Kaspersky Security Center 13.1


Scenario: Updating third-party software

This section provides a scenario for updating third-party software installed on the client devices. The third-party software includes applications from Microsoft and other software vendors. Updates for Microsoft applications are provided by the Windows Update service.

Prerequisites

Administration Server must have a connection to the internet to install updates of third-party software other than Microsoft software.

By default, internet connection is not required for Administration Server to install Microsoft software updates on the managed devices. For example, the managed devices can download the Microsoft software updates directly from Microsoft Update servers or from Windows Server with Microsoft Windows Server Update Services (WSUS) deployed in your organization's network. Administration Server must be connected to the internet when you use Administration Server as WSUS server.

Stages

Updating third-party software proceeds in stages:

  1. Searching for required updates

    To find the third-party software updates required for the managed devices, run the Find vulnerabilities and required updates task. When this task is complete, Kaspersky Security Center receives the lists of detected vulnerabilities and required updates for the third-party software installed on the devices that you specified in the task properties.

    The Find vulnerabilities and required updates task is created automatically by the Administration Server Quick Start Wizard. If you did not run the Wizard, create the task or run the Quick Start Wizard now.

  2. Analyzing the list of found updates

    View the SOFTWARE UPDATES list and decide which updates you want to install. To view detailed information about each update, click the update name in the list. For each update in the list, you can also view the statistics on the update installation on client devices.

  3. Configuring installation of updates

    When Kaspersky Security Center has received the list of the third-party software updates, you can install them on client devices by using the Install required updates and fix vulnerabilities task or the Install Windows Update updates task. Create one of these tasks. You can create these tasks on the TASKS tab or by using the SOFTWARE UPDATES list.

    The Install required updates and fix vulnerabilities task is used to install updates for Microsoft applications, including the updates provided by the Windows Update service, and updates of other vendors' products. Note that this task can be created only if you have the license for the Vulnerability and Patch Management feature.

    The Install Windows Update updates task does not require a license, but it can be used to install Windows Update updates only.

    To install some software updates you must accept the End User License Agreement (EULA) for the installation software. If you decline the EULA, the software update will not be installed.

    You can start an update installation task by schedule. When specifying the task schedule, make sure that the update installation task starts after the Find vulnerabilities and required updates task is complete.

  4. Scheduling the tasks

    To be sure that the update list is always up-to-date, schedule the Find vulnerabilities and required updates task to run automatically from time to time. The default frequency is once a week.

    If you have created the Install required updates and fix vulnerabilities task, you can schedule it to run with the same frequency as the Find vulnerabilities and required updates task or less often. When scheduling the Install Windows Update updates task, note that for this task you must define the list of updates every time before starting this task.

    When scheduling the tasks, make sure that an update installation task starts after the Find vulnerabilities and required updates task is complete.

  5. Approving and declining software updates (optional)

    If you have created the Install required updates and fix vulnerabilities task, you can specify rules for update installation in the task properties. If you have created the Install Windows Update updates task, skip this step.

    For each rule, you can define the updates to install depending on the update status: Undefined, Approved or Declined. For example, you may want to create a specific task for servers and set a rule for this task to allow installation of only Windows Update updates and only those ones that have Approved status. After that you manually set the Approved status for those updates that you want to install. In this case the Windows Update updates that have the Undefined or Declined status will not be installed on the servers that you specified in the task.

    Using the Approved status to manage update installation is efficient for a small number of updates. To install multiple updates, use the rules that you can configure in the Install required updates and fix vulnerabilities task. We recommend that you set the Approved status for only those specific updates that do not meet the criteria specified in the rules. When you manually approve a large number of updates, performance of Administration Server decreases, which may lead to Administration Server overload.

    By default, the downloaded software updates have the Undefined status. You can change the status to Approved or Declined in the SOFTWARE UPDATES list (OPERATIONS → PATCH MANAGEMENT → SOFTWARE UPDATES).

  6. Configuring Administration Server to work as Windows Server Update Services (WSUS) server (optional)

    By default, Windows Update updates are downloaded to the managed devices from Microsoft servers. You can change this setting to use the Administration Server as WSUS server. In this case, the Administration Server synchronizes the update data with Windows Update at the specified frequency and provides updates in centralized mode to Windows Update on networked devices.

    To use the Administration Server as WSUS server, create the Perform Windows Update synchronization task and select the Use Administration Server as WSUS server check box in the Network Agent policy.

  7. Running an update installation task

    Start the Install required updates and fix vulnerabilities task or the Install Windows Update updates task. When you start these tasks, updates are downloaded and installed on managed devices. After the task is complete, make sure that it has the Completed successfully status in the task list.

  8. Create the report on results of update installation of third-party software (optional)

    To view detailed statistics on the update installation, create the Report on results of installation of third-party software updates.

Results

If you have created and configured the Install required updates and fix vulnerabilities task, the updates are installed on the managed devices automatically. When new updates are downloaded to the Administration Server repository, Kaspersky Security Center checks whether they meet the criteria specified in the update rules. All new updates that meet the criteria will be installed automatically at the next task run.

If you have created the Install Windows Update updates task, only those updates specified in the Install Windows Update updates task properties are installed. In future, if you want to install new updates downloaded to the Administration Server repository, you must add the required updates to the list of updates in the existing task or create a new Install Windows Update updates task.
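The difference between the two tasks described above, together with the Approved-only rule from stage 5, as an added example: a simplified Python model, not Kaspersky code and not a Kaspersky Security Center API. The update identifiers, the vendor name ExampleSoft, and the assumptions that criteria inside a rule are ANDed, that rules are ORed, and that Declined updates are never installed are illustrative.

```python
"""Simplified model of the two update installation tasks (added example)."""
from dataclasses import dataclass, replace
from typing import List, Optional, Sequence

# Severity order used by the rule options; the numbers are only for comparison.
SEVERITY = {"Low": 1, "Medium": 2, "High": 3, "Critical": 4}


@dataclass(frozen=True)
class Update:
    update_id: str             # constructed identifier, not a real update id
    vendor: str
    windows_update: bool       # True if provided by the Windows Update service
    severity: str              # assumption: one severity level per update
    status: str = "Undefined"  # Undefined (default), Approved or Declined


@dataclass(frozen=True)
class Rule:
    """One installation rule. Assumption: criteria inside a rule are ANDed."""
    min_severity: Optional[str] = None
    vendor: Optional[str] = None
    windows_update_only: bool = False
    approved_only: bool = False

    def matches(self, u: Update) -> bool:
        if u.status == "Declined":  # assumption: Declined is never installed
            return False
        if self.approved_only and u.status != "Approved":
            return False
        if self.windows_update_only and not u.windows_update:
            return False
        if self.vendor is not None and u.vendor != self.vendor:
            return False
        if self.min_severity is not None:
            return SEVERITY[u.severity] >= SEVERITY[self.min_severity]
        return True


def rule_based_run(repo: Sequence[Update], rules: Sequence[Rule]) -> List[str]:
    """Rule-driven task: rules are re-evaluated against the repository on every run."""
    return [u.update_id for u in repo if any(r.matches(u) for r in rules)]


def list_based_run(repo: Sequence[Update], task_list: Sequence[str]) -> List[str]:
    """List-driven task: installs only the Windows Update updates named in its properties."""
    by_id = {u.update_id: u for u in repo}
    return [i for i in task_list if i in by_id and by_id[i].windows_update]


def awaiting_approval(repo: Sequence[Update], rules: Sequence[Rule]) -> List[str]:
    """Undefined updates that no rule installs yet, but that would match once Approved."""
    held = []
    for u in repo:
        if u.status != "Undefined" or any(r.matches(u) for r in rules):
            continue
        if any(r.matches(replace(u, status="Approved")) for r in rules):
            held.append(u.update_id)
    return held


# Constructed repository contents: week 2 is week 1 plus two newly downloaded updates.
WEEK1 = [
    Update("U-001", "Microsoft", True, "Critical", "Approved"),
    Update("U-002", "ExampleSoft", False, "High"),
    Update("U-003", "ExampleSoft", False, "Low"),
    Update("U-004", "Microsoft", True, "High", "Declined"),
]
WEEK2 = WEEK1 + [
    Update("U-005", "ExampleSoft", False, "Critical"),
    Update("U-006", "Microsoft", True, "Critical"),
]
RULES = [
    Rule(windows_update_only=True, approved_only=True),  # the server rule from stage 5
    Rule(vendor="ExampleSoft", min_severity="High"),
]
TASK_LIST = ["U-001"]  # list saved in the properties of the list-driven task

if __name__ == "__main__":
    for name, repo in (("week 1", WEEK1), ("week 2", WEEK2)):
        print(name, "rule-driven task installs:", rule_based_run(repo, RULES))
        print(name, "list-driven task installs:", list_based_run(repo, TASK_LIST))
        print(name, "held until approved:", awaiting_approval(repo, RULES))
```

In the week 2 run the rule-driven task picks up U-005 with no change to the task, while U-006 stays uninstalled in both tasks until someone approves it or adds it to the list.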

See also

About third-party software updates

Installing third-party software updates

Creating the Find vulnerabilities and required updates task

Find vulnerabilities and required updates task settings

Creating the Install required updates and fix vulnerabilities task

Adding rules for update installation

Creating the Install Windows Update updates task

Viewing information about available third-party software updates

Exporting the list of available software updates to a file

Approving and declining third-party software updates

Creating the Perform Windows Update synchronization task

Updating third-party applications automatically


About third-party software updates

Kaspersky Security Center enables you to manage updates of third-party software installed on managed devices and fix vulnerabilities in Microsoft applications and other software makers' products through installation of required updates.

Kaspersky Security Center searches for updates through the Find vulnerabilities and required updates task. When this task is complete, Administration Server receives the lists of detected vulnerabilities and required updates for the third-party software installed on the devices that you specified in the task properties. After viewing information about available updates, you can install them on devices.

Kaspersky Security Center updates some applications by removing the previous version of the application and installing the new one.

A user interaction may be required when you update a third-party application or fix a vulnerability in a third-party application on a managed device. For example, the user may be prompted to close the third-party application if it's currently open.

For security reasons, any third-party software updates that you install by using the Vulnerability and Patch Management feature are automatically scanned for malware by Kaspersky technologies. These technologies are used for automatic file check and include anti-virus scan, static analysis, dynamic analysis, behavior analysis in the sandbox environment, and machine learning.

Kaspersky experts do not perform manual analysis of third-party software updates that can be installed by using the Vulnerability and Patch Management feature. In addition, Kaspersky experts do not search for vulnerabilities (known or unknown) or undocumented features in such updates, and do not perform any types of analysis of the updates other than those specified in the paragraph above.

Tasks for installing third-party software updates

When metadata of the third-party software updates is downloaded to the repository, you can install the updates on client devices by using the following tasks:

  • The Install required updates and fix vulnerabilities task

    The Install required updates and fix vulnerabilities task is used to install updates for Microsoft applications, including the updates provided by the Windows Update service, and updates of other vendors' products. Note that this task can be created only if you have the license for the Vulnerability and Patch Management feature.

    When this task is complete, the updates are installed on the managed devices automatically. When metadata of new updates is downloaded to the Administration Server repository, Kaspersky Security Center checks whether the updates meet the criteria specified in the update rules. All new updates that meet the criteria will be downloaded and installed automatically at the next task run.

  • The Install Windows Update updates task

    The Install Windows Update updates task does not require a license, but it can be used to install Windows Update updates only.

    When this task is complete, only those updates that are specified in the task properties are installed. In future, if you want to install new updates downloaded to the Administration Server repository, you must add the required updates to the list of updates in the existing task or create a new Install Windows Update updates task.

Using Administration Server as WSUS server

Information about available updates for Microsoft Windows is provided by the Windows Update service. The Administration Server can be used as the Windows Server Update Services (WSUS) server. To use Administration Server as the WSUS server, you create the Perform Windows Update synchronization task and select the Use Administration Server as WSUS server option in the Network Agent policy. After you have configured data synchronization with Windows Update, Administration Server provides updates to Windows Update services on devices in centralized mode and with the set frequency.

See also:

Scenario: Updating third-party software


Installing third-party software updates

You can install third-party software updates on managed devices by creating and running one of the following tasks:

  • Install required updates and fix vulnerabilities

    The Install required updates and fix vulnerabilities task can be created only if you have a license for the Vulnerability and Patch Management feature. You can use this task to install both Windows Update updates provided by Microsoft and updates of other vendors' products.

  • Install Windows Update updates

    You can use the Install Windows Update updates task to install Windows Update updates only.

A user interaction may be required when you update a third-party application or fix a vulnerability in a third-party application on a managed device. For example, the user may be prompted to close the third-party application if it's currently open.

As an option, you can create a task to install the required updates in the following ways:

  • By opening the update list and specifying which updates to install.

    As a result, a new task to install the selected updates is created. As an option, you can add the selected updates to an existing task.

  • By running the Update Installation Wizard.

    The Update Installation Wizard is only available under the Vulnerability and Patch Management license.

    The Wizard simplifies creation and configuration of an update installation task, and allows you to eliminate the creation of redundant tasks that contain the same updates to install.

Installing third-party software updates by using the update list

To install third-party software updates by using the list of updates:

  1. Open one of the lists of updates:
    • To open the general update list, go to OPERATIONS → PATCH MANAGEMENT → SOFTWARE UPDATES.
    • To open the update list for a managed device, go to DEVICES → MANAGED DEVICES → <device name> → Advanced → Available updates.
    • To open the update list for a specific application, go to OPERATIONS → THIRD-PARTY APPLICATIONS → APPLICATIONS REGISTRY → <application name> → Available updates.

    A list of available updates appears.

  2. Select the check boxes next to the updates that you want to install.
  3. Click the Install updates button.

    To install some software updates, you must accept the End User License Agreement (EULA). If you decline the EULA, the software update is not installed.

  4. Select one of the following options:
    • New task

      The Add Task Wizard starts. If you have the Vulnerability and Patch Management license, the Install required updates and fix vulnerabilities task is preselected. If you do not have the license, the Install Windows Update updates task is preselected. Follow the steps of the Wizard to complete the task creation.

    • Install update (add rule to specified task)

      Select a task to which you want to add the selected updates. If you have the Vulnerability and Patch Management license, select the Install required updates and fix vulnerabilities task. A new rule to install the selected updates will be automatically added to the selected task. If you do not have the license, select the Install Windows Update updates task. The selected updates will be added to the task properties.

      The task properties window opens. Click the Save button to save the changes.

If you have chosen to create a task, the task is created and displayed in the task list at DEVICES → TASKS. If you have chosen to add the updates to an existing task, the updates are saved in the task properties.

To install third-party software updates, start the Install required updates and fix vulnerabilities task or the Install Windows Update updates task. You can start any of these tasks manually or specify schedule settings in the properties of the task that you start. When specifying the task schedule, make sure that the update installation task starts after the Find vulnerabilities and required updates task is complete.

Installing third-party software updates by using the Update Installation Wizard

The Update Installation Wizard is only available under the Vulnerability and Patch Management license.

To create a task to install third-party software updates by using the Update Installation Wizard:

  1. Select OPERATIONS → PATCH MANAGEMENT, and in the drop-down list select SOFTWARE UPDATES.

    A list of available updates appears.

  2. Select the check box next to the update that you want to install.
  3. Click the Run Update Installation Wizard button.

    The Update Installation Wizard starts. The Select the update installation task page displays the list of all existing tasks of the following types:

    • Install required updates and fix vulnerabilities
    • Install Windows Update updates
    • Fix vulnerabilities

    You cannot modify the tasks of the last two types to install new updates. To install new updates, you can only use the Install required updates and fix vulnerabilities tasks.

  4. If you want the Wizard to display only those tasks that install the update that you selected, then enable the Show only tasks that install this update option.
  5. Choose what you want to do:
    • To start a task, select the check box next to the task name, and then click the Start button.
    • To add a new rule to an existing task:
      1. Select the check box next to the task name, and then click the Add rule button.
      2. On the page that opens, configure the new rule:
        • Installation rule for updates of this importance level

          Sometimes software updates may impair the user experience with the software. In such cases, you may decide to install only those updates that are critical for the software operation and to skip other updates.

          If this option is enabled, the updates fix only those vulnerabilities for which the severity level set by Kaspersky is equal to or higher than the severity of the selected update (Medium, High, or Critical). Vulnerabilities with a severity level lower than the selected value are not fixed.

          If this option is disabled, the updates fix all vulnerabilities regardless of their severity level.

          By default, this option is disabled.

        • Installation rule for updates of this importance level according to MSRC

          Sometimes software updates may impair the user experience with the software. In such cases, you may decide to install only those updates that are critical for the software operation and to skip other updates.

          If this option is enabled (available only for Windows Update updates), the updates fix only those vulnerabilities for which the severity level set by Microsoft Security Response Center (MSRC) is equal to or higher than the value selected in the list (Low, Medium, High, or Critical). Vulnerabilities with a severity level lower than the selected value are not fixed.

          If this option is disabled, the updates fix all vulnerabilities regardless of their severity level.

          By default, this option is disabled.

        • Installation rule for updates by this vendor

          This option is available only for updates of third-party applications. Kaspersky Security Center installs only those updates that relate to the applications made by the same vendor as the selected update. Declined updates and updates to the applications made by other vendors are not installed.

          By default, this option is disabled.

        • Installation rule for updates of the type
        • Installation rule for the selected update
        • Approve selected updates

          The selected update will be approved for installation. Enable this option if some applied rules of update installation allow installation of approved updates only.

          By default, this option is disabled.

        • Automatically install all previous application updates that are required to install the selected updates

          Keep this option enabled if you agree with the installation of interim application versions when this is required for installing the selected updates.

          If this option is disabled, only the selected versions of applications are installed. Disable this option if you want to update applications in a straightforward manner, without attempting to install successive versions incrementally. If installing the selected updates is not possible without installing previous versions of applications, the updating of the application fails.

          For example, you have version 3 of an application installed on a device and you want to update it to version 5, but version 5 of this application can be installed only over version 4. If this option is enabled, the software first installs version 4, and then installs version 5. If this option is disabled, the software fails to update the application.

          By default, this option is enabled.

      3. Click the Add button.
    • To create a task:
      1. Click the New task button.
      2. On the page that opens, configure the new rule:
        • Installation rule for updates of this importance level

          Sometimes software updates may impair the user experience with the software. In such cases, you may decide to install only those updates that are critical for the software operation and to skip other updates.

          If this option is enabled, the updates fix only those vulnerabilities for which the severity level set by Kaspersky is equal to or higher than the severity of the selected update (Medium, High, or Critical). Vulnerabilities with a severity level lower than the selected value are not fixed.

          If this option is disabled, the updates fix all vulnerabilities regardless of their severity level.

          By default, this option is disabled.

        • Installation rule for updates of this importance level according to MSRC

          Sometimes software updates may impair the user experience with the software. In such cases, you may decide to install only those updates that are critical for the software operation and to skip other updates.

          If this option is enabled (available only for Windows Update updates), the updates fix only those vulnerabilities for which the severity level set by Microsoft Security Response Center (MSRC) is equal to or higher than the value selected in the list (Low, Medium, High, or Critical). Vulnerabilities with a severity level lower than the selected value are not fixed.

          If this option is disabled, the updates fix all vulnerabilities regardless of their severity level.

          By default, this option is disabled.

        • Installation rule for updates by this vendor

          This option is available only for updates of third-party applications. Kaspersky Security Center installs only those updates that relate to the applications made by the same vendor as the selected update. Declined updates and updates to the applications made by other vendors are not installed.

          By default, this option is disabled.

        • Installation rule for updates of the type
        • Installation rule for the selected update
        • Approve selected updates

          The selected update will be approved for installation. Enable this option if some applied rules of update installation allow installation of approved updates only.

          By default, this option is disabled.

        • Automatically install all previous application updates that are required to install the selected updates

          Keep this option enabled if you agree with the installation of interim application versions when this is required for installing the selected updates.

          If this option is disabled, only the selected versions of applications are installed. Disable this option if you want to update applications in a straightforward manner, without attempting to install successive versions incrementally. If installing the selected updates is not possible without installing previous versions of applications, the updating of the application fails.

          For example, you have version 3 of an application installed on a device and you want to update it to version 5, but version 5 of this application can be installed only over version 4. If this option is enabled, the software first installs version 4, and then installs version 5. If this option is disabled, the software fails to update the application.

          By default, this option is enabled.

      3. Click the Add button.

If you have chosen to start a task, you can close the Wizard. The task will complete in background mode. No further actions are required.

If you have chosen to add a rule to an existing task, the task properties window opens. The new rule is already added to the task properties. You can view or modify the rule or other task settings. Click the Save button to save the changes.

If you have chosen to create a task, you continue to create the task in the Add Task Wizard. The new rule that you added in the Update Installation Wizard is displayed in the Add Task Wizard. When you complete the Wizard, the Install required updates and fix vulnerabilities task is added to the task list.

See also:

Scenario: Updating third-party software


Creating the Find vulnerabilities and required updates task

Through the Find vulnerabilities and required updates task, Kaspersky Security Center receives the lists of detected vulnerabilities and required updates for the third-party software installed on the managed devices.

The Find vulnerabilities and required updates task is created automatically when the Quick Start Wizard is running. If you did not run the Wizard, you can create the task manually.

To create the Find vulnerabilities and required updates task:

  1. In the main menu, go to DEVICES → TASKS.
  2. Click Add.

    The Add Task Wizard starts. Follow the steps of the Wizard.

  3. For the Kaspersky Security Center application, select the Find vulnerabilities and required updates task type.
  4. Specify the name for the task that you are creating. A task name cannot be more than 100 characters long and cannot include any special characters ("*<>?\:|).
  5. Select devices to which the task will be assigned.
  6. If you want to modify the default task settings, enable the Open task details when creation is complete option on the Finish task creation page. If you do not enable this option, the task is created with the default settings. You can modify the default settings later, at any time.
  7. Click the Create button.

    The task is created and displayed in the list of tasks.

  8. Click the name of the created task to open the task properties window.
  9. In the task properties window, specify the general task settings.
  10. On the Application settings tab, specify the following settings:
    • Search for vulnerabilities and updates listed by Microsoft

      When searching for vulnerabilities and updates, Kaspersky Security Center uses the information about applicable Microsoft updates from the source of Microsoft updates, which are available at the present moment.

      For example, you may want to disable this option if you have different tasks with different settings for Microsoft updates and updates of third-party applications.

      By default, this option is enabled.

    • Connect to the update server to update data

      Windows Update Agent on a managed device connects to the source of Microsoft updates. The following servers can act as a source of Microsoft updates:

      • Kaspersky Security Center Administration Server (see the settings of Network Agent policy)
      • Windows Server with Microsoft Windows Server Update Services (WSUS) deployed in your organization's network
      • Microsoft Updates servers

      If this option is enabled, Windows Update Agent on a managed device connects to the source of Microsoft updates to refresh the information about applicable Microsoft Windows updates.

      If this option is disabled, Windows Update Agent on a managed device uses the information about applicable Microsoft Windows updates that was received from the source of Microsoft updates earlier and that is stored in the device's cache.

      Connecting to the source of Microsoft updates can be resource-consuming. You might want to disable this option if you set regular connection to this source of updates in another task or in the properties of Network Agent policy, in the section Software updates and vulnerabilities. If you do not want to disable this option, then, to reduce the Server overload, you can configure the task schedule to randomize delay for task starts within 360 minutes.

      By default, this option is enabled.

      The combination of the following options of the Network Agent policy settings defines the mode of getting updates:

      • Windows Update Agent on a managed device connects to the Update Server to get updates only if the Connect to the update server to update data option is enabled and the Active option, in the Windows Update search mode settings group, is selected.
      • Windows Update Agent on a managed device uses the information about applicable Microsoft Windows updates that was received from the source of Microsoft updates earlier and that is stored in the device's cache, if the Connect to the update server to update data option is enabled and the Passive option, in the Windows Update search mode settings group, is selected, or if the Connect to the update server to update data option is disabled and the Active option, in the Windows Update search mode settings group, is selected.
      • Irrespective of the status of the Connect to the update server to update data option (enabled or disabled), if the Disabled option in the Windows Update search mode settings group is selected, Kaspersky Security Center does not request any information about updates.
    • Search for third-party vulnerabilities and updates listed by Kaspersky

      If this option is enabled, Kaspersky Security Center searches for vulnerabilities and required updates for third-party applications (applications made by software vendors other than Kaspersky and Microsoft) in Windows Registry and in the folders specified under Specify paths for advanced search of applications in file system. The full list of supported third-party applications is managed by Kaspersky.

      If this option is disabled, Kaspersky Security Center does not search for vulnerabilities and required updates for third-party applications. For example, you may want to disable this option if you have different tasks with different settings for Microsoft Windows updates and updates of third-party applications.

      By default, this option is enabled.

    • Specify paths for advanced search of applications across the file system

      The folders in which Kaspersky Security Center searches for third-party applications that require vulnerability fix and update installation. You can use system variables.

      Specify the folders to which applications are installed. By default, the list contains system folders to which most of the applications are installed.

    • Enable advanced diagnostics

      If this feature is enabled, Network Agent writes traces even if tracing is disabled for Network Agent in Kaspersky Security Center Remote Diagnostics Utility. Traces are written to two files in turn; the total size of both files is determined by the Maximum size, in MB, of advanced diagnostics files value. When both files are full, Network Agent starts writing to them again. The files with traces are stored in the %WINDIR%\Temp folder. These files are accessible in the remote diagnostics utility, where you can download or delete them.

      If this feature is disabled, Network Agent writes traces according to the settings in Kaspersky Security Center Remote Diagnostics Utility. No additional traces are written.

      When creating a task, you do not have to enable advanced diagnostics. You may want to use this feature later if, for example, a task run fails on some of the devices and you want to get additional information during another task run.

      By default, this option is disabled.

    • Maximum size, in MB, of advanced diagnostics files

      The default value is 100 MB, and available values are between 1 MB and 2048 MB. You may be asked to change the default value by Kaspersky Technical Support specialists when information in the advanced diagnostics files sent by you is not enough to troubleshoot the problem.

  11. Click the Save button.

The task is created and configured.

If the task results contain a warning about the error 0x80240033 "Windows Update Agent error 80240033 ("License terms could not be downloaded.")", you can resolve this issue through the Windows Registry.

See also:

Scenario: Finding and fixing third-party software vulnerabilities

Scenario: Updating third-party software


Find vulnerabilities and required updates task settings


The Find vulnerabilities and required updates task is created automatically when the Quick Start Wizard is running. If you did not run the Wizard, you can create the task manually.

In addition to the general task settings, you can specify the following settings when creating the Find vulnerabilities and required updates task or later, when configuring the properties of the created task:

  • Search for vulnerabilities and updates listed by Microsoft

    When searching for vulnerabilities and updates, Kaspersky Security Center uses the information about applicable Microsoft updates that is currently available from the source of Microsoft updates.

    For example, you may want to disable this option if you have different tasks with different settings for Microsoft updates and updates of third-party applications.

    By default, this option is enabled.

  • Connect to the update server to update data

    Windows Update Agent on a managed device connects to the source of Microsoft updates. The following servers can act as a source of Microsoft updates:

    • Kaspersky Security Center Administration Server (see the settings of Network Agent policy)
    • Windows Server with Microsoft Windows Server Update Services (WSUS) deployed in your organization's network
    • Microsoft Update servers

    If this option is enabled, Windows Update Agent on a managed device connects to the source of Microsoft updates to refresh the information about applicable Microsoft Windows updates.

    If this option is disabled, Windows Update Agent on a managed device uses the information about applicable Microsoft Windows updates that was received from the source of Microsoft updates earlier and that is stored in the device's cache.

    Connecting to the source of Microsoft updates can be resource-consuming. You might want to disable this option if you have set up a regular connection to this source of updates in another task or in the properties of the Network Agent policy, in the Software updates and vulnerabilities section. If you do not want to disable this option, you can reduce the load on the Server by configuring the task schedule to randomize the delay for task starts within 360 minutes.

    By default, this option is enabled.

    The combination of the following options of the Network Agent policy settings defines the mode of getting updates:

    • Windows Update Agent on a managed device connects to the update server to get updates only if the Connect to the update server to update data option is enabled and the Active option is selected in the Windows Update search mode settings group.
    • Windows Update Agent on a managed device uses the information about applicable Microsoft Windows updates that was received from the source of Microsoft updates earlier and is stored in the device's cache in either of two cases: the Connect to the update server to update data option is enabled and the Passive option is selected in the Windows Update search mode settings group, or the Connect to the update server to update data option is disabled and the Active option is selected in the Windows Update search mode settings group.
    • If the Disabled option is selected in the Windows Update search mode settings group, Kaspersky Security Center does not request any information about updates, irrespective of whether the Connect to the update server to update data option is enabled or disabled.
  • Search for third-party vulnerabilities and updates listed by Kaspersky

    If this option is enabled, Kaspersky Security Center searches for vulnerabilities and required updates for third-party applications (applications made by software vendors other than Kaspersky and Microsoft) in Windows Registry and in the folders specified under Specify paths for advanced search of applications in file system. The full list of supported third-party applications is managed by Kaspersky.

    If this option is disabled, Kaspersky Security Center does not search for vulnerabilities and required updates for third-party applications. For example, you may want to disable this option if you have different tasks with different settings for Microsoft Windows updates and updates of third-party applications.

    By default, this option is enabled.

  • Specify paths for advanced search of applications across the file system

    The folders in which Kaspersky Security Center searches for third-party applications that require vulnerability fix and update installation. You can use system variables.

    Specify the folders to which applications are installed. By default, the list contains system folders to which most of the applications are installed.

  • Enable advanced diagnostics

    If this feature is enabled, Network Agent writes traces even if tracing is disabled for Network Agent in Kaspersky Security Center Remote Diagnostics Utility. Traces are written to two files in turn; the total size of both files is determined by the Maximum size, in MB, of advanced diagnostics files value. When both files are full, Network Agent starts writing to them again. The files with traces are stored in the %WINDIR%\Temp folder. These files are accessible in the remote diagnostics utility, where you can download or delete them.

    If this feature is disabled, Network Agent writes traces according to the settings in Kaspersky Security Center Remote Diagnostics Utility. No additional traces are written.

    When creating a task, you do not have to enable advanced diagnostics. You may want to use this feature later if, for example, a task run fails on some of the devices and you want to get additional information during another task run.

    By default, this option is disabled.

  • Maximum size, in MB, of advanced diagnostics files

    The default value is 100 MB, and available values are between 1 MB and 2048 MB. You may be asked to change the default value by Kaspersky Technical Support specialists when information in the advanced diagnostics files sent by you is not enough to troubleshoot the problem.

Recommendations on the task schedule

When scheduling the Find vulnerabilities and required updates task, make sure that two options—Run missed tasks and Use automatically randomized delay for task starts—are enabled.

By default, the Find vulnerabilities and required updates task is set to start at 6:00 PM. If the organization's workplace rules provide for shutting down all devices at this time, the Find vulnerabilities and required updates task will run after the devices are turned on again, that is, in the morning of the next day. Such activity may be undesirable because a vulnerability scan may increase the load on CPUs and disk subsystems. You must set up the most convenient schedule for the task based on the workplace rules adopted in the organization.

See also:

Scanning applications for vulnerabilities

Scenario: Configuring network protection

Scenario: Updating third-party software

General task settings


Creating the Install required updates and fix vulnerabilities task


The Install required updates and fix vulnerabilities task is only available under the Vulnerability and Patch Management license.

The Install required updates and fix vulnerabilities task is used to update and fix vulnerabilities in third-party software, including Microsoft software, installed on the managed devices. This task allows you to install multiple updates and fix multiple vulnerabilities according to certain rules.

To install updates or fix vulnerabilities by using the Install required updates and fix vulnerabilities task, you can do one of the following:

To create the Install required updates and fix vulnerabilities task:

  1. In the main menu, go to DEVICES → TASKS.
  2. Click Add.

    The Add Task Wizard starts. Follow the steps of the Wizard.

  3. For the Kaspersky Security Center application, select the Install required updates and fix vulnerabilities task type.
  4. Specify the name for the task that you are creating. A task name cannot be more than 100 characters long and cannot include any special characters ("*<>?\:|).
  5. Select devices to which the task will be assigned.
  6. Specify the rules for update installation, and then specify the following settings:
    • Start installation at device restart or shutdown

      If this option is enabled, updates are installed when the device is restarted or shut down. Otherwise, updates are installed according to a schedule.

      Use this option if installing the updates might affect the device performance.

      By default, this option is disabled.

    • Install required general system components

      If this option is enabled, before installing an update the application automatically installs all general system components (prerequisites) that are required to install the update. For example, these prerequisites can be operating system updates.

      If this option is disabled, you may have to install the prerequisites manually.

      By default, this option is disabled.

    • Allow installation of new application versions during updates

      If this option is enabled, updates are allowed when they result in installation of a new version of a software application.

      If this option is disabled, the software is not upgraded. You can then install new versions of the software manually or through another task. For example, you may use this option if your company infrastructure is not supported by a new software version or if you want to check an upgrade in a test infrastructure.

      By default, this option is enabled.

      Upgrading an application may cause malfunction of dependent applications installed on client devices.

    • Download updates to the device without installing them

      If this option is enabled, the application downloads updates to the device but does not install them automatically. You can then install the downloaded updates manually.

      Microsoft updates are downloaded to the system Windows storage. Updates of third-party applications (applications made by software vendors other than Kaspersky and Microsoft) are downloaded to the folder specified in the Folder for downloading updates field.

      If this option is disabled, the updates are installed to the device automatically.

      By default, this option is disabled.

    • Folder for downloading updates

      This folder is used to download updates of third-party applications (applications made by software vendors other than Kaspersky and Microsoft).

    • Enable advanced diagnostics

      If this feature is enabled, Network Agent writes traces even if tracing is disabled for Network Agent in Kaspersky Security Center Remote Diagnostics Utility. Traces are written to two files in turn; the total size of both files is determined by the Maximum size, in MB, of advanced diagnostics files value. When both files are full, Network Agent starts writing to them again. The files with traces are stored in the %WINDIR%\Temp folder. These files are accessible in the remote diagnostics utility, where you can download or delete them.

      If this feature is disabled, Network Agent writes traces according to the settings in Kaspersky Security Center Remote Diagnostics Utility. No additional traces are written.

      When creating a task, you do not have to enable advanced diagnostics. You may want to use this feature later if, for example, a task run fails on some of the devices and you want to get additional information during another task run.

      By default, this option is disabled.

    • Maximum size, in MB, of advanced diagnostics files

      The default value is 100 MB, and available values are between 1 MB and 2048 MB. You may be asked to change the default value by Kaspersky Technical Support specialists when information in the advanced diagnostics files sent by you is not enough to troubleshoot the problem.

  7. Specify the operating system restart settings:
    • Do not restart the device

      Client devices are not restarted automatically after the operation. To complete the operation, you must restart a device (for example, manually or through a device management task). Information about the required restart is saved in the task results and in the device status. This option is suitable for tasks on servers and other devices where continuous operation is critical.

    • Restart the device

      Client devices are always restarted automatically if a restart is required for completion of the operation. This option is useful for tasks on devices that provide for regular pauses in their operation (shutdown or restart).

    • Prompt user for action

      The restart reminder is displayed on the screen of the client device, prompting the user to restart it manually. Some advanced settings can be defined for this option: text of the message for the user, the message display frequency, and the time interval after which a restart will be forced (without the user's confirmation). This option is most suitable for workstations where users must be able to select the most convenient time for a restart.

      By default, this option is selected.

    • Repeat prompt every (min)

      If this option is enabled, the application prompts the user to restart the operating system with the specified frequency.

      By default, this option is enabled. The default interval is 5 minutes. Available values are between 1 and 1440 minutes.

      If this option is disabled, the prompt is displayed only once.

    • Restart after (min)

      After prompting the user, the application forces restart of the operating system upon expiration of the specified time interval.

      By default, this option is enabled. The default delay is 30 minutes. Available values are between 1 and 1440 minutes.

    • Wait time before forced closure of applications in blocked sessions (min)

      Applications are forced to close when the user's device becomes locked (automatically after a specified interval of inactivity, or manually).

      If this option is enabled, applications are forced to close on the locked device upon expiration of the time interval specified in the entry field.

      If this option is disabled, applications do not close on the locked device.

      By default, this option is disabled.

  8. If you want to modify the default task settings, enable the Open task details when creation is complete option on the Finish task creation page. If you do not enable this option, the task is created with the default settings. You can modify the default settings later, at any time.
  9. Click the Finish button.

    The task is created and displayed in the list of tasks.

  10. Click the name of the created task to open the task properties window.
  11. In the task properties window, specify the general task settings according to your needs.
  12. Click the Save button.

    The task is created and configured.

If the task results contain a warning about the error 0x80240033 "Windows Update Agent error 80240033 ("License terms could not be downloaded.")", you can resolve this issue through the Windows Registry.

See also:

Scenario: Updating third-party software

Scenario: Finding and fixing third-party software vulnerabilities

About third-party software updates


Adding rules for update installation


This feature is only available under the Vulnerability and Patch Management license.

When installing software updates or fixing software vulnerabilities by using the Install required updates and fix vulnerabilities task, you must specify rules for the update installation. These rules determine the updates to install and the vulnerabilities to fix.

The exact settings depend on whether you add a rule for all updates, for Windows Update updates, or for updates of third-party applications (applications made by software vendors other than Kaspersky and Microsoft). When adding a rule for Windows Update updates or updates of third-party applications, you can select specific applications and application versions for which you want to install updates. When adding a rule for all updates, you can select specific updates that you want to install and vulnerabilities that you want to fix by means of installing updates.

You can add a rule for update installation in the following ways:

To add a new rule for all updates:

  1. Click the Add button.

    The Rule Creation Wizard starts. Proceed through the Wizard by using the Next button.

  2. On the Rule type page, select Rule for all updates.
  3. On the General criteria page, use the drop-down lists to specify the following settings:
    • Set of updates to install

      Select the updates that must be installed on client devices:

      • Install approved updates only. This installs only approved updates.
      • Install all updates (except declined). This installs updates with the Approved or Undefined approval status.
      • Install all updates (including declined). This installs all updates, regardless of their approval status. Select this option with caution. For example, use this option if you want to check installation of some declined updates in a test infrastructure.
    • Fix vulnerabilities with a severity level equal to or higher than

      Sometimes software updates may impair the user experience with the software. In such cases, you may decide to install only those updates that are critical for the software operation and to skip other updates.

      If this option is enabled, the updates fix only those vulnerabilities for which the severity level set by Kaspersky is equal to or higher than the value selected in the list (Medium, High, or Critical). Vulnerabilities with a severity level lower than the selected value are not fixed.

      If this option is disabled, the updates fix all vulnerabilities regardless of their severity level.

      By default, this option is disabled.

  4. On the Updates page, select the updates to be installed:
    • Install all suitable updates

      Install all software updates that meet the criteria specified on the General criteria page of the Wizard. Selected by default.

    • Install only updates from the list

      Install only software updates that you select manually from the list. This list contains all available software updates.

      For example, you may want to select specific updates in the following cases: to check their installation in a test environment, to update only critical applications, or to update only specific applications.

      • Automatically install all previous application updates that are required to install the selected updates

        Keep this option enabled if you agree with the installation of interim application versions when this is required for installing the selected updates.

        If this option is disabled, only the selected versions of applications are installed. Disable this option if you want to update applications in a straightforward manner, without attempting to install successive versions incrementally. If installing the selected updates is not possible without installing previous versions of applications, the updating of the application fails.

        For example, you have version 3 of an application installed on a device and you want to update it to version 5, but version 5 of this application can be installed only over version 4. If this option is enabled, the software first installs version 4, and then installs version 5. If this option is disabled, the software fails to update the application.

        By default, this option is enabled.

  5. On the Vulnerabilities page, select vulnerabilities that will be fixed by installing the selected updates:
    • Fix all vulnerabilities that match other criteria

      Fix all vulnerabilities that meet the criteria specified on the General criteria page of the Wizard. Selected by default.

    • Fix only vulnerabilities from the list

      Fix only vulnerabilities that you select manually from the list. This list contains all detected vulnerabilities.

      For example, you may want to select specific vulnerabilities in the following cases: to check their fix in a test environment, to fix vulnerabilities only in critical applications, or to fix vulnerabilities only in specific applications.

  6. On the Name page, specify the name for the rule that you are adding. You can later change this name in the Settings section of the properties window of the created task.

After the Rule Creation Wizard completes its operation, the new rule is added and displayed in the rule list in the Add Task Wizard or in the task properties.
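The selection logic described for a Rule for all updates can be modelled offline to check what a rule would pick, and what it would leave unpatched, before the task is assigned to devices. The following Python model is an added example, not Kaspersky code and not an API of Kaspersky Security Center; the catalog entries and application names are constructed, and the single severity per update and the unfiltered handling of interim versions are assumptions.

```python
from dataclasses import dataclass
from typing import Optional

# Severity order used by the threshold option.
SEVERITY = {"Low": 1, "Medium": 2, "High": 3, "Critical": 4}

# "Set of updates to install" values and the approval statuses each one admits.
APPROVAL_SETS = {
    "Install approved updates only": {"Approved"},
    "Install all updates (except declined)": {"Approved", "Undefined"},
    "Install all updates (including declined)": {"Approved", "Undefined", "Declined"},
}


@dataclass(frozen=True)
class Update:
    app: str
    version: int              # version this update installs
    requires: Optional[int]   # version it can only be installed over (None: any)
    approval: str             # Approved, Undefined, or Declined
    severity: Optional[str]   # assumption: one severity per update; None = no vulnerability fix


@dataclass
class Rule:
    update_set: str
    min_severity: Optional[str] = None   # threshold option is disabled by default
    only_listed: Optional[set] = None    # None models "Install all suitable updates"
    install_previous: bool = True        # interim versions option is enabled by default


def plan(rule, installed, catalog):
    """Return (install_order, failed) as lists of (app, version) tuples."""
    allowed = APPROVAL_SETS[rule.update_set]
    floor = SEVERITY[rule.min_severity] if rule.min_severity else None
    by_key = {(u.app, u.version): u for u in catalog}

    def suitable(u):
        if u.approval not in allowed:
            return False
        if floor is not None and (u.severity is None or SEVERITY[u.severity] < floor):
            return False
        return rule.only_listed is None or (u.app, u.version) in rule.only_listed

    order, failed = [], []
    current = dict(installed)
    for u in sorted(filter(suitable, catalog), key=lambda x: (x.app, x.version)):
        cur = current.get(u.app)
        if cur is None or u.version <= cur:
            continue  # application absent from the device or already at this version
        # Walk back through prerequisite versions until one matches what is installed.
        chain = [u]
        while chain and chain[0].requires is not None and chain[0].requires > cur:
            prev = by_key.get((u.app, chain[0].requires))
            # Assumption: interim versions come from the catalog without re-filtering.
            chain = [prev] + chain if (prev is not None and rule.install_previous) else []
        if not chain:
            failed.append((u.app, u.version))  # prerequisite missing or not allowed
            continue
        order.extend((step.app, step.version) for step in chain)
        current[u.app] = u.version
    return order, failed


# Constructed sample data: application names and versions are placeholders.
CATALOG = [
    Update("ExampleReader", 4, 3, "Approved", "Medium"),
    Update("ExampleReader", 5, 4, "Approved", "Critical"),
    Update("ExampleZip", 2, None, "Undefined", "High"),
    Update("ExamplePlayer", 7, None, "Declined", "Critical"),
    Update("ExampleNotes", 3, None, "Approved", "Low"),
]
INSTALLED = {"ExampleReader": 3, "ExampleZip": 1, "ExamplePlayer": 6, "ExampleNotes": 2}

if __name__ == "__main__":
    strict = Rule("Install all updates (except declined)", min_severity="Critical",
                  only_listed={("ExampleReader", 5)}, install_previous=False)
    print("interim versions disabled:", plan(strict, INSTALLED, CATALOG))
    strict.install_previous = True
    print("interim versions enabled: ", plan(strict, INSTALLED, CATALOG))
```

With interim versions disabled, the model reports the version 5 update as failed because the device is still on version 3, which matches the version 3, 4, 5 case described above.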

To add a new rule for Windows Update updates:

  1. Click the Add button.

    The Rule Creation Wizard starts. Proceed through the Wizard by using the Next button.

  2. On the Rule type page, select Rule for Windows Update.
  3. On the General criteria page, specify the following settings:
    • Set of updates to install

      Select the updates that must be installed on client devices:

      • Install approved updates only. This installs only approved updates.
      • Install all updates (except declined). This installs updates with the Approved or Undefined approval status.
      • Install all updates (including declined). This installs all updates, regardless of their approval status. Select this option with caution. For example, use this option if you want to check installation of some declined updates in a test infrastructure.
    • Fix vulnerabilities with a severity level equal to or higher than

      Sometimes software updates may impair the user experience with the software. In such cases, you may decide to install only those updates that are critical for the software operation and to skip other updates.

      If this option is enabled, the updates fix only those vulnerabilities for which the severity level set by Kaspersky is equal to or higher than the value selected in the list (Medium, High, or Critical). Vulnerabilities with a severity level lower than the selected value are not fixed.

      If this option is disabled, the updates fix all vulnerabilities regardless of their severity level.

      By default, this option is disabled.

    • Fix vulnerabilities with an MSRC severity level equal to or higher than

      Sometimes software updates may impair the user experience with the software. In such cases, you may decide to install only those updates that are critical for the software operation and to skip other updates.

      If this option is enabled, the updates fix only those vulnerabilities for which the severity level set by Microsoft Security Response Center (MSRC) is equal to or higher than the value selected in the list (Low, Medium, High, or Critical). Vulnerabilities with a severity level lower than the selected value are not fixed.

      If this option is disabled, the updates fix all vulnerabilities regardless of their severity level.

      By default, this option is disabled.

  4. On the Applications page, select the applications and application versions for which you want to install updates. By default, all applications are selected.
  5. On the Categories of updates page, select the categories of updates to be installed. These categories are the same as in Microsoft Update Catalog. By default, all categories are selected.
  6. On the Name page, specify the name for the rule that you are adding. You can later change this name in the Settings section of the properties window of the created task.

After the Rule Creation Wizard completes its operation, the new rule is added and displayed in the rule list in the Add Task Wizard or in the task properties.

To add a new rule for updates of third-party applications:

  1. Click the Add button.

    The Rule Creation Wizard starts. Proceed through the Wizard by using the Next button.

  2. On the Rule type page, select Rule for third-party updates.
  3. On the General criteria page, specify the following settings:
    • Set of updates to install

      Select the updates that must be installed on client devices:

      • Install approved updates only. This installs only approved updates.
      • Install all updates (except declined). This installs updates with the Approved or Undefined approval status.
      • Install all updates (including declined). This installs all updates, regardless of their approval status. Select this option with caution. For example, use this option if you want to check installation of some declined updates in a test infrastructure.
    • Fix vulnerabilities with a severity level equal to or higher than

      Sometimes software updates may impair the user experience with the software. In such cases, you may decide to install only those updates that are critical for the software operation and to skip other updates.

      If this option is enabled, the updates fix only those vulnerabilities for which the severity level set by Kaspersky is equal to or higher than the value selected in the list (Medium, High, or Critical). Vulnerabilities with a severity level lower than the selected value are not fixed.

      If this option is disabled, the updates fix all vulnerabilities regardless of their severity level.

      By default, this option is disabled.

  4. On the Applications page, select the applications and application versions for which you want to install updates. By default, all applications are selected.
  5. On the Name page, specify the name for the rule that you are adding. You can later change this name in the Settings section of the properties window of the created task.

After the Rule Creation Wizard completes its operation, the new rule is added and displayed in the rule list in the Add Task Wizard or in the task properties.

See also:

Scenario: Updating third-party software

Scenario: Finding and fixing third-party software vulnerabilities


Creating the Install Windows Update updates task


The Install Windows Update updates task allows you to install software updates provided by the Windows Update service on managed devices.

If you do not have the Vulnerability and Patch Management license, you cannot create new tasks of the Install Windows Update updates type. To install new updates, you can add them to an existing Install Windows Update updates task. We recommend that you use the Install required updates and fix vulnerabilities task instead of the Install Windows Update updates task. The Install required updates and fix vulnerabilities task enables you to install multiple updates and fix multiple vulnerabilities automatically, according to the rules that you define. In addition, this task enables you to install updates from software vendors other than Microsoft.

A user interaction may be required when you update a third-party application or fix a vulnerability in a third-party application on a managed device. For example, the user may be prompted to close the third-party application if it's currently open.

To create the Install Windows Update updates task:

  1. In the main menu, go to DEVICES → TASKS.
  2. Click Add.

    The Add Task Wizard starts. Proceed through the Wizard by using the Next button.

  3. For the Kaspersky Security Center application, select the Install Windows Update updates task type.
  4. Specify the name for the task that you are creating.

    A task name cannot be more than 100 characters long and cannot include any special characters ("*<>?\:|).

  5. Select devices to which the task will be assigned.
  6. Click the Add button.

    The list of updates opens.

  7. Select the Windows Update updates that you want to install, and then click OK.
  8. Specify the operating system restart settings:
    • Do not restart the device

      Client devices are not restarted automatically after the operation. To complete the operation, you must restart a device (for example, manually or through a device management task). Information about the required restart is saved in the task results and in the device status. This option is suitable for tasks on servers and other devices where continuous operation is critical.

    • Restart the device

      Client devices are always restarted automatically if a restart is required for completion of the operation. This option is useful for tasks on devices that provide for regular pauses in their operation (shutdown or restart).

    • Prompt user for action

      The restart reminder is displayed on the screen of the client device, prompting the user to restart it manually. Some advanced settings can be defined for this option: text of the message for the user, the message display frequency, and the time interval after which a restart will be forced (without the user's confirmation). This option is most suitable for workstations where users must be able to select the most convenient time for a restart.

      By default, this option is selected.

    • Repeat prompt every (min)

      If this option is enabled, the application prompts the user to restart the operating system with the specified frequency.

      By default, this option is enabled. The default interval is 5 minutes. Available values are between 1 and 1440 minutes.

      If this option is disabled, the prompt is displayed only once.

    • Restart after (min)

      After prompting the user, the application forces restart of the operating system upon expiration of the specified time interval.

      By default, this option is enabled. The default delay is 30 minutes. Available values are between 1 and 1440 minutes.

    • Force closure of applications in blocked sessions

      Running applications may prevent a restart of the client device. For example, if a document is being edited in a word processing application and is not saved, the application does not allow the device to restart.

      If this option is enabled, such applications on a locked device are forced to close before the device restart. As a result, users may lose their unsaved changes.

      If this option is disabled, a locked device is not restarted. The task status on this device states that a device restart is required. Users have to manually close all applications running on locked devices and restart these devices.

      By default, this option is disabled.

  9. Specify the account settings:
    • Default account

      The task will be run under the same account as the application that performs this task.

      By default, this option is selected.

    • Specify account

      Fill in the Account and Password fields to specify the details of an account under which the task is run. The account must have sufficient rights for this task.

    • Account

      Account under which the task is run.

    • Password

      Password of the account under which the task will be run.

  10. If you want to modify the default task settings, enable the Open task details when creation is complete option on the Finish task creation page. If you do not enable this option, the task is created with the default settings. You can modify the default settings later, at any time.
  11. Click the Finish button.

    The task is created and displayed in the list of tasks.

  12. Click the name of the created task to open the task properties window.
  13. In the task properties window, specify the general task settings according to your needs.
  14. Click the Save button.

The task is created and configured.

See also:

Scenario: Updating third-party software

Kaspersky Security Center licensing options

Creating the Install required updates and fix vulnerabilities task

Viewing information about available third-party software updates

About third-party software updates


Viewing information about available third-party software updates


You can view the list of available updates for third-party software, including Microsoft software, installed on client devices.

To view a list of available updates for third-party applications installed on client devices:

  1. Select OPERATIONS → PATCH MANAGEMENT.
  2. Select SOFTWARE UPDATES in the drop-down list.

A list of available updates appears.

You can specify a filter to view the list of software updates. Click the Filter icon in the upper right corner of the software updates list to manage the filter. You can also select one of preset filters from the Preset filters drop-down list above the software vulnerabilities list.

To view the properties of an update:

  1. Click the name of the required software update.
  2. The properties window of the update opens, displaying information grouped on the following tabs:
    • General

      This tab displays general details of the selected update:

      • Update approval status (can be changed manually by selecting a new status in the drop-down list)
      • Windows Server Update Services (WSUS) category to which the update belongs
      • Date and time the update was registered
      • Date and time the update was created
      • Importance level of the update
      • Installation requirements imposed by the update
      • Application family to which the update belongs
      • Application to which the update applies
      • Number of the update revision
    • Attributes

      This tab displays a set of attributes that you can use to obtain more information about the selected update. This set differs depending on whether the update is published by Microsoft or by a third-party vendor.

      The tab displays the following information for a Microsoft update:

      • Importance level of the update according to the Microsoft Security Response Center (MSRC)
      • Link to the article in the Microsoft Knowledge Base describing the update
      • Link to the article in the Microsoft Security Bulletin describing the update
      • Update identifier (ID)

      The tab displays the following information for a third-party update:

      • Whether the update is a patch or a full distribution package
      • Localization language of the update
      • Whether the update is installed automatically or manually
      • Whether the update was revoked after being applied
      • Link for downloading the update
    • Devices

      This tab displays a list of devices on which the selected update has been installed.

    • Fixed vulnerabilities

      This tab displays a list of vulnerabilities that the selected update can fix.

    • Crossover of updates

      This tab displays possible crossovers between various updates published for the same application, that is, whether the selected update can supersede other updates or, vice versa, be superseded by other updates (available for Microsoft updates only).

    • Tasks to install this update

      This tab displays a list of tasks whose scope includes installation of the selected update. The tab also enables you to create a new remote installation task for the update.

To view the statistics of an update installation:

  1. Select the check box next to the required software update.
  2. Click the Statistics of update installation statuses button.

The diagram of the update installation statuses is displayed. Clicking a status opens a list of devices on which the update has the selected status.

You can view information about available software updates for third-party software, including Microsoft software, installed on the selected managed device running Windows.

To view a list of available updates for third-party software installed on the selected managed device:

  1. Select DEVICES → MANAGED DEVICES.

    The list of managed devices is displayed.

  2. In the list of managed devices, click the link with the name of the device for which you want to view third-party software updates.

    The properties window of the selected device is displayed.

  3. In the properties window of the selected device, select the Advanced tab.
  4. In the left pane, select the Available updates section. If you want to view only installed updates, enable the Show installed updates option.

The list of available third-party software updates for the selected device is displayed.

See also:

Scenario: Updating third-party software


Exporting the list of available software updates to a file

You can export the currently displayed list of updates for third-party software, including Microsoft software, to a CSV or TXT file. You can use these files, for example, to send them to your information security manager or to store them for purposes of statistics.

To export to a text file the list of available updates for third-party software installed on all managed devices:

  1. On the OPERATIONS tab, in the PATCH MANAGEMENT drop-down list, select SOFTWARE UPDATES.

    The page displays a list of available updates for third-party software installed on all managed devices.

  2. Click the Export rows to TXT file or Export rows to CSV file button, depending on the format you prefer for export.

The file containing the list of available updates for third-party software, including Microsoft software, is downloaded to the device that you use at the moment.

To export to a text file the list of available updates for third-party software installed on the selected managed device:

  1. Open the list of available third-party software updates on the selected managed device.
  2. Select the software updates you want to export.

    Skip this step if you want to export a complete list of software updates.

    If you want to export a complete list of software updates, only updates displayed on the current page will be exported.

    If you want to export only installed updates, select the Show installed updates check box.

  3. Click the Export rows to TXT file or Export rows to CSV file button, depending on the format you prefer for export.

The file containing the list of updates for third-party software, including Microsoft software, installed on the selected managed device is downloaded to the device you are using at the moment.

See also:

Scenario: Updating third-party software


Approving and declining third-party software updates

When you configure the Install required updates and fix vulnerabilities task, you can create a rule that requires a specific status of updates that are to be installed. For example, an update rule can allow installation of the following:

  • Only approved updates
  • Only approved and undefined updates
  • All updates irrespective of the update statuses

You can approve updates that must be installed and decline updates that must not be installed.

Using the Approved status to manage update installation is efficient for a small number of updates. To install multiple updates, use the rules that you can configure in the Install required updates and fix vulnerabilities task. We recommend that you set the Approved status for only those specific updates that do not meet the criteria specified in the rules. When you manually approve a large number of updates, performance of Administration Server decreases, which may lead to Administration Server overload.

To approve or decline one or several updates:

  1. In the main menu, go to OPERATIONS → PATCH MANAGEMENT, and in the drop-down list select SOFTWARE UPDATES.

    A list of available updates appears.

  2. Select the updates that you want to approve or decline.
  3. Click Approve to approve the selected updates or Decline to decline the selected updates.

    The default value is Undefined.

The selected updates have the statuses that you defined.

As an option, you can change the approval status in the properties of a specific update.

To approve or decline an update in its properties:

  1. In the main menu, go to OPERATIONS → PATCH MANAGEMENT, and then select SOFTWARE UPDATES in the drop-down list.

    A list of available updates appears.

  2. Click the name of the update that you want to approve or decline.

    The update properties window opens.

  3. In the General section, select a status for the update by changing the Update approval status option. You can select the Approved, Declined, or Undefined status.
  4. Click the Save button to save the changes.

The selected update has the status that you defined.

If you set Declined status for third-party software updates, these updates will not be installed on devices for which they were planned but have not yet been installed. Updates will remain on devices on which they were already installed. If you have to delete them, you can manually delete them locally.
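The following is an added example, not part of the Kaspersky documentation: it previews, from an exported CSV list of updates, which pending updates each rule variant described above would admit, and which updates still need an approval decision. The column names, the comma delimiter, the Yes/No values of the Installed column, and the sample rows are assumptions constructed for this example; match them to the header row of the file you actually export.

```python
import csv
import io
from collections import Counter

# Constructed sample export. Column names and values are assumptions,
# not the real header of a Kaspersky Security Center export file.
SAMPLE_EXPORT = """\
Name,Update approval status,Importance level,Installed
Example Reader 21.1 patch,Approved,Critical,No
Example Browser 98.0,Undefined,High,No
Example Archiver 9.2,Declined,Medium,No
Example Player 3.0.16,undefined ,Low,Yes
Example Editor 8.4,Approved,High,Yes
Example Runtime 17,Pending review,High,No
"""

# The three approval statuses named on the page.
KNOWN_STATUSES = ("Approved", "Declined", "Undefined")

# Rule variants listed on the page, mapped to the statuses each one admits.
# "all_statuses" follows the rule wording literally; the page also states that
# Declined updates are not installed where they are still pending, so treat
# any Declined row this mode returns as something to verify in the console.
RULE_MODES = {
    "approved_only": {"Approved"},
    "approved_and_undefined": {"Approved", "Undefined"},
    "all_statuses": set(KNOWN_STATUSES),
}


def normalize_status(value):
    """Map a raw cell to a known status, or None if it is not recognized."""
    cleaned = value.strip().lower()
    for known in KNOWN_STATUSES:
        if cleaned == known.lower():
            return known
    return None


def load_updates(text):
    """Parse the export text into a list of normalized update records."""
    reader = csv.DictReader(io.StringIO(text.lstrip("\ufeff")))  # drop a BOM
    rows = []
    for raw in reader:
        rows.append({
            "name": raw["Name"].strip(),
            "status": normalize_status(raw["Update approval status"]),
            "importance": raw["Importance level"].strip(),
            "installed": raw["Installed"].strip().lower() == "yes",
        })
    return rows


def preview_rule(rows, mode):
    """Names of not-yet-installed updates whose status the rule admits.

    Rows with an unrecognized status are never admitted (fail closed).
    """
    allowed = RULE_MODES[mode]
    return [r["name"] for r in rows
            if not r["installed"] and r["status"] in allowed]


def review_queue(rows):
    """Pending updates that still need a decision: Undefined or unrecognized."""
    return [r["name"] for r in rows
            if not r["installed"] and r["status"] in (None, "Undefined")]


def status_counts(rows):
    """Count updates per status; a high Approved count means heavy manual approval."""
    return Counter(r["status"] or "Unrecognized" for r in rows)


if __name__ == "__main__":
    updates = load_updates(SAMPLE_EXPORT)
    for mode in RULE_MODES:
        print(mode, "->", preview_rule(updates, mode))
    print("needs decision ->", review_queue(updates))
    print("status counts  ->", dict(status_counts(updates)))
```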

See also:

Scenario: Updating third-party software

Creating the Install required updates and fix vulnerabilities task


Creating the Perform Windows Update synchronization task


The Perform Windows Update synchronization task is only available under the Vulnerability and Patch Management license.

The Perform Windows Update synchronization task is required if you want to use the Administration Server as a WSUS server. In this case, the Administration Server downloads Windows updates to the database, and provides the updates to Windows Update on client devices, in the centralized mode through Network Agents. If the network does not use a WSUS server, each client device downloads Microsoft updates from external servers independently.

The Perform Windows Update synchronization task only downloads metadata from Microsoft servers. Kaspersky Security Center downloads the updates when you run an update installation task and only those updates that you select for installation.

When running the Perform Windows Update synchronization task, the application receives a list of current updates from a Microsoft update server. Next, Kaspersky Security Center compiles a list of updates that have become outdated. At the next start of the Find vulnerabilities and required updates task, Kaspersky Security Center flags all outdated updates and sets the deletion time for them. At the next start of the Perform Windows Update synchronization task, all updates flagged for deletion 30 days ago are deleted. Kaspersky Security Center also checks for outdated updates that were flagged for deletion more than 180 days ago, and then deletes those older updates.

When the Perform Windows Update synchronization task completes and outdated updates are deleted, the database may still have the hash codes pertaining to the files of deleted updates, as well as the corresponding files in the %AllUsersProfile%\Application Data\KasperskyLab\adminkit\1093\.working\wusfiles folder (if they were downloaded earlier). You can run the Administration Server maintenance task to delete these outdated records from the database and the corresponding files.

To create the Perform Windows Update synchronization task:

  1. In the main menu, go to DEVICES → TASKS.
  2. Click Add.

    The Add Task Wizard starts. Follow the steps of the Wizard.

  3. For the Kaspersky Security Center application, select the Perform Windows Update synchronization task type.
  4. Specify the name for the task that you are creating. A task name cannot be more than 100 characters long and cannot include any special characters ("*<>?\:|).
  5. Enable the Download express installation files option if you want the express update files to be downloaded when running the task.

    When Kaspersky Security Center synchronizes updates with Microsoft Windows Update Servers, information about all files is saved in the Administration Server database. All files required for an update are also downloaded to the drive during interaction with the Windows Update Agent. In particular, Kaspersky Security Center saves information about express update files to the database and downloads them when necessary. Downloading express update files leads to decreased free space on the drive.

    To avoid a decrease in disk space volume and to reduce traffic, disable the Download express installation files option.

  6. Select the applications for which you want to download updates.

    If the All applications check box is selected, updates will be downloaded for all existing applications, and for all applications that may be released in the future.

  7. Select the categories of updates that you want to download to the Administration Server.

    If the All categories check box is selected, updates will be downloaded for all existing updates categories, and for all categories that may appear in the future.

  8. Select the localization languages for the updates that you want to download to the Administration Server. Select one of the following options:
    • Download all languages, including new ones

      If this option is selected, all the available localization languages of updates will be downloaded to Administration Server. By default, this option is selected.

    • Download selected languages

      If this option is selected, you can select from the list localization languages of updates that should be downloaded to Administration Server.

  9. Specify which account to use when running the task. Select one of the following options:
    • Default account

      The task will be run under the same account as the application that performs this task.

      By default, this option is selected.

    • Specify account

      Fill in the Account and Password fields to specify the details of an account under which the task is run. The account must have sufficient rights for this task.

  10. If you want to modify the default task settings, enable the Open task details when creation is complete option on the Finish task creation page. If you do not enable this option, the task is created with the default settings. You can modify the default settings later, at any time.
  11. Click the Finish button.

    The task is created and displayed in the list of tasks.

  12. Click the name of the created task to open the task properties window.
  13. In the task properties window, specify the general task settings according to your needs.
  14. Click the Save button.

The task is created and configured.

See also:

Scenario: Finding and fixing third-party software vulnerabilities

Scenario: Updating third-party software


Updating third-party applications automatically

Some third-party applications can be updated automatically. The application vendor defines whether or not the application supports the auto-update feature. If a third-party application installed on a managed device supports auto-update, you can specify the auto-update setting in the application properties. After you change the auto-update setting, Network Agents apply the new setting on each managed device on which the application is installed.

The auto-update setting is independent of the other objects and settings of the Vulnerability and Patch Management feature. For example, this setting does not depend on an update approval status or the update installation tasks, such as Install required updates and fix vulnerabilities, Install Windows Update updates, and Fix vulnerabilities.

To configure the auto-update setting for a third-party application:

  1. In the main menu, go to OPERATIONS → THIRD-PARTY APPLICATIONS → APPLICATIONS REGISTRY.
  2. Click the name of the application for which you want to change the auto-update setting.

    To simplify the search, you can filter the list by the Automatic Updates status column.

    The application properties window opens.

  3. In the General section, select a value for the following setting:

    Automatic Updates status

    Select one of the following options:

    • Undefined

      The auto-update feature is disabled. Kaspersky Security Center installs third-party application updates by using the tasks: Install required updates and fix vulnerabilities, Install Windows Update updates, and Fix vulnerabilities.

    • Allowed

      After the vendor releases an update for the application, this update is installed on the managed devices automatically. No additional actions are required.

    • Blocked

      The application updates are not installed automatically. Kaspersky Security Center installs third-party application updates by using the tasks: Install required updates and fix vulnerabilities, Install Windows Update updates, and Fix vulnerabilities.

  4. Click the Save button to save the changes.

The auto-update setting is applied to the selected application.

See also:

Scenario: Updating third-party software


Scenario: Finding and fixing third-party software vulnerabilities

This section provides a scenario for finding and fixing vulnerabilities on the managed devices running Windows. You can find and fix software vulnerabilities in the operating system and in third-party software, including Microsoft software.

Prerequisites

  • Kaspersky Security Center is deployed in your organization.
  • There are managed devices running Windows in your organization.
  • Internet connection is required for Administration Server to perform the following tasks:
    • To make a list of recommended fixes for vulnerabilities in Microsoft software. The list is created and regularly updated by Kaspersky specialists.
    • To fix vulnerabilities in third-party software other than Microsoft software.

Stages

Finding and fixing software vulnerabilities proceeds in stages:

  1. Scanning for vulnerabilities in the software installed on the managed devices

    To find vulnerabilities in the software installed on the managed devices, run the Find vulnerabilities and required updates task. When this task is complete, Kaspersky Security Center receives the lists of detected vulnerabilities and required updates for the third-party software installed on the devices that you specified in the task properties.

    The Find vulnerabilities and required updates task is created automatically by Kaspersky Security Center Quick Start Wizard. If you did not run the Wizard, start it now or create the task manually.


  2. Analyzing the list of detected software vulnerabilities

    View the Software vulnerabilities list and decide which vulnerabilities are to be fixed. To view detailed information about each vulnerability, click the vulnerability name in the list. For each vulnerability in the list, you can also view the statistics on the vulnerability on managed devices.


  3. Configuring vulnerabilities fix

    When the software vulnerabilities are detected, you can fix the software vulnerabilities on the managed devices by using the Install required updates and fix vulnerabilities task or the Fix vulnerabilities task.

    The Install required updates and fix vulnerabilities task is used to update and fix vulnerabilities in third-party software, including Microsoft software, installed on the managed devices. This task allows you to install multiple updates and fix multiple vulnerabilities according to certain rules. Note that this task can be created only if you have the license for the Vulnerability and Patch Management feature. To fix software vulnerabilities the Install required updates and fix vulnerabilities task uses recommended software updates.

    The Fix vulnerabilities task does not require the license option for the Vulnerability and Patch Management feature. To use this task, you must manually specify user fixes for vulnerabilities in third-party software listed in the task settings. The Fix vulnerabilities task uses recommended fixes for Microsoft software and user fixes for third-party software.

    You can start Vulnerabilities Fix Wizard that creates one of these tasks automatically, or you can create one of these tasks manually.


  4. Scheduling the tasks

    To be sure that the vulnerabilities list is always up-to-date, schedule the Find vulnerabilities and required updates task to run automatically from time to time. The recommended average frequency is once a week.

    If you have created the Install required updates and fix vulnerabilities task, you can schedule it to run with the same frequency as the Find vulnerabilities and required updates task or less often. When scheduling the Fix vulnerabilities task, note that you have to select fixes for Microsoft software or specify user fixes for third-party software every time before starting the task.

    When scheduling the tasks, make sure that a task to fix vulnerabilities starts after the Find vulnerabilities and required updates task is complete.

  5. Ignoring software vulnerabilities (optional)

    If you want, you can ignore software vulnerabilities to be fixed on all managed devices or only on the selected managed devices.


  6. Running a vulnerability fix task

    Start the Install required updates and fix vulnerabilities task or the Fix vulnerabilities task. When the task is complete, make sure that it has the Completed successfully status in the task list.

  7. Creating the report on results of fixing software vulnerabilities (optional)

    To view detailed statistics on the vulnerabilities fix, generate the Report on vulnerabilities. The report displays information about software vulnerabilities that are not fixed. This gives you an overview of finding and fixing vulnerabilities in third-party software, including Microsoft software, in your organization.


  8. Checking configuration of finding and fixing vulnerabilities in third-party software

    Be sure that you have done the following:

    • Obtained and reviewed the list of software vulnerabilities on managed devices
    • Ignored software vulnerabilities if you wanted
    • Configured the task to fix vulnerabilities
    • Scheduled the tasks to find and to fix software vulnerabilities so that they start sequentially
    • Checked that the task to fix software vulnerabilities was run

Results

If you have created and configured the Install required updates and fix vulnerabilities task, the vulnerabilities are fixed on the managed devices automatically. When the task is run, it correlates the list of available software updates to the rules specified in the task settings. All software updates that meet the criteria in the rules will be downloaded to the Administration Server repository and will be installed to fix software vulnerabilities.

If you have created the Fix vulnerabilities task, only software vulnerabilities in Microsoft software are fixed.


About finding and fixing software vulnerabilities

Kaspersky Security Center detects and fixes software vulnerabilities on managed devices running operating systems of the Microsoft Windows families. Vulnerabilities are detected in the operating system and in third-party software, including Microsoft software.

Finding software vulnerabilities

To find software vulnerabilities, Kaspersky Security Center uses characteristics from the database of known vulnerabilities. This database is created by Kaspersky specialists. It contains information about vulnerabilities, such as the vulnerability description, the vulnerability detection date, and the vulnerability severity level. You can find the details of software vulnerabilities on the Kaspersky website.

Kaspersky Security Center uses the Find vulnerabilities and required updates task to find software vulnerabilities.

Fixing software vulnerabilities

To fix software vulnerabilities, Kaspersky Security Center uses software updates issued by the software vendors. The software updates metadata is downloaded to the Administration Server repository when the following tasks are run:

  • Download updates to the Administration Server repository. This task is intended to download updates metadata for Kaspersky and third-party software. This task is created automatically by the Kaspersky Security Center Quick Start Wizard. You can create the Download updates to the Administration Server repository task manually.
  • Perform Windows Update synchronization. This task is intended to download updates metadata for Microsoft software.

Software updates to fix vulnerabilities can be represented as full distribution packages or patches. Software updates that fix software vulnerabilities are named fixes. Recommended fixes are those that are recommended for installation by Kaspersky specialists. User fixes are those that are manually specified for installation by users. To install a user fix, you have to create an installation package containing this fix.

If you have the Kaspersky Security Center license with the Vulnerability and Patch Management feature, you can use the Install required updates and fix vulnerabilities task to fix software vulnerabilities. This task automatically fixes multiple vulnerabilities by installing recommended fixes. For this task, you can manually configure certain rules to fix multiple vulnerabilities.

If you do not have the Kaspersky Security Center license with the Vulnerability and Patch Management feature, to fix software vulnerabilities, you can use the Fix vulnerabilities task. By means of this task, you can fix vulnerabilities by installing recommended fixes for Microsoft software and user fixes for other third-party software.

For security reasons, any third-party software updates that you install by using the Vulnerability and Patch Management feature are automatically scanned for malware by Kaspersky technologies. These technologies are used for automatic file check and include anti-virus scan, static analysis, dynamic analysis, behavior analysis in the sandbox environment, and machine learning.

Kaspersky experts do not perform manual analysis of third-party software updates that can be installed by using the Vulnerability and Patch Management feature. In addition, Kaspersky experts do not search for vulnerabilities (known or unknown) or undocumented features in such updates, and do not perform any types of analysis of the updates other than those specified in the paragraph above.

A user interaction may be required when you update a third-party application or fix a vulnerability in a third-party application on a managed device. For example, the user may be prompted to close the third-party application if it's currently open.

To fix some software vulnerabilities, you must accept the End User License Agreement (EULA) for installing the software if EULA acceptance is requested. If you decline the EULA, the software vulnerability is not fixed.

See also:

Scenario: Finding and fixing third-party software vulnerabilities


Fixing third-party software vulnerabilities


After you obtain the software vulnerabilities list, you can fix software vulnerabilities on managed devices that are running Windows. You can fix software vulnerabilities in the operating system and in third-party software, including Microsoft software, by creating and running the Fix vulnerabilities task or the Install required updates and fix vulnerabilities task.

A user interaction may be required when you update a third-party application or fix a vulnerability in a third-party application on a managed device. For example, the user may be prompted to close the third-party application if it's currently open.

As an option, you can create a task to fix software vulnerabilities in the following ways:

  • By opening the vulnerability list and specifying which vulnerabilities to fix.

    As a result, a new task to fix software vulnerabilities is created. As an option, you can add the selected vulnerabilities to an existing task.

  • By running the Vulnerability Fix Wizard.

    The Vulnerability Fix Wizard is only available under the Vulnerability and Patch Management license.

    The Wizard simplifies creation and configuration of a vulnerability fix task and allows you to eliminate the creation of redundant tasks that contain the same updates to install.

Fixing software vulnerabilities by using the vulnerability list

To fix software vulnerabilities:

  1. Open one of the lists of vulnerabilities:
    • To open the general vulnerability list, go to OPERATIONS → PATCH MANAGEMENT → Software vulnerabilities.
    • To open the vulnerability list for a managed device, go to DEVICES → MANAGED DEVICES → <device name> → Advanced → Software vulnerabilities.
    • To open the vulnerability list for a specific application, go to OPERATIONS → THIRD-PARTY APPLICATIONS → APPLICATIONS REGISTRY → <application name> → Vulnerabilities.

    A page with a list of vulnerabilities in the third-party software is displayed.

  2. Select one or more vulnerabilities in the list, and then click the Fix vulnerability button.

    If a recommended software update to fix one of the selected vulnerabilities is absent, an informative message is displayed.

    To fix some software vulnerabilities, you must accept the End User License Agreement (EULA) for installing the software, if EULA acceptance is requested. If you decline the EULA, the software vulnerability is not fixed.

  3. Select one of the following options:
    • New task

      The Add Task Wizard starts. If you have the Vulnerability and Patch Management license, the Install required updates and fix vulnerabilities task is preselected. If you do not have the license, the Fix vulnerabilities task is preselected. Follow the steps of the Wizard to complete the task creation.

    • Fix vulnerability (add rule to specified task)

      Select a task to which you want to add the selected vulnerabilities. If you have the Vulnerability and Patch Management license, select the Install required updates and fix vulnerabilities task. A new rule to fix the selected vulnerabilities will be automatically added to the selected task. If you do not have the license, select the Fix vulnerabilities task. The selected vulnerabilities will be added to the task properties.

      The task properties window opens. Click the Save button to save the changes.

If you have chosen to create a task, the task is created and displayed in the task list at DEVICES → TASKS. If you have chosen to add the vulnerabilities to an existing task, the vulnerabilities are saved in the task properties.

To fix the third-party software vulnerabilities, start the Install required updates and fix vulnerabilities task or the Fix vulnerabilities task. If you have created the Fix vulnerabilities task, you must manually specify the software updates to fix the software vulnerabilities listed in the task settings.

Fixing software vulnerabilities by using the Vulnerability Fix Wizard

The Vulnerability Fix Wizard is only available under the Vulnerability and Patch Management license.

To fix software vulnerabilities by using the Vulnerability Fix Wizard:

  1. On the OPERATIONS tab, in the PATCH MANAGEMENT drop-down list, select Software vulnerabilities.

    A page with a list of vulnerabilities in the third-party software installed on managed devices is displayed.

  2. Select the check box next to the vulnerability that you want to fix.
  3. Click the Run Vulnerability Fix Wizard button.

    The Vulnerability Fix Wizard starts. The Select the vulnerability fix task page displays the list of all existing tasks of the following types:

    • Install required updates and fix vulnerabilities
    • Install Windows Update updates
    • Fix vulnerabilities

    You cannot modify the last two types of tasks to install new updates. To install new updates, you can only use the Install required updates and fix vulnerabilities task.

  4. If you want the Wizard to display only those tasks that fix the vulnerability that you selected, then enable the Show only tasks that fix this vulnerability option.
  5. Choose what you want to do:
    • To start a task, select the check box next to the task name, and then click the Start button.
    • To add a new rule to an existing task:
      1. Select the check box next to the task name, and then click the Add rule button.
      2. On the page that opens, configure the new rule:
        • Rule for fixing vulnerabilities of this severity level

          Sometimes software updates may impair the user experience with the software. In such cases, you may decide to install only those updates that are critical for the software operation and to skip other updates.

          If this option is enabled, the updates fix only those vulnerabilities for which the severity level set by Kaspersky is equal to or higher than the severity of the selected update (Medium, High, or Critical). Vulnerabilities with a severity level lower than the selected value are not fixed.

          If this option is disabled, the updates fix all vulnerabilities regardless of their severity level.

          By default, this option is disabled.

        • Rule for fixing vulnerabilities by means of updates of the same type as the update defined as recommended for the selected vulnerability (available only for Microsoft software vulnerabilities)
        • Rule for fixing vulnerabilities in applications from the selected vendor (available only for third-party software vulnerabilities)
        • Rule for fixing a vulnerability in all versions of the selected application (available only for third-party software vulnerabilities)
        • Rule for fixing the selected vulnerability
        • Approve updates that fix this vulnerability

          The selected update will be approved for installation. Enable this option if some applied rules of update installation allow installation of approved updates only.

          By default, this option is disabled.

      3. Click the Add button.
    • To create a task:
      1. Click the New task button.
      2. On the page that opens, configure the new rule:
        • Rule for fixing vulnerabilities of this severity level

          Sometimes software updates may impair the user experience with the software. In such cases, you may decide to install only those updates that are critical for the software operation and to skip other updates.

          If this option is enabled, the updates fix only those vulnerabilities for which the severity level set by Kaspersky is equal to or higher than the severity of the selected update (Medium, High, or Critical). Vulnerabilities with a severity level lower than the selected value are not fixed.

          If this option is disabled, the updates fix all vulnerabilities regardless of their severity level.

          By default, this option is disabled.

        • Rule for fixing vulnerabilities by means of updates of the same type as the update defined as recommended for the selected vulnerability (available only for Microsoft software vulnerabilities)
        • Rule for fixing vulnerabilities in applications from the selected vendor (available only for third-party software vulnerabilities)
        • Rule for fixing a vulnerability in all versions of the selected application (available only for third-party software vulnerabilities)
        • Rule for fixing the selected vulnerability
        • Approve updates that fix this vulnerability

          The selected update will be approved for installation. Enable this option if some applied rules of update installation allow installation of approved updates only.

          By default, this option is disabled.

      3. Click the Add button.

If you have chosen to start a task, you can close the Wizard. The task will complete in background mode. No further actions are required.

If you have chosen to add a rule to an existing task, the task properties window opens. The new rule is already added to the task properties. You can view or modify the rule or other task settings. Click the Save button to save the changes.

If you have chosen to create a task, you continue to create the task in the Add Task Wizard. The new rule that you added in the Vulnerability Fix Wizard is displayed in the Add Task Wizard. When you complete the Wizard, the Install required updates and fix vulnerabilities task is added to the task list.

See also:

Scenario: Finding and fixing third-party software vulnerabilities

[Topic 182760]

Creating the Fix vulnerabilities task

The Fix vulnerabilities task allows you to fix software vulnerabilities on managed devices that are running Windows. You can fix software vulnerabilities in third-party software, including Microsoft software.

If you do not have the Vulnerability and Patch Management license, you cannot create new tasks of the Fix vulnerabilities type. To fix new vulnerabilities, you can add them to an existing Fix vulnerabilities task. We recommend that you use the Install required updates and fix vulnerabilities task instead of the Fix vulnerabilities task. The Install required updates and fix vulnerabilities task enables you to install multiple updates and fix multiple vulnerabilities automatically, according to the rules that you define.

User interaction may be required when you update a third-party application or fix a vulnerability in a third-party application on a managed device. For example, the user may be prompted to close the third-party application if it is currently open.

To create the Fix vulnerabilities task:

  1. In the main menu, go to DEVICES → TASKS.
  2. Click Add.

    The Add Task Wizard starts. Proceed through the Wizard by using the Next button.

  3. For the Kaspersky Security Center application, select the Fix vulnerabilities task type.
  4. Specify the name for the task that you are creating.

    A task name cannot be more than 100 characters long and cannot include any special characters ("*<>?\:|).

  5. Select devices to which the task will be assigned.
  6. Click the Add button.

    The list of vulnerabilities opens.

  7. Select the vulnerabilities that you want to fix, and then click OK.

    Microsoft software vulnerabilities usually have recommended fixes. No additional actions are required for them. For vulnerabilities in software from other vendors, you first need to specify a user fix for each vulnerability that you want to fix. After that, you will be able to add those vulnerabilities into the Fix vulnerabilities task.

  8. Specify the operating system restart settings:
    • Do not restart the device

      Client devices are not restarted automatically after the operation. To complete the operation, you must restart a device (for example, manually or through a device management task). Information about the required restart is saved in the task results and in the device status. This option is suitable for tasks on servers and other devices where continuous operation is critical.

    • Restart the device

      Client devices are always restarted automatically if a restart is required for completion of the operation. This option is useful for tasks on devices that provide for regular pauses in their operation (shutdown or restart).

    • Prompt user for action

      The restart reminder is displayed on the screen of the client device, prompting the user to restart it manually. Some advanced settings can be defined for this option: text of the message for the user, the message display frequency, and the time interval after which a restart will be forced (without the user's confirmation). This option is most suitable for workstations where users must be able to select the most convenient time for a restart.

      By default, this option is selected.

    • Repeat prompt every (min)

      If this option is enabled, the application prompts the user to restart the operating system with the specified frequency.

      By default, this option is enabled. The default interval is 5 minutes. Available values are between 1 and 1440 minutes.

      If this option is disabled, the prompt is displayed only once.

    • Restart after (min)

      After prompting the user, the application forces restart of the operating system upon expiration of the specified time interval.

      By default, this option is enabled. The default delay is 30 minutes. Available values are between 1 and 1440 minutes.

    • Force closure of applications in blocked sessions

      Running applications may prevent a restart of the client device. For example, if a document is being edited in a word processing application and is not saved, the application does not allow the device to restart.

      If this option is enabled, such applications on a locked device are forced to close before the device restart. As a result, users may lose their unsaved changes.

      If this option is disabled, a locked device is not restarted. The task status on this device states that a device restart is required. Users have to manually close all applications running on locked devices and restart these devices.

      By default, this option is disabled.

  9. Specify the account settings:
    • Default account

      The task will be run under the same account as the application that performs this task.

      By default, this option is selected.

    • Specify account

      Fill in the Account and Password fields to specify the details of an account under which the task is run. The account must have sufficient rights for this task.

    • Account

      Account under which the task is run.

    • Password

      Password of the account under which the task will be run.

  10. If you want to modify the default task settings, enable the Open task details when creation is complete option on the Finish task creation page. If you do not enable this option, the task is created with the default settings. You can modify the default settings later, at any time.
  11. Click the Finish button.

    The task is created and displayed in the list of tasks.

  12. Click the name of the created task to open the task properties window.
  13. In the task properties window, specify the general task settings according to your needs.
  14. Click the Save button.

The task is created and configured.

See also:

Kaspersky Security Center licensing options

Creating the Install required updates and fix vulnerabilities task

Selecting user fixes for vulnerabilities in third-party software

Fixing third-party software vulnerabilities

Scenario: Finding and fixing third-party software vulnerabilities

[Topic 201980]

Creating the Install required updates and fix vulnerabilities task

The Install required updates and fix vulnerabilities task is only available under the Vulnerability and Patch Management license.

The Install required updates and fix vulnerabilities task is used to update and fix vulnerabilities in third-party software, including Microsoft software, installed on the managed devices. This task allows you to install multiple updates and fix multiple vulnerabilities according to certain rules.

To install updates or fix vulnerabilities by using the Install required updates and fix vulnerabilities task, you can do one of the following:

To create the Install required updates and fix vulnerabilities task:

  1. In the main menu, go to DEVICES → TASKS.
  2. Click Add.

    The Add Task Wizard starts. Follow the steps of the Wizard.

  3. For the Kaspersky Security Center application, select the Install required updates and fix vulnerabilities task type.
  4. Specify the name for the task that you are creating. A task name cannot be more than 100 characters long and cannot include any special characters ("*<>?\:|).
  5. Select devices to which the task will be assigned.
  6. Specify the rules for update installation, and then specify the following settings:
    • Start installation at device restart or shutdown

      If this option is enabled, updates are installed when the device is restarted or shut down. Otherwise, updates are installed according to a schedule.

      Use this option if installing the updates might affect the device performance.

      By default, this option is disabled.

    • Install required general system components

      If this option is enabled, before installing an update the application automatically installs all general system components (prerequisites) that are required to install the update. For example, these prerequisites can be operating system updates.

      If this option is disabled, you may have to install the prerequisites manually.

      By default, this option is disabled.

    • Allow installation of new application versions during updates

      If this option is enabled, updates are allowed when they result in installation of a new version of a software application.

      If this option is disabled, the software is not upgraded. You can then install new versions of the software manually or through another task. For example, you may use this option if your company infrastructure is not supported by a new software version or if you want to check an upgrade in a test infrastructure.

      By default, this option is enabled.

      Upgrading an application may cause malfunction of dependent applications installed on client devices.

    • Download updates to the device without installing them

      If this option is enabled, the application downloads updates to the device but does not install them automatically. You can then install downloaded updates manually.

      Microsoft updates are downloaded to the system Windows storage. Updates of third-party applications (applications made by software vendors other than Kaspersky and Microsoft) are downloaded to the folder specified in the Folder for downloading updates field.

      If this option is disabled, the updates are installed to the device automatically.

      By default, this option is disabled.

    • Folder for downloading updates

      This folder is used to download updates of third-party applications (applications made by software vendors other than Kaspersky and Microsoft).

    • Enable advanced diagnostics

      If this feature is enabled, Network Agent writes traces even if tracing is disabled for Network Agent in Kaspersky Security Center Remote Diagnostics Utility. Traces are written to two files in turn; the total size of both files is determined by the Maximum size, in MB, of advanced diagnostics files value. When both files are full, Network Agent starts writing to them again. The files with traces are stored in the %WINDIR%\Temp folder. These files are accessible in the remote diagnostics utility; you can download or delete them there.

      If this feature is disabled, Network Agent writes traces according to the settings in Kaspersky Security Center Remote Diagnostics Utility. No additional traces are written.

      When creating a task, you do not have to enable advanced diagnostics. You may want to use this feature later if, for example, a task run fails on some of the devices and you want to get additional information during another task run.

      By default, this option is disabled.

    • Maximum size, in MB, of advanced diagnostics files

      The default value is 100 MB, and available values are between 1 MB and 2048 MB. You may be asked to change the default value by Kaspersky Technical Support specialists when information in the advanced diagnostics files sent by you is not enough to troubleshoot the problem.

  7. Specify the operating system restart settings:
    • Do not restart the device

      Client devices are not restarted automatically after the operation. To complete the operation, you must restart a device (for example, manually or through a device management task). Information about the required restart is saved in the task results and in the device status. This option is suitable for tasks on servers and other devices where continuous operation is critical.

    • Restart the device

      Client devices are always restarted automatically if a restart is required for completion of the operation. This option is useful for tasks on devices that provide for regular pauses in their operation (shutdown or restart).

    • Prompt user for action

      The restart reminder is displayed on the screen of the client device, prompting the user to restart it manually. Some advanced settings can be defined for this option: text of the message for the user, the message display frequency, and the time interval after which a restart will be forced (without the user's confirmation). This option is most suitable for workstations where users must be able to select the most convenient time for a restart.

      By default, this option is selected.

    • Repeat prompt every (min)

      If this option is enabled, the application prompts the user to restart the operating system with the specified frequency.

      By default, this option is enabled. The default interval is 5 minutes. Available values are between 1 and 1440 minutes.

      If this option is disabled, the prompt is displayed only once.

    • Restart after (min)

      After prompting the user, the application forces restart of the operating system upon expiration of the specified time interval.

      By default, this option is enabled. The default delay is 30 minutes. Available values are between 1 and 1440 minutes.

    • Wait time before forced closure of applications in blocked sessions (min)

      Applications are forced to close when the user's device becomes locked (automatically after a specified interval of inactivity, or manually).

      If this option is enabled, applications are forced to close on the locked device upon expiration of the time interval specified in the entry field.

      If this option is disabled, applications do not close on the locked device.

      By default, this option is disabled.

  8. If you want to modify the default task settings, enable the Open task details when creation is complete option on the Finish task creation page. If you do not enable this option, the task is created with the default settings. You can modify the default settings later, at any time.
  9. Click the Finish button.

    The task is created and displayed in the list of tasks.

  10. Click the name of the created task to open the task properties window.
  11. In the task properties window, specify the general task settings according to your needs.
  12. Click the Save button.

    The task is created and configured.

If the task results contain a warning of the 0x80240033 "Windows Update Agent error 80240033 ("License terms could not be downloaded.")" error, you can resolve this issue through the Windows Registry.

See also:

Scenario: Updating third-party software

Scenario: Finding and fixing third-party software vulnerabilities

About third-party software updates

[Topic 182671_1]

Adding rules for update installation

This feature is only available under the Vulnerability and Patch Management license.

When installing software updates or fixing software vulnerabilities by using the Install required updates and fix vulnerabilities task, you must specify rules for the update installation. These rules determine the updates to install and the vulnerabilities to fix.

The exact settings depend on whether you add a rule for all updates, for Windows Update updates, or for updates of third-party applications (applications made by software vendors other than Kaspersky and Microsoft). When adding a rule for Windows Update updates or updates of third-party applications, you can select specific applications and application versions for which you want to install updates. When adding a rule for all updates, you can select specific updates that you want to install and vulnerabilities that you want to fix by means of installing updates.

You can add a rule for update installation in the following ways:

To add a new rule for all updates:

  1. Click the Add button.

    The Rule Creation Wizard starts. Proceed through the Wizard by using the Next button.

  2. On the Rule type page, select Rule for all updates.
  3. On the General criteria page, use the drop-down lists to specify the following settings:
    • Set of updates to install

      Select the updates that must be installed on client devices:

      • Install approved updates only. This installs only approved updates.
      • Install all updates (except declined). This installs updates with the Approved or Undefined approval status.
      • Install all updates (including declined). This installs all updates, regardless of their approval status. Select this option with caution. For example, use this option if you want to check installation of some declined updates in a test infrastructure.
    • Fix vulnerabilities with a severity level equal to or higher than

      Sometimes software updates may impair the user experience with the software. In such cases, you may decide to install only those updates that are critical for the software operation and to skip other updates.

      If this option is enabled, the updates fix only those vulnerabilities for which the severity level set by Kaspersky is equal to or higher than the value selected in the list (Medium, High, or Critical). Vulnerabilities with a severity level lower than the selected value are not fixed.

      If this option is disabled, the updates fix all vulnerabilities regardless of their severity level.

      By default, this option is disabled.

  4. On the Updates page, select the updates to be installed:
    • Install all suitable updates

      Install all software updates that meet the criteria specified on the General criteria page of the Wizard. Selected by default.

    • Install only updates from the list

      Install only software updates that you select manually from the list. This list contains all available software updates.

      For example, you may want to select specific updates in the following cases: to check their installation in a test environment, to update only critical applications, or to update only specific applications.

      • Automatically install all previous application updates that are required to install the selected updates

        Keep this option enabled if you agree with the installation of interim application versions when this is required for installing the selected updates.

        If this option is disabled, only the selected versions of applications are installed. Disable this option if you want to update applications in a straightforward manner, without attempting to install successive versions incrementally. If installing the selected updates is not possible without installing previous versions of applications, the updating of the application fails.

        For example, you have version 3 of an application installed on a device and you want to update it to version 5, but version 5 of this application can be installed only over version 4. If this option is enabled, the software first installs version 4, and then installs version 5. If this option is disabled, the software fails to update the application.

        By default, this option is enabled.

  5. On the Vulnerabilities page, select vulnerabilities that will be fixed by installing the selected updates:
    • Fix all vulnerabilities that match other criteria

      Fix all vulnerabilities that meet the criteria specified on the General criteria page of the Wizard. Selected by default.

    • Fix only vulnerabilities from the list

      Fix only vulnerabilities that you select manually from the list. This list contains all detected vulnerabilities.

      For example, you may want to select specific vulnerabilities in the following cases: to check their fix in a test environment, to fix vulnerabilities only in critical applications, or to fix vulnerabilities only in specific applications.

  6. On the Name page, specify the name for the rule that you are adding. You can later change this name in the Settings section of the properties window of the created task.

After the Rule Creation Wizard completes its operation, the new rule is added and displayed in the rule list in the Add Task Wizard or in the task properties.
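
The selection logic of a rule for all updates (steps 3 and 4 above), modelled as an added Python example; it is not Kaspersky code and not part of the original documentation. Assumptions made here: the `LOW` level, integer versions, the `installs_over` field, the constructed catalog, that an update passes the severity filter when it fixes at least one vulnerability at or above the threshold, and that interim versions are not re-checked against the rule's criteria.

```python
from dataclasses import dataclass
from enum import Enum, IntEnum
from typing import Optional


class Severity(IntEnum):
    LOW = 1        # assumption: some level below the lowest selectable threshold
    MEDIUM = 2
    HIGH = 3
    CRITICAL = 4


class Approval(Enum):
    APPROVED = "Approved"
    UNDEFINED = "Undefined"
    DECLINED = "Declined"


class UpdateSet(Enum):
    APPROVED_ONLY = "Install approved updates only"
    ALL_EXCEPT_DECLINED = "Install all updates (except declined)"
    ALL_INCLUDING_DECLINED = "Install all updates (including declined)"


# Approval statuses admitted by each "Set of updates to install" value.
ALLOWED = {
    UpdateSet.APPROVED_ONLY: {Approval.APPROVED},
    UpdateSet.ALL_EXCEPT_DECLINED: {Approval.APPROVED, Approval.UNDEFINED},
    UpdateSet.ALL_INCLUDING_DECLINED: set(Approval),
}


@dataclass(frozen=True)
class Update:
    app: str
    version: int
    approval: Approval
    fixes: tuple = ()                    # severities of the vulnerabilities it fixes
    installs_over: Optional[int] = None  # hypothetical field: required installed version


@dataclass(frozen=True)
class Rule:
    update_set: UpdateSet
    min_severity: Optional[Severity] = None  # None = severity option disabled (default)
    only_listed: Optional[frozenset] = None  # None = "Install all suitable updates"
    auto_prerequisites: bool = True          # enabled by default


def matches(rule, upd):
    """True if the update meets the General criteria and Updates pages."""
    if upd.approval not in ALLOWED[rule.update_set]:
        return False
    if rule.min_severity is not None and not any(s >= rule.min_severity for s in upd.fixes):
        return False
    if rule.only_listed is not None and (upd.app, upd.version) not in rule.only_listed:
        return False
    return True


def plan(rule, catalog, installed):
    """Return (install_order, failed) as lists of (app, version) tuples."""
    by_key = {(u.app, u.version): u for u in catalog}
    current = dict(installed)
    order, failed = [], []
    for upd in sorted(catalog, key=lambda u: (u.app, u.version)):
        have = current.get(upd.app)
        if have is None or upd.version <= have or not matches(rule, upd):
            continue
        chain, need = [upd], upd.installs_over
        # Walk back through interim versions until one installs over what is present.
        while need is not None and have < need < chain[0].version:
            prereq = by_key.get((upd.app, need)) if rule.auto_prerequisites else None
            if prereq is None:
                chain = None  # option disabled or interim version unavailable
                break
            chain.insert(0, prereq)
            need = prereq.installs_over
        if chain is None:
            failed.append((upd.app, upd.version))
            continue
        order += [(u.app, u.version) for u in chain]
        current[upd.app] = upd.version
    return order, failed


# Constructed sample data; the application names are placeholders.
CATALOG = [
    Update("ExampleReader", 4, Approval.APPROVED, (Severity.MEDIUM,)),
    Update("ExampleReader", 5, Approval.APPROVED, (Severity.CRITICAL,), installs_over=4),
    Update("ExampleZip", 2, Approval.UNDEFINED, (Severity.HIGH,)),
    Update("ExampleChat", 9, Approval.DECLINED, (Severity.CRITICAL,)),
]
INSTALLED = {"ExampleReader": 3, "ExampleZip": 1, "ExampleChat": 8}

if __name__ == "__main__":
    strict = Rule(UpdateSet.ALL_EXCEPT_DECLINED, min_severity=Severity.HIGH)
    print(plan(strict, CATALOG, INSTALLED))
    pinned = Rule(UpdateSet.APPROVED_ONLY,
                  only_listed=frozenset({("ExampleReader", 5)}),
                  auto_prerequisites=False)
    print(plan(pinned, CATALOG, INSTALLED))
```

In this model, a High threshold still pulls in ExampleReader version 4 as an interim step for version 5, while the pinned rule with the prerequisite option disabled leaves version 5 in the failed list.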

To add a new rule for Windows Update updates:

  1. Click the Add button.

    The Rule Creation Wizard starts. Proceed through the Wizard by using the Next button.

  2. On the Rule type page, select Rule for Windows Update.
  3. On the General criteria page, specify the following settings:
    • Set of updates to install

      Select the updates that must be installed on client devices:

      • Install approved updates only. This installs only approved updates.
      • Install all updates (except declined). This installs updates with the Approved or Undefined approval status.
      • Install all updates (including declined). This installs all updates, regardless of their approval status. Select this option with caution. For example, use this option if you want to check installation of some declined updates in a test infrastructure.
    • Fix vulnerabilities with a severity level equal to or higher than

      Sometimes software updates may impair the user experience with the software. In such cases, you may decide to install only those updates that are critical for the software operation and to skip other updates.

      If this option is enabled, the updates fix only those vulnerabilities for which the severity level set by Kaspersky is equal to or higher than the value selected in the list (Medium, High, or Critical). Vulnerabilities with a severity level lower than the selected value are not fixed.

      If this option is disabled, the updates fix all vulnerabilities regardless of their severity level.

      By default, this option is disabled.

    • Fix vulnerabilities with an MSRC severity level equal to or higher than

      Sometimes software updates may impair the user experience with the software. In such cases, you may decide to install only those updates that are critical for the software operation and to skip other updates.

      If this option is enabled, the updates fix only those vulnerabilities for which the severity level set by Microsoft Security Response Center (MSRC) is equal to or higher than the value selected in the list (Low, Medium, High, or Critical). Vulnerabilities with a severity level lower than the selected value are not fixed.

      If this option is disabled, the updates fix all vulnerabilities regardless of their severity level.

      By default, this option is disabled.

  4. On the Applications page, select the applications and application versions for which you want to install updates. By default, all applications are selected.
  5. On the Categories of updates page, select the categories of updates to be installed. These categories are the same as in Microsoft Update Catalog. By default, all categories are selected.
  6. On the Name page, specify the name for the rule that you are adding. You can later change this name in the Settings section of the properties window of the created task.

After the Rule Creation Wizard completes its operation, the new rule is added and displayed in the rule list in the Add Task Wizard or in the task properties.

To add a new rule for updates of third-party applications:

  1. Click the Add button.

    The Rule Creation Wizard starts. Proceed through the Wizard by using the Next button.

  2. On the Rule type page, select Rule for third-party updates.
  3. On the General criteria page, specify the following settings:
    • Set of updates to install

      Select the updates that must be installed on client devices:

      • Install approved updates only. This installs only approved updates.
      • Install all updates (except declined). This installs updates with the Approved or Undefined approval status.
      • Install all updates (including declined). This installs all updates, regardless of their approval status. Select this option with caution. For example, use this option if you want to check installation of some declined updates in a test infrastructure.
    • Fix vulnerabilities with a severity level equal to or higher than

      Sometimes software updates may impair the user experience with the software. In such cases, you may decide to install only those updates that are critical for the software operation and to skip other updates.

      If this option is enabled, the updates fix only those vulnerabilities for which the severity level set by Kaspersky is equal to or higher than the value selected in the list (Medium, High, or Critical). Vulnerabilities with a severity level lower than the selected value are not fixed.

      If this option is disabled, the updates fix all vulnerabilities regardless of their severity level.

      By default, this option is disabled.

  4. On the Applications page, select the applications and application versions for which you want to install updates. By default, all applications are selected.
  5. On the Name page, specify the name for the rule that you are adding. You can later change this name in the Settings section of the properties window of the created task.

After the Rule Creation Wizard completes its operation, the new rule is added and displayed in the rule list in the Add Task Wizard or in the task properties.

See also:

Scenario: Updating third-party software

Scenario: Finding and fixing third-party software vulnerabilities

[Topic 182798_1]

Selecting user fixes for vulnerabilities in third-party software

To use the Fix vulnerabilities task, you must manually specify the software updates to fix the vulnerabilities in third-party software listed in the task settings. The Fix vulnerabilities task uses recommended fixes for Microsoft software and user fixes for other third-party software. User fixes are software updates to fix vulnerabilities that the administrator manually specifies for installation.

To select user fixes for vulnerabilities in third-party software:

  1. On the OPERATIONS tab, in the PATCH MANAGEMENT drop-down list, select Software vulnerabilities.

    The page displays the list of software vulnerabilities detected on client devices.

  2. In the list of software vulnerabilities, click the link with the name of the software vulnerability for which you want to specify a user fix.

    The properties window of the vulnerability opens.

  3. In the left pane, select the User fixes and other fixes section.

    The list of user fixes for the selected software vulnerability is displayed.

  4. Click Add.

    The list of available installation packages is displayed. The list of displayed installation packages corresponds to the OPERATIONS → REPOSITORIES → INSTALLATION PACKAGES list. If you have not created an installation package containing a user fix for the selected vulnerability, you can create the package now by starting the New Package Wizard.

  5. Select an installation package (or packages) containing a user fix (or user fixes) for the vulnerability in third-party software.
  6. Click Save.

The installation packages containing user fixes for the software vulnerability are specified. When the Fix vulnerabilities task is started, the installation package will be installed, and the software vulnerability will be fixed.

See also:

Scenario: Finding and fixing third-party software vulnerabilities

[Topic 186529]

Viewing information about software vulnerabilities detected on all managed devices

After you have scanned software on managed devices for vulnerabilities, you can view the list of software vulnerabilities detected on all managed devices.

To view the list of software vulnerabilities detected on all managed devices,

On the OPERATIONS tab, in the PATCH MANAGEMENT drop-down list, select Software vulnerabilities.

The page displays the list of software vulnerabilities detected on client devices.

You can also generate and view Report on vulnerabilities.

You can specify a filter to view the list of software vulnerabilities. Click the Filter icon in the upper right corner of the software vulnerabilities list to manage the filter. You can also select one of the preset filters from the Preset filters drop-down list above the software vulnerabilities list.

You can obtain detailed information about any vulnerability from the list.

To obtain information about a software vulnerability:

In the list of software vulnerabilities, click the link with the name of the vulnerability.

The properties window of the software vulnerability opens.

See also:

Scenario: Finding and fixing third-party software vulnerabilities

[Topic 183094]

Viewing information about software vulnerabilities detected on the selected managed device

You can view information about software vulnerabilities detected on the selected managed device running Windows.

To view a list of software vulnerabilities detected on the selected managed device:

  1. In the main menu, go to DEVICES → MANAGED DEVICES.

    The list of managed devices is displayed.

  2. In the list of managed devices, click the link with the name of the device for which you want to view detected software vulnerabilities.

    The properties window of the selected device is displayed.

  3. In the properties window of the selected device, select the Advanced tab.
  4. In the left pane, select the Software vulnerabilities section.

    If you want to view only software vulnerabilities that can be fixed, select the Show only vulnerabilities that can be fixed option.

The list of software vulnerabilities detected on the selected managed device is displayed.

To view the properties of the selected software vulnerability,

Click the link with the name of the software vulnerability in the list of software vulnerabilities.

The properties window of the selected software vulnerability is displayed.

See also:

Scenario: Finding and fixing third-party software vulnerabilities

[Topic 184794]

Viewing statistics of vulnerabilities on managed devices

You can view statistics for each software vulnerability on managed devices. The statistics are displayed as a diagram. The diagram displays the number of devices with the following statuses:

  • Ignored on: <number of devices>. The status is assigned if, in the vulnerability properties, you have manually set the option to ignore the vulnerability.
  • Fixed on: <number of devices>. The status is assigned if the task to fix the vulnerability has successfully completed.
  • Fix scheduled on: <number of devices>. The status is assigned if you have created the task to fix the vulnerability but the task has not been performed yet.
  • Patch applied on: <number of devices>. The status is assigned if you have manually selected a software update to fix the vulnerability but this software update has not fixed the vulnerability.
  • Fix required on: <number of devices>. The status is assigned if the vulnerability was fixed only on some of the managed devices and still has to be fixed on the remaining managed devices.

To view the statistics of a vulnerability on managed devices:

  1. On the OPERATIONS tab, in the PATCH MANAGEMENT drop-down list, select Software vulnerabilities.

    The page displays a list of vulnerabilities in applications detected on managed devices.

  2. Select the check box next to the required vulnerability.
  3. Click the Statistics of vulnerability on devices button.

A diagram of the vulnerability statuses is displayed. Clicking a status opens a list of devices on which the vulnerability has the selected status.

See also:

Scenario: Finding and fixing third-party software vulnerabilities

[Topic 183984]

Exporting the list of software vulnerabilities to a file

You can export the displayed list of vulnerabilities to a CSV or TXT file. You can use these files, for example, to send them to your information security manager or to store them for statistical purposes.

To export the list of software vulnerabilities detected on all managed devices to a text file:

  1. On the OPERATIONS tab, in the PATCH MANAGEMENT drop-down list, select Software vulnerabilities.

    The page displays a list of vulnerabilities in applications detected on managed devices.

  2. Click the Export rows to TXT file or Export rows to CSV file button, depending on the format you prefer for export.

The file containing the list of software vulnerabilities is downloaded to the device that you use at the moment.

To export the list of software vulnerabilities detected on the selected managed device to a text file:

  1. Open the list of software vulnerabilities detected on the selected managed device.
  2. Select the software vulnerabilities you want to export.

    Skip this step if you want to export a complete list of software vulnerabilities detected on the managed device.

    If you export the complete list of software vulnerabilities detected on the managed device, only the vulnerabilities displayed on the current page are exported.

  3. Click the Export rows to TXT file or Export rows to CSV file button, depending on the format you prefer for export.

The file containing the list of software vulnerabilities detected on the selected managed device is downloaded to the device you are using at the moment.

See also:

Scenario: Finding and fixing third-party software vulnerabilities

[Topic 183983]

Ignoring software vulnerabilities

You can ignore software vulnerabilities that are to be fixed. The reasons to ignore software vulnerabilities might be, for example, the following:

  • You do not consider the software vulnerability critical to your organization.
  • You understand that the software vulnerability fix can damage data related to the software that required the vulnerability fix.
  • You are sure that the software vulnerability is not dangerous for your organization's network because you use other measures to protect your managed devices.

You can ignore a software vulnerability on all managed devices or only on selected managed devices.

To ignore a software vulnerability on all managed devices:

  1. On the OPERATIONS tab, in the PATCH MANAGEMENT drop-down list, select Software vulnerabilities.

    The page displays the list of software vulnerabilities detected on managed devices.

  2. In the list of software vulnerabilities, click the link with the name of the software vulnerability you want to ignore.

    The software vulnerability properties window opens.

  3. On the General tab, enable the Ignore vulnerability option.
  4. Click the Save button.

    The software vulnerability properties window closes.

The software vulnerability is ignored on all managed devices.

To ignore a software vulnerability on the selected managed device:

  1. On the DEVICES tab, select the MANAGED DEVICES tab.

    The list of managed devices is displayed.

  2. In the list of managed devices, click the link with the name of the device on which you want to ignore a software vulnerability.

    The device properties window is opened.

  3. In the device properties window, select the Advanced tab.
  4. In the left pane, select the Software vulnerabilities section.

    The list of software vulnerabilities detected on the device is displayed.

  5. In the list of software vulnerabilities, select the vulnerability you want to ignore on the selected device.

    The software vulnerability properties window opens.

  6. In the software vulnerability properties window, on the General tab, enable the Ignore vulnerability option.
  7. Click the Save button.

    The software vulnerability properties window closes.

  8. Close the device properties window.

The software vulnerability is ignored on the selected device.

The ignored software vulnerability will not be fixed after completion of the Fix vulnerabilities task or Install required updates and fix vulnerabilities task. You can exclude ignored software vulnerabilities from the list of vulnerabilities by means of the filter.

See also:

Scenario: Finding and fixing third-party software vulnerabilities

[Topic 184132][Topic 184060]

Scenario: Application Management

You can manage application startup on user devices. You can allow or block applications from running on managed devices. This functionality is implemented by the Application Control component. You can manage applications installed on Windows devices.

Prerequisites

  • Kaspersky Security Center is deployed in your organization.
  • The Kaspersky Endpoint Security for Windows policy is created and is active.

Stages

The Application Control usage scenario proceeds in stages:

  1. Forming and viewing the list of applications on client devices

    This stage helps you find out what applications are installed on managed devices. You can view the list of applications and decide which applications you want to allow and which you want to prohibit, according to your organization's security policies. The restrictions can be related to the information security policies in your organization. You can skip this stage if you know exactly what applications are installed on managed devices.

    How-to instructions:

  2. Forming and viewing the list of executable files on client devices

    This stage helps you find out what executable files are found on managed devices. View the list of executable files and compare it with the lists of allowed and prohibited executable files. The restrictions on executable files usage can be related to the information security policies in your organization. You can skip this stage if you know exactly what executable files are installed on managed devices.

    How-to instructions:

  3. Creating application categories for the applications used in your organization

    Analyze the lists of applications and executable files stored on managed devices. Based on the analysis, create application categories. It is recommended to create a "Work applications" category that covers the standard set of applications that are used at your organization. If different user groups use different sets of applications in their work, a separate application category can be created for each user group.

    Depending on the set of criteria used to create an application category, you can create application categories of three types.

    How-to instructions:

  4. Configuring Application Control in the Kaspersky Endpoint Security for Windows policy

    Configure the Application Control component in the Kaspersky Endpoint Security for Windows policy using the application categories you have created on the previous stage.

    How-to instructions:

  5. Turning on Application Control component in test mode

    To ensure that Application Control rules do not block applications required for users' work, it is recommended to enable testing of Application Control rules and analyze their operation after creating new rules. When testing is enabled, Kaspersky Endpoint Security for Windows will not block applications whose startup is forbidden by Application Control rules, but will instead send notifications about their startup to the Administration Server.

    When testing Application Control rules, it is recommended to perform the following actions:

    • Determine the testing period. Testing period can vary from several days to two months.
    • Examine the events resulting from testing the operation of Application Control.

    How-to instructions for Kaspersky Security Center 13.1 Web Console: Configuring Application Control component in the Kaspersky Endpoint Security for Windows policy. Follow these instructions and enable the Test Mode option during configuration.

  6. Changing the application categories settings of Application Control component

    If necessary, make changes to the Application Control settings. Based on the test results, you can add executable files related to events of the Application Control component to an application category with content added manually.

    How-to instructions:

  7. Applying the rules of Application Control in operation mode

    After Application Control rules are tested and configuration of application categories is complete, you can apply the rules of Application Control in operation mode.

    How-to instructions for Kaspersky Security Center 13.1 Web Console: Configuring Application Control component in the Kaspersky Endpoint Security for Windows policy. Follow these instructions and disable the Test Mode option during configuration.

  8. Verifying Application Control configuration

    Be sure that you have done the following:

    • Created application categories.
    • Configured Application Control using the application categories.
    • Applied the rules of Application Control in operation mode.

Results

When the scenario is complete, application startup on managed devices is controlled. The users can start only those applications that are allowed in your organization and cannot start applications that are prohibited in your organization.

For detailed information about Application Control, refer to Kaspersky Endpoint Security for Windows Online Help and to the Kaspersky Security for Virtualization Light Agent.

[Topic 183681_1]

About Application Control

The Application Control component monitors users' attempts to start applications and regulates the startup of applications by using Application Control rules.

Application Control component is available for Kaspersky Endpoint Security for Windows and for Kaspersky Security for Virtualization Light Agent. All the instructions in this section describe configuration of Application Control for Kaspersky Endpoint Security for Windows.

Startup of applications whose settings do not match any of the Application Control rules is regulated by the selected operating mode of the component:

  • Denylist. The mode is used if you want to allow the startup of all applications except the applications specified in block rules. This mode is selected by default.
  • Allowlist. The mode is used if you want to block the startup of all applications except the applications specified in allow rules.

The Application Control rules are implemented through application categories. You create application categories defining specific criteria. In Kaspersky Security Center there are three types of application categories:

For detailed information about Application Control, refer to Kaspersky Endpoint Security for Windows Online Help and to the Kaspersky Security for Virtualization Light Agent.
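The two operating modes above, together with the test mode from the Application Management scenario, can be modelled in a few lines. This is an added illustration, not Kaspersky code: the `Category`, `Rule`, `Decision`, `decide` and `would_block` names, the sample paths and hashes, and the choice that a block rule wins over an allow rule when both match are assumptions of the example.

```python
from dataclasses import dataclass
from fnmatch import fnmatchcase

# Simplified model for illustration; every name here is hypothetical and the
# structure is not Kaspersky's rule engine.


@dataclass(frozen=True)
class Category:
    """An application category reduced to two of the criteria the page lists."""
    name: str
    sha256: frozenset = frozenset()   # "File hash" criterion
    path_masks: tuple = ()            # "Specify path to application (masks supported)"

    def matches(self, path, digest):
        p = path.lower()              # Windows paths are case-insensitive
        return digest.lower() in self.sha256 or any(
            fnmatchcase(p, mask.lower()) for mask in self.path_masks)


@dataclass(frozen=True)
class Rule:
    category: Category
    action: str                       # "allow" or "block"


@dataclass(frozen=True)
class Decision:
    started: bool             # did the application actually start?
    verdict: str              # what the rules and the mode say
    reason: str
    test_notification: bool   # startup reported to Administration Server in test mode


def decide(path, digest, rules, mode, test_mode=False):
    """Evaluate one startup attempt under 'denylist' or 'allowlist' mode."""
    if mode not in ("denylist", "allowlist"):
        raise ValueError(f"unknown mode: {mode!r}")
    hits = [r for r in rules if r.category.matches(path, digest)]
    blocked_by = [r.category.name for r in hits if r.action == "block"]
    allowed_by = [r.category.name for r in hits if r.action == "allow"]
    if blocked_by:            # assumption: a block rule wins over an allow rule
        verdict, reason = "block", f"block rule: {blocked_by[0]}"
    elif allowed_by:
        verdict, reason = "allow", f"allow rule: {allowed_by[0]}"
    else:                     # no rule matched, so the operating mode decides
        verdict = "allow" if mode == "denylist" else "block"
        reason = f"no rule matched, {mode} default"
    if verdict == "block":
        # Test mode: the application still starts and the startup is reported.
        return Decision(test_mode, verdict, reason, test_mode)
    return Decision(True, verdict, reason, False)


def would_block(launches, rules, mode):
    """Paths a test period would report: started now, blocked in operation mode."""
    return [path for path, digest in launches
            if decide(path, digest, rules, mode, test_mode=True).test_notification]


# Constructed sample data (hashes are placeholders, not real file hashes).
WORK = Category("Work applications",
                sha256=frozenset({"ab" * 32}),
                path_masks=(r"C:\Program Files\*",))
GAMES = Category("Games", path_masks=(r"*\Games\*",))
LAUNCHES = [
    (r"C:\Program Files\Office\winword.exe", "11" * 32),
    (r"C:\Users\al\Downloads\tool.exe", "22" * 32),
    (r"D:\Games\solitaire.exe", "33" * 32),
    (r"C:\Users\al\Desktop\portable-editor.exe", "ab" * 32),
]

if __name__ == "__main__":
    for mode, rules in (("denylist", [Rule(GAMES, "block")]),
                        ("allowlist", [Rule(WORK, "allow")])):
        print(mode)
        for path, digest in LAUNCHES:
            d = decide(path, digest, rules, mode)
            print(f"  {'start' if d.started else 'BLOCK'}  {path}  ({d.reason})")
    print("test mode would report:",
          would_block(LAUNCHES, [Rule(WORK, "allow")], "allowlist"))
```

Running `would_block` over the startups seen during a test period gives the list of executables to review before switching an allowlist to operation mode.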

See also:

Scenario: Application Management

[Topic 184061]

Obtaining and viewing a list of applications installed on client devices

Kaspersky Security Center inventories all software installed on managed client devices running Windows.

Network Agent compiles a list of applications installed on a device and then transmits this list to Administration Server. Network Agent automatically receives information about installed applications from the Windows registry.

To save the device resources, Network Agent by default starts receiving information about installed applications 10 minutes after the Network Agent service starts.

To view the list of applications installed on managed devices:

In the OPERATIONS → THIRD-PARTY APPLICATIONS drop-down list, select Applications registry.

The page displays the list of applications installed on managed devices.

For detailed information about Application Control, refer to Kaspersky Endpoint Security for Windows Online Help and to the Kaspersky Security for Virtualization Light Agent.

See also:

Scenario: Application Management

[Topic 184063]

Obtaining and viewing a list of executable files stored on client devices

You can obtain a list of executable files stored on managed devices. To inventory executable files, you must create an inventory task.

The feature of inventorying executable files is available for the following applications:

  • Kaspersky Endpoint Security for Windows
  • Kaspersky Endpoint Security for Linux
  • Kaspersky Security for Virtualization 4.0 Light Agent and later versions

You can reduce load on the database while obtaining information about the installed applications. To do this, we recommend that you run an inventory task on reference devices on which a standard set of software is installed.

To create an inventory task for executable files on client devices:

  1. In the main menu, go to DEVICES → TASKS.

    The list of tasks is displayed.

  2. Click the Add button.

    The Add Task Wizard starts. Follow the steps of the Wizard.

  3. On the New task page, in the Application drop-down list, select Kaspersky Endpoint Security for Windows or Kaspersky Endpoint Security for Linux, depending on the operating system type of the client devices.
  4. In the Task type drop-down list, select Inventory.
  5. On the Finish task creation page, click the Finish button.

After the Add Task Wizard has finished, the Inventory task is created and configured. If you want, you can change the settings for the created task. The newly created task is displayed in the list of tasks.

For a detailed description of the inventory task, refer to the following Helps:

After the Inventory task is performed, the list of executable files stored on managed devices is formed, and you can view the list.

During inventory, executable files in the following formats are detected: MZ, COM, PE, NE, SYS, CMD, BAT, PS1, JS, VBS, REG, MSI, CPL, DLL, JAR, and HTML.

To view the list of executable files stored on client devices:

In the OPERATIONS → THIRD-PARTY APPLICATIONS drop-down list, select EXECUTABLE FILES.

The page displays the list of executable files stored on client devices.

To send the executable file of the managed device to Kaspersky:

  1. In the main menu, go to OPERATIONS → THIRD-PARTY APPLICATIONS → EXECUTABLE FILES.
  2. Click the link of the executable file that you want to send to Kaspersky.
  3. In the window that opens, go to the Devices section, and then select the checkbox of the managed device from which you want to send the executable file.

    Before you send the executable file, make sure that the managed device has a direct connection to the Administration Server, by selecting the Do not disconnect from the Administration Server checkbox.

  4. Click the Send to Kaspersky button.

The selected executable file is downloaded for further sending to Kaspersky.

See also:

Scenario: Application Management

[Topic 184064]

Creating application category with content added manually


You can specify a set of criteria as a template of executable files for which you want to allow or block a start in your organization. On the basis of executable files corresponding to the criteria, you can create an application category and use it in the Application Control component configuration.

To create an application category with content added manually:

  1. In the OPERATIONS → THIRD-PARTY APPLICATIONS drop-down list, select APPLICATION CATEGORIES.

    The page with a list of application categories is displayed.

  2. Click the Add button.

    The New Category Wizard starts. Follow the steps of the Wizard.

  3. On the Select category creation method page of the Wizard, select the Category with content added manually. Data of executable files is manually added to the category option.
  4. On the Conditions page of the Wizard, click the Add button to add a condition criterion to include files in the category that is being created.
  5. On the Condition criteria page, select a rule type for the creation of category from the list:
    • From KL category

      If this option is selected, you can specify a Kaspersky application category as the condition of adding applications to the user category. The applications from the specified Kaspersky category will be added to the user application category.

    • Select certificate from repository

      If this option is selected, you can specify certificates from the storage. Executable files that have been signed in accordance with the specified certificates will be added to the user category.

    • Specify path to application (masks supported)

      If this option is selected, you can specify the path to the folder on the client device containing the executable files that are to be added to the user application category.

    • Removable drive

      If this option is selected, you can specify the type of the medium (any drive or removable drive) on which the application is run. Applications that have been run on the selected drive type are added to the user application category.

    • Hash, metadata, or certificate:
      • Select from list of executable files

        If this option is selected, you can use the list of executable files on the client device to select and add applications to the category.

      • Select from applications registry

        If this option is selected, application registry is displayed. You can select an application from the registry and specify the following file metadata:

        • File name.
        • File version. You can specify precise value of the version or describe a condition, for example "greater than 5.0".
        • Application name.
        • Application version. You can specify precise value of the version or describe a condition, for example "greater than 5.0".
        • Vendor.
      • Specify manually

        If this option is selected, you must specify file hash, or metadata, or certificate as the condition of adding applications to the user category.

        File Hash

        Depending on the version of the security application installed on devices on your network, you must select an algorithm for hash value computing by Kaspersky Security Center for files in this category. Information about computed hash values is stored in the Administration Server database. Storage of hash values does not increase the database size significantly.

        SHA-256 is a cryptographic hash function: no vulnerabilities have been found in its algorithm, and so it is considered the most reliable cryptographic function nowadays. Kaspersky Endpoint Security 10 Service Pack 2 for Windows and later versions support SHA-256 computing. Computing of the MD5 hash function is supported by all versions earlier than Kaspersky Endpoint Security 10 Service Pack 2 for Windows.

        Select either of the options of hash value computing by Kaspersky Security Center for files in the category:

        • If all instances of security applications installed on your network are Kaspersky Endpoint Security 10 Service Pack 2 for Windows or later versions, select the SHA-256 check box. We do not recommend that you add any categories created according to the criterion of the SHA-256 hash of an executable file for versions earlier than Kaspersky Endpoint Security 10 Service Pack 2 for Windows. This may result in failures in the security application operation. In this case, you can use the MD5 cryptographic hash function for files of the category.
        • If any versions earlier than Kaspersky Endpoint Security 10 Service Pack 2 for Windows are installed on your network, select the MD5 hash. You cannot add a category that was created based on the criterion of the MD5 checksum of an executable file for Kaspersky Endpoint Security 10 Service Pack 2 for Windows or later versions. In this case, you can use the SHA-256 cryptographic hash function for files of the category.
        • If different devices on your network use both earlier and later versions of Kaspersky Endpoint Security 10, select both the SHA-256 check box and the MD5 hash check box.

        Metadata

        If this option is selected, you can specify file metadata such as file name, file version, and vendor. The metadata will be sent to Administration Server. Executable files that contain the same metadata will be added to the application category.

        Certificate

        If this option is selected, you can specify certificates from the storage. Executable files that have been signed in accordance with the specified certificates will be added to the user category.

      • From file or from MSI package / archived folder

        If this option is selected, you can specify an MSI installer file as the condition of adding applications to the user category. The application installer metadata will be sent to Administration Server. The applications for which the installer metadata is the same as for the specified MSI installer are added to the user application category.

    The selected criterion is added to the list of conditions.

    You can add as many criteria as you need for the application category that is being created.

  6. On the Exclusions page of the Wizard, click the Add button to add an exclusive condition criterion to exclude files from the category that is being created.
  7. On the Condition criteria page, select a rule type from the list, in the same way that you selected a rule type for category creation.

When the Wizard finishes, the application category is created. It is displayed in the list of application categories. You can use the created application category when you configure Application Control.

For detailed information about Application Control, refer to Kaspersky Endpoint Security for Windows Online Help and to the Kaspersky Security for Virtualization Light Agent.

See also:

Scenario: Application Management

[Topic 184075]

Creating application category that includes executable files from selected devices


You can use executable files from selected devices as a template of executable files that you want to allow or block. Based on executable files from selected devices, you can create an application category and use it in the Application Control component configuration.

To create an application category that includes executable files from selected devices:

  1. In the OPERATIONS → THIRD-PARTY APPLICATIONS drop-down list, select APPLICATION CATEGORIES.

    The page with a list of application categories is displayed.

  2. Click the Add button.

    The New Category Wizard starts. Proceed through the Wizard by using the Next button.

  3. On the Select category creation method page of the Wizard, specify the category name and select the Category that includes executable files from selected devices. These executable files are processed automatically and their metrics are added to the category option.
  4. Click Add.
  5. In the window that opens, select a device or devices whose executable files will be used to create the application category.
  6. Specify the following settings:
    • Hash value computing algorithm

      Depending on the version of the security application installed on devices on your network, you must select an algorithm for hash value computing by Kaspersky Security Center for files in this category. Information about computed hash values is stored in the Administration Server database. Storage of hash values does not increase the database size significantly.

      SHA-256 is a cryptographic hash function: no vulnerabilities have been found in its algorithm, and so it is considered the most reliable cryptographic function nowadays. Kaspersky Endpoint Security 10 Service Pack 2 for Windows and later versions support SHA-256 computing. Computing of the MD5 hash function is supported by all versions earlier than Kaspersky Endpoint Security 10 Service Pack 2 for Windows.

      Select either of the options of hash value computing by Kaspersky Security Center for files in the category:

      • If all instances of security applications installed on your network are Kaspersky Endpoint Security 10 Service Pack 2 for Windows or later versions, select the SHA-256 check box. We do not recommend that you add any categories created according to the criterion of the SHA-256 hash of an executable file for versions earlier than Kaspersky Endpoint Security 10 Service Pack 2 for Windows. This may result in failures in the security application operation. In this case, you can use the MD5 cryptographic hash function for files of the category.
      • If any versions earlier than Kaspersky Endpoint Security 10 Service Pack 2 for Windows are installed on your network, select the MD5 hash. You cannot add a category that was created based on the criterion of the MD5 checksum of an executable file for Kaspersky Endpoint Security 10 Service Pack 2 for Windows or later versions. In this case, you can use the SHA-256 cryptographic hash function for files of the category.

      If different devices on your network use both earlier and later versions of Kaspersky Endpoint Security 10, select both the SHA-256 check box and the MD5 hash check box.

      The Calculate SHA-256 for files in this category (supported by Kaspersky Endpoint Security 10 Service Pack 2 for Windows and any later versions) check box is selected by default.

      The Calculate MD5 for files in this category (supported by versions earlier than Kaspersky Endpoint Security 10 Service Pack 2 for Windows) check box is cleared by default.

    • Synchronize data with Administration Server repository

      Select this option if you want Administration Server to periodically check for changes in the specified folder (or folders).

      By default, this option is disabled.

      If you enable this option, specify the period (in hours) to check changes in the specified folder (folders). By default, scan interval is 24 hours.

    • File type

      In this section, you can specify the file type that is used to create the application category.

      All files. All files are taken into consideration when creating the category. By default, this option is selected.

      Only files outside the application categories. Only files outside the application categories are taken into consideration when creating the category.

    • Folders

      In this section you can specify which folders from the selected device (devices) contain files that are used to create the application category.

      All folders. All folders are taken into consideration for the category that is being created. By default, this option is selected.

      Specified folder. Only the specified folder is taken into consideration for the category that is being created. If you select this option, you must specify the path to the folder.

When the Wizard finishes, the application category is created. It is displayed in the list of application categories. You can use the created application category when you configure Application Control.
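The hash algorithm choice described for categories with manually added content and for categories built from selected devices can be checked against a device inventory before the category is created. The following is an added example, not part of the product: the function names, the fleet mapping (device name to "runs Kaspersky Endpoint Security 10 Service Pack 2 for Windows or later") and the sample data are assumptions.

```python
import hashlib
import io

SHA256, MD5 = "sha256", "md5"   # hashlib names for the two wizard check boxes


def select_algorithms(fleet):
    """Pick the check boxes to select for a category.

    `fleet` maps a device name to True when the device runs Kaspersky Endpoint
    Security 10 Service Pack 2 for Windows or later (SHA-256), or to False when
    it runs an earlier version (MD5). How that flag is obtained is outside the
    scope of this example.
    """
    if not fleet:
        raise ValueError("fleet inventory is empty")
    algorithms = []
    if any(fleet.values()):
        algorithms.append(SHA256)
    if not all(fleet.values()):
        algorithms.append(MD5)
    return tuple(algorithms)


def uncovered_devices(fleet, algorithms):
    """Devices that cannot use a category computed only with `algorithms`."""
    return sorted(device for device, sp2_or_later in fleet.items()
                  if (SHA256 if sp2_or_later else MD5) not in algorithms)


def file_hashes(stream, algorithms, chunk_size=1 << 20):
    """Hash a binary stream once, feeding every selected algorithm per chunk."""
    hashers = {name: hashlib.new(name) for name in algorithms}
    for chunk in iter(lambda: stream.read(chunk_size), b""):
        for hasher in hashers.values():
            hasher.update(chunk)
    return {name: hasher.hexdigest() for name, hasher in hashers.items()}


# Constructed inventory: two current workstations and one legacy device.
FLEET_MIXED = {"ws-01": True, "ws-02": True, "legacy-pos-07": False}

if __name__ == "__main__":
    chosen = select_algorithms(FLEET_MIXED)
    print("select:", chosen)
    print("not covered by SHA-256 only:",
          uncovered_devices(FLEET_MIXED, (SHA256,)))
    # Constructed stand-in for an executable; use open(path, "rb") for a real file.
    print(file_hashes(io.BytesIO(b"abc"), chosen))
```

A non-empty result from `uncovered_devices` means the category's hash conditions cannot be used by those devices, so they are worth resolving before the category is referenced in an Application Control rule.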

See also:

Scenario: Application Management

[Topic 184076]

Creating application category that includes executable files from selected folder


You can use executable files from a selected folder as a standard of executable files that you want to allow or block in your organization. On the basis of executable files from the selected folder, you can create an application category and use it in the Application Control component configuration.

To create an application category that includes executable files from the selected folder:

  1. On the OPERATIONS tab, in the THIRD-PARTY APPLICATIONS drop-down list, select APPLICATION CATEGORIES.

    The page with a list of application categories is displayed.

  2. Click the Add button.

    The New Category Wizard starts. Proceed through the Wizard by using the Next button.

  3. On the Select category creation method page of the Wizard, specify the category name, and then select the following option: Category that includes executable files from a specific folder. Executable files of applications copied to the specified folder are automatically processed and their metrics are added to the category.
  4. Specify the folder whose executable files will be used to create the application category.
  5. Define the following settings:
    • Include dynamic-link libraries (DLL) in this category

      The application category includes dynamic-link libraries (files in DLL format), and the Application Control component logs the actions of such libraries running in the system. Including DLL files in the category may lower the performance of Kaspersky Security Center.

      By default, this check box is cleared.

    • Include script data in this category

      The application category includes data on scripts, and scripts are not blocked by Web Threat Protection. Including the script data in the category may lower the performance of Kaspersky Security Center.

      By default, this check box is cleared.

    • Hash value computing algorithm: Calculate SHA-256 for files in this category (supported by Kaspersky Endpoint Security 10 Service Pack 2 for Windows and later versions) / Calculate MD5 for files in this category (supported by versions earlier than Kaspersky Endpoint Security 10 Service Pack 2 for Windows)

      Depending on the version of the security application installed on devices on your network, you must select an algorithm for hash value computing by Kaspersky Security Center for files in this category. Information about computed hash values is stored in the Administration Server database. Storage of hash values does not increase the database size significantly.

      SHA-256 is a cryptographic hash function: no vulnerabilities have been found in its algorithm, and so it is considered the most reliable cryptographic function nowadays. Kaspersky Endpoint Security 10 Service Pack 2 for Windows and later versions support SHA-256 computing. Computing of the MD5 hash function is supported by all versions earlier than Kaspersky Endpoint Security 10 Service Pack 2 for Windows.

      Select either of the options of hash value computing by Kaspersky Security Center for files in the category:

      • If all instances of security applications installed on your network are Kaspersky Endpoint Security 10 Service Pack 2 for Windows or later versions, select the SHA-256 check box. We do not recommend that you add any categories created according to the criterion of the SHA-256 hash of an executable file for versions earlier than Kaspersky Endpoint Security 10 Service Pack 2 for Windows. This may result in failures in the security application operation. In this case, you can use the MD5 cryptographic hash function for files of the category.
      • If any versions earlier than Kaspersky Endpoint Security 10 Service Pack 2 for Windows are installed on your network, select the MD5 hash. You cannot add a category that was created based on the criterion of the MD5 checksum of an executable file for Kaspersky Endpoint Security 10 Service Pack 2 for Windows or later versions. In this case, you can use the SHA-256 cryptographic hash function for files of the category.

      If different devices on your network use both earlier and later versions of Kaspersky Endpoint Security 10, select both the SHA-256 check box and the MD5 hash check box.

      The Calculate SHA-256 for files in this category (supported by Kaspersky Endpoint Security 10 Service Pack 2 for Windows and any later versions) check box is selected by default.

      The Calculate MD5 for files in this category (supported by versions earlier than Kaspersky Endpoint Security 10 Service Pack 2 for Windows) check box is cleared by default.

    • Force folder scan for changes

      If this option is enabled, the application regularly checks the folder of category content addition for changes. You can specify the frequency of checks (in hours) in the entry field next to the check box. By default, the time interval between forced checks is 24 hours.

      If this option is disabled, the application does not force any checks of the folder. The Server attempts to access files if they have been modified, added, or deleted.

      By default, this option is disabled.

When the Wizard finishes, the application category is created. It is displayed in the list of application categories. You can use the application category when you configure Application Control.

For detailed information about Application Control, refer to Kaspersky Endpoint Security for Windows Online Help and to the Kaspersky Security for Virtualization Light Agent.
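
Because files copied to the reference folder are added to the category automatically, it is worth auditing that folder independently of the console. The following Python sketch is an added example, not Kaspersky code and not part of Kaspersky Security Center: it selects the hash algorithms for a fleet according to the rule in step 5, hashes the executables in a folder, and reports files added, removed, or changed since a baseline. The fleet labels, the MZ-header test for executables, all function names, and the sample files are assumptions constructed for illustration.

```python
import hashlib
import os
import tempfile

# Assumed labels for the two client generations the page distinguishes.
SP2_OR_LATER = "KES 10 SP2 for Windows or later"
PRE_SP2 = "earlier than KES 10 SP2 for Windows"


def algorithms_for_fleet(fleet):
    """Apply the page's rule: SHA-256 for SP2 and later, MD5 for earlier, both if mixed."""
    algos = []
    if SP2_OR_LATER in fleet:
        algos.append("sha256")
    if PRE_SP2 in fleet:
        algos.append("md5")
    if not algos:
        raise ValueError("fleet contains no known client versions")
    return algos


def is_pe(path):
    """Assumption: treat a file as executable if it starts with the PE 'MZ' magic."""
    with open(path, "rb") as handle:
        return handle.read(2) == b"MZ"


def build_manifest(folder, algos, include_dll=False):
    """Map each executable's relative path to its hashes; DLLs only if include_dll is set."""
    manifest = {}
    for root, _dirs, files in os.walk(folder):
        for name in sorted(files):
            path = os.path.join(root, name)
            if name.lower().endswith(".dll") and not include_dll:
                continue
            if os.path.islink(path) or not is_pe(path):
                continue
            hashers = {algo: hashlib.new(algo) for algo in algos}
            with open(path, "rb") as handle:
                for chunk in iter(lambda: handle.read(65536), b""):
                    for hasher in hashers.values():
                        hasher.update(chunk)
            rel = os.path.relpath(path, folder)
            manifest[rel] = {algo: h.hexdigest() for algo, h in hashers.items()}
    return manifest


def diff_manifests(baseline, current):
    """Report what changed in the reference folder since the baseline was taken."""
    shared = baseline.keys() & current.keys()
    return {
        "added": sorted(current.keys() - baseline.keys()),
        "removed": sorted(baseline.keys() - current.keys()),
        "changed": sorted(p for p in shared if baseline[p] != current[p]),
    }


def write_sample(folder, name, data):
    """Create one constructed sample file."""
    with open(os.path.join(folder, name), "wb") as handle:
        handle.write(data)


def demo():
    """Run the check on constructed sample files in a temporary folder."""
    with tempfile.TemporaryDirectory() as folder:
        write_sample(folder, "tool.exe", b"MZ" + b"\x00" * 62 + b"v1")
        write_sample(folder, "helper.dll", b"MZ" + b"\x00" * 62 + b"dll")
        write_sample(folder, "readme.txt", b"not an executable")
        algos = algorithms_for_fleet([SP2_OR_LATER, PRE_SP2])  # mixed fleet
        baseline = build_manifest(folder, algos)
        # Simulate changes between two scans: one file replaced, one file added.
        write_sample(folder, "tool.exe", b"MZ" + b"\x00" * 62 + b"v2")
        write_sample(folder, "dropped.exe", b"MZ" + b"\x00" * 62 + b"new")
        current = build_manifest(folder, algos)
        return algos, baseline, diff_manifests(baseline, current)


if __name__ == "__main__":
    algos, baseline, changes = demo()
    print("algorithms:", algos)
    print("baseline:", baseline)
    print("changes:", changes)
```

Any entry under "added" or "changed" that does not correspond to a planned software rollout deserves review before the next folder scan extends the category.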

See also:

Scenario: Application Management

[Topic 184077]

Viewing the list of application categories

You can view the list of configured application categories and the settings of each application category.

To view the list of application categories,

On the OPERATIONS tab, in the THIRD-PARTY APPLICATIONS drop-down list, select APPLICATION CATEGORIES.

The page with a list of application categories is displayed.

To view properties of an application category,

Click the name of the application category.

The properties window of the application category is displayed. The properties are grouped on several tabs.

See also:

Scenario: Application Management

[Topic 191028]

Configuring Application Control in the Kaspersky Endpoint Security for Windows policy

After you create Application Control categories, you can use them for configuring Application Control in Kaspersky Endpoint Security for Windows policies.

To configure Application Control in the Kaspersky Endpoint Security for Windows policy:

  1. In the main menu, go to DEVICES → POLICIES & PROFILES.

    A page with a list of policies is displayed.

  2. Click the Kaspersky Endpoint Security for Windows policy.

    The policy settings window opens.

  3. Select the Application settings tab, Security Controls section, Application Control subsection.

    The Application Control window with Application Control settings is displayed.

  4. Switch the toggle button to enable the Application Control option.
  5. If you want to test Application Control rules, switch the toggle button to enable the Test Mode option.

    If you want to apply Application Control rules, switch the toggle button to disable the Test Mode option.

  6. Enable the Control DLL and drivers option if you want Kaspersky Endpoint Security for Windows to monitor the loading of DLL modules when applications are started by users.

    Information about the module and the application that loaded the module will be saved to a report.

    Kaspersky Endpoint Security for Windows monitors only the DLL modules and drivers loaded after the Control DLL and drivers option is selected. Restart the computer after selecting the Control DLL and drivers option if you want Kaspersky Endpoint Security for Windows to monitor all DLL modules and drivers, including those loaded before Kaspersky Endpoint Security for Windows is started.

  7. (Optional) In the Message templates block, change the template of the message that is displayed when an application is blocked from starting and the template of the email message that is sent to you.
  8. In the Application Control Mode block settings, select Denylist or Allowlist mode.

    By default, Denylist mode is selected.

  9. Click the Rules Lists Settings link.

    The Denylists and allowlists window opens to let you add an application category. By default, the Denylist tab is selected if the Denylist mode is selected, and the Allowlist tab is selected if the Allowlist mode is selected.

  10. In the Denylists and allowlists window, click the Add button.

    The Application Control rule window opens.

  11. Click the Category is not defined link.

    The Application Category window opens.

  12. Add the application category (or categories) that you created earlier.

    You can edit the settings of a created category by clicking the Edit button.

    You can create a new category by clicking the Add button.

    You can delete a category from the list by clicking the Delete button.

  13. After the list of application categories is complete, click the OK button.

    The Application Category window closes.

  14. In the Application Control rule window, in the Subjects and their rights section, create the list of users and groups of users to which the Application Control rule applies.
  15. Click the OK button to save the settings and to close the Application Control rule window.
  16. Click the OK button to save the settings and to close the Denylists and allowlists window.
  17. Click the OK button to save the settings and to close the Application Control window.
  18. Close the window with the Kaspersky Endpoint Security for Windows policy settings.

Application Control is configured. After the policy is propagated to the client devices, the startup of executable files is managed.

For detailed information about Application Control, refer to Kaspersky Endpoint Security for Windows Online Help and to the Kaspersky Security for Virtualization Light Agent.

See also:

Scenario: Application Management

[Topic 184079]

Adding event-related executable files to the application category


After you configure Application Control in the Kaspersky Endpoint Security for Windows policies, the following events will be displayed in the list of events:

  • Application startup prohibited (Critical event). This event is displayed if you have configured Application Control to apply rules.
  • Application startup prohibited in test mode (Info event). This event is displayed if you have configured Application Control to test rules.
  • Application startup blockage message to administrator (Warning event). This event is displayed if you have configured Application Control to apply rules and a user has requested access to the application that is blocked at startup.

It is recommended to create event selections to view events related to Application Control operation.

You can add executable files related to Application Control events to an existing application category or to a new application category. You can add executable files only to an application category with content added manually.

To add executable files related to Application Control events to an application category:

  1. In the main menu, go to MONITORING & REPORTING → EVENT SELECTIONS.

    The list of event selections is displayed.

  2. Select the event selection to view events related to Application Control and start this event selection.

    If you have not created an event selection related to Application Control, you can select and start a predefined selection, for example, Recent events.

    The list of events is displayed.

  3. Select the events whose associated executable files you want to add to the application category, and then click the Assign to category button.

    The New Category Wizard starts. Proceed through the Wizard by using the Next button.

  4. On the Wizard page, specify the relevant settings:
    • In the Action on executable file related to the event section, select one of the following options:
      • Add to a new application category

        Select this option if you want to create a new application category based on event-related executable files.

        By default, this option is selected.

        If you have selected this option, specify a new category name.

      • Add to an existing application category

        Select this option if you want to add event-related executable files to an existing application category.

        By default, this option is not selected.

        If you have selected this option, select the application category with content added manually to which you want to add executable files.

    • In the Rule type section, select one of the following options:
      • Rules for adding to inclusions
      • Rules for adding to exclusions
    • In the Parameter used as a condition section, select one of the following options:
      • Certificate details (or SHA-256 hashes for files without a certificate)

        Files may be signed with a certificate. Multiple files may be signed with the same certificate. For example, different versions of the same application may be signed with the same certificate, or several different applications from the same vendor may be signed with the same certificate. When you select a certificate, several versions of an application or several applications from the same vendor may end up in the category.

        Each file has its own unique SHA-256 hash. When you select an SHA-256 hash, only one corresponding file, for example, the defined application version, ends up in the category.

        Select this option if you want to add the certificate details of an executable file (or the SHA-256 hash for files without a certificate) to the category rules.

        By default, this option is selected.

      • Certificate details (files without a certificate will be skipped)

        Files may be signed with a certificate. Multiple files may be signed with the same certificate. For example, different versions of the same application may be signed with the same certificate, or several different applications from the same vendor may be signed with the same certificate. When you select a certificate, several versions of an application or several applications from the same vendor may end up in the category.

        Select this option if you want to add the certificate details of an executable file to the category rules. If the executable file has no certificate, this file will be skipped. No information about this file will be added to the category.

      • Only SHA-256 (files without a hash will be skipped)

        Each file has its own unique SHA-256 hash. When you select an SHA-256 hash, only one corresponding file, for example, the defined application version, ends up in the category.

        Select this option if you want to add only the details of the SHA-256 hash of the executable file.

      • Only MD5 (discontinued mode, only for Kaspersky Endpoint Security 10 Service Pack 1 version)

        Each file has its own unique MD5 hash. When you select an MD5 hash, only one corresponding file, for example, the defined application version, ends up in the category.

        Select this option if you want to add only the details of the MD5 hash of the executable file. Computing of the MD5 hash function is supported by Kaspersky Endpoint Security 10 Service Pack 1 for Windows and all earlier versions.

  5. Click OK.

When the Wizard finishes, executable files related to the Application Control events are added to the existing application category or to a new application category. You can view settings of the application category that you have modified or created.

For detailed information about Application Control, refer to Kaspersky Endpoint Security for Windows Online Help and to the Kaspersky Security for Virtualization Light Agent.

See also:

Scenario: Application Management

[Topic 186329]

Creating an installation package of a third-party application from the Kaspersky database

Kaspersky Security Center Web Console allows you to perform remote installation of third-party applications by using installation packages. Such third-party applications are included in a dedicated Kaspersky database. This database is created automatically when you run the Download updates to the repository of the Administration Server task for the first time.

To create an installation package of a third-party application from the Kaspersky database:

  1. In Kaspersky Security Center Web Console, open DISCOVERY & DEPLOYMENT → DEPLOYMENT & ASSIGNMENT → INSTALLATION PACKAGES.
  2. Click the Add button.
  3. On the New Package Wizard page that opens, select the Select an application from the Kaspersky database to create an installation package option, and then click Next.
  4. In the list of applications that opens, select the relevant application, and then click Next.
  5. Select the relevant localization language in the drop-down list, and then click Next.

    This step is only displayed if the application offers multiple language options.

  6. If you are prompted to accept a License Agreement for the installation, on the End User License Agreement page that opens, click the link to read the License Agreement on the vendor's website, and then select the I confirm that I have fully read, understand, and accept the terms and conditions of this End User License Agreement check box.
  7. On the Name of the new installation package page that opens, in the Package name field, enter the name for the installation package, and then click Next.

Wait until the newly created installation package is uploaded to Administration Server. When the New Package Wizard displays the message informing you that the package creation process was successful, click Finish.

The newly created installation package appears on the list of installation packages. You can select this package when creating or reconfiguring the Install application remotely task.

See also:

Scenario: Configuring network protection

[Topic 201899]

Viewing and modifying the settings of an installation package of a third-party application from the Kaspersky database

If you have previously created any installation packages of third-party applications listed in the Kaspersky database, you can subsequently view and modify the settings of these packages.

Modifying the settings of an installation package of a third-party application from the Kaspersky database is only available under the Vulnerability and Patch Management license.

To view and modify the settings of an installation package of a third-party application from the Kaspersky database:

  1. In Kaspersky Security Center Web Console, open DISCOVERY & DEPLOYMENT → DEPLOYMENT & ASSIGNMENT → INSTALLATION PACKAGES.
  2. In the list of installation packages that opens, click the name of the relevant package.
  3. On the properties page that opens, modify the settings, if necessary.
  4. Click the Save button.

The settings that you modified are saved.

See also:

Scenario: Configuring network protection

[Topic 201981]

Settings of an installation package of a third-party application from the Kaspersky database


The settings of an installation package of a third-party application are grouped on the following tabs:

Only some of the settings listed below are displayed by default. You can add the corresponding columns by clicking the Filter button and selecting the relevant column names from the list.

  • General tab:
    • Entry field that contains the name of the installation package that can be edited manually
    • Application

      The name of the third-party application for which the installation package is created.

    • Version

      The version number of the third-party application for which the installation package is created.

    • Size

      The size of the third-party installation package (in kilobytes).

    • Created

      The date and time the third-party installation package was created.

    • Path

      The path to the network folder where the third-party installation package is stored.

  • Installation procedure tab:
    • Install required general system components

      If this option is enabled, before installing an update the application automatically installs all general system components (prerequisites) that are required to install the update. For example, these prerequisites can be operating system updates.

      If this option is disabled, you may have to install the prerequisites manually.

      By default, this option is disabled.

    • Table that displays the update properties and contains the following columns:
  • Settings tab that displays the installation package settings—with their names, descriptions, and values—used as command-line parameters during installation. If the package provides no such settings, the corresponding message is displayed. You can modify the values of these settings.
  • Revision history tab that displays the installation package revisions and contains the following columns:
    • Revision

      Displays the number of the installation package revision.

    • Time

      Displays the time when the revision was created.

    • User

      Displays the name of the user account under which the revision was created.

    • Action

      Lists the action(s) performed on the installation package within the revision.

    • Description

      Displays the text description added for the revision.

See also:

Scenario: Configuring network protection

[Topic 202244]

Application tags

This section describes application tags, and provides instructions for creating and modifying them as well as for tagging third-party applications.

In this section

About application tags

Creating an application tag

Renaming an application tag

Assigning tags to an application

Removing assigned tags from an application

Deleting an application tag

See also:

Device tags

Scenario: Application Management

[Topic 141461]

About application tags

Kaspersky Security Center enables you to tag third-party applications (applications made by software vendors other than Kaspersky). A tag is the label of an application that can be used for grouping or finding applications. A tag assigned to applications can serve as a condition in device selections.

For example, you can create the [Browsers] tag and assign it to all browsers such as Microsoft Internet Explorer, Google Chrome, Mozilla Firefox.

See also:

Scenario: Application Management

Scenario: Discovering networked devices

[Topic 147214]

Creating an application tag

To create an application tag:

  1. In the main menu, go to OPERATIONS → THIRD-PARTY APPLICATIONS → APPLICATION TAGS.
  2. Click Add.

    A new tag window opens.

  3. Enter the tag name.
  4. Click OK to save the changes.

The new tag appears in the list of application tags.

See also:

Scenario: Application Management

Scenario: Discovering networked devices

[Topic 160698]

Renaming an application tag

To rename an application tag:

  1. In the main menu, go to OPERATIONS → THIRD-PARTY APPLICATIONS → APPLICATION TAGS.
  2. Select the check box next to the tag that you want to rename, and then click Edit.

    A tag properties window opens.

  3. Change the tag name.
  4. Click OK to save the changes.

The updated tag appears in the list of application tags.

See also:

Scenario: Application Management

Scenario: Discovering networked devices

[Topic 177853]

Assigning tags to an application

To assign one or several tags to an application:

  1. In the main menu, go to OPERATIONS → THIRD-PARTY APPLICATIONS → APPLICATIONS REGISTRY.
  2. Click the name of the application to which you want to assign tags.
  3. Select the Tags tab.

    The tab displays all application tags that exist on the Administration Server. For tags assigned to the selected application, the check box in the Tag assigned column is selected.

  4. For tags that you want to assign, select check boxes in the Tag assigned column.
  5. Click Save to save the changes.

The tags are assigned to the application.

See also:

Scenario: Application Management

Scenario: Discovering networked devices

[Topic 177855]

Removing assigned tags from an application

To remove one or several tags from an application:

  1. In the main menu, go to OPERATIONS → THIRD-PARTY APPLICATIONS → APPLICATIONS REGISTRY.
  2. Click the name of the application from which you want to remove tags.
  3. Select the Tags tab.

    The tab displays all application tags that exist on the Administration Server. For tags assigned to the selected application, the check box in the Tag assigned column is selected.

  4. For tags that you want to remove, clear check boxes in the Tag assigned column.
  5. Click Save to save the changes.

The tags are removed from the application.

The removed application tags are not deleted. If you want, you can delete them manually.

See also:

Scenario: Application Management

Scenario: Discovering networked devices

[Topic 177857]

Deleting an application tag

To delete an application tag:

  1. In the main menu, go to OPERATIONS → THIRD-PARTY APPLICATIONS → APPLICATION TAGS.
  2. In the list, select the application tag that you want to delete.
  3. Click the Delete button.
  4. In the window that opens, click OK.

The application tag is deleted. The deleted tag is automatically removed from all of the applications to which it was assigned.

See also:

Scenario: Application Management

Scenario: Discovering networked devices

[Topic 177856]