Updating Kaspersky Security Center and managed applications

This section describes steps you must take to update Kaspersky Security Center and managed applications.

Scenario: Regular updating Kaspersky databases and applications

This section provides a scenario for regular updating of Kaspersky databases, software modules, and applications. After you complete the Configuring network protection scenario, you must maintain the reliability of the protection system to make sure that the Administration Servers and managed devices are kept protected against various threats, including viruses, network attacks, and phishing attacks.

Network protection is kept up-to-date by regular updates of the following:

• Kaspersky databases and software modules
• Installed Kaspersky applications, including Kaspersky Security Center components and security applications

When you complete this scenario, you can be sure of the following:

• Your network is protected by the most recent Kaspersky software, including Kaspersky Security Center components and security applications.
• The anti-virus databases and other Kaspersky databases critical for the network safety are always up-to-date.

Prerequisites

The managed devices must have a connection to the Administration Server. If they do not have a connection, consider updating Kaspersky databases, software modules, and applications manually or directly from the Kaspersky update servers.

Administration Server must have a connection to the internet.

Before you start, make sure that you have done the following:

1. Deployed the Kaspersky security applications to the managed devices according to the scenario of deploying Kaspersky applications through Kaspersky Security Center 13.1 Web Console.
2. Created and configured all required policies, policy profiles, and tasks according to the scenario of configuring network protection.
3. Assigned an appropriate amount of distribution points in accordance with the number of managed devices and the network topology.

Updating Kaspersky databases and applications proceeds in stages:

1. Choosing an update scheme

   There are several schemes that you can use to install updates to Kaspersky Security Center components and security applications. Choose the scheme or several schemes that meet the requirements of your network best.

2. Creating the task for downloading updates to the repository of the Administration Server

   This task is created automatically by Kaspersky Security Center Quick Start Wizard. If you did not run the Wizard, create the task now.

   This task is required to download updates from Kaspersky update servers to the repository of the Administration Server, as well as to update Kaspersky databases and software modules for Kaspersky Security Center. After the updates are downloaded, they can be propagated to the managed devices.

   If your network has assigned distribution points, the updates are automatically downloaded from the Administration Server repository to the repositories of the distribution points. In this case the managed devices included in the scope of a distribution point download the updates from the repository of the distribution point instead of the Administration Server repository.

   How-to instructions:

   • Administration Console: Creating the task for downloading updates to the repository of the Administration Server

   or

   • Kaspersky Security Center 13.1 Web Console: Creating the task for downloading updates to the repository of the Administration Server
3. Creating the task for downloading updates to the repositories of distribution points (optional)

   By default, the updates are downloaded to the distribution points from the Administration server. You can configure Kaspersky Security Center to download the updates to the distribution points directly from Kaspersky update servers. Download to the repositories of distribution points is preferable if the traffic between the Administration Server and the distribution points is more expensive than the traffic between the distribution points and Kaspersky update servers, or if your Administration Server does not have internet access.

   When your network has assigned distribution points and the Download updates to the repositories of distribution points task is created, the distribution points download updates from Kaspersky update servers, and not from the Administration Server repository.

   How-to instructions:

   • Administration Console: Creating the task for downloading updates to the repositories of distribution points

   or

   • Kaspersky Security Center 13.1 Web Console: Creating the task for downloading updates to the repositories of distribution points
4. Configuring distribution points

   When your network has assigned distribution points, make sure that the Deploy updates option is enabled in the properties of all required distribution points. When this option is disabled for a distribution point, the devices included in the scope of the distribution point download updates from the repository of the Administration Server.

   If you want the managed devices to receive updates only from the distribution points, enable the Distribute files through distribution points only option in the Network Agent policy.

5. Optimizing the update process by using the offline model of update download or diff files (optional)

   You can optimize the update process by using the offline model of update download (enabled by default) or by using diff files. For each network segment, you have to choose which of these two features to enable, because they cannot work simultaneously.

   When the offline model of update download is enabled, Network Agent downloads the required updates to the managed device once the updates are downloaded to the Administration Server repository, before the security application requests the updates. This enhances the reliability of the update process. To use this feature, enable the Download updates and anti-virus databases from the Administration Server in advance option in the Network Agent policy.

   If you do not use the offline model of update download, you can optimize traffic between the Administration Server and the managed devices by using diff files. When this feature is enabled, the Administration Server or a distribution point downloads diff files instead of entire files of Kaspersky databases or software modules. A diff file describes the differences between two versions of a file of a database or software module. Therefore, a diff file occupies less space than an entire file. This results in decrease in the traffic between the Administration Server or distribution points and the managed devices. To use this feature, enable the Download diff files option in the properties of the Download updates to the Administration Server repository task and/or the Download updates to the repositories of distribution points task.

   How-to instructions:

   • Using diff files for updating Kaspersky databases and software modules
   • Administration Console: Enabling and disabling the offline model of update download

   or

   • Kaspersky Security Center 13.1 Web Console: Enabling and disabling the offline model of update download
6. Verifying downloaded updates (optional)

   Before installing the downloaded updates, you can verify the updates through the Update verification task. This task sequentially runs the device update tasks and virus scan tasks configured through settings for the specified collection of test devices. Upon obtaining the task results, the Administration Server starts or blocks the update propagation to the remaining devices.

   The Update verification task can be performed as part of the Download updates to the repository of the Administration Server task. In the properties of the Download updates to the repository of the Administration Server task, enable the Verify updates before distributing option in the Administration Console or the Run update verification option in Kaspersky Security Center 13.1 Web Console.

   How-to instructions:

   • Administration Console: Verifying downloaded updates

   or

   • Kaspersky Security Center 13.1 Web Console: Verifying downloaded updates
7. Approving and declining software updates

   By default, the downloaded software updates have the Undefined status. You can change the status to Approved or Declined. The approved updates are always installed. If an update requires reviewing and accepting the terms of the End User License Agreement, then you first need to accept the terms. After that the update can be propagated to the managed devices. The undefined updates can only be installed on Network Agent and other Kaspersky Security Center components in accordance with the Network Agent policy settings. The updates for which you set Declined status will not be installed on devices. If a declined update for a security application was previously installed, Kaspersky Security Center will try to uninstall the update from all devices. Updates for Kaspersky Security Center components cannot be uninstalled.

   How-to instructions:

   • Administration Console: Approving and declining software updates

   or

   • Kaspersky Security Center 13.1 Web Console: Approving and declining software updates
8. Configuring automatic installation of updates and patches for Kaspersky Security Center components

   Starting from version 10 Service Pack 2, the downloaded updates and patches for Network Agent and other Kaspersky Security Center components are installed automatically. If you have left the Automatically install applicable updates and patches for components that have the Undefined status option enabled in the Network Agent properties, then all updates will be installed automatically after they are downloaded to the repository (or several repositories). If this option is disabled, Kaspersky patches that have been downloaded and tagged with the Undefined status will be installed only after you change their status to Approved.

   For Network Agent versions earlier than 10 Service Pack 2, make sure that the Update Network Agent modules option is enabled in the properties of the Download updates to the repository of the Administration Server task or the Download updates to the repositories of distribution points task.

   How-to instructions:

   • Administration Console: Enabling and disabling automatic updating and patching for Kaspersky Security Center components

   or

   • Kaspersky Security Center 13.1 Web Console: Enabling and disabling automatic updating and patching for Kaspersky Security Center components
9. Installation of updates for the Administration Server

   Software updates for the Administration Server do not depend on the update statuses. They are not installed automatically and must be preliminarily approved by the administrator on the Monitoring tab in the Administration Console (Administration Server <server name> → Monitoring) or on the NOTIFICATIONS section in Kaspersky Security Center 13.1 Web Console (MONITORING & REPORTING → NOTIFICATIONS). After that, the administrator must explicitly run installation of the updates.

10. Configuring automatic installation of updates for the security applications

    Create the Update tasks for the managed applications to provide timely updates to the applications, software modules and Kaspersky databases, including anti-virus databases. To ensure timely updates, we recommend that you select the When new updates are downloaded to the repository option when configuring the task schedule.

    By default, updates for Kaspersky Endpoint Security for Windows and Kaspersky Endpoint Security for Linux are installed only after you change the update status to Approved. You can change the update settings in the Update task.

    If an update requires reviewing and accepting the terms of the End User License Agreement, then you first need to accept the terms. After that the update can be propagated to the managed devices.

    How-to instructions:

    • Administration Console: Automatic installation of Kaspersky Endpoint Security updates on devices

    or

    • Kaspersky Security Center 13.1 Web Console: Automatic installation of Kaspersky Endpoint Security updates on devices

Results

Upon completion of the scenario, Kaspersky Security Center is configured to update Kaspersky databases and installed Kaspersky applications after the updates are downloaded to the repository of the Administration Server or to the repositories of distribution points. You can then proceed to monitoring the network status.

About updating Kaspersky databases, software modules, and applications

To be sure that the protection of your Administration Servers and managed devices is up-to-date, you must provide timely updates of the following:

• Kaspersky databases and software modules
• Installed Kaspersky applications, including Kaspersky Security Center components and security applications

Depending on the configuration of your network, you can use the following schemes of downloading and distributing the required updates to the managed devices:

• By using a single task: Download updates to the Administration Server repository
• By using two tasks:
  • The Download updates to the Administration Server repository task
  • The Download updates to the repositories of distribution points task
• Manually through a local folder, a shared folder, or an FTP server
• Directly from Kaspersky update servers to Kaspersky Endpoint Security on the managed devices

Using the Download updates to the Administration Server repository task

In this scheme, Kaspersky Security Center downloads updates through the Download updates to the Administration Server repository task. In small networks that contain less than 300 managed devices in a single network segment or less than 10 managed devices in each network segment, the updates are distributed to the managed devices directly from the Administration Server repository (see figure below).

Updating by using the Download updates to the Administration Server repository task without distribution points

By default, the Administration Server communicates with Kaspersky update servers and downloads updates by using the HTTPS protocol. You can configure the Administration Server to use the HTTP protocol instead of HTTPS.

If your network contains more than 300 managed devices in a single network segment or if your network consists of several network segments with more than 9 managed devices in each network segment, we recommend that you use distribution points to propagate the updates to the managed devices (see figure below). Distribution points reduce the load on the Administration Server and optimize traffic between the Administration Server and the managed devices. You can calculate the number and configuration of distribution points required for your network.

In this scheme, the updates are automatically downloaded from the Administration Server repository to the repositories of the distribution points. The managed devices included in the scope of a distribution point download the updates from the repository of the distribution point instead of the Administration Server repository.

Updating by using the Download updates to the Administration Server repository task with distribution points

When the Download updates to the Administration Server repository task is complete, the following updates are downloaded to the Administration Server repository:

• Kaspersky databases and software modules for Kaspersky Security Center

  These updates are installed automatically.

• Kaspersky databases and software modules for the security applications on the managed devices

  These updates are installed through the Update task for Kaspersky Endpoint Security for Windows.

• Updates for the Administration Server

  These updates are not installed automatically. The administrator must explicitly approve and run installation of the updates.

  Local administrator rights are required for installing patches on the Administration Server.

• Updates for the components of Kaspersky Security Center

  By default, these updates are installed automatically. You can change the settings in the Network Agent policy.

• Updates for the security applications

  By default, Kaspersky Endpoint Security for Windows installs only those updates that you approve. (You can approve updates via the Administration Console or via Kaspersky Security Center 13.1 Web Console). The updates are installed through the Update task and can be configured in the properties of this task.

The Download updates to the repository of the Administration Server task is not available on virtual Administration Servers. The repository of the virtual Administration Server displays updates downloaded to the primary Administration Server.

You can configure the updates to be verified for operability and errors on a set of test devices. If the verification is successful, the updates are distributed to other managed devices.

Each Kaspersky application requests required updates from Administration Server. Administration Server aggregates these requests and downloads only those updates that are requested by any application. This ensures that the same updates are not downloaded multiple times and that unnecessary updates are not downloaded at all. When running the Download updates to the Administration Server repository task, Administration Server sends the following information to Kaspersky update servers automatically in order to ensure the downloading of relevant versions of Kaspersky databases and software modules:

• Application ID and version
• Application installation ID
• Active key ID
• Download updates to the repository of the Administration Server task run ID

None of the transmitted information contains personal or other confidential data. AO Kaspersky Lab protects information in accordance with requirements established by law.

Using two tasks: the Download updates to the Administration Server repository task and the Download updates to the repositories of distribution points task

You can download updates to the repositories of distribution points directly from the Kaspersky update servers instead of the Administration Server repository, and then distribute the updates to the managed devices (see figure below). Download to the repositories of distribution points is preferable if the traffic between the Administration Server and the distribution points is more expensive than the traffic between the distribution points and Kaspersky update servers, or if your Administration Server does not have internet access.

Updating by using the Download updates to the Administration Server repository task and the Download updates to the repositories of distribution points task

By default, the Administration Server and distribution points communicate with Kaspersky update servers and download updates by using the HTTPS protocol. You can configure the Administration Server and/or distribution points to use the HTTP protocol instead of HTTPS.

To implement this scheme, create the Download updates to the repositories of distribution points task in addition to the Download updates to the Administration Server repository task. After that the distribution points will download updates from Kaspersky update servers, and not from the Administration Server repository.

Distribution point devices running macOS cannot download updates from Kaspersky update servers.

If one or more devices running macOS are within the scope of the Download updates to the repositories of distribution points task, the task completes with the Failed status, even if it has successfully completed on all Windows devices.

The Download updates to the Administration Server repository task is also required for this scheme, because this task is used to download Kaspersky databases and software modules for Kaspersky Security Center.

Manually through a local folder, a shared folder, or an FTP server

If the client devices do not have a connection to the Administration Server, you can use a local folder or a shared resource as a source for updating Kaspersky databases, software modules, and applications. In this scheme, you need to copy required updates from the Administration Server repository to a removable drive, then copy the updates to the local folder or the shared resource specified as an update source in the settings of Kaspersky Endpoint Security (see figure below).

Updating through a local folder, a shared folder, or an FTP server

For more information about sources of updates in Kaspersky Endpoint Security, see the following Helps:

• Kaspersky Endpoint Security for Windows Help
• Kaspersky Endpoint Security for Linux Help

Directly from Kaspersky update servers to Kaspersky Endpoint Security on the managed devices

On the managed devices, you can configure Kaspersky Endpoint Security to receive updates directly from Kaspersky update servers (see figure below).

Updating security applications directly from Kaspersky update servers

In this scheme, the security application does not use the repositories provided by Kaspersky Security Center. To receive updates directly from Kaspersky update servers, specify Kaspersky update servers as an update source in the interface of the security application. For more information about these settings, see the following Helps:

• Kaspersky Endpoint Security for Windows Help
• Kaspersky Endpoint Security for Linux Help

About using diff files for updating Kaspersky databases and software modules

When Kaspersky Security Center downloads updates from Kaspersky update servers, it optimizes traffic by using diff files. You can also enable the usage of diff files by devices (Administration Servers, distribution points, and client devices) that take updates from other devices on your network.

About the Downloading diff files feature

A diff file describes the differences between two versions of a file of a database or software module. The usage of diff files saves traffic inside your company's network because diff files occupy less space than entire files of databases and software modules. If the Downloading diff files feature is enabled on Administration Server or a distribution point, the diff files are saved on this Administration Server or distribution point. As a result, devices that take updates from this Administration Server or distribution point can use the saved diff files to update their databases and software modules.

To optimize the usage of diff files, we recommend that you synchronize the update schedule of devices with the update schedule of the Administration Server or distribution point from which the devices take updates. However, the traffic can be saved even if devices are updated several times less often than are the Administration Server or distribution point from which the devices take updates.

The Downloading diff files feature can be enabled only on Administration Servers and distribution points of versions starting from version 11. To save diff files on Administration Servers and distribution points of earlier versions, upgrade them to version 11 or later.

The Downloading diff files feature is incompatible with the offline model of update download. This means that Network Agents that use the offline model of update download do not download diff files even if the Downloading diff files feature is enabled on the Administration Server or distribution point that delivers updates to these Network Agents.

Distribution points do not use IP multicasting for automatic distribution of diff files.

Enabling the Downloading diff files feature: scenario

Prerequisites

Prerequisites for the scenario are as follows:

• Administration Servers and distribution points are upgraded to version 11 or later.
• Offline model of update download is disabled in the settings of the Network Agent policy.

Stages

1. Enabling the feature on Administration Server

   Enable the feature in the settings of a Download updates to the repository of the Administration Server task.

2. Enabling the feature for a distribution point

   Enable the feature for a distribution point that receives updates by means of a Download updates to the repositories of distribution points task.

   Then enable the feature for a distribution point that receives updates from Administration Server.

   The feature is enabled in the Network Agent policy settings and—if the distribution points are assigned manually and if you want to override policy settings—in the Distribution points section of the Administration Server properties.

To check that the Downloading diff files feature is successfully enabled, you can measure the internal traffic before and after you perform the scenario.

Creating the task for downloading updates to the repository of the Administration Server

Expand all | Collapse all

The Download updates to the repository of the Administration Server task of the Administration Server is created automatically by the Kaspersky Security Center Quick Start Wizard. You can create only one Download updates to the repository of the Administration Server task. Therefore, you can create a Download updates to the repository of the Administration Server task only if this task was removed from the Administration Server tasks list.

To create a Download updates to the repository of the Administration Server task:

1. In the console tree, select the Tasks folder.
2. Start creation of the task in one of the following ways:
   • In the context menu of the Tasks folder in the console tree, select New → Task.
   • In the workspace of the Tasks folder, click the Create a task button.

   The Add Task Wizard starts. Follow the steps of the Wizard.

3. On the Select the task type page of the Wizard, select Download updates to the Administration Server repository.
4. On the Settings page of the Wizard, specify the task settings as follows:
   • Sources of updates

     The following resources can be used as a source of updates for the Administration Server:

     • Kaspersky update servers

       HTTP(S) servers at Kaspersky from which Kaspersky applications download database and application module updates. By default, the Administration Server communicates with Kaspersky update servers and downloads updates by using the HTTPS protocol. You can configure the Administration Server to use the HTTP protocol instead of HTTPS.

       Selected by default.

     • Primary Administration Server

       This resource applies to tasks created for a secondary or virtual Administration Server.

     • Local or network folder

       A local or network folder that contains the latest updates. A network folder can be an FTP or HTTP server, or an SMB share. When selecting a local folder, you must specify a folder on the device that has Administration Server installed.

       An FTP or HTTP server or a network folder used by an update source must contain a folders structure (with updates) that matches the structure created when using Kaspersky update servers.

   • Other settings:
     • Force update of secondary Administration Servers

       If this option is enabled, the Administration Server starts the update tasks on the secondary Administration Servers as soon as new updates are downloaded. Otherwise, the update tasks on the secondary Administration Servers start according to their schedules.

       By default, this option is disabled.

     • Copy downloaded updates to additional folders

       After the Administration Server receives updates, it copies them to the specified folders. Use this option if you want to manually manage the distribution of updates on your network.

       For example, you may want to use this option in the following situation: the network of your organization consists of several independent subnets, and devices from each of the subnets do not have access to other subnets. However devices in all of the subnets have access to a common network share. In this case, you set Administration Server in one of the subnets to download updates from Kaspersky update servers, enable this option, and then specify this network share. In downloaded updates to the repository tasks for other Administration Servers, specify the same network share as the update source.

       By default, this option is disabled.

       • Do not force updating of devices and secondary Administration Servers unless copying is complete

         The tasks of downloading updates to client devices and secondary Administration Servers start only after those updates are copied from the main update folder to additional update folders.

         This option must be enabled if client devices and secondary Administration Servers download updates from additional network folders.

         By default, this option is disabled.

     • Update Network Agent modules (for Network Agent versions earlier than 10 Service Pack 2)

       If this option is enabled, updates for software modules of Network Agent are installed automatically after the Administration Server completes the download updates to the repository task. Otherwise, updates received for Network Agent modules can be installed manually.

       This option is only applicable to Network Agent versions earlier than 10 Service Pack 2. Starting from version 10 Service Pack 2, Network Agents are updated automatically.

       By default, this option is enabled.

5. On the Configure task schedule page of the Wizard, you can create a schedule for task start. If necessary, specify the following settings:
   • Scheduled start:

     Select the schedule according to which the task runs, and configure the selected schedule.

     • Every N hours

       The task runs regularly, with the specified interval in hours, starting from the specified date and time.

       By default, the task runs every six hours, starting from the current system date and time.

     • Every N days

       The task runs regularly, with the specified interval in days. Additionally, you can specify a date and time of the first task run. These additional options become available, if they are supported by the application for which you create the task.

       By default, the task runs every day, starting from the current system date and time.

     • Every N weeks

       The task runs regularly, with the specified interval in weeks, on the specified day of week and at the specified time.

       By default, the task runs every Monday at the current system time.

     • Every N minutes

       The task runs regularly, with the specified interval in minutes, starting from the specified time on the day that the task is created.

       By default, the task runs every 30 minutes, starting from the current system time.

     • Daily (daylight saving time is not supported)

       The task runs regularly, with the specified interval in days. This schedule does not support observance of daylight saving time (DST). It means that when clocks jump one hour forward or backward at the beginning or ending of DST, the actual task start time does not change.

       We do not recommend that you use this schedule. It is needed for backward compatibility of Kaspersky Security Center.

       By default, the task starts every day at the current system time.

     • Weekly

       The task runs every week on the specified day and at the specified time.

     • By days of week

       The task runs regularly, on the specified days of week, at the specified time.

       By default, the task runs every Friday at 6:00:00 PM.

     • Monthly

       The task runs regularly, on the specified day of the month, at the specified time.

       In months that lack the specified day, the task runs on the last day.

       By default, the task runs on the first day of each month, at the current system time.

     • Manually (selected by default)

       The task does not run automatically. You can only start it manually.

       By default, this option is enabled.

     • Every month on specified days of selected weeks

       The task runs regularly, on the specified days of each month, at the specified time.

       By default, no days of month are selected; the default start time is 6:00:00 PM.

     • On virus outbreak

       The task runs after a Virus outbreak event occurs. Select application types that will monitor virus outbreaks. The following application types are available:

       • Anti-virus for workstations and file servers
       • Anti-virus for perimeter defense
       • Anti-virus for mail systems

       By default, all application types are selected.

       You may want to run different tasks depending on the anti-virus application type that reports a virus outbreak. In this case, remove the selection of the application types that you do not need.

     • On completing another task

       The current task starts after another task completes. You can select how the previous task must complete (successfully or with error) to trigger the start of the current task. For example, you may want to run the Manage devices task with the Turn on the device option and, after it completes, run the Virus scan task.

   • Run missed tasks

     This option determines the behavior of a task if a client device is not visible on the network when the task is about to start.

     If this option is enabled, the system attempts to start the task the next time the Kaspersky application is run on the client device. If the task schedule is Manually, Once or Immediately, the task is started immediately after the device becomes visible on the network or immediately after the device is included in the task scope.

     If this option is disabled, only scheduled tasks run on client devices; for Manually, Once and Immediately, tasks run only on those client devices that are visible on the network. For example, you may want to disable this option for a resource-consuming task that you want to run only outside of business hours.

     By default, this option is enabled.

   • Use automatically randomized delay for task starts

     If this option is enabled, the task is started on client devices randomly within a specified time interval, that is, distributed task start. A distributed task start helps to avoid a large number of simultaneous requests by client devices to the Administration Server when a scheduled task is running.

     The distributed start time is calculated automatically when a task is created, depending on the number of client devices to which the task is assigned. Later, the task is always started on the calculated start time. However, when task settings are edited or the task is started manually, the calculated value of the task start time changes.

     If this option is disabled, the task starts on client devices according to the schedule.

   • Use randomized delay for task starts within an interval of (min)

     If this option is enabled, the task is started on client devices randomly within the specified time interval. A distributed task start helps to avoid a large number of simultaneous requests by client devices to the Administration Server when a scheduled task is running.

     If this option is disabled, the task starts on client devices according to the schedule.

     By default, this option is disabled. The default time interval is one minute.

6. On the Define the task name page of the Wizard, specify the name for the task that you are creating. A task name cannot be more than 100 characters long and cannot include any special characters ("*<>?\:|).
7. On the Finish task creation page of the Wizard, click the Finish button to close the Wizard.

   If you want the task to start as soon as the Wizard finishes, select the Run the task after the Wizard finishes check box.

After the Wizard finishes, Download updates to the Administration Server repository appears in the list of Administration Server tasks in the workspace.

In addition to the settings that you specify during task creation, you can change other properties of a created task.

When Administration Server performs the Download updates to the repository of the Administration Server task, updates to databases and software modules are downloaded from the updates source and stored in the shared folder of Administration Server. If you create this task for an administration group, it will only be applied to Network Agents included in the specified administration group.

Updates are distributed to client devices and secondary Administration Servers from the shared folder of Administration Server.

Creating the Download updates to the repositories of distribution points task

Expand all | Collapse all

Distribution point devices running macOS cannot download updates from Kaspersky update servers.

If one or more devices running macOS are within the scope of the Download updates to the repositories of distribution points task, the task completes with the Failed status, even if it has successfully completed on all Windows devices.

You can create the Download updates to the repositories of distribution points task for an administration group. This task will run for distribution points included in the specified administration group.

You can use this task, for example, if the traffic between the Administration Server and the distribution point(s) is more expensive than the traffic between the distribution point(s) and Kaspersky update servers, or if your Administration Server does not have internet access.

To create the Download updates to the repositories of distribution points task for a selected administration group:

1. In the console tree, select the Tasks folder.
2. In the workspace of this folder, click the Create a task button.

   The Add Task Wizard starts. Follow the steps of the Wizard.

3. On the Select the task type page of the Wizard, select the Kaspersky Security Center 13.1 Administration Server node, expand the Advanced folder, and then select the Download updates to the repositories of distribution points task.
4. On the Settings page of the Wizard, specify the task settings as follows:
   • Sources of updates

     The following resources can be used as a source of updates for the Administration Server:

     • Kaspersky update servers

       HTTP(S) servers at Kaspersky from which Kaspersky applications download database and application module updates. By default, the Administration Server communicates with Kaspersky update servers and downloads updates by using the HTTPS protocol. You can configure the Administration Server to use the HTTP protocol instead of HTTPS.

       Selected by default.

     • Primary Administration Server

       This resource applies to tasks created for a secondary or virtual Administration Server.

     • Local or network folder

       A local or network folder that contains the latest updates. A network folder can be an FTP or HTTP server, or an SMB share. When selecting a local folder, you must specify a folder on the device that has Administration Server installed.

       An FTP or HTTP server or a network folder used by an update source must contain a folders structure (with updates) that matches the structure created when using Kaspersky update servers.

   • Folder for storing updates

     The path to the specified folder for storing saved updates. You can copy the specified folder path to a clipboard. You cannot change the path to a specified folder for a group task.

5. On the Select Administration group page of the Wizard, click Browse and select the administration group to which the task applies.
6. On the Configure task schedule page of the Wizard, you can create a schedule for task start. If necessary, specify the following settings:
   • Scheduled start:

     Select the schedule according to which the task runs, and configure the selected schedule.

     • Every N hours

       The task runs regularly, with the specified interval in hours, starting from the specified date and time.

       By default, the task runs every six hours, starting from the current system date and time.

     • Every N days

       The task runs regularly, with the specified interval in days. Additionally, you can specify a date and time of the first task run. These additional options become available, if they are supported by the application for which you create the task.

       By default, the task runs every day, starting from the current system date and time.

     • Every N weeks

       The task runs regularly, with the specified interval in weeks, on the specified day of week and at the specified time.

       By default, the task runs every Monday at the current system time.

     • Every N minutes

       The task runs regularly, with the specified interval in minutes, starting from the specified time on the day that the task is created.

       By default, the task runs every 30 minutes, starting from the current system time.

     • Daily (daylight saving time is not supported)

       The task runs regularly, with the specified interval in days. This schedule does not support observance of daylight saving time (DST). It means that when clocks jump one hour forward or backward at the beginning or ending of DST, the actual task start time does not change.

       We do not recommend that you use this schedule. It is needed for backward compatibility of Kaspersky Security Center.

       By default, the task starts every day at the current system time.

     • Weekly

       The task runs every week on the specified day and at the specified time.

     • By days of week

       The task runs regularly, on the specified days of week, at the specified time.

       By default, the task runs every Friday at 6:00:00 PM.

     • Monthly

       The task runs regularly, on the specified day of the month, at the specified time.

       In months that lack the specified day, the task runs on the last day.

       By default, the task runs on the first day of each month, at the current system time.

     • Manually (selected by default)

       The task does not run automatically. You can only start it manually.

       By default, this option is enabled.

     • Every month on specified days of selected weeks

       The task runs regularly, on the specified days of each month, at the specified time.

       By default, no days of month are selected; the default start time is 6:00:00 PM.

     • On virus outbreak

       The task runs after a Virus outbreak event occurs. Select application types that will monitor virus outbreaks. The following application types are available:

       • Anti-virus for workstations and file servers
       • Anti-virus for perimeter defense
       • Anti-virus for mail systems

       By default, all application types are selected.

       You may want to run different tasks depending on the anti-virus application type that reports a virus outbreak. In this case, remove the selection of the application types that you do not need.

     • On completing another task

       The current task starts after another task completes. You can select how the previous task must complete (successfully or with error) to trigger the start of the current task. For example, you may want to run the Manage devices task with the Turn on the device option and, after it completes, run the Virus scan task.

   • Run missed tasks

     This option determines the behavior of a task if a client device is not visible on the network when the task is about to start.

     If this option is enabled, the system attempts to start the task the next time the Kaspersky application is run on the client device. If the task schedule is Manually, Once or Immediately, the task is started immediately after the device becomes visible on the network or immediately after the device is included in the task scope.

     If this option is disabled, only scheduled tasks run on client devices; for Manually, Once and Immediately, tasks run only on those client devices that are visible on the network. For example, you may want to disable this option for a resource-consuming task that you want to run only outside of business hours.

     By default, this option is enabled.

   • Use automatically randomized delay for task starts

     If this option is enabled, the task is started on client devices randomly within a specified time interval, that is, distributed task start. A distributed task start helps to avoid a large number of simultaneous requests by client devices to the Administration Server when a scheduled task is running.

     The distributed start time is calculated automatically when a task is created, depending on the number of client devices to which the task is assigned. Later, the task is always started on the calculated start time. However, when task settings are edited or the task is started manually, the calculated value of the task start time changes.

     If this option is disabled, the task starts on client devices according to the schedule.

   • Use randomized delay for task starts within an interval of (min)

     If this option is enabled, the task is started on client devices randomly within the specified time interval. A distributed task start helps to avoid a large number of simultaneous requests by client devices to the Administration Server when a scheduled task is running.

     If this option is disabled, the task starts on client devices according to the schedule.

     By default, this option is disabled. The default time interval is one minute.

7. On the Define the task name page of the Wizard, specify the name for the task that you are creating. A task name cannot be more than 100 characters long and cannot include any special characters ("*<>?\:|).
8. On the Finish task creation page of the Wizard, click the Finish button to close the Wizard.

   If you want the task to start as soon as the Wizard finishes, select the Run the task after the Wizard finishes check box.

When the Wizard completes its operation, Download updates to the repositories of distribution points appears in the list of Network Agent tasks in the target administration group and in the Tasks workspace of the console.

In addition to the settings that you specify during task creation, you can change other properties of a created task.

When the Download updates to the repositories of distribution points task is performed, updates for databases and software modules are downloaded from the update source and stored in the shared folder. Downloaded updates will only be used by distribution points that are included in the specified administration group and that have no update download task explicitly set for them.

In the Administration Server properties window, in the Sections pane select Distribution points. In the properties of each distribution point, in the Update source section you can specify the update source (Retrieve from Administration Server or Use task for forced download of updates). By default, Retrieve from Administration Server is selected for a distribution point that is assigned manually or automatically. These distribution points will use the results of the Download updates to the repositories of distribution points task.

The properties of each distribution point specify the network folder that has been set up for that distribution point individually. The names of folders may vary for different distribution points. For this reason, we do not recommend that you change the network folder in the task properties if the task is created for a group of devices.

You can change the network folder with updates in the properties of the Download updates to the repositories of distribution points task if you are creating a local task for a device.

The previous versions of the application (Kaspersky Security Center 10 Service Pack 2 and earlier) allowed you to create the update download task for distribution points as a local task only. Starting from Kaspersky Security Center 10 Service Pack 3, this restriction has been lifted, which has resulted in decreased traffic rates.

Configuring the Download updates to the repository of the Administration Server task

To configure the Download updates to the repository of the Administration Server task:

1. In the workspace of the Tasks console tree folder, select Download updates to the Administration Server repository in the task list.
2. Open the task properties window in one of the following ways:
   • By selecting Properties in the context menu of the task.
   • By clicking the Configure task link in the information box for the selected task.

The Download updates to the repository of the Administration Server task properties window opens. In this window, you can configure how the updates are downloaded to the Administration Server repository.

Verifying downloaded updates

Before installing updates to the managed devices, you can first check the updates for operability and errors through the Update verification task. The Update verification task is performed automatically as part of the Download updates to the Administration Server repository task. The Administration Server downloads updates from the source, saves them in the temporary repository, and runs the Update verification task. If the task completes successfully, the updates are copied from the temporary repository to the Administration Server shared folder (<Kaspersky Security Center installation folder>\Share\Updates). They are distributed to all client devices for which the Administration Server is the source of updates.

If, as a result of the Update verification task, updates located in the temporary repository are incorrect or if the Update verification task completes with an error, such updates are not copied to the shared folder. The Administration Server retains the previous set of updates. Also, the tasks that have the When new updates are downloaded to the repository schedule type are not started then. These operations are performed at the next start of the Download updates to the Administration Server repository task if scanning of the new updates completes successfully.

A set of updates is considered invalid if any of the following conditions is met on at least one test device:

• An update task error occurred.
• The real-time protection status of the security application changed after the updates were applied.
• An infected object was detected during running of the on-demand scan task.
• A runtime error of a Kaspersky application occurred.

If none of the listed conditions is true for any test device, the set of updates is considered valid, and the Update verification task is considered to have completed successfully.

Before you start to create the Update verification task, perform the prerequisites:

1. Create an administration group with several test devices. You will need this group to verify updates on it.

   We recommend using devices with the most reliable protection and the most popular application configuration across the network. This approach increases the quality and probability of virus detection during scans, and minimizes the risk of false positives. If viruses are detected on test devices, the Update verification task is considered unsuccessful.

2. Create the Update and Virus Scan tasks for an application supported by Kaspersky Security Center, for example, Kaspersky Endpoint Security for Windows or Kaspersky Security for Windows Server. When creating the Update and Virus Scan tasks, specify the administration group with the test devices.

   The Update verification task sequentially runs the Update and Virus Scan tasks on test devices to check that all updates are valid. In addition, when creating the Update verification task, you need to specify the Update and Virus Scan tasks.

3. Create the Download updates to the Administration Server repository task.

To make Kaspersky Security Center verify downloaded updates before distributing them to client devices:

1. In the workspace of the Tasks folder, select the Download updates to the Administration Server repository task in the list of tasks.
2. Open the task properties window in one of the following ways:
   • By selecting Properties in the context menu of the task.
   • By clicking the Configure task link in the information box for the selected task.
3. If the Update verification task exists, click the Browse button. In the window that opens, select the Update verification task in the administration group with test devices.
4. If you did not create the Update verification task earlier, click the Create button.

   The Update Verification Task Wizard starts. Follow the instructions of the Wizard.

5. Click OK to close the properties window of the Download updates to the repository of the Administration Server task.

The automatic update verification is enabled. Now, you can run the Download updates to the Administration Server repository task and it will start from update verification.

Configuring test policies and auxiliary tasks

When creating an Update verification task, the Administration Server generates test policies, auxiliary group update tasks, and on-demand scan tasks.

Auxiliary group update and on-demand scan tasks take some time. These tasks are performed when the Update verification task is executed. The Update verification task is performed during execution of the Download updates to the repository task. The duration of the Download updates to the repository task includes auxiliary group update and on-demand scan tasks.

You can change the settings of test policies and auxiliary tasks.

To change settings of a test policy or an auxiliary task:

1. In the console tree, select a group for which the Update verification task is created.
2. In the group workspace, select one of the following tabs:
   • Policies, if you want to edit the test policy settings.
   • Tasks, if you want to change auxiliary task settings.
3. In the tab workspace, select a policy or a task, whose settings you want to change.
4. Open the policy (task) properties window in one of the following ways:
   • By selecting Properties in the context menu of the policy (task).
   • By clicking the Configure policy (Configure task) link in the information box for the selected policy (task).

To verify updates correctly, set the following restrictions on the modification of test policies and auxiliary tasks:

• In the auxiliary task settings:
  • Save all tasks with the Critical event and Functional failure importance levels on Administration Server. Using the events of these types, the Administration Server analyzes the operation of applications.
  • Use Administration Server as the source of updates.
  • Specify the task schedule type: Manually.
• In the settings of test policies:
  • Disable the iChecker and iSwift scanning acceleration technologies (Essential Threat Protection → File Threat Protection → Settings → Additional → Scan technologies).
  • Select actions on infected objects: Disinfect; delete if disinfection fails / Disinfect; block if disinfection fails / Block. (Essential Threat Protection → File Threat Protection → Action on threat detection).
• In the settings of test policies and auxiliary tasks:

  If the device requires a restart after installation of updates for software modules, it must be performed immediately. If the device is not restarted, it is not possible to test this type of updates. For some applications, installation of updates that require a restart may be prohibited or configured to prompt the user for confirmation first. These restrictions should be disabled in the settings of test policies and auxiliary tasks.

Viewing downloaded updates

To view the list of downloaded updates,

In the console tree, in the Repositories folder, select the Updates for Kaspersky databases and software modules subfolder.

The workspace of the Updates for Kaspersky databases and software modules folder shows the list of updates that have been saved on the Administration Server.

Automatic installation of Kaspersky Endpoint Security updates on devices

You can configure automatic updates of databases and software modules of Kaspersky Endpoint Security on client devices.

To configure download and automatic installation of Kaspersky Endpoint Security updates on devices:

1. In the console tree, select the Tasks folder.
2. Create an Update task in one of the following ways:
   • By selecting New → Task in the context menu of the Tasks folder in the console tree.
   • By clicking the New task button in the workspace of the Tasks folder.

   The Add Task Wizard starts. Follow the steps of the Wizard.

3. On the Select the task type page of the Wizard, select Kaspersky Endpoint Security as the task type, and then select Update as the task subtype.
4. Follow the rest of the Wizard instructions.

   After the Wizard finishes, an update task for Kaspersky Endpoint Security is created. The newly created task is displayed in the list of tasks in the workspace of the Tasks folder.

5. In the workspace of the Tasks folder, select the update task that you have created.
6. In the context menu of the task, select Properties.
7. In the task properties window that opens, in the Sections pane select Options.

   In the Options section, you can define the update task settings in local or mobile mode:

   • Update settings for local mode: Connection is established between the device and the Administration Server.
   • Update settings for mobile mode: No connection is established between Kaspersky Security Center and the device (for example, when the device is not connected to the internet).
8. Click the Settings button to select the update source.
9. Select the Download updates of application modules option to download and install software module updates together with the application databases.

   If the check box is selected, Kaspersky Endpoint Security notifies the user about available software module updates and includes software module updates in the update package when running the update task. Configure the use of update modules:

   • Install critical and approved updates. If any updates are available for software modules, Kaspersky Endpoint Security automatically installs those that have Critical status; the remaining updates will be installed after you approve them.
   • Install approved updates only. If any software module updates are available, Kaspersky Endpoint Security installs them after their installation is approved; they will be installed locally through the application interface or through Kaspersky Security Center.

   If updating the software module requires reviewing and accepting the terms of the License Agreement and Privacy Policy, the application installs updates after the terms of the License Agreement and Privacy Policy have been accepted by the user.

10. Select the Copy updates to folder option in order for the application to save downloaded updates to a folder, and then click the Browse button to specify the folder.
11. Click OK.

When the Update task is running, the application sends requests to Kaspersky update servers.

Some updates require installation of the latest versions of management plug-ins.

Offline model of update download

Network Agent on managed devices may sometimes not connect to the Administration Server to receive updates. For example, Network Agent may have been installed on a laptop that sometimes has no internet connection and no local network access. Moreover, the administrator may limit the time for connecting devices to the network. In such cases, devices with Network Agent installed cannot receive updates from the Administration Server according to the existing schedule. If you have configured the updating of managed applications (such as Kaspersky Endpoint Security) using Network Agent, each update requires a connection to the Administration Server. When no connection is established between Network Agent and the Administration Server, updating is not possible. You can configure the connection between Network Agent and the Administration Server so that Network Agent connects to the Administration Server at specified time intervals. At worst, if the specified connection intervals are overlaid with periods when no connection is available, the databases will never be updated. In addition, issues may occur when multiple managed applications simultaneously attempt to access the Administration Server to receive updates. In this case, the Administration Server may stop responding to requests (similarly to a DDoS attack).

To avoid such problems as those described above, an offline model for downloading updates and modules of managed applications is implemented in Kaspersky Security Center. This model provides a mechanism for distribution of updates, regardless of temporary problems caused by inaccessibility of Administration Server communication channels. The model also reduces load on the Administration Server.

How the offline model of update download works

When the Administration Server receives updates, it notifies Network Agent (on devices where it is installed) of the updates that will be required for managed applications. When Network Agent receives information about these updates, it downloads the relevant files from the Administration Server in advance. At the first connection with Network Agent, the Administration Server initiates an update download. After Network Agent downloads all the updates to a client device, the updates become available for applications on that device.

When a managed application on a client device attempts to access Network Agent for updates, Network Agent checks whether it has all required updates. If the updates are received from the Administration Server not more than 25 hours before they were requested by the managed application, Network Agent does not connect to the Administration Server but supplies the managed application with updates from the local cache instead. Connection with the Administration Server may not be established when Network Agent provides updates to applications on client devices, but connection is not required for updating.

To distribute the load on the Administration Server, Network Agent on a device connects to the Administration Server and download updates in random order during the time interval specified by the Administration Server. This time interval depends on the number of devices with Network Agent installed that download updates and on the size of those updates. To reduce the load on the Administration Server, you can use Network Agent as distribution points.

If the offline model of update download is disabled, updates are distributed according to the schedule of the update download task.

By default, the offline model of update download is enabled.

The offline model of update download is only used with managed devices on which the task for retrieving updates by managed applications has When new updates are downloaded to the repository selected as the schedule type. For other managed devices, the standard scheme is used for retrieving updates from the Administration Server in real-time mode.

We recommend that you disable the offline model of update download by using the settings of the Network Agent policies of relevant administration groups in these cases: if managed applications have the retrieval of updates set not from the Administration Server, but from Kaspersky servers or a network folder, and if the update download task has When new updates are downloaded to the repository selected as the schedule type.

Enabling and disabling the offline model of update download

We recommend that you avoid disabling the offline model of update download. Disabling it may cause failures in update delivery to devices. In certain cases, a Kaspersky Technical Support specialist may recommend that you clear the Download updates and anti-virus databases from Administration Server in advance check box. Then, you will have to make sure that the task for receiving updates for Kaspersky applications has been set up.

To enable or disable the offline model of update download for an administration group:

1. In the console tree, select the administration group for which you need to enable the offline model of update download.
2. In the group workspace, open the Policies tab.
3. On the Policies tab, select the Network Agent policy.
4. In the context menu of the policy, select Properties.

   Open the properties window of the Network Agent policy.

5. In the policy properties window, select the Manage patches and updates section.
6. Select or clear the Download updates and anti-virus databases from Administration Server in advance (recommended) check box to enable or disable, respectively, the offline model of update download.

   By default, the offline model of update download is enabled.

The offline model of update download will be enabled or disabled.

Automatic updating and patching for Kaspersky Security Center components

By default, any updates and patches that have been downloaded are installed automatically for the following application components (starting from version 10 Service Pack 2):

• Network Agent for Windows
• Administration Console
• Exchange Mobile Device Server
• iOS MDM Server

Automatic updating and patching for Kaspersky Security Center components is available only for devices running Windows. You can disable automatic updating and patching for these components. In this case, any updates and patches that have been downloaded will be installed only after you change their status to Approved. Updates and patches with Undefined status will not be installed.

Enabling and disabling automatic updating and patching for Kaspersky Security Center components

Automatic installation of updates and patches for Kaspersky Security Center components is enabled by default during Network Agent installation on the device. You can disable it during Network Agent installation, or disable it later by using a policy.

To disable automatic updating and patching for Kaspersky Security Center components during local installation of Network Agent on a device:

1. Start local installation of Network Agent on the device.
2. At the Advanced settings step, clear the Automatically install applicable updates and patches for components that have Undefined status check box.
3. Follow the instructions of the Wizard.

Network Agent with disabled automatic updating and patching for Kaspersky Security Center components will be installed on the device. You can enable automatic updating and patching later by using a policy.

To disable automatic updating and patching for Kaspersky Security Center components during Network Agent installation on the device through an installation package:

1. In the console tree, select the Remote installation → Installation packages folder.
2. In the context menu of the Kaspersky Security Center Network Agent <version number> package, select Properties.
3. In the installation package properties, in the Settings section clear the Automatically install applicable updates and patches for components that have the Undefined status check box.

Network Agent with disabled automatic updating and patching for Kaspersky Security Center components will be installed from this package. You can enable automatic updating and patching later by using a policy.

If this check box was selected (or cleared) during Network Agent installation on the device, you can subsequently enable (or disable) automatic updating by using the Network Agent policy.

To enable or disable automatic updating and patching for Kaspersky Security Center components by using the Network Agent policy:

1. In the console tree, select the administration group for which you have to enable or disable automatic updating and patching.
2. In the group workspace, open the Policies tab.
3. On the Policies tab, select the Network Agent policy.
4. In the context menu of the policy, select Properties.

   Open the properties window of the Network Agent policy.

5. In the policy properties window, select the Manage patches and updates section.
6. Select or clear the Automatically install applicable updates and patches for components that have the Undefined status check box to enable or disable, respectively, automatic updating and patching.
7. Set the lock for this check box.

The policy will be applied to the selected devices, and automatic updating and patching for Kaspersky Security Center components will be enabled (or disabled) on these devices.

Automatic distribution of updates

Kaspersky Security Center allows automatic distribution and installation of updates on client devices and secondary Administration Servers.

Distributing updates to client devices automatically

To distribute updates of the selected application to client devices automatically immediately after they are downloaded to the Administration Server repository:

1. Connect to the Administration Server, which manages the client devices.
2. Create an update deployment task for the selected client devices in one of the following ways:
   • If you need to distribute updates to client devices that belong to a selected administration group, create a task for the selected group.
   • If you need to distribute updates to client devices that belong to different administration groups or belong to none of the administration groups, create a task for specific devices.

   The Add Task Wizard starts. Follow its instructions and perform the following actions:

   1. In the Task type Wizard window, in the node of the required application select the updates deployment task.

      The name of the updates deployment task displayed in the Task type window depends on the application for which you create this task. For detailed information about names of update tasks for the selected Kaspersky applications, see the corresponding Guides.

   2. In the Schedule Wizard window, in the Scheduled start field, select When new updates are downloaded to the repository.

The newly created update distribution task will start for the selected devices every time any updates are downloaded to the Administration Server repository.

If an update distribution task for the required application has already been created for the selected devices, to automatically distribute updates to client devices, in the task properties window, in the Schedule section, select When new updates are downloaded to the repository as the start option in the Scheduled start field.

Distributing updates to secondary Administration Servers automatically

To distribute the updates of the selected application to secondary Administration Servers immediately after the updates are downloaded to the primary Administration Server repository:

1. In the console tree, in the primary Administration Server node, select the Tasks folder.
2. In the list of tasks in the workspace, select the Download updates to the repository of the Administration Server task of the Administration Server.
3. Open the Settings section of the selected task in one of the following ways:
   • By selecting Properties in the context menu of the task.
   • By clicking the Edit settings link in the information box for the selected task.
4. In the Settings section of the task properties window, select the Other settings subsection, and then click the Configure link.
5. In the Other settings window that opens, select the Force update of secondary Administration Servers check box.

In the settings of the updates download task of the Administration Server, on the Settings tab of the task properties window, select the Force update of secondary Administration Servers check box.

After the primary Administration Server retrieves updates, the update download tasks automatically start on secondary Administration Servers regardless of their schedule.

Installing updates for software modules of Network Agents automatically

To install updates for software modules of Network Agents automatically after they are uploaded to the Administration Server repository:

1. In the console tree, in the primary Administration Server node, select the Tasks folder.
2. In the list of tasks in the workspace, select the Download updates to the repository of the Administration Server task of the Administration Server.
3. Open the properties window of the selected task in one of the following ways:
   • By selecting Properties in the context menu of the task.
   • By clicking the Configure task link in the information box for the selected task.
4. In the task properties window, select the Settings section.
5. Click the Configure link in the Other settings section to open the Other settings window.
6. In the Other settings window that opens, select the Update Network Agent modules check box.

   If this check box is selected, updates for software modules of Network Agent will be automatically installed after they are uploaded to the Administration Server repository. If this check box is cleared, Network Agent updates will not be installed automatically. Retrieved updates can be installed manually. By default, this check box is selected.

   Network Agent software modules can only be installed automatically for Network Agent 10 Service Pack 1 or later.

7. Click OK.

Updates for Network Agent software modules will be installed automatically.

Assigning distribution points automatically

We recommend that you assign distribution points automatically. Kaspersky Security Center will then select on its own which devices must be assigned distribution points.

To assign distribution points automatically:

1. Open the main application window.
2. In the console tree, select the node with the name of the Administration Server for which you want to assign distribution points automatically.
3. In the context menu of the Administration Server, click Properties.
4. In the Administration Server properties window, in the Sections pane select Distribution points.
5. In the right part of the window, select the Automatically assign distribution points option.

   If automatic assignment of devices as distribution points is enabled, you cannot configure distribution points manually or edit the list of distribution points.

6. Click OK.

Administration Server assigns and configures distribution points automatically.

Assigning a device a distribution point manually

Expand all | Collapse all

Kaspersky Security Center allows you to assign devices to act as distribution points.

We recommend that you assign distribution points automatically. In this case, Kaspersky Security Center will select on its own which devices must be assigned distribution points. However, if you have to opt out of assigning distribution points automatically for any reason (for example, if you want to use exclusively assigned servers), you can assign distribution points manually after you calculate their number and configuration.

Devices functioning as distribution points must be protected, including physical protection, against any unauthorized access.

To manually assign a device to act as distribution point:

1. In the console tree, select the Administration Server node.
2. In the context menu of the Administration Server, select Properties.
3. In the Administration Server properties window, select the Distribution points section and click the Add button. This button is available if Manually assign distribution points has been selected.

   The Add distribution point window opens.

4. In the Add distribution point window, perform the following actions:
   1. Select a device that will act as distribution point (select one in an administration group, or specify the IP address of a device). When selecting a device, keep in mind the operation features of distribution points and the requirements set for the device that acts as distribution point.
   2. Indicate the specific devices to which the distribution point will distribute updates. You can specify an administration group or a network location description.
5. Click OK.

   The distribution point that you have added will be displayed in the list of distribution points, in the Distribution points section.

6. Select the newly added distribution point in the list and click the Properties button to open its properties window.
7. Configure the distribution point in the properties window:
   • The General section contains the settings of interaction between the distribution point and client devices.
     • SSL port

       The number of the SSL port for encrypted connection between client devices and the distribution point using SSL.

       By default, port 13000 is used.

     • Use multicast

       If this option is enabled, IP multicasting will be used for automatic distribution of installation packages to client devices within the group.

       IP multicasting decreases the time required to install an application from an installation package to a group of client devices, but increases the installation time when you install an application to a single client device.

     • IP multicast address

       IP address that will be used for multicasting. You can define an IP address in the range of 224.0.0.0 – 239.255.255.255

       By default, Kaspersky Security Center automatically assigns a unique IP multicast address within the given range.

     • IP multicast port number

       Number of the port for IP multicasting.

       By default, the port number is 15001. If the device with Administration Server installed is specified as the distribution point, port 13001 is used for SSL connection by default.

     • Deploy updates

       Updates are distributed to managed devices from the following sources:

       • This distribution point, if this option is enabled.
       • Other distribution points, Administration Server, or Kaspersky update servers, if this option is disabled.

       If you use distribution points to deploy updates, you can save traffic because you reduce the number of downloads. Also, you can relieve the load on the Administration Server and relocate the load between the distribution points. You can calculate the number of distribution points for your network to optimize the traffic and load.

       If you disable this option, the number of update downloads and load on the Administration Server may increase. By default, this option is enabled.

     • Deploy installation packages

       Installation packages are distributed to managed devices from the following sources:

       • This distribution point, if this option is enabled.
       • Other distribution points, Administration Server, or Kaspersky update servers, if this option is disabled.

       If you use distribution points to deploy installation packages, you can save traffic because you reduce the number of downloads. Also, you can relieve the load on the Administration Server and relocate the load between the distribution points. You can calculate the number of distribution points for your network to optimize the traffic and load.

       If you disable this option, the number of installation package downloads and load on the Administration Server may increase. By default, this option is enabled.

     • Use this distribution point as a push server

       In Kaspersky Security Center, a distribution point can work as a push server for the devices managed through the mobile protocol. For example, a push server must be enabled if you want to be able to force synchronization of KasperskyOS devices with Administration Server. A push server has the same scope of managed devices as the distribution point on which the push server is enabled. If you have several distribution points assigned for the same administration group, you can enable push server on each of the distribution points. In this case, Administration Server balances the load between the distribution points.

       If you manage devices with KasperskyOS installed, or plan to do so, you must use a distribution point as a push server. You can also use a distribution point as a push server if you want to send push notifications to client devices.

     • Push server port

       The port on the distribution point that client devices will use for connection. By default, port 13295 is used.

   • In the Scope section, specify the scope to which the distribution point will distribute updates (administration groups and / or network location).
   • In the KSN Proxy section, you can configure the application to use the distribution point to forward KSN requests from the managed devices.
     • Enable KSN Proxy on distribution point side

       The KSN proxy service is run on the device that is used as a distribution point. Use this feature to redistribute and optimize traffic on the network.

       The distribution point sends the KSN statistics, which are listed in the Kaspersky Security Network statement, to Kaspersky. By default, the KSN statement is located in %ProgramFiles%\Kaspersky Lab\Kaspersky Security Center\ksneula.

       By default, this option is disabled. Enabling this option takes effect only if the Use Administration Server as a proxy server and I agree to use Kaspersky Security Network options are enabled in the Administration Server properties window.

       You can assign a node of an active-passive cluster to a distribution point and enable KSN proxy server on this node.

     • Forward KSN requests to Administration Server

       The distribution point forwards KSN requests from the managed devices to the Administration Server.

       By default, this option is enabled.

     • Access KSN Cloud / Private KSN directly over Internet

       The distribution point forwards KSN requests from managed devices to the KSN Cloud or Private KSN. The KSN requests generated on the distribution point itself are also sent directly to the KSN Cloud or Private KSN.

       The distribution points that have Network Agent version 11 (or earlier) installed cannot access Private KSN directly. If you want to reconfigure the distribution points to send KSN requests to Private KSN, enable the Forward KSN requests to Administration Server option for each distribution point.

       The distribution points that have Network Agent version 12 (or later) installed can access Private KSN directly.

     • Ignore KSC proxy server settings when connecting to Private KSN

       Enable this option, if you have the proxy server settings configured in the distribution point properties or in the Network Agent policy, but your network architecture requires that you use Private KSN directly. Otherwise, requests from the managed applications cannot reach Private KSN.

       This option is available if you select the Access KSN Cloud / Private KSN directly over the Internet option.

     • TCP port

       The number of the TCP port that the managed devices will use to connect to KSN proxy server. The default port number is 13111.

     • UDP port

       If you need the managed devices to connect to KSN proxy server through a UDP port, enable the Use UDP port option and specify a UDP port number. By default, this option is enabled. The default UDP port to connect to the KSN proxy server is 15111.

   • In the Device discovery section, configure the polling of Windows domains, Active Directory, and IP ranges by the distribution point.
     • Windows domains

       You can enable device discovery for Windows domains and set the schedule for the discovery.

     • Active Directory

       You can enable network polling for Active Directory and set the schedule for the poll.

       If you select the Enable Active Directory polling check box, you can select one of the following options:

       • Poll current Active Directory domain.
       • Poll Active Directory domain forest.
       • Poll selected Active Directory domains only. If you select this option, add one or more Active Directory domains to the list.
     • IP ranges

       You can enable device discovery for IP ranges.

       If you select the Enable range polling check box, you can add scan ranges and set the schedule for them.

       You can add IP ranges to the list of scanned ranges.

   • In the Advanced section, specify the folder that the distribution point must use to store distributed data.
     • Use default folder

       If you select this option, the application uses the Network Agent installation folder on the distribution point.

     • Use specified folder

       If you select this option, in the field below, you can specify the path to the folder. It can be a local folder on the distribution point, or it can be a folder on any device on the corporate network.

       The user account used on the distribution point to run Network Agent must have read/write access to the specified folder.

The selected devices act as distribution points.

Only devices running a Windows operating system can determine their network location. Network location cannot be determined for devices running other operating systems.

Removing a device from the list of distribution points

To remove a device from the list of distribution points:

1. In the console tree, select the Administration Server node.
2. In the context menu of the Administration Server, select Properties.
3. In the Administration Server properties window, in the Distribution points section, select the device that acts as distribution point, and click the Remove button.

The device will be removed from the list of distribution points and will stop acting as distribution point.

You cannot remove a device from the list of distribution points if it was assigned by the Administration Server automatically.

Downloading updates by distribution points

Kaspersky Security Center allows distribution points to receive updates from the Administration Server, Kaspersky servers, or from a local or network folder.

To configure update download for a distribution point:

1. In the console tree, select the Administration Server node.
2. In the context menu of the Administration Server, select Properties.
3. In the Administration Server properties window, in the Distribution points section, select the distribution point through which updates will be delivered to client devices in the group.
4. Click the Properties button to open the properties window of the selected distribution point.
5. In the distribution point properties window, select the Sources of updates section.
6. Select an update source for the distribution point:
   • To allow the distribution point to receive updates from the Administration Server, select Retrieve from Administration Server:
     • Download diff files

       This option enables the downloading diff files feature.

       By default, this option is enabled.

   • To allow the distribution point to receive updates by using a task, select Use task for forced download of updates:
     • Click the Browse button if such a task already exists on the device, and select the task in the list that appears.
     • Click the New task button to create a task if no such task yet exists on the device. The Add Task Wizard starts. Follow the instructions of the Wizard.

     The Download updates to the repositories of distribution points task is a local task. You have to create a new task for each device that acts as distribution point.

The distribution point will receive updates from the specified source.

Deleting software updates from the repository

To delete software updates from the Administration Server repository:

1. In the Advanced → Application management folder in the console tree, select the Software updates subfolder.
2. In the workspace of the Software updates folder, select the update that you want to delete.
3. In the context menu of the update, select Delete update files.

Software updates will be deleted from the Administration Server repository.

Patch installation for a Kaspersky application in cluster mode

Kaspersky Security Center only supports manual installation of patches for Kaspersky applications in cluster mode.

To install a patch for a Kaspersky application:

1. Download the patch to each node of the cluster.
2. Run patch installation on the active node.
3. Wait for the patch to be successfully installed.
4. Run the patch on all subnodes of the cluster consecutively.

   If you are running the patch from the command line, use the -CLUSTER_SECONDARY_NODE key.

   The patch is now installed on all nodes of the cluster.

5. Run the Kaspersky cluster services manually.

Every node of the cluster is displayed in Administration Console as a device with Network Agent installed.

For information about installed patches, see the Software updates folder or the report on the versions of updates for software modules of Kaspersky applications.