Kaspersky Security Center 13.1

Monitoring and reporting

This section describes the monitoring and reporting capabilities of Kaspersky Security Center. These capabilities give you an overview of your infrastructure, protection statuses, and statistics.

After Kaspersky Security Center deployment or during the operation, you can configure the monitoring and reporting features to best suit your needs.

  • Traffic lights

    Administration Console allows you to quickly assess the current status of Kaspersky Security Center and managed devices by checking traffic lights.

  • Statistics

    Statistics on the status of the protection system and managed devices are displayed in information panels that can be customized.

  • Reports

    The Reports feature allows you to get detailed numerical information about the security of your organization's network, save this information to a file, send it by email, and print it.

  • Events

    Event selections provide an onscreen view of named sets of events that are selected from the Administration Server database. These sets of events are grouped according to the following categories:

    • By importance level—Critical events, Functional failures, Warnings, and Info events
    • By time—Recent events
    • By type—User requests and Audit events

You can create and view user-defined event selections based on the settings that are available for configuration in the Kaspersky Security Center 13.1 Web Console interface.

In this section

Scenario: Monitoring and reporting

Monitoring traffic lights and logged events in Administration Console

Working with reports, statistics, and notifications

Monitoring of applications installation and uninstallation

Event types

Blocking frequent events

Controlling changes in the status of virtual machines

Monitoring the anti-virus protection status using information from the system registry

Viewing and configuring the actions when devices show inactivity

Disabling Kaspersky announcements

Scenario: Monitoring and reporting

This section provides a scenario for configuring the monitoring and reporting feature in Kaspersky Security Center.

Prerequisites

After you deploy Kaspersky Security Center in an organization's network, you can start to monitor it and generate reports on its functioning.

Stages

Monitoring and reporting in an organization's network proceeds in stages:

  1. Configuring the switching of device statuses

    Get acquainted with the settings that define the assignment of device statuses depending on specific conditions. By changing these settings, you can change the number of events with Critical or Warning importance levels.

    When configuring the switching of device statuses, be sure that the new settings do not conflict with the information security policies of your organization and that you are able to react to important security events in your organization's network in a timely manner.

  2. Configuring notifications about events on client devices

    Configure notification (by email, by SMS, or by running an executable file) of events on client devices in accordance with your organization's needs.

  3. Changing the response of your security network to the Virus outbreak event

    To adjust the network's response to new events, you can change the specific thresholds in the Administration Server properties. You can also create a stricter policy that will be activated, or create a task that will be run at the occurrence of this event.

  4. Managing statistics

    Configure the display of statistics in accordance with your organization's needs.

  5. Reviewing the security status of your organization's network

    To review the security status of your organization's network, you can do any of the following:

  6. Locating client devices that are not protected

    To locate client devices that are not protected, go to the workspace of the Administration Server node, on the Statistics tab open the Protection status second-level tab (page), and review the History of discovery of new networked devices information panel. You can also generate and review the Report on protection deployment.

  7. Checking protection of client devices

    To check protection of client devices, go to the workspace of the Administration Server node, on the Statistics tab open the Deployment or Threat statistics second-level tab (page), and review the relevant information panels. You can also start and review the Critical events event selection.

  8. Evaluating and limiting the event load on the database

    Information about events that occur during operation of managed applications is transferred from a client device and registered in the Administration Server database. To reduce the load on the Administration Server, evaluate and limit the maximum number of events that can be stored in the database.

    To evaluate the event load on the database, calculate the database space. You can also limit the maximum number of events to avoid database overflow.

  9. Reviewing license information

    To review license information, go to the workspace of the Administration Server node, on the Statistics tab open the Deployment second-level tab (page), and review the License key usage information panel. You can also generate and review the Report on usage of license keys.

Results

Upon completion of the scenario, you are informed about protection of your organization's network and, thus, can plan actions for further protection.

Monitoring traffic lights and logged events in Administration Console

Administration Console allows you to quickly assess the current status of Kaspersky Security Center and managed devices by checking traffic lights. The traffic lights are shown in the workspace of the Administration Server node, on the Monitoring tab. The tab provides six information panels with traffic lights and logged events. A traffic light is a colored vertical bar on the left side of a panel. Each panel with a traffic light corresponds to a specific functional scope of Kaspersky Security Center (see the table below).

Scopes covered by traffic lights in Administration Console

| Panel name | Traffic light scope |
|---|---|
| Deployment | Installing Network Agent and security applications on devices on an organization's network |
| Management scheme | Structure of administration groups. Network scanning. Device moving rules |
| Protection settings | Security application functionality: protection status, virus scanning |
| Update | Updates and patches |
| Monitoring | Protection status |
| Administration Server | Administration Server features and properties |

Each traffic light can be any of these five colors (see the table below). The color of a traffic light depends on the current status of Kaspersky Security Center and on events that were logged.

Color codes of traffic lights

| Status | Traffic light color | Traffic light color meaning |
|---|---|---|
| Informational | Green | Administrator's intervention is not required. |
| Warning | Yellow | Administrator's intervention is required. |
| Critical | Red | Serious problems have been encountered. Administrator's intervention is required to solve them. |
| Informational | Light blue | Events have been logged that are unrelated to potential or actual threats to the security of managed devices. |
| Informational | Gray | The details of events are not available or have not yet been retrieved. |

The administrator's goal is to keep traffic lights on all of the information panels on the Monitoring tab green.

The information panels also show logged events that affect traffic lights and the status of Kaspersky Security Center (see the table below).

Name, description, and traffic light colors of logged events

| Traffic light color | Event type display name | Event type | Description |
|---|---|---|---|
| Red | License expired on %1 device(s) | IDS_AK_STATUS_LIC_EXPAIRED | Events of this type occur when the commercial license has expired. Once a day Kaspersky Security Center checks whether the license has expired on the devices. When the commercial license expires, Kaspersky Security Center provides only basic functionality. To continue using Kaspersky Security Center, renew your commercial license. |
| Red | Security application is not running on: %1 device(s) | IDS_AK_STATUS_AV_NOT_RUNNING | Events of this type occur when the security application installed on the device is not running. Make sure that Kaspersky Endpoint Security is running on the device. |
| Red | Protection is disabled on: %1 device(s) | IDS_AK_STATUS_RTP_NOT_RUNNING | Events of this type occur when the security application on the device has been disabled for longer than the specified time interval. Check the current status of real-time protection on the device and make sure that all the protection components that you need are enabled. |
| Red | A software vulnerability has been detected on devices | IDS_AK_STATUS_VULNERABILITIES_FOUND | Events of this type occur when the Find vulnerabilities and required updates task has detected vulnerabilities with the severity level specified in applications installed on the device. Check the list of available updates in the Software updates subfolder included in the Application management folder. This folder contains a list of updates for Microsoft applications and other software vendors' products retrieved by Administration Server, which can be distributed to devices. After viewing information about available updates, install them on the device. |
| Red | Critical events have been registered on the Administration Server | IDS_AK_STATUS_EVENTS_OCCURED | Events of this type occur when Administration Server critical events are detected. Check the list of events stored on the Administration Server, and then fix the critical events one by one. |
| Red | Errors have been logged in events on the Administration Server | IDS_AK_STATUS_ERROR_EVENTS_OCCURED | Events of this type occur when unexpected errors are logged on the Administration Server side. Check the list of events stored on the Administration Server, and then fix the errors one by one. |
| Red | Lost connection to %1 device(s) | IDS_AK_STATUS_ADM_LOST_CONTROL1 | Events of this type occur when the connection between the Administration Server and the device is lost. View the list of disconnected devices and try to reconnect them. |
| Red | %1 device (s) have not connected to the Administration Server in a long time | IDS_AK_STATUS_ADM_NOT_CONNECTED1 | Events of this type occur when the device has not connected to the Administration Server within the specified time interval, because the device was turned off. Make sure that the device is turned on and that Network Agent is running. |
| Red | %1 device(s) have a status other than OK | IDS_AK_STATUS_HOST_NOT_OK | Events of this type occur when the OK status of the device connected to the Administration Server changes to Critical or Warning. You can troubleshoot the problem by using the Kaspersky Security Center remote diagnostics utility. |
| Red | Databases are outdated on: %1 device(s) | IDS_AK_STATUS_UPD_HOSTS_NOT_UPDATED | Events of this type occur when the anti-virus databases have not been updated on the device within the specified time interval. Follow the instructions to update Kaspersky databases. |
| Red | Device(s) where check for Windows Update updates has not been performed in a long time: %1 | IDS_AK_STATUS_WUA_DATA_OBSOLETE | Events of this type occur when the Perform Windows Update synchronization task has not been run within the specified time interval. Follow the instructions to synchronize updates from Windows Update with Administration Server. |
| Red | %n plug-in(s) for Kaspersky Security Center 13.1 must be installed | IDS_AK_STATUS_PLUGINS_REQUIRED | Events of this type occur when you need to install additional plug-ins for Kaspersky applications. Download and install the required management plug-ins for the Kaspersky application from the Kaspersky Technical Support webpage. |

Working with reports, statistics, and notifications

This section provides information about how to work with reports, statistics, and selections of events and devices in Kaspersky Security Center, as well as how to configure Administration Server notifications.

In this section

Working with reports

Managing statistics

Configuring event notification

Creating a certificate for an SMTP server

Event selections

Device selections

Working with reports

Reports in Kaspersky Security Center contain information about the status of managed devices. Reports are generated based on information stored on Administration Server. You can create reports for the following types of objects:

  • For device selections created according to specific settings.
  • For administration groups.
  • For specific devices from different administration groups.
  • For all devices on the network (in the deployment report).

The application has a selection of standard report templates. It is also possible to create custom report templates. Reports are displayed in the main application window, in the Administration Server folder in the console tree.

In this section

Creating a report template

Viewing and editing report template properties

Extended filter format in report templates

Creating and viewing a report

Saving a report

Creating a report delivery task

See also:

Scenario: Deployment for cloud environment

Creating a report template

To create a report template:

  1. In the console tree, select the node with the name of the required Administration Server.
  2. In the workspace of the node, select the Reports tab.
  3. Click the New report template button.

The New Report Template Wizard starts. Follow the instructions of the Wizard.

After the Wizard finishes its operation, the newly created report template is added to the selected Administration Server folder in the console tree. You can use this template for generating and viewing reports.

Viewing and editing report template properties

You can view and edit basic properties of a report template, for example, the report template name or the fields displayed in the report.

To view and edit properties of a report template:

  1. In the console tree, select the node with the name of the required Administration Server.
  2. In the workspace of the node, select the Reports tab.
  3. In the list of report templates, select the required report template.
  4. In the context menu of the selected report template, select Properties.

    As an alternative, you can first generate the report, and then click either the Open report template properties button or the Configure report columns button.

  5. In the window that opens, edit the report template properties. Properties of each report may contain only some of the sections described below.
    • General section:
      • Report template name
      • Maximum number of entries to display

        If this option is enabled, the number of entries displayed in the table with detailed report data does not exceed the specified value.

        Report entries are first sorted according to the rules specified in the Fields → Details fields section of the report template properties, and then only the first of the resulting entries are kept. The heading of the table with detailed report data shows the displayed number of entries and the total available number of entries that match other report template settings.

        If this option is disabled, the table with detailed report data displays all available entries. We do not recommend that you disable this option. Limiting the number of displayed report entries reduces the load on the database management system (DBMS) and reduces the time required for generating and exporting the report. Some of the reports contain too many entries. If this is the case, you may find it difficult to read and analyze them all. Also, your device may run out of memory while generating such a report and, consequently, you will not be able to view the report.

        By default, this option is enabled. The default value is 1000.

      • Print version

        The report output is optimized for printing: space characters are added between some values for better visibility.

        By default, this option is enabled.

    • Fields section.

      Select the fields that will be displayed in the report, and the order of these fields, and configure whether the information in the report must be sorted and filtered by each of the fields.

    • Time interval section.

      Modify the report period. Available values are as follows:

      • Between the two specified dates
      • From the specified date to the report creation date
      • From the report creation date, minus the specified number of days, to the report creation date
    • Group, Device selection, or Devices section.

      Change the set of client devices for which the report is created. Only one of these sections may be present, depending on the settings specified during the report template creation.

    • Settings section.

      Change the settings of the report. The exact set of settings depends on the specific report.

    • Security section:
      • Inherit settings from Administration Server

        If this option is enabled, security settings of the report are inherited from the Administration Server.

        If this option is disabled, you can configure security settings for the report. You can assign a role to a user or a group of users or assign permissions to a user or a group of users, as applied to the report.

        By default, this option is enabled.

      The Security section is available if the Display security settings sections check box is selected in the interface settings window.

    • Hierarchy of Administration Servers section:
      • Include data from secondary and virtual Administration Servers

        If this option is enabled, the report includes the information from the secondary and virtual Administration Servers that are subordinate to the Administration Server for which the report template is created.

        Disable this option if you want to view data only from the current Administration Server.

        By default, this option is enabled.

      • Up to nesting level

        The report includes data from secondary and virtual Administration Servers that are located under the current Administration Server on a nesting level that is less than or equal to the specified value.

        The default value is 1. You may want to change this value if you have to retrieve information from secondary Administration Servers located at lower levels in the tree.

      • Data wait interval (min)

        Before generating the report, the Administration Server for which the report template is created waits for data from secondary Administration Servers for the specified number of minutes. If no data is received from a secondary Administration Server at the end of this period, the report runs anyway. Instead of the actual data, the report shows data taken from the cache (if the Cache data from secondary Administration Servers option is enabled), or N/A (not available) otherwise.

        The default value is 5 (minutes).

      • Cache data from secondary Administration Servers

        Secondary Administration Servers regularly transfer data to the Administration Server for which the report template is created. There, the transferred data is stored in the cache.

        If the current Administration Server cannot receive data from a secondary Administration Server while generating the report, the report shows data taken from the cache. The date when the data was transferred to the cache is also displayed.

        Enabling this option allows you to view the information from secondary Administration Servers even if the up-to-date data cannot be retrieved. However, the displayed data can be obsolete.

        By default, this option is disabled.

      • Cache update frequency (h)

        Secondary Administration Servers transfer data at regular intervals to the Administration Server for which the report template is created. You can specify this period in hours. If you specify 0 hours, data is transferred only when the report is generated.

        The default value is 0.

      • Transfer detailed information from secondary Administration Servers

        In the generated report, the table with detailed report data includes data from secondary Administration Servers of the Administration Server for which the report template is created.

        Enabling this option slows the report generation and increases traffic between Administration Servers. However, you can view all data in one report.

        Instead of enabling this option, you may want to analyze detailed report data to detect a faulty secondary Administration Server, and then generate the same report only for that faulty Administration Server.

        By default, this option is disabled.

Extended filter format in report templates

In Kaspersky Security Center 13.1, you can apply the extended filter format to a report template. The extended filter format provides more flexibility in comparison with the default format. You can create complex filtering conditions by using a set of filters, which will be applied to the report by means of the OR logical operator during report creation, as shown below:

Filter[1](Field[1] AND Field[2]... AND Field[n]) OR Filter[2](Field[1] AND Field[2]... AND Field[n]) OR... Filter[n](Field[1] AND Field[2]... AND Field[n])

Additionally, with the extended filter format you can set a time interval value in a relative time format (for example, by using a "For last N days" condition) for specific fields in a filter. The availability and the set of time interval conditions depend on the type of the report template.
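
The OR-of-ANDs evaluation and the relative "For last N days" condition described above, modeled in Python as an added example (not Kaspersky code; the field names, filter names and rows are constructed for illustration). It also shows that a relative condition is re-evaluated against the report creation time, so the same template selects different rows on different days.

```python
from datetime import datetime, timedelta


def equals(expected):
    """Field condition: exact match on the field value."""
    return lambda value, now: value == expected


def for_last_days(days):
    """Relative-time condition: value lies within `days` days before `now`."""
    def check(value, now):
        return now - timedelta(days=days) <= value <= now
    return check


def filter_matches(conditions, row, now):
    """One filter matches only if every field condition holds (AND).

    A row that lacks a field named in the filter does not match it.
    """
    return all(
        field in row and check(row[field], now)
        for field, check in conditions.items()
    )


def select(filters, rows, now):
    """Keep rows matched by at least one filter (OR).

    Returns (row, [names of matching filters]) pairs so that
    overlapping filters are visible.
    """
    selected = []
    for row in rows:
        hits = [name for name, conditions in filters.items()
                if filter_matches(conditions, row, now)]
        if hits:
            selected.append((row, hits))
    return selected


# Constructed sample data: hypothetical field names and rows, not real
# Kaspersky Security Center report columns.
REPORT_TIME = datetime(2021, 9, 15, 12, 0)


def days_ago(days):
    return REPORT_TIME - timedelta(days=days)


ROWS = [
    {"device": "WS-001", "severity": "Critical", "group": "Finance", "event_time": days_ago(1)},
    {"device": "WS-002", "severity": "Warning", "group": "Finance", "event_time": days_ago(2)},
    {"device": "SRV-01", "severity": "Critical", "group": "Servers", "event_time": days_ago(20)},
    {"device": "SRV-02", "severity": "Warning", "group": "Servers", "event_time": days_ago(3)},
    {"device": "SRV-03", "severity": "Critical", "group": "Servers", "event_time": days_ago(2)},
    {"device": "WS-003", "severity": "Info", "group": "HR"},  # no timestamp recorded
]

# Filter[1](severity AND event_time) OR Filter[2](group AND event_time)
FILTERS = {
    "Recent criticals": {
        "severity": equals("Critical"),
        "event_time": for_last_days(7),
    },
    "Server events, 30 days": {
        "group": equals("Servers"),
        "event_time": for_last_days(30),
    },
}


def matched_devices(now):
    """Map each selected device to the names of the filters it matched."""
    return {row["device"]: hits for row, hits in select(FILTERS, ROWS, now)}


if __name__ == "__main__":
    for label, now in (("report created today", REPORT_TIME),
                       ("report created 15 days later", REPORT_TIME + timedelta(days=15))):
        print(label)
        for device, hits in matched_devices(now).items():
            print(f"  {device}: {', '.join(hits)}")
```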

In this section

Converting the filter into the extended format

Configuring the extended filter

Converting the filter into the extended format

The extended filter format for report templates is supported only in Kaspersky Security Center 12 and later versions. After conversion of the default filter into the extended format, the report template becomes incompatible with Administration Servers on your network that have earlier versions of Kaspersky Security Center installed. Information from these Administration Servers will not be received for the report.

To convert the report template default filter into the extended format:

  1. In the console tree, select the node with the name of the required Administration Server.
  2. In the workspace of the node, select the Reports tab.
  3. In the list of report templates, select the required report template.
  4. In the context menu of the selected report template, select Properties.
  5. In the properties window that opens, select the Fields section.
  6. In the Details fields tab click the Convert filter link.
  7. In the window that opens, click the OK button.

    Conversion into the extended filter format is irreversible for the report template to which it is applied. If you clicked the Convert filter link accidentally, you can cancel the changes by clicking the Cancel button in the report template properties window.

  8. To apply the changes, close the report template properties window by clicking the OK button.

    When the report template properties window opens again, the newly available Filters section is displayed. In this section you can configure the extended filter.

Configuring the extended filter

To configure the extended filter in the report template properties:

  1. In the console tree, select the node with the name of the required Administration Server.
  2. In the workspace of the node, select the Reports tab.
  3. In the list of report templates, select the report template that was previously converted to extended filter format.
  4. In the context menu of the selected report template, select Properties.
  5. In the properties window that opens, select the Filters section.

    The Filters section is not displayed if the report template was not previously converted to extended filter format.

    In the Filters section of the report template properties window you can review and modify the list of filters applied to the report. Each filter in the list has a unique name and represents a set of filters for corresponding fields in the report.

  6. Open the filter settings window in one of the following ways:
    • To create a new filter, click the Add button.
    • To modify the existing filter, select the required filter and click the Modify button.
  7. In the window that opens, select and specify the values of the required fields of the filter.
  8. Click the OK button to save changes and close the window.

    If you are creating a new filter, the filter name must be specified in the Filter name field before clicking the OK button.

  9. Close the report template properties window by clicking the OK button.

    The extended filter in the report template is configured. Now you can create reports by using this report template.

Creating and viewing a report

To create and view a report:

  1. In the console tree, select the node with the name of the required Administration Server.
  2. In the workspace of the node, select the Reports tab.
  3. In the list of report templates, double-click the report template that you need.

    A report for the selected template is displayed.

The report displays the following data:

  • The name and type of report, a brief description and the reporting period, as well as information about the group of devices for which the report is generated.
  • Graph chart showing the most representative report data.
  • Consolidated table with calculated report indicators.
  • Table with detailed report data.

See also:

Scenario: Updating third-party software

Scenario: Monitoring and reporting

Saving a report

To save a created report:

  1. In the console tree, select the node with the name of the required Administration Server.
  2. In the workspace of the node, select the Reports tab.
  3. In the list of report templates, select the report template that you need.
  4. In the context menu of the selected report template, select Save.

The Report Saving Wizard starts. Follow the instructions of the Wizard.

After the Wizard finishes, the folder to which you saved the report file opens.

Creating a report delivery task

Reports can be emailed. Delivery of reports in Kaspersky Security Center is carried out using the report delivery task.

To create a delivery task for a single report:

  1. In the console tree, select the node with the name of the required Administration Server.
  2. In the workspace of the node, select the Reports tab.
  3. In the list of report templates, select the report template that you need.
  4. In the context menu of the selected report template, select Deliver reports.

The Report Delivery Task Creation Wizard starts. Follow the instructions of the Wizard.

To create a delivery task for multiple reports:

  1. In the console tree, under the node with the name of the required Administration Server, select the Tasks folder.
  2. In the workspace of the Tasks folder, click the Create a task button.

The Add Task Wizard starts. Follow the instructions of the Wizard.

The newly created report delivery task is displayed in the Tasks folder in the console tree.

The report delivery task is created automatically if the email settings were specified during Kaspersky Security Center installation.

In this section

Step 1. Selecting the task type

Step 2. Selecting the report type

Step 3. Actions on a report

Step 4. Selecting the account to start the task

Step 5. Configuring a task schedule

Step 6. Defining the task name

Step 7. Completing creation of the task

Step 1. Selecting the task type

In the Select the task type window, in the list of tasks select Deliver reports as the task type.

Click Next to proceed to the next step.

Step 2. Selecting the report type

In the Select report type window, in the list of task creation templates, select the type of report.

Click Next to proceed to the next step.

Step 3. Actions on a report

In the Action to apply to reports window, specify the following settings:

  • Send reports by email

    If this option is enabled, the application sends generated reports by email.

    You can configure the report sending by email by clicking the Email notification settings link. The link is available if this option is enabled.

    If this option is disabled, the application saves reports in the specified folder to store them.

    By default, this option is disabled.

  • Save reports to shared folder

    If this option is enabled, the application saves reports to the folder that is specified in the field under the check box. To save reports to a shared folder, specify the UNC path to the folder. In this case, in the Selecting an account to run the task window, you must specify the user account and password for accessing this folder.

    If this option is disabled, the application does not save reports to the folder and sends them by email instead.

    By default, this option is disabled.

  • Overwrite older reports of the same type

    If this option is enabled, the new report file at each task startup overwrites the file that was saved in the reports folder at the previous task startup.

    If this option is disabled, report files will not be overwritten. A new report file is stored in the reports folder at each task run.

    This check box is available if the Save report to folder check box is selected.

    By default, this option is disabled.

  • Specify account for access to shared folder

    If this option is enabled, you can specify the account under which the report will be saved to the folder. If a UNC path to a shared folder is specified as the Save report to folder setting in the Action to be applied to report window, you must specify the user account and password for accessing this folder.

    If this option is disabled, the report is saved to the folder under the account of Administration Server.

    The check box is available if the Save report to folder check box is selected.

    By default, this option is disabled.

Click Next to proceed to the next step.

Step 4. Selecting the account to start the task

In the Selecting an account to run the task window, you can specify which account to use when running the task. Select one of the following options:

  • Default account

    The task will be run under the same account as the application that performs this task.

    By default, this option is selected.

  • Specify account

    Fill in the Account and Password fields to specify the details of an account under which the task is run. The account must have sufficient rights for this task.

    • Account

      Account under which the task is run.

    • Password

      Password of the account under which the task will be run.

Click Next to proceed to the next step.

Step 5. Configuring a task schedule

On the Configure task schedule Wizard page, you can create a schedule for task start. If necessary, define the following settings:

  • Scheduled start:

    Select the schedule according to which the task runs, and configure the selected schedule.

    • Every N hours

      The task runs regularly, with the specified interval in hours, starting from the specified date and time.

      By default, the task runs every six hours, starting from the current system date and time.

    • Every N days

      The task runs regularly, with the specified interval in days. Additionally, you can specify a date and time of the first task run. These additional options become available, if they are supported by the application for which you create the task.

      By default, the task runs every day, starting from the current system date and time.

    • Every N weeks

      The task runs regularly, with the specified interval in weeks, on the specified day of week and at the specified time.

      By default, the task runs every Monday at the current system time.

    • Every N minutes

      The task runs regularly, with the specified interval in minutes, starting from the specified time on the day that the task is created.

      By default, the task runs every 30 minutes, starting from the current system time.

    • Daily (daylight saving time is not supported)

      The task runs regularly, with the specified interval in days. This schedule does not support observance of daylight saving time (DST). It means that when clocks jump one hour forward or backward at the beginning or ending of DST, the actual task start time does not change.

      We do not recommend that you use this schedule. It is needed for backward compatibility of Kaspersky Security Center.

      By default, the task starts every day at the current system time.

    • Weekly

      The task runs every week on the specified day and at the specified time.

    • By days of week

      The task runs regularly, on the specified days of week, at the specified time.

      By default, the task runs every Friday at 6:00:00 PM.

    • Monthly

      The task runs regularly, on the specified day of the month, at the specified time.

      In months that lack the specified day, the task runs on the last day.

      By default, the task runs on the first day of each month, at the current system time.

    • Manually

      The task does not run automatically. You can only start it manually.

      By default, this option is enabled.

    • Every month on specified days of selected weeks

      The task runs regularly, on the specified days of each month, at the specified time.

      By default, no days of month are selected; the default start time is 6:00:00 PM.

    • On virus outbreak

      The task runs after a Virus outbreak event occurs. Select application types that will monitor virus outbreaks. The following application types are available:

      • Anti-virus for workstations and file servers
      • Anti-virus for perimeter defense
      • Anti-virus for mail systems

      By default, all application types are selected.

      You may want to run different tasks depending on the anti-virus application type that reports a virus outbreak. In this case, remove the selection of the application types that you do not need.

    • On completing another task

      The current task starts after another task completes. You can select how the previous task must complete (successfully or with error) to trigger the start of the current task. For example, you may want to run the Manage devices task with the Turn on the device option and, after it completes, run the Virus scan task.

  • Run missed tasks

    This option determines the behavior of a task if a client device is not visible on the network when the task is about to start.

    If this option is enabled, the system attempts to start the task the next time the Kaspersky application is run on the client device. If the task schedule is Manually, Once or Immediately, the task is started immediately after the device becomes visible on the network or immediately after the device is included in the task scope.

    If this option is disabled, only scheduled tasks run on client devices; for Manually, Once and Immediately, tasks run only on those client devices that are visible on the network. For example, you may want to disable this option for a resource-consuming task that you want to run only outside of business hours.

    By default, this option is enabled.

  • Use automatically randomized delay for task starts

    If this option is enabled, the task is started on client devices randomly within a specified time interval (a distributed task start). A distributed task start helps to avoid a large number of simultaneous requests by client devices to the Administration Server when a scheduled task is running.

    The distributed start time is calculated automatically when a task is created, depending on the number of client devices to which the task is assigned. Later, the task is always started on the calculated start time. However, when task settings are edited or the task is started manually, the calculated value of the task start time changes.

    If this option is disabled, the task starts on client devices according to the schedule.

  • Use randomized delay for task starts within an interval of (min)

    If this option is enabled, the task is started on client devices randomly within the specified time interval. A distributed task start helps to avoid a large number of simultaneous requests by client devices to the Administration Server when a scheduled task is running.

    If this option is disabled, the task starts on client devices according to the schedule.

    By default, this option is disabled. The default time interval is one minute.


Step 6. Defining the task name

In the Define the task name window, specify the name for the task that you are creating. A task name cannot be more than 100 characters long and cannot include any special characters ("*<>?\:|).

Click Next to proceed to the next step.


Step 7. Completing creation of the task

In the Finish task creation window, click the Finish button to finish the wizard.

If you want the task to start as soon as the wizard finishes, select the Run the task after the Wizard finishes check box.


Managing statistics

Statistics on the status of the protection system and managed devices are displayed in information panels that can be customized. Statistics are displayed in the workspace of the Administration Server node on the Statistics tab. The tab contains some second-level tabs (pages). Each tabbed page displays information panels with statistics, as well as links to corporate news and other materials from Kaspersky. The statistical information is displayed in information panels as a table or chart (pie or bar). The data in the information panels is updated while the application is running and reflects the current state of the protection application.

You can modify the set of second-level tabs on the Statistics tab, the number of information panels on each tabbed page, and the data display mode in information panels.

To add a new second-level tab with information panels on the Statistics tab:

  1. Click the Customize view button in the upper right corner of the Statistics tab.

    The statistics properties window opens. This window contains a list of tabbed pages that are currently shown on the Statistics tab. In this window, you can change the display order for the pages on the tab, add and remove pages, and proceed to configuration of page properties by clicking the Properties button.

  2. Click the Add button.

    This opens the properties window of a new page.

  3. Configure the new page:
    • In the General section, specify the page name.
    • In the Information panels section, click the Add button to add information panels that must be displayed on the page.

      Click the Properties button in the Information panels section to set up the properties of information panels that you added: name, type, and appearance of the chart in the panel, as well as data required to plot the chart.

  4. Click OK.

The tabbed page with information panels that you have added appears on the Statistics tab. Click the settings icon to proceed instantly to configuration of the page or a selected information panel on that page.


Configuring event notification

Kaspersky Security Center allows you to select a method of notifying the administrator of events on client devices and to configure notification:

  • Email. When an event occurs, the application sends a notification to email addresses specified. You can edit the text of the notification.
  • SMS. When an event occurs, the application sends a notification to the phone numbers specified. You can configure SMS notifications to be sent through the mail gateway.
  • Executable file. When an event occurs on a device, the executable file is started on the administrator's workstation. Using the executable file, the administrator can receive the parameters of any event that has occurred.

To configure notification of events occurring on client devices:

  1. In the console tree, select the node with the name of the required Administration Server.
  2. In the workspace of the node, select the Events tab.
  3. Click the Configure notifications and event export link and select the Configure notifications value in the drop-down list.

    This opens the Properties: Events window.

  4. In the Notification section, select a notification method (by email, by SMS, or by running an executable file) and define the notification settings:
    • Email

      The Email tab allows you to configure email notifications for events.

      In the Recipients (email addresses) field, specify the email addresses to which the application will send notifications. You can specify multiple addresses in this field, by separating them with semicolons.

      In the SMTP servers field, specify mail server addresses, by separating them with semicolons. You can use the IP address or DNS name of the SMTP server as the address.

      In the SMTP server port field, specify the number of an SMTP server communication port. The default port number is 25.

      If you enable the Use DNS MX lookup option, you can use several MX records of the IP addresses for the same DNS name of the SMTP server. The same DNS name may have several MX records with different values of priority of receiving email messages. Administration Server attempts to send email notifications to the SMTP server in ascending order of MX records priority. By default, this option is disabled.

      If you enable the Use DNS MX lookup option and do not enable usage of TLS settings, we recommend that you use the DNSSEC settings on your server device as an additional measure of protection for sending email notifications.

      Click the Settings link to define additional notification settings:

      • Subject name (subject name of an email message)
      • Sender email address
      • ESMTP authentication settings

      You have to specify an account for authentication on an SMTP server if the ESMTP authentication option is enabled for the SMTP server.

      • TLS settings for the SMTP server:
        • Do not use TLS

          You can select this option if you want to disable encryption of email messages.

        • Use TLS if supported by SMTP server

          You can select this option if you want to use a TLS connection to an SMTP server. If the SMTP server does not support TLS, Administration Server connects to the SMTP server without using TLS.

        • Always use TLS, check the server certificate for validity

          You can select this option if you want to use TLS authentication settings. If the SMTP server does not support TLS, Administration Server cannot connect to the SMTP server.

          We recommend that you use this option for better protection of the connection with an SMTP server. If you select this option, you can set authentication settings for a TLS connection.

          If you choose the Always use TLS, check the server certificate for validity value, you can specify a certificate for authentication of the SMTP server and choose whether you want to enable communication through any version of TLS or only through TLS 1.2 or later versions. Also, you can specify a certificate for client authentication on the SMTP server.

          You can specify TLS settings for an SMTP server:

          • Browse for an SMTP server certificate file:

            You can receive a file with the list of certificates from a trusted certification authority and upload the file to Administration Server. Kaspersky Security Center checks whether the certificate of an SMTP server is also signed by a trusted certification authority. Kaspersky Security Center cannot connect to an SMTP server if the certificate of the SMTP server is not received from a trusted certification authority.

          • Browse for a client certificate file:

            You can use a certificate that you received from any source, for example, from any trusted certification authority. You must specify the certificate and its private key by using one of the following certificate types:

            • X-509 certificate:

              You must specify a file with the certificate and a file with the private key. The two files do not depend on each other, and the order in which they are loaded is not significant. When both files are loaded, you must specify the password for decoding the private key. The password can have an empty value if the private key is not encoded.

            • pkcs12 container:

              You must upload a single file that contains the certificate and its private key. When the file is loaded, you must then specify the password for decoding the private key. The password can have an empty value if the private key is not encoded.

      The Notification message field contains standard text with information about the event that the application sends when an event occurs. This text includes substitute parameters, such as event name, device name, and domain name. You can edit the message text by adding other substitute parameters with more relevant details of the event. The list of substitute parameters is available by clicking the button to the right of the field.

      If the notification text contains a percent sign (%), you have to type it twice in a row to allow message sending. For example, "CPU load is 100%%".

      Click the Configure numeric limit of notifications link to specify the maximum number of notifications that the application can send over the specified time interval.

      Click the Send test message button to check if you have configured notifications properly. The application should send a test notification to the email addresses that you specified.

    • SMS

      The SMS tab allows you to configure the transmission of SMS notifications of various events to a cell phone. SMS messages are sent through a mail gateway.

      In the Recipients (email addresses) field, specify the email addresses to which the application will send notifications. You can specify multiple addresses in this field, by separating them with semicolons. The notifications will be delivered to the phone numbers associated with the specified email addresses.

      In the SMTP servers field, specify mail server addresses, by separating them with semicolons. You can use the IP address or the Windows network name (NetBIOS name) of the device as the address.

      In the SMTP server port field, specify the number of an SMTP server communication port. The default port number is 25.

      Click the Settings link to define additional notification settings:

      • Subject name (subject name of an email message)
      • Sender email address
      • ESMTP authentication settings

      If necessary, you can specify an account for authentication on an SMTP server if the option of ESMTP authentication is enabled for the SMTP server.

      • TLS settings for an SMTP server

      You can disable usage of TLS, use TLS if the SMTP server supports this protocol, or you can force usage of TLS only. If you choose to use only TLS, you can specify a certificate for authentication of the SMTP server and choose whether you want to enable communication through any version of TLS or only through TLS 1.2 or later versions. Also, if you choose to use only TLS, you can specify a certificate for client authentication on the SMTP server.

      • Browse for an SMTP server certificate file

      You can receive a file with the list of certificates from a trusted certification authority and upload the file to Kaspersky Security Center. Kaspersky Security Center checks whether the certificate of the SMTP server is also signed by a trusted certification authority. Kaspersky Security Center cannot connect to the SMTP server if the certificate of the SMTP server is not received from a trusted certification authority.

      You must upload a single file that contains the certificate and its private key. When the file is loaded, you must then specify the password for decoding the private key. The password can have an empty value if the private key is not encoded.

      The Notification message field contains standard text with information about the event that the application sends when an event occurs. This text includes substitute parameters, such as event name, device name, and domain name. You can edit the message text by adding other substitute parameters with more relevant details of the event. The list of substitute parameters is available by clicking the button to the right of the field.

      If the notification text contains a percent sign (%), you have to type it twice in a row to allow message sending. For example, "CPU load is 100%%".

      Click the Configure numeric limit of notifications link to specify the maximum number of notifications that the application can send during the specified time interval.

      Click the Send test message button to check whether you configured notifications properly. The application should send a test notification to the recipient that you specified.

    • Executable file to be run

      If this notification method is selected, in the entry field you can specify the application that will start when an event occurs.

      Clicking the Configure numeric limit of notifications link allows you to specify the maximum number of notifications that the application can send during the specified time interval.

      Clicking the Send test message button allows you to check whether you configured notifications properly: the application sends a test notification to the email addresses that you specified.

  5. In the Notification message field, enter the text that the application will send when an event occurs.

    You can use the drop-down list to the right of the text field to add substitution settings with event details (for example, event description, or time of occurrence).

    If the notification text contains a percent (%), you must specify it twice in succession to allow message sending. For example, "CPU load is 100%%".

  6. Click the Send test message button to check whether notification has been configured correctly.

    The application sends a test notification to the specified user.

  7. Click OK to save the changes.

The adjusted notification settings are applied to all events that occur on client devices.

You can override notification settings for certain events in the Event configuration section of the Administration Server settings, of the policy settings, or of the application settings.
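The three TLS options for the SMTP server differ in what happens when the server does not offer TLS. The following Python example is added here and is not Kaspersky Security Center code: it models that decision for hosts taken in MX order, and probes a relay with certificate validation and a TLS 1.2 floor. The mode labels, function names, and `example.test` hosts are assumptions made for illustration.

```python
import smtplib
import ssl

# Hypothetical labels for the three console options:
#   "none"         = Do not use TLS
#   "if_supported" = Use TLS if supported by SMTP server
#   "always"       = Always use TLS, check the server certificate for validity
MODES = ("none", "if_supported", "always")

# Constructed sample data: MX records as (preference, host), and whether each
# host advertised STARTTLS in its EHLO reply.
SAMPLE_MX = [(20, "mx2.example.test"), (10, "mx1.example.test")]
SAMPLE_STARTTLS = {"mx1.example.test": False, "mx2.example.test": True}


def order_mx(records):
    """Return hosts in ascending order of MX preference (lowest value first)."""
    return [host for _pref, host in sorted(records)]


def transport_for(mode, starttls_advertised):
    """Decide how a session proceeds: 'tls', 'plaintext' or 'refuse'."""
    if mode not in MODES:
        raise ValueError(f"unknown mode: {mode!r}")
    if mode == "none":
        return "plaintext"
    if starttls_advertised:
        return "tls"
    # No STARTTLS offered: opportunistic mode falls back, strict mode fails closed.
    return "plaintext" if mode == "if_supported" else "refuse"


def delivery_plan(mx_records, mode, starttls_by_host):
    """List (host, transport) pairs in the order the hosts would be tried."""
    return [(host, transport_for(mode, starttls_by_host.get(host, False)))
            for host in order_mx(mx_records)]


def build_context(ca_file=None, tls12_only=True,
                  client_cert=None, client_key=None, key_password=None):
    """TLS context that validates the server certificate chain and host name."""
    ctx = ssl.create_default_context(cafile=ca_file)  # CERT_REQUIRED + hostname check
    if tls12_only:
        ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    if client_cert:
        # Optional client authentication: certificate file plus private key file.
        ctx.load_cert_chain(client_cert, client_key, key_password)
    return ctx


def probe_relay(host, port=25, mode="always", ca_file=None, timeout=10):
    """Connect to a relay, apply the mode, and report what the session used."""
    with smtplib.SMTP(host, port, timeout=timeout) as smtp:
        smtp.ehlo()
        transport = transport_for(mode, smtp.has_extn("starttls"))
        result = {"host": host, "transport": transport, "tls_version": None}
        if transport == "tls":
            # Raises ssl.SSLCertVerificationError if the certificate is not trusted.
            smtp.starttls(context=build_context(ca_file))
            smtp.ehlo()
            result["tls_version"] = smtp.sock.version()
        return result


if __name__ == "__main__":
    for mode in MODES:
        print(mode, delivery_plan(SAMPLE_MX, mode, SAMPLE_STARTTLS))
```

Running `probe_relay` against your own relay with `mode="always"` before selecting the strict option shows whether the relay's certificate chains to the CA file you intend to upload.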


Creating a certificate for an SMTP server

To create a certificate for an SMTP server:

  1. In the console tree, select the node with the name of the required Administration Server.
  2. In the workspace of the node, select the Events tab.
  3. Click the Configure notifications and event export link and select the Configure notifications value in the drop-down list.

    The event properties window opens.

  4. On the Email tab, click the Settings link to open the Settings window.
  5. In the Settings window click the Specify certificate link to open the Certificate for signing window.
  6. In the Certificate for signing window, click the Browse button.

    The Certificate window opens.

  7. In the Certificate type drop-down list, specify the public or private type of certificate:
    • If the private type of certificate (PKCS #12 container) is selected, specify the certificate file and the password.
    • If the public type of certificate (X.509 certificate) is selected:
      1. Specify the private key file (one with the *.prk or *.pem extension).
      2. Specify the private key password.
      3. Specify the public key file (one with the *.cer extension).
  8. Click OK.

The certificate for the SMTP server is issued.


Event selections

Information about events in the operation of Kaspersky Security Center and managed applications is saved both in the Administration Server database and in the Microsoft Windows system log. You can view information from the Administration Server database in the workspace of the Administration Server node, on the Events tab.

Information on the Events tab is represented as a list of event selections. Each selection includes events of a specific type only. For example, the "Device status is Critical" selection contains only records about changes of device statuses to "Critical". After application installation, the Events tab contains some standard event selections. You can create additional (custom) event selections or export event information to a file.

In this section

Viewing an event selection

Customizing an event selection

Creating an event selection

Exporting an event selection to a text file

Deleting events from a selection

Adding applications to exclusions by user requests


Viewing an event selection

To view the event selection:

  1. In the console tree, select the node with the name of the required Administration Server.
  2. In the workspace of the node, select the Events tab.
  3. In the Event selections drop-down list, select the relevant event selection.

    If you want events from this selection to be continuously displayed in the workspace, click the star icon next to the selection.

The workspace will display a list of events, stored on the Administration Server, of the selected type.

You can sort information in the list of events in ascending or descending order in any column.


Customizing an event selection

To customize an event selection:

  1. In the console tree, select the node with the name of the required Administration Server.
  2. In the workspace of the node, select the Events tab.
  3. Open the relevant event selection on the Events tab.
  4. Click the Selection properties button.

In the event selection properties window that opens you can configure the event selection.


Creating an event selection

To create an event selection:

  1. In the console tree, select the node with the name of the required Administration Server.
  2. In the workspace of the node, select the Events tab.
  3. Click the Create a selection button.
  4. In the New event selection window that opens, enter the name of the new selection and click OK.

A selection with the name that you specified is created in the Event selections drop-down list.

By default, a created event selection contains all events stored on the Administration Server. To cause a selection to display only the events you want, you must customize the selection.


Exporting an event selection to a text file

To export an event selection to a text file:

  1. In the console tree, select the node with the name of the required Administration Server.
  2. In the workspace of the node, select the Events tab.
  3. Click the Import/Export button.
  4. In the drop-down list, select Export events to file.

The Events Export Wizard starts. Follow the instructions of the Wizard.


Deleting events from a selection

To delete events from a selection:

  1. In the console tree, select the node with the name of the relevant Administration Server.
  2. In the workspace of the node, select the Events tab.
  3. Select the events that you want to delete by using a mouse, the Shift key, or the Ctrl key.
  4. Delete the selected events in one of the following ways:
    • By selecting Delete in the context menu of any of the selected events.

      If you select the Delete All item from the context menu, all displayed events will be deleted from the selection, regardless of your choice of events to delete.

    • By clicking the Delete event link (if one event is selected) or the Delete events link (if several events are selected) in the information box for these events.

The selected events are deleted.


Adding applications to exclusions by user requests

When you receive user requests to unblock erroneously blocked applications, you can create an exclusion from the Adaptive Security rules for these applications. Consequently, the applications will no longer be blocked on users' devices. You can track the number of user requests on the Monitoring tab of Administration Server.

To add applications blocked by Kaspersky Endpoint Security to exclusions by user requests:

  1. In the console tree, select the node with the name of the required Administration Server.
  2. In the workspace of the node, select the Events tab.
  3. In the Event selections drop-down list, select User requests.
  4. Right-click the user request (or several user requests) containing applications that you want to add to exclusions, and then select Add exclusion.

    This starts the Add Exclusion Wizard. Follow its instructions.

The selected applications will be excluded from the Triggering of rules in Smart Training state list (under Repositories in the console tree) after the next synchronization of the client device with the Administration Server, and will no longer appear in the list.


Device selections

Information about the status of devices is displayed in the Device selections folder in the console tree.

Information in the Device selections folder is displayed as a list of device selections. Each selection contains devices that meet specific conditions. For example, the Devices with Critical status selection contains only devices with the Critical status. After application installation, the Device selections folder contains some standard selections. You can create additional (custom) device selections, export selection settings to file, or create selections with settings imported from another file.

In this section

Viewing a device selection

Configuring a device selection

Exporting the settings of a device selection to a file

Creating a device selection

Creating a device selection according to imported settings

Removing devices from administration groups in a selection


Viewing a device selection

To view a device selection:

  1. In the console tree, select the Device selections folder.
  2. In the workspace of the folder, in the Devices in this selection list, select the relevant device selection.
  3. Click the Run selection button.
  4. Click the Selection results tab.

The workspace will display a list of devices that meet the selection criteria.

You can sort the information in the list of devices in ascending or descending order, in any column.


Configuring a device selection

To configure a device selection:

  1. In the console tree, select the Device selections folder.
  2. In the workspace, click the Selection tab, and then click the relevant device selection in the list of user selections.
  3. Click the Selection properties button.
  4. In the properties window that opens, specify the following settings:
    • General selection properties.
    • Conditions that must be met for including devices in this selection. You can configure the conditions after selecting a condition name and clicking the Properties button.
    • Security settings.
  5. Click OK.

The settings are applied and saved.

Below are descriptions of the conditions for assigning devices to a selection. Conditions are combined by using the OR logical operator: the selection will contain devices that comply with at least one of the listed conditions.

General

In the General section, you can change the name of the selection condition and specify whether that condition must be inverted:

Invert selection condition

If this option is enabled, the specified selection condition will be inverted. The selection will include all devices that do not meet the condition.

By default, this option is disabled.

Network

In the Network section, you can specify the criteria that will be used to include devices in the selection according to their network data:

  • Device name or IP address

    Windows network name (NetBIOS name) of the device or IPv4 address.

  • Windows domain

    Displays all devices included in the specified Windows domain.

  • Administration group

    Displays devices included in the specified administration group.

  • Description

    Text in the Description field of the General section of the device properties window.

    To describe text in the Description field, you can use the following characters:

    • Within a word:
      • *. Replaces any string with any number of characters.

      Example:

      To describe words such as Server or Server's, you can enter Server*.

      • ?. Replaces any single character.

      Example:

      To describe words such as Window or Windows, you can enter Windo?.

      Asterisk (*) or question mark (?) cannot be used as the first character in the query.

    • To find several words:
      • Space. Displays all the devices whose descriptions contain any of the listed words.

      Example:

      To find a phrase that contains the word Secondary or the word Virtual, you can enter Secondary Virtual in your query.

      • +. When a plus sign precedes a word, all search results will contain this word.

      Example:

      To find a phrase that contains both Secondary and Virtual, enter the +Secondary+Virtual query.

      • -. When a minus sign precedes a word, no search results will contain this word.

      Example:

      To find a phrase that contains Secondary and does not contain Virtual, enter the +Secondary-Virtual query.

      • "<some text>". Text enclosed in quotation marks must be present in the text.

      Example:

      To find a phrase that contains the word combination Secondary Server, you can enter "Secondary Server" in the query.

  • IP range

    If this option is enabled, you can enter the initial and final IP addresses of the IP range in which the relevant devices must be included.

    By default, this option is disabled.
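A Description query can be checked against exported device descriptions before a selection is relied on for reporting or task scope. The following Python example is added here and is not product code: it implements the operators documented for the Description field. Case-insensitive matching from the start of a word, and requiring at least one unprefixed word to match when such words are present, are assumptions chosen so that the page's own examples hold; the device names and descriptions are constructed.

```python
import re

# A term is an optional +/- sign followed by a quoted phrase or a bare word.
TOKEN = re.compile(r'([+-]?)(?:"([^"]*)"|([^\s"+-]+))')

# Constructed sample inventory: device name -> Description field text.
DEVICES = {
    "srv-01": "Secondary Server, virtual host",
    "srv-02": "Secondary Server (physical)",
    "srv-03": "Primary Server's backup node",
    "ws-11": "Windows 10 workstation",
    "ws-12": "Kiosk behind window display",
    "vm-07": "Virtual test machine",
}


def parse_query(query):
    """Split a query into required, excluded and optional compiled patterns."""
    groups = {"required": [], "excluded": [], "optional": []}
    for sign, phrase, word in TOKEN.findall(query):
        text = phrase or word
        if not text.strip():
            continue
        # The documentation forbids a leading wildcard; this check applies the
        # rule to every term, which is stricter than the first character only.
        if text[0] in "*?":
            raise ValueError(f"term may not start with a wildcard: {text!r}")
        if phrase:
            body = re.escape(phrase)  # quoted text is matched literally
        else:
            # '*' = any run of characters inside the word, '?' = one character.
            body = "".join(r"\S*" if ch == "*" else r"\S" if ch == "?"
                           else re.escape(ch) for ch in word)
        pattern = re.compile(r"(?<!\w)" + body, re.IGNORECASE)
        if sign == "-":
            groups["excluded"].append(pattern)
        elif sign == "+" or phrase:
            groups["required"].append(pattern)  # quoted text must be present
        else:
            groups["optional"].append(pattern)
    return groups


def matches(query, description):
    """Return True if the description satisfies the query."""
    groups = parse_query(query)

    def hit(pattern):
        return pattern.search(description) is not None

    if any(hit(p) for p in groups["excluded"]):
        return False
    if not all(hit(p) for p in groups["required"]):
        return False
    if groups["optional"] and not any(hit(p) for p in groups["optional"]):
        return False
    return True


def select(query, devices=DEVICES):
    """Return the sorted names of devices whose description matches."""
    return sorted(name for name, text in devices.items() if matches(query, text))


if __name__ == "__main__":
    for q in ("Server*", "Windo?", "Secondary Virtual",
              "+Secondary+Virtual", "+Secondary-Virtual", '"Secondary Server"'):
        print(f"{q!r:24} -> {select(q)}")
```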

Tags

In the Tags section, you can configure criteria for including devices into a selection based on key words (tags) that were previously added to the descriptions of managed devices:

  • Apply if at least one specified tag matches

    If this option is enabled, the search results will show devices with descriptions that contain at least one of the selected tags.

    If this option is disabled, the search results will only show devices with descriptions that contain all the selected tags.

    By default, this option is disabled.

  • Tag must be included

    If this option is selected, the search results will display the devices whose descriptions contain the selected tag. To find devices, you can use the asterisk, which stands for any string with any number of characters.

    By default, this option is selected.

  • Tag must be excluded

    If this option is selected, the search results will display the devices whose descriptions do not contain the selected tag. To find devices, you can use the asterisk, which stands for any string with any number of characters.

Active Directory

In the Active Directory section, you can configure criteria for including devices into a selection based on their Active Directory data:

Network activity

In the Network activity section, you can specify the criteria that will be used to include devices in the selection according to their network activity:

  • This device is a distribution point

    In the drop-down list, you can set up the criterion for including devices in the selection when performing search:

    • Yes. The selection includes devices that act as distribution points.
    • No. Devices that act as distribution points are not included in the selection.
    • No value is selected. The criterion will not be applied.
  • Do not disconnect from the Administration Server

    In the drop-down list, you can set up the criterion for including devices in the selection when performing search:

    • Enabled. The selection will include devices on which the Do not disconnect from the Administration Server check box is selected.
    • Disabled. The selection will include devices on which the Do not disconnect from the Administration Server check box is cleared.
    • No value is selected. The criterion will not be applied.
  • Connection profile switched

    In the drop-down list, you can set up the criterion for including devices in the selection when performing search:

    • Yes. The selection will include devices that connected to the Administration Server after the connection profile was switched.
    • No. The selection will not include devices that connected to the Administration Server after the connection profile was switched.
    • No value is selected. The criterion will not be applied.
  • Last connected to Administration Server

    You can use this check box to set a search criterion for devices according to the time they last connected to the Administration Server.

    If this check box is selected, in the entry fields you can specify the time interval (date and time) during which the last connection was established between Network Agent installed on the client device and the Administration Server. The selection will include devices that fall within the specified interval.

    If this check box is cleared, the criterion will not be applied.

    By default, this check box is cleared.

  • New devices detected by network poll

    Searches for new devices that have been detected by network polling over the last few days.

    If this option is enabled, the selection only includes new devices that have been detected by device discovery over the number of days specified in the Detection period (days) field.

    If this option is disabled, the selection includes all devices that have been detected by device discovery.

    By default, this option is disabled.

  • Device is visible

    In the drop-down list, you can set up the criterion for including devices in the selection when performing search:

    • Yes. The application includes in the selection devices that are currently visible in the network.
    • No. The application includes in the selection devices that are currently invisible in the network.
    • No value is selected. The criterion will not be applied.

Application

In the Application section, you can configure criteria for including devices in a selection based on the selected managed application:

  • Application name

    In the drop-down list, you can set a criterion for including devices in a selection when search is performed by the name of a Kaspersky application.

    The list provides only the names of applications with management plug-ins installed on the administrator's workstation.

    If no application is selected, the criterion will not be applied.

  • Application version

    In the entry field, you can set a criterion for including devices in a selection when search is performed by the version number of a Kaspersky application.

    If no version number is specified, the criterion will not be applied.

  • Critical update name

    In the entry field, you can set a criterion for including devices in a selection when search is performed by application name or by update package number.

    If the field is left blank, the criterion will not be applied.

  • Modules last updated

    You can use this option to set a criterion for searching devices by time of the last update of modules of applications installed on those devices.

    If this check box is selected, in the entry fields you can specify the time interval (date and time) during which the last update of modules of applications installed on those devices was performed.

    If this check box is cleared, the criterion will not be applied.

    By default, this check box is cleared.

  • Device is managed through Kaspersky Security Center 13.1

    In the drop-down list, you can include in the selection the devices managed through Kaspersky Security Center:

    • Yes. The application includes in the selection devices managed through Kaspersky Security Center.
    • No. The application includes devices in the selection if they are not managed through Kaspersky Security Center.
    • No value is selected. The criterion will not be applied.
  • Security application is installed

    In the drop-down list, you can include in the selection all devices with the security application installed:

    • Yes. The application includes in the selection all devices with the security application installed.
    • No. The application includes in the selection all devices with no security application installed.
    • No value is selected. The criterion will not be applied.

Operating system

In the Operating system section, you can specify the criteria that will be used to include devices in the selection according to their operating system type.

  • Operating system version

    If the check box is selected, you can select an operating system from the list. Devices with the specified operating systems installed are included in the search results.

  • Operating system bit size

    In the drop-down list, you can select the architecture for the operating system, which will determine how the moving rule is applied to the device (Unknown, x86, AMD64, or IA64). By default, no option is selected in the list so that the operating system's architecture is not defined.

  • Operating system service pack version

    In this field, you can specify the package version of the operating system (in the X.Y format), which will determine how the moving rule is applied to the device. By default, no version value is specified.

  • Operating system build

    This setting is applicable to Windows operating systems only.

    The build number of the operating system. You can specify whether the selected operating system must have an equal, earlier, or later build number. You can also configure searching for all build numbers except the specified one.

  • Operating system release ID

    This setting is applicable to Windows operating systems only.

    The release identifier (ID) of the operating system. You can specify whether the selected operating system must have an equal, earlier, or later release ID. You can also configure searching for all release ID numbers except the specified one.

Device status

In the Device status section, you can configure criteria for including devices into a selection based on the description of the device status from a managed application:

  • Device status

    Drop-down list in which you can select one of the device statuses: OK, Critical, or Warning.

  • Device status description

    In this field, you can select the check boxes next to conditions that, if met, assign one of the following statuses to the device: OK, Critical, or Warning.

  • Device status defined by application

    Drop-down list, in which you can select the real-time protection status. Devices with the specified real-time protection status are included in the selection.

Protection components

In the Protection components section, you can set up the criteria for including devices in a selection based on their protection status:

  • Databases released

    If this option is selected, you can search for client devices by anti-virus database release date. In the entry fields you can set the time interval, on the basis of which the search is performed.

    By default, this option is disabled.

  • Last scanned

    If this option is enabled, you can search for client devices by time of the last virus scan. In the entry fields you can specify the time period within which the last virus scan was performed.

    By default, this option is disabled.

  • Total number of threats detected

    If this option is enabled, you can search for client devices by number of viruses detected. In the entry fields you can set the lower and upper threshold values for the number of viruses found.

    By default, this option is disabled.

Applications registry

In the Applications registry section, you can set up the criteria to search for devices according to applications installed on them:

  • Application name

    Drop-down list in which you can select an application. Devices on which the specified application is installed are included in the selection.

  • Application version

    Entry field in which you can specify the version of the selected application.

  • Vendor

    Drop-down list in which you can select the manufacturer of an application installed on the device.

  • Application status

    A drop-down list in which you can select the status of an application (Installed, Not installed). Devices on which the specified application is installed or not installed, depending on the selected status, will be included in the selection.

  • Find by update

    If this option is enabled, search will be performed using the details of updates for applications installed on the relevant devices. After you select the check box, the Application name, Application version, and Application status fields change to Update name, Update version, and Status respectively.

    By default, this option is disabled.

  • Incompatible security application name

    Drop-down list in which you can select third-party security applications. During the search, devices on which the specified application is installed are included in the selection.

  • Application tag

    In the drop-down list, you can select the application tag. All devices that have installed applications with the selected tag in the description are included in the device selection.

  • Apply to devices without the specified tags

    If this option is enabled, the selection includes devices with descriptions that contain none of the selected tags.

    If this option is disabled, the criterion is not applied.

    By default, this option is disabled.

Hardware registry

In the Hardware registry section, you can configure criteria for including devices into a selection based on their installed hardware:

  • Device

    In the drop-down list, you can select a unit type. All devices with this unit are included in the search results.

    The field supports the full-text search.

  • Vendor

    In the drop-down list, you can select the name of a unit manufacturer. All devices with this unit are included in the search results.

    The field supports the full-text search.

  • Device name

    Name of the device in the Windows network. The device with the specified name is included in the selection.

  • Description

    Description of the device or hardware unit. Devices with the description specified in this field are included in the selection.

    A device's description in any format can be entered in the properties window of that device. The field supports the full-text search.

  • Device vendor

    Name of the device manufacturer. Devices produced by the manufacturer specified in this field are included in the selection.

    You can enter the manufacturer's name in the properties window of a device.

  • Serial number

    All hardware units with the serial number specified in this field will be included in the selection.

  • Inventory number

    Equipment with the inventory number specified in this field will be included in the selection.

  • User

    All hardware units of the user specified in this field will be included in the selection.

  • Location

    Location of the device or hardware unit (for example, at the HQ or a branch office). Computers or other devices that are deployed at the location specified in this field will be included in the selection.

    You can describe the location of a device in any format in the properties window of that device.

  • CPU frequency, in MHz

    The frequency range of a CPU. Devices with CPUs that match the frequency range in these fields (inclusive) will be included in the selection.

  • Virtual CPU cores

    Range of the number of virtual cores in a CPU. Devices with CPUs that match the range in these fields (inclusive) will be included in the selection.

  • Hard drive volume, in GB

    Range of values for the size of the hard drive on the device. Devices with hard drives that match the range in these entry fields (inclusive) will be included in the selection.

  • RAM size, in MB

    Range of values for the size of the device RAM. Devices with RAMs that match the range in these entry fields (inclusive) will be included in the selection.

Virtual machines

In the Virtual machines section, you can set up the criteria to include devices in the selection according to whether these are virtual machines or part of virtual desktop infrastructure (VDI):

  • This is a virtual machine

    In the drop-down list, you can select the following options:

    • Not important.
    • No. Find devices that are not virtual machines.
    • Yes. Find devices that are virtual machines.
  • Virtual machine type

    In the drop-down list, you can select the virtual machine manufacturer.

    This drop-down list is available if the Yes or Not important value is selected in the This is a virtual machine drop-down list.

  • Part of Virtual Desktop Infrastructure

    In the drop-down list, you can select the following options:

    • Not important.
    • No. Find devices that are not part of Virtual Desktop Infrastructure.
    • Yes. Find devices that are part of the Virtual Desktop Infrastructure (VDI).

Vulnerabilities and updates

In the Vulnerabilities and updates section, you can specify the criteria that will be used to include devices in the selection according to their Windows Update source:

WUA is switched to Administration Server

You can select one of the following search options from the drop-down list:

  • Yes. If this option is selected, the search results will include devices that receive updates through Windows Update from the Administration Server.
  • No. If this option is selected, the results will include devices that receive updates through Windows Update from another source.

Users

In the Users section, you can set up the criteria to include devices in the selection according to the accounts of users who have logged in to the operating system.

  • Last user who logged in to the system

    If this option is enabled, click the Browse button to specify a user account. The search results include devices on which the specified user performed the last login to the system.

  • User who logged in to the system at least once

    If this option is enabled, click the Browse button to specify a user account. The search results include devices on which the specified user logged in to the system at least once.

Status-affecting problems in managed applications

In the Status-affecting problems in managed applications section, you can specify the criteria that will be used to include devices in the selection according to the list of possible problems detected by a managed application. If at least one problem that you select exists on a device, the device will be included in the selection. When you select a problem listed for several applications, you have the option to select this problem in all of the lists automatically.

Device status description

You can select check boxes for descriptions of statuses from the managed application; upon receipt of these statuses, the devices will be included in the selection. When you select a status listed for several applications, you have the option to select this status in all of the lists automatically.

Statuses of components in managed applications

In the Statuses of components in managed applications section, you can configure criteria for including devices in a selection according to the statuses of components in managed applications:

Encryption

Encryption algorithm

Advanced Encryption Standard (AES) symmetrical block cipher algorithm. In the drop-down list, you can select the encryption key size (56-bit, 128-bit, 192-bit, or 256-bit).

Available values: AES56, AES128, AES192, and AES256.

Cloud segments

In the Cloud segments section, you can configure criteria for including devices in a selection according to their respective cloud segments:

  • Device is in a cloud segment

    If this option is enabled, you can click the Browse button to specify the segment to search.

    If the Include child objects option is also enabled, the search is run on all child objects of the specified segment.

    Search results include only devices from the selected segment.

  • Device discovered by using the API

    In the drop-down list, you can select whether a device is detected by API tools:

    • AWS. The device is discovered by using the AWS API, that is, the device is definitely in the AWS cloud environment.
    • Azure. The device is discovered by using the Azure API, that is, the device is definitely in the Azure cloud environment.
    • Google Cloud. The device is discovered by using the Google API, that is, the device is definitely in the Google Cloud environment.
    • No. The device cannot be detected by using the AWS, Azure, or Google API, that is, it is either outside the cloud environment or it is in the cloud environment but it cannot be detected by using an API.
    • No value. This condition does not apply.

Application components

This section contains the list of components of those applications that have corresponding management plug-ins installed in Administration Console.

In the Application components section, you can specify criteria for including devices in a selection according to the statuses and version numbers of the components that refer to the application that you select:

  • Status

    Search for devices according to the component status sent by an application to the Administration Server. You can select one of the following statuses: No data from device, Stopped, Starting, Paused, Running, Malfunction, or Not installed. If the selected component of the application installed on a managed device has the specified status, the device is included in the device selection.

    Statuses sent by applications:

    • Starting—The component is currently in the process of initialization.
    • Running—The component is enabled and working properly.
    • Paused—The component is suspended, for example, after the user has paused protection in the managed application.
    • Malfunction—An error has occurred during the component operation.
    • Stopped—The component is disabled and not working at the moment.
    • Not installed—The user did not select the component for installation when configuring custom installation of the application.

    Unlike other statuses, the No data from device status is not sent by applications. This option shows that the applications have no information about the selected component status. For example, this can happen when the selected component does not belong to any of the applications installed on the device, or when the device is turned off.

  • Version

    Search for devices according to the version number of the component that you select in the list. You can type a version number, for example 3.4.1.0, and then specify whether the selected component must have an equal, earlier, or later version. You can also configure searching for all versions except the specified one.


Exporting the settings of a device selection to a file

To export the settings of a device selection to a text file:

  1. In the console tree, select the Device selections folder.
  2. In the workspace, on the Selection tab, click the relevant device selection in the list of user selections.

    Settings can be exported only from the device selections created by a user.

  3. Click the Run selection button.
  4. On the Selection results tab, click the Export settings button.
  5. In the Save as window that opens, specify a name for the selection settings export file, select a folder to save it to, and click the Save button.

The settings of the device selection will be saved to the specified file.


Creating a device selection

To create a device selection:

  1. In the console tree, select the Device selections folder.
  2. In the workspace of the folder, click Advanced and select Create a selection in the drop-down list.
  3. In the New device selection window that opens, enter the name of the new selection and click OK.

A new folder with the name you entered will appear in the console tree in the Device selections folder. By default, the new device selection contains all devices included in administration groups of the Administration Server on which the selection was created. To cause a selection to display only the devices you are particularly interested in, configure the selection by clicking the Selection properties button.


Creating a device selection according to imported settings

To create a device selection according to imported settings:

  1. In the console tree, select the Device selections folder.
  2. In the workspace of the folder, click the Advanced button and select Import selection from file in the drop-down list.
  3. In the window that opens, specify the path to the file from which you want to import the selection settings. Click the Open button.

A New selection entry is created in the Device selections folder. The settings of the new selection are imported from the file that you specified.

If a selection named New selection already exists in the Device selections folder, an index in (<next sequence number>) format is added to the name of the created selection, for example: (1), (2).


Removing devices from administration groups in a selection

When working with a device selection, you can remove devices from administration groups right in this selection, without switching to the administration groups from which these devices must be removed.

To remove devices from administration groups:

  1. In the console tree, select the Device selections folder.
  2. Select the devices that you want to remove by using the Shift or Ctrl keys.
  3. Remove the selected devices from administration groups in one of the following ways:
    • Select Delete in the context menu of any of the selected devices.
    • Click the Perform action button and select Remove from group in the drop-down list.

The selected devices are removed from their respective administration groups.


Monitoring of applications installation and uninstallation

You can monitor installation and uninstallation of specific applications on managed devices (for example, a specific browser). To use this function, you can add applications from the Application registry to the list of monitored applications. When a monitored application is installed or uninstalled, Network Agent publishes the respective events: Monitored application has been installed or Monitored application has been uninstalled. You can monitor these events using, for example, event selections or reports.

You can monitor these events only if they are stored in the Administration Server database.

To add an application to the list of monitored applications:

  1. In the Advanced → Application management folder in the console tree, select the Applications registry subfolder.
  2. Above the list of applications that is displayed, click the Show applications registry properties window button.
  3. In the Monitored Applications window that is displayed, click the Add button.
  4. In the Select application name window that is displayed, select the applications from the Application registry whose installation or uninstallation you want to monitor.
  5. In the Select application name window, click the OK button.

After you have configured the list of monitored applications, and a monitored application is installed or uninstalled on managed devices in your organization, you can monitor the respective events, for example using the Recent events event selection.


Event types

Each Kaspersky Security Center component has its own set of event types. This section lists types of events that occur in Kaspersky Security Center Administration Server, Network Agent, iOS MDM Server, and Exchange Mobile Device Server. Types of events that occur in Kaspersky applications are not listed in this section.

In this section

Data structure of event type description

Administration Server events

Network Agent events

iOS MDM Server events

Exchange Mobile Device Server events


Data structure of event type description

For each event type, its display name, identifier (ID), alphabetic code, description, and the default storage term are provided.

  • Event type display name. This text is displayed in Kaspersky Security Center when you configure events and when they occur.
  • Event type ID. This numerical code is used when you process events by using third-party tools for event analysis.
  • Event type (alphabetic code). This code is used when you browse and process events by using public views that are provided in the Kaspersky Security Center database and when events are exported to a SIEM system.
  • Description. This text describes the situations in which an event occurs and what you can do in such a case.
  • Default storage term. This is the number of days during which the event is stored in the Administration Server database and is displayed in the list of events on Administration Server. After this period elapses, the event is deleted. If the event storage term value is 0, such events are detected but are not displayed in the list of events on Administration Server. If you configured such events to be saved to the operating system event log, you can find them there.

    You can change the storage term for events:

Other data may include the following fields:

  • event_id: unique number of the event in the database, generated and assigned automatically; not to be confused with Event type ID.
  • task_id: the ID of the task that caused the event (if any)
  • severity: one of the following severity levels (in the ascending order of severity):

    0) Invalid severity level

    1) Info

    2) Warning

    3) Error

    4) Critical


Administration Server events

This section contains information about the events related to the Administration Server.

In this section

Administration Server critical events

Administration Server functional failure events

Administration Server warning events

Administration Server informational events


Administration Server critical events

The table below shows the event types of Kaspersky Security Center Administration Server that have the Critical importance level.

Administration Server critical events

License limit has been exceeded

  • Event type ID: 4099
  • Event type: KLSRV_EV_LICENSE_CHECK_MORE_110
  • Description:

    Once a day Kaspersky Security Center checks whether a licensing restriction is exceeded.

    Events of this type occur when Administration Server detects that some licensing limits are exceeded by Kaspersky applications installed on client devices and if the number of currently used licensing units covered by a single license exceeds 110% of the total number of units covered by the license.

    Even when this event occurs, client devices are protected.

    You can respond to the event in the following ways:

    • Look through the managed devices list. Delete devices that are not in use.
    • Provide a license for more devices (add a valid activation code or a key file to Administration Server).

    Kaspersky Security Center determines the rules to generate events when a licensing restriction is exceeded.

  • Default storage term: 180 days

Virus outbreak

  • Event type ID: 26 (for File Threat Protection)
  • Event type: GNRL_EV_VIRUS_OUTBREAK
  • Description:

    Events of this type occur when the number of malicious objects detected on several managed devices exceeds the threshold within a short period of time.

    You can respond to the event in the following ways:

  • Default storage term: 180 days

Virus outbreak

  • Event type ID: 27 (for Mail Threat Protection)
  • Event type: GNRL_EV_VIRUS_OUTBREAK
  • Description:

    Events of this type occur when the number of malicious objects detected on several managed devices exceeds the threshold within a short period of time.

    You can respond to the event in the following ways:

  • Default storage term: 180 days

Virus outbreak

  • Event type ID: 28 (for firewall)
  • Event type: GNRL_EV_VIRUS_OUTBREAK
  • Description:

    Events of this type occur when the number of malicious objects detected on several managed devices exceeds the threshold within a short period of time.

    You can respond to the event in the following ways:

  • Default storage term: 180 days

Device has become unmanaged

  • Event type ID: 4111
  • Event type: KLSRV_HOST_OUT_CONTROL
  • Description:

    Events of this type occur if a managed device is visible on the network but has not connected to Administration Server for a specific period of time.

    Find out what prevents the proper functioning of Network Agent on the device. Possible causes include network issues and removal of Network Agent from the device.

  • Default storage term: 180 days

Device status is Critical

  • Event type ID: 4113
  • Event type: KLSRV_HOST_STATUS_CRITICAL
  • Description:

    Events of this type occur when a managed device is assigned the Critical status. You can configure the conditions under which the device status is changed to Critical.

  • Default storage term: 180 days

The key file has been added to the denylist

  • Event type ID: 4124
  • Event type: KLSRV_LICENSE_BLACKLISTED
  • Description:

    Events of this type occur when Kaspersky has added the activation code or key file that you use to the denylist.

    Contact Technical Support for more details.

  • Default storage term: 180 days

Limited functionality mode

  • Event type ID: 4130
  • Event type: KLSRV_EV_LICENSE_SRV_LIMITED_MODE
  • Description:

    Events of this type occur when Kaspersky Security Center starts to operate with basic functionality, without Vulnerability and Patch Management and without Mobile Device Management features.

    Following are causes of, and appropriate responses to, the event:

    • License term has expired. Provide a license to use the full functionality mode of Kaspersky Security Center (add a valid activation code or a key file to Administration Server).
    • Administration Server manages more devices than specified by the license limit. Move devices from the administration groups of an Administration Server to those of another Administration Server (if the license limit of the other Administration Server allows).

  • Default storage term: 180 days

License expires soon

  • Event type ID: 4129
  • Event type: KLSRV_EV_LICENSE_SRV_EXPIRE_SOON
  • Description:

    Events of this type occur when the commercial license expiration date is approaching.

    Once a day Kaspersky Security Center checks whether a license expiration date is approaching. Events of this type are published 30 days, 15 days, 5 days and 1 day before the license expiration date. You cannot change the number of days. If the Administration Server is turned off on the specified day before the license expiration date, the event will not be published until the next day.

    When the commercial license expires, Kaspersky Security Center provides only basic functionality.

    You can respond to the event in the following ways:

    • Make sure that a reserve license key is added to Administration Server.
    • If you use a subscription, make sure to renew it. An unlimited subscription is renewed automatically if it has been prepaid to the service provider by the due date.

  • Default storage term: 180 days

Certificate has expired

  • Event type ID: 4132
  • Event type: KLSRV_CERTIFICATE_EXPIRED
  • Description:

    Events of this type occur when the Administration Server certificate for Mobile Device Management expires.

    You need to update the expired certificate.

    You can configure automatic updates of certificates by selecting the Reissue certificate automatically if possible check box in the certificate issuance settings.

  • Default storage term: 180 days

Updates for Kaspersky software modules have been revoked

  • Event type ID: 4142
  • Event type: KLSRV_SEAMLESS_UPDATE_REVOKED
  • Description:

    Events of this type occur if seamless updates have been revoked (Revoked status is displayed for these updates) by Kaspersky technical specialists; for example, they must be updated to a newer version. The event concerns Kaspersky Security Center patches and does not concern modules of managed Kaspersky applications. The event provides the reason that the seamless updates are not installed.

  • Default storage term: 180 days

See also:

Administration Server functional failure events

Administration Server informational events

Administration Server warning events

About events in Kaspersky Security Center


Administration Server functional failure events

The table below shows the event types of Kaspersky Security Center Administration Server that have the Functional failure importance level.

You can view the full list of events that can be generated by an application on the Event configuration tab in the application policy. For Administration Server, you can additionally view the event list in the Administration Server properties.

Administration Server functional failure events

Event type display name

Event type ID

Event type

Description

Default storage term

Runtime error

4125

KLSRV_RUNTIME_ERROR

Events of this type occur because of unknown issues.

Most often these are DBMS issues, network issues, and other software and hardware issues.

Details of the event can be found in the event description.

180 days

Limit of installations has been exceeded for one of the licensed applications groups

4126

KLSRV_INVLICPROD_EXCEDED

Administration Server generates events of this type periodically (every hour). Events of this type occur if in Kaspersky Security Center you manage license keys of third-party applications and if the number of installations has exceeded the limit set by the license key of the third-party application.

You can respond to the event in the following ways:

  • Look through the managed devices list. Delete the third-party application from devices on which the application is not in use.
  • Use a third-party license for more devices.

You can manage license keys of third-party applications using the functionality of licensed applications groups. A licensed applications group includes third-party applications that meet criteria set by you.

180 days

Failed to poll the cloud segment

4143

KLSRV_KLCLOUD_SCAN_ERROR

Events of this type occur when Administration Server fails to poll a network segment in a cloud environment. Read the details in the event description and respond accordingly.

Not stored

Failed to copy the updates to the specified folder

4123

KLSRV_UPD_REPL_FAIL

Events of this type occur when copying software updates to an additional shared folder (or folders) fails.

You can respond to the event in the following ways:

  • Check whether the user account that is employed to gain access to the folder(s) has write permission.
  • Check whether the user name and/or password for the folder(s) has changed.
  • Check the internet connection, as it might be the cause of the event. Follow the instructions to update databases and software modules.

180 days

No free disk space

4107

KLSRV_DISK_FULL

Events of this type occur when the hard drive of the device on which Administration Server is installed runs out of free space.

Free up disk space on the device.

180 days

Shared folder is not available

4108

KLSRV_SHARED_FOLDER_UNAVAILABLE

Events of this type occur if the shared folder of Administration Server is not available.

You can respond to the event in the following ways:

  • Check whether the Administration Server (where the shared folder is located) is turned on and available.
  • Check whether the user name and/or password for the folder has changed.
  • Check the network connection.

180 days

The Administration Server database is unavailable

4109

KLSRV_DATABASE_UNAVAILABLE

Events of this type occur if the Administration Server database becomes unavailable.

You can respond to the event in the following ways:

  • Check whether the remote server that has SQL Server installed is available.
  • View the DBMS logs to discover the reason for Administration Server database unavailability. For example, because of preventive maintenance a remote server with SQL Server installed might be unavailable.

180 days

No free space in the Administration Server database

4110

KLSRV_DATABASE_FULL

Events of this type occur when there is no free space in the Administration Server database.

Administration Server does not function when its database has reached its capacity and when further recording to the database is not possible.

Following are the causes of this event, depending on the DBMS that you use, and appropriate responses to the event:

180 days

See also:

Administration Server critical events

Administration Server informational events

Administration Server warning events

About events in Kaspersky Security Center


Administration Server warning events

The table below shows the events of Kaspersky Security Center Administration Server that have the Warning importance level.

You can view the full list of events that can be generated by an application on the Event configuration tab in the application policy. For Administration Server, you can additionally view the event list in the Administration Server properties.

Administration Server warning events

Event type display name

Event type ID

Event type

Description

Default storage term

A frequent event has been detected

 

KLSRV_EVENT_SPAM_EVENTS_DETECTED

Events of this type occur when Administration Server detects a frequent event on a managed device. Refer to the following section for details: Blocking frequent events.

90 days

License limit has been exceeded

4098

KLSRV_EV_LICENSE_CHECK_100_110

Once a day Kaspersky Security Center checks whether a licensing restriction is exceeded.

Events of this type occur when Administration Server detects that some licensing limits are exceeded by Kaspersky applications installed on client devices and the number of currently used licensing units covered by a single license constitutes 100% to 110% of the total number of units covered by the license.

Even when this event occurs, client devices are protected.

You can respond to the event in the following ways:

  • Look through the managed devices list. Delete devices that are not in use.
  • Provide a license for more devices (add a valid activation code or a key file to Administration Server).

Kaspersky Security Center determines the rules to generate events when a licensing restriction is exceeded.

90 days

Device has remained inactive on the network for a long time

4103

KLSRV_EVENT_HOSTS_NOT_VISIBLE

Events of this type occur when a managed device shows inactivity for some time.

Most often, this happens when a managed device is decommissioned.

You can respond to the event in the following ways:

90 days

Conflict of device names

4102

KLSRV_EVENT_HOSTS_CONFLICT

Events of this type occur when Administration Server considers two or more managed devices as a single device.

Most often this happens when a cloned hard drive was used for software deployment on managed devices without first switching Network Agent to the dedicated disk cloning mode on the reference device.

To avoid this issue, switch Network Agent to the disk cloning mode on a reference device before cloning the hard drive of this device.

90 days

Device status is Warning

4114

KLSRV_HOST_STATUS_WARNING

Events of this type occur when a managed device is assigned the Warning status. You can configure the conditions under which the device status is changed to Warning.

90 days

Limit of installations will soon be exceeded for one of the licensed applications groups

4127

KLSRV_INVLICPROD_FILLED

Events of this type occur when the number of installations for third-party applications included in a licensed applications group reaches 90% of the maximum allowed value specified in the license key properties.

You can respond to the event in the following ways:

  • If the third-party application is not in use on some of the managed devices, delete the application from these devices.
  • If you expect that the number of installations for the third-party application will exceed the allowed maximum in the near future, consider obtaining a third-party license for a greater number of devices in advance.

You can manage license keys of third-party applications using the functionality of licensed applications groups.

90 days

Certificate has been requested

4133

KLSRV_CERTIFICATE_REQUESTED

Events of this type occur when a certificate for Mobile Device Management fails to be automatically reissued.

The following might be the causes of the event, with the appropriate responses:

  • Automatic reissue was initiated for a certificate for which the Reissue certificate automatically if possible option is disabled. This might be due to an error that occurred during creation of the certificate. Manual reissue of the certificate might be required.
  • If you use an integration with a public key infrastructure, the cause might be a missing SAM-Account-Name attribute of the account used for integration with PKI and for issuance of the certificate. Review the account properties.

90 days

Certificate has been removed

4134

KLSRV_CERTIFICATE_REMOVED

Events of this type occur when an administrator removes any type of certificate (General, Mail, VPN) for Mobile Device Management.

After removing a certificate, mobile devices connected via this certificate will fail to connect to Administration Server.

This event might be helpful when investigating malfunctions associated with the management of mobile devices.

90 days

APNs certificate has expired

4135

KLSRV_APN_CERTIFICATE_EXPIRED

Events of this type occur when an APNs certificate expires.

You need to manually renew the APNs certificate and install it on an iOS MDM Server.

Not stored

APNs certificate expires soon

4136

KLSRV_APN_CERTIFICATE_EXPIRES_SOON

Events of this type occur when there are fewer than 14 days left before the APNs certificate expires.

When the APNs certificate expires, you need to manually renew the APNs certificate and install it on an iOS MDM Server.

We recommend that you schedule the APNs certificate renewal in advance of the expiration date.

Not stored

Failed to send the FCM message to the mobile device

4138

KLSRV_GCM_DEVICE_ERROR

Events of this type occur when Mobile Device Management is configured to use Google Firebase Cloud Messaging (FCM) for connecting to managed mobile devices with an Android operating system and FCM Server fails to handle some of the requests received from Administration Server. It means that some of the managed mobile devices will not receive a push notification.

Read the HTTP code in the details of the event description and respond accordingly. For more information on the HTTP codes received from FCM Server and related errors, please refer to the Google Firebase service documentation (see chapter "Downstream message error response codes").

90 days

HTTP error sending the FCM message to the FCM server

4139

KLSRV_GCM_HTTP_ERROR

Events of this type occur when Mobile Device Management is configured to use Google Firebase Cloud Messaging (FCM) for connecting managed mobile devices with the Android operating system and FCM Server responds to a request from Administration Server with an HTTP code other than 200 (OK).

The following might be the causes of the event, with the appropriate responses:

  • Problems on the FCM server side. Read the HTTP code in the details of the event description and respond accordingly. For more information on the HTTP codes received from FCM Server and related errors, please refer to the Google Firebase service documentation (see chapter "Downstream message error response codes").
  • Problems on the proxy server side (if you use a proxy server). Read the HTTP code in the details of the event and respond accordingly.

90 days

Failed to send the FCM message to the FCM server

4140

KLSRV_GCM_GENERAL_ERROR

Events of this type occur due to unexpected errors on the Administration Server side when working with the Google Firebase Cloud Messaging HTTP protocol.

Read the details in the event description and respond accordingly.

If you cannot find the solution to an issue on your own, we recommend that you contact Kaspersky Technical Support.

90 days

Little free space on the hard drive

4105

KLSRV_NO_SPACE_ON_VOLUMES

Events of this type occur when the hard drive of the device on which Administration Server is installed almost runs out of free space.

Free up disk space on the device.

90 days

Little free space in the Administration Server database

4106

KLSRV_NO_SPACE_IN_DATABASE

Events of this type occur if space in the Administration Server database is too limited. If you do not remedy the situation, soon the Administration Server database will reach its capacity and Administration Server will not function.

Following are the causes of this event, depending on the DBMS that you use, and the appropriate responses to the event.

You use the SQL Server Express Edition DBMS:

Review the information on DBMS selection.

90 days

Connection to the secondary Administration Server has been interrupted

4116

KLSRV_EV_SLAVE_SRV_DISCONNECTED

Events of this type occur when a connection to the secondary Administration Server is interrupted.

Read the Kaspersky Event Log on the device where the secondary Administration Server is installed and respond accordingly.

90 days

Connection to the primary Administration Server has been interrupted

4118

KLSRV_EV_MASTER_SRV_DISCONNECTED

Events of this type occur when a connection to the primary Administration Server is interrupted.

Read the Kaspersky Event Log on the device where the primary Administration Server is installed and respond accordingly.

90 days

New updates for Kaspersky software modules have been registered

4141

KLSRV_SEAMLESS_UPDATE_REGISTERED

Events of this type occur when Administration Server registers new updates for the Kaspersky software installed on managed devices that require approval to be installed.

Approve or decline the updates by using Administration Console or using Kaspersky Security Center Web Console.

90 days

Deletion of events from the database has started because the limit on the number of events was exceeded

4145

KLSRV_EVP_DB_TRUNCATING

Events of this type occur when deletion of old events from the Administration Server database has started after the Administration Server database capacity is reached.

You can respond to the event in the following ways:

Not stored

Events have been deleted from the database because the limit on the number of events was exceeded

4146

KLSRV_EVP_DB_TRUNCATED

Events of this type occur when old events have been deleted from the Administration Server database after the Administration Server database capacity is reached.

You can respond to the event in the following ways:

Not stored

See also:

Administration Server critical events

Administration Server functional failure events

Administration Server informational events

About events in Kaspersky Security Center


Administration Server informational events

The table below shows the events of Kaspersky Security Center Administration Server that have the Info importance level.

Administration Server informational events

| Event type display name | Event type ID | Event type | Default storage term | Remarks |
| --- | --- | --- | --- | --- |
| Over 90% of the license key is used up | 4097 | KLSRV_EV_LICENSE_CHECK_90 | 30 days | |
| New device has been detected | 4100 | KLSRV_EVENT_HOSTS_NEW_DETECTED | 30 days | |
| Device has been automatically added to the group | 4101 | KLSRV_EVENT_HOSTS_NEW_REDIRECTED | 30 days | |
| Device has been removed from the group: inactive on the network for a long time | 4104 | KLSRV_INVISIBLE_HOSTS_REMOVED | 30 days | |
| Limit of installations will soon be exceeded (more than 95% is used up) for one of the licensed applications groups | 4128 | KLSRV_INVLICPROD_EXPIRED_SOON | 30 days | |
| Files have been found to send to Kaspersky for analysis | 4131 | KLSRV_APS_FILE_APPEARED | 30 days | |
| FCM Instance ID has changed on this mobile device | 4137 | KLSRV_GCM_DEVICE_REGID_CHANGED | 30 days | |
| Updates have been successfully copied to the specified folder | 4122 | KLSRV_UPD_REPL_OK | 30 days | |
| Connection to the secondary Administration Server has been established | 4115 | KLSRV_EV_SLAVE_SRV_CONNECTED | 30 days | |
| Connection to the primary Administration Server has been established | 4117 | KLSRV_EV_MASTER_SRV_CONNECTED | 30 days | |
| Databases have been updated | 4144 | KLSRV_UPD_BASES_UPDATED | 30 days | |
| Audit: Connection to the Administration Server has been established | 4147 | KLAUD_EV_SERVERCONNECT | 30 days | |
| Audit: Object has been modified | 4148 | KLAUD_EV_OBJECTMODIFY | 30 days | This event tracks changes in the following objects: Administration group, Security group, User, Package, Task, Policy, Server, Virtual server. |
| Audit: Object status has changed | 4150 | KLAUD_EV_TASK_STATE_CHANGED | 30 days | For example, this event occurs when a task has failed with an error. |
| Audit: Group settings have been modified | 4149 | KLAUD_EV_ADMGROUP_CHANGED | 30 days | |
| Audit: Connection to Administration Server has been terminated | 4151 | KLAUD_EV_SERVERDISCONNECT | 30 days | |
| Audit: Object properties have been modified | 4152 | KLAUD_EV_OBJECTPROPMODIFIED | 30 days | This event tracks changes in the following properties: User, License, Server, Virtual server. |
| Audit: User permissions have been modified | 4153 | KLAUD_EV_OBJECTACLMODIFIED | 30 days | |


Network Agent events

This section contains information about the events related to Network Agent.

In this section

Network Agent functional failure events

Network Agent warning events

Network Agent informational events


Network Agent functional failure events

The table below shows the event types of Kaspersky Security Center Network Agent that have the Functional failure severity level.

Network Agent functional failure events

Event type display name

Event type ID

Event type

Description

Default storage term

Update installation error

7702

KLNAG_EV_PATCH_INSTALL_ERROR

Events of this type occur if automatic updating and patching for Kaspersky Security Center components was not successful. The event does not concern updates of the managed Kaspersky applications.

Read the event description. A Windows issue on the Administration Server might be a reason for this event. If the description mentions any issue of Windows configuration, resolve this issue.

30 days

Failed to install the third-party software update

7697

KLNAG_EV_3P_PATCH_INSTALL_ERROR

Events of this type occur if Vulnerability and Patch Management and Mobile Device Management features are in use, and if update of third-party software was not successful.

Check whether the link to the third-party software is valid. Read the event description.

30 days

Failed to install the Windows Update updates

7717

KLNAG_EV_WUA_INSTALL_ERROR

Events of this type occur if Windows Updates were not successful. Configure Windows Updates in a Network Agent policy.

Read the event description. Look for the error in the Microsoft Knowledge Base. Contact Microsoft Technical Support if you cannot resolve the issue yourself.

30 days

See also:

Network Agent warning events

Network Agent informational events


Network Agent warning events

The table below shows the events of Kaspersky Security Center Network Agent that have the Warning severity level.

You can view the full list of events that can be generated by an application on the Event configuration tab in the application policy.

Network Agent warning events

| Event type display name | Event type ID | Event type | Default storage term |
| --- | --- | --- | --- |
| Warning has been returned during installation of the software module update | 7701 | KLNAG_EV_PATCH_INSTALL_WARNING | 30 days |
| Third-party software update installation has completed with a warning | 7696 | KLNAG_EV_3P_PATCH_INSTALL_WARNING | 30 days |
| Third-party software update installation has been postponed | 7698 | KLNAG_EV_3P_PATCH_INSTALL_SLIPPED | 30 days |
| Incident has occurred | 549 | GNRL_EV_APP_INCIDENT_OCCURED | 30 days |
| KSN Proxy has started. Failed to check KSN for availability | 7718 | KSNPROXY_STARTED_CON_CHK_FAILED | 30 days |

See also:

Network Agent functional failure events

Network Agent informational events


Network Agent informational events

The table below shows the events of Kaspersky Security Center Network Agent that have the Info severity level.

You can view the full list of events that can be generated by an application on the Event configuration tab in the application policy.

Network Agent informational events

| Event type display name | Event type ID | Event type | Default storage term |
| --- | --- | --- | --- |
| Update for software modules has been installed successfully | 7699 | KLNAG_EV_PATCH_INSTALLED_SUCCESSFULLY | 30 days |
| Installation of the software module update has started | 7700 | KLNAG_EV_PATCH_INSTALL_STARTING | 30 days |
| Application has been installed | 7703 | KLNAG_EV_INV_APP_INSTALLED | 30 days |
| Application has been uninstalled | 7704 | KLNAG_EV_INV_APP_UNINSTALLED | 30 days |
| Monitored application has been installed | 7705 | KLNAG_EV_INV_OBS_APP_INSTALLED | 30 days |
| Monitored application has been uninstalled | 7706 | KLNAG_EV_INV_OBS_APP_UNINSTALLED | 30 days |
| Third-party application has been installed | 7707 | KLNAG_EV_INV_CMPTR_APP_INSTALLED | 30 days |
| New device has been added | 7708 | KLNAG_EV_DEVICE_ARRIVAL | 30 days |
| Device has been removed | 7709 | KLNAG_EV_DEVICE_REMOVE | 30 days |
| New device has been detected | 7710 | KLNAG_EV_NAC_DEVICE_DISCOVERED | 30 days |
| Device has been authorized | 7711 | KLNAG_EV_NAC_HOST_AUTHORIZED | 30 days |
| Windows Desktop Sharing: File has been read | 7712 | KLUSRLOG_EV_FILE_READ | 30 days |
| Windows Desktop Sharing: File has been modified | 7713 | KLUSRLOG_EV_FILE_MODIFIED | 30 days |
| Windows Desktop Sharing: Application has been started | 7714 | KLUSRLOG_EV_PROCESS_LAUNCHED | 30 days |
| Windows Desktop Sharing: Started | 7715 | KLUSRLOG_EV_WDS_BEGIN | 30 days |
| Windows Desktop Sharing: Stopped | 7716 | KLUSRLOG_EV_WDS_END | 30 days |
| Third-party software update has been installed successfully | 7694 | KLNAG_EV_3P_PATCH_INSTALLED_SUCCESSFULLY | 30 days |
| Third-party software update installation has started | 7695 | KLNAG_EV_3P_PATCH_INSTALL_STARTING | 30 days |
| KSN Proxy has started. KSN availability check has completed successfully | 7719 | KSNPROXY_STARTED_CON_CHK_OK | 30 days |
| KSN Proxy has stopped | 7720 | KSNPROXY_STOPPED | 30 days |

See also:

Network Agent functional failure events

Network Agent warning events


iOS MDM Server events

This section contains information about the events related to iOS MDM Server.

In this section

iOS MDM Server functional failure events

iOS MDM Server warning events

iOS MDM Server informational events


iOS MDM Server functional failure events

The table below shows the events of Kaspersky Security Center iOS MDM Server that have the Functional failure severity level.

You can view the full list of events that can be generated by an application on the Event configuration tab in the application policy.

iOS MDM Server functional failure events

| Event type display name | Event type | Default storage term |
| --- | --- | --- |
| Failed to request the list of profile | PROFILELIST_COMMAND_FAILED | 30 days |
| Failed to install the profile | INSTALLPROFILE_COMMAND_FAILED | 30 days |
| Failed to remove the profile | REMOVEPROFILE_COMMAND_FAILED | 30 days |
| Failed to request the list of provisioning profiles | PROVISIONINGPROFILELIST_COMMAND_FAILED | 30 days |
| Failed to install provisioning profile | INSTALLPROVISIONINGPROFILE_COMMAND_FAILED | 30 days |
| Failed to remove the provisioning profile | REMOVEPROVISIONINGPROFILE_COMMAND_FAILED | 30 days |
| Failed to request the list of digital certificates | CERTIFICATELIST_COMMAND_FAILED | 30 days |
| Failed to request the list of installed applications | INSTALLEDAPPLICATIONLIST_COMMAND_FAILED | 30 days |
| Failed to request general information about the mobile device | DEVICEINFORMATION_COMMAND_FAILED | 30 days |
| Failed to request security information | SECURITYINFO_COMMAND_FAILED | 30 days |
| Failed to lock the mobile device | DEVICELOCK_COMMAND_FAILED | 30 days |
| Failed to reset the password | CLEARPASSCODE_COMMAND_FAILED | 30 days |
| Failed to wipe data from the mobile device | ERASEDEVICE_COMMAND_FAILED | 30 days |
| Failed to install the app | INSTALLAPPLICATION_COMMAND_FAILED | 30 days |
| Failed to set the redemption code for the app | APPLYREDEMPTIONCODE_COMMAND_FAILED | 30 days |
| Failed to request the list of managed apps | MANAGEDAPPLICATIONLIST_COMMAND_FAILED | 30 days |
| Failed to remove the managed app | REMOVEAPPLICATION_COMMAND_FAILED | 30 days |
| Roaming settings have been rejected | SETROAMINGSETTINGS_COMMAND_FAILED | 30 days |
| Error has occurred in the app operation | PRODUCT_FAILURE | 30 days |
| Command result contains invalid data | MALFORMED_COMMAND | 30 days |
| Failed to send the push notification | SEND_PUSH_NOTIFICATION_FAILED | 30 days |
| Failed to send the command | SEND_COMMAND_FAILED | 30 days |
| Device not found | DEVICE_NOT_FOUND | 30 days |


iOS MDM Server warning events

The table below shows the events of Kaspersky Security Center iOS MDM Server that have the Warning severity level.

You can view the full list of events that can be generated by an application on the Event configuration tab in the application policy.

iOS MDM Server warning events

| Event type display name | Event type | Default storage term |
| --- | --- | --- |
| Attempt to connect a locked mobile device has been detected | INACTICE_DEVICE_TRY_CONNECTED | 30 days |
| Profile has been removed | MDM_PROFILE_WAS_REMOVED | 30 days |
| Attempt to re-use a client certificate has been detected | CLIENT_CERT_ALREADY_IN_USE | 30 days |
| Inactive device has been detected | FOUND_INACTIVE_DEVICE | 30 days |
| Redemption code is required | NEED_REDEMPTION_CODE | 30 days |
| Profile has been included in a policy removed from the device | UMDM_PROFILE_WAS_REMOVED | 30 days |


iOS MDM Server informational events

The table below shows the events of Kaspersky Security Center iOS MDM Server that have the Info severity level.

You can view the full list of events that can be generated by an application on the Event configuration tab in the application policy.

iOS MDM Server informational events

| Event type display name | Event type | Default storage term |
| --- | --- | --- |
| New mobile device has been connected | NEW_DEVICE_CONNECTED | 30 days |
| List of profiles has been successfully requested | PROFILELIST_COMMAND_SUCCESSFULL | 30 days |
| Profile has been successfully installed | INSTALLPROFILE_COMMAND_SUCCESSFULL | 30 days |
| Profile has been successfully removed | REMOVEPROFILE_COMMAND_SUCCESSFULL | 30 days |
| List of provisioning profiles has been successfully requested | PROVISIONINGPROFILELIST_COMMAND_SUCCESSFULL | 30 days |
| Provisioning profile has been successfully installed | INSTALLPROVISIONINGPROFILE_COMMAND_SUCCESSFULL | 30 days |
| Provisioning profile has been successfully removed | REMOVEPROVISIONINGPROFILE_COMMAND_SUCCESSFULL | 30 days |
| List of digital certificates has been successfully requested | CERTIFICATELIST_COMMAND_SUCCESSFULL | 30 days |
| List of installed applications has been successfully requested | INSTALLEDAPPLICATIONLIST_COMMAND_SUCCESSFULL | 30 days |
| General information about the mobile device has been successfully requested | DEVICEINFORMATION_COMMAND_SUCCESSFULL | 30 days |
| Security information has been successfully requested | SECURITYINFO_COMMAND_SUCCESSFULL | 30 days |
| Mobile device has been successfully locked | DEVICELOCK_COMMAND_SUCCESSFULL | 30 days |
| The password has been successfully reset | CLEARPASSCODE_COMMAND_SUCCESSFULL | 30 days |
| Data has been wiped from the mobile device | ERASEDEVICE_COMMAND_SUCCESSFULL | 30 days |
| App has been successfully installed | INSTALLAPPLICATION_COMMAND_SUCCESSFULL | 30 days |
| Redemption code has been successfully set for the app | APPLYREDEMPTIONCODE_COMMAND_SUCCESSFULL | 30 days |
| The list of managed apps has been successfully requested | MANAGEDAPPLICATIONLIST_COMMAND_SUCCESSFULL | 30 days |
| Managed app has been removed successfully | REMOVEAPPLICATION_COMMAND_SUCCESSFULL | 30 days |
| Roaming settings have been successfully applied | SETROAMINGSETTINGS_COMMAND_SUCCESSFUL | 30 days |


Exchange Mobile Device Server events

This section contains information about the events related to an Exchange Mobile Device Server.

In this section

Exchange Mobile Device Server functional failure events

Exchange Mobile Device Server informational events


Exchange Mobile Device Server functional failure events

The table below shows the events of Kaspersky Security Center Exchange Mobile Device Server that have the Functional failure severity level.

You can view the full list of events that can be generated by an application on the Event configuration tab in the application policy.

Exchange Mobile Device Server functional failure events

| Event type display name | Event type | Default storage term |
| --- | --- | --- |
| Failed to wipe data from the mobile device | WIPE_FAILED | 30 days |
| Cannot delete information about mobile device connection to mailbox | DEVICE_REMOVE_FAILED | 30 days |
| Failed to apply the ActiveSync policy to the mailbox | POLICY_APPLY_FAILED | 30 days |
| Application operation error | PRODUCT_FAILURE | 30 days |
| Failed to modify the state of ActiveSync functionality | CHANGE_ACTIVE_SYNC_STATE_FAILED | 30 days |


Exchange Mobile Device Server informational events

The table below shows the events of Kaspersky Security Center Exchange Mobile Device Server that have the Info severity level.

You can view the full list of events that can be generated by an application on the Event configuration tab in the application policy.

Exchange Mobile Device Server informational events

| Event type display name | Event type | Default storage term |
| --- | --- | --- |
| New mobile device has connected | NEW_DEVICE_CONNECTED | 30 days |
| Data has been wiped from the mobile device | WIPE_SUCCESSFULL | 30 days |


Blocking frequent events

This section provides information about managing frequent events blocking, about removing blocking of frequent events, and about exporting the list of frequent events to a file.

In this section

About blocking frequent events

Managing frequent events blocking

Removing blocking of frequent events

Exporting a list of frequent events to a file


About blocking frequent events

A managed application, for example, Kaspersky Endpoint Security for Windows, installed on one or several managed devices can send a lot of events of the same type to the Administration Server. Receiving frequent events may overload the Administration Server database and overwrite other events. Administration Server starts blocking the most frequent events when the number of all the received events exceeds the specified limit for the database.

Administration Server blocks frequent events from being received automatically. You cannot block frequent events yourself or choose which events to block.

If you want to find out if an event is blocked, you can check if this event is present in the Blocking frequent events section of the Administration Server properties. If the event is blocked, you can do the following:

  • If you want to prevent overwriting the database, you can continue to block events of this type from being received.
  • If you want, for example, to find out why the frequent events are being sent to the Administration Server, you can unblock the frequent events and continue to receive events of this type anyway.
  • If you want to continue receiving the frequent events until they become blocked again, you can remove the blocking of the frequent events.

See also:

Managing frequent events blocking

Removing blocking of frequent events

[Topic 213112]

Managing frequent events blocking

Administration Server automatically blocks the receiving of frequent events, but you can stop blocking and continue to receive frequent events. You can also block receiving frequent events that you unblocked before.

To manage frequent events blocking:

  1. In the Kaspersky Security Center console tree, open the context menu of the Administration Server folder, and then select Properties.
  2. In the Administration Server properties window, go to the Sections pane, and then select Blocking frequent events.
  3. In the Blocking frequent events section:
    • Select the Event type options of the events that you want to block from being received.
    • Unselect the Event type options of the events that you want to continue receiving.
  4. Click the Apply button.
  5. Click the OK button.

Administration Server receives the frequent events for which you unselected the option Event type and blocks receiving frequent events for which you selected the option Event type.

See also:

About blocking frequent events

[Topic 212442]

Removing blocking of frequent events

You can remove blocking for frequent events and start receiving them until Administration Server blocks this type of frequent events again.

To remove blocking of frequent events:

  1. In the Kaspersky Security Center console tree, open the context menu of the Administration Server folder, and then select Properties.
  2. In the Administration Server properties window, go to the Sections pane, and then select Blocking frequent events.
  3. In the Blocking frequent events section, click the row of the frequent event for which you want to remove blocking.
  4. Click the Delete button.

The frequent event is removed from the list of the frequent events. Administration Server will receive events of this type.

See also:

About blocking frequent events

[Topic 212556]

Exporting a list of frequent events to a file

To export a list of frequent events to a file:

  1. In the Kaspersky Security Center console tree, open the context menu of the Administration Server folder, and then select Properties.
  2. In the Administration Server properties window, go to the Sections pane, and then select Blocking frequent events.
  3. Click the Export to file button.
  4. In the Save as window that opens, specify the path to the file to which you want to save the list.
  5. Click the Save button.

All the records on the frequent events list are exported to a file.

See also:

About blocking frequent events

Managing frequent events blocking

[Topic 212655]

Controlling changes in the status of virtual machines

Administration Server stores information about the status of managed devices, such as the hardware registry and the list of installed applications, and the settings of managed applications, tasks and policies. If a virtual machine functions as a managed device, the user can restore its status at any time using a previously created snapshot of the virtual machine. In that case, the information about the status of the virtual machine on Administration Server may become outdated.

For example, the administrator created a protection policy on Administration Server at 12:00 PM, and the policy started to run on virtual machine VM_1 at 12:01 PM. At 12:30 PM, the user of virtual machine VM_1 changed its status by restoring it from a snapshot made at 11:00 AM. The protection policy stopped running on the virtual machine. However, the outdated information stored on Administration Server states that the protection policy on virtual machine VM_1 is still running.

Kaspersky Security Center allows you to monitor changes in the status of virtual machines.

After each synchronization with a device, the Administration Server generates a unique ID that is stored on the device and on the Administration Server. Before starting the next synchronization, Administration Server compares the values of those IDs on both sides. If the values of the IDs do not match, Administration Server recognizes the virtual machine as restored from a snapshot. Administration Server resets all the settings of policies and tasks that are active for the virtual machine and sends it the up-to-date policies and the list of group tasks.
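
The ID comparison described above, replayed on the VM_1 timeline as an added Python sketch (not Kaspersky code). The class names, the `check_ids` switch, and the token format are assumptions made for illustration; with the check switched off, the restored VM keeps running without the policy while the server's record says otherwise.

```python
import copy
import secrets


class Device:
    """Managed VM: keeps the ID from its last synchronization and its active policies."""
    def __init__(self, name):
        self.name, self.sync_id, self.policies = name, None, set()

    def snapshot(self):
        return copy.deepcopy(vars(self))

    def restore(self, snap):
        vars(self).update(copy.deepcopy(snap))


class AdminServer:
    def __init__(self, check_ids=True):
        self.check_ids = check_ids  # hypothetical switch, used only to show the contrast
        self.policies = set()       # policies assigned to the group
        self.known = {}             # device name -> (last sync ID, policies believed applied)

    def synchronize(self, device):
        """Synchronize one device; return True if it was recognized as restored."""
        last_id, believed = self.known.get(device.name, (None, set()))
        restored = (self.check_ids and last_id is not None
                    and device.sync_id != last_id)
        if restored:
            device.policies.clear()   # reset settings that were active for the VM
            believed = set()          # the server's view of the VM is no longer trusted
        device.policies |= self.policies - believed   # send what is believed missing
        device.sync_id = secrets.token_hex(16)        # new unique ID stored on both sides
        self.known[device.name] = (device.sync_id, set(self.policies))
        return restored


def replay_timeline(check_ids):
    """Replay the VM_1 timeline; return (restore detected, policy active at the end)."""
    server, vm = AdminServer(check_ids), Device("VM_1")
    server.synchronize(vm)                   # earlier synchronization
    snap = vm.snapshot()                     # 11:00 AM snapshot
    server.policies.add("protection")        # 12:00 PM policy created
    server.synchronize(vm)                   # 12:01 PM policy starts to run
    vm.restore(snap)                         # 12:30 PM user restores the snapshot
    detected = server.synchronize(vm)        # next synchronization
    return detected, "protection" in vm.policies
```
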

[Topic 75895]

Monitoring the anti-virus protection status using information from the system registry

To monitor the anti-virus protection status on a client device using information logged by Network Agent, do one of the following, depending on the operating system of the device:

  • On the devices running Windows:
    1. Open the system registry of the client device (for example, locally, using the regedit command in the Start → Run menu).
    2. Go to the following hive:
      • For 32-bit systems:

        HKEY_LOCAL_MACHINE\SOFTWARE\KasperskyLab\Components\34\1103\1.0.0.0\Statistics\AVState

      • For 64-bit systems:

        HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\KasperskyLab\Components\34\1103\1.0.0.0\Statistics\AVState

      The system registry displays information about the anti-virus protection status of the client device.

  • On the devices running Linux:
    • The information is stored in separate text files, one for each type of data, located at /var/opt/kaspersky/klnagent/1103/1.0.0.0/Statistics/AVState/.
  • On the devices running macOS:
    • The information is stored in separate text files, one for each type of data, located at /Library/Application Support/Kaspersky Lab/klnagent/Data/1103/1.0.0.0/Statistics/AVState/.

The anti-virus protection status corresponds to the values of the keys described in the table below.

Registry keys and their possible values

| Key (data type) | Value | Description |
|---|---|---|
| Protection_LastConnected (REG_SZ) | DD-MM-YYYY HH-MM-SS | Date and time (in UTC format) of the last connection to the Administration Server |
| Protection_AdmServer (REG_SZ) | IP, DNS name, or NetBIOS name | Name of the Administration Server that manages the device |
| Protection_NagentVersion (REG_SZ) | a.b.c.d | Build number of the Network Agent installed on the device |
| Protection_NagentFullVersion (REG_SZ) | a.b.c.d (patch1; patch2; ...; patchN) | Full number of the Network Agent version (with patches) installed on the device |
| Protection_HostId (REG_SZ) | Device ID | ID of the device |
| Protection_DynamicVM (REG_DWORD) | 0 — no; 1 — yes | The Network Agent is installed in the dynamic VDI mode |
| Protection_AvInstalled (REG_DWORD) | 0 — no; 1 — yes | A security application is installed on the device |
| Protection_AvRunning (REG_DWORD) | 0 — no; 1 — yes | Real-time protection is enabled on the device |
| Protection_HasRtp (REG_DWORD) | 0 — no; 1 — yes | A real-time protection component is installed |
| Protection_RtpState (REG_DWORD) | | Real-time protection status: |
| | 0 | Unknown |
| | 1 | Disabled |
| | 2 | Paused |
| | 3 | Starting |
| | 4 | Enabled |
| | 5 | Enabled with the high protection level (maximum protection) |
| | 6 | Enabled with the low protection level (maximum speed) |
| | 7 | Enabled with the default (recommended) settings |
| | 8 | Enabled with custom settings |
| | 9 | Operation failure |
| Protection_LastFscan (REG_SZ) | DD-MM-YYYY HH-MM-SS | Date and time (in UTC format) of the last full scan |
| Protection_BasesDate (REG_SZ) | DD-MM-YYYY HH-MM-SS | Date and time (in UTC format) of the application databases release |
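
One way to turn the keys in the table into a health check, as an added Python example that is not part of the Kaspersky documentation. It assumes that on Linux and macOS each file in the AVState directory is named after its key and holds the value as text, that REG_DWORD values appear as decimal numbers, and that a 7-day staleness threshold suits your environment.

```python
from datetime import datetime, timedelta, timezone
from pathlib import Path

RTP_STATES = {0: "Unknown", 1: "Disabled", 2: "Paused", 3: "Starting", 4: "Enabled",
              5: "Enabled (high protection level)", 6: "Enabled (low protection level)",
              7: "Enabled (default settings)", 8: "Enabled (custom settings)",
              9: "Operation failure"}
RTP_ENABLED = {4, 5, 6, 7, 8}


def load_avstate(directory):
    """Read the AVState directory. Assumption: each file is named after its key."""
    return {p.name: p.read_text().strip() for p in Path(directory).iterdir() if p.is_file()}


def as_int(state, key):
    """Assumption: REG_DWORD values are decimal text; None if absent or malformed."""
    try:
        return int(state[key])
    except (KeyError, ValueError):
        return None


def parse_utc(value):
    """Parse the DD-MM-YYYY HH-MM-SS format, which the table documents as UTC."""
    return datetime.strptime(value, "%d-%m-%Y %H-%M-%S").replace(tzinfo=timezone.utc)


def assess(state, now, max_age=timedelta(days=7)):
    """Return findings for one device (empty list: nothing flagged). max_age is assumed."""
    findings = []
    for key, problem in (("Protection_AvInstalled", "no security application installed"),
                         ("Protection_HasRtp", "no real-time protection component"),
                         ("Protection_AvRunning", "real-time protection is not enabled")):
        if as_int(state, key) != 1:
            findings.append(problem)
    rtp = as_int(state, "Protection_RtpState")
    if rtp not in RTP_ENABLED:
        findings.append(f"Protection_RtpState={rtp}: {RTP_STATES.get(rtp, 'missing or undocumented')}")
    for key, label in (("Protection_BasesDate", "databases"),
                       ("Protection_LastConnected", "last server connection")):
        try:
            age = now - parse_utc(state[key])
        except (KeyError, ValueError):
            findings.append(f"{label}: {key} missing or malformed")
            continue
        if age > max_age:
            findings.append(f"{label} older than {max_age.days} days ({age.days} days)")
    return findings
```

On Windows, the same `assess` function can be given a dictionary built from the values under the AVState registry key.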


[Topic 3644]

Viewing and configuring the actions when devices show inactivity


If client devices within a group are inactive, you can get notifications about it. You can also automatically delete such devices.

To view or configure the actions when the devices in the group show inactivity:

  1. In the console tree, right-click the name of the required administration group.
  2. In the context menu, select Properties.

    This opens the administration group properties window.

  3. In the Properties window, go to the Devices section.
  4. If needed, enable or disable the following options:
    • Notify the administrator if the device has been inactive for longer than (days)

      If this option is enabled, the administrator receives notifications about inactive devices. You can specify the time interval after which the "Device has remained inactive on the network in a long time" event is created. The default time interval is 7 days.

      By default, this option is enabled.

    • Remove the device from the group if it has been inactive for longer than (days)

      If this option is enabled, you can specify the time interval after which the device is automatically removed from the group. The default time interval is 60 days.

      By default, this option is enabled.

    • Inherit from parent group

      The settings in this section will be inherited from the parent group in which the client device is included. If this option is enabled, the settings under Device activity on the network are locked from any changes.

      This option is available only if the administration group has a parent group.

      By default, this option is enabled.

    • Force inheritance in child groups

      The setting values are distributed to child groups, but in the properties of the child groups these settings are locked.

      By default, this option is disabled.

  5. Click OK.

Your changes are saved and applied.


[Topic 173912]

Disabling Kaspersky announcements

In Kaspersky Security Center 13.1 Web Console, the Kaspersky announcements section (MONITORING & REPORTING → Kaspersky announcements) keeps you informed by providing information related to your version of Kaspersky Security Center and the managed applications installed on managed devices. If you do not want to receive Kaspersky announcements, you can disable this feature.

The Kaspersky announcements include two types of information: security-related announcements and marketing announcements. You can disable the announcements of each type separately.

To disable security-related announcements:

  1. In the console tree, select the Administration Server for which you want to disable security-related announcements.
  2. Right-click and in the context menu that appears, select Properties.
  3. In the Administration Server properties window that opens, in the Kaspersky announcements section, disable the Enable the display of Kaspersky announcements in Kaspersky Security Center 13.1 Web Console option.
  4. Click OK.

Kaspersky announcements are disabled.

Marketing announcements are disabled by default. You receive marketing announcements only if you enabled Kaspersky Security Network (KSN). You can disable this type of announcement by disabling KSN.

See also:

About Kaspersky announcements

Specifying Kaspersky announcements settings

[Topic 214003]