Kaspersky Next XDR Expert
Network Agent policy settings
To configure the Network Agent policy:
- In the main menu, go to Assets (Devices) → Policies & profiles.
- Click the name of the Network Agent policy.
The properties window of the Network Agent policy opens. The properties window contains the tabs and settings described below.
See the comparison table detailing how the settings below apply, depending on the type of operating system used.
General
On this tab, you can modify the policy name, policy status, and specify the inheritance of policy settings:
- In the Name field, you can modify the policy name.
- In the Policy status block, you can select the policy mode.
- In the Settings inheritance settings group, you can configure the policy inheritance:
- Inherit settings from parent policy
If this option is enabled, the policy setting values are inherited from the upper-level group policy and are therefore locked for editing in this policy.
By default, this option is enabled.
- Force inheritance of settings in child policies
If this option is enabled, after policy changes are applied, the following actions will be performed:
- The values of the policy settings will be propagated to the policies of administration subgroups, that is, to the child policies.
- In the Settings inheritance block of the General section in the properties window of each child policy, the Inherit settings from parent policy option will be automatically enabled.
While this option is enabled, the settings of the child policies are locked.
By default, this option is disabled.
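The two inheritance switches above interact: a policy that inherits from its parent is locked, and a parent with forced inheritance rewrites its children and switches their inheritance on. The following is an added example, not code from Open Single Management Platform, that models those rules on a small policy tree so they can be checked before touching a production hierarchy. The group names and setting keys are made up for illustration, and the model assumes that forced inheritance acts on direct children and reaches deeper levels only through each child's own "Inherit settings from parent policy" flag, because the page does not say whether the force switch itself is propagated.

```python
# Added example (not product code): model of "Inherit settings from parent policy"
# and "Force inheritance of settings in child policies" on a policy tree.
# Group names and setting keys are constructed for illustration only.
from __future__ import annotations

from dataclasses import dataclass, field
from typing import Any, Optional


class LockedSettingError(Exception):
    """Raised when a setting is edited in a policy whose settings are locked."""


@dataclass
class Policy:
    name: str
    settings: dict[str, Any] = field(default_factory=dict)
    inherit_from_parent: bool = True   # product default: enabled
    force_inheritance: bool = False    # product default: disabled
    parent: Optional["Policy"] = None
    children: list["Policy"] = field(default_factory=list)

    def add_child(self, child: "Policy") -> "Policy":
        child.parent = self
        self.children.append(child)
        return child

    def is_locked(self) -> bool:
        # A top-level policy has no parent to inherit from; any other policy
        # that inherits from its parent has its values locked.
        return self.parent is not None and self.inherit_from_parent

    def effective(self) -> dict[str, Any]:
        """Values that actually apply to devices in this policy's group."""
        if self.is_locked():
            return self.parent.effective()
        return dict(self.settings)

    def set(self, key: str, value: Any) -> None:
        if self.is_locked():
            raise LockedSettingError(
                f"{self.name}: '{key}' is inherited from '{self.parent.name}' and locked"
            )
        self.settings[key] = value

    def apply(self) -> None:
        """Apply the policy. With 'Force inheritance' enabled, the current values are
        written into each child policy and the child's 'Inherit settings from parent
        policy' option is switched on, which locks the child's settings.
        Assumption: the page does not say that the force switch itself is propagated,
        so grandchildren are reached only through the children's own inherit flag."""
        if not self.force_inheritance:
            return
        for child in self.children:
            child.settings = self.effective()
            child.inherit_from_parent = True


def build_tree() -> tuple[Policy, Policy, Policy]:
    """Constructed sample: Managed devices -> Office (own values) -> Lab (inherits)."""
    top = Policy("Managed devices", {"max_event_queue_mb": 2, "dp_only": False})
    office = top.add_child(Policy("Office", inherit_from_parent=False))
    office.set("max_event_queue_mb", 8)
    office.set("dp_only", True)
    lab = office.add_child(Policy("Lab"))  # default: inherits from Office, so locked
    return top, office, lab


if __name__ == "__main__":
    top, office, lab = build_tree()
    print("Lab before:", lab.effective())  # Office's values, locked in Lab
    try:
        lab.set("max_event_queue_mb", 16)
    except LockedSettingError as exc:
        print("edit refused:", exc)
    top.force_inheritance = True
    top.apply()
    print("Office now inherits:", office.inherit_from_parent)
    print("Lab after:", lab.effective())  # top-level values reach Lab through Office
```

The point to check before enabling "Force inheritance" on a high-level group is the last two lines: the Office policy loses its own values and every policy below it that still inherits is overwritten in the same pass.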
Event configuration
On this tab, you can configure event logging and event notification. Events are distributed according to importance level in the following sections:
- Functional failure
- Warning
- Info
In each section, the list shows the types of events and the default event storage period on the Administration Server (in days). After you click the event type, you can specify the settings of event logging and notifications about events selected in the list. By default, common notification settings specified for the entire Administration Server are used for all event types. However, you can change specific settings for the required event types.
For example, in the Warning section, you can configure the Security issue has occurred event type. Such events may happen, for instance, when the free disk space of a distribution point is less than 2 GB (at least 4 GB are required to install applications and download updates remotely). To configure the Security issue has occurred event, click it and specify where to store the occurred events and how to notify about them.
If the Network Agent detects a security issue, you can manage this issue by using the settings of a managed device.
Application settings
Settings
In the Settings section, you can configure the Network Agent policy:
- Distribute files through distribution points only
If this option is enabled, Network Agents on managed devices retrieve updates from distribution points only.
If this option is disabled, Network Agents on managed devices retrieve updates either from distribution points or from the Administration Server.
Note that the security applications on managed devices retrieve updates from the source set in the update task for each security application. If you enable the Distribute files through distribution points only option, make sure that Open Single Management Platform is set as an update source in the update tasks.
By default, this option is disabled.
- Maximum size of event queue, in MB
In this field you can specify the maximum space on the drive that an event queue can occupy.
The default value is 2 megabytes (MB).
- Application is allowed to retrieve policy's extended data on device
Network Agent installed on a managed device transfers information about the applied security application policy to the security application (for example, Kaspersky Endpoint Security for Linux). You can view the transferred information in the security application interface.
Network Agent transfers the following information:
- Time of the policy delivery to the managed device
- Name of the active or out-of-office policy at the moment of the policy delivery to the managed device
- Name and full path to the administration group that contained the managed device at the moment of the policy delivery to the managed device
- List of active policy profiles
You can use the information to ensure the correct policy is applied to the device and for troubleshooting purposes. By default, this option is disabled.
- Protect the Network Agent service against unauthorized removal or termination, and prevent changes to the settings
When this option is enabled, after Network Agent is installed on a managed device, the component cannot be removed or reconfigured without the required privileges, and the Network Agent service cannot be stopped. This option has no effect on domain controllers.
Enable this option to protect Network Agent on workstations operated with local administrator rights.
By default, this option is disabled.
- Use uninstallation password
If this option is enabled, by clicking the Modify button you can specify the password for the klmover utility.
By default, this option is disabled.
Disable this option to uninstall Network Agent remotely.
Repositories
In the Repositories section, you can select the types of objects whose details will be sent from Network Agent to Administration Server:
- Details of installed applications
If this option is enabled, information about applications installed on client devices is sent to the Administration Server.
By default, this option is enabled.
- Include information about patches
Information about patches of applications installed on client devices is sent to the Administration Server. Enabling this option may increase the load on the Administration Server and DBMS, as well as cause increased volume of the database.
By default, this option is enabled. It is available only for Windows.
- Details of Windows Update updates
If this option is enabled, information about mandatory Microsoft Windows Update updates that must be installed on client devices is sent to the Administration Server.
By default, this option is enabled. It is available only for Windows.
Information about optional Microsoft Windows updates is not being sent to the Administration Server.
- Details of software vulnerabilities and corresponding updates
If this option is enabled, information about vulnerabilities in third-party software (including Microsoft software), detected on managed devices, and about software updates to fix third-party vulnerabilities (not including Microsoft software) is sent to the Administration Server.
Selecting this option (Details of software vulnerabilities and corresponding updates) increases the network load, Administration Server disk load, and Network Agent resource consumption.
By default, this option is enabled. It is available only for Windows.
To manage software updates of Microsoft software, use the Details of Windows Update updates option.
- Hardware registry details
Network Agent installed on a device sends information about the device hardware to the Administration Server. You can view the hardware details in the device properties.
Ensure that the lshw utility is installed on Linux devices from which you want to fetch hardware details. Hardware details fetched from virtual machines may be incomplete depending on the hypervisor used.
If modification of some settings in this section is prohibited by the Network Agent policy, you cannot modify these settings.
Software updates and vulnerabilities
In the Software updates and vulnerabilities section, you can enable scanning of executable files for vulnerabilities:
- Scan executable files for vulnerabilities when running them
If this option is enabled, executable files are scanned for vulnerabilities when they are run.
By default, this option is enabled.
Restart management
In the Restart management section, you can specify the action to be performed if the operating system of a managed device has to be restarted for correct use, installation, or uninstallation of an application:
- Do not restart the operating system
Client devices are not restarted automatically after the operation. To complete the operation, you must restart a device (for example, manually or through a device management task). Information about the required restart is saved in the task results and in the device status. This option is suitable for tasks on servers and other devices where continuous operation is critical.
- Restart the operating system automatically, if necessary
Client devices are always restarted automatically if a restart is required for completion of the operation. This option is useful for tasks on devices that provide for regular pauses in their operation (shutdown or restart).
- Prompt user for action
The restart reminder is displayed on the screen of the client device, prompting the user to restart it manually. Some advanced settings can be defined for this option: text of the message for the user, the message display frequency, and the time interval after which a restart will be forced (without the user's confirmation). This option is most suitable for workstations where users must be able to select the most convenient time for a restart.
By default, this option is selected.
- Repeat the prompt every (min)
If this option is enabled, the application prompts the user to restart the operating system with the specified frequency.
By default, this option is enabled. The default interval is 5 minutes. Available values are between 1 and 1440 minutes.
If this option is disabled, the prompt is displayed only once.
- Force restart after (min)
After prompting the user, the application forces restart of the operating system upon expiration of the specified time interval.
By default, this option is enabled. The default delay is 30 minutes. Available values are between 1 and 1440 minutes.
- Force closure of applications in blocked sessions
Running applications may prevent a restart of the client device. For example, if a document is being edited in a word processing application and is not saved, the application does not allow the device to restart.
If this option is enabled, such applications on a locked device are forced to close before the device restart. As a result, users may lose their unsaved changes.
If this option is disabled, a locked device is not restarted. The task status on this device states that a device restart is required. Users have to manually close all applications running on locked devices and restart these devices.
By default, this option is disabled.
Manage patches and updates
In the Manage patches and updates section, you can configure the download and distribution of updates, as well as the installation of patches, on managed devices:
- Automatically install applicable updates and patches for components that have the Undefined status
If this option is enabled, Kaspersky patches that have the Undefined approval status are automatically installed on managed devices immediately after they are downloaded from update servers.
If this option is disabled, Kaspersky patches that have been downloaded and tagged with the Undefined status will be installed only after you change their status to Approved.
By default, this option is enabled.
- Download updates and anti-virus databases from Administration Server in advance (recommended)
If this option is enabled, the offline model of update download is used. When the Administration Server receives updates, it notifies Network Agent (on devices where it is installed) of the updates that will be required for managed applications. When Network Agent receives information about these updates, it downloads the relevant files from the Administration Server in advance. At the first connection with Network Agent, the Administration Server initiates an update download. After Network Agent downloads all the updates to a client device, the updates become available for applications on that device.
When a managed application on a client device attempts to access Network Agent for updates, Network Agent checks whether it has all required updates. If the updates are received from the Administration Server not more than 25 hours before they were requested by the managed application, Network Agent does not connect to the Administration Server but supplies the managed application with updates from the local cache instead. Connection with the Administration Server may not be established when Network Agent provides updates to applications on client devices, but connection is not required for updating.
If this option is disabled, the offline model of update download is not used. Updates are distributed according to the schedule of the update download task.
By default, this option is enabled.
Connectivity
The Connectivity section includes three subsections:
- Network
- Connection profiles
- Connection schedule
In the Network subsection, you can configure the connection to Administration Server, enable the use of a UDP port, and specify the UDP port number.
- In the Connect to Administration Server settings group, you can configure connection to the Administration Server and specify the time interval for synchronization between client devices and the Administration Server:
- Synchronization interval (min)
Network Agent synchronizes the managed device with the Administration Server. We recommend that you set the synchronization interval (also referred to as the heartbeat) to 15 minutes per 10,000 managed devices.
If the synchronization interval is set to less than 15 minutes, synchronization is performed every 15 minutes. If the synchronization interval is set to 15 minutes or more, synchronization is performed at the specified interval.
- Compress network traffic
If this option is enabled, Network Agent compresses the data it transfers. This reduces the amount of information being transferred, which speeds up data transfer and lowers the load on the Administration Server.
The workload on the CPU of the client computer may increase.
By default, this check box is enabled.
- Open Network Agent ports in Microsoft Windows Firewall
If this option is enabled, the ports that Network Agent requires are added to the Microsoft Windows Firewall exclusion list.
By default, this option is enabled.
- Use SSL connection
If this option is enabled, connection to the Administration Server is established through a secure port via SSL.
By default, this option is enabled.
- Use the connection gateway on a distribution point (if available), under the default connection settings
If this option is enabled, the connection gateway on the distribution point is used under the settings specified in the administration group properties.
By default, this option is enabled.
- Use UDP port
If you need Network Agent to connect to Administration Server through a UDP port, enable the Use UDP port option and specify a UDP port number. By default, this option is enabled. The default UDP port to connect to Administration Server is 15000.
- UDP port number
In this field you can enter the UDP port number. The default port number is 15000.
Enter the port number in decimal notation.
- Use distribution point to force connection to Administration Server
Select this option if you selected the Use this distribution point as a push server option in the distribution point settings window. Otherwise, the distribution point will not act as a push server.
In the Connection profiles subsection, you can specify the network location settings and enable out-of-office mode when Administration Server is not available:
- Network location settings
Network location settings define the characteristics of the network to which the client device is connected and specify rules for Network Agent switching from one Administration Server connection profile to another when those network characteristics are altered.
- Administration Server connection profiles
Connection profiles are supported only for devices running Windows.
You can view and add profiles for Network Agent connection to the Administration Server. In this section, you can also create rules for switching Network Agent to different Administration Servers when the following events occur:
- When the client device connects to a different local network
- When the device loses connection with the local network of the organization
- When the connection gateway address is changed or the DNS server address is modified
- Enable out-of-office mode when Administration Server is not available
If this option is enabled, in case of connection through this profile, applications installed on the client device use policy profiles for devices in out-of-office mode, as well as out-of-office policies. If no out-of-office policy has been defined for the application, the active policy will be used.
If this option is disabled, applications will use active policies.
By default, this option is disabled.
In the Connection schedule subsection, you can specify the time intervals during which Network Agent sends data to the Administration Server:
- Connect when necessary
If this option is selected, the connection is established when Network Agent has to send data to the Administration Server.
By default, this option is selected.
- Connect at specified time intervals
If this option is selected, Network Agent connects to the Administration Server at a specified time. You can add several connection time periods.
Network polling by distribution points
In the Network polling by distribution points section, you can configure automatic polling of the network. You can use the following options to enable the polling and set its frequency:
- IP ranges
If the option is enabled, the distribution point automatically polls IP ranges according to the schedule that you configured by clicking the Set polling schedule button.
If this option is disabled, the distribution point does not poll IP ranges.
The frequency of IP range polling for Network Agent versions prior to 10.2 can be configured in the Poll interval (min) field. The field is available if the option is enabled.
By default, this option is disabled.
- Zeroconf
If this option is enabled, the distribution point automatically polls the network with IPv6 devices by using zero-configuration networking (also referred to as Zeroconf). In this case, the enabled IP range polling is ignored, because the distribution point polls the whole network.
To start to use Zeroconf, the following conditions must be fulfilled:
- The distribution point must run Linux.
- You must install the avahi-browse utility on the distribution point.
If this option is disabled, the distribution point does not poll networks with IPv6 devices.
By default, this option is disabled.
- Domain controllers
If the option is enabled, the distribution point automatically polls domain controllers according to the schedule that you configured by clicking the Set polling schedule button.
If this option is disabled, the distribution point does not poll domain controllers.
The frequency of domain controller polling for Network Agent versions prior to 10.2 can be configured in the Poll interval (min) field. The field is available if this option is enabled.
By default, this option is disabled.
Network settings for distribution points
In the Network settings for distribution points section, you can specify the internet access settings:
- Use proxy server
- Address
- Port number
- Bypass proxy server for local addresses
If this option is enabled, no proxy server is used to connect to devices on the local network.
By default, this option is disabled.
- Proxy server authentication
If this check box is selected, in the entry fields you can specify the credentials for proxy server authentication.
By default, this check box is cleared.
KSN Proxy (distribution points)
In the KSN Proxy (distribution points) section, you can configure the application to use the distribution point to forward Kaspersky Security Network (KSN) requests from the managed devices:
- Enable KSN Proxy on the distribution point side
The KSN proxy service is run on the device that is used as a distribution point. Use this feature to redistribute and optimize traffic on the network.
The distribution point sends the KSN statistics, which are listed in the Kaspersky Security Network statement, to Kaspersky.
By default, this option is disabled. Enabling this option takes effect only if the Use Administration Server as a proxy server and I agree to use Kaspersky Security Network options are enabled in the Administration Server properties window.
You can assign a node of an active-passive cluster to a distribution point and enable KSN proxy server on this node.
- Forward KSN requests to Administration Server
The distribution point forwards KSN requests from the managed devices to the Administration Server.
By default, this option is enabled.
- Access KSN Cloud/KPSN directly over the internet
The distribution point forwards KSN requests from managed devices to the KSN Cloud or KPSN. The KSN requests generated on the distribution point itself are also sent directly to the KSN Cloud or KPSN.
- TCP port
The number of the TCP port that the managed devices will use to connect to KSN proxy server. The default port number is 13111.
- UDP port
If you need Network Agent to connect to Administration Server through a UDP port, enable the Use UDP port option and specify a UDP port number. By default, this option is enabled. The default UDP port to connect to Administration Server is 15000.
- HTTPS through port
If you need the managed devices to connect to the KSN proxy server through an HTTPS port, enable the Use HTTPS option, and then specify a port number in the HTTPS through port field. By default, this option is disabled. The default HTTPS port to connect to the KSN proxy server is 17111.
Updates (distribution points)
In the Updates (distribution points) section, you can enable the diff file download feature, so that distribution points download updates from Kaspersky update servers in the form of diff files.
Local account management (Linux only)
The Local account management (Linux only) section includes three subsections:
- User certificates management
- Add or edit applicable local administrator groups
- Upload a reference file to protect the sudoers file on the user's device from changes
In the User certificates management subsection, you can specify which root certificates to install. These certificates can be used, for example, to verify the authenticity of websites or web servers.
- Install root certificates
If this option is enabled, certificates added to the table will be installed on the specified devices.
If this option is disabled, no certificates will be installed on the specified devices.
By default, this option is disabled.
- Add
Clicking this button opens a window, where you can add a certificate.
The certificate must be less than 10 MB.
Kaspersky Security Center supports certificates with CER, CRT, CERT, PEM, and KEY extensions.
In the Add or edit applicable local administrator groups subsection, you can manage local administrator groups. These groups are used, for example, when revoking local administrator rights. You can also check the list of privileged user accounts using the Report on privileged device users (Linux only).
- Add
Clicking this button opens a window, where you can add a local administrator group.
- Edit
Clicking this button opens a window, where you can edit the local administrator group.
This button is available if the check box next to the local administrator group is selected.
- Delete
Clicking this button deletes the selected local administrator group from the table.
This button is available if the check box next to the local administrator group is selected.
In the Upload a reference file to protect the sudoers file on the user's device from changes subsection, you can configure control of the sudoers file. Privileged groups and device users are defined by the sudoers file on the device. The sudoers file is located at /etc/sudoers. You can upload a reference sudoers file to protect the sudoers file from changes. This will prevent unwanted changes to the sudoers file.
An invalid reference sudoers file may cause the user's device to malfunction.
- Control sudoers file
If this option is enabled, the sudoers file will be replaced by the current reference sudoers file.
If this option is disabled, the sudoers file will remain unchanged.
By default, this option is disabled.
- Reference sudoers file
This field displays the name of the uploaded reference sudoers file.
- Upload
Clicking this button opens a window, where you can upload a reference sudoers file.
- Current reference sudoers file
Clicking this button shows the contents of the current sudoers file.
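The two subsections above (local administrator groups and sudoers control) both rest on the same fact: the sudoers file on the device defines who holds privileged rights, and an invalid reference file is pushed to every device that the policy applies to. The following added example is not part of Open Single Management Platform or Network Agent; it is a defender-side helper that checks a reference sudoers file for syntax with the system's visudo (when available), lists the users and groups that a sudoers file grants rights to, and reports the drift between a device's file and the reference. The sudoers parsing is a deliberately simplified subset of the real grammar (assumption), and both sudoers files are constructed samples.

```python
"""Sudoers drift check (added illustration, not Kaspersky code).

Assumptions: sudoers parsing covers plain user specifications of the form
'<user|%group> <host>=(...) <commands>' and skips Defaults, aliases and
includes; the two sudoers texts below are constructed samples."""
import hashlib
import os
import re
import shutil
import subprocess
import tempfile
from typing import Dict, Optional, Set

# Constructed reference file, as an administrator might upload it.
REFERENCE_SUDOERS = """\
# Reference sudoers (constructed sample)
Defaults env_reset
root    ALL=(ALL:ALL) ALL
%sudo   ALL=(ALL:ALL) ALL
%admin  ALL=(ALL) ALL
"""

# Constructed device file that has drifted: one extra passwordless entry.
DEVICE_SUDOERS = """\
# Device sudoers (constructed sample)
Defaults env_reset
root    ALL=(ALL:ALL) ALL
%sudo   ALL=(ALL:ALL) ALL
%admin  ALL=(ALL) ALL
backup  ALL=(ALL) NOPASSWD: ALL
"""

# A user specification starts with a user or %group, then a host list, then '='.
_RULE = re.compile(r"^(?P<who>%?[\w.@-]+)\s+\S+\s*=")
_SKIP_PREFIXES = ("Defaults", "User_Alias", "Cmnd_Alias", "Host_Alias",
                  "Runas_Alias", "@include", "@includedir")


def sha256_text(text: str) -> str:
    """Digest used to decide whether the device file equals the reference."""
    return hashlib.sha256(text.encode()).hexdigest()


def privileged_principals(sudoers: str) -> Dict[str, Set[str]]:
    """Return the users and groups named in user specifications."""
    users: Set[str] = set()
    groups: Set[str] = set()
    for line in sudoers.replace("\\\n", " ").splitlines():  # join continuations
        line = line.strip()
        if not line or line.startswith("#") or line.startswith(_SKIP_PREFIXES):
            continue
        match = _RULE.match(line)
        if match is None:
            continue
        who = match.group("who")
        if who.startswith("%"):
            groups.add(who[1:])
        else:
            users.add(who)
    return {"users": users, "groups": groups}


def drift_report(device: str, reference: str) -> dict:
    """Compare a device's sudoers with the reference: exact match plus the
    principals that gained or lost rights relative to the reference."""
    dev, ref = privileged_principals(device), privileged_principals(reference)
    return {
        "matches_reference": sha256_text(device) == sha256_text(reference),
        "extra_users": sorted(dev["users"] - ref["users"]),
        "extra_groups": sorted(dev["groups"] - ref["groups"]),
        "missing_users": sorted(ref["users"] - dev["users"]),
        "missing_groups": sorted(ref["groups"] - dev["groups"]),
    }


def reference_is_valid(reference: str) -> Optional[bool]:
    """Syntax-check the reference with 'visudo -cf' before it is uploaded.
    Returns None when visudo is not installed on the host running the check."""
    visudo = shutil.which("visudo")
    if visudo is None:
        return None
    with tempfile.NamedTemporaryFile("w", suffix=".sudoers", delete=False) as fh:
        fh.write(reference)
        path = fh.name
    try:
        result = subprocess.run([visudo, "-cf", path], capture_output=True, text=True)
        return result.returncode == 0
    finally:
        os.unlink(path)


if __name__ == "__main__":
    print("reference syntax valid:", reference_is_valid(REFERENCE_SUDOERS))
    print("reference grants:", privileged_principals(REFERENCE_SUDOERS))
    print("drift on device:", drift_report(DEVICE_SUDOERS, REFERENCE_SUDOERS))
```

Run the syntax check on the reference file before uploading it through the Upload button; the drift report is the kind of comparison that tells you, when Control sudoers file is enabled, exactly which rights the replacement will add or revoke on a device. Keep in mind that the parser here ignores aliases and include directives, so a full audit of a real file must use visudo and the sudoers grammar rather than this subset.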
Revision history
On the Revision history tab, you can:
- View and save the history of policy revisions.
- Roll back to a policy revision.
- Add and edit policy revision descriptions.
See also: Scenario: Regular updating Kaspersky databases and applications