user.

The Admin tag (white letters on a red background) disappears from the window containing user information and, in the Users section, from the Access rights column next to the name of the account of this user.

[Topic 101291]

Deleting user accounts

To delete user accounts from the list of users:

1. Open Kaspersky Next Management Console.
2. Select the Users section.

   The Users section contains a list of users and groups of users that have been added to Kaspersky Next.

3. If you want to delete user accounts that are added to a certain group, click the name of that group.

   If you want to delete user accounts from the general list of users, skip this step.

4. Select the check boxes next to the names of the user accounts that you want to delete.

   You cannot delete user accounts and groups of users in one operation.

5. Click the Delete button above the list.

After confirmation of user deletion, Kaspersky Next deletes the user accounts from the list.

If a selected user is an administrator, the user is sent an email message about revoking administrator rights. This user can no longer manage the workspace.

If a selected user owned managed devices running Windows and macOS, these devices become unassigned.

There are restrictions on the deletion of users:

• You cannot delete the account of a user that has managed mobile devices. In this case, you must first delete the devices owned by that user.
• You cannot delete your own account.

[Topic 140905]

Deleting groups of users

To delete groups of users from the list of users:

1. Open Kaspersky Next Management Console.
2. Select the Users section.

   The Users section contains a list of users and groups of users that have been added to Kaspersky Next.

3. Select the check boxes next to the names of the groups of users that you want to delete.

   You cannot delete user accounts and groups of users in one operation.

4. Click the Delete button above the list.

   Depending on the number of groups selected for deletion, the Delete group "<group name>" or Delete groups (<number of groups>) window opens.

5. If at least one of the selected groups contains at least one user account, select what to do with these user accounts:
   • Keep users and move to another group

     Select this option if you want to keep user accounts from the groups that are being deleted.

     Under Move users to group, select where to move these user accounts: another existing group or the general list of users.

   • Delete users with a group

     Select this option if you want to delete user accounts together with the groups that are being deleted.

6. Click the Delete button to confirm the group deletion.

If you selected to move user accounts, the groups of users are deleted.

If you selected to delete users together with groups, Kaspersky Next performs the same actions and has the same restrictions as when deleting user accounts. Groups that contained no users or contained only deletable users are deleted. Other groups are kept.

[Topic 101128]

Managing devices

This section contains information about how to connect devices running various operating systems to Kaspersky Next, view the list of devices, rename devices, and remove devices.

[Topic 101710]

Viewing the list of devices

The Devices section of Kaspersky Next Management Console displays a list of devices that are connected to the application. Those are the devices on which a security application is installed.

The list contains columns with the following information about devices and their owners:

• Status. An icon reflects the protection status of the device that has been connected to Kaspersky Next, in descending order of severity:
  • (Critical). A critical event occurred on the device.
  • (Warning). An important event that must be attended to occurred on the device.
  • (OK). Neither critical nor important events occurred on the device.
  • (No data yet). No data can be retrieved concerning the events that have occurred on the device.
• OS. Contains the name of the operating system installed on the device.
• Name. Contains the device name, and specifies the name and version of the operating system installed on the device. You can click the link with the name of a device to proceed to the page containing detailed information about the device.
• Device owner. Contains the user account name of the device owner and the email address of the device owner.

  If the device does not have an assigned owner, Unassigned is displayed instead. If the device is running Windows, Kaspersky Next displays the View last signed-in link that leads to the device properties window. There, you can view the user alias of the last person who signed in on this device.

• Group name. Contains the name of the group to which the device owner belongs.
• Security profile. Contains the name of the security profile assigned to the device.

You can filter the list of devices by device status.

To filter the list of devices,

Next to Show devices, click the link with the required device status.

To remove the filter,

Click the All link.

You can sort the list of devices by column: Status, OS, Name, Device owner, or Group name.

To sort the list,

Click the link containing the column name.

The column name is displayed in uppercase characters. Next to the name of the column, an up arrow (˄) indicates the sorting direction. To change the sorting direction, click one more time. Next to the name of the column, a down arrow (˅) appears.

The Search entry field is located above the list. You can use this field to quickly find and switch to an object in a long list.

Page top

[Topic 143160]

About device statuses

The Devices section of Kaspersky Next Management Console displays the protection statuses of managed devices. The Users section displays the protection statuses of the users' devices.

A device can have one of the following protection statuses:

•  Critical
•  Warning
•  OK
•  No data yet

The  Critical and  Warning protection statuses are based on certain conditions and their values. These conditions and their values are configured by Kaspersky experts. You can find the condition that caused the protection status of a specific device in the properties of the device.

The table below lists these conditions and the possible actions that you can perform to switch the protection status from  Critical or  Warning to  OK:

Conditions that cause the  Critical or  Warning device status, and possible actions

Page top

[Topic 138145]

Viewing the properties of a device

You can view the properties of any managed device, including a device that is marked for deletion.

To view the properties of a device,

Do any of the following:

• For any device: In the Devices section or in the Devices → Marked for deletion section, click the link with the device name.
• For a device that is running Windows and that is not assigned an owner: In the Devices section or in the Devices → Marked for deletion section, click the View last signed-in link.

The device properties window opens. Depending on the operating system of the device, this window can show the following details:

• Device status

  Device protection status. These statuses are the same as those in the list of devices.

  If the status is Critical or Warning, Kaspersky Next displays information about the problems with the device and, if available, recommendations from Kaspersky experts about how to fix the problems.

• Security application uninstallation status and detailed information (only for the devices that are marked for deletion). The uninstallation statuses are the same as those in the list of devices that are marked for deletion.
• Device type

  Type of the device: Server or Workstation.

• NetBIOS name

  Windows network name of the device.

• Device owner

  Name and email address of the device owner.

  If no owner is assigned to the device, Unassigned is displayed instead. You can assign an owner to the device.

  If a device without an owner is running Windows, Kaspersky Next displays the user alias of the last person who signed in on this device. You can use this information when selecting the user that you want to assign as the device owner.

• Security profile

  Name of the security profile applied to the device.

• Total number of threats detected

  Total number of threats detected on the device since installation of the security application (first scan).

• Status of anti-malware databases

  Information about whether the anti-malware databases on the device are up to date.

• Anti-malware databases last updated on

  Date and time when the anti-malware databases on the device were last updated. If the device is running Windows, this field also takes into account updates of the Kaspersky Endpoint Security for Windows components on the device.

• Last connected to Server

  Date and time Network Agent installed on the device last connected to the Administration Server.

• Operating system (for devices running Windows or macOS) or Device model and OS (for devices running Android, iOS, or iPadOS)
• IMEI

  International Mobile Equipment Identity, a unique number to identify mobile devices.

• Unlock code

  Code for unlocking the mobile device (if supported).

• Version of Kaspersky Endpoint Security for Windows or Version of Kaspersky Endpoint Security for Mac
• Version of Network Agent

  A program component that enables interaction between the Administration Server and the security applications that are installed on devices connected to Kaspersky Next. Security applications for Windows devices and for Mac devices use different versions of Network Agent.

  A program component that enables interaction between the Administration Server and the security applications that are installed on devices connected to Kaspersky Next. Security applications for Windows devices and for Mac devices use different versions of Network Agent.

  A program component that enables interaction between the Administration Server and the security applications that are installed on devices connected to Kaspersky Next. Security applications for Windows devices and for Mac devices use different versions of Network Agent.

  A program component that enables interaction between the Administration Server and the security applications that are installed on devices connected to Kaspersky Next. Security applications for Windows devices and for Mac devices use different versions of Network Agent.

  A program component that enables interaction between the Administration Server and the security applications that are installed on devices connected to Kaspersky Next. Security applications for Windows devices and for Mac devices use different versions of Network Agent.

• Encryption recovery key

  Information about the recovery key (for encrypted devices running Windows or macOS). This data will allow you to help a user who has forgotten an encryption password.

• Device IP address

  IP address of the device.

• Connection IP address

  IP address of the network device (for example, a router) that the device uses to connect to the server. If a network device is not used, this field is not displayed.

• Event log

  List of the latest events that occurred on the device.

In the device properties window, you can do the following:

• Rename the device.
• Assign the device owner, if the device is running Windows or macOS, and if an owner is not assigned yet.
• View and edit the security profile that is assigned to the device owner.
• Send commands to the device, if the device is running Windows, Android, iOS, or iPadOS.
• Start a malware scan on the device if the device is running macOS 11.3 or later, or Windows.

[Topic 101066]

Connecting Windows devices and Mac devices

You can connect Windows devices and Mac devices to Kaspersky Next by using one of the following methods:

• When adding user accounts, send an email message with an automatically generated link to download a security application. A user that receives the message clicks the link in the message, and then installs an application on the device.
• Download the distribution package of the security application and install the downloaded application on the device.

  This method can be used for adding devices that have no defined users (for example, servers).

• Copy a link to the distribution package of the security application and send it in any convenient way.

  This method can be used if you want other users to add devices that have no defined users (for example, servers).

• Use a Group Policy script to deploy security applications on multiple devices.

During installation, Kaspersky Endpoint Security for Windows tries to uninstall an incompatible security application from a device.

After you install the security application by using any of the above methods, the device is displayed in Kaspersky Next Management Console.

Regardless of the method for connecting the Windows device or Mac device, it is recommended to assign the device owner.

[Topic 138029]

Preparing the distribution package of a security application

You can download the distribution package of a security application or copy a link to the distribution package only if you first prepared the distribution package. Preparing a distribution package includes accepting the terms of the following documents for the security application: End User License Agreement (EULA), Privacy Policy, and Kaspersky Security Network Statement. If you accepted the terms of these documents when you first opened Kaspersky Next Management Console, the distribution packages are prepared.

To prepare a distribution package after the first opening of Management Console:

1. Open Kaspersky Next Management Console.
2. Select the Distribution packages section.

   The Distribution packages section contains distribution packages of security applications for Windows and Mac devices.

3. In the block of the required distribution package, click the Prepare button.

   If the distribution package has already been prepared, the Download button is displayed on the right. No further actions are required.

4. If an old version of the security application is found, the application prompts you to remove this version. Click the I agree button to remove the old version of the security application.

   The Agreements for <security application> window opens.

   This window displays the texts of the End User License Agreement for the security application, the End User License Agreement for Kaspersky Security Center Network Agent, the Supplemental Clauses regarding Data Processing (only for Kaspersky Endpoint Security for Windows), and the link to the Kaspersky Lab Products and Services Privacy Policy.

5. Carefully read the text of each document.

   If you agree to the terms and conditions of the agreements, and if you are aware and agree that your data will be handled and transmitted (including to third countries) as described in the Privacy Policy, and you confirm that you have fully read and understand the Privacy Policy, select the check boxes next to the listed documents, and then click the I accept the terms button.

   If you do not agree to the terms and conditions, do not use the security applications. If only some of the check boxes are selected, you will not be able to download the distribution package. The Agreements for <security application> window will close.

   The proxy server settings window opens.

6. If necessary, define the proxy server settings, and then click Next.

   The Use of Kaspersky Security Network window opens.

7. Carefully read the Kaspersky Security Network Statement, and then click the I accept the terms button if you agree to them.

   If you click the I decline button, the use of Kaspersky Security Network will be disabled. If you want, you can enable the use of Kaspersky Security Network in the Management Console at any time.

The distribution package is prepared.

You can now download the distribution package or copy the link to the distribution package.

Some time after the distribution package for Kaspersky Endpoint Security for Windows is prepared, the security application on managed devices is automatically updated to the new version. As soon as the automatic update starts, Kaspersky Next displays a notification in the Information panel section. Also, the Distribution packages section displays the status of the automatic update—Package pending (waiting for the distribution package preparation), Pending (waiting for Kaspersky), In progress, or Completed.

Users of macOS devices must install the new version of Kaspersky Endpoint Security for Mac on their devices manually.

[Topic 138111]

Downloading distribution package of a security application

You must download the distribution package of a security application if you want to install the application on Windows devices or Mac devices that have no defined users (for example, on servers), or if you want to simultaneously protect multiple devices running Windows.

Also, after a new version of Kaspersky Endpoint Security for Mac is released, you must download and deliver the distribution package to your macOS users. Users can then install the new version of Kaspersky Endpoint Security for Mac on their devices. On devices with Kaspersky Endpoint Security for Windows, the security application is automatically updated to the new version.

A distribution package is valid for approximately 30 days. We recommend that you download the distribution package anew every time you plan to install the security application or deliver the distribution package to your users.

As an alternative, you can copy a link to a distribution package and send this link to another user in any convenient way. That user will download the distribution package by clicking the received link.

To download the distribution package of a security application:

1. Open Kaspersky Next Management Console.
2. Select the Distribution packages section.

   The Distribution packages section contains distribution packages of security applications for Windows and Mac devices. Email messages that you send to users also include a link to these packages.

3. If the required distribution package is not prepared, the Prepare button is displayed on the right. Click this button and prepare the distribution package.
4. If necessary, click the Proxy server link below the required distribution package and define the proxy server settings.
5. Next to the required distribution package, click the Download button.

   The distribution package will be downloaded to the computer in the default folder that is configured for saving downloaded files.

   To save the distribution package to a specific folder on the computer, you can select Save as in the context menu of the relevant distribution package. In the window that opens, specify the folder and file name.

The selected distribution package is downloaded.

[Topic 256050]

Copying a link to a distribution package

As an alternative to downloading a distribution package from Management Console, you can copy a link to a distribution package and send this link in any convenient way. Use this method if you want another user to install the application on Windows devices or Mac devices that have no defined users (for example, on servers), or to simultaneously protect multiple devices running Windows.

Also, after a new version of Kaspersky Endpoint Security for Mac is released, you must deliver the link to the distribution package to your macOS users. Users can then install the new version of Kaspersky Endpoint Security for Mac on their devices. On devices with Kaspersky Endpoint Security for Windows, the security application is automatically updated to the new version.

The link is identical for the distribution packages of Kaspersky Endpoint Security for Windows and Kaspersky Endpoint Security for Mac. It means that if you need to download both security applications, you can copy the link only once.

A distribution package is valid for approximately 30 days. We recommend that you copy a link anew every time you want users to install the security application.

To copy a link to a distribution package:

1. Open Kaspersky Next Management Console.
2. Select the Distribution packages section.

   The Distribution packages section contains distribution packages of security applications for Windows and Mac devices.

3. If the required distribution package is not prepared, the Prepare button is displayed on the right. Click this button and prepare the distribution package.
4. In the block of the required distribution package, click the vertical ellipsis, and then click Copy link.

   The vertical ellipsis is available only if the most recent distribution package for the security application has been prepared.

The link to the distribution package is copied to the Clipboard. You can now send this link to another user in any convenient way.

[Topic 159962]

Adding Windows devices and Mac devices without users

This section describes how to protect devices that have no defined users (for example, servers).

To add a Windows device or a Mac device to Kaspersky Next:

1. Download the distribution package of the required security application.
2. When the download is complete, open the folder with the distribution package, and then run installation of the distribution package, depending on the device's operating system.

   You can copy the distribution package to a removable drive (such as a flash drive) for further installation on other Windows devices or Mac devices of the company.

After the security application is installed, the added Windows devices and Mac devices appear in the Devices list. The security profile named Default is applied to these devices.

[Topic 153113]

Deploying security applications by using Active Directory

If Active Directory is used in your company, you can deploy Kaspersky Endpoint Security for Windows on multiple devices simultaneously.

The procedure in this section contains a pre-configured logon script. This script runs automatically every time a device starts up and checks whether Kaspersky Endpoint Security for Windows installation has been started on the device. If it has not been started, the script runs the installation in silent mode.

To deploy security applications on multiple Windows devices by using Active Directory:

1. Download the distribution package of the required security application.
2. Save the package to a shared folder that is accessible to the devices on which you want to deploy security applications.

   We recommend that you select a folder for which the full path does not contain space characters.

   If the package name contains spaces, remove them or change them to the underscore (_) character.

3. Go to the folder with the downloaded package and create a .bat file with the following script:

   set SHARE_PATH=<path to distribution package>
set PACKAGE_NAME=<name of distribution package>
set __KESCLOUD_ROOT_KEY="HKLM\Software\KasperskyLab\KESCloud"
set __KESCLOUD_KEY_NAME="<name of registry entry>"
set __KESCLOUD_PACKAGE_FULL_PATH="%SHARE_PATH%\%PACKAGE_NAME%"
set __KESCLOUD_PACKAGE_ARGUMENTS=-s
REG QUERY %__KESCLOUD_ROOT_KEY% /v %__KESCLOUD_KEY_NAME% | FIND "0x1"
IF %ERRORLEVEL% == 1 GOTO INSTALL
GOTO END
:INSTALL
REG ADD %__KESCLOUD_ROOT_KEY% /v %__KESCLOUD_KEY_NAME% /t REG_DWORD /f /D 1
%__KESCLOUD_PACKAGE_FULL_PATH% %__KESCLOUD_PACKAGE_ARGUMENTS%
:END

   Here:

   • <path to distribution package> stands for the actual path to the shared folder with the downloaded distribution package. We recommend that you avoid using quotation marks.
   • <name of distribution package> stands for the actual name of the downloaded distribution package. We recommend that you avoid using quotation marks.
   • "<name of registry entry>" stands for the name of the registry entry that is used to confirm that the installation has been started. You can specify any name that contains numeric and Latin characters. We recommend that you use the Kaspersky Endpoint Security for Windows version number in quotation marks.
4. Go to Control Panel → Administrative Tools, and then open Group Policy Management.
5. Expand the node with the required domain, and then click Group Policy Objects.

   

   Group Policy Objects node in Group Policy Management window

6. In the right pane, right-click the empty space, and then select New.

   

   New context menu item in Group Policy Management window

7. Name the new object as you like. Click OK to save the object.
8. Right-click the created object, and then select Edit.
9. Specify that you want Kaspersky Endpoint Security for Windows installed on the devices at the operating system startup. To do so:
   1. Expand the Computer Configuration → Policies → Windows Settings node, and then select Scripts (Startup/Shutdown).
   2. In the right pane, right-click Startup, and then select Properties.

      

   Properties context menu item in Group Policy Management window

   1. In the Startup Properties window that opens, click Add.
   2. In the Add a Script window that opens, click Browse, and then select the file of the script that you have created. No script parameters are required.
   3. Click OK to close the Add a Script window.
   4. Click OK to close the Startup Properties window.
10. Associate the created object with the devices to which Kaspersky Endpoint Security for Windows must be installed. The simplest method is to associate the object with the entire domain. To do so:
    1. Right-click the required domain, and then select Link an Existing GPO.

       

    Link an Existing GPO context menu item in Group Policy Management window

    1. In the Select GPO window that opens, select the created object.
    2. Click OK to close the Select GPO window.

    In a similar way, you can associate the created group policy object with an organizational unit or a site.

11. Depending on the selected moment when you want Kaspersky Endpoint Security for Windows installed on the devices, do one of the following:
    • If you selected to install Kaspersky Endpoint Security for Windows at the operating system startup, tell the users to restart their devices.
    • If you selected to install Kaspersky Endpoint Security for Windows at the user logon, tell the users either to re-log on to their devices or to restart their devices.

After the security application is installed, the added Windows devices appear in the Devices list. The security profile named Default is applied to these devices.

Page top

[Topic 100000]

Renaming devices

You can rename devices that are added to Kaspersky Next.

To rename one or several devices:

1. Open Kaspersky Next Management Console.
2. Select the Devices section.

   The Devices section contains a list of devices that have been added to Kaspersky Next.

3. Select the check boxes next to the names of the devices that you want to rename.
4. Click the Rename button.
5. In the displayed window, specify the new name of the selected devices.

   If you selected several devices for renaming, the window displays the names of the owners of the selected devices. You can use these owner names to differentiate devices with identical names.

6. Click OK.

The selected devices are renamed.

If you selected many devices, the renaming process takes some time. While a device is being renamed, the (Update) icon is displayed next to its name in the list of devices.

[Topic 123338]

Assigning the owner of a Windows device or a Mac device

Assigning an

The Default security profile is applied to a device that has no owner, for example, a server. You cannot assign a security profile configured by you to a device that lacks an owner.

You can assign the same owner to a group of devices. You can also assign an owner to an individual Windows device or Mac device.

To assign or change an owner of one or several Windows and Mac devices:

1. Open Kaspersky Next Management Console.
2. Select the Devices section.

   The Devices section contains a list of devices that have been added to Kaspersky Next.

3. Select the check boxes next to the names of the devices to which you want to assign an owner.
4. Click the Assign owner button above the list of devices.

   A list of users is displayed.

5. If necessary, click the link containing the column name to sort the list of users or use the Search entry field to quickly switch to a user in a long list.
6. Click the row of the user whom you want to assign as the device owner.
7. Click the OK button in the list of users.

   The list of users is closed.

The list of devices displays the assigned owners of the Windows and Mac devices. If a device had an owner before, the new owner replaces the old one.

To assign an owner to an individual Windows device or Mac device that has not been assigned an owner:

1. View the properties of a device that is running Windows or Mac.

   If a device without an owner is running Windows, Kaspersky Next displays the user alias of the last person who signed in on this device. You can use this information when selecting the user that you want to assign as the device owner.

2. In the device properties window, click the Assign owner link.

   A list of users is displayed.

3. If necessary, click the link containing the column name to sort the list of users or use the Search entry field to quickly switch to a user in a long list.
4. Click the row of the user whom you want to assign as the device owner.
5. Click the OK button in the list of users.

   The list of users is closed. You are returned to the device properties window.

The list of devices displays the owner assigned to the Windows or Mac device.

[Topic 101063]

Scenario: Creating, renewing, and uploading an APNs certificate

To manage iOS and iPadOS mobile devices (by sending commands to devices or modifying device settings), an Apple Push Notification service certificate (APNs certificate) must be created and uploaded to Kaspersky Next Management Console. The activities of creating and uploading a certificate are performed once for each workspace.

Without an APNs certificate, it is not possible to manage iOS and iPadOS devices.

The scenario of creating, renewing, or uploading an APNs certificate proceeds in stages:

1. In Kaspersky Next Management Console, you create a certificate signing request (CSR).
2. On the Apple Inc. portal, you receive an APNs certificate by using the CSR you signed, and then save this certificate on your computer.
3. You upload the APNs certificate that you received to Kaspersky Next Management Console.

Prerequisite

To create an APNs certificate, you must obtain an Apple ID. If you do not have an Apple ID, register on Apple Push Certificates Portal. We recommend that you avoid using your personal Apple ID.

Creating or renewing an APNs certificate

The procedures for creating a new APNs certificate and renewing an existing APNs certificate that has expired are similar.

If you have an active APNs certificate, you can upload it to Kaspersky Next Management Console without having to create or renew an APNs certificate. See the second procedure in this section.

The APNs certificate is created in one run. You must follow the steps for its creation without interruption, because the signing process has a time stamp that will expire if the creation process takes too long.

To create or renew an APNs certificate:

1. In the Information panel section, on the Getting started tab, under Recommended, click the Create or update an APNs certificate link.

   The Create, renew, or upload an Apple Push Notification service certificate (APNs certificate) Wizard starts with a page listing possible actions.

2. Select the Create an APNs certificate or Renew an APNs certificate option, and then click Next.

   This opens a page containing a list of steps to complete to obtain an APNs certificate.

   If you only want to upload a prepared APNs certificate to Kaspersky Next Management Console, use the Uploading a previously prepared APNs certificate procedure below.

3. In the list of steps on the Wizard page, click the Create a Certificate Signing Request (CSR) link.

   The Create a CSR page opens.

4. Fill in the following entry fields: Name, Company, Department, City, State or Province, and Country and region. In the Name field, specify your name.

   By default, the Company field specifies the name of your company, and the Country and region field specifies the name of the country and the region where your company is located. All of these entry fields are required.

5. Click the Create CSR button.

   A CSR file is created. The CSR file you created is saved to a folder on your computer. By default, all downloaded files are saved in the Downloads folder.

   The Request the public key of the APNs certificate page opens.

6. Click the indicated link to sign in to the Apple Push Certificates Portal.

   The new browser tab displays the Sign In window with the Apple ID and Password entry fields.

7. Enter the Apple ID and Password of your company, and then click Sign In.

   The Create a New Push Certificate window opens.

8. Click Browse to select the signed CSR file on your computer, and then click Upload.

   The Certificates for Third-Party Servers window opens, showing your certificate.

9. In the data string of your certificate, click Download.

   The APNs certificate is saved to the folder on your computer.

10. In Kaspersky Next Management Console, on the Request the public key of the APNs certificate page of the Wizard, click Next.
11. On the Upload a prepared APNs certificate to the Management Console page that opens, click the Browse button, and then select an APNs certificate file from the displayed list of files on your computer.
12. Click Next.

    This opens the Apple Push Notification service certificate details page that contains the name of the downloaded file, the name of the certification center, and the certificate validity start and end dates.

13. Click Next.

    This opens a page prompting you to create a password-protected backup copy of the APNs certificate on your computer hard drive.

14. Select the action to take on the APNs certificate:
    • Finish creating or renewing the APNs certificate without creating a backup copy.
    • Create a password-protected copy of the APNs certificate on your computer's hard drive.

    The Create a password-protected copy of the APNs certificate on your computer's hard drive option is selected by default.

15. If you chose the option that includes creating a copy of the APNs certificate, enter the password for protecting the APNs certificate, confirm the password, and then click the Save protected copy of APNs certificate button.
16. Click OK.

    If you chose the option that includes creating a copy of the APNs certificate, a password-protected copy of the APNs certificate is saved on your computer's hard drive. The APNs Certificate Preparation Wizard closes.

The creation or renewal of the APNs certificate is complete. The APNs certificate is uploaded to Kaspersky Next Management Console.

At each step of the procedure for creating or renewing an APNs certificate, you can return to the previous step by clicking the Back button.

After the successful creation or renewal of an APNs certificate, you can connect iOS and iPadOS devices to Kaspersky Next, send commands to iOS and iPadOS devices, install apps on iOS and iPadOS devices, and configure these devices by using a security profile.

Uploading a previously prepared APNs certificate

To upload a previously prepared APNs certificate to Kaspersky Next Management Console:

1. In the Information panel section, on the Getting started tab, under Recommended, click the Create or update an APNs certificate link.

   The Create, renew, or upload an Apple Push Notification service certificate (APNs certificate) Wizard starts with a page listing possible actions.

2. Select the Upload a prepared APNs certificate option, and then click Next.

   This opens the Upload a previously prepared APNs certificate page.

3. On the Upload a previously prepared APNs certificate page, click the Browse button, and then select an APNs certificate file from the displayed list of files on your computer.
4. Click Next.

   If the APNs certificate file is password-protected, a page with the password request opens.

5. On the page with the password request, enter the password protecting the APNs certificate file, and then click Next.

   This opens the Details of downloaded certificate file page that indicates the name of the downloaded file, the name of the certification center, and the certificate validity start and end dates.

   If the APNs certificate file does not correspond to the workspace with which you are currently working, an error message is displayed.

6. Click OK.

The APNs certificate is uploaded to Kaspersky Next Management Console.

At each step of the procedure for uploading an APNs certificate, you can return to the previous step by clicking the Back button.

After the successful upload of an APNs certificate, you can connect iOS and iPadOS devices to Kaspersky Next, send commands to iOS and iPadOS devices, install apps on iOS and iPadOS devices, and configure these devices by using a security profile.

[Topic 141730]

Connecting mobile devices

The following is the process for connecting mobile devices to Kaspersky Next:

1. By using Kaspersky Next Management Console, you send mobile device users a message to prompt them to connect their devices.

   You can only send a message with instructions to users whose email addresses have been added to the Management Console.

   Using a message containing instructions, a user can connect only a single device. To protect multiple devices owned by a single user, you must send the user a separate message for each device.

2. The user clicks the link in the message or uses the attached QR code to download and install the security application on his or her device.
3. Kaspersky Next detects the type of the operating system (whether it is Android, iOS, or iPadOS) on the device. It also checks the company workspace for an APNs certificate. Depending on the type of operating system and the availability of a certificate, Kaspersky Next prompts the user to download the necessary software to the device.
   • Android device.

     The installation proceeds as follows:

     1. Kaspersky Next redirects the user to the Kaspersky website.
     2. The user downloads and installs Kaspersky Endpoint Security for Android.

        As an alternative, the user can download the app from Samsung Galaxy Store, Huawei AppGallery, RuStore, Xiaomi GetApps, or from the official Kaspersky website.

     3. When the app is run for the first time, in the first launch wizard, the user must copy the download link from the email message with the instructions, and then paste it in the Server field of the Connection Settings step.

     When the configuration completes, the device connects to Kaspersky Next.

     Kaspersky Next cannot manage an Android device if Kaspersky Endpoint Security for Android is installed via KNOX Mobile Enrollment or through third-party Enterprise Mobility Management (EMM) solutions. In this case, the user must remove Kaspersky Endpoint Security for Android, and then install it again, as described in this section.

   • iOS or iPadOS device with an APNs certificate installed.

     Kaspersky Next automatically downloads an iOS MDM profile. After that, the user must go to the settings on his or her device, and then install the downloaded profile. When the iOS MDM profile is installed, the iOS or iPadOS device connects to Kaspersky Next.

     Without an APNs certificate, it is not possible to manage iOS and iPadOS devices.

   After the applications are installed and run automatically, the device appears in the list of devices in Kaspersky Next Management Console.

To send users a message containing instructions for downloading and installing a security application:

1. Open Kaspersky Next Management Console.
2. Select the Users section.

   The Users section contains a list of users and groups of users that have been added to Kaspersky Next.

3. Select the check boxes next to the names of user accounts to which you intend to send a message containing instructions for installing security applications on devices.
4. Above the list of user accounts, click the Send instructions button.

   You can also send messages in the details window of a user, inviting that user to install a security application on the device. To send a message containing instructions, click the link with a user account name in the list of users, and then click the Send instructions to install button.

   After the user installs the security applications and all the devices are connected to Kaspersky Next, information in the Devices and Users lists will be updated and expanded. The Devices list will show the connected devices. The Users list will show the number of devices that have been connected by the user and their respective statuses.

[Topic 230634]

Sending commands to users' devices

This section describes how to send commands to your users' Windows devices and mobile devices.

[Topic 228145]

Wiping data from a Windows device

From Kaspersky Next Management Console, you can send a command to remotely wipe data from a user's device that is running Windows.

This feature is available only if you activated Kaspersky Next under a Kaspersky Next EDR Optimum or XDR Expert license.

Depending on the data wipe settings, you can remotely wipe some or all of the following data:

• Documents

  Files in the standard Documents folder of the operating system, and its subfolders.

• Cookies

  Files in which the browser saves data from the websites visited by the user (such as user authorization data).

• Desktop

  Files in the standard Desktop folder of the operating system, and its subfolders.

• Temporary Internet Explorer files

  Temporary files related to the operation of Internet Explorer, such as copies of web pages, images, and media files.

• Temporary files

  Temporary files related to the operation of applications installed on the computer. For example, Microsoft Office applications create temporary files containing backup copies of documents.

• Outlook files

  Files related to the operation of the Outlook mail client: data files (PST), offline data files (OST), offline address book files (OAB), and personal address book files (PAB).

• User profile

  Set of files and folders that store operating system settings for the local user account.

To wipe data from a device:

1. Open Kaspersky Next Management Console.
2. Select the Devices section.

   The Devices section contains a list of devices that have been added to Kaspersky Next.

3. Click the link with the device name.

   This opens a page containing detailed information about the device. The left part of the page shows the Commands list, which contains buttons with the commands that are available for the device.

4. Click the Wipe data button.
5. In the Wipe data from <Device name> window that opens, define the data wipe settings:
   1. How to wipe:
      • Completely

        Files are overwritten with random data. It is practically impossible to restore data after it is deleted.

      • Quickly

        Files are deleted by using the operating system resources, as if you delete them manually to the recycle bin, and then empty the recycle bin.

   2. What to wipe:
      • All standard folders

        All of the above-mentioned data is deleted.

      • Custom folders

        Select the specific data to be deleted.

6. Click the Wipe button.
7. In the Wipe data window that opens, click the Confirm button to confirm the data wipe.

The specified data is wiped from the selected device.

[Topic 129312]

Sending commands to mobile devices

From Kaspersky Next Management Console, you can send commands to connected mobile devices (for example, to locate or lock a device).

To send a command to a device:

1. Open Kaspersky Next Management Console.
2. Select the Devices section.

   The Devices section contains a list of devices that have been added to Kaspersky Next.

3. Select the check box in the list next to the name of the device to which you need to send a command.
4. In the list of devices, click the link with the device name.

   This opens a page containing detailed information about the device. The right part of the page shows a list of commands that were sent to the device, including the date and time the commands were sent. The left part of the page shows the Commands list, which contains buttons with the commands that are available for the device.

5. Click the button with the name of the command.

   The button name will change to Abort command <Name of selected command>. Execution of the command takes some time. Upon execution, the command is displayed in the list of executed commands in the right part of the page.

The set of supported commands depends on the operating system installed on the mobile device.

Set of supported commands for Android devices

Set of supported commands for iOS and iPadOS devices

Page top

[Topic 101319]

Deleting devices from the list of devices

When you delete devices from the list of devices, they are first moved to the list of devices that are marked for deletion. Further actions depend on the operating system that the devices are running and on the security application versions that are installed on the devices.

Before deleting devices running Windows or macOS, make sure the devices are decrypted. After deletion, you will not be able to decrypt the device from the console.

• For devices running Windows or macOS, the security application is uninstalled automatically or manually.

  After the security application is uninstalled automatically, the device finally disappears from Kaspersky Next. After you uninstall the security application manually, you must permanently delete the device from the list of devices that are marked for deletion.

  If you do not uninstall the security application from the device, the device will reconnect to Kaspersky Next and will appear in the list of managed devices.

  After the device is finally deleted from Kaspersky Next, the security application license that the device uses is released.

• For devices running Android, iOS, or iPadOS, all corporate data is automatically wiped.

  Users of devices running Android are prompted to manually remove Kaspersky Endpoint Security for Android from their devices. You can permanently delete devices from the list of devices that are marked for deletion at any time.

You cannot undo the deletion of devices. Later, you can connect the deleted devices again.

[Topic 138147]

Marking devices for deletion

Marking devices for deletion is the first step in deleting them from the list of managed devices.

You cannot undo marking devices for deletion.

Before deleting devices running Windows or macOS, make sure the devices are decrypted. After deletion, you will not be able to decrypt the device from the console.

To mark devices for deletion:

1. Open Kaspersky Next Management Console.
2. Select the Devices section.

   The Devices section contains a list of devices that have been added to Kaspersky Next.

3. Select the check boxes next to the required devices.
4. Above the list of devices, click the Delete button.
5. In the Delete device window that opens, click the Delete button.

The devices are moved to the list of devices that are marked for deletion. To view the devices that are marked for deletion, you can click the Show marked for deletion button in the Devices section of the Management Console.

[Topic 138146]

Viewing the list of devices that are marked for deletion

The Devices → Marked for deletion section of Kaspersky Next Management Console displays a list of devices that you plan to delete.

The list contains columns with the following information about devices and their owners:

• Progress. An icon reflects the status of the security application uninstallation from a device that has been connected to Kaspersky Next:
  • (Scheduled). The security application uninstallation is scheduled or in progress.
  • (Done). The security application has been successfully uninstalled. Devices with this status are automatically deleted from the list every 24 hours. If you do not want to wait, you can permanently delete the device manually.
  • (Error). An error has occurred during uninstallation of the security application. You can find detailed information about the error on the page containing detailed information about the device.

    In this case, the security application must be uninstalled manually. After that, you can permanently delete the device from the list.

  • (Manual). The security application must be uninstalled manually. After that, you can permanently delete the device from the list.
• OS. Contains the name of the operating system installed on the device.
• Name. Contains the device name, and specifies the name and version of the operating system installed on the device. You can click the link with the name of a device to proceed to the page containing detailed information about the device.
• Device owner. Contains the user account name and email address of the device owner.

  If the device does not have an assigned owner, Unassigned is displayed instead. If the device is running Windows, Kaspersky Next displays the View last signed-in link that leads to the device properties window. There, you can view the user alias of the last person who signed in on this device.

• Group name. Contains the name of the group to which the device owner belongs.
• Security profile. Contains the name of the security profile assigned to the device.

You can filter the list of devices by uninstallation status.

To filter the list of devices,

Next to Show devices, click the link with the required uninstallation status.

To remove the filter,

Click the All link.

You can sort the list of devices by column: Progress, OS, Name, Device owner, or Group name.

To sort the list,

Click the link containing the column name.

The column name is displayed in uppercase characters. Next to the name of the column, an up arrow (˄) indicates the sorting direction. To change the sorting direction, click one more time. Next to the name of the column, a down arrow (˅) appears.

You cannot undo the deletion of devices. Later, you can connect the deleted devices again.

Page top

[Topic 138148]

Uninstalling security applications from devices

Security applications are automatically uninstalled from devices that are marked for deletion in the following cases:

• A device is running Windows.

  Automatic uninstallation of Kaspersky Endpoint Security for Windows is not available if Kaspersky Endpoint Security 10.0 for Windows is still in use in your workspace. We recommend that you prepare the distribution package of the latest version of Kaspersky Endpoint Security for Windows.

• A device is running macOS and the installed version of Kaspersky Endpoint Security for Mac is 11.0 or later.

In other cases, you must uninstall security applications manually.

Automatic uninstallation is scheduled to start every three hours. Other settings of automatic uninstallation can be changed.

Starting uninstallation forcibly

If you want, you can forcibly uninstall the security applications ahead of schedule.

To forcibly uninstall security applications:

1. Open Kaspersky Next Management Console.
2. Select the Devices section.

   The Devices section contains a list of devices that have been added to Kaspersky Next.

3. Click the Show marked for deletion button.

   Management Console displays the list of devices that have been marked for deletion.

4. Click the link with the name of any device with the (Scheduled) status.

   The device properties window opens. At the top of the window, the security application uninstallation status with detailed information is displayed.

5. Click the Run uninstallation now link in the detailed information.
6. In the Run uninstallation now window that opens, click the Uninstall button.

Uninstallation of security applications starts on all of the devices on which uninstallation is scheduled.

[Topic 138691]

Configuring automatic uninstallation of security applications

You can configure automatic uninstallation of security applications from devices that are marked for deletion.

To configure automatic uninstallation of security applications:

1. Open Kaspersky Next Management Console.
2. Select the Devices section.

   The Devices section contains a list of devices that have been added to Kaspersky Next.

3. Click the Show marked for deletion button.

   Management Console displays the list of devices that have been marked for deletion.

4. Click the Uninstallation settings link.

   The Uninstallation settings window opens.

5. Under Operating system restart option, select what to do if the uninstallation requires the restart of the device operating system:
   • Do not restart the device

     Managed devices are not restarted automatically after the operation. To complete the operation, users must restart their devices. This option is suitable for servers and other devices where continuous operation is critical.

   • Restart the device

     Managed devices are always restarted automatically if a restart is required for completion of the operation. This option is useful for devices for which regular pauses in their operation (shutdown or restart) are acceptable.

   • Prompt the user for action

     The restart reminder is displayed on the screen of the managed device, prompting the user to restart it manually. You can change the text of the message for the user. This option is most suitable for workstations where users must be able to select the most convenient time for a restart.

     If the Restart the device after 180 minutes option is enabled, after prompting the user, the application forces a restart of the operating system upon expiration of the specified time interval. Otherwise, users must restart their devices manually.

6. If uninstallation of the security applications from devices running Windows is protected by password, specify access settings for the security applications:
   1. Under Access settings, select the check boxes next to the applications protected by password.
   2. If you select Kaspersky Endpoint Security for Windows, specify the user name and password that protect the application.
   3. If you select Network Agent, specify the password that protects the application.

      If Network Agent is protected by the same password as Kaspersky Endpoint Security for Windows, it is enough to specify the settings only for Kaspersky Endpoint Security for Windows. Kaspersky Next will automatically use the specified password for uninstalling Network Agent.

7. Click the OK button to save the changes.

The security applications are automatically uninstalled from the devices, according to the defined settings.

[Topic 138149]

Permanently deleting devices that are marked for deletion

When you permanently delete a device that is marked for deletion, the information about the device is deleted from Kaspersky Next without the possibility of recovery. The security application license that the device uses is released for later use on another device.

Before deleting devices running Windows or macOS, make sure the devices are decrypted. After deletion, you will not be able to decrypt the device from the console.

After the security application is automatically uninstalled from a device running Windows or macOS, Kaspersky Next permanently deletes the device within 24 hours. We do not recommend that you permanently delete a device running Windows or macOS until the security application is uninstalled from the device.

If a device has the (Scheduled) status of security application uninstallation for more than 48 hours, you can check that the security application has been actually uninstalled from the device and then permanently delete the device.

A device running Android, iOS, or iPadOS can be permanently deleted immediately after it is marked for deletion.

To permanently delete devices that are marked for deletion:

1. Open Kaspersky Next Management Console.
2. Select the Devices section.

   The Devices section contains a list of devices that have been added to Kaspersky Next.

3. Click the Show marked for deletion button.

   The Management Console displays the list of devices that have been marked for deletion.

4. Select the check boxes next to the required devices.
5. Above the list of devices, click the Permanently delete button.
6. In the Permanently delete device window that opens, click the Delete button.

The selected devices disappear from Kaspersky Next.

You cannot undo the deletion of devices. Later, you can connect the deleted devices again.

Page top

[Topic 166135]

Starting and stopping anti-malware database updates and malware scans

Regardless of the settings of the anti-malware database update mode and malware scan task run mode, you can force a start of these tasks at any time. You may also have to force any of these tasks to stop. It may be necessary to start any of these tasks immediately if, for example, the task is configured for manual start but users have not run the task in a long time.

As an alternative, you can start a malware scan task on a single device.

You can start and stop an anti-malware database update and malware scan for Windows devices and Mac devices.

To force a start of an anti-malware database update or malware scan:

1. Open Kaspersky Next Management Console.
2. Select the Devices section.

   The Devices section contains a list of devices that have been added to Kaspersky Next.

3. Click More → Manage database update / Manage malware scan.

   The Manage anti-malware database update / Manage malware scan window opens.

4. If necessary, click the Database update settings / Scan start settings link, and then modify the database update settings / malware scan settings.
5. Click the Start database update / Start scan button.

The database update or malware scan starts.

You can use a filter to view information about the status of the running task on all devices, on devices with outdated databases, or on devices with up-to-date databases. The All devices filter is enabled by default. You can also use the device search function.

To force a start of a malware scan on a single device:

1. Open Kaspersky Next Management Console.
2. Select the Devices section.

   The Devices section contains a list of devices that have been added to Kaspersky Next.

3. Click the link with the device name.

   This opens a page containing detailed information about the device. The left part of the page shows the Commands list, which contains buttons with the commands that are available for the device.

4. Click the Run scan button.

The malware scan starts.

To force a stop of an anti-malware database update or malware scan:

1. Open Kaspersky Next Management Console.
2. Select the Devices section.

   The Devices section contains a list of devices that have been added to Kaspersky Next.

3. Click More → Manage database update / Manage malware scan.

   The Manage anti-malware database update / Manage malware scan window opens.

4. Select the devices on which you want to stop the database update or stop the malware scan.

   You can use a filter to view information about the status of the running task on all devices, on devices with outdated databases, or on devices with up-to-date databases. The All devices filter is enabled by default. You can also use the device search function.

5. Click the Stop database update / Stop scan button.

The database update or malware scan stops.

Starting and stopping of tasks on devices occurs with a delay. This delay is necessary for the synchronization of devices with Kaspersky Next. Synchronization of devices with Kaspersky Next occurs automatically at a certain frequency or is performed manually on devices by sending the Synchronize command.

[Topic 152776]

Updating the security application on devices running Windows and macOS

On devices running Windows

Kaspersky Endpoint Security for Windows is updated automatically on your users' devices. The Distribution packages section displays the status of the automatic update:

• Package pending

  A new version of Kaspersky Endpoint Security for Windows is ready. You must prepare the distribution package of the new version.

• Pending

  The distribution package of the new version is prepared and is waiting for Kaspersky. When the new version of Kaspersky Endpoint Security for Windows passes all the required procedures at our side, the automatic update starts.

  As soon as the automatic update starts, Kaspersky Next displays a notification in the Information panel section.

• In progress

  The automatic update has started on at least one of your users' devices.

• Completed

  The automatic update has completed on all of your users' devices.

If a device restart is required, the security application prompts users to restart their devices.

In most cases, Network Agent is also updated automatically on a device. However, even if a previous version of Network Agent is installed on a device, the protection of the device is not affected.

On devices running macOS

To update Kaspersky Endpoint Security for Mac to a new version, you must download and deliver the prepared distribution package to your macOS users. Users can then install the new version of Kaspersky Endpoint Security for Mac on their devices.

[Topic 101126]

Managing security profiles

This section describes the purpose of security profiles in Kaspersky Next, as well as how to create, configure, copy, apply, and delete security profiles.

[Topic 101384]

About security profiles

Kaspersky Next lets you centrally protect and manage devices by using security profiles.

A security profile is a named collection of settings of Kaspersky applications. This collection of settings ensures security on computers and mobile devices added to Kaspersky Next. A single profile (see the figure below) contains the settings for Windows, Mac, Android, iOS, and iPadOS devices. After a security profile is applied to a device that has been added to Kaspersky Next, the settings of the Kaspersky application on the device are replaced with those specified in the profile.

Single security profile

Using security profiles, you can perform the following actions:

• Create, define, and apply standard collections of settings for specific users and user groups in your company.
• Quickly change the values of specific settings or groups of settings, in case of urgency or if the users' working conditions have changed.

You can assign a security profile only to users and groups of users. The security profile assigned to the device owner is applied to the device.

Only one security profile can be assigned to a user or a group of users.

Kaspersky Next features the Default security profile configured by Kaspersky experts. The Default profile is automatically applied to a device after that device is added to the list of devices of Kaspersky Next, if the device owner has not been assigned a different profile.

Each security profile has a power. The security profile power shows how well the profile protects your users' devices. The profile power depends on whether the protection components are enabled in the profile settings and on whether you use Kaspersky Security Network in your workspace. You can manage the profile power on a single page.

[Topic 130069]

Viewing the list of security profiles

To view the list of security profiles:

1. Open Kaspersky Next Management Console.
2. Select the Security management → Security profiles section.

   The list of profiles is displayed as a table containing the following columns (see the figure below):

   

   List of security profiles in Kaspersky Next Management Console

   • Name. Clicking the link with the name of a profile allows you to proceed to the settings page of that profile.
   • Profile power. The security profile power shows how well the profile protects your users' devices. The profile power can be Low, Optimal, or High.
   • Assigned to. Clicking the link in this column allows you to view user accounts and groups of user accounts that have been assigned the profile.

You can sort the list of security profiles by the Name column.

To sort the list,

Click the link containing the column name.

The column name is displayed in uppercase characters. Next to the name of the column, an up arrow (˄) indicates the sorting direction. To change the sorting direction, click one more time. Next to the name of the column, a down arrow (˅) appears.

Page top

[Topic 101075]

Creating a security profile

After initial setup of Kaspersky Next, the Default security profile is applied to devices of all users. You can create your own custom security profiles on the basis of the Default security profile.

You can create up to 20 security profiles.

To create a security profile:

1. Open Kaspersky Next Management Console.
2. Select the Security management → Security profiles section.

   The Security profiles section contains a list of security profiles configured in Kaspersky Next.

3. Above the list of security profiles, click the Add → Create button.

   The Create a security profile window opens.

4. In the Security profile name entry field, enter a name for the security profile.

   You can enter a string up to 255 characters long. The string can contain upper- and lowercase characters, numerals, whitespaces, dots, commas, minuses, dashes, and underscores.

5. Click the Create button.

A new security profile will be created, which will have the name you specified and the settings of the default profile. After the security profile is created, you can edit it as you like.

[Topic 138041]

Editing a security profile

To edit a security profile:

1. Open Kaspersky Next Management Console.
2. Select the Security management → Security profiles section.

   The Security profiles section contains a list of security profiles configured in Kaspersky Next.

3. Click the link with the name of the security profile that you want to edit.

   The profile properties page opens. The page contains information about the profile power and collections of security profile settings for managed devices. The security profile power shows how well the profile protects your users' devices. Collections of settings for devices running different operating systems are grouped into the Windows, Mac, iOS, and Android sections.

4. If you want, increase the profile power in the Security profile audit section. To do so, enable the protection components (for example, click Enable File Threat Protection), and then enable the use of Kaspersky Security Network. As an alternative, you can click the Enable all components button to enable all of the disabled protection components and the use of Kaspersky Security Network at once.

   The use of Kaspersky Security Network is enabled or disabled across the workspace. It means that if you enable the use of Kaspersky Security Network in one security profile, it is automatically enabled in all of your profiles.

   If you have not prepared a distribution package of a Kaspersky security application (for example, Kaspersky Endpoint Security for Mac), the components in the corresponding area are excluded from the calculation of the security profile power. Also, you cannot enable or disable these components in the Security profile audit section. As soon as a distribution package is prepared, these components will be taken into account.

5. Define the security profile settings as you like.

   Use the detailed instructions on configuring security profiles for Windows devices, Mac devices, Android devices, iOS, and iPadOS devices.

The new values of the security profile settings will be applied to the devices of users to whose accounts this security profile was assigned.

[Topic 101432]

Assigning a security profile to a user or group of users

A security profile (with the exception of the Default profile) can be assigned to no more than 50 groups of users or individual users.

To assign a security profile to a user or group of users:

1. Open Kaspersky Next Management Console.
2. Select the Security management → Security profiles section.

   The Security profiles section contains a list of security profiles configured in Kaspersky Next.

3. Select the check box next to the name of the security profile that you want to assign to a user or group of users.
4. Click the Assign to users button above the list of security profiles or click the Assign to users link in the list of security profiles.

   A window containing a list of users opens.

5. Select the check boxes next to the users and groups of users to which you want to assign the security profile.

   If you selected a security profile other than the Default one and the total number of selected groups of users and individual users exceeds 50, a warning is displayed. Clear extra check boxes to get rid of the warning.

6. Click OK.

The security profile is assigned to the selected users and groups of users. The security profile that has been assigned to a user appears in the general list of users and on the page with the user information. The security profile that has been assigned to a group of users is applied to all users in that group. You cannot assign an individual security profile to a user that is part of a group of users.

[Topic 142928]

Copying a security profile

If you need to configure a security profile whose settings mostly repeat the values of settings of a previously configured profile, you can reduce configuration time by copying the existing security profile. In the copy, you have to specify the portion of settings that must differ from the settings of the original security profile.

By default, the copied security profile is not assigned to any user account or group of user accounts.

To copy a security profile:

1. Open Kaspersky Next Management Console.
2. Select the Security management → Security profiles section.

   The Security profiles section contains a list of security profiles configured in Kaspersky Next.

3. Select the check box next to the name of the security profile that you want to copy.
4. Above the list of security profiles, click the Copy button.

   The Copy security profile <security profile name> window opens.

5. In the entry field, enter a name for the new security profile.

   You can enter a string up to 255 characters long. The string can contain upper- and lowercase characters, numerals, whitespaces, dots, commas, minuses, dashes, and underscores. The name of the new security profile must not match the name of an existing security profile.

6. Click the Copy button.

   If a security profile with the entered name already exists, the Copy button will not be available. To continue copying, enter a name that satisfies the requirements.

The copied security profile will be displayed in the list of security profiles. You can proceed to configure the security profile and assign this security profile to user accounts or groups of user accounts.

[Topic 225597]

Exporting and importing security profiles

The export and import of security profiles allows you to transfer the security settings that you configure in one workspace to another workspace. You just export a security profile to a file, and then import it to another workspace in a few clicks.

When Kaspersky Next creates a file with the security settings, it encrypts the file. If you want, you can additionally protect the file by using a password. In this case, you must specify this password when importing the profile from the file.

[Topic 226160]

Exporting a security profile to a file

You can export a security profile to a file, and then import it to another workspace in a few clicks.

To export a security profile to a file:

1. Open Kaspersky Next Management Console.
2. Select the Security management → Security profiles section.

   The Security profiles section contains a list of security profiles configured in Kaspersky Next.

3. Select the check box next to the profile that you want to export, and then click the Export button.

   The Export a security profile window opens.

4. Verify the workspace name and the security profile name that you selected.
5. If you want to provide additional protection to the file, click the down arrow (˅) next to Additional parameters, and then specify and confirm the password.
6. Click the Export button to start the export.

A file with the settings from the selected security profile is created and downloaded on your device. The file name has the following format: <profile name> (<workspace name>).sps.

You can now import the profile in another workspace.

[Topic 226161]

Importing a security profile from a file

You can export a security profile to a file, and then import it to another workspace in a few clicks.

To import a security profile from a file:

1. Open Kaspersky Next Management Console.
2. Select the Security management → Security profiles section.

   The Security profiles section contains a list of security profiles configured in Kaspersky Next.

3. Above the list of security profiles, click the Add → Import button.

   The button is not available if the workspace already contains 20 security profiles.

4. Click the Browse button, and then select the file with the profile settings that you exported earlier.
5. If you protected the file with a password during export, a field for entering the password appears. Specify the password, and then click the Submit button.
6. Kaspersky Next analyzes the file and determines whether the file is valid, and whether the profile settings can be imported from it. Further actions depend on the analysis results:
   • No error messages and no important notes appear.

     The profile can be imported. Click the Import button to start import.

   • One or several important notes appear (for example, a security profile with the same name as specified in the file exists in this workspace).

     The profile can be imported. If you agree with the solutions described in the notes (for example, the imported profile will be automatically renamed), click the Import button to start import.

   • There is a problem with the selected file or with the import in general (for example, the file was manually edited or you specified a wrong password).

     The profile cannot be imported. Do as instructed by Kaspersky Next (for example, select another file or re-type your password).

The security profile is imported to the workspace.

[Topic 270603]

Resetting a security profile

If you are not satisfied with how a security profile works, you can reset it to the predefined settings. These are the settings that are recommended by the Kaspersky experts and are defined when a new profile is created.

The operation cannot be undone.

To reset a security profile:

1. Open Kaspersky Next Management Console.
2. Select the Security management → Security profiles section.

   The Security profiles section contains a list of security profiles configured in Kaspersky Next.

3. In the list, select the security profile that you want to reset.
4. In the Security profile audit section, click the Reset to predefined settings button.
5. In the confirmation window that opens, click the Reset button.

Settings of the security profile are reset to the predefined values.

The use of Kaspersky Security Network is enabled or disabled across the workspace. It means that when you reset a security profile, the Kaspersky Security Network settings are not affected.

[Topic 101442]

Deleting a security profile

The Default security profile cannot be deleted.

To delete a security profile:

1. Open Kaspersky Next Management Console.
2. Select the Security management → Security profiles section.

   The Security profiles section contains a list of security profiles configured in Kaspersky Next.

3. Select the check box next to the name of the security profile that you need to delete.
4. Above the list of security profiles, click the Delete button.

The security profile will be deleted from the list of security profiles. User accounts that had been assigned the deleted security profile will be assigned the Default security profile.

[Topic 231626]

Endpoint Detection and Response

This section contains information about Endpoint Detection and Response.

The Endpoint Detection and Response feature monitors and analyzes threat progression, and provides you with information about possible attacks, to facilitate a timely manual response; or performs the predefined automated response.

This feature is available only if you activated Kaspersky Next under a Kaspersky Next EDR Optimum or XDR Expert license.
If you activated Kaspersky Next under a Kaspersky Next EDR Foundations license, you have access to a limited functionality called Root-Cause Analysis.

To use this feature, you need Kaspersky Endpoint Security 11.8 for Windows or later.

[Topic 231757]

About Endpoint Detection and Response

Kaspersky Next monitors and analyzes threat progression, and provides you with information about possible attacks, to facilitate a timely manual response; or performs the predefined automated response.

This feature is available only if you activated Kaspersky Next under a Kaspersky Next EDR Optimum or XDR Expert license.
If you activated Kaspersky Next under a Kaspersky Next EDR Foundations license, you have access to a limited functionality called Root-Cause Analysis.

To use this feature, you need Kaspersky Endpoint Security 11.8 for Windows or later.

Endpoint Detection and Response detects threats in the following types of objects:

• Process
• File
• Registry key
• Network connection

You can start using the Endpoint Detection and Response feature when you start Kaspersky Next Management Console for the first time or after Kaspersky Next is upgraded to a new version. If you did not start using Endpoint Detection and Response during the initial or additional setup of Kaspersky Next, you can do it later.

To use Endpoint Detection and Response in the automatic mode, you must first configure it.

The Endpoint Detection and Response widget and table display alerts that occur on your users' devices. The widget shows up to 10 alerts and the table shows up to 1000 alerts. From the table, you can export information about all of the current alerts to a CSV file.

While analyzing the alert details, you may want to take additional measures or fine-tune the Endpoint Detection and Response feature.

If you want to stop using the feature, you can disable it and later enable it again.

[Topic 231798]

About Indicators of Compromise

An Indicator of Compromise (IoC) is a set of data about an object or activity that indicates unauthorized access to the device (compromise of data). For example, the path to a file in which a threat has been detected on one of your users' devices is an Indicator of Compromise for other devices.

Kaspersky Next can detect threats by using the following types of IoCs:

• File indicators:
  • MD5 checksum of a file
  • SHA256 checksum of a file
  • Path to a file
• IP address of a remote computer
• Registry key

[Topic 231764]

Starting the use of Endpoint Detection and Response

You can start using the Endpoint Detection and Response feature when you start Kaspersky Next Management Console for the first time or after Kaspersky Next is upgraded to a new version. If you did not start using Endpoint Detection and Response during the initial or additional setup of Kaspersky Next, you can do it as described in this section.

After you start using the feature, the distribution package of Kaspersky Endpoint Security for Windows (version 11.8 or later) is automatically prepared. Then, Kaspersky Endpoint Security for Windows is automatically upgraded on managed devices running Windows.

To start using Endpoint Detection and Response:

1. Open Kaspersky Next Management Console.
2. Do any of the following:
   • In the Information panel section, select the Getting started tab.
   • In the Information panel section, select the Monitoring tab.
   • In the Settings section, click the Settings link below Use of Endpoint Detection and Response.

     The Endpoint Detection and Response page opens.

3. Click Enable Endpoint Detection and Response.

   The Enable Use of Endpoint Detection and Response Wizard opens.

   Some steps of the Wizard may be missing if you performed them during the initial or additional setup of Kaspersky Next.

   The Agreements for Kaspersky Endpoint Security for Windows window opens.

   This window displays the texts of the End User License Agreement for Kaspersky Endpoint Security for Windows, the End User License Agreement for Kaspersky Security Center Network Agent, the Supplemental Clauses regarding Data Processing for Kaspersky Endpoint Security for Windows and Network Agent, and the link to the Kaspersky Lab Products and Services Privacy Policy.

4. Carefully read the text of each document.

   If you agree to the terms and conditions of the agreements, and if you are aware and agree that your data will be handled and transmitted (including to third countries) as described in the Privacy Policy, and you confirm that you have fully read and understand the Privacy Policy, select the check boxes next to the listed documents, and then click the I accept the terms button.

   If you do not agree to the terms and conditions, do not use the security applications. If only some of the check boxes are selected, you will not be able to use Endpoint Detection and Response. The Agreements for Kaspersky Endpoint Security for Windows window will close.

   The Proxy server settings window opens.

5. If necessary, define the proxy server settings, and then click Next.

Endpoint Detection and Response is enabled.

Later, you can disable the feature if you want to stop using it.

[Topic 231813]

Scenario: Configuring and using Endpoint Detection and Response

To use Endpoint Detection and Response in the automatic mode, you must first configure it.

The scenario proceeds in stages:

1. Configure IoC scans for potential threats

   By using IoC scans, you can configure a regular search for Indicators of Compromise (IoCs) on devices and automatic response measures to be taken if IoCs are found.

2. Configure execution prevention

   You can define settings according to which Kaspersky Endpoint Security for Windows prevents the execution of certain objects (executable files and scripts) or the opening of Microsoft Office documents on your users' devices.

3. View and analyze information about occurred alerts
4. Take manual response measures

   While analyzing details of an alert, you may want to take additional measures or fine-tune the Endpoint Detection and Response feature:

   • Take manual response measures (for example, move the detected file to Quarantine or isolate the device on which the alert occurred).
   • Add the found IoCs to the settings of regular IoC scans, to check other devices for the same threat.
   • Add the detected object to the list of execution prevention rules, to prevent it from being executed in the future on the same and other devices.

[Topic 231796]

Configuring IoC scans for potential threats

By using IoC scans, you can configure a regular search for Indicators of Compromise (IoCs) on devices and automatic response measures to be taken if IoCs are found.

You can define settings of three IoC scans:

• Proactive scan

  If you find somewhere (for example, on the internet) that a certain threat is characterized by a set of IoCs, you can add these IoCs to this scan, to check your users' devices.

  The scan scope is all of your users' devices running Windows. It cannot be modified. All new devices that are added in the future will be automatically included in the scan scope.

• Reactive scan

  If Kaspersky Next detects a threat on one of your users' devices, you can add IoCs of that threat to this scan, to check other devices.

  The scan scope is all of your users' devices running Windows. It cannot be modified. All new devices that are added in the future will be automatically included in the scan scope.

• Custom scan

  You can add any threat to this scan, to check your users' devices.

  The scan scope is a custom selection of your users' devices running Windows. All new devices that are added in the future will be automatically included in the scan scope.

Later, when analyzing alerts about Endpoint Protection Platform (EPP) detections on your users' devices, you may want to add the found IoCs to the settings of Reactive scan, to check other devices for the same threat.

To configure IoC scans:

1. Open Kaspersky Next Management Console.
2. Select the Security management → Endpoint Detection and Response section.
3. Click the IoC scan button.
4. In the IoC scan window that opens, define the settings of the required IoC scans.
5. Click Close to close the IoC scan window.

IoC scans are configured.

[Topic 231840]

Adding a threat to an IoC scan

When configuring regular scans for threats on devices or after a threat is already detected on one of your users' devices, you can add a threat to an IoC scan, so that it will check other devices for that threat.

To each IoC scan, you can add a maximum of 200 threats.

To add a threat to an IoC scan:

1. Open Kaspersky Next Management Console.
2. Select the Security management → Endpoint Detection and Response section.
3. Click the IoC scan button.
4. Add a threat in either of the following ways:
   • To add a threat to Proactive scan, click the Add a threat button.
   • To add a threat to any scan, click the View link on the respective tile, and then click the Add button.

   The Add a threat window opens.

5. Enter the threat name.
6. If necessary, enter the threat description.
7. Under Indicators of compromise (IoCs), specify IoCs of this threat:
   1. If you plan to specify two or more IoCs, in the Detection criteria list, select the detection criteria (the logical operator):
      • Match ANY of the following, if you want an alert to occur if at least one of the IoCs is found on a device (the OR logical operator).
      • Match ALL of the following, if you want an alert to occur only if all of the IoCs are found on a device simultaneously (the AND logical operator).
   2. Under Indicator 1, select the IoC type, and then specify its value.

      When adding a registry key as an IoC, start from a registry hive (for example, HKEY_LOCAL_MACHINE\Software\Microsoft).
      When you add a registry key as an IoC, Kaspersky Endpoint Security for Windows scans only some of the registry keys.

   3. If you want to add more IoCs to the threat, click + Add an indicator, and then specify another IoC.

      To each threat, you can add a maximum of 100 IoCs.

8. Click Save to save the changes.

The threat is added to the selected IoC scan.

[Topic 232885]

IoC scan scope in the registry

When scanning Registry for threats, Kaspersky Endpoint Security for Windows scans only those registry keys that are most vulnerable to attacks.

When you add a registry key as an IoC, Kaspersky Next checks the entered value and accepts only the registry keys that start with the following values:

HKEY_CLASSES_ROOT\htafile

HKEY_CLASSES_ROOT\batfile

HKEY_CLASSES_ROOT\exefile

HKEY_CLASSES_ROOT\comfile

HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa

HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Print\Monitors

HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\NetworkProvider

HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Class

HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\SecurityProviders

HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Terminal Server

HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager

HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services

HKEY_LOCAL_MACHINE\Software\Classes\piffile

HKEY_LOCAL_MACHINE\Software\Classes\htafile

HKEY_LOCAL_MACHINE\Software\Classes\exefile

HKEY_LOCAL_MACHINE\Software\Classes\comfile

HKEY_LOCAL_MACHINE\Software\Classes\CLSID

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer

HKEY_LOCAL_MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Aedebug

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon

[Topic 231841]

Defining IoC scan settings

When configuring regular scans for threats on devices, you can define the following scan settings: schedule, scope, and automatic response actions.

To define settings of an IoC scan:

1. Open Kaspersky Next Management Console.
2. Select the Security management → Endpoint Detection and Response section.
3. Click the IoC scan button.
4. On the tile of the required scan, point to the vertical ellipsis, and then click Define scan settings.

   The Scan settings window opens.

5. In the Schedule list, select the required value:
   • Not specified (by default)

     The IoC scan never runs.

   • Every day

     Specify the time when the IoC scan must run.

   • Every week

     Specify the day of week and the time when the IoC scan must run.

   Custom scan will run at the specified time in the UTC±00:00 time zone. Proactive scan and Reactive scan will run at the specified time in the time zone of the device operating system. If a protected device is offline at the scheduled time, the task will run as soon as the device goes online.

6. Under Scan scope, click the Edit link to specify the list of devices on which the IoC scan must run.

   Select the check boxes next to the devices to be included and clear the check boxes next to the devices to be excluded. Click Save to save the changes.

   This setting is available only for Custom scan. For other scans (Proactive scan and Reactive scan), the scope is all of your users' devices running Windows. It cannot be modified.

   All new devices that are added in the future will be automatically included in the scan scope. So, if you want to exclude them from the scope of the custom scan, you must do it manually.

7. Under Response actions, select the response actions to be taken if the specified threats are detected:
   • Alert only

     The event of detecting a threat is added to the Event log. No other actions are taken.

   • Alert and response

     The event of detecting a threat is added to the Event log. Additionally, the selected response actions are taken:

     • Run scan of critical areas

       Kaspersky Endpoint Security for Windows scans the kernel memory, running processes, and disk boot sectors of an affected device.

     • Move copy to Quarantine and delete object

       Kaspersky Endpoint Security for Windows first creates a backup copy of the malicious object found on the device, in case the object needs to be restored later. The backup copy is moved to Quarantine. Then, Kaspersky Endpoint Security for Windows deletes the object.

     • Isolate device from the network

       Kaspersky Endpoint Security for Windows isolates the device from the network, to prevent the threat from spreading or prevent a breach of sensitive information. To configure the isolation duration, click Settings, and then select the required value.

       The isolation duration is common for all three IoC scans. If you change the value in the settings of one scan, it will be propagated to other scans.
       As an alternative, you can configure the isolation duration by selecting the Security management → Endpoint Detection and Response section, and then clicking Response settings → Network isolation.

8. Click Save to save the changes.

The settings of the selected IoC scan are defined.

[Topic 231850]

Resetting IoC scan settings to default values

If necessary, you can reset the settings of any regular scan for threats to the default values. You can reset the scan schedule, scope, and response actions. The set of threats that are scanned for is not changed.

To reset IoC scan settings to default values:

1. Open Kaspersky Next Management Console.
2. Select the Security management → Endpoint Detection and Response section.
3. Click the IoC scan button.
4. On the tile of the required scan, point to the vertical ellipsis, and then click Reset settings to default.
5. In the Reset settings to default window that opens, click the Confirm button to confirm the action.

The settings of the selected IoC scan are reset to the default values.

[Topic 231822]

Configuring execution prevention

You can define settings according to which Kaspersky Endpoint Security for Windows prevents the execution of certain objects (executable files and scripts) or the opening of Microsoft Office documents on your users' devices.

Later, when analyzing Endpoint Detection and Response alerts, you may want to add a detected object to the list of execution prevention rules, to prevent it from being executed in the future on the same and other devices.

Execution prevention has the following limitations:

• Prevention rules do not cover files on CDs, DVDs, or in ISO images. Kaspersky Endpoint Security for Windows does not block the execution or opening of these files.
• It is impossible to block the startup of a system-critical object (SCO). SCOs are files that the operating system and Kaspersky Endpoint Security for Windows require to be able to run.
• You can add up to 1000 execution prevention rules.

To configure execution prevention:

1. Open Kaspersky Next Management Console.
2. Select the Security management → Endpoint Detection and Response section.
3. Click Response settings → Execution prevention.
4. Set the toggle switch to Execution prevention is enabled.
5. Under Action, select the action to be taken when the user tries to execute or open one of the specified unwanted objects:
   • Block and add to Event log (by default)

     The information about the detection is added to the Event log. The execution or opening of the object is blocked.

   • Add to Event log only

     The information about the detection is added to the Event log. No other actions are taken.

6. Under Execution prevention rules, specify the list of objects that are controlled by Execution prevention.

   Do any of the following:

   • To add an execution prevention rule:
     1. Click the Add button.
     2. In the Add an execution prevention rule window that opens, define the rule settings, as described later in this section.
     3. Click Save to close the Add an execution prevention rule window.
   • To enable or disable an added execution prevention rule, set the toggle switch next to that rule to the desired state:
     • If the toggle switch is green, the rule is enabled. The execution or opening of the object specified in the rule settings is detected.

       By default, a newly added rule is enabled.

     • If the toggle switch is gray, the rule is disabled. The execution or opening of the object specified in the rule settings is ignored.
   • To edit an added execution prevention rule:
     1. Select the check box next to the required rule.
     2. Click the Edit button.
     3. In the Edit execution prevention rule window that opens, define the new settings of the rule, as described later in this section.
     4. Click Save to close the Edit execution prevention rule window.
   • To delete execution prevention rules that were added:
     1. Select the check boxes next to the required rules.
     2. Click the Delete button.
7. Click Save to save the changes.

The list of execution prevention rules is updated.

To define the settings of an execution prevention rule:

1. Start adding or editing a rule, as described earlier in this section.
2. In the Rule name field, enter the name of the rule.
3. Select the criteria according to which you want to specify the required object.

   You can specify either of the following criteria:

   • Path to object

     If you want to specify the object by its path, select Use in the list, and then enter the value.

   • Object checksum

     If you want to specify the object by its MD5 or SHA256 checksum, select the required value in the list, and then enter the checksum value.

   If you specify both criteria, the rule will be applied to objects that match both of them simultaneously.

4. Click Save to save the changes.

The defined settings are saved.

[Topic 231765]

Viewing information about Endpoint Detection and Response alerts

You can view information about Endpoint Detection and Response alerts in a widget and a table. The widget shows up to 10 alerts and the table shows up to 1000 alerts.

If you have configured notifications about the IoC found events, sometimes you may be notified about a detected IoC before the respective alert is displayed inside Kaspersky Next. This is because events occur when the IoC scan is still in progress, while an alert appears only after the scan ends.

Endpoint Detection and Response widget

To view the Endpoint Detection and Response widget:

1. Open Kaspersky Next Management Console.
2. In the Information panel section, click the Monitoring tab.
3. If Endpoint Detection and Response is disabled, start using the feature.

The widget displays the requested information.

From the displayed widget, you can proceed to the following:

• Properties of the device on which a detection occurred.
• Alert details, depending on the technology that detected the alert:
  • If the alert was detected by Endpoint Protection Platform (EPP)—threat development chain graph, to perform root-cause analysis of the attack and take response measures.
  • If the alert was detected by Indicators of Compromise Scan (IoC Scan)—objects that have been detected by using IoCs and automatic response measures that have been taken.
• Table with the Endpoint Detection and Response alerts.

Endpoint Detection and Response table

To view the table with the Endpoint Detection and Response alerts:

1. Open Kaspersky Next Management Console.
2. Open the Endpoint Detection and Response alerts window in any of the following ways:
   • In the Information panel section, click the Monitoring tab, and then click the Go to the list of alerts link in the Endpoint Detection and Response widget.
   • Select the Security management → Endpoint Detection and Response section.
3. If Endpoint Detection and Response is disabled, start using the feature.

   The table displays the requested information.

4. Filter the displayed records by selecting the required values in the drop-down lists:
   • Detected on

     The period over which alerts have occurred.

   • Status

     The status of alerts, depending on the technology that detected them:

     • If an alert was detected by EPP—whether the detected objects have been treated or untreated (deleted).
     • If an alert was detected by IoC scan—whether IoCs have been only detected or automatic response measures have been taken.
   • Technology

     The technology that detected alerts: EPP or IoC scan.

From the displayed table, you can proceed to the following:

• Properties of the device on which a detection occurred.
• Settings of the security profile that is assigned to the user who owns an affected device.
• Alert details, depending on the technology that detected the alert:
  • If the alert was detected by Endpoint Protection Platform (EPP)—threat development chain graph, to perform root-cause analysis of the attack and take response measures.
  • If the alert was detected by Indicators of Compromise Scan (IoC Scan)—objects that have been detected by using IoCs and automatic response measures that have been taken.

Also, you can export information about all of the current alerts to a CSV file.

[Topic 231766]

Viewing a threat development chain graph

For each alert that has been detected by Endpoint Detection and Response by using the Endpoint Protection Platform (EPP) technology and that is displayed on a widget or in a table, you can view a threat development chain graph.

A threat development chain graph is a tool for analyzing the root cause of an attack. The graph provides visual information about the objects involved in the attack, for example, processes on a managed device, network connections, or registry keys.

While analyzing the threat development chain graph, you may want to take manual response measures or fine-tune the Endpoint Detection and Response feature.

To view a threat development chain graph:

1. Proceed to the Endpoint Detection and Response widget or table.
2. In the required line where the Technology column value is EPP, click Examine.

The Threat development chain graph window opens. The window contains a threat development chain graph and detailed information about the alert.

A threat development chain graph shows the following types of objects:

• Process
• File
• Network connection
• Registry key

A graph is generated according to the following rules:

1. The central point of a graph is a process that meets either of the following rules:
   • If the threat has been detected in a process, it is this process.
   • If the threat has been detected in a file, it is the process that created this file.
2. For the process that is mentioned in rule 1, the graph shows up to two parent processes. A parent process is the one that either generated or modified a child process.
3. For the process that is mentioned in rule 1, the graph shows all other related objects: created files, created and modified child processes, organized network connections, and modified registry keys.

When you click any object on a graph, the area below shows detailed information about the selected object.

When you click a link in the SHA256, MD5, IP address, or URL fields in the detailed information about a file, you are taken to the Kaspersky Threat Intelligence Portal https://opentip.kaspersky.com/. The portal brings together all of the knowledge that Kaspersky has acquired about cyberthreats into a single web service. It allows you to check any suspicious threat indicator, whether it is a file, file hash, IP address, or web address.

Page top

[Topic 231627]

Example of analyzing a threat development chain graph

This section contains an example of a threat development chain graph and how you can use it for analyzing an attack on your users' devices.

Let's consider an attack using a phishing email message that contains an attachment. The attachment is an executable file.

The user saves and runs the file on his or her device. Kaspersky Endpoint Security for Windows makes a detection of the Malicious object detected type.

A detection in Kaspersky Endpoint Security for Windows

The Endpoint Detection and Response widget shows up to 10 alerts.

Endpoint Detection and Response widget

By clicking the Examine link in the required line of the widget, you can proceed to a threat development chain graph.

A threat development chain graph

The threat development chain graph provides you with information about the alert, for example: actions that occurred on the device during the alert, category of the detected threat, the file origin (in this example, an email), the user who downloaded the file (in this example, an administrator). Also, the chain graph shows that additional files were created on the device, that several network connections were established, and that some registry keys were changed.

Based on this information, you can do the following:

• Verify the settings of the mail server.
• Add the email message sender to the denylist (if the sender is external), or address him or her directly (if the sender is internal).
• Check whether other devices have connected to the same IP addresses.
• Add these IP addresses to the denylist.

When you click a link in the SHA256, MD5, IP address, or URL fields in the detailed information about a file, you are taken to the Kaspersky Threat Intelligence Portal https://opentip.kaspersky.com/. The Portal shows that the detected file is neither a threat nor a known file.

Kaspersky Threat Intelligence Portal

This example shows the importance of the Endpoint Detection and Response feature. The parent file of the detected file is untrusted, but it is not a malicious one. It means that it has not been detected by Kaspersky Endpoint Security for Windows. This file is still present on the device and within the organization. If the organization has devices on which some protection components are disabled (for example, Behavior Detection) or on which anti-malware databases are not up-to-date, the malicious activity of the parent file will not be detected and the criminals may have a chance to penetrate your organization's infrastructure.

[Topic 231873]

Viewing IoC scan results

For each alert that has been detected by Endpoint Detection and Response by using the Indicators of Compromise Scan (IoC Scan) technology and that is displayed on a widget or in a table, you can view information about the objects that have been detected by using IoCs and the automatic response measures that have been taken.

While analyzing the IoC scan results, you may want to take manual response measures or fine-tune the Endpoint Detection and Response feature.

To view IoC scan results:

1. Proceed to the Endpoint Detection and Response widget or table.
2. In the required line where the Technology column value is IoC, click Examine.

The IoC scan results window opens. This window contains detailed information about the IoCs that have been found and the automatic response measures that have been taken.

[Topic 231875]

Taking manual response measures

While analyzing alert details, you may want to take manual response measures or fine-tune the Endpoint Detection and Response feature.

You can take the following response measures:

• Isolate the affected device from the network.
• Add the Indicators of Compromise (IoCs) of the detected threat to a regular scan for threats on devices (applicable only to alerts detected by EPP).
• Prevent execution of the detected object.
• Move the copy of the detected object to Quarantine and delete the object.

To isolate a device from the network:

1. In the message about the object detection and processing, point to the horizontal ellipsis, and then click Isolate device.
2. Select the required isolation duration.
3. Click the Isolate device button to isolate the device.

The device is isolated from the network.

This setting overrides the general isolation settings and is applied only to the current device. General isolation settings are not changed.

To add the IoCs of a detected threat to a regular scan for threats:

1. In the section with detailed information about a detected object, either click the Add to IoC scan button or point to the horizontal ellipsis, and then click Add to IoC scan.
2. If necessary, edit the threat name and description. By default, the threat is named "[Threat Graph] <Threat name from the EPP alert>".
3. If necessary, edit the detection criteria (the logical operator):
   • Match ANY of the following, if you want an alert to occur if at least one of the IoCs is found on a device (the OR logical operator).
   • Match ALL of the following, if you want an alert to occur only if all of the IoCs are found on a device simultaneously (the AND logical operator).
4. If necessary, edit the list of IoCs. The list of IoCs consists of two parts:
   • New IoCs

     IoCs that are taken from the alert.

   • Previously added IoCs

     IoCs that have been added to the same threat earlier (if any).

5. If necessary, remove any of the IoCs by clicking the Delete () icon next to it.
6. Click the Run scan button to save and run the IoC scan.

The IoC scan settings are changed. The scan has re-started on the devices.

To prevent execution of a detected object:

1. Do either of the following:
   • [For an alert detected by EPP] In the section with detailed information about a detected object, either click the Prevent execution button or point to the horizontal ellipsis, and then click Prevent execution.
   • [For an alert detected by IoC Scan] In the section with detailed information about a detected IoC, next to Manual response, click Actions, and then select Prevent execution.
2. Review the properties of the planned operation: the unwanted objects whose execution will be prevented and the action that will be taken upon execution or opening of these objects.
3. Click Confirm to confirm the operation.

The detected object is added to the execution prevention rules.

To move the copy of a detected object to Quarantine and delete the object:

1. Do either of the following:
   • [For an alert detected by EPP] In the section with detailed information about a detected object, either click the Move to Quarantine button or point to the horizontal ellipsis, and then click Move to Quarantine.
   • [For an alert detected by IoC Scan] In the section with detailed information about a detected IoC, next to Manual response, click Actions, and then select Move to Quarantine.
2. Review the properties of the planned operation: the file that will be moved to Quarantine and the device on which this will happen.
3. Click Move to confirm the operation.

Kaspersky Endpoint Security for Windows first creates a backup copy of the malicious object found on the device, in case the object needs to be restored later. The backup copy is moved to Quarantine. Then, Kaspersky Endpoint Security for Windows deletes the object.

[Topic 231888]

Canceling network isolation of a Windows device

Depending on the settings of regular scans for threats or on your decision when analyzing occurred alerts, a device on which a threat has been detected may be isolated from the network for a certain period. When you are sure that the isolation is no longer needed (for example, you have stopped the threat spreading or data breach), you can send a command to cancel isolation of a device before the specified period elapses.

To cancel network isolation of a Windows device:

1. Open Kaspersky Next Management Console.
2. Select the Devices section.

   The Devices section contains a list of devices that have been added to Kaspersky Next.

3. Do either of the following:
   • Select the check box next to the required isolated device, and then click the Cancel isolation button.
   • Click the link with the device name.

     This opens a page containing detailed information about the device. The left part of the page shows the Commands list, which contains buttons with the commands that are available for the device.

     Click the Cancel isolation button.

The isolation cancelation command is sent to the device. Its execution takes some time.

[Topic 231768]

Exporting information about Endpoint Detection and Response alerts

From the table with Endpoint Detection and Response alerts, you can export information about all of the current alerts to a CSV file. For example, you can use a file with alerts to prepare a report for your management.

To export information about Endpoint Detection and Response alerts:

1. Proceed to the table with the Endpoint Detection and Response alerts.
2. Click the Export alerts button.

   The Export Endpoint Detection and Response alerts window opens.

3. Click Export to confirm the export.

A file with Endpoint Detection and Response alerts is created and automatically downloaded. The file contains the same columns as the table with alerts.

Page top

[Topic 231769]

Disabling Endpoint Detection and Response

If you want to stop using Endpoint Detection and Response, you can disable the feature as described in this section.

To disable Endpoint Detection and Response:

1. Open Kaspersky Next Management Console.
2. Select the Settings section.

   The General settings of Kaspersky Next page is displayed.

3. Click the Settings link in the Use of Endpoint Detection and Response section.

   The Endpoint Detection and Response page opens.

4. Click the Disable Endpoint Detection and Response button.
5. In the confirmation window that opens, click the Disable button.

Endpoint Detection and Response is disabled.

Later, you can enable the feature again.

[Topic 212583]

Root-Cause Analysis

This section contains information about Root-Cause Analysis.

The Root-Cause Analysis feature allows you to detect and root out advanced attacks, perform root-cause analysis with a visualized threat development chain graph, and drill down to details for further review.

This feature is available only if you activated Kaspersky Next under a Kaspersky Next EDR Foundations license.
If you activated Kaspersky Next under a Kaspersky Next EDR Optimum or XDR Expert license, you have access to the full-fledged Endpoint Detection and Response.

To use this feature, you need Kaspersky Endpoint Security 11.8 for Windows or later.

[Topic 212591]

About Root-Cause Analysis

Kaspersky Next allows you to detect and root out advanced attacks, perform root-cause analysis with a visualized threat development chain graph, and drill down to details for further review.

This feature is available only if you activated Kaspersky Next under a Kaspersky Next EDR Foundations license.
If you activated Kaspersky Next under a Kaspersky Next EDR Optimum or XDR Expert license, you have access to the full-fledged Endpoint Detection and Response.

To use this feature, you need Kaspersky Endpoint Security 11.8 for Windows or later.

Root-Cause Analysis detects threats in the following types of objects:

• Process
• File
• Registry key
• Network connection

You can start using the Root-Cause Analysis feature when you start Kaspersky Next Management Console for the first time or after Kaspersky Next is upgraded to a new version. If you did not start using Root-Cause Analysis during the initial or additional setup of Kaspersky Next, you can do it later.

The Root-Cause Analysis widget and table display detections that occur on your users' devices and allow you to investigate a threat development chain graph for each detection. The widget shows up to 10 detections and the table shows up to 1000 detections.

From the Root-Cause Analysis table, you can export information about all of the current detections to a CSV file.

If you want to stop using the feature, you can disable it and later enable it again.

[Topic 212597]

Starting the use of Root-Cause Analysis

You can start using the Root-Cause Analysis feature when you start Kaspersky Next Management Console for the first time or after Kaspersky Next is upgraded to a new version. If you did not start using Root-Cause Analysis during the initial or additional setup of Kaspersky Next, you can do it as described in this section.

After you start using the feature, the distribution package of Kaspersky Endpoint Security for Windows (version 11.8 or later) is automatically prepared. Then, Kaspersky Endpoint Security for Windows is automatically upgraded on managed devices running Windows.

To start using Root-Cause Analysis:

1. Open Kaspersky Next Management Console.
2. Do any of the following:
   • In the Information panel section, select the Getting started tab.
   • In the Information panel section, select the Monitoring tab.
   • In the Settings section, click the Settings link below Use of Root-Cause Analysis.

     The Root-Cause Analysis page opens.

3. Click Enable Root-Cause Analysis.

   The Enable Use of Root-Cause Analysis Wizard opens.

   Some steps of the Wizard may be missing if you performed them during the initial or additional setup of Kaspersky Next.

   The Agreements for Kaspersky Endpoint Security for Windows window opens.

   This window displays the texts of the End User License Agreement for Kaspersky Endpoint Security for Windows, the End User License Agreement for Kaspersky Security Center Network Agent, the Supplemental Clauses regarding Data Processing for Kaspersky Endpoint Security for Windows and Network Agent, and the link to the Kaspersky Lab Products and Services Privacy Policy.

4. Carefully read the text of each document.

   If you agree to the terms and conditions of the agreements, and if you are aware and agree that your data will be handled and transmitted (including to third countries) as described in the Privacy Policy, and you confirm that you have fully read and understand the Privacy Policy, select the check boxes next to the listed documents, and then click the I accept the terms button.

   If you do not agree to the terms and conditions, do not use the security applications. If only some of the check boxes are selected, you will not be able to use Root-Cause Analysis. The Agreements for Kaspersky Endpoint Security for Windows window will close.

   The Proxy server settings window opens.

5. If necessary, define the proxy server settings, and then click Next.

Root-Cause Analysis is enabled.

Later, you can disable the feature if you want to stop using it.

[Topic 212607]

Viewing information about Root-Cause Analysis detections

You can view information about Root-Cause Analysis detections in a widget and a table. The widget shows up to 10 detections and the table shows up to 1000 detections.

Root-Cause Analysis widget

To view the Root-Cause Analysis widget:

1. Open Kaspersky Next Management Console.
2. In the Information panel section, click the Monitoring tab.
3. If Root-Cause Analysis is disabled, start using the feature.

The widget displays the requested information.

From the displayed widget, you can proceed to the following:

• Properties of the device on which a detection occurred.
• Threat development chain graph, to perform root-cause analysis of the attack.
• Table with the Root-Cause Analysis detections.

Root-Cause Analysis table

To view the table with the Root-Cause Analysis detections:

1. Open Kaspersky Next Management Console.
2. Open the Root-Cause Analysis detections window in any of the following ways:
   • In the Information panel section, click the Monitoring tab, and then click the Go to the list of detections link in the Root-Cause Analysis widget.
   • Select the Security management → Root-Cause Analysis section.
3. If Root-Cause Analysis is disabled, start using the feature.

   The table displays the requested information.

4. Filter the displayed records by selecting the required values in the drop-down lists:
   • Detected on

     The period over which detections have occurred.

   • Status

     Whether the detected objects have been treated or untreated (deleted).

From the displayed table, you can proceed to the following:

• Properties of the device on which a detection occurred.
• Settings of the security profile that is assigned to the user who owns an affected device.
• Threat development chain graph, to perform root-cause analysis of the attack.

Also, you can export information about all of the current detections to a CSV file.

[Topic 212965]

Viewing a threat development chain graph

For each detection that has been made by Root-Cause Analysis and is displayed on a widget or in a table, you can view a threat development chain graph.

A threat development chain graph is a tool for analyzing the root cause of an attack. The graph provides visual information about the objects involved in the attack, for example, processes on a managed device, network connections, or registry keys.

To view a threat development chain graph:

1. Proceed to the Root-Cause Analysis widget or table.
2. In the required line, click Examine.

The Root-Cause Analysis detection details window opens. The window contains a threat development chain graph and detailed information about the detection.

A threat development chain graph shows the following types of objects:

• Process
• File
• Network connection
• Registry key

A graph is generated according to the following rules:

1. The central point of a graph is a process that meets either of the following rules:
   • If the threat has been detected in a process, it is this process.
   • If the threat has been detected in a file, it is the process that created this file.
2. For the process that is mentioned in rule 1, the graph shows up to two parent processes. A parent process is the one that either generated or modified a child process.
3. For the process that is mentioned in rule 1, the graph shows all other related objects: created files, created and modified child processes, organized network connections, and modified registry keys.

When you click any object on a graph, the area below shows detailed information about the selected object.

When you click a link in the SHA256, MD5, IP address, or URL fields in the detailed information about a file, you are taken to the Kaspersky Threat Intelligence Portal https://opentip.kaspersky.com/. The portal brings together all of the knowledge that Kaspersky has acquired about cyberthreats into a single web service. It allows you to check any suspicious threat indicator, whether it is a file, file hash, IP address, or web address.

Page top

[Topic 213463]

Example of analyzing a threat development chain graph

This section contains an example of a threat development chain graph and how you can use it for analyzing an attack on your users' devices.

Let's consider an attack using a phishing email message that contains an attachment. The attachment is an executable file.

The user saves and runs the file on his or her device. Kaspersky Endpoint Security for Windows makes a detection of the Malicious object detected type.

A detection in Kaspersky Endpoint Security for Windows

The Root-Cause Analysis widget shows up to 10 detections.

Root-Cause Analysis widget

By clicking the Examine link in the required line of the widget, you can proceed to a threat development chain graph.

A threat development chain graph

The threat development chain graph provides you with information about the detection, for example: actions that occurred on the device during the detection, category of the detected threat, the file origin (in this example, an email), the user who downloaded the file (in this example, an administrator). Also, the chain graph shows that additional files were created on the device, that several network connections were established, and that some registry keys were changed.

Based on this information, you can do the following:

• Verify the settings of the mail server.
• Add the email message sender to the denylist (if the sender is external), or address him or her directly (if the sender is internal).
• Check whether other devices have connected to the same IP addresses.
• Add these IP addresses to the denylist.

When you click a link in the SHA256, MD5, IP address, or URL fields in the detailed information about a file, you are taken to the Kaspersky Threat Intelligence Portal https://opentip.kaspersky.com/. The Portal shows that the detected file is neither a threat nor a known file.

Kaspersky Threat Intelligence Portal

This example shows the importance of the Root-Cause Analysis feature. The parent file of the detected file is untrusted, but it is not a malicious one. It means that it has not been detected by Kaspersky Endpoint Security for Windows. This file is still present on the device and within the organization. If the organization has devices on which some protection components are disabled (for example, Behavior Detection) or on which anti-malware databases are not up-to-date, the malicious activity of the parent file will not be detected and the criminals may have a chance to penetrate your organization's infrastructure.

[Topic 215962]

Exporting information about Root-Cause Analysis detections

From the table with Root-Cause Analysis detections, you can export information about all of the current detections to a CSV file. For example, you can use a file with detections to prepare a report for your management.

To export information about Root-Cause Analysis detections:

1. Proceed to the table with the Root-Cause Analysis detections.
2. Click the Export detections button.

   The Export Root-Cause Analysis detections window opens.

3. Click Export to confirm the export.

A file with Root-Cause Analysis detections is created and automatically downloaded. The file contains the same columns as the table with detections.

Page top

[Topic 212599]

Disabling Root-Cause Analysis

If you want to stop using Root-Cause Analysis, you can disable the feature as described in this section.

To disable Root-Cause Analysis:

1. Open Kaspersky Next Management Console.
2. Select the Settings section.

   The General settings of Kaspersky Next page is displayed.

3. Click the Settings link in the Use of Root-Cause Analysis section.

   The Root-Cause Analysis page opens.

4. Click the Disable Root-Cause Analysis button.
5. In the confirmation window that opens, click the Disable button.

Root-Cause Analysis is disabled.

Later, you can enable the feature again.

[Topic 228146]

Adaptive Anomaly Control

This section contains information about Adaptive Anomaly Control.

The Adaptive Anomaly Control feature monitors and blocks actions that are not typical of the Windows devices in a company's network.

This feature is available only if you activated Kaspersky Next under a Kaspersky Next EDR Optimum or XDR Expert license.

[Topic 230902]

About Adaptive Anomaly Control

Kaspersky Next monitors and blocks actions that are not typical of the Windows devices in a company's network.

This feature is available only if you activated Kaspersky Next under a Kaspersky Next EDR Optimum or XDR Expert license.

Adaptive Anomaly Control uses a set of rules to track uncharacteristic behavior (for example, the Start of Microsoft PowerShell from office application rule). Rules are created by Kaspersky experts, based on typical scenarios of malicious activity. You can configure how Adaptive Anomaly Control handles each rule and, for example, allow the execution of PowerShell scripts that automate certain workflow tasks. Kaspersky Next updates the set of rules along with the application databases.

Each Adaptive Anomaly Control rule can be in one of the following modes:

• Notify

  The detections made by this rule are only added to the Event log. No other actions are made.

• Block

  The feature blocks all actions that are associated with the rule.

• Smart

  First, you train the rule by selecting whether the detections made by it are actually uncharacteristic behavior or false positives. After the training period ends, the feature allows or blocks further actions according to the training results.

You can enable and configure Adaptive Anomaly Control. After the feature detects some uncharacteristic behavior, you can process the list of detections and either confirm them or add to exclusions, depending on whether a detection is actually anomalous behavior or not.

Kaspersky Next also provides you with two reports related to the feature.

[Topic 230967]

Configuring Adaptive Anomaly Control

To configure Adaptive Anomaly Control:

1. Open Kaspersky Next Management Console.
2. Select the Security management → Security profiles section.

   The Security profiles section contains a list of security profiles configured in Kaspersky Next.

3. In the list, select the security profile for the devices on which you want to configure Adaptive Anomaly Control.
4. Click the link with the profile name to open the security profile properties window.

   The security profile properties window displays settings available for all devices.

5. In the Windows group, select the Management settings section.
6. Set the toggle switch to Adaptive Anomaly Control is enabled.
7. Click the Settings link below the Adaptive Anomaly Control is enabled toggle switch.

   The Adaptive Anomaly Control component settings page opens.

8. Enable or disable the required Adaptive Anomaly Control rules:
   • To enable a rule, enable the toggle switch in the Status column.
   • To disable a rule, disable the toggle switch in the Status column.
9. In the Action column, select the mode of each rule:
   • Notify

     The detections made by this rule are only added to the Event log. No other actions are made.

   • Block

     The feature blocks all actions that are associated with the rule.

   • Smart

     First, you train the rule by selecting whether the detections made by it are actually uncharacteristic behavior or false positives. After the training period ends, the feature allows or blocks further actions according to the training results.

10. If necessary, change exclusions to the rules.
11. Click the Save button.

After the security profile is applied, the Adaptive Anomaly Control component is enabled and configured on Windows devices.

[Topic 231584]

Changing exclusions to Adaptive Anomaly Control rules

You can add, modify, and delete exclusions to Adaptive Anomaly Control rules.

Adding exclusions

You can add exclusions in either of the following ways:

• When processing Adaptive Anomaly Control detections.
• When configuring Adaptive Anomaly Control, as described later in this section.

To add an exclusion to an Adaptive Anomaly Control rule:

1. Proceed to the Adaptive Anomaly Control settings page.
2. Select the check box next to required rule.
3. Click the Edit button.

   The Exclusions from rule <rule name> window opens.

4. Click the Add button.

   The Add an exclusion window opens.

5. Define the exclusion settings:
   • Source process and Source object

     The object that performed the detected actions (for example, a file that the user opened).

   • Target process and Target object

     The object on which the detected actions were performed (for example, a browser that uses a library that is loaded into the computer memory as a result of opening the file).

6. Click OK to close the Add an exclusion window.

The added record appears in the list of exclusions in the Exclusions from rule <rule name> window.

Modifying exclusions

To modify an exclusion to an Adaptive Anomaly Control rule:

1. Proceed to the Adaptive Anomaly Control settings page.
2. Select the check box next to required rule.
3. Click the Edit button.

   The Exclusions from rule <rule name> window opens.

4. Select the check box next to the required exclusion.
5. Click the Edit button.

   The Add an exclusion window opens. It contains details about the selected exclusion.

6. Make the necessary changes.
7. Click OK to close the Add an exclusion window.

The modified record is displayed in the list of exclusions in the Exclusions from rule <rule name> window.

Deleting exclusions

You may want to delete an exclusion from an Adaptive Anomaly Control rule if, for example, you added it by mistake.

To delete exclusions from an Adaptive Anomaly Control rule:

1. Proceed to the Adaptive Anomaly Control settings page.
2. Select the check box next to required rule.
3. Click the Edit button.

   The Exclusions from rule <rule name> window opens.

4. Select the check boxes next to the required exclusions
5. Click Delete.

The deleted exclusions disappear from the list of exclusions in the Exclusions from rule <rule name> window.

[Topic 231503]

Scenario: Configuring Adaptive Anomaly Control rules in the Smart mode

Configuring the Adaptive Anomaly Control rules proceeds in stages:

1. Training

   After you enable Adaptive Anomaly Control, its rules are in the "Smart training" state. During the training, Adaptive Anomaly Control monitors detections made by the rule and sends detection events to the server.

   If a rule is not triggered at all on a certain device during the training, Adaptive Anomaly Control considers the actions associated with this rule as non-typical. Kaspersky Next will block all actions associated with that rule on that device.

   If a rule is triggered during the training, Kaspersky Next adds events to the detections report and to the Detections of Adaptive Anomaly Control rules repository of the Quarantine.

2. Processing the list of detections

   Analyze the list of detections in the Detections of Adaptive Anomaly Control rules repository. For each detection, perform one of the following actions:

   • If the detection is not anomalous, add it to exclusions. As a result, this detection and all detections of the same object on other devices are removed from the list. Later, this object will not be detected again on any of your users' devices.

     You can add up to 1000 exclusions for all rules.

   • If the detection is actually anomalous, confirm it. As a result, the detection is removed from the list. Later, if this object is detected again on the same or any other device, it will re-appear in the list of detections.

Each rule has its own training duration that is set by Kaspersky experts. Normally, the training lasts two weeks. The training time is counted separately for each device and only when Kaspersky Endpoint Security for Windows is working on the device. For example, if the training on a device has lasted for a week, and then the device is turned off during a month, the second training week starts only when the device is turned on again.

The training for a rule on a device ends when there are no unprocessed detections over the training duration. That is why we recommend that you process detections at least once a week.

[Topic 228262]

Processing Adaptive Anomaly Control detections

During the training of Adaptive Anomaly Control rules in the Smart mode, events about detections are added to the Detections of Adaptive Anomaly Control rules repository of the Quarantine. When processing the list of detections, you can either confirm them or add to exclusions, depending on whether a detection is actually anomalous behavior or not.

We recommend that you process detections at least once a week. Otherwise, the training of the rules may never complete and the rules may not start blocking malicious activity on devices.

To process Adaptive Anomaly Control detections:

1. Open Kaspersky Next Management Console.
2. Select the Quarantine section.

   The Quarantine section contains a list of objects belonging to the following categories: Quarantine and backup, Unprocessed files, and Detections of Adaptive Anomaly Control rules.

3. In the File category drop-down list, select Detections of Adaptive Anomaly Control rules.

   The page displays all active detections that have not been processed.

   From the displayed table, you can proceed to the following:

   • Properties of the device on which a detection occurred.
   • Settings of the security profile that is assigned to the user who owns an affected device.
   • Detailed information about the detection.
4. Click the link in the Detected object column, to view detailed information about a detection.

   The Detection details window opens.

5. Analyze the detection details.
6. Do either of the following:
   • If the detection is not anomalous, add it to exclusions. As a result, this detection and all detections of the same object on other devices are removed from the list. Later, this object will not be detected again on any of your users' devices.

     You can add up to 1000 exclusions for all rules.

   • If the detection is actually anomalous, confirm it. As a result, the detection is removed from the list. Later, if this object is detected again on the same or any other device, it will re-appear in the list of detections.
7. If necessary, process another detection.

The detections are processed.

[Topic 208434]

Data Discovery

This section contains information about Data Discovery.

The Data Discovery feature detects critical information in files that are located in Office 365 cloud storages.

This feature is available only if you activated Kaspersky Next under a Kaspersky Next EDR Optimum or XDR Expert license.

[Topic 208594]

About Data Discovery

Kaspersky Next detects critical information in files that are located in Office 365 cloud storages. You can view the information about each detected file—its name, sharing type (private, within the company, or outside the company), and who edited it last.

This feature is available only if you activated Kaspersky Next under a Kaspersky Next EDR Optimum or XDR Expert license.

You can start using the Data Discovery feature when you start Kaspersky Next Management Console for the first time or after Kaspersky Next is upgraded to a new version. If you did not start using Data Discovery during the initial or additional setup of Kaspersky Next, you can do it later. After you start using the feature, connect your Office 365 organization to your workspace.

The Data Discovery widget and table display detections of critical information in files. The widget shows up to 10 detected files and the table shows up to 1000 detections.

From the Data Discovery table, you can export information about all of the current detections to a CSV file.

If you want to stop using the feature, you can disable it. Later, you can enable it again.

If you delete your workspace after starting the use of Data Discovery, or if you disable the feature and do not want to use it again, you must go to your Office 365 and manually revoke the permissions that you granted to the Kaspersky Next – DLP scanner application.

[Topic 271753]

Categories of information detected by Data Discovery

Kaspersky Next detects the following categories of critical information:

• Credit/Debit Card Number
• Brazilian Personally Identifiable Information:
  • Brazilian Driver's License (CNH)
  • Brazilian Identity Card (RG)
  • Brazilian Individual Taxpayer Registry (CPF)
  • Brazilian Passport
• Chilean Personally Identifiable Information:
  • Chilean Driver's License
  • Chilean Identity Card
  • Chilean Passport
  • Chilean Unique Taxpayer Number
• Colombian Personally Identifiable Information:
  • Colombian Driver's License
  • Colombian Identity Card
  • Colombian Passport
  • Colombian Unique Taxpayer Number (NIT)
• French Personally Identifiable Information:
  • French Driver's License
  • French Identity Card
  • French Passport
  • French Social Security Number
• German Personally Identifiable Information:
  • German Driver's License
  • German Identity Card
  • German Passport
  • German Residence Permit
  • German Social Insurance Number (SIN)
  • German Tax Identification number (TIN)
• Italian Personally Identifiable Information:
  • Italian Driver's License
  • Italian Fiscal Code
  • Italian Identity Card
  • Italian Passport
• Mexican Personally Identifiable Information:
  • Mexican Citizen Card (CURP)
  • Mexican Individual Taxpayer Registry (RFC)
  • Mexican Passport
  • Mexican Social Security Number
• Portuguese Personally Identifiable Information:
  • Portuguese Citizen Card
  • Portuguese Driver's License
  • Portuguese Passport
  • Portuguese Social Security Number (NISS)
  • Portuguese Tax Identification Number (NIF)
• Spanish Personally Identifiable Information:
  • Spanish Identity Card
  • Spanish National Insurance Number
  • Spanish Passport
  • Spanish Unique Taxpayer Reference
• UK Personally Identifiable Information:
  • UK Driving License
  • UK National Insurance Number
  • UK Passport
  • UK Residence Permit
  • UK Unique Taxpayer Reference (UTR)
• USA Personally Identifiable Information:
  • US Driver's License
  • US Individual Taxpayer Identification Number (ITIN)
  • US Passport
  • US Social Security Number (SSN)

[Topic 208595]

Starting the use of Data Discovery

You can start using the Data Discovery feature when you start Kaspersky Next Management Console for the first time or after Kaspersky Next is upgraded to a new version. If you did not start using Data Discovery during the initial or additional setup of Kaspersky Next, you can do it as described in this section.

To start using Data Discovery:

1. Open Kaspersky Next Management Console.
2. Do any of the following:
   • In the Information panel section, select the Getting started tab.
   • In the Information panel section, select the Monitoring tab.
   • In the Settings section, click the Settings link below Use of Data Discovery for Microsoft Office 365.

     The Data Discovery page opens.

3. Click Enable Data Discovery.

   The Data Discovery Agreement window opens.

4. Carefully read the Limitation of Liability Agreement, select the check box under the agreement text, and click the I accept the terms button if you agree to them.

   If you click the I decline button, you will not be able to use Data Discovery.

Data Discovery is enabled.

Next, you must connect your Office 365 organization to your workspace. After that, you will be able to view information about detections.

Later, you can disable the feature if you want to stop using it.

[Topic 208627]

Connecting an Office 365 organization to your workspace

After you start using the Data Discovery feature, you must connect your Office 365 organization to your Kaspersky Next workspace, as described in this section. After that, you will be able to view the Data Discovery detections in Management Console.

To connect an Office 365 organization to your workspace:

1. Open Kaspersky Next Management Console.
2. Do any of the following:
   • In the Information panel section, select the Getting started tab, and then click Connect Office 365 organization.
   • In the Information panel section, select the Monitoring tab, and then click either the Connect Office 365 organization button or the Connect Office 365 organization link.

   You are redirected to the Microsoft Online website.

3. Specify the required Office 365 Global Administrator account and accept the granting of the requested permissions.

   The Global Administrator account that you specify must belong to the same Office 365 organization about which you want to view the information. Note that Kaspersky Next does not store the Global Administrator credentials and uses the acquired consent only.

   You are returned to the Kaspersky Next Management Console.

After the specified credentials are checked and verified, your Office 365 organization is connected to your Kaspersky Next workspace. Kaspersky Next starts the first scan of files that are located in Office 365 cloud storages.

After the scan completes, you can view the detections in the Data Discovery widget and table.

[Topic 208596]

Viewing information about Data Discovery detections

You can view information about Data Discovery detections in a widget and a table. The widget shows up to 10 detected files and the table shows up to 1000 detections.

Data Discovery widget

To view the Data Discovery widget:

1. Open Kaspersky Next Management Console.
2. In the Information panel section, click the Monitoring tab.
3. If Data Discovery is disabled, start using the feature.

   The Data Discovery widget displays up to 10 detected files.

4. Select or clear the Private, Company, and Public check boxes, to view up to 10 detected files shared to the selected audience (privately, within the company, or outside the company).
5. Click the link in the Data categories or File name column, to view detailed information about a detected file.

The widget displays the requested information.

From the widget, you can proceed to the table with the Data Discovery detections.

Data Discovery table

To view the table with the Data Discovery detections:

1. Open Kaspersky Next Management Console.
2. Do any of the following:
   • In the Information panel section, click the Monitoring tab, and then click the Go to the list of detections link in the Data Discovery widget.
   • Select the Security management → Data Discovery section.
3. If Data Discovery is disabled, start the use of the feature.

   The table displays up to 1000 detected files.

4. Filter the displayed records:
   1. By default, the quick filter is displayed. You can filter the displayed records by the Office 365 service that stores the detected files.
   2. Click Extended filter to use the extended filter.
   3. Select the required values in the drop-down lists:
      • Last edited on—The period over which files are detected.
      • Data categories—Categories of critical information that are detected in the files.
      • Access type—The audience to which the files are shared (privately, within the company, or outside the company).
      • Last edited by—If you select Custom, the Last edited by window opens. There, specify a text fragment to find accounts of the users who last edited the detected files.
      • Service name—Office 365 service that stores the detected files.
   4. Click Quick filter to return to the quick filter.
5. Click the link in the File name or Data categories column, to view detailed information about a detected file.

The table displays the requested information.

From the displayed table, you can export information about all of the current detections to a CSV file.

[Topic 215856]

Example of analyzing a Data Discovery detection

This section contains an example of a Data Discovery detection and how you can analyze and process it.

Let's consider that you open the Data Discovery widget (see the figure below) and see a file that is accessible to everyone (the value in the Access type column is Public).

Data Discovery widget with a file that is accessible to everyone

From the value in the Data categories column, you conclude that the file contains credit card details. The value in the Last edited by column most often shows the user who configured the accessibility of the file.

By clicking the link in the Data categories or File name column, you can view detailed information about the detected file (see the figure below).

Data Discovery detection details

You can copy either the direct link to the file (Link to the file in Office 365) or the structure of the path to it (under Full path to the file).

Then you can address the user directly, show him or her the file, and explain that making a file with personal details accessible to everyone may lead to a data breach. Then, you can ask the user to reduce the file audience to the user himself or herself.

Some time later, after the user follows your advice, you can open the Data Discovery table, apply the filters (if necessary), and see the same document that is accessible only to its owner (see the figure below).

Data Discovery table with applied filters

[Topic 215862]

Exporting information about Data Discovery detections

From the table with Data Discovery detections, you can export information about all of the current detections to a CSV file. For example, you can use a file with detections to prepare a report for your management.

To export information about Data Discovery detections:

1. Proceed to the table with the Data Discovery detections.
2. Click the Export detections button.

   The Export Data Discovery detections window opens.

3. Click Export to confirm the export.

A file with Data Discovery detections is created and automatically downloaded. The file contains the same columns as the table with detections.

[Topic 208688]

Disabling Data Discovery

If you want to stop using Data Discovery, you can disable the feature as described in this section.

To disable Data Discovery:

1. Open Kaspersky Next Management Console.
2. Select the Settings section.

   The General settings of Kaspersky Next page is displayed.

3. Click the Settings link in the Use of Data Discovery for Microsoft Office 365 section.

   The Data Discovery page opens.

4. Click the Disable Data Discovery button.
5. In the confirmation window that opens, click the Disable button.

Data Discovery is disabled.

Later, you can enable the feature again.

[Topic 126963]

Cloud Discovery

This section contains information about Cloud Discovery.

The Cloud Discovery feature allows you to monitor the use of cloud services on managed devices running Windows and to block access to cloud services that you consider unwanted.

The blocking capability is available only if you activated Kaspersky Next under a Kaspersky Next EDR Optimum or XDR Expert license.

The blocking capability is available only if you use Kaspersky Endpoint Security 11.2 for Windows or later. Earlier versions of the security application only allow you to monitor the use of cloud services.

[Topic 100054]

About Cloud Discovery

Kaspersky Next allows you to monitor the use of cloud services on managed devices running Windows and to block access to cloud services that you consider unwanted. Cloud Discovery tracks user attempts to gain access to these services through both browsers and desktop applications. This feature helps you to detect and halt the use of cloud services by shadow IT.

Cloud Discovery tracks user attempts to gain access to cloud services over unencrypted connections (for example, using the HTTP protocol). If you enable the Encrypted Connections Scan feature, Cloud Discovery also tracks attempts to gain access to cloud services over encrypted connections (for example, using the HTTPS protocol). You can also configure the list of trusted domains. The feature does not control or block encrypted connections made during visits to those domains.

You can start using the Cloud Discovery feature and select the security profiles for which you want to enable the feature. You can also enable or disable the feature separately in each security profile. You can block access to cloud services that you do not want users to access.

The Cloud Discovery widget and the Cloud Discovery reports display information about attempts to gain access to cloud services. The widget also displays the risk level of each cloud service. Kaspersky Next gets information about the use of cloud services from all of the managed devices that are protected only by the security profiles that have the feature enabled.

Page top

[Topic 138009]

Starting the use of Cloud Discovery

You can start using the Cloud Discovery feature when you start Kaspersky Next Management Console for the first time or after Kaspersky Next is upgraded to a new version. If you did not start using Cloud Discovery during the initial or additional setup of Kaspersky Next, you can do it as described in this section.

To start using Cloud Discovery:

1. Open Kaspersky Next Management Console.
2. Do any of the following:
   • In the Information panel section, select the Getting started tab, and then click Enable Cloud Discovery.
   • In the Information panel section, select the Monitoring tab, and then click Enable Cloud Discovery in security profiles.

   The Enable Cloud Discovery in security profiles window opens.

3. Select the check boxes next to the security profiles for which you want to enable Cloud Discovery. To select all security profiles, select the check box in the table heading.

   Kaspersky Next gets information about the use of cloud services from all of the managed devices that are protected only by the security profiles that have the feature enabled. Later, you will be able to enable and disable the feature separately in each security profile.

4. Click the Enable Cloud Discovery button.

   If you click the Later button, the Cloud Discovery feature will not be enabled in any security profiles.

Cloud Discovery is enabled in the selected security profiles.

[Topic 101058]

Enabling and disabling Cloud Discovery in security profiles

When you start using the Cloud Discovery feature, you can select the security profiles for which you want to enable Cloud Discovery. Kaspersky Next gets information about the use of cloud services from all of the managed devices that are protected only by the security profiles that have the feature enabled. Later, you can enable and disable the feature separately in each security profile, as described in this section.

To enable or disable Cloud Discovery in a specific security profile:

1. Open Kaspersky Next Management Console.
2. Select the Security management → Security profiles section.

   The Security profiles section contains a list of security profiles configured in Kaspersky Next.

3. In the list, select the security profile for the devices on which you want to configure Cloud Discovery.
4. Click the link with the profile name to open the security profile properties window.

   The security profile properties window displays settings available for all devices.

5. In the Cloud security group, select the Cloud Discovery section.
6. To enable Cloud Discovery in the security profile, set the toggle switch to Cloud Discovery is enabled.

   You can also click the Settings link below the Cloud Discovery is enabled toggle switch and block access to cloud services that you consider unwanted.

   To disable Cloud Discovery in the security profile, set the toggle switch to Cloud Discovery is disabled.

7. Click the Save button.

Cloud Discovery is enabled or disabled in the settings of the selected security profile.

[Topic 123382]

Viewing information about the use of cloud services

You can view the Cloud Discovery widget that shows information about attempts to gain access to cloud services. The widget also displays the risk level of each cloud service. Kaspersky Next gets information about the use of cloud services from all of the managed devices that are protected only by the security profiles that have the feature enabled.

To view the Cloud Discovery widget:

1. Open Kaspersky Next Management Console.
2. In the Information panel section, click the Monitoring tab.
3. On the left side of the Cloud Discovery information widget, select a category of cloud services.

   The table on the right side of the widget displays up to five services, from the selected category, to which users most often try to gain access. Both successful and blocked attempts are counted.

4. On the right side of the widget, select a specific service.

   The table below displays up to ten users who most often attempt to gain access to the service.

The widget displays the requested information.

From the displayed widget, you can do the following:

• Proceed to the Information panel → Reports section to view the Cloud Discovery reports.
• Proceed to the settings of the security profile that is assigned to a user.
• Block or allow access to the selected cloud service in the settings of the security profile that is assigned to a user.
• If the selected cloud service has been blocked only in some security profiles, view the list of profiles in which the service is blocked and where it is allowed.