Working with reports, statistics, and notifications

This section provides information about how to work with reports, statistics, and selections of events and devices in Kaspersky Security Center, as well as how to configure Administration Server notifications.

Working with reports

Reports in Kaspersky Security Center contain information about the status of managed devices. Reports are generated based on information stored on Administration Server. You can create reports for the following types of objects:

• For device selections created according to specific settings.
• For administration groups.
• For specific devices from different administration groups.
• For all devices on the network (in the deployment report).

The application has a selection of standard report templates. It is also possible to create custom report templates. Reports are displayed in the main application window, in the Administration Server folder in the console tree.

Creating a report template

To create a report template:

1. In the console tree, select the node with the name of the required Administration Server.
2. In the workspace of the node, select the Reports tab.
3. Click the New report template button.

The New Report Template Wizard starts. Follow the instructions of the Wizard.

After the Wizard finishes its operation, the newly created report template is added to the selected Administration Server folder in the console tree. You can use this template for generating and viewing reports.

Viewing and editing report template properties

Expand all | Collapse all

You can view and edit basic properties of a report template, for example, the report template name or the fields displayed in the report.

To view and edit properties of a report template:

1. In the console tree, select the node with the name of the required Administration Server.
2. In the workspace of the node, select the Reports tab.
3. In the list of report templates, select the required report template.
4. In the context menu of the selected report template, select Properties.

   As an alternative, you can first generate the report, and then click either the Open report template properties button or the Configure report columns button.

5. In the window that opens, edit the report template properties. Properties of each report may contain only some of the sections described below.
   • General section:
     • Report template name
     • Maximum number of entries to display

       If this option is enabled, the number of entries displayed in the table with detailed report data does not exceed the specified value.

       Report entries are first sorted according to the rules specified in the Fields → Details fields section of the report template properties, and then only the first of the resulting entries are kept. The heading of the table with detailed report data shows the displayed number of entries and the total available number of entries that match other report template settings.

       If this option is disabled, the table with detailed report data displays all available entries. We do not recommend that you disable this option. Limiting the number of displayed report entries reduces the load on the database management system (DBMS) and reduces the time required for generating and exporting the report. Some of the reports contain too many entries. If this is the case, you may find it difficult to read and analyze them all. Also, your device may run out of memory while generating such a report and, consequently, you will not be able to view the report.

       By default, this option is enabled. The default value is 1000.

     • Print version

       The report output is optimized for printing: space characters are added between some values for better visibility.

       By default, this option is enabled.

   • Fields section.

     Select the fields that will be displayed in the report, and the order of these fields, and configure whether the information in the report must be sorted and filtered by each of the fields.

   • Time interval section.

     Modify the report period. Available values are as follows:

     • Between the two specified dates
     • From the specified date to the report creation date
     • From the report creation date, minus the specified number of days, to the report creation date
   • Group, Device selection, or Devices section.

     Change the set of client devices for which the report creates. Only one of these sections may be present, depending on the settings specified during the report template creation.

   • Settings section.

     Change the settings of the report. The exact set of settings depends on the specific report.

   • Security section. Inherit settings from Administration Server

     If this option is enabled, security settings of the report are inherited from the Administration Server.

     If this option is disabled, you can configure security settings for the report. You can assign a role to a user or a group of users or assign permissions to a user or a group of users, as applied to the report.

     By default, this option is enabled.

     The Security section is available if the Display security settings sections check box is selected in the interface settings window.

   • Hierarchy of Administration Servers section:
     • Include data from secondary and virtual Administration Servers

       If this option is enabled, the report includes the information from the secondary and virtual Administration Servers that are subordinate to the Administration Server for which the report template is created.

       Disable this option if you want to view data only from the current Administration Server.

       By default, this option is enabled.

     • Up to nesting level

       The report includes data from secondary and virtual Administration Servers that are located under the current Administration Server on a nesting level that is less than or equal to the specified value.

       The default value is 1. You may want to change this value if you have to retrieve information from secondary Administration Servers located at lower levels in the tree.

     • Data wait interval (min)

       Before generating the report, the Administration Server for which the report template is created waits for data from secondary Administration Servers during the specified number of minutes. If no data is received from a secondary Administration Server at the end of this period, the report runs anyway. Instead of the actual data, the report shows data taken from the cache (if the Cache data from secondary Administration Servers option is enabled), or N/A (not available) otherwise.

       The default value is 5 (minutes).

     • Cache data from secondary Administration Servers

       Secondary Administration Servers regularly transfer data to the Administration Server for which the report template is created. There, the transferred data is stored in the cache.

       If the current Administration Server cannot receive data from a secondary Administration Server while generating the report, the report shows data taken from the cache. The date when the data was transferred to the cache is also displayed.

       Enabling this option allows you to view the information from secondary Administration Servers even if the up-to-date data cannot be retrieved. However, the displayed data can be obsolete.

       By default, this option is disabled.

     • Cache update frequency (h)

       Secondary Administration Servers at regular intervals transfer data to the Administration Server for which the report template is created. You can specify this period in hours. If you specify 0 hours, data is transferred only when the report is generated.

       The default value is 0.

     • Transfer detailed information from secondary Administration Servers

       In the generated report, the table with detailed report data includes data from secondary Administration Servers of the Administration Server for which the report template is created.

       Enabling this option slows the report generation and increases traffic between Administration Servers. However, you can view all data in one report.

       Instead of enabling this option, you may want to analyze detailed report data to detect a faulty secondary Administration Server, and then generate the same report only for that faulty Administration Server.

       By default, this option is disabled.

Extended filter format in report templates

In Kaspersky Security Center 13.1, you can apply the extended filter format to a report template. The extended filter format provides more flexibility in comparison with the default format. You can create complex filtering conditions by using a set of filters, which will be applied to the report by means of the OR logical operator during report creation, as shown below:

Filter[1](Field[1] AND Field[2]... AND Field[n]) OR Filter[2](Field[1] AND Field[2]... AND Field[n]) OR... Filter[n](Field[1] AND Field[2]... AND Field[n])

Additionally, with the extended filter format you can set a time interval value in a relative time format (for example, by using a "For last N days" condition) for specific fields in a filter. The availability and the set of time interval conditions depend on the type of the report template.

Converting the filter into the extended format

The extended filter format for report templates is supported only in Kaspersky Security Center 12 and later versions. After conversion of the default filter into the extended format, the report template becomes incompatible with Administration Servers on your network that have earlier versions of Kaspersky Security Center installed. Information from these Administration Servers will not be received for the report.

To convert the report template default filter into the extended format:

1. In the console tree, select the node with the name of the required Administration Server.
2. In the workspace of the node, select the Reports tab.
3. In the list of report templates, select the required report template.
4. In the context menu of the selected report template, select Properties.
5. In the properties window that opens, select the Fields section.
6. In the Details fields tab click the Convert filter link.
7. In the window that opens, click the OK button.

   Conversion into the extended filter format is irreversible for the report template to which it is applied. If you clicked the Convert filter link accidentally, you can cancel the changes by clicking the Cancel button in the report template properties window.

8. To apply the changes, close the report template properties window by clicking the OK button.

   When the report template properties window opens again, the newly available Filters section is displayed. In this section you can configure the extended filter.

Page top

Configuring the extended filter

To configure the extended filter in the report template properties:

1. In the console tree, select the node with the name of the required Administration Server.
2. In the workspace of the node, select the Reports tab.
3. In the list of report templates, select the report template that was previously converted to extended filter format.
4. In the context menu of the selected report template, select Properties.
5. In the properties window that opens, select the Filters section.

   The Filters section is not displayed if the report template was not previously converted to extended filter format.

   In the Filters section of the report template properties window you can review and modify the list of filters applied to the report. Each filter in the list has a unique name and represents a set of filters for corresponding fields in the report.

6. Open the filter settings window in one of the following ways:
   • To create a new filter, click the Add button.
   • To modify the existing filter, select the required filter and click the Modify button.
7. In the window that opens, select and specify the values of the required fields of the filter.
8. Click the OK button to save changes and close the window.

   If you are creating a new filter, the filter name must be specified in the Filter name field before clicking the OK button.

9. Close the report template properties window by clicking the OK button.

   The extended filter in the report template is configured. Now you can create reports by using this report template.

Page top

Creating and viewing a report

To create and view a report:

1. In the console tree, select the node with the name of the required Administration Server.
2. In the workspace of the node, select the Reports tab.
3. In the list of report templates, double-click the report template that you need.

   A report for the selected template is displayed.

The report displays the following data:

• The name and type of report, a brief description and the reporting period, as well as information about the group of devices for which the report is generated.
• Graph chart showing the most representative report data.
• Consolidated table with calculated report indicators.
• Table with detailed report data.

Saving a report

To save a created report:

1. In the console tree, select the node with the name of the required Administration Server.
2. In the workspace of the node, select the Reports tab.
3. In the list of report templates, select the report template that you need.
4. In the context menu of the selected report template, select Save.

The Report Saving Wizard starts. Follow the instructions of the Wizard.

After the Wizard finishes, the folder opens to which you have saved the report file.

Creating a report delivery task

Reports can be emailed. Delivery of reports in Kaspersky Security Center is carried out using the report delivery task.

To create a delivery task for a single report:

1. In the console tree, select the node with the name of the required Administration Server.
2. In the workspace of the node, select the Reports tab.
3. In the list of report templates, select the report template that you need.
4. In the context menu of the selected report template, select Deliver reports.

The Report Delivery Task Creation Wizard starts. Follow the instructions of the Wizard.

To create a delivery task for multiple reports:

1. In the console tree, under the node with the name of the required Administration Server, select the Tasks folder.
2. In the workspace of the Tasks folder, click the Create a task button.

The Add Task Wizard starts. Follow the instructions of the Wizard.

The newly created report delivery task is displayed in the Tasks folder in the console tree.

The report delivery task is created automatically if the email settings were specified during Kaspersky Security Center installation.

Step 1. Selecting the task type

In the Select the task type window, in the list of tasks select Deliver reports as the task type.

Click Next to proceed to the next step.

Step 2. Selecting the report type

In the Select report type window, in the list of task creation templates, select the type of report.

Click Next to proceed to the next step.

Step 3. Actions on a report

Expand all | Collapse all

In the Action to apply to reports window, specify the following settings:

• Send reports by email

  If this option is enabled, the application sends generated reports by email.

  You can configure the report sending by email by clicking the Email notification settings link. The link is available if this option is enabled.

  If this option is disabled, the application saves reports in the specified folder to store them.

  By default, this option is disabled.

• Save reports to shared folder

  If this option is enabled, the application saves reports to the folder that is specified in the field under the check box. To save reports to a shared folder, specify the UNC path to the folder. In this case, in the Selecting an account to run the task window, you must specify the user account and password for accessing this folder.

  If this option is disabled, the application does not save reports to the folder and sends them by email instead.

  By default, this option is disabled.

• Overwrite older reports of the same type

  If this option is enabled, the new report file at each task startup overwrites the file that was saved in the reports folder at the previous task startup.

  If this option is disabled, report files will not be overwritten. A new report file is stored in the reports folder at each task run.

  This check box is available, if the Save report to folder is selected.

  By default, this option is disabled.

• Specify account for access to shared folder

  If this option is enabled, you can specify the account under which the report will be saved to the folder. If a UNC path to a shared folder is specified as the Save report to folder setting in the Action to be applied to report window, you must specify the user account and password for accessing this folder.

  If this option is disabled, the report is saved to the folder under the account of Administration Server.

  The check box is available, if the Save report to folder is selected.

  By default, this option is disabled.

Click Next to proceed to the next step.

Step 4. Selecting the account to start the task

Expand all | Collapse all

In the Selecting an account to run the task window, you can specify which account to use when running the task. Select one of the following options:

• Default account

  The task will be run under the same account as the application that performs this task.

  By default, this option is selected.

• Specify account

  Fill in the Account and Password fields to specify the details of an account under which the task is run. The account must have sufficient rights for this task.

  • Account

    Account under which the task is run.

  • Password

    Password of the account under which the task will be run.

Click Next to proceed to the next step.

Step 5. Configuring a task schedule

Expand all | Collapse all

On the Configure task schedule Wizard page, you can create a schedule for task start. If necessary, define the following settings:

• Scheduled start:

  Select the schedule according to which the task runs, and configure the selected schedule.

  • Every N hours

    The task runs regularly, with the specified interval in hours, starting from the specified date and time.

    By default, the task runs every six hours, starting from the current system date and time.

  • Every N days

    The task runs regularly, with the specified interval in days. Additionally, you can specify a date and time of the first task run. These additional options become available, if they are supported by the application for which you create the task.

    By default, the task runs every day, starting from the current system date and time.

  • Every N weeks

    The task runs regularly, with the specified interval in weeks, on the specified day of week and at the specified time.

    By default, the task runs every Monday at the current system time.

  • Every N minutes

    The task runs regularly, with the specified interval in minutes, starting from the specified time on the day that the task is created.

    By default, the task runs every 30 minutes, starting from the current system time.

  • Daily (daylight saving time is not supported)

    The task runs regularly, with the specified interval in days. This schedule does not support observance of daylight saving time (DST). It means that when clocks jump one hour forward or backward at the beginning or ending of DST, the actual task start time does not change.

    We do not recommend that you use this schedule. It is needed for backward compatibility of Kaspersky Security Center.

    By default, the task starts every day at the current system time.

  • Weekly

    The task runs every week on the specified day and at the specified time.

  • By days of week

    The task runs regularly, on the specified days of week, at the specified time.

    By default, the task runs every Friday at 6:00:00 PM.

  • Monthly

    The task runs regularly, on the specified day of the month, at the specified time.

    In months that lack the specified day, the task runs on the last day.

    By default, the task runs on the first day of each month, at the current system time.

  • Manually

    The task does not run automatically. You can only start it manually.

    By default, this option is enabled.

  • Every month on specified days of selected weeks

    The task runs regularly, on the specified days of each month, at the specified time.

    By default, no days of month are selected; the default start time is 6:00:00 PM.

  • On virus outbreak

    The task runs after a Virus outbreak event occurs. Select application types that will monitor virus outbreaks. The following application types are available:

    • Anti-virus for workstations and file servers
    • Anti-virus for perimeter defense
    • Anti-virus for mail systems

    By default, all application types are selected.

    You may want to run different tasks depending on the anti-virus application type that reports a virus outbreak. In this case, remove the selection of the application types that you do not need.

  • On completing another task

    The current task starts after another task completes. You can select how the previous task must complete (successfully or with error) to trigger the start of the current task. For example, you may want to run the Manage devices task with the Turn on the device option and, after it completes, run the Virus scan task.

• Run missed tasks

  This option determines the behavior of a task if a client device is not visible on the network when the task is about to start.

  If this option is enabled, the system attempts to start the task the next time the Kaspersky application is run on the client device. If the task schedule is Manually, Once or Immediately, the task is started immediately after the device becomes visible on the network or immediately after the device is included in the task scope.

  If this option is disabled, only scheduled tasks run on client devices; for Manually, Once and Immediately, tasks run only on those client devices that are visible on the network. For example, you may want to disable this option for a resource-consuming task that you want to run only outside of business hours.

  By default, this option is enabled.

• Use automatically randomized delay for task starts

  If this option is enabled, the task is started on client devices randomly within a specified time interval, that is, distributed task start. A distributed task start helps to avoid a large number of simultaneous requests by client devices to the Administration Server when a scheduled task is running.

  The distributed start time is calculated automatically when a task is created, depending on the number of client devices to which the task is assigned. Later, the task is always started on the calculated start time. However, when task settings are edited or the task is started manually, the calculated value of the task start time changes.

  If this option is disabled, the task starts on client devices according to the schedule.

• Use randomized delay for task starts within an interval of (min)

  If this option is enabled, the task is started on client devices randomly within the specified time interval. A distributed task start helps to avoid a large number of simultaneous requests by client devices to the Administration Server when a scheduled task is running.

  If this option is disabled, the task starts on client devices according to the schedule.

  By default, this option is disabled. The default time interval is one minute.

Page top

Step 6. Defining the task name

In the Define the task name window, specify the name for the task that you are creating. A task name cannot be more than 100 characters long and cannot include any special characters ("*<>?\:|).

Click Next to proceed to the next step.

Step 7. Completing creation of the task

In the Finish task creation window, click the Finish button to finish the wizard.

If you want the task to start as soon as the wizard finishes, select the Run the task after the Wizard finishes check box.

Managing statistics

Statistics on the status of the protection system and managed devices are displayed in information panels that can be customized. Statistics are displayed in the workspace of the Administration Server node on the Statistics tab. The tab contains some second-level tabs (pages). Each tabbed page displays information panels with statistics, as well as links to corporate news and other materials from Kaspersky. The statistical information is displayed in information panels as a table or chart (pie or bar). The data in the information panels is updated while the application is running and reflects the current state of the protection application.

You can modify the set of second-level tabs on the Statistics tab, the number of information panels on each tabbed page, and the data display mode in information panels.

To add a new second-level tab with information panels on the Statistics tab:

1. Click the Customize view button in the upper right corner of the Statistics tab.

   The statistics properties window opens. This window contains a list of tabbed pages that are currently shown on the Statistics tab. In this window, you can change the display order for the pages on the tab, add and remove pages, and proceed to configuration of page properties by clicking the Properties button.

2. Click the Add button.

   This opens the properties window of a new page.

3. Configure the new page:
   • In the General section, specify the page name.
   • In the Information panels section, click the Add button to add information panels that must be displayed on the page.

     Click the Properties button in the Information panels section to set up the properties of information panels that you added: name, type, and appearance of the chart in the panel, as well as data required to plot the chart.

4. Click OK.

The tabbed page with information panels that you have added appears on the Statistics tab. Click the settings icon () to proceed instantly to configuration of the page or a selected information panel on that page.

Configuring event notification

Expand all | Collapse all

Kaspersky Security Center allows you to select a method of notifying the administrator of events on client devices and to configure notification:

• Email. When an event occurs, the application sends a notification to email addresses specified. You can edit the text of the notification.
• SMS. When an event occurs, the application sends a notification to the phone numbers specified. You can configure SMS notifications to be sent through the mail gateway.
• Executable file. When an event occurs on a device, the executable file is started on the administrator's workstation. Using the executable file, the administrator can receive the parameters of any event that has occurred.

To configure notification of events occurring on client devices:

1. In the console tree, select the node with the name of the required Administration Server.
2. In the workspace of the node, select the Events tab.
3. Click the Configure notifications and event export link and select the Configure notifications value in the drop-down list.

   This opens the Properties: Events window.

4. In the Notification section, select a notification method (by email, by SMS, or by running an executable file) and define the notification settings:
   • Email

     The Email tab allows you to configure email notifications for events.

     In the Recipients (email addresses) field, specify the email addresses to which the application will send notifications. You can specify multiple addresses in this field, by separating them with semicolons.

     In the SMTP servers field, specify mail server addresses, by separating them with semicolons. You can use the IP address or DNS name of the SMTP server as the address.

     In the SMTP server port field, specify the number of an SMTP server communication port. The default port number is 25.

     If you enable the Use DNS MX lookup option, you can use several MX records of the IP addresses for the same DNS name of the SMTP server. The same DNS name may have several MX records with different values of priority of receiving email messages. Administration Server attempts to send email notifications to the SMTP server in ascending order of MX records priority. By default, this option is disabled.

     If you enable the Use DNS MX lookup option and do not enable usage of TLS settings, we recommend that you use the DNSSEC settings on your server device as an additional measure of protection for sending email notifications.

     Click the Settings link to define additional notification settings:

     • Subject name (subject name of an email message)
     • Sender email address
     • ESMTP authentication settings

     You have to specify an account for authentication on an SMTP server if the ESMTP authentication option is enabled for the SMTP server.

     • TLS settings for the SMTP server:
       • Do not use TLS

       You can select this option if you want to disable encryption of email messages.

       • Use TLS if supported by SMTP server

       You can select this option if you want to use a TLS connection to an SMTP server. If the SMTP server does not support TLS, Administration Server connects the SMTP server without using TLS.

       • Always use TLS, check the server certificate for validity

       You can select this option if you want to use TLS authentication settings. If the SMTP server does not support TLS, Administration Server cannot connect the SMTP server.

     We recommend that you use this option for better protection of the connection with an SMTP server. If you select this option, you can set authentication settings for a TLS connection.

     If you choose Always use TLS, check the server certificate for validity value, you can specify a certificate for authentication of the SMTP server and choose whether you want to enable communication through any version of TLS or only through TLS 1.2 or later versions. Also, you can specify a certificate for client authentication on the SMTP server.

     You can specify TLS settings for an SMTP server:

     • Browse for an SMTP server certificate file:

     You can receive a file with the list of certificates from a trusted certification authority and upload the file to Administration Server. Kaspersky Security Center checks whether the certificate of an SMTP server is also signed by a trusted certification authority. Kaspersky Security Center cannot connect to an SMTP server if the certificate of the SMTP server is not received from a trusted certification authority.

     • Browse for a client certificate file:

     You can use a certificate that you received from any source, for example, from any trusted certification authority. You must specify the certificate and its private key by using one of the following certificate types:

     • X-509 certificate:

     You must specify a file with the certificate and a file with the private key. Both files do not depend on each other and the order of loading of the files is not significant. When both files are loaded, you must specify the password for decoding the private key. The password can have an empty value if the private key is not encoded.

     • pkcs12 container:

     You must upload a single file that contains the certificate and its private key. When the file is loaded, you must then specify the password for decoding the private key. The password can have an empty value if the private key is not encoded.

     The Notification message field contains standard text with information about the event that the application sends when an event occurs. This text includes substitute parameters, such as event name, device name, and domain name. You can edit the message text by adding other substitute parameters with more relevant details of the event. The list of substitute parameters is available by clicking the button to the right of the field.

     If the notification text contains a percent sign (%), you have to type it twice in a row to allow message sending. For example, "CPU load is 100%%".

     Click the Configure numeric limit of notifications link to specify the maximum number of notifications that the application can send over the specified time interval.

     Click the Send test message button to check if you have configured notifications properly. The application should send a test notification to the email addresses that you specified.

   • SMS

     The SMS tab allows you to configure the transmission of SMS notifications of various events to a cell phone. SMS messages are sent through a mail gateway.

     In the Recipients (email addresses) field, specify the email addresses to which the application will send notifications. You can specify multiple addresses in this field, by separating them with semicolons. The notifications will be delivered to the phone numbers associated with the specified email addresses.

     In the SMTP servers field, specify mail server addresses, by separating them with semicolons. You can use the IP address or the Windows network name (NetBIOS name) of the device as the address.

     In the SMTP server port field, specify the number of an SMTP server communication port. The default port number is 25.

     Click the Settings link to define additional notification settings:

     • Subject name (subject name of an email message)
     • Sender email address
     • ESMTP authentication settings

     If necessary, you can specify an account for authentication on an SMTP server if the option of ESMTP authentication is enabled for the SMTP server.

     • TLS settings for an SMTP server

     You can disable usage of TLS, use TLS if the SMTP server supports this protocol, or you can force usage of TLS only. If you choose to use only TLS, you can specify a certificate for authentication of the SMTP server and choose whether you want to enable communication through any version of TLS or only through TLS 1.2 or later versions. Also, if you choose to use only TLS, you can specify a certificate for client authentication on the SMTP server.

     • Browse for an SMTP server certificate file

     You can receive a file with the list of certificates from a trusted certification authority and upload the file to Kaspersky Security Center. Kaspersky Security Center checks whether the certificate of the SMTP server is also signed by a trusted certification authority. Kaspersky Security Center cannot connect to the SMTP server if the certificate of the SMTP server is not received from a trusted certification authority.

     You must upload a single file that contains the certificate and its private key. When the file is loaded, you must then specify the password for decoding the private key. The password can have an empty value if the private key is not encoded.The Notification message field contains standard text with information about the event that the application sends when an event occurs. This text includes substitute parameters, such as event name, device name, and domain name. You can edit the message text by adding other substitute parameters with more relevant details of the event. The list of substitute parameters is available by clicking the button to the right of the field.

     If the notification text contains a percent sign (%), you have to type it twice in a row to allow message sending. For example, "CPU load is 100%%".

     Click the Configure numeric limit of notifications link to specify the maximum number of notifications that the application can send during the specified time interval.

     Click the Send test message button to check whether you configured notifications properly. The application should send a test notification to the recipient that you specified.

   • Executable file to be run

     If this notification method is selected, in the entry field you can specify the application that will start when an event occurs.

     Clicking the Configure numeric limit of notifications link allows you to specify the maximum number of notifications that the application can send during the specified time interval.

     Clicking the Send test message button allows you to check whether you configured notifications properly: the application sends a test notification to the email addresses that you specified.

5. In the Notification message field, enter the text that the application will send when an event occurs.

   You can use the drop-down list to the right of the text field to add substitution settings with event details (for example, event description, or time of occurrence).

   If the notification text contains a percent (%), you must specify it twice in succession to allow message sending. For example, "CPU load is 100%%".

6. Click the Send test message button to check whether notification has been configured correctly.

   The application sends a test notification to the specified user.

7. Click OK to save the changes.

The re-adjusted notification settings are applied to all events that occur on client devices.

You can override notification settings for certain events in the Event configuration section of the Administration Server settings, of a policy settings, or of an application settings.

Creating a certificate for an SMTP server

To create a certificate for an SMTP server:

1. In the console tree, select the node with the name of the required Administration Server.
2. In the workspace of the node, select the Events tab.
3. Click the Configure notifications and event export link and select the Configure notifications value in the drop-down list.

   The event properties window opens.

4. On the Email tab, click the Settings link to open the Settings window.
5. In the Settings window click the Specify certificate link to open the Certificate for signing window.
6. In the Certificate for signing window, click the Browse button.

   The Certificate window opens.

7. In the Certificate type drop-down list, specify the public or private type of certificate:
   • If the private type of certificate (PKCS #12 container) is selected, specify the certificate file and the password.
   • If the public type of certificate (X.509 certificate) is selected:
     1. Specify the private key file (one with the *.prk or *.pem extension).
     2. Specify the private key password.
     3. Specify the public key file (one with the *.cer extension).
8. Click OK.

The certificate for the SMTP server is issued.

Event selections

Information about events in the operation of Kaspersky Security Center and managed applications is saved both in the Administration Server database and in the Microsoft Windows system log. You can view information from the Administration Server database in the workspace of the Administration Server node, on the Events tab.

Information on the Events tab is represented as a list of event selections. Each selection includes events of a specific type only. For example, the "Device status is Critical" selection contains only records about changes of device statuses to "Critical". After application installation, the Events tab contains some standard event selections. You can create additional (custom) event selections or export event information to a file.

Viewing an event selection

To view the event selection:

1. In the console tree, select the node with the name of the required Administration Server.
2. In the workspace of the node, select the Events tab.
3. In the Event selections drop-down list, select the relevant event selection.

   If you want events from this selection to be continuously displayed in the workspace, click the star icon () next to the selection.

The workspace will display a list of events, stored on the Administration Server, of the selected type.

You can sort information in the list of events in ascending or descending order in any column.

Customizing an event selection

To customize an event selection:

1. In the console tree, select the node with the name of the required Administration Server.
2. In the workspace of the node, select the Events tab.
3. Open the relevant event selection on the Events tab.
4. Click the Selection properties button.

In the event selection properties window that opens you can configure the event selection.

Creating an event selection

To create an event selection:

1. In the console tree, select the node with the name of the required Administration Server.
2. In the workspace of the node, select the Events tab.
3. Click the Create a selection button.
4. In the New event selection window that opens, enter the name of the new selection and click OK.

A selection with the name that you specified is created in the Event selections drop-down list.

By default, a created event selection contains all events stored on the Administration Server. To cause a selection to display only the events you want, you must customize the selection.

Exporting an event selection to a text file

To export an event selection to a text file:

1. In the console tree, select the node with the name of the required Administration Server.
2. In the workspace of the node, select the Events tab.
3. Click the Import/Export button.
4. In the drop-down list, select Export events to file.

The Events Export Wizard starts. Follow the instructions of the Wizard.

Deleting events from a selection

To delete events from a selection:

1. In the console tree, select the node with the name of the relevant Administration Server.
2. In the workspace of the node, select the Events tab.
3. Select the events that you want to delete by using a mouse, the Shift key, or the Ctrl key.
4. Delete the selected events in one of the following ways:
   • By selecting Delete in the context menu of any of the selected events.

     If you select the Delete All item from the context menu, all displayed events will be deleted from the selection, regardless of your choice of events to delete.

   • By clicking the Delete event link (if one event is selected) or the Delete events link (if several events are selected) in the information box for these events.

The selected events are deleted.

Adding applications to exclusions by user requests

When you receive user requests to unblock erroneously blocked applications, you can create an exclusion from the Adaptive Security rules for these applications. Consequently, the applications will no longer be blocked on users' devices. You can track the number of user requests on the Monitoring tab of Administration Server.

To add applications blocked by Kaspersky Endpoint Security to exclusions by user requests:

1. In the console tree, select the node with the name of the required Administration Server.
2. In the workspace of the node, select the Events tab.
3. In the Event selections drop-down list, select User requests.
4. Right-click the user request (or several user requests) containing applications that you want to add to exclusions, and then select Add exclusion.

   This starts the Add Exclusion Wizard. Follow its instructions.

The selected applications will be excluded from the Triggering of rules in Smart Training state list (under Repositories in the console tree) after the next synchronization of the client device with the Administration Server, and will no longer appear in the list.

Device selections

Information about the status of devices is displayed in the Device selections folder in the console tree.

Information in the Device selections folder is displayed as a list of device selections. Each selection contains devices that meet specific conditions. For example, the Devices with Critical status selection contains only devices with the Critical status. After application installation, the Device selections folder contains some standard selections. You can create additional (custom) device selections, export selection settings to file, or create selections with settings imported from another file.

Viewing a device selection

To view a device selection:

1. In the console tree, select the Device selections folder.
2. In the workspace of the folder, in the Devices in this selection list, select the relevant device selection.
3. Click the Run selection button.
4. Click the Selection results tab.

The workspace will display a list of devices that meet the selection criteria.

You can sort the information in the list of devices in ascending or descending order, in any column.

Configuring a device selection

Expand all | Collapse all

To configure a device selection:

1. In the console tree, select the Device selections folder.
2. In the workspace, click the Selection tab, and then click the relevant device selection in the list of user selections.
3. Click the Selection properties button.
4. In the properties window that opens, specify the following settings:
   • General selection properties.
   • Conditions that must be met for including devices in this selection. You can configure the conditions after selecting a condition name and clicking the Properties button.
   • Security settings.
5. Click OK.

The settings are applied and saved.

Below are descriptions of the conditions for assigning devices to a selection. Conditions are combined by using the OR logical operator: the selection will contain devices that comply with at least one of the listed conditions.

General

In the General section, you can change the name of the selection condition and specify whether that condition must be inverted:

Invert selection condition

Network

In the Network section, you can specify the criteria that will be used to include devices in the selection according to their network data:

• Device name or IP address

  Windows network name (NetBIOS name) of the device or IPv4 address.

• Windows domain

  Displays all devices included in the specified Windows domain.

• Administration group

  Displays devices included in the specified administration group.

• Description

  Text in the device properties window: In the Description field of the General section.

  To describe text in the Description field, you can use the following characters:

  • Within a word:
    • *. Replaces any string with any number of characters.

    Example:

    To describe words such as Server or Server's, you can enter Server*.

    • ?. Replaces any single character.

    Example:

    To describe words such as Window or Windows, you can enter Windo?.

    Asterisk (*) or question mark (?) cannot be used as the first character in the query.

  • To find several words:
    • Space. Displays all the devices whose descriptions contain any of the listed words.

    Example:

    To find a phrase that contains Secondary or Virtual words, you can include Secondary Virtual line in your query.

    • +. When a plus sign precedes a word, all search results will contain this word.

    Example:

    To find a phrase that contains both Secondary and Virtual, enter the +Secondary+Virtual query.

    • -. When a minus sign precedes a word, no search results will contain this word.

    Example:

    To find a phrase that contains Secondary and does not contain Virtual, enter the +Secondary-Virtual query.

    • "<some text>". Text enclosed in quotation marks must be present in the text.

    Example:

    To find a phrase that contains Secondary Server word combination, you can enter "Secondary Server" in the query.

• IP range

  If this option is enabled, you can enter the initial and final IP addresses of the IP range in which the relevant devices must be included.

  By default, this option is disabled.

Tags

In the Tags section, you can configure criteria for including devices into a selection based on key words (tags) that were previously added to the descriptions of managed devices:

• Apply if at least one specified tag matches

  If this option is enabled, the search results will show devices with descriptions that contain at least one of the selected tags.

  If this option is disabled, the search results will only show devices with descriptions that contain all the selected tags.

  By default, this option is disabled.

• Tag must be included

  If this option is selected, the search results will display the devices whose descriptions contain the selected tag. To find devices, you can use the asterisk, which stands for any string with any number of characters.

  By default, this option is selected.

• Tag must be excluded

  If this option is selected, the search results will display the devices whose descriptions do not contain the selected tag. To find devices, you can use the asterisk, which stands for any string with any number of characters.

Active Directory

In the Active Directory section, you can configure criteria for including devices into a selection based on their Active Directory data:

• Device is in an Active Directory organizational unit

  If this option is enabled, the selection includes devices from the Active Directory unit specified in the entry field.

  By default, this option is disabled.

• Include child organizational units

  If this option is enabled, the selection includes devices from all child organizational units of the specified Active Directory organizational unit.

  By default, this option is disabled.

• This device is a member of an Active Directory group

  If this option is enabled, the selection includes devices from the Active Directory group specified in the entry field.

  By default, this option is disabled.

Network activity

In the Network activity section, you can specify the criteria that will be used to include devices in the selection according to their network activity:

• This device is a distribution point

  In the drop-down list, you can set up the criterion for including devices in the selection when performing search:

  • Yes. The selection includes devices that act as distribution points.
  • No. Devices that act as distribution points are not included in the selection.
  • No value is selected. The criterion will not be applied.
• Do not disconnect from the Administration Server

  In the drop-down list, you can set up the criterion for including devices in the selection when performing search:

  • Enabled. The selection will include devices on which the Do not disconnect from the Administration Server check box is selected.
  • Disabled. The selection will include devices on which the Do not disconnect from the Administration Server check box is cleared.
  • No value is selected. The criterion will not be applied.
• Connection profile switched

  In the drop-down list, you can set up the criterion for including devices in the selection when performing search:

  • Yes. The selection will include devices that connected to the Administration Server after the connection profile was switched.
  • No. The selection will not include devices that connected to the Administration Server after the connection profile was switched.
  • No value is selected. The criterion will not be applied.
• Last connected to Administration Server

  You can use this check box to set a search criterion for devices according to the time they last connected to the Administration Server.

  If this check box is selected, in the entry fields you can specify the time interval (date and time) during which the last connection was established between Network Agent installed on the client device and the Administration Server. The selection will include devices that fall within the specified interval.

  If this check box is cleared, the criterion will not be applied.

  By default, this check box is cleared.

• New devices detected by network poll

  Searches for new devices that have been detected by network polling over the last few days.

  If this option is enabled, the selection only includes new devices that have been detected by device discovery over the number of days specified in the Detection period (days) field.

  If this option is disabled, the selection includes all devices that have been detected by device discovery.

  By default, this option is disabled.

• Device is visible

  In the drop-down list, you can set up the criterion for including devices in the selection when performing search:

  • Yes. The application includes in the selection devices that are currently visible in the network.
  • No. The application includes in the selection devices that are currently invisible in the network.
  • No value is selected. The criterion will not be applied.

Application

In the Application section, you can configure criteria for including devices in a selection based on the selected managed application:

• Application name

  In the drop-down list, you can set a criterion for including devices in a selection when search is performed by the name of a Kaspersky application.

  The list provides only the names of applications with management plug-ins installed on the administrator's workstation.

  If no application is selected, the criterion will not be applied.

• Application version

  In the entry field, you can set a criterion for including devices in a selection when search is performed by the version number of a Kaspersky application.

  If no version number is specified, the criterion will not be applied.

• Critical update name

  In the entry field, you can set a criterion for including devices in a selection when search is performed by application name or by update package number.

  If the field is left blank, the criterion will not be applied.

• Modules last updated

  You can use this option to set a criterion for searching devices by time of the last update of modules of applications installed on those devices.

  If this check box is selected, in the entry fields you can specify the time interval (date and time) during which the last update of modules of applications installed on those devices was performed.

  If this check box is cleared, the criterion will not be applied.

  By default, this check box is cleared.

• Device is managed through Kaspersky Security Center 13.1

  In the drop-down list, you can include in the selection the devices managed through Kaspersky Security Center:

  • Yes. The application includes in the selection devices managed through Kaspersky Security Center.
  • No. The application includes devices in the selection if they are not managed through Kaspersky Security Center.
  • No value is selected. The criterion will not be applied.
• Security application is installed

  In the drop-down list, you can include in the selection all devices with the security application installed:

  • Yes. The application includes in the selection all devices with the security application installed.
  • No. The application includes in the selection all devices with no security application installed.
  • No value is selected. The criterion will not be applied.

Operating system

In the Operating system section, you can specify the criteria that will be used to include devices in the selection according to their operating system type.

• Operating system version

  If the check box is selected, you can select an operating system from the list. Devices with the specified operating systems installed are included in the search results.

• Operating system bit size

  In the drop-down list, you can select the architecture for the operating system, which will determine how the moving rule is applied to the device (Unknown, x86, AMD64, or IA64). By default, no option is selected in the list so that the operating system's architecture is not defined.

• Operating system service pack version

  In this field, you can specify the package version of the operating system (in the X.Y format), which will determine how the moving rule is applied to the device. By default, no version value is specified.

• Operating system build

  This setting is applicable to Windows operating systems only.

  The build number of the operating system. You can specify whether the selected operating system must have an equal, earlier, or later build number. You can also configure searching for all build numbers except the specified one.

• Operating system release ID

  This setting is applicable to Windows operating systems only.

  The release identifier (ID) of the operating system. You can specify whether the selected operating system must have an equal, earlier, or later release ID. You can also configure searching for all release ID numbers except the specified one.

Device status

In the Device status section, you can configure criteria for including devices into a selection based on the description of the devices status from a managed application:

• Device status

  Drop-down list in which you can select one of the device statuses: OK, Critical, or Warning.

• Device status description

  In this field, you can select the check boxes next to conditions that, if met, assign one of the following statuses to the device: OK, Critical, or Warning.

• Device status defined by application

  Drop-down list, in which you can select the real-time protection status. Devices with the specified real-time protection status are included in the selection.

Protection components

In the Protection components section, you can set up the criteria for including devices in a selection based on their protection status:

• Databases released

  If this option is selected, you can search for client devices by anti-virus database release date. In the entry fields you can set the time interval, on the basis of which the search is performed.

  By default, this option is disabled.

• Last scanned

  If this check option is enabled, you can search for client devices by time of the last virus scan. In the entry fields you can specify the time period within which the last virus scan was performed.

  By default, this option is disabled.

• Total number of threats detected

  If this option is enabled, you can search for client devices by number of viruses detected. In the entry fields you can set the lower and upper threshold values for the number of viruses found.

  By default, this option is disabled.

Applications registry

In the Applications registry section, you can set up the criteria to search for devices according to applications installed on them:

• Application name

  Drop-down list in which you can select an application. Devices on which the specified application is installed, are included in the selection.

• Application version

  Entry field in which you can specify the version of selected application.

• Vendor

  Drop-down list in which you can select the manufacturer of an application installed on the device.

• Application status

  A drop-down list in which you can select the status of an application (Installed, Not installed). Devices on which the specified application is installed or not installed, depending on the selected status, will be included in the selection.

• Find by update

  If this option is enabled, search will be performed using the details of updates for applications installed on the relevant devices. After you select the check box, the Application name, Application version, and Application status fields change to Update name, Update version, and Status respectively.

  By default, this option is disabled.

• Incompatible security application name

  Drop-down list in which you can select third-party security applications. During the search, devices on which the specified application is installed, are included in the selection.

• Application tag

  In the drop-down list, you can select the application tag. All devices that have installed applications with the selected tag in the description are included in the device selection.

• Apply to devices without the specified tags

  If this option is enabled, the selection includes devices with descriptions that contain none of the selected tags.

  If this option is disabled, the criterion is not applied.

  By default, this option is disabled.

Hardware registry

In the Hardware registry section, you can configure criteria for including devices into a selection based on their installed hardware:

• Device

  In the drop-down list, you can select a unit type. All devices with this unit are included in the search results.

  The field supports the full-text search.

• Vendor

  In the drop-down list, you can select the name of a unit manufacturer. All devices with this unit are included in the search results.

  The field supports the full-text search.

• Device name

  Name of the device in the Windows network. The device with the specified name is included in the selection.

• Description

  Description of the device or hardware unit. Devices with the description specified in this field are included in the selection.

  A device's description in any format can be entered in the properties window of that device. The field supports the full-text search.

• Device vendor

  Name of the device manufacturer. Devices produced by the manufacturer specified in this field are included in the selection.

  You can enter the manufacturer's name in the properties window of a device.

• Serial number

  All hardware units with the serial number specified in this field will be included in the selection.

• Inventory number

  Equipment with the inventory number specified in this field will be included in the selection.

• User

  All hardware units of the user specified in this field will be included in the selection.

• Location

  Location of the device or hardware unit (for example, at the HQ or a branch office). Computers or other devices that are deployed at the location specified in this field will be included in the selection.

  You can describe the location of a device in any format in the properties window of that device.

• CPU frequency, in MHz

  The frequency range of a CPU. Devices with CPUs that match the frequency range in these fields (inclusive) will be included in the selection.

• Virtual CPU cores

  Range of the number of virtual cores in a CPU. Devices with CPUs that match the range in these fields (inclusive) will be included in the selection.

• Hard drive volume, in GB

  Range of values for the size of the hard drive on the device. Devices with hard drives that match the range in these entry fields (inclusive) will be included in the selection.

• RAM size, in MB

  Range of values for the size of the device RAM. Devices with RAMs that match the range in these entry fields (inclusive) will be included in the selection.

Virtual machines

In the Virtual machines section, you can set up the criteria to include devices in the selection according to whether these are virtual machines or part of virtual desktop infrastructure (VDI):

• This is a virtual machine

  In the drop-down list, you can select the following options:

  • Not important.
  • No. Find devices that are not virtual machines.
  • Yes. Find devices that are virtual machines.
• Virtual machine type

  In the drop-down list, you can select the virtual machine manufacturer.

  This drop-down list is available if the Yes or Not important value is selected in the This is a virtual machine drop-down list.

• Part of Virtual Desktop Infrastructure

  In the drop-down list, you can select the following options:

  • Not important.
  • No. Find devices that are not part of Virtual Desktop Infrastructure.
  • Yes. Find devices that are part of the Virtual Desktop Infrastructure (VDI).

Vulnerabilities and updates

In the Vulnerabilities and updates section, you can specify the criteria that will be used to include devices in the selection according to their Windows Update source:

WUA is switched to Administration Server

Users

In the Users section, you can set up the criteria to include devices in the selection according to the accounts of users who have logged in to the operating system.

• Last user who logged in to the system

  If this option is enabled, click the Browse button to specify a user account. The search results include devices on which the specified user performed the last login to the system.

• User who logged in to the system at least once

  If this option is enabled, click the Browse button to specify a user account. The search results include devices on which the specified user logged in to the system at least once.

Status-affecting problems in managed applications

In the Status-affecting problems in managed applications section, you can specify the criteria that will be used to include devices in the selection according to the list of possible problems detected by a managed application. If at least one problem that you select exists on a device, the device will be included in the selection. When you select a problem listed for several applications, you have the option to select this problem in all of the lists automatically.

Device status description

Statuses of components in managed applications

In the Statuses of components in managed applications section, you can configure criteria for including devices in a selection according to the statuses of components in managed applications:

• Data Leakage Prevention status

  Search for devices by the status of Data Leakage Prevention (No data from device, Stopped, Starting, Paused, Running, Failed).

• Collaboration servers protection status

  Search for devices by the status of server collaboration protection (No data from device, Stopped, Starting, Paused, Running, Failed).

• Anti-virus protection status of mail servers

  Search for devices by the status of Mail Server protection (No data from device, Stopped, Starting, Paused, Running, Failed).

• Endpoint Sensor status

  Search for devices by the status of the Endpoint Sensor component (No data from device, Stopped, Starting, Paused, Running, Failed).

Encryption

Encryption algorithm

Cloud segments

In the Cloud segments section, you can configure criteria for including devices in a selection according to their respective cloud segments:

• Device is in a cloud segment

  If this option is enabled, you can click the Browse button to specify the segment to search.

  If the Include child objects option is also enabled, the search is run on all child objects of the specified segment.

  Search results include only devices from the selected segment.

• Device discovered by using the API

  In the drop-down list, you can select whether a device is detected by API tools:

  • AWS. The device is discovered by using the AWS API, that is, the device is definitely in the AWS cloud environment.
  • Azure. The device is discovered by using the Azure API, that is, the device is definitely in the Azure cloud environment.
  • Google Cloud. The device is discovered by using the Google API, that is, the device is definitely in the Google Cloud environment.
  • No. The device cannot be detected by using the AWS, Azure, or Google API, that is, it is either outside the cloud environment or it is in the cloud environment but it cannot be detected by using an API.
  • No value. This condition does not apply.

Application components

This section contains the list of components of those applications that have corresponding management plug-ins installed in Administration Console.

In the Application components section, you can specify criteria for including devices in a selection according to the statuses and version numbers of the components that refer to the application that you select:

• Status

  Search for devices according to the component status sent by an application to the Administration Server. You can select one of the following statuses: No data from device, Stopped, Starting, Paused, Running, Malfunction, or Not installed. If the selected component of the application installed on a managed device has the specified status, the device is included in the device selection.

  Statuses sent by applications:

  • Starting—The component is currently in the process of initialization.
  • Running—The component is enabled and working properly.
  • Paused—The component is suspended, for example, after the user has paused protection in the managed application.
  • Malfunction—An error has occurred during the component operation.
  • Stopped—The component is disabled and not working at the moment.
  • Not installed—The user did not select the component for installation when configuring custom installation of the application.

  Unlike other statuses, the No data from device status is not sent by applications. This option shows that the applications have no information about the selected component status. For example, this can happen when the selected component does not belong to any of the applications installed on the device, or when the device is turned off.

• Version

  Search for devices according to the version number of the component that you select in the list. You can type a version number, for example 3.4.1.0, and then specify whether the selected component must have an equal, earlier, or later version. You can also configure searching for all versions except the specified one.

Exporting the settings of a device selection to a file

To export the settings of a device selection to a text file:

1. In the console tree, select the Device selections folder.
2. In the workspace, on the Selection tab, click the relevant device selection in the list of user selections.

   Settings can be exported only from the device selections created by a user.

3. Click the Run selection button.
4. On the Selection results tab, click the Export settings button.
5. In the Save as window that opens, specify a name for the selection settings export file, select a folder to save it to, and click the Save button.

The settings of the device selection will be saved to the specified file.

Creating a device selection

To create a device selection:

1. In the console tree, select the Device selections folder.
2. In the workspace of the folder, click Advanced and select the Create a selection in the drop-down list.
3. In the New device selection window that opens, enter the name of the new selection and click OK.

A new folder with the name you entered will appear in the console tree in the Device selections folder. By default, the new device selection contains all devices included in administration groups of the Administration Server on which the selection was created. To cause a selection to display only the devices you are particularly interested in, configure the selection by clicking the Selection properties button.

Creating a device selection according to imported settings

To create a device selection according to imported settings:

1. In the console tree, select the Device selections folder.
2. In the workspace of the folder, click the Advanced button and select Import selection from file in the drop-down list.
3. In the window that opens, specify the path to the file from which you want to import the selection settings. Click the Open button.

A New selection entry is created in the Device selections folder. The settings of the new selection are imported from the file that you specified.

If a selection named New selection already exists in the Device selections folder, an index in (<next sequence number>) format is added to the name of the created selection, for example: (1), (2).

Removing devices from administration groups in a selection

When working with a device selection, you can remove devices from administration groups right in this selection, without switching to the administration groups from which these devices must be removed.

To remove devices from administration groups:

1. In the console tree, select the Device selections folder.
2. Select the devices that you want to remove by using the Shift or Ctrl keys.
3. Remove the selected devices from administration groups in one of the following ways:
   • Select Delete in the context menu of any of the selected devices.
   • Click the Perform action button and select Remove from group in the drop-down list.

The selected devices are removed from their respective administration groups.