0% found this document useful (0 votes)

2 views

Adm Guide

The document provides comprehensive information on Kaspersky Embedded Systems Security, including installation, configuration, and management of the software. It covers various aspects such as system requirements, application interface, licensing, and security features, along with detailed instructions for using the Administration Plug-in and Console. Additionally, it discusses the management of tasks, policies, and logs, ensuring effective security for embedded systems.

Uploaded by

MN Uthmân

Available Formats

Download as PDF, TXT or read online on Scribd

0% found this document useful (0 votes)

2 views

Adm Guide

Uploaded by

MN Uthmân

Available Formats

Download as PDF, TXT or read online on Scribd

You are on page 1/ 514

Kaspersky Embedded Systems

Security

© 2021 AO Kaspersky Lab

1
Contents
About Kaspersky Embedded Systems Security
What's new
Sources of information about Kaspersky Embedded Systems Security
Sources for independent retrieval of information
Discussing Kaspersky applications in the community
Kaspersky Embedded Systems Security
Distribution kit
Hardware and software requirements
Functional requirements and limitations
Installation and uninstallation
File Integrity Monitor
Firewall Management
Other limitations
Installing and removing the application
Kaspersky Embedded Systems Security software component codes for the Windows Installer service
Kaspersky Embedded Systems Security software components
"Administration tools" software component
System changes after Kaspersky Embedded Systems Security installation
Kaspersky Embedded Systems Security processes
Installation and uninstallation settings and command line options for the Windows Installer service
Kaspersky Embedded Systems Security install and uninstall logs
Installation planning
Selecting administration tools
Selecting the installation type
Installing and uninstalling the application using a wizard
Installing using the Setup Wizard
Kaspersky Embedded Systems Security installation
Kaspersky Embedded Systems Security Console installation
Advanced settings after installation of the Application Console on another device
Allowing anonymous remote access to COM applications
Allowing network connections for the Kaspersky Embedded Systems Security remote management process
Adding outbound rule for Windows Firewall
Actions to perform after Kaspersky Embedded Systems Security installation
Starting and con guring Kaspersky Embedded Systems Security Database Update task
Critical Areas Scan
Modifying the set of components and repairing Kaspersky Embedded Systems Security
Uninstalling using the Setup Wizard
Kaspersky Embedded Systems Security uninstallation
Kaspersky Embedded Systems Security Console uninstallation
Installing and uninstalling the application from the command line
About installing and uninstalling Kaspersky Embedded Systems Security from command line
Example commands for installing Kaspersky Embedded Systems Security
Actions to perform after Kaspersky Embedded Systems Security installation
Adding and removing components. Sample commands
Kaspersky Embedded Systems Security uninstallation. Sample commands
Return codes
2
Installing and uninstalling the application using Kaspersky Security Center
General information about installing via Kaspersky Security Center
Rights to install or uninstall Kaspersky Embedded Systems Security
Installing Kaspersky Embedded Systems Security via Kaspersky Security Center
Actions to perform after Kaspersky Embedded Systems Security installation
Installing the Application Console via Kaspersky Security Center
Uninstalling Kaspersky Embedded Systems Security via Kaspersky Security Center
Installing and uninstalling via Active Directory group policies
Installing Kaspersky Embedded Systems Security via Active Directory group policies
Actions to perform after Kaspersky Embedded Systems Security installation
Uninstalling Kaspersky Embedded Systems Security via Active Directory group policies
Checking Kaspersky Embedded Systems Security functions. Using the EICAR test virus
About the EICAR test virus
Checking the Real-Time File Protection and On-Demand Scan features
Application interface
Application licensing
About the End User License Agreement
About the license
About license certi cate
About the key
About the key le
About activation code
About data provision
Activating the application with a key le
Activating the application with an activation code
Viewing information about the current license
Functional limitations when the license expires
Renewing the license
Deleting the key
Working with the Administration Plug-in
Managing Kaspersky Embedded Systems Security from Kaspersky Security Center
Managing application settings
Navigation
Opening general settings via the policy
Opening general settings in the application properties window
Con guring general application settings in Kaspersky Security Center
Con guring scalability, interface, and scan settings in Kaspersky Security Center
Con guring security settings in Kaspersky Security Center
Con guring connection settings using Kaspersky Security Center
Con guring scheduled start of local system tasks
Con guring Quarantine and Backup settings in Kaspersky Security Center
Creating and con guring policies
Creating a policy
Kaspersky Embedded Systems Security policy settings sections
Con guring a policy
Creating and con guring tasks using Kaspersky Security Center
About task creation in Kaspersky Security Center
Creating a task using Kaspersky Security Center

3
Con guring local tasks in the Application settings window of the Kaspersky Security Center
Con guring group tasks in Kaspersky Security Center
Activation of the Application task
Update tasks
Application Integrity Control
Con guring crash diagnostics settings in Kaspersky Security Center
Managing task schedules
Scheduling tasks
Enabling and disabling scheduled tasks
Reports in Kaspersky Security Center
Working with the Kaspersky Embedded Systems Security Console
About the Kaspersky Embedded Systems Security Console
Kaspersky Embedded Systems Security Console interface
Kaspersky Embedded Systems Security Console window
System Tray Icon in the noti cation area
Managing Kaspersky Embedded Systems Security via the Application Console on another device
Con guring general application settings via the Application Console
Managing Kaspersky Embedded Systems Security tasks
Kaspersky Embedded Systems Security task categories
Starting, pausing, resuming, and stopping tasks manually
Managing task schedules
Con guring the task schedule settings
Enabling and disabling scheduled tasks
Using user accounts to start tasks
About using accounts to start tasks
Specifying a user account to start a task
Importing and exporting settings
About importing and exporting settings
Exporting settings
Importing settings
Using security settings templates
About security settings templates
Creating a security settings template
Viewing security settings in a template
Applying a security settings template
Deleting a security settings template
Viewing protection status and Kaspersky Embedded Systems Security information
Working with the Web Plug-in from Web Console and Cloud Console
Managing Kaspersky Embedded Systems Security from Web Console and Cloud Console
Web Plug-in limitations
Managing application settings
Con guring general application settings in Web Plug-in
Con guring scalability, interface, and scan settings in Web Plug-in
Con guring security settings in Web Plug-in
Con guring connection settings in Web Plug-in
Con guring scheduled start of local system tasks
Con guring Quarantine and Backup settings in Web Plug-in
Creating and con guring policies

4
Creating a policy
Kaspersky Embedded Systems Security policy settings sections
Creating and con guring tasks using Kaspersky Security Center
About task creation in Web Plug-in
Creating a task in Web Plug-in
Con guring group tasks in Web Plug-in
Con guring Activation of the Application task in Web Plug-in
Con guring Update tasks in Web Plug-in
Con guring crash diagnostics settings in Web Plug-in
Managing task schedules
Scheduling tasks
Enabling and disabling scheduled tasks
Reports in Kaspersky Security Center
Compact Diagnostic Interface
About the Compact Diagnostic Interface
Reviewing the Kaspersky Embedded Systems Security status via the Compact Diagnostic Interface
Reviewing security event statistics
Reviewing current application activity
Con guring writing of dump and trace les
Updating Kaspersky Embedded Systems Security databases and software modules
About Update tasks
About Software Modules Update
About Database Update
Schemes for updating anti-virus application databases and modules used within an organization
Con guring Update tasks
Con guring settings for working with Kaspersky Embedded Systems Security update sources
Optimizing disk I/O when running the Database Update task
Con guring Copying Updates task settings
Con guring Software Modules Update task settings
Rolling back Kaspersky Embedded Systems Security database updates
Rolling back application module updates
Update task statistics
Isolating objects and copying backups
Isolating probably infected objects. Quarantine
About quarantining probably infected objects
Viewing quarantine objects
Sorting quarantined objects
Filtering quarantined objects
Quarantine Scan
Restoring quarantined objects
Moving objects to Quarantine
Deleting objects from Quarantine
Sending probably infected objects to Kaspersky for analysis
Con guring Quarantine settings
Quarantine statistics
Making backup copies of objects. Backup
About backing up objects before disinfection or deletion
Viewing objects stored in Backup

5
Sorting les in Backup
Filtering les in Backup
Restoring les from Backup
Deleting les from Backup
Con guring Backup settings
Backup statistics
Blocking access to network resources. Blocked Hosts
About the Blocked Hosts storage
Managing Blocked Hosts via the Administration Plug-in
Enabling untrusted hosts blocking
Con guring Blocked Hosts settings
Managing Blocked Hosts via the Application Console
Enabling untrusted hosts blocking
Con guring Blocked Hosts settings
Managing Blocked Hosts via the Web Plug-in
Enabling hosts blocking
Con guring Blocked Hosts settings
Event registration. Kaspersky Embedded Systems Security logs
Ways to register Kaspersky Embedded Systems Security events
System audit log
Sorting events in the system audit log
Filtering events in the system audit log
Deleting events from the system audit log
Task logs
About task logs
Viewing the list of events in task logs
Sorting task logs
Filtering task logs
Viewing statistics and information about a Kaspersky Embedded Systems Security task in task logs
Exporting information from a task log
Deleting task logs
Security log
Viewing the event log of Kaspersky Embedded Systems Security in Event Viewer
Con guring log settings in Administration Plug-in
About SIEM integration
Con guring SIEM integration settings
Con guring logs and noti cations
Con guring log settings
Security log
Con guring SIEM integration settings
Con guring noti cation settings
Con guring interaction with the Administration Server
Noti cation settings
Administrator and user noti cation methods
Con guring administrator and user noti cations
Starting and stopping Kaspersky Embedded Systems Security
Starting the Kaspersky Embedded Systems Security Administration Plug-in
Starting the Kaspersky Embedded Systems Security Console from the Start menu

6
Starting and stopping the Kaspersky Security Service
Starting Kaspersky Embedded Systems Security components in the operating system safe mode
About Kaspersky Embedded Systems Security working in the operating system safe mode
Starting Kaspersky Embedded Systems Security in safe mode
Kaspersky Embedded Systems Security self-defense
About Kaspersky Embedded Systems Security self-defense
Protection from changes to folders with installed Kaspersky Embedded Systems Security components
Protection from changes to Kaspersky Embedded Systems Security registry keys
Registering the Kaspersky Security Service as a protected service
Managing access permissions for Kaspersky Embedded Systems Security functions
About permissions to manage Kaspersky Embedded Systems Security
About permissions to manage registered services
About access permissions for the Kaspersky Security Management Service
About permissions to manage the Kaspersky Security Service
Managing access permissions via the Administration Plug-in
Con guring access permissions for Kaspersky Embedded Systems Security and the Kaspersky Security Service
Password-protected access to Kaspersky Embedded Systems Security functions
Managing access permissions via the Application Console
Con guring access permissions for managing Kaspersky Embedded Systems Security and the Kaspersky Security
Service
Password-protected access to Kaspersky Embedded Systems Security functions
Managing access permissions via the Web Plug-in
Con guring access permissions for Kaspersky Embedded Systems Security and the Kaspersky Security Service
Password-protected access to Kaspersky Embedded Systems Security functions
Real-Time File Protection
About Real-Time File Protection task
About the task protection scope and security settings
About virtual protection scopes
Prede ned protection scopes
About prede ned security levels
File extensions scanned by default in the Real-Time File Protection task
Default Real-Time File Protection task settings
Managing the Real-Time File Protection task via the Administration Plug-in
Navigation
Opening policy settings for the Real-Time File Protection task
Opening the Real-Time File Protection task properties
Con guring the Real-Time File Protection task
Selecting the protection mode
Con guring Heuristic Analyzer and integration with other application components
Scheduling tasks
Creating and con guring the task protection scope
Selecting prede ned security levels for On-Demand Scan tasks
Con guring security settings manually
Con guring general task settings
Con guring actions
Con guring performance
Managing the Real-Time File Protection task via the Application Console
Navigation

7
Opening the Real-Time File Protection task settings
Opening the Real-Time File Protection task scope settings
Con guring the Real-Time File Protection task
Selecting protection mode
Con guring Heuristic Analyzer and integration with other application components
Con guring the task schedule settings
Creating a protection scope
Con guring the view for network le resources
Creating a protection scope
Including network objects in the protection scope
Creating a virtual protection scope
Con guring security settings manually
Selecting prede ned security levels for Real-Time File Protection task
Con guring general task settings
Con guring actions
Con guring performance
Real-Time File Protection task statistics
Managing Real-Time File Protection task via the Web Plug-in
Con guring Real-Time File Protection task
Con guring the task protection scope
KSN Usage
About the KSN Usage task
Default KSN Usage task settings
Managing KSN Usage via the Administration Plug-In
Con guring the KSN Usage task
Con guring Data Processing
Managing KSN Usage via the Application Console
Con guring KSN Usage task
Con guring Data handling
Managing KSN Usage via the Web Plug-in
Con guring additional data transfer
KSN Usage task statistics
Network Threat Protection
About the Network Threat Protection task
Default Network Threat Protection task settings
Con guring the Network Threat Protection task via the Application Console
General task settings
Adding exclusions
Con guring the Network Threat Protection task via the Administration Plug-in
General task settings
Adding exclusions
Con guring the Network Threat Protection task via the Web Plug-in
General task settings
Adding exclusions
Applications Launch Control
About the Applications Launch Control task
About Applications Launch Control rules
About Software Distribution Control

8
About KSN usage for the Applications Launch Control task
About Applications Launch Control rules generation
Default Applications Launch Control task settings
Managing Applications Launch Control via the Administration Plug-in
Navigation
Opening policy settings for the Applications Launch Control task
Opening the Applications Launch Control rules list
Opening the Rule Generator for Applications Launch Control task wizard and properties
Con guring Applications Launch Control task settings
Con guring Software Distribution Control
Con guring the Rule Generator for Applications Launch Control task
Con guring Applications Launch Control rules via the Kaspersky Security Center
Adding an Applications Launch Control rule
Enabling the Default Allow mode
Creating allowing rules from Kaspersky Security Center events
Importing rules from a Kaspersky Security Center report on blocked applications
Importing Applications Launch Control rules from an XML le
Checking application launches
Creating a Rule Generator for Applications Launch Control task
Restricting the task usage scope
Actions to perform during automatic rule generation
Actions to perform upon completion of automatic rule generation
Managing Applications Launch Control via the Application Console
Navigation
Opening the Applications Launch Control task settings
Opening the Applications Launch Control rules window
Opening the Rule Generator for Applications Launch Control task settings
Con guring Applications Launch Control task settings
Selecting the mode of the Applications Launch Control task
Con guring the scope of the Applications Launch Control task
Con guring KSN usage
Software Distribution Control
Con guring Applications Launch Control rules
Adding an Applications Launch Control rule
Enabling the Default Allow mode
Creating allowing rules from Applications Launch Control task events
Exporting Applications Launch Control rules
Importing Applications Launch Control rules from an XML le
Removing Applications Launch Control rules
Con guring a Rule Generator for Applications Launch Control task
Restricting the task usage scope
Actions to perform during automatic rule generation
Actions to perform upon completion of automatic rule generation
Managing Applications Launch Control via the Web Plug-in
Device Control
About Device Control task
About Device Control rules
About Device Control rules generation

9
About Rule Generator for Device Control task
Device Control default task settings
Managing Device Control via the Administration Plug-in
Navigation
Opening policy settings for the Device Control task
Opening the Device Control rules list
Opening the Rule Generator for Device Control task wizard and properties
Con guring Device Control task
Con guring the Rule Generator for Device Control task
Con guring Device Control rules via the Kaspersky Security Center
Creating allowing rules based on system data in a Kaspersky Security Center policy
Generating rules for connected devices
Importing rules from the Kaspersky Security Center report on blocked devices
Creating rules using the Rule Generator for Device Control task
Adding generated rules to the Device Control rules list
Managing Device Control via the Application Console
Navigation
Opening the Device Control task settings
Opening the Device Control rules window
Opening the Rule Generator for Device Control task settings
Con guring Device Control task settings
Con guring Device Control rules
Importing Device Control rules from XML le
Filling rules list basing on Device Control task events
Adding an allowing rule for one or several external devices
Removing Device Control rules
Exporting Device Control rules
Activating and deactivating of Device Control rules
Expanding Device Control rules usage scope
Con guring Rule Generator for Device Control task
Managing Device Control via the Application Console Web Plug-in
Firewall Management
About the Firewall Management task
About Firewall rules
Default Firewall Management task settings
Managing Firewall rules via the Administration Plug-in
Enabling and disabling Firewall rules
Adding Firewall rules manually
Deleting Firewall rules
Managing Firewall rules via the Application Console
Enabling and disabling Firewall rules
Adding Firewall rules manually
Deleting Firewall rules
Managing Firewall rules via the Web Plug-in
Enabling and disabling Firewall rules
Adding Firewall rules manually
Deleting Firewall rules
File Integrity Monitor

10
About the File Integrity Monitor task
About le operation monitoring rules
Default File Integrity Monitor task settings
Manage File Integrity Monitor via the Administration Plug-in
Con guring the File Integrity Monitor task
Con guring monitoring rules
Manage File Integrity Monitor via the Application Console
Con guring File Integrity Monitor task settings
Con guring monitoring rules
Manage File Integrity Monitor via the Web Plug-in
Con guring the File Integrity Monitor task
Con guring monitoring rules
Registry Access Monitor
About the Registry Access Monitor task
About System registry monitoring rules
Default Registry Access Monitor task settings
Managing the Registry Access Monitor via the Administration Plug-in
Con gure the Registry Access Monitor task settings
Con guring monitoring rules
Managing the Registry Access Monitor via the Administration Console
Con guring the Registry Access Monitor task settings
Con guring monitoring rules
Managing the Registry Access Monitor via the Web Plug-in
Con guring the Registry Access Monitor task
Con guring monitoring rules
Log Inspection
About the Log Inspection task
Default Log Inspection task settings
Managing Log Inspection rules via the Administration Plug-in
Con guring prede ned task rules
Adding Log Inspection rules via the Administration Plug-in
Managing Log Inspection rules via the Application Console
Con guring prede ned task rules
Adding Log Inspection rules via the Application Console
Managing Log Inspection rules via the Web Plug-in
On-Demand Scan
About On-Demand Scan tasks
About the task scan scope and security settings
Prede ned scan scopes
Online storage le scanning
About prede ned security levels
About the Removable Drives Scan
About the Baseline File Integrity Monitor task
Enabling start of On-Demand Scan task from context menu
Default On-Demand Scan tasks settings
Managing On-Demand Scan tasks via the Administration Plug-in
Navigation
Opening the On-Demand Scan task wizard

11
Opening the On-Demand Scan task properties
Creating an On-Demand Scan task
Assigning the Critical Areas Scan status to an On-Demand Scan task
Running an On-Demand Scan task in the background
Registering execution of a Critical Areas Scan
Con guring the task scan scope
Selecting prede ned security levels for On-Demand Scan tasks
Con guring security settings manually
Con guring general task settings
Con guring actions
Con guring performance
Con guring Removable Drives Scan
Con guring a Baseline File Integrity Monitor task
Managing On-Demand Scan tasks via the Application Console
Navigation
Opening the On-Demand Scan task settings
Opening the On-Demand Scan task scope settings
Creating and con guring an On-Demand Scan task
Scan scope in On-Demand Scan tasks
Con guring the view for network le resources
Creating a scan scope
Including network objects in the scan scope
Creating a virtual scan scope
Con guring security settings
Selecting prede ned security levels for On-Demand Scan tasks
Con guring general task settings
Con guring actions
Con guring performance
Con guring hierarchical storage
Scanning removable drives
On-Demand Scan task statistics
Creating and con guring a Baseline File Integrity Monitor task
Managing On-Demand Scan tasks via the Web Plug-in
Opening the On-Demand Scan task wizard
Opening the On-Demand Scan task properties
Con guring the task scan scope
Con guring the task settings
Trusted Zone
About the Trusted Zone
Managing the Trusted Zone via the Administration Plug-in
Navigation
Opening the Trusted Zone policy settings
Opening the Trusted Zone properties window
Con guring Trusted Zone settings via the Administration Plug-in
Adding an exclusion
Adding trusted processes
Applying the not-a-virus mask
Managing the Trusted Zone via the Application Console

12
Applying the Trusted Zone to tasks in the Application Console
Con guring Trusted Zone settings in the Application Console
Adding an exclusion to the Trusted Zone
Adding trusted processes
Applying the not-a-virus mask
Managing the Trusted Zone via the Web Plug-in
Exploit Prevention
About Exploit Prevention
Managing Exploit Prevention via the Administration Plug-in
Navigation
Opening policy settings for Exploit Prevention
Opening the Exploit Prevention properties window
Con guring process memory protection settings
Adding a process to the protection scope
Managing Exploit Prevention via the Application Console
Navigation
Opening the Exploit Prevention general settings
Opening the Exploit Prevention process protection settings
Con guring process memory protection settings
Adding a process to the protection scope
Managing Exploit Prevention via the Web Plug-in
Con guring process memory protection settings
Adding a process to the protection scope
Exploit prevention techniques
Integrating with third-party systems
Performance counters for System Monitor
About Kaspersky Embedded Systems Security performance counters
Total number of requests denied
Total number of requests skipped
Number of requests not processed because of lack of system resources
Number of requests sent to be processed
Average number of le interception dispatcher streams
Maximum number of le interception dispatcher streams
Number of elements in the infected objects queue
Number of objects processed per second
Kaspersky Embedded Systems Security SNMP counters and traps
About Kaspersky Embedded Systems Security SNMP counters and traps
Kaspersky Embedded Systems Security SNMP counters
Performance counters
Quarantine counters
Backup counter
General counters
Update counter
Real-Time File Protection counters
Kaspersky Embedded Systems Security SNMP traps and their options
Kaspersky Embedded Systems Security SNMP traps options descriptions and possible values
Integrating with WMI
Working with Kaspersky Embedded Systems Security from the command line

13
Commands
Displaying Kaspersky Embedded Systems Security command help: KAVSHELL HELP
Starting and stopping the Kaspersky Security Service KAVSHELL START: KAVSHELL STOP
Scanning a selected area: KAVSHELL SCAN
Starting the Critical Areas Scan task: KAVSHELL SCANCRITICAL
Managing tasks asynchronously: KAVSHELL TASK
Removing the PPL attribute: KAVSHELL CONFIG
Starting and stopping Real-Time Computer Protection tasks: KAVSHELL RTP
Managing the Applications Launch Control task: KAVSHELL APPCONTROL /CONFIG
Rule Generator for Applications Launch Control: KAVSHELL APPCONTROL /GENERATE
Filling the list of Applications Launch Control rules: KAVSHELL APPCONTROL
Filling the list of Device Control rules: KAVSHELL DEVCONTROL
Starting the Database Update task: KAVSHELL UPDATE
Rolling back Kaspersky Embedded Systems Security database updates: KAVSHELL ROLLBACK
Managing log inspection: KAVSHELL TASK LOG-INSPECTOR
Activating the application: KAVSHELL LICENSE
Enabling, con guring and disabling trace logs: KAVSHELL TRACE
Defragmenting Kaspersky Embedded Systems Security log les: KAVSHELL VACUUM
Cleaning iSwift base: KAVSHELL FBRESET
Enabling and disabling dump le creation: KAVSHELL DUMP
Importing settings: KAVSHELL IMPORT
Exporting settings: KAVSHELL EXPORT
Integration with Microsoft Operations Management Suite: KAVSHELL OMSINFO
Managing the Baseline File Integrity Monitor task: KAVSHELL FIM /BASELINE
Command return codes
Return codes for the KAVSHELL START and KAVSHELL STOP commands
Return code for KAVSHELL SCAN and KAVSHELL SCANCRITICAL commands
Return codes for the KAVSHELL TASK LOG-INSPECTOR command
Return codes for the KAVSHELL TASK command
Return codes for the KAVSHELL RTP command
Return codes for the KAVSHELL UPDATE command
Return codes for the KAVSHELL ROLLBACK command
Return codes for the KAVSHELL LICENSE command
Return codes for the KAVSHELL TRACE command
Return codes for the KAVSHELL FBRESET command
Return codes for the KAVSHELL DUMP command
Return codes for the KAVSHELL IMPORT command
Return codes for the KAVSHELL EXPORT command
Return codes for the KAVSHELL FIM /BASELINE command
Contacting Technical Support
How to get technical support
Technical Support via Kaspersky CompanyAccount
Using trace les and AVZ scripts
Glossary
Active key
Administration Server
Anti-virus databases
Archive

14
Backup
Disinfection
Event severity
False positive
File mask
Heuristic analyzer
Infectable le
Infected object
Kaspersky Security Network (KSN)
License term
Local task
OLE object
Policy
Protection status
Quarantine
Security level
SIEM
Startup objects
Task
Task settings
Update
Vulnerability
Information about third-party code
Trademark notices

15
About Kaspersky Embedded Systems Security
Kaspersky Embedded Systems Security protects computers and other embedded systems under Microsoft®
Windows® (hereinafter also referred to as protected devices) against viruses and other computer threats.
Kaspersky Embedded Systems Security users are corporate network administrators and specialists responsible
for anti-virus protection of the corporate network.

You can install Kaspersky Embedded Systems Security on a variety embedded systems under Windows, including
the following devices types:

ATM (automated tellers machines)

POS (points of sales)

Kaspersky Embedded Systems Security can be managed in the following ways:

Via the Application Console installed on the same protected device as Kaspersky Embedded Systems Security,
or on a di erent device

Using commands in the command line

Via the Kaspersky Security Center Administration Console

The Kaspersky Security Center application can also be used for centralized administration of multiple protected
devices running Kaspersky Embedded Systems Security.

It is possible to review Kaspersky Embedded Systems Security performance counters for the "System Monitor"
application, as well as SNMP counters and traps.

Kaspersky Embedded Systems Security components and functions

The application includes the following components:

Real-Time File Protection . Kaspersky Embedded Systems Security scans objects when they are accessed.
Kaspersky Embedded Systems Security scans the following objects:

Files

Alternate le system streams (NTFS streams)

Master boot records and boot sectors on local hard and removable drives

On-Demand Scan. Kaspersky Embedded Systems Security runs a single scan of the speci ed area for viruses
and other computer security threats. Application scans les, RAM, and autorun objects on a protected device.

Applications Launch Control. The component tracks users' attempts to launch applications and controls
applications launches on a protected device.

Device Control. The component controls registration and usage of external devices in order to protect the
device against computer security threats that may arise while exchanging les with USB-connected ash drives
or other types of external device.

Firewall Management. This component provides the ability to manage the Windows Firewall: con gure settings
and operating system rewall rules, and block any possibility of external rewall con guration.

16
File Integrity Monitor. Kaspersky Embedded Systems Security detects changes in les within the monitoring
scopes speci ed in the task settings. These changes may indicate a security breach on the protected device.

Log Inspection. This component monitors the integrity of the protected environment based on the results of
an inspection of Windows event logs.

The following functions are implemented in the application:

Database Update and Software Modules Update. Kaspersky Embedded Systems Security downloads
updates of application databases and modules from Kaspersky's FTP or HTTP update servers, Kaspersky
Security Center Administration Server, or other update sources.

Quarantine. Kaspersky Embedded Systems Security quarantines probably infected objects by moving such
objects from their original location to the Quarantine folder. For security purposes, objects in the Quarantine
folder are stored in encrypted form.

Backup. Kaspersky Embedded Systems Security stores encrypted copies of objects classi ed as Infected in
Backup before disinfecting or deleting them.

Administrator and user noti cations. You can con gure the application to notify the administrator and users
who access the protected device about events in Kaspersky Embedded Systems Security operation and the
status of anti-virus protection on the device.

Importing and exporting settings. You can export Kaspersky Embedded Systems Security settings to an XML
con guration le and import settings into Kaspersky Embedded Systems Security from the con guration le.
You can save all application settings or only settings for individual components to a con guration le.

Applying templates. You can manually con gure a node's security settings in the tree or in a list of the
protected device's le resources, and save the con gured setting values as a template. This template can then
be used to con gure the security settings of other nodes in Kaspersky Embedded Systems Security protection
and scan tasks.

Managing access permissions for Kaspersky Embedded Systems Security functions. You can con gure the
rights to manage Kaspersky Embedded Systems Security and the Windows services registered by the
application, for users and groups of users.

Writing events to the Windows Event Log. Kaspersky Embedded Systems Security logs information about
software component settings, the current status of tasks, events that occur while tasks run, events associated
with Kaspersky Embedded Systems Security management, and information required to diagnose errors in
Kaspersky Embedded Systems Security.

Trusted Zone. You can generate a list of exclusions from the protection or scan scope, that Kaspersky
Embedded Systems Security will apply in the On-Demand and Real-Time Computer Protection tasks.

Exploit Prevention. You can protect process memory from exploits using an Agent injected into the process.

17
What's new
The new version of Kaspersky Embedded Systems Security introduces the following new features and
improvements:

The following operating systems are now supported:

Microsoft Windows 10 21H2

Microsoft Windows 11

Licensing: when the license key expires, the system components remain operational, except for the Database
Update component and Kaspersky Security Network service.

Licensing: support for activation codes is implemented.

Improvements to the System Inspection settings: in the File Integrity Monitor task, you can block changing les
for the selected monitoring area after you create a respective rule. Also, you can Apply Trusted Zone to exclude
trusted objects and trusted users from the monitoring area.

Improvements to the System Inspection settings: in the Registry Access Monitor task, you can compile
statistics or block changes for the registry keys and values in the selected monitoring area after you create a
respective rule. Also, you can Apply Trusted Zone to exclude trusted processes and trusted users from the
monitoring area.

The option to enable control of the early start for Kaspersky Embedded Systems Security service is added.

For Kaspersky Security Center component status reports, the set of standard statuses was expanded. The
new status provides you with the information whether a component operates in the Active mode or only
compiles statistics and noti es about threats.

Self-defense settings improvement: in the Kaspersky Embedded Systems Security Console and Kaspersky
Embedded Systems Security Administration Plug-in policy properties, it is now possible to enable or disable
protection of Kaspersky Embedded Systems Security les and registry keys against external threats.

When you start Kaspersky Embedded Systems Security, the application assigns individual tags to the
protected devices. Tags help you to identify di erent devices in the pool of protected devices registered with
the same name and the same IP address.

The following dialogs of the application web plug-in are now available for Kaspersky Security Center users:

File Integrity Monitor

Applications Launch Control

Log Inspection

You can use Kaspersky Embedded Systems Security as part of Kaspersky Cloud Console.

In Kaspersky Embedded Systems Security, you can con gure the Delayed start mode for Kaspersky Security
Service. In this mode, Kaspersky Security Service is started once all other operating system components are
loaded.

Changes to the Device Control task: now you can con gure the task to compile the statistics or block the
devices connected via USB that support UAS technology.

18
The link to the application life cycle table is now available in the online documentation.

Bugs from the previous versions are xed: the application includes the bug- xes issued for the previous
versions.

19
Sources of information about Kaspersky Embedded Systems Security
This section lists sources of information about the application.

You can select the most suitable information source, depending on the importance level and urgency of the issue.

Sources for independent retrieval of information

You can use the following sources to nd information about Kaspersky Embedded Systems Security:

Kaspersky Embedded Systems Security page on the Kaspersky website.

Kaspersky Embedded Systems Security page on the Technical Support website (Knowledge Base).

Manuals.

If you did not nd a solution to your problem, contact Kaspersky Technical Support .

An Internet connection is required to use online information sources.

Kaspersky Embedded Systems Security page on the Kaspersky website

On the Kaspersky Embedded Systems Security page , you can view general information about the application, its
functions and features.

The Kaspersky Embedded Systems Security page contains a link to eStore. There you can purchase the
application or renew your license.

Kaspersky Embedded Systems Security page in Knowledge Base

Knowledge Base is a section on the Technical Support website.

The Kaspersky Embedded Systems Security page in the Knowledge Base features articles that provide useful
information, recommendations, and answers to frequently asked questions about how to purchase, install, and use
the application.

Knowledge Base articles can answer questions relating to not only Kaspersky Embedded Systems Security but
also to other Kaspersky applications. Knowledge Base articles can also include Technical Support news.

Kaspersky Embedded Systems Security documentation

Kaspersky Embedded Systems Security Administrator's Guide contains information about the application
installation, uninstallation, settings con guring and usage.

Discussing Kaspersky applications in the community

20
If your question does not require an immediate answer, you can discuss it with Kaspersky experts and other users
in our community .

In our online community, you can view existing topics, leave comments, and create new discussion topics.

21
Kaspersky Embedded Systems Security
This section describes the functions, components, and distribution kit of Kaspersky Embedded Systems Security,
and provides a list of hardware and software requirements of Kaspersky Embedded Systems Security.

Distribution kit
The distribution kit includes the welcome application that lets you do the following:

Start the Kaspersky Embedded Systems Security Installation Wizard.

Start the Kaspersky Embedded Systems Security Console Installation Wizard.

Start the Installation Wizard that will install Kaspersky Embedded Systems Security Administration Plug-in for
managing the application via the Kaspersky Security Center.

Read the Administrator’s Guide.

Go to Kaspersky Embedded Systems Security page on the Kaspersky website.

Visit the Technical Support website .

Read information about the current version of Kaspersky Embedded Systems Security.

The \console folder contains les for the installation of Application Console ("Kaspersky Embedded Systems
Security Administration Tools" set of components).

The \product folder contains:

Files for the installation of Kaspersky Embedded Systems Security components on a protected device running
a 32-bit or 64-bit Microsoft Windows operating system.

File for the installation of the Administration Plug-in for managing Kaspersky Embedded Systems Security via
the Kaspersky Security Center.

Archive of anti-virus databases current at the time the application was released.

File with the text of the End User License Agreement and Privacy Policy.

The \product_no_avbases folder contains installation les for Kaspersky Embedded Systems Security
components and the Administration Plug-in without the anti-virus databases.

The \setup folder contains greeting program start les.

The distribution kit les are stored in di erent folders depending on their intended use (see table below).

Kaspersky Embedded Systems Security distribution kit les

File Purpose

autorun.inf Autorun le for the Kaspersky Embedded Systems Security

Installation Wizard when installing the application from removable
drive.

release_notes.txt The le contains release information.

22
migration.txt The le describes migration from previous application versions.

setup.exe Greeting program start le (starts setup.hta).

\console\esstools_x86.msi Windows Installer package; installs the Application Console on the

protected device running a 32-bit Microsoft Windows operating
system.

\console\esstools_x64.msi Windows Installer package; installs the Application Console on the

protected device running a 64-bit Microsoft Windows operating
system.

\console\setup.exe The le that starts the setup wizard for the "Administration tools" set
of components (including the Application Console); it starts the
esstools.msi installation package le using the settings speci ed in the
setup wizard.

\product\bases.cab Archive of anti-virus databases current at the time of application

release.

\product\setup.exe The le for installing Kaspersky Embedded Systems Security on the

protected device by means of the wizard; it starts the installation
package le ess.msi with the installation settings speci ed in the
wizard.

\product\ess_x86.msi Windows Installer package; installs the Protect computer with Anti-
Virus Bases con guration of Kaspersky Embedded Systems
Security on the protected device running a 32-bit Microsoft Windows
operating system.

If the Protect computer with Anti-Virus Bases con guration is

selected, all Kaspersky Embedded Systems Security components
are included by default except the Firewall Management and
Performance Counters components.
When you install the Protect computer with Anti-Virus Bases
con guration of Kaspersky Embedded Systems Security over the
application version that does not use signature analysis and anti-
virus databases to protect your computer, the set of application
components will be automatically expanded by adding the
following components:
Real-Time File Protection

On-Demand Scan

Network Threat Protection

\product\ess_x64.msi Windows Installer package; installs the Protect computer with Anti-
Virus Bases con guration of Kaspersky Embedded Systems
Security on the protected device running a 64-bit Microsoft Windows
operating system.

23
If the Protect computer with Anti-Virus Bases con guration is
selected, all Kaspersky Embedded Systems Security components
are included by default except the Firewall Management and
Performance Counters components.
When you install the Protect computer with Anti-Virus Bases
con guration of Kaspersky Embedded Systems Security over the
application version that does not use signature analysis and anti-
virus databases to protect your computer, the set of application
components will be automatically expanded by adding the
following components:
Real-Time File Protection

On-Demand Scan

Network Threat Protection

\product\ess.kud File in Kaspersky Unicode De nition format with a description of the

installation package for remote installation of Kaspersky Embedded
Systems Security via Kaspersky Security Center.

\product\klcfginst.exe Installer for Administration Plug-in for managing Kaspersky Embedded

Systems Security via the Kaspersky Security Center. Install the
Administration Plug-in on each protected device where the Kaspersky
Security Center Administration Console is installed if you plan to use it
to manage Kaspersky Embedded Systems Security.

\product\license.txt Text of the End User License Agreement and Privacy Policy.

\product_long_term\setup.exe The le for installing Kaspersky Embedded Systems Security on the

protected device by means of the wizard; it starts the installation
package le ess.msi with the installation settings speci ed in the
wizard.

\product_long_term\ess_x86.msi Windows Installer package; installs the Protect computer with Default
Deny technology con guration of Kaspersky Embedded Systems
Security on the protected device running a 32-bit Microsoft Windows
operating system.

24
The components enabling updates are not included in the
Protect computer with Default Deny technology
con guration.

If the Protect computer with Default Deny technology

con guration is selected, the following components are included
by default:
Core

Exploit Prevention

Application Launch Control

System Tray Icon

When you install the Protect computer with Default Deny
technology con guration of Kaspersky Embedded Systems
Security over the application version that uses signature analysis
and anti-virus databases to protect your computer, the set of
application components will be automatically reduced by
removing the following components:
Real-Time File Protection

On-Demand Scan

the components enabling updates

This con guration is recommended for protecting systems with
limited resources. In this case, you can activate the application for
a long term, and the Applications Launch Control component
provides computer protection.

\product_long_term\ess_x64.msi Windows Installer package; installs the Protect computer with Default
Deny technology con guration of Kaspersky Embedded Systems
Security on the protected device running a 64-bit Microsoft Windows
operating system.

25
The components enabling updates are not included in the
Protect computer with Default Deny technology
con guration.

If the Protect computer with Default Deny technology

con guration is selected, the following components are included
by default:
Core

Exploit Prevention

Application Launch Control

System Tray Icon

On-Demand Scan

the components enabling updates

\product_long_term\ess_light.kud File in Kaspersky Unicode De nition format with a description of the

installation package for remote installation of Kaspersky Embedded
Systems Security via Kaspersky Security Center.

\product_long_term\klcfginst.exe Installer for Administration Plug-in for managing Kaspersky Embedded

\product_long_term\license.txt Text of the End User License Agreement and Privacy Policy.

\setup\setup.hta Greeting program start le.

Hardware and software requirements

Before installing Kaspersky Embedded Systems Security, you must uninstall other anti-virus applications from
the device.

26
Software requirements for the protected device

You can install Kaspersky Embedded Systems Security on a device under a 32-bit or 64-bit Microsoft Windows
operating system.

Windows Installer 3.1 is required for a proper application installation and work on a protected device under
Microsoft Windows XP.

To install and use Kaspersky Embedded Systems Security on the protected devices with embedded operating
systems, Filter Manager component is required.

Before you install Kaspersky Embedded Systems Security, make sure that the required updates covering SHA-
2 support are installed on the operating system of the protected devices. If SHA-2 is not supported, the
installed application modules may fail to function properly, which results in the operating system malfunction.
For detailed information, see: https://support.kaspersky.com/15728.

You can install Kaspersky Embedded Systems Security on a device under one of the following 32-bit or 64-bit
Microsoft Windows operating systems:

Windows XP Embedded SP3 (32-bit)

Windows Embedded POSReady 2009 (32-bit)

Windows Embedded Standard 7 SP1 (32-bit, 64-bit)

Windows Embedded Enterprise 7 SP1 (32-bit, 64-bit)

Windows Embedded POSReady 7 (32-bit, 64-bit)

Windows Embedded 8.0 Standard (32-bit, 64-bit)

Windows Embedded 8.1 Industry Professional / Enterprise (32-bit, 64-bit)

Windows 10 IoT Enterprise (32-bit, 64-bit)

Windows XP Professional SP2 / SP3 (32-bit)

Windows 7 Professional / Enterprise SP1 (32-bit, 64-bit)

Windows 8 Professional / Enterprise (32-bit, 64-bit)

Windows 8.1 Professional / Enterprise (32-bit, 64-bit)

Windows 10 Professional / Enterprise (32-bit, 64-bit)

Windows 10 version 1607 Professional / Enterprise / IoT Enterprise (32-bit, 64-bit)

Windows 10 version 1703 Professional / Enterprise / IoT Enterprise (32-bit, 64-bit)

Windows 10 version 1709 Professional / Enterprise / IoT Enterprise (32-bit, 64-bit)

27
Windows 10 version 1803 Professional / Enterprise / IoT Enterprise (32-bit, 64-bit)

Windows 10 version 1809 Professional / Enterprise / IoT Enterprise (32-bit, 64-bit)

Windows 10 19H2 Professional / Enterprise / IoT Enterprise (32-bit, 64-bit)

Windows 10 21H2 Professional / Enterprise / IoT Enterprise (32-bit, 64-bit)

Windows 10 Enterprise LTSC 2016 (32-bit, 64-bit)

Windows 10 Enterprise LTSC 2019 (32-bit, 64-bit)

Windows 10 Enterprise LTSC 2021 (32-bit, 64-bit)

Windows 11 21H2 Professional / Enterprise (64-bit)

Hardware requirements for the protected device

Hardware requirements for the protected device vary depending on the installed Windows operating system:

Hardware requirements for a device under Windows XP (32 / 64-bit), Windows Embedded XP, Windows
Embedded POSReady 2009, or Windows Embedded POSReady 7 operating system:

Minimum con guration:

Disk space requirements:

To install the Applications Launch Control component – 50 MB.

To install all Kaspersky Embedded Systems Security components – 2 GB.

RAM:

256 MB to install only the Applications Launch Control component on the device under Microsoft
Windows operating system.

512 MB to perform full installation of all components.

Processor requirements:

for 32-bit Microsoft Windows operating systems:

1.4 GHz single-core processor

Intel® Pentium® III.

for 64-bit Microsoft Windows operating systems:

1.4 GHz single-core processor

Intel Pentium IV.

Recommended con guration:

Disk space requirements:

28
To install the Applications Launch Control component – 2 GB.

To install all Kaspersky Embedded Systems Security components – 4 GB.

RAM: 2 GB.

Processor requirements: 2.4 GHz quad-core processor.

Hardware requirements for a device under Windows Embedded 7, Windows Embedded 8 or Windows
Embedded 10 operating system:

Minimum con guration:

Disk space requirements:

To install the Applications Launch Control component – 50 MB.

To install all Kaspersky Embedded Systems Security components – 2 GB.

RAM: 1 GB.

Processor requirements: 1.4 GHz single-core processor Intel Pentium IV.

Recommended con guration:

Disk space requirements:

To install the Applications Launch Control component – 2 GB.

To install all Kaspersky Embedded Systems Security components – 4 GB.

RAM: 2 GB.

Processor requirements: 2.4 GHz quad-core processor.

Hardware requirements for a device under Windows 7 (64-bit), Windows 8 (64-bit), Windows 10 (64-bit) or
Windows 11 (64-bit) operating system:

Minimum con guration:

Disk space requirements:

To install the Applications Launch Control component – 50 MB.

To install all Kaspersky Embedded Systems Security components – 2 GB.

RAM:

1 GB to install only the Applications Launch Control component on the device under Microsoft
Windows operating system.

2 GB to perform full installation of all components.

Processor requirements:

1.4 GHz single-core processor

29
Intel Pentium IV.

Recommended con guration:

Disk space requirements:

To install the Applications Launch Control component – 2 GB.

To install all Kaspersky Embedded Systems Security components – 4 GB.

RAM:

2 GB to install only the Applications Launch Control component on the device under Microsoft
Windows operating system.

4 GB to perform full installation of all components.

Processor requirements: 2.4 GHz quad-core processor.

Hardware requirements for a device under Windows 7 (32-bit), Windows 8 (32-bit) or Windows 10 (32-bit):

Minimum con guration:

Disk space requirements:

To install the Applications Launch Control component – 50 MB.

To install all Kaspersky Embedded Systems Security components – 2 GB.

RAM:

256 MB to install only the Applications Launch Control component on the device under Microsoft
Windows operating system.

1 GB to perform full installation of all components.

Processor requirements:

for 32-bit Microsoft Windows operating systems:

1.4 GHz single-core processor

Intel Pentium III.

for 64-bit Microsoft Windows operating systems:

1.4 GHz single-core processor

Intel Pentium IV.

Recommended con guration:

Disk space requirements:

To install the Applications Launch Control component – 2 GB.

30
To install all Kaspersky Embedded Systems Security components – 4 GB.

RAM: 2 GB.

Processor requirements: 2.4 GHz quad-core processor.

Functional requirements and limitations

This section describes additional functional requirements and existing limitations for Kaspersky Embedded
Systems Security components.

Installation and uninstallation

During application installation a warning appears if the new path to the Kaspersky Embedded Systems Security
installation folder contains more than 150 symbols. The warning does not a ect the installation process:
Kaspersky Embedded Systems Security will install and run successfully.

For installation of the SNMP protocol support component the SNMP service must be restarted, if it is running.

For installation and operation of Kaspersky Embedded Systems Security on a device running an embedded
operating system, the Filter Manager component must be installed.

Kaspersky Embedded Systems Security Administration Tools cannot be installed via Microsoft Active
Directory® group policies.

When installing the application on protected devices running older operating systems that cannot receive
regular updates, the following root certi cates should be checked: DigiCert Assured ID Root CA,
DigiCert_High_Assurance_EV_Root_CA, DigiCertAssuredIDRootCA. If these certi cates are missing, the
application may not function correctly. We recommend that you install these certi cates in any possible way.

File Integrity Monitor

By default, the File Integrity Monitor does not monitor changes in system folders or the le system's housekeeping
les in order to not clutter task reports with information about routine le changes performed constantly by the
operating system. The user cannot manually include such folders in the monitoring scope.

The following folders/ les are excluded from the monitoring scope:

NTFS housekeeping les with le id from 0 to 33

"%SystemRoot%\\Prefetch\\"

"%SystemRoot%\\ServicePro les\\LocalService\\AppData\\Local\\"

"%SystemRoot%\\System32\\LogFiles\\Scm\\"

"%SystemRoot%\\Microsoft.NET\\Framework\\v4.0.30319\\"

31
"%SystemRoot%\\Microsoft.NET\\Framework64\\v4.0.30319\\"

"%SystemRoot%\\Microsoft.NET\\"

"%SystemRoot%\\System32\\con g\\"

"%SystemRoot%\\Temp\\"

"%SystemRoot%\\ServicePro les\\LocalService\\"

"%SystemRoot%\\System32\\winevt\\Logs\\"

"%SystemRoot%\\System32\\wbem\\repository\\"

"%SystemRoot%\\System32\\wbem\\Logs\\"

"%ProgramData%\\Microsoft\\Windows\\WER\\ReportQueue\\"

"%SystemRoot%\\SoftwareDistribution\\DataStore\\"

"%SystemRoot%\\SoftwareDistribution\\DataStore\\Logs\\"

"%ProgramData%\\Microsoft\\Windows\\AppRepository\\"

"%ProgramData%\\Microsoft\\Search\\Data\\Applications\\Windows\\"

"%SystemRoot%\\Logs\\SystemRestore\\"

"%SystemRoot%\\System32\\Tasks\\Microsoft\\Windows\\TaskScheduler\\"

The application excludes top-level folders.

The component does not monitor les changes that bypass the ReFS/NTFS le system ( le changes made
through BIOS, LiveCD, etc.).

Firewall Management
Working with IPv6 addresses is not available when the speci ed rule scope consists of one address.

Preset Firewall policy rules support basic scenarios of interaction between protected devices and
Administration Server. To make full use of Kaspersky Security Center functions, you need to set up port rules
manually. To learn more about port numbers, protocols and their functions, please see
https://support.kaspersky.com/KSC/13.2/en-US/158830.htm.

The application does not control modi cation of Windows Firewall rules and rule groups during the Firewall
management task if those rules were not added to the task con guration when the application was installed. To
update the status and include such rules, the Firewall management task must be restarted.

When the Firewall Management task is started, the following types of rules are automatically removed from the
operating system's rewall settings:

denying rules;

rules monitoring outgoing tra ic.

32
Other limitations
On-Demand Scan, Real-Time File Protection :

Scanning of connected MTP-devices is not available.

Archive scanning is not available without SFX-archive scanning: if archive scanning is enabled in the protection
settings of Kaspersky Embedded Systems Security, the application automatically scans objects in both
archives and SFX-archives. SFX-archive scanning is available without archive scanning.

If Deeper analysis of launching processes (process launch is blocked until the analysis ends) checkbox and
KSN Usage service are enabled simultaneously, any launched process that receives URL web-address as an
argument will be blocked, even if Only Statistics mode had been chosen. To avoid blocking the process, please
choose one of the options:

Disable KSN Usage service

Disable Deeper analysis of launching processes (process launch is blocked until the analysis ends)
checkbox

Recommended option: Disable Deeper analysis of launching processes checkbox

Licensing:

The application cannot be activated with a key via the Setup wizard if the key is stored on a disk created using
the SUBST command, or if the path to the key le is a network path.

Updates:

After Kaspersky Embedded Systems Security critical modules updates are installed, the application icon is
hidden by default.

KLRAMDISK is not supported on protected devices running the Windows XP or Windows Server 2003
operating system.

Interface:

In the Application Console, ltering in the Quarantine, Backup, System audit log or Task log is case sensitive.

When con guring a protection or scan scope in the Application Console, you can use only one mask and only at
the end of the path. Some examples of correct masks include: "C:\Temp\Temp*", or "C:\Temp\Temp???.doc", and
"C:\Temp\Temp*.doc". This limitation does not a ect con guration of the Trusted Zone.

Security:

If the operating system’s User Account Control feature is enabled, a user account must be part of the
KAVWSEE Administrators group to open the Application Console with a double-click on the application icon in
the tray noti cation area. Otherwise, it will be necessary to login as a user whose is allowed to open the
Compact Diagnostic Interface or Microsoft Management Console snap-in.

The application cannot be uninstalled via the Microsoft Windows Programs and Features window if User
Account Control is enabled.

Integration with Kaspersky Security Center:

33
Administration Server veri es database updates when update packages are received, before sending the
updates to protected devices on the network. Administration Server does not verify software module updates.

Make sure the required check boxes are selected in the Interaction with the Administration Server settings
when you use components that transmit dynamic data to Kaspersky Security Center using network lists
(Quarantine, Backup).

Exploit prevention:

Exploit Prevention is not available if the apphelp.dll libraries are not loaded in the current environment
con guration.

The Exploit Prevention component is incompatible with Microsoft’s EMET utility on protected devices running
the Microsoft Windows 10 operating system: Kaspersky Embedded Systems Security blocks EMET, if the
Exploit Prevention component is being installed on a protected device with EMET installed.

34
Installing and removing the application
This section provides step-by-step instructions for installing and removing Kaspersky Embedded Systems
Security.

Kaspersky Embedded Systems Security software component codes for the

Windows Installer service
The \product_long_term\ess_x86.msi and \product_long_term\ess_x64.msi les are designed to install the
Protect computer with Default Deny technology con guration of Kaspersky Embedded Systems Security, and
the \product\ess_x86.msi and \product\ess_x64.msi les are designed to install the Protect computer with Anti-
Virus Bases con guration of Kaspersky Embedded Systems Security.

If the Protect computer with Anti-Virus Bases con guration is selected, all Kaspersky Embedded Systems
Security components are included by default except the Firewall Management and Performance Counters
components.
When you install the Protect computer with Anti-Virus Bases con guration of Kaspersky Embedded Systems
Security over the application version that does not use signature analysis and anti-virus databases to protect
your computer, the set of application components will be automatically expanded by adding the following
components:
Real-Time File Protection

On-Demand Scan

Network Threat Protection

35
The components enabling updates are not included in the Protect computer with Default Deny
technology con guration.

If the Protect computer with Default Deny technology con guration is selected, the following components
are included by default:
Core

Exploit Prevention

Application Launch Control

System Tray Icon

When you install the Protect computer with Default Deny technology con guration of Kaspersky Embedded
Systems Security over the application version that uses signature analysis and anti-virus databases to
protect your computer, the set of application components will be automatically reduced by removing the
following components:
Real-Time File Protection

On-Demand Scan

the components enabling updates

This con guration is recommended for protecting systems with limited resources. In this case, you can
activate the application for a long term, and the Applications Launch Control component provides computer
protection.

The \console\esstools_x86.msi and \console\esstools_x64.msi les install all software components in the
"Administration Tools" set.

The following sections list the Kaspersky Embedded Systems Security component codes for the Windows Installer
service. These codes can be used to de ne a list of components to be installed when installing Kaspersky
Embedded Systems Security from the command line.

Kaspersky Embedded Systems Security software components

The following table contains codes and descriptions of Kaspersky Embedded Systems Security software
components.

Description of Kaspersky Embedded Systems Security software components

Component Identi er Functions performed

Basic Core This component contains the set of basic application functions and
functionality ensures their operation.
If other Kaspersky Embedded Systems Security components are
speci ed when installing Kaspersky Embedded Systems Security from
the command line, but the Core component is not speci ed, the Core
component is installed automatically.

Applications AppCtrl This component monitors user attempts to start applications and
Launch allows or denies application launch in accordance with speci ed
Control Applications Launch Control rules.
36
It is implemented in the Applications Launch Control task.

Device DevCtrl This component tracks attempts to connect external devices to a

Control protected device and allows or denies use of these devices according
to the speci ed device control rules.
The component is implemented in the Device Control task.

Anti-Virus AVProtection This component provides anti-virus protection and contains the
protection following components:
On-Demand Scan

Real-Time File Protection

Network Threat Protection

Network IDS This component scans inbound network tra ic for activity that is
Threat typical of network attacks. Upon detecting an attempted network
Protection attack that targets your computer, Kaspersky Embedded Systems
Security blocks network activity from the attacking computer.

On-Demand Ods This component installs Kaspersky Embedded Systems Security system
Scan les and provides On-Demand scan tasks (scanning of objects on the
protected device upon request).

Real-Time Oas This component performs virus scans of les on the protected device
File when these les are accessed.
Protection
It implements the Real-Time File Protection task.

Kaspersky Ksn This component provides protection based on Kaspersky cloud

Security technologies.
Network
It implements the KSN Usage task (sending requests to and receiving
Usage
conclusions from the Kaspersky Security Network service).

File Integrity Fim This component logs operations performed on les in the speci ed
Monitor monitoring scope.
The component implements the File Integrity Monitor task.

Registry RegMonitor This component is designed to track actions performed with the
Access speci ed registry branches and keys in the monitoring scopes de ned
Monitor in the task settings. You can use the task to detect the changes
indicating a security breach on the protected device.

The component implements the Registry Access Monitor task.

Exploit AntiExploit This component makes it possible to manage settings to protect

Prevention memory used by processes in a device's memory.

Firewall Firewall This component makes it possible to manage Windows Firewall through
Management the Kaspersky Embedded Systems Security graphical user interface.
The component implements the Firewall Management task.

Module for AKIntegration This component provides a connection between the Kaspersky
integration Embedded Systems Security and the Kaspersky Security Center
with Network Agent.
Kaspersky
You can install this component on the protected device if you intend to
Security
manage the application via the Kaspersky Security Center.
Center
Network
Agent

37
Log LogInspector This component monitors the integrity of the protected environment
Inspection based on the results of an inspection of Windows event logs.

Set of PerfMonCounters This component installs a set of System Monitor performance

"System counters. Performance counters enable Kaspersky Embedded Systems
Monitor" Security performance to be measured and potential bottlenecks to be
performance located on the protected device when Kaspersky Embedded Systems
counters Security is used with other programs.

SNMP SnmpSupport This component publishes Kaspersky Embedded Systems Security

counters counters and traps via Simple Network Management Protocol (SNMP)
and traps on Microsoft Windows. This component may be installed on the
protected device only if Microsoft SNMP service is installed on the
same protected device.

Kaspersky TrayApp This component displays the Kaspersky Embedded Systems Security
Embedded icon in the task tray noti cation area of the protected device. The
Systems Kaspersky Embedded Systems Security icon displays the status of
Security device protection and can be used to open the Kaspersky Embedded
icon in the Systems Security Console in Microsoft Management Console (if
noti cation installed) and the About the application window.
area

"Administration tools" software component

The following table contains the code and the description of the "Administration tools" software component.

Description of the "Administration tools" software component

Component Code Component functions

Kaspersky MmcSnapin This component installs the Microsoft Management Console snap-in to
Embedded manage the application via the Kaspersky Embedded Systems Security
Systems Security Console.
snap-in
If other components are speci ed during installation of "Administration
Tools" from the command line, and the MmcSnapin component is not
speci ed, the component will be installed automatically.

System changes after Kaspersky Embedded Systems Security installation

When Kaspersky Embedded Systems Security and the set of "Administration Tools" (including the Application
Console) are installed together, the Windows Installer service will make the following modi cations on the
protected device:

Kaspersky Embedded Systems Security folders are created on the protected device and on the protected
device where the Application Console is installed.

Kaspersky Embedded Systems Security services are registered.

Kaspersky Embedded Systems Security user group is created.

Kaspersky Embedded Systems Security keys are registered in the system registry.

These changes are described below.

38
Kaspersky Embedded Systems Security folders on a protected device

When Kaspersky Embedded Systems Security is installed, the following folders are created on a protected device:

Kaspersky Embedded Systems Security default installation folder containing the Kaspersky Embedded
Systems Security executable les depend on the operating system bit set. Therefore, the default installation
folders are as follows:

On the 32-bit version of Microsoft Windows: %ProgramFiles%\Kaspersky Lab\Kaspersky Embedded

Systems Security

On the 64-bit version of Microsoft Windows: %ProgramFiles(x86)%\Kaspersky Lab\Kaspersky Embedded

Systems Security

Management Information Base (MIB) les containing a description of the counters and hooks published by
Kaspersky Embedded Systems Security via the SNMP protocol:

%Kaspersky Embedded Systems Security%\mibs

64-bit versions of Kaspersky Embedded Systems Security executable les (this folder will be created only
during installation of Kaspersky Embedded Systems Security on the 64-bit version of Microsoft Windows):

%Kaspersky Embedded Systems Security%\x64

Kaspersky Embedded Systems Security service les:

%ProgramData%\Kaspersky Lab\Kaspersky Embedded Systems Security\3.1\Data

%ProgramData%\Kaspersky Lab\Kaspersky Embedded Systems Security\3.1\Settings

%ProgramData%\Kaspersky Lab\Kaspersky Embedded Systems Security\3.1\Dskm

For Windows XP the path to the Kaspersky Lab folder is %ALLUSERSPROFILE%\Application Data

Files with settings for update sources:

%ProgramData%\Kaspersky Lab\Kaspersky Embedded Systems Security\3.1\Update
%ProgramData%\Kaspersky Lab\Kaspersky Embedded Systems Security\3.1\Update

Updates of databases and software modules downloaded using the Copying Updates task (the folder will be
created the rst time updates are downloaded using the Copying Updates task).
%ProgramData%\Kaspersky Lab\Kaspersky Embedded Systems Security\3.1\Update\Distribution

Task logs and system audit log.

%ProgramData%\Kaspersky Lab\Kaspersky Embedded Systems Security\3.1\Reports

Set of databases currently in use.

%ProgramData%\Kaspersky Lab\Kaspersky Embedded Systems Security\3.1\Bases\Current

Backup copies of databases; they are overwritten each time the databases are updated.
%ProgramData%\Kaspersky Lab\Kaspersky Embedded Systems Security\3.1\Bases\Backup

Temporary les created during execution of update tasks.

39
%ProgramData%\Kaspersky Lab\Kaspersky Embedded Systems Security\3.1\Bases\Temp

Quarantined objects (default folder).

%ProgramData%\Kaspersky Lab\Kaspersky Embedded Systems Security\3.1\Quarantine

Objects in backup (default folder).

%ProgramData%\Kaspersky Lab\Kaspersky Embedded Systems Security\3.1\Backup

Objects restored from backup and quarantine (default folder for restored objects).
%ProgramData%\Kaspersky Lab\Kaspersky Embedded Systems Security\3.1\Restored

Folder created during installation of Application Console

The Application Console default installation folders containing the "Administration Tools" les depend on the
operating system bit set. Therefore, the default installation folders are as follows:

On the 32-bit version of Microsoft Windows: %ProgramFiles%\Kaspersky Lab\Kaspersky Embedded Systems

Security Admins Tools

On the 64-bit version of Microsoft Windows: %ProgramFiles(x86)%\Kaspersky Lab\Kaspersky Embedded

Systems Security Admins Tools

Kaspersky Embedded Systems Security services

The following Kaspersky Embedded Systems Security services start using the local system (SYSTEM) account:

Kaspersky Security Service (KAVFS) – essential Kaspersky Embedded Systems Security service that manages
Kaspersky Embedded Systems Security tasks and work ows.

Kaspersky Security Management Service (KAVFSGT) – this service is intended for Kaspersky Embedded
Systems Security application management through the Application Console.

Kaspersky Security Exploit Prevention Service (KAVFSSLP)– a service that acts as an intermediary to
communicate security settings to external security agents, and to receive data about security events.

Kaspersky Embedded Systems Security group

ESS Administrators is a group on the protected device, which users have full access to the Kaspersky Security
Management Service and to all Kaspersky Embedded Systems Security functions.

System registry keys

When Kaspersky Embedded Systems Security is installed, the following system registry keys are created:

Properties of the Kaspersky Embedded Systems Security:

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\KAVFS]

Kaspersky Embedded Systems Security event log settings (Kaspersky Event Log):
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Eventlog\Kaspersky Security]

40
Properties of the Kaspersky Embedded Systems Security management service:
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\KAVFSGT]

Performance counter settings:

On the 32-bit version of Microsoft Windows:

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Kaspersky Security\Performance]

On the 64-bit version of Microsoft Windows:

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Kaspersky Security x64\Performance]

SNMP Protocol Support component settings:

On the 32-bit version of Microsoft Windows:

[HKEY_LOCAL_MACHINE\SOFTWARE\KasperskyLab\ESS\3.1\SnmpAgent]

On the 64-bit version of Microsoft Windows:

[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\KasperskyLab\ESS\3.1\SnmpAgent]

Dump le settings:

On the 32-bit version of Microsoft Windows:

[HKEY_LOCAL_MACHINE\SOFTWARE\KasperskyLab\ESS\3.1\CrashDump]

On the 64-bit version of Microsoft Windows:

[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\KasperskyLab\ESS\3.1\CrashDump]

Trace le settings:

On the 32-bit version of Microsoft Windows:

[HKEY_LOCAL_MACHINE\SOFTWARE\KasperskyLab\ESS\3.1\Trace]

On the 64-bit version of Microsoft Windows:

[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\KasperskyLab\ESS\3.1\Trace]

Con guration of the application's tasks and functions:

[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\KasperskyLab\ESS\3.1\Environment]

Kaspersky Embedded Systems Security processes

Kaspersky Embedded Systems Security starts processes described in the table below.

Kaspersky Embedded Systems Security processes

File name Purpose

kavfswp.exe Kaspersky Embedded Systems Security work ow

kavtray.exe Process for the System Tray Icon

kavfsmui.exe Process for the Compact Diagnostic Interface component

kavshell.exe Command line utility process

kavfsrcn.exe Kaspersky Embedded Systems Security remote management process

kavfs.exe Kaspersky Security Service process

41
kavfsgt.exe Kaspersky Security Management Service process

kavfswh.exe Kaspersky Security Exploit Prevention Service process

Installation and uninstallation settings and command line options for the
Windows Installer service
This section contains descriptions of the settings for installing and uninstalling Kaspersky Embedded Systems
Security, their default values, keys for changing the installation settings, and their possible values. These keys can
be used in conjunction with standard keys for the Windows Installer service's msiexec command when installing
Kaspersky Embedded Systems Security from the command line.

Installation settings and command line options in Windows Installer

Acceptance of the terms of the End User License Agreement: you must accept the terms to install Kaspersky
Embedded Systems Security.
The possible values for EULA=<value> command line option are as follows:

0 – you reject the terms of the End User License Agreement (default value).

1 – you accept the terms of the End User License Agreement.

Acceptance of the terms of the Privacy Policy: you must accept the terms to install Kaspersky Embedded
Systems Security.
The possible values for PRIVACYPOLICY=<value> command line option are as follows:

0 – you reject the terms of the Privacy Policy (default value).

1 – you accept the terms of the Privacy Policy.

Allow installation of Kaspersky Embedded Systems Security if the KB4528760 update not installed. For detailed
information about the KB4528760 update please visit Microsoft website .
The possible values for SKIPCVEWINDOWS10=<value> command line option are as follows:

0 – cancel the installation of Kaspersky Embedded Systems Security if the KB4528760 update is not
installed (default value).

1 – allow the installation of Kaspersky Embedded Systems Security if the KB4528760 update is not installed.

The KB4528760 update xes the CVE-2020-0601 security vulnerability. For detailed information about the
CVE-2020-0601 security vulnerability please visit the Microsoft website .

Installation of Kaspersky Embedded Systems Security with a preliminary scan of active processes and the boot
sectors of local disks.
The possible values for PRESCAN=<value> command line option are as follows:

0 – do not perform a preliminary scan of active processes and the boot sectors of local disks during the
installation (default value).

42
1 – perform a preliminary scan of active processes and the boot sectors of local disks during the
installation.

Destination folder where Kaspersky Embedded Systems Security les will be saved during installation. A
di erent folder can be speci ed.
The default values for INSTALLDIR=<full path to the folder> command line option are as follows:

Kaspersky Embedded Systems Security: %ProgramFiles%\Kaspersky Lab\Kaspersky Embedded Systems

Security

Administration tools: %ProgramFiles%\Kaspersky Lab\Kaspersky Embedded Systems Security Admins

Tools

On the x64-bit version of Microsoft Windows: %ProgramFiles(x86)%

The Real-Time File Protection task starts immediately after Kaspersky Embedded Systems Security starts.
Turn on this setting to start Real-Time File Protection when Kaspersky Embedded Systems Security starts
(recommended).
The possible values for RUNRTP=<value> command line option are as follows:

1 – start (default value).

0 – do not start.

Protection exclusions recommended by Microsoft Corporation. In the Real-Time File Protection task exclude
from the protection scope objects on the device that Microsoft Corporation recommends to exclude. Some
applications on the protected device may become unstable when an anti-virus application intercepts or
modi es the les they use. For example, Microsoft Corporation includes some domain controller applications in
the list of such objects.
The possible values for ADDMSEXCLUSION=<value> command line option are as follows:

1 – exclude (default value).

0 – do not exclude.

Objects excluded from the protection scope according to Kaspersky recommendations. In the Real-Time File
Protection task exclude from the protection scope objects on the device that Kaspersky recommends to
exclude.
The possible values for ADDKLEXCLUSION=<value> command line option are as follows:

1 – exclude (default value).

0 – do not exclude.

Allow remote connection to the Application Console. By default, remote connection is not allowed to the
Application Console installed on the protected device. During the installation, you can allow connection.
Kaspersky Embedded Systems Security creates allowing rules for the process kavfsgt.exe using the TCP
protocol for all ports.
The possible values for ALLOWREMOTECON=<value> command line option are as follows:

1 – allow.

0 – deny (default value).

Path to the key le (LICENSEKEYPATH

43
)

. By default, the Windows Installer attempts to nd the le with .key extension in the \product folder of the
distribution kit. If the \product folder contains several key les, the Windows Installer will select the key le that
has the farthest expiration date. A key le can be saved beforehand in the \product folder or by specifying
another path to the key le using the Add key setting. You can add a key after Kaspersky Embedded Systems
Security is installed using an administrative tool of your choice: for example, the Application Console. If you do
not add a key during installation of the application, Kaspersky Embedded Systems Security will not function.

Path to the con guration le. Kaspersky Embedded Systems Security imports settings from the speci ed
con guration le created in the application. Kaspersky Embedded Systems Security does not import
passwords from the con guration le, for example, account passwords for starting tasks, or passwords for
connecting to a proxy server. Once the settings are imported, you will have to enter all passwords manually. If
the con guration le is not speci ed, the application will start to work with the default settings after setup.
The default value for CONFIGPATH=<configuration file name> is not speci ed.

Enabling network connections for the Application Console option is used to install Kaspersky Embedded
Systems Security Console on another device. You can remotely manage device protection from another device
with the Kaspersky Embedded Systems Security Console installed. Port 135 (TCP) is opened in Microsoft
Windows Firewall, network connections are allowed for the executable le kavfsrcn.exe for remote management
of Kaspersky Embedded Systems Security, and access is granted to DCOM applications. When installation is
complete, add users to the ESS Administrators group to let them remotely manage the application, and allow
network connections to the Kaspersky Security Management Service (kavfsgt.exe le) on the protected
device. You can read more about additional con guration when the Kaspersky Embedded Systems Security
Console is installed on another device.
The possible values for ADDWFEXCLUSION=<value> command line option are as follows:

1 – allow.

0 – deny (default value).

Disabling the check for incompatible software. Use this setting to enable or disable the check for incompatible
software during background installation of the application on the protected device.Regardless of the value of
this setting, during installation of Kaspersky Embedded Systems Security, the application always warns about
other versions of the application installed on the protected device.
The possible values for SKIPINCOMPATIBLESW=<value> command line option are as follows:

0 – The check for incompatible software is performed (default value).

1 – The check for incompatible software is not performed.

Uninstallation settings and command line options in Windows Installer

Restoring quarantined objects.

The possible values for RESTOREQTN=<value> command line option are as follows:

0 – Remove quarantined content (default value).

1 – Restore quarantined content to the folder speci ed by the RESTOREPATH parameter into the
\Quarantine subfolder.

Restoring the content of backup.

The possible values for RESTOREBCK=<value> command line option are as follows:

44
0 – Remove backup content (default value).

1 – Restore backup contents to the folder speci ed by the RESTOREPATH parameter into the \Backup
subfolder.

Enter the current password to con rm the uninstallation (if password protection is enabled).
The default value for UNLOCK_PASSWORD=<specified password> is not speci ed.

Folder for restored objects. Restored objects will be saved to the speci ed folder.
The default value for RESTOREPATH=<full path to the folder> command line option is
%ALLUSERSPROFILE%\Application Data\Kaspersky Lab\Kaspersky Embedded Systems
Security\3.1\Restored

Kaspersky Embedded Systems Security install and uninstall logs

If Kaspersky Embedded Systems Security is installed or uninstalled using the Installation (Uninstallation) Wizard, the
Windows Installer service creates an install (uninstall) log. A log le named ess_v3.1_install_<uid>.log (where <uid> is
a unique 8-character log identi er) will be saved in the %temp% folder for the user whose account was used to
start the setup.exe le.

If you run the Modify or Remove option for the Application Console or Kaspersky Embedded Systems Security
from the Start menu, a log le named ess_3.1_maintenance.log is automatically created in the %temp% folder.

If Kaspersky Embedded Systems Security is installed or uninstalled from the command line, the install log le will
not be created by default.

To install Kaspersky Embedded Systems Security and create a log le on disk C:\:

msiexec /i ess_x86.msi /l*v C:\ess.log /qn EULA=1 PRIVACYPOLICY=1

msiexec /i ess_x64.msi /l*v C:\ess.log /qn EULA=1 PRIVACYPOLICY=1

Installation planning
This section describes the set of Kaspersky Embedded Systems Security administration tools, and special aspects
of installing and uninstalling Kaspersky Embedded Systems Security using a wizard, command line, using Kaspersky
Security Center and via an Active Directory group policy.

Before starting installation of Kaspersky Embedded Systems Security, plan the main stages of the installation.

1. Determine which administration tools will be used to manage and con gure Kaspersky Embedded Systems
Security.

2. Select the necessary application components for installation.

3. Select the installation method.

Selecting administration tools

45
Determine the administration tools that will be used to con gure Kaspersky Embedded Systems Security settings
and to manage the application. Kaspersky Embedded Systems Security can be managed using the Application
Console, command-line utility, and Kaspersky Security Center Administration Console.

Kaspersky Embedded Systems Security Console

Kaspersky Embedded Systems Security Console is a standalone snap-in added to the Microsoft Management
Console. Kaspersky Embedded Systems Security can be managed via the Application Console installed on the
protected device or on another device on the corporate network.

Multiple Kaspersky Embedded Systems Security snap-ins can be added to one Microsoft Management Console
opened in author mode to use it to manage the protection of multiple device with Kaspersky Embedded Systems
Security installed.

The Application Console is included in the set of "Administration Tools" application components.

Command line utility

You can manage Kaspersky Embedded Systems Security from the command line of a protected device.

The command line utility is included in the Kaspersky Embedded Systems Security software components group.

Kaspersky Security Center

If Kaspersky Security Center is used for centralized management of anti-virus protection of devices at your
company, you can manage Kaspersky Embedded Systems Security via the Kaspersky Security Center
Administration Console.

The following components must be installed:

Module for integration with Kaspersky Security Center Network Agent. This component is included in the
Kaspersky Embedded Systems Security software components group. It allows Kaspersky Embedded Systems
Security to communicate with the Network Agent. Install the module for integration with Kaspersky Security
Center Network Agent on the protected device.

Kaspersky Security Center Network Agent. Install this component on each protected device. This
component supports interaction between Kaspersky Embedded Systems Security installed on the protected
device and Kaspersky Security Center Administration Console. The Network Agent installation le is included in
the Kaspersky Security Center distribution kit folder.

Kaspersky Embedded Systems Security 3.1 Administration Plug-in. Additionally, install the Administration
Plug-in for managing Kaspersky Embedded Systems Security via the Administration Console on the protected
device where the Kaspersky Security Center Administration Server is installed. This provides the interface for
application management via Kaspersky Security Center. The Administration Plug-in installation le,
\product\klcfginst.exe, is included in the Kaspersky Embedded Systems Security distribution kit.

Selecting the installation type

After specifying the software components for installation of Kaspersky Embedded Systems Security, you need to
select the application installation method.

46
Select the installation method depending on the network architecture and the following conditions:

Whether you need special Kaspersky Embedded Systems Security installation settings, or the recommended
installation settings.

Whether the installation settings will be the same for all protected devices or speci c to each protected
device.

Kaspersky Embedded Systems Security can be installed interactively using the Setup Wizard or in silent mode
without user involvement, and can be invoked by running the installation package le with installation settings from
the command line. A centralized remote installation of Kaspersky Embedded Systems Security can be performed
using Active Directory group policies or using the Kaspersky Security Center remote installation task.

Kaspersky Embedded Systems Security can be installed and con gured on a single protected device with its
settings saved to a con guration le; the le can then be used to install Kaspersky Embedded Systems Security on
other protected devices. Note that this ability does not exist when the application is installed using Active
Directory group policies.

Starting the Setup Wizard

The Setup Wizard can install the following:

Kaspersky Embedded Systems Security components on a protected device out of a \product\setup.exe le

included in the distribution kit.

Kaspersky Embedded Systems Security Console from the \console\setup.exe le in the distribution kit on the
protected device or another LAN host.

Running the installation package le from the command line with the necessary installation
settings

If the installation package le is started without command-line options, Kaspersky Embedded Systems Security will
be installed with the default settings. Kaspersky Embedded Systems Security options can be used to modify the
installation settings.

The Application Console can be installed on the protected device and / or administrator's workstation.

You can also use sample commands for the installation of Kaspersky Embedded Systems Security and the
Application Console.

Centralized installation via Kaspersky Security Center

If Kaspersky Security Center is used in your network for managing networked devices' anti-virus protection,
Kaspersky Embedded Systems Security can be installed on multiple devices by using the remote installation task.

The protected devices on which you want to install Kaspersky Embedded Systems Security using Kaspersky
Security Center may be in the same domain as Kaspersky Security Center in a di erent domain, or in no domain at
all.

Centralized installation using Active Directory group policies

47
Active Directory group policies can be used to install Kaspersky Embedded Systems Security on the protected
device. The Application Console can be installed on the protected device or administrator's workstation.

Kaspersky Embedded Systems Security can be installed using just the recommended installation settings.

The protected devices on which Kaspersky Embedded Systems Security is installed using Active Directory group
policies must be located in the same domain and the same organizational unit. Installation is performed at
protected device start before logging in to Microsoft Windows.

Installing and uninstalling the application using a wizard

This section describes the installation and uninstallation of Kaspersky Embedded Systems Security and the
Application Console by means of the Setup Wizard, and contains information about additional con guration of
Kaspersky Embedded Systems Security and actions to be performed upon installation.

Installing using the Setup Wizard

The following sections contain information about installation of Kaspersky Embedded Systems Security and the
Application Console.

To install and proceed to use Kaspersky Embedded Systems Security:

1. Install Kaspersky Embedded Systems Security on a protected device.

2. Install the Application Console on the devices from which you intend to manage Kaspersky Embedded Systems
Security.

3. If the Application Console has been installed on any device in the network, other than protected device,
perform the additional con guration to allow Application Console users to manage Kaspersky Embedded
Systems Security remotely.

4. Perform actions after installation of Kaspersky Embedded Systems Security.

Kaspersky Embedded Systems Security installation

Before installing Kaspersky Embedded Systems Security, do the following:

1. Make sure no other anti-virus programs are installed on the protected device.

2. Make sure that the account which you are using to start the Setup Wizard belongs to the administrators group
on the protected device.

After completing the actions described above, proceed with the installation procedure. Following the Setup
Wizard instructions, specify the installation settings for Kaspersky Embedded Systems Security. The Kaspersky
Embedded Systems Security installation process can be stopped at any step of the Setup Wizard. To do so, click
the Cancel button in the Setup Wizard's window.

You can read more about the installation (uninstallation) settings.

To install Kaspersky Embedded Systems Security using the Setup Wizard:

48
1. Start the setup.exe le on the protected device.

2. In the window that opens, in the Installation section, click the Protect computer with Default Deny technology
or Protect computer with Anti-Virus Bases link.

If the Protect computer with Anti-Virus Bases con guration is selected, all Kaspersky Embedded Systems
Security components are included by default except the Firewall Management and Performance Counters
components.
When you install the Protect computer with Anti-Virus Bases con guration of Kaspersky Embedded
Systems Security over the application version that does not use signature analysis and anti-virus
databases to protect your computer, the set of application components will be automatically expanded by
adding the following components:
Real-Time File Protection

On-Demand Scan

Network Threat Protection

The components enabling updates are not included in the Protect computer with Default Deny
technology con guration.

If the Protect computer with Default Deny technology con guration is selected, the following components
are included by default:
Core

Exploit Prevention

Application Launch Control

System Tray Icon

When you install the Protect computer with Default Deny technology con guration of Kaspersky
Embedded Systems Security over the application version that uses signature analysis and anti-virus
databases to protect your computer, the set of application components will be automatically reduced by
removing the following components:
Real-Time File Protection

On-Demand Scan

the components enabling updates

This con guration is recommended for protecting systems with limited resources. In this case, you can
activate the application for a long term, and the Applications Launch Control component provides
computer protection.

3. In the welcome screen of the Kaspersky Embedded Systems Security Setup Wizard, click the Next button.
The End User License Agreement and Privacy Policy window opens.

4. Review the terms of the License Agreement and Privacy Policy.

5. If you agree to the terms and conditions of End User License Agreement and Privacy Policy, select the I con rm
that I have fully read, understood, and accept the terms and conditions of this End User License
49
Agreement and I am aware and agree that my data will be handled and transmitted (including to third
countries) as described in the Privacy Policy. I con rm that I have fully read and understand the Privacy
Policy check boxes in order to proceed with the installation.

If you do not accept the End User License Agreement and/or Privacy Policy the installation will be aborted.

6. Click the Next button.

The Custom installation window opens.

7. Select the components to be installed.

The SNMP Protocol Support component of Kaspersky Embedded Systems Security will only appear in the
list of components suggested for installation if the Microsoft Windows SNMP service is installed on the
protected device.

8. To cancel all changes, click the Reset button in the Custom installation window. Click the Next button.

9. In the Select a destination folder window:

If required, specify a folder to which Kaspersky Embedded Systems Security les will be copied.

If required, review the information about available space on local drives by clicking the Disk button.

Click the Next button.

10. In the Advanced installation settings window, con gure the following installation settings:

Enable real-time protection after installation of application.

Add Microsoft recommended les to exclusions list.

Add Kaspersky recommended les to exclusions list.

Click the Next button.

11. In the Import settings from con guration le window:

a. Specify the con guration le to import Kaspersky Embedded Systems Security settings from an existing
con guration le created in any compatible previous version of the application.

b. Click the Next button.

12. In the Activation of the application window, do one of the following:

If you want to activate the application, specify a Kaspersky Embedded Systems Security key le for
application activation.

If you want to activate the application later, click the Next button.

If a key le was previously saved in the \product folder of the distribution kit, the name of this le will be
displayed in the Key eld.

50
To add a key using a key le stored in another folder, specify the key le.

Once the key le is added, license information will be shown in the window. Kaspersky Embedded Systems
Security displays the license's calculated expiration date. The license term runs from the time when you add
a key and expires no later than the expiration date of the key le.
Click the Next button to apply the key le in the application.

13. In the Ready to install window, click the Install button. The wizard will start the installation of Kaspersky
Embedded Systems Security components.

14. The Installation complete window opens when installation is complete.

15. Select the View Release Notes check box to view information about the release after the Setup Wizard is
done.

16. Click Finish.

The Setup Wizard closes. Once installation is complete, Kaspersky Embedded Systems Security is ready to use
if you have added an activation key.

Kaspersky Embedded Systems Security Console installation

Follow the instructions of the Setup Wizard to con gure installation settings for the Application Console. The
installation process can be stopped at any step of the wizard. To do so, click the Cancel button in the Setup
Wizard window.

To install the Application Console:

1. Make sure that the account you use to run the Setup Wizard belongs to the administrators group on the
device.

2. Run the setup.exe le on the protected device.

The welcome window opens.

3. Click on the Install Kaspersky Embedded Systems Security Console link.

The Setup Wizard's welcome window opens.

4. Click the Next button.

5. In the window that opens, review the terms of the End User License Agreement and Privacy Policy, and select
the check boxes under the I con rm that I have fully read, understood, and accept the terms and conditions
of this End User License Agreement caption in order to proceed with the installation.

6. Click the Next button.

The Advanced installation settings window opens.

7. In the Advanced installation settings window:

If you intend to use the Application Console to manage Kaspersky Embedded Systems Security installed on
a remote device, select the Allow remote access check box.

To open the Custom installation window and select components:

51
a. Click the Advanced button.
The Custom installation window opens.

b. Select the "Administration Tools" components from the list.

By default, all the components are installed.

c. Click the Next button.

You can nd more detailed information about Kaspersky Embedded Systems Security components.

8. In the Select a destination folder window:

a. If required, specify a di erent folder to which the les being installed should be saved.

b. Click the Next button.

9. In the Ready to install window, click the Install button.

The wizard will begin installing the selected components.

10. Click Finish.

The Setup Wizard closes. The Application Console will be installed on the protected device.

If the "Administration tools" set has been installed on any device in the network other than protected device,
con gure the advanced settings.

Advanced settings after installation of the Application Console on another

device
If the Application Console has been installed on any device in the network, other than a protected device, perform
the following actions to allow users to manage Kaspersky Embedded Systems Security remotely:

Add Kaspersky Embedded Systems Security users to the ESS Administrators group on the protected device.

Allow network connections for the Kaspersky Security Management Service (kavfsgt.exe), if the protected
device uses Windows Firewall or a third-party rewall.

If the Allow remote access check box is not selected during installation of the Application Console on a device
running Microsoft Windows, manually allow network connections for the Application Console via the device's
rewall.

The Application Console on the remote device uses the DCOM protocol to receive information about Kaspersky
Embedded Systems Security events (such as objects scanned, tasks completed, etc.) from the Kaspersky Security
Management Service on the protected device. You need to allow network connections for the Application Console
in the Windows Firewall settings in order to establish connections between the Application Console and the
Kaspersky Security Management Service.

On the remote device, where the Application Console is installed, do the following:

Make sure that anonymous remote access to COM applications is allowed (but not remote start and activation
of COM applications).

52
In Windows Firewall, open TCP port 135 and allow network connections for kavfsrcn.exe, the executable le of
the Kaspersky Embedded Systems Security remote management process.
The device where the Application Console is installed uses TCP port 135 to access the protected device and to
receive a response.

Con gure an outbound rule for Windows Firewall to allow the connection.
Unlike the traditional TCP/IP and UDP/IP services where a single protocol has a xed port, DCOM dynamically
assigns ports to remote COM objects. If a rewall exists between the client (where the Application Console is
installed) and the DCOM endpoint (the protected device), a large range of ports must be opened.

The same steps should be applied to con gure any other software or hardware rewall.

If the Application Console is open while you con gure the connection between the protected device and the
device on which the Application Console is installed:

1. Close the Application Console.

2. Wait until the Kaspersky Embedded Systems Security remote management process kavfsrcn.exe is nished.

3. Restart the Application Console.

The new connection settings will be applied.

Allowing anonymous remote access to COM applications

The names of settings may vary depending on the installed Windows operating system.

To allow anonymous remote access to COM applications:

1. On the remote device with the Kaspersky Embedded Systems Security Console installed, open the Component
Services console.

2. Select Start → Run.

3. Enter the command dcomcnfg.

4. Click OK.

5. Expand the Computers node in the Component Services console on your protected device.

6. Open the context menu on the My Computer node.

7. Select Properties.

8. On the COM Security tab of the Properties window, click the Edit Limits button in the Access permissions
settings group.

9. Make sure that the Allow Remote Access check box is selected for the ANONYMOUS LOGON user in the
Allow Remote Access window.

10. Click OK.

53
Allowing network connections for the Kaspersky Embedded Systems Security remote
management process

The names of settings may vary depending on the installed Windows operating system.

To open TCP port 135 in Windows Firewall and to allow network connections for the Kaspersky Embedded Systems
Security remote management process:

1. Close the Kaspersky Embedded Systems Security Console on the remote device.

2. Perform one of the following steps:

On Microsoft Windows XP SP2 or later:

a. Select Start > Windows Firewall.

b. In the Windows Firewall window (or Windows Firewall settings), click the Add port button on the
Exclusions tab.

c. In the Name eld, specify the port name RPC (TCP/135) or enter another name, for example Kaspersky
Embedded Systems Security DCOM, and specify the port number (135) in the Port name eld.

d. Select the TCP protocol.

e. Click OK.

f. Click the Add button on the Exclusions tab.

On Microsoft Windows 7 or later:

a. Select Start > Control Panel > Windows Firewall.

b. In the Windows Firewall window, select Allow a program or feature through Windows Firewall.

c. In the Allow programs to communicate through Windows Firewall window click the Allow another
program button.

3. Specify the kavfsrcn.exe le in the Add Program window. It is located in the destination folder speci ed during
installation of Kaspersky Embedded Systems Security Console using Microsoft Management Console.

4. Click OK.

5. Click the OK button in the Windows Firewall (Windows Firewall settings) window.

Adding outbound rule for Windows Firewall

The names of settings may vary depending on the installed Windows operating system.

54
To add the outbound rule for Windows Firewall:

1. Select Start > Control Panel > Windows Firewall.

2. In the Windows Firewall window, click the Advanced settings link.

The Windows Firewall with Advanced Security window opens.

3. Select the Outbound Rules child node.

4. Click on the New Rule option in the Actions pane.

5. In the New Outbound Rule Wizard window that opens, select the Port option and click Next.

6. Select the TCP protocol.

7. In the Speci c remote ports eld specify the following ports range for allowing outgoing connections: 1024-
65535.

8. In the Action window, select the Allow the connection option.

9. Save the new rule and close the Windows Firewall with Advanced Security window.

The Windows Firewall will now allow network connections between the Application Console and Kaspersky
Security Management Service.

Actions to perform after Kaspersky Embedded Systems Security

installation
Kaspersky Embedded Systems Security starts protection and scan tasks immediately after installation if you have
activated the application. If Enable real-time protection after installation of application (default option) is
selected during installation of Kaspersky Embedded Systems Security, the application scans the device's le
system objects when they are accessed. Kaspersky Embedded Systems Security will run the Critical Areas Scan
task every Friday at 8:00 PM.

We recommend taking the following steps after installing Kaspersky Embedded Systems Security:

Start the application database update task. After installation Kaspersky Embedded Systems Security will scan
objects using the database included in the application distribution kit.

We recommend updating Kaspersky Embedded Systems Security databases immediately since they may
be out of date.

The application will then update the databases every hour according to the default schedule con gured in the
task.

Run a Critical Areas Scan on the device if no anti-virus software with real-time le protection was installed on
the device before installation of Kaspersky Embedded Systems Security.

Con gure administrator noti cations about Kaspersky Embedded Systems Security events.

55
Starting and con guring Kaspersky Embedded Systems Security Database Update task
To update the application database after installation:

1. In the Database Update task settings, con gure a connection to an update source – Kaspersky HTTP or FTP
update servers.

2. Start the Database Update task.

Web Proxy Auto-Discovery Protocol (WPAD) may not be con gured on your network to detect proxy server
settings automatically in the LAN. At that, your network may require authentication when accessing the proxy
server.

To specify the optional proxy server settings and authentication settings for accessing the proxy server:

1. Open the context menu of the Kaspersky Embedded Systems Security node.

2. Select the Properties item.

The Application settings window opens.

3. Select the Connection settings tab.

4. In the Proxy server settings section, select the Use the speci ed proxy server check box.

5. Enter the proxy server address in the Address eld, and enter the port number for the proxy server in the Port
eld.

6. In the Proxy server authentication settings section, select the necessary authentication method in the drop-
down list:

Use NTLM authentication, if the proxy server supports the built-in Microsoft Windows NTLM
authentication. Kaspersky Embedded Systems Security will use the user account speci ed in the task
settings to access the proxy server (by default the task will run under the local system (SYSTEM) user
account).

Use NTLM authentication with user name and password, if the proxy server supports the built-in
Microsoft Windows NTLM authentication. Kaspersky Embedded Systems Security will use the speci ed
account to access the proxy server. Enter a user name and password or select a user from the list.

Apply user name and password, to select basic authentication. Enter a user name and password or select a
user from the list.

7. Click OK in the Application settings window.

To con gure the connection to Kaspersky's update servers, in the Database Update task:

1. Start Application Console in one of the following ways:

Open the Application Console on the protected device. To do this, select Start > All Programs > Kaspersky
Embedded Systems Security > Administration Tools > Kaspersky Embedded Systems Security 3.1
Console.

56
If the Application Console has been started on a device other than the protected one, connect to the
device:

a. Open the context menu of the Kaspersky Embedded Systems Security node in the Application
Console tree.

b. Select the Connect to another computer item.

c. In the Select protected device window, select Another device and in the text eld indicate the network
name of the protected device.

If the account you used to sign in to Microsoft Windows does not have access permissions for the
Kaspersky Security Management Service, indicate an account with the required permissions.

The Application Console window opens.

2. In the Application Console tree, expand the Update node.

3. Select the Database Update child node.

4. Click the Properties link in the results pane.

5. In the Task settings window that opens, open the Connection settings tab.

6. Select Use proxy server settings to connect to Kaspersky update servers.

7. Click OK in the Task settings window.

The settings for connecting to the update source in the Database Update task will be saved.

To run the Database Update task:

1. In the Application Console tree, expand the Update node.

2. In the context menu on the Database Update child node, select the Start item.

The Database Update task starts.

After the task has successfully completed, you can view the release date of the latest database updates
installed in the results pane of the Kaspersky Embedded Systems Security node.

Critical Areas Scan

After you have updated the Kaspersky Embedded Systems Security databases, scan the protected device for
malware using the Critical Areas Scan task.

To run the Critical Areas Scan task:

1. Expand the On-Demand Scan node in the Application Console tree.

2. In the context menu of the Critical Areas Scan child node, select the Start command.

The task starts; the Running task status is displayed in the results pane.
57
To view the task log,

in the results pane of the Critical Areas Scan node, click the Open task log link.

Modifying the set of components and repairing Kaspersky Embedded

Systems Security
Kaspersky Embedded Systems Security components can be added or removed. You need to stop the Real-Time
File Protection task before you can remove the Real-Time File Protection component. In other circumstances there
is no need to stop the Real-Time File Protection task or Kaspersky Security Service.

If application management is password protected, Kaspersky Embedded Systems Security requests the
password when you attempt to remove components or modify the set of components in the Setup Wizard.

To modify the set of Kaspersky Embedded Systems Security components:

1. In the Start menu, select All programs > Kaspersky Embedded Systems Security > Modify or Remove
Kaspersky Embedded Systems Security.
The Setup Wizard's Modify, repair or remove installation window opens.

2. Select Modify components set. Click the Next button.

The Custom installation window opens.

3. In the Custom installation window, in the list of available components, select the components that you want to
add or remove from Kaspersky Embedded Systems Security. To do this, perform the following actions:

To change the set of components, click the button next to the name of the selected component. Then in
the context menu, select:

Component will be installed on local hard drive, if you want to install one component;

Component and its subcomponents will be installed on local hard drive, if you want to install a group
of components.

To remove previously installed components, click the button next to the name of the selected component.
Then in the context menu, select Component will be unavailable.

Click the Next button.

4. In the Ready to install window, con rm the change to the set of software components by clicking the Install
button.

5. In the window that opens when installation is complete, click the OK button.

The set of Kaspersky Embedded Systems Security components will be modi ed based on the speci ed
settings.

If problems occur in the operation of Kaspersky Embedded Systems Security (Kaspersky Embedded Systems
Security crashes; tasks crash or do not start), it is possible to attempt to repair Kaspersky Embedded Systems
Security. You can perform a repair while saving the current Kaspersky Embedded Systems Security settings, or you
can select an option to reset all Kaspersky Embedded Systems Security settings to their default values.

58
To repair Kaspersky Embedded Systems Security after the application or a task crashes:

1. In the Start menu, select All programs.

2. Select Kaspersky Embedded Systems Security.

3. Select Modify or Remove Kaspersky Embedded Systems Security.

The Setup Wizard's Modify, repair or remove installation window opens.

4. Select Repair installed components. Click the Next button.

This opens the Repair installed components window.

5. In the Repair installed components window, select the Restore recommended application settings check box
if you want to reset the application settings and restore Kaspersky Embedded Systems Security with its
default settings. Click the Next button.

6. In the Ready to repair window, con rm the repair operation by clicking the Install button.

7. In the window that opens when the repair operation is complete, click the OK button.

Kaspersky Embedded Systems Security will be repaired using the speci ed settings.

Uninstalling using the Setup Wizard

This section contains instructions on removing Kaspersky Embedded Systems Security and the Application
Console from a protected device using the Setup / Uninstallation Wizard.

Kaspersky Embedded Systems Security uninstallation

Dump and trace les are not deleted on uninstalling Kaspersky Embedded Systems Security. You can manually
delete dump and trace les from the folder speci ed during the con guration of dump and trace les writing.

The names of settings may vary under di erent Windows operating systems.

Kaspersky Embedded Systems Security can be uninstalled from the protected device using the Setup /
Uninstallation Wizard.

After uninstalling Kaspersky Embedded Systems Security from a protected device a restart may be required. The
restart can be postponed.

Uninstallation, repair and installation of the application is not available via the Windows Control Panel if the
operating system uses the UAC feature (User Account Control) or access to the application is password
protected.

59
If application management is password protected, Kaspersky Embedded Systems Security requests the
password when you attempt to remove components or modify the set of components in the Setup Wizard.

To uninstall Kaspersky Embedded Systems Security:

1. In the Start menu, select All programs.

2. Select Kaspersky Embedded Systems Security.

3. Select Modify or Remove Kaspersky Embedded Systems Security.

The Setup Wizard's Modify, repair or remove installation window opens.

4. Select Remove software components. Click the Next button.

The Advanced application uninstallation settings window opens.

5. If necessary, in the Advanced application uninstallation settings window:

a. Select the Export quarantine objects check box to make Kaspersky Embedded Systems Security export
objects that have been quarantined. The check box is cleared by default.

b. Check the Export Backup objects check box to export objects from Kaspersky Embedded Systems
Security Backup. The check box is cleared by default.

c. Click the Save to button and select the folder to which you want to export the objects. By default, the
objects will be exported to %ProgramData%\Kaspersky Lab\Kaspersky Embedded Systems
Security\Uninstall.
Click the Next button.

6. In the Ready to uninstall window, con rm the uninstallation by clicking the Uninstall button.

7. In the window that opens when the uninstallation is complete, click the OK button.

Kaspersky Embedded Systems Security will be uninstalled from the protected device.

Kaspersky Embedded Systems Security Console uninstallation

The names of settings may vary under di erent Windows operating systems.

You can uninstall the Application Console from the protected device using the Setup / Uninstallation Wizard.

After uninstalling the Application Console, you do not need to restart the protected device.

To uninstall the Application Console:

1. In the Start menu, select All programs.

2. Select Kaspersky Embedded Systems Security.

3. Select Modify or Remove Kaspersky Embedded Systems Security.

The wizard's Modify, repair or remove installation window opens.

60
4. Select Remove software components and click the Next button.

5. The Ready to uninstall window opens. Click the Uninstall button.

The Uninstallation complete window opens.

6. Click OK.

Uninstallation is now complete, and the Setup Wizard closes.

Installing and uninstalling the application from the command line

This section describes the particulars of installing and uninstalling Kaspersky Embedded Systems Security from
the command line and contains examples of commands to install and uninstall Kaspersky Embedded Systems
Security from the command line, and examples of commands to add and remove Kaspersky Embedded Systems
Security components from the command line.

About installing and uninstalling Kaspersky Embedded Systems Security

from command line

Kaspersky Embedded Systems Security can be installed or uninstalled, and its components added or removed, by
running the \product\ess_x86.msi or \product\ess_x64.msi installation package le from the command line after
the installation settings have been speci ed using keys.

The "Administration Tools" set can be installed on the protected device or on another device on the network to
work with the Application Console locally or remotely. To do this, use the \console\esstools.msi installation
package.

Perform the installation using an account included in the administrators group on the protected device where
the application is installed.

If one of the \product\ess_x86.msi or \product\ess_x64.msi les is run on the protected device without additional
keys, Kaspersky Embedded Systems Security will be installed with the recommended installation settings.

The set of components to be installed can be assigned using the ADDLOCAL command-line option by listing the
codes for the selected components or sets of components.

Example commands for installing Kaspersky Embedded Systems Security

This section provides examples of commands used to install Kaspersky Embedded Systems Security.

61
On protected devices running a 32-bit version of Microsoft Windows, run the les with the x86 su ix in the
distribution kit. On protected devices running a 64-bit version of Microsoft Windows, run the les with the x64
su ix in the distribution kit.

Detailed information about the use of Windows Installer's standard commands and command-line options is
provided in the documentation supplied by Microsoft.

Examples of installing Kaspersky Embedded Systems Security from the setup.exe le

To install Kaspersky Embedded Systems Security with the recommended installation settings without user
involvement, run the following command:

\product\setup.exe /s /p EULA=1 /p PRIVACYPOLICY=1

You can install Kaspersky Embedded Systems Security with the following settings:

only install the Real-Time File Protection and On-Demand Scan components;

do not run Real-Time File Protection when starting Kaspersky Embedded Systems Security;

do not exclude les that Microsoft Corporation recommends to exclude from the scan scope.

To do so, run the following command:

\product\setup.exe /p ADDLOCAL=Oas /p RUNRTP=0 /p ADDMSEXCLUSION=0

Examples of commands used for installation: running an .msi le

To install Kaspersky Embedded Systems Security with the recommended installation settings without user
involvement, run the following command:

msiexec /i ess.msi /qn EULA=1 PRIVACYPOLICY=1

To install Kaspersky Embedded Systems Security with the recommended installation settings and display the
installation interface, run the following command:

msiexec /i ess.msi /qf EULA=1 PRIVACYPOLICY=1

To install and activate Kaspersky Embedded Systems Security using the key le C:\0000000A.key:

msiexec /i ess.msi LICENSEKEYPATH=C:\0000000A.key /qn EULA=1 PRIVACYPOLICY=1

To install Kaspersky Embedded Systems Security with a preliminary scan of active processes and the boot sectors
of local disks, run the following command:

msiexec /i ess.msi PRESCAN=1 /qn EULA=1 PRIVACYPOLICY=1

To install Kaspersky Embedded Systems Security in the installation folder C:\ESS, run the following command:

msiexec /i ess.msi INSTALLDIR=C:\ESS /qn EULA=1 PRIVACYPOLICY=1

62
To install Kaspersky Embedded Systems Security and save an installation log le named ess.log in the folder where
the Kaspersky Embedded Systems Security msi le is stored, run the following command:

msiexec /i ess.msi /l*v ess.log /qn EULA=1 PRIVACYPOLICY=1

To install Kaspersky Embedded Systems Security Console, run the following command:

msiexec /i esstools.msi /qn EULA=1

To install and activate Kaspersky Embedded Systems Security using the key le C:\0000000A.key and con gure
Kaspersky Embedded Systems Security according to the settings in the con guration le C:\settings.xml, run the
following command:

msiexec /i ess.msi LICENSEKEYPATH=C:\0000000A.key CONFIGPATH=C:\settings.xml /qn EULA=1

PRIVACYPOLICY=1

To install an application patch when Kaspersky Embedded Systems Security is password-protected, run the
following command:

msiexec /p "<msp file name with path>" UNLOCK_PASSWORD=<password>

Actions to perform after Kaspersky Embedded Systems Security

installation
Kaspersky Embedded Systems Security starts protection and scan tasks immediately after installation if you have
activated the application. If you select Enable real-time protection after installation of application during
installation of Kaspersky Embedded Systems Security, the application scans the device's le system objects when
they are accessed. Kaspersky Embedded Systems Security will run the Critical Areas Scan task every Friday at
8:00 P.M.

We recommend taking the following steps after installing Kaspersky Embedded Systems Security:

Start the Kaspersky Embedded Systems Security Database Update task. After installation Kaspersky
Embedded Systems Security will scan objects using the database included in its distribution kit. We
recommend updating the Kaspersky Embedded Systems Security database immediately. To do so, you must
run the Database Update task. The database will then be updated every hour according to the default schedule.
For example, you can run the Database Update task by running the following command:
KAVSHELL UPDATE /KL /PROXY:proxy.company.com:8080 /AUTHTYPE:1 /PROXYUSER:inetuser
/PROXYPWD:123456
In this case, Kaspersky Embedded Systems Security database updates are downloaded from Kaspersky update
servers. Connection to an update source is established via a proxy server (proxy server address:
proxy.company.com, port: 8080) using built-in Windows NTLM authentication to access the server under an
account (user name: inetuser; password: 123456).

Run a Critical Areas Scan of the device if no anti-virus software with real-time le protection was installed on
the device before installation of Kaspersky Embedded Systems Security.

To start the Critical Areas Scan task using the command line:

KAVSHELL SCANCRITICAL /W:scancritical.log

This command saves the task log in a le named scancritical.log contained in the current folder.
Con gure administrator noti cations about Kaspersky Embedded Systems Security events.

63
Adding and removing components. Sample commands
The Applications Launch Control component is installed automatically.

To install the On-Demand Scan component, run the following command:

msiexec /i ess.msi ADDLOCAL=Oas,Ods /qn

\product\setup.exe /s /p ADDLOCAL=Oas,Ods

After you add the components to the list, Kaspersky Embedded Systems Security reinstalls the existing
components and installs the speci ed components.

To remove the installed components, run the following command:

msiexec /i ess.msi REMOVE=Firewall,PerfMonCounters EULA=1 PRIVACYPOLICY=1 /qn

To install new components, run the following command:

msiexec /i ess.msi
ADDLOCAL=AKIntegration,AVProtection,AntiExploit,AppCtrl,DevCtrl,Fim,Ksn,LogInspector,Oas
EULA=1 PRIVACYPOLICY=1 /qn

After you list the components that you want to install and remove, Kaspersky Embedded Systems Security
installs and removes the components accordingly.

Kaspersky Embedded Systems Security uninstallation. Sample commands

To uninstall Kaspersky Embedded Systems Security from the protected device, run the following command:

msiexec /x ess.msi /qn

For 32-bit operating systems:

msiexec /x {941B0F6E-2DFA-4557-90AE-D9DF81E985C2} /qn

For 64-bit operating systems:

msiexec /x {6BF23C65-7BE8-44F8-8B7F-3A6B419F6816} /qn

To uninstall Kaspersky Embedded Systems Security Console, run the following command:

msiexec /x esstools.msi /qn

64
or

msiexec /x {15BA7FF5-3082-436E-AF0D-F937685F6E89} /qn

To uninstall Kaspersky Embedded Systems Security from a device on which password protection is enabled,
perform the following command:

For 32-bit operating systems:

msiexec /x {941B0F6E-2DFA-4557-90AE-D9DF81E985C2} UNLOCK_PASSWORD=*** /qn

For 64-bit operating systems:

msiexec /x {6BF23C65-7BE8-44F8-8B7F-3A6B419F6816} UNLOCK_PASSWORD=*** /qn

Return codes
The table below contains a list of command-line return codes.

Return codes

Code Description

1324 The destination folder name contains invalid characters.

25001 Insu icient rights to install Kaspersky Embedded Systems Security. To install the application, start
the installation wizard with local administrator rights.

25003 Kaspersky Embedded Systems Security cannot be installed on devices running this version of
Microsoft Windows. Please start the installation wizard for 64-bit versions of Microsoft Windows.

25004 Incompatible software detected. To continue the installation, uninstall the following software: <list
of incompatible software>.

25010 The indicated path cannot be used to save quarantined objects.

25011 The name of the folder for saving quarantined objects contains invalid characters.

26251 Unable to download the Performance Counters DLL.

26252 Unable to download the Performance Counters DLL.

27300 The driver cannot be installed.

27301 The driver cannot be uninstalled.

27302 The network component cannot be installed. Maximum supported number of ltered devices
reached.

27303 Anti-virus databases not found.

Installing and uninstalling the application using Kaspersky Security Center

This section contains general information about installing Kaspersky Embedded Systems Security via Kaspersky
Security Center. It also describes how to install and uninstall Kaspersky Embedded Systems Security via Kaspersky
Security Center and actions to perform after installing Kaspersky Embedded Systems Security.

65
General information about installing via Kaspersky Security Center
You can install Kaspersky Embedded Systems Security via Kaspersky Security Center using the remote installation
task.

After the remote installation task is complete, Kaspersky Embedded Systems Security will be installed with
identical settings on multiple protected devices.

All protected devices can be combined in a single administration group, and a group task can be created to install
Kaspersky Embedded Systems Security on the protected devices in this group.

You can create a task to remotely install Kaspersky Embedded Systems Security on a set of protected devices
that are not in the same administration group. When creating this task, you must generate the list of individual
protected devices that Kaspersky Embedded Systems Security should be installed on.

Detailed information on the remote installation task is provided in Kaspersky Security Center Help.

Rights to install or uninstall Kaspersky Embedded Systems Security

The account speci ed in the remote installation (removal) task must be included in the administrators group on
each of the protected devices in all cases except those described below:

If the Kaspersky Security Center Network Agent is already installed on the protected devices on which
Kaspersky Embedded Systems Security is to be installed (regardless of which domain the protected devices
are in or whether they belong to any domain).

If the Network Agent is not yet installed on the protected devices, you can install it with Kaspersky
Embedded Systems Security using a remote installation task. Before installing the Network Agent, make
sure that the account you want to specify in the task is included in the administrators group on each of the
protected devices.

All protected devices on which you want to install Kaspersky Embedded Systems Security are in the same
domain as the Administration Server, and the Administration Server is registered as the Domain Admin account
(if this account has local administrator's rights on the protected devices within the domain).

By default, when using the Forced installation method, the remote installation task is run from the account
running the Administration Server.

When working with group tasks or with tasks for sets of protected devices under forced installation (uninstallation)
mode, an account must have the following rights on the protected device:

Right to execute applications remotely.

Rights to the Admin$ share.

Right to Log on as a service.

66
Installing Kaspersky Embedded Systems Security via Kaspersky Security
Center

Detailed information about generating an installation package and creating a remote installation task is
provided in the Kaspersky Security Center Implementation Guide.

If you intend to manage Kaspersky Embedded Systems Security via Kaspersky Security Center in the future, make
sure that the following conditions are met:

The protected device where the Kaspersky Security Center Administration Server is installed also has the
Administration Plug-in installed (\product\klcfginst.exe le in the Kaspersky Embedded Systems Security
distribution kit).

Kaspersky Security Center Network Agent is installed on protected devices. If Kaspersky Security Center
Network Agent is not installed on protected devices, you can install it together with Kaspersky Embedded
Systems Security using a remote installation task.

Devices can also be combined into an administration group in order to later manage the protection settings using
Kaspersky Security Center policies and group tasks.

To install Kaspersky Embedded Systems Security using a remote installation task:

1. Start the Kaspersky Security Center Administration Console.

2. In Kaspersky Security Center, expand the Advanced node.

3. Expand the Remote installation child node.

4. In the results pane of the Installation packages child node, click the Create installation package button.

5. Select the Create installation package for a Kaspersky application installation package type.

6. Enter the installation package name.

7. Specify the ess.kud le from the Kaspersky Embedded Systems Security distribution kit as the installation
package le.
The End User License Agreement and Privacy Policy window opens.

8. If you agree to the terms and conditions of End User License Agreement and Privacy Policy, select the I con rm
that I have fully read, understood, and accept the terms and conditions of this End User License
Agreement and I am aware and agree that my data will be handled and transmitted (including to third
countries) as described in the Privacy Policy. I con rm that I have fully read and understand the Privacy
Policy check boxes in order to proceed with the installation.

You must accept the License Agreement and the Privacy Policy to proceed.

9. To change the set of Kaspersky Embedded Systems Security components to be installed and the default
installation settings in the installation package:

a. In Kaspersky Security Center, expand the Remote installation node.

67
b. In the results pane of the Installation packages child node, open the context menu of the created
Kaspersky Embedded Systems Security installation package and select Properties.

c. In the Properties: <name of installation package> window open the Settings section.

In the Components to install settings group, select the check boxes next to the names of the
Kaspersky Embedded Systems Security components you want to install.

d. In order to indicate a destination folder other than the default one, specify the folder name and path in the
Destination folder eld.
The path to the destination folder may contain system environment variables. If the folder does not exist on
the protected device, it will be created.

e. In the Advanced installation settings group, con gure the following settings:

Scan the protected device for viruses before installation

Enable real-time protection after installation of application

Add Microsoft recommended les to exclusions list

Add Kaspersky recommended les to exclusions list

Enable delayed start of the Kaspersky Security Service at operating system startup

f. In the Properties: <name of installation package> dialog window, click OK.

10. In the Installation packages node create a task to remotely install Kaspersky Embedded Systems Security on
the selected protected devices (administration group). Con gure the task settings.
To learn more about creating and con guring remote installation tasks, see the Kaspersky Security Center Help.

11. Run the Kaspersky Embedded Systems Security remote installation task.

Kaspersky Embedded Systems Security will be installed on the protected devices speci ed in the task.

Actions to perform after Kaspersky Embedded Systems Security

installation
After you install Kaspersky Embedded Systems Security, we recommend that you update Kaspersky Embedded
Systems Security databases on the devices, and perform a Critical Areas Scan of the devices if no anti-virus
applications with enabled real-time protection were installed on the devices before installation of Kaspersky
Embedded Systems Security.

If the protected devices on which Kaspersky Embedded Systems Security was installed are part of the same
administration group in the Kaspersky Security Center, you can perform these tasks using the following methods:

1. Create Database Update tasks for the group of protected devices on which Kaspersky Embedded Systems
Security was installed. Set the Kaspersky Security Center Administration Server as the update source.

68
2. Create an On-Demand Scan group task with the Critical Areas Scan status. Kaspersky Security Center
evaluates the security status of each protected device in the group based on the results of this task, not based
on the results of the Critical Areas Scan task.

3. Create a new policy for the group of protected devices. In the policy properties, in the Application settings
section, deactivate the scheduled start of local system on-demand scan tasks and the Database Update tasks
on the administration group's protected devices in the settings of the Run local system tasks subsection.

You can also con gure administrator noti cations about Kaspersky Embedded Systems Security events.

Installing the Application Console via Kaspersky Security Center

Detailed information about creating an installation package and a remote installation task is provided in the
Kaspersky Security Center Implementation Guide.

To install the Application Console using a remote installation task:

1. In the Kaspersky Security Center Administration Console expand the Advanced node.

2. Expand the Remote installation child node.

3. In the results pane of the Installation packages child node, click the Create installation package button. While
creating the new installation package:

a. In the New Package Wizard window, select Create installation package for speci ed executable le as a
package type.

b. Enter the new installation package name.

c. Select the \console\setup.exe le from the Kaspersky Embedded Systems Security distribution kit folder
and select the Copy entire folder to the installation package check box.

d. If required, use the ADDLOCAL command-line option to modify the set of components to be installed in the
Executable le launch settings (optional) eld and change the destination folder.
For instance, in order to install the Application Console alone in the folder C:\KasperskyConsole without
installing the help le and documentation, use the following command-line options:
/s /p "ADDLOCAL=MmcSnapin INSTALLDIR=C:\KasperskyConsole EULA=1"

4. In the Installation packages child node, create a task to remotely install the Application Console on the
selected protected devices (administration group). Con gure the task settings.

To learn more about creating and con guring remote installation tasks, see the Kaspersky Security Center
Help.

5. Run the remote installation task.

The Application Console is installed on the protected devices speci ed in the task.

69
Uninstalling Kaspersky Embedded Systems Security via Kaspersky Security
Center

If management of Kaspersky Embedded Systems Security on network devices is password protected, enter
the password when creating a task to uninstall multiple applications. If the password protection is not
managed centrally by a Kaspersky Security Center policy, Kaspersky Embedded Systems Security will be
successfully uninstalled from the devices, on which the entered password matched the set value. Kaspersky
Embedded Systems Security will not be uninstalled from other protected devices.

To uninstall Kaspersky Embedded Systems Security:

1. In the Kaspersky Security Center Administration Console, create and start an application removal task.

2. In the task, select the uninstallation method (similar to selecting the installation method; see the previous
section) and specify the account that Administration Server will use to access the protected devices. You can
uninstall Kaspersky Embedded Systems Security with only the default uninstallation settings.

Installing and uninstalling via Active Directory group policies

This section describes installing and uninstalling Kaspersky Embedded Systems Security via Active Directory group
polices. It also contains information about actions to perform after installing Kaspersky Embedded Systems
Security through group policies.

Installing Kaspersky Embedded Systems Security via Active Directory group

policies
You can install Kaspersky Embedded Systems Security on several protected devices via the Active Directory group
policy. You can install the Application Console the same way.

The protected devices on which you want to install Kaspersky Embedded Systems Security or the Application
Console must be in the same domain and a single organizational unit.

The operating systems on the protected devices on which you want to install Kaspersky Embedded Systems
Security using the policy must be of the same bitness (32-bit or 64-bit).

You must have domain administrator rights.

To install Kaspersky Embedded Systems Security, use the ess_x86.msi or ess_x64.msi installation package. To
install the Application Console, use the esstools.msi installation package.

70
Detailed information about the use of Active Directory group policies is provided in the documentation
supplied by Microsoft.

To install Kaspersky Embedded Systems Security (or the Application Console):

1. Save the msi le corresponding to the bitness (32- or 64-bit) of the installed version of the Microsoft Windows
operating system in the public folder on the domain controller.

2. Save the key le in the same public folder on the domain controller.

3. In the same public folder on the domain controller, create an install_props.json le with the contents below,
which means that you accept the terms of the License Agreement and the Privacy Policy.
{
"EULA": "1",
"PRIVACYPOLICY": "1"
}

4. On the domain controller create a new policy for the group that the protected devices belong to.

5. Using the Group Policy Object Editor, create a new installation package in the Computer Con guration node.
Specify the path to the msi le for Kaspersky Embedded Systems Security (or Application Console) in UNC
(Universal Naming Convention) format.

6. Select the Windows Installer's Always install with elevated privileges check box in both the Computer
Con guration node and in the User Con guration node of the selected group.

7. Apply the changes using the gpupdate /force command.

Kaspersky Embedded Systems Security will be installed on the protected devices of the group after they have
been restarted.

Actions to perform after Kaspersky Embedded Systems Security

installation
After installing Kaspersky Embedded Systems Security on the protected devices, it is recommended that you
immediately update the application databases and run a Critical Areas Scan. You can perform these actions from
the Application Console.

You can also con gure administrator noti cations about Kaspersky Embedded Systems Security events.

Uninstalling Kaspersky Embedded Systems Security via Active Directory

group policies

71
If you used an Active Directory group policy to install Kaspersky Embedded Systems Security (or the Application
Console) on the group of protected devices, you can use this policy to uninstall Kaspersky Embedded Systems
Security (or the Application Console).

You can uninstall the application only with the default uninstallation parameters.

Detailed information about the use of Active Directory group policies is provided in the documentation
supplied by Microsoft.

If application management is password protected, you cannot uninstall Kaspersky Embedded Systems
Security using Active Directory group policies.

To uninstall Kaspersky Embedded Systems Security (or the Application Console):

1. On the domain controller, select the organizational unit from whose protected devices you want to uninstall
Kaspersky Embedded Systems Security or the Application Console.

2. Select the policy created for the installation of Kaspersky Embedded Systems Security and in the Group
Policies Object Editor, in the Software installation node (Computer Con guration > Software Settings >
Software installation) open the context menu of the Kaspersky Embedded Systems Security (or the
Application Console) installation package and select the All tasks > Remove command.

3. Select the uninstallation method Immediately uninstall the software from users and computers.

4. Apply the changes using the gpupdate / force command.

Kaspersky Embedded Systems Security is removed from the protected devices after they are restarted and
before logging in to Microsoft Windows.

Checking Kaspersky Embedded Systems Security functions. Using the

EICAR test virus
This section describes the EICAR test virus and how to use the EICAR test virus to check the Real-Time File
Protection and On-Demand Scan features of Kaspersky Embedded Systems Security.

About the EICAR test virus

This test virus is designed to verify the operation of anti-virus applications. It was developed by the European
Institute for Computer Antivirus Research (EICAR).

The test virus is not a malicious object and does not contain executable code for your device, but most
vendors' anti-virus applications identify it as a threat.

The le containing this test virus is called eicar.com. You can download it from the EICAR website .

72
Before saving the le in a folder on the device's hard drive, make sure that Real-Time File Protection is disabled
on that drive.

The eicar.com le contains a line of text. When scanning the le Kaspersky Embedded Systems Security detects
the test threat in this line of text, assigns the Infected status to the le, and deletes it. Information about the
threat detected in the le will appear in the Application Console and in the task log.

You can use the eicar.com le to check how Kaspersky Embedded Systems Security disinfects infected objects
and how it detects probably infected objects. To do this, open the le using a text editor, add one of the pre xes
listed in the table below to the beginning of the line of text in the le, and save the le under a new name, e.g.
eicar_cure.com.

To make sure that Kaspersky Embedded Systems Security processes the eicar.com le with a pre x, in the
Objects protection security settings section, set the All objects value for the Real-Time Computer
Protection tasks and Default On-Demand Scan tasks of Kaspersky Embedded Systems Security.

Pre xes in EICAR les

Pre x File status after the scan and Kaspersky Embedded Systems Security action

No Kaspersky Embedded Systems Security assigns the Infected status to the object and
pre x deletes it.

SUSP– Kaspersky Embedded Systems Security assigns the Probably infected status to the object
detected by the heuristic analyzer and deletes it since probably infected objects are not
disinfected.

WARN– Kaspersky Embedded Systems Security assigns the Probably infected status to the object (the
object's code partly matches the code of a known threat) and deletes it since probably infected
objects are not disinfected.

CURE– Kaspersky Embedded Systems Security assigns the Infected status to the object and disinfects
it. If disinfection is successful, the entire text in the le is replaced with the word "CURE".

Checking the Real-Time File Protection and On-Demand Scan features

After installing Kaspersky Embedded Systems Security, you can con rm that Kaspersky Embedded Systems
Security nds objects containing malicious code. To check this, you can use a test virus from EICAR.

To check the Real-Time File Protection feature:

1. Download the eicar.com le from the EICAR website . Save it in a public folder on the local drive of any device
on the network.

Before you save the le to the folder, make sure that Real-Time File Protection is disabled for the folder.

2. If you want to check that network user noti cations are working, make sure that the Microsoft Windows
Messenger Service is enabled both on the protected device and on the device where you saved the eicar.com
le.

3. Open the Application Console on the protected device.

4. Copy the saved eicar.com le to the local drive of the protected device using one of the following methods:
73
To test noti cations through a Terminal Services window, copy the eicar.com le to the protected device
after connecting to the protected device using the Remote Desktop Connection utility.

To test noti cations through the Microsoft Windows Messenger Service, use the device's network places to
copy the eicar.com le from the device where you saved it.

Real-Time File Protection is working correctly if the following conditions are met:

The eicar.com le is deleted from the protected device.

In the Application Console, the task log is given the Critical status. The log has a new line with information about
a threat in the eicar.com le. (To view the task log, in the Application Console tree, expand the Real-Time
Computer Protection node, select the Real-Time File Protection task and in the results panel of the node
click the Open task log link).

The following Microsoft Windows Messenger Service message appears on the device from which you
copied the le: Kaspersky Embedded Systems Security blocked access to <path to file on
the device>\eicar.com on computer <network name of the device> at <time that event
occurred>. Reason: Threat detected. Virus: EICAR-Test-File. User name: <user name>.
Computer name: <network name of the device from which you copied the file>.

Make sure that the Microsoft Windows Messenger Service is running on the device from which you copied
the eicar.com le.

To check the On-Demand Scan feature:

1. Download the eicar.com le from the EICAR website . Save it in a public folder on the local drive of any device
on the network.

Before you save the le to the folder, make sure that Real-Time File Protection is disabled for the folder.

2. Open the Application Console.

3. Do the following:

a. Expand the On-Demand Scan node in the Application Console tree.

b. Select the Critical Areas Scan child node.

c. On the Scan scope settings tab, open the context menu on the Network node and select Add network
le.

d. Enter the network path to the eicar.com le on the remote device in UNC (Universal Naming Convention)
format.

e. Select the check box to include the added network path in the scan scope.

f. Run the Critical Areas Scan task.

The On-Demand Scan is working as it should if the following conditions are met:

The eicar.com le is deleted from the device's hard drive.

74
In the Application Console, the task log is given the Critical status. The Critical Areas Scan task log has a new
line with information about a threat in the eicar.com le. (To view the task log, in the Application Console tree,
expand the On-Demand Scan child node, select the Critical Areas Scan task and in the results panel, click the
Open task log link).

75
Application interface
You can control Kaspersky Embedded Systems Security using the following interfaces:

Local Application Console.

Kaspersky Security Center Administration Console.

Kaspersky Security Center Web Console.

Kaspersky Security Center Cloud Console.

Kaspersky Security Center Administration Console

Kaspersky Security Center lets you remotely install and uninstall, start and stop Kaspersky Embedded Systems
Security, con gure application settings, change the set of available application components, add keys, and start
and stop tasks.

The application can be managed via Kaspersky Security Center using the Kaspersky Embedded Systems Security
Administration Plug-in. See detailed information about the Kaspersky Security Center interface in the Kaspersky
Security Center Help.

Kaspersky Security Center Web Console and Cloud Console

Kaspersky Security Center Web Console (hereinafter also referred to as Web Console) is a web application
intended for centrally performing the main tasks to manage and maintain the security system of an organization's
network. Web Console is a Kaspersky Security Center component that provides a user interface. For detailed
information about Kaspersky Security Center Web Console, please refer to the Kaspersky Security Center Help.

Kaspersky Security Center Cloud Console (hereinafter also referred to as the Cloud Console) is a cloud-based
solution for protecting and managing an organization's network. For detailed information about Kaspersky Security
Center Cloud Console, please refer to the Kaspersky Security Center Cloud Console Help.

Web Console and Cloud Console let you do the following:

Monitor the status of your organization's security system.

Install Kaspersky applications on devices within your network.

Manage installed applications.

View reports on the security system status.

76
Application licensing
This section provides information about the main concepts related to licensing of the application.

About the End User License Agreement

The End User License Agreement is a binding agreement between you and AO Kaspersky Lab, stipulating the terms
on which you may use the application.

Carefully review the terms of the End User License Agreement before you start using the application.

You can review the terms of the End User License Agreement in the following ways:

During the Kaspersky Embedded Systems Security installation

By reading the le license.txt. This document is included in the application's distribution kit

By con rming that you agree with the End User License Agreement when installing the application, you signify your
acceptance of the terms of the End User License Agreement. If you do not accept the terms of the End User
License Agreement, you must abort application installation and must not use the application.

About the license

A license is a time-limited right to use the application, granted under the End User License Agreement.

A valid license entitles you to receive the following services:

Use of the application in accordance with the terms of the End User License Agreement

Technical support

The scope of service and the period of application use depend on the type of license used to activate the
application.

You can activate the application in two ways:

Using a key le, which grants you the usage under the commercial license

Using an activation code to purchase a commercial license.

The commercial license is a paid license granted upon purchase of the application.

You can purchase Kaspersky Embedded Systems Security standard license or Kaspersky Embedded Systems
Security Compliance Edition extended license, which includes two additional system inspection components: File
Integrity Monitor and Log Inspection.

When a commercial license expires, the application continues to run, but the following features become
unavailable:

Integrating with Kaspersky Security Network

77
Kaspersky Embedded Systems Security database update

When a trial license expires, the application continues to run; the On-Demand Scan and Real-Time File Protection
tasks remain available, but all other tasks and Kaspersky Embedded Systems Security database updates are
unavailable. The same happens if you remove the license or if your license is added to the denylist.

To continue using all Kaspersky Embedded Systems Security features, you must renew the license.

To ensure maximum protection of your device, we recommend that you renew the license before it expires.

Make sure that the expiration date for the additional key is later than for the active one

About license certi cate

A license certi cate is a document that you receive along with a key le or an activation code (if applicable).

A license certi cate contains the following information about the current license:

Order number

Information about the user who has been granted the license

Information about the application that can be activated under the license provided

Limit of the number of licensing units (e.g., devices on which the application can be used under the license
provided)

License validity start date

License expiration date or license term

License type

About the key

A key is a sequence of bits with which you can activate and subsequently use the application in accordance with
the terms of the End User License Agreement. A key is generated by Kaspersky.

You can add a key to the application by using a key le. After you add a key to the application, the key is displayed in
the application interface as a unique alphanumeric sequence.

Kaspersky can add a key to the denylist due to violations of the License Agreement. If your key is blocked, a
di erent key must be added in order for the application to work.

A key may be an "active key" or an "additional key".

An active key is the key that the application currently uses to function. A key for a commercial or trial license may
be added as the active key. The application can have no more than one active key.

78
An additional key is a key that con rms the right to use the application but is not currently in use. An additional key
automatically becomes active when the license associated with the current active key expires. An additional key
may be added only if there is an active key.

About the key le

A key le is a le with the .key extension provided to you by Kaspersky. Key les are designed to activate the
application by adding a license key.

You receive a key le at the email address that you provided when you bought Kaspersky Embedded Systems
Security or ordered the trial version of Kaspersky Embedded Systems Security.

You do not need to connect to Kaspersky activation servers in order to activate the application with a key le.

You can restore a key le if it has been accidentally deleted. You may need a key le to register a Kaspersky
CompanyAccount, for example.

To restore your key le, perform any of the following actions:

Contact the license seller.

Receive a key le through Kaspersky website by using your available activation code.

About activation code

An activation code is a unique sequence of 20 letters and numbers. You have to enter an activation code in order
to add a key for activating Kaspersky Embedded Systems Security. You receive the activation code at the email
address that you provided when you bought Kaspersky Embedded Systems Security or ordered the trial version of
Kaspersky Embedded Systems Security.

To activate the application with an activation code, you need Internet access in order to connect to Kaspersky
activation servers.

If you have lost your activation code after installing the application, it can be recovered. You may need the
activation code to register a Kaspersky CompanyAccount, for example. To recover your activation code, contact
the Kaspersky Lab partner from whom you purchased the license.

About data provision

The License Agreement for Kaspersky Embedded Systems Security, speci cally the section entitled "Terms of
data processing", speci es the terms, liability, and procedure for sending and processing the data indicated in this
Guide. Before accepting the License Agreement, carefully review its terms as well as all documents linked to by the
License Agreement.

The data Kaspersky receives from you when you use the application is protected and processed in accordance
with the Privacy Policy available at www.kaspersky.com/Products-and-Services-Privacy-Policy .

The terms of the License Agreement and Privacy Policy are available during the Kaspersky Embedded Systems
Security installation, as a part of distribution kit, and from the Start menu (All programs > Kaspersky Embedded
Systems Security > EULA and Privacy Policy) after the installation.

79
During the Kaspersky Embedded Systems Security uninstallation, all the data stored by Kaspersky Embedded
Systems Security on the protected device is deleted.

By accepting the terms of the License Agreement, you agree to automatically send the following data to
Kaspersky:

To support the mechanism for receiving updates – information about the installed application and its
activation: identi er of the application being installed and its full version, including build number, type, and
license identi er, installation identi er, update task identi er.

To use the ability to navigate to Knowledge Base articles when application errors occur (Redirector service) –
information about the application and link type: the name, locale, and full version number of the application,
type of redirecting link, and error identi er.

To manage con rmations for data processing – information about the status of acceptance of license
agreements and other documents, that stipulate data transferring terms: identi er and version of the License
Agreement or other document, as a part of which the data processing terms are accepted or declined; an
attribute, signifying the user’s action (con rmation or recall of the terms acceptance); date and time of status
changes of the data processing terms acceptance.

Local data processing

While executing the application primary functions described in this Guide, Kaspersky Embedded Systems Security
locally processes and stores a sequence of data on the protected computer.

The table below contains information about local processing and storing by Kaspersky Embedded Systems
Security of data contained in reports.

Processing and storing of data contained in reports

Functional Event registration

area

Type of Kaspersky Embedded Systems Security stores the data locally and sends the data to the
use Administration Server. The Administration Server database stores information about
application events that occur on the managed protected devices.

Storage %ALLUSERSPROFILE%\Kaspersky Lab\Kaspersky Embedded Systems Security\<product

version>\Reports

%SystemRoot%\System32\Winevt\Logs\Kaspersky Security.evtx

Administration Server database

Security Access-control list.

measures

Storage Kaspersky Embedded Systems Security stores the data until the uninstallation of Kaspersky
period Embedded Systems Security.
During the Kaspersky Embedded Systems Security uninstallation, all the data stored by
Kaspersky Embedded Systems Security on the protected device is deleted.

Purpose Providing primary functionality.

80
Kaspersky Embedded Systems Security does not delete events in the Windows Event Log including during
the Kaspersky Embedded Systems Security uninstallation.

In order to provide event registration functionality, Kaspersky Embedded Systems Security locally processes the
following data:

Names, checksums (MD5, SHA-256) and attributes of processed les and full paths to them on the scanned
media.

Actions taken on scanned les by Kaspersky Embedded Systems Security.

User actions taken on scanned les on the protected computer.

Information about accounts of users performing any actions on the protected network or protected device.

Device Instance Path values for devices added to the Device Control rules.

Information about processes and scripts running on the system: checksums (MD5, SHA-256) and full paths to
executable les, information about digital certi cates.

Windows Firewall settings.

Windows Event Log entries.

Names of user accounts taking actions on scanned les on the protected computer.

Instances of executable les being started, and the types, names, checksums, and attributes of these les.

Information about network activity:

The IP addresses of blocked external devices.

Processed IP addresses.

Information about the Windows USN Journal status.

The following table contains information about the service data processed by the Kaspersky Embedded Systems
Security. The service data includes: program parameters, quarantined and backup les, information in the
program’s service databases, license data.

The table below contains information about local processing and storing by Kaspersky Embedded Systems
Security of data about parameters speci ed by a user.

Processing and storing of data about parameters speci ed by a user

Functional All Kaspersky Embedded Systems Security functionality

area

Type of Kaspersky Embedded Systems Security stores the data locally and sends the data to the
use Administration Server. The data is stored in Administration Server database.
The data processed by the application locally is not automatically sent to Kaspersky or other
third-party systems.

Storage
%ALLUSERSPROFILE%\Kaspersky Lab\Kaspersky Embedded Systems Security\<product
version>\

81
Administration Server database

Security Access-control list.

measures

Processing Kaspersky Embedded Systems Security stores the data until the uninstallation of Kaspersky
period Embedded Systems Security.
During the Kaspersky Embedded Systems Security uninstallation, all the data stored by
Kaspersky Embedded Systems Security on the protected device is deleted.
Kaspersky Embedded Systems Security does not delete the data about parameters exported
into con guration le.
Kaspersky Embedded Systems Security does not delete Quarantine objects and Backup
objects if the Export quarantine objects and Export Backup objects check boxes are
selected in the Setup Wizard.

Purpose Providing primary functionality.

For speci ed purposes, Kaspersky Embedded Systems Security locally processes the following data:

Objects placed in Quarantine or Backup.

Information about user accounts (username and password) under which Kaspersky Embedded Systems
Security runs tasks.

Kaspersky Embedded Systems Security password.

IP addresses and identi ers of blocked logon sessions.

Windows Firewall settings and Windows Firewall rules settings.

Checksums (MD5, SHA-256) and paths to executable les added to the Application Launch Control task rules.

Device Instance Path values for devices added to the Device Control rules.

Information about les and folders included in scopes of Kaspersky Embedded Systems Security tasks.

IP addresses included or excluded from the protection scope.

Information about events in the Windows Event Log.

Information about detections with the use of iSwift or iChecker technology.

Checksums (MD5, SHA-256), full paths and masks speci ed in exclusions settings.

Information about processes added to the Trusted Zone.

Information about added license keys.

Information about digital certi cates.

Files unpacked from an archive or other composite object during the scan.

Kaspersky Embedded Systems Security processes and stores data as part of the application basic functionality,
including to log application events and receive diagnostic data. Locally processed data is protected in accordance
with the con gured and applied application settings.

82
Kaspersky Embedded Systems Security lets you con gure the level of protection for data processed locally
(Managing access permissions for Kaspersky Embedded Systems Security functions, Event registration. Kaspersky
Embedded Systems Security logs): you can change user privileges to access process data, change data retention
periods for such data, entirely or partially disable functionality that involves data logging, and change the path and
attributes of the folder where the data is logged.

The data processed by the application locally is not automatically sent to Kaspersky or other third-party systems.

By default, all data locally processed by the application during operation is removed after Kaspersky Embedded
Systems Security removal from the protected device.

Exception applies to les with diagnostics information (trace and dump les), the application events in the
Windows Event Log, and les with exported Kaspersky Embedded Systems Security settings - it is recommended
to manually remove these les.

You can nd the detailed information about working with les containing diagnostic data of the application in the
corresponding sections of this Guide.

You can delete Windows Event Log les containing the program events of Kaspersky Embedded Systems Security
via standard means of the operating system.

Local data processing by means of the application auxiliary components

The Kaspersky Embedded Systems Security installation package comprises the application auxiliary components,
which can be installed on your device even if Kaspersky Embedded Systems Security is not installed on it. Such
auxiliary components are:

The Application Console. This component is included in the Kaspersky Embedded Systems Security
Administration Tools set and is represented by a Microsoft Management Console snap-in.

The Administration Plug-in. This component provides a full integration with Kaspersky Security Center
application.

While performing the main functions of the application described in this Guide, the application auxiliary
components locally process and store a set of data on the protected device where they are installed, even if they
are installed separately from Kaspersky Embedded Systems Security.

The application components locally process and store the following data:

The Application Console: the name of the protected device with installed Kaspersky Embedded Systems
Security (IP address or domain name) to which the Application Console last connected remotely; display
parameters con gured in the Microsoft Management Console snap-in; data about the last folder in which the
user selected objects via the Application Console (by means of system dialog opened by clicking the Browse
button). The Application Console trace les can also contain the following data: the name of the protected
device with installed Kaspersky Embedded Systems Security application to which the remote connection was
established, the name of the user account under which the remote connection was established.

The Administration Plug-in can process and temporarily store data processed by Kaspersky Embedded
Systems Security; for example, con gured parameters of the application tasks and components, parameters of
Kaspersky Security Center policies, data sent in network lists.

The table below contains information about local processing and storing by Kaspersky Embedded Systems
Security of data written in dump and trace les.

Kaspersky Embedded Systems Security locally processes and stores the following data written in dump and trace
les:

83
Information about actions performed by Kaspersky Embedded Systems Security on the protected device.

Information about objects processed by Kaspersky Embedded Systems Security.

Information about activity on the protected device processed by Kaspersky Embedded Systems Security.

Information about errors that occurred during the running of Kaspersky Embedded Systems Security.

The data processed by the auxiliary components is not automatically sent to Kaspersky or other third-party
systems.

By default, all data locally processed by the application auxiliary components during the operation is deleted after
removal of these components.

The exceptions are trace les of the application auxiliary components, it is recommended to delete this les
manually.

Data in trace and dump les

Kaspersky Embedded Systems Security can, in accordance with the settings, write debug information to trace
les for the purposes of technical support during the operation of Kaspersky Embedded Systems Security.

Kaspersky Embedded Systems Security dump les are generated by the operating system during application
crashes and are overwritten by the next crash.

Trace and dump les can include any personal data of a user or con dential data of your organization.

Do not use Kaspersky Embedded Systems Security on devices for which data submission is prohibited by the
policy of your organization.

By default, Kaspersky Embedded Systems Security does not record debug information.

Trace and dump les are not automatically submitted beyond the host on which they were generated. The content
of trace les can be viewed using standard text le viewers. Trace and dump les are kept inde nitely and are not
deleted on uninstalling Kaspersky Embedded Systems Security.

Debug information can be useful for Technical Support.

No special mechanisms are provided for limiting access to trace and dump les. The administrator can con gure
this data to be written to a protected folder.

The path to the trace and dump le folder is not con gured by default. To use the trace and dump folder, the
administrator must specify it.

Data in trace and dump les can contain:

Actions performed by Kaspersky Embedded Systems Security on the host.

Information about objects processed by Kaspersky Endpoint Agent.

Errors arising during the operation of Kaspersky Endpoint Agent.

84
Activating the application with a key le
You can activate Kaspersky Embedded Systems Security by applying a key le.

If an active key has already been added to Kaspersky Embedded Systems Security and you add another key as the
active key, the new key replaces the previously added key. The previously added key is removed.

If an additional key has already been added to Kaspersky Embedded Systems Security and you add another key as
an additional key, the new key replaces the previously added key. The previously added additional key is removed.

If an active key and an additional key have already been added to Kaspersky Embedded Systems Security and you
add a new key as the active key, the new key replaces the previously added active key; the additional key is not
removed.

To activate Kaspersky Embedded Systems Security using a key le:

1. In the Application Console tree, expand the Licensing node.

2. In the results pane of the Licensing node, click the Add key link.

3. In the window that opens, click the Browse button.

4. Select a key le with the .key extension.

You can also add a key as an additional key. To add a key as an additional key, select the Use as additional
key check box.

5. Click OK.

The selected key le will be applied. Information about the added key will be available on the Licensing node.

Activating the application with an activation code

To activate the application using an activation code, the protected device must be connected to the Internet.

You can activate Kaspersky Embedded Systems Security by using an activation code.

When activating the application with this method, Kaspersky Embedded Systems Security sends data to the
activation server to verify the entered code:

If the activation code veri cation is successful, the application is activated.

If the activation code veri cation fails, the corresponding noti cation is displayed. In this case, you must
contact the software vendor from whom you purchased your Kaspersky Embedded Systems Security license.

If the number of activations with the activation code is exceeded, the corresponding noti cation is displayed.
The application activation procedure is interrupted, and the application suggests that you contact Kaspersky
Technical Support.

85
You can activate Kaspersky Embedded Systems Security with an activation code using the Application Console, or
by creating the Activation of the Application group task via the Administration Plug-in or via the Web Plug-in.

To activate Kaspersky Embedded Systems Security with an activation code using the Application Console:

1. In the Application Console tree, expand the Licensing node.

2. In the results pane of the Licensing node, click the Add activation code link.

3. In the window that opens, enter the activation code in the Activation code eld.

If you want to use the activation code as an additional key, enable Use as additional key check box.

If you want to view the license information, click the Show license information button; it will be displayed in
the License information group box.

4. Click OK.
Kaspersky Embedded Systems Security sends information about the applied activation code to the activation
server.

Viewing information about the current license

Viewing licensing information

Information about the current license is displayed in the details pane of the Kaspersky Embedded Systems
Security node of the Application Console. A key can have the following statuses:

Checking the key status – Kaspersky Embedded Systems Security is checking the applied key le or activation
code and waiting for a response about the current key status.

License expiration date – Kaspersky Embedded Systems Security has been activated until the speci ed date
and time. The key status is highlighted in yellow in the following cases:

The license will expire in 14 days and no additional key has been applied.

The added key has been added to the denylist and is about to be blocked.

License has expired – Kaspersky Embedded Systems Security is not activated because the license has
expired. The status is highlighted in red.

End User License Agreement has been violated – Kaspersky Embedded Systems Security is not activated
because the terms of the End User License Agreement have been violated. The status is highlighted in red.

Key is in denylist – The added key has been blocked and added to the denylist by Kaspersky, for example, if the
key has been used by third parties to activate the application illegally. The status is highlighted in red.

Viewing information about the current license

To view information about the current license,

in the Application Console tree, expand the Licensing node.

86
General information about the current license is displayed in the details pane of the Licensing node (see the table
below).

General information about the license in the Licensing node

Field Description

Activation The activation code. This eld is lled in if you activate the application using an activation
code code.

Activation Information about the activation status of the application. The Activation status column of
status the Licensing node's details pane can have the following statuses:
Applied – if you have activated the application using an activation code or key le.

Activation – if you have applied an activation code to activate the application, but the
activation process has not been nalized yet. The status changes to Applied after
activation of the application is complete and the contents of the node's details pane are
refreshed.

Activation error – if application activation failed. You can view the cause of unsuccessful
activation in the task log.

Key The key used to activate the application.

License License type: commercial or trial.

type

Expiration Expiration date and time of the license associated with the active key.
date

Activation Activation code status or key status: Active or Additional.

code
status or
key status

To view detailed information about the license,

on the Licensing node, open the context menu on the line with license data that you want to expand and select
Properties.
In the Key properties window, the General tab displays detailed information about the current license, and the
Advanced tab displays information about the customer and the contact details of Kaspersky or the retailer from
whom you purchased Kaspersky Embedded Systems Security (see the table below).

Detailed license information in the Properties: <Activation code status or key status> window

Field Description

General tab

Key The key used to activate the application.

Key Date when the key was added to the application.

addition
date

License License type: commercial or trial.

type

Days till Number of days remaining until the expiration of the license associated with the active key.
expiration

Expiration Expiration date and time of the license associated with the active key. If you activate the

87
date application under an unlimited subscription, the eld value is Unlimited. If Kaspersky
Embedded Systems Security is unable to determine the license expiration date, the eld
value is Unknown.

Application The name of the application activated with the key le or activation code.

Key usage Restriction on use of the key (if any).

restriction

Eligible for Information on whether Kaspersky or one of its partners will provide technical support under
technical the license terms.
support
Advanced tab

Information Current license key.

about the
license

Support Contact details of Kaspersky or its partner providing technical support. This eld may be
information empty if technical support is not provided.

Owner Information about the license owner: a customer name and the name of the organization for
information which the license was acquired.

Functional limitations when the license expires

When the current license expires, the following limitations are applied to the functional components:

All tasks are stopped, except the Real-Time File Protection, On-Demand Scan and Application Integrity Control
tasks.

You cannot start any tasks except the Real-Time File Protection, On-Demand Scan and Application Integrity
Control. These tasks continue to run using the old anti-virus databases.

Exploit Prevention functionality is limited:

Processes are protected until they are restarted.

New processes cannot be added to the protection scope.

Other functions (repositories, logs, diagnostic information) are still available.

Renewing the license

By default, when the license has 14 days remaining before expiration, Kaspersky Embedded Systems Security
noti es you about the approaching expiration. In this case, the License expiration date status is highlighted in
yellow in the results pane of the Kaspersky Embedded Systems Security node.

You can renew the license before the expiration date using an additional key. This ensures that your device remains
protected after expiration of the current license and before you activate the application with a new license.

To renew a license:

1. Obtain a new activation code or a key le.

88
2. In the Application Console tree, open the Licensing node.

3. Perform one of the following actions in the results pane of the Licensing node:

If you want to renew a license using a key le:

a. Click the Add key link.

b. In the window that opens, click the Browse button.

c. Select a new key le with the .key extension.

d. Select the Use as additional key check box.

If you want to renew a license using an activation code:

a. Click the Add activation code link.

b. Enter the purchased activation code in the window that opens.

c. Select the Use as additional key check box.

An Internet connection is required to apply an activation code.

4. Click OK.

The additional key will be added and automatically applied upon expiration of the current Kaspersky Embedded
Systems Security license.

Deleting the key

You can remove the added key.

If an additional key has been added to Kaspersky Embedded Systems Security and you remove the active key, the
additional key automatically becomes the active key.

If you delete an added key, you can restore it by re-applying the key le.

To remove a key that has been added:

1. In the Application Console tree, select the Licensing node.

2. In the results pane of the Licensing node in the table containing information on added keys, select the key that
you want to remove.

3. In the context menu of the line containing information on the selected key, select Remove.

4. Click the Yes button in the con rmation window to con rm that you want to delete the key.

The selected key will be removed.

89
Working with the Administration Plug-in
This section provides information about the Kaspersky Embedded Systems Security Administration Plug-in and
describes how to manage the application installed on a protected device or on a group of protected devices.

Managing Kaspersky Embedded Systems Security from Kaspersky Security

Center
You can centrally manage several protected devices with Kaspersky Embedded Systems Security installed and
included in an administration group via the Kaspersky Embedded Systems Security Administration Plug-in.
Kaspersky Security Center can also separately con gure each protected device in the administration group.

An administration group is created manually via Kaspersky Security Center. The group includes several devices
with Kaspersky Embedded Systems Security installed and for which you want to con gure the same control and
protection settings. For details on using administration groups, see Kaspersky Security Center Help.

Application settings for a single protected device are unavailable if the operation of Kaspersky Embedded
Systems Security on the protected device is controlled by an active Kaspersky Security Center policy.

Kaspersky Embedded Systems Security can be managed from Kaspersky Security Center in the following ways:

Using Kaspersky Security Center policies. Kaspersky Security Center policies can be used to remotely de ne
the same protection settings for a group of devices. Task settings speci ed in the active policy have priority
over task settings con gured locally in the Application Console or remotely in the Properties: <Protected
device name> window of Kaspersky Security Center.
You can use policies to con gure general application settings, Real-Time Computer Protection task settings,
Local Activity Control tasks settings, and scheduled local system task start settings.

Using Kaspersky Security Center group tasks. Kaspersky Security Center group tasks allow remote
con guration of common settings of tasks with an expiration period for a group of devices.
You can use group tasks to activate the application, con gure On-Demand Scan task settings, update task
settings, and Rule Generator for Applications Launch Control task settings.

Using tasks for a set of devices. Tasks for a set of devices allow remote con guration of common task
settings with a limited execution period for protected devices that do not belong to any administration group.

Using the properties window of a single device. In the Properties: <Protected device name> window, you can
remotely con gure the task settings for a single protected device included in an administration group. You can
also con gure both general application settings and settings for all Kaspersky Embedded Systems Security
tasks if the selected protected device is not controlled by an active Kaspersky Security Center policy.

Kaspersky Security Center allows you to con gure application settings and advanced features, and also work with
logs and noti cations. You can con gure these settings for a group of protected devices and for an individual
protected device.

Managing application settings

This section contains information about con guring Kaspersky Embedded Systems Security general settings in
Kaspersky Security Center Web Console.

90
Navigation
Learn how to navigate to the required task settings via the chosen interface.

Opening general settings via the policy

To open the application settings of the Kaspersky Embedded Systems Security via the policy:

1. Expand the Managed devices node in the Kaspersky Security Center Administration Console tree.

2. Select the administration group for which you want to con gure the task.

3. Select the Policies tab.

4. Double-click the policy name you want to con gure.

5. In the Properties: <Policy name> window that opens, select the Application settings section.

6. Click the Settings button in the subsection of the setting that you want to con gure.

Opening general settings in the application properties window

To open the properties window of the Kaspersky Embedded Systems Security for a single protected device:

1. Expand the Managed devices node in the Kaspersky Security Center Administration Console tree.

2. Select the administration group for which you want to con gure the task.

3. Select the Devices tab.

4. Open the Properties: <Protected device name> window in one of the following ways:

Double-click the name of the protected device.

Select the Properties item in the context menu of the protected device.

The Properties: <Protected device name> window opens.

5. In the Applications section, select Kaspersky Embedded Systems Security 3.1.

6. Click the Properties button.

The Kaspersky Embedded Systems Security 3.1 settings window opens.

7. Select the Application settings section.

91
Con guring general application settings in Kaspersky Security Center
You can con gure Kaspersky Embedded Systems Security general settings from Kaspersky Security Center for a
group of protected devices or for one protected device.

Con guring scalability, interface, and scan settings in Kaspersky Security

Center
To con gure scalability, interface, and scan settings:

1. Expand the Managed devices node in the Kaspersky Security Center Administration Console tree.

2. Select the administration group for which you want to con gure application settings.

3. Perform one of the following actions in the details pane of the selected administration group:

To con gure application settings for a group of protected devices, select the Policies tab and open the
Properties: <Policy name> window.

To con gure the application for a single protected device, select the Devices tab and open the Application
settings window.

If an active Kaspersky Security Center policy is applied to a device and blocks changes to application
settings, then these settings cannot be edited in the Application settings window.

4. In the Application settings section, in the Scalability, interface and scan settings subsection, click Settings.

5. In the Advanced application settings window on the General tab, con gure the following settings:

In the Scalability settings section, con gure the settings that de ne the number of processes used by
Kaspersky Embedded Systems Security:

Automatically detect scalability settings

Set the number of working processes manually

Maximum number of active processes

Number of processes for real-time protection

Number of processes for background on-demand scan tasks

In the Interaction with user section, con gure whether the System Tray Icon will be displayed in the
noti cation area by clearing or selecting the Display System Tray Icon in the taskbar check box.

6. On the Scan settings tab, con gure the following settings:

Restore le attributes after scanning

92
Limit CPU usage for scanning threads

Upper limit (per cent)

Folder for temporary les created during scanning

7. On the Hierarchical storage tab, select the option for accessing the hierarchical storage.

8. Click OK.

The con gured application settings are saved.

Con guring security settings in Kaspersky Security Center

To con gure security settings manually:

1. Expand the Managed devices node in the Kaspersky Security Center Administration Console tree.

2. Select the administration group for which you want to con gure application settings.

3. Perform one of the following actions in the details pane of the selected administration group:

To con gure application settings for a group of protected devices, select the Policies tab and open the
Properties: <Policy name> window.

To con gure the application for a single protected device, select the Devices tab and open the Application
settings window.

If an active Kaspersky Security Center policy is applied to a device and blocks changes to application
settings, then these settings cannot be edited in the Application settings window.

4. In the Application settings section, click the Settings button in the Security and reliability subsection.

5. In the Security settings window, con gure the following settings:

In the Password protection settings section, enable or disable the Protect application processes from
external threats option.

In the Password protection settings section, set a password to protect access to Kaspersky Embedded
Systems Security functions.

In the Self-defense section, con gure the settings for recovery of Kaspersky Embedded Systems Security
tasks when the application returns an error or terminates.

Perform task recovery

Reliability settings

In the Recover on-demand scan tasks no more than (times) section, specify limitations on protected
device load created by Kaspersky Embedded Systems Security after switching to UPS power:

Do not start scheduled scan tasks

93
Stop current scan tasks

In the Password protection settings section, set a password to protect access to Kaspersky Embedded
Systems Security functions.

6. Click OK.

The scalability and reliability settings are saved.

Con guring connection settings using Kaspersky Security Center

The con gured connection settings are used to connect Kaspersky Embedded Systems Security to update and
activation servers and during integration of applications with KSN services.

To con gure the connection settings take the following steps:

1. Expand the Managed devices node in the Kaspersky Security Center Administration Console tree.

2. Select the administration group for which you want to con gure application settings.

3. Perform one of the following actions in the details pane of the selected administration group:

To con gure application settings for a group of protected devices, select the Policies tab and open the
Properties: <Policy name> window.

To con gure the application for a single protected device, select the Devices tab and open the Application
settings window.

If an active Kaspersky Security Center policy is applied to a device and blocks changes to application
settings, then these settings cannot be edited in the Application settings window.

4. In the Application settings section, click the Settings button in the Connections subsection.
The Connection settings window opens.

5. In the Connection settings window, con gure the following settings:

In the Proxy server settings section, select the proxy server usage settings:

Do not use proxy server .

Use the speci ed proxy server .

IP address or symbolic name of the proxy server and the port number.

Do not use proxy server for local addresses .

In the Proxy server authentication settings section, specify the authentication settings:

Select the authentication settings in the drop-down list.

Do not use authentication – authentication is not performed. This mode is selected by default.

94
Use NTLM authentication – authentication is performed using the NTLM network authentication
protocol developed by Microsoft.

Use NTLM authentication with user name and password – authentication is performed with a user
name and password using the NTLM network authentication protocol developed by Microsoft.

Apply user name and password – authentication is performed using the user name and password.

Enter the user name and password, if needed.

In the Licensing section, clear or select the Use Kaspersky Security Center as a proxy server when
activating the application.

6. Click OK.

The con gured connection settings are saved.

Con guring scheduled start of local system tasks

You can use policies to allow or block start of the local system On-Demand Scan task and the Update task
according to the schedule con gured locally on each protected device in the administration group:

If the scheduled start of a speci c type of local system task is prohibited by a policy, these tasks will not be
performed on the protected device according to the schedule. You can start local system tasks manually.

If the scheduled start of a speci c type of local system task is allowed by a policy, these tasks will be performed
in accordance with the scheduled parameters con gured locally for this task.

By default, starting a local system task is prohibited by policy.

We recommend that you do not allow local system tasks to start if updates or on-demand scans are
administered by Kaspersky Security Center group tasks.

If you do not use group update or on-demand scan tasks, allow local system tasks to be started in the policy.
Kaspersky Embedded Systems Security will perform application database and module updates, and start all local
system on-demand scan tasks in accordance with the default schedule.

You can use policies to allow or block the scheduled start of the following local system tasks:

On-Demand Scan tasks: Critical Areas Scan, Quarantine Scan, Scan at Operating System Startup, Application
Integrity Control, Baseline File Integrity Monitor.

Update tasks: Database Update, Software Modules Update, Copying Updates.

If the protected device is excluded from the administration group, the local system tasks schedule will be
enabled automatically.

To allow or block the scheduled start of Kaspersky Embedded Systems Security local system tasks in a policy:

1. In the Managed devices node in the Administration Console tree, expand the required group and select the
Policies tab.

95
2. On the Policies tab, in the context menu of the policy for which you want to schedule Kaspersky Embedded
Systems Security local system tasks for the group of protected devices, select Properties.

3. In the Properties: <Policy name> window, open the Application settings section. In the Run local system tasks
section, click the Settings button and do one of the following:

Select the On-demand scan tasks and Update tasks and Copying Update task check boxes to allow the
scheduled launch of the listed tasks.

Clear the On-demand scan tasks and Update tasks and Copying Update task check boxes to disable the
scheduled launch of the listed tasks.

Selecting or clearing the check box will not a ect the start settings of any local custom tasks of this type.

4. Make certain that the policy you are con guring is active and applied to the selected group of protected
devices.

5. Click OK.

The con gured task schedule settings are applied for the selected tasks.

Con guring Quarantine and Backup settings in Kaspersky Security Center

To con gure general Backup settings in Kaspersky Security Center:

1. Expand the Managed devices node in the Kaspersky Security Center Administration Console tree.

2. Select the administration group for which you want to con gure application settings.

3. Perform one of the following actions in the details pane of the selected administration group:

To con gure application settings for a group of protected devices, select the Policies tab and open the
Properties: <Policy name> window.

To con gure the application for a single protected device, select the Devices tab and open the Application
settings window.

If an active Kaspersky Security Center policy is applied to a device and blocks changes to application
settings, then these settings cannot be edited in the Application settings window.

4. In the Supplementary section, click the Settings button in the Storages subsection.

5. Use the Backup tab of the Storages settings window to con gure the following Backup settings:

To specify the backup folder, use the Backup folder eld to select the required folder on the local drive of
the protected device, or enter its full path.

To set the maximum Backup size, select the Maximum Backup size (MB) check box and specify the relevant
value in megabytes in the entry eld.

To set the Backup free space threshold:

96
De ne the value of the Maximum Backup size (MB) setting.

Select the Threshold value for space available (MB) check box.

Specify the minimum value of free space in the Backup folder in megabytes.

To specify a folder for restored objects, do one of the following:

Select the relevant folder on a local drive of the protected device in the Restoration settings section.

Enter the name of the folder and the full path to it in the Target folder for restoring objects eld.

6. In the Storages settings window on the Quarantine tab, con gure the following Quarantine settings:

To change the Quarantine folder, in the Quarantine folder entry eld specify the complete path to the
folder on the local drive of the protected device.

To set the maximum Quarantine size, select the Maximum Quarantine size (MB) check box and specify the
value of this parameter in megabytes in the entry eld.

To set the minimum amount of free space in Quarantine, select the Maximum Quarantine size (MB) check
box and the Threshold value for space available (MB) check box, and then specify the value of this
parameter in megabytes in the entry eld.

To change the folder to which objects are restored from Quarantine, in the Target folder for restoring
objects eld specify the complete path to the folder on the local drive of the protected device.

7. Click OK.

The con gured Quarantine and Backup settings are saved.

Creating and con guring policies

This section provides information on using Kaspersky Security Center policies for managing Kaspersky Embedded
Systems Security on several protected devices.

Global Kaspersky Security Center policies can be created to manage protection on several devices where
Kaspersky Embedded Systems Security is installed.

A policy enforces the Kaspersky Embedded Systems Security settings, functions and speci ed tasks on all the
protected devices for one administration group.

Several policies for one administration group can be created and enforced in turns. The policy currently active for a
group has active status in the Administration Console.

Information on policy enforcement is logged in the Kaspersky Embedded Systems Security system audit log. This
information can be viewed in the Application Console in the System audit log node.

Kaspersky Security Center o ers one way to apply policies on protected devices: Prohibit changing the settings.
After a policy has been applied, Kaspersky Embedded Systems Security uses the values of settings for which you
have selected the icon in the policy properties on protected devices. In this case, Kaspersky Embedded Systems
Security does not use the values of settings in e ect before the policy was applied. Kaspersky Embedded
Systems Security does not apply the values of active policy settings for which the icon is selected in the policy
properties.

97
If a policy is active, the values of settings marked with the icon in the policy are displayed in the Application
Console but cannot be edited. The values of other settings (marked with the icon in the policy) can be edited in
the Application Console.

The settings con gured in the active policy and marked with the icon also block changes in Kaspersky Security
Center for one protected device in the Properties: <Protected device name> window.

Settings that are speci ed and sent to the protected device using an active policy are saved in the local task
settings after the active policy is disabled.

If the policy de nes the settings for a Real-Time Computer Protection task, and if such a task is currently running,
then any settings de ned by the policy will be modi ed as soon as the policy is applied. If the task is not running,
the settings are applied when it starts.

Creating a policy
The process of creating a policy involves the following steps:

1. Creating a policy using the policy wizard. The Real-Time Computer Protection tasks settings can be con gured
using the wizard dialogs.

2. Con guring policy settings. In the Properties: <Policy name> window of the created policy, you can de ne the
Real-Time Computer Protection tasks settings, the general settings of Kaspersky Embedded Systems Security,
the Quarantine and Backup settings, the level of detail for task logs, as well as user and administrator
noti cations about Kaspersky Embedded Systems Security events.

To create a policy for a group of protected devices running the installed Kaspersky Embedded Systems Security:

1. Expand the Managed devices node in the Kaspersky Security Center Administration Console tree, then select
the administration group containing the protected devices for which you wish to create a policy.

2. In the details pane of the selected administration group, select the Policies tab and click the Create a policy
link to start the wizard and create a policy.
The New Policy Wizard window opens.

3. In the Select the application for which you want to create a group policy window, select Kaspersky
Embedded Systems Security and click Next.

4. Enter a group policy name in the Name eld.

The policy name cannot contain the following symbols: " * < : > ? \ | .

5. To apply a policy con guration used in a previous version of the application:

a. Select the Use settings from policy for previous versions of application check box.

b. Click the Select button.

c. Select the policy you want to apply.

d. Click Next.
98
6. In the Operation type selection window, select one of the following options:

New, to create new a policy with default settings.

Import policy created with previous versions of Kaspersky Embedded Systems Security, to use the
imported policy as a template.

Click Browse and select a con guration le with an existing policy.

7. In the Real-Time Computer Protection window, con gure the Real-Time File Protection, KSN Usage tasks,
Exploit Prevention, and Script Monitoring as required. Allow or block the use of con gured policy tasks on
protected devices on the network:

Click the button to allow changes to task settings on network protected devices and block the application
of task settings con gured in the policy.

Click the button to deny changes to task settings on network protected devices and allow the application
of task settings con gured in the policy.

The newly created policy uses the default settings of the Real-Time Computer Protection tasks.

To edit the default settings of the Real-Time File Protection task, click the Settings button in the Real-Time
File Protection subsection. In the window that opens, con gure the task according to your needs. Click OK.

To edit the default settings of the KSN Usage task, click the Settings button in the KSN Usage subsection.
In the window that opens, con gure the task according to your needs. Click OK.

To start the KSN Usage task, you need to accept the KSN Statement in the KSN data handling window.

To edit the default settings of the Exploit Prevention component, click the Settings button in the Exploit
Prevention subsection. In the window that opens, con gure the functionality according to your needs. Click
OK.

8. Select one of the following policy statuses in the Create the group policy for the application window:

Active policy if you want to apply the policy immediately after it is created. If an active policy already exists
in the group, it is deactivated and a new policy is applied.

Inactive policy if you do not want to apply the created policy immediately. In this case the policy may be
activated later.

Select the Open policy properties immediately after they are created check box to automatically close
the New Policy Wizard and con gure the newly created policy after clicking the Next button.

9. Click the Finish button.

The created policy appears in the list of policies on the Policies tab of the selected administration group. In the
Properties: <Policy name> window, you can con gure other settings, tasks and functions of Kaspersky
Embedded Systems Security.

Kaspersky Embedded Systems Security policy settings sections

General
99
In the General section, you can con gure the following policy settings:
Indicate the policy status.

Con gure the inheritance settings for parent and child policies.

Event noti cation

In the Event noti cation section, you can con gure settings for the following event categories:
Critical events

Functional failure

Warning

Informational message
You can use the Properties button to con gure the following settings for the selected events:

Indicate the storage location and retention period for information about logged events.

Indicate the noti cation method for logged events.

Application settings

Settings of the Application Settings section

Section Options

Scalability, In the Scalability, interface and scan settings subsection, you can click the Settings
interface and button to con gure the following settings:
scan settings Choose whether to con gure scalability settings automatically or manually.

Con gure the application icon display settings.

Security and In the Security and reliability subsection, you can click the Settings button to con gure
reliability the following settings:
Con gure the task run settings.

Specify how the application should behave when the protected device is running on
UPS power.

Enable or disable password-protection of application functions.

Connections In the Connections subsection, you can use the Settings button to con gure the
following proxy server settings for connecting with update servers, activation servers,
and KSN:
Con gure the proxy server settings.

Specify the proxy server authentication settings.

Run local In the Run local system tasks subsection, you can use the Settings button to allow or
system tasks block the start of the following local system tasks according to a schedule con gured on
protected devices:
100
On-Demand Scan task.

Update tasks and Copying Update task.

Supplementary

Settings of the Supplementary section

Section Options

Trusted Zone Click the Settings button on the Trusted Zone subsection to con gure the
following Trusted Zone application settings:
Create a list of Trusted Zone exclusions.

Enable or disable scanning of le backup operations.

Create a list of trusted processes.

Removable Drives Scan In the Removable Drives Scan subsection, you can use the Settings button
to con gure scan settings for removable drives.

User access permissions In the User access permissions for Kaspersky Security Service
for Kaspersky Security management subsection, you can con gure user rights and user group rights
Service management to manage the Kaspersky Security Service.

Storages In the Storages subsection, click the Settings button to con gure the
following Quarantine, Backup and Blocked Hosts settings:
Specify the path to the folder where you want to place Quarantine or
Backup objects.

Con gure the maximum size of Backup and Quarantine and also specify
the free space threshold.

Specify the path to the folder where you want to place objects restored
from Quarantine or Backup.

Con gure how long hosts are blocked.

Real-Time Computer Protection

Settings of the Real-Time Computer Protection section

Section Options

Real-Time File In the Real-Time File Protection subsection, you can click the Settings button to
Protection con gure the following task settings:
Indicate the protection mode.

Con gure use of the Heuristic Analyzer.

101
Con gure use of the Trusted Zone.

Indicate the protection scope.

Set the security level for the selected protection scope: you can select a prede ned
security level or con gure the security settings manually.

Con gure the task start settings.

KSN Usage In the KSN Usage subsection, you can click the Settings button to con gure the following
task settings:
Indicate the actions to perform on KSN untrusted objects.

Con gure data transfer and usage of Kaspersky Security Center as a KSN proxy server.
Click the Data processing button to accept or reject the KSN Statement, and
con gure data exchange settings.

Exploit In the Exploit Prevention subsection, you can click the Settings button to con gure the
Prevention following task settings:
Select the process memory protection mode.

Indicate the actions to reduce exploit risks.

Add to and edit the list of protected processes.

Local activity control

Settings of the Local Activity Control section

Section Options

Applications In the Applications Launch Control subsection, you can use the Settings button to
Launch Control con gure the following task settings:
Select the task operating mode.

Con gure settings for controlling subsequent application launches.

Indicate the scope of the Applications Launch Control rules.

Con gure use of KSN.

Con gure the task start settings.

Device Control In the Device Control subsection, you can click the Settings button to con gure the
following task settings:
Select the task operating mode.

Con gure the task start settings.

102
Network activity control

Settings of the Network activity control section

Section Options

Firewall In the Firewall Management subsection, you can click the Settings button to con gure
Management the following task settings:
Con gure rewall rules.

Con gure the task start settings.

System inspection

Settings of the System Inspection section

Section Options

File In the File Integrity Monitor subsection, you can con gure control over changes in les that
Integrity can signify a security breach on a protected device.
Monitor

Log In the Log Inspection section, you can con gure protected device integrity monitoring based
Inspection on the results of an analysis of the Windows Event Log.

Logs and noti cations

Settings of the Logs and Noti cations section

Section Options

Task logs In the Task logs subsection, you can click the Settings button to con gure the following
settings:
Specify the importance level of the logged events for the selected software
components.

Specify the task log storage settings.

Specify the SIEM integration with Kaspersky Security Center settings.

Event In the Event noti cations subsection, you can click the Settings button to con gure the
noti cations following settings:
Specify the user noti cation settings for the Object detected, Untrusted external
device detected and restricted, and Host listed as untrusted events.

Specify the administrator noti cation settings for any event selected in the event list
in the Noti cation settings section.

Interaction In the Interaction with Administration Server section, you can click the Settings button
with to select the types of objects (including Quarantine and Backup objects) that Kaspersky
Administration Embedded Systems Security will report to Administration Server.
Server

103
Revision history

In the Revision history section, you can manage revisions: compare with the current revision or other policy, add
descriptions of revisions, save revisions to a le or perform a rollback.

Con guring a policy

In the Properties: <Policy name> window of an existing policy, you can con gure:

General Kaspersky Embedded Systems Security settings.

Quarantine and Backup settings.

Trusted Zone, Real-Time Computer Protection, and Local Activity Control settings.

Level of detail for task logs.

User and administrator noti cations about Kaspersky Embedded Systems Security events.

Access privileges for managing the application and the Kaspersky Security Service.

To con gure the policy settings:

1. Expand the Managed devices node in the tree of the Administration Console of Kaspersky Security Center.

2. Expand the administration group for which you want to con gure the associated policy settings, and open the
Policies tab in the details pane.

3. Select the policy you want to con gure and open the Properties: <Policy name> window using one of the
following methods:

Selecting the Properties option in the policy context menu.

Clicking the Con gure policy link in the right details pane of the selected policy.

Double-clicking the selected policy.

4. On the General tab in the Policy status section, enable or disable the policy. To do so, select one of the options
below:

Active policy, if you want the policy to be applied on all protected devices within the selected
administration group.

Inactive policy, if you want to activate the policy later on all protected devices within the selected
administration group.

The Out-of-o ice policy setting is not available when you manage Kaspersky Embedded Systems
Security.

5. In the Event con guration, Application settings, Supplementary, Logs and noti cations, and Revision
history sections, you can modify the application con guration (see table below).

104
6. In the Real-Time Computer Protection , Local activity control, Network activity control, and System
inspection sections, con gure the application settings and application launch settings (see the table below).

You can enable or disable the execution of any task on all protected devices within the administration
group by means of a Kaspersky Security Center policy.

You can con gure the application of policy settings on all network protected devices for each individual
software component.

7. Click OK.

The con gured settings are applied in the policy.

Creating and con guring tasks using Kaspersky Security Center

This section contains information about Kaspersky Embedded Systems Security tasks, and how to create them,
con gure task settings, and start and stop them.

About task creation in Kaspersky Security Center

You can create group tasks for administration groups and sets of protected devices. You can create the following
types of tasks via Kaspersky Security Center:

Activation of the Application

Copying Updates

Database Update

Software Modules Update

Rollback of Database Update

On-Demand Scan

Application Integrity Control

Baseline File Integrity Monitor

Rule Generator for Applications Launch Control

Rule Generator for Device Control

You can create local and group tasks in the following ways:

For one protected device: in the Properties <Protected device name> window in the Tasks section.

For an administration group: in the results pane of the node of the selected group of protected devices on the
Tasks tab.
105
For a set of protected devices: in the results pane of the Device selections node.

You can use policies to disable schedules for update and On-Demand Scan local system tasks on all protected
devices in the same administration group.

General information on tasks in Kaspersky Security Center is provided in Kaspersky Security Center Help.

Creating a task using Kaspersky Security Center

To create a new task in the Kaspersky Security Center Administration Console:

1. Start the task wizard in one of the following ways:

To create a local task:

a. Expand the Managed devices node in the Administration Console tree and select the group that the
protected device belongs to.

b. In the results pane of the Devices tab, open the context menu of the protected device and select
Properties.

c. In the window that opens, click the Add button in the Tasks section.

To create a group task:

a. Expand the Managed devices node in the Kaspersky Security Center Administration Console tree.

b. Select the administration group for which you want to create a task.

c. In the results pane, open the Tasks tab and select Create a task.

To create a task for a custom set of protected devices:

a. Expand the Managed devices node in the Kaspersky Security Center Administration Console tree.

b. Select the administration group containing the protected devices.

c. Select a protected device or a custom set of protected devices.

d. From the Perform action drop-down list, select the Create a task option.

The task wizard window opens.

2. In the Select the task type window, under the heading Kaspersky Embedded Systems Security 3.1, select the
type of the task to be created.

3. If you selected any task type except Rollback of Database Update, Application Integrity Control or Activation
of the Application, the Settings window opens. Depending on the task type, the settings may vary:

Create an On-Demand Scan task.

To create an update task, con gure task settings based on your requirements:

106
a. Select an update source in the Update source window.

b. Click the Connection settings button. The Connection settings window opens.

c. In the Connection settings window:

Specify the FTP server mode for connecting to the protected device.
Modify the connection timeout when connecting to the update source, if required.
Con gure proxy server access settings when connecting to the update source.
Specify the location of the protected device(s) to optimize update downloads.

To create a Software Modules Update task, con gure the required application module update settings in the
Settings for application software module updates window:

a. Select whether to copy and install critical software module updates, or only to check for their availability
without installation.

b. If Copy and install critical software modules updates is selected: a protected device restart may be
required to apply the installed software modules. If you wish Kaspersky Embedded Systems Security to
restart the protected device automatically upon task completion, select the Allow operating system
restart check box.

c. To obtain information about Kaspersky Embedded Systems Security module upgrades, select Receive
information about available scheduled software modules updates.
Kaspersky does not publish planned update packages on the update servers for automatic installation;
these can be downloaded manually from the Kaspersky website. An administrator noti cation about the
New scheduled software modules update is available event can be con gured. This will contain the
URL of our website from which scheduled updates can be downloaded.

To create the Copying Updates task, specify the set of updates and the destination folder in the Copying
updates settings window.

To create the Activation of the Application task:

a. In the Activation Settings window, specify the key le that you want to use to activate the application.

b. Select the Use as additional key check box if you want to create a task for renewing the license.

Create the Rule Generator for Applications Launch Control task.

Create the Rule Generator for Device Control task.

4. Con gure the task schedule.

You can con gure a schedule for all task types except the Rollback of Database Update task.

5. Click OK.

6. If the task is being created for a set of protected devices, select the network (or group) of protected devices
on which this task will be executed.

7. In the Selecting an account to run the task window, specify the account you want to use to run the task.

8. In the De ne the task name window, enter the task name (no longer than 100 characters) not containing the
symbols " * < > ? \ | : .

107
We recommend that you add the task type to the task name (for example, "On-demand scan of shared
folders").

9. In the Finishing creating the task window:

a. Select the Run task after Wizard nishes check box if you want the task to start as soon as it is created.

b. Click Finish.

The task created is displayed in the Tasks list.

Con guring local tasks in the Application settings window of the Kaspersky
Security Center
To con gure local tasks or general application settings for a single network protected device:

1. Expand the Managed devices node in the tree of the Administration Server of Kaspersky Security Center and
select the group that the protected device belongs to.

2. In the results pane, select the Devices tab.

3. Open the Properties: <Protected device name> window in one of the following ways:

Double-click the name of the protected device.

Open the context menu of the protected device name and select the Properties item.

The Properties: <Protected device name> window opens.

4. To con gure local task settings, perform the following steps:

a. Go to the Tasks section.

b. In the task list, select a local task to con gure:

Double-click the task name in the list of tasks.

Select the task name and click the Properties button.

Select Properties in the context menu of the selected task.

The Properties: <Task name> window opens.

5. To con gure application settings, perform the following steps:

a. Go to the Applications section.

b. In the installed applications list, select an application to con gure:

Double-click the application name in the list of installed applications.

Select the application name in the list of installed applications and click the Properties button.

Open the context menu of the application name in the list of installed applications and select the
Properties item.
108
The <Application name> settings window opens.

If the application is currently under the Kaspersky Security Center policy and this policy prohibits
changing the application settings, you cannot edit these settings via the <Application name> settings
window.

Con guring group tasks in Kaspersky Security Center

When managing Kaspersky Embedded Systems Security from Kaspersky Security Center Cloud Console, you
cannot add custom HTTP and FTP servers or network folders manually.

To con gure a group task for multiple protected devices:

1. In the Kaspersky Security Center Administration Console tree, expand the Managed devices node and select
the administration group for which you want to con gure the application tasks.

2. In the details pane of a selected administration group, open the Tasks tab.

3. In the list of previously created group tasks, select a task you want to con gure.

4. Open the Properties: <Task name> window in one of the following ways:

Double-click the name of the task in the list of created tasks.

Select the name of the task in the list of created tasks and click the Con gure task link.

Open the context menu of the task name in the list of created tasks and select the Properties item.

In the Noti cation section, con gure the task event noti cation settings. For detailed information on how
to con gure settings in this section, see Kaspersky Security Center Help.

5. Depending on the type of con gured task, do one of the following actions:

To con gure an On-Demand Scan task:

In the Scan scope section, con gure a scan scope.

In the Options section, con gure the task priority level and integration with other software components.

To con gure an update task, adjust the task settings based on your requirements:

In the Settings section, con gure update source settings and disk subsystem optimization.

Click the Connection settings button to con gure update source connection settings.

To con gure the Software Modules Update task:

Go to the Settings for application software module updates section.

109
Choose an action to perform: copy and install critical updates of software modules or only check for
them.

To con gure the Copying Updates task, specify the set of updates and the destination folder in the
Copying updates settings section.

To con gure the Activation of the Application task:

In the Activation Settings section, apply the key le that you want to use to activate the application.

Select the Use as additional key check box if you want to add an activation code or key le for renewing
the license.

To con gure the automatic generation of allowing rules for Device Control, in the Settings section, specify
the settings that will be used to create the list of allowing rules.

6. Con gure the task schedule in the Schedule section. You can schedule all task types except Rollback of
Database Update.

7. In the Account section, specify the account whose rights will be used to run the task. For detailed information
regarding con guring settings in this section, see the Kaspersky Security Center Help.

8. If required, specify the objects to exclude from the task scope in the Exclusions from task scope section. For
detailed information regarding con guring settings in this section, see Kaspersky Security Center Help.

9. In the Properties: <Task name> window, click OK.

The newly con gured group task settings are saved.

Con gurable group task settings are summarized in the table below.

Kaspersky Embedded Systems Security group tasks settings

Kaspersky Section in the Task settings

Embedded Properties:
Systems <Task name>
Security window
task types

Rule Settings While con guring the Rule Generator for Applications Launch Control task
Generator settings you can select how to create allowing rules:
for
Create allowing rules based on running applications
Applications
Launch
Create allowing rules for applications from the folders
Control

Options You can specify actions to perform while creating allowing rules for
applications launch control:
Use digital certi cate

Use digital certi cate subject and thumbprint

If the certi cate is missing, use

Use SHA256 hash

Generate rules for user or group of users

110
You can con gure settings for con guration les with allowing rule lists
that Kaspersky Embedded Systems Security creates upon task
completion.

Schedule You can con gure settings to schedule a task.

Rule Settings
Select the operation mode: consider system data on all external devices
Generator
that have ever been connected or only consider currently connected
for Device
external devices.
Control
Con gure settings for con guration les with allowing rule lists that
Kaspersky Embedded Systems Security creates upon task completion.

Schedule You can con gure settings to start the task on a schedule.

Activation Activation To activate the application or to renew the license, you can add a key le.
of the Settings
Application
Schedule You can con gure settings to start the task on a schedule.

Copying Update You can specify Kaspersky Security Center Administration Server or
Updates source Kaspersky update servers as an application update source. You can also
create a customized list of update sources: by adding custom HTTP and
FTP servers or network folders manually and setting them as update
sources.
You can specify the usage of Kaspersky update servers, if manually
customized servers are not available.

Connection In the Connection settings window linked from the Update source section,
settings you can specify whether a proxy server should be used to establish the
window connection to Kaspersky update servers or any other server.

Copying You can specify the set of updates intended for copying.
updates
In the Folder for local storage of copied updates eld, specify a path to
settings
the folder that will be used by Kaspersky Embedded Systems Security to
store copied updates.

Schedule You can con gure settings to start the task on a schedule.

Database Settings You can specify Kaspersky Security Center Administration Server or
Update Kaspersky update servers as an application update source in the Update
source group box. You can also create a customized list of update sources:
by adding custom HTTP and FTP servers or network folders manually and
setting them as update sources.
You can specify usage of Kaspersky update servers if manually customized
servers are not available.
In the Disk I/O usage optimization section you can con gure the feature
that reduces the workload on the disk subsystem:
Lower the load on the disk I/O

RAM used for optimization (MB)

Schedule You can con gure settings to start the task on a schedule.

111
Software Update You can specify Kaspersky Security Center Administration Server or
Modules source Kaspersky update servers as an application update source. You can also
Update create a customized list of update sources: by adding custom HTTP and
FTP servers or network folders manually and setting them as update
sources.
You can specify the usage of Kaspersky update servers, if manually
customized servers are not available.

Connection In the Update source connection settings group box, you can specify
settings whether a proxy server should be used to establish the connection to
window Kaspersky update servers or any other server.

Settings You can specify which actions Kaspersky Embedded Systems Security
for should perform when critical software module updates are available or have
application already been installed, and also whether Kaspersky Embedded Systems
software Security should receive information regarding scheduled updates.
module
updates

Schedule You can con gure settings to start the task on a schedule.

On-Demand Scan scope You can specify a scan scope for the On-Demand Scan task and con gure
Scan security level settings.
Settings
On- In the On-demand scan settings window linked from the Scan scope
demand section, you can select one of the prede ned security levels or customize a
scan security level manually.
settings
window

Options You can activate or deactivate use of the heuristic analyzer for the On-
Demand Scan task and set the analysis level using a slider in the Heuristic
analyzer group box.
In the Integration with other components group box, you can con gure the
following settings:
Apply Trusted Zone for On-Demand Scan tasks.

Apply KSN usage for On-Demand Scan tasks.

Set a priority for the On-Demand Scan task: perform task in background
mode (low priority) or consider task a Critical Areas Scan.

Schedule You can con gure settings to start the task on a schedule.

Application Schedule You can con gure settings to start the task on a schedule.
Integrity
Control

Baseline File Schedule You can con gure settings to start the task on a schedule.
Integrity
Monitor

For the Rollback of Database Update task, you can con gure only the standard task settings controlled by
Kaspersky Security Center in the Noti cation and Exclusions from task scope sections.

For detailed information on con guring settings in these sections, see Kaspersky Security Center Help.

112
Activation of the Application task
To con gure an Activation of the Application task:

1. In the Kaspersky Security Center Administration Console tree, expand the Managed devices node and select
the administration group for which you want to con gure the application tasks.

2. In the details pane of a selected administration group, open the Tasks tab.

3. In the list of previously created group tasks, select a task you want to con gure.

4. Open the Properties: <Task name> window in one of the following ways:

Double-click the name of the task in the list of created tasks.

Select the name of the task in the list of created tasks and click the Con gure task link.

Open the context menu of the task name in the list of created tasks and select the Properties item.

In the Noti cation section, con gure the task event noti cation settings. For detailed information on how
to con gure settings in this section, see Kaspersky Security Center Help.

5. In the Activation Settings section, specify the key le that you want to use to activate the application. Select
the Use as additional key check box if you want to add a key to extend the license.

6. Con gure the task schedule in the Schedule section (you can con gure a schedule for all task types except
Rollback of Database Update).

7. In the Account section, specify the account whose rights will be used to run the task.

8. If required, specify the objects to exclude from the task scope in the Exclusions from task scope section.

For detailed information on con guring settings in these sections, see Kaspersky Security Center Help.

9. In the Properties: <Task name> window, click OK.

The newly con gured group task settings are saved.

Update tasks
To con gure the Copying Updates, Database Update, or Software Modules Update tasks:

1. In the Kaspersky Security Center Administration Console tree, expand the Managed devices node and select
the administration group for which you want to con gure the application tasks.

2. In the details pane of a selected administration group, open the Tasks tab.

3. In the list of previously created group tasks, select a task you want to con gure.

113
4. Open the Properties: <Task name> window in one of the following ways:

Double-click the name of the task in the list of created tasks.

Select the name of the task in the list of created tasks and click the Con gure task link.

Open the context menu of the task name in the list of created tasks and select the Properties item.

In the Noti cation section, con gure the task event noti cation settings. For detailed information on how
to con gure settings in this section, see Kaspersky Security Center Help.

5. In the Update source section, do the following:

a. Select the update source:

Kaspersky Security Center Administration Server.

Kaspersky update servers.

Custom HTTP or FTP servers, or network folders.

To use an SMB-shared folder as an update source, you need to specify a user account to start a task.

You can specify the usage of Kaspersky update servers if manually customized servers are not available.

b. Click the Connection settings button.

c. In the Connection settings window that opens, con gure the use of a proxy server for connecting to
Kaspersky update servers and other servers.

d. For the Database Update task, in the Disk I/O usage optimization section, con gure the feature that
reduces the workload on the disk subsystem:

The Disk I/O usage optimization section is available only for the Database Update task.

Lower the load on the disk I/O

RAM used for optimization (MB)

6. For the Software Modules Update task, in the Settings for application software module updates section,
specify which actions Kaspersky Embedded Systems Security should perform when critical software module
updates are available or information about planned updates is available.
You can also specify which actions Kaspersky Embedded Systems Security should perform when critical
updates are installed.

The Settings for application software module updates section is available only for the Software Modules
Update task.

7. For the Copying Updates task, in the Copying updates settings section, specify the set of updates and the
destination folder.
114
The Copying updates settings section is available only for the Copying Updates task.

8. Con gure the task schedule in the Schedule section (you can con gure a schedule for all task types except
Rollback of Database Update).

9. In the Account section, specify the account whose rights will be used to run the task.

For detailed information on con guring settings in these sections, see Kaspersky Security Center Help.

10. In the Properties: <Task name> window, click OK.

The newly con gured group task settings are saved.

For the Rollback of Database Update task, you can con gure only the standard task settings controlled by
Kaspersky Security Center in the Noti cations and Exclusions from task scope sections. For detailed
information on con guring settings in these sections, see Kaspersky Security Center Help.

Application Integrity Control

To con gure the Application Integrity Control group task:

1. In the Kaspersky Security Center Administration Console tree, expand the Managed devices node and select
the administration group for which you want to con gure the application tasks.

2. In the details pane of a selected administration group, open the Tasks tab.

3. In the list of previously created group tasks, select a task you want to con gure.

4. Open the Properties: <Task name> window in one of the following ways:

Double-click the name of the task in the list of created tasks.

Select the name of the task in the list of created tasks and click the Con gure task link.

Open the context menu of the task name in the list of created tasks and select the Properties item.

In the Noti cation section, con gure the task event noti cation settings. For detailed information on how
to con gure settings in this section, see Kaspersky Security Center Help.

5. In the Devices section, select the devices for which you want to con gure the Application Integrity Control
task.

6. Con gure the task schedule in the Schedule section (you can con gure a schedule for all task types except
Rollback of Database Update).

7. In the Account section, specify the account whose rights will be used to run the task.

8. If required, specify the objects to exclude from the task scope in the Exclusions from task scope section.

115
For detailed information on con guring settings in these sections, see Kaspersky Security Center Help.

9. In the Properties: <Task name> window, click OK.

The newly con gured group task settings are saved.

Con guring crash diagnostics settings in Kaspersky Security Center

If a problem occurs when operating Kaspersky Embedded Systems Security (for example, the application crashes),
you can diagnose it. To do this, you can enable the creation of trace les and a dump le for the Kaspersky
Embedded Systems Security process and send these les for analysis to Kaspersky Technical Support.

Kaspersky Embedded Systems Security does not send any trace or dump les automatically. Diagnostic data
can only be sent by a user who has the required permissions.

Kaspersky Embedded Systems Security writes information to trace les and the dump le in unencrypted
form. The folder where les are saved is selected by the user and managed by the operating system
con guration and Kaspersky Embedded Systems Security settings. You can con gure access permissions and
allow only required users to access logs, trace les and dump les.

To con gure crash diagnostics settings in Kaspersky Security Center:

1. In the Kaspersky Security Center Administration Console, open the Application settings window.

2. Open the Malfunction diagnosis section.

3. If you want the application to write debug information to a le, select the Write debug information to trace
le check box.

4. In the eld below, specify the folder where Kaspersky Embedded Systems Security will save trace les.

5. Con gure the level of detail of debug information .

6. Specify the maximum size of trace les.

7. Specify the maximum number of les for one trace log.

Kaspersky Embedded Systems Security will create up to the maximum number of trace les for each
component to be debugged.

8. Specify the components to be debugged. Component codes must be separated with a semicolon. The codes
are case sensitive (see table below).

Kaspersky Embedded Systems Security subsystem codes

Component Name of component

Code

* All components.

gui User interface subsystem, Kaspersky Embedded Systems Security snap-in in Microsoft
116
Management Console.

ak_conn Subsystem for integrating Network Agent and Kaspersky Security Center.

bl Control process, implements Kaspersky Embedded Systems Security control tasks.

wp Work process, handles anti-virus protection tasks.

blgate Kaspersky Embedded Systems Security remote management process.

ods On-Demand Scan subsystem.

oas Real-Time File Protection subsystem.

qb Quarantine and Backup subsystem.

scandll Auxiliary module for virus scans.

core Subsystem for basic anti-virus functionality.

avscan Anti-virus processing subsystem.

avserv Subsystem for controlling the anti-virus kernel.

prague Subsystem for basic functionality.

updater Subsystem for updating databases and software modules.

snmp SNMP protocol support subsystem.

perfcount Performance counter subsystem.

The trace settings of the Kaspersky Embedded Systems Security snap-in (gui) and the Administration Plug-in
for Kaspersky Security Center (ak_conn) are applied after these components are restarted. The trace settings
of the SNMP protocol support subsystem (snmp) are applied after the SNMP service is restarted. The trace
settings of the performance counter subsystem (perfcount) are applied after all processes that use
performance counters are restarted. Trace settings for other Kaspersky Embedded Systems Security
subsystems are applied as soon as the crash diagnostics settings are saved.
By default, Kaspersky Embedded Systems Security logs debug information for all Kaspersky Embedded
Systems Security components.
The entry eld is available if the Write debug information to trace le check box is selected.

9. If you want the application to create a dump le, select the Create dump le check box.

10. In the eld below, specify the folder in which Kaspersky Embedded Systems Security will save the dump le.

11. Click OK.

The con gured application settings are applied on the protected device.

Managing task schedules

You can schedule Kaspersky Embedded Systems Security tasks.

Scheduling tasks
You can schedule local system and custom tasks in the Application Console. You cannot schedule group tasks in
the Application Console.

117
To schedule group tasks using the Administration Plug-in:

1. In the Kaspersky Security Center Administration Console tree, expand the Managed devices node.

2. Select the group that the protected device belongs to.

3. In the results pane, select the Tasks tab.

4. Open the Properties: <Task name> window in one of the following ways:

Double-click the name of the task.

Open the context menu of the task name and select the Properties item.

5. Select the Schedule section.

6. In the Schedule settings block, select the Run by schedule check box.

Fields with schedule settings for the On-Demand Scan and Update tasks are unavailable if scheduling of
these tasks is blocked by a Kaspersky Security Center policy.

7. Con gure schedule settings in accordance with your requirements. To do this, perform the following actions:

a. In the Frequency list, select one of the following values:

Hourly, if you want the task to run at intervals of a speci ed number of hours; specify the number of
hours in the Every <number> hour(s) eld.

Daily, if you want the task to run at intervals of a speci ed number of days; specify the number of days in
the Every <number> day(s) eld.

Weekly, if you want the task to run at intervals of a speci ed number of weeks; specify the number of
weeks in the Every <number> week(s) eld. Specify the days of the week to start the task (by default
tasks run on Mondays).

At application launch, if you want the task to run every time Kaspersky Embedded Systems Security
starts.

After application database update, if you want the task to run after every update of the application
databases.

b. Specify the time for the rst task start in the Start time eld.

c. In the Start date eld, specify the date when the schedule starts.

After you have scheduled the start time, date and frequency of the task, the estimated time for the
next start is displayed.

Go to the Schedule tab and open the Task settings window. In the Next start eld in the top of the
window, the estimated start time is displayed. Each time you open the window, this estimated start time
is updated and displayed.

118
The Next start eld displays the Blocked by policy value if Kaspersky Security Center policy settings
prohibit scheduled local system tasks from starting.

8. Use the Advanced tab to con gure the following schedule settings in accordance with your requirements.

In the Task stop settings section:

a. Select the Duration check box and, in the elds to the right, enter the maximum number of hours and
minutes of task execution.

b. Select the Pause from check box and, in the elds to the right, enter the start and end values of a time
interval under 24 hours during which task execution will be paused.

In the Advanced settings section:

a. Select the Cancel schedule from check box and specify the date from which the schedule will cease to
apply.

b. Select the Run skipped tasks check box to enable the start of skipped tasks.

c. Select the Randomize the task start time within the interval of check box and specify a value in
minutes.

9. Click OK.

10. Click the Apply button to save the task start settings.

If you want to con gure application settings for a single task using Kaspersky Security Center, see section
"Con guring local tasks in the Application settings window of the Kaspersky Security Center".

Enabling and disabling scheduled tasks

You can enable and disable scheduled tasks either before or after con guring the schedule settings.

To enable or disable the task start schedule:

1. In the Kaspersky Security Center Administration Console tree, expand the Managed devices node.

2. Select the group that the protected device belongs to.

3. In the results pane, select the Tasks tab.

4. Open the Properties: <Task name> window in one of the following ways:

Double-click the name of the task.

Open the context menu of the task name and select the Properties item.

5. Select the Schedule section.

119
6. Do one of the following:

Select the Run by schedule check box if you want to enable scheduled task start.

Clear the Run by schedule check box if you want to disable scheduled task start.

The con gured task start schedule settings are not deleted and will be applied at the next scheduled
start of the task.

7. Click OK.

8. Click Apply.

The con gured task start schedule settings are saved.

Reports in Kaspersky Security Center

Reports in Kaspersky Security Center contain information about the status of managed devices. Reports are
based on information stored on Administration Server.

Starting from Kaspersky Security Center 11, the following types of reports are available for Kaspersky Embedded
Systems Security:

Report on the status of application components

Report on prohibited applications

Report on prohibited applications in test mode

See Kaspersky Security Center Help for detailed information about all Kaspersky Security Center reports and
how to con gure them.

Report on the status of Kaspersky Embedded Systems Security components

You can monitor the protection status of all network devices and get a structured overview of the set of
components on each device.

The report displays one of the following states for each component: Running, Paused, Stopped, Malfunction, Not
installed, Starting.

The Not Installed status refers to the component, not the application itself. If the application is not installed,
Kaspersky Security Center assigns the N/A (Not available) status.

You can create component selections and use ltering to display network devices with a speci ed set of
components and state.

See Kaspersky Security Center Help for detailed information about creating and using selections.

120
To review the component statuses in the application settings:

1. Expand the Managed devices node in the Kaspersky Security Center Administration Console tree and select
the administration group for which you want to con gure application settings.

2. Select the Devices tab and open the Application settings window.

3. Select the Components section.

4. Review the status table.

To review a Kaspersky Security Center standard report:

1. Select the Administration Server <Administration Server name> node in the Administration Console tree.

2. Open the Reports tab.

3. Double-click the Report on the status of application components list item.

A report is generated.

4. Review the following report details:

Graphical diagram.

Summary table of components and aggregated numbers of network devices where each of the
components is installed, and groups they belong to.

Detailed table specifying the component status, version, device and group.

Reports on prohibited applications in active and test modes

Based on the results of the Applications Launch Control task, two types of reports can be generated: a report on
prohibited applications (if the task is started in Active mode) and a report on prohibited applications in test mode
(if the task is started in Statistics only mode). These reports display information about blocked applications on the
protected devices of the network. Each report is generated for all administration groups and accumulates data
from all the Kaspersky applications installed on the protected devices.

To review a report on prohibited applications in Statistics only mode:

1. Start the Applications Launch Control task in Statistics only mode.

2. Select the Administration Server <Administration Server name> node in the Administration Console tree.

3. Open the Reports tab.

4. Double-click the Report on prohibited applications in test mode item.

A report is generated.

5. Review the following report details:

A graphical diagram that displays the top 10 applications with the largest number of blocked starts.

A summary table of application blocks, specifying the executable le name, reason, time of blocking, and
number of devices where the blocking occurred.

121
A detailed table specifying data about the device, le path and criteria for blocking.

To review a report on prohibited applications in Active mode:

1. Start the Applications Launch Control task in Active mode.

2. Select the Administration Server <Administration Server name> node in the Administration Console tree.

3. Open the Reports tab.

4. Double-click the Report on prohibited applications item.

A report is generated.

This report consists of the same data about blocks as the report on prohibited applications in test mode.

122
Working with the Kaspersky Embedded Systems Security Console
This section provides information about the Kaspersky Embedded Systems Security Console and describes how
to manage the application using the Application Console installed on the protected device or another device.

About the Kaspersky Embedded Systems Security Console

Kaspersky Embedded Systems Security Console is an isolated snap-in that you can add to the Microsoft
Management Console.

You can manage the application via the Application Console installed on the protected device or on another
device on the corporate network.

After the Application Console has been installed on another device, advanced con guration is required.

You can install the Application Console and Kaspersky Embedded Systems Security on di erent protected
devices assigned to di erent domains. In this case, there may be limitations on sending information from the
application to the Application Console. For example, after any application task starts, its status may remain
unchanged in the Application Console.

When installing the Application Console, the installation wizard creates the kavfs.msc le in the installation folder
and adds Kaspersky Embedded Systems Security snap-in to the list of isolated Microsoft Windows snap-ins.

You can start the Application Console from the Start menu. The Kaspersky Embedded Systems Security snap-in
msc- le can be run or added to the Microsoft Management Console as a new element in the tree.

Under a 64-bit version of Microsoft Windows, the Kaspersky Embedded Systems Security snap-in can be
added only in the 32-bit version of Microsoft Management Console. To add the Kaspersky Embedded
Systems Security snap-in, open Microsoft Management Console from the command line by executing the
command: mmc.exe /32.

Multiple Kaspersky Embedded Systems Security snap-ins can be added to one Microsoft Management Console
opened in author mode. You can then manage the protection of multiple devices on which Kaspersky Embedded
Systems Security is installed.

Kaspersky Embedded Systems Security Console interface

This section describes the primary elements of the application interface.

Kaspersky Embedded Systems Security Console window

The Kaspersky Embedded Systems Security Console is displayed in the Microsoft Management Console tree in
the form of a node.

123
After a connection has been established to Kaspersky Embedded Systems Security installed on a di erent
protected device, the name of the node is supplemented with the name of the protected device on which the
application is installed and the name of the user account under which the connection has been established:
Kaspersky Embedded Systems Security <Protected device name> as <account name>. Upon connection to
Kaspersky Embedded Systems Security installed on the same protected device with the Application Console, the
node name is Kaspersky Embedded Systems Security.

The Application Console tree

The Application Console tree displays the Kaspersky Embedded Systems Security node and the child nodes of
functional components of the application.

The Kaspersky Embedded Systems Security node includes the following child nodes:

Real-Time Computer Protection : manages the Real-Time Computer Protection tasks and KSN services. The
Real-Time Computer Protection node allows to con gure the following tasks:

Real-Time File Protection

KSN Usage

Exploit Prevention

Computer Control: controls launches of applications installed on a protected device, as well as external
devices connections. The Computer Control node allows to con gure the following tasks:

Applications Launch Control

Device Control

Firewall Management

Automated rule generators: con guring automatic generation of group and system rules for the Applications
Launch Control task and the Device Control task.

Rule Generator for Applications Launch Control

Rule Generator for Device Control

Rule generation group tasks <Task names> (if any)

Group tasks are created using Kaspersky Security Center. You cannot manage group tasks through the
Application Console.

System Inspection: con guring le operations control and Windows Event Log inspection settings.

File Integrity Monitor

Log Inspection

On-Demand Scan: manage On-Demand Scan tasks. There is a separate node for each task:

Scan at Operating System Startup

Critical Areas Scan

124
Quarantine Scan

Application Integrity Control

Custom tasks <Task names> (if any)

The node displays system tasks created when the application is installed, custom tasks, and group on-demand
scan tasks created and sent to a protected device using Kaspersky Security Center.

Update: manage updates for Kaspersky Embedded Systems Security databases and modules and copies the
update to a local update source folder. The node contains child nodes for administering each update task and
the last Rollback of Application Database Update task:

Database Update

Software Modules Update

Copying Updates

Rollback of Application Database Update

The node displays all custom and group update tasks created and sent to a protected device using Kaspersky
Security Center.

Storages: Management of Quarantine and Backup settings.

Quarantine

Backup

Logs and noti cations: manages local task logs, Security log and Kaspersky Embedded Systems Security
System audit log.

Security log

System audit log

Task logs

Licensing: add or delete Kaspersky Embedded Systems Security license keys, view license details.

Details pane

The details pane displays information about the selected node. If the Kaspersky Embedded Systems Security
node is selected, the details pane displays information about the current device protection status and information
about Kaspersky Embedded Systems Security, the protection status of its functional components, and the license
expiration date.

Context menu of the Kaspersky Embedded Systems Security node

You can use the items of the context menu of the Kaspersky Embedded Systems Security node to perform the
following operations:

125
Connect to another computer. Connect to another device to manage Kaspersky Embedded Systems Security
installed on it. You can also perform this operation by clicking the link in the lower right corner of the details
pane of the Kaspersky Embedded Systems Security node.

Start the service / Stop the service. Start or stop application or a selected task. To carry out these
operations, you can also use the buttons on the toolbar. You can also perform these operations in context
menus of application tasks.

Con gure removable drives scan settings. Con gure scanning of removable drives connected to the
protected device via the USB port.

Con gure Trusted Zone settings. View and con gure Trusted Zone settings.

Modify user rights of application management. View and con gure permissions to access Kaspersky
Embedded Systems Security functions.

Modify user rights of Kaspersky Security Service management. View and con gure user rights to manage
Kaspersky Security Service.

Export settings. Save the application settings in a con guration le in XML format. You can also perform this
operation in context menus of application tasks.

Import settings. Import application settings from a con guration le in XML format. You can also perform this
operation in context menus of application tasks.

Information about the application and available module updates. See information about Kaspersky
Embedded Systems Security and currently available application modules updates.

Refresh. Refresh the contents of the Application Console window. You can also perform this operation in
context menus of application tasks.

Properties. View and con gure settings of Kaspersky Embedded Systems Security or a selected task. You can
also perform this operation in context menus of application tasks.

To do so, you can also use the Application properties link in the details pane of the Kaspersky Embedded
Systems Security node or use the button on the toolbar.

Help. View information in Kaspersky Embedded Systems Security Help. You can also perform this operation in
context menus of application tasks.

Toolbar and context menu of Kaspersky Embedded Systems Security tasks

You can manage Kaspersky Embedded Systems Security tasks using the items of context menus of each task in
the Application Console tree.

You can use the items of the context menu to perform the following operations:

Start / Stop. Start or stop task execution. To carry out these operations, you can also use the buttons on the
toolbar.

Resume / Pause. Resume or pause task execution. To carry out these operations, you can also use the buttons
on the toolbar. This operation is available for the Real-Time Computer Protection tasks and the On-Demand
Scan tasks.

126
Add task. Create new custom task. This operation is available for On-demand scan tasks.

Open log. View and manage a task log. This operation is available for all tasks.

Remove task. Delete custom task. This operation is available for On-demand scan tasks.

Settings templates. Manage templates. This operation is available for Real-Time File Protection and On-
Demand Scan.

System Tray Icon in the noti cation area

Every time Kaspersky Embedded Systems Security automatically starts after a protected device restart, the
System Tray Icon is displayed in the toolbar noti cation area . It is displayed by default if the System Tray Icon
component was installed during application setup.

The appearance of the System Tray Icon re ects the current device protection status. There are two types of
status:

Active (colored icon) – at least one of the following tasks is currently running: Real-Time File
Protection or Applications Launch Control

Inactive (gray icon) – none of the following tasks are currently running: Real-Time File Protection and
Applications Launch Control

You can open the context menu of the System Tray Icon by right-clicking it.

The context menu o ers several commands to display application windows (see table below).

Context menu commands in System Tray Icon

Command Description

Open the Opens Kaspersky Embedded Systems Security Console (if installed).
Application
Console

Open Compact Opens the Compact Diagnostic Interface.

Diagnostic
Interface

About the Opens the About the application window containing information about Kaspersky
application Embedded Systems Security.
For registered Kaspersky Embedded Systems Security users, the About the
application window contains information about urgent updates that have been
installed.

Hide Hides the System Tray Icon in the toolbar noti cation area.

You can display the hidden System Tray Icon again at any time.

To display the System Tray Icon again,

in the Microsoft Windows Start menu, select All Programs > Kaspersky Embedded Systems Security >
System Tray Icon.

127
The names of settings may vary depending on the installed operating system.

In the general settings of Kaspersky Embedded Systems Security, you can enable or disable the display of the
System Tray Icon every time the application starts automatically following a protected device restart.

Managing Kaspersky Embedded Systems Security via the Application

Console on another device
You can manage Kaspersky Embedded Systems Security via the Application Console installed on a remote device.

To manage the application using Kaspersky Embedded Systems Security Console on a remote device, make sure
that:

The Application Console users on the remote device are added to the ESS Administrators group on the
protected device.

Network connections are allowed for the Kaspersky Security Management Service process (kavfsgt.exe) if
Windows Firewall is enabled on the protected device.

During installation of Kaspersky Embedded Systems Security, the Allow remote access check box is selected in
the Installation Wizard window.

If Kaspersky Embedded Systems Security on the remote device is password protected, enter the password to
access application management via the Application Console.

Con guring general application settings via the Application Console

General settings and malfunction diagnostics settings of Kaspersky Embedded Systems Security establish the
general operating conditions for the application. These settings allow you to control the number of working
processes used by Kaspersky Embedded Systems Security, enable recovery of Kaspersky Embedded Systems
Security tasks after an abnormal termination, maintain the log, enable creation of dump les of Kaspersky
Embedded Systems Security processes after abnormal termination, and con gure other general settings.

Application settings cannot be con gured in the Application Console if the active Kaspersky Security Center
policy blocks changes to these settings.

To con gure Kaspersky Embedded Systems Security settings:

1. In the Application Console tree, select the Kaspersky Embedded Systems Security node and do one of the
following:

Click the Application properties link in the details pane of the node.

Select Properties in the node context menu.

The Application settings window opens.

128
2. In the window that opens, con gure Kaspersky Embedded Systems Security general settings according to your
preferences:

The following settings can be con gured on the Scalability and interface tab:

In the Scalability settings section:

Maximum number of working processes that Kaspersky Embedded Systems Security can run

Number of processes for Real-Time Computer Protection

Number of working processes for background On-Demand Scan tasks

In the Interaction with user section select if the System Tray Icon will be displayed in the taskbar after each
application start.

The following settings can be con gured on the Security and reliability tab:

In the Password protection settings section, con gure the protection of application processess .

In the Password protection settings section, con gure the settings for password-protection of the
application functions.

In the Self-defense section, specify the number of attempts to recover an On-Demand Scan task if it
crashes.

In the Recover on-demand scan tasks no more than (times) section, specify actions that Kaspersky
Embedded Systems Security performs after switching to UPS power .

On the Scan settings tab:

Restore le attributes after scanning

Limit CPU usage for scanning threads

Upper limit (per cent)

Folder for temporary les created during scanning

On the Connection settings tab:

In the Proxy server settings section, specify the proxy server settings.

In the Proxy server authentication settings section, specify the authentication type and details
required for authentication on the proxy server.

In the Licensing section, indicate whether Kaspersky Security Center will be used as a proxy-server for
application activation.

On the Malfunction diagnosis tab:

If you want the application to write debug information to a le, select the Write debug information to
trace le check box.

In the eld below specify the folder in which Kaspersky Embedded Systems Security will save trace
les.

129
Con gure the level of detail of debug information .

Specify the maximum size of trace les.

Specify the maximum number of les for one trace log. Kaspersky Embedded Systems Security will
create up to the maximum number of trace les for each component to be debugged.

Specify the components to be debugged .

If you want the application to create a dump le, select the Create crash dump le check box.

Kaspersky Embedded Systems Security does not send any trace or dump les automatically.
Diagnostics data can only be sent by a user with the corresponding permissions.

In the eld below, specify the folder in which Kaspersky Embedded Systems Security will save the dump
le.

Kaspersky Embedded Systems Security writes information to trace les and the dump les in
unencrypted form. The folder where les are saved is selected by the user and is managed by the
operating system con guration and Kaspersky Embedded Systems Security settings. You can
con gure access permissions and allow only required users to access logs, trace les, and dump les.

3. Click OK.

Kaspersky Embedded Systems Security settings are saved.

Managing Kaspersky Embedded Systems Security tasks

This section contains information about how to create, con gure, start, and stop Kaspersky Embedded Systems
Security tasks.

Kaspersky Embedded Systems Security task categories

Real-Time Computer Protection, Computer Control, On-Demand Scan, and Update functions in Kaspersky
Embedded Systems Security are implemented as tasks.

You can manage these tasks using the task context menu in the Application Console tree, the toolbar, and the
quick access bar. You can view task status information in the results pane. Task management operations are
recorded in the system audit log.

There are two types of Kaspersky Embedded Systems Security tasks: local and group.

Local tasks

Local tasks can only be executed on the protected device they were created for. Depending on the start method,
the following types of local tasks exist:

130
Local system tasks. These tasks are created automatically during installation of Kaspersky Embedded Systems
Security. You can edit the settings of all local system tasks, except for the Quarantine Scan and Rollback of
Database Update tasks. Local system tasks cannot be renamed or deleted. You can run local system and
custom On-Demand Scan tasks simultaneously.

Local custom tasks. In the Application Console, you can create On-Demand Scan tasks. In Kaspersky Security
Center, you can create On-Demand Scan, Database Update, Rollback of Database Update, and Copying
Updates tasks. You can rename, con gure, and delete custom tasks. You can run several custom tasks
simultaneously.

Group tasks

You can manage group tasks and tasks for sets of protected devices from the Kaspersky Security Center. All
group tasks are custom tasks. Group tasks are also displayed in the Application Console. In the Application
Console, you can only view the status of group tasks. You cannot use the Application Console to manage or
con gure group tasks.

Starting, pausing, resuming, and stopping tasks manually

You can pause and resume only Real-Time Computer Protection and On-Demand Scan tasks. No other tasks can
be paused or resumed manually.

To start, pause, resume or stop a task:

1. In the Application Console, open the context menu of the task.

2. Select one of the following: Start, Pause, Resume or Stop.

The operation is performed and recorded in the system audit log.

When you resume an On-Demand Scan task, Kaspersky Embedded Systems Security resumes scanning from
the object on which the scan was paused.

Managing task schedules

You can schedule Kaspersky Embedded Systems Security tasks.

Con guring the task schedule settings

In the Application Console, you can schedule when to start local system and custom tasks. However, you cannot
schedule when to start group tasks.

To schedule a task:

1. Open the context menu of the task you want to schedule.

131
2. Select Properties.
The Task settings window opens.

3. In the window that opens, on the Schedule tab, select the Run by schedule check box.

4. Follow these steps to specify schedule settings:

a. In the Frequency drop-down menu, select one of the following:

Hourly: to run the task at hourly intervals; specify the number of hours in the Every <number> hour(s)
eld.

Daily: to run the task at daily intervals; specify the number of days in the Every <number> day(s) eld.

Weekly: to run the task at weekly intervals; specify the number of weeks in the Every <number> week(s)
on eld. Specify the days of the week to start the task (by default the task runs on Mondays).

At application launch: to run the task every time Kaspersky Embedded Systems Security starts.

After application database update: to run the task after every update of the application database.

b. In the Start time eld, specify the time when to start the task for the rst time.

c. In the Start date eld, specify the date when to start the task for the rst time.

After you have speci ed the task start frequency, the time of the rst task start, and the date from
which the schedule applies, the estimated time for the next task start will appear in the top part of the
window in the Next start eld. The estimated time of the next task start will be updated and displayed
each time you open the Task settings window on the Schedule tab.

The Next start eld displays the Blocked by policy value if Kaspersky Security Center active policy
settings prohibit a scheduled local system task from starting.

5. Use the Advanced tab to specify the following schedule settings:

In the Task stop settings section:

a. Select the Duration check box. In the elds to the right, enter maximum task duration in hours and
minutes.

b. Select the Pause from check box. In the elds to the right, enter when to pause and resume the task
(under 24 hours).

In the Advanced settings section:

a. Select the Cancel schedule from check box and specify the task schedule end date.

b. Select the Run skipped tasks check box to start skipped tasks.

c. Select the Randomize the task start within interval of check box and specify a value in minutes.

6. Click OK.

132
The task schedule settings are saved.

Enabling and disabling scheduled tasks

You can enable and disable scheduled tasks before or after specifying task schedule settings.

To enable or disable a scheduled task start:

1. In the Application Console tree, open the context menu for the scheduled task.

2. Select Properties.
The Task settings window opens.

3. In the window that opens, on the Schedule tab, select one of the following options:

Select the Run by schedule check box to enable scheduled task start.

Clear the Run by schedule check box to disable scheduled task start.

The task schedule settings are not deleted, but applied the next time you enable a scheduled task start.

4. Click OK.

The task schedule settings are saved.

Using user accounts to start tasks

You can start tasks under the system account or specify a di erent account.

About using accounts to start tasks

You can specify the account to run the following Kaspersky Embedded Systems Security tasks:

Rule Generator for Applications Launch Control

Rule Generator for Device Control

On-Demand Scan

Update

By default, these tasks are run using system account permissions.

A di erent account with proper access permissions is recommended in the following cases:

Update task: if you speci ed a public folder on a di erent device on the network as the update source.

Update task: if you use a proxy server with built-in Windows NTLM authentication to access the update source.

133
On-Demand Scan tasks: if the system account does not have permission to access the scanned objects (for
example, les in shared folders on the protected device).

Rule Generator for Applications Launch Control task: if the generated rules are exported to a con guration
le that the system account cannot access (for example, in a shared folder on the protected device).

You can run Update, On-Demand Scan, and Rule Generator tasks with system account permissions. Kaspersky
Embedded Systems Security performs these tasks and accesses shared folders on another device in the
network if this device is registered in the same domain as the protected device. In this case, the system
account must have access permissions for these folders. Kaspersky Embedded Systems Security accesses
the device using permissions for the account <domain name \ device_name>.

Specifying a user account to start a task

To specify an account to start a task:

1. In the Application Console tree, open the context menu of the task you want to start by using a speci c
account.

2. Select Properties.
The Task settings window opens.

3. In the window that opens, on the Run as tab, follow these steps:

a. Select User name.

b. Enter the user name and password for the account you want to use.

The selected user must be registered on the protected device or in the same domain as this protected
device.

c. Con rm the password.

4. Click OK.

The modi ed settings are saved.

Importing and exporting settings

This section explains how to export Kaspersky Embedded Systems Security settings. You will also learn how to
export speci c software settings to an XML con guration le, and how to import these settings from a
con guration le back into the application.

About importing and exporting settings

134
You can export Kaspersky Embedded Systems Security settings to an XML con guration le and import settings
into Kaspersky Embedded Systems Security from the con guration le. You can save all application settings or
only settings for individual components to a con guration le.

When you export all settings of Kaspersky Embedded Systems Security to a le, the general application settings
and settings of the following Kaspersky Embedded Systems Security components and functions are saved:

Real-Time File Protection

KSN Usage

Device Control

Applications Launch Control

Rule Generator for Device Control

Rule Generator for Applications Launch Control

On-Demand Scan tasks

File Integrity Monitor

Log Inspector

Kaspersky Embedded Systems Security database and software modules update

Quarantine

Backup

Logs

Administrator and user noti cations

Trusted Zone

Exploit Prevention

Password protection

Also, you can save the general settings of Kaspersky Embedded Systems Security in the le, as well as the rights of
user accounts.

You cannot export group task settings.

Kaspersky Embedded Systems Security exports all passwords used by the application, for example, user account
settings for running tasks or connecting to a proxy server. Exported passwords are saved in encrypted form in the
con guration le. You can import passwords only using Kaspersky Embedded Systems Security installed on this
protected device if it has not been reinstalled or updated.

You cannot import previously saved passwords using Kaspersky Embedded Systems Security installed on a
di erent protected device. After settings have been imported on another protected device, all passwords must be
entered manually.

135
If a Kaspersky Security Center policy is active at the time of export, the application exports the speci ed values
used by that policy.

Settings from a con guration le containing parameters for individual components of Kaspersky Embedded
Systems Security (e.g., from a le created in Kaspersky Embedded Systems Security installed with incomplete set
of components) can be imported. After the settings are imported, only those Kaspersky Embedded Systems
Security settings that were contained in the con guration le are changed. All other settings remain the same.

Settings of an active Kaspersky Security Center policy that have been blocked do not change when importing
the settings.

Exporting settings
To export settings to a con guration le:

1. In the Application Console tree, do one of the following:

In the context menu of the Kaspersky Embedded Systems Security node, select Export settings to
export all Kaspersky Embedded Systems Security settings.

In the context menu of a speci c task, select Export settings to export the settings of an individual
functional component of the application.

To export the Trusted Zone settings:

a. In the Application Console tree, open the Kaspersky Embedded Systems Security node context menu.

b. Select Con gure Trusted Zone settings.

The Trusted Zone window opens.

c. Click the Export button.

The Settings Export Wizard opens.

2. Follow the instructions in the Settings Export Wizard: specify the name and path of the con guration le you
want to use to save the settings.
You can use system environment variables when specifying the path, but not user environment variables.

If a Kaspersky Security Center policy is active at the time of export, the application exports the settings
used by that policy.

3. Click the Close button in the Export of application settings complete window.

The Settings Export Wizard closes and saves the export settings.

Importing settings
To import settings from a saved con guration le:

136
1. In the Application Console tree, do one of the following:

In the context menu of the Kaspersky Embedded Systems Security node, select Import settings to
import all Kaspersky Embedded Systems Security settings.

In the context menu of a speci c task, select Import settings to import the settings of an individual
functional component of the application.

To import the Trusted Zone settings:

a. In the Application Console tree, open the context menu of the Kaspersky Embedded Systems Security
node.

b. Select Con gure Trusted Zone settings.

The Trusted Zone window opens.

c. Click the Import button.

The Settings Import Wizard opens.

2. Follow the instructions in the Settings Import Wizard: specify the con guration le with the settings you want
to import.

After importing the general Kaspersky Embedded Systems Security settings or its functional component
settings to the protected device, you cannot revert to the previous settings.

3. Click the Close button in the Application settings import completed window.
The Settings Import Wizard closes and saves the imported settings.

4. In the Application Console toolbar, click the Refresh button.

The Application Console window displays the imported settings.

Kaspersky Embedded Systems Security does not import passwords (account credentials for starting tasks or
connecting to the proxy server) from a le created on another protected device or on the same protected
device after Kaspersky Embedded Systems Security has been re-installed or updated on it. After import is
complete, passwords must be entered manually.

Using security settings templates

This section contains information about using security settings templates in Kaspersky Embedded Systems
Security protection and scan tasks.

About security settings templates

You can manually con gure the security settings of a node in the tree or in a list of the protected device's le
resources, and save the con gured setting values as a template. This template can then be used to specify the
security settings of other nodes in Kaspersky Embedded Systems Security protection and scan tasks.
137
You can use templates to specify the security settings of the following Kaspersky Embedded Systems Security
tasks:

Real-Time File Protection

Scan at Operating System Startup

Critical Areas Scan

On-Demand Scan tasks

Security settings from a template applied to a parent node in the protected device's le resource tree are applied
to all child nodes. The parent node template is not applied to child nodes in the following cases:

If you speci ed the security settings of the child nodes separately.

If the child nodes are virtual. In this case, you must apply the template to each virtual node separately.

Creating a security settings template

To manually save the security settings of a node to a template:

1. In the Application Console tree, select the task for which you want to create a security settings template.

2. In the details pane of the selected task, click the Con gure protection scope or Con gure scan scope link.

3. In the tree or list of the protected device's network le resources, select the template that you want to view.

4. On the Security level tab, click the Save as template button.

The Template properties window opens.

5. In the Template name eld, enter the name of the template.

6. In the Description eld, enter additional template information.

7. Click OK.

The security settings template is saved.

Viewing security settings in a template

To view security settings in a template that you created:

1. In the Application Console tree, select the task with the security settings template want to view.

2. In the context menu of the selected task, select Settings templates.

The Templates window opens.

3. In the list of templates, select the template that you want to view.

4. Click the View button.

138
The <Template name> window opens. The General tab displays the template name and additional information
about the template. The Options tab lists security settings saved in the template.

Applying a security settings template

To apply security settings from a template to a selected node:

1. In the Application Console tree, select the task to which you want to apply a security settings template.

2. In the details pane of the selected task, click the Con gure protection scope or Con gure scan scope link.

3. In the tree or list of the protected device's network le resources, open the context menu of the node or item
to which you want to apply the template.

4. Select Apply template → <Template name>.

5. Click the Save button.

This applies the security settings template to the selected node in the le resource tree of the protected
device. The value on the Security level tab for the selected node changes to Custom.

If the security settings of a template are applied to a parent node in the protected device le resource tree,
these settings are also applied to all child nodes.

You can con gure the protection or scan scope of child nodes in the le resource tree of the protected
device separately. In this case, the security settings of the template applied to the parent node are not
automatically applied to the child nodes.

To apply security settings from a template to all selected nodes:

1. In the Application Console tree, select the task to which you want to apply the security settings template.

2. In the details pane of the selected task, click the Con gure protection scope or Con gure scan scope link.

3. In the tree or list of the protected device's network le resources, select a parent node to apply the template to
the selected node and its child nodes.

4. In the context menu, select Apply template → <Template name>.

5. Click the Save button.

The security settings template is applied to the parent and all child nodes in the protected device's le resource
tree. The value on the Security level tab for the selected node changes to Custom.

Deleting a security settings template

To delete a security settings template:

1. In the Application Console tree, select the task with the security settings template that you want to delete.

139
2. In the context menu of the selected task, select Settings templates.
The Templates window opens.

In the results pane of the On-Demand Scan parent node you can view settings templates for On-Demand
Scan tasks.

3. In the list of templates, select the template that you want to delete.

4. Click the Remove button.

A window opens to con rm deletion.

5. In the window that opens, click Yes.

The selected template is deleted.

You can apply the security settings template to protect or scan nodes in the le resource tree of the
protected device. In this case, the security settings for such nodes are unchanged after the template is
deleted.

Viewing protection status and Kaspersky Embedded Systems Security

information
To view information about the device protection status Kaspersky Embedded Systems Security,

select the Kaspersky Embedded Systems Security node in the Application Console tree.

By default, information in the details pane of the Application Console is refreshed automatically:

Every 10 seconds in case of a local connection.

Every 15 seconds in case of a remote connection.

You can refresh the information manually.

To refresh information in the Kaspersky Embedded Systems Security node manually,

select the Refresh command in the context menu of the Kaspersky Embedded Systems Security node.

The following application information is displayed in the details pane of the Application Console:

Kaspersky Security Network Usage status.

Device protection status.

Information about database and application module updates.

Actual diagnostic data.

140
Data about protected device control tasks.

License information.

Status of integration with Kaspersky Security Center: details of the server with Kaspersky Security Center
installed and to which the application is connected; information about application tasks controlled by the active
policy.

Di erent colors are used to indicate the protection status:

Green. The task is being run in accordance with the con gured settings. Protection is active.

Yellow. The task was not started, has been paused, or has been stopped. Security threats may occur. You are
advised to con gure and start the task.

Red. The task completed with an error or a security threat was detected while the task was running. You are
advised to start the task or take measures to eliminate the detected security threat.

Some details in this block (for example, task names or the number of threats detected) are links that, when
clicked, take you to the node of the relevant task or open the task log.

The Kaspersky Security Network Usage section displays current task status, for example, Running, Stopped or
Never performed. The indicator can take the following values:
Green color signi es that the KSN Usage task is running and le requests for statuses are being send to KSN.

Yellow color signi es that one of the Statements is accepted, but the task is not running; or the task is running,
but le requests are not sent to KSN.

Computer protection

The Computer protection section (see the table below) displays information about the device's current
protection status.

Information about device protection status

Protection Information
section

Device The color of the panel with the section name re ects the status of tasks being performed in
protection the section. The indicator can take the following values:
status Green – This color is displayed by default and signi es that Real-Time File Protection
indicator component is installed and the task is running.

Yellow – The Real-Time File Protection component is not installed, and the Critical Areas
Scan task has not been performed for a long time.

Red – Real-Time File Protection task is not running.

Real-Time Task status – Current task status, for example, Running or Stopped.
File Detected – Number of objects detected by Kaspersky Embedded Systems Security. For
Protection example, if Kaspersky Embedded Systems Security detects one malicious application in ve
les, the value in this eld increases by one. If the number of detected malicious applications
exceeds 0, the value is highlighted in red.

141
Critical Last scan date – Date and time of the last Critical Areas Scan for viruses and other computer
Areas security threats.
Scan
Never performed – An event that occurs when the Critical Areas Scan task has not been
performed in the last 30 days or longer (default value). You can change the threshold for
generating this event.

Exploit Status – current status of exploit prevention techniques, for example, Applied or Not applied.
prevention Prevention mode – one of two available modes, selected during con guration of process
memory protection: Terminate on exploit or Statistics only.
Processes protected – the total number of processes added to the protection scope and
handled in accordance with the selected mode.

Backed up Backup free space threshold exceeded – This event occurs when the amount of free space in
objects Backup is approaching the speci ed limit. Kaspersky Embedded Systems Security continues
to move objects to Backup. In this case, the value in the Space used eld is highlighted in
yellow.
Maximum Backup size exceeded – This event occurs when the Backup size has reached the
speci ed limit. Kaspersky Embedded Systems Security continues to move objects to Backup.
In this case, the value in the Space used eld is highlighted in red.
Backed up objects – Number of objects currently in Backup.
Space used – Amount of Backup space used.

Update

The Update section (see the table below) displays information about how up-to-date the anti-virus databases and
application modules are.

Information about the status of Kaspersky Embedded Systems Security databases and modules

Update section Information

Status indicator The color of the panel with the section name re ects the status of application
for databases databases and modules. The indicator can take the following values:
and software
modules Green – This color is displayed by default and signi es that application databases
are up to date and that the last database update task was completed successfully.

Yellow – Databases are out of date, or the last database update task failed.

Red – The event Application database is extremely out of date or Application

database is corrupted has occurred.

Database Update Database status – An evaluation of the Database Update status.

and Software
It can take the following values:
Modules Update
Application database is up to date – Application databases were updated no
more than 7 days ago (default).

Application database is out of date – Application databases were updated

between 7 and 14 days ago (default).

Application database is extremely out of date – Application databases were

updated more than 14 days ago (default).
You can change the thresholds for generating the Application database is up to
date and Application database is extremely out of date events.

142
Database release date – Date and time of the release of the latest database
update. The date and time are speci ed in UTC format.
Status of the latest completed Database Update task – Date and time of the
latest database update. The date and time are speci ed according to the local time
of the protected device. The eld is red if the Failed event occurred.
Number of module updates available – Number of Kaspersky Embedded Systems
Security module updates available to be downloaded and installed.
Number of module updates installed – Number of installed Kaspersky Embedded
Systems Security module updates.

Control

The Control section (see table below) displays information about the Applications Launch Control, Device Control
and Firewall Management tasks.

Information about protected device control status

Control Information
section

Status The color of the panel with the section name re ects the status of tasks being performed
indicator for in the section. The indicator can take the following values:
protected
device Green – This color is displayed by default and signi es that the Applications Launch
control Control component is installed and the task is running in the Active mode.

Yellow – Applications Launch Control is running in the Statistics only mode.

Red – The Applications Launch Control task is not running or failed.

Applications Task status – Current task status, for example, Running or Stopped.
Launch Operation mode – One of the two available modes for the Applications Launch Control
Control task: Active or Statistics only.
Applications launches denied – Number of attempts to start applications blocked by
Kaspersky Embedded Systems Security during the Applications Launch Control task. If the
number of blocked application launches exceeds 0, the eld is red.
Average processing time (ms) – Time taken by Kaspersky Embedded Systems Security to
process an attempt to start applications on the protected device.

Device Task status – current task status, for example, Running or Stopped.
control Operation mode – one of the two available modes for the Device Control task: Active or
Statistics only.
Devices blocked – the number of attempts to connect an external device, that were
blocked by Kaspersky Embedded Systems Security during the Device Control task. If the
number of blocked external devices exceeds 0, the eld value is colored in red.

Firewall Task status – current task status, for example, Running or Stopped.
Management Connection attempts blocked – Number of connections to a protected device that were
blocked by the speci ed rewall rules.

Diagnostics

143
The Diagnostics section (see the table below) displays information about the File Integrity Monitor and Log
Inspection tasks.

Information about System Inspection status

Diagnostics Information
section

Diagnostics The color of the panel with the section name re ects the status of tasks being performed in
status the section. The indicator can take the following values:
indicator
Green – This color is displayed by default and signi es that one or both system inspection
components are installed and tasks are running.

Yellow – Both components are installed, but one of the system inspection tasks is not
running; the Not running event occurred.

Red – One of the tasks failed.

File Task status – Current task status, for example, Running or Stopped.
Integrity
Non-sanctioned le operations – Number of changes to les within the monitoring scope.
Monitor
These changes may indicate that the security of a protected device has been breached.

Log Task status – Current task status, for example, Running or Stopped.
Inspection
Violations of the con gured rules – Number of recorded violations based on data from the
Windows Event Log. This number is determined based on the speci ed task rules or using the
heuristic analyzer.

The Kaspersky Embedded Systems Security licensing information is displayed in the row in the bottom left corner
of the details pane of the Kaspersky Embedded Systems Security node.

You can con gure Kaspersky Embedded Systems Security properties by following the Application properties.

You can connect to a di erent protected device by following the Connect to another computer link.

144
Working with the Web Plug-in from Web Console and Cloud Console
This section provides information about the Kaspersky Embedded Systems Security Administration Plug-in and
describes how to manage the application installed on a protected device or on a group of protected devices.

Managing Kaspersky Embedded Systems Security from Web Console and

Cloud Console
You can centrally manage several protected devices with Kaspersky Embedded Systems Security installed and
included in an administration group via the Kaspersky Embedded Systems Security Web Plug-in. Kaspersky
Security Center Web Console and Kaspersky Security Center Cloud Console also let you separately con gure
each protected device in the administration group.

An administration group is created manually on Kaspersky Security Center Web Console. The group includes
several devices with Kaspersky Embedded Systems Security installed for which you want to con gure the same
control and protection settings. For details on using administration groups, see Kaspersky Security Center Help.

Kaspersky Embedded Systems Security can be managed from Kaspersky Security Center Web Console in the
following ways:

Using Kaspersky Security Center policies. Kaspersky Security Center policies can be used to remotely
con gure the same protection settings for a group of devices. Task settings speci ed in the active policy have
priority over task settings con gured locally in the Application Console or remotely in the device properties
window of Kaspersky Security Center Web Console. You can use policies to con gure general application
settings, Real-Time Computer Protection task settings, Local Activity Control tasks settings, and scheduled
local system task start settings.

Using Kaspersky Security Center group tasks. Kaspersky Security Center group tasks allow remote
con guration of common settings of tasks with an expiration period for a group of devices. You can use group
tasks to activate the application, con gure On-Demand Scan task settings, update task settings, and Rule
Generator for Applications Launch Control task settings.

Using the properties window of a single device. In the device properties window, you can remotely con gure
the task settings for a single protected device included in an administration group. You can also con gure both
general application settings and settings for all Kaspersky Embedded Systems Security tasks if the selected
protected device is not controlled by an active Kaspersky Security Center policy.

Kaspersky Security Center Web Console and Kaspersky Security Center Cloud Console allow you to con gure
application settings and advanced features, and work with logs and noti cations. You can con gure these settings
for a group of protected devices and for individual protected devices.

Web Plug-in limitations

Kaspersky Embedded Systems Security Web Plug-in has the following limitations compared to Kaspersky
Embedded Systems Security Administration Plug-in:
145
To add users or user groups, you need to specify the security descriptor strings using the security descriptor
de nition language (SDDL).

Prede ned security level cannot be changed for the Real-Time File Protection task.

Application Launch Control task rules cannot be created using digital certi cate or Kaspersky Security Center
events.

Device Control task rules cannot be generated based on connected devices or on system data.

Managing application settings

This section contains information about con guring Kaspersky Embedded Systems Security general settings in
Kaspersky Security Center Web Console.

Con guring general application settings in Web Plug-in

You can con gure Kaspersky Embedded Systems Security general settings in Web Plug-in for a group of
protected devices or one protected device.

Con guring scalability, interface, and scan settings in Web Plug-in

To con gure scalability settings and the application interface:

1. In the main window of the Web Console, select Devices → Policies & pro les.

2. Click the policy name you want to con gure.

3. In the <Policy name> window that opens select the Application settings tab.

4. Select the Application settings section.

5. Click Settings in the Scalability, interface and scan settings subsection.

6. Con gure the settings described in the table below.

Scalability settings

Setting Description

Automatically Kaspersky Embedded Systems Security automatically controls the number of

detect scalability processes used.
settings This is the default value.

Set the number Kaspersky Embedded Systems Security controls the number of active working
of working processes according to the values speci ed.
processes
manually

Maximum Maximum number of processes that Kaspersky Embedded Systems Security uses.
number of active The entry eld is available if the Set the number of working processes manually
146
processes option is selected.

Number of Maximum number of processes that are used by the Real-Time Computer Protection
processes for task components. The entry eld is available if the Set the number of working
real-time processes manually option is selected.
protection

Number of Maximum number of processes used by the On-Demand Scan component when
processes for running On-Demand Scan tasks in background mode. The entry eld is available if the
background on- Set the number of working processes manually option is selected.
demand scan
tasks

Display System Con gure whether the System Tray Icon will be displayed in the noti cation area.
Tray Icon in the
taskbar

Restore le When Kaspersky Embedded Systems Security performs on-demand scan tasks, the
attributes after time when each scanned le was last accessed is updated. After the scan, Kaspersky
scanning Embedded Systems Security resets the time when the le was last accessed to the
initial value.

This behavior can a ect the work of backup systems by causing creation of backup
copies for les that haven’t been changed. This can also cause false detections in le
change tracking applications.

By default, this option is enabled.

Limit CPU usage Kaspersky Embedded Systems Security limits its use of the protected device CPU
for scanning during on-demand scan tasks to the value speci ed in the Upper limit (per cent)
threads eld.

Enabling of this option can negatively a ect the performance of Kaspersky

Embedded Systems Security.

By default, this option is disabled.

Upper limit (in Maximum allowable value of CPU utilization by Kaspersky Embedded Systems
percentages) Security.

The entry eld is available if the Limit CPU usage for scanning threads option is
selected.

Folder for Folder into which Kaspersky Embedded Systems Security needs to unpack archive
temporary les les during scanning.
created during
scanning By default, the C:\Windows\Temp folder is used.

HSM system Select the option for accessing the hierarchical storage.
settings

Con guring security settings in Web Plug-in

To con gure security settings manually, take the following steps:

1. In the main window of the Web Console, select Devices → Policies & pro les.

2. Click the policy name you want to con gure.

147
3. In the <Policy name> window that opens select the Application settings tab.

4. Select the Application settings section.

5. Click Settings in the Security and reliability subsection.

6. Con gure the settings described in the table below.

Security settings

Setting Description

Protect application If the Protect application processes from external threats check box is
processes from external selected, the application protects its processes against code injection or
threats accessing of processes data.

When enabling or disabling the option, no need to restart the application

services for changes to apply.

The option is enabled by default.

Perform task recovery
This check box enables or disables the recovery of Kaspersky Embedded
Systems Security tasks when the application returns an error or
terminates.
If the check box is selected, Kaspersky Embedded Systems Security
automatically recovers Kaspersky Embedded Systems Security tasks when
the application returns an error or terminates.
If the check box is cleared, Kaspersky Embedded Systems Security does
not recover Kaspersky Embedded Systems Security tasks when the
application returns an error or terminates.
The check box is selected by default.

Recover On-Demand Scan The number of attempts to recover an On-Demand Scan task after
tasks no more than (times) Kaspersky Embedded Systems Security returns an error. The entry eld is
in range 1 - 10 attempts available if the Perform task recovery check box is selected.

Do not start scheduled

This check box enables or disables the start of a scheduled scan task after
scan tasks
the protected device switches to a UPS source until the standard power
supply is restored.
If the check box is selected, Kaspersky Embedded Systems Security does
not start scheduled scan tasks after the protected device switches to a
UPS source until the standard power supply is restored.
If the check box is cleared, Kaspersky Embedded Systems Security starts
scheduled scan tasks regardless of the power supply.
The check box is selected by default.

Stop current scan tasks

The check box enables or disables running scan tasks after the protected
device switches to a UPS source.
If the check box is selected, Kaspersky Embedded Systems Security
pauses running scan tasks after the protected device switches to a UPS
source.
If the check box is cleared, Kaspersky Embedded Systems Security
continues running scan tasks after the protected device switches to a UPS
source.
The check box is selected by default.

Apply password Set a password to protect access to Kaspersky Embedded Systems

148
protection Security functions.

Con guring connection settings in Web Plug-in

The con gured connection settings are used to connect Kaspersky Embedded Systems Security to update and
activation servers and during integration of applications with KSN services.

To con gure the connection settings take the following steps:

1. In the main window of the Web Console, select Devices → Policies & pro les.

2. Click the policy name you want to con gure.

3. In the <Policy name> window that opens select the Application settings tab.

4. Select the Application settings section.

5. Click Settings in the Scalability, interface and scan settings subsection.

6. Con gure the settings described in the table below.

Connection settings

Setting Description

Do not use proxy If this option is selected, Kaspersky Embedded Systems Security connects to
server KSN services directly, without using any proxy server.

Use speci ed proxy If this option is selected, Kaspersky Embedded Systems Security connects to
server settings KSN using proxy server settings speci ed manually.

Do not use proxy

This check box enables or disables the use of a proxy server when accessing
server for local
devices located in the same network as the protected device with Kaspersky
addresses
Embedded Systems Security installed.
If this check box is selected, devices are accessed directly from the network
that hosts the protected device with Kaspersky Embedded Systems Security
installed. No proxy server is used.
If the check box is cleared, a proxy server is used to connect to local devices.
The check box is selected by default.

Specify the authentication settings

Proxy server
authentication
settings

Authentication is not performed. This mode is selected by default.

Do not use
authentication

Authentication is performed using the NTLM network authentication protocol

Use NTLM
developed by Microsoft.
authentication

Authentication is performed with a user name and password using the NTLM
Use NTLM
network authentication protocol developed by Microsoft.
authentication with
user name and
password

149
Authentication is performed using the user name and password.
Apply user name and
password

Con guring scheduled start of local system tasks

You can use policies to allow or block the start of the local system On-Demand Scan task and the Update task.
This is done according to the schedule con gured locally on each protected device in the administration group:

If the scheduled start of a speci c type of local system task is allowed by a policy, these tasks will be performed
in accordance with the scheduled parameters con gured locally for this task.

By default, starting of local system tasks is prohibited by policy.

We recommend that you do not allow local system tasks to start if updates or on-demand scans are
administered by Kaspersky Security Center group tasks.

If you do not use group update or on-demand scan tasks, allow local system tasks to be started in the policy:
Kaspersky Embedded Systems Security will perform application database and module updates, and start all local
system on-demand scan tasks in accordance with the default schedule.

You can use policies to allow or block the scheduled start of the following local system tasks:

On-Demand Scan tasks: Critical Areas Scan, Quarantine Scan, Scan at Operating System Startup, Application
Integrity Control, Baseline File Integrity Monitor.

Update tasks: Database Update, Software Modules Update, Copying Updates.

If the protected device is excluded from the administration group, the local system tasks schedule will be
enabled automatically.

To allow or block the scheduled start of Kaspersky Embedded Systems Security local system tasks in a policy:

1. In the main window of the Web Console, select Devices → Policies & pro les.

2. Click the policy name you want to con gure.

3. In the <Policy name> window that opens select the Application settings tab.

4. Select the Application settings section.

5. Click Settings in the Run local system tasks subsection.

6. Con gure the settings described in the table below.

Scheduled launch of local system tasks settings

Setting Description

150
Allow on-demand scan tasks Select or clear the check box to allow or disallow the scheduled launch
launch of on-demand scan tasks.

Allow update tasks and Select or clear the check box to allow or disallow the scheduled launch
Copying Update task launch of update tasks and Copying Update task.

Con guring Quarantine and Backup settings in Web Plug-in

To con gure general Quarantine and Backup settings in Kaspersky Security Center:

1. In the main window of the Web Console, select Devices → Policies & pro les.

2. Click the policy name you want to con gure.

3. In the <Policy name> window that opens select the Application settings tab.

4. Select the Supplementary section.

5. Click Settings in the Storages subsection.

6. Con gure the settings described in the table below.

Quarantine and Backup settings

Setting Description

Backup folder Specify the backup folder.

Maximum Backup size Set the maximum Backup size.

(MB)

Threshold value for space Specify the minimum value of free space in the Backup folder.
available (MB)

Target folder for Specify a folder for restored objects.

restoring objects

Quarantine folder Specify the backup folder.

Maximum Quarantine size Set the maximum Backup size.

(MB)

Threshold value for space Specify the minimum value of free space in the Backup folder.
available (MB)

Target folder for Specify a folder for restored objects.

restoring objects

Host blocking term Specify the number of days, hours and minutes after which blocked hosts
regain access to network le resources.

Creating and con guring policies

This section provides information on using Kaspersky Security Center policies for managing Kaspersky Embedded
Systems Security on several protected devices.

151
Global Kaspersky Security Center policies can be created for managing protection on several devices where
Kaspersky Embedded Systems Security is installed.

A policy enforces the speci ed Kaspersky Embedded Systems Security settings, functions and tasks on all
protected devices for one administration group.

Several policies for one administration group can be created and enforced in turns. The policy currently active for a
group has active status in the Administration Console.

Information on policy enforcement is logged in the Kaspersky Embedded Systems Security system audit log. This
information can be viewed in the Application Console in the System audit log node.

Kaspersky Security Center o ers one way to apply policies on protected devices: Prohibit changing the settings.
After a policy has been applied, Kaspersky Embedded Systems Security uses the settings for which you have
selected the icon in the policy properties on protected devices. In this case, the selected settings are used
instead of the settings in e ect before the policy was applied. Kaspersky Embedded Systems Security does not
apply the active policy settings for which the icon is selected in the policy properties.

If a policy is active, the values of settings marked with the icon in the policy are displayed in the Application
Console but cannot be edited. The values of other settings (marked with the icon in the policy) can be edited in
the Application Console.

The settings con gured in the active policy and marked with the icon also block changes in Kaspersky Security
Center for one protected device in the Properties: <Protected device name> window.

Settings that are speci ed and sent to the protected device using an active policy are saved in the local task
settings after the active policy is disabled.

If the policy de nes the settings for any Real-Time Computer Protection task, and if such a task is currently
running, then the settings de ned by the policy will be modi ed as soon as the policy is applied. If the task is not
running, the settings are applied when it starts.

Creating a policy
To create a policy:

1. In the main window of the Web Console, select Devices → Policies & pro les.

2. Click the Add button.

3. The New policy window opens.

4. In the Select application section, select Kaspersky Embedded Systems Security and click Next.

5. On the General tab, you can perform the following actions:

Change the policy name.

The policy name cannot contain the following symbols: " * < : > ? \ | .

Select the policy status:

152
Active. After the next synchronization, the policy will be used as the active policy on the computer.

Inactive. Backup policy. If necessary, an inactive policy can be switched to active status.

Out-of-o ice. The policy is activated when a computer leaves the organization network perimeter.

Con gure the inheritance of settings:

Inherit settings from parent policy. If this toggle button is switched on, the policy setting values are
inherited from the top-level policy. Policy settings cannot be edited if is set for the parent policy.

Force inheritance of settings in child policies. If the toggle button is on, the values of the policy
settings are propagated to the child policies. In the child policy settings the Inherit settings from parent
policy check box is automatically selected. Child policy settings are inherited from the parent policy,
except for the settings marked with . Child policy settings cannot be edited if is set for the parent
policy.

6. On the Application settings tab, con gure the policy settings as required.

7. Click Save.

The created policy appears in the list of policies on the Policies & pro les tab of the selected administration
group. In the <Policy name> window, you can con gure other settings, tasks and functions of Kaspersky
Embedded Systems Security.

Kaspersky Embedded Systems Security policy settings sections

General

In the General section, you can con gure the following policy settings:
Indicate the policy status.

Con gure the inheritance settings for parent and child policies.

Event con guration

In the Event con guration section, you can con gure settings for the following event categories:
Critical events

Functional failure

Warning

Informational message
You can use the Properties button to con gure the following settings for the selected events:

Indicate the storage location and retention period for information about logged events.

Indicate the noti cation method for logged events.

Application settings
153
Settings of the Application Settings section

Section Options

Scalability, In the Scalability, interface and scan settings subsection, you can click the Settings
interface and button to con gure the following settings:
scan settings
Choose whether to con gure scalability settings automatically or manually.

Con gure the application icon display settings.

Security and In the Security and reliability subsection, you can click the Settings button to con gure
reliability the following settings:
Con gure the task run settings.

Specify how the application should behave when the protected device is running on
UPS power.

Enable or disable password-protection of application functions.

Specify the proxy server authentication settings.

Update tasks and Copying Update task.

Supplementary

Settings of the Supplementary section

Section Options

Trusted Zone Click the Settings button on the Trusted Zone subsection to con gure the
following Trusted Zone application settings:
Create a list of Trusted Zone exclusions.

Enable or disable scanning of le backup operations.

Create a list of trusted processes.

Removable Drives Scan In the Removable Drives Scan subsection, you can use the Settings button
to con gure scan settings for removable drives.

User access permissions In the User access permissions for application management subsection,
for application you can con gure user rights and user group rights to manage Kaspersky
management Embedded Systems Security.
154
User access permissions In the User access permissions for Kaspersky Security Service
for Kaspersky Security management subsection, you can con gure user rights and user group rights
Service management to manage the Kaspersky Security Service.

Con gure the maximum size of Backup and Quarantine and also specify
the free space threshold.

Specify the path to the folder where you want to place objects restored
from Quarantine or Backup.

Con gure transmission of information about Quarantine and Backup

objects to Administration Server.

Con gure how long hosts are blocked.

Real-time computer protection

Settings of the Real-Time Server Protection section

Section Options

Real-Time File In the Real-Time File Protection subsection, you can click the Settings button to
Protection con gure the following task settings:
Indicate the protection mode.

Con gure use of the Heuristic Analyzer.

Con gure use of the Trusted Zone.

Indicate the protection scope.

Set the security level for the selected protection scope: you can select a prede ned
security level or con gure the security settings manually.

Con gure the task start settings.

KSN Usage In the KSN Usage subsection, you can click the Settings button to con gure the following
task settings:
Indicate the actions to perform on KSN untrusted objects.

Con gure data transfer and usage of Kaspersky Security Center as a KSN proxy server.

Exploit In the Exploit Prevention subsection, you can click the Settings button to con gure the
Prevention following task settings:
Select the process memory protection mode.

Indicate the actions to reduce exploit risks.

155
Add to and edit the list of protected processes.

Local activity control

Settings of the Local Activity Control section

Section Options

Applications In the Applications Launch Control subsection, you can use the Settings button to
Launch Control con gure the following task settings:
Select the task operating mode.

Con gure settings for controlling subsequent application launches.

Indicate the scope of the Applications Launch Control rules.

Con gure use of KSN.

Con gure the task start settings.

Device control In the Device control subsection, you can click the Settings button to con gure the
following task settings:
Select the task operating mode.

Con gure the task start settings.

Network activity control

Settings of the Network activity control section

Section Options

Firewall In the Firewall Management subsection, you can click the Settings button to con gure
Management the following task settings:
Con gure rewall rules.

Con gure the task start settings.

System Inspection

Settings of the System Inspection section

Section Options

File In the File Integrity Monitor subsection, you can con gure control over changes in les that
Integrity can signify a security breach on a protected device.
Monitor

Log In the Log Inspection section, you can con gure a protected device integrity monitoring
Inspection based on the results of an analysis of the Windows Event Log.

156
Logs and noti cations

Settings of the Logs and Noti cations section

Section Options

Task logs In the Task logs subsection, you can click the Settings button to con gure the following
settings:
Specify the importance level of the logged events for the selected software
components.

Specify the task log storage settings.

Specify the SIEM integration with Kaspersky Security Center settings.

Event In the Event noti cations subsection, you can click the Settings button to con gure the
noti cations following settings:
Specify the user noti cation settings for the Object detected, Untrusted mass
storage detected and restricted, and Host listed as untrusted events.

Specify the administrator noti cation settings for any event selected in the event list
in the Noti cation settings section.

Interaction In the Interaction with Administration Server subsection, you can click the Settings
with button to select the types of objects that Kaspersky Embedded Systems Security will
Administration report to Administration Server.
Server

Revision history

In the Revision history section, you can manage revisions: compare with the current revision or other policy, add
descriptions of revisions, save revisions to a le or perform a rollback.

Creating and con guring tasks using Kaspersky Security Center

This section contains information about Kaspersky Embedded Systems Security tasks, and how to create them,
con gure task settings, and start and stop them.

About task creation in Web Plug-in

You can create group tasks for administration groups and sets of protected devices. The following types of tasks
can be created:

Activation of the Application

Copying Updates

Database Update

Software Modules Update

157
Rollback of Database Update

On-Demand Scan

Application Integrity Control

Baseline File Integrity Monitor

Rule Generator for Applications Launch Control

Rule Generator for Device Control

You can create local and group tasks in the following ways:

For one protected device: in the Properties <Protected device name> window in the Tasks section.

For an administration group: in the details pane of the node of the selected group of protected devices on the
Tasks tab.

For a set of protected devices: in the details pane of the Device selections node.

You can use policies to disable schedules for update and On-Demand Scan local system tasks on all protected
devices in the same administration group.

General information on tasks in Kaspersky Security Center is provided in the Kaspersky Security Center Help.

Creating a task in Web Plug-in

To create a new task in the Kaspersky Security Center Administration Console:

1. Start the task wizard in one of the following ways:

To create a local task:

a. In the main window of the Web Console, select Devices → Managed devices.

b. Click the Groups tab to select the administration group that the protected device belongs to.

c. Click the protected device name.

d. In the <Device name> window that opens select the Tasks tab.

e. Click Add.

To create a group task:

a. In the main window of the Web Console, select Devices → Managed devices.

b. Click the Groups tab to select the administration group for which you want to create a task.

c. Click Add.

To create a task for a custom set of protected devices:

158
a. In the main window of the Web Console, select Devices → Device selections.

b. Select the selection for which you want to create a task.

c. Click Start.

d. In the Selection results window, select the devices for which you want to create a task.

e. Click New task.

The task wizard window opens.

2. In the Application drop-down list, select Kaspersky Embedded Systems Security.

3. In the Task type drop-down list, select the type of the task to be created.
If you selected any task type except Rollback of Database Update, Application Integrity Control or Activation
of the Application, the settings window opens.

4. Depending on the selected task type, do one of the following:

Create an On-Demand Scan task.

To create an update task, con gure task settings based on your requirements:

a. Select an update source in the Database update source section.

b. In the Connection settings window, con gure the proxy server settings.

After creating a Software Modules Update task, con gure the required application module update settings
in the Software Modules Update window:

a. Select whether to copy and install critical software module updates, or only to check for their availability
without installation.

To create the Copying Updates task, specify the set of updates and the destination folder in the Copying
Updates window.

To create the Activation of the Application task:

a. In the List of keys in Kaspersky Security Center storage window, specify the key le that you want to
use to activate the application.

b. Select the Use as additional key check box if you want to create a task for renewing the license.

159
Create and con gure the Rule Generator for Applications Launch Control task.

Create and con gure the Rule Generator for Device Control task.

5. Click Next.

6. If the task is being created for a set of protected devices, select the network (or group) of protected devices
on which this task will be executed.

7. Click Next.

8. In the Finishing creation window, select the Open task details when creation is complete check box if you
want to con gure task settings.

9. Click the Finish button.

The task created is displayed in the Tasks list.

Con guring group tasks in Web Plug-in

To con gure a group task for multiple protected devices:

1. In the main window of the Web Console, select Devices → Tasks.

2. Click the task name in the list of Kaspersky Security Center tasks.
The <Task name> window opens.

3. Depending on the type of con gured task, do one of the following:

To con gure an On-Demand Scan task:

a. In the Scan scope section, con gure a scan scope.

b. In the Options section, con gure the task priority level and integration with other software components.

To con gure an update task, adjust the task settings based on your requirements:

a. In the Update sources section, con gure update source and proxy server settings.

b. In the Optimization section, con gure disk subsystem optimization.

To con gure the Software Modules Update task, in the Advanced settings section, choose an action to
perform: copy and install critical updates of software modules or only check for them.

To con gure the Copying Updates task, specify the set of updates and the destination folder in the
Copying updates settings section.

To con gure the Activation of the Application task, apply the key le that you want to use to activate the
application. Select the Use as additional key check box if you want to add an activation code or key le for
renewing the license.

To con gure the automatic generation of allowing rules for Device Control, specify the settings that will be
used to create the list of allowing rules.

160
4. Con gure the task schedule in the Schedule section (you can con gure a schedule for all task types except
Rollback of Database Update).

5. On the Settings tab in the Account section, specify the account whose rights will be used to run the task. For
detailed information on con guring settings in this section, see Kaspersky Security Center Help.

6. Click Save.

The newly con gured group task settings are saved.

Con guring Activation of the Application task in Web Plug-in

To con gure an Activation of the Application task:

1. In the main window of the Web Console, select Devices → Tasks.

2. Click the task name in the list of Kaspersky Security Center tasks.
The <Task name> window opens.

3. In the Common section, specify the key le that you want to use to activate the application. Select the Use as
additional key check box if you want to add a key to extend the license.

4. Con gure the task schedule in the Schedule section.

5. In the <Task name> window, click OK.

Con guring Update tasks in Web Plug-in

To con gure the Copying Updates, Database Update, or Software Modules Update tasks:

1. In the main window of the Web Console, select Devices → Tasks.

2. Click the task name in the list of Kaspersky Security Center tasks.
The <Task name> window opens.

3. In the Update sources section, con gure update source settings:

In the Database update source section, specify Kaspersky Security Center Administration Server or
Kaspersky update servers as an application update source. You can also create a customized list of update
sources: by adding custom HTTP and FTP servers or network folders manually, and setting them as update
sources.
You can specify the usage of Kaspersky update servers, if manually customized servers are not available.

To use an SMB-shared folder as an update source, you need to specify a user account to start a task.

When con guring an update task via the Cloud Console, only Distribution points and Kaspersky
update servers settings are available to specify the update source.

161
In the Connection settings section, con gure the use of a proxy server for connecting to Kaspersky update
servers and other servers.

4. In the Optimization section for the Database Update task, you can con gure the feature that reduces the
workload on the disk subsystem:

Disk I/O usage optimization

RAM used for optimization (400 - 9999 MB)

5. Con gure the task schedule in the Schedule section (you can con gure a schedule for all task types except
Rollback of Database Update).

6. In the <Task name> window, click OK.

Con guring crash diagnostics settings in Web Plug-in

If a problem occurs during operation of Kaspersky Embedded Systems Security (for example, Kaspersky
Embedded Systems Security crashes) and you want to diagnose it, you can enable the creation of trace les and a
dump le for the Kaspersky Embedded Systems Security process and send these les for analysis to Kaspersky
Technical Support.

Kaspersky Embedded Systems Security does not send any trace or dump les automatically. Diagnostic data
can only be sent by a user who has the required permissions.

To con gure crash diagnostics settings in Kaspersky Security Center:

1. In the Kaspersky Security Center Administration Console, open the Application settings window.

2. Open the Malfunction diagnosis section and do the following:

If you want the application to write debug information to a le, select the Write debug information to trace
le check box.

In the eld below, specify the folder where Kaspersky Embedded Systems Security will save trace les.

Con gure the level of detail of debug information .

Specify the maximum size of trace les.

Specify the maximum number of les for one trace log.

Kaspersky Embedded Systems Security will create up to the maximum number of trace les for
each component to be debugged.

162
Specify the components to be debugged. Component codes must be separated with a semicolon. The
codes are case sensitive (see the table below).

Kaspersky Embedded Systems Security subsystem codes

Component Name of component

Code

* All components.

gui User interface subsystem, Kaspersky Embedded Systems Security snap-in in Microsoft
Management Console.

ak_conn Subsystem for integrating Network Agent and Kaspersky Security Center.

bl Control process, implements Kaspersky Embedded Systems Security control tasks.

wp Work process, handles anti-virus protection tasks.

blgate Kaspersky Embedded Systems Security remote management process.

ods On-Demand Scan subsystem.

oas Real-Time File Protection subsystem.

qb Quarantine and Backup subsystem.

scandll Auxiliary module for virus scans.

core Subsystem for basic anti-virus functionality.

avscan Anti-virus processing subsystem.

avserv Subsystem for controlling the anti-virus kernel.

prague Subsystem for basic functionality.

updater Subsystem for updating databases and software modules.

snmp SNMP protocol support subsystem.

perfcount Performance counter subsystem.

If you want the application to create a dump le, select the Create dump le check box.

In the eld below, specify the folder in which Kaspersky Embedded Systems Security will save the dump
le.

3. Click OK.

The con gured application settings are applied on the protected device.

Managing task schedules

163
You can con gure the start schedule for Kaspersky Embedded Systems Security tasks, and con gure settings for
running tasks on a schedule.

Scheduling tasks
You can schedule local system and custom tasks in the Application Console. You cannot schedule group tasks in
the Application Console.

To schedule group tasks using the Web Plug-in:

1. In the main window of the Web Console, select Devices → Tasks.

2. Click the task name in the list of Kaspersky Security Center tasks.
The <Task name> window opens.

3. Select the Application settings section.

4. In the Schedule section, select the Run by schedule check box.

Fields with schedule settings for the On-Demand Scan and Update tasks are unavailable if scheduling of
these tasks is blocked by a Kaspersky Security Center policy.

5. Con gure schedule settings in accordance with your requirements. To do this, perform the following actions:

a. In the Frequency list, select one of the following values:

Hourly, if you want the task to run at intervals of a speci ed number of hours; specify the number of
hours in the Every <number> hour(s) eld.

Daily, if you want the task to run at intervals of a speci ed number of days; specify the number of days in
the Every <number> day(s) eld.

Weekly, if you want the task to run at intervals of a speci ed number of weeks; specify the number of
weeks in the Every <number> week(s) eld. Specify the days of the week on which the task will be
started (by default tasks run on Mondays).

At application launch, if you want the task to run every time Kaspersky Embedded Systems Security
starts.

After application database update, if you want the task to run after every update of the application
databases.

b. Specify the time for the rst task start in the Start time eld.

c. In the Start date eld, specify the date when the schedule starts.

6. In the Task stop settings section:

a. Select the Duration check box and, in the elds to the right, enter the maximum number of hours and
minutes of task execution.

164
b. Select the Pause task check box and, in the elds to the right, enter the start and end values of a time
interval under 24 hours during which task execution will be paused.

7. In the Advanced schedule settings section:

a. Select the Cancel schedule check box and specify the date from which the schedule will cease to apply.

b. Select the Run skipped tasks check box to enable the start of skipped tasks.

c. Select the Randomize the task start time within the interval check box and specify a value in minutes.

8. Click the Save button to save the task start settings.

Enabling and disabling scheduled tasks

You can enable and disable scheduled tasks either before or after con guring the schedule settings.

To enable or disable the task start schedule:

1. In the main window of the Web Console, select Devices → Tasks.

2. Click the task name in the list of Kaspersky Security Center tasks.
The <Task name> window opens.

3. Select the Application settings section.

4. Select the Schedule section.

5. Do one of the following:

Select the Run by schedule check box if you want to enable scheduled task start.

Clear the Run by schedule check box if you want to disable scheduled task start.

The con gured task start schedule settings are not deleted and will be applied at the next scheduled
start of the task.

6. Click Save.

The con gured task start schedule settings are saved.

Reports in Kaspersky Security Center

Reports in Kaspersky Security Center contain information about the status of managed devices. Reports are
based on information stored on Administration Server.

Starting from Kaspersky Security Center 11, the following types of reports are available for Kaspersky Embedded
Systems Security:

Report on the status of application components

165
Report on prohibited applications

Report on prohibited applications in test mode

See Kaspersky Security Center Help for detailed information about all Kaspersky Security Center reports and
how to con gure them.

Report on the status of Kaspersky Embedded Systems Security components

You can monitor the protection status of all network devices and get a structured overview of the set of
components on each device.

The report displays one of the following states for each component: Running, Paused, Stopped, Malfunction, Not
installed, Starting.

Not Installed status refers to the component, not the application itself. If the application is not installed, the
Kaspersky Security Center Web Console assigns the N/A (Not available) status.

You can create component selections and use ltering to display network devices with a speci ed set of
components and state.

See Kaspersky Security Center Help for detailed information about creating and using selections.

To review the status of components in the application settings:

1. In the main window of the Web Console, select Devices → Managed devices.

2. Click the protected device name.

3. On the General tab, select the Components section.

4. Review the status table.

Information about Exploit Prevention component status is not available in this table.

To review a Kaspersky Security Center Web Console standard report:

1. Select Monitoring and Reporting → Reports.

2. Select the Report on the status of application components list item and click the Show report button.
A report is generated.

3. Review the following report details:

A graphical diagram.

A summary table of components and aggregated numbers of network devices where each of the
components is installed, and groups they belong to.

166
A detailed table specifying the component status, version, device and group.

Reports on prohibited applications in active and test modes

To review a report on prohibited applications in Statistics only mode:

1. Start the Applications Launch Control task in Statistics only mode.

2. Select Monitoring and Reporting → Reports.

3. Select the Report on prohibited applications in test mode list item and click the Show report button.
A report is generated.

4. Review the following report details:

A graphical diagram that displays the top 10 applications with the largest number of blocked starts.

A summary table of application blocks, specifying the executable le name, reason, time of blocking, and
number of devices where the blocking occurred.

A detailed table specifying data about the device, le path and criteria for blocking.

To review a report on prohibited applications in Active mode:

1. Start the Applications Launch Control task in Active mode.

2. Select Monitoring and Reporting → Reports.

3. Select the Report on prohibited applications in test mode list item and click the Show report button.
A report is generated.

This report consists of the same data about blocks as the report on prohibited applications in test mode.

167
Compact Diagnostic Interface
This section describes how to use the Compact Diagnostic Interface for reviewing protected device status or
current activity, and how to con gure writing of dump and trace les.

About the Compact Diagnostic Interface

The Compact Diagnostic Interface component (also referred to as the "CDI") is installed and uninstalled along with
the System Tray Icon component independently from the Application Console, and can be used when the
Application Console is not installed on the protected device. The CDI is started from the System Tray Icon or by
running kavfsmui.exe from the application folder on the protected device.

From the CDI window, you can do the following:

Review information about general application status.

Review security incidents that have occurred.

Review current activity on the protected device.

Start or stop writing dump and trace les.

Open the Application Console.

Open the About the application window with the list of installed updates and available patches.

The CDI is available even if access to Kaspersky Embedded Systems Security functions is password-protected. No
password is required.

The CDI component cannot be con gured via Kaspersky Security Center.

Reviewing the Kaspersky Embedded Systems Security status via the

Compact Diagnostic Interface
To open the Compact Diagnostic Interface window, perform the following actions:

1. Right-click the Kaspersky Embedded Systems Security System Tray Icon in the toolbar noti cation area.

2. Select the Open Compact Diagnostic Interface option.

The Compact diagnostic interface window opens.

Review the current status of the key, Real-Time Computer Protection tasks, and Update tasks on the Protection
status tab. Di erent colors are used to notify the user about the protection status (see the table below).

Compact Diagnostic Interface protection status.

Section Status

Real-time The panel is green for either of the following scenarios (if any of the conditions are

168
protection status met):
Recommended con guration:

The Real-Time File Protection task is started with the default settings.

The Applications Launch Control task is started in Active mode with the
default settings.

Acceptable con guration:

The Real-Time File Protection task is con gured by the user.

Applications Launch Control task settings are modi ed.

The panel is yellow if one or more of the following conditions are met:
The Real-Time File Protection task is paused (by the user or schedule).

The Applications Launch Control task is started in Statistics only mode.

Exploit Protection and Applications Launch Control are started in Statistics

only mode.

The panel is red if both of the following conditions are met:

The Real-Time File Protection component is not installed or the task is stopped
or paused.

The Applications Launch Control component is not installed or the task is

started in Statistics only mode.

Licensing The panel is green if the current license is valid.

A yellow panel signi es that one of the following events has occurred:
Checking the license status.

The license will expire in 14 days and no additional key or activation code has
been added.

The added key has been added to the denylist and is about to be blocked.

A red panel signi es that one of the following events has occurred:
Application not activated

License has expired

End User License Agreement has been violated

Key is in denylist

Update The panel is green when Application databases are up-to-date.

The panel is yellow when Application databases are out of date.

The panel is red when Application databases are extremely out of date.
169
Reviewing security event statistics
The Statistics tab displays all security events. Each protection task statistic is displayed in a separate block
specifying the number of incidents and the date, and time when the last incident occurred. When an incident is
logged, the block color changes to red.

To review the statistics:

1. Right-click the Kaspersky Embedded Systems Security System Tray Icon in the toolbar noti cation area.

2. Select the Open Compact Diagnostic Interface option.

The Compact diagnostic interface window opens.

3. Open the Statistics tab.

4. Review the security incidents for the protection tasks.

Reviewing current application activity

On this tab, you can review the status of current tasks and application processes, and promptly get noti cations
about critical events that occur.

Di erent colors are used to indicate the application activity status:

In the Tasks section:

Green. There are no conditions that would require yellow or red.

Yellow. Critical areas have not been scanned for a long time.

Red. At least one of the following conditions is true:

No tasks are started and a start schedule is not set up for any of the tasks.

Application launch errors are logged as critical events.

In the Kaspersky Security Network section:

Green. The KSN Usage task is started.

Yellow. The KSN Statement is accepted, but the task is not started.

To review the current application activity on the protected device:

1. Right-click the Kaspersky Embedded Systems Security System Tray Icon in the toolbar noti cation area.

2. Select the Open Compact Diagnostic Interface option.

The Compact diagnostic interface window opens.

3. Open the Current application activity tab.

170
4. Review the following information in the Tasks section:

Critical areas not scanned for a long time

This eld is displayed only if the application returns a corresponding warning about critical area scans.

Running now

Execution failed

Next start de ned by a schedule

5. Review the following information in the Kaspersky Security Network section:

KSN is on. File reputation services are enabled or Protection is o .

KSN is on. File reputation services are enabled, application statistics is being sent to KSN .

The application sends information about malware, including fraudulent software, detected during
execution of the Real-Time File Protection task and the On-Demand Scan tasks, as well as debugging
information about errors during scanning.
The eld is displayed if the Send Kaspersky Security Network statistics check box is selected in the
KSN Usage task settings.

6. Review the following information in the Integration with Kaspersky Security Center section:

Local management is allowed.

Policy is applied: <Administration Server name>.

Con guring writing of dump and trace les

You can con gure the writing of dump and trace les via the CDI.

You can also con gure malfunction diagnostics via the Application Console.

To start writing dump and trace les, perform the following actions:

1. Right-click the Kaspersky Embedded Systems Security System Tray Icon in the toolbar noti cation area.

2. Select the Open Compact Diagnostic Interface option.

The Compact diagnostic interface window opens.

3. Open the Troubleshooting tab.

4. Change the following trace settings if necessary:

a. Select the Write debug information to the trace le in this folder check box.

171
b. Click the Browse button to specify the folder where Kaspersky Embedded Systems Security will save trace
les.
Tracing will be enabled for all components with the default parameters using the Debug level of detail and
the default maximum log size of 50 MB.

5. Change the following dump- le settings if necessary:

a. Select the Create dump le on malfunction in this folder check box.

b. Click the Browse button to specify the folder where Kaspersky Embedded Systems Security will save the
dump le.

6. Click the Apply button.

The new con guration will be applied.

172
Updating Kaspersky Embedded Systems Security databases and software
modules
This section provides information about Kaspersky Embedded Systems Security databases and software module
update tasks, copying updates and rolling back database updates of Kaspersky Embedded Systems Security, as
well as instructions on how to con gure database and software module update tasks.

About Update tasks

Kaspersky Embedded Systems Security provides four system update tasks: Database Update, Software Modules
Update, Copying Updates, and Rollback of Database Update.

By default, Kaspersky Embedded Systems Security connects to the update source (one of Kaspersky's update
protected devices) every hour. You can con gure all Update tasks, except for the Rollback of Database Update
task. When task settings are modi ed, Kaspersky Embedded Systems Security will apply the new values at the next
task start.

You are not allowed to pause and resume Update tasks.

Database Update

By default, Kaspersky Embedded Systems Security copies databases from the update source to the device and
immediately starts using them in the running Real-Time Computer Protection task. The On-Demand Scan tasks
start using the updated database at the next start.

By default, Kaspersky Embedded Systems Security runs the Database Update task every hour.

Software Modules Update

By default, Kaspersky Embedded Systems Security checks whether software module updates are available on the
update source. In order to start using installed software modules, a protected device restart and / or a restart of
Kaspersky Embedded Systems Security is required.

By default, Kaspersky Embedded Systems Security runs the Software Modules Update task on a weekly basis on
Fridays at 4:00 PM (according to the regional time settings of the protected device). During task execution, the
application checks for availability of important and scheduled updates of Kaspersky Embedded Systems Security
modules without distributing them.

Copying Updates

By default, during task execution, Kaspersky Embedded Systems Security downloads Database Update les and
saves them to the speci ed network or local folder without applying them.

The Copying Updates task is disabled by default.

Rollback of Database Update

173
During task execution, Kaspersky Embedded Systems Security returns to using databases from previously installed
updates.

The Rollback of Database Update task is disabled by default.

About Software Modules Update

Kaspersky can issue update packages for Kaspersky Embedded Systems Security modules. The update packages
can be urgent (or critical) or planned. Critical update packages repair vulnerabilities and errors; planned packages
add new features or enhance existing features.

Urgent (critical) update packages are uploaded to Kaspersky's update servers. Their automatic installation can be
con gured using the Software Modules Update task. By default, Kaspersky Embedded Systems Security runs the
Software Modules Update task on a weekly basis on Fridays at 4:00 PM (according to the regional time settings of
the protected device).

Kaspersky does not publish planned update packages on its update servers for automatic update; these can be
downloaded from the Kaspersky website. The Software Modules Update task can be used to receive information
about the release of scheduled Kaspersky Embedded Systems Security updates.

Critical updates can be retrieved from the Internet and applied to each protected device, or one protected device
can be used as an intermediary by copying all updates onto it and then distributing them to the network protected
devices. In order to copy and save updates without installing them, use the Copying Updates task.

Before updates of modules are installed, Kaspersky Embedded Systems Security creates backup copies of the
previously installed modules. If the software module update process is interrupted or results in an error, Kaspersky
Embedded Systems Security will automatically return to using the previously installed software modules. Software
modules can be rolled back manually to the previously installed updates.

During the installation of downloaded updates, the Kaspersky Security Service automatically stops and then
restarts.

About Database Update

Kaspersky Embedded Systems Security databases stored on the protected device quickly become outdated.
Kaspersky's virus analysts detect hundreds of new threats daily, create identifying records for them, and include
them in application database updates. Database updates are a le or set of les containing records that identify
threats discovered during the time since the last update was created. To maintain the required level of device
protection, we recommend that database updates are received regularly.

By default, if the Kaspersky Embedded Systems Security databases are not updated within a week from the time
that the installed database updates were created, the Application database is out of date event occurs. If the
databases are not updated for a period of two weeks, the Application database is extremely out of date event
occurs. Information about the up-to-date status of the databases is displayed in the results pane of the
Kaspersky Embedded Systems Security node of the Application Console tree. You can use Kaspersky
Embedded Systems Security general settings to indicate a di erent number of days before these events occur.
You can also con gure administrator noti cations about these events.

Kaspersky Embedded Systems Security downloads updates of application databases and modules from
Kaspersky's FTP or HTTP update servers, Kaspersky Security Center Administration Server, or other update
sources.

174
Updates can be downloaded to every protected device, or one protected device can be used as an intermediary
by copying all updates onto it and then distributing them to the protected devices. If you use Kaspersky Security
Center for centralized administration of device protection in an organization, you can use Kaspersky Security
Center Administration Server as an intermediary for downloading updates.

Database Update tasks can be started manually or based on a schedule. By default, Kaspersky Embedded Systems
Security runs the Database Update task every hour.

If the update download process is interrupted or results in an error Kaspersky Embedded Systems Security will
automatically switch back to using the databases from the last installed updates. If the Kaspersky Embedded
Systems Security databases become corrupted, they can be manually rolled back to previously installed updates.

Schemes for updating anti-virus application databases and modules used

within an organization
Selection of an update source in update tasks depends on the scheme used for updating databases and program
modules in the organization.

Kaspersky Embedded Systems Security databases and modules can be updated on the protected devices using
the following schemes:

Download updates directly from the Internet to each protected device (Scheme 1).

Download updates from the Internet to an intermediate device and distribute updates to protected devices
from that device.
Any device with the software listed below installed can serve as an intermediate device:

Kaspersky Embedded Systems Security (Scheme 2).

Kaspersky Security Center Administration Server (Scheme 3).

Updating using an intermediate device not only reduces Internet tra ic, but also provides additional network
protected device security.

The update schemes listed are described below.

Scheme 1. Updating databases and modules directly from the Internet

To con gure Kaspersky Embedded Systems Security updates directly from the Internet:

on each protected device in the settings of the Database Update task and the Software Modules Update task,
specify Kaspersky's update servers as the source of updates.

Other HTTP or FTP servers that have an update folder can be con gured as the update source.

Figure 1: Updating databases and modules directly from the Internet

175
Scheme 2. Updating databases and modules via one of the protected devices

To con gure Kaspersky Embedded Systems Security updates via one of the protected devices:

1. Copy updates to the selected protected device. To do this, perform the following actions:

Con gure the Copying Updates task settings on the selected protected device:

a. Specify Kaspersky's update server as the update source.

b. Specify a shared folder to be used as the folder where updates are saved.

2. Distribute updates to other protected devices. To do this, perform the following actions:

On each protected device, con gure the settings for the Database Update task and the Software Modules
Update task (see the gure below):

a. For the update source, specify a folder on the intermediate device's drive to which updates will be
downloaded.

Kaspersky Embedded Systems Security will obtain updates via one of the protected devices.

Figure 2: Updating databases and modules via one of the protected devices

Scheme 3. Updating databases and modules via Kaspersky Security Center Administration
Server

If Kaspersky Security Center is used for centralized administration of anti-virus device protection, updates can be
downloaded via the Kaspersky Security Center Administration Server installed in the local area network (see the
gure below).

176
Figure 3: Updating databases and modules via Kaspersky Security Center Administration Server

To con gure Kaspersky Embedded Systems Security updates via the Kaspersky Security Center Administration
Server:

1. Download updates from Kaspersky's update servers to Kaspersky Security Center Administration Server. To do
this, perform the following actions:

Con gure the Retrieve Updates by Administration Server task for the speci ed set of protected devices:

a. Specify Kaspersky's update servers as the update source.

2. Distribute updates to protected devices. To do so, perform one of the following actions:

On the Kaspersky Security Center con gure an Anti-Virus database (application module) update group task
to distribute updates to protected devices:

a. In the task schedule specify After Administration Server has retrieved updates as the start frequency.
Administration Server will start the task each time it receives updates (recommended method).

The After Administration Server has retrieved updates start frequency cannot be speci ed in the
Application Console.

On each protected device, con gure the Database Update task and the Software Modules Update task:

a. Specify the Kaspersky Security Center Administration Server as the update source.

b. Con gure the task schedule if necessary.

If Kaspersky Embedded Systems Security anti-virus databases are rarely updated (from once a month
to once a year), the likelihood of detecting threats decreases and the frequency of false alarms raised
by application components increases.

Kaspersky Embedded Systems Security will obtain updates via the Kaspersky Security Center Administration
Server.

177
If you plan to use Kaspersky Security Center Administration Server to distribute updates, install Network Agent (an
application component included in the Kaspersky Security Center distribution kit) on each of the protected
devices. This ensures interaction between the Administration Server and Kaspersky Embedded Systems Security
on the protected device. Detailed information about Network Agent and its con guration using Kaspersky
Security Center is provided in the Kaspersky Security Center Help.

Con guring Update tasks

This section provides instructions on how to con gure Kaspersky Embedded Systems Security update tasks.

Con guring settings for working with Kaspersky Embedded Systems

Security update sources
For each update task except the Rollback of Database Update task, you can specify one or more update sources,
add user-de ned update sources, and con gure the settings for connecting to the speci ed sources.

After update task settings are modi ed, the new settings will not be immediately applied in running update
tasks. The con gured settings will be applied only when the task is restarted.

To specify the type of update source:

1. In the Application Console tree, expand the Update node.

2. Select the child node corresponding to the update task that you want to con gure.

3. Click the Properties link in the results pane of the selected node.
The Task settings window opens on the General tab.

4. In the Update source section, select the type of Kaspersky Embedded Systems Security update source:

Kaspersky Security Center Administration Server

Kaspersky update servers

Custom HTTP or FTP servers, or network folders

5. If required, con gure the advanced settings for user-de ned update sources:

a. Click on the Custom HTTP or FTP servers, or network folders link.

1. In the Update servers window that opens, select or clear the check boxes next to user-de ned update
sources in order to start or stop using them.

2. Click OK.

b. In the Update source section on the General tab, select or clear the Use Kaspersky update servers if
speci ed servers are not available check box.

6. In the Task settings window, select the Connection settings tab to con gure the settings for connecting to
update sources:
178
Clear or select the Use proxy server settings to connect to Kaspersky update servers check box.

Clear or select the Use proxy server settings to connect to other servers check box.

For information about con guring the optional proxy server settings and authentication settings for
accessing the proxy server, see Starting and con guring Kaspersky Embedded Systems Security Database
Update task section.

7. Click OK.

The con gured settings for the Kaspersky Embedded Systems Security update source will be saved and applied
at the next task start.

You can manage the list of user-de ned Kaspersky Embedded Systems Security update sources.

To edit the list of user-de ned application update sources:

1. In the Application Console tree, expand the Update node.

2. Select the child node corresponding to the update task that you want to con gure.

3. Click the Properties link in the results pane of the selected node.
The Task settings window opens on the General tab.

4. Click on the Custom HTTP or FTP servers, or network folders link.

The Update servers window opens.

5. Do the following:

To add a new user-de ned update source, click Add and in the entry eld specify the address of the folder
containing update les on the FTP or HTTP server. Specify a local or network folder in the UNC (Universal
Naming Convention) format. Press ENTER.
By default, the added folder is used as the source of updates.

To disable use of a user-de ned source, clear the check box next to the source in the list.

To enable use of a user-de ned source, select the check box next to the source in the list.

In order to change the order in which Kaspersky Embedded Systems Security accesses user-de ned
update sources, use the Move up and Move down buttons to move the selected source toward the
beginning or end of the list, depending on whether it is to be used before or after other sources.

To change the path to a user-de ned source, select the source in the list and click the Edit button, make the
required changes in the entry eld, and press the ENTER key.

To remove a user-de ned source, select it in the list and click the Remove button.

You cannot delete the only remaining user-de ned source from the list.

6. Click OK.

The changes in the list of user-de ned application update sources will be saved.
179
Optimizing disk I/O when running the Database Update task
When running the Database Update task, Kaspersky Embedded Systems Security stores update les on the
protected device's local disk. You can lower the workload on the protected device's disk I/O subsystem by storing
update les on a virtual drive in RAM when running the update task.

This feature is available for Microsoft Windows 7 operating systems and higher.

When using this feature while running the Database Update task, an extra logical drive may appear in the
operating system. This logical drive will be removed from the operating system after the task is completed.

To lower the workload on your protected devices's disk I/O subsystem during the Database Update task:

1. In the Application Console tree, expand the Update node.

2. Select the Database Update child node.

3. Click the Properties link in the results pane of the Database Update node.
The Task settings window opens on the General tab.

4. In the Disk I/O usage optimization section, de ne the following settings:

Clear or select the Lower the load on the disk I/O check box.

In the RAM used for optimization, MB eld, specify the RAM volume (in MB). The operating system
temporarily allocates the speci ed RAM volume to store update les while running the task. The default
RAM size is 512 MB. The minimum RAM size is 400 MB.
When running the Database Update task with the disk subsystem optimization feature enabled, one of the
following may occur, depending on the amount of RAM allocated for the feature:

If the value is too small, the allocated amount of RAM might be insu icient to complete the database
update task (for example, during the rst update), which will lead to the completion of the task with an
error.
In this case, it is recommended to allocate more RAM for the disk subsystem optimization feature.

If the value is too large, at the start of the Database Update task, it might be impossible to create a
virtual drive of a selected size in RAM. As a result, the disk subsystem optimization feature automatically
disables, and the Database Update task runs without the optimization feature.
In this case, it is recommended to allocate less RAM for the disk subsystem optimization feature.

5. Click OK.

The con gured settings will be saved and applied at the next task start.

Con guring Copying Updates task settings

To con gure the Copying Updates task:

180
1. In the Application Console tree, expand the Update node.

2. Select the Copying Updates child node.

3. Click the Properties link in the results pane of the Copying Updates node.
The Task settings window opens.

4. On the General and Connection settings tabs, con gure the settings for working with update sources.

5. On the General tab in the Copying updates settings section:

Specify the conditions for copying updates:

Copy database updates .

Copy critical software modules updates .

Copy database updates and critical software modules updates .

Specify the local or network folder to which Kaspersky Embedded Systems Security will be distributing
downloaded updates.

6. On the Schedule and Advanced tabs con gure the task start schedule.

7. On the Run as tab, con gure the task to start using a speci c user account.

8. Click OK.

The con gured settings will be saved and applied at the next task start.

Con guring Software Modules Update task settings

To con gure the Software Modules Update task:

1. In the Application Console tree, expand the Update node.

2. Select the Software Modules Update child node.

3. Click the Properties link in the results pane of the Software Modules Update node.
The Task settings window opens.

4. On the General and Connection settings tabs, con gure the settings for working with update sources.

5. On the General tab in the Update settings section, con gure the settings for updating application modules:

Only check for available critical software modules updates

Copy and install critical software modules updates

Allow operating system restart

Receive information about available scheduled software modules updates

181
6. On the Schedule and Advanced tabs, con gure the task start schedule. By default, Kaspersky Embedded
Systems Security runs the Software Modules Update task on a weekly basis on Fridays at 4:00 PM (according
to the regional time settings of the protected device).

7. On the Run as tab, con gure the task to start using a speci c user account.

8. Click OK.

The con gured settings will be saved and applied at the next task start.

Kaspersky does not publish planned update packages on the update servers for automatic installation; these can
be downloaded manually from the Kaspersky website. You can con gure administrator noti cation about the New
critical and scheduled updates are available event; the noti cation will contain the URL of the web page where
scheduled updates can be downloaded.

Rolling back Kaspersky Embedded Systems Security database updates

Before database updates are applied, Kaspersky Embedded Systems Security creates backup copies of the
previously used databases. If an update is interrupted or results in an error, Kaspersky Embedded Systems
Security will automatically return to using the previously installed databases.

If any problems arise after you have updated the databases, they can be rolled back to the previously installed
updates through the Rollback of Database Update task.

To start the Rollback of Database Update task:

click the Start link in the results pane of the Rollback of Application Database Update node.

Rolling back application module updates

The names of settings may vary under di erent Windows operating systems.

Before applying software module updates, Kaspersky Embedded Systems Security creates backup copies of the
modules currently in use. If the module update process is interrupted or results in an error, Kaspersky Embedded
Systems Security will automatically return to using modules from the latest installed updates.

In order to roll back software modules, use the Install and delete applications feature in Microsoft Windows.

Update task statistics

While the update task is running, the real-time information is displayed about the amount of data downloaded
since the task started, as well as other task execution statistics.

When the task is complete or stopped, the information is available in the task log.

To view update task statistics:

1. In the Application Console tree, expand the Update node.

182
2. Select the child node that corresponds to the task whose statistics you want to view.

Task statistics are displayed in the Statistics section of the results pane of the selected node.

If you are viewing the Database Update task or the Copying Updates task, the Statistics section shows the
volume of data downloaded by Kaspersky Embedded Systems Security as of the present moment (Received
data).

The following table contains the details for the Software Modules Update task.

Information about the Software Modules Update task

Field Description

Received data Total amount of downloaded data.

Available critical Number of critical updates available for installation.

updates

Available Number of planned updates available for installation.

scheduled
updates

Errors applying If the value of this eld is non-zero, the update was not applied. The name of the update
updates that resulted in an error can be viewed in the task log.

183
Isolating objects and copying backups
This section provides information about backing up detected malicious objects before they are disinfected or
removed, and information about quarantining probably infected objects.

Isolating probably infected objects. Quarantine

This section describes how to isolate probably infected objects by quarantining them and how to con gure
Quarantine settings.

About quarantining probably infected objects

Kaspersky Embedded Systems Security quarantines probably infected objects by moving such objects from their
original location to the Quarantine folder. For security purposes, objects in the Quarantine folder are stored in
encrypted form.

Viewing quarantine objects

Quarantined objects can be viewed in the Quarantine node of the Application Console.

To view quarantined objects:

1. In the Application Console tree, expand the Storages node.

2. Select the Quarantine child node.

Information about quarantined objects is displayed in the results pane of the selected node.

To nd the desired object in the list of quarantined objects,

sort the objects or lter the objects.

Sorting quarantined objects

By default, objects in the list of quarantined objects are sorted by quarantine date in reverse chronological order.
To nd the desired object you may sort objects by the columns with object information. The sorted results will be
saved if you close and then re-open the Quarantine node, or if you close the Application Console, save the msc
le and then re-open it from this le.

To sort objects:

1. In the Application Console tree, expand the Storages node.

2. Select the Quarantine child node.

184
3. In the results pane of the Quarantine node, select the column heading that you wish to use to sort the objects
in the list.

Objects in the list will be sorted based on the selected setting.

Filtering quarantined objects

To nd the desired quarantined object, you can lter objects in the list, i.e. display only those objects that satisfy
the ltering criteria ( lters) that you specify. The ltered results are saved if you close and then reopen the
Quarantine node or if you close the Application Console, save the msc le and then reopen it from this le.

To specify one or more lters:

1. In the Application Console tree, expand the Storages node.

2. Select the Quarantine child node.

3. Select Filter in the context menu of the node's name.

The Filter settings window opens.

4. To add a lter, perform the following steps:

a. In the Field name list, select the eld that will form the basis of the lter.

b. In the Operator list, select the ltering condition. The ltering conditions in the list may di er depending on
the value you selected in the Field name list.

c. Enter the lter value in the Field value eld or select it from the list.

d. Click the Add button.

The lter you have added will appear in the list of lters in the Filter settings window. Repeat steps a-d for each
lter you add. Use the following guidelines while working with lters:

To combine multiple lters using the logical operator "AND", select If all conditions are met.

To combine multiple lters using the logical operator "OR", select If any condition is met.

To delete a lter, select the lter you wish to delete in the lter list, and click the Remove button.

To edit a lter, select the lter in the list in the Filter settings window. Then change the required values in the
Field name, Operator or Field value elds and click the Replace button.

5. After all lters have been added, click the Apply button.

The created lters will be saved.

To return to displaying all quarantined objects,

select Remove lter in the context menu of the Quarantine node.

Quarantine Scan
185
By default, after each database update, Kaspersky Embedded Systems Security performs the Quarantine Scan
local system task. The task settings are described in the table below. The Quarantine Scan task settings cannot be
modi ed.

You can con gure the task start schedule, start it manually, and modify the permissions of the account used to
start the task.

After scanning quarantined objects following a database update, Kaspersky Embedded Systems Security may
reclassify some of them as not infected: the status of such objects is changed to False alarm. Other objects may
be reclassi ed as infected, in which case Kaspersky Embedded Systems Security handles such objects as
speci ed by the Quarantine Scan task settings: disinfect, or delete if disinfection failed.

Quarantine Scan task settings

Quarantine Scan task Value

setting

Scan scope Quarantine folder

Security settings The same for the entire scan scope; their values are provided in the next
table

Scan settings in the Quarantine Scan task

Security setting Value

Scan objects All objects included in the scan scope

Performance Disabled

Action to perform on infected and other objects Disinfect, delete if disinfection is impossible

Action to perform on probably infected objects Skip

Exclude les No

Do not detect No

Stop scanning if it takes longer than (sec.) Not con gured

Do not scan objects larger than (MB) Not con gured

Scan alternate NTFS streams Enabled

Scan disk boot sectors and MBR Disabled

Use iChecker technology Disabled

Use iSwift technology Disabled

Scan compound objects Archives*

SFX archives*

Packed objects*

Embedded OLE objects*

* Scan only new and modi ed les is disabled.

Check Microsoft signature in les Not performed

Use heuristic analyzer Enabled with Deep analysis level

Trusted Zone Not applied

186
Restoring quarantined objects
Kaspersky Embedded Systems Security places probably infected objects into the Quarantine folder in encrypted
form to shield the protected device against any possible harmful e ects.

You can restore any object from Quarantine. This may be required in the following cases:

After a Quarantine Scan using an updated database, the status of the object changes to False alarm or
Disinfected.

You consider the object harmless for the protected device and want to use it. If you do not want Kaspersky
Embedded Systems Security to isolate the object during the subsequent scans, you can exclude the object
from processing in the Real-Time File Protection task and On-Demand Scan tasks. To do this, specify the
object in the Exclude les (by lename) or Do not detect security setting in those tasks, or add it to the
Trusted Zone.

When you restore objects you can select where the object being restored will be saved: the original location
(default), special folder for restored objects on the protected device, or custom folder on the protected device
where the Application Console is installed or on another device in the network.

You can specify the folder used for storing restored objects on the protected device. You can con gure special
security settings for it to be scanned. The path to this folder is set by the Quarantine settings.

Restoring objects from Quarantine may lead to protected device infection.

You can restore the object and save a copy of it in the Quarantine folder to use later, for example, to rescan the
object after the database has been updated.

If a quarantined object was contained in a compound object (for example, in an archive), Kaspersky Embedded
Systems Security will not include the quarantined object into the compound object during the restoration,
rather the quarantined object will be saved separately into a selected folder.

You can restore one or more objects.

To restore quarantined objects, perform the following steps:

1. In the Application Console tree, expand the Storages node.

2. Select the Quarantine child node.

3. Perform one of the following actions in the results pane of the Quarantine node:

To restore one object, select Restore from the context menu of the object that you want to restore.

To restore multiple objects, select the objects you wish to restore using the CTRL or SHIFT key, right-click
one of the selected objects, and select Restore from the context menu.

The Restore object window opens.

4. In the Restore object window, specify the folder in which the object being restored will be saved for each
selected object.

187
The name of the object is displayed in the Object eld in the upper part of the window. If you selected
several objects, the name of the rst object in the list of selected objects will be displayed.

5. Perform one of the following steps:

To restore an object to its original location, select Restore to the source folder.

To restore an object to the folder speci ed as the location for restored objects in the settings, select
Restore to the default folder for restoration.

To save an object to a di erent folder on the protected device where the Application Console is installed or
to a shared folder, select Restore to folder on your local computer and then select the required folder or
specify the path to it.

6. If you want to save a copy of the object in the Quarantine folder after the object is restored, clear the Remove
objects from storage after they are restored check box.

7. To apply the speci ed restoration conditions to the rest of the selected objects, check the Apply to all
selected objects box.
All selected objects are restored and saved in the speci ed location. If you selected Restore to the source
folder, each of the objects will be saved in its original location; if you selected Restore to the default folder for
restoration or Restore to folder on your local computer, all objects will then be saved in one speci ed folder.

8. Click OK.
Kaspersky Embedded Systems Security will start restoring the rst of the selected objects.

9. If an object with this name already exists in the speci ed location, the Object with this name already exists
window opens.

a. Select one of the following Kaspersky Embedded Systems Security actions:

Replace, to replace the existing object with the restored object.

Rename, to save the restored object under a di erent name. In the entry eld, enter the new restored
object's lename and full path.

Rename by adding su ix, to rename the restored object by adding a su ix to its lename. Enter the
su ix in the entry eld.

b. If you selected several objects to be restored, then select the Apply to all selected objects check box to
apply the selected action (Replace or Rename) to the rest of the selected objects. If you selected Rename,
the Apply to all selected objects check box will be unavailable.

c. Click OK.

The object will be restored. Information about the restoration operation will be recorded in the system audit log.
If you did not select Apply to all selected objects in the Restore object window, the Restore object window
may open again. Use this window to specify the location where the next selected object will be saved (see Step
4 of this procedure).

Moving objects to Quarantine

188
You can quarantine les manually.

To quarantine a le:

1. In the Application Console tree, open the context menu of the Quarantine node.

2. Select Add.

3. In the Open window, select the le on the disk that you wish to quarantine.

4. Click OK.

Kaspersky Embedded Systems Security will quarantine the selected le.

Deleting objects from Quarantine

Based on the Quarantine Scan task settings, Kaspersky Embedded Systems Security automatically deletes
objects from the Quarantine folder if their status changed to Infected during a Quarantine Scan with updated
databases and if Kaspersky Embedded Systems Security failed to disinfect them. Kaspersky Embedded Systems
Security does not remove other objects from Quarantine.

One or more objects can be deleted from Quarantine.

To delete one or more objects from Quarantine:

1. In the Application Console tree, expand the Storages node.

2. Select the Quarantine child node.

3. Perform one of the following steps:

To remove one object, select Remove in the context menu of the name of the object.

To delete multiple objects, select the objects that you want to delete using the Ctrl or Shift key, open the
context menu on any one of the selected objects, and select Remove.

4. In the con rmation window, click the Yes button to con rm the operation.

The selected objects will be removed from Quarantine.

Sending probably infected objects to Kaspersky for analysis

If the behavior of a le gives you a reason to suspect that it contains a threat, and Kaspersky Embedded Systems
Security considers the le to be clean, you may have encountered an unknown threat whose signature has not yet
been added to the databases. You can send this le to Kaspersky for analysis. Kaspersky's Anti-Virus analysts will
analyze it and, if they detect a new threat, will add a record identifying it in the databases. When you rescan the
object after the database has been updated, it is likely that Kaspersky Embedded Systems Security will identify
the object as infected and will be able to disinfect it. You will not only be able to keep the object, but will also
prevent a virus outbreak.

Only quarantined les can be sent for analysis. Quarantined les are stored in encrypted form and are not deleted
by the Anti-Virus application installed on the mail server when they are sent.

189
A quarantined object cannot be sent to Kaspersky for analysis after the license expires.

To send a le for analysis to Kaspersky:

1. If the le was not quarantined, rst move it into Quarantine.

2. In the Quarantine node, open the context menu on the le you want to send for analysis and select Send
object for analysis in the context menu.

3. In the con rmation window that opens, click Yes if you are sure you want to send the selected object for
analysis.

4. If a mail client is con gured on the protected device on which the Application Console is installed, a new email
message is created. Review it and click the Send button.
The Receiver eld contains the Kaspersky email address [email protected]. The Subject eld will
contain the text "Quarantined object".
The body of the message will contain the following text: "This le will be sent to Kaspersky for analysis". Any
additional information about the le, why you considered it probably infected or dangerous, how it behaves, or
how it a ects the system, can be included in the body of the message.
An archive named <object name>.cab will be attached to the message. This archive will contain a <uuid>.klq le
with the object in encrypted form, a <uuid>.txt le with information about the object extracted by Kaspersky
Embedded Systems Security, and a Sysinfo.txt le, which contains the following information about Kaspersky
Embedded Systems Security and the operation system installed on the protected device:

Name and version of the operating system.

Name and version of Kaspersky Embedded Systems Security.

Release date of the latest database update installed.

Active key.

This information is required by Kaspersky's anti-virus analysts to analyze your le faster and more e iciently.
However, if you do not wish to send this information, you can delete the Sysinfo.txt le from the archive.

If a mail client is not installed on the protected device with the Application Console, the application prompts you to
save the selected encrypted object to le. This le can be sent to Kaspersky manually.

To save an encrypted object to a le:

1. In the window that opens with a prompt to save the object, click OK.

2. Select a folder on the drive of the protected device or a network folder where the le containing the object will
be saved.

The object will be saved to a CAB le.

Con guring Quarantine settings

You can con gure Quarantine settings. New Quarantine settings are applied immediately after saving.

To con gure Quarantine settings:

190
1. In the Application Console tree, expand the Storages node.

2. Open the context menu of the Quarantine child node.

3. Select Properties.

4. In the Quarantine Properties window, con gure the necessary Quarantine settings in accordance with your
requirements:

In the Quarantine settings section:

Quarantine folder

Maximum Quarantine size (MB)

Threshold value for space available (MB)

If the size of objects in Quarantine exceeds the maximum quarantine size or exceeds the available
space threshold, Kaspersky Embedded Systems Security will notify you about this while continuing to
place objects in Quarantine.

In the Restoration settings section:

Target folder for restoring objects

5. Click OK.

The newly con gured Quarantine settings will be saved.

Quarantine statistics
You can view information about the number of quarantined objects, i.e. quarantine statistics.

To view quarantine statistics,

in the context menu of the Quarantine node in the Application Console tree, select Statistics.

The Quarantine statistics window displays information about the number of objects currently stored in
Quarantine (see the following table):

Field Description

Probably Number of objects found by Kaspersky Embedded Systems Security to be probably

infected infected.
objects

Used Total amount of data in the Quarantine folder.

quarantine
space

False alarms The number of objects that received False alarm status because they were classi ed as
non-infected during a Quarantine Scan using updated databases.

Objects The number of objects that received Disinfected status after the Quarantine Scan.

191
disinfected

Total number Total number of objects in Quarantine.

of objects

Making backup copies of objects. Backup

This section provides information about backup of detected malicious objects before disinfection or deletion, as
well as instructions for con guring Backup.

About backing up objects before disinfection or deletion

Kaspersky Embedded Systems Security stores encrypted copies of objects classi ed as Infected in Backup
before disinfecting or deleting them.

If the object is a part of a compound object (for example, part of an archive), Kaspersky Embedded Systems
Security will save the compound object in its entirety in Backup. For example, if Kaspersky Embedded Systems
Security has detected that one of the objects from a mail database is infected, it will back up the entire mail
database.

Large objects placed in Backup by Kaspersky Embedded Systems Security can slow down the system and
reduce available disk space on the hard drive.

Files can be restored from Backup either to their original folder or to a di erent folder on the protected device or
on another device in the local area network. A le can be restored from Backup, for example, if an infected le
contains important information, but Kaspersky Embedded Systems Security is unable to disinfect it without
damaging its integrity and losing the information.

Restoring les from Backup may lead to protected device infection.

Viewing objects stored in Backup

Objects can be viewed in the Backup folder only by using the Application Console in the Backup node. They
cannot be viewed using Microsoft Windows le managers.

To view the objects in Backup,

1. In the Application Console tree, expand the Storages node.

2. Select the Backup child node.

Information about objects placed in Backup is displayed in the results pane of the selected node.

To nd the necessary object in the list of objects in Backup,

sort the objects or lter the objects.

192
Sorting les in Backup
By default, les in Backup are sorted by the backup date in reverse chronological order. To nd the desired le, you
can sort les according to the content of any column in the results pane.

The sorted results are saved if you close and then reopen the Backup node or if you close the Application
Console, save the msc le and then reopen it from this le.

To sort les in Backup:

1. In the Application Console tree, expand the Storages node.

2. Select the Backup child node.

3. In the list of les in Backup, select the column heading which you want to use to sort the objects.

Files in Backup will be sorted based on the selected criterion.

Filtering les in Backup

To nd the desired le in Backup you can lter les: display in the Backup node only those les which satisfy the
ltering criteria you have speci ed ( lters).

The sorting result will be saved if you close and then re-open the Backup node or if you close the Application
Console, save the msc le and then re-open it from this le.

To lter les in Backup:

1. In the Application Console tree, open the context menu of the Backup node and select Filter.
The Filter settings window opens.

2. To add a lter, perform the following steps:

a. In the Field name list, select the eld that will form the basis of the lter.

b. In the Operator list select the ltering condition. The ltering conditions in the list may di er depending on
the value you selected in the Field name eld.

c. Enter the lter value in the Field value eld or select a lter value.

d. Click the Add button.

The lter you added will appear in the list of lters in the Filter settings window. Repeat these steps for each
lter you add. The following guidelines can be used while working with lters:

To combine multiple lters using the logical operator "AND", select If all conditions are met.

To combine multiple lters using the logical operator "OR", select If any condition is met.

To delete a lter, select the lter you wish to delete in the lter list, and click the Remove button.

193
To edit the lter, select it from the lter list in the Filter settings window, modify the required values in the
Field name, Operator or Field value elds and click the Replace button.

When all lters have been added, click the Apply button. Only les that match the lters you have speci ed will
be displayed in the list.

To display all les included in the list of objects stored in Backup,

select Remove lter in the context menu of the Backup node.

Restoring les from Backup

Kaspersky Embedded Systems Security stores les in the Backup folder in encrypted form to shield the protected
device against possible harmful e ects.

Any le can be restored from Backup.

A le may need to be restored in the following cases:

The original infected le contained important information and Kaspersky Embedded Systems Security failed to
keep its integrity so, as a result, the information in the le became unavailable.

You consider the le harmless to the protected device and want to use it. If you do not want Kaspersky
Embedded Systems Security to consider this le infected or probably infected, during subsequent scans you
can exclude it from processing in the Real-Time File Protection task and On-Demand Scan tasks. To do this,
specify the le in the Exclude les setting or the Do not detect setting in the corresponding tasks.

Restoring les from Backup may lead to protected device infection.

When you restore a le you can select where it will be saved: the original location (default), the special folder for
restored objects on the protected device, or a custom folder on the protected device where the Application
Console is installed or another device in the network.

You can specify the folder for storing restored objects on the protected device. You can con gure special security
settings for it to be scanned. The path to this folder is speci ed by Backup settings.

By default when Kaspersky Embedded Systems Security restores a le, it makes a copy of it in Backup. The le
copy can be deleted from Backup after it is restored.

To restore les from Backup:

1. In the Application Console tree, expand the Storages node.

2. Select the Backup child node.

3. Perform one of the following actions in the results pane of the Backup node:

To restore one object, select Restore from the context menu of the object that you want to restore.

To restore multiple objects, select the objects you wish to restore using the CTRL or SHIFT key, right-click
one of the selected objects, and select Restore from the context menu.

The Restore object window opens.

194
4. In the Restore object window, specify the folder in which the object being restored will be saved for each
selected object.

The name of the object is displayed in the Object eld in the upper part of the window. If you selected
several objects, the name of the rst object in the list of selected objects will be displayed.

5. Perform one of the following steps:

To restore an object to its original location, select Restore to the source folder.

To restore an object to the folder speci ed as the location for restored objects in the settings, select
Restore to the default folder for restoration.

6. If you do not want to save a copy of the le in the Backup folder after it is restored, select the Remove objects
from storage after they are restored check box (by default, this check box is cleared).

8. Click OK.
Kaspersky Embedded Systems Security will start restoring the rst of the selected objects.

9. If an object with this name already exists in the speci ed location, the Object with this name already exists
window opens.

a. Select one of the following Kaspersky Embedded Systems Security actions:

Replace, to replace the existing object with the restored object.

Rename, to save the restored object under a di erent name. In the entry eld, enter the new restored
object's lename and full path.

Rename by adding su ix, to rename the restored object by adding a su ix to its lename. Enter the
su ix in the entry eld.

c. Click OK.

The object will be restored. Information about the restoration operation will be recorded in the system audit log.

If you did not select Apply to all selected objects in the Restore object window, the Restore object window may
open again. Use this window to specify the location where the next selected object will be saved (see Step 4 of
this procedure).

195
Deleting les from Backup
To delete one or more les from Backup:

1. In the Application Console tree, expand the Storages node.

2. Select the Backup child node.

3. Perform one of the following steps:

To remove one object, select Remove in the context menu of the name of the object.

To delete multiple objects, select the objects that you want to delete using the Ctrl or Shift key, open the
context menu on any one of the selected objects, and select Remove.

4. In the con rmation window, click the Yes button to con rm the operation.

The selected les will be deleted from Backup.

Con guring Backup settings

To con gure Backup settings:

1. In the Application Console tree, expand the Storages node.

2. Open the context menu of the Backup child node.

3. Select Properties.

4. In the Backup Properties window, con gure the necessary Backup settings in accordance with your
requirements:
In the Backup settings section:

Backup folder

Maximum Backup size (MB)

Threshold value for space available (MB)

If the size of objects in Backup exceeds the maximum Backup size or exceeds the available space
threshold, Kaspersky Embedded Systems Security will notify you about this while continuing to place
objects in Backup.

In the Restoration settings section:

Target folder for restoring objects

5. Click OK.

The con gured Backup settings will be saved.

196
Backup statistics
You can view information about the current status of Backup, i.e. Backup statistics.

To view Backup statistics,

open the context menu on the Backup node in the Application Console tree and select Statistics. The Backup
statistics window opens.

The Backup statistics window displays information about the current Backup status (see the table below).

Information about the current Backup status

Field Description

Current Backup size Amount of data in the Backup folder; the application calculates the le size in
encrypted form

Total number of Current total number of objects in Backup

objects

Blocking access to network resources. Blocked Hosts

This section describes how to block remote devices and con gure the Blocked Hosts storage settings.

About the Blocked Hosts storage

The Blocked Hosts storage is installed by default if any of the following components is installed: Real-Time File
Protection, Network Threat Protection. These components discover remote hosts' attempts to encrypt, open or
execute objects on the protected device or network attached storage shared folders in accordance with the list of
blocked hosts. Information about blocked hosts from all protected devices is sent to the Kaspersky Security
Center. Kaspersky Embedded Systems Security blocks access to protected device shared folders or network
attached storage folders for all remote hosts in the list of blocked hosts.

The Blocked Hosts storage is populated when at least one of the following tasks is started in active mode (under
speci ed conditions):

For the Real-Time File Protection task: malicious activity by a device accessing network le resources is
detected and in the Real-Time File Protection task settings the Block access to network shared resources for
the hosts that show malicious activity check box is selected.

For the Network Threat Protection task: activity typical of network attacks is detected.

After malicious activity or an encryption attempt is detected, the task sends information about the attacking host
to the Blocked Hosts storage and the application creates a Warning event for the host blocking. Any attempts by
this host to access the protected shared network folders will be blocked.

If the locally unique identi er (LUID) of an attacking host is added to the list of blocked hosts, Kaspersky
Embedded Systems Security determines the IP address of this host and adds it to the list of blocked hosts instead
of the LUID of the attacking host.

197
By default, Kaspersky Embedded Systems Security removes blocked hosts from the list 30 minutes after they
were added to the list. Computers' access to network le resources is restored automatically after they are
deleted from the list of blocked hosts. You can specify the period of time after which blocked hosts are
automatically unblocked.

Note that when you restrict access to storage management for any user account, the Blocked Hosts storage
will still be available. The Blocked Hosts settings cannot be changed unless the selected user account has Edit
permissions for managing Kaspersky Embedded Systems Security.

Managing Blocked Hosts via the Administration Plug-in

In this section, learn how to con gure the Blocked Hosts storage settings via the Administration Plug-in interface.

Enabling untrusted hosts blocking

To add hosts showing any malicious or encrypting activity to the Blocked Hosts storage and block access to
network le resources for those hosts, at least one of the following tasks must run in the active mode:

Real-Time File Protection

Network Threat Protection

Con gure the Real-Time File Protection task:

1. In the Kaspersky Security Center Administration Console tree, expand the Managed devices node.

2. Select the Policies tab and open <Policy name> >Real-Time Computer Protection > Settings in the Real-Time
File Protection block.
The Real-Time Computer Protection window opens.

3. In the Integration with other components section, select the List hosts showing malicious activity as
untrusted check box if you want Kaspersky Embedded Systems Security to block access to network le
resources for hosts on which malicious activity is detected while the Real-Time File Protection task is running.

4. If the task has not been started, open the Task management tab:

a. Select the Run by schedule check box.

b. Select the At application launch frequency in the drop-down list.

5. In the Real-Time Computer Protection window, click OK.

The newly con gured settings are saved.

Con gure the Network Threat Protection task:

1. Expand the Managed devices node in the Kaspersky Security Center Administration Console tree.

2. Select the administration group for which you want to con gure the task.
198
3. Select the Policies tab.

4. Double-click the policy name you want to con gure.

5. In the Properties: <Policy name> window that opens, select the section.

6. Click the Settings button in the Network Threat Protection subsection.

The Network Threat Protection window opens.

7. Open the General tab.

8. In the Processing mode section select the Block connections when attack is detected processing mode.

The check box enables or disables adding hosts showing activity typical of network attacks to the list of
blocked hosts.
If this mode is selected, Kaspersky Embedded Systems Security scans inbound network tra ic for activity
that is typical of network attacks, logs events about detected activity, and adds IP addresses of hosts
showing activity typical of network attacks to the list of blocked hosts.
The mode is selected by default.
You can view the list of blocked hosts in the Blocked Hosts storage.

You can restore access to blocked hosts, and specify the number of days, hours and minutes after which
hosts regain access to network le resources after being blocked by con guring the Blocked Hosts
storage settings.

9. If the task has not been started, open the Task management tab:

a. Select the Run by schedule check box.

b. Select the At application launch frequency in the drop-down list.

10. In the window, click OK.

11. The newly con gured settings are saved.

Con guring Blocked Hosts settings

To con gure the Blocked Hosts storage:

1. Expand the Managed devices node in the Kaspersky Security Center Administration Console tree.

2. Select the administration group for which you want to con gure application settings.

3. Perform one of the following actions in the details pane of the selected administration group:

To con gure application settings for a group of protected devices, select the Policies tab and open the
Properties: <Policy name> window.

To con gure the application for a single protected device, select the Devices tab and open the Application
settings window.

199
If an active Kaspersky Security Center policy is applied to a device and blocks changes to application
settings, then these settings cannot be edited in the Application settings window.

4. In the Supplementary section, click the Settings button in the Storages subsection.
The Storages settings window is displayed.

5. In the Host blocking terms section of the Blocked Hosts Storage tab, specify the number of days, hours and
minutes after which blocked hosts regain access to network le resources after being blocked.

6. Click OK.

Managing Blocked Hosts via the Application Console

In this section, learn how to con gure the Blocked Hosts storage settings via the Application Console interface.

Enabling untrusted hosts blocking

To add hosts showing any malicious or encryption activity to the Blocked Hosts storage and block access to
network le resources for those hosts, at least one of the following tasks must be running in active mode:

Real-Time File Protection

Network Threat Protection

Con gure the Real-Time File Protection task:

1. In the Application Console tree, expand the Real-Time Computer Protection node.

2. Select the Real-Time File Protection child node.

3. Click the Properties link in the results pane.

The Task settings window opens.

4. In the Deep section, select the Block access to network shared resources for the hosts that show malicious
activity check box if you want Kaspersky Embedded Systems Security to block hosts on which malicious
activity is detected while the Real-Time File Protection task is running.

5. If the task has not been started, open the Schedule tab:

a. Select the Run by schedule check box.

b. Select the At application launch frequency in the drop-down list.

6. In the Task settings window, click OK.

The newly con gured settings are saved.

Con gure the Network Threat Protection task:

200
1. In the Application Console tree, expand the Real-Time Computer Protection node.

2. Select the Network Threat Protection child node.

3. Click the Properties link in the details pane of the Network Threat Protection node.

4. The Task settings window opens.

5. Open the General tab.

6. In the Processing mode section select the Block connections when attack is detected processing mode.

7. Select or clear the Don't stop tra ic analysis when the task is not running check box.

If this check box is selected, when Network Threat Protection task is stopped, Kaspersky Embedded
Systems Security scans inbound network tra ic for activity that is typical of network attacks and blocks
network activity from the attacking computer depending on the selected processing mode.
If this check box is cleared, when Network Threat Protection task is stopped, Kaspersky Embedded
Systems Security doesn't scan inbound network tra ic for activity that is typical of network attacks and
doesn't block network activity from the attacking computer.
The check box is cleared by default.

8. If the task has not been started, open the Schedule tab:

a. Select the Run by schedule check box.

b. Select the At application launch frequency in the drop-down list.

9. In the Task settings window, click OK.

The newly con gured settings are saved.

Con guring Blocked Hosts settings

To con gure the Blocked Hosts storage:

1. In the Application Console tree, expand the Storages node.

2. Open the context menu of the Blocked Hosts child node.

201
3. Select the Properties menu option.
The Blocked hosts storage settings window is displayed.

4. In the Host blocking term section, specify the number of days, hours and minutes after which blocked hosts
regain access to network le resources after being blocked.

5. Click OK.

6. To restore access for all blocked hosts:

a. Open the context menu of the Blocked Hosts child node.

b. Select the Unblock all option.

All hosts will be removed from the list and unblocked.

7. To remove several hosts from the list of blocked hosts:

a. In the list of blocked hosts, which is displayed in the results pane, select one or more hosts.

b. Open the context menu of the Blocked Hosts child node.

c. Select the Unblock selected option.

The selected hosts are unblocked.

Managing Blocked Hosts via the Web Plug-in

In this section, learn how to con gure the Blocked Hosts storage settings via the Web Plug-in interface.

Enabling hosts blocking

Real-Time File Protection

Network Threat Protection

Con gure the Real-Time File Protection task:

1. In the main window of Web Console, select Devices → Policies & pro les.

2. Click the policy name you want to con gure.

3. In the <Policy name> window that opens select the Application settings tab.

4. Select the Real-time computer protection section.

5. Click Settings in the Real-Time File Protection subsection.

202
6. In the Integration with other components section, select the Block access to network shared resources for
the hosts that show malicious activity check box if you want Kaspersky Embedded Systems Security to block
access to network le resources for hosts on which malicious activity is detected while the Real-Time File
Protection task is running.

7. If the task has not been started, open the Task management tab:

a. Select the Run by schedule check box.

b. Select the At application launch frequency in the drop-down list.

8. Click Save.

The newly con gured settings are saved.

Con guring Blocked Hosts settings

To con gure the Blocked Hosts storage:

1. In the main window of Web Console, select Devices → Policies & pro les.

2. Click the policy name you want to con gure.

3. In the <Policy name> window that opens select the Application settings tab.

4. Select the Supplementary section.

5. Click Settings in the Storages subsection.

6. In the Supplementary section, click the Settings button in the Storages subsection.
The Storages window is displayed.

7. In the Host blocking term section of the Blocked Hosts Storage tab, specify the number of days, hours and
minutes after which blocked hosts regain access to network le resources after being blocked.

8. Click OK.

203
Event registration. Kaspersky Embedded Systems Security logs
This section provides information about working with Kaspersky Embedded Systems Security logs: the system
audit log, task execution logs, and the event log.

Ways to register Kaspersky Embedded Systems Security events

Events of Kaspersky Embedded Systems Security are divided into two groups:

Events related to the processing of objects in Kaspersky Embedded Systems Security tasks.

Events related to the administration of Kaspersky Embedded Systems Security, such as starting the
application, creating or deleting tasks, or editing task settings.

Kaspersky Embedded Systems Security uses the following methods to log events:

Task logs. A task log contains information about the current task status and events that occurred during task
execution.

System audit log. The system audit log contains information about events related to the administration of
Kaspersky Embedded Systems Security.

Event Log. The Event Log contains information about events required to diagnose failures in the operation of
Kaspersky Embedded Systems Security. The Event Log is available in Microsoft Windows Event Viewer.

Security log. The Security log contains information about events associated with security breaches or
attempted security breaches on the protected device.

If a problem occurs during operation of Kaspersky Embedded Systems Security (for example, Kaspersky
Embedded Systems Security or an individual task terminates abnormally or does not start), you can create a trace
le and a dump le of Kaspersky Embedded Systems Security processes and send les with this information to
Kaspersky Technical Support for analysis in order to diagnose the problem.

Kaspersky Embedded Systems Security does not send any trace or dump les automatically. Diagnostic data
can only be sent by a user who has the required permissions.

Files that can be downloaded by the following links contain tables with the full lists of Kaspersky Embedded
Systems Security events of the following categories:

Events that Kaspersky Embedded Systems Security writes to the Event Log.

DOWNLOAD KESS-WEL-EVENTS.ZIP

Events that Kaspersky Embedded Systems Security sends to the Administration Server.

DOWNLOAD KESS-KSC-EVENTS.ZIP
204
System audit log
Kaspersky Embedded Systems Security performs a system audit of events related to the administration of
Kaspersky Embedded Systems Security. The application logs information about, for example, start of the
application, starts and stops of Kaspersky Embedded Systems Security tasks, changes in task settings, and
creation and deletion of On-Demand Scan tasks. Records of all those events are displayed in the results pane
when you select the System audit log node in the Application Console.

By default Kaspersky Embedded Systems Security stores records in the system audit log for an unlimited period of
time. You specify the storage period for records in the system audit log.

You can specify a folder that Kaspersky Embedded Systems Security will use to store les containing system audit
log other than the default one.

Sorting events in the system audit log

By default, events in the system audit log node are displayed in reverse chronological order.

Events can be sorted by the contents of any column except the Event column.

To sort events in the system audit log:

1. In the Application Console tree, expand the Logs and noti cations node.

2. Select the System audit log child node.

3. In the results pane, select the header of the column that you want to use to sort the events in the list.

The sorted results will be saved for the next time you view the system audit log.

Filtering events in the system audit log

You can con gure the system audit log to display only the records of events that meet the ltering conditions
( lters) that you have speci ed.

To lter events in the system audit log:

1. In the Application Console tree, expand the Logs and noti cations node.

2. Open the context menu of the System audit log child node and select Filter.
The Filter settings window opens.

3. To add a lter, perform the following steps:

a. In the Field name, select a column to lter events.

b. In the Operator list, select the ltering condition. Filtering conditions vary depending on the item selected in
the Field name list.

205
c. In the Field value, select a value for the lter.

d. Click the Add button.

The lter you added will appear in the list of lters in the Filter settings window.

4. If necessary, perform one of the following actions:

To combine multiple lters using the logical operator "AND", select If all conditions are met.

To combine multiple lters using the logical operator "OR", select If any condition is met.

5. Click the Apply button to save the ltering conditions in the system audit log.
The list of events of the system audit log displays only events that meet the ltering conditions. The ltered
results will be saved for the next time you view the system audit log.

To disable the lter:

1. In the Application Console tree, expand the Logs and noti cations node.

2. Open the context menu of the System audit log child node and select Remove lter.
The list of events of the system audit log will then display all events.

Deleting events from the system audit log

By default, Kaspersky Embedded Systems Security stores records in the system audit log for an unlimited period
of time. You can specify the storage period for records in the system audit log.

You can manually delete all events from the system audit log.

To delete events from the system audit log:

1. In the Application Console tree, expand the Logs and noti cations node.

2. Open the context menu of the System audit log child node and select Clear.

3. Perform one of the following steps:

If you want to save the log contents as a le in CSV or TXT format before deleting events from the system
audit log, click the Yes button in the deletion con rmation window. In the window that opens, specify the
name and location of the le.

If you do not want to save the log contents as a le, click the No button in the deletion con rmation window.

The system audit log will be cleared.

Task logs
This section provides information about Kaspersky Embedded Systems Security task logs and instructions on how
to manage them.

206
About task logs
Information about the execution of Kaspersky Embedded Systems Security tasks is displayed in the results pane
when you select the Task logs node in the Application Console.

In the log of each task, you can view task execution statistics, details of each of the objects that have been
processed by the application since the task started, and task settings.

By default, Kaspersky Embedded Systems Security stores records in task logs for 30 days after a task is done. You
can change the storage period for records in task logs.

You can specify a folder that Kaspersky Embedded Systems Security will use to store les containing task logs
other than the default one. You can also select events that Kaspersky Embedded Systems Security will record in
task logs.

Viewing the list of events in task logs

To view task logs:

1. In the Application Console tree, expand the Logs and noti cations node.

2. Select the Task logs subnode.

The list of events saved in Kaspersky Embedded Systems Security task logs will be displayed in the results pane.

Events can be sorted by any column or ltered.

Sorting task logs

By default, task logs are displayed in reverse chronological order. They can be sorted by any column.

To sort task logs:

1. In the Application Console tree, expand the Logs and noti cations node.

2. Select the Task logs subnode.

3. In the results pane, select the header of the column that you want to use to sort Kaspersky Embedded Systems
Security task logs.

The sorted results will be saved for the next time you view the task logs.

Filtering task logs

You can con gure the list of task logs to display only the task logs that meet the ltering conditions ( lters) that
you have speci ed.

To lter task logs:

207
1. In the Application Console tree, expand the Logs and noti cations node.

2. Open the context menu of the Task logs child node and select Filter.
The Filter settings window opens.

3. To add a lter, perform the following steps:

a. In the Field name, select a column to lter task logs.

b. In the Operator list, select the ltering condition. Filtering conditions vary depending on the item selected in
the Field name list.

c. In the Field value, select a value for the lter.

d. Click the Add button.

The lter you added will appear in the list of lters in the Filter settings window.

4. If necessary, perform one of the following actions:

To combine multiple lters using the logical operator "AND", select If all conditions are met.

To combine multiple lters using the logical operator "OR", select If any condition is met.

5. Click the Apply button to save the ltering conditions in the list of task logs.

The list of task logs displays only task logs that meet the ltering conditions. The ltered results will be saved for
the next time you view the task logs.

To disable the lter:

1. In the Application Console tree, expand the Logs and noti cations node.

2. Open the context menu of the Task logs child node and select Remove lter.

The list of task logs will then display all task logs.

Viewing statistics and information about a Kaspersky Embedded Systems

Security task in task logs
In task logs, you can view detailed information about all events that have occurred in tasks since they started, as
well as task execution statistics and task settings.

To view statistics and information about a Kaspersky Embedded Systems Security task:

1. In the Application Console tree, expand the Logs and noti cations node.

2. Select the Task logs subnode.

3. In the results pane, open the Logs window using one of the following methods:

Double-click the task log you want to view.

208
Open the context menu of the task log you want to view and select View log.

4. In the window that opens, the following details are displayed:

The Statistics tab displays the time of task start and completion, as well as task statistics.

The Events tab displays a list of events logged during task execution.

The Options tab displays the task settings.

5. If necessary, click the Filter button to lter the events in the task log.

6. If necessary, click the Export button to export data from the task log into a le in CSV or TXT format.

7. Click the Close button.

The Logs window will be closed.

Exporting information from a task log

You can export data from a task log into a le in CSV or TXT format.

To export data from a task log:

1. In the Application Console tree, expand the Logs and noti cations node.

2. Select the Task logs subnode.

3. In the results pane, open the Logs window using one of the following methods:

Double-click the task log you want to view.

Open the context menu of the task log you want to view and select View log.

4. In the lower part of the Logs window, click the Export button.
The Save as window opens.

5. Specify the name, location, type, and encoding of the le to which you want to export data from the task log.

6. Click the Save button.

The speci ed settings are saved.

Deleting task logs

By default, Kaspersky Embedded Systems Security stores records in task logs for 30 days after a task is done. You
can change the storage period for records in task logs.

You can manually delete task logs that are already complete.

209
Events from the logs of tasks that are currently running and tasks being used by other users will not be
deleted.

To delete the task logs:

1. In the Application Console tree, expand the Logs and noti cations node.

2. Select the Task logs subnode.

3. Perform one of the following steps:

If you want to delete the logs of all tasks that are already complete, open the context menu of the Task logs
child node and select Clear.

If you want to clear the log of an individual task, in the results pane, open the context menu the task log you
want to clear, and select Remove.

If you want to clear the logs of several tasks:

a. In the results pane, use the Ctrl or Shift key to select the task logs you want to clear.

b. Open the context menu of any selected task log and select Remove.

4. Click the Yes button in the deletion con rmation window to con rm that you want to delete the logs.

The task logs that you selected will be cleared. The deletion of task logs will be recorded in the system audit log.

Security log
Kaspersky Embedded Systems Security maintains a log of events associated with security breaches or attempted
security breaches on the protected device. The following events are recorded in this log:

Exploit Prevention events.

Critical Log Inspection events.

Critical events that indicate an attempted security breach (for the Real-Time Computer Protection, On-
Demand Scan, File Integrity Monitor, Applications Launch Control, and Device Control tasks).

You can clear the Security log as well as the system audit log. Moreover, Kaspersky Embedded Systems Security
records a system audit event when the Security log is cleared.

Viewing the event log of Kaspersky Embedded Systems Security in Event

Viewer
You can view the event log of Kaspersky Embedded Systems Security using the Microsoft Windows Event Viewer
snap-in for Microsoft Management Console. The log contains events registered by Kaspersky Embedded Systems
Security and required to diagnose failures in its operation.

Events that will be registered in the event log can be selected based on the following criteria:

210
by event types.

by level of detail. The level of detail corresponds to the importance level of the events registered in the log
(informational, important, or critical events). The most detailed is the Informational level, which registers all
events. The least detailed is the Critical level, which registers only critical events.

To view the Kaspersky Embedded Systems Security event log:

1. Click the Start button, enter the mmc command at the search bar, and press ENTER.
Microsoft Management Console opens.

2. Select File > Add or remove snap-in.

The Add or remove snap-ins window opens.

3. In the list of available snap-ins, select the Event Viewer snap-in and click the Add button.
The Select computer window opens.

4. In the Select computer window, specify the protected device on which Kaspersky Embedded Systems
Security is installed, and click OK.

5. In the Add and remove snap-ins window, click OK.

In the Microsoft Management Console tree, the Event Viewer node appears.

6. Expand the Event Viewer node and select the Applications and Services Logs > Kaspersky Embedded
Systems Security child node.

The Kaspersky Embedded Systems Security event log opens.

Con guring log settings in Administration Plug-in

You can edit the following settings of Kaspersky Embedded Systems Security logs:

Length of the storage period for events in task logs and the system audit log.

Location of the folder in which Kaspersky Embedded Systems Security stores task log les and the system
audit log le.

Events generation thresholds for Application database is out of date, Application database is extremely out of
date and Critical areas scan has not been performed for a long time.

Events that Kaspersky Embedded Systems Security saves in task logs, the system audit log, and the event log
of Kaspersky Embedded Systems Security in Event Viewer.

Settings for publishing audit events and task performance events to the syslog server via the Syslog protocol.

To con gure Kaspersky Embedded Systems Security logs, perform the following steps:

1. In the Application Console tree, open the context menu of the Logs and noti cations node and select
Properties.
The Logs and noti cations settings window opens.

2. In the Logs and noti cations settings window, con gure the logs in accordance with your requirements. To do
this, perform the following actions:

211
On the General tab, if necessary, select events that Kaspersky Embedded Systems Security will save in task
logs, the system audit log, and the event log of Kaspersky Embedded Systems Security in Event Viewer. To
do this, perform the following actions:

In the Component list, select the component of Kaspersky Embedded Systems Security for which you
want to set the detail level.

For the Real-Time File Protection, On-Demand Scan, and Update components, events are recorded in
tasks logs and the event log. For these components, the event table contains the Task log and
Windows Event Log columns. Events for the Quarantine and Backup components are registered in the
system audit log and the event log. For these components, the event table contains the Audit and
Windows Event Log columns.

In the Importance level list, select a detail level for events in task logs, the system audit log, and the
event log for the selected component.
In the following table with a list of events, the check boxes are selected next to events that are registered
in task logs, the system audit log, and the event log, according to the current detail level.

If you want to manually enable registration of speci c events for a selected component, perform the
following actions:

a. In the Importance level list, select Custom.

b. In the table with the list of events, select the check boxes next to events that you want to be registered
in task logs, the system audit log, and the event log.

On the Advanced tab, con gure the log storage settings and event generation thresholds for device
protection status:

In the Log storage section:

Logs folder

Remove task logs older than (days)

Remove from the system audit log events older than (days)

In the Event generation thresholds section:

Specify the number of days after which the Application database is out of date, Application
database is extremely out of date and Critical areas scan has not been performed for a long time
events will occur .

On the SIEM integration tab, con gure the settings for publishing audit events and task performance
events to the syslog server.

3. Click OK to save the changes.

About SIEM integration

212
To reduce the load on low-performance devices and to reduce the risk of system degradation as a result of
increased application log sizes, you can con gure the publication of audit events and task performance events to
the syslog server via the Syslog protocol.

A syslog server is an external server for aggregating events (SIEM). It stores and analyzes received events and
performs other log management actions.

You can use SIEM integration in two modes:

Duplicate events on the syslog server: in this mode, all task performance events whose publication is con gured
in log settings, as well as all system audit events, continue to be stored on the protected device even after they
are sent to the SIEM server.
We recommend that you use this mode to reduce the load on the protected device as much as possible.

Delete local copies of events: in this mode, all events that are registered during application operation and
published to the SIEM server will be deleted from the protected device.

The application never deletes local versions of the security log.

Kaspersky Embedded Systems Security can convert events in application logs into formats supported by the
syslog server so that those events can be transmitted and successfully recognized by the SIEM server. The
application supports conversion into structured data format and into JSON format.

We recommend that you select the format of events based on the con guration of the utilized SIEM server.

Reliability settings

You can reduce the risk that events will be relayed to the SIEM server unsuccessfully by de ning the settings for
connecting to a mirror syslog server.

A mirror syslog server is an additional syslog server to which the application switches automatically if the
connection to the main syslog server is unavailable or if the main server cannot be used.

Kaspersky Embedded Systems Security also uses system audit events to notify you about unsuccessful attempts
to connect to the SIEM server and about errors while sending events to the SIEM server.

Con guring SIEM integration settings

By default, SIEM integration is not used. You can enable and disable SIEM integration, and con gure relevant
settings (see the table below).

SIEM integration settings

Setting Default Description

value

Send events to a remote Not You can enable or disable SIEM integration by selecting or
syslog server via syslog applied clearing the check box, respectively.
protocol

Remove local copies for Not You can con gure the settings for storing local copies of logs
events that have been sent applied after they are sent to the SIEM server by selecting or clearing
to a remote syslog server the check box.

Events format Structured You can select one of two formats to which the application
213
data converts its events prior to sending them to the syslog server
for better recognition of these events by the SIEM server.

Connection protocol TCP You can use the drop-down list to con gure the connection to
the main and mirror syslog servers via the UDP or TCP
protocols.

Main syslog server IP address: You can use the appropriate elds to con gure the IP address
connection settings 127.0.0.1 and port used to connect to the main syslog server.
Port: 514 You can specify the IP address only in IPv4 format.

Use mirror syslog server if Not You can use the check box to enable or disable the use of a
the main server is not applied mirror syslog server.
accessible

Mirror syslog server IP address: You can use the appropriate elds to con gure the IP address
connection settings 127.0.0.1 and port used to connect to the mirror syslog server.
Port: 514 You can specify the IP address only in IPv4 format.

To con gure SIEM integration settings:

1. In the Application Console tree, open the context menu of the Logs and noti cations node.

2. Select Properties.
The Logs and noti cations settings window opens.

3. Select the SIEM integration tab.

4. In the Integration settings section, select the Send events to a remote syslog server via syslog protocol
check box.

5. If necessary, in the Integration settings section, select the Remove local copies for events that have been
sent to a remote syslog server check box.

The status of the Remove local copies for events that have been sent to a remote syslog server check
box does not a ect the settings for storing events of the security log: the application never automatically
deletes security log events.

6. In the Events format section, specify the format to which you want to convert application events so that they
can be sent to the SIEM server.
By default, the application converts them into a structured data format.

7. In the Connection settings section:

Specify the SIEM connection protocol.

Specify the settings for connecting to the main syslog server.

You can only specify an IP address in IPv4 format.

Select the Use mirror syslog server if the main server is not accessible check box if you want the
application to use other connection settings when unable to send events to the main syslog server.
Specify the following settings for connecting to the mirror syslog server: Address and Port.
The Address and Port elds for the mirror syslog server cannot be edited if the Use mirror syslog server if
the main server is not accessible check box is cleared.
You can only specify an IP address in IPv4 format.
214
8. Click OK.
The con gured SIEM integration settings will be applied.

Con guring logs and noti cations

The Kaspersky Security Center Administration Console can be used to con gure noti cations for administrator
and users about the following events related to Kaspersky Embedded Systems Security and the status of Anti-
Virus protection on the device:

The administrator can receive information about events of selected types;

LAN users who access the protected device and terminal protected device users can receive information
about Object detected events.

Noti cations about Kaspersky Embedded Systems Security events can be con gured either for a single protected
device using the Properties: <Protected device name> window of the selected protected device, or for a group of
protected devices in the Properties: <Policy name> window of the selected administration group.

On the Event noti cations tab or in the Noti cation settings window, you can con gure the following types of
noti cations:

Administrator noti cations about events of selected types can be con gured using the Event noti cations
tab (the standard tab in Kaspersky Security Center). For details on noti cation methods, see the Kaspersky
Security Center Help.

Both administrator and user noti cations can be con gured in the Noti cation settings window.

You can con gure noti cations for some event types only in the window or on the tab; you can use both the
window and tab to con gure noti cations for other event types.

If you con gure noti cations about events of the same type using the same mode on the Event noti cations
tab and in the Noti cation settings window, the system administrator will receive noti cations for those
events twice but in the same mode.

Con guring log settings

To con gure Kaspersky Embedded Systems Security logs, perform the following steps:

1. Expand the Managed devices node in the Kaspersky Security Center Administration Console tree.

2. Select the administration group for which you want to con gure application settings.

3. Perform one of the following actions in the details pane of the selected administration group:

To con gure application settings for a group of protected devices, select the Policies tab and open the
Properties: <Policy name> window.

To con gure the application for a single protected device, select the Devices tab and open the Application
settings window.

215
If an active Kaspersky Security Center policy is applied to a device and blocks changes to application
settings, then these settings cannot be edited in the Application settings window.

4. In the Logs and noti cations section, click the Settings button in the Task logs subsection.

5. In the Logs settings window de ne the following settings of Kaspersky Embedded Systems Security according
to your requirements:

Con gure the level of detail of events in logs. To do this, perform the following actions:

a. In the Component list select the component of Kaspersky Embedded Systems Security for which you
want to set the detail level.

b. To de ne the level of detail in the task logs and system audit log for the selected component, choose the
level you need from Importance level.

To change the default location for logs, specify the full path to the folder or click the Browse button to
select it.

Specify how many days task logs will be stored.

Specify how many days information displayed in the System audit log node will be stored.

6. Click OK.

The con gured log settings are saved.

Exploit Prevention events.

Critical Log Inspection events.

Critical events that indicate an attempted security breach (for the Real-Time Computer Protection, On-
Demand Scan, File Integrity Monitor, Applications Launch Control, and Device Control tasks).

You can clear the Security log as well as the system audit log. Moreover, Kaspersky Embedded Systems Security
records a system audit event when the Security log is cleared.

Con guring SIEM integration settings

To reduce the load on low-performance devices and to reduce the risk of system degradation as a result of
increased application log sizes, you can con gure the publication of audit events and task performance events to
the syslog server via the Syslog protocol.

A syslog server is an external server for aggregating events (SIEM). It stores and analyzes received events and
performs other log management actions.

You can use SIEM integration in two modes:

216
Duplicate events on the syslog server: in this mode, all task performance events whose publication is con gured
in log settings, as well as all system audit events, continue to be stored on the protected device even after they
are sent to the SIEM server.
We recommend that you use this mode to reduce the load on the protected device as much as possible.

Delete local copies of events: in this mode, all events that are registered during application operation and
published to the SIEM server will be deleted from the protected device.

The application never deletes local versions of the security log.

To reduce the risk that events will be relayed to the SIEM server unsuccessfully, you can de ne settings for
connecting to a mirror syslog server.

A mirror syslog server is an additional syslog server to which the application switches automatically if the
connection to the main syslog server is unavailable or if the main server cannot be used.

By default, SIEM integration is not used. You can enable and disable SIEM integration, and con gure relevant
settings (see the table below).

SIEM integration settings

Setting Default Description

value

Send events to a remote Not You can enable or disable SIEM integration by selecting or
syslog server via syslog applied clearing the check box, respectively.
protocol

Events format Structured You can select one of two formats to which the application
data converts its events prior to sending them to the syslog server
for better recognition of these events by the SIEM server.

Connection protocol TCP You can use the drop-down list to con gure the connection to
the main syslog server via the UDP or TCP protocols; to the
mirror syslog server via the TCP protocol.

Use mirror syslog server if Not You can use the check box to enable or disable the use of a
the main server is not applied mirror syslog server.
accessible

To con gure SIEM integration settings:

1. Expand the Managed devices node in the Kaspersky Security Center Administration Console tree.
217
2. Select the administration group for which you want to con gure application settings.

3. Perform one of the following actions in the details pane of the selected administration group:

To con gure application settings for a group of protected devices, select the Policies tab and open the
Properties: <Policy name> window.

To con gure the application for a single protected device, select the Devices tab and open the Application
settings window.

If an active Kaspersky Security Center policy is applied to a device and blocks changes to application
settings, then these settings cannot be edited in the Application settings window.

4. In the Logs and noti cations section click the Settings button in the Task logs subsection.
The Logs and noti cations settings window opens.

5. Select the SIEM integration tab.

6. In the Integration settings section, select the Send events to a remote syslog server via syslog protocol
check box.

7. If necessary, in the Integration settings section, select the Remove local copies for events that have been
sent to a remote syslog server check box.

8. In the Events format section, specify the format to which you want to convert application events so that they
can be sent to the SIEM server.
By default, the application converts them into a structured data format.

9. In the Connection settings section:

Specify the SIEM connection protocol.

Specify the settings for connecting to the main syslog server.

You can only specify an IP address in IPv4 format.

10. Click OK.

The con gured SIEM integration settings will be applied.

218
Con guring noti cation settings
To con gure Kaspersky Embedded Systems Security noti cations, perform the following steps:

1. Expand the Managed devices node in the Kaspersky Security Center Administration Console tree.

2. Select the administration group for which you want to con gure application settings.

3. Perform one of the following actions in the details pane of the selected administration group:

To con gure application settings for a group of protected devices, select the Policies tab and open the
Properties: <Policy name> window.

To con gure the application for a single protected device, select the Devices tab and open the Application
settings window.

If an active Kaspersky Security Center policy is applied to a device and blocks changes to application
settings, then these settings cannot be edited in the Application settings window.

4. In the Logs and noti cations section, click the Settings button in the Event noti cations subsection.

5. In the Noti cation settings window, de ne the following settings of Kaspersky Embedded Systems Security
according to your requirements:

In the Noti cation settings list select the type of noti cation whose settings you want to con gure.

In the Notify users section con gure the user noti cation method. If necessary, enter the text of the
noti cation message.

In the Notify administrators section con gure the administrator noti cation method. If necessary, enter
the text of the noti cation message. If necessary, con gure additional noti cation settings by clicking the
Settings button.

In the Event generation thresholds section, specify the time intervals after which Kaspersky Embedded
Systems Security logs Application database is out of date, Application database is extremely out of date
and Critical areas scan has not been performed for a long time events.

Application database is out of date (days)

Application database is extremely out of date (days)

Critical areas scan has not been performed for a long time (days)

6. Click OK.

The con gured noti cation settings are saved.

Con guring interaction with the Administration Server

To select the types of objects about which Kaspersky Embedded Systems Security sends information to the
Kaspersky Security Center Administration Server:
219
1. Expand the Managed devices node in the Kaspersky Security Center Administration Console tree.

2. Select the administration group for which you want to con gure application settings.

3. Perform one of the following actions in the details pane of the selected administration group:

To con gure application settings for a group of protected devices, select the Policies tab and open the
Properties: <Policy name> window.

To con gure the application for a single protected device, select the Devices tab and open the Application
settings window.

If an active Kaspersky Security Center policy is applied to a device and blocks changes to application
settings, then these settings cannot be edited in the Application settings window.

4. In the Logs and noti cations section, click the Settings button in the Interaction with Administration Server
subsection.
The Administration Server Network lists window opens.

5. In the Administration Server Network lists window, select the types of objects about which Kaspersky
Embedded Systems Security will send information to the Kaspersky Security Center Administration Server:

Quarantined objects.

Backed up objects.

6. Click OK.
Kaspersky Embedded Systems Security will send information about the selected object types to the
Administration Server.

220
Noti cation settings
This section provides information about ways in which users and administrators of Kaspersky Embedded Systems
Security can be noti ed about application events and the device protection status, as well as instructions on how
to con gure noti cations.

Administrator and user noti cation methods

You can con gure the application to notify the administrator and users who access the device about events in the
operation of Kaspersky Embedded Systems Security and the anti-virus protection status on the device.

The application ensures performance of the following tasks:

The administrator can receive information about events of selected types.

LAN users who access a device and terminal device users can receive information about events of the Object
detected type in the Real-Time File Protection task.

In the Application Console, administrator or user noti cations can be activated using several methods:

User noti cation methods:

a. Terminal service tools.

You can apply this method for notifying terminal protected device users if the protected device is used as
terminal.

b. Message service tools.

You can apply this method for noti cation via Microsoft Windows message services.

Administrator noti cation methods:

a. Message service tools.

You can apply this method for noti cation via Microsoft Windows message services.

b. Running an executable le.

This method runs an executable le stored on the protected device's local drive when an event occurs.

c. Sending by email.
This method uses email to transmit messages.

You can create the text of a message for individual event types. It can include an information eld to describe an
event. By default, the application uses a default message to notify users.

Con guring administrator and user noti cations

Event noti cation settings give you a choice of methods for con guring and composing a message text.

To con gure event noti cation settings:

221
1. In the Application Console tree, open the context menu of the Logs and noti cations node and select
Properties.
The Logs and noti cations settings window opens.

2. On the Noti cations tab select the noti cation mode:

a. Select the event for which you wish to select a noti cation method from the Event type list.

b. In the Notify administrators or Notify users group settings, select the check box next to the noti cation
methods that you wish to con gure.

You can only con gure user noti cations for the following events: Object detected, Untrusted
external device detected and restricted event, and Host listed as untrusted event.

3. To add the text of a message:

a. Click the Message text button.

b. In the window that opens, enter the text to be displayed in the corresponding event message.

You can create the same message for several event types: after selecting a noti cation method for one
event type, use the Ctrl or Shift key to select the other event types for which you want to use the same
message, and then click the Message text button.

a. To add elds with information about an event, click the Macro button and select the relevant elds from the
drop-down list. Fields with event information are described in the table in this section.

b. To restore the default event message text, click the By default button.

4. To con gure administrator noti cation methods for the selected event, select the Noti cations tab, click the
Settings button in the Notify administrators section and con gure the selected methods in the Advanced
settings window. To do this, perform the following actions:

a. For email noti cations, open the Email tab and specify the email addresses of recipients (delimit addresses
with semicolon), name or network address of the SMTP server, and port number in the appropriate elds. If
necessary, specify the text that will be displayed in the Subject and From elds. The text in the Subject eld
can also include variables with information about the event (see table below).
If you want to apply user account authentication when connecting to the SMTP server, select Use SMTP
authentication in the Authentication settings group and specify the name and password of the user
whose user account will be authenticated.

b. For noti cations using Windows Messenger Service, create a list of recipient protected devices for
noti cations on the Windows Messenger Service tab: for each protected device that you wish to add, click
the Add button and enter its network name in the input eld.

c. To run an executable le, select the le on the protected device's local drive that will be executed on the
protected device when an event occurs or enter its full path on the Executable le tab. Enter the user name
and password which will be used to execute the le.
System environment variables can be used when the path to the executable le is speci ed; user
environment variables are not allowed.
If you wish to limit the number of messages of one event type over a period of time, on the Advanced tab,
select Do not send the same noti cation more than and specify the number of times and a time interval.

222
5. Click OK.

The con gured noti cation settings are saved.

Fields with event information

Variable Description

%EVENT_TYPE% Event type.

%EVENT_TIME% Event time.

%EVENT_SEVERITY% Importance level.

%OBJECT% Object name (in Real-Time Computer Protection and On-Demand Scan tasks).
The Software Modules Update task includes the name of the update and the
address of the web page with information on the update.

%VIRUS_NAME% The name of the object according to the Virus Encyclopedia classi cation . This
name is included in the full name of the detected object that Kaspersky
Embedded Systems Security returns on detecting an object. You can view the full
name of the detected object in the task log.

%VIRUS_TYPE% The type of detected object according to the Kaspersky classi cation, such as
"virus" or "trojan". It is included in the full name of the detected object, which is
returned by Kaspersky Embedded Systems Security when it nds an object
infected or probably infected. You can view the full name of the detected object
in the task log.

%USER_COMPUTER% In the Real-time File Protection task the protected device name for the user who
accessed the object on the device.

%USER_NAME% In the Real-Time File Protection task the name of the user who accessed the
object on the device.

%FROM_COMPUTER% Name of the protected device where the noti cation originated.

%EVENT_REASON% Reason the event occurred (some events do not have this eld).

%ERROR_CODE% Error code (only for the "internal task error" event).

%TASK_NAME% Task name (only for events related to task performance).

223
Starting and stopping Kaspersky Embedded Systems Security
This section contains information about starting Application Console and about starting and stopping the
Kaspersky Security Service.

Starting the Kaspersky Embedded Systems Security Administration Plug-in

No additional actions are required to start the Kaspersky Embedded Systems Security Administration Plug-in in
Kaspersky Security Center. Once the Plug-in is installed on the administrator's protected device, it is started
together with Kaspersky Security Center. Detailed information about starting Kaspersky Security Center can be
found in the Kaspersky Security Center Help.

Starting the Kaspersky Embedded Systems Security Console from the

Start menu

The names of settings may vary under di erent Windows operating systems.

To start the Application Console from the Start menu:

1. In the Start menu, select Programs > Kaspersky Embedded Systems Security > Administration Tools >
Kaspersky Embedded Systems Security Console.

To add other snap-ins to the Application Console, start the Application Console in author mode.

To start the Application Console in author mode:

1. In the Start menu, select Programs > Kaspersky Embedded Systems Security > Administration Tools.

2. In the context menu of the Application Console, select the Author command.

The Application Console is started in author mode.

If the Application Console has been started on the protected device, the Application Console window opens.

If you started the Application Console on a non-protected device, connect to the protected device.

To connect to the protected device:

1. In the Application Console tree, open the context menu of the Kaspersky Embedded Systems Security node.

2. Select the Connect to another computer command.

The Select protected device window opens.

3. Select Another device in the window that opens.

4. Specify the network name of the protected device in the entry eld on the right.

5. Click OK.

224
The Application Console will connect to the protected device.

If the user account that you are using to log in to Microsoft Windows does not have su icient permissions to
access the Kaspersky Security Management Service on the protected device, select the Connect as user check
box and specify a di erent user account that the required permissions.

Starting and stopping the Kaspersky Security Service

By default, the Kaspersky Security Service starts automatically immediately after the operating system. The
Kaspersky Security Service manages the work processes that execute the Real-Time Computer Protection,
Computer Control, On-Demand Scan and update tasks.

By default when Kaspersky Embedded Systems Security is started, the Real-Time File Protection and Scan at
Operating System Startup tasks are started, as well as other tasks that are scheduled to start At application
launch.

If the Kaspersky Security Service is stopped, all running tasks are stopped. After you restart the Kaspersky
Security Service, the application automatically starts only those tasks scheduled to run At application launch,
while other tasks have to be started manually.

You can start and stop the Kaspersky Security Service using the context menu of the Kaspersky Embedded
Systems Security node or using the Microsoft Windows Services snap-in.

You can start and stop Kaspersky Embedded Systems Security if you are a member of the Administrators
group on the protected device.

To stop or start the application using the Application Console:

1. In the Application Console tree, open the context menu of the Kaspersky Embedded Systems Security node.

2. Select one of the following items:

Stop the service.

Start the service.

The Kaspersky Security Service will be started or stopped.

Starting Kaspersky Embedded Systems Security components in the

operating system safe mode
This section provides information about Kaspersky Embedded Systems Security working in the operating system
safe mode.

About Kaspersky Embedded Systems Security working in the operating

system safe mode

225
Kaspersky Embedded Systems Security components can be started when the operating system loads in safe
mode. In addition to the Kaspersky Security Service (kavfs.exe), the klam.sys driver is loaded. It is used to register
the Kaspersky Security Service as a protected service during the start of the operating system. For more details,
see section Registering the Kaspersky Security Service as a protected service.

Kaspersky Embedded Systems Security can be started in the following safe modes of the operating system:

Safe Mode Minimal – This mode is started when the standard option of the operating system safe mode is
selected. At that, Kaspersky Embedded Systems Security can start the following components:

Real-Time File Protection.

On-Demand Scan.

Applications Launch Control and Rule Generator for Applications Launch Control.

Log Inspection.

File Integrity Monitor.

Baseline File Integrity Monitor.

Application Integrity Control.

Safe Mode with Networking – In this mode, the operating system is loaded in safe mode with network drivers. In
addition to the components started in Safe Mode Minimal, Kaspersky Embedded Systems Security can start the
following components in this mode:

Database Update.

Software Modules Update.

Starting Kaspersky Embedded Systems Security in safe mode

By default, Kaspersky Embedded Systems Security is not started when the operating system is loaded in safe
mode.

To make Kaspersky Embedded Systems Security start in the operating system safe mode:

1. Start Windows Registry Editor (C:\Windows\regedit.exe).

2. Open the [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\klam\Parameters] key of the

system registry.

3. Open the LoadInSafeMode parameter.

4. Set the value to 1.

5. Click OK.

To cancel start of Kaspersky Embedded Systems Security in the operating system safe mode:

1. Start Windows Registry Editor (C:\Windows\regedit.exe).

226
2. Open the [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\klam\Parameters] key of the
system registry.

3. Open the LoadInSafeMode parameter.

4. Set the value to 0.

5. Click OK.

227
Kaspersky Embedded Systems Security self-defense
This section provides information about Kaspersky Embedded Systems Security self-defense mechanisms.

About Kaspersky Embedded Systems Security self-defense

Kaspersky Embedded Systems Security has self-defense mechanisms that protect the application against
modi cation or deletion of its folders, memory processes, and system registry entries.

Protection from changes to folders with installed Kaspersky Embedded

Systems Security components
Kaspersky Embedded Systems Security blocks renaming and deletion of folders with the installed application
components by any user account. By default, the paths to the application installation folders are as follows:

On the 32-bit version of Microsoft Windows: %ProgramFiles%\Kaspersky Lab\Kaspersky Embedded Systems

Security\

On the 64-bit version of Microsoft Windows: %ProgramFiles(x86)%\Kaspersky Lab\Kaspersky Embedded

Systems Security\

Protection from changes to Kaspersky Embedded Systems Security

registry keys
Kaspersky Embedded Systems Security restricts access to the following registry branches and keys, which
facilitates loading of application drivers and services:

[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\KasperskyLab\ESS]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\kavfs]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\kavfsgt]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\kavfsslp]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\klam]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\klelaml]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\kl tdev]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\klramdisk]

[HKEY_LOCAL_MACHINE\SOFTWARE\KasperskyLab\ESS\3.1\CrashDump]

[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\KasperskyLab\ESS\3.1] (on the 64-bit version of

Microsoft Windows)

228
[HKEY_LOCAL_MACHINE\SOFTWARE\KasperskyLab\ESS\3.1\Trace]

The rights to change these registry branches and keys are granted to Local System (SYSTEM) account only. User
and Administrator accounts are granted read-only rights.

Protection from changes to the memory of program service parts

To protect program service parts from third-party processes, Kaspersky Embedded Systems Security drivers
restrict access to the following executable les:

kavfs.exe

kavfswp.exe

kavfswh.exe

kavfsgt.exe

By default, access to the memory of Kaspersky Embedded Systems Security service parts is restricted for third-
party processes.

You can enable the self-defense functions in the Kaspersky Embedded Systems Security Console and Kaspersky
Embedded Systems Security Administration Plug-in policy properties.

Registering the Kaspersky Security Service as a protected service

Protected Process Light (also referred to as "PPL") technology ensures that the operating system only loads
trusted services and processes. For a service to run as a protected service, an Early Launch Antimalware driver
must be installed on the protected device.

An Early Launch Antimalware (also referred to as "ELAM") driver provides protection for the devices in your
network when they start and before third-party drivers are initialized.

The ELAM driver is automatically installed during the Kaspersky Embedded Systems Security installation and is
used for registering the Kaspersky Security Service as PPL when the operating system starts. When the
Kaspersky Security Service (KAVFS) is started as a system protected process, other non-protected processes on
the system are not able to inject threads, write into the virtual memory of the protected process, or stop the
service.

When a process is started as PPL, it cannot be managed by user disregarding the assigned user permissions.
The Kaspersky Security Service registration as PPL using the ELAM driver is supported on the Microsoft
Windows 10 and higher operating systems. If you install Kaspersky Embedded Systems Security on a server
running PPL-supporting operating system, the permission management for Kaspersky Security Service
(KAVFS) will not be available.

To install Kaspersky Embedded Systems Security as PPL, run the following command:

msiexec /i ess_x64.msi NOPPL=0 EULA=1 PRIVACYPOLICY=1 /qn

229
Managing access permissions for Kaspersky Embedded Systems Security
functions
This section contains information about permissions to manage Kaspersky Embedded Systems Security and
operating system services registered by the application, and instructions on how to con gure these permissions.

About permissions to manage Kaspersky Embedded Systems Security

By default, access to all Kaspersky Embedded Systems Security functions is granted to users of the
Administrators group on the protected device, users of the ESS Administrators group created on the protected
device during installation of Kaspersky Embedded Systems Security, and the SYSTEM group.

Users who have Edit permissions access level for Kaspersky Embedded Systems Security can grant access to
Kaspersky Embedded Systems Security functions to other users registered on the protected device or included in
the domain.

Users who are not registered in the list of Kaspersky Embedded Systems Security users cannot open the
Application Console.

You can choose one of the following preset access levels for a user or group of users:

Full control – access to all application functions: the ability to view and edit Kaspersky Embedded Systems
Security general settings, component settings, and Kaspersky Embedded Systems Security user permissions;
and the ability to view Kaspersky Embedded Systems Security statistics.

Modi cation – access to all application functions except editing of user permissions: the ability to view and
edit Kaspersky Embedded Systems Security general settings and Kaspersky Embedded Systems Security
component settings.

Read – the ability to view Kaspersky Embedded Systems Security general settings, Kaspersky Embedded
Systems Security component settings, Kaspersky Embedded Systems Security statistics, and Kaspersky
Embedded Systems Security user permissions.

You can also con gure advanced access permissions: allow or block access to speci c functions of Kaspersky
Embedded Systems Security.

If you have manually con gured access permissions for a user or group, then the Special permissions access level
is set for this user or group.

About access permissions for Kaspersky Embedded Systems Security functions

User rights Description

Task management Ability to start / stop / pause / resume Kaspersky Embedded Systems
Security tasks.

Create and delete On-Demand Ability to create and delete On-Demand Scan tasks.
Scan tasks

Edit settings Ability to:

Import Kaspersky Embedded Systems Security settings from a
con guration le.

230
Edit the application settings.

Read settings Ability to:

View Kaspersky Embedded Systems Security general settings and
task settings.

Export Kaspersky Embedded Systems Security settings to a

con guration le.

View settings for task logs, system audit log, and noti cations.

Manage repositories Ability to:

Move objects to Quarantine.

Remove objects from Quarantine and Backup.

Restore objects from Quarantine and Backup.

Manage logs Ability to delete task logs and clear the system audit log.

Read logs Ability to view Anti-Virus events in task logs and the system audit log.

Read statistics Ability to view statistics for each Kaspersky Embedded Systems Security
task.

Application licensing Ability to activate Kaspersky Embedded Systems Security.

Uninstalling the application Ability to uninstall Kaspersky Embedded Systems Security.

Read permissions Ability to view the list of Kaspersky Embedded Systems Security users
and user access privileges.

Edit permissions Ability to:

Edit the list of users with access to application management.

Edit user access permissions for Kaspersky Embedded Systems

Security functions.

About permissions to manage registered services

During installation, Kaspersky Embedded Systems Security registers in Windows the Kaspersky Security Service
(KAVFS), the Kaspersky Security Management Service (KAVFSGT) and Kaspersky Security Exploit Prevention
(KAVFSSLP).

The Kaspersky Security Service can be registered as a Protected Process Light using the ELAM driver on
Microsoft Windows 10 and higher operating systems. When a process is started as a PPL, it cannot be
managed by a user regardless of the assigned user permissions. If you install Kaspersky Embedded Systems
Security on a protected device running an operating system that supports PPL, permission management will
not be available for the Kaspersky Security Service (KAVFS).

231
Kaspersky Security Service

By default, access permissions for managing the Kaspersky Security Service are granted to users in the
Administrators group on the protected device, as well as to the SERVICE and INTERACTIVE groups with read
permissions and to the SYSTEM group with read and execute permissions.

Users who have the Edit permissions level access can grant access permissions for managing Kaspersky Security
Service to other users registered on the protected device or included in the domain.

Kaspersky Security Management Service

To manage the application via the Application Console installed on a di erent protected device, the account
whose permissions are used to connect to Kaspersky Embedded Systems Security must have full access to the
Kaspersky Security Management Service on the protected device.

By default, access to the Kaspersky Security Management Service is granted to users of the Administrators group
on the protected device and users of the ESS Administrators group created on the protected device during
Kaspersky Embedded Systems Security installation.

You can only manage the Kaspersky Security Management Service via the Microsoft Windows Services snap-in.

Kaspersky Security Exploit Prevention

By default, access permissions for managing the Kaspersky Security Exploit Prevention service are granted to
users in the Administrators group on the protected device, as well as to the SYSTEM group with read and execute
permissions.

About access permissions for the Kaspersky Security Management Service

You can review the list of Kaspersky Embedded Systems Security services.

During installation, Kaspersky Embedded Systems Security registers the Kaspersky Security Management Service
(KAVFSGT). To manage the application via the Application Console installed on a di erent protected device, the
account used to connect to Kaspersky Embedded Systems Security must have full access to the Kaspersky
Security Management Service on the protected device.

You can manage the Kaspersky Security Management Service only via the Microsoft Windows Services snap-in.

You cannot allow or block user access to the Kaspersky Security Management Service by con guring
Kaspersky Embedded Systems Security.

You can connect to Kaspersky Embedded Systems Security from a local account if an account with the same
user name and password is registered on the protected device.

232
About permissions to manage the Kaspersky Security Service
During installation, Kaspersky Embedded Systems Security registers the Kaspersky Security Service (KAVFS) in
Windows, and internally enables the functional components that are started at operating system startup. To
reduce the risk of third-party access to application functions and security settings on a protected device through
management of the Kaspersky Security Service, you can restrict permissions for managing the Kaspersky Security
Service from the Application Console or the Administration Plug-in.

By default, access permissions for managing the Kaspersky Security Service are granted to users in the
Administrators group on the protected device. Read permissions are granted to the SERVICE and INTERACTIVE
groups, and read and execute permissions are granted to the SYSTEM group.

You cannot delete the SYSTEM user account or edit permissions for this account. If the permissions for the
SYSTEM account are edited, the maximum privileges are restored for this account when you save the
changes.

Users who have access to functions that require Edit permissions can grant access permissions for managing the
Kaspersky Security Service to other users registered on the protected device or included in the domain.

You can choose one of the following preset permission levels for a user or group of users of Kaspersky Embedded
Systems Security to manage the Kaspersky Security Service:

Full control: ability to view and edit general settings and user permissions for the Kaspersky Security Service,
and to start and stop the Kaspersky Security Service.

Read: ability to view Kaspersky Security Service general settings and user permissions.

Modi cation: ability to view and edit Kaspersky Security Service general settings and user permissions.

Execution: ability to start and stop the Kaspersky Security Service.

You can also con gure advanced access permissions: allow or deny access to speci c Kaspersky Embedded
Systems Security functions (see the table below).

If you have manually con gured access permissions for a user or group, then the Special permissions access level
is set for this user or group.

Access permissions for Kaspersky Security Service functions

Feature Description

View service con gurations Ability to view Kaspersky Security Service general settings and user
permissions.

Request service status from Ability to request the execution status of the Kaspersky Security Service
Service Control Manager from Microsoft Windows Service Control Manager.

Request status from service Ability to request the service execution status from the Kaspersky Security
Service.

Read list of dependent Ability to view a list of services that the Kaspersky Security Service
services depends on and which depend on the Kaspersky Security Service.

Editing service settings Ability to view and edit Kaspersky Security Service general settings and
user permissions.

233
Start the service Ability to start the Kaspersky Security Service.

Stop the service Ability to stop the Kaspersky Security Service.

Pause / Resume the service Ability to pause and resume the Kaspersky Security Service.

Read permissions Ability to view the list of Kaspersky Security Service users and each user's
access privileges.

Edit permissions Ability to:

Add and remove Kaspersky Security Service users.

Edit user access permissions for the Kaspersky Security Service.

Delete the service Ability to unregister the Kaspersky Security Service in the Microsoft
Windows Service Control Manager.

User de ned requests to Ability to create and send user requests to the Kaspersky Security Service.
service

Managing access permissions via the Administration Plug-in

In this section, learn how to navigate the Administration Plug-In interface and con gure access permissions for one
or all protected devices on the network.

Con guring access permissions for Kaspersky Embedded Systems Security

and the Kaspersky Security Service
You can edit the list of users and user groups allowed to access Kaspersky Embedded Systems Security functions
and manage the Kaspersky Security Service. You can also edit the access permissions of those users and user
groups.

To add or remove a user or group from the list:

1. Expand the Managed devices node in the Kaspersky Security Center Administration Console tree.

2. Select the administration group for which you want to con gure application settings.

3. Perform one of the following actions in the details pane of the selected administration group:

To con gure application settings for a group of protected devices, select the Policies tab and open the
Properties: <Policy name> window.

To con gure the application for a single protected device, select the Devices tab and open the Application
settings window.

If an active Kaspersky Security Center policy is applied to a device and blocks changes to application
settings, then these settings cannot be edited in the Application settings window.

234
4. In the Supplementary section, perform one of the following steps:

Click Settings in the User access permissions for application management subsection if you want to edit
the list of users who have access permissions for managing Kaspersky Embedded Systems Security
functions.

Click Settings in the User access permissions for Kaspersky Security Service management subsection if
you want to edit the list of users who have access permissions for managing the Kaspersky Security
Service.
The Permissions for Kaspersky Embedded Systems Security 3.1 group window opens.

5. In the window that opens, perform the following operations:

In order to add a user or group to the list, click the Add button and select the user or group that you want to
grant privileges to.

To remove a user or group from the list, select the user or group whose access you want to restrict, and
click the Remove button.

6. Click the Apply button.

The selected users (groups) are added or removed.

To edit the permissions of a user or group to manage Kaspersky Embedded Systems Security or the Kaspersky
Security Service:

1. Expand the Managed devices node in the Kaspersky Security Center Administration Console tree.

2. Select the administration group for which you want to con gure application settings.

3. Perform one of the following actions in the details pane of the selected administration group:

To con gure application settings for a group of protected devices, select the Policies tab and open the
Properties: <Policy name> window.

To con gure the application for a single protected device, select the Devices tab and open the Application
settings window.

If an active Kaspersky Security Center policy is applied to a device and blocks changes to application
settings, then these settings cannot be edited in the Application settings window.

4. In the Supplementary section, perform one of the following steps:

Click Settings in the User access permissions for Kaspersky Security Service management subsection if
you want to edit the list of users who have access permissions for managing the application via the
Kaspersky Security Service.
The Permissions for Kaspersky Embedded Systems Security group window opens.

5. In the window that opens, in the Group or user names list, select the user or group of users whose permissions
you want to change.

235
6. In the Permissions for <User (Group)> section, select the Allow or Deny check boxes for the following access
levels:

Full control: full set of permissions to manage Kaspersky Embedded Systems Security or the Kaspersky
Security Service.

Read:

The following permissions to manage Kaspersky Embedded Systems Security: Retrieve statistics, Read
settings, Read logs and Read permissions.

The following permissions to manage the Kaspersky Security Service: Read service settings, Request
status from Service Control Manager, Request status from service, Read list of dependent services,
Read permissions.

Modi cation:

All permissions to manage Kaspersky Embedded Systems Security, except Edit permissions.

The following permissions to manage the Kaspersky Security Service: Modify service settings, Read
permissions.

Special permissions: the following permissions to manage the Kaspersky Security Service: Starting
service, Stop service, Pause / Resume service, Read permissions, User de ned requests to service.

7. To con gure advanced permissions for a user or group (Special permissions), click the Advanced button.

a. In the Advanced security settings for Kaspersky Embedded Systems Security window that opens, select
the desired user or group.

b. Click the Edit button.

c. In the drop-down list in the top part of the window, select the type of access control (Allow or Block).

d. Select the check boxes next to the functions that you want to allow or block for the selected user or group.

e. Click OK.

f. In the Advanced security settings for Kaspersky Embedded Systems Security window, click OK.

8. In the Permissions for Kaspersky Embedded Systems Security window, click the Apply button.

The con gured permissions for managing Kaspersky Embedded Systems Security or the Kaspersky Security
Service are saved.

Password-protected access to Kaspersky Embedded Systems Security

functions
You can restrict access to application management and registered services by con guring user permissions. You
can also set password protection in the Kaspersky Embedded Systems Security settings for additional protection
of critical operations.

Kaspersky Embedded Systems Security requests a password when you attempt to access the following
application functions:

236
connect to the Application Console;

uninstall Kaspersky Embedded Systems Security;

modify Kaspersky Embedded Systems Security components;

execute command-line commands.

The Kaspersky Embedded Systems Security interface disguises the speci ed password on screen. Kaspersky
Embedded Systems Security stores the password as a checksum calculated when the password is entered.

Kaspersky Embedded Systems Security doesn't check password strength and doesn't block password entry
after a number of failed attempts.

When creating a password, you are recommended to meet the following conditions:

The password doesn't contain the account name or computer name.

The password is at least 8 characters long.

The password contains characters that match at least three of the following categories:

uppercase latin letters (A-Z);

lowercase latin letters (a-z);

numbers (0-9);

symbols of exclamation point (!), dollar sign ($), pound sign (#) and percent sign (%).

You can export and import a password-protected application con guration. A con guration le created by
exporting a protected application con guration contains the password checksum and the value of the modi er
used to pad the password string.

Do not change the checksum or modi er in the con guration le. Importing a password-protected
con guration that has been changed manually may cause access to the application to be entirely blocked.

To protect access to Kaspersky Embedded Systems Security functions:

1. In the tree of Kaspersky Security Center Administration Console, expand the Managed devices node. Select
the administration group with the protected devices whose application settings you want to con gure.

2. Perform one of the following actions in the details pane of the selected administration group:

To con gure policy settings for a group of protected devices, select the Policies tab and open the
properties of the <Policy name> by means of the context menu.

If you want to con gure application settings for a single protected device, open the required settings in the
Application settings window in the Kaspersky Security Center.

3. In the Security and reliability section of the Application settings tab, click the Settings button.
The Security settings window opens.

237
4. In the Password protection settings section, select the Apply password protection check box.
The Password and Con rm password elds become active.

5. In the Password eld, enter the password you want to use to protect access to Kaspersky Embedded Systems
Security functions.

6. In the Con rm password eld, enter your password again.

7. Click OK.

The speci ed settings are saved. Kaspersky Embedded Systems Security will request the speci ed password to
access protected functions.

This password cannot be recovered. Losing your password will result in the complete loss of control of the
application. Additionally, it will be impossible to uninstall the application from the protected device.

You can reset the password at any time. To do that, clear the Apply password protection check box and save
changes. Password protection will be disabled and the old password checksum will be removed. Repeat the
password creation process with a new password.

Managing access permissions via the Application Console

In this section, learn how to navigate the Application Console interface and con gure access permissions on a
protected device.

Con guring access permissions for managing Kaspersky Embedded

Systems Security and the Kaspersky Security Service
You can edit the list of users and user groups allowed to access Kaspersky Embedded Systems Security functions
and manage the Kaspersky Security Service. You can also edit the access permissions of those users and user
groups.

To add or remove a user or group from the list:

1. Expand the Managed devices node in the Kaspersky Security Center Administration Console tree.

2. Select the administration group for which you want to con gure application settings.

3. Perform one of the following actions in the details pane of the selected administration group:

To con gure application settings for a group of protected devices, select the Policies tab and open the
Properties: <Policy name> window.

To con gure the application for a single protected device, select the Devices tab and open the Application
settings window.

If an active Kaspersky Security Center policy is applied to a device and blocks changes to application
settings, then these settings cannot be edited in the Application settings window.

238
4. In the Supplementary section, perform one of the following steps:

5. In the window that opens, perform the following operations:

In order to add a user or group to the list, click the Add button and select the user or group that you want to
grant privileges to.

To remove a user or group from the list, select the user or group whose access you want to restrict, and
click the Remove button.

6. Click the Apply button.

The selected users (groups) are added or removed.

To edit a user’s or group’s permissions to manage Kaspersky Embedded Systems Security or the Kaspersky
Security Service:

1. Expand the Managed devices node in the Kaspersky Security Center Administration Console tree.

2. Select the administration group for which you want to con gure application settings.

3. Perform one of the following actions in the details pane of the selected administration group:

To con gure application settings for a group of protected devices, select the Policies tab and open the
Properties: <Policy name> window.

To con gure the application for a single protected device, select the Devices tab and open the Application
settings window.

If an active Kaspersky Security Center policy is applied to a device and blocks changes to application
settings, then these settings cannot be edited in the Application settings window.

4. In the Supplementary section, perform one of the following steps:

Click Settings in the User access permissions for Kaspersky Security Service management subsection if
you want to edit the list of users who have access permissions for managing the application via the
Kaspersky Security Service.
The Permissions for Kaspersky Embedded Systems Security group window opens.

5. In the window that opens, in the Group or user names list, select the user or group of users whose permissions
you want to change.

239
6. In the Permissions for <User (Group)> section, select the Allow or Deny check boxes for the following access
levels:

Full control: full set of permissions to manage Kaspersky Embedded Systems Security or the Kaspersky
Security Service.

Read:

The following permissions to manage Kaspersky Embedded Systems Security: Retrieve statistics, Read
settings, Read logs and Read permissions.

Modi cation:

All permissions to manage Kaspersky Embedded Systems Security, except Edit permissions.

The following permissions to manage the Kaspersky Security Service: Modify service settings, Read
permissions.

Special permissions: the following permissions to manage the Kaspersky Security Service: Starting
service, Stop service, Pause / Resume service, Read permissions, User de ned requests to service.

7. To con gure advanced permissions for a user or group (Special permissions), click the Advanced button.

a. In the Advanced security settings for Kaspersky Embedded Systems Security window that opens, select
the desired user or group.

b. Click the Edit button.

c. In the drop-down list in the top part of the window, select the type of access control (Allow or Block).

d. Select the check boxes next to the functions that you want to allow or block for the selected user or group.

e. Click OK.

f. In the Advanced security settings for Kaspersky Embedded Systems Security window, click OK.

8. In the Permissions for Kaspersky Embedded Systems Security window, click the Apply button.

9. The con gured permissions for managing Kaspersky Embedded Systems Security or the Kaspersky Security
Service are saved.

Password-protected access to Kaspersky Embedded Systems Security

Kaspersky Embedded Systems Security requests a password when you attempt to access the following
application functions:
240
connect to the Application Console;

uninstall Kaspersky Embedded Systems Security;

modify Kaspersky Embedded Systems Security components;

execute command-line commands.

Do not change the checksum or modi er in the con guration le. Importing a password-protected
con guration that has been changed manually may cause access to the application to be entirely blocked.

To protect access to Kaspersky Embedded Systems Security functions:

1. In the Application Console tree, select the Kaspersky Embedded Systems Security node and do one of the
following:

Click the Application properties link in the results pane of the node.

Select Properties in the node's context menu.

The Application settings window opens.

2. On the Security and reliability tab in the Password protection settings section, select the Apply password
protection check box.
The Password and Con rm password elds become active.

3. In the Password eld, enter the password you want to use to protect access to Kaspersky Embedded Systems
Security functions.

4. In the Con rm password eld, enter the password again.

5. Click OK.

This password cannot be recovered. Losing your password results in complete loss of control of the
application. Additionally, it will be impossible to uninstall the application from the protected device.

Managing access permissions via the Web Plug-in

In this section, learn how to navigate the Web Plug-In interface and con gure access permissions for one or all
protected devices on the network.

241
Con guring access permissions for Kaspersky Embedded Systems Security
and the Kaspersky Security Service
To con gure the access permissions for a user or group you need to specify the security descriptor string using
the security descriptor de nition language (SDDL). For detailed information about the security descriptor string,
please visit the Microsoft website.

To con gure the access permissions for a user or group:

1. In the main window of the Web Console, select Devices → Policies & pro les.

2. Click the policy name you want to con gure.

3. In the <Policy name> window that opens select the Application settings tab.

4. Select the Supplementary section.

5. Perform one of the following steps:

6. Add a user or group by specifying the security descriptor string in the User access permissions for
application management or User access permissions for Kaspersky Security Service management window.

7. Click OK.

Password-protected access to Kaspersky Embedded Systems Security

Kaspersky Embedded Systems Security requests a password when you attempt to access the following
application functions:

connect to the Application Console;

uninstall Kaspersky Embedded Systems Security;

modify Kaspersky Embedded Systems Security components;

execute command-line commands.

242
The Kaspersky Embedded Systems Security interface disguises the speci ed password on screen. Kaspersky
Embedded Systems Security stores the password as a checksum calculated when the password is entered.

Do not change the checksum or modi er in the con guration le. Importing a password-protected
con guration that has been changed manually may cause access to the application to be entirely blocked.

To protect access to Kaspersky Embedded Systems Security functions:

1. In the main window of the Web Console, select Devices → Policies & pro les.

2. Click the policy name you want to con gure.

3. In the <Policy name> window that opens select the Application settings tab.

4. Select the Application settings section.

5. In the Security and reliability section, click the Settings button.

6. In the Password protection settings section, select the Apply password protection check box.

7. In the Password eld, enter the password you want to use to protect access to Kaspersky Embedded Systems
Security functions.

8. Click OK.

The speci ed settings are saved. Kaspersky Embedded Systems Security will request the speci ed password to
access protected functions.

243
Real-Time File Protection
This section contains information about the Real-Time File Protection task and how to con gure it.

About Real-Time File Protection task

When the Real-Time File Protection task is running, Kaspersky Embedded Systems Security scans the following
protected device objects when they are accessed:

Files.

NTFS alternate data streams.

Master boot records and boot sectors on local hard drives and external devices.

When any application writes a le to the protected device or reads a le from it, Kaspersky Embedded Systems
Security intercepts the le, scans it for threats, and, if a threat is detected, performs a default action or an action
you have speci ed: try to disinfect, move to Quarantine, or delete it. Before disinfection or deletion, Kaspersky
Embedded Systems Security saves an encrypted copy of the source le to the Backup folder.

Kaspersky Embedded Systems Security also detects malware for processes running under Windows Subsystem
for Linux®. For such processes, the Real-Time File Protection task applies the action de ned by the current
con guration.

About the task protection scope and security settings

By default, the Real-Time File Protection task protects all objects of the device le system. If there is no security
requirement to protect all objects of the le system or you want to exclude any objects from the task scope, you
can limit the protection scope.

In the Application Console, the protection scope is displayed as a tree or list of the device's le resources that
Kaspersky Embedded Systems Security can monitor. By default, the network le resources of the device are
displayed as a list.

In the Administration Plug-in, only the list view is available.

To display network le resources as a tree in the Application Console,

open the drop-down list in the upper left section of the Protection scope settings window and select Tree-
view.

Whether the protected device's le resources are displayed as a list or a tree, the node icons have the following
meanings:

The node is included in the protection scope.

The node is excluded from the protection scope.

At least one of this node's child nodes is excluded from the protection scope, or the security settings of the child
node(s) di er(s) from those of the parent node (for the tree view only).

244
The icon is displayed if all child nodes are selected, but the parent node is not selected. In this case, changes
in the composition of the parent node's les and folders are disregarded automatically when the protection
scope for the selected child node is created.

Using the Application Console, you can also add virtual drives to the protection scope. The names of the
virtual nodes are displayed in blue.

Security settings

The task security settings can be con gured as common settings for all nodes or items included in the protection
scope, or as di erent settings for each node or item in the device's le resource tree or list.

Security settings con gured for the selected parent node are automatically applied to all its child nodes. The
security settings of the parent node are not applied to child nodes that are con gured separately.

The settings for a selected protection scope can be con gured using one of the following methods:

Selecting one of three prede ned security levels.

Con guring the security settings manually for the selected nodes or items in the le resource tree or list (the
security level changes to Custom).

A set of settings for a node or item can be saved in a template in order to be applied later to other nodes or items.

About virtual protection scopes

Kaspersky Embedded Systems Security can scan not only existing folders and les on hard drives and removable
drives, but also drives that are dynamically created on the protected device by various applications and services.

If all device objects are included in the protection scope, these dynamic nodes will automatically be included in the
protection scope. However, if you want to specify special values for the security settings of these dynamic nodes
or if you have selected only part of the device for protection, then in order to include virtual drives, les or folders
in the protection scope, you will rst have to create them in the Application Console: that is, specify the virtual
protection scope. The drives, les and folders created will exist only in the Application Console, but not in the le
structure of the protected device.

If, while creating a protection scope, all subfolders or les are selected without the parent folder being selected,
then all virtual folders or les that appear in it will not automatically be included in the protected scope. "Virtual
copies" of these should be created in the Application Console and added to the protection scope.

Prede ned protection scopes

The le resource tree or list displays the nodes to which you have read-access based on the con gured
Microsoft Windows security settings.

Kaspersky Embedded Systems Security covers the following prede ned protection scopes:

245
Local hard drives. Kaspersky Embedded Systems Security protects les on the device hard drives.

Removable drives. Kaspersky Embedded Systems Security protects les on external devices, such as CDs or
removable drives. All removable drives, individual disks, folders or les can be included in or excluded from the
protection scope.

Network. Kaspersky Embedded Systems Security protects les that are written to network folders or read
from them by applications running on the device. Kaspersky Embedded Systems Security does not protect les
when such les are accessed by applications from other protected devices.

Virtual drives. Virtual folders, les, and drives temporarily connected to the device can be included in the
protection scope, for example, common cluster drives.

By default, you can view and con gure prede ned protection scopes in the scope list; you can also add prede ned
scopes to the list during its formation in the protection scope settings.

By default, the protection scope includes all prede ned areas except virtual drives.

Virtual drives created using the SUBST command are not displayed in the protected device’s le resource tree
in the Application Console. To include objects on the virtual drive in the protection scope, include the device
folder associated with the virtual drive in the protection scope.

Connected network drives will also not be displayed in the protected device’s le resource list. To include
objects on network drives in the protection scope, specify the path to the folder that corresponds to this
network drive in UNC format.

About prede ned security levels

One of the following prede ned security levels for the nodes selected either in the protected device's le resource
tree or le resource list can be applied: Maximum performance, Recommended, and Maximum protection. Each
of these levels contains its own prede ned set of security settings (see the table below).

Maximum performance

The Maximum performance security level is recommended if your network has additional protected device
security measures, for example, rewalls and existing security policies, beyond using Kaspersky Embedded Systems
Security on protected devices.

Recommended

The Recommended security level ensures the best combination of protection and performance impact on
devices. Kaspersky experts recommend this level as adequate to protect devices on most corporate networks.
The Recommended security level is set by default.

Maximum protection

The Maximum protection security level is recommended if your organization's network has elevated device
security requirements.
246
Preset security levels and corresponding setting values

Options Security level

Maximum Recommended Maximum

performance protection

Objects protection By extension By format By format

Protect only new and modi ed les Enabled Enabled Disabled

Action to perform on infected and other Block access and Notify only Block access and
objects disinfect. Remove if disinfect. Remove
disinfection fails if disinfection fails

Action to perform on probably infected Block access and Notify only Block access and
objects quarantine quarantine

Exclude les No No No

Do not detect No No No

Stop scanning if it takes longer than (sec.) 60 sec. 60 sec. 60 sec.

Do not scan compound objects larger than 8 MB 8 MB Not set

(MB)

Scan alternate NTFS streams Yes Yes Yes

Scan disk boot sectors and MBR Yes Yes Yes

Compound objects protection

Packed objects* SFX SFX archives*
*New and archives*
modi ed objects Packed
only Packed objects*
objects*
Embedded
Embedded OLE objects*
OLE *All objects
objects*
*New and
modi ed
objects
only

Entirely remove compound le that cannot No No Yes

be modi ed by the application in case of
embedded object detection

The Objects protection, Use iChecker technology, Use iSwift technology, and Use heuristic analyzer
settings are not included in the settings of the prede ned security levels. If you edit the Objects protection,
Use iChecker technology, Use iSwift technology, or Use heuristic analyzer security settings after selecting
one of the prede ned security levels, the security level that you have selected will not change.

File extensions scanned by default in the Real-Time File Protection task

Kaspersky Embedded Systems Security scans les with the following extensions by default:

247
386;

acm;

ade, adp;

asp;

asx;

ax;

bas;

bat;

bin;

chm;

cla, clas*;

cmd;

com;

cpl;

crt;

dll;

dpl;

drv;

dvb;

dwg;

e ;

emf;

eml;

exe;

fon;

fpm;

hlp;

hta;

248
htm, html*;

htt;

ico;

inf;

ini;

ins;

isp;

jpg, jpe;

js, jse;

lnk;

mbx;

msc;

msg;

msi;

msp;

mst;

nws;

ocx;

oft;

otm;

pcd;

pdf;

php;

pht;

phtm*;

pif;

plg;

png;

249
pot;

prf;

prg;

reg;

rsc;

rtf;

scf;

scr;

sct;

shb;

shs;

sht;

shtm*;

swf;

sys;

the;

them*;

tsp;

url;

vb;

vbe;

vbs;

vxd;

wma;

wmf;

wmv;

wsc;

wsf;

250
wsh;

do?;

md?;

mp?;

ov?;

pp?;

vs?;

xl?.

Default Real-Time File Protection task settings

By default, the Real-Time File Protection task uses the settings described in the table below. You can change the
values of these settings.

Default Real-Time File Protection task settings

Setting Default value Description

Protection scope The entire protected device, You can change the protection scope.
excluding virtual drives.

Security settings Common settings for the entire For nodes selected in the protected
protection scope correspond device’s le resource list or tree, you can:
to the Recommended security
Select a di erent prede ned security
level.
level

Manually change security settings

You can save a group of security settings
for a selected node as a template to use
later for a di erent node.

Objects protection mode Smart mode You can select the protection mode, i.e.
de ne the type of access attempts for
which Kaspersky Embedded Systems
Security scans objects.

Heuristic analyzer The Medium security level is The Heuristic Analyzer can be enabled or
applied. disabled and the analysis level can be
con gured.

Apply Trusted Zone Applied. General list of exclusions that can be used in
selected tasks.

Use KSN for protection Applied. You can improve your device’s protection
using the Kaspersky Security Network cloud
service (available if the KSN Statement is
accepted).

Task start schedule At application start. You can con gure for scheduled task start.

251
Block access to network Not applied. You can add hosts showing malicious
shared resources for the activity to the list of blocked hosts.
hosts that show
malicious activity

Launch critical areas Applied. When active infection is detected,

scan when active Kaspersky Embedded Systems Security
infection is detected creates and launches a temporary Critical
Areas Scan task.

Managing the Real-Time File Protection task via the Administration Plug-in
In this section, learn how to navigate the Administration Plug-In interface and con gure task settings for one or all
protected devices on the network.

Navigation
Learn how to navigate to the required task settings via the chosen interface.

Opening policy settings for the Real-Time File Protection task

To open the Real-Time File Protection task settings via the Kaspersky Security Center policy:

1. Expand the Managed devices node in the Kaspersky Security Center Administration Console tree.

2. Select the administration group for which you want to con gure the task.

3. Select the Policies tab.

4. Double-click the policy name you want to con gure.

5. In the Properties: <Policy name> window that opens, select the Real-Time Computer Protection section.

6. Click the Settings button in the Real-Time File Protection subsection.

The Real-time le protection window opens.

If a protected device is being managed by an active Kaspersky Security Center policy and this policy blocks
changes to the application settings, these settings cannot be edited via the Application Console.

Opening the Real-Time File Protection task properties

To open the Real-Time File Protection task settings window for a single network device:

1. Expand the Managed devices node in the Kaspersky Security Center Administration Console tree.

252
2. Select the administration group for which you want to con gure the task.

3. Select the Devices tab.

4. Open the Properties: <Protected device name> window in one of the following ways:

Double-click the name of the protected device.

Select the Properties item in the context menu of the protected device.

The Properties: <Protected device name> window opens.

5. In the Tasks section, select the Real-Time File Protection task.

6. Click the Properties button.

The Properties: Real-Time File Protection window opens.

Con guring the Real-Time File Protection task

To con gure the Real-Time File Protection task settings:

1. Open the Real-time le protection window.

2. Con gure the following task settings:

On the General tab:

Interception parameters

Heuristic analyzer

Integration with other components

On the Task management tab:

Scheduled task start settings.

3. Select the Protection scope tab and do the following:

Click the Add or Edit button to edit the protection scope.

In the window that opens, choose what you want to include in the task protection scope:

Prede ned scope

Disk, folder or network location

File

Select one of the prede ned security levels or manually con gure the protection settings.

4. Click OK in the Real-time le protection window.

253
Kaspersky Embedded Systems Security immediately applies the new settings to a running task. The date and
time when the settings were modi ed, and the values of task settings before and after modi cation, are saved in
the system audit log.

Selecting the protection mode

In the Real-Time File Protection task, the protection mode can be selected. The Objects protection mode section
lets you specify the type of access attempts for which Kaspersky Embedded Systems Security scans objects.

The value of the Objects protection mode setting applies to the entire protection scope speci ed in the task. You
cannot specify di erent values for the setting for individual nodes within the protection scope.

To select the protection mode:

1. Open the Real-time le protection window.

2. In the window that opens, open the General tab and select the protection mode that you want to set:

Smart mode

On access and modi cation

On access

When run

Deeper analysis of launching processes (process launch is blocked until the analysis ends)

3. Click OK.

The selected protection mode will take e ect.

Con guring Heuristic Analyzer and integration with other application

components

To start the KSN Usage task, you must accept the Kaspersky Security Network Statement.

To con gure Heuristic Analyzer and integration with other components:

1. Open the Real-time le protection window.

2. On the General tab, clear or select the Use heuristic analyzer check box.

3. If necessary, adjust the level of analysis using the slider .

4. In the Integration with other components section, con gure the following settings:

Select or clear the Apply Trusted Zone check box.

254
Select or clear the Use KSN for protection check box.

The Send data about scanned les check box must be selected in the KSN Usage task settings.

Select or clear the Block access to network shared resources for the hosts that show malicious activity
check box.

Select or clear the Launch critical areas scan when active infection is detected check box.

5. Click OK.

The con gured task settings are applied immediately to a running task. If the task is not running, the modi ed
settings are applied at next start.

Scheduling tasks
You can schedule local system and custom tasks in the Application Console. You cannot schedule group tasks in
the Application Console.

To schedule group tasks using the Administration Plug-in:

1. In the Kaspersky Security Center Administration Console tree, expand the Managed devices node.

2. Select the group that the protected device belongs to.

3. In the results pane, select the Tasks tab.

4. Open the Properties: <Task name> window in one of the following ways:

Double-click the name of the task.

Open the context menu of the task name and select the Properties item.

5. Select the Schedule section.

6. In the Schedule settings block, select the Run by schedule check box.

Fields with schedule settings for the On-Demand Scan and Update tasks are unavailable if scheduling of
these tasks is blocked by a Kaspersky Security Center policy.

7. Con gure schedule settings in accordance with your requirements. To do this, perform the following actions:

a. In the Frequency list, select one of the following values:

Hourly, if you want the task to run at intervals of a speci ed number of hours; specify the number of
hours in the Every <number> hour(s) eld.

Daily, if you want the task to run at intervals of a speci ed number of days; specify the number of days in
the Every <number> day(s) eld.

At application launch, if you want the task to run every time Kaspersky Embedded Systems Security
starts.

After application database update, if you want the task to run after every update of the application
databases.

b. Specify the time for the rst task start in the Start time eld.

c. In the Start date eld, specify the date when the schedule starts.

After you have scheduled the start time, date and frequency of the task, the estimated time for the
next start is displayed.

The Next start eld displays the Blocked by policy value if Kaspersky Security Center policy settings
prohibit scheduled local system tasks from starting.

8. Use the Advanced tab to con gure the following schedule settings in accordance with your requirements.

In the Task stop settings section:

a. Select the Duration check box and, in the elds to the right, enter the maximum number of hours and
minutes of task execution.

b. Select the Pause from check box and, in the elds to the right, enter the start and end values of a time
interval under 24 hours during which task execution will be paused.

In the Advanced settings section:

a. Select the Cancel schedule from check box and specify the date from which the schedule will cease to
apply.

b. Select the Run skipped tasks check box to enable the start of skipped tasks.

c. Select the Randomize the task start time within the interval of check box and specify a value in
minutes.

9. Click OK.

10. Click the Apply button to save the task start settings.

256
Creating and con guring the task protection scope
To create and con gure the task protection scope via the Kaspersky Security Center:

1. Open the Real-time le protection window.

2. Select the Protection scope tab.

All items already protected by the task are listed in the Protection scope table.

3. Click the Add button to add new item to the list.

The Add objects to protection scope window opens.

4. Select an object type to add it to a protection scope:

Prede ned scope - to include one of the prede ned scopes in the protection scope on the device. Then in
the drop-down list, select the desired protection scope.

Disk, folder or network location - to include individual drive, folder or a network object in the protection
scope. Then select the desired protection scope by clicking the Browse button.

File - to include an individual le in the protection scope. Then select the desired protection scope by
clicking the Browse button.

You cannot add an object to a protection scope if it has already been added as an exclusion from a
protection scope.

5. To exclude individual items from the protection scope, clear check boxes next to the names of these items or
take the following steps:

a. Open the context menu of the protection scope by right-clicking it.

b. In the context menu, select the Add exclusion option.

c. In the Add exclusion window, select an object type that you want to add as an exclusion from the protection
scope following the procedure used when adding an object to the protection scope.

6. To modify the protection scope or an existing exclusion, select the Edit scope option in the context menu of
the desired protection scope.

7. To hide a previously added protection scope or an exclusion in the list of network le resources, select the
Remove scope option in the context menu of the desired protection scope.

A protection scope is removed from the Real-Time File Protection task scope when it is removed from the
network le resource list.

8. Click OK.

The Protection scope settings window closes. Your newly con gured settings are saved.

257
The Real-Time File Protection task can be started if at least one of the device’s le resource nodes is
included in a protection scope.

Selecting prede ned security levels for On-Demand Scan tasks

You can apply one of the following three prede ned security levels to a node selected in the device's le resource
list: Maximum performance, Recommended, and Maximum protection.

To select one of the prede ned security levels:

1. Open the Properties: Real-Time File Protection window.

2. Select the Protection scope tab.

3. In the protected device's list, select an item included in the protection scope in order to set a prede ned
security level.

4. Click the Con gure button.

The Real-time le protection settings window opens.

5. On the Security level, tab select the security level to be applied.

The window displays the list of security settings corresponding to the security level selected.

6. Click OK.

7. Click OK in the Properties: Real-Time File Protection window.

Con gured task settings are saved and applied immediately to a running task. If the task is not running, the
modi ed settings are applied at next start.

Con guring security settings manually

By default, the Real-Time File Protection task uses common security settings for the entire protection scope.
These settings correspond to the Recommended prede ned security level.

The default values of security settings can be modi ed by con guring them as common settings for the entire
protection scope or as di erent settings for individual items in the device's le resource list or nodes in the tree.

To con gure the security settings of the selected node manually:

1. Open the Real-time le protection window.

2. On the Protection scope tab, select the node whose security settings you want to con gure, and click
Con gure.
The Real-time le protection settings window opens.

3. On the Security level tab, click the Settings button to customize the con guration.

4. You can con gure custom security settings for the selected node in accordance with your requirements:

258
General settings

Actions

Performance

5. Click OK in the Real-time le protection window.

The new protection scope settings are saved.

Con guring general task settings

To con gure the general security settings of the Real-Time File Protection task:

1. Open the Real-time le protection settings window.

2. Select the General tab.

3. In the Objects protection section, specify the objects types that you want to include in the protection scope:

All objects

Objects scanned by format

Objects scanned according to list of extensions speci ed in anti-virus database

Objects scanned by speci ed list of extensions

Scan disk boot sectors and MBR

Scan alternate NTFS streams

4. In the Performance group box, select or clear the Protect only new and modi ed les check box.

To switch between available options when the check box is cleared, click on the All / Only new link for each
of the compound object types.

5. In the Compound objects protection section, specify the compound objects that you want to include in the
protection scope:

All / Only new archives

All / Only new SFX archives

All / Only new email databases

All / Only new packed objects

All / Only new plain email

All / Only new embedded OLE objects

259
6. Click Save.

The new task con guration will be saved.

Con guring actions

To con gure actions on infected and other detected objects during the Real-Time File Protection task:

1. Open the Real-time le protection settings window.

2. Select the Actions tab.

3. Select the action to be performed on infected and other detected objects:

Notify only .

Block access .

Perform additional action.

Select the action from the drop-down list:

Disinfect.

Disinfect. Remove if disinfection fails.

Remove .

Recommended .

4. Select the action to be performed on probably infected objects:

Notify only .

Block access .

Perform additional action.

Select the action from the drop-down list:

Quarantine.

Remove .

Recommended .

5. Con gure actions to be performed on objects depending on the type of object detected:

a. Clear or select the Perform actions depending on the type of object detected check box.

b. Click the Settings button.

c. In the window that opens, select a primary action and a secondary action (to be performed if the primary
action fails) for each type of detected object.

d. Click OK.
260
6. Select the action to perform on unmodi able compound les: select or clear the Entirely remove compound
le that cannot be modi ed by the application in case of embedded object detection check box.

7. Click Save.

The new task con guration will be saved.

Con guring performance

To con gure performance settings for the Real-Time File Protection task:

1. Open the Real-time le protection settings window.

2. Select the Performance tab.

3. In the Exclusions section:

Clear or select the Exclude les check box.

Clear or select the Do not detect check box.

Click the Edit button for each setting to add exclusions.

4. In the Advanced settings section:

Stop scanning if it takes longer than (sec.)

Do not scan compound objects larger than (MB)

Use iSwift technology

Use iChecker technology

Managing the Real-Time File Protection task via the Application Console
In this section, you will learn how to navigate the Application Console interface and con gure task settings on a
protected device.

Navigation
Learn how to navigate to the required task settings via the chosen interface.

Opening the Real-Time File Protection task settings

To open the general task settings window:

261
1. In the Application Console tree, expand the Real-Time Computer Protection node.

2. Select the Real-Time File Protection child node.

3. Click the Properties link in the results pane.

The Task settings window opens.

Opening the Real-Time File Protection task scope settings

To open the Protection scope settings window for the Real-Time File Protection task:

1. In the Application Console tree, expand the Real-Time Computer Protection node.

2. Select the Real-Time File Protection child node.

3. Click the Con gure protection scope link in the results pane.
The Protection scope settings window opens.

Con guring the Real-Time File Protection task

To con gure the Real-Time File Protection task settings:

1. Open the Task settings window.

2. On the General tab, con gure the following task settings:

Objects protection mode

Heuristic analyzer

Integration with other components

3. On the Schedule and Advanced tabs, specify the scheduled start settings.

4. Click OK in the Task settings window.

The modi ed settings are saved.

5. In the results pane of the Real-Time File Protection node click the Con gure protection scope link.

6. Do the following:

In the tree or list of the device's le resources, select the nodes or items that you want to be included in the
task protection scope.

Select one of the prede ned security levels or con gure the object protection settings manually.

7. In the Protection scope settings window, click the Save button.

262
Kaspersky Embedded Systems Security immediately applies the new settings to a running task. The date and
time of the settings modi cation, and the values of task settings set before and after modi cation, are saved in
the system audit log.

Selecting protection mode

To select the protection mode:

1. Open the Task settings window.

2. In the window that opens, open the General tab and select the protection mode that you want to set:

Smart mode

On access and modi cation

On access

When run

Deeper analysis of launching processes (process launch is blocked until the analysis ends)

3. Click OK.

The selected protection mode will take e ect.

Con guring Heuristic Analyzer and integration with other application

components

To start the KSN Usage task, you must accept the Kaspersky Security Network Statement.

To con gure Heuristic Analyzer and integration with other components:

1. Open the Task settings window.

2. On the General tab, clear or select the Use heuristic analyzer check box.

3. If necessary, adjust the level of analysis using the slider .

4. In the Integration with other components section, con gure the following settings:

Select or clear the Apply Trusted Zone check box.

Click the Trusted Zone link to open the Trusted Zone settings.

263
Select or clear the Use KSN for protection check box.

The Send data about scanned les check box must be selected in the KSN Usage task settings.

Select or clear the Block access to network shared resources for the hosts that show malicious activity
check box.

Select or clear the Launch critical areas scan when active infection is detected check box.

5. Click OK.

The newly con gured settings will be applied.

Con guring the task schedule settings

In the Application Console, you can schedule when to start local system and custom tasks. However, you cannot
schedule when to start group tasks.

To schedule a task:

1. Open the context menu of the task you want to schedule.

2. Select Properties.
The Task settings window opens.

3. In the window that opens, on the Schedule tab, select the Run by schedule check box.

4. Follow these steps to specify schedule settings:

a. In the Frequency drop-down menu, select one of the following:

Hourly: to run the task at hourly intervals; specify the number of hours in the Every <number> hour(s)
eld.

Daily: to run the task at daily intervals; specify the number of days in the Every <number> day(s) eld.

Weekly: to run the task at weekly intervals; specify the number of weeks in the Every <number> week(s)
on eld. Specify the days of the week to start the task (by default the task runs on Mondays).

At application launch: to run the task every time Kaspersky Embedded Systems Security starts.

After application database update: to run the task after every update of the application database.

b. In the Start time eld, specify the time when to start the task for the rst time.

c. In the Start date eld, specify the date when to start the task for the rst time.

264
The Next start eld displays the Blocked by policy value if Kaspersky Security Center active policy
settings prohibit a scheduled local system task from starting.

5. Use the Advanced tab to specify the following schedule settings:

In the Task stop settings section:

a. Select the Duration check box. In the elds to the right, enter maximum task duration in hours and
minutes.

b. Select the Pause from check box. In the elds to the right, enter when to pause and resume the task
(under 24 hours).

In the Advanced settings section:

a. Select the Cancel schedule from check box and specify the task schedule end date.

b. Select the Run skipped tasks check box to start skipped tasks.

c. Select the Randomize the task start within interval of check box and specify a value in minutes.

6. Click OK.

The task schedule settings are saved.

Creating a protection scope

This section provides instructions on creating and managing a protection scope in the Real-Time File Protection
task.

Con guring the view for network le resources

To select the view for network le resources during con guration of protection scope settings:

1. Open the Protection scope settings window.

2. Open the drop-down list in the upper left section of the window and select one of the following options:

Select the Tree-view option to display the network le resources as a tree.

Select the List-view option to display the network le resources as a list.

By default, the network le resources of the protected device are displayed as a list.

3. Click the Save button.

265
Creating a protection scope
The procedure for creating the Real-Time File Protection task scope depends on the selected network le
resource view. You can view the network le resources as a tree or a list (set as default).

To apply the new protection scope settings to the task, the Real-Time File Protection task must be restarted.

To create a protection scope using the network le resource tree:

1. Open the Protection scope settings window.

2. In the left section of the window, open the network le resource tree to display all the nodes and child nodes.

3. Do the following:

To exclude individual nodes from the protection scope, clear check boxes next to the names of these nodes.

To include individual nodes in the protection scope, clear the My Computer check box and do the following:

If all drives of one type are to be included in the protection scope, select the check box opposite the
name of the required disk type (for example, to add all removable drives on the device, select the
Removable drives check box).

If an individual disk of a certain type is to be included in the protection scope, expand the node that
contains the list of drives of this type and check the box next to the name of the required drive. For
example, in order to select removable drive F:, expand the Removable drives node and check the box for
F: drive.

If you would like to include only a single folder or le on the drive, select the check box next to the name
of that folder or le.

4. Click the Save button.

The Protection scope settings window closes. Your newly con gured settings are saved.

To create a protection scope using the network le resources list:

1. Open the Protection scope settings window.

2. To include individual nodes in the protection scope, clear the My Computer check box and do the following:

a. Open the context menu of the protection scope by right-clicking it.

b. In the context menu of the button, select Add protection scope.

c. In the Add protection scope window select an object type to add it to the protection scope:

Prede ned scope - to include one of the prede ned scopes in the protection scope on the device. Then
in the drop-down list, select the desired protection scope.

Disk, folder or network location - to include an individual drive, folder or a network object in the
protection scope. Then select the desired scope by clicking the Browse button.
266
File - to include an individual le in the protection scope. Then select the desired scope by clicking the
Browse button.

You cannot add an object to a protection scope if it has already been added as an exclusion from a
protection scope.

3. To exclude individual nodes from the protection scope, clear check boxes next to the names of these nodes or
take the following steps:

a. Open the context menu of the protection scope by right-clicking it.

b. In the context menu, select the Add exclusion option.

c. In the Add exclusion window, select an object type that you want to add as an exclusion from the protection
scope following the procedure used when adding an object to the protection scope.

4. To modify the protection scope or an existing exclusion, select the Edit scope option in the context menu of
the desired protection scope.

5. To hide a previously added protection scope or an exclusion in the list of network le resources, select the
Remove from the list option in the context menu of the desired protection scope.

A protection scope is removed from the Real-Time File Protection task scope when it is removed from the
network le resource list.

6. Click the Save button.

The Protection scope settings window closes. Your newly con gured settings are saved.

The Real-Time File Protection task can be started if at least one of the device's le resource nodes is included
in a protection scope.

If a complex protection scope is speci ed, for example, if di erent security values for settings for multiple
nodes in the device's le resource tree are speci ed, this may slow the scanning of objects when they are
accessed.

Including network objects in the protection scope

Network drives, folders or les can be added to the protection scope by specifying their path in UNC (Universal
Naming Convention) format.

You can scan network folders under the system account.

To add a network location to the protection scope:

1. Open the Protection scope settings window.

267
2. Open the drop-down list in the upper left part of the window and select Tree-view.

3. In the context menu of the Network node:

Select Add network folder, if you want to add a network folder to the protection scope.

Select Add network le, if you want to add a network le to the protection scope.

4. Enter the path to the network folder or le in UNC format.

5. Press the ENTER key.

6. Select the check box next to the newly added network object to include it in the protection scope.

7. If necessary, change the security settings for the added network object.

8. Click the Save button.

The modi ed task settings are saved.

Creating a virtual protection scope

You can expand the protection / scan scope by adding individual virtual drives, folders, or les only if the
protection / scan scope is presented as a tree of le resources.

To add a virtual drive to the protection scope:

1. Open the Protection scope settings window.

2. Open the drop-down list in the window upper left sector and select Tree-view.

3. Open the context menu of the Virtual drives node.

4. Select the Add virtual drive option.

5. In the list of available names, select the name of the virtual drive that is being created.

6. Select the check box next to the drive to include the drive in the protection scope.

7. In the Protection scope settings window, click the Save button.

Your newly con gured settings are saved.

To add a virtual folder or virtual le to the protection scope:

1. Open the Protection scope settings window.

2. Open the drop-down list in the upper left part of the window and select Tree-view.

3. Open the context menu of the virtual drive to which you want to add a folder or a le, and select one of the
following options:

268
Add virtual folder - if you want to add a virtual folder to the protection scope.

Add virtual le - if you want to add a virtual le to the protection scope.

4. In the entry eld, specify the name of the folder or le.

5. In the line containing the name of the created folder or le, select the check box to include the folder or le in
the protection scope.

6. In the Protection scope settings window, click the Save button.

The modi ed task settings are saved.

Con guring security settings manually

By default Real-Time Computer Protection tasks use common security settings for the entire protection scope.
These settings correspond to the Recommended prede ned security level.

When working with the protected device's le resource tree, security settings that are con gured for the selected
parent node are automatically applied to all child nodes. The security settings of the parent node are not applied to
child nodes that are con gured separately.

To con gure security settings manually:

1. Open the Protection scope settings window.

2. In the left window section select the node to con gure security settings.
A prede ned template containing security settings can be applied for a selected node or item in the protection
scope.
In the left part of the window, you can select the view for network le resources, create a protection scope, or
create a virtual protection scope.

3. In the right part of the window, do one of the following:

On the Security level tab select the security level to be applied.

Con gure the required security settings of the selected node or item in accordance with your requirements
in the following tabs:

General

Actions

Performance

4. In the Protection scope settings window, click the Save button.

The new protection scope settings are saved.

269
Selecting prede ned security levels for Real-Time File Protection task
You can apply one of the following three prede ned security levels to a node selected in the protected device's le
resource tree or list: Maximum performance, Recommended, and Maximum protection.

To select one of the prede ned security levels:

1. Open the Protection scope settings window.

2. In the protected device's network le resource tree or list, select a node or item to set the prede ned security
level.

3. Make sure that the selected node or item is included in the protection scope.

4. In the right part of the window, on the Security level tab select the security level to be applied.
The window displays the list of security settings corresponding to the selected security level.

5. Click the Save button.

The task settings are saved and applied immediately to the running task. If the task is not running, the modi ed
settings are applied at the next start.

Con guring general task settings

To con gure the general security settings of the Real-Time File Protection task:

1. Open the Protection scope settings window.

2. Select the General tab.

3. In the Objects protection section, specify the objects that you want to include in the protection scope:

All objects

Objects scanned by format

Objects scanned according to list of extensions speci ed in anti-virus database

Objects scanned by speci ed list of extensions

Scan disk boot sectors and MBR

Scan alternate NTFS streams

4. In the Performance group box, select or clear the Protect only new and modi ed les check box.

To switch between available options when the check box is cleared, click on the All / Only new link for each
of the compound object types.

270
5. In the Compound objects protection section, specify the compound objects that you want to include in the
protection scope:

All / Only new archives

All / Only new SFX archives

All / Only new email databases

All / Only new packed objects

All / Only new plain email

All / Only new embedded OLE objects

6. Click Save.

The new task con guration will be saved.

Con guring actions

To con gure actions on infected and other detected objects for the Real-Time File Protection task:

1. Open the Protection scope settings window.

2. Select the Actions tab.

3. Select the action to be performed on infected and other detected objects:

Notify only .

Block access .

Perform additional action.

Select the action from the drop-down list:

Disinfect.

Disinfect. Remove if disinfection fails.

Remove .

Recommended .

4. Select the action to be performed on probably infected objects:

Notify only .

Block access .

Perform additional action.

Select the action from the drop-down list:

Quarantine.
271
Remove .

Recommended .

5. Con gure actions to be performed on objects depending on the type of object detected:

a. Clear or select the Perform actions depending on the type of object detected check box.

b. Click the Settings button.

c. In the window that opens, select a primary action and a secondary action (to be performed if the primary
action fails) for each type of detected object.

d. Click OK.

6. Select the action to perform on unmodi able compound les: select or clear the Entirely remove compound
le that cannot be modi ed by the application in case of embedded object detection check box.

7. Click Save.

The new task con guration will be saved.

Con guring performance

To con gure performance settings for the Real-Time File Protection task:

1. Open the Protection scope settings window.

2. Select the Performance tab.

3. In the Exclusions section:

Clear or select the Exclude les check box.

Clear or select the Do not detect check box.

Click the Edit button for each setting to add exclusions.

4. In the Advanced settings section:

Stop scanning if it takes longer than (sec.)

Do not scan compound objects larger than (MB)

Use iSwift technology

Use iChecker technology

Real-Time File Protection task statistics

When the Real-Time File Protection task is running, you can view detailed real-time information about the number
of objects processed by Kaspersky Embedded Systems Security since the task was started.
272
To view the Real-Time File Protection task statistics:

1. In the Application Console tree, expand the Real-Time Computer Protection node.

2. Select the Real-Time File Protection child node.

Task statistics are displayed in the Statistics section of the results pane of the selected node.

The information can be viewed about objects processed by Kaspersky Embedded Systems Security since it was
started (see the table below).

Real-Time File Protection task statistics

Field Description

Detected Number of objects detected by Kaspersky Embedded Systems Security. For example, if
Kaspersky Embedded Systems Security detects one malicious object in ve les, the value
in this eld increases by one.

Infected and Number of objects that Kaspersky Embedded Systems Security found and classi ed as
other objects infected, or number of found legitimate software les that can be used by intruders to
detected damage your device or personal data.

Probably Number of objects detected by Kaspersky Embedded Systems Security as probably

infected infected.
objects
detected

Objects not Number of objects that Kaspersky Embedded Systems Security did not disinfect for the
disinfected following reasons:
The detected object is of a type that cannot be disinfected.

An error occurred during disinfection.

Objects not Number of objects that Kaspersky Embedded Systems Security attempted to quarantine
moved to unsuccessfully, for example, due to insu icient disk space.
Quarantine

Objects not Number of objects that Kaspersky Embedded Systems Security attempted to delete
removed unsuccessfully, for example, because access to the object was blocked by another
application.

Objects not Number of objects in the protection scope that Kaspersky Embedded Systems Security
scanned failed to scan, because, for example, access to the object was blocked by another
application.

Objects not Number of objects whose copies Kaspersky Embedded Systems Security attempted to
backed up save in Backup unsuccessfully, for example, due to insu icient disk space.

Processing Number of objects whose processing resulted in an error.

errors

Objects Number of objects disinfected by Kaspersky Embedded Systems Security.

disinfected

Moved to Number of objects quarantined by Kaspersky Embedded Systems Security.

Quarantine

Moved to Number of objects whose copies Kaspersky Embedded Systems Security saved to Backup.
Backup

Objects Number of objects removed by Kaspersky Embedded Systems Security.

273
removed

Password- Number of objects (archives, for example) that Kaspersky Embedded Systems Security
protected missed because they were password protected.
objects

Corrupted Number of objects skipped by Kaspersky Embedded Systems Security because their
objects format was corrupted.

Objects Total number of objects processed by Kaspersky Embedded Systems Security.

processed

You can view the Real-Time File Protection task statistics in the task log by clicking the Open task log link in the
Management section in the detail pane.

If the value of the Total events eld in the Real-Time File Protection task log window exceeds 0, we
recommend that you manually process the events in the task log on the Events tab.

Managing Real-Time File Protection task via the Web Plug-in

In this section, learn how to manage the Real-Time File Protection task via the Web Plug-in interface.

Con guring Real-Time File Protection task

Prede ned security level can not be changed for the Real-Time File Protection task via the Web Plug-in.

To con gure Real-Time File Protection task via the Web Plug-in:

1. In the main window of the Web Console, select Devices → Policies & pro les.

2. Click the policy name you want to con gure.

3. In the <Policy name> window that opens select the Application settings tab.

4. Select the Real-time computer protection section.

5. Click Settings in the Real-Time File Protection subsection.

6. Con gure the settings described in the table below.

Real-Time File Protection task settings

Setting Description

Smart mode Kaspersky Embedded Systems Security selects objects to be scanned on its own.
An object is scanned on being opened and then again after being saved if the
object has been modi ed. If the object is accessed multiple times and modi ed by
the process, Kaspersky Embedded Systems Security rescans the object only after
the object is saved by the process for the last time.

On access Kaspersky Embedded Systems Security scans all objects when they are opened for
reading, execution, or modi cation.
274
On access and
Kaspersky Embedded Systems Security scans an object when it is opened and
modi cation
rescans after it is saved, if the object was modi ed.
This option is selected by default.
When run Kaspersky Embedded Systems Security scans a le only when it is accessed to be
executed.

Deeper analysis Kaspersky Embedded Systems Security performs longer analysis of launching
of launching processes with higher probability to detect a threat. The process launch is blocked
processes until the end of analysis.
(process launch
is blocked until
the analysis
ends)

Use Heuristic
This check box enables / disables Heuristic Analyzer during object scanning.
Analyzer
If the check box is selected, Heuristic Analyzer is enabled.
If the check box is cleared, Heuristic Analyzer is disabled.
The check box is selected by default.

Heuristic analysis
The heuristic analysis level sets the balance between the thoroughness of searches
level
for threats, the load on the operating system's resources and the time required for
scanning.
The following scanning sensitivity levels are available:
Light. Heuristic Analyzer performs fewer instructions within executable les.
The probability of threat detection in this mode is somewhat lower. Scanning
is faster and less resource-intensive.

Medium. Heuristic Analyzer performs the number of executable le

instructions recommended by Kaspersky experts.

This level is selected by default.

Deep. Heuristic Analyzer performs more instructions within executable les.
The probability of threat detection in this mode is higher. Scanning uses more
system resources, takes more time, and can produce a higher number of false
alarms.

The setting is available if the Use heuristic analyzer check box is selected.
Apply Trusted
This check box enables / disables use of the Trusted Zone for a task.
Zone
If the check box is selected, Kaspersky Embedded Systems Security adds le
operations of trusted processes to the scan exclusions con gured in the task
settings.
If the check box is cleared, Kaspersky Embedded Systems Security disregards the
le operations of trusted processes when forming the protection scope for the
task.
The check box is selected by default.

Use KSN for

This check box enables or disables the use of KSN services.
protection
If the check box is selected, the application uses Kaspersky Security Network data
to ensure that the application responds more quickly to new threats and to reduce
the likelihood of false positives.
If the check box is cleared, the task does not use KSN services.
275
The check box is selected by default.

Block access to The check box enables or disables adding hosts showing malicious activity to the
network shared list of blocked hosts.
resources for the
hosts that show If the check box is selected, Kaspersky Embedded Systems Security adds hosts
malicious activity showing malicious activity to the list of blocked hosts.

If the check box is cleared, Kaspersky Embedded Systems Security does not add
hosts showing malicious activity to the list of blocked hosts.

The check box is cleared by default.

You can view the list of blocked hosts in the Blocked Hosts storage.

You can restore access to blocked hosts, and specify the number of days, hours
and minutes after which hosts regain access to network le resources after being
blocked by con guring the Blocked Hosts storage settings.

Launch critical
If the check box is selected, when active infection is detected, Kaspersky
areas scan when
Embedded Systems Security creates and launches a temporary Critical Areas Scan
active infection
task. When the Critical Areas Scan temporary task nishes, Kaspersky Embedded
is detected
Systems Security removes this temporary task.
If the check box is cleared, when active infection is detected, Kaspersky Embedded
Systems Security does not create and launch Critical Areas Scan task.
The check box is selected by default.

Protection scope
You can con gure security settings of the protection scope.

Con guring the task protection scope

To con gure a protection scope for Real-Time File Protection task:

1. In the main window of the Web Console, select Devices → Policies & pro les.

2. Click the policy name you want to con gure.

3. In the <Policy name> window that opens select the Application settings tab.

4. Select the Real-time computer protection section.

5. Click Settings in the Real-Time File Protection subsection.

6. Select the Protection scope section.

7. Do one of the following:

Click Add button to add a new rule.

Select an existing rule and click Edit button.

The Edit scope window opens.

276
8. Switch the toggle button to Active and select an object type.

9. In the Objects protection section, con gure the following settings:

Objects protection mode:

All objects

Objects scanned by format

Objects scanned according to list of extensions speci ed in anti-virus database

Objects scanned by speci ed list of extensions

Scan disk boot sectors and MBR

Scan alternate NTFS streams

10. In the Objects protection section, select or clear the Protect only new and modi ed les check box.

11. In the Compound objects protection section, specify the compound objects that you want to include in the
scan scope:

Embedded OLE objects

Entirely remove compound le that cannot be modi ed by the application in case of embedded object
detection

12. Select the action to be performed on infected and other detected objects:

Notify only .

Block access .

Perform additional action.

Select the action from the drop-down list:

Disinfect.

Disinfect. Remove if disinfection fails.

Remove .

Recommended .

13. Select the action to be performed on probably infected objects:

277
Notify only .

Block access .

Perform additional action.

Select the action from the drop-down list:

Quarantine.

Remove .

Recommended .

14. Con gure actions to be performed on objects depending on the type of object detected:

a. Clear or select the Perform actions depending on the type of object detected check box.

b. Click the Settings button.

c. In the window that opens, select a primary action and a secondary action (to be performed if the primary
action fails) for each type of detected object.

d. Click OK.

15. In the Exclusions section, con gure the following settings:

Clear or select the Exclude les check box.

Clear or select the Do not detect check box.

16. In the Performance section, con gure the following settings:

Stop scanning if it takes longer than (sec.)

Do not scan compound objects larger than (MB)

Use iSwift technology

Use iChecker technology

17. Click the OK button.

278
KSN Usage
This section contains information about the KSN Usage task and how to con gure it.

About the KSN Usage task

Kaspersky Security Network (also referred to as "KSN") is an infrastructure of online services providing access to
Kaspersky's operative knowledge base on the reputation of les, web resources and programs. Kaspersky Security
Network allows Kaspersky Embedded Systems Security to react very promptly to new threats, improves the
performance of several protection components, and reduces the likelihood of false positives.

To start the KSN Usage task, you must accept the Kaspersky Security Network Statement.

Information received by Kaspersky Embedded Systems Security from Kaspersky Security Network pertains
only to the reputation of programs.

Participation in KSN allows Kaspersky to receive real-time information about types and sources of new threats,
develop ways to neutralize them, and reduce the number of false positives in application components.

More detailed information about the transferring, processing, storage, and destruction of information about
application usage is available in the Data handling window of the KSN Usage task, and in the Privacy Policy
on the Kaspersky's website.

Participation in Kaspersky Security Network is voluntary. The decision regarding participation in Kaspersky Security
Network is made after installation of Kaspersky Embedded Systems Security. You can change your decision about
participation in Kaspersky Security Network at any time.

Kaspersky Security Network can be used in the following Kaspersky Embedded Systems Security tasks:

Real-Time File Protection.

On-Demand Scan.

Applications Launch Control.

Kaspersky Private Security Network

See details about how to con gure Kaspersky Private Security Network (hereinafter referred to "Private KSN")
in the Kaspersky Security Center Help.

If you use Private KSN on the device, in the Data handling window of the KSN Usage task you can read the KSN
Statement and enable the task by selecting the I accept the terms of participation in Kaspersky Security
Network check box. By accepting the terms you agree to send all types of data mentioned in KSN Statement
(security requests, statistical data) to KSN services.

279
After accepting the Private KSN terms, the check boxes that adjust the Global KSN usage are not available.

If you disable Private KSN when the KSN Usage task is running, the License violation error occurs and the task
stops. To continue protecting the device you need to accept the KSN Statement in the Data handling window and
restart the task.

Withdrawal of the KSN Statement acceptance

You can withdraw the acceptance and stop any data exchange with the Kaspersky Security Network at any
moment. The following actions are considered as the full or partial withdrawal of KSN Statement:

Clearing the Send data about scanned les check box: the application stops sending checksums of scanned
les to KSN service for analysis.

Clearing the Send Kaspersky Security Network statistics check box: the application stops processing data
with additional KSN statistics.

Clearing the I accept the terms of participation in Kaspersky Security Network check box: the application
stops all KSN-related data processing, the KSN Usage task stops.

Uninstalling the KSN Usage component: all KSN-related data processing stops.

Uninstalling the Kaspersky Embedded Systems Security: all KSN-related data processing stops.

Uninstalling a license key for the Kaspersky Embedded Systems Security or the license is suspended: all KSN-
related data processing stops.

Default KSN Usage task settings

You can change the default settings of the KSN Usage task (see the table below).

Default KSN Usage task settings

Setting Default Value Description

Action to Remove You can specify actions that Kaspersky Embedded Systems
perform on Security will take on objects identi ed by KSN as untrusted.
KSN untrusted
objects

Data transfer The le checksum You can specify the maximum size of les for which a checksum
(MD5 hash) is is calculated using the MD5 algorithm for delivery to KSN. If the
calculated for les check box is cleared, Kaspersky Embedded Systems Security
that do not exceed 2 calculates the MD5 hash for les of any size.
MB in size.

Task start First run is not You can start the task manually or con gure a scheduled start.
schedule scheduled.

Use Kaspersky Selected By default the data is sent to KSN via Kaspersky Security
Security Center.
Center as KSN
You can change this setting only via the Administration Plug-in.
Proxy

I accept the Cleared If selected, participation in KSN after the installation is

280
terms of accepted. You can change your decision at any moment.
participation in
Kaspersky
Security
Network

Send Selected (applied only If the KSN Statement is accepted, the KSN Statistics will be
Kaspersky if the KSN Statement sent automatically, unless you clear the check box.
Security is accepted)
Network
statistics

Send data Selected (applied only If the KSN Statement is accepted, the data about les that
about scanned if the KSN Statement were scanned and analyzed since the task has been started, is
les is accepted) sent. You can clear the check box at any time.

Managing KSN Usage via the Administration Plug-In

In this section, learn how con gure the KSN Usage task and Data Handling via the Administration Plug-In.

Con guring the KSN Usage task

To con gure the KSN Usage task:

1. Expand the Managed devices node in the Kaspersky Security Center Administration Console tree.

2. Select the administration group for which you want to con gure application settings.

3. Perform one of the following actions in the details pane of the selected administration group:

To con gure application settings for a group of protected devices, select the Policies tab and open the
Properties: <Policy name> window.

To con gure the application for a single protected device, select the Devices tab and open the Application
settings window.

If an active Kaspersky Security Center policy is applied to a device and blocks changes to application
settings, then these settings cannot be edited in the Application settings window.

4. In the Real-Time Computer Protection section, click the Settings button in the KSN Usage subsection.
The KSN Usage window opens.

5. On the General tab, con gure the following task settings:

In the Action to perform on KSN untrusted objects section, specify the action that Kaspersky Embedded
Systems Security is to perform if it detects an object identi ed by KSN as untrusted:

Remove

Log information

281
In the Data transfer section, restrict the size of les for which the checksum is calculated:

Clear or select the Do not calculate checksum before sending to KSN if le size exceeds (MB) check
box.

If required, in the eld to the right, change the maximum size of les for which Kaspersky Embedded
Systems Security calculates the checksum.

In the KSN Proxy section, clear or select the Use Kaspersky Security Center as KSN Proxy check box.

To enable KSN Proxy the KSN Statement must be accepted and Kaspersky Security Center properly
con gured. See Kaspersky Security Center Help for more details.

6. If needed, con gure the task start schedule on the Task management tab. For example, you can start the task
by schedule and specify the At application launch frequency, if you want the task to run automatically when
the protected device is restarted.
The application will automatically start the KSN Usage task by schedule.

7. Con gure the data handling before starting the task.

8. Click OK.

The modi ed settings are applied. The date and time of modifying the settings, as well as information about the
task settings before and after modi cation, are saved in the system audit log.

Con guring Data Processing

To con gure what data will be processed by the KSN services and accept the KSN Statement:

1. Expand the Managed devices node in the Kaspersky Security Center Administration Console tree.

2. Select the administration group for which you want to con gure application settings.

3. Perform one of the following actions in the details pane of the selected administration group:

To con gure application settings for a group of protected devices, select the Policies tab and open the
Properties: <Policy name> window.

To con gure the application for a single protected device, select the Devices tab and open the Application
settings window.

If an active Kaspersky Security Center policy is applied to a device and blocks changes to application
settings, then these settings cannot be edited in the Application settings window.

4. In the Real-Time Computer Protection section click the Data processing button in the KSN Usage
subsection.
The KSN data handling window opens.

5. On the Statistics and services tab, read the Statement and select the I accept the terms of participation in
Kaspersky Security Network check box.
282
6. To increase the protection level, the following check boxes are automatically selected:

Send data about scanned les .

Send Kaspersky Security Network statistics .

You can clear these check boxes and stop sending additional data at any moment.

7. The Send Kaspersky Security Network statistics check box is selected by default. You can clear the check
box at any time, if you don't want Kaspersky Embedded Systems Security to send additional statistics to
Kaspersky.

8. Click OK.
The data processing con guration will be saved.

Managing KSN Usage via the Application Console

In this section, learn how con gure the KSN Usage task and Data handling via the Application Console.

Con guring KSN Usage task

To con gure the KSN Usage task:

1. In the Application Console tree, expand the Real-Time Computer Protection node.

2. Select the KSN Usage child node.

3. Click the Properties link in the results pane.

The Task settings window opens on the General tab.

4. Con gure the task:

In the Action to perform on KSN untrusted objects section, specify the action that Kaspersky Embedded
Systems Security is to perform if it detects an object identi ed by KSN as untrusted:

Remove

Log information

In the Data transfer section, restrict the size of les for which the checksum is calculated:

Clear or select the Do not calculate checksum before sending to KSN if le size exceeds (MB) check
box.

If required, in the eld to the right, change the maximum size of les for which Kaspersky Embedded
Systems Security calculates the checksum.

5. If needed, con gure the task start schedule on the Schedule and Advanced tabs. For example, you can enable
task start by schedule and specify the start frequency of the At application launch if you want the task to run
automatically when the protected device is restarted.

283
The application will automatically start the KSN Usage task by schedule.

6. Con gure the Data handling before starting the task.

7. Click OK.

The modi ed settings are applied. The date and time of modifying the settings, as well as information about the
task settings before and after modi cation, are saved in the system audit log.

Con guring Data handling

To con gure what data will be processed by the KSN services and accept the KSN Statement:

1. In the Application Console tree, expand the Real-Time Computer Protection node.

2. Select the KSN Usage child node.

3. Click the Data processing link in the results pane.

The Data handling window opens.

4. On the Statistics and services tab, read the Statement and select the I accept the terms of participation in
Kaspersky Security Network check box.

5. To increase the protection level, the following check boxes are automatically selected:

Send data about scanned les .

Send Kaspersky Security Network statistics .

You can clear these check boxes and stop sending additional data at any moment.

6. The Send Kaspersky Security Network statistics check box is selected by default. You can clear the check
box at any time, if you don't want Kaspersky Embedded Systems Security to send additional statistics to
Kaspersky.

7. Click OK.

The data processing con guration will be saved.

Managing KSN Usage via the Web Plug-in

To con gure the KSN Usage task and Data Handling via the Web Plug-in:

1. In the main window of the Web Console, select Devices → Policies & pro les.

2. Click the policy name you want to con gure.

3. In the <Policy name> window that opens select the Application settings tab.

4. Select the Real-time computer protection section.

284
5. Click Settings in the KSN Usage subsection.

6. Con gure the settings described in the table below.

KSN Usage task and Data Handling via the Administration Plug-In settings

Setting Description

Remove
Kaspersky Embedded Systems Security deletes the object with KSN-untrusted status
and places a copy of it in Backup.
This option is selected by default.

Log
Kaspersky Embedded Systems Security records information about the object with KSN-
information
untrusted status in the task log. Kaspersky Embedded Systems Security does not delete
the untrusted object.

Do not
This check box enables or disables calculation of the checksum for les of the speci ed
calculate
size for delivery of this information to the KSN service.
checksum
before The duration of the checksum calculation depends on the le size.
sending to If this check box is selected, Kaspersky Embedded Systems Security does not calculate
KSN if le the checksum for les that exceed the speci ed size (in MB).
size exceeds
If the check box is cleared, Kaspersky Embedded Systems Security calculates the
checksum for les of any size.
The check box is selected by default.

I con rm
By selecting this check box you con rm that you have read and accepted the terms of
that I have
the Kaspersky Security Network Statement.
fully read,
understood,
and accept
the terms of
participation
in Kaspersky
Security
Network

Send data
If the check box is selected, Kaspersky Embedded Systems Security sends the
about
checksum of scanned les to the Kaspersky. Conclusion about each le security is based
scanned
on the reputation received from KSN.
les
If the check box is cleared, Kaspersky Embedded Systems Security does not send
checksum of les to KSN.
Note, than the le reputation requests might be sent in a limited mode. The limitations
are used for protection of the Kaspersky reputation servers from the DDoS attacks. In
this scenario, the parameters of le reputation requests, that are being sent, are de ned
by the rules and methods established by the Kaspersky experts and cannot be
con gured by user on a protected device. Updates of these rules and methods are
received along with the application database updates. If the limitations are applied, the
enabled by Kaspersky for protecting KSN servers against DDoS status is displayed in the
KSN Usage task statistics.
The check box is selected by default.

Agree to
If the check box is selected the Kaspersky Embedded Systems Security sends additional
process
statistics, which may contain personal data. The list of all data, that is sent as KSN
data as a
statistics, is speci ed in the KSN Statement. The data received by Kaspersky is used to
part of the
improve the quality of applications and level of threat detection rates.
Kaspersky
Security
285
Network If the check box is cleared, Kaspersky Embedded Systems Security does not send
statistics additional statistics.
The check box is selected by default.
Task You can con gure settings to start the task on a schedule.
management

Con guring additional data transfer

Kaspersky Embedded Systems Security can be con gured to send the following data to Kaspersky:

Checksums of scanned les (Send data about scanned les check box).

Additional statistics, including personal data (Send Kaspersky Security Network statistics check box).

See the "Local data handling" section of this guide for detailed information about data that is sent to
Kaspersky.

The corresponding check boxes can be selected or cleared only if the I accept the terms of participation in
Kaspersky Security Network check box is selected.

By default Kaspersky Embedded Systems Security sends checksums of les and additional statistics after you
accept the KSN Statement.

The I accept the terms of participation in Kaspersky Security Network check box is not editable only if the
Kaspersky Security Center policy blocks changes of the data handling settings.

Possible check box states and corresponding conditions

Check Conditions for the Send Conditions for the Send Conditions for the I accept the terms
box data about scanned les Kaspersky Security Network of participation in Kaspersky Security
state check box state statistics check box state Network check box state

reputation requests additional statistics is sent the terms of the Kaspersky

are sent Security Network Statement are
check box is editable accepted
check box is editable
check box is editable

reputation requests additional statistics is sent the terms of the Kaspersky

are sent Security Network Statement are
check box is not editable accepted
check box is not
editable check box is not editable

reputation requests additional statistics is not the terms of the Kaspersky

are not sent sent Security Network Statement are
not accepted
check box is editable check box is editable
check box is editable
286
reputation requests additional statistics is not the terms of the Kaspersky
are not sent sent Security Network Statement are
not accepted
check box is not check box is not editable
editable check box is not editable

KSN Usage task statistics

While the KSN Usage task is being executed, detailed information can be viewed in real time about the number of
objects processed by Kaspersky Embedded Systems Security since it was started up till now. Information about all
events that occur during the task performing is recorded in the task log.

To view KSN Usage task statistics:

1. In the Application Console tree, expand the Real-Time Computer Protection node.

2. Select the KSN Usage child node.

Task statistics are displayed in the Statistics section of the details pane of the selected node.

You can view information about objects processed by Kaspersky Embedded Systems Security since the task was
started (see the table below).

KSN Usage task statistics

Field Description

Request Number of KSN requests whose processing resulted in a task error.

sending
errors

Statistics Number of generated statistic packages sent to KSN.

formed

Objects Number of objects that Kaspersky Embedded Systems Security deleted when running the KSN
removed Usage task.

Moved to The number of object copies that Kaspersky Embedded Systems Security saved to Backup.
Backup

Objects The number of objects that Kaspersky Embedded Systems Security attempted but was unable
not to delete, because, for example, access to the object was blocked by another application.
removed Information about such objects is recorded in the task log.

Objects The number of objects the copies of which Kaspersky Embedded Systems Security attempted
not to save in Backup but was unable to do so, for example, due to insu icient disk space. The
backed application does not disinfect or delete les that it could not move to Backup. Information
up about such objects is recorded in the task log.

Limited The status signi es whether the application sends le reputation requests in a limited mode. In
mode a limited mode Kaspersky Embedded Systems Security sends only a part of le reputation
requests according to Kaspersky experts recommendation.

287
Network Threat Protection
This section contains information about the Network Threat Protection task and how to con gure it.

About the Network Threat Protection task

The Network Threat Protection can only be installed on a device running Microsoft Windows 7 and any later
version or Windows Server 2008 R2 and any later version.

The Network Threat Protection task scans inbound network tra ic for activity that is typical of network attacks.
Upon detecting an attempted network attack that targets your computer, Kaspersky Embedded Systems Security
blocks network activity from the attacking computer. Your screen then displays a warning stating that a network
attack was attempted, and shows information about the attacking computer.

By default, the Network Threat Protection task runs in the Block connections when attack is detected mode. In
this mode, Kaspersky Embedded Systems Security adds IP addresses of hosts showing activity typical of network
attacks to the list of blocked hosts.

You can view the list of blocked hosts in the Blocked Hosts storage.

You can restore access to blocked hosts, and specify the number of days, hours and minutes after which hosts
regain access to network le resources after being blocked by con guring the Blocked Hosts storage settings.

The IP addresses of hosts showing activity typical of network attacks are deleted from the list of blocked hosts in
the following cases:

Kaspersky Embedded Systems Security is uninstalled.

The IP address was deleted manually from the list of blocked hosts.

Host blocking term has expired.

The Network Threat Protection task was stopped and the Don't stop tra ic analysis when the task is not
running check boxed is cleared.

The Block connections when attack is detected mode was turned o .

Default Network Threat Protection task settings

The Network Threat Protection task uses the default settings described in the table below. You can change the
values of these settings.
Default Network Threat Protection task settings

Setting Default value Description

Processing Block connections when The Network Threat Protection task can be started in Pass-
mode attack is detected through , Only inform about network attacks or Block
connections when attack is detected mode.

288
The check box enables or disables adding hosts showing
activity typical of network attacks to the list of blocked
hosts.
If this mode is selected, Kaspersky Embedded Systems
Security scans inbound network tra ic for activity that is
typical of network attacks, logs events about detected
activity, and adds IP addresses of hosts showing activity
typical of network attacks to the list of blocked hosts.
The mode is selected by default.
You can view the list of blocked hosts in the Blocked Hosts
storage.

You can restore access to blocked hosts, and specify the

number of days, hours and minutes after which hosts regain
access to network le resources after being blocked by
con guring the Blocked Hosts storage settings.

If this mode is selected, Kaspersky Embedded Systems

Security scans inbound network tra ic for activity that is
typical of network attacks, logs events about detected
activity, but doesn't block network activity from the
attacking computer.

If this mode is selected, Kaspersky Embedded Systems

Security scans inbound network tra ic for activity that is
typical of network attacks, but doesn't log events about
detected activity and doesn't block network activity from
the attacking computer.
For example, you can use this mode in case of a decrease in
the protected device's performance.

Exclusions The exclusion list is not Specify areas that you want to exclude from the task protection
applied. scope.

Schedule By default, the Network You can con gure the schedule.
settings Threat Protection task
starts automatically when
Kaspersky Embedded
Systems Security starts.

Con guring the Network Threat Protection task via the Application Console
In this section, learn how to manage the Network Threat Protection task via the Application Console interface.

General task settings

289
To con gure the general task settings:

1. In the Application Console tree, expand the Real-Time Computer Protection node.

2. Select the Network Threat Protection child node.

3. Click the Properties link in the details pane of the Network Threat Protection node.
The Task settings window opens.

4. Open the General tab.

5. In the Processing mode section select the processing mode:

Pass-through .

If this mode is selected, Kaspersky Embedded Systems Security scans inbound network tra ic for
activity that is typical of network attacks, but doesn't log events about detected activity and doesn't
block network activity from the attacking computer.
For example, you can use this mode in case of a decrease in the protected device's performance.

Only inform about network attacks .

If this mode is selected, Kaspersky Embedded Systems Security scans inbound network tra ic for
activity that is typical of network attacks, logs events about detected activity, but doesn't block
network activity from the attacking computer.

Block connections when attack is detected .

The check box enables or disables adding hosts showing activity typical of network attacks to the list
of blocked hosts.
If this mode is selected, Kaspersky Embedded Systems Security scans inbound network tra ic for
activity that is typical of network attacks, logs events about detected activity, and adds IP addresses
of hosts showing activity typical of network attacks to the list of blocked hosts.
The mode is selected by default.
You can view the list of blocked hosts in the Blocked Hosts storage.

You can restore access to blocked hosts, and specify the number of days, hours and minutes after
which hosts regain access to network le resources after being blocked by con guring the Blocked
Hosts storage settings.

6. Select or clear the Don't stop tra ic analysis when the task is not running check box.

7. Click OK.
290
Adding exclusions
To add exclusions for Network Threat Protection task, take the following steps:

1. In the Application Console tree, expand the Real-Time Computer Protection node.

2. Select the Network Threat Protection child node.

3. Click the Properties link in the details pane of the Network Threat Protection node.
The Task settings window opens.

4. On the Exclusions tab, select the Do not control excluded IP-addresses check box.

If this check box is selected, Kaspersky Embedded Systems Security doesn't scan inbound network tra ic
for excluded IP addresses.
If this check box is cleared, Kaspersky Embedded Systems Security doesn't apply the exclusion list.

5. Specify the IP address and click Add button.

6. Click OK.

Con guring the Network Threat Protection task via the Administration Plug-
in
In this section, learn how to manage the Network Threat Protection task via the Administration Plug-in interface.

General task settings

To con gure the general task settings:

1. Expand the Managed devices node in the Kaspersky Security Center Administration Console tree.

2. Select the administration group for which you want to con gure application settings.

3. Perform one of the following actions in the details pane of the selected administration group:

To con gure application settings for a group of protected devices, select the Policies tab and open the
Properties: <Policy name> window.

To con gure the application for a single protected device, select the Devices tab and open the Application
settings window.

If an active Kaspersky Security Center policy is applied to a device and blocks changes to application
settings, then these settings cannot be edited in the Application settings window.

291
4. In the Real-Time Computer Protection section, click the Settings button in the Network Threat Protection
subsection.
The Network Threat Protection window opens.

5. Open the General tab.

6. In the Processing mode section select the processing mode:

Pass-through .

Only inform about network attacks .

Block connections when attack is detected .

The check box enables or disables adding hosts showing activity typical of network attacks to the list
of blocked hosts.
If this mode is selected, Kaspersky Embedded Systems Security scans inbound network tra ic for
activity that is typical of network attacks, logs events about detected activity, and adds IP addresses
of hosts showing activity typical of network attacks to the list of blocked hosts.
The mode is selected by default.
You can view the list of blocked hosts in the Blocked Hosts storage.

You can restore access to blocked hosts, and specify the number of days, hours and minutes after
which hosts regain access to network le resources after being blocked by con guring the Blocked
Hosts storage settings.

7. Select or clear the Don't stop tra ic analysis when the task is not running check box.

8. Click OK.

Adding exclusions
292
To add exclusions for Network Threat Protection task, take the following steps:

1. Expand the Managed devices node in the Kaspersky Security Center Administration Console tree.

2. Select the administration group for which you want to con gure application settings.

3. Perform one of the following actions in the details pane of the selected administration group:

To con gure application settings for a group of protected devices, select the Policies tab and open the
Properties: <Policy name> window.

To con gure the application for a single protected device, select the Devices tab and open the Application
settings window.

If an active Kaspersky Security Center policy is applied to a device and blocks changes to application
settings, then these settings cannot be edited in the Application settings window.

4. In the Real-Time Computer Protection section, click the Settings button in the Network Threat Protection
subsection.
The Network Threat Protection window opens.

5. On the Exclusions tab, select the Do not control excluded IP-addresses check box.

6. Specify the IP address and click Add button.

7. Click OK.

Con guring the Network Threat Protection task via the Web Plug-in
In this section, learn how to manage the Network Threat Protection task via the Web Plug-in interface.

General task settings

To con gure the general task settings:

1. In the main window of the Web Console, select Devices → Policies & pro les.

2. Click the policy name you want to con gure.

3. In the <Policy name> window that opens select the Application settings tab.

4. Select the Real-time computer protection section.

5. Click Settings in the Network Threat Protection subsection.

293
6. Open the General tab.

7. In the Processing mode section select the processing mode:

Pass-through .

Only inform about network attacks .

Block connections when attack is detected .

The check box enables or disables adding hosts showing activity typical of network attacks to the list
of blocked hosts.
If this mode is selected, Kaspersky Embedded Systems Security scans inbound network tra ic for
activity that is typical of network attacks, logs events about detected activity, and adds IP addresses
of hosts showing activity typical of network attacks to the list of blocked hosts.
The mode is selected by default.
You can view the list of blocked hosts in the Blocked Hosts storage.

You can restore access to blocked hosts, and specify the number of days, hours and minutes after
which hosts regain access to network le resources after being blocked by con guring the Blocked
Hosts storage settings.

8. Select or clear the Don't stop tra ic analysis when the task is not running check box.

9. Click OK.

Adding exclusions
To add exclusions for Network Threat Protection task, take the following steps:

1. In the main window of the Web Console, select Devices → Policies & pro les.

294
2. Click the policy name you want to con gure.

3. In the <Policy name> window that opens select the Application settings tab.

4. Select the Real-time computer protection section.

5. Click Settings in the Network Threat Protection subsection.

6. On the Exclusions tab, select the Do not control excluded IP-addresses check box.

7. Specify the IP address and click Add button.

8. Click OK.

295
Applications Launch Control
This section contains information about the Applications Launch Control task and how to con gure it.

About the Applications Launch Control task

When running the Applications Launch Control task, Kaspersky Embedded Systems Security monitors user's
attempts to start applications and allows or denies start of these applications. The Applications Launch Control
task relies on the Default Deny principle, which means that any applications that are not allowed in the task
settings will be blocked automatically.

You can allow applications to start using one of the following methods:

Set allowing rules for trusted applications.

Check trusted applications reputation in KSN on launch.

The task gives top priority to denying the start of applications. For example, if an application is prevented from
starting by one of the blocking rules, the application start will be denied regardless of the trusted conclusion for
KSN. At that, if the application is not trusted by the KSN services but is included in the scope of an allowing rule,
the application start will be denied.

All attempts to start applications are recorded in the task log.

The Applications Launch Control task can operate in one of two modes:

Active. Kaspersky Embedded Systems Security uses a set of rules to control the start of applications that fall
within the scope of the Applications Launch Control rules. The scope of the Applications Launch Control rules
is speci ed in the settings of this task. If an application falls within the scope of the Applications Launch
Control rules, and the task settings do not satisfy any speci ed rule, the application launch will be denied.
Launches of applications that do not fall within the scope of any rule speci ed in the Applications Launch
Control task settings are denied regardless of the Applications Launch Control task settings.

The Applications Launch Control task cannot be started in Active mode if no rules have been created or
if there are more than 65,535 rules for one protected device.

Statistics only. Kaspersky Embedded Systems Security does not use Applications Launch Control rules to
allow or deny the start of applications. Instead, it only records information about application starts, rules
satis ed by running applications, and actions that would have been performed if the task was running in Active
mode. All applications are allowed to start. This mode is set by default.
You can use this mode to create Applications Launch Control rules based on information recorded in the task
log.

You can con gure the Applications Launch Control task according to one of the following scenarios:

Advanced rule con guration and usage for Application Launch Control.

Basic rules con guration and KSN usage for Application Launch Control.

296
If operating system les fall within the scope of the Applications Launch Control task, we recommend that
when creating Applications Launch Control rules you make sure that such applications are allowed by the
newly created rules. Otherwise, the operating system may fail to start.

Kaspersky Embedded Systems Security also intercepts processes launched under the Windows Subsystem for
Linux (except for scripts run from the UNIX™ shell, or command line interpreters). For such processes, the
Applications Launch Control task applies the action de ned by the current con guration. The Rule Generator for
Applications Launch Control task detects application launches and generates corresponding rules for applications
running under the Windows Subsystem for Linux.

About Applications Launch Control rules

How Applications Launch Control rules work

The operation of Applications Launch Control rules is based on the following components:

Type of rule.
Applications Launch Control rules can allow or deny the start of application. Accordingly, they are called
allowing or denying rules. To create a list of allowing rules for Applications Launch Control, you can use the Rule
Generator for generating allowing rules or use the Applications Launch Control task in Statistics only mode.
You can also add allowing rules manually.

User and / or user group.

Applications Launch Control rules can control the start of speci ed applications by a user and / or user group.

Rule usage scope.

Applications Launch Control rules can be applied to executable les, scripts, and MSI packages.

Rule-triggering criterion.
Applications Launch Control rules control the launch of les that satisfy one of the criteria speci ed in the rule
settings: signed by the speci ed digital certi cate, matching the speci ed SHA256 hash, or located at the
speci ed path.
If Digital certi cate is set as the rule-triggering criterion, the created rule controls the start of all trusted
applications in the operating system. You can set stricter conditions for this criterion by selecting the following
check boxes:

Use subject

Use thumb

Thumbprints allow for the most restrictive triggering of application start rules based on a digital certi cate,
because a thumbprint uniquely identi es a digital certi cate and cannot be forged, unlike the subject of a
digital certi cate.

You can specify exclusions for Applications Launch Control rules. Exclusions to Applications Launch Control rules
are based on the same criteria used to trigger rules: digital certi cate, SHA256 hash, and le path. Exclusions to
Applications Launch Control rules may be required for certain allowing rules: for example, if you want to allow users
to start applications from the C:\Windows path, while blocking launch of the Regedit.exe le.

297
If operating system les fall within the scope of the Applications Launch Control task, we recommend that
when creating Applications Launch Control rules you make sure that such applications are allowed by the
newly created rules. Otherwise, the operating system may fail to start.

Managing Applications Launch Control rules

You can perform the following actions with Applications Launch Control rules:

Add rules manually.

Generate and add rules automatically.

Remove rules.

Export rules to le.

Check selected les for rules that allow execution of these les.

Filter the rules in the list according to speci ed criterion.

About Software Distribution Control

Generating Applications Launch Control rules can be complicated if you also need to control software distribution
on a protected device, for example, on protected devices where installed software is periodically automatically
updated. In this case, the list of allowing rules must be updated after each software update for newly created les
to be considered in the Applications Launch Control task settings. To simplify launch control in software
distribution scenarios, you can use the Software Distribution Control subsystem.

A software distribution package (hereinafter referred to as “package”) represents a software application to be

installed on a protected device. Each package contains at least one application and may also contain individual
les, updates, or even an individual command, in addition to applications, particularly when you are installing a
software application or update.

The Software Distribution Control subsystem is implemented as an additional list of exclusions. When you add a
software distribution package to this list, the application allows these trusted packages to be decompressed and
allows software installed or modi ed by a trusted package to be started automatically. The extracted les can
inherit the trusted attribute of the primary distribution package. A primary distribution package is a package that
has been added to the list of Software Distribution Control exclusions by a user and has become a trusted
package.

Kaspersky Embedded Systems Security controls only full software distribution cycles. The application cannot
correctly process the launch of les modi ed by a trusted package if, when the package is started for the rst
time, software distribution control is turned o or the Application Launch Control component is not installed.

Software distribution control is not available if the Apply rules to executable les check box is cleared in the
Applications Launch Control task settings.

298
Software distribution cache

Kaspersky Embedded Systems Security uses a dynamically generated software distribution cache (“distribution
cache”) to establishes the relationship between trusted packages and les created during software distribution.
When a package is rst started, Kaspersky Embedded Systems Security detects all les created by the package
during the software distribution process and stores le checksums and paths in the distribution cache. Then all
les in the distribution cache are allowed to start by default.

You cannot review, clear or manually modify the distribution cache via the user interface. The cache is populated
and controlled by Kaspersky Embedded Systems Security.

You can export the distribution cache to a con guration le (XML format) and clear the cache using command line
options.

To export the distribution cache to a con guration le, execute the following command:

kavshell appcontrol /config /savetofile:<full path> /sdc

To clear the distribution cache, execute the following command:

kavshell appcontrol /config /clearsdc

Kaspersky Embedded Systems Security updates the distribution cache every 24 hours. If the checksum of a
previously allowed le is changed, the application deletes the record for this le from the distribution cache. If the
Applications Launch Control task is started in Active mode, subsequent attempts to start this le will be blocked.
If the full path to the previously allowed le is changed, subsequent attempts to start this le will not be blocked,
because the checksum is stored within the distribution cache.

Processing the extracted les

All les extracted from a trusted package inherit the trusted attribute upon rst launch of the package. If you
clear the check box after rst launch, all les extracted from the package will retain the inherited attribute. To
reset the inherited attribute on all extracted les, you need to clear the distribution cache and clear the Allow
the further distribution of programs created from this distribution package check box before starting the
trusted distribution package again.

Extracted les and packages created by a trusted primary distribution package inherit the trusted attribute when
their checksums are added to the distribution cache when the software distribution package in the exclusion list is
opened for the rst time. Hence, the distribution package itself and all les extracted from this package will also be
trusted. By default, the number of levels of inheritance of the trusted attribute is unlimited.

Extracted les will retain the trusted attribute after the operating system restarts.

The processing of les is con gured in the Software Distribution Control settings by selecting or clearing the
Allow the further distribution of programs created from this distribution package check box.

For example, suppose you add a test.msi package containing several other packages and applications to the
exclusions list and select the check box. In this case, all packages and applications contained in the test.msi
package are allowed to run or be extracted if they contain other les. This scenario works for extracted les on all
nested levels.

299
If you add a test.msi package to the exclusions list and clear the Allow the further distribution of programs
created from this distribution package check box, the application will assign the trusted attribute only to the
packages and executable les extracted directly from the primary trusted package (on the rst level of nesting).
The checksums of such les are stored in the distribution cache. All les on the second level of nesting and beyond
will be blocked by the Default Deny principle.

Working with the Applications Launch Control rule list

The list of trusted packages of software distribution control subsystem is a list of exclusions, which ampli es, but
does not replace the general list of applications launch control rules.

Denying applications launch control rules have the highest priority: trusted package decompression and start of
new or modi ed les will be blocked, if these packages and les are a ected by the applications launch control
denying rules.

Software distribution control exclusions are applied both for trusted packages and les created or modi ed by
these packages, if no denying rules in the applications launch control list are applied for those packages and les.

Using KSN conclusions

KSN conclusions that a le is untrusted have a higher priority than the software distribution control exclusions:
decompression of trusted packages and start of les created or modi ed by these packages will be blocked if KSN
reports that these les are untrusted.

At that, after unpacking from a trusted package, all child les will be allowed to run regardless of KSN usage within
the Applications Launch Control scope. At that, states of Deny applications untrusted by KSN and Allow
applications trusted by KSN check boxes do not a ect the operation of the Allow the further distribution of
programs created from this distribution package check box.

About KSN usage for the Applications Launch Control task

To start the KSN Usage task, you must accept the KSN Statement.

If KSN data about an application’s reputation is used by the Applications Launch Control task, the KSN application
reputation is considered a criterion for allowing or denying launch of that application. If KSN reports to Kaspersky
Embedded Systems Security that an application is untrusted when the user attempts to launch the application,
the application launch is denied. If KSN reports to Kaspersky Embedded Systems Security that the application is
trusted when the user attempts to launch the application, the application launch is allowed. KSN can be used along
with Applications Launch Control rules or as an independent criterion for denying launch of applications.

Using KSN conclusions as independent criterion for denying application launch

This scenario lets you securely control application launches on a protected device without requiring advanced
con guration of the rule list.

You can apply KSN conclusions to Kaspersky Embedded Systems Security together with the only speci ed rule.
The application will only allow the start of applications that are trusted in KSN or are allowed by a speci ed rule.

For such a scenario, we recommend that you set a rule allowing start of the application based on a digital
certi cate.

300
All other applications are denied in accordance with the Default Deny policy. Using KSN when no rules are applied
protects a device from applications that KSN considers to be a threat.

Using KSN conclusions simultaneously with Applications Launch Control rules

When using KSN conclusions simultaneously with Applications Launch Control rules, the following conditions apply:

Kaspersky Embedded Systems Security always denies launch of an application if it is included in the scope of at
least one denying rule. If the application is considered trusted by KSN, the corresponding conclusion has a lower
priority and is not considered; the application launch will still be denied. This lets you expand the list of blocked
applications.

Kaspersky Embedded Systems Security always denies the launch of an application if the launch of applications
not trusted in KSN is prohibited and the application is not trusted in KSN. If an allowing rule is set for the
application, it has a lower priority and is not considered; the application launch will still be denied. This protects
the device from applications that KSN considers to be a threat but were not considered during initial
con guration of the rules.

About Applications Launch Control rules generation

You can create lists of Applications Launch Control rules using Kaspersky Security Center tasks and policies
simultaneously for all protected devices and groups of protected devices on the corporate network. The scenarios
listed below are recommended if the corporate network does not have a reference machine and you are unable to
create a list of allowing rules based on applications installed on the template machine.

You can run the Rule Generator for Applications Launch Control task locally via the Application Console to
create a list of rules based on the applications running on a single protected device.

The Applications Launch Control component is installed with two preset allowing rules:

Allowing rule for scripts and Windows Installer packages with a certi cate trusted by the operating system.

Allowing rule for executable les with a certi cate trusted by the operating system.

You can create lists of Applications Launch Control rules on the side of Kaspersky Security Center in one of the
following ways:

Using a Rule Generator for Applications Launch Control group task.

Under this scenario, a group task generates its own list of Applications Launch Control rules for each protected
device on the network and saves those lists to an XML le in the speci ed shared folder. The XML le
generated by the Rule Generator for Applications Launch Control task contains the allowing rules speci ed in
task settings before the task starts.No rules will be created for applications that are not allowed to start in the
speci ed task settings. The start of such applications is denied by default. You can then manually import the
created list of rules into the Applications Launch Control task for the Kaspersky Security Center policy.
You can con gure the generated rules to be automatically imported into the list of rules for the Applications
Launch Control task.
This scenario is recommended when you need to quickly create lists of Applications Launch Control rules. We
recommend that you con gure the scheduled launch of the Rule Generator for Applications Launch Control
task only if the applied allowing rules include folders and les you know to be safe.

301
Before using the Applications Launch Control task in the network, make sure that all protected devices
have access to a shared folder. If the organization's policy does not provide for the use of a shared folder
in the network, we recommend that you start the Rule Generator for Applications Launch Control task on
a protected device in the test protected devices group or on a template machine.

Based on a report of task events generated in Kaspersky Security Center by the Applications Launch Control
task running in Statistics only mode.
Under this scenario, Kaspersky Embedded Systems Security does not deny the launch of applications. Instead,
with Applications Launch Control running in the Statistics only mode, it reports all allowed and denied
application launches across all network protected devices in the Events tab of the Administration Server
node's workspace in the Kaspersky Security Center. Kaspersky Security Center uses the reports to generate a
single list of events in which application launches were denied.
You need to con gure the task execution period so that all possible scenarios involving the protected devices
and protected device groups, and at least one protected device restart are performed during the speci ed
time period. After the end of the task execution period, you can import application launch data from the saved
Kaspersky Security Center event report (TXT format) and generate Applications Launch Control allowing rules
for such applications based on this data.
This scenario is recommended if a corporate network includes a large number of protected devices of di erent
type (with a di erent software installed).

Based on denied application launch events received through Kaspersky Security Center, without creating and
importing a con guration le.
To use this feature, the Applications Launch Control task on the protected device must be running under an
active Kaspersky Security Center policy. In this case, all events on the protected device are sent to the
Administration Server.

We recommend that you update the list of rules when the set of applications installed on network protected
devices changes (for example, when updates are installed or operating systems are reinstalled). We recommend
that you generate an updated list of rules by running the Rule Generator for Applications Launch Control task or
the Applications Launch Control task in Statistics only mode on protected devices in the test administration
group. The test administration group includes the protected devices required to test the launch of new
applications before they are installed on network protected devices.

XML les containing lists of allowing rules are created based on an analysis of tasks started on the protected
device. To account for all applications used on the network when generating lists of rules you are advised to
start the Rule Generator for Applications Launch Control task and the Applications Launch Control task in
Statistics only mode on a template machine.

Before generating allowing rules based on the applications launched on a reference machine, make sure that
the template machine is secure and there is no malware on it.

Before adding allowing rules, select one of the available rule application modes. The list of Kaspersky Security
Center policy rules displays only rules speci ed by the policy, regardless of the rule application mode. The local
rule list includes all applied rules — both local rules and rules added through a policy.

Default Applications Launch Control task settings

302
By default, the Applications Launch Control task has the settings described in the table below. You can change the
values of these settings.

Default Applications Launch Control task settings

Setting Default value Description

Task mode Statistics only. The task records You can select Active mode after the nal
denied launch events and allowed list of rules is generated.
launch events based on the set
rules. Application launch is not
actually denied.

Repeat action taken Not applied You can repeat actions taken for the rst
for the rst le le launch on all the subsequent launches
launch on all the for this le.
subsequent launches
for this le

Deny the command Not applied. You can deny launch of command
interpreters launch interpreters with no command to execute.
with no command to
execute

Rules managing Add policy rules to the local rules You can select a mode in which rules
speci ed in a policy are applied together
with the rules on the protected device.

Rule usage scope The task controls the launch of You can specify the le types for which
executable les, scripts, and MSI launch is controlled by rules.
packages.The task also monitors
loading of DLL modules.

KSN Usage KSN application reputation data is You can use KSN application reputation
not used. data when running the Applications Launch
Control task.

Automatically allow Not applied. You can allow software distribution using
software distribution the installers and applications speci ed in
via applications and the settings. By default, software
packages listed distribution is only allowed using the
Windows Installer service.

Always allow Applied (can be changed only when You can allow any software installation or
software distribution the Automatically allow software update if the operations are performed via
via Windows Installer distribution via applications and Windows Installer.
packages listed setting is enabled).

Always allow Not applied (can be changed only You can turn on or o automatic software
software distribution when the Automatically allow distribution using the System Center
via SCCM using the software distribution via Con guration Manager.
Background applications and packages listed
Intelligent Transfer setting is enabled).
Service

Task start First run is not scheduled. The Applications Launch Control task does
not start automatically at start of
Kaspersky Embedded Systems Security.
You can start the task manually or con gure
a scheduled start.

Rule Generator for Applications Launch Control task default settings

Setting Default Value Description

303
Pre x for Identical to the name of the You can change the pre x for names of allowing rules.
allowing protected device on which
rules names Kaspersky Embedded Systems
Security is installed.

Allowing The scope of allowing rules You can change the protection scope by adding or
rules usage includes the following le removing folder paths and specifying the types of les
scope categories by default: that will be allowed to launch by the automatically
generated rules. You can also ignore running applications
Files with the EXE extension
when creating allowing rules.
located in the folders
C:\Windows, C:\Program Files
(x86) and C:\Program Files

MSI packages stored in the

C:\Windows folder

Scripts stored in the

C:\Windows folder
The task also creates rules for
all running applications,
regardless of their location
and format.

Criteria for The digital certi cate subject and You can use the SHA256 hash when generating allowing
generation thumbprint are used; rules are rules.
of allowing generated for all users and
You can select a user and group of users for which
rules groups of users.
allowing rules need to be automatically generated.

Actions Allowing rules are added to the You can add rules to the existing rules without merging
upon task list of Applications Launch them and without deleting duplicate rules, or replace
completion Control rules; new rules are existing rules with the new allowing rules, or con gure
merged with existing rules; export of the allowing rules to a le.
duplicate rules are removed.

Task launch The task is started under a You can allow the Rule Generator for Applications Launch
settings system account. Control task to start under a system account or using
with the permissions of a speci ed user.
permissions

Task start First run is not scheduled. The Rule Generator for Applications Launch Control task
schedule does not start automatically when Kaspersky Embedded
Systems Security starts. You can start the task manually
or con gure a scheduled start.

Managing Applications Launch Control via the Administration Plug-in

In this section, learn how to navigate the Administration Plug-In interface and con gure task settings for one or all
protected devices on the network.

Navigation
Learn how to navigate to the required task settings via the chosen interface.

304
Opening policy settings for the Applications Launch Control task
To open the Applications Launch Control task settings via the Kaspersky Security Center policy:

1. Expand the Managed devices node in the Kaspersky Security Center Administration Console tree.

2. Select the administration group for which you want to con gure the task.

3. Select the Policies tab.

4. Double-click the policy name you want to con gure.

5. In the Properties: <Policy name> window that opens, select the Local activity control section.

6. Click the Settings button in the Applications Launch Control subsection.

The Applications Launch Control window opens.

Con gure the policy as required.

Opening the Applications Launch Control rules list

To open the Applications Launch Control rules list via the Kaspersky Security Center:

1. Expand the Managed devices node in the Kaspersky Security Center Administration Console tree.

2. Select the administration group for which you want to con gure the task.

3. Select the Policies tab.

4. Double-click the policy name you want to con gure.

5. In the Properties: <Policy name> window that opens, select the Local activity control section.

6. Click the Settings button in the Applications Launch Control subsection.

The Applications Launch Control window opens.

7. On the General tab, click the Rules list button.

The Applications Launch Control rules window opens.

Con gure the rules list as required.

Opening the Rule Generator for Applications Launch Control task wizard
and properties
To start creating a Rule Generator for Applications Launch Control task:

1. Expand the Managed devices node in the Kaspersky Security Center Administration Console tree.
305
2. Select the administration group for which you want to con gure the task.

3. Select the Tasks tab.

4. Click Create a task button.

The New Task Wizard window opens.

5. Select the Rule Generator for Applications Launch Control task.

6. Click Next.
The Settings window opens.

To con gure the existing Rule Generator for Applications Launch Control task:

1. Expand the Managed devices node in the Kaspersky Security Center Administration Console tree.

2. Select the administration group for which you want to con gure the task.

3. Select the Tasks tab.

4. Double-click the task name in the list of Kaspersky Security Center tasks.
The Properties: Rule Generator for Applications Launch Control window opens.

See the Con guring the Rule Generator for Applications Launch Control task section for details on con guring
the task.

Con guring Applications Launch Control task settings

To con gure general Applications Launch Control task settings:

1. Open the Applications Launch Control window.

2. On the General tab, select the following settings in the Task mode section:

In the Task mode drop-down list, specify the task mode.

Clear or select the Repeat action taken for the rst le launch on all the subsequent launches for this
le check box.

Clear or select the Deny the command interpreters launch with no command to execute check box.

3. In the Rules managing section, con gure settings for applying rules:

a. Click the Rules list button to add allowing rules for the Applications Launch Control task.

Kaspersky Embedded Systems Security does not recognize paths that contain slashes ("/"). Use
backslash ("\") to enter the path correctly.

b. Select the mode for applying rules:

Replace local rules with policy rules.

306
The application applies the rule list speci ed in the policy for centralized application launch control on a
group of protected devices. Local rule lists cannot be created, edited, or applied.

Add policy rules to the local rules.

The application applies the rule list speci ed in a policy together with local rule lists. You can edit the local
rule lists using the Rule Generator for Applications Launch Control task.

4. In the Rule usage scope section, specify the following settings:

Apply rules to executable les .

Monitor loading of DLL modules .

Controlling loading of DLL modules may a ect the performance of the operating system.

Apply rules to scripts and MSI packages .

5. In the KSN Usage group box, con gure the following application launch settings:

Deny applications untrusted by KSN .

Allow applications trusted by KSN .

Users and / or user groups allowed to launch applications trusted in KSN.

6. On the Software Distribution Control tab, con gure the settings for software distribution control.

7. On the Task management tab, con gure the scheduled task start settings.

8. Click OK in the Applications Launch Control window.

Kaspersky Embedded Systems Security immediately applies the new settings to the running task. Information
about the date and time when the settings were modi ed, and the values of task settings before and after
modi cation, are saved in the system audit log.

Con guring Software Distribution Control

To add a trusted distribution package:

1. Open the Applications Launch Control window.

2. On the Software Distribution Control tab, select the Automatically allow software distribution via applications
and packages listed check box.

You can select the Automatically allow software distribution via applications and packages listed, if the
Apply rules to executable les check box in the General tab is selected in the Applications Launch
Control task settings.

3. Clear the Always allow software distribution via Windows Installer check box if required.

307
Clearing the Always allow software distribution via Windows Installer check box is only recommended if
it is absolutely necessary. Turning o this function may cause issues with updating operating system les
and also prevent the launch of les extracted from a distribution package.

4. If required, select the Always allow software distribution via SCCM using the Background Intelligent
Transfer Service check box.

The application controls the software distribution cycle on the protected device — from package delivery
to installation or update. The application does not control processes if any stage of distribution was
performed before installation of the application on the protected device.

5. To edit the list of trusted distribution packages, click Change packages list and select one of the following
methods in the window that opens:

Add one distribution package.

a. Click the Browse button.

b. Select the executable le or distribution package.

The Trusting criteria section is automatically populated with data about the selected le.

c. Clear or select the Allow the further distribution of programs created from this distribution package
check box.

d. Select one of two available options for criteria to use to determine whether a le or distribution package
is trusted:

Use digital certi cate

Use SHA256 hash

Add several packages by hash.

You can select an unlimited number of executable les and distribution packages, and add them to the
list all at the same time. Kaspersky Embedded Systems Security examines the hash and allows the
operating system to launch the speci ed les.

Change selected package.

Use this option to select a di erent executable le or distribution package, or to change the trust criteria.

Import distribution packages list from le .

In the Open window, specify the con guration le containing a list of trusted distribution packages.

6. If you want to remove a previously added application or distribution package for the trusted list, click the
Delete distribution packages button. Extracted les will be allowed to run.

To prevent extracted les from starting, uninstall the application on the protected device or create a
denying rule in the Applications Launch Control task settings.

7. Click OK.
308
Your newly con gured settings are saved.

Con guring the Rule Generator for Applications Launch Control task
To con gure the Rule Generator for Applications Launch Control task:

1. Open the Properties: Rule Generator for Applications Launch Control window.

2. In the Noti cation section, con gure the task event noti cation settings.

For detailed information regarding con guring settings in this section, see the Kaspersky Security Center
Help.

3. In the Settings section, you can con gure the following settings:

Add pre x for rule names.

Select how to create allowing rules:

Create allowing rules based on running applications

Create allowing rules for applications from the folders

4. In the Options section, you can specify actions to perform while creating allowing rules for applications launch
control:

Use digital certi cate

Use digital certi cate subject and thumbprint

If the certi cate is missing, use

SHA256 hash. The checksum of the le used to generate the rule is set as a criterion for triggering the
allowing rule for Applications Launch Control. The application will allow start of programs launched using
les with the speci ed checksum.

path to le. The path to the le used to generate the rule is set as a criterion for triggering the allowing
rule for Applications Launch Control. The application will now allow start of programs launched using les
located in the folders speci ed in the Create allowing rules for applications from the folders table in
the Settings section.

Use SHA256 hash

Generate rules for user or group of users .

You can con gure settings for con guration les with allowing rules lists that Kaspersky Embedded Systems
Security creates upon the task completion.

5. Con gure the task schedule in the Schedule section (you can con gure a schedule for all task types except
Rollback of Database Update).

6. In the Account section, specify the account whose rights will be used to run the task.

309
7. If required, specify the objects to exclude from the task scope in the Exclusions from task scope section.

For detailed information on con guring settings in these sections, see Kaspersky Security Center Help.

8. In the Properties: <Task name> window, click OK.

The newly con gured group task settings are saved.

Con guring Applications Launch Control rules via the Kaspersky Security
Center
Learn how to generate a list of rules based on various criteria or manually create allowing or denying rules using the
Application Launch Control task.

Adding an Applications Launch Control rule

To add an Applications Launch Control rule:

1. Open the Applications Launch Control rules window.

2. Click the Add button.

3. In the context menu of the button, select Add one rule.

The Rule settings window opens.

4. Specify the following settings:

a. In the Name eld, enter the name of the rule.

b. In the Type drop-down list, select the rule type:

Allowing if you want the rule to allow launch of applications in accordance with the criteria speci ed in
the rule settings.

Denying if you want the rule to block launch of applications in accordance with the criteria speci ed in
the rule settings.

c. In the Scope drop-down list, select the type of les whose execution will be controlled by the rule:

Executable les if you want the rule to control launch of executable les.

Scripts and MSI packages if you want the rule to control launch of scripts and MSI packages.

d. In the User or user group eld, specify the users who will be allowed or not allowed to start programs based
on the type of rule. To do this, perform the following actions:

1. Click the Browse button.

2. The standard Microsoft Windows Select user or groups window opens.

310
3. Specify the list of users and/or user groups.

4. Click OK.

e. If you want to take the values of the rule-triggering criteria listed in the Rule triggering criterion section
from a speci c le:

1. Click the Set rule triggering criterion from le properties button.

The standard Microsoft Windows Open window opens.

2. Select the le.

3. Click the Open button.

The criteria values in the le are displayed in the elds in the Rule triggering criterion group box. The
criterion for which data are available in the le properties is selected by default.

f. In the Rule triggering criterion group box, select one of the following options:

Digital certi cate if you want the rule to control the start of applications launched using les signed with
a digital certi cate:

Select the Use subject check box if you want the rule to control the launch of les signed with a
digital certi cate only with the speci ed header.

Select the Use thumb check box if you want the rule to only control the launch of les signed with a
digital certi cate with the speci ed thumbprint.

SHA256 hash if you want the rule to control the start of programs launched using les whose checksum
matches the one speci ed.

Path to le if you want the rule to control the start of programs launched using les located at the
speci ed path.

Kaspersky Embedded Systems Security does not recognize paths that contain slashes ("/"). Use
backslash ("\") to enter the path correctly.

When specifying the objects, you can use le masks (via ? and * characters) and the following types
of environment variables: %WINDIR%, %SYSTEM32%, %OSDRIVE%, %PROGRAMFILES%.

g. If you want to add rule exclusions:

1. In the Exclusions from rule section, click the Add button.

The Exclusion from rule window opens.

2. In the Name eld, enter the name of the exclusion.

3. Specify the settings for exclusion of application les from the Applications Launch Control rule. You can
ll out the settings elds from the le properties by clicking the Set exclusion based on le properties
button.

Digital certi cate

Use subject
311
Use thumb

SHA256 hash

Path to le

4. Click OK.

5. If necessary, repeat steps (i)-(iv) to add additional exclusions.

5. Click OK in the Rule settings window.

The created rule is displayed in the list in the Applications Launch Control rules window.

Enabling the Default Allow mode

Default Allow mode allows all applications to start if they are not blocked by rules or by a conclusion from KSN that
they are not trusted. Default Allow mode can be enabled by adding speci c allowing rules. You can enable Default
Allow for only scripts or for all executable les.

To add a Default Allow rule:

1. Open the Applications Launch Control rules window.

2. Click the Add button and, in the button’s context menu, select Add one rule.
The Rule settings window opens.

3. In the Name eld, enter the name of the rule.

4. In the Type drop-down list, select the Allowing rule type.

5. In the Scope drop-down list, select the type of les whose execution will be controlled by the rule:

Executable les if you want the rule to control the launch of executable les.

Scripts and MSI packages if you want the rule to control the launch of scripts and MSI packages.

6. In the Rule triggering criterion group box, select the Path to le option.

7. Enter the following mask: ?:\

8. Click OK in the Rule settings window.

Kaspersky Embedded Systems Security applies the Default Allow mode.

Creating allowing rules from Kaspersky Security Center events

To generate allowing rules for applications from Kaspersky Security Center events in Applications Launch Control:

1. Open the Applications Launch Control rules window.

312
2. Click the Add button and, in the button’s context menu, select Create allowing rules for applications from
Kaspersky Security Center events.

3. Select the principle for adding the rules to the list of previously created Application Launch Control rules:

Add to existing rules if you want to add the imported rules to the list of existing rules. Rules with identical
settings are duplicated.

Replace existing rules if you want to replace the existing rules with the imported rules.

Merge with existing rules if you want to add the imported rules to the list of existing rules. Rules with
identical settings are not added; the rule is added if at least one rule parameter is unique.

The Applications launch control rules generation window opens.

4. Select the types of events that you want the rule generation task to use:

Statistics only mode: application launch denied.

Application launch denied.

5. Select the time period from the Request events that were generated within the period drop-down list.

6. Select or clear the Prioritize the use of hash when generating rules check box.

If the check box is selected, Kaspersky Embedded Systems Security uses the checksum of the le to
generate the rule when both the checksum and the certi cate of the le are available.

If the check box is cleared, Kaspersky Embedded Systems Security uses the digital certi cate of the le to
generate the rule when both the checksum and the certi cate of the le are available.

7. Click the Generate rules button.

8. Click the Save button in the Applications Launch Control rules window.
The rule list in the Applications Launch Control task will be populated with new rules generated based on
system data from the protected device with the Kaspersky Security Center Administration Console installed.

If the list of Application Launch Control rules is already speci ed in the policy, Kaspersky Embedded
Systems Security adds the selected rules from the blocking events to the already speci ed rules. Rules
with the same hash are not added, because all rules in the list must be unique.

Importing rules from a Kaspersky Security Center report on blocked

applications
You can import data on blocked application launches from a report generated in Kaspersky Security Center after
the Applications Launch Control task is run in Statistics only mode and use this data to generate a list of
Applications Launch Control allowing rules in the policy being con gured.

When generating a report on events occurring during the Applications Launch Control task, you can keep track of
the applications whose launch is blocked.

313
When importing data from a report on blocked applications into policy settings, make sure that the list you are
using contains only applications whose launch you want to allow.

To specify Applications Launch Control allowing rules for a group of protected devices based on a blocked
applications report from Kaspersky Security Center:

1. Open the Applications Launch Control window.

2. In the Task mode section, select Statistics only mode.

3. In the policy properties in the Event noti cation section, make sure that:

For Critical Events, the task log retention period for Application launch denied events exceeds the
planned period for running the task in Statistics only mode (the default value is 30 days).

For events with an importance level of Warning, the task log retention period for Statistics only mode:
application launch denied events exceeds the planned period for running the task in Statistics only mode
(the default value is 30 days).

When the retention period for events elapses, information about the logged events is deleted and is
not re ected in the report le. Before running the Applications Launch Control task in Statistics only
mode, make sure that the task run time does not exceed the con gured period for the speci ed events.

4. When the task has nished, export the logged events to a TXT le:

a. In the workspace of the Administration Server node in Kaspersky Security Center, select the Events tab.

b. Click the Create a selection button to create a selection of events based on the Blocked criterion to view
the applications whose start will be blocked by the Applications Launch Control task.

c. In the results pane of the selection, click Export events to le to save the blocked application starts report
to a TXT le.

Before importing and applying the generated report in a policy, make sure that the report only contains
data on the applications whose start you want to allow.

5. Import data on blocked application starts into the Applications Launch Control task. To do so, in the policy
properties in the Applications Launch Control task settings:

a. On the General tab, click the Rules list button.

The Applications Launch Control rules window opens.

b. Click the Add button and, in the button’s context menu, select Import data of blocked applications from
Kaspersky Security Center report.

c. Select the principle for adding rules from the list created based on a Kaspersky Security Center report to
the list of previously con gured Applications Launch Control rules:

Add to existing rules if you want to add the imported rules to the list of existing rules. Rules with
identical settings are duplicated.

Replace existing rules if you want to replace the existing rules with the imported rules.
314
Merge with existing rules if you want to add the imported rules to the list of existing rules. Rules with
identical settings are not added; the rule is added if at least one rule parameter is unique.

d. In the standard Microsoft Windows window that opens, select the TXT le to which events from the blocked
application launch report have been exported.

e. Click Save in the Applications Launch Control rules window.

Rules created based on the Kaspersky Security Center report on blocked applications are added to the list of
Applications Launch Control rules.

Importing Applications Launch Control rules from an XML le

You can import reports generated by the Rule Generator for Applications Launch Control group task and apply
them as a list of allowing rules in the policy you are con guring.

When the Rule Generator for Applications Launch Control group task nishes, the application exports the created
allowing rules into XML les saved in the speci ed shared folder. Each le with a rule list is created by analyzing les
executed and applications launched on each separate protected device on the corporate network. The lists
contain allowing rules for les and applications whose type matches the type speci ed in the Rule Generator for
Applications Launch Control group task.

To specify Applications Launch Control allowing rules for a group of protected devices based on an automatically
generated list of allowing rules:

1. On the Tasks tab in the detail pane of the group of protected devices you are con guring, create a Rule
Generator for Applications Launch Control group task or select an existing task.

2. In the properties of the created Rule Generator for Applications Launch Control group task or in the task
wizard, specify the following settings:

In the Noti cation section, con gure the settings for saving the task execution report.

For detailed instructions on con guring settings in this section, see the Kaspersky Security Center
Help.

In the Settings section, specify the types of applications whose start will be allowed by the rules that are
created. You can edit the set of folders containing allowed applications: exclude default folders from the
task scope or add new folders manually.

In the Options section, specify the operations to be performed by the task while it is running and after it is
nished. Specify the rule-generating criterion and the name of the le to which the generated rules will be
exported.

In the Schedule section, con gure the task start schedule settings.

In the Account section, specify the user account under which the task will be executed.

In the Exclusions from task scope section, specify the groups of protected devices to be excluded from
the task scope.

315
Kaspersky Embedded Systems Security does not create allowing rules for applications launched on
excluded protected devices.

3. On the Tasks tab on the detail pane of the group of protected devices being con gured, in the list of group
tasks select the Rule Generator for Applications Launch Control task that you have created, and click the Start
button to start the task.
When the task is nished, the automatically generated lists of allowing rules are saved in XML les in a shared
folder.

Before using the Applications Launch Control task in the network, make sure that all protected devices
have access to a shared folder. If the organization’s policy does not provide for the use of a shared folder
in the network, we recommend that you start the Rule Generator for Applications Launch Control task on
a protected device in the test protected devices group or on a reference machine.

4. To add the generated lists of allowing rules to the Applications Launch Control task:

a. Open the Applications Launch Control rules window.

b. Click the Add button and in the list that opens select Import rules from XML le.

c. Select the principle for adding the automatically generated allowing rules to the list of previously created
Applications Launch Control rules:

Add to existing rules if you want to add the imported rules to the list of existing rules. Rules with
identical settings are duplicated.

Replace existing rules if you want to replace the existing rules with the imported rules.

Merge with existing rules if you want to add the imported rules to the list of existing rules. Rules with
identical settings are not added; the rule is added if at least one rule parameter is unique.

d. In the standard Microsoft Windows window that opens, select XML les created after completion of the
Rule Generator for Applications Launch Control group task.

e. Click Save in the Applications Launch Control rules window.

5. If you want to apply the created rules to control the launch of application, in the policy in the properties of the
Applications Launch Control task, select the Active mode for the task.

Allowing rules automatically generated based on task runs on each separate protected device are applied to all
network protected devices covered by the policy being con gured. On these protected devices, the application
will allow the launch of only those applications for which allowing rules have been created.

Checking application launches

Before applying the con gured Applications Launch Control rules, you can test any application to determine which
Applications Launch Control rules are triggered by that application.

By default, Kaspersky Embedded Systems Security denies the launch of applications whose launch is not allowed
by a single rule. To avoid the denial of the launch of important applications, you need to create allowing rules for
them.

316
If the launch of an application is controlled by several rules of di erent types, denying rules are given priority: the
launch of an application will be denied if it falls under even one denying rule.

To test Applications Launch Control rules:

1. Open the Applications Launch Control rules window.

2. In the window that opens, click the Show rules for the le button.
The standard Microsoft Windows window opens.

3. Select the le whose start control you want to test.

The path to the speci ed le is displayed in the search eld. The list contains all rules that will be triggered when
the selected le is started.

Creating a Rule Generator for Applications Launch Control task

To create and con gure the Rule Generator for Applications Launch Control task settings:

1. Open the Settings window in the New Task Wizard.

2. Con gure the following:

Specify Pre x for rule names .

Con gure the allowing-rules usage scope.

3. Click Next.

4. Specify the actions that must be performed by Kaspersky Embedded Systems Security:

When generating allowing rules.

Upon task completion.

5. In the Schedule window, set the scheduled task start settings.

6. Click Next.

7. In the Selecting an account to run the task window, specify the account you want to use.

8. Click Next.

9. Specify a task name.

10. Click Next.

The task name should be no longer than 100 characters and cannot contain the following symbols: " * < > & \
:|

The Finish creating the task window opens.

317
11. You can optionally run the task after the Wizard nishes by selecting the Run task after Wizard nishes check
box.

12. Click Finish to nish creating the task.

To con gure an existing rule in Kaspersky Security Center,

open the Properties: Rule Generator for Applications Launch Control window and adjust the settings
described above.

Information about the date and time when the settings were modi ed, and the values of task settings before and
after modi cation, are saved in the system audit log.

Restricting the task usage scope

To restrict the scope of the Rule Generator for Applications Launch Control task:

1. Open the Properties: Rule Generator for Applications Launch Control window.

2. Select how to create allowing rules:

Create allowing rules based on running applications

Create allowing rules for applications from the folders

3. Click OK.

The speci ed settings are saved.

Actions to perform during automatic rule generation

To con gure the actions that Kaspersky Embedded Systems Security while the Rule Generator for Applications
Launch Control task is running:

1. Open the Properties: Rule Generator for Applications Launch Control window.

2. Open the Options tab.

3. In the While generating allowing rules section, con gure the following settings:

Use digital certi cate

Use digital certi cate subject and thumbprint

If the certi cate is missing, use

318
path to le. The path to the le used to generate the rule is set as a criterion for triggering the allowing
rule for Applications Launch Control. The application will now allow start of programs launched using les
located in the folders speci ed in the Create allowing rules for applications from the folders table in
the Settings section.

Use SHA256 hash

Generate rules for user or group of users .

4. Click OK.

The speci ed settings are saved.

Actions to perform upon completion of automatic rule generation

To con gure the actions to be taken by Kaspersky Embedded Systems Security after the Rule Generator for
Applications Launch Control task is nished:

1. Open the Properties: Rule Generator for Applications Launch Control window.

2. Open the Options tab.

3. In the After task completes section, con gure the following settings:

Add allowing rules to the list of Applications Launch Control rules .

Principle of adding .

Export allowing rules to le.

Add protected device details to le name .

4. Click OK.

The speci ed settings are saved.

Managing Applications Launch Control via the Application Console

In this section, you will learn how to navigate the Application Console interface and con gure task settings on a
protected device.

Navigation
Learn how to navigate to the required task settings via the chosen interface.

Opening the Applications Launch Control task settings

To open the Applications Launch Control general task settings via the Application Console:
319
1. In the Application Console tree, expand the Computer Control node.

2. Select the Applications Launch Control child node.

3. In the details pane of the Applications Launch Control child node, click the Properties link.
The Task settings window opens.

Opening the Applications Launch Control rules window

To open the Applications Launch Control rule list via the Application Console:

1. In the Application Console tree, expand the Computer Control node.

2. Select the Applications Launch Control child node.

3. In the results pane of the Applications Launch Control node, click the Applications Launch Control rules link.
The Applications Launch Control rules window opens.

4. Con gure the rules list as required.

Opening the Rule Generator for Applications Launch Control task settings
To con gure the Rule Generator for Applications Launch Control task:

1. In the Application Console tree, expand the Automated rule generators node.

2. Select the Rule Generator for Applications Launch Control child node.

3. In the results pane of the Rule Generator for Applications Launch Control child node, click the Properties link.
The Task settings window opens.

4. Con gure the task as required.

Con guring Applications Launch Control task settings

To con gure general Applications Launch Control task settings:

1. Open the Task settings window.

2. Con gure the following task settings:

On the General tab:

Applications Launch Control task mode.

Rule usage scope in the task.

320
KSN Usage.

Software Distribution Control settings on the Software Distribution Control tab.

Task start schedule settings on the Schedule and Advanced tabs.

3. Click OK in the Task settings window.

The modi ed settings are saved.

Selecting the mode of the Applications Launch Control task

To con gure the mode of the Applications Launch Control task:

1. Open the Task settings window.

2. On the General tab, in the Task mode drop-down list, specify the task mode.

3. Clear or select the Repeat action taken for the rst le launch on all the subsequent launches for this le
check box.

Kaspersky Embedded Systems Security creates a new list of cached events every time the Applications
Launch Control task settings are modi ed. This means that Applications Launch Control is performed
according to the current security settings.

4. Clear or select the Deny the command interpreters launch with no command to execute .

5. Click OK in the Task settings window.

The speci ed settings are saved.

All attempts to start applications are recorded in the task log.

Con guring the scope of the Applications Launch Control task

To de ne the scope of the Applications Launch Control task:

1. Open the Task settings window.

2. On the General tab, in the Rule usage scope section, specify the following settings:

Apply rules to executable les

Monitor loading of DLL modules

321
Controlling loading of DLL modules may a ect the performance of the operating system.

Apply rules to scripts and MSI packages

3. Click OK in the Task settings window.

The speci ed settings are saved.

Con guring KSN usage

To con gure the use of KSN services for the Applications Launch Control task:

1. Open the Task settings window.

2. On the General tab, in the KSN Usage section, specify the settings for use of KSN services:

If necessary, select the Deny applications untrusted by KSN check box.

If necessary, select the Allow applications trusted by KSN check box.

If the Allow applications trusted by KSN check box is selected, indicate the users and/or groups of users
allowed to start applications trusted in KSN. To do this, perform the following actions:

a. Click the Edit button.

The standard Microsoft Windows Select users or groups window opens.

By default, access to programs trusted in KSN is allowed to all users.

b. Specify the list of users and/or user groups.

c. Click OK.

3. Click OK in the Task settings window.

The speci ed settings are saved.

Software Distribution Control

To add a trusted distribution package:

1. Open the Task settings window.

2. On the Software Distribution Control tab, select the Automatically allow software distribution via
applications and packages listed check box.

322
3. Clear the Always allow software distribution via Windows Installer check box if required.

Clearing the Always allow software distribution via Windows Installer check box is only recommended if
it is absolutely necessary. Turning o this function may cause issues with updating operating system les
and also prevent the launch of les extracted from a distribution package.

4. If required, select the Always allow software distribution via SCCM using the Background Intelligent
Transfer Service check box.

5. To edit the list of trusted distribution packages, click Change packages list and select one of the following
methods in the window that opens:

Add one distribution package.

a. Click the Browse button.

b. Select the executable le or distribution package.

The Trusting criteria section is automatically populated with data about the selected le.

c. Clear or select the Allow the further distribution of programs created from this distribution package
check box.

d. Select one of two available options for criteria to use to determine whether a le or distribution package
is trusted:

Use digital certi cate

Use SHA256 hash

Add several packages by hash.

Change selected package.

Use this option to select a di erent executable le or distribution package, or to change the trust criteria.

Import distribution packages list from le .

In the Open window, specify the con guration le containing a list of trusted distribution packages.

6. If you want to remove a previously added application or distribution package for the trusted list, click the
Delete distribution packages button. Extracted les will be allowed to run.

To prevent extracted les from starting, uninstall the application on the protected device or create a
denying rule in the Applications Launch Control task settings.

323
7. Click OK.

Your newly con gured settings are saved.

Con guring Applications Launch Control rules

Learn how to generate, import and export a list of rules, or manually create allowing or denying rules using the
Application Launch Control task.

Adding an Applications Launch Control rule

To add an Applications Launch Control rule:

1. Open the Applications Launch Control rules window.

2. Click the Add button.

3. In the context menu of the button, select Add one rule.

The Rule settings window opens.

4. Specify the following settings:

a. In the Name eld, enter the name of the rule.

b. In the Type drop-down list, select the rule type:

Allowing if you want the rule to allow launch of applications in accordance with the criteria speci ed in
the rule settings.

Denying if you want the rule to block launch of applications in accordance with the criteria speci ed in
the rule settings.

c. In the Scope drop-down list, select the type of les whose execution will be controlled by the rule:

Executable les if you want the rule to control launch of executable les.

Scripts and MSI packages if you want the rule to control launch of scripts and MSI packages.

d. In the User or user group eld, specify the users who will be allowed or not allowed to start programs based
on the type of rule. To do this, perform the following actions:

1. Click the Browse button.

2. The standard Microsoft Windows Select user or groups window opens.

3. Specify the list of users and/or user groups.

4. Click OK.

e. If you want to take the values of the rule-triggering criteria listed in the Rule triggering criterion section
from a speci c le:

324
1. Click the Set rule triggering criterion from le properties button.
The standard Microsoft Windows Open window opens.