Kaspersky Security Center 13.1

Notifications and device statuses

This section contains information on how to view notifications, configure notification delivery, use device statuses, and enable changing device statuses.

In this section

Using notifications

Viewing onscreen notifications

About device statuses

Configuring the switching of device statuses

Configuring notification delivery

Event notifications displayed by running an executable file


Using notifications

Notifications alert you to events and help you respond to them faster, either by performing the recommended action or by taking whatever action you consider appropriate.

Depending on the notification method chosen, the following types of notifications are available:

  • Onscreen notifications
  • Notifications by SMS
  • Notifications by email
  • Notifications by executable file or script

Onscreen notifications

Onscreen notifications alert you to events grouped by importance levels (Critical, Warning, and Informational).

An onscreen notification has one of two statuses:

  • Reviewed. You have performed the recommended action for the notification, or you have assigned this status to the notification manually.
  • Not Reviewed. You have neither performed the recommended action nor assigned the Reviewed status manually.

By default, the list of notifications shows only notifications in the Not Reviewed status.

You can monitor your organization's network by viewing onscreen notifications and responding to them in real time.

Notifications by email, by SMS, and by executable file or a script

Kaspersky Security Center provides the capability to monitor your organization's network by sending notifications about any event that you consider important. For any event you can configure notifications by email, by SMS, or by running an executable file or a script.

Upon receiving notifications by email or by SMS, you can decide on your response to an event. This response should be the most appropriate for your organization's network. By running an executable file or a script, you predefine a response to an event. You can also consider running an executable file or a script as a primary response to an event. After the executable file runs, you can take other steps to respond to the event.


Viewing onscreen notifications

You can view notifications onscreen in three ways:

  • In the MONITORING & REPORTING → NOTIFICATIONS section. Here you can view notifications grouped into predefined categories.
  • In a separate window that you can open from any section of Web Console. Here you can also mark notifications as reviewed.
  • In the Notifications by selected severity level widget in the MONITORING & REPORTING → DASHBOARD section. The widget shows only notifications of the Critical and Warning importance levels.

From any of these views you can act on a notification, for example, respond to the event it reports.

To view notifications from predefined categories:

  1. In the main menu, go to MONITORING & REPORTING → NOTIFICATIONS.

    The All notifications category is selected in the left pane, and in the right pane all the notifications are displayed.

  2. In the left pane, select one of the categories:
    • Deployment
    • Devices
    • Protection
    • Updates (this includes notifications about Kaspersky applications available for download and notifications about anti-virus database updates that have been downloaded)
    • Exploit Prevention
    • Administration Server (this includes events concerning only Administration Server)
    • Useful links (this includes links to Kaspersky resources, for example, Kaspersky Technical Support, Kaspersky forum, license renewal page, or the Kaspersky IT Encyclopedia)
    • Kaspersky news (this includes information about releases of Kaspersky applications)

A list of notifications of the selected category is displayed. The list contains the following:

  • Icon indicating the topic of the notification: deployment (a server connected with managed devices), protection (a checklist), updates (a shield with two rotating arrows), device management (a server managing devices), Exploit Prevention (a computer with an eye icon), Administration Server (servers).
  • Notification importance level: Critical (a red square with a white exclamation mark), Warning (a yellow triangle with a white exclamation mark), or Info. Notifications in the list are grouped by importance level.
  • Notification. This contains a description of the notification.
  • Action. This contains a link to a quick action that we recommend you perform. For example, by clicking this link, you can proceed to the repository and install security applications on devices, or view a list of devices or a list of events. After you perform the recommended action for the notification, this notification is assigned the Reviewed status.
  • Status registered. This contains the number of days or hours that have passed from the moment when the notification was registered on the Administration Server.

To view onscreen notifications in a separate window by importance level:

  1. In the upper-right corner of Kaspersky Security Center 13.1 Web Console, click the flag icon.

    If the flag icon has a red dot, there are notifications that have not been reviewed.

    A window opens listing the notifications. By default, the All notifications tab is selected and the notifications are grouped by importance level: Critical, Warning, and Info.

  2. Select the System tab.

    The list of Critical (a red square with a white exclamation mark) and Warning (a yellow triangle with a white exclamation mark) notifications is displayed. Each entry in the list includes the following:

    • Color marker. Critical notifications are marked in red. Warning notifications are marked in yellow.
    • Icon indicating the topic of the notification: deployment (a server connected with managed devices), protection (a checklist), updates (a shield with two rotating arrows), device management (a server managing devices), Exploit Prevention (a computer with an eye icon), Administration Server (servers).
    • Description of the notification.
    • Flag icon. The flag icon is gray if notifications have been assigned the Not Reviewed status. When you select the gray flag icon and assign the Reviewed status to a notification, the icon changes color to white.
    • Link to the recommended action. When you perform the recommended action after clicking the link, the notification gets the Reviewed status.
    • Number of days that have passed since the date when the notification was registered on the Administration Server.
  3. Select the More tab.

    The list of Info importance level notifications is displayed.

    The organization of the list is the same as for the list on the System tab (see the description above). The only difference is the absence of a color marker.

You can filter notifications by the date interval when they were registered on Administration Server. Use the Show filter check box to manage the filter.

To view onscreen notifications in the widget:

  1. In the DASHBOARD section, select Add or restore web widget.
  2. In the window that opens, click the Other category, select the Notifications by selected severity level widget, and click Add.

    The widget now appears on the DASHBOARD tab. By default, the notifications of Critical importance level are displayed on the widget.

    You can click the Settings button on the widget and change the widget settings to view notifications of the Warning importance level. Or, you can add another widget: Notifications by selected severity level, with a Warning importance level.

    The widget's size limits the list to two notifications, those for the latest events.

The notification list in the widget includes the following:

  • Icon indicating the topic of the notification: deployment (a server connected with managed devices), protection (a checklist), updates (a shield with two rotating arrows), device management (a server managing devices), Exploit Prevention (a computer with an eye icon), Administration Server (servers).
  • Description of the notification with a link to the recommended action. When you perform a recommended action after clicking the link, the notification gets the Reviewed status.
  • Number of days or number of hours that have passed since the date when the notification was registered on the Administration Server.
  • Link to other notifications. Clicking this link takes you to MONITORING & REPORTING → NOTIFICATIONS.

About device statuses

Kaspersky Security Center assigns a status to each managed device. The particular status depends on whether the conditions defined by the user are met. In some cases, when assigning a status to a device, Kaspersky Security Center takes into consideration the device's visibility flag on the network (see the table below). If Kaspersky Security Center does not find a device on the network within two hours, the visibility flag of the device is set to Not Visible.

The statuses are the following:

  • Critical or Critical / Visible
  • Warning or Warning / Visible
  • OK or OK / Visible

The table below lists the default conditions that must be met to assign the Critical or Warning status to a device, with all possible values.

Conditions for assigning a status to a device

Each condition is listed with its description and the values it accepts. Conditions whose description begins "The device is visible on the network" are evaluated only while the device's visibility flag is set.

Security application is not installed
  Description: Network Agent is installed on the device, but a security application is not.
  Values: toggle button on or off.

Too many viruses detected
  Description: A virus detection task, for example the Virus scan task, has found viruses on the device, and the number found exceeds the specified value.
  Values: more than 0.

Real-time protection level differs from the level set by the Administrator
  Description: The device is visible on the network, but its real-time protection level differs from the level selected in this condition by the administrator.
  Values: Stopped, Paused, or Running.

Virus scan has not been performed in a long time
  Description: The device is visible on the network and a security application is installed, but neither the Malware scan task nor a local scan task has been run within the specified interval. Applies only to devices added to the Administration Server database 7 or more days ago.
  Values: more than 1 day.

Databases are outdated
  Description: The device is visible on the network and a security application is installed, but the anti-virus databases on the device have not been updated within the specified interval. Applies only to devices added to the Administration Server database 1 or more days ago.
  Values: more than 1 day.

Not connected in a long time
  Description: Network Agent is installed on the device, but the device has not connected to an Administration Server within the specified interval (for example, because it was turned off).
  Values: more than 1 day.

Active threats are detected
  Description: The number of unprocessed objects in the ACTIVE THREATS folder exceeds the specified value.
  Values: more than 0 items.

Restart is required
  Description: The device is visible on the network, but an application has been requesting a restart of the device, for one of the selected reasons, for longer than the specified interval.
  Values: more than 0 minutes.

Incompatible applications are installed
  Description: The device is visible on the network, but the software inventory performed through Network Agent has detected incompatible applications installed on the device.
  Values: toggle button on or off.

Software vulnerabilities have been detected
  Description: The device is visible on the network and Network Agent is installed, but the Find vulnerabilities and required updates task has detected vulnerabilities of the specified severity level in applications installed on the device.
  Values: Critical; High; Medium; Ignore if the vulnerability cannot be fixed; Ignore if an update is assigned for installation.

License expired
  Description: The device is visible on the network, but the license has expired.
  Values: toggle button on or off.

License expires soon
  Description: The device is visible on the network, but the license on the device expires in fewer than the specified number of days.
  Values: more than 0 days.

Check for Windows Update updates has not been performed in a long time
  Description: The device is visible on the network, but the Perform Windows Update synchronization task has not been run within the specified interval.
  Values: more than 1 day.

Invalid encryption status
  Description: Network Agent is installed on the device, and the encryption status reported for the device matches the selected value.
  Values: Does not comply with the policy due to the user's refusal (external devices only); Does not comply with the policy due to an error; Restart is required when applying the policy; No encryption policy is specified; Not supported; When applying the policy.

Mobile device settings do not comply with the policy
  Description: During the compliance check, the mobile device's settings were found to differ from those specified in the Kaspersky Endpoint Security for Android policy.
  Values: toggle button on or off.

Unprocessed incidents detected
  Description: Unprocessed incidents exist for the device. Incidents are created automatically by managed Kaspersky applications installed on the client device, or manually by the administrator.
  Values: toggle button on or off.

Device status defined by application
  Description: The status of the device is defined by the managed application.
  Values: toggle button on or off.

Device is out of disk space
  Description: Free disk space on the device is less than the specified value, or the device could not be synchronized with the Administration Server. The Critical or Warning status changes back to OK when the device synchronizes successfully and free space is greater than or equal to the specified value.
  Values: more than 0 MB.

Device has become unmanaged
  Description: During device discovery the device was recognized as visible on the network, but more than three attempts to synchronize with the Administration Server failed.
  Values: toggle button on or off.

Protection is disabled
  Description: The device is visible on the network, but the security application on the device has been disabled for longer than the specified interval.
  Values: more than 0 minutes.

Security application is not running
  Description: The device is visible on the network and a security application is installed on the device, but it is not running.
  Values: toggle button on or off.

Kaspersky Security Center allows you to set up automatic switching of the status of a device in an administration group when specified conditions are met. When specified conditions are met, the client device is assigned one of the following statuses: Critical or Warning. When specified conditions are not met, the client device is assigned the OK status.

Different statuses may correspond to different values of one condition. For example, by default, if the Databases are outdated condition has the More than 3 days value, the client device is assigned the Warning status; if the value is More than 7 days, the Critical status is assigned.

If you upgrade Kaspersky Security Center from a previous version, the existing values of the Databases are outdated condition for the Critical and Warning statuses are kept unchanged.

When Kaspersky Security Center assigns a status to a device, the visibility flag is taken into consideration for some conditions (see the condition descriptions above). For example, if a managed device was assigned the Critical status because the Databases are outdated condition was met, and the device's visibility flag was later set to Not Visible, the condition no longer applies and the device is assigned the OK status.
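The following is an added example written for this page, not Kaspersky Security Center's own code. It models the status logic described above: a condition can carry a different value for Warning and for Critical, Critical takes precedence, a Not Visible device cannot meet the conditions that depend on the visibility flag, and a device returns to OK when nothing enabled is met. The condition names, the visibility rule and the 3-day/7-day values for Databases are outdated come from the text; the other thresholds in DEFAULT_RULES and the device records are assumptions constructed for the example.

```python
"""Added example for this page, not Kaspersky Security Center's own code: a model of
the status logic described in 'About device statuses'. Condition names, the
visibility rule and the 3-day/7-day defaults for 'Databases are outdated' come
from the text; the other thresholds and the device records are assumptions
constructed for the example."""
from dataclasses import dataclass
from typing import Dict, List

OK, WARNING, CRITICAL = "OK", "Warning", "Critical"


@dataclass
class Device:
    name: str
    visible: bool                       # visibility flag; Not Visible after 2 h unseen
    agent_installed: bool = True
    security_app_installed: bool = True
    days_since_db_update: int = 0
    days_since_last_connection: int = 0
    active_threats: int = 0
    protection_disabled_minutes: int = 0


# name -> (depends on visibility flag, predicate(device, configured value)).
# Only conditions whose description begins "The device is visible on the network"
# are suppressed while the visibility flag is Not Visible.
CONDITIONS: Dict[str, tuple] = {
    "Security application is not installed":
        (False, lambda d, on: on and d.agent_installed and not d.security_app_installed),
    "Databases are outdated":
        (True, lambda d, days: d.security_app_installed and d.days_since_db_update > days),
    "Not connected in a long time":
        (False, lambda d, days: d.agent_installed and d.days_since_last_connection > days),
    "Active threats are detected":
        (False, lambda d, items: d.active_threats > items),
    "Protection is disabled":
        (True, lambda d, minutes: d.protection_disabled_minutes > minutes),
}

# One condition can carry a different value per status: Warning at more than
# 3 days and Critical at more than 7 days for outdated databases, as in the text.
# The remaining entries are example settings (assumed), not documented defaults.
DEFAULT_RULES: Dict[str, Dict[str, object]] = {
    CRITICAL: {
        "Databases are outdated": 7,
        "Active threats are detected": 0,
        "Security application is not installed": True,
    },
    WARNING: {
        "Databases are outdated": 3,
        "Not connected in a long time": 1,
        "Protection is disabled": 0,
    },
}


def met_conditions(device: Device, rules: Dict[str, object]) -> List[str]:
    """Names of the enabled conditions the device currently meets."""
    met = []
    for name, value in rules.items():
        needs_visibility, predicate = CONDITIONS[name]
        if needs_visibility and not device.visible:
            continue  # a Not Visible device cannot meet this condition
        if predicate(device, value):
            met.append(name)
    return met


def device_status(device: Device,
                  rules: Dict[str, Dict[str, object]] = DEFAULT_RULES) -> str:
    """Critical takes precedence over Warning; OK when nothing enabled is met.

    Clearing the visibility flag therefore returns a device to OK when its only
    met conditions were visibility-dependent, which is the case described above.
    """
    for status in (CRITICAL, WARNING):
        if met_conditions(device, rules[status]):
            return status
    return OK
```

A device with databases 5 days old is Warning, 9 days old is Critical, and the same 9-day device becomes OK once its visibility flag is cleared, while a detected active threat still yields Critical for a device that is Not Visible because that condition does not depend on visibility.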

See also:

Configuring the switching of device statuses


Configuring the switching of device statuses

You can change conditions to assign the Critical or Warning status to a device.

To enable changing the device status to Critical:

  1. In the main menu, go to DEVICES → HIERARCHY OF GROUPS.
  2. In the list of groups that opens, click the name of the group whose device status conditions you want to change.
  3. In the properties window that opens, select the Device status tab.
  4. In the left pane, select Critical.
  5. In the right pane, in the Set to Critical if these are specified section, enable the condition that should switch a device to the Critical status.

    You can change only settings that are not locked in the parent policy.

  6. Select the radio button next to the condition in the list.
  7. In the upper-left corner of the list, click the Edit button.
  8. Set the required value for the selected condition.

    Not every condition takes a value; toggle-only conditions are simply enabled or disabled.

  9. Click OK.

When an enabled condition is met, the managed device is assigned the Critical status.

To enable changing the device status to Warning:

  1. In the main menu, go to DEVICES → HIERARCHY OF GROUPS.
  2. In the list of groups that opens, click the name of the group whose device status conditions you want to change.
  3. In the properties window that opens, select the Device status tab.
  4. In the left pane, select Warning.
  5. In the right pane, in the Set to Warning if these are specified section, enable the condition that should switch a device to the Warning status.

    You can change only settings that are not locked in the parent policy.

  6. Select the radio button next to the condition in the list.
  7. In the upper-left corner of the list, click the Edit button.
  8. Set the required value for the selected condition.

    Not every condition takes a value; toggle-only conditions are simply enabled or disabled.

  9. Click OK.

When an enabled condition is met and no Critical condition is met, the managed device is assigned the Warning status.

See also:

Notifications and device statuses

About device statuses

Scenario: Monitoring and reporting

Scenario: Configuring network protection


Configuring notification delivery


You can configure notification about events occurring in Kaspersky Security Center. Depending on the notification method chosen, the following types of notifications are available:

  • Email—When an event occurs, Kaspersky Security Center sends a notification to the email addresses specified.
  • SMS—When an event occurs, Kaspersky Security Center sends a notification to the phone numbers specified.
  • Executable file—When an event occurs, the executable file is run on the Administration Server.

To configure notification delivery of events occurring in Kaspersky Security Center:

  1. At the top of the screen, click the settings icon next to the name of the required Administration Server.

    The Administration Server properties window opens with the General tab selected.

  2. Click the Notification section, and in the right pane select the tab for the notification method you want:
    • Email

      The Email tab allows you to configure event notification by email.

      In the Recipients (email addresses) field, specify the email addresses to which the application will send notifications. You can specify multiple addresses in this field, by separating them with semicolons.

      In the SMTP servers field, specify mail server addresses, separating them with semicolons. You can use the IP address or the Windows network name (NetBIOS name) of the device as the address.

      In the SMTP server port field, specify the number of an SMTP server communication port. The default port number is 25.

      If you enable the Use DNS MX lookup option, Administration Server resolves the MX records of the SMTP server's DNS name and uses the mail hosts they point to. A DNS name can have several MX records with different preference values; Administration Server tries the hosts in ascending order of preference value (the highest-priority host first).

      If you enable the Use DNS MX lookup option without requiring TLS, we recommend enabling DNSSEC validation on the Administration Server device as an additional protection. Without it, the mail host is chosen from an unauthenticated DNS answer, and a spoofed MX response could redirect notifications, which carry device names and event details, to a host you do not control.

      If you enable the Use ESMTP authentication option, you can specify the ESMTP authentication settings in the User name and Password fields. By default, the option is disabled, and the ESMTP authentication settings are not available.

      You can specify TLS settings of connection with an SMTP server:

      • Do not use TLS

      Select this option to connect without TLS. The connection to the SMTP server is then unencrypted: the notification content, and the ESMTP user name and password if authentication is enabled, are sent in plaintext.

      • Use TLS if supported by SMTP server

      Select this option to use TLS whenever the SMTP server offers it. If the SMTP server does not support TLS, Administration Server connects without TLS. Because the fallback is decided by what the server announces, an attacker positioned between Administration Server and the SMTP server can suppress the TLS offer and force a plaintext session; treat this option as opportunistic encryption only.

      • Always use TLS, check the server certificate for validity

      Select this option to require TLS and to verify the SMTP server's certificate. If the SMTP server does not support TLS, Administration Server does not connect to it.

      We recommend this option for the best protection of the connection to the SMTP server. With this option selected, you can also configure the authentication settings for the TLS connection.

      If you select Always use TLS, check the server certificate for validity, you can specify a certificate for authenticating the SMTP server and choose whether to allow any version of TLS or only TLS 1.2 and later. You can also specify a certificate for client authentication to the SMTP server.

      You can specify certificates for a TLS connection by clicking the Specify certificate link:

      • Browse for an SMTP server certificate file:

      Upload a file containing the certificate (or certificate chain) of the trusted certification authority that issued the SMTP server's certificate. Kaspersky Security Center then checks that the SMTP server's certificate is signed by that authority and refuses to connect to the SMTP server if it is not.

      • Browse for a client certificate file:

      You can use a certificate obtained from any source, for example from a trusted certification authority. You must supply the certificate and its private key in one of the following forms:

      • X.509 certificate:

      Specify one file with the certificate and one file with the private key. The two files are loaded independently and the order in which you load them does not matter. When both files are loaded, specify the password that decrypts the private key; leave the password empty if the private key is not encrypted.

      • PKCS #12 (pkcs12) container:

      Upload a single file that contains both the certificate and its private key, then specify the password that decrypts the private key; leave the password empty if the private key is not encrypted.

      In the Subject field, specify the email subject. You can leave this field empty.

      In the Subject template drop-down list, select a template for the subject. The variable defined by the selected template is inserted into the Subject field automatically. You can build the subject from several templates by selecting them one after another.

      In the Sender email address field, specify the sender email address. If you leave this field empty, the recipient address is used by default. We do not recommend using a fictitious sender address.

      The Notification message field contains standard text with information about the event that the application sends when an event occurs. This text includes substitute parameters, such as event name, device name, and domain name. You can edit the message text by adding other substitute parameters with more relevant details about the event.

      If the notification text contains a percent sign (%), you have to type it twice in a row to allow message sending. For example, "CPU load is 100%%".

      Clicking the Configure numeric limit of notifications link allows you to specify the maximum number of notifications that the application can send over the specified time interval.

      Clicking the Send test message button allows you to check whether you configured notifications properly: the application sends a test notification to the email addresses that you specified.

    • SMS

      The SMS tab allows you to configure the transmission of SMS notifications about various events to a cell phone. SMS messages are sent through a mail gateway.

      In the SMTP servers field, specify mail server addresses, separating them with semicolons. You can use the IP address or the Windows network name (NetBIOS name) of the device as the address.

      In the SMTP server port field, specify the number of an SMTP server communication port. The default port number is 25.

      If the Use ESMTP authentication option is enabled, you can specify the ESMTP authentication settings in the User name and Password fields. By default, the option is disabled, and the ESMTP authentication settings are not available.

      You can specify TLS settings of connection with an SMTP server:

      • Do not use TLS

      Select this option to connect without TLS. The connection to the SMTP server is then unencrypted: the notification content, and the ESMTP user name and password if authentication is enabled, are sent in plaintext.

      • Use TLS if supported by SMTP server

      Select this option to use TLS whenever the SMTP server offers it. If the SMTP server does not support TLS, Administration Server connects without TLS. As on the Email tab, an attacker between Administration Server and the SMTP server can suppress the TLS offer and force a plaintext session, so this option provides opportunistic encryption only.

      • Always use TLS, check the server certificate for validity

      Select this option to require TLS and to verify the SMTP server's certificate. If the SMTP server does not support TLS, Administration Server does not connect to it.

      We recommend this option for the best protection of the connection to the SMTP server. With this option selected, you can also configure the authentication settings for the TLS connection.

      If you select Always use TLS, check the server certificate for validity, you can specify a certificate for authenticating the SMTP server and choose whether to allow any version of TLS or only TLS 1.2 and later. You can also specify a certificate for client authentication to the SMTP server.

      You can specify SMTP server certificate file by clicking the Specify certificate link:

      You can receive a file with the list of certificates from a trusted certification authority and upload the file to Administration Server. Kaspersky Security Center checks whether the certificate of an SMTP server is also signed by a trusted certification authority. Kaspersky Security Center cannot connect to an SMTP server if the certificate of the SMTP server is not received from a trusted certification authority.

      In the Recipients (email addresses) field, specify the email addresses to which the application will send notifications. You can specify multiple addresses in this field, by separating them with semicolons. The notifications will be delivered to the phone numbers associated with the specified email addresses.

      In the Subject field, specify the email subject.

      In the Subject template drop-down list, select a template for the subject. The variable defined by the selected template is inserted into the Subject field. You can build the subject from several templates by selecting them one after another.

      In the Sender email address field, specify the sender email address. If you leave this field empty, the recipient address is used by default. We do not recommend using a fictitious sender address.

      In the Phone numbers of SMS message recipients field, specify the cell phone numbers of the SMS notification recipients.

      In the Notification message field, specify a text with information about the event that the application sends when an event occurs. This text can include substitute parameters, such as event name, device name, and domain name.

      If the notification text contains a percent sign (%), you have to type it twice in a row to allow message sending. For example, "CPU load is 100%%".

      Click the Configure numeric limit of notifications link to specify the maximum number of notifications that the application can send during the specified time interval.

      Click the Send test message button to check whether you configured notifications properly: the application sends a test notification to the recipients that you specified.

    • Executable file to be run

      If this notification method is selected, in the entry field you can specify the application that will start when an event occurs.

      In the Executable file to be run on the Administration Server when an event occurs field, specify the folder and the name of the file to run. Prepare the file beforehand and include in it the placeholders for the event details to be passed on in the notification (see Event notifications displayed by running an executable file). The folder and the file must be located on the Administration Server. Because this file is executed on the Administration Server every time a matching event occurs, restrict write access to the file and its folder to administrators: anyone who can modify it can run code on the Administration Server.

      Clicking the Configure numeric limit of notifications link allows you to specify the maximum number of notifications that the application can send during the specified time interval.

  3. On the tab, define the notification settings.
  4. Click the OK button to close the Administration Server properties window.

The saved notification delivery settings are applied to all events that occur in Kaspersky Security Center.

You can override notification delivery settings for certain events in the Event configuration section of the Administration Server settings, of a policy's settings, or of an application's settings.
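The Send test message button confirms that a message gets through, but not which mail host was chosen or whether the connection would survive the Always use TLS, check the server certificate for validity setting. The following added example, written for this page and not Kaspersky Security Center code, is a pre-flight check to run from the Administration Server device before switching that option on: it orders hosts the way the Use DNS MX lookup option does (ascending preference value), requires STARTTLS instead of falling back, verifies the server certificate against a CA bundle, and enforces TLS 1.2 or later. It also applies the "%%" rule for notification text from the Email and SMS tabs. The MX records, host names and the CA bundle file name are assumptions constructed for the example; MX resolution itself is left to your DNS tooling so the script has no third-party dependencies.

```python
"""Added example for this page, not Kaspersky Security Center code: a fail-closed
pre-flight check of an SMTP server for the 'Always use TLS, check the server
certificate for validity' notification setting. MX records, host names and the
CA bundle path below are constructed for illustration."""
import smtplib
import ssl
from typing import Iterable, List, Optional, Tuple


def order_mx(records: Iterable[Tuple[int, str]]) -> List[str]:
    """Mail hosts in the order the 'Use DNS MX lookup' option tries them:
    ascending MX preference value (lowest value = highest priority)."""
    return [host.rstrip(".") for _, host in sorted(records, key=lambda r: (r[0], r[1]))]


def escape_percent(text: str) -> str:
    """Double every % in a notification template, as the page requires
    ('CPU load is 100%' must be entered as 'CPU load is 100%%')."""
    return text.replace("%", "%%")


def tls_context(ca_bundle: Optional[str]) -> ssl.SSLContext:
    """Fail-closed context: certificate and hostname verification on, TLS >= 1.2.
    ca_bundle is the same CA file you would upload as the SMTP server certificate."""
    ctx = ssl.create_default_context(cafile=ca_bundle)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def check_smtp_host(host: str, port: int = 25, ca_bundle: Optional[str] = None,
                    timeout: float = 10.0) -> Tuple[bool, str]:
    """Connect, demand STARTTLS, verify the certificate. Returns (ok, detail).

    Unlike 'Use TLS if supported by SMTP server', a host that does not advertise
    STARTTLS is reported as a failure rather than used in plaintext.
    """
    try:
        with smtplib.SMTP(host, port, timeout=timeout) as s:
            s.ehlo()
            if not s.has_extn("starttls"):
                return False, f"{host}:{port} does not offer STARTTLS"
            s.starttls(context=tls_context(ca_bundle))
            s.ehlo()  # re-announce over the encrypted channel
            proto = s.sock.version()
            subject = dict(rdn[0] for rdn in s.sock.getpeercert()["subject"])
            return True, f"{host}:{port} {proto}, certificate CN={subject.get('commonName')}"
    except ssl.SSLCertVerificationError as e:
        return False, f"{host}:{port} certificate rejected: {e.verify_message}"
    except (OSError, smtplib.SMTPException) as e:
        return False, f"{host}:{port} {e}"


def check_mx(records: Iterable[Tuple[int, str]], port: int = 25,
             ca_bundle: Optional[str] = None) -> Tuple[bool, str]:
    """Try hosts in MX order; report the first that passes, or every failure."""
    failures = []
    for host in order_mx(records):
        ok, detail = check_smtp_host(host, port, ca_bundle)
        if ok:
            return True, detail
        failures.append(detail)
    return False, "; ".join(failures)


if __name__ == "__main__":
    # Constructed MX set for illustration; replace with your own mail hosts and
    # the CA bundle you intend to upload to Administration Server.
    SAMPLE_MX = [(20, "mx2.example.internal."), (10, "mx1.example.internal.")]
    ok, detail = check_mx(SAMPLE_MX, port=25, ca_bundle="smtp-ca-bundle.pem")
    print("PASS" if ok else "FAIL", detail)
```

Run it with the same host list, port and CA bundle you enter on the Email or SMS tab; a PASS line names the host that will actually be used and the TLS version negotiated, and a FAIL line tells you whether the problem is a missing STARTTLS offer, an untrusted certificate or plain unreachability, which the Web Console's test message does not distinguish.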

See also:

Scenario: Monitoring and reporting


Event notifications displayed by running an executable file

Kaspersky Security Center can notify the administrator about events on client devices by running an executable file on the Administration Server. The file you specify acts as a wrapper: it launches another executable file (for example, a script) and passes it the placeholders listed below, which are replaced with the details of the event being relayed to the administrator.

Placeholders for describing an event

  • %SEVERITY%: event importance level
  • %COMPUTER%: name of the device where the event occurred
  • %DOMAIN%: domain
  • %EVENT%: event
  • %DESCR%: event description
  • %RISE_TIME%: time the event was created
  • %KLCSAK_EVENT_TASK_DISPLAY_NAME%: task name
  • %KL_PRODUCT%: product name (Kaspersky Security Center Network Agent)
  • %KL_VERSION%: Network Agent version number
  • %HOST_IP%: IP address
  • %HOST_CONN_IP%: connection IP address

Example:

Event notifications are sent by an executable file (such as script1.bat) that launches another executable file (such as script2.bat) with the %COMPUTER% placeholder. When an event occurs, script1.bat runs on the Administration Server and, in turn, runs script2.bat with %COMPUTER% replaced by the name of the device where the event occurred, so the administrator receives that device name.
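The following added example, written for this page and not Kaspersky Security Center code, is a second-stage handler for the two-file scheme just described. It assumes the first-stage file (script1.bat in the text) hands the placeholders over as separate, quoted arguments, relying on %NAME% expansion exactly as the page's %COMPUTER% example does. Passing the values as arguments, rather than splicing them into a further command string, keeps shell metacharacters in %DESCR% inert; that field can contain text that originated on the managed device, such as a detected file path. The argument vectors in the test are constructed, and the file paths in the batch snippet are placeholders.

```python
"""Added example for this page, not Kaspersky Security Center code: the second-stage
handler in the two-file notification scheme. The first-stage file (script1.bat
in the text) is assumed to call it with the placeholders as quoted arguments:

    @echo off
    python "C:\\ksc\\notify_handler.py" "%SEVERITY%" "%COMPUTER%" "%DOMAIN%" ^
        "%EVENT%" "%DESCR%" "%RISE_TIME%" "%HOST_IP%" >> "C:\\ksc\\notify.log"

The paths above and the sample argument vectors in the tests are constructed.
"""
import json
import sys
from datetime import datetime, timezone
from typing import Dict, List

# Placeholder names in the order the first-stage file passes them.
FIELDS = ["SEVERITY", "COMPUTER", "DOMAIN", "EVENT", "DESCR", "RISE_TIME", "HOST_IP"]

# Numeric rank for the importance levels used on this page; "Informational" is
# the long form of "Info" that the page also uses.
SEVERITY_RANK = {"Critical": 3, "Warning": 2, "Info": 1, "Informational": 1}


def parse_event(argv: List[str]) -> Dict[str, str]:
    """Map positional arguments to placeholder names.

    Missing trailing values become empty strings (a placeholder the first-stage
    file did not pass); surplus arguments are dropped rather than guessed at.
    """
    values = list(argv[:len(FIELDS)]) + [""] * (len(FIELDS) - len(argv))
    return dict(zip(FIELDS, values))


def severity_rank(event: Dict[str, str]) -> int:
    """0 for an unknown or empty severity, so malformed input never alerts."""
    return SEVERITY_RANK.get(event["SEVERITY"], 0)


def should_alert(event: Dict[str, str], minimum: str = "Warning") -> bool:
    """True when the event is at or above the configured minimum level."""
    return severity_rank(event) >= SEVERITY_RANK[minimum]


def to_record(event: Dict[str, str], received_at: str) -> Dict[str, object]:
    """Structured record for the event; free-text fields stay data, never code."""
    return {"received_at": received_at, "rank": severity_rank(event), **event}


def to_json_line(event: Dict[str, str], received_at: str) -> str:
    """One JSON object per line for a log file or SIEM forwarder; json.dumps
    escapes quotes and control characters in the description."""
    return json.dumps(to_record(event, received_at), ensure_ascii=False, sort_keys=True)


def main(argv: List[str]) -> int:
    event = parse_event(argv)
    now = datetime.now(timezone.utc).isoformat(timespec="seconds")
    print(to_json_line(event, now))
    # Exit status 0 means "alert-worthy", so the first-stage batch file can test
    # ERRORLEVEL and, for example, call a paging tool only for Warning and above.
    return 0 if should_alert(event) else 1


if __name__ == "__main__":
    sys.exit(main(sys.argv[1:]))
```

Each run appends one JSON line to the log, so the Administration Server's notification stream becomes machine-readable; the description field with a value such as `Object: C:\quarantine\x.exe & del /q *.*` is stored verbatim as a string and is never handed to cmd.exe a second time.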
